IATF Forum Brings Government and Industry Together

Today I attended my first meeting of the Information Assurance Technical Framework (IATF) Forum. The IATF is organized by the National Security Agency (hi guys) to foster discussion among developers and users of digital security products. The Federal government is heavily represented. I attended in a role as a security vendor with Foundstone. Today's meeting focussed on Protection Profiles for intrusion detection systems. According to the Common Criteria, a Protection Profile (PP) is "an implementation independent statement of security requirements that is shown to address threats that exist in a specified environment." According to the NIST Computer Security Resource Center, the Common Criteria for IT Security Evaluation is "a Common Language to Express Common Needs." Unfortunately, many people at the IATF today noted that the IDS PP doesn't require a product to be able to detect intrusions! Products evaluated against the PPs are listed here.

This process seems driven by the National Information Assurance Partnership, (NIAP) a joint NIST-NSA group "designed to meet the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers." The people who validate products appear to be part of the National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme (CCEVS) Validation Body, a group jointly managed NIST and NSA.

Obviously I haven't figured out how all of this works. For example, I don't know how the Evaluation Assurance Levels like "EAL4" fit in. I do know that companies trying to get a product through this process can spend "half a million dollars" and 15+ months, according to speakers at the IATF Forum. Is this better security? I don't know yet.

Besides the Common Criteria, other groups assess security products.

• Neohapsis' Open Security Evaluation Criteria (OSEC) seems much more practical and current.


• ISCA Labs assess a variety of products. They have certifuied some IDS already.


• The NSS Group describes itself as "Europe's foremost independent network and security testing organization." They tend to like Snort.


• While Talisker's site doesn't rate products, it is a comprehensive listing to security products and services.

Bob Hillery of the Insitute for Security Technology Studies at Dartmouth described the findings of the 2002 Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Needs Assessment. I'm going to watch the institute's what's new page for publication of their forthcoming nation-state "cyber threat" report.

You can watch for future events at the IAEvents Web site. Many require a clearance.