Evaluating the security readiness of energy grids, financial trading networks, or communication networks is of paramount importance, as they are responsible for the smooth delivery of services used nationwide. Common Criteria Evaluation certification at the different EAL (Evaluation Assurance Level) levels is a great way to validate the security of networked products and systems, including critical infrastructures, but how well, and how thoroughly, should their technology be evaluated?
In this article we are going to explore the different EAL levels of the CC certification and give an insightful overview of each level.
How to make sense of the Evaluation Assurance Level (EAL)?
EAL certifications range from EAL1 to EAL7, signifying the growing number of requirements a technology needs to comply with to obtain the certification. The intent of the higher numbers is to assure customers that the organization’s main security features have been reliably implemented. However, we need to emphasize that a higher EAL number is not meant to show that the given technology is more secure; it signals the depth at which it was tested.
The EAL requirements are comprehensively collected in a set of documents, called the “Security Target”, which details every provision an organization needs to comply with in order to receive the certification. These specifications range from thorough software documentation and customer guidance to security assurance and penetration testing.
What types of vulnerabilities should be considered and scanned for during evaluation?
To ensure that the infrastructure of the organization in question is reliable and securely implemented, it is worth considering penetration testing and stress testing to find the most common types of vulnerabilities. Finding these vulnerabilities and providing feedback to the developer in time reduces the risk of malevolent attacks.
Here is a list of the most common vulnerabilities:
Malevolent cyber attacks pose a great threat to an organization’s unobstructed delivery of services, to the security of customer data and to financial reliability, so it is recommended not to take these threats lightly. These are the most common types of cyber attacks caused by the vulnerabilities mentioned above when they are not treated properly:
Which EAL level does my organization need?
Generally, when it comes to meeting regulatory requirements, organizations aim for the necessary minimum. Usually companies try to minimize their costs and expenditures while making sure that their products and services are secure. However, there are some institutions and agencies that cannot avoid investing in an EAL4+ certification, due to the critical importance of their services. Organizations worldwide have to adapt to industry standards and the requirements of the legislator; these are the most important boundary conditions companies have to meet for a secure and future-proof product.
Which organizations can make use of EAL1-3?
Usually, EAL 1-3 is more than enough for the general public and private tech organizations, where the company needs to be confident in the product’s correct operation, and where developers or users require a low to moderate level of independently assured security.
A certification on these levels is able to provide reliable evidence about the consistency of the technology, and the fact that it is substantially protected against identified threats. EAL 1-3 certifications are also a great means to test and validate the security of legacy systems, or when the target of the evaluation requires substantial security investigation without high-level reengineering.
Which organizations need EAL4+?
In contrast to private tech companies, essential services, government agencies, critical infrastructures and high-profile organizations cannot avoid the question of EAL4+ certification. The reason is that they need to establish well-founded trust in the product or service they are using, for which Common Criteria Evaluation and EAL are among the best solutions.
Organizations should consider EAL4+ certifications when developers or users require moderate to high, or extremely high, independently assured security. As a result of this evaluation, high-profile agencies can make sure that their product or service is prepared to incur additional security-specific engineering costs, and that the value of the protected asset justifies those additional security costs.
How can CCLab help in obtaining your EAL4+ certification?
Apart from choosing the appropriate level of EAL certification, organizations also need to carefully choose the evaluating external party. The evaluating party needs to be top-notch and thoroughly test and verify technologies against all attack methods and surfaces, such as the ones mentioned above in this article.
CCLab is a professional certification and evaluation agency providing pre-evaluation and consultation services to organizations interested in Common Criteria Evaluation and EAL certifications. Thanks to the agile methodologies we apply throughout the consultation and pre-evaluation process, our clients can avoid unforeseen complications, extra costs and delays during the certification process.
Besides proficiency and agility, CCLab is able to provide remarkably fast project delivery (approximately 4 months for an EAL4+ project) for our well-prepared customers, which is an outstanding quality within the industry.
If you need a Common Criteria certification, our dedicated team is ready to fulfill your expectations! Get in touch now!