min reading time
The latest version of the Network Device collaborative Protection Profile (NDcPP) was released in March 2020. NDcPP currently is one of the most popular and extensively used protection profiles among network device vendors and manufacturers to get their product certified.
In our latest article, we provide a deeper insight into the followings:
Network devices are tools that allow communication between different hardware components in a computer network. These devices are also referred to as networking hardware, physical devices, as well as computer networking devices. Each network device in a computer network plays a critical role based on its capabilities and also serves distinct purposes in different segments. Hub, switch, router, bridge, gateway, and modem are some of the most commonly used network devices.
The most frequently used collaborative Common Criteria Protection Profile for Network Devices defines the core security standards that should be anticipated from a network device, with the goal of mitigating a certain set of security risks. The primary goal of NDcPP is to guarantee that the device’s capabilities are safe and that it does not constitute a security risk in the network environment where it is implemented. Any network device getting certified by NDcPP can get listed on the official Common Criteria portal and the NIAP Product Compliant list as well.
NDcPP is a foundational standard for many network-connected high-security devices and systems, fulfilling its requirements recognized all over the world while the value of these certifications goes beyond the Common Criteria consuming member states and markets.
There are various possibilities for performing a Common Criteria security evaluation of a network device. In summary, the developer or manufacturer can choose the objectives and Target of Evaluation (TOE) based on an EAL (Evaluation Assurance Level). Alternatively, they can use a Protection Profile (PP) that fits the taxonomy of the network device.
Protection Profiles are generated by international technical working groups, including evaluation laboratories, consumers, public bodies, manufacturers, and other parties. The PPs are then reviewed and certified by a recognized Common Criteria Certification Body.
The two comprehensive categories of in-scope functional requirements of NDcPP are the following:
NDcPP defines a core set of security standards to be anticipated from a network solution, with the goal of mitigating a specified list of security risks. NDcPP can be used for network devices regardless of the solution's ultimate goal or any specific security capabilities that the product may provide.
NDcPP’s set of security standards includes the followings:
The threats that the NDcPP is designed to minimize are classified according to the network device’s functional areas:
Unreported activity: Network devices connected with systems that do not log activities continuously become vulnerable to attacks that can even change critical functions without the administrator noticing it.
Manipulated update: Regular updates are essential, but improperly protected update packages may contain some kind of malware that can attack the system or steal sensitive data.
Poor cryptographic algorithms: with weak protective processes implemented, a possible attacker might jeopardize the confidentiality, integrity, and validity of a communication. This would involve both conversations and information kept within the device itself.
Untrusted communication channels: communication channels might be potential targets for attacks if they are not adequately designed and implemented, and do not handle confidential information sharing properly.
Weak authentication processes: a weak authentication method inside a secure communication protocol might be exploited by an attacker. It can be a shared or easily guessable password for example.
Unauthorized access: without proper authorization attackers might try to get administrator access via network attacks or by exploiting a user's session or credentials.
Credentials of network devices, which can be easily cracked, mean serious security threats to the entire system, therefore, filtering them out has critical importance. The security procedures of network devices may fail at some times. It is therefore essential that the device should be able to identify this vulnerable condition by self-testing.
A network device (ND) is the collaborative Network Device Protection Profile's (NDcPP) Target of Evaluation (TOE). It sets security requirements that network devices shall meet in order to minimize a certain set of cyber threats. Future cPPs will expand on this foundational collection of requirements to give an overall set of security solutions for networks ranging in scale up to enterprises. NDcPP currently is the most favored option among network device vendors and manufacturers to get their product PP-compliant Common Criteria certified.
As an agile cybersecurity laboratory, we have experience with many different Protection Profiles and types of products when it comes to Common Criteria certification. We provide consulting services to help you prepare for the assessment project in order to minimize delays and extra expenditures throughout the Common Criteria certification process. We are prepared for CC evaluations of network devices both with or without a chosen PP.
Get your network device Common Criteria certified in the shortest timeframe feasible by utilizing our industry-leading agile methodology.
Medical devices have been around for decades, however they weren’t built with cybersecurity in mind. Even though these connected devices, like insulin pumps, peacemakers or smart MRI scans gain popularity with an increasing speed, their security consideration still lags behind when compared to other IoT devices intended for industrial usage.
min reading time
According to Cynerio, a healthcare IoT cybersecurity company, 53% of connected medical equipment in hospitals has a known critical cybersecurity vulnerability. A third of bedside connected devices used in healthcare settings have an identified critical risk, which is definitely more worrying in terms of patient safety. This is just one of the many reasons why on 5th April 2017, the European Parliament voted to adopt the awaited Medical Device Regulation (MDR) and In vitro Diagnostic Regulation (IVDR). One of the most critical goals of the new Regulations is to strengthen medical device cybersecurity.
min reading time
Based on Upstream’s - a cybersecurity and data management platform for connected vehicles - latest report, the frequency of cyberattacks on cars increased 225% from 2018 to 2021. This data perfectly represents the importance of strengthening automotive cybersecurity for the entire industry. In our article below, we provide insight into this topic and its possible solutions. We explain why international cybersecurity standards and regulations are extremely important. Moreover, you can learn how we support automotive cybersecurity at CCLab.
min reading time