{"product_id":2018,"v_id":2018,"product_name":"Symantec CyberWolf, Version 2.0","certification_status":"Not Certified","certification_date":"2004-06-04T00:06:00Z","tech_type":"Wireless Monitoring","vendor_id":{"name":"Symantec Corporation","website":"www.symantec.com"},"vendor_poc":"Ronald Partridge","vendor_phone":"801.444.3527","vendor_email":"rpartridge@symantec.com","assigned_lab":{"cctl_name":"DXC.technology"},"product_description":"The TOE is an automated incident reporting system designed for security operations centers and managed security service providers that need automated incident reports in near real-time. CyberWolf provides correlation of a high volume of security alert information generated by computers, network devices, and intrusion detection sensors. CyberWolf automates the detection and analysis of events and alerts to define security incidents. By analyzing the thousands of alerts most likely present during an attack, CyberWolf tracks and correlates these alerts to determine attack patterns and the development of a security incident.","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. The criteria against which CyberWolf was judged are described in the <em>Common Criteria for Information Technology Security Evaluation, Version 2.1. </em>The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Computer Sciences Corporation determined that the evaluation assurance level (EAL) for the product is EAL2. The product, when configured and installed according to supplied guidance, satisfies all of the security functional requirements stated in the Security Target. 
A validator, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by Computer Sciences Corporation. The evaluation was completed in May 2004. Results of the evaluation can be found in the NIAP CCEVS Report, CCEVS-VR-04-0061 prepared by NIAP CCEVS.<br />\r\n</p>","environmental_strengths":"<p>The TOE provides the following security features:</p>\r\n<p><strong>Security Management (TSF_FMT):</strong> CyberWolf differentiates between four user roles. Each user role is assigned a limited number of security functions that the role can perform on the TOE. The roles defined for TOE usage are: Administrator, Senior Incident Handler, Junior Incident Handler, Read-Only User.</p>\r\n<p><strong>User Action Log (TSF_UAL): </strong>CyberWolf collects a log of certain user actions that result in changes to the Oracle database. The logs include the user name performing the action, the type of event, the date and time of the event, and the outcome of the event.</p>\r\n<p><strong>Data Collection (TSF_EDC): </strong>CyberWolf utilizes its Device Experts to collect data from security components outside the TOE. The TOE contains the RealSecure Device Expert which is programmed to read from the RealSecure database and the Snort Device Expert which reads from the Snort log file.<br />\r\n<br />\r\n<strong>Key Management (TSF_KMG): </strong>CyberWolf performs Key Management through the use of the Monitor subsystem. The Monitor maintains a list of each of the active keys and their associated components. As each component starts, it generates its own symmetric secret key. The Monitor subsystem performs key management for the Manager, SecurSite, and each Device Expert subsystem.</p>\r\n<p><strong>Communications Security (TSF_CCS): </strong>All message traffic between CyberWolf components is encrypted. At the time CyberWolf is installed, the type of encryption can be selected. When the Monitor component is installed, it generates a shared secret key of maximum length. 
This secret key is then encrypted with a pseudo-random password. The key is then used as an encryption key for sending messages to the CyberWolf Monitor. The CyberWolf Monitor uses it as its decryption key.</p>\r\n<p><strong>Data Reporting (TSF_DRE): </strong>Reporting is done in both real-time for listing alerts and incidents and generated graphically in predefined intervals. Reports are viewable by all valid CyberWolf users. Reports are generated on a daily and weekly basis. By default daily reports are generated at 2:00AM every day and weekly reports are generated on every Wednesday at the same time specified for the daily reports (i.e. 2:00AM). Users must manually edit the reports configuration file if the desired reporting schedule does not match the default settings. CyberWolf reports are generated directly from the data in the database at the time the report is run.<br />\r\n</p>","features":[]}