Italian Military Prepares for Cyber Combat
Client: Italian Ministry of Defense
- Tailor training to emphasize key cybersecurity areas such as penetration testing
- Ensure that students are certified as Common Criteria Evaluation Assurance Level 4 evaluators
- Engage experienced CSC cybersecurity experts to lead training program
- Conduct a full immersion training course in three phases over three months
- Military officers obtained extensive knowledge in major cyber issues
- All team members successfully passed Common Criteria qualification exam
Attaining deep cybersecurity knowledge is essential in the ongoing war against hackers and other cyber criminals. CSC experts conducted an extensive three-month training program for a team of Italian military officers that resulted in each of them successfully passing a key cybersecurity qualification exam.
Across the globe, enterprises and government entities – including the military – must contend with ongoing cybersecurity threats. Organizations that provide IT security are required to comply with minimum security baselines, and common standards have been established for specifying and evaluating security in IT products and systems.
The Common Criteria for Information Technology (IT) Security Evaluation, also known as ISO 15408, is endorsed by government bodies around the world as the standard for IT security testing and evaluation. Common Criteria evaluator certificates in participating countries are issued to those who successfully complete a rigorous evaluation of their cybersecurity knowledge.
Gaining experience through training
The Italian Defence Ministry sent four of its officers to CSC’s offices in Ottawa, Canada to be trained by a team of experts from CSC’s Security Testing and Certification Laboratory (STCL). In addition to offering training, CSC provides a wide range of Common Criteria and Federal Information Processing Standards (FIPS) related services, such as consulting, feasibility assessments, evidence preparation and evaluation and testing of IT security products and cryptographic modules. A global leader in cybersecurity, CSC is the only company accredited to perform Common Criteria IT security evaluations on three continents.
The Italian military team was familiar with basic security issues but not highly experienced in advanced cybersecurity testing and evaluation. Carlo Fabiani, a colonel in the Italian Army and director of the Italian Ministry of Defence’s Information Technology Defence Common Criteria Testing Laboratory, says, “The tough challenge was to meet the different technical and professional experiences of the four visiting officers. Nobody on the team had previous experience with Common Criteria.”
CSC’s training was initiated by Lachlan Turner, STCL’s technical director, a recognized expert in all aspects of Common Criteria. CSC senior evaluator, Changying Zhou, conducted the majority of the intensive training program in three phases, with four weeks devoted to each phase. CSC subject matter experts (SMEs) participated in the training sessions to share their knowledge in areas such as cryptography and quality management.
The first phase consisted of the four officers gaining a basic understanding of Common Criteria and associated evaluation methods. The next phase included on-the-job training focused on handling real-world situations as well as preparing the students to take the Common Criteria evaluator certification exam.
Phase three included additional on-the-job training that focused on areas such as penetration testing, quality processes and relevant security standards. A LAN was set up so the students could perform functional and penetration testing using cybersecurity tools such as WebGoat and Nessus.
The training also included vulnerability analysis, an overview of quality management systems and cryptographic evaluation. The cryptography-related training included an introduction to FIPS 140-2, which is used to validate cryptographic modules.
The most significant milestone of the training was that each of the Italian military officers successfully passed the Common Criteria evaluator qualification exam, which was administered by Communications Security Establishment Canada, a Canadian independent third-party evaluation and certification service for measuring the trustworthiness of IT security products.
“CSC delivered an effective training course, whose success has been ‘combat proven,’” Fabiani says. In addition to leveraging decades of cybersecurity knowledge and experience, a key to the success of the training for CSC was fostering a positive learning environment for the students. Fabiani says the CSC team was very welcoming to the Italian officers, creating a friendly atmosphere that included several social events. He says the positive work atmosphere helped the officers increase their competence level quickly.
Another success factor was that CSC tailored the course around the particular profile of the targeted audience. After the course got underway, periodic meetings were arranged to get feedback and the course curriculum was adjusted as needed. “The CSC training team made a concerted effort to fully understand what the four officers needed and were able to clearly define the best ways to achieve the results that were expected,” he says.
Common Criteria includes a series of Evaluation Assurance Levels (EALs) that signify the rigor of an evaluation. The level for a security evaluation that indicates rigorous assurance requirements have been met is EAL4, and that is the level the four Italian military officers were certified for as evaluators. Now, the officers are fully qualified to perform security evaluations on IT security products and services up to EAL4.
CSC’s background in Common Criteria-related work spans the globe and encompasses many areas such as feasibility assessments, security evaluations and assurance maintenance. Maureen Barry, program manager, CSC, who participated in instruction in management-related areas, says, “I believe working with the Italian military on training is a real complement to all of the Common Criteria services we provide. It clearly demonstrates to our clients that we have the expertise to manage their Common Criteria evaluations.”