48 Is an evaluated product "hacker proof?" (Computer Security Evaluation)




Description

This article is from the Computer Security Evaluation FAQ, by Trusted Product Evaluation Program TPEP@dockmaster.ncsc.mil.

No product can be guaranteed to be "hacker proof" or
"impenetrable." An evaluated product has demonstrated certain
features and assurances, as specified by the rating criteria.
Those features and assurances counter certain threats. Thus an
evaluated product is usually vulnerable to fewer threats than
an unevaluated product. Products with higher ratings are
vulnerable to fewer threats than products with low ratings.
Vulnerabilities to threats that remain in products can often be
addressed through other means. No rating class used by the
Trusted Product Evaluation Program (TPEP), for example,
counters the threat of directly tampering with the hardware.
That threat would need to be addressed physically or
procedurally if it were realistic for the particular system
environment.

Finally, it seems many "hackers" today prefer to use "social
engineering" to accomplish their goals. As with other
insider-related threats, education is necessary in preventing
naive users from disclosing sensitive information. However,
technical measures can also help. They can enforce the
principle of least privilege, check the reasonableness of
administrative inputs, and provide timely on-line cautions.

 
