Specifications

Security Target Version 1.0 9/29/2014
8.1.1.6 T.ADMIN_ERROR
An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective
security mechanisms.
This Threat is satisfied by ensuring that:
O.TOE_ADMINISTRATION: Plays a role in mitigating this threat by limiting the functions an
administrator can perform. Revoking administrator access when not needed also reduces the chance that an
error may occur.
OE.TRUSTED_ADMIN: Mitigates this threat by ensuring the administrators are properly trained and the
administrative guidance instructs the administrator how to properly configure the environment and TOE to
avoid mistakes.
8.1.1.7 T.RESOURCE_EXHAUSTION
A process or user may deny access to TOE services by exhausting critical resources on the TOE.
This Threat is satisfied by ensuring that:
O.RESOURCE_AVAILABILITY: Mitigates the threat by ensuring that the TOE has mechanisms and
policy in place to deal with attempts to exhaust resources.
8.1.1.8 T.TSF_FAILURE
Security mechanisms of the TOE may fail, leading to a compromise of the TSF.
This Threat is satisfied by ensuring that:
O.FAIL_SECURE: Contributes to mitigating this threat by ensuring that on a detected failure the TOE
maintains a secure state.
O.TSF_SELF_TEST: Counters this threat by ensuring that the TSF runs a suite of self tests to successfully
demonstrate the correct operation of the TSF.
8.1.1.9 T.UNAUTHORIZED_ACCESS
A user may gain unauthorized access to the TOE data and TOE executable code. A malicious user, process,
or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to data
or TOE resources. A malicious user, process, or external IT entity may misrepresent itself as the TOE to
obtain identification and authentication data.
This Threat is satisfied by ensuring that:
O.AUTH_COMM: Works to mitigate this threat by ensuring that the TOE identifies and authenticates all
users prior to allowing TOE access or setting up a security association with that user. The TOE must also
be capable of sending its own credentials to users to ensure mutual authentication prior to obtaining
identification and authentication data.
O.CRYPTOGRAPHIC_FUNCTIONS: Contributes to mitigating this threat by providing the underlying
cryptographic functionality required by other protection mechanisms.
O.PROTECTED_COMMUNICATIONS: Contributes to mitigating this threat by ensuring protection of the
communication between the TOE and authorized administrator while transmitting data.
O.REPLAY_DETECTION: Prevents unauthorized access gained by replaying sessions (or portions of sessions)
of legitimate administrators or entities that have been captured by a malicious actor.
O.ROBUST_TOE_ACCESS: Mitigates this threat by requiring the TOE to identify and authenticate all
administrators prior to allowing any TOE access or any TOE mediated access on behalf of those
administrators.
O.SESSION_LOCK: Mitigates this threat by requiring the TOE to provide a way for the user to lock a
session or for the TOE to lock after a certain time period, which ensures an authorized session cannot be
hijacked at the terminal.