CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security - PowerPoint PPT Presentation

Description: Some of this is my point of view. But it does cover all the areas of Domain 4 ... Human Exploitation: social engineering, hoaxes, etc.
Slides: 128

Transcript and Presenter's Notes

1
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Overview
  • Dr. Richard B. Neely, CISSP, rich.neely_at_cta.com
  • March 14, 2007

2
Warning About This Briefing
  • This does not include all the detail of Domain 4!
  • Not enough time for everything
  • Some of this is my point of view
  • But it does cover all the areas of Domain 4
  • Therefore, base your study on other sources

3
Overview Topics
  • Domain 4 Information Content Summary
  • Relationship of Domain 4 to the Overall CBK
  • Domain 4 Presentation Segments

4
Domain 4 Information Content Summary
This is the Junk Drawer: A very important location!
  • Special technical security controls
    • In applications and data storage
  • Software life-cycle controls
  • Supporting mechanisms for security features in hardware and software
  • Security threat focus areas
  • Policies and security requirements

5
Domain 4 in the CBK
Figure (pie chart): the ten CBK domains (1 Access Ctrl, 2 Networks, 3 Mgmt, 4 AppsDev, 5 Crypto, 6 Scty Arch, 7 Operations, 8 Business, 9 Law, 10 Physical); Domain 4 is labelled "12 of the Exam".
6
Domain 4 Relationships Within the CBK
Figure: the same ten CBK domains, with Domain 4 (AppsDev) shown in relation to the others.
7
Domain 4 Presentation Segments
8
Domain 4 in the Context of a Security Program
Figure: the eight presentation segments placed in a security-program model: 1 Security Policy Allocation, 2 Special Policies, 3 General Threat Methods, 4 Malicious Logic, 5 Data Storage, 6 Special Architectures, 7 Support Mechanisms, 8 Life-Cycle Controls.
  • Threats
    • Direct exploitation of flaws and vulnerabilities
    • System Subversion: malicious logic, password cracking, etc.
    • Human Exploitation: social engineering, hoaxes, etc.
    • Service Targeting: denial of service, fraud/waste/abuse, etc.
    • Physical: theft, destruction, etc.
  • Flaws and Vulnerabilities
    • Hardware
    • Software/firmware
    • Configuration
    • Procedural
  • Security Controls
    • Drivers: legal, standards, enterprise, oversight, specification
    • Assurance: strengths, enforcement
    • Architectures: system, security
    • Safeguards: direct protection
    • Human: authorization, discipline, training
    • Operational: patches, configuration maintenance, incidents, intrusions, continuity
    • Physical: access control, media, EMSEC
    • Technical: authentication, access control, crypto
    • Life Cycle: configuration management, product review

9
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 1: Policy Allocation to Applications
10
Segment 1 Topics
  • Security Policies and Requirements
  • Development of the Policy Enforcement View
  • A Policy Enforcement Distribution Model
  • An Important Aspect of Security Requirements

11
Security Policies and Requirements
  • Security policies apply to enterprises and systems
  • Security policies allocated to subsystems and components via security requirements
  • To decide
    • How is a security policy broken out?
    • Which portions/aspects of a policy are allocated to which system elements?
    • How are those portions represented as security requirements?

12
Development of the Policy Enforcement View
  • Pre-TCSEC (Orange Book): All policy enforcement was by the Security Kernel
  • TCSEC
    • Expanded to the Trusted Computing Base (TCB): It was accepted that policy enforcement also occurred elsewhere
    • But no established model for enforcement distribution
  • Common Criteria (CC)
    • A less monolithic view
    • Only one level of distribution specified
  • An emerging view: Full depth of distribution

13
A Policy Enforcement Full-Distribution Model
  • Multiple Independent Levels of Security (MILS)
    • Developed and encouraged by NSA (particularly Mark Vanfleet)
    • Allows distribution of policy enforcement to all appropriate system elements (security functions)
    • Application of principle of least privilege for security architecture
    • Now used on multiple current Air Force and joint programs

14
What MILS Looks Like
Figure: a SEPARATION KERNEL hosting single-level (SL) partitions at TS, S, C, and U; each partition runs a guest OS (e.g., VxWorks, Mac OS) with application middleware and applications on top.
Middleware, e.g.:
  • DBMS
  • MLS Flow Control

15
Policy Enforcers (Security Functions)
  • Kinds
    • Self enforcing (all, particularly applications)
    • Reference monitor (hardware, kernel, middleware, applications)
  • Reference monitor characteristics: NEAT
    • Non-bypassable: Cannot be ignored
    • Evaluatable: Not too big/complex
    • Always invoked: Satisfies its own policy
    • Tamperproof: Protected by self / lower

16
An Important Aspect of Security Requirements
  • Two kinds of security requirements (Basic to the CC)
    • Functional requirements
    • Assurance requirements
  • An effective security policy addresses both
  • Both must be allocated to requirements levied on each security function

17
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 2: Security Policies Across Multiple Enterprises
18
Segment 2 Topics
  • What Is an Enterprise?
  • Example
  • Agreement Forms
  • Examples of Policy Relationships

19
What Is an Enterprise?
  • Many definitions, but usually a center of decision making and financial accountability
    • Commercial enterprise (e.g., corporation)
    • Military command
  • Sometimes (as in this briefing) extended meaning
    • Any distinguishable organization and related (technical) entities
    • Something you can rationally draw a boundary around
  • Examples
    • Provider of (computational) services
    • Developer/deployer/configurer of applications or systems
    • Deployment sites
  • Key Point: Each enterprise has (Better have!) its own security policy

20
An Example of the Concept
Figure: Enterprise A (Defense Finance Accounting Service (DFAS)) and Enterprise B (Defense Mega-Center (DMC)), with their Overlapping Concerns shown.
21
Forms of Agreements
  • Not just security: Security is often embedded in more general agreements
  • Other Terms
    • Letter of Agreement (LOA)
    • Memorandum of Agreement (MOA)
    • Memorandum of Understanding (MOU)
    • Service Level Agreement (SLA)
    • Statement of Intent (SOI)
  • In general, semantically interchangeable
    • Enterprises have preferences

22
Examples of Policy Relationships
  • A: Deployed Application; B: Computational Infrastructure
    • A Policy: Shall not compromise B's (security) operations
    • B Policy: Shall meet A's (security) requirements
    • Example: DFAS/DMC
  • A: Developed (COTS) Application; B: System in Which A is Integrated
    • A Policy: Shall meet specified security requirements
    • B Policy: Shall meet A's environmental assumptions
    • Example: High-assurance DBMS in military compartmented-mode system
  • A: Type-Accredited System; B: Site Accreditation for Deployment of A at a Site
    • A Policy: Shall satisfy specified security requirements given proper environment
    • B Policy: Shall satisfy environment constraints
    • Example: GCCS type accreditation and AFSPACECOM GCCS site accred.

23
Sample Questions
  • LOA, MOA, and MOU are
    • three forms of governing regulations
    • three substantially different forms of agreement
    • three similar forms of agreement
    • three Hawaiian volcanoes
  • Agreements among multiple enterprises are the greatest challenge when
    • the enterprises are entirely independent
    • the enterprises have a common area of concern
    • one enterprise is internal to another
    • the enterprises are co-extensive

26
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 3: General Threat Methods
27
Segment 3 Topics
  • General Information on Security Threats
  • Focus on the CBK's Key Areas of Knowledge: Methods of Attack
  • Creates a Setting for Application-Oriented Threats

28
A Threat Taxonomy
29
Achieving Unauthorized Access
  • Password attacks
    • Brute force/exhaustive
    • Dictionary/context attacks
      • May be real words, user ids, related info
      • Can involve various modifications
  • Spoofing/masquerading: imitating legitimate information/components/persons to gain access
    • IP Spoofing: Makes source look legitimate (Not possible for many attacks, those requiring a response)
    • Authenticator Masquerades: false login
  • Social Engineering

30
Resource Attacks
  • Denial of Service: Prevention or delay of access to information assets or services
    • Ping of Death: Crashes servers by sending invalid IP ping packets
    • Distributed: e.g., February 2000 Yahoo attack
    • Flooding: Overwhelming with transmissions
  • Malicious logic causing false negatives in access control
  • Cache Cramming: Sidestepping Java's security model by inserting code in the execution cache

31
Malicious Logic (Details in Segment 4)
  • Alteration of authorized code
  • Hidden code (e.g., Trojan horse)
  • Logic bomb
  • Trap door

32
Exploitation of Communications
  • Remote maintenance
    • A potentially high-exposure threat source
    • By authorized personnel: less accountability
    • By unauthorized personnel
      • Capturing system and authentication information
      • Posing as maintainer
  • Traffic Analysis
    • Even though data is encrypted, traffic attributes (sources, destinations, frequency, etc.) are visible
    • Tunneling technology is a countermeasure

33
Direct Exploitation of Authorization
  • Snooping
    • Undirected search through authorized information storage; information for which the snooper is unauthorized may have been inadvertently placed there.
    • Dumpster diving is a physical form of this.
  • Inference
    • Obtaining information for which access is not authorized by performing deductions on information for which access is authorized.
    • Normally performed in the context of a database.
    • This is NOT the same as aggregation.
    • With inference one infers, i.e., performs a deduction.
      • In a bank, as a junior teller, (1) I am not permitted to know that a particular customer is in the preferred category. (2) I am permitted to know the entire list of customers. (3) I am permitted to know that a particular customer is not preferred.
      • Then, by inference, I know that a customer on the entire list who is not on the non-preferred list is preferred, which I am not allowed to know.
    • With aggregation, one simply has. E.g., http://eserver.org/poetry/paul-revere.html, Henry Wadsworth Longfellow:
      • Item 1: One if by land, and two if by sea
      • Item 2: A second lamp in the belfry burns
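The junior-teller inference from this slide, worked through in Python as an added example (not from the original briefing): run() performs the authorized queries and infer_complement() is the deduction, while InferenceMonitor is an assumed query-monitor design that refuses whichever query would complete the deduction, including the case where the whole customer list is assembled from several partial queries. The customer data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed sample data: the bank's customer records. "preferred" is the
# attribute the junior teller is not allowed to learn directly.
CUSTOMERS: Dict[str, Dict[str, object]] = {
    "alice": {"preferred": True,  "branch": "north"},
    "bob":   {"preferred": False, "branch": "north"},
    "carol": {"preferred": True,  "branch": "south"},
    "dave":  {"preferred": False, "branch": "south"},
}


@dataclass(frozen=True)
class Query:
    """attribute=None means 'the entire customer list'; otherwise select the
    customers whose attribute equals value."""
    attribute: Optional[str]
    value: object = None


def run(q: Query) -> FrozenSet[str]:
    """Execute a query directly, with no inference control."""
    if q.attribute is None:
        return frozenset(CUSTOMERS)
    return frozenset(c for c, row in CUSTOMERS.items() if row[q.attribute] == q.value)


def infer_complement(universe: FrozenSet[str], subset: FrozenSet[str]) -> FrozenSet[str]:
    """The teller's deduction: (entire list) minus (non-preferred list) is the
    preferred list, which the teller was never authorized to read."""
    return universe - subset


class InferenceMonitor:
    """Per-subject query monitor (hypothetical design). A result is released
    only if it cannot be combined with results already released to this
    subject to derive the forbidden set. Two facts together are enough for
    the deduction: knowing the whole population, and knowing one side of the
    partition induced by the protected attribute."""

    def __init__(self, forbidden: Query):
        self.forbidden = forbidden
        self.known_members: set = set()   # customers revealed by queries not on the protected attribute
        self.saw_protected = False         # a released query already selected on the protected attribute

    def request(self, q: Query) -> Optional[FrozenSet[str]]:
        """Return the result set, or None if the query is refused."""
        if q == self.forbidden:
            return None                    # the direct read is simply unauthorized
        result = run(q)
        on_protected = q.attribute == self.forbidden.attribute
        # Selections on other attributes (or the whole list) leak population
        # membership; once their union covers everyone, the universe is known.
        known = self.known_members | (set() if on_protected else set(result))
        if (self.saw_protected or on_protected) and known == set(CUSTOMERS):
            return None                    # universe + one side of the partition => forbidden set
        self.known_members = known
        self.saw_protected = self.saw_protected or on_protected
        return result


if __name__ == "__main__":
    # Unmonitored: the deduction exactly as the slide describes it
    everyone = run(Query(None))
    not_preferred = run(Query("preferred", False))
    print("inferred preferred:", sorted(infer_complement(everyone, not_preferred)))
    # Monitored: the second query of the pair is refused
    m = InferenceMonitor(forbidden=Query("preferred", True))
    print("entire list:", sorted(m.request(Query(None))))
    print("non-preferred list:", m.request(Query("preferred", False)))
```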

34
Active Defenses
  • Pseudo-Flaw: An apparent vulnerability deliberately set up to trap attackers.
  • Honey Pot: Spoofing on the defense side; a server in front of the real one traps or sidetracks attackers

35
Two Key Component Flaws
  • Characteristics
    • Where: operating systems, DBMSs, communications protocols
    • Functional flaws and security vulnerabilities
  • (1) Time of check/time of use (TOC/TOU)
    • Operating Systems: This can occur in the context of interrupt handling and privileged instruction execution
    • Database management systems: Flawed locking mechanism
  • (2) Buffer overflow
    • Excess data interpreted as instructions
    • One example: overlarge passwords
    • Probably the most common flaw

36
Another Threat Categorization: Level of Sophistication
  • Categories
    • Inexperienced / Basic Skills. Example: The February 2000 distributed denial of service (DDOS) attack was perpetrated by non-experts guided by a self-styled expert
    • Expert Groups: Nation-states and sophisticated terrorists will be more subtle and more dangerous
      • Will come in under the radar
      • Stakes are higher

Will?
37
Sample Questions
  • A pseudo-flaw is
    • an apparent loophole deliberately implanted in an operating system program as a trap for intruders.
    • an omission when generating pseudo-code.
    • used for testing for bounds violations in application programming.
    • normally generates a page fault, causing the system to halt.
  • In an inference attack
    • Excessive access authorization is granted to the attacker.
    • Information to which access is granted is under-classified.
    • The attacker discovers information not authorized from authorized information.
    • A logical fallacy has occurred.

40
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 4: Malicious Logic
41
Segment 4 Topics
  • What Is Malicious Logic?
  • Types of Malicious Logic
  • Development, Dissemination, and Actions
  • Prevention
  • Recovery

Much of this material derived from a briefing by
Rich Cox.
42
What Is Malicious Logic?
  • Definition: Any set of instructions to be interpreted in the context of a computer system intended for a malicious result
  • Several Major Categories
    • Virus is just one category, though this term is often used more generally
    • Categories tend to be overlapping
  • A major attack type

43
Modes of Malicious Logic
  • NOTE: Not limited to software. This is any form of interpretable instructions
  • Not necessarily distinguishable from data
    • Hardware interprets Object Code
    • Interpreter interprets Source Code (In the case of Java, interprets compiled Bytecode)
    • Word/Excel/etc. interpret Macros
    • Web browsers interpret HTML, Javascript
    • The above and other entities as email attachments: Note the risk of automatic opening of attachments, including embedded attachments and the preview pane in MS Outlook

44
Key Attributes of Malicious Logic
  • Means of Infection (How and where it gains new footholds)
  • Means of Propagation (How it replicates)
  • Payload (What it does, particularly destructive behavior)

45
Types of Malicious Logic
  • Not a standard/consistent set of definitions/categories
    • Definitions overlap
  • Common terms
    • Trap doors
    • Trojan horses
    • Time or logic bombs
    • Worms
    • Decoys
    • Viruses

46
Types: A Venn Diagram of Irregular Logic (My Terminology)
Figure: Venn diagram of the overlapping categories of irregular logic.
47
Types of Malicious Logic
  • Trap Doors / Back Doors
    • Installed by developers or maintainers to bypass normal security controls
    • Purpose is unauthorized access, with no harm intended, but...
  • Trojan Horses
    • Created as part of an otherwise useful application, often well known
    • Can do just about anything; typically privileged

48
Types of Malicious Logic
  • Time or Logic Bombs
    • Waits for a particular time (e.g., Friday the 13th)
    • Or a particular event (e.g., 99th time a program is executed)
    • Could be a form of terrorism
    • Sometimes intended to cause embarrassment for a political statement
    • In the future, may be a method of international blackmail

49
Types of Malicious Logic
  • Worms
    • Network oriented: Uses network platforms for propagation (Infects at the platform level)
    • Started as benign tools for network management
    • Morris Worm (1988) is the most well-known
  • Decoys
    • A form of spoofing
    • E.g., duplicates normal login sequence, recording password

50
Types of Malicious Logic: Viruses
  • Most commonly/popularly known type
  • What they do
    • Infect: Embed in elements of a system
    • Propagate: Pass the infection on
    • Payload: data compromise, corruption, deletion, subvert systems

51
Locations of Virus Embedding
  • General Areas
    • Physical memory (Use the Terminate and Stay Resident, TSR, property)
    • System areas of hard or removable disks (boot records)
    • Executables (object code): .com, .exe, .dll, etc.
    • Macros: thousands of these, cross platforms
    • Scripts (.sys, .prg, etc.)

52
Detection Avoidance
  • Stealth viruses
    • Hide modifications by forging results to system functions
  • Polymorphic viruses
    • Rewrite encrypted, fully functional copies of themselves
    • Scanners could search for decryption key
    • Whale uses multiple encryption schemes

53
Virus Payloads
  • Overlap other kinds of malicious logic
    • Some have time/logic bomb characteristics (Jerusalem, Friday the 13th)
  • Early viruses infected Microsoft products
    • Many thousands of these, most not in the wild
    • Fewer than 100 cause most infections
  • More recently, infections on all platforms: Using higher-level implementations, such as macros

54
Hoaxes
  • Many (mostly virus) hoaxes
    • Effectively result in organizational denial of service and wasted resources
    • Often in the form of "don't open such-and-such e-mail"
  • Until recently, opening a message was risk-free
    • Now, e-mail shells have gotten more sophisticated
    • Many of these can be configured for safety
  • Deal with hoaxes (and viruses) by informing security incident organization, not other users (otherwise becomes human denial of service!): n vs. n^2

55
Specific Sources
  • Inadvertent
    • Failure to use virus checker at home
    • Work at home, bring floppy to work
  • Deliberate
    • Insider: use access to install virus
    • Outsider: use network connections and web site access
    • Need not be expert or programmer; many virus cookbooks and toolkits on underground sites
  • Once released, operate without human intervention

56
Prevention and Response
Concept: Negative Return on Non-Investment
An Ounce of Prevention Is Worth a Pound of Cure
57
Means of Prevention
Management
  • Effective policies in place
  • User and expert training
  • Accountability/enforcement
  • Security staff: advisory, incident response
Operational
  • 1. Make Backups!
    • Multiple generations (may be infected)
    • Off-site storage
    • Test
  • Use anti-virus software: available, up to date
    • Always some false positives/negatives
    • Always out of date: update constantly
  • Prepare for response
    • Make emergency boot and utility diskettes
    • Best to use a utility for this, such as Norton
    • Set to boot from diskette
58
Recovery
  • If you see evidence of malicious logic
    • Turn off computer
    • Don't do anything else!
    • Get an expert (your organization should have an incident response team)
  • Remember, other systems could be infected; provide warning (through the incident response team)

59
Sample Questions
  • A virus
    • can only be executable code.
    • can only be executable code or macros.
    • is the first form of life created by humans, and is malicious.
    • can be difficult to distinguish from data.
  • The most important operational preventive measure against malicious logic is
    • anti-virus software
    • user training
    • backups
    • emergency boot disks

63
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 5: Security Issues and Controls for Data Storage
64
Segment 5 Topics
  • Data Storage Infrastructures
  • Databases and Security
  • Database Concepts and Models
  • Security Basis
  • Relational Databases
  • Object-Oriented Databases
  • Bigger Picture Data Warehousing and Data Mining

65
Data Storage Infrastructure Concepts
  • Real/physical memory (PM) vs. virtual memory (VM)
    • OS instantiates multiple VM instances from PM
    • OS implements a security model that isolates VM instances
    • Inter-VM references via OS requests, filtered by OS
  • Volatile vs. persistent storage
    • Require different security rules
    • E.g., loss of power erases volatile memory (e.g., RAM)
    • Typically, primary is volatile, secondary is permanent
  • Random vs. sequential (tape) access
    • Different organizations
    • OS isolation can be used to implement a security model for each

66
Databases and Security
  • About Databases
  • Security Basis
  • Relational Databases
  • Object-Oriented Databases
  • Bigger Picture Data Warehousing and Data Mining

67
About Databases
  • A database is a consistently structured collection of data
    • Usually intended for Sharing
    • Often distributed
  • Managed by a database management system (DBMS)
    • Supports sharing via locking portions of the database (records, tables, etc.) against either reading or writing
    • May support distribution through replication
    • Supports recovery in case of partial or complete loss (e.g., snapshot, replay of transactions)

68
About Databases (2)
  • Data Representation
    • Physical: implementation on underlying HW/OS system(s)
      • OS reserves a block of space (sectors) on secondary storage
      • DBMS is privileged for the block of space
      • Dedicated database machines
    • Logical
      • Implemented on physical representation
      • User view of data structures based on data models
  • Several data models
    • Hierarchical (CODASYL): crawl along tree
    • Relational: based on tables, derived structures, and operations
    • Object-oriented: based on classes, instances, and operations

69
About Databases (3)
  • DBMSs normally support these functions
    • Data definition
    • Data manipulation
    • Query interpretation
    • Report generation
    • Each function is supported by a specialized language
  • Levels of normalization
    • There are several levels of normalization; the first three are most often used (http://dev.mysql.com/tech-resources/articles/intro-to-normalization.html)
    • Normalization provides robustness and sometimes security
    • For security, normalization (and the supporting DBMS) should provide referential integrity, i.e., assuring that references make sense relative to table relationships.
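An added example (not from the slides) of what "references make sense" looks like at the DBMS level, using Python's sqlite3 module: the same dangling insert and the same delete of a referenced row are attempted with foreign-key enforcement off and on. The schema is constructed for illustration; the caveat it demonstrates is that SQLite accepts FOREIGN KEY declarations but only enforces them when PRAGMA foreign_keys is ON for the connection.

```python
import sqlite3
from typing import Tuple

# Constructed schema: employees reference departments. The FOREIGN KEY clause
# is the DBMS-level statement of referential integrity.
SCHEMA = """
CREATE TABLE department (dept_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id) ON DELETE RESTRICT
);
INSERT INTO department VALUES (10, 'Finance'), (20, 'Audit');
INSERT INTO employee VALUES (1, 'Adams', 10), (2, 'Baker', 20);
"""


def open_db(enforce: bool) -> sqlite3.Connection:
    """Open an in-memory database with enforcement switched on or off.
    The pragma is per connection and defaults to OFF in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce else 'OFF'}")
    conn.executescript(SCHEMA)
    return conn


def attempt(conn: sqlite3.Connection, sql: str) -> Tuple[bool, str]:
    """Run one statement and report whether the DBMS accepted it."""
    try:
        conn.execute(sql)
        conn.commit()
        return True, ""
    except sqlite3.IntegrityError as exc:
        return False, str(exc)


def dangling_insert(conn: sqlite3.Connection) -> bool:
    """An employee pointing at department 99, which does not exist."""
    return attempt(conn, "INSERT INTO employee VALUES (3, 'Clark', 99)")[0]


def delete_referenced_department(conn: sqlite3.Connection) -> bool:
    """Deleting Finance while Adams still references it."""
    return attempt(conn, "DELETE FROM department WHERE dept_id = 10")[0]


def orphan_count(conn: sqlite3.Connection) -> int:
    """Employees whose dept_id no longer resolves to a department."""
    row = conn.execute(
        "SELECT COUNT(*) FROM employee e LEFT JOIN department d "
        "ON e.dept_id = d.dept_id WHERE d.dept_id IS NULL"
    ).fetchone()
    return row[0]


def exercise(enforce: bool) -> Tuple[bool, bool, int]:
    """Return (dangling insert accepted, delete accepted, orphans left behind)."""
    conn = open_db(enforce)
    accepted_insert = dangling_insert(conn)
    accepted_delete = delete_referenced_department(conn)
    return accepted_insert, accepted_delete, orphan_count(conn)


if __name__ == "__main__":
    print("foreign_keys=OFF:", exercise(False))   # (True, True, 2)
    print("foreign_keys=ON: ", exercise(True))    # (False, False, 0)
```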

70
Security Approaches for Databases: Security Is Dependent on
  • Hardware and software (OS) infrastructure
    • Protects DBMS and database from interference
    • Selectively provides/delegates appropriate privileges and controls to DBMS
  • Security features and assurance of DBMS
    • Functional security constraints (access control)
    • Security as part of interface language, data model, and operations
    • Appropriate level of DBMS and Data model development assurance

71
Security Basis: Access Control Modes, Objectives
  • Discretionary Access Control (DAC)
    • Used for need-to-know
    • Access decisions based on
      • User identity and authorizations/privileges
      • Permissions (access control list) associated with resources
  • Mandatory Access Control (MAC)
    • Used for classified data access
    • Access decisions based on
      • User identity and clearance
      • Data classification represented by sensitivity labels
    • Should provide higher assurance: more costly, often impacts performance
    • Sometimes MAC features are provided without enhanced assurance: TCSEC (Orange Book) allowed this at B1; a Common Criteria protection profile could specify this
  • Security Objectives
    • Availability (protect against denial of service)
    • Data confidentiality and integrity (in terms of both DAC and MAC)

72
Relational Database Characteristics: Basic Concept: Table
Figure: a table, with one Field (Cell) highlighted.
73
Relational Database Characteristics: Derived Concept: View (from Query)
Figure: example table "Directory" with columns Index, Name, Phone, Addr., etc.; a view is derived from it by a query.
Query Languages Are Used to Specify Views; Most Common is Standard Query Language (SQL)
74
Relational Database Security
  • Classification (expressed as sensitivity label) at view, record, or field level
  • View access decision based on view classification
    • Can be implemented internally (representationally)
    • Can be implemented by modifying the query that generates the view (not supported by SQL)
  • Distinguish between
    • Features: E.g., sensitivity labels and view-based classification decisions
    • Assurance: How much architects and developers provide a convincing argument that those features are reliable

Front-End Security Add-ons May Fail to Do This
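View-based classification by query modification, as an added example that is not part of the original slides, using Python's sqlite3 module: labelled_select() AND-s the label predicate onto whatever the caller asked for before the query reaches the DBMS, and open_view() makes the view-level decision first. The personnel table, the labels and the view definitions are constructed for illustration.

```python
import sqlite3
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed classification levels (a total order) and the columns a user
# may ever receive. The label column itself is never returned.
LEVELS: Dict[str, int] = {"U": 0, "C": 1, "S": 2, "TS": 3}
EXPOSED_COLUMNS = ("id", "name", "assignment")


def build_db() -> sqlite3.Connection:
    """A personnel table with a record-level sensitivity label on every row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE personnel (id INTEGER PRIMARY KEY, name TEXT, "
                 "assignment TEXT, label INTEGER NOT NULL)")
    conn.executemany("INSERT INTO personnel VALUES (?, ?, ?, ?)", [
        (1, "Adams", "logistics",        LEVELS["U"]),
        (2, "Baker", "liaison",          LEVELS["C"]),
        (3, "Clark", "special projects", LEVELS["S"]),
        (4, "Davis", "black program",    LEVELS["TS"]),
    ])
    conn.commit()
    return conn


def labelled_select(conn: sqlite3.Connection, clearance: str, columns: Sequence[str],
                    where: str = "1 = 1", params: Sequence = ()) -> Optional[List[Tuple]]:
    """Record-level enforcement by query modification: the caller's predicate
    is AND-ed with 'label <= clearance', so rows the subject does not
    dominate are simply absent rather than refused (a refusal would reveal
    that something exists). Returns None if a non-exposed column is requested.
    The predicate text comes from code; user values travel only via params."""
    if any(c not in EXPOSED_COLUMNS for c in columns):
        return None
    sql = (f"SELECT {', '.join(columns)} FROM personnel "
           f"WHERE ({where}) AND label <= ? ORDER BY id")
    return conn.execute(sql, (*params, LEVELS[clearance])).fetchall()


# Constructed named views, each classified as a whole: (view label, columns)
VIEWS: Dict[str, Tuple[str, Sequence[str]]] = {
    "roster":   ("U", ("id", "name")),
    "taskings": ("S", ("id", "name", "assignment")),
}


def open_view(conn: sqlite3.Connection, clearance: str, view_name: str) -> Optional[List[Tuple]]:
    """View-level decision first (the whole view is released or refused by
    its own label), then the record-level filter inside the view."""
    view_label, columns = VIEWS[view_name]
    if LEVELS[clearance] < LEVELS[view_label]:
        return None
    return labelled_select(conn, clearance, columns)


if __name__ == "__main__":
    db = build_db()
    print("C-cleared names:", labelled_select(db, "C", ["name"]))
    print("U user probing for the TS assignment:",
          labelled_select(db, "U", ["name"], "assignment = ?", ["black program"]))
    print("C user opening the S view:", open_view(db, "C", "taskings"))
    print("S user opening the S view:", open_view(db, "S", "taskings"))
```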
76
Object-Oriented Database Characteristics: Basic Concepts: Class, Instance
  • Class works like a relational Table
    • Also has Attributes that work similarly
  • Instance works like Record
    • Class treated as a template
  • Object is class or instance
  • More flexible operations
    • Based on methods of a class: Know about referenced instances, like overloading
  • Inheritance relates nested classes: "is a" Relationship
  • Class concept supports information hiding: attributes may be public or private

77
OODBMS Security Models: DAC
  • ORION: explicit authorizations
    • Positive and negative authorizations explicitly allow and deny access to an object
    • Based on explicit authorizations provided to each group of users: implements access control lists (ACLs)
    • Supports role-based access control (RBAC)
  • Data Hiding Model
    • Distinguishes between public and private methods
    • Based on authorizations for particular users to execute methods on particular objects

78
OODBMS Security Models: MAC
  • SORION Model
    • Extends ORION model to encompass MAC
  • Millen-Lunt Model
    • Similar to SORION
    • Classifies information into three different levels
      • The data itself is classified.
      • The existence of the data is classified.
      • The reason for classifying the info is also classified

79
OODBMS Security Models: MAC (2)
  • Secure Object-Oriented Data Base (SODA)
    • Benchmark OO model to which other models are compared
    • Important concept: polyinstantiation
      • Information is multiply instantiated for different security levels
      • Value: this is a solution to the multiparty update conflict, which results in compromise
      • Data consistency is a challenge, similar to that of replication for distributed databases
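Polyinstantiation as an added Python illustration (constructed here, not SODA's own model code): the same key can hold one instance per level, a low-level write never collides with or reveals a higher instance, and a high reader gets back several instances that it must reconcile. The ship scenario and the level names are assumptions.

```python
from typing import Dict, List, Optional, Tuple

LEVELS: Dict[str, int] = {"U": 0, "C": 1, "S": 2, "TS": 3}
NAMES = {v: k for k, v in LEVELS.items()}


class PolyinstantiatedTable:
    """Rows are keyed by (primary key, classification level), so one logical
    key may exist once per level."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, int], Dict[str, object]] = {}

    def write(self, subject_level: str, key: str, **attrs) -> str:
        """A subject writes at its own level and only ever touches the
        instance at that level. Refusing the write because a higher instance
        exists would tell a low subject that it exists (the multiparty update
        conflict); overwriting it would destroy high data. Neither happens."""
        slot = (key, LEVELS[subject_level])
        outcome = "updated" if slot in self._rows else "created"
        self._rows[slot] = dict(attrs)
        return outcome

    def read(self, clearance: str, key: str) -> Optional[Dict[str, object]]:
        """Return the instance at the highest level the reader dominates."""
        c = LEVELS[clearance]
        visible = [lvl for (k, lvl) in self._rows if k == key and lvl <= c]
        return dict(self._rows[(key, max(visible))]) if visible else None

    def instances(self, clearance: str, key: str) -> List[Tuple[str, Dict[str, object]]]:
        """All instances of key the reader may see, lowest level first. A high
        reader gets several and must reconcile them: this is the consistency
        problem the slide compares with replication."""
        c = LEVELS[clearance]
        ordered = sorted(self._rows.items(), key=lambda kv: kv[0][1])
        return [(NAMES[lvl], dict(row)) for (k, lvl), row in ordered
                if k == key and lvl <= c]


def sailing_scenario() -> PolyinstantiatedTable:
    """Constructed scenario: a TS planner records the real destination; an
    unclassified clerk later records the cover story under the same key."""
    t = PolyinstantiatedTable()
    t.write("TS", "ship-17", destination="Strait", departs="0400")
    t.write("U",  "ship-17", destination="Port A", departs="0900")
    return t


if __name__ == "__main__":
    table = sailing_scenario()
    print("U reads:", table.read("U", "ship-17"))      # the cover story
    print("TS reads:", table.read("TS", "ship-17"))    # the real plan
    print("TS sees:", table.instances("TS", "ship-17"))  # both, to reconcile
```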

80
A Bigger Picture: Data Warehousing and Data Mining
  • Data warehousing
    • Managed data situated after and outside operational systems
    • Security challenges: multiple sources, lack of operational integration, logical and physical transformations
  • Data mining
    • Process of automatically finding patterns and relations in large databases
    • Similar security challenges
    • Security agent (bot) approaches have merit
  • For any security solutions (I repeat), it is necessary to distinguish between Features and Assurance

81
Sample Questions
  • In SQL (sic) where is the actual data stored
    • Views
    • Tables
    • Schemas and sub-schemas
    • Index-sequential tables
  • A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide
    • content-dependent access control
    • context-dependent access control
    • least privileges access control
    • ownership-based access control

84
Sample Questions
  • Which of the following is commonly used for
    retrofitting multilevel security to a database
    management system?
  • trusted front-end
  • trusted back-end
  • controller
  • kernel

86
CISSP Exam Study Seminar for CBK Domain 4:
Applications and Systems Development Security
Segment 6: Special Application Architectures
87
Segment 6 Topics: Security-Related Implications of
  • Module Interaction
  • Distributed Application Architectures
  • Fourth-Generation Applications: Information-Oriented
    Architecture
  • Fifth-Generation Applications: Knowledge-Based
    Architecture

88
Module Interaction
  • Module relationships
  • High cohesion: performance of a single function
    with minimal external interaction
  • Low coupling: minimally affecting the behavior of
    other modules
  • Inter-module communication
  • Component Object Model (COM): architecture for IPC
  • DCOM: distributed COM; synchronization, translation,
    etc.; uses a globally unique identifier (GUID)
  • Distributed Computing Environment (DCE) from the
    OSF (protocol layer); uses a universal unique
    identifier (UUID)
  • Object Linking and Embedding (OLE)
  • Embedding objects into other objects (documents
    or programs)
  • Program-into-program linking, plug-ins
  • Dynamic Data Exchange (DDE): sharing data via IPC

89
Distributed Application Architectures
  • Distributed architecture viewed as layered
    protocols
  • Lowest: Communications Infrastructure
  • Then: Distribution Mechanism
  • Highest: Seamless Application View
  • Examples
  • Distributed environment
  • Resources distributed, specific location
    transparent
  • Abstract client-server view
  • Example: CORBA (Distributed Object-Oriented
    Model); associated security service: CORBASEC
  • Portable applications
  • Hardware (even OS) independence
  • Infrastructure (e.g., vendor) extensibility
  • Example: Java-based
  • Recent focus: application service providers
    (ASPs)
  • In all cases, we are interested in security
    services

90
Portable Applications: Agents
  • Surrogates used in a distributed environment that
    operate on behalf of a user or application
  • Example: Personal data mining on the web
  • Google bots
  • CNN e-mail alerts
  • Platform or mobile
  • Example: Security policy servers

91
Portable Applications: Applets
  • Small programs residing on a host computer that
    are downloaded to a client computer to be
    executed
  • Languages
  • Java: object-oriented programming language
  • Developed by Sun Microsystems
  • Compiles into byte code for portability, with
    client-side interpreter
  • Interpreter enforces strict security model
    (sandbox) for applets
  • Over time, many holes found and fixed; new
    features, new holes
  • JavaScript: subset of Java for embedding in HTML
  • ActiveX: Microsoft's version of Java; stripped-
    down OLE functionality

92
Security Services Are Not Enough
  • Services/features may be provided without
    sufficient (or any) assurance.
  • E.g., CORBASEC provides security features, but
    rides on the humongous ORB that is unverifiable.
  • Because of this, and because infrastructures are
    often forgotten once in place (out-of-sight
    out-of-mind), security is often weak in
    distributed environments.

93
Fourth-Generation Applications: Data-Oriented
Architecture
  • A different point of view regarding databases
  • Databases have been considered merely a data
    infrastructure.
  • Fourth-generation architecture views that
    infrastructure as an abstraction layer.
  • Different computational model from the
    traditional
  • Third-generation model describes algorithms
    procedurally (directions for doing something).
  • Fourth-generation is specification-oriented (what
    is to be done).
  • Fourth-generation often uses query languages.
  • Brings solution space closer to problem
    space; reduces flaw risk.
  • Security features must fit this model.
  • E.g., Query filtering / view filtering
  • Assurance with this architecture is based on DBMS
    assurance.
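
As an added example (not from the seminar), the view filtering described here and the content-dependent access control of the earlier department-manager sample question, in Python with sqlite3: the department a caller may see is looked up from the data itself, and an authorizer callback plays the reference monitor that refuses any read of the base table that does not go through the view. The schema, user names and salaries are constructed.

```python
import sqlite3

# Constructed schema and data (not from the seminar). The view's predicate compares
# data values (the employee's dept) with the caller's dept: content-dependent control.
SCHEMA = """
CREATE TABLE employee(id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
CREATE TABLE manager(user TEXT PRIMARY KEY, dept TEXT);
CREATE TABLE session(user TEXT);   -- identity of the caller, set per request
INSERT INTO employee VALUES (1,'ann','sales',50000),(2,'bob','sales',52000),
                            (3,'cat','eng',70000),(4,'dan','eng',71000);
INSERT INTO manager VALUES ('mgr_sales','sales'),('mgr_eng','eng');
CREATE VIEW dept_salaries AS
  SELECT e.name, e.dept, e.salary
  FROM employee e
  JOIN manager m ON m.dept = e.dept
  JOIN session s ON s.user = m.user;
"""

def reference_monitor(action, table, column, dbname, inner):
    """sqlite3 authorizer used as a small reference monitor: every statement is
    mediated, and employee rows may be read only from inside the filtering view
    (inner is the view or trigger doing the read, None for a direct read)."""
    if action == sqlite3.SQLITE_READ and table == "employee" and inner != "dept_salaries":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.set_authorizer(reference_monitor)   # from here on nothing bypasses the monitor
    return conn

def run_as(conn, user, sql):
    """Run sql on behalf of user; return the rows, or None when the monitor denies it."""
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session VALUES (?)", (user,))
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:            # SQLite reports "not authorized"
        return None

if __name__ == "__main__":
    db = build_db()
    # Through the view: only the caller's own department.
    print(run_as(db, "mgr_sales", "SELECT name, salary FROM dept_salaries ORDER BY name"))
    # Around the view: refused, whatever the caller's role.
    print(run_as(db, "mgr_sales", "SELECT name, salary FROM employee"))
```

The assurance point of the slide is visible here too: the filter is only as good as the DBMS hook that forces all reads through it, so a DBMS that let a caller reach the base table would void the view's policy.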

94
Fifth-Generation Applications: Knowledge-Based
Architecture
  • Elements
  • Knowledge base, in the form of rules and rule
    structures
  • Inference engine
  • Interprets rules
  • Applies rules to available information
  • Development/operational shells allow convenient
    development of useful software (typically GUI
    based)
  • Benefit: rule-based computational model puts
    solution space very close to problem space
  • Security
  • Rule basis allows clear implementation of
    security model
  • Can define special security rules
  • Big assurance problem
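
As an added example (not from the seminar; all names constructed), a minimal forward-chaining inference engine in Python whose knowledge base states the salary policy directly as a rule, plus a check that shows the assurance problem the slide warns about: a later, innocent-looking rule interacts with the policy rule and changes who may read what.

```python
# Constructed example (not from the seminar): a tiny forward-chaining inference engine
# whose knowledge base holds security rules. Facts are tuples; "?x" marks a variable.
def unify(pattern, fact, binding):
    """Extend binding so that pattern matches fact; return None if it cannot."""
    if len(pattern) != len(fact):
        return None
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if isinstance(p, str) and p.startswith("?"):
            if b.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return b

def match_all(premises, known):
    # All variable bindings under which every premise matches some known fact.
    bindings = [{}]
    for prem in premises:
        bindings = [b2 for b in bindings for f in known
                    for b2 in [unify(prem, f, b)] if b2 is not None]
    return bindings

def infer(facts, rules):
    """The inference engine: apply rules until no new fact is derived."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            for b in match_all(premises, known):
                new = tuple(b.get(p, p) for p in conclusion)
                if new not in known:
                    known.add(new)
                    changed = True
    return known

# Knowledge base: the policy is a rule, as close to its prose statement as it gets:
# a manager of department d may read the salary of anyone who works in d.
POLICY = [((("manages", "?m", "?d"), ("works_in", "?e", "?d")),
           ("may_read_salary", "?m", "?e"))]
FACTS = [("manages", "alice", "sales"), ("manages", "dave", "eng"),
         ("works_in", "bob", "sales"), ("works_in", "carol", "eng")]

def can_read_salary(facts, rules, who, whose):
    return ("may_read_salary", who, whose) in infer(facts, rules)

# The assurance problem: a later, innocent-looking rule (a delegate acts as the
# manager) interacts with the policy rule and silently widens who may read what.
DELEGATION = ((("delegate_of", "?x", "?m"), ("manages", "?m", "?d")),
              ("manages", "?x", "?d"))

def grants_added_by(facts, rules, extra_rule):
    # Salary-read permissions that exist only once extra_rule is in the rule base.
    before = {f for f in infer(facts, rules) if f[0] == "may_read_salary"}
    after = {f for f in infer(facts, rules + [extra_rule]) if f[0] == "may_read_salary"}
    return after - before
```

Reviewing the derived facts before and after each change to the rule base is the kind of check the "big assurance problem" calls for, since the rules themselves look harmless one at a time.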

95
Special Forms of Knowledge-Based Architectures
  • Neural networks
  • Also termed artificial neural networks
  • Infrastructure is many neurons, analogous to
    those in the brain
  • In effect, many small inference engines
  • Network composed of directed links, with one
    neuron firing another
  • Rules facilitate learning within an application
  • Expert systems
  • Rules are used to emulate the knowledge of an
    expert
  • Fuzzy Logic
  • Infrastructure uses probabilistic distributions
    rather than binary values for truth values
  • Allows more realistic implementations of knowledge

96
Sample Questions
  • Which of the following is an advantage of using a
    high-level programming language?
  • It decreases the total amount of code written.
  • It allows programmers to define syntax.
  • It requires programmer-controlled storage
    management.
  • It enforces coding standards.
  • It brings the solution space closer to the
    problem space.
  • Which of the following is often the greatest
    failing of distributed system management
    solutions?
  • scalability
  • security
  • heterogeneity
  • synchronization

99
Sample Questions
  • Which of the following is commonly used for
    adding security after development to database
    management systems?
  • trusted front-end
  • trusted back-end
  • controller
  • kernel
  • Which of the following uses the concept of a
    sandbox?
  • CGI scripts
  • applets
  • Java
  • Active X

102
CISSP Exam Study Seminar for CBK Domain 4:
Applications and Systems Development Security
Segment 7: Support Mechanisms for Technical
Controls
103
Segment 7 Topics
  • Basic Security Principles
  • Infrastructure Mechanisms
  • Levels of Trust in a System

104
Security Principles
  • Separation of Privileges (based on isolation)
  • Least Privilege
  • People, computational entities
  • Accountability (using authentication and auditing)
  • Primarily supported by infrastructure

105
Infrastructure Mechanisms
  • Abstraction: layering and data hiding
  • Reference monitor (implementation of reference
    validation mechanism)
  • What it does
  • Access control
  • Flow control filters: routers, firewalls
  • What it's like
  • Hardware: memory domains/segments, privileges,
    etc.
  • Operating System: special operations via
    privileged instructions
  • Lowest layer: security kernel
  • Middleware: e.g., DBMS, special security
    mechanisms
  • Isolation of processes
  • Allows reference monitors to be effective
  • Part of, or all of, kernel
  • Levels of security audit: supports accountability
  • OS, middleware, privileged applications
  • Tracks security events

106
Levels of Privilege in a System
  • Implemented by the infrastructure
  • Ring architecture (e.g., Multics)
  • Simpler modes of operation
  • Supervisor, User
  • Specific targets
  • Local OS
  • Database
  • Network management

107
Sample Questions
  • In an on-line application system, erroneous or
    invalid transactions that are detected by the
    program should be
  • dropped from processing.
  • processed after the program makes adjustments.
  • written to a report and reviewed.
  • corrected and reprocessed.
  • A reference monitor
  • cannot be implemented in hardware.
  • cannot be implemented in an operating system.
  • cannot be implemented in middleware.
  • cannot be implemented in an application.

110
CISSP Exam Study Seminar for CBK Domain 4:
Applications and Systems Development Security
Segment 8: Life-Cycle Controls
111
Segment 8 Topics
  • Basic Concepts
  • Process Definition and Control
  • Process Application
  • Security Products
  • Some Issues

112
Basic Concepts
  • Definition: Life-Cycle Management (as it applies
    to Security) is the means of producing
    computer-related (usually system/software)
    products in a way that meets prescribed security
    assurance standards.
  • Closely allied to general standards. High-quality
    development (not particularly related to
    security) is most of what is required for
    high-assurance development.

113
Aspects of Process Definition
  • Development process characteristics
  • Covers the entire life cycle
  • General standardized processes
  • Security processes
  • Automation
  • E.g., computer-aided software engineering (CASE)
    tools
  • Some (Rational Rose) support all portions of the
    development process and use a standard modeling
    basis (UML)
  • Life-cycle accountability
  • Information management (configuration
    management, CM) for all development and
    operational artifacts
  • Ideal: integration of development and operational
    CM

114
Outcomes
  • Enforcement of the process is (obviously)
    critical
  • Can't (honestly) fix short-cuts after the fact

115
Security Standards for Development
  • Naval Research Laboratory Handbook for the
    Computer Security Certification of Trusted
    Systems
  • Goal is certification, but it is a good definition
    of the process
  • Capability Maturity Models (CMMs)
  • Software Engineering Institute's CMM for Software
    (SW-CMM) and for System Engineering (SE-CMM):
    http://www.sei.cmu.edu/sei-home.html
  • International Systems Security Engineering
    Association's (ISSEA's) Systems Security
    Engineering CMM (SSE-CMM): http://www.sse-cmm.org/
  • Integrated CMM (CMMI): CrossTalk article,
    http://www.stsc.hill.af.mil/crosstalk/2000/09/phillips.html

116
Security in the Development Process
  • Role of the Security Engineer
  • Close coordination with developers (e.g., IPTs)
  • Role of security process and products
  • Not separate
  • Instead, fully integrated cooperative, not
    adversarial
  • Security standards
  • Approval processes
  • Security products

117
Development Process Phases
  • Augmented Sources of Assurance (e.g., Modeling and
    Analysis)
  • Approval
  • Distribution/Installation/Configuration
  • Maintenance/Operation
  • Security: Maintain System Integrity (Periodic
    Testing)
  • Requirements Management
  • Design and Implementation
  • Verification
  • Security in Standard Forms of Vetting
  • Test: systematic collection, analysis, and
    evaluation
  • Analysis: evaluation using recognized analytical
    techniques
  • Inspection: physical examination or review of
    features
  • Demonstration: physical observation of events
  • Developer Interviews
  • Specific Security Testing (ST&E)
  • Penetration Testing

118
Development Process Phases
  • Requirements Management
  • Design and Implementation
  • Verification
  • Augmented Sources of Assurance
  • Approval
  • Distribution/Installation/Configuration
  • Maintenance/Operation

Spiral (diagram of the phases)
119
Approval Processes and Related Standards
  • Approval of Products: Evaluation
  • Common Criteria (and related protection profiles
    (PPs)): http://niap.nist.gov/
  • Orange Book/TCSEC (decommissioned) (RIP, but
    still among the living dead)
  • Approval of Systems: Certification and
    Accreditation; features, criticality, and process
  • DoDI 5200.40, DITSCAP Instruction Manual
    (decommissioned):
    http://www.dtic.mil/whs/directives/corres/html/85101m.htm
  • DoDI 8510.bb, DIACAP Guidance (Interim):
    http://iase.disa.mil/ditscap/interim-ca-guidance.pdf
  • DCID 6/3: Intelligence requirements and process
    (FOUO)
  • JAFAN 6/3: DoD Special Access requirements and
    process (FOUO)
  • NISPOM: Industrial Security requirements and
    process:
    http://www.dtic.mil/whs/directives/corres/pdf2/d85001p.pdf
  • Related Standards
  • DoD Directive 8500.2: IA Policies and
    Responsibilities:
    http://www.dtic.mil/whs/directives/corres/html/85001.htm
  • DoD Directive 8500.2: IA Implementation:
    http://www.dtic.mil/whs/directives/corres/html/85002.htm
  • IA Technical Framework (IATF): Applying IA
    Technology: http://www.iatf.net
  • NSA Consistency Instruction Manuals (Robustness
    Levels): strength and assurance:
    http://niap.nist.gov/pp/ci_manuals.html

120
Security Products
  • Security Documentation
  • Security-Related User, Administrator, and
    Maintainer Documentation
  • Standard
  • Security Features User's Guide (SFUG): User
  • Trusted Facility Manual (TFM): Administrator
  • Security Development Evidence (Part of C&A)
  • Level of Assurance Claimed
  • Specification of Development Requirements
  • Evidence That Requirements Were Met
  • Examples
  • Common Criteria: Security Target
  • DITSCAP: System Security Authorization Agreement
    (SSAA)
  • DIACAP: Many
  • JAFAN 6/3: Interconnection Security Agreement
    (ISA)

121
The Open-Source Debate
  • Pro
  • The More Exposure the Design Has, the More
    Flaws Will Be Eliminated
  • If Exposure Is Anticipated During Development,
    Higher Quality Will Result
  • Anyway, Design Information Will Eventually Be
    Compromised
  • Con
  • Don't Give Away the Crown Jewels! Knowledge of
    the Security Design Will Result in Many More
    Successful