Title: CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Overview
- Dr. Richard B. Neely, CISSP (rich.neely_at_cta.com)
- March 14, 2007
Warning About This Briefing
- This does not include all the detail of Domain 4!
- Not enough time for everything
- Some of this is my point of view
- But it does cover all the areas of Domain 4
- Therefore, base your study on other sources
Overview Topics
- Domain 4 Information Content Summary
- Relationship of Domain 4 to the Overall CBK
- Domain 4 Presentation Segments
Domain 4 Information Content Summary
This is the Junk Drawer: a very important location!
- Special technical security controls
  - In applications and data storage
- Software life-cycle controls
- Supporting mechanisms for security features in hardware and software
- Security threat focus areas
- Policies and security requirements
Domain 4 in the CBK
[Figure: pie chart of the ten CBK domains: 1 Access Control, 2 Networks, 3 Security Management, 4 Applications Development, 5 Cryptography, 6 Security Architecture, 7 Operations, 8 Business Continuity, 9 Law, 10 Physical; Domain 4's share of the exam is highlighted.]
Domain 4 Relationships Within the CBK
[Figure: the same ten domains, with Domain 4 connected to the others to show its relationships within the CBK.]
Domain 4 Presentation Segments
[Figure: the eight presentation segments: 1 Security Policy Allocation, 2 Special Policies, 3 General Threat Methods, 4 Malicious Logic, 5 Data Storage, 6 Special Architectures, 7 Support Mechanisms, 8 Life-Cycle Controls.]
Domain 4 in the Context of a Security Program
- Threats
  - Direct exploitation of flaws and vulnerabilities
  - System subversion: malicious logic, password cracking, etc.
  - Human exploitation: social engineering, hoaxes, etc.
  - Service targeting: denial of service, fraud/waste/abuse, etc.
  - Physical: theft, destruction, etc.
- Flaws and Vulnerabilities
  - Hardware
  - Software/firmware
  - Configuration
  - Procedural
- Security Controls
  - Drivers: legal, standards, enterprise, oversight, specification
  - Assurance: strengths, enforcement
  - Architectures: system, security
  - Safeguards: direct protection
  - Human: authorization, discipline, training
  - Operational: patches, configuration maintenance, incidents, intrusions, continuity
  - Physical: access control, media, EMSEC
  - Technical: authentication, access control, crypto
  - Life Cycle: configuration management, product review
[Figure: the eight segments placed around this content: 1 Security Policy Allocation, 2 Special Policies, 3 General Threat Methods, 4 Malicious Logic, 5 Data Storage, 6 Special Architectures, 7 Support Mechanisms, 8 Life-Cycle Controls.]
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 1: Policy Allocation to Applications
Segment 1 Topics
- Security Policies and Requirements
- Development of the Policy Enforcement View
- A Policy Enforcement Distribution Model
- An Important Aspect of Security Requirements
Security Policies and Requirements
- Security policies apply to enterprises and systems
- Security policies are allocated to subsystems and components via security requirements
- To decide:
  - How is a security policy broken out?
  - Which portions/aspects of a policy are allocated to which system elements?
  - How are those portions represented as security requirements?
Development of the Policy Enforcement View
- Pre-TCSEC (Orange Book): all policy enforcement was by the Security Kernel
- TCSEC
  - Expanded to the Trusted Computing Base (TCB); it was accepted that policy enforcement also occurred elsewhere
  - But no established model for enforcement distribution
- Common Criteria (CC)
  - A less monolithic view
  - Only one level of distribution specified
- An emerging view: full depth of distribution
A Policy Enforcement Full-Distribution Model
- Multiple Independent Levels of Security (MILS)
  - Developed and encouraged by NSA (particularly Mark Vanfleet)
  - Allows distribution of policy enforcement to all appropriate system elements (security functions)
  - Application of the principle of least privilege to security architecture
  - Now used on multiple current Air Force and joint programs
What MILS Looks Like
[Figure: MILS layering. A separation kernel at the bottom; above it, partitions each running a guest OS (e.g., VxWorks, Mac OS) with application middleware; applications at the top, each partition at a single level (SL): TS, S, C, or U.]
Policy Enforcers (Security Functions)
- Kinds
  - Self-enforcing (all, particularly applications)
  - Reference monitor (hardware, kernel, middleware, applications)
- Reference monitor characteristics: NEAT
  - Non-bypassable: cannot be ignored
  - Evaluatable: not too big/complex
  - Always invoked: satisfies its own policy
  - Tamperproof: protected by self / lower layers
An Important Aspect of Security Requirements
- Two kinds of security requirements (basic to the CC)
  - Functional requirements
  - Assurance requirements
- An effective security policy addresses both
- Both must be allocated to requirements levied on each security function
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 2: Security Policies Across Multiple Enterprises
Segment 2 Topics
- What Is an Enterprise?
- Example
- Agreement Forms
- Examples of Policy Relationships
What Is an Enterprise?
- Many definitions, but usually a center of decision making and financial accountability
  - Commercial enterprise (e.g., corporation)
  - Military command
- Sometimes (as in this briefing) an extended meaning
  - Any distinguishable organization and related (technical) entities
  - Something you can rationally draw a boundary around
- Examples
  - Provider of (computational) services
  - Developer/deployer/configurer of applications or systems
  - Deployment sites
- Key Point: each enterprise has (better have!) its own security policy
An Example of the Concept
[Figure: two overlapping enterprise boundaries, Enterprise A (Defense Finance Accounting Service, DFAS) and Enterprise B (Defense Mega-Center, DMC), with the intersection labelled "Overlapping Concerns".]
Forms of Agreements
- Not just security: security is often embedded in more general agreements
- Other terms
  - Letter of Agreement (LOA)
  - Memorandum of Agreement (MOA)
  - Memorandum of Understanding (MOU)
  - Service Level Agreement (SLA)
  - Statement of Intent (SOI)
- In general, semantically interchangeable
- Enterprises have preferences
Examples of Policy Relationships
- A: Deployed Application; B: Computational Infrastructure
  - A Policy: shall not compromise B's (security) operations
  - B Policy: shall meet A's (security) requirements
  - Example: DFAS/DMC
- A: Developed (COTS) Application; B: System in Which A Is Integrated
  - A Policy: shall meet specified security requirements
  - B Policy: shall meet A's environmental assumptions
  - Example: high-assurance DBMS in a military compartmented-mode system
- A: Type-Accredited System; B: Site Accreditation for Deployment of A at a Site
  - A Policy: shall satisfy specified security requirements given a proper environment
  - B Policy: shall satisfy environment constraints
  - Example: GCCS type accreditation and AFSPACECOM GCCS site accreditation
Sample Questions
- LOA, MOA, and MOU are
  - three forms of governing regulations
  - three substantially different forms of agreement
  - three similar forms of agreement
  - three Hawaiian volcanoes
- Agreements among multiple enterprises are the greatest challenge when
  - the enterprises are entirely independent
  - the enterprises have a common area of concern
  - one enterprise is internal to another
  - the enterprises are co-extensive
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 3: General Threat Methods
Segment 3 Topics
- General Information on Security Threats
- Focus on the CBK's Key Areas of Knowledge: Methods of Attack
- Creates a Setting for Application-Oriented Threats
A Threat Taxonomy
Achieving Unauthorized Access
- Password attacks
  - Brute force/exhaustive
  - Dictionary/context attacks
    - May be real words, user ids, related info
    - Can involve various modifications
- Spoofing/masquerading: imitating legitimate information/components/persons to gain access
  - IP spoofing: makes the source look legitimate (not possible for many attacks, those requiring a response)
  - Authenticator masquerades: false login
- Social engineering
Resource Attacks
- Denial of Service: prevention or delay of access to information assets or services
  - Ping of Death: crashes servers by sending invalid IP ping packets
  - Distributed: e.g., February 2000 Yahoo attack
  - Flooding: overwhelming with transmissions
- Malicious logic causing false negatives in access control
- Cache cramming: sidestepping Java's security model by inserting code in the execution cache
Malicious Logic (Details in Segment 4)
- Alteration of authorized code
- Hidden code (e.g., Trojan horse)
- Logic bomb
- Trap door
Exploitation of Communications
- Remote maintenance
  - A potentially high-exposure threat source
  - By authorized personnel: less accountability
  - By unauthorized personnel
    - Capturing system and authentication information
    - Posing as maintainer
- Traffic analysis
  - Even though data is encrypted, traffic attributes (sources, destinations, frequency, etc.) are visible
  - Tunneling technology is a countermeasure
Direct Exploitation of Authorization
- Snooping
  - Undirected search through authorized information storage; information for which the snooper is unauthorized may have been inadvertently placed there.
  - Dumpster diving is a physical form of this.
- Inference
  - Obtaining information for which access is not authorized by performing deductions on information for which access is authorized.
  - Normally performed in the context of a database.
  - This is NOT the same as aggregation.
    - With inference one infers, i.e., performs a deduction.
      - In a bank, as a junior teller (1) I am not permitted to know that a particular customer is in the preferred category. (2) I am permitted to know the entire list of customers. (3) I am permitted to know that a particular customer is not preferred.
      - Then, by inference, I know that a customer on the entire list who is not on the non-preferred list is preferred, which I am not allowed to know.
    - With aggregation, one simply has. E.g., http://eserver.org/poetry/paul-revere.html, Henry Wadsworth Longfellow:
      - Item 1: "One if by land, and two if by sea"
      - Item 2: "A second lamp in the belfry burns"
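The teller example above, worked as an inference-control check (added example; not part of the original briefing). The customer table, the query names and the guard itself are constructed for the demonstration: the guard refuses to release any result that, combined with results the same requester already holds, would determine the protected fact for a customer the requester knows about.

```python
"""
Inference-control guard for the junior-teller example (added example; not part of the
original briefing). The requester may see the full customer list and the list of
non-preferred customers, but must never be able to deduce that a customer IS preferred.
Before releasing a result the guard replays everything already released to the same
requester and refuses if the new result would pin down the protected value for any
customer the requester knows about. Table, query names and guard are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed customer table; "preferred" is the protected attribute.
CUSTOMERS = {
    "c001": {"name": "Adams", "preferred": True},
    "c002": {"name": "Baker", "preferred": False},
    "c003": {"name": "Clark", "preferred": True},
    "c004": {"name": "Davis", "preferred": False},
}
PROTECTED_ATTR = "preferred"
PROTECTED_VALUE = True   # the teller may learn "not preferred", never "preferred"


@dataclass(frozen=True)
class Query:
    """A row filter over non-protected columns plus an optional equality constraint
    on the protected attribute (None means the query does not touch it)."""
    name: str
    row_filter: Callable[[dict], bool]
    protected_eq: Optional[bool]

    def run(self, table: dict) -> frozenset:
        return frozenset(
            cid for cid, row in table.items()
            if self.row_filter(row)
            and (self.protected_eq is None or row[PROTECTED_ATTR] == self.protected_eq)
        )


@dataclass
class Release:
    query: Query
    ids: frozenset


@dataclass
class InferenceGuard:
    table: dict
    released: list = field(default_factory=list)

    def _possible_values(self, cid: str, releases: list) -> set:
        """Protected values for cid consistent with every release. For a constrained
        query, a row matching the filter is in the result iff its protected value
        equals the constraint; an unconstrained query says nothing about it."""
        row = self.table[cid]
        possible = set()
        for v in (True, False):
            consistent = True
            for rel in releases:
                q = rel.query
                if q.protected_eq is None or not q.row_filter(row):
                    continue
                if (cid in rel.ids) != (v == q.protected_eq):
                    consistent = False
                    break
            if consistent:
                possible.add(v)
        return possible

    @staticmethod
    def _known_rows(releases: list) -> set:
        """The requester can only reason about customers seen in some result."""
        known = set()
        for rel in releases:
            known |= rel.ids
        return known

    def request(self, query: Query) -> Optional[frozenset]:
        """Release the result, or return None if doing so would complete an inference."""
        candidate = Release(query, query.run(self.table))
        trial = self.released + [candidate]
        for cid in self._known_rows(trial):
            if self._possible_values(cid, trial) == {PROTECTED_VALUE}:
                return None   # the requester could now deduce a preferred customer
        self.released.append(candidate)
        return candidate.ids


def teller_scenario() -> dict:
    """The slide's steps (2) then (3): the second request is what completes the
    inference, so it is the one refused. In the other order the full list is refused."""
    guard = InferenceGuard(CUSTOMERS)
    return {
        "all_customers": guard.request(Query("all_customers", lambda r: True, None)),
        "non_preferred": guard.request(Query("non_preferred", lambda r: True, False)),
    }
```

The guard is exact only under this closed-world model (one boolean protected attribute, exact result sets); real inference control over aggregates and statistical queries is much harder.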
Active Defenses
- Pseudo-flaw: an apparent vulnerability deliberately set up to trap attackers.
- Honey pot: spoofing on the defense side; a server in front of the real one traps or sidetracks attackers
Two Key Component Flaws
- Characteristics
  - Where: operating systems, DBMSs, communications protocols
  - Functional flaws and security vulnerabilities
- (1) Time of check/time of use (TOC/TOU)
  - Operating systems: this can occur in the context of interrupt handling and privileged instruction execution
  - Database management systems: flawed locking mechanism
- (2) Buffer overflow
  - Excess data interpreted as instructions
  - One example: overlarge passwords
  - Probably the most common flaw
Another Threat Categorization: Level of Sophistication
- Categories
  - Inexperienced / Basic Skills
    - Example: the February 2000 distributed denial of service (DDOS) attack was perpetrated by non-experts guided by a self-styled expert
  - Expert Groups
    - Nation-states and sophisticated terrorists will be more subtle and more dangerous
    - Will come in under the radar
    - Stakes are higher
(Slide annotation: "Will?")
Sample Questions
- A pseudo-flaw is
  - an apparent loophole deliberately implanted in an operating system program as a trap for intruders.
  - an omission when generating pseudo-code.
  - used for testing for bounds violations in application programming.
  - normally generates a page fault, causing the system to halt.
- In an inference attack
  - Excessive access authorization is granted to the attacker.
  - Information to which access is granted is under-classified.
  - The attacker discovers information not authorized from authorized information.
  - A logical fallacy has occurred.
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 4: Malicious Logic
Segment 4 Topics
- What Is Malicious Logic?
- Types of Malicious Logic
- Development, Dissemination, and Actions
- Prevention
- Recovery
Much of this material is derived from a briefing by Rich Cox.
What Is Malicious Logic?
- Definition: any set of instructions to be interpreted in the context of a computer system, intended for a malicious result
- Several major categories
  - Virus is just one category, though this term is often used more generally
  - Categories tend to be overlapping
- A major attack type
Modes of Malicious Logic
- NOTE: not limited to software; this is any form of interpretable instructions
- Not necessarily distinguishable from data
- Hardware interprets object code
- Interpreter interprets source code (in the case of Java, interprets compiled bytecode)
- Word/Excel/etc. interpret macros
- Web browsers interpret HTML, JavaScript
- The above and other entities as e-mail attachments: note the risk of automatic opening of attachments, including embedded attachments and the preview pane in MS Outlook
Key Attributes of Malicious Logic
- Means of infection (how and where it gains new footholds)
- Means of propagation (how it replicates)
- Payload (what it does, particularly destructive behavior)
Types of Malicious Logic
- Not a standard/consistent set of definitions/categories
- Definitions overlap
- Common terms
- Trap doors
- Trojan horses
- Time or logic bombs
- Worms
- Decoys
- Viruses
Types: A Venn Diagram of Irregular Logic (My Terminology)
[Figure: Venn diagram of overlapping categories within "irregular logic".]
Types of Malicious Logic
- Trap Doors / Back Doors
  - Installed by developers or maintainers to bypass normal security controls
  - Purpose is unauthorized access, with no harm intended, but...
- Trojan Horses
  - Created as part of an otherwise useful application, often well known
  - Can do just about anything, typically privileged
Types of Malicious Logic
- Time or Logic Bombs
  - Waits for a particular time (e.g., Friday the 13th)
  - Or a particular event (e.g., 99th time a program is executed)
  - Could be a form of terrorism
  - Sometimes intended to cause embarrassment for a political statement
  - In the future, may be a method of international blackmail
Types of Malicious Logic
- Worms
  - Network oriented: uses network platforms for propagation (infects at the platform level)
  - Started as benign tools for network management
  - Morris Worm (1988) is the most well known
- Decoys
  - A form of spoofing
  - E.g., duplicates normal login sequence, recording password
Types of Malicious Logic: Viruses
- Most commonly/popularly known type
- What they do
  - Infect: embed in elements of a system
  - Propagate: pass the infection on
  - Payload: data compromise, corruption, deletion, subverting systems
Locations of Virus Embedding
- General areas
  - Physical memory (use the Terminate and Stay Resident, TSR, property)
  - System areas of hard or removable disks (boot records)
  - Executables (object code): .com, .exe, .dll, etc.
  - Macros: thousands of these, across platforms
  - Scripts (.sys, .prg, etc.)
Detection Avoidance
- Stealth viruses
  - Hide modifications by forging results to system functions
- Polymorphic viruses
  - Rewrite encrypted, fully functional copies of themselves
  - Scanners could search for the decryption key
  - Whale uses multiple encryption schemes
Virus Payloads
- Overlap other kinds of malicious logic
  - Some have time/logic bomb characteristics (Jerusalem: Friday the 13th)
- Early viruses infected Microsoft products
  - Many thousands of these, most not in the wild
  - Fewer than 100 cause most infections
- More recently, infections on all platforms, using higher-level implementations, such as macros
Hoaxes
- Many (mostly virus) hoaxes
  - Effectively result in organizational denial of service and wasted resources
  - Often in the form of "don't open such-and-such e-mail"
- Until recently, opening a message was risk-free
  - Now, e-mail shells have gotten more sophisticated
  - Many of these can be configured for safety
- Deal with hoaxes (and viruses) by informing the security incident organization, not other users (otherwise it becomes a human denial of service!): n vs. n²
Specific Sources
- Inadvertent
  - Failure to use virus checker at home
  - Work at home, bring floppy to work
- Deliberate
  - Insider: use access to install virus
  - Outsider: use network connections and web site access
  - Need not be expert or programmer; many virus cookbooks and toolkits on underground sites
  - Once released, operate without human intervention
Prevention and Response
Concept: Negative Return on Non-Investment
An Ounce of Prevention Is Worth a Pound of Cure
Means of Prevention
- Management
  - Effective policies in place
  - User and expert training
  - Accountability/enforcement
  - Security staff: advisory, incident response
- Operational
  - #1: Make Backups!
    - Multiple generations (may be infected)
    - Off-site storage
    - Test
  - Use anti-virus software, available and up to date
    - Always some false positives/negatives
    - Always out of date: update constantly
  - Prepare for response
    - Make emergency boot and utility diskettes
    - Best to use a utility for this, such as Norton
    - Set to boot from diskette
Recovery
- If you see evidence of malicious logic
  - Turn off computer
  - Don't do anything else!
  - Get an expert (your organization should have an incident response team)
  - Remember, other systems could be infected; provide warning (through the incident response team)
Sample Questions
- A virus
  - can only be executable code.
  - can only be executable code or macros.
  - is the first form of life created by humans, and is malicious. (See me after class for further philosophical discussion.)
  - can be difficult to distinguish from data.
- The most important operational preventive measure against malicious logic is
  - anti-virus software
  - user training
  - backups
  - emergency boot disks
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 5: Security Issues and Controls for Data Storage
Segment 5 Topics
- Data Storage Infrastructures
- Databases and Security
- Database Concepts and Models
- Security Basis
- Relational Databases
- Object-Oriented Databases
- Bigger Picture Data Warehousing and Data Mining
Data Storage Infrastructure Concepts
- Real/physical memory (PM) vs. virtual memory (VM)
  - OS instantiates multiple VM instances from PM
  - OS implements a security model that isolates VM instances
  - Inter-VM references via OS requests, filtered by the OS
- Volatile vs. persistent storage
  - Require different security rules
  - E.g., loss of power erases volatile memory (e.g., RAM)
  - Typically, primary storage is volatile, secondary is permanent
- Random vs. sequential (tape) access
  - Different organizations
  - OS isolation can be used to implement a security model for each
Databases and Security
- About Databases
- Security Basis
- Relational Databases
- Object-Oriented Databases
- Bigger Picture Data Warehousing and Data Mining
About Databases
- A database is a consistently structured collection of data
  - Usually intended for sharing
  - Often distributed
- Managed by a database management system (DBMS)
  - Supports sharing via locking portions of the database (records, tables, etc.) against either reading or writing
  - May support distribution through replication
  - Supports recovery in case of partial or complete loss (e.g., snapshot, replay of transactions)
About Databases (2)
- Data representation
  - Physical: implementation on underlying HW/OS system(s)
    - OS reserves a block of space (sectors) on secondary storage
    - DBMS is privileged for the block of space
    - Dedicated database machines
  - Logical
    - Implemented on the physical representation
    - User view of data structures based on data models
- Several data models
  - Hierarchical (CODASYL): crawl along a tree
  - Relational: based on tables, derived structures, and operations
  - Object-oriented: based on classes, instances, and operations
About Databases (3)
- DBMSs normally support these functions
  - Data definition
  - Data manipulation
  - Query interpretation
  - Report generation
  - Each function is supported by a specialized language
- Levels of normalization
  - There are several levels of normalization; the first three are most often used: http://dev.mysql.com/tech-resources/articles/intro-to-normalization.html
  - Normalization provides robustness and sometimes security
  - For security, normalization (and the supporting DBMS) should provide referential integrity, i.e., assuring that references make sense relative to table relationships.
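Referential integrity as a security property, shown with SQLite (added example; not from the briefing). The schema and rows are constructed; the point is that the same FOREIGN KEY clause accepts a dangling reference and an orphaning delete when the DBMS is not enforcing it, and rejects both when it is, so the assurance comes from the enforcing DBMS rather than from the schema text.

```python
"""
Referential integrity as a security property (added example; not from the briefing).
The slide says normalization and the supporting DBMS should assure that references
"make sense". With SQLite the same schema accepts a dangling reference and an
orphaning delete when foreign-key enforcement is off, and rejects both when it is on;
the assurance comes from the DBMS enforcing the constraint, not from the schema text.
Schema and rows are constructed for the demonstration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    id   TEXT PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE accounts (
    acct_no     TEXT PRIMARY KEY,
    customer_id TEXT NOT NULL REFERENCES customers(id) ON DELETE RESTRICT,
    balance     INTEGER NOT NULL
);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    """Fresh in-memory database. SQLite checks FOREIGN KEY clauses only while the
    per-connection PRAGMA is on; it is off by default."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES ('c001', 'Adams')")
    conn.execute("INSERT INTO accounts VALUES ('A-1', 'c001', 500)")
    return conn


def audit_orphans(enforce_fk: bool) -> dict:
    """Attempt two reference-breaking writes, then count accounts with no owner."""
    conn = open_db(enforce_fk)
    outcome = {"dangling_insert_accepted": False, "orphaning_delete_accepted": False}
    try:
        # An account for a customer that does not exist.
        conn.execute("INSERT INTO accounts VALUES ('A-9', 'ghost', 100)")
        outcome["dangling_insert_accepted"] = True
    except sqlite3.IntegrityError:
        pass
    try:
        # Deleting the owner would leave A-1 pointing at nothing.
        conn.execute("DELETE FROM customers WHERE id = 'c001'")
        outcome["orphaning_delete_accepted"] = True
    except sqlite3.IntegrityError:
        pass
    # Two audits a DBA can run regardless of the enforcement setting.
    outcome["orphaned_accounts"] = conn.execute(
        "SELECT COUNT(*) FROM accounts a LEFT JOIN customers c ON c.id = a.customer_id "
        "WHERE c.id IS NULL"
    ).fetchone()[0]
    outcome["fk_check_violations"] = len(conn.execute("PRAGMA foreign_key_check").fetchall())
    conn.close()
    return outcome
```

`PRAGMA foreign_key_check` reports existing violations even when enforcement is off, which makes it a useful periodic integrity audit for databases populated by older connections or bulk loads.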
Security Approaches for Databases: Security Is Dependent on
- Hardware and software (OS) infrastructure
  - Protects DBMS and database from interference
  - Selectively provides/delegates appropriate privileges and controls to the DBMS
- Security features and assurance of the DBMS
  - Functional security constraints (access control)
  - Security as part of interface language, data model, and operations
  - Appropriate level of DBMS and data model development assurance
Security Basis: Access Control Modes, Objectives
- Discretionary Access Control (DAC)
  - Used for need-to-know
  - Access decisions based on
    - User identity and authorizations/privileges
    - Permissions (access control list) associated with resources
- Mandatory Access Control (MAC)
  - Used for classified data access
  - Access decisions based on
    - User identity and clearance
    - Data classification represented by sensitivity labels
  - Should provide higher assurance: more costly, often impacts performance
  - Sometimes MAC features are provided without enhanced assurance: TCSEC (Orange Book) allowed this at B1; a Common Criteria protection profile could specify this
- Security objectives
  - Availability (protect against denial of service)
  - Data confidentiality and integrity (in terms of both DAC and MAC)
Relational Database Characteristics: Basic Concept: Table
[Figure: a table, with one Field (Cell) highlighted.]
Relational Database Characteristics: Derived Concept: View (from Query)
[Figure: example table "Directory" with columns Name, Phone, Addr., etc., and an Index; a view is derived from it by a query.]
Query Languages Are Used to Specify Views; Most Common is Standard Query Language (SQL)
Relational Database Security
- Classification (expressed as sensitivity label) at view, record, or field level
- View access decision based on view classification
  - Can be implemented internally (representationally)
  - Can be implemented by modifying the query that generates the view (not supported by SQL)
- Distinguish between
  - Features: e.g., sensitivity labels and view-based classification decisions
  - Assurance: how much architects and developers provide a convincing argument that those features are reliable
Front-End Security Add-ons May Fail to Do This
Object-Oriented Database Characteristics: Basic Concepts: Class, Instance
- Class works like a relational table
  - Also has attributes that work similarly
- Instance works like a record
  - Class treated as a template
- Object is class or instance
- More flexible operations
  - Based on methods of a class; know about referenced instances, like overloading
- Inheritance relates nested classes: an "is a" relationship
- Class concept supports information hiding: attributes may be public or private
OODBMS Security Models: DAC
- ORION: explicit authorizations
  - Positive and negative authorizations explicitly allow and deny access to an object
  - Based on explicit authorizations provided to each group of users; implements access control lists (ACLs)
  - Supports role-based access control (RBAC)
- Data Hiding Model
  - Distinguishes between public and private methods
  - Based on authorizations for particular users to execute methods on particular objects
OODBMS Security Models: MAC
- SORION Model
  - Extends ORION model to encompass MAC
- Millen-Lunt Model
  - Similar to SORION
  - Classifies information into three different levels
    - The data itself is classified.
    - The existence of the data is classified.
    - The reason for classifying the info is also classified.
OODBMS Security Models: MAC (2)
- Secure Object-Oriented Data Base (SODA)
  - Benchmark OO model to which other models are compared
  - Important concept: polyinstantiation
    - Information is multiply instantiated for different security levels
    - Value: this is a solution to the multiparty update conflict, which results in compromise
    - Data consistency is a challenge, similar to that of replication for distributed databases
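Two of the slides above worked in SQL (added example; not from the briefing and not the behaviour of any real MLS DBMS): the Relational Database Security slide's "view access decision ... implemented by modifying the query that generates the view", and SODA's polyinstantiation, where a key holds one instance per security level. Plain SQLite stands in for a labelled DBMS, so the filter lives in a front-end and carries only that front-end's assurance, which is exactly the slide's caveat about front-end add-ons; the table, levels and rows are constructed.

```python
"""
Label-based views and polyinstantiation in SQL (added example; not from the briefing
or from any real MLS DBMS). It works two slides' ideas: a view access decision made by
"modifying the query that generates the view", and SODA's polyinstantiation, where a
key may hold one instance per security level. Plain SQLite stands in for a labelled
DBMS, so the filter lives in a front-end and has only that front-end's assurance (the
slide's caveat about front-end add-ons). Table, levels and rows are constructed.
"""
import sqlite3

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

# The key is (name, label): the same name may exist once per level with different data.
SCHEMA = """
CREATE TABLE directory_base (
    name  TEXT    NOT NULL,
    phone TEXT    NOT NULL,
    label INTEGER NOT NULL CHECK (label BETWEEN 0 AND 3),
    PRIMARY KEY (name, label)
);
"""
SEED = [
    ("Adams", "555-0100", LEVELS["U"]),
    ("Baker", "555-0199", LEVELS["S"]),   # exists only at SECRET
    ("Clark", "555-0142", LEVELS["U"]),
    ("Clark", "555-0777", LEVELS["TS"]),  # TS instance carrying a different phone
]


def open_session(conn: sqlite3.Connection, clearance: str) -> None:
    """Install the per-session view 'directory' that users query instead of the base
    table. The clearance is resolved to an integer here, never spliced in as user
    text, and the view shows for each name only the highest instance the session
    is cleared for."""
    level = LEVELS[clearance]
    conn.execute("DROP VIEW IF EXISTS directory")
    conn.execute(
        "CREATE TEMP VIEW directory AS "
        "SELECT b.name, b.phone, b.label FROM directory_base b "
        f"WHERE b.label <= {level} AND b.label = ("
        f"  SELECT MAX(x.label) FROM directory_base x "
        f"  WHERE x.name = b.name AND x.label <= {level})"
    )


def lookup(conn: sqlite3.Connection, clearance: str, name: str):
    open_session(conn, clearance)
    row = conn.execute("SELECT phone FROM directory WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def visible_count(conn: sqlite3.Connection, clearance: str) -> int:
    open_session(conn, clearance)
    return conn.execute("SELECT COUNT(*) FROM directory").fetchone()[0]


def insert_as(conn: sqlite3.Connection, clearance: str, name: str, phone: str) -> str:
    """A user writes at their own level. If the key already exists only at a higher
    level, answering 'duplicate key' would disclose that; because the label is part
    of the key, the row is polyinstantiated instead. A clash at the user's own level
    is visible to them and may be reported."""
    try:
        conn.execute("INSERT INTO directory_base VALUES (?, ?, ?)",
                     (name, phone, LEVELS[clearance]))
        return "inserted"
    except sqlite3.IntegrityError:
        return "exists at your level"


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO directory_base VALUES (?, ?, ?)", SEED)
    out = {
        "U sees Baker": lookup(conn, "U", "Baker"),      # None: existence hidden
        "S sees Baker": lookup(conn, "S", "Baker"),      # 555-0199
        "U sees Clark": lookup(conn, "U", "Clark"),      # 555-0142
        "TS sees Clark": lookup(conn, "TS", "Clark"),    # 555-0777, the highest instance
        "U count": visible_count(conn, "U"),             # 2: Adams and Clark only
    }
    # Multiparty update conflict: an UNCLASSIFIED clerk adds Baker. Rejecting the write
    # would confirm a SECRET Baker exists; polyinstantiation accepts it at U instead.
    out["U inserts Baker"] = insert_as(conn, "U", "Baker", "555-0001")
    out["U sees Baker after"] = lookup(conn, "U", "Baker")   # 555-0001
    out["S sees Baker after"] = lookup(conn, "S", "Baker")   # 555-0199, unchanged
    # The price is consistency: two Baker rows now hold different phones.
    out["instances of Baker"] = conn.execute(
        "SELECT COUNT(*) FROM directory_base WHERE name = 'Baker'").fetchone()[0]
    conn.close()
    return out
```

Nothing here stops a session from querying `directory_base` directly; in a real deployment the DBMS's own privilege controls must deny that, which is the features-versus-assurance distinction the slides keep returning to.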
A Bigger Picture: Data Warehousing and Data Mining
- Data warehousing
  - Managed data situated after and outside operational systems
  - Security challenges: multiple sources, lack of operational integration, logical and physical transformations
- Data mining
  - Process of automatically finding patterns and relations in large databases
  - Similar security challenges
  - Security agent (bot) approaches have merit
- For any security solutions (I repeat), it is necessary to distinguish between Features and Assurance
Sample Questions
- In SQL (sic) where is the actual data stored
  - Views
  - Tables
  - Schemas and sub-schemas
  - Index-sequential tables
- A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide
  - content-dependent access control
  - context-dependent access control
  - least privileges access control
  - ownership-based access control
Sample Questions
- Which of the following is commonly used for retrofitting multilevel security to a database management system?
  - trusted front-end
  - trusted back-end
  - controller
  - kernel
CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 6: Special Application Architectures
Segment 6 Topics: Security-Related Implications of
- Module Interaction
- Distributed Application Architectures
- Fourth-Generation Applications: Information-Oriented Architecture
- Fifth-Generation Applications: Knowledge-Based Architecture
Module Interaction
- Module relationships
  - High cohesion: performance of a single function with minimal external interaction
  - Low coupling: minimally affecting the behavior of other modules
- Inter-module communication
  - Component Object Model (COM): architecture for IPC
    - DCOM: distributed; synchronization, translation, etc.; globally unique identifier (GUID)
    - Distributed Computing Environment (DCE): from OSF (protocol layer); universal unique identifier (UUID)
  - Object Linking and Embedding (OLE)
    - Embedding objects into other objects (documents or programs)
    - Program-into-program linking, plug-ins
  - Dynamic Data Exchange (DDE): sharing data via IPC
Distributed Application Architectures
- Distributed architecture viewed as layered protocols
  - Lowest: Communications Infrastructure
  - Then: Distribution Mechanism
  - Highest: Seamless Application View
- Examples
  - Distributed environment
    - Resources distributed, specific location transparent
    - Abstract client-server view
    - Example: CORBA (Distributed Object-Oriented Model); associated security service: CORBASEC
  - Portable applications
    - Hardware (even OS) independence
    - Infrastructure (e.g., vendor) extensibility
    - Example: Java based
  - Recent focus: application service providers (ASPs)
- In all cases, we are interested in security services
Portable Applications: Agents
- Surrogates used in a distributed environment that operate on behalf of a user or application
  - Example: personal data mining on the web
    - Google bots
    - CNN e-mail alerts
  - Platform or mobile
  - Example: security policy servers
91 Portable Applications: Applets
- Small programs residing on a host computer that are downloaded to a client computer to be executed
- Languages
  - Java: Object-oriented programming language
    - Developed by Sun Microsystems
    - Compiles into byte code for portability, with client-side interpreter
    - Interpreter enforces strict security model (sandbox) for applets
    - Over time, many holes found and fixed; new features, new holes
  - JavaScript: Subset of Java for embedding in HTML
  - ActiveX: Microsoft's version of Java; stripped-down OLE functionality
92 Security Services Are Not Enough
- Services/features may be provided without sufficient (or any) assurance.
  - E.g., CORBASEC provides security features, but rides on the humongous ORB, which is unverifiable.
- Because of this, and because infrastructures are often forgotten once in place (out of sight, out of mind), security is often weak in distributed environments.
93 Fourth-Generation Applications: Data-Oriented Architecture
- A different point of view regarding databases
  - Databases have been considered merely a data infrastructure.
  - Fourth-generation architecture views that infrastructure as an abstraction layer.
- Different computational model from the traditional
  - Third-generation model describes algorithms procedurally (directions for doing something).
  - Fourth-generation is specification-oriented (what is to be done).
  - Fourth-generation often uses query languages.
  - Brings solution space closer to problem space; reduces flaw risk.
- Security features must fit this model.
  - E.g., query filtering / view filtering
- Assurance with this architecture is based on DBMS assurance.
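Added example, not from the seminar slides: view filtering in a data-oriented architecture, where the DBMS (here SQLite) applies the security filter through a per-clearance view and the front-end only chooses which view to query. The table, labels and names are constructed sample data.

```python
import sqlite3

# Constructed sample clearance ladder (hypothetical, not from the slides).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


def build_db():
    """Create a labelled base table plus one filtering view per clearance."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE personnel (name TEXT, role TEXT, label TEXT)")
    con.executemany("INSERT INTO personnel VALUES (?, ?, ?)", [
        ("alice", "analyst", "SECRET"),
        ("bob", "clerk", "UNCLASSIFIED"),
        ("carol", "engineer", "CONFIDENTIAL"),
    ])
    # Each view exposes only rows whose label is at or below the clearance.
    # View and label names come from the fixed LEVELS dict, never from user
    # input, so building the SQL text here is safe.
    for level, rank in LEVELS.items():
        visible = [l for l, r in LEVELS.items() if r <= rank]
        labels = ", ".join(f"'{l}'" for l in visible)
        con.execute(
            f"CREATE VIEW personnel_{level} AS "
            f"SELECT name, role FROM personnel WHERE label IN ({labels})"
        )
    return con


def query_personnel(con, clearance):
    """Trusted front-end: the caller names a clearance, never a table.
    The request is routed to the matching view, so the row filter is
    enforced by the DBMS rather than by application code."""
    if clearance not in LEVELS:
        raise PermissionError(f"unknown clearance {clearance!r}")
    rows = con.execute(f"SELECT name FROM personnel_{clearance} ORDER BY name")
    return [r[0] for r in rows]
```

Because assurance rests on the DBMS, the base table must not be reachable except through these views; the clearance check above is the only application-side decision.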
94 Fifth-Generation Applications: Knowledge-Based Architecture
- Elements
  - Knowledge base, in the form of rules and rule structures
  - Inference engine
    - Interprets rules
    - Applies rules to available information
  - Development/operational shells allow convenient development of useful software (typically GUI based)
- Benefit: rule-based computational model puts solution space very close to problem space
- Security
  - Rule basis allows clear implementation of security model
  - Can define special security rules
  - Big assurance problem
95 Special Forms of Knowledge-Based Architectures
- Neural networks
  - Also termed artificial neural networks
  - Infrastructure is many neurons, analogous to those in the brain
    - In effect, many small inference engines
  - Network composed of directed links, with one neuron firing another
  - Rules facilitate learning within an application
- Expert systems
  - Rules are used to emulate the knowledge of an expert
- Fuzzy logic
  - Infrastructure uses probabilistic distributions rather than binary values for truth values
  - Allows more realistic implementations of knowledge
96 Sample Questions
- Which of the following is an advantage of using a high-level programming language?
  - It decreases the total amount of code written.
  - It allows programmers to define syntax.
  - It requires programmer-controlled storage management.
  - It enforces coding standards.
  - It brings the solution space closer to the problem space.
- Which of the following is often the greatest failing of distributed system management solutions?
  - scalability
  - security
  - heterogeneity
  - synchronization
99 Sample Questions
- Which of the following is commonly used for adding security after development to database management systems?
  - trusted front-end
  - trusted back-end
  - controller
  - kernel
- Which of the following uses the concept of a sandbox?
  - CGI scripts
  - applets
  - Java
  - ActiveX
102 CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 7: Support Mechanisms for Technical Controls
103 Segment 7 Topics
- Basic Security Principles
- Infrastructure Mechanisms
- Levels of Trust in a System
104 Security Principles
- Separation of Privileges (based on isolation)
- Least Privilege
  - People, computational entities
- Accountability (using authentication & auditing)
- Primarily supported by infrastructure
105 Infrastructure Mechanisms
- Abstraction: layering and data hiding
- Reference monitor (implementation of reference validation mechanism)
  - What it does
    - Access control
    - Flow control filters: routers, firewalls
  - What it's like
    - Hardware: memory domains/segments, privileges, etc.
    - Operating system: special operations via privileged instructions
      - Lowest layer: security kernel
    - Middleware: e.g., DBMS, special security mechanisms
- Isolation of processes
  - Allows reference monitors to be effective
  - Part of, or all of, kernel
- Levels of security audit: supports accountability
  - OS, middleware, privileged applications
  - Tracks security events
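Added example, not from the seminar slides: a minimal reference monitor that mediates every subject-to-object access against an explicit least-privilege policy and writes an audit event for each decision, which is the accountability support this slide describes. The policy, subjects and object names are constructed sample data; the tamperproof and always-invoked properties are assumed to be supplied by the surrounding kernel or middleware, which this code does not model.

```python
from dataclasses import dataclass, field

# Constructed least-privilege policy (hypothetical subjects and objects):
# each (subject, object) pair lists only the operations that subject needs.
POLICY = {
    ("alice", "payroll.db"): {"read"},
    ("backup", "payroll.db"): {"read"},
    ("payroll_app", "payroll.db"): {"read", "write"},
}


@dataclass
class ReferenceMonitor:
    """Mediates access requests and records every decision.

    Isolation (callers cannot reach the store except through access()) is
    assumed to be enforced by the infrastructure hosting this monitor."""
    policy: dict
    audit_log: list = field(default_factory=list)

    def check(self, subject, obj, op):
        """Reference validation: allow only what the policy grants explicitly."""
        allowed = op in self.policy.get((subject, obj), set())
        # Audit both outcomes; denied requests are the interesting security events.
        self.audit_log.append({
            "subject": subject, "object": obj, "op": op,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def access(self, subject, obj, op, store):
        """The single path to the protected objects in `store`."""
        if not self.check(subject, obj, op):
            raise PermissionError(f"{subject} may not {op} {obj}")
        if op == "read":
            return store.get(obj)
        store[obj] = f"written by {subject}"
        return store[obj]


def denied_events(monitor):
    """Extract the denied-access events an auditor would review."""
    return [e for e in monitor.audit_log if e["decision"] == "DENY"]
```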
106 Levels of Privilege in a System
- Implemented by the infrastructure
  - Ring architecture (e.g., Multics)
  - Simpler modes of operation
    - Supervisor, User
- Specific targets
  - Local OS
  - Database
  - Network management
107 Sample Questions
- In an on-line application system, erroneous or invalid transactions that are detected by the program should be
  - dropped from processing.
  - processed after the program makes adjustments.
  - written to a report and reviewed.
  - corrected and reprocessed.
- A reference monitor
  - cannot be implemented in hardware.
  - cannot be implemented in an operating system.
  - cannot be implemented in middleware.
  - cannot be implemented in an application.
110 CISSP Exam Study Seminar for CBK Domain 4: Applications and Systems Development Security
Segment 8: Life-Cycle Controls
111 Segment 8 Topics
- Basic Concepts
- Process Definition and Control
- Process Application
- Security Products
- Some Issues
112 Basic Concepts
- Definition: Life-Cycle Management (as it applies to security) is the means of producing computer-related (usually system/software) products in a way that meets prescribed security assurance standards.
- Closely allied to general standards. High-quality development (not particularly related to security) is most of what is required for high-assurance development.
113 Aspects of Process Definition
- Development process characteristics
  - Covers the entire life cycle
  - General standardized processes
  - Security processes
- Automation
  - E.g., computer-aided software engineering (CASE) tools
  - Some (Rational Rose) support all portions of the development process and use a standard modeling basis (UML)
- Life-cycle accountability
  - Information management (configuration management, CM) for all development and operational artifacts
  - Ideal: integration of development and operational CM
114 Outcomes
- Enforcement of the process is (obviously) critical
- Can't (honestly) fix short-cuts after the fact
115 Security Standards for Development
- Naval Research Laboratory Handbook for the Computer Security Certification of Trusted Systems
  - Goal is certification, but it is a good definition of the process
- Capability Maturity Models (CMMs)
  - Software Engineering Institute's CMM for Software (SW-CMM) and for System Engineering (SE-CMM): http://www.sei.cmu.edu/sei-home.html
  - International Systems Security Engineering Association's (ISSEA's) Systems Security Engineering CMM (SSE-CMM): http://www.sse-cmm.org/
  - Integrated CMM (CMMI): CrossTalk article, http://www.stsc.hill.af.mil/crosstalk/2000/09/phillips.html
116 Security in the Development Process
- Role of the Security Engineer
  - Close coordination with developers (e.g., IPTs)
- Role of security process and products
  - Not separate
  - Instead, fully integrated: cooperative, not adversarial
- Security standards
- Approval processes
- Security products
117 Development Process Phases
- Requirements Management
- Design and Implementation
- Verification
  - Security in Standard Forms of Vetting
    - Test: systematic collection, analysis, and evaluation
    - Analysis: evaluation using recognized analytical techniques
    - Inspection: physical examination or review of features
    - Demonstration: physical observation of events
  - Developer Interviews
  - Specific Security Testing (STE)
  - Penetration Testing
- Augmented Sources of Assurance (e.g., Modeling, Analysis)
- Approval
- Distribution/Installation/Configuration
- Maintenance/Operation
  - Security: Maintain System Integrity (Periodic Testing)
118 Development Process Phases (Spiral)
- Requirements Management
- Design and Implementation
- Verification
- Augmented Sources of Assurance
- Approval
- Distribution/Installation/Configuration
- Maintenance/Operation
119 Approval Processes and Related Standards
- Approval of Products: Evaluation
  - Common Criteria (and related protection profiles (PPs)): http://niap.nist.gov/
  - Orange Book/TCSEC (decommissioned) (RIP, but still among the living dead)
- Approval of Systems: Certification & Accreditation; features, criticality, and process
  - DoDI 5200.40, DITSCAP Instruction Manual (decommissioned): http://www.dtic.mil/whs/directives/corres/html/85101m.htm
  - DoDI 8510.bb, DIACAP Guidance (Interim): http://iase.disa.mil/ditscap/interim-ca-guidance.pdf
  - DCID 6/3: Intelligence requirements and process (FOUO)
  - JAFAN 6/3: DoD Special Access requirements and process (FOUO)
  - NISPOM: Industrial Security requirements and process: http://www.dtic.mil/whs/directives/corres/pdf2/d85001p.pdf
- Related Standards
  - DoD Directive 8500.2: IA Policies and Responsibilities: http://www.dtic.mil/whs/directives/corres/html/85001.htm
  - DoD Directive 8500.2: IA Implementation: http://www.dtic.mil/whs/directives/corres/html/85002.htm
  - IA Technical Framework (IATF): Applying IA Technology: http://www.iatf.net
  - NSA Consistency Instruction Manuals (Robustness Levels): strength & assurance: http://niap.nist.gov/pp/ci_manuals.html
120 Security Products
- Security Documentation
  - Security-Related User, Administrator, and Maintainer Documentation
  - Standard
    - Security Features User's Guide (SFUG): User
    - Trusted Facility Manual (TFM): Administrator
- Security Development Evidence (Part of C&A)
  - Level of Assurance Claimed
  - Specification of Development Requirements
  - Evidence That Requirements Were Met
  - Examples
    - Common Criteria Security Target
    - DITSCAP System Security Authorization Agreement (SSAA)
    - DIACAP: Many
    - JAFAN 6/3 Interconnection Security Agreement (ISA)
121 The Open-Source Debate
- Pro
  - The More Exposure the Design Has, the More Flaws Will Be Eliminated
  - If Exposure Is Anticipated During Development, Higher Quality Will Result
  - Anyway, Design Information Will Eventually Be Compromised
- Con
  - Don't Give Away the Crown Jewels! Knowledge of the Security Design Will Result in Many More Successful