Thursday, November 27, 2014
Chapter 11: Security Operations - Media Controls
Media is anything that holds company data: electronic media (disks, CDs, DVDs, thumb drives) as well as information in traditional paper form. These items should be stored in a "library" that only authorized personnel can access, and the media should be protected from environmental threats such as fire or humidity. Data should be erased from media properly, and unwanted media should be disposed of in a protected manner so that unauthorized people cannot obtain it. When the data has been erased from a device, the device is said to be sanitized. Zeroization (overwriting) replaces the stored data with new data, for example all zeros, so that the old data can no longer be recovered from the medium. Degaussing exposes magnetic media to a strong magnetic field that destroys the stored data; it does nothing for flash or optical media, and it normally leaves a hard drive unusable. Overwriting is also unreliable on SSDs and other flash media, because wear leveling can leave copies of old data in blocks the overwrite never reaches; those should be sanitized with the device's own secure-erase command or physically destroyed. Whichever method is used, the result should be verified and recorded rather than assumed. There are seven areas that a media librarian is responsible for:
1. Media should be marked (labeled with its classification).
2. Media should be properly logged.
3. The integrity of the data on the media should be verified.
4. Librarians should control physical access to the media.
5. Librarians should ensure environmental protection of the media.
6. They should make sure that media is transmitted securely and only to the appropriate parties.
7. Lastly, librarians should make sure that media is disposed of properly.
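The overwrite-and-verify idea above, as an added example that is not from the study guide. It overwrites a file-backed medium with zeros and then reads every byte back to confirm the overwrite actually landed, which is the record a librarian should keep. The sample file is constructed inline; the paths are temporary files, and the caveat about flash media still applies: this verifies what the filesystem returns, not what the underlying NAND still holds.

```python
"""Overwrite-and-verify sanitization of a file-backed medium (added example)."""
import os
import tempfile
from typing import Tuple

CHUNK = 1024 * 1024  # write/read granularity, 1 MiB


def overwrite_with_zeros(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` in place with 0x00, `passes` times.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    zeros = b"\x00" * CHUNK
    for _ in range(passes):
        with open(path, "r+b") as fh:
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(zeros[:n])
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force the write through the OS cache
    return size


def verify_zeroed(path: str) -> bool:
    """Read the medium back and confirm that no non-zero byte survived."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def sanitize(path: str, passes: int = 1) -> bool:
    """Overwrite, then verify; the verification result is what gets logged."""
    overwrite_with_zeros(path, passes)
    return verify_zeroed(path)


def demo() -> Tuple[bool, bool]:
    """Constructed sample: a 3 MiB file full of recognisable 'secret' data.
    Returns (zeroed before sanitizing, zeroed after sanitizing)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(b"SECRET-DATA-" * (3 * CHUNK // 12))
        before = verify_zeroed(path)
        after = sanitize(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

For a real block device you would open the device node instead of a file and run this from a live environment, but the shape is the same: overwrite, sync, read back, and only then record the medium as sanitized.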
Chapter 11: Security Operations - Configuration Management
There are 6 steps to the change control process as stated in the study guide.
1. Request for a change to take place - Person requesting the change should construct the change idea and present it to the party responsible for approving and implementing changes.
2. Approval of the change - The benefits of the change should be presented to the approving party, along with the potential problems the change could cause. The approving party might send the requestor back to do more research or development on the change before approval takes place.
3. Documentation of the change - If a change gets approved, all the appropriate information about the change should be entered into a change log. As the change develops, updates should be made to the individual record in the change log.
4. Tested and presented - Testing is necessary to uncover any unforeseen negative effects of the change. In this step, if it is a big change, a change control committee might be brought in to weigh the positives and negatives of the change and give another opinion before company-wide implementation occurs.
5. Implementation - Once all of the previous steps have been satisfied, it is time to put the change into action. An implementation schedule and milestones should be set up in order to keep the implementation organized.
6. Report change to management - A final report should be submitted to management that gives a summary of the implementation and the status of the change that is now in production.
Chapter 11: Security Operations - Operational Responsibilities
Operations personnel within an organization are an extremely important asset. They are largely responsible for ensuring that a company's systems run as they are supposed to and that these systems are protected. In the event that a system crashes, there are three steps that the department should take in order to troubleshoot and resolve the issue as quickly as possible.
1. Single-user mode - Also known as 'safe mode', booting this way prevents the system from starting network services for other users. In this mode only the local console is reachable, which keeps anyone else from interacting with the system while it is being repaired and makes troubleshooting more effective.
2. Resolve the issue and recover lost files - After logging onto the system in single-user mode, the administrator can attempt to correct any damage that has been done. Afterwards, it is important to figure out why the system shut down improperly in the first place so that it does not happen again. Changes might have to be made to applications and databases as a result of the crash.
3. Operation and file validation - If the investigation shows that files or operations were corrupted, the administrator must validate file contents (for example against known-good hashes) to ensure that the system configuration is in its expected state before returning the system to service.
Tuesday, November 18, 2014
Chapter 11: Security Operations - Administrative Management Continued
Along with separation of duties, there are a few other important administrative controls that are a good idea to implement within a company. Job rotation means not relying on a single person to know how to perform the duties of a particular role. If only one person knows how to perform a key duty in your organization, and that person leaves the company or is unable to work, the company could be in a world of hurt. Rotation also makes it easier to spot activities that are criminal or that go against company policy, because a second person sees the work. A second important administrative control is least privilege. This means that an employee should only have access to the resources they need to do their job and nothing more. For example, it wouldn't make sense for an analyst to be able to go into the database and alter data or tables; that is the sole responsibility of your database administrators. A third important administrative control is mandatory vacations, meaning that the employee is required to take vacation time after working continuously for a certain period. This is another key way to spot fraudulent activities and is also a natural way to apply job rotation: while the employee is on vacation, another employee is brought in to fulfill the vacationing employee's duties, and schemes that depend on the original employee being present to cover their tracks tend to surface. If an employee refuses to take vacation (who doesn't want to take vacation time, right?) it is usually a red flag that they are doing something they know they are not supposed to.
Chapter 11: Security Operations - Security Operations and Administrative Management
A core principle when it comes to administrative management is the concept of separation of duties. This term means that sensitive tasks are split across roles so that no single person can complete a critical process from start to finish on their own. This ensures that one person alone could not compromise the whole company, either by making a mistake or with the intention of causing harm. Common roles with their descriptions are listed below:
Control Group - Gets the information from different groups or people and passes the information along to the groups or people that need the information to do their jobs.
Systems Analyst - Designs how data will be used in a system or how the data will be transferred from system to system based upon requirements provided by the user as long as those requirements are within the scope of operation.
Application Programmer - Develops and maintains software.
Help Desk/Support - Responsible for fixing technical issues within the organization and provides guidance to clients and employees for using systems.
IT Engineer - Responsible for doing routine operations on systems on a daily basis to keep them up and running.
Database Administrator - Develops new data models for database implementations and maintains the databases in an organization.
Network Administrator - Installs Local Area Networks and/or Wide Area Networks for use within the company. Also responsible for maintaining these networks.
Security Administrator - Responsible for the security framework. They develop the security controls, implement them, and ensure that these controls are in use and effective.
Tape Librarian - Responsible for backing up and keeping record of all important data.
Quality Assurance - Ensures that activities meet the standards of requirements. Responsible for testing the activities to find issues and pass the issues back to the appropriate group so that the problem/issue can be resolved.
Chapter 10: Software Development Security - Malware
Malware, also known as malicious software, comes in many forms. Some examples are viruses, worms, Trojan horses, and logic bombs. Malware can be spread through a variety of methods, including email and downloads from the internet. First off, I want to identify what a virus is and the different types of viruses. A virus is a program that infects other software. Viruses cannot reproduce on their own and must have a host program. After attaching to a host application, the virus delivers its payload when the host runs. The payload could be a few different things, such as deleting files, displaying useless information, or stealing data from the application or system it has infected. A macro virus is a virus that infects macro programs; programs written in Word Basic, Visual Basic, or VBScript. They generally target Microsoft Office. They are fairly easy to write and commonly infect document templates so that every new document carries the macro. A boot-sector virus, as the name implies, infects the boot sector of a disk. It either relocates the original boot code or overwrites data within the boot sector so that the virus runs before the operating system does. A third type, the compression virus, finds an uninfected executable file and attaches itself to it, then compresses the executable. When the user runs that executable, the virus decompresses and runs it, executing its own code along the way. A stealth virus is one that hides the changes it has made, for example by intercepting reads of the infected file and reporting the original size or contents, so the system appears to be the same as it was before infection. Another common type of malware is a worm. A worm is a program that replicates itself in order to spread to other machines, usually through networks by exploiting security flaws in exposed services. While a virus has to have a host program, worms do not; they can be standalone programs. A Trojan horse is a program that disguises itself as a legitimate program. For example, the Trojan horse can look exactly like an everyday application. When a user makes the unknowing mistake of opening the Trojan horse (because it looks just like the app they use daily), the expected application appears to run while the Trojan horse executes its malicious actions in the background. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as devastating. A logic bomb differs slightly from the previous types of malware discussed. It is a string of code that executes only when certain conditions are met. For example, it could be coded so that when a particular date arrives or a user visits a certain website, the logic bomb triggers and deletes specified files from the system.
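Two of the detection checks this section and the crash-recovery post above imply, as an added example that is not from the study guide: a hash baseline that catches a host program a file-infecting virus has modified (and serves the "operation and file validation" step after a crash), and a check for the vbaProject.bin part that carries VBA macros inside an Office document. The directory, the fake program image and the two documents are constructed inline in a temporary directory.

```python
"""Host-file modification and macro-carrier detection (added example)."""
import hashlib
import os
import shutil
import tempfile
import zipfile
from typing import Dict, List, Tuple


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Record a hash for every file under root while the system is known-good."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def find_changes(root: str, baseline: Dict[str, str]) -> List[str]:
    """Files whose hash differs from the baseline, plus files that vanished."""
    current = build_baseline(root)
    changed = [p for p, digest in current.items() if baseline.get(p) != digest]
    removed = [p for p in baseline if p not in current]
    return sorted(changed + removed)


def has_vba_project(path: str) -> bool:
    """OOXML files (.docx/.docm/.xlsm) are zip archives; a VBA macro project
    is stored as a vbaProject.bin part inside the archive."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(name.endswith("vbaProject.bin") for name in zf.namelist())


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: a fake program image that gets code appended,
    a clean document and a macro-bearing document."""
    root = tempfile.mkdtemp()
    try:
        exe = os.path.join(root, "app.bin")
        with open(exe, "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 64)
        clean = os.path.join(root, "report.docx")
        with zipfile.ZipFile(clean, "w") as zf:
            zf.writestr("word/document.xml", "<w:document/>")
        macro = os.path.join(root, "invoice.docm")
        with zipfile.ZipFile(macro, "w") as zf:
            zf.writestr("word/document.xml", "<w:document/>")
            zf.writestr("word/vbaProject.bin", b"\x01\x02fake-macro-bytes")

        baseline = build_baseline(root)
        # A file-infecting virus appends itself to the host program.
        with open(exe, "ab") as fh:
            fh.write(b"APPENDED-PAYLOAD")

        changes = find_changes(root, baseline)
        macros = sorted(os.path.basename(p) for p in (clean, macro)
                        if has_vba_project(p))
    finally:
        shutil.rmtree(root)
    return changes, macros


if __name__ == "__main__":
    print(demo())
```

Keep the baseline on read-only or offline media, and run the comparison from clean boot media when a stealth virus is suspected: a stealth virus that has hooked the file read path on the infected system can feed the hashing routine the original bytes, so a baseline check performed from the compromised operating system can come back clean.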
Monday, November 17, 2014
Chapter 10: Software Development Security - Expert Systems/Knowledge-Based Systems and Artificial Neural Networks
Expert Systems - Another name for knowledge-based systems. These types of systems use artificial intelligence in order to solve extremely complex problems. In terms that non-computer people would understand, they attempt to mirror the thought process of a human expert in the field of the particular problem.
Inference Engine - This is the center of the knowledge-based system. It is a program that derives answers to a problem from the knowledge base. Its main purpose is to reach legitimate conclusions from the facts and rules stored in the knowledge base.
Rule-based programming - A method of programming knowledge-based systems. Uses if-then logic, with particular actions that must take place for individual situations.
Artificial Neural Networks - Programs or models in computing that attempt to mimic a human brain. These programs can even learn as they go, but cannot deal with "fuzzy logic" well. The study guide puts it this way: ANNs cannot see the gray in the world, such as good and bad.
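A small forward-chaining inference engine over if-then rules, as an added example that is not from the study guide. The rule base is a constructed alert-triage "expert": each rule fires when all of its antecedent facts are known and adds one conclusion, and the engine keeps firing rules until nothing new can be concluded. The rule names and fact names are invented for the illustration.

```python
"""A minimal forward-chaining inference engine over if-then rules (added example)."""
from typing import List, Set, Tuple

# A rule is (name, antecedent facts, consequent fact):
# IF every antecedent is known THEN the consequent becomes known.
Rule = Tuple[str, Set[str], str]


def infer(facts: Set[str], rules: List[Rule]) -> Tuple[Set[str], List[str]]:
    """Fire every rule whose antecedents are all known, repeating until no rule
    adds anything new. Returns (all known facts, the order in which rules fired).
    The loop makes the result independent of the order rules are listed in."""
    known = set(facts)
    trace: List[str] = []
    changed = True
    while changed:
        changed = False
        for name, antecedents, consequent in rules:
            if consequent not in known and antecedents <= known:
                known.add(consequent)
                trace.append(name)
                changed = True
    return known, trace


# Constructed knowledge base: a toy alert-triage expert.
TRIAGE_RULES: List[Rule] = [
    ("R1", {"login_failed_x10", "same_source_ip"}, "brute_force_suspected"),
    ("R2", {"brute_force_suspected", "login_succeeded_after"}, "account_compromise_likely"),
    ("R3", {"account_compromise_likely", "privileged_account"}, "escalate_to_ir"),
    ("R4", {"login_failed_x10", "known_scanner_ip"}, "noise_background_scan"),
]


def conclusions(observations: Set[str]) -> List[str]:
    """Only the facts the engine derived, not the ones it was given."""
    known, _ = infer(observations, TRIAGE_RULES)
    return sorted(known - observations)


if __name__ == "__main__":
    seen = {"login_failed_x10", "same_source_ip",
            "login_succeeded_after", "privileged_account"}
    print(infer(seen, TRIAGE_RULES)[1], conclusions(seen))
```

Notice what the engine cannot express: every fact is simply present or absent, so "ten failed logins from an IP that is probably a scanner" either matches R4 or it does not. That all-or-nothing behaviour is the "cannot see the gray" limitation the study guide is pointing at, and it is why real triage systems attach confidence scores to their rules.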
Chapter 10: Software Development Security - Database Management Part 2
There are four languages to know when dealing with relational databases.
Data definition language (DDL) - Defines the database schema or structure: creating, altering, and dropping tables, views, and constraints.
Data manipulation language (DML) - Inserts, updates, and deletes the data stored in the schema, and controls how retrieved data can be manipulated.
Data control language (DCL) - Grants and revokes access so that only the intended people or systems can carry out certain functions within the database.
Query language (QL) - The language in which commands are written in order to retrieve data from a database, and by extension to insert, update, or delete it.
A data dictionary is where data about the data is stored. This information is often referred to as metadata. Another concept that is important to remember about relational databases is that of primary and foreign keys. A primary key is a unique value that no other record in the table can possess. When you relate two tables, a column in the second table that holds the first table's primary key value is the foreign key; the database can then refuse a foreign key value that does not exist as a primary key in the first table. This is what relates the two tables.
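The four language categories and the primary/foreign key relationship above, as an added example that is not from the study guide, run against an in-memory SQLite database from Python. It creates two tables with DDL, loads them with DML, joins them with a query, and then shows what the keys enforce: a duplicate primary key is rejected, an employee pointing at a department that does not exist is rejected, and a department still referenced by employees cannot be deleted. The table names and sample rows are constructed. SQLite has no DCL (there is no GRANT or REVOKE; access is whoever can open the file), so that category is noted in a comment rather than demonstrated.

```python
"""DDL, DML, queries and primary/foreign key enforcement in SQLite (added example)."""
import sqlite3
from typing import List

# DDL: the schema. Each table declares a primary key; employee.dept_id is a
# foreign key that must match an existing department.dept_id.
DDL = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)
);
"""
# DCL would be e.g. GRANT SELECT ON employee TO analyst; in PostgreSQL or MySQL.
# SQLite has no such statement, so it is not shown here.


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite parses REFERENCES but does not enforce it unless this pragma is
    # on for the connection; a schema that declares foreign keys is not enough.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(DDL)
    return conn


def load_sample(conn: sqlite3.Connection) -> None:
    """DML: constructed sample rows."""
    conn.executemany("INSERT INTO department (dept_id, name) VALUES (?, ?)",
                     [(1, "Security"), (2, "Engineering")])
    conn.executemany("INSERT INTO employee (name, dept_id) VALUES (?, ?)",
                     [("alice", 1), ("bob", 2), ("carol", 1)])
    conn.commit()


def employees_in(conn: sqlite3.Connection, dept_name: str) -> List[str]:
    """Query: the join walks the foreign key back to the primary key."""
    rows = conn.execute(
        "SELECT e.name FROM employee e "
        "JOIN department d ON e.dept_id = d.dept_id "
        "WHERE d.name = ? ORDER BY e.name", (dept_name,)).fetchall()
    return [r[0] for r in rows]


def _attempt(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> str:
    try:
        conn.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def insert_duplicate_pk(conn: sqlite3.Connection) -> str:
    return _attempt(conn, "INSERT INTO department (dept_id, name) VALUES (?, ?)",
                    (1, "Finance"))


def insert_orphan(conn: sqlite3.Connection) -> str:
    """An employee whose dept_id matches no department."""
    return _attempt(conn, "INSERT INTO employee (name, dept_id) VALUES (?, ?)",
                    ("mallory", 99))


def delete_referenced_department(conn: sqlite3.Connection) -> str:
    """A department that employees still point at."""
    return _attempt(conn, "DELETE FROM department WHERE dept_id = ?", (1,))


if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print(employees_in(db, "Security"))
    print(insert_duplicate_pk(db))
    print(insert_orphan(db))
    print(delete_referenced_department(db))
```

The pragma is the practitioner detail worth remembering: an application that relies on the database to enforce referential integrity, but connects without turning enforcement on, will happily store orphaned rows.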
Chapter 10: Software Development Security - Database Management
Types of database models:
Relational- Uses columns and rows to organize data into tables. The columns are the attributes that each record has, while a row is one record's collection of those attributes. The most widely used model today. Uses primary keys and foreign keys to build relationships.
Hierarchical- Uses a tree structure with parent/child relationships. A parent can have one child, many children, or no children, but a child has exactly one parent. Not as flexible as relational databases.
Network- Similar to the hierarchical model. However, in this model each data element can have multiple parent and child records, so a record can be reached by more than one path. This makes the model a bit more flexible than the hierarchical model.
Object-Oriented- Can handle a variety of data types such as images, documents, and video. Very dynamic because objects are created when needed, and the object carries its own functionality (methods) along with its data.
Object-Relational- A relational database with a front end written in an object-oriented programming language. Useful because the methods are already there to actually do something with the retrieved data.
Chapter 10: Software Development Security - Web Security
Threats on the web:
Information gathering- This is step one in an attacker's attempt to cause damage to your system. It usually goes unnoticed on the web server side because much of the information can be collected from search engines and public records without ever touching the server.
Administrative interfaces- Exposing a web-based administrative interface to the internet is not a good idea. If one must exist, use a stronger authentication method than a simple username and password, and tightly control which systems (for example, a management network) are allowed to reach the administrative interface at all.
Authentication and access control- To protect against this threat, use multifactor authentication. Also encrypt sensitive information and transfer it over a secure protocol such as TLS, so credentials and session data cannot be captured in transit.
Input validation- Path or directory traversal is the dot-dot-slash method: attackers use ../ sequences in a requested path to reach files on the web server's drive outside the web root. Unicode encoding is the same idea, but the attacker uses Unicode (including overlong UTF-8) representations of the dots and slashes to get past filters that only look for the literal characters. URL (percent) encoding, including double encoding such as %252e, likewise lets attackers make requests using alternative representations of characters so that a filter and the component that finally decodes the path see different things. The most famous input validation flaw is SQL injection, where an attacker's input is concatenated into a database command and so is executed as SQL against the back-end database rather than treated as data.
Parameter validation- It is important to validate all data that passes through the system. The client side can check input for usability, but the server must validate everything again, since an attacker controls the client and can send whatever they like.
Session management- The common defence here is a unique, unpredictable session ID for every session, generated from a cryptographically secure random source. Never use sequential or otherwise guessable IDs, as that makes it easy for an attacker to guess a valid session and take it over.
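The traversal, encoding, SQL injection and session ID points above, as an added example that is not from the study guide. The path check percent-decodes until the input stops changing (which catches double encoding), rejects overlong or invalid UTF-8 and embedded NUL bytes, normalises the path and then confirms the result still lies under the web root. The SQL part shows the string-built query beside the parameterised one against a constructed in-memory user table. The web root path is an assumption, and the path logic assumes a POSIX host.

```python
"""Path traversal, encoding bypasses, SQL injection and session IDs (added example)."""
import os
import secrets
import sqlite3
import urllib.parse
from typing import List

WEBROOT = "/srv/www/files"  # assumed document root, POSIX paths


def canonical_request_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (so %252e%252e becomes ..), rejecting
    invalid/overlong UTF-8 and NUL bytes, then collapse . and .. segments."""
    decoded = raw
    for _ in range(rounds):
        try:
            nxt = urllib.parse.unquote(decoded, errors="strict")
        except UnicodeDecodeError as exc:
            raise ValueError(f"invalid encoding in {raw!r}") from exc
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError(f"NUL byte in {raw!r}")
    decoded = decoded.replace("\\", "/")  # Windows-style separators count too
    return os.path.normpath(decoded)


def safe_join(webroot: str, raw: str) -> str:
    """Resolve the request against the web root; raise if it escapes it."""
    full = os.path.normpath(os.path.join(webroot, canonical_request_path(raw)))
    if os.path.commonpath([webroot, full]) != webroot:
        raise ValueError(f"traversal attempt: {raw!r}")
    return full


def is_safe(webroot: str, raw: str) -> bool:
    try:
        safe_join(webroot, raw)
        return True
    except ValueError:
        return False


def users_db() -> sqlite3.Connection:
    """Constructed sample user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> List[str]:
    # The attacker's input is pasted into the SQL text, so it becomes SQL.
    q = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [r[0] for r in conn.execute(q)]


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> List[str]:
    # Parameters are bound by the driver; the input can only ever be data.
    q = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [r[0] for r in conn.execute(q, (name, pw))]


def new_session_id() -> str:
    """256 bits from the OS CSPRNG, URL-safe; not sequential, not guessable."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    for p in ("docs/readme.txt", "../../etc/passwd", "..%2f..%2fetc%2fpasswd",
              "%252e%252e%2fetc%2fpasswd", "%c0%ae%c0%ae/etc/passwd"):
        print(p, "->", is_safe(WEBROOT, p))
    db = users_db()
    print(login_vulnerable(db, "alice", "' OR '1'='1"))
    print(login_safe(db, "alice", "' OR '1'='1"))
    print(new_session_id())
```

The injected password makes the string-built query read `... AND pw = '' OR '1'='1'`, which is true for every row, so the vulnerable login returns both users while the parameterised one returns none.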
Tuesday, November 11, 2014
Chapter 10: Software Development Security - Mobile Code
Mobile code is code that can be sent to another location across a network and then executed on the receiving side. In Java, applets were used to accomplish this. The programmer creates the applet and runs it through a compiler, which turns it into bytecode (this code is not platform specific; it can run on many platforms). The bytecode is then placed on a server for users to download. Once a user downloads it, the universal bytecode is translated into machine-level code specific to the system it was downloaded to. A Java Virtual Machine performs this conversion, and usually the virtual machine runs inside the user's web browser. The applet can then be run when it is called upon, but it runs in what is known as a sandbox. A sandbox is a restricted area in which potentially unsafe code from elsewhere can be run without being allowed to touch the rest of the system. Browser applets have since been deprecated and removed from modern browsers and Java releases, but the pattern of downloading untrusted code and confining it in a sandbox is the same one used today by JavaScript engines and browser process sandboxes.
Chapter 10: Software Development Security - Programming Languages and Concepts
At the very lowest level, the language a computer can read is known as binary. "Bi" means two, as binary is only a combination of 1's and 0's. This is also known as machine code. There were no "programming" languages in the early 1950's, so this is how programmers wrote instructions for computers. Later, assembly language came along. Assembly language is only one step above machine language: instead of all 1's and 0's, it uses mnemonic symbols to represent the bit patterns. Assemblers were used to convert these symbols into machine-readable code. In the early 60's, high-level languages started to emerge. Syntax became closer to human language and introduced abstract statements; what had taken many machine instructions could now be expressed in a single line with the same functionality. Later, even more abstraction arrived with fourth-generation languages. Things that used to require a great deal of code could now be accomplished with a tenth of that, and programmers do not have to know how the computer works, how memory is handled, and so on, when using very high-level languages. The 1990's saw the emergence of what are known as natural languages, where the goal is that the software can solve problems by itself instead of being given an algorithm for each task. Object-oriented programming is widely used today. Objects can be instantiated, communicate with each other, and inherit behavior and attributes from parent classes. This leads to code reuse and a lot less coding for developers. Instead of code being executed in a strictly sequential manner, execution can move from class to class as objects call one another.
Monday, November 10, 2014
Chapter 10: Software Development Security - Capability Maturity Model Integration
CMMI is a set of guidelines for developing software products. There are 5 maturity levels, and each level builds on the ones before it. In other words, you cannot progress to a level if you have not met the requirements of the previous level. The idea behind this was to have a standard that makes software development more organized and repeatable.
Chapter 10: Software Development Security - Software Development Models
Build and Fix - Planning is not really used here. Produce working software and deal with issues as they arise.
Waterfall - Plan everything up front before a single line of code is written. Not very flexible and does not account for changes in requirements.
V-Model - Testing is used during each phase of the project, not at the very end.
Prototyping - Models of code or application are created up front before actual work takes place to develop the software.
Incremental -Many development cycles are used and each cycle produces working software. Improvements are made during each cycle.
Spiral - Iterative model that encourages client involvement. Customer feedback is important throughout these types of projects.
Rapid Application Development - A combination of prototyping and incremental. Goal is to make the process quicker.
Agile - Encourages teamwork. Anticipates that new requirements and modifications will arise throughout the project.
Chapter 10: Software Development Security - Secure Software Development Best Practices
There are many resources available to software developers that will help them make their software more secure. Most of these are available for free. Here are four that the book lists:
Web Application Security Consortium - Best practices and security standards for web application development on the World Wide Web.
www.webappsec.org/
Open Web Application Security Project - A non-profit organization that aids in the security of software applications.
https://www.owasp.org/
Build Security In - Provides various resources to aid in building secure software in every phase of its development.
https://buildsecurityin.us-cert.gov/
ISO/IEC 27034 - International standard for application security covering all classes of applications.
http://www.iso27001security.com/html/27034.html
Chapter 10: Software Development Security - Software Development Life Cycle
Since I am already fairly familiar with the Software Development Life Cycle and it would be kind of pointless to simply explain what each phase is, I want to list things from the book that I had zero previous knowledge of in each phase of the SDLC.
Gather Requirements: A Privacy Impact Rating is the classification of the data the software will handle. There are three classifications, P1, P2, and P3, where P3 is the lowest privacy risk and P1 is the highest.
Design: During this phase, at least from a security standpoint, two things should occur. The first is an attack surface analysis. This shows you how much code and software functionality is reachable by untrusted users, so that it can be reduced. The second is to create a realistic threat model. A threat model is a structured picture of how threats could affect your software and how each threat might be carried out.
Development: Computer-aided software engineering is the use of computers to aid in development. From my understanding, an Integrated Development Environment (IDE) is a form of computer-aided software engineering because you are using software to help you develop or enhance new software.
Testing/Validation: Unit Testing - A look at each piece of a program: data structures, logic, methods, and boundaries.
Integration Testing - Make sure all parts work together as designed.
Acceptance Testing - Make sure the requirements are met.
Regression Testing - When a change is made, make sure nothing else is affected.
Release/Maintenance: Verification - the product meets the specs.
Validation - the product actually solves the real-world problem.
Chapter 10: Software Development Security - Intro
I want to begin my blog on this chapter by saying that I am very excited about broadening my knowledge of this area of security. I find software development very interesting, and I hope to one day become a software developer. To begin this chapter, I want to talk about the main reasons why insecurities within software exist, why this is concerning, and why software needs to be built in a secure manner, especially in today's world. In the past, security was not really an issue when it came to software development. There were not as many malicious attacks, and the technology was nowhere near as advanced as it is now. This is a problem because a lot of this "old" software is still in use. Another reason why insecurities exist is that the people in charge of keeping things secure often do not have a development background. To add to this, many developers do not view security as the most important element in software. At the end of the day, they are more concerned with the software's functionality. If a company is trying to get its product to market and make money, do you think they always take all the necessary steps to be sure the product is as secure as possible? The short answer is, absolutely not. It has become a sort of standard for software to ship with flaws, with fixes coming at a later date. Last, customers cannot control the software they buy. This is why perimeter protection around software is so important. As an everyday user, you really never know how secure the software you are running is...until something bad happens. While perimeter protection is great and highly necessary, in my opinion security should be just as important as functionality for the modern-day developer. We are so reliant on computers these days, it would be absurd to let security fall behind functionality. Think of it this way. Would you want to live in a house where it was not possible to lock your doors? Heck no! That would be a security threat. The same applies to software. You don't want to purchase or use something that was not made with security in mind.