Sunday, November 30, 2014

Chapter 11: Change Control Process

  1. Request for a change to take place
    • present to individual or group responsible for approving changes and overseeing activities of changes within an environment
  2. Approval of the change
    • justify reason for change and clearly show benefits and possible pitfalls of change
  3. Documentation of the change
    • after approval of change, enter it into a log and update it according to changes
  4. Tested and presented
    • changes have to be fully tested, this uncovers unforeseen results
  5. Implementation
    • schedule that outlines projected phases of changes being implemented
  6. Report change to management
    • full report summarizing changes, and submit it to management


Posted by at No comments:
Chapter 11: After a System Crash

  • Steps to take when a system crashes:
    1. Enter into single user or safe mode:
      • System cold start takes place when the system's is unable to automatically recover itself to a secure state. This is when an administrator gets involved.
      • The systems will have two options:
        1. Automatically boot up to a "single user mode"
        2. Manually boot up to a "recovery console"
      • The administrator must physically be at the console or have deployed external technology such as secured dial-in/dial-back modems attached to serial console ports or remote keyboard video mouse [KVM] switches attacked to graphic consoles.
    2. Fix issues and recover files:
      • Single user mode:
        • Admin salvages file systems from damage that may have occurred as a result of the unclean, sudden shutdown of the system, and attempts to identify cause of the shutdown to prevent it from recurring.
    3. Validate critical files and operations:
      • If the shutdown suggests corruption then the admin must validate the contents of configuration files and ensure system files are consistent with their expected state.
Posted by at No comments:
Chapter 11: Assurance Level

  • Two types of assurance:
    1. Operational Assurance:
      • Concentrates on the product's architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product
      • Examples:
        • Access control mechanisms
        • Separation of privileged and user program code
        • Auditing and monitoring capabilities
        • Covert channel analysis
        • Trusted recovery (when product experiences unexpected circumstances)
    2. Life-Cycle Assurance:
      • How product was developed and maintained because each stage of the product life cycle has standards and expectations it must fulfill before it can be deemed a highly trusted product.
        • Examples:
          • Design specifications
          • Clipping-level configurations
          • Unit and integration testing
          • Configuration management
          • Trusted distribution
Posted by at No comments:

Sunday, November 16, 2014

Chapter 11: Security and Network Personnel

  • The security administrator should not report to the network administrator of their responsibilities have different focuses. Network administrators have a focus on high availability and performance of the network and resources. The focus on performance and user functionality is usually a trade-off for security. 
  • The following tasks are tasks that should be carried out my security administrators:
    • Implements and maintains security devices and software
      • security products require monitoring and maintenance to get their full value, this includes version updates and upgrades.
    • Carry out security assessments
      • security administrator identify vulnerabilities in the system, networks, software, and in-house developed products used by a business
      • assessments enable business to understand risks it faces in order to make sensible business decisions about products and services it considers purchasing, risk mitigation strategies i chooses to fund vs. risks it chooses to accept.
    • Creates and maintains user profiles and implements and maintains access control mechanisms
    • Configures and maintains security labels in mandatory access controls (MAC) environments
      • MAC environments are mostly found in government and military agencies.
      • Access decisions are based on comparing object's classification and subject's clearance.
    • Sets initial passwords for users
      • New accounts must be protected from attackers who might know patterns used for passwords.
    • Reviews audit logs
Posted by at No comments:

Friday, November 14, 2014

Chapter 11: Administrative Management

  • One aspect of administrative management is dealing with personnel issues which include separation of duties and job rotation. 
  • Separation of duties:
    • The objective is to ensure that one person acting alone cannot comprise the company's security in any way.
    • High-risk activities are broken up into different parts and distributed to different individuals or departments this prevents any one person from having too much authority. 
    • This decreases the changes of fraud unless collision is committed. Collision is when more then one person is needed to commit an act against policy. 
    • Separation of duties can help prevent mistakes and minimize conflict of interest that can take place if one person is performing a task from beginning to end. 
      • E.g. a programmer should not be the only one testing her own code. 
  • Job rotation:
    • Over time, more then one person fulfills the tasks of one position within the company. 
    • How job rotation is helpful for the company is that this allows the company to have more then one person who understands the tasks and responsibilities of a specific job title. This allows for backup and redundancy when a person leaves a company or is absent. 
    • Job rotation also helps identify fraudulent activities.
Posted by at No comments:
Chapter 11: Security Operations

  • Operation security is about configuration, performance, fault tolerance, security, and accounting and verification management to ensure that proper standards of operations and compliance requirements are met (Harris, 1234).
  • Operations security is also about ensuring people, applications, equipment, and overall environment are properly and adequately secured. 
  • Another large part of operations security includes ensuring the physical and environmental concerns are adequately addressed. This includes things such as temperature and humidity controls, media reuse, disposal, and destruction of media containing sensitive information. 
Posted by at No comments:

Tuesday, November 11, 2014

Chapter 10: Software Development Models Overview

  1. Break and Fix:
    1. No real planning up front
    2. Flaws are reactively dealt with after release with the creation of patches and updates
  2. Waterfall:
    1. Sequential approach that requires each phase to complete before the next one can begin.
    2. Difficult to integrate changes
    3. Inflexible model
  3. V-model:
    1. verification and validation is emphasized at each phase
    2. Testing takes place throughout the project, not just at the end
  4. Prototyping:
    1. A model or sample is created from the code for proof-of-concept purposes
  5. Incremental:
    1. Multiple development cycles carried out on a pice of software throughout its development stages
    2. Each stage provides a usable version of software
  6. Spiral:
    1. Interactive approach
    2. Emphasizes risk analysis per iteration
    3. Allows for customer feedback to be integrated through a flexible evolutionary approach
  7. Rapid Application Development:
    1. combines prototyping an d iterative development procedures with goal of accelerating software development process
  8. Agile:
    1. Iterative and incremental development processes that encourages team-base collaboration
    2. Flexible and adaptive


Posted by at No comments:
Chapter 10: Software Development Life Cycle

  • Software development deals with putting repeatable and predictable processes in place which helps to ensure functionality, cost, quality, and delivery schedule requirements are met. 
  • Software Development Life Cycle (SDLC) in general covers the following areas:
    • Requirements gathering:
      • Answers the "why, what, and for whom" in why do we create this software, what will the software do, and for whom the software will be created?
      • In this phase, everyone attempts to understand why the project is needed and what the scope of the project will be. 
      • The team examines software's requirements and proposed functionality, brainstorming sessions take place, and obvious restrictions are reviewed. 
      • This is where you can evaluate products currently on the market and identify demands that aren't met by current vendors.
      • From a security aspect, the following items should be accomplished in this phase:
        • Security requirements
        • Security risk assessment
        • Privacy risk assessment
        • Risk-level acceptance
    • Design:
      • Design in SDLC covers "how" the software will accomplish the goals that are identified.
      • The design phase maps theory and reality
      • Theory encompasses all the requirements that were identified in previous phases and outlines how the product is actually going to accomplish these requirements.
      • Software requirements commonly come in three models:
        • Information model (dictates type of information to be processed and how it will be processed)
        • Functional model (outlines tasks and functions application needs to carry out)
        • Behavioral model (Explains states the application will be in during and after specific transitions take place)
      • From a security standpoint, the following items should be accomplished:
        • Attack surface analysis:
          • Attack surface - what is available to be used by attackers against the product itself.
          • Attack surface analysis - identifies and reduces amount of code and functionality accessible to untrusted users. 
        • Threat modeling:
          • Systematic approach used to understand how different threats could be realized and how a successful compromise could take place.
    • Development:
      • Development is when the actual programming of the software and the code has to meet specifications laid out in the design phase.
      • The software design created in the previous phase (design) is broken down into defined deliverables, and programmers develop code to meet the deliverable requirements. 
      • Computer-aided software engineering (CASE):
        • Any type of software tool 
        • Allows for automated development of software (i.e. program editors, debuggers, code analyzers, version-control mechanisms etc.)
    • Testing/Validation:
      • We have to validate software to ensure the goals are met and the software works as planned.
      • Formal/informal testing should be done as soon as possible.
      • Unit testing:
        • Start very early in development
        • After programmer develops a component (unit of code) it is tested with several different input values in many different situations
        • It isolates each part of the software and show that the individual parts are correct 
        • Continues throughout development phase
      • Different types of testing:
        • Unit testings:
          • Individual components in a controlled environment where programmers validate structure, logic, and boundary conditions.
        • Integration testing:
          • Verifying components work together as outlined in design specifications.
        • Acceptance testing:
          • Ensures code meets customer requirements 
        • Regression testing:
          • When changes are made to the system, you have to retest it to ensure functionality, performance, and protection.
    • Release/maintenance:
      • After the software is developed and deployed, you have to ensure that it is properly configured, patched, and monitored. 
  • The difference in the software development life cycle and the system development life cycle is how each goal is accomplished. System development life cycle has a focus on operations which the IT department usually follows. Software development life cycle focuses more on design and programming and software engineers and coders usually follow this model. 
Posted by at No comments:

Chapter 10: System Development Life Cycle
  • A life cycle is a representation of development changes and a project has the following life cycle: initiation, planning, execution and controlling, and closure.
  • A system's life cycle consist of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal. 
  • The basic components of the system development life cycle:
    • Initiation is needed for a new system to be defined
      • When the company establishes a need for a specific system
      • Answer the questions "What do we need and why do we need it?"
      • Primary risk assessment is carried out to develop an initial description of the confidentiality, integrity, and availability requirements of the system.
        • the assessment defines the environment in which the system will operate within any identified vulnerabilities.
    • Acquisition/development is when a new system is either created or purchased
      • "buy" or "build" decision - the organization needs to evaluate ithe need for the system and see if it can be developed in-house or if it needs to be purchased from a vendor.
      • Activities that need to take place:
        • Requirements analysis
        • Formal risk assessment
        • Security functional requirements analysis
        • Security assurance requirements analysis
        • Third-party evaluations
        • Security plan
        • Security test and evaluation plan
    • Implementation is when a new system is installed into production environment
      • Before a system can be formally installed within the production environment a certification and accreditation (C&A) processes has to be performed.
      • Certification: the technical testing of a system.
      • Accreditation: formal authorization given by management to allow a system to operate in a specific environment.
    • Operation/maintenance is when the system is used and cared for
      • Within the implementation phase, baselines were set pertaining to the system's hardware, software, and firmware configuration.
      • In the operation/maintenance phase, continuous monitoring needs to take place to ensure that the baselines are always met. 
    • Disposal is when the system is removed from the production environment
      • Disposal activities need to ensure that orderly termination of systems that no longer provide a needed function can take place and all the necessary data are preserved.
Posted by at No comments:

Friday, November 7, 2014

Chapter 10: Different Environments Demand Different Security 

 Environment vs. Application
  • Software controls can be implemented by the operating system or by the application, but usually its a combination of both.
  • Application controls and database management controls are specific to their needs and security compromises they understand.
  • Application:
    • Application protects data by allowing only certain types of inputs and not permitting certain users to view data kept in sensitive database fields.
    • It does not protect against users inserting bogus data into Address Resolution Protocol (ARP) table.
  • The downsides to relying mainly on operating system controls:
    • Although they can control a subject's access to different objects and restrict the actions of that subject within the system, they do not necessarily restrict the subject's actions within an application.  
      •  In other words, if an application has a security vulnerability within its own programming code, it is hard for the operating system to predict and control this vulnerability. 
Functionality vs. Security
  • Trying to account for all the "what-ifs" and programming with caution can reduce the overall functionality of the application.
  • You have to balance functionality and security but in the development world functionality is more important. 
  • Each module of the system should be capable of being tested individually and in concert with other modules so the product can be more secure because flaws could be exploited early on.
Implementation and Default Issues
  • Most security has to be configured and turned on after installation.
  • Settings have to be configured to properly integrate it into different environments.
  • When a security application or device is installed, it should default to "No Access" because when a user installs a packet-filter firewall, it should not allow any packets to pass into the network that were not specifically granted access.
  • A fine balance exists between security, functionality, and user-friendliness.
  • A user-friendly application requires a lot of extra coding for potential user errors, dialog boxes, wizards, and step-by-step instructions, this could result in bloated codes that can create unforeseeable compromises because of extra coding. 
  • Various servers are enabled when a system is installed.
  • Implementation errors and misconfigurations are common items that cause a majority of security issues in network environments. 
Posted by at No comments:
Chapter 10: Software Development Security
  • To help implement security into a software you have to understand the security needs of a piece of software, implement the right controls and mechanisms, thoroughly test the mechanisms and how they integrate into the application, follow structured development methodologies, and provide secure and reliable distribution methods. 
  • Today, network and security administrations are having to integrate different applications and computer systems to keep up with their company's demand for expandable functionality.
  • The usual trend of dealing with security, figure 10-1 from CISSIP All-in-One Exam Guide:
Posted by at No comments:

Wednesday, November 5, 2014

Chapter 9: Complexities in Cybercrime- International Issues

  • Council of Europe (CoE) Convention on Cybercrime:
    • Is an example to create a standard international response to cybercrime.
    • It is the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation.
    • Objectives include:
      • Creating a framework for establishing jurisdiction and extradition of the accused
  • Organization for Economic Co-operation and Development (OECD):
    • Global organization that move data across other country boundaries must be aware and follow the Organization for Economic Co-operation and Development (OECD).
    • The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. 
    • The OECD came up with guidelines for various countries to follow so that data are properly protected and everyone follows the same types of rules.
    • The core principles defined by the OECD are as follows:
      • Collection of personal data should be limited, obtained by lawful and fair means, and with the knowledge of the subject.
      • Personal data should be kept complete and current, and be relevant to the purposes for which it is being used.
      • Subjects should be notified of the reason for the collection of their personal information at the time that it is collected, and organizations should only use it for that stated purpose.
      • Only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other then those previously stated.
      • Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.
      • Developments, practices, and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data.
      • Subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data, and to challenge denied request to do so.
      • Organizations should be accountable for complying with measures that support the previous principles.
Posted by at No comments:
Chapter 9: Complexities in Cybercrime - The Evolution of Attack

  • Advanced Persistent Threat (APT)
    • APT differs from regular attackers in that it is a common group of attackers, not just one hacker, which combine knowledge and abilities to carry out whatever exploit that will get them into the environment they seek.
    • APT are focused and motivated to aggressively and successfully penetrate a network with variously different attack methods.
    • This type of attack is coordinated by human involvement, rather then various types of threats that goes through automated steps to inject its payload.
    • The APT has specific goals and is commonly highly organized and well funded, this makes it the biggest threat of all. 
    • An APT is commonly custom-developed malicious code that is build specifically for its target, it has multiple ways of hiding itself once it infiltrates the environment, may be able to polymorph itself in replication capabilities, and has several different "anchors" so eradicating it is difficult if it is discovered. 
    • The attacker put the code through barrage of tests against the most up-to-date detection applications on the market so APT infiltrations are usually very hard to detect with host-based solutions. 

Posted by at No comments:
Subscribe to: Comments (Atom)