
CISSP Review Course Domain 4

Application & System Development

November 3, 2003 2

Domain Objective

The objective of this domain is to understand:
• the basic security structures and controls that are incorporated into systems and applications
• how security controls are structured and used in the software life cycle
• concepts used to ensure data confidentiality, integrity, and availability


Systems Development Controls

Computer system life cycle - the planning and management phases a software system project goes through from conception to abandonment

• Phases:
– Initiation - need and purpose for system
– Development/Acquisition - system is purchased or developed
– Implementation - system is tested and installed in production
– Operation - normal system operations and scheduled maintenance
– Disposal - system is obsolete and replaced by new system or hardware


Security system assurance - degree of confidence in the security controls developed or implemented during a system life cycle

• Planning - starts in planning phase of life cycle, security controls are analyzed for cost and effectiveness

• Testing - is done in all life cycle phases, tests of security controls include metrics, automated tools, and detailed test cases

• Certification - done during design and implementation phases, security controls are checked against a specified set of security requirements


Service Level Agreement (SLA) - a service agreement between a provider and subscriber that confirms system services within predefined limits

• SLA Objectives:
– agreement should be well documented
– service levels should be measurable
– resolution defined for missed service levels
– regular reports on SLA service periods to provider and subscriber


Software prototyping - the development of a working application model with test or real data supported by interaction between a user and developer

Computer-aided Software Engineering (CASE) Tools - a set of development tools integrated together that support the information engineering of application systems

Software capability maturity model - the model is used for determining the likely range of cost, schedule, and quality results to be achieved by a development project


Application Controls

Distributed Environment – systems architecture that integrates management of application software, application platform, technology interface, information and communications.

High-level requirements:
– portability - source code easily transferred between different systems
– interoperability - information shared between different vendor systems
– transparency - operate resources across different vendor systems without regard to system configuration
– robustness and security - authorization and authentication services
– extensibility - ability to manage resources across different vendor systems


Client/Server Systems - an application system that has a client that requests data services and a server that furnishes requested data to client

Elements - data storage, data base management system, application system, operating system, user interface

Functionality - the front-end application runs on the workstation and the back-end programs containing the data base engines run on the server

Implementations - simple file transfer, API link to application, GUI-based application, peer-to-peer application linkage


Distributed Data Processing (DDP) - physically separated computers manage data independently and are able to share it with one another

Agents – surrogates used in client/server model that perform information preparation and exchange on behalf of a user

Applets – small programs residing on a host computer that are downloaded to a client computer to be executed, usually written in Java, Active-X, JavaScript
– Java – object-oriented, distributed, general-purpose programming language, developed by SUN
– Active-X – Microsoft’s answer to Java, stripped down implementation of OLE


Local Environment - applications are located in one place and on one system; no communications links exist

Non-data base system - traditional batch or online application system used on a single computer system

Data Base application system - an application system which uses data in an integrated structure that contains operational management features
– centralized - one site contains hardware and data storage
– decentralized - multiple independent locations that contain hardware and data storage using the same application


Data Bases & Data Warehousing

Data Base - a collection of related data intended for sharing by multiple users

• Data Base Management System (DBMS) - a software system whose primary function is to maintain data base operations and provide application operations to data stored on data bases
– features:

• persistence - data base reuse

• data sharing - simultaneous data base use

• recovery - restore data base to original state

• data base language - used to manipulate and query data base

• security and integrity - data base protection and consistency


• Logical data base design - the process of creating a structure independent of software or hardware components

• Physical data base design - the implementation of a logical design optimally configured for a computer system

• Data models - a tool to conceptually represent data organization
– relational - records stored in a rows and columns structure

– hierarchical - records stored in a tree structure

– network - records stored in blocks and areas structure

– distributed - records stored in network node structure


Structured Query Language (SQL) - a widely used language for accessing and manipulating data bases

• Aggregation - assembling technique for building a new object from two or more existing objects that support the new object’s required links

• Inference - ability to derive information not explicitly available from known information

• Polyinstantiation - a repeating process that produces multiple records of an object by replacing a variable with data values
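The following is an added example, not part of the course slides, showing two of the database controls these three terms are about: a query-set-size control that refuses aggregate queries covering too few records (so an inference from aggregates to one individual is harder), and polyinstantiation, where the same primary key exists once per classification level so a low-clearance reader gets a cover record rather than a gap that reveals a higher record exists. The `salary` table, the two-level UNCLASSIFIED/SECRET lattice, the threshold of 3 and all rows are constructed for the demo.

```python
"""Added example (not from the CISSP slides): inference controls on a
constructed SQLite table. Table, levels, rows and threshold are assumptions."""
import sqlite3

MIN_QUERY_SET = 3  # assumed policy: aggregates over fewer rows are refused
CLEARANCE = {"UNCLASSIFIED": 0, "SECRET": 1}  # simplified two-level lattice

# Rows a subject may read: for each emp_id, only the tuple at the highest
# level the subject's clearance dominates (the polyinstantiation read rule).
VISIBLE_SQL = """
    SELECT emp_id, name, dept, salary, level FROM salary s
    WHERE level_rank(level) <= ?
      AND level_rank(level) = (SELECT MAX(level_rank(t.level)) FROM salary t
                               WHERE t.emp_id = s.emp_id
                                 AND level_rank(t.level) <= ?)
"""

def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.create_function("level_rank", 1, lambda lvl: CLEARANCE[lvl])
    # Primary key includes the level: that is what allows two tuples per emp_id.
    con.execute("""CREATE TABLE salary (
        emp_id INTEGER, name TEXT, dept TEXT, salary INTEGER, level TEXT,
        PRIMARY KEY (emp_id, level))""")
    # Constructed data. emp_id 4 is polyinstantiated: the UNCLASSIFIED tuple
    # is a cover story, the SECRET tuple is the real record. emp_id 6 exists
    # only at SECRET.
    con.executemany("INSERT INTO salary VALUES (?,?,?,?,?)", [
        (1, "Ann", "ops", 50000, "UNCLASSIFIED"),
        (2, "Bob", "ops", 52000, "UNCLASSIFIED"),
        (3, "Cy",  "ops", 54000, "UNCLASSIFIED"),
        (4, "Dee", "ops", 51000, "UNCLASSIFIED"),  # cover record
        (4, "Dee", "sec", 99000, "SECRET"),        # real record
        (5, "Eve", "sec", 60000, "UNCLASSIFIED"),
        (6, "Fay", "sec", 70000, "SECRET"),
    ])
    return con

def visible_rows(con, clearance):
    r = CLEARANCE[clearance]
    return con.execute(VISIBLE_SQL + " ORDER BY emp_id", (r, r)).fetchall()

def avg_salary(con, clearance, dept=None):
    """Statistical query with a query-set-size control: returns the average
    salary over the visible rows (optionally one department), or None when
    the query set is smaller than MIN_QUERY_SET and the request is refused."""
    r = CLEARANCE[clearance]
    sql = f"SELECT COUNT(*), AVG(salary) FROM ({VISIBLE_SQL}) v"
    params = [r, r]
    if dept is not None:           # bound parameter, never string-concatenated
        sql += " WHERE v.dept = ?"
        params.append(dept)
    n, avg = con.execute(sql, params).fetchone()
    if n < MIN_QUERY_SET:
        print(f"refused: query set of {n} row(s) is below {MIN_QUERY_SET}")
        return None
    return avg

def low_insert(con, emp_id, name, dept, salary) -> bool:
    """An UNCLASSIFIED writer inserts emp_id. Because the key is (emp_id, level)
    the insert succeeds even when a SECRET tuple for emp_id already exists, so
    a 'duplicate key' error cannot reveal that higher record. Returns True on success."""
    try:
        con.execute("INSERT INTO salary VALUES (?,?,?,?,?)",
                    (emp_id, name, dept, salary, "UNCLASSIFIED"))
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    db = build_db()
    for lvl in CLEARANCE:
        print(lvl, visible_rows(db, lvl))
    print("UNCLASSIFIED avg(sec):", avg_salary(db, "UNCLASSIFIED", "sec"))  # refused
    print("SECRET avg(ops):", avg_salary(db, "SECRET", "ops"))
    print("low insert of emp 6:", low_insert(db, 6, "Fay", "ops", 45000))
```

The query-set-size check is only the first layer: a determined user can still combine several allowed aggregates to isolate one record (the classic tracker approach), so it is normally paired with audit logging of refused and near-threshold queries and with limits on overlapping query sets.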


Data warehouse - a storage facility comprising data from several data bases or pre-computed data to be used by users through query and analysis tools

Data mining - is a tool that uses structured queries along with an inference engine to extract information from data bases or data warehouses to match complex or relational information searches

Data Dictionary - a central repository of data elements and their relationships covering an organization's data bases, used for keeping data integrity


Object-Oriented Design - interconnects data items (objects) and operations in a modular fashion

• Object – a computational data structure defined by its class, each object has an operation and state that remembers its function

• Class - a generic description of an object type (i.e. template)
• Instance - an individual occurrence of an object
• Inheritance - object deriving data and functionality automatically from another object
– polymorphism – different objects responding to the same command in different ways


Knowledge-Based Systems

Knowledge-base system – programs that use inference, a knowledge base, and user input to identify patterns and reach conclusions

• Neural network
– network of many simple processors built similar to human brain
– network is connected by unidirectional communications channel
– training rule enables learning from examples and ability to do generalizations


• Fuzzy logic - process where decision process is not based on clear or absolute values
– uses set theory that an element may have partial membership in a set
– doesn’t need a large amount of detailed information for decision process

• Expert system - artificial intelligence program that uses information from a knowledge expert to make decisions similar to a human one
– used to make consistent decisions
– used to keep an expert’s knowledge within an organization
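As an added example, not from the course slides, the block below puts the three ideas on these slides together in one small program: a knowledge base of IF-THEN rules (the expert's knowledge), an inference engine that forward-chains over facts until no new conclusion appears, and fuzzy logic, where an input such as "login failure rate is high" holds to a degree in [0, 1] rather than being simply true or false. The rules, the thresholds in the membership functions and the sample observations are all constructed for the demo; fuzzy AND is taken as the minimum and fuzzy OR as the maximum, which is Zadeh's original formulation.

```python
"""Added example (not from the CISSP slides): a tiny fuzzy rule-based expert
system for account-abuse triage. Rules, thresholds and data are assumptions."""
from dataclasses import dataclass

def ramp(x: float, lo: float, hi: float) -> float:
    """Fuzzy membership: 0 at or below lo, 1 at or above hi, linear between."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)

def fuzzify(obs: dict) -> dict:
    """Turn raw observations into fuzzy facts (degree of membership in [0,1]).
    Thresholds (5 and 20 failures/min, 22:00-06:00 as off hours) are assumed."""
    return {
        "high_failure_rate": ramp(obs["failures_per_min"], 5, 20),
        "off_hours": 1.0 if obs["hour"] < 6 or obs["hour"] >= 22 else 0.0,
        "new_location": 1.0 if obs["new_location"] else 0.0,
    }

@dataclass(frozen=True)
class Rule:
    antecedents: tuple   # all must hold (fuzzy AND = min)
    consequent: str      # fact concluded with the antecedents' degree

# The knowledge base: what an analyst would write down. Two rules share the
# consequent "suspected_brute_force"; their degrees combine with fuzzy OR (max).
KNOWLEDGE_BASE = [
    Rule(("high_failure_rate", "off_hours"), "suspected_brute_force"),
    Rule(("high_failure_rate", "new_location"), "suspected_brute_force"),
    Rule(("suspected_brute_force", "new_location"), "likely_account_attack"),
    Rule(("likely_account_attack",), "recommend_lockout"),
]

def forward_chain(facts: dict, rules=KNOWLEDGE_BASE) -> dict:
    """Inference engine: fire every rule whose conclusion would raise a fact's
    degree, repeat until a full pass changes nothing. Degrees only ever rise
    and are bounded by 1, so the loop terminates."""
    facts = dict(facts)
    changed = True
    while changed:
        changed = False
        for rule in rules:
            degree = min(facts.get(a, 0.0) for a in rule.antecedents)  # fuzzy AND
            if degree > facts.get(rule.consequent, 0.0):               # fuzzy OR
                facts[rule.consequent] = degree
                changed = True
    return facts

def decide(obs: dict, threshold: float = 0.5):
    """Run the system on one observation. Returns (lockout_recommended, facts);
    the 0.5 defuzzification threshold is an assumed policy value."""
    facts = forward_chain(fuzzify(obs))
    return facts.get("recommend_lockout", 0.0) >= threshold, facts

if __name__ == "__main__":
    # Constructed observations: 14 failures/min at 03:00 from a new location,
    # then 8 failures/min at 14:00 from a new location.
    for obs in ({"failures_per_min": 14, "hour": 3, "new_location": True},
                {"failures_per_min": 8, "hour": 14, "new_location": True}):
        lockout, facts = decide(obs)
        print(obs, "->", "lockout" if lockout else "monitor", facts)
```

Because every conclusion carries the degree of its weakest premise, the output also explains itself: a low "recommend_lockout" degree points back to whichever fuzzy input was marginal, which is what makes such systems reviewable by the expert whose rules they encode.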


Application and System Attacks

• Virus – program that searches out other programs and infects them by embedding a copy of itself

• Backdoor – (trap door or wormhole) security bypass left in by designers

• Trojan horse – useful program containing hidden code exploiting the authorization process to violate security

• Logic bombs – surreptitiously inserted code causing application or OS to perform security compromising activity when specified conditions are met

• Worm – program that propagates itself over a network, reproducing itself en route


• Covert channel – communication channel violating access policy by allowing information transfer

• Covert storage channel – writing to storage by one process and reading by another

• Covert timing channel – one process signals to another by modulating its own system use

• Data contamination – corruption of data integrity by input data errors
