November 3, 2003 2
Domain Objective
The objective of this domain is to understand:
• the basic security structures and controls that are incorporated into systems and applications
• how security controls are structured and used in the software life cycle
• concepts used to ensure data confidentiality, integrity, and availability
Systems Development Controls
Computer system life cycle - the planning and management phases a software system project goes through from conception to abandonment
• Phases:
– Initiation - need and purpose for system
– Development/Acquisition - system is purchased or developed
– Implementation - system is tested and installed in production
– Operation - normal system operations and scheduled maintenance
– Disposal - system is obsolete and replaced by new system or hardware
Security system assurance - degree of confidence in the security controls developed or implemented during a system life cycle
• Planning - starts in planning phase of life cycle, security controls are analyzed for cost and effectiveness
• Testing - is done in all life cycle phases, tests of security controls include metrics, automated tools, and detailed test cases
• Certification - done during design and implementation phases, security controls are checked against a specified set of security requirements
Service Level Agreement (SLA) - a service agreement between a provider and subscriber that confirms system services within predefined limits
• SLA Objectives:
– agreement should be well documented
– service levels should be measurable
– resolution defined for missed service levels
– regular reports on SLA service periods to provider and subscriber
Software prototyping - the development of a working application model with test or real data supported by interaction between a user and developer
Computer-aided Software Engineering (CASE) Tools - a set of development tools integrated together that support the information engineering of application systems
Software capability maturity model - the model is used for determining the likely range of cost, schedule, and quality results to be achieved by a development project
Application Controls
Distributed Environment – systems architecture that integrates management of application software, application platform, technology interface, information and communications.
High-level requirements:
– portability - source code easily transferred between different systems
– interoperability - information shared between different vendor systems
– transparency - operate resources across different vendor systems without regard to system configuration
– robustness and security - authorization and authentication services
– extensibility - ability to manage resources across different vendor systems
Client/Server Systems - an application system that has a client that requests data services and a server that furnishes requested data to client
Elements - data storage, data base management system, application system, operating system, user interface
Functionality - the front-end application runs on the workstation and the back-end programs containing the data base engines run on the server
Implementations - simple file transfer, API link to application, GUI-based application, peer-to-peer application linkage
Distributed Data Processing (DDP) - physically separated computers manage data independently and are able to share it with one another
Agents – surrogates used in client/server model that perform information preparation and exchange on behalf of a user
Applets – small programs residing on a host computer that are downloaded to a client computer to be executed, usually written in Java, Active-X, JavaScript
– Java – object-oriented, distributed, general-purpose programming language, developed by SUN
– Active-X – Microsoft’s answer to Java, stripped down implementation of OLE
Local Environment - applications are located in one place and on one system; no communications links exist
Non-data base system - traditional batch or online application system used on a single computer system
Data Base application system - an application system which uses data in an integrated structure that contains operational management features
– centralized - one site contains hardware and data storage
– decentralized - multiple independent locations that contain hardware and data storage using the same application
Data Bases & Data Warehousing
Data Base - a collection of related data intended for sharing by multiple users
• Data Base Management System (DBMS) - a software system whose primary function is to maintain data base operations and provide application operations to data stored on data bases
– features:
• persistence - data base reuse
• data sharing - simultaneous data base use
• recovery - restore data base to original state
• data base language - used to manipulate and query data base
• security and integrity - data base protection and consistency
• Logical data base design - the process of creating a structure independent of software or hardware components
• Physical data base design - the implementation of a logical design optimally configured for a computer system
• Data models - a tool to conceptually represent data organization
– relational - records stored in a rows and columns structure
– hierarchical - records stored in a tree structure
– network - records stored in blocks and areas structure
– distributed - records stored in network node structure
Structured Query Language (SQL) - a widely used language for accessing and manipulating data bases
• Aggregation - assembling technique for building a new object from two or more existing objects that support the new object’s required links
• Inference - ability to derive information not explicitly available from known information
• Polyinstantiation - a repeating process that produces multiple records of an object by replacing a variable with data values
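Polyinstantiation is easiest to see next to the inference problem it was designed to close. The following is an added example, not part of the deck: a constructed multilevel table in SQLite (through Python's sqlite3 module), with flight numbers, levels and clearances invented for the illustration. With a single-column key, a low-cleared writer who inserts a key that already exists at a higher level receives a uniqueness error and so infers that a classified row exists. Keying on (flight_no, level) lets a row per level coexist, and each reader's query returns only the highest row at or below that reader's clearance.

```python
import sqlite3

# Constructed example (not from the slides): a multilevel table in which the
# same flight number may exist once per classification level.
LEVEL_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

# Per flight, the highest-level row at or below the reader's clearance (:clr).
VISIBLE_SQL = """
    SELECT f.flight_no, f.destination, f.cargo, f.level
    FROM flights f JOIN levels l ON l.name = f.level
    WHERE l.rank <= :clr
      AND l.rank = (SELECT MAX(l2.rank)
                    FROM flights f2 JOIN levels l2 ON l2.name = f2.level
                    WHERE f2.flight_no = f.flight_no AND l2.rank <= :clr)
    ORDER BY f.flight_no
"""


def build_db(polyinstantiate=True):
    """Create an in-memory database with one classified row already present.

    polyinstantiate=True  -> key is (flight_no, level): one row per level allowed.
    polyinstantiate=False -> key is flight_no alone: the naive single-key design.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE levels (name TEXT PRIMARY KEY, rank INTEGER NOT NULL)")
    con.executemany("INSERT INTO levels VALUES (?, ?)", list(LEVEL_RANK.items()))
    key = "PRIMARY KEY (flight_no, level)" if polyinstantiate else "PRIMARY KEY (flight_no)"
    con.execute(f"""
        CREATE TABLE flights (
            flight_no   TEXT NOT NULL,
            destination TEXT NOT NULL,
            cargo       TEXT NOT NULL,
            level       TEXT NOT NULL REFERENCES levels(name),
            {key}
        )""")
    con.executemany("INSERT INTO flights VALUES (?, ?, ?, ?)", [
        ("F100", "Tromso", "equipment", "SECRET"),        # the real, classified row
        ("F200", "Lisbon", "supplies", "UNCLASSIFIED"),
        ("F300", "Lisbon", "fuel", "CONFIDENTIAL"),
    ])
    con.commit()
    return con


def insert_as(con, clearance, flight_no, destination, cargo):
    """Insert a row labelled with the writer's clearance.

    Returns True on success, False if a uniqueness violation blocks the write.
    The False case is the inference problem: a low-cleared writer learns that a
    row with that key already exists at a level it cannot read.
    """
    try:
        with con:  # commits on success, rolls back on error
            con.execute("INSERT INTO flights VALUES (?, ?, ?, ?)",
                        (flight_no, destination, cargo, clearance))
        return True
    except sqlite3.IntegrityError:
        return False


def visible(con, clearance):
    """Rows a reader at `clearance` sees; higher-level rows are simply absent."""
    return con.execute(VISIBLE_SQL, {"clr": LEVEL_RANK[clearance]}).fetchall()


if __name__ == "__main__":
    naive = build_db(polyinstantiate=False)
    print("naive insert succeeded:", insert_as(naive, "UNCLASSIFIED", "F100", "Oslo", "mail"))
    poly = build_db()
    print("polyinstantiated insert succeeded:", insert_as(poly, "UNCLASSIFIED", "F100", "Oslo", "mail"))
    for lvl in LEVEL_RANK:
        print(lvl, visible(poly, lvl))
```

The UNCLASSIFIED "Oslo" row is the cover story: it satisfies the low-cleared writer, while a SECRET reader still sees the Tromso row because the query keeps only the highest level visible to the reader for each flight. The same mechanism is what makes aggregation dangerous in the other direction: several low-level rows that are individually harmless may, combined, reveal what the higher-level row was meant to hide.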
Data warehouse - a storage facility comprising data from several data bases or pre-computed data to be used by users through query and analysis tools
Data mining - is a tool that uses structured queries along with an inference engine to extract information from data bases or data warehouses to match complex or relational information searches
Data Dictionary - a central repository of data elements and their relationships covering an organization's data bases, used for keeping data integrity
Object-Oriented Design - interconnects data items (objects) and operations in a modular fashion
• Object – a computational data structure defined by its class, each object has an operation and state that remembers its function
• Class - a generic description of an object type (i.e. template)
• Instance - an individual occurrence of an object
• Inheritance - object deriving data and functionality automatically from another object
– polymorphism – different objects responding to the same command in different ways
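The terms on this slide, rendered as a short Python program; this is an added example, not part of the deck. The audit-event classes, user names and severity values are constructed for the illustration.

```python
# Constructed example (not from the slides): class, instance, inheritance and
# polymorphism shown with audit-log records.

class AuditEvent:
    """Class: the template for one kind of object (a generic audit record)."""

    def __init__(self, user):
        self.user = user            # state: each instance remembers its own data
        self.reviewed = False

    def severity(self):
        """Operation; subclasses override it (polymorphism)."""
        return 1

    def mark_reviewed(self):
        self.reviewed = True        # the operation changes the object's state
        return self

    def summary(self):
        return f"{type(self).__name__} user={self.user} severity={self.severity()}"


class LoginFailure(AuditEvent):
    """Inheritance: __init__, mark_reviewed and summary come from AuditEvent."""

    def __init__(self, user, attempts):
        super().__init__(user)
        self.attempts = attempts    # extra state the subclass adds

    def severity(self):
        return 3 if self.attempts >= 5 else 1


class PrivilegeChange(AuditEvent):
    def __init__(self, user, new_role):
        super().__init__(user)
        self.new_role = new_role

    def severity(self):
        return 4 if self.new_role == "admin" else 2


def triage(events):
    """Send the same command, severity(), to objects of different classes and let
    each answer in its own way; return the events most severe first."""
    return sorted(events, key=lambda e: e.severity(), reverse=True)


if __name__ == "__main__":
    log = [AuditEvent("bob"), LoginFailure("alice", 7), PrivilegeChange("carol", "admin")]
    for ev in triage(log):          # instances of three classes handled uniformly
        print(ev.summary())
```

triage() never asks which class an event belongs to; the override of severity() in each subclass is what the slide calls polymorphism, and the inherited summary() and mark_reviewed() are the data and functionality obtained from the parent class.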
Knowledge-Based Systems
Knowledge-base system – programs that use inference, a knowledge base, and user input to identify patterns and reach conclusions
• Neural network
– network of many simple processors built similar to human brain
– network is connected by unidirectional communications channels
– training rule enables learning from examples and ability to do generalizations
• Fuzzy logic - process where decision process is not based on clear or absolute values
– uses set theory in which an element may have partial membership in a set
– doesn’t need a large amount of detailed information for decision process
• Expert system - artificial intelligence program that uses information from a knowledge expert to make decisions similar to a human one
– used to make consistent decisions
– used to keep an expert’s knowledge within an organization
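The expert system and fuzzy logic bullets above, combined in one working program; this is an added example, not part of the deck. The knowledge base (rules for triaging a user account), the fact names, the failure-count membership function and its threshold are all constructed for the illustration.

```python
# Constructed example (not from the slides): a small forward-chaining expert
# system whose knowledge base triages a user account, with one fuzzy input.

# Knowledge base: each rule is (set of facts that must hold, fact concluded).
RULES = [
    ({"failed_logins_high"}, "possible_brute_force"),
    ({"possible_brute_force", "login_from_new_country"}, "account_at_risk"),
    ({"success_after_failures"}, "credential_likely_compromised"),
    ({"credential_likely_compromised"}, "account_at_risk"),
    ({"account_at_risk", "mfa_enabled"}, "recommend_force_reauth"),
    ({"account_at_risk", "mfa_disabled"}, "recommend_lock_account"),
    ({"credential_likely_compromised"}, "recommend_lock_account"),
]


def membership_high_failures(failed_logins):
    """Fuzzy membership of a failure count in the set 'high': 0 at <= 2
    failures, 1 at >= 12, linear in between (partial membership)."""
    if failed_logins <= 2:
        return 0.0
    if failed_logins >= 12:
        return 1.0
    return (failed_logins - 2) / 10


def facts_from_input(failed_logins, new_country, mfa_enabled,
                     success_after_failures=False, threshold=0.5):
    """Turn user input into crisp facts; the fuzzy value is compared with a
    threshold before it enters the knowledge base."""
    facts = set()
    if membership_high_failures(failed_logins) >= threshold:
        facts.add("failed_logins_high")
    if new_country:
        facts.add("login_from_new_country")
    facts.add("mfa_enabled" if mfa_enabled else "mfa_disabled")
    if success_after_failures:
        facts.add("success_after_failures")
    return facts


def infer(facts, rules=RULES):
    """Forward-chaining inference: fire every rule whose conditions hold until
    no new fact appears. Returns (all known facts, list of rules fired)."""
    known = set(facts)
    fired = []
    changed = True
    while changed:
        changed = False
        for conditions, conclusion in rules:
            if conditions <= known and conclusion not in known:
                known.add(conclusion)
                fired.append((tuple(sorted(conditions)), conclusion))
                changed = True
    return known, fired


def recommendations(known):
    """The conclusions an operator would act on, in a stable order."""
    return sorted(f for f in known if f.startswith("recommend_"))


if __name__ == "__main__":
    facts = facts_from_input(failed_logins=7, new_country=True, mfa_enabled=True)
    known, fired = infer(facts)
    for cond, concl in fired:       # the chain of reasoning, rule by rule
        print(f"{' AND '.join(cond)} -> {concl}")
    print("recommendations:", recommendations(known))
```

The list of fired rules is the explanation facility: it shows which rules led to each recommendation, which is what makes the decisions consistent and reviewable. The fuzzy membership value lets a count such as 7 be "half high" rather than forcing an arbitrary hard cut-off in the rule itself.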
Application and System Attacks
• Virus – program that searches out other programs and infects them by embedding a copy of itself
• Backdoor – (trap door or wormhole) security bypass left in by designers
• Trojan horse – useful program containing hidden code exploiting the authorization process to violate security
• Logic bombs – surreptitiously inserted code causing application or OS to perform security compromising activity when specified conditions are met
• Worm – program that propagates itself over a network, reproducing itself en route
• Covert channel – communication channel violating access policy by allowing information transfer
• Covert storage channel – writing to storage by one process and reading by another
• Covert timing channel – one process signals to another by modulating its own system use
• Data contamination – corruption of data integrity by input data errors