LVISSA CISSP Course Winter 2017 Domain 8 (lvissa.org › mentor_slides)
TRANSCRIPT
![Page 1: LVISSA CISSP Course Winter 2017 Domain 8lvissa.org › mentor_slides › LVISSA CISSP Course Winter 2017...Both aspects (Functionality and Security) need to be looked at from the start](https://reader036.vdocuments.mx/reader036/viewer/2022062602/5ed416ac8d46b66d226370ce/html5/thumbnails/1.jpg)
Understand Software Development Life Cycle (SDLC)
Enforce security controls in the development environment
Assess the effectiveness of software security
Apply security across the landscape of the SDLC
CISSP approach for Software Development
Software Acquisition Security
Software Development Life Cycle (SDLC)
Security Controls in the Development Environment
Common Software Development Issues
Effectiveness of Software Security
Re-titled as “Security in the Software Development Life Cycle”
Why? Software is the prevalent interaction component
Mobility enables less direct access to “The System”
Software includes interaction across the entire life cycle of data
Combination of live and archived data
Often accesses hybrid-mesh (private and public) data across networking components that all run side-by-side
Integrity Model
Assurance Processes
Diagram (layered model of “The System”, roughly from the hardware up): Hardware; Hardware Interfaces and Hardware Abstraction Layer (HAL); Security Kernel / Reference Monitor; Hypervisor and Software Defined Network; System APIs; Common Application Base; Application APIs and Network APIs; Application Group / Suite made up of individual Programs.
Goals: Both aspects (Functionality and Security) need to be looked at from the start of the project
Security should be integrated in the entire product and be implemented in a layered approach
Data and data processing procedures must be accurate at all times
Proactive, not Reactive
Defines the phases of software development
Select model based on the project
Don’t “band-aid” security on top of an insecure solution
Expense of security “add-ons” increases exponentially during later stages of a project
Comprehensive analysis
Ensure system will meet end-user needs
Design system and software
Establish data input, flow, and output requirements
Design security features
Generate source code
Develop test scenarios and test cases
Conduct unit and integration testing
Document for maintenance
An independent group tests to ensure:
It will function within the organization’s environment
It meets all the functional and security requirements
Test data should include:
Data at the ends of the acceptable data ranges
Various points in between
Data beyond expected/allowable data points
Test with:
Known good data
Never live production data
Sanitized data
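Boundary-value test generation and test-data sanitization for the two points above, as an added Python example that is not part of the LVISSA slides. The input contract (an order quantity of 1..100), the off-by-one validator it catches, the pseudonymization key and the sample record are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumed input contract for the example: an order quantity must be 1..100 inclusive.
LOW, HIGH = 1, 100


def boundary_cases(lo: int, hi: int):
    """Test values at the ends of the allowed range, points in between, and points beyond it.
    Each entry is (value, expected_accept)."""
    return [
        (lo - 1, False),                    # just below the range
        (lo, True), (lo + 1, True),         # lower edge and its neighbour
        ((lo + hi) // 2, True),             # somewhere in the middle
        (hi - 1, True), (hi, True),         # upper edge and its neighbour
        (hi + 1, False),                    # just above the range
        (2**31, False), (-(2**31), False),  # far outside: huge and negative values
    ]


def validate_quantity_buggy(q: int) -> bool:
    return LOW <= q < HIGH                  # off-by-one: rejects the legal maximum


def validate_quantity(q: int) -> bool:
    return LOW <= q <= HIGH


def failing_cases(validator, cases):
    """Run the validator over the cases; return those where its verdict is wrong."""
    return [(v, expected) for v, expected in cases if validator(v) != expected]


# --- Test data: sanitized copies, never live production records ---
PSEUDONYM_KEY = b"test-environment-only-key"   # assumption: a key that exists only in the test environment
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


def _keyed_digest(field: str, value: str) -> str:
    return hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonym(field: str, value: str) -> str:
    """Keyed, deterministic replacement: the same real value always maps to the same fake
    one, so joins across tables still line up, but the original cannot be recovered."""
    return f"{field}_{_keyed_digest(field, value)[:10]}"


def fake_ssn(real: str) -> str:
    """Format-preserving replacement, so format validators are still exercised by test data."""
    n = int(_keyed_digest("ssn", real), 16) % 10**9
    digits = f"{n:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def sanitize_record(rec: dict) -> dict:
    """Copy of a production-shaped record with every identifying field replaced."""
    out = dict(rec)
    out["name"] = pseudonym("name", rec["name"])
    out["email"] = pseudonym("email", rec["email"]) + "@example.test"
    out["ssn"] = fake_ssn(rec["ssn"])
    return out
```

The boundary list is what makes the off-by-one visible: `validate_quantity_buggy` passes every interior and out-of-range case and fails only at the upper edge, which is exactly the value a test built from "typical" data never contains. The keyed pseudonyms keep the sanitized set internally consistent (the same person maps to the same fake name in every table) without leaving any production identifier in the test environment.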
Certification
Authorization
Obtain security accreditation
Train the new users
Implement the system
Periodic evaluations and audits
Changes must follow SDLC and be recorded
Focuses on quality management processes
Five maturity levels
ISO/IEC 90003:2004 (since superseded by ISO/IEC/IEEE 90003:2018; mostly focuses on TQM) is appropriate to software that is:
Part of a commercial contract with another organization
A product available for a market sector
Used to support the processes of an organization
Embedded in a hardware product, or
Related to software services
INSTRUCTIONS: Complete the table to compare the CMM and ISO.
                        CMM        ISO
Purpose
Most applicable for …
Monitor the performance of the system
Ensure continuity of operations
Detect defects or weaknesses
Manage and prevent system problems
Recover from system problems
Implement system changes
Successful change management requires:
Benefits management and realization
Effective communication
Effective education and training
Counter resistance
Monitoring of the implementation
Management technique that simultaneously integrates all essential acquisition activities through multidisciplinary teams
Develop and test against production-like systems
Deploy with repeatable, reliable processes
Monitor and validate operational quality
Amplify feedback loops
Prototyping
Modified Prototype Model (MPM)
Rapid Application Development (RAD)
Joint Analysis Development (JAD)
Exploratory Model
Computer-Aided Software Engineering (CASE)
Component-Based Development
Reuse Model
Extreme Programming
Combine models
Consider security
INSTRUCTIONS: Working with a partner, please note your assigned methods in the top row of the table.
                            Method 1:    Method 2:    Method 3:
Inappropriate circumstance
Best circumstance
A suite of application programs that typically manages large, structured sets of persistent data
Stores, maintains, and provides access to data using ad hoc query capabilities
The database engine itself
The hardware platform
Application software
Users
The database model describes the relationship between the data elements and provides a framework for organizing the data, covering:
Transaction Persistence
Fault Tolerance and Recovery
Sharing by Multiple Users
Security Controls
Oldest of the database models
Stores data in a series of records that have field values attached
Collects all the instances of a specific record together as a record type
Uses parent/child relationships through the use of trees
Useful for mapping 1:N relationships
Also called (in this material) the Distributed Database Model, but the two are distinct: the network model is about how records are linked, whereas a distributed database is one whose data is held in more than one physical database
Represents its data in the form of a network of records and sets that are related to each other
Records are the equivalent of rows in the relational model
Record types are sets of records of the same type
Data is stored in more than one database but relatively hierarchically
Useful for N:N relationships
Based on set theory and predicate logic
Provides a high level of abstraction
Tables or relations
Integrity rules
Data manipulation agents
Attributes
Tuple
Primary keys
Foreign key value
To solve the problems of concurrency and security within a database, the database must provide some integrity: entity integrity (every row has a unique, non-null primary key) and referential integrity (every foreign key value is null or matches an existing primary key)
Language in which users may issue commands
The main components of a database using SQL are:
Schemas
Tables
Views
Data Definition Language (DDL)
Data Manipulation Language (DML)
Data Control Language (DCL)
One of the most recent database models
Stores data as objects
INSTRUCTIONS: Match the database model with the correct description.
a. Hierarchical Database Model
b. Network Database Management Model
c. Relational Database Management Model
d. Object-Oriented Database Model
1. _____ Stores data in a series of records that have field values attached. It collects all the instances of a specific record together as a record type.
2. _____ Allows data to be structured in a series of tables that have columns representing the variables and rows that contain specific instances of data.
3. _____ One of the most recent database models.
4. _____ Represents data in the form of a network of records and sets that are related to each other, forming a network of links.
INSTRUCTIONS: Match the database model with the correct description.
a. Hierarchical Database Model
b. Network Database Management Model
c. Relational Database Management Model
d. Object-Oriented Database Model
1. __a__ Stores data in a series of records that have field values attached. It collects all the instances of a specific record together as a record type.
2. __c__ Allows data to be structured in a series of tables that have columns representing the variables and rows that contain specific instances of data.
3. __d__ One of the most recent database models.
4. __b__ Represents data in the form of a network of records and sets that are related to each other, forming a network of links.
Open Database Connectivity (ODBC)
Java Database Connectivity (JDBC)
eXtensible Markup Language (XML)
Object Linking and Embedding Database (OLE DB)
ActiveX Data Objects (ADO)
1. What is a markup language?
2. What is Object Linking and Embedding (OLE)?
3. What is the protocol that allows OLE to work?
4. What is JDBC?
1. What is a markup language? A system of symbols and rules to identify structures (format) in a document
2. What is Object Linking and Embedding (OLE)? A Microsoft technology that allows an object, such as an Excel spreadsheet, to be embedded in or linked to the inside of another object, such as a Word document
3. What is the protocol that allows OLE to work? The Component Object Model (COM)
4. What is JDBC? An API from Sun Microsystems (now Oracle) used to connect Java programs to databases
API security issues include:
Authentication of users
Authorization of users
Encryption
Protection of the data from unauthorized entry, accountability, and auditing
Availability of current data
There can be any number of layers
Three-tier approach is most typical:
Presentation layer
Business logic layer
Data layer
Microsoft high-level interface for all kinds of data
No configurable restrictions on its access to the underlying system: an ActiveX control is native code that runs with the full privileges of the user who loaded it
Newer browsers implement sandboxing and stronger ActiveX controls to help mitigate this vulnerability; current browsers other than legacy Internet Explorer do not load ActiveX controls at all
Metadata is useful because it provides:
Valuable information about the unseen relationships between data
The ability to correlate data that was previously considered unrelated
The keys to unlocking critical or highly important data inside the data warehouse
OLAP technologies provide an analyst with the ability to formulate queries and define further queries
As a first line of security to prevent unauthorized users from accessing the system, the DBMS should use:
Identification
Authentication
Authorization
Other forms of access controls
Locks are used for read and write access to specific rows of data in relational systems or objects in object-oriented systems
Atomicity - All or none
Consistency - Changes maintain consistency
Isolation - Pending transactions are invisible to others
Durability - When you say it’s done, it stays done
The ACID test: ALL CHANGES are INVISIBLE until DONE
View-Based Access Controls
Grant and Revoke Access Controls
Security for Object-Oriented (OO) Databases
Metadata Controls
Data Contamination Controls
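The integrity rules (entity and referential integrity), the ACID atomicity property and view-based access control from the preceding slides, shown together in one added Python/SQLite example that is not part of the LVISSA slides. The ledger schema, the two account rows and the `account_public` view are constructed for illustration; SQLite has no GRANT/REVOKE, so the step of granting the view (and only the view) to a reporting role is described in the note after the code rather than executed.

```python
import sqlite3

# Constructed schema: a tiny ledger with one sensitive column (ssn) and a view that hides it.
SCHEMA = """
CREATE TABLE account (
    id      INTEGER PRIMARY KEY,                   -- entity integrity: unique, non-null key
    owner   TEXT    NOT NULL,
    ssn     TEXT    NOT NULL,                      -- sensitive; never exposed through the view
    balance INTEGER NOT NULL CHECK (balance >= 0)  -- consistency rule the engine enforces
);
CREATE TABLE transfer (
    id     INTEGER PRIMARY KEY,
    src    INTEGER NOT NULL REFERENCES account(id), -- referential integrity
    dst    INTEGER NOT NULL REFERENCES account(id),
    amount INTEGER NOT NULL CHECK (amount > 0)
);
-- view-based access control: reporting users get SELECT on this view, not on account
CREATE VIEW account_public AS SELECT id, owner, balance FROM account;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs unless asked
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO account (id, owner, ssn, balance) VALUES (?, ?, ?, ?)",
        [(1, "alice", "123-45-6789", 100), (2, "bob", "987-65-4321", 50)],  # constructed rows
    )
    conn.commit()
    return conn


def referential_integrity_enforced(conn) -> bool:
    """A transfer to a non-existent account must be rejected by the engine itself."""
    try:
        with conn:
            conn.execute("INSERT INTO transfer (src, dst, amount) VALUES (1, 99, 10)")
    except sqlite3.IntegrityError:
        return True
    return False


def transfer(conn, src: int, dst: int, amount: int) -> bool:
    """Atomic transfer: the credit, the debit and the ledger row all commit, or none do.
    The credit is done first on purpose so a failing debit demonstrates the rollback."""
    try:
        with conn:  # BEGIN; COMMIT on success, ROLLBACK if any statement raises
            conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE id = ?", (amount, src))
            conn.execute("INSERT INTO transfer (src, dst, amount) VALUES (?, ?, ?)",
                         (src, dst, amount))
    except sqlite3.IntegrityError:
        return False  # CHECK or FK violation: the partial credit was rolled back
    return True


def balances(conn) -> dict:
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id").fetchall())


def view_columns(conn) -> list:
    """What a reporting user sees through the view: no ssn column exists for them."""
    cur = conn.execute("SELECT * FROM account_public")
    return [d[0] for d in cur.description]


def lookup_owner(conn, owner: str) -> list:
    """Parameterized query: a user-supplied value is data, never part of the statement."""
    return conn.execute(
        "SELECT id, owner, balance FROM account_public WHERE owner = ?", (owner,)
    ).fetchall()
```

In a server RDBMS the same design is completed with DCL: `GRANT SELECT ON account_public TO reporting_role` and no grant at all on `account`, so the view is the only path a reporting user has to the data. The `transfer` function is the atomicity check in miniature: an overdraft trips the `CHECK (balance >= 0)` rule on the second statement, and the `with conn:` block rolls the already-applied credit back, leaving the balances exactly as they were.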
Data processing system facilitating and managing transaction-oriented applications
The security concerns for OLTP systems are:
Concurrency
Atomicity
A key feature of knowledge management is application of artificial intelligence techniques to decision support
Mathematical, statistical, and visualization method of identifying valid and useful patterns in data
Protecting the knowledge base
Routinely verifying decisions
Changes to the rules must go through a change control process
Additional and different queries to verify the information
Making risk management decisions
Developing a baseline of expected performance from the analytical tool
Most attacks are conducted at the application level
Designed to be widely accessible
Usually heavily advertised
Administrators often turn off logging
Not well suited to protection by traditional firewalls and intrusion detection systems, because the application must be reachable over HTTP(S) and attacks ride inside otherwise legitimate-looking requests
Particular assurance sign-off process for web servers
Harden operating system of such servers
Extend web and network vulnerability scans prior to deployment
Passively assess IDS and IPS technology
Use application proxy firewalls
Disable unnecessary documentation and libraries
Remove or appropriately secure administrative interfaces
Only allow access from authorized hosts or networks
Do not hard code the authentication credentials
Use account lockout and extended logging and audit
Ensure the interface is at least as secure as the rest of the application
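The administrative-interface controls listed above (authorized hosts only, no hard-coded credentials, account lockout, audit logging) as an added Python example that is not part of the LVISSA slides. The environment variable name `ADMIN_PASSWORD_HASH`, the `10.0.0.0/8` management network, the five-failure threshold and the 15-minute lockout are assumptions chosen for the example; the injectable clock exists so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import ipaddress
import logging
import os
import time

log = logging.getLogger("admin-interface")

MAX_FAILURES = 5            # assumption: failures before the account locks
LOCKOUT_SECONDS = 900       # assumption: 15-minute lockout
PBKDF2_ITERATIONS = 100_000


def make_hash(password: str, salt=None) -> str:
    """Salted PBKDF2 hash; this string is what gets stored, never the password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def stored_hash_from_env() -> str:
    """Credential hash comes from the deployment environment (assumed variable name).
    Deliberately no default: a missing secret is a startup error, not a fallback password."""
    try:
        return os.environ["ADMIN_PASSWORD_HASH"]
    except KeyError:
        raise RuntimeError("ADMIN_PASSWORD_HASH is not set; refusing to start without a credential")


class AdminGate:
    """Front door for an administrative interface: host allow-list, lockout, audit log."""

    def __init__(self, stored_hash: str, allowed_nets, clock=time.monotonic):
        self.stored_hash = stored_hash
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.clock = clock                    # injectable so the lockout window is testable
        self.failures = {}                    # username -> (failure_count, locked_until)

    def host_allowed(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.allowed_nets)

    def attempt(self, username: str, password: str, src_ip: str) -> str:
        """Returns one of: forbidden_host, locked, denied, ok. Every outcome is logged."""
        if not self.host_allowed(src_ip):
            log.warning("admin login refused: unauthorized host user=%s src=%s", username, src_ip)
            return "forbidden_host"
        count, locked_until = self.failures.get(username, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            log.warning("admin login refused: account locked user=%s src=%s", username, src_ip)
            return "locked"
        if verify_password(password, self.stored_hash):
            self.failures.pop(username, None)  # success clears the failure counter
            log.info("admin login ok user=%s src=%s", username, src_ip)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[username] = (0, now + LOCKOUT_SECONDS)
            log.warning("admin account locked user=%s src=%s failures=%d", username, src_ip, count)
            return "locked"
        self.failures[username] = (count, 0.0)
        log.warning("admin login failed user=%s src=%s failures=%d", username, src_ip, count)
        return "denied"
```

The order of the checks matters: the source network is tested before anything else so that off-network guessing never touches the credential store, and the lock is checked before the password so a locked account gives the same answer to a correct guess as to a wrong one. In production, `AdminGate(stored_hash_from_env(), ["10.0.0.0/8"])` wires the gate to the deployment's secret rather than to anything in the source tree.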
Development Guide
Code Review Guide
Testing Guide
Top Ten Web Application Security Vulnerabilities
OWASP Mobile
The objective of information security is to make sure:
That the system and its resources are available when needed
That the integrity of the processing of the data and the data itself is ensured
That the confidentiality of the data is protected
More distributed
Substantial increase in open protocols, interfaces, and source code
Increased sharing requires increased protection
More complex
Page 71
Linus’s law:
With sufficiently many eyeballs looking at
the code, all bugs will become apparent
Page 72
INSTRUCTIONS
With a partner, discuss your thoughts on whether open source leads to quick identification and repair of issues.
Page 73
Individuals who find security
vulnerabilities will publicly disseminate
the information
Page 74
This environment begins with the standard model of hardware resources, with items such as:
Central processing unit (CPU)
Memory
Input/output (I/O) requests
Storage devices
Page 75
A programming language is a set of
rules telling the computer what
operations to perform
Page 76
First generation (Machine)
Second generation (Assembly)
Third generation (High-Level)
Fourth generation (Report Gens)
Fifth generation (Natural Lang)
Page 77
Higher-level languages
Machine language
Directive patterns
Page 78
Page 79
Page 80
Page 81
Verifier
Class Loader
Security Manager
Page 82
Java Certification Path API
Java GSS-API
Java Authentication and Authorization Service (JAAS)
Java Cryptography Extension (JCE)
Java Secure Socket Extension (JSSE)
Page 83
Encapsulation
Inheritance
Polymorphism
Polyinstantiation
Page 84
Specific objects, instantiated from a higher class, may vary
their behavior depending upon the data they contain
Page 85
Encapsulation
Polyinstantiation
Page 86
Allow applications to be divided into components that can exist in different
locations
Page 87
A set of standards that addresses the need for
interoperability between hardware and software
Page 88
When reviewing implementations, consider:
Supported CORBA security features
CORBA security administration
Access control mechanisms
Tools for capturing and reviewing audit logs
Any technical evaluations
Page 89
A software library consists of pre-written
code, classes, procedures, scripts, and
configuration data
Page 90
Increased Dependability
Reduced Process Risk
Effective Use of Specialists
Standards Compliance
Accelerated Development
Page 91
A standard library in computer programming is the library made available across implementations of a programming language
Page 92
The C standard library
The C++ standard library
The Framework Class Library (FCL)
The Java Class Library (JCL)
The Ruby standard library
Page 93
A program or application that software developers use to create, debug, maintain, or
otherwise support other programs and applications
Page 94
Combine the features of many tools
Maximize programmer productivity
Page 95
A runtime system exhibits the behavior of the
constructs of a computer language
Page 96
Based on the principle of representing oneself as someone who needs or
deserves the information to gain access to the system
Page 97
INSTRUCTIONS
Review each of the security weaknesses/threats on your own and write a brief, simple explanation after each one
Buffer Overflow
Citizen Programmers
Covert Channel
Malformed Input Attacks
Memory Reuse (Object Reuse)
Executable Content/Mobile Code
Time of Check/Time of Use (TOC/TOU)
Between-the-Lines Attack
Trapdoor/Backdoor
Page 98
Designed to analyze source code to help find
security flaws
Used in software development phase
Page 99
Scale well
Output is good for developers
Page 100
Many security vulnerabilities are difficult to find automatically
False positives
Frequently cannot find configuration issues
Difficult to prove actual vulnerability
Difficulty analyzing code that cannot be compiled
Page 101
Google CodeSearchDiggity
FindBugs
FxCop (Microsoft)
PMD
PreFast (Microsoft)
RATS (Fortify)
OWASP SWAAT Project
Flawfinder
RIPS
Brakeman
Codesake Dawn
VCG
Page 102
IBM Security AppScan Source Edition
Insight (KlocWork)
Parasoft Test
Seeker
Source Patrol (Pentest)
Static Source Code Analysis with CodeSecure
Static Code Analysis (Checkmarx)
Security Advisor (Coverity)
Veracode
Page 103
Can compromise programs and data to the point where they are no longer available
Generally uses the resources of the system it has attacked
Viruses are the largest class of malware
Page 104
A program written with functions and intent to copy and disperse itself without
the knowledge and cooperation of the owner or
user of the computer
Page 105
File Infectors
Boot Sector Infectors
System Infectors
Companion Virus
E-mail Virus
Multipartite
Macro Virus
Script Virus
Page 106
Worms
Hoaxes
Trojans
DDoS Zombies
Logic Bombs
Spyware and Adware
Pranks
Botnets
Page 107
INSTRUCTIONS
Working with your partner or small group, review your assigned malware type and prepare to share it with the rest of the group
Please include the following in your introduction:
Definition
Example
Ideas about how to avoid and/or overcome this type of malware
Page 108
Do not double-click on attachments
Describe the content of attachments
Do not blindly use the most widely used products as a company standard
Disable Windows Script Host, ActiveX, VBScript, and JavaScript
Do not send HTML-formatted e-mail
Use more than one scanner, and scan everything
Page 109
Scanners
Heuristic Scanners
Activity Monitors
Change Detection
Reputation Monitoring/Zero-day/Zero-hour
Antimalware Policies
Page 110
Collection of all of the hardware, software, and controls within a computer system that can be trusted to adhere to the security policy
Page 111
Ensures any subject attempting to
access any object has the appropriate
rights to do so
Protects the object from unauthorized
access attempts by bad actors
Page 112
Made up of all of the components of the TCB and it is responsible for
implementing and enforcing the reference
monitor
Page 113
Protect the processor and the activities
that it performs
Privilege levels are typically
referenced in a ring structure
Page 114
A buffer overflow:
Is caused by improper bounds checking on input to a program
Must be corrected by the programmer or by directly patching system memory
Page 115
The lack of parameter
checking can lead to buffer overflow
attacks
Operating systems should offer some
type of buffer management
Page 116
Ensure that multiple processes do not attempt
to access the same system resources at the
same time
Page 117
Interrupts allow the operating system to ensure that a process is given enough time to access the CPU when necessary to carry out its required functions
Page 118
Encapsulating a process means that no other
process is able to understand or interact with the internal programming
code of the process
Page 119
Allows the operating system to provide structured access
to processes that need to use resources according to a
tightly managed schedule
Page 120
Ensure that each process is assigned a unique identity
within the context of the operating system
Page 121
Page 122
Allows each process to have access to its own
memory space as it executes
Enforced through the operating
system’s use of the memory manager
Page 123
Provide an abstraction level for programmers
Maximize performance with the limited amount
of memory available
Protect the operating system and applications
once they are loaded into memory
Page 124
Relocation
Protection
Sharing
Logical organization
Physical organization
Page 125
Allow the operating system to make sure that a process is only able to interact with the defined
memory segments
Page 126
Access kernel components only while in kernel mode
ASLR and process isolation
Data execution prevention (DEP)
Use of ACLs to protect shared memory
Page 127
Inspection of shared communication channels that could allow two cooperating processes to transfer information in a way that violates the system’s security policy
Page 128
Cryptographic techniques protect the confidentiality
and integrity of information
Page 129
Encrypting stored passwords with hashes, and using overstrike masking within application interface
Page 130
If there is not enough granularity of security, users may be able to gain more access permission than needed
Page 131
Development environment
Quality assurance environment
Application (production) environment
Page 132
If there are multiple threads of execution occurring at the same time, a TOC/TOU attack is possible
Attack takes advantage of event timing dependencies in a multitasking operating system
To avoid TOC/TOU attacks, the operating system should use software locking
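The race described on this slide, and the fix, as an added example in Python (not part of the course slides): a reader that checks a path with stat() and then opens the path again, beside a reader that opens once and checks the descriptor it holds. The function and file names are assumptions of the demonstration.

```python
"""Time-of-check/time-of-use (TOC/TOU) on a file path.

Added example, not from the course slides: the racy check-then-use pattern
beside the fix that checks and uses one open file descriptor. Function and
file names are assumptions of this demonstration.
"""
import os
import stat
import tempfile
from typing import Optional


def read_trusted_file_racy(path: str) -> bytes:
    """Racy: stat() the path, then open() the path again.

    Between the check and the use, another thread or process can replace
    the path with a symlink to a different file, so the check says nothing
    about what open() will actually return.
    """
    st = os.stat(path)                        # time of check (follows symlinks)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("not a regular file")
    with open(path, "rb") as fh:              # time of use: path resolved again
        return fh.read()


def read_trusted_file_safe(path: str, expected_uid: Optional[int] = None) -> bytes:
    """Fixed: open once, then check the descriptor with fstat().

    O_NOFOLLOW refuses a symlink at the final path component, and every
    property is checked on the object that was actually opened, so nothing
    can be swapped in between the check and the read. This is the file
    equivalent of the slide's "software locking": check and use happen on
    one held handle instead of two independent path lookups.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)                 # single resolution of the path
    try:
        st = os.fstat(fd)                     # check the opened object itself
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise ValueError("unexpected file owner")
        with os.fdopen(fd, "rb") as fh:
            fd = -1                           # the file object now owns the fd
            return fh.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> dict:
    """Constructed scenario: a regular file and a symlink that points at it.

    The symlink stands in for the swap that the race would allow; the racy
    reader accepts it, the fixed reader refuses it at open() time.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "settings.conf")
        link = os.path.join(tmp, "settings.link")
        with open(real, "wb") as fh:
            fh.write(b"config=1\n")
        os.symlink(real, link)

        results["regular_safe"] = read_trusted_file_safe(real, os.getuid())
        # stat() and open() both follow the link, so the racy check passes.
        results["symlink_racy"] = read_trusted_file_racy(link)
        try:
            read_trusted_file_safe(link)
            results["symlink_safe"] = "accepted"
        except OSError:                       # ELOOP: O_NOFOLLOW refused the link
            results["symlink_safe"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```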
Page 133
Some of the ways attackers can try to use social influence over users include:
Subtle intimidation
Bluster
Pulling rank
Exploiting guilt
Pleading for special treatment
Exploiting a natural desire to be helpful
Appealing to an underling’s subversive streak
Page 134
Backing up operating system and application software ensures productivity in the event of a system crash
Operational copies of software should be available in the event of a system crash
Page 135
Analysis of program code to determine or
provide evidence for the intent or authorship of a
program
Page 136
Examples of threats to resources include:
Disclosure of information
Denial-of-service (DoS) attacks
Damaging or modifying data
Annoyance attacks
Page 137
Provides a protective area for program execution
Page 138
Type-safe language:
Method of providing safe execution of programs
Ensures that arrays stay in bounds, the pointers are always valid, and code cannot violate variable typing
Page 139
Goal is to guarantee integrity, availability, and
usage of the correct version of all system
components
Page 140
The set of artifacts (configuration items) under the jurisdiction of CM
How artifacts are named
How artifacts enter and leave the controlled set
How an artifact under CM is allowed to change
How different versions of an artifact under CM are made available
How CM tools are used to enable and enforce CM
Page 141
Protect shared software from unauthorized modification
with policies, developmental controls, and life cycle
controls
Page 142
Spend a few minutes studying the measures provided:
Note the ones that will be of particular value in your organization
Note one or more concerns and issues that may not fit under these measures
Page 143
Application Programming Interfaces
Are the connectors for the Internet of Things (IoT), allowing our devices to speak to each other
The “unknown, unseen force”
Page 144
A means of expressing specific entities in a system by URL path elements
Allows interaction with a web-based system via simplified URLs
Page 145
API security
• Employ the same security mechanisms for your APIs as for any web application your organization deploys
• Do not design and implement your own security solutions; use vetted standards and libraries
• Unless your API is a free, read-only public API, do not use single key-based authentication
• Do not pass unencrypted static keys
• Use HMAC: sign each request with a keyed hash over its contents so that the secret itself never travels over the wire
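As an added illustration of the “Use HMAC” and “do not pass static keys” points (example code, not from the course slides), the following Go program signs and verifies an API request with HMAC-SHA256. The key ID, secret, header names, request path, sample payload and the five-minute clock-skew window are all assumptions of the example. Binding the method, path, timestamp and a hash of the body into the signed string is what stops a captured signature from being replayed against a different request or outside the time window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Hypothetical values for this example only; a real deployment would load
// the secret from a vault and the key ID from the client's registration.
const (
	keyID   = "client-42"
	secret  = "constructed-demo-secret-do-not-reuse"
	maxSkew = 5 * time.Minute
)

// canonical builds the exact byte string both sides sign. Including the
// method, path, timestamp and a body hash ties the signature to this
// particular request.
func canonical(method, path string, ts int64, body []byte) string {
	bodyHash := sha256.Sum256(body)
	return strings.Join([]string{
		strings.ToUpper(method),
		path,
		strconv.FormatInt(ts, 10),
		hex.EncodeToString(bodyHash[:]),
	}, "\n")
}

// Sign produces the value a client sends in a signature header. Only the
// signature and the key ID are transmitted; the secret never is.
func Sign(secret, method, path string, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(canonical(method, path, ts, body)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify is the server-side check: reject stale timestamps (replay), then
// recompute the MAC from the request actually received and compare it in
// constant time so the comparison leaks nothing about the expected value.
func Verify(secret, method, path string, ts int64, body []byte, sig string, now time.Time) error {
	if d := now.Sub(time.Unix(ts, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside allowed window (possible replay)")
	}
	expected := Sign(secret, method, path, ts, body)
	if !hmac.Equal([]byte(expected), []byte(sig)) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	now := time.Now()
	body := []byte(`{"amount":100,"to":"acct-7"}`) // constructed sample payload
	ts := now.Unix()
	sig := Sign(secret, "POST", "/v1/transfer", ts, body)
	fmt.Println("X-Key-ID:", keyID)
	fmt.Println("X-Signature:", sig)

	// A faithful copy of the request verifies.
	fmt.Println("valid:   ", Verify(secret, "POST", "/v1/transfer", ts, body, sig, now))
	// A tampered body fails because the body hash is part of the signed string.
	fmt.Println("tampered:", Verify(secret, "POST", "/v1/transfer", ts, []byte(`{"amount":9999,"to":"acct-7"}`), sig, now))
	// The same request replayed an hour later fails the timestamp check.
	fmt.Println("replayed:", Verify(secret, "POST", "/v1/transfer", ts, body, sig, now.Add(time.Hour)))
}
```

Pair the timestamp window with a server-side nonce cache if replays inside the window matter for your API; the window alone only bounds how long a captured request stays useful.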
Page 146
Common API authentication mechanisms:
• Basic Authentication with TLS
• OAuth 1.0a
• OAuth 2.0
Page 147
“RESTful web services should use session-based authentication, either by establishing a session token via a POST or using an API key as a POST body argument or as a cookie. Usernames and passwords, session tokens, and API keys should not appear in the URL, as this can be captured in web server logs and makes them intrinsically valuable….”
Page 148
Page 149
Certification and accreditation (C&A)
• Federal agencies are mandated to conduct security certification testing
• The certification process is followed by authorization (accreditation)
Page 150
The revised process (the Risk Management Framework, RMF) emphasizes:
• Building information security capabilities
• Maintaining awareness
• Providing essential information to senior leaders
Page 151
The risk management process changes the traditional focus of C&A from a static, procedural activity to a more dynamic approach.
Page 152
The RMF:
• Encourages the use of automation
• Integrates information security
• Emphasizes selection, implementation, assessment, and monitoring of security controls
• Links risk management processes at the information-system level to risk management processes at the organization level
• Establishes responsibility and accountability for security controls
Page 153
Which characteristic(s) embody the dynamic nature of the RMF compared with a more traditional approach? Why?
Page 154
Why private organizations may choose certification:
• Control framework
• Low overhead
• Use of standards
• Includes all aspects of a system’s security
Page 155
With a partner, discuss whether or not you think it’s a good idea for private organizations to pursue certification.
Page 156
Systems and network device reporting is important to the overall health and security of systems.
Page 157
Logs:
• Are records of actions and events that have taken place on a computer system
• Provide a clear view of who owns a process, what action was initiated, when it was initiated, where the action occurred, and why the process ran
• Are the primary record keepers of system and network activity
Page 158
The enterprise should have auditing policies in place that effectively and efficiently collect information regarding critical events in the form of logs, and that manage those logs appropriately.
Page 159
Logging guidance and references:
• Vendor guidance: VMware, Microsoft, Oracle, and Cisco
• NIST SP 800-92, Guide to Computer Security Log Management
• NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• CERT-IN Security Guidance CISG-2008-01
Page 160
• Information integrity
• Information accuracy
• Character checks
• Relationship checks
• Transaction limits
• Information auditing
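Added example, not part of the course material: what character checks, relationship checks, transaction limits and information auditing look like as code, applied to a constructed funds-transfer record. The record’s field names, the account-ID format, the 10,000.00 per-transfer cap and the audit-line layout are assumptions of the example. The validator collects every violation rather than stopping at the first, so the audit record shows the full picture of what was wrong.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// Transfer is a constructed sample record; the field names are
// assumptions for this example and do not come from the slides.
type Transfer struct {
	FromAccount string
	ToAccount   string
	AmountCents int64
	Requested   time.Time
	Execute     time.Time
}

// Character check: an allow-list pattern. Account IDs must be exactly
// "ACCT-" plus six digits, which rejects quotes, separators and other
// injection characters by construction rather than by enumeration.
var accountID = regexp.MustCompile(`^ACCT-[0-9]{6}$`)

// Transaction limit: assumed per-transfer cap of 10,000.00.
const maxAmountCents int64 = 1_000_000

// Validate applies each control and returns every failure found.
func Validate(t Transfer) []error {
	var errs []error

	// Character checks
	if !accountID.MatchString(t.FromAccount) {
		errs = append(errs, fmt.Errorf("from account %q fails character check", t.FromAccount))
	}
	if !accountID.MatchString(t.ToAccount) {
		errs = append(errs, fmt.Errorf("to account %q fails character check", t.ToAccount))
	}

	// Relationship checks: fields must be consistent with each other
	if t.FromAccount == t.ToAccount {
		errs = append(errs, errors.New("relationship check: source and destination are the same account"))
	}
	if t.Execute.Before(t.Requested) {
		errs = append(errs, errors.New("relationship check: execution date precedes request date"))
	}

	// Transaction limits
	if t.AmountCents <= 0 {
		errs = append(errs, errors.New("transaction limit: amount must be positive"))
	}
	if t.AmountCents > maxAmountCents {
		errs = append(errs, fmt.Errorf("transaction limit: %d exceeds cap of %d", t.AmountCents, maxAmountCents))
	}
	return errs
}

// AuditLine renders an information-auditing record (what was checked,
// when, and the outcome) in a single line a log pipeline can ingest.
func AuditLine(t Transfer, errs []error, at time.Time) string {
	outcome := "ACCEPTED"
	if len(errs) > 0 {
		outcome = fmt.Sprintf("REJECTED(%d)", len(errs))
	}
	return fmt.Sprintf("%s integrity-check from=%s to=%s amount=%d result=%s",
		at.UTC().Format(time.RFC3339), t.FromAccount, t.ToAccount, t.AmountCents, outcome)
}

func main() {
	now := time.Date(2017, 1, 15, 9, 0, 0, 0, time.UTC)
	good := Transfer{"ACCT-000123", "ACCT-000456", 250_00, now, now.Add(24 * time.Hour)}
	// Constructed bad record: injection attempt in the ID, amount over the
	// cap, and an execution date before the request date.
	bad := Transfer{"ACCT-0001'; DROP TABLE", "ACCT-000456", 5_000_000, now, now.Add(-time.Hour)}
	for _, tr := range []Transfer{good, bad} {
		errs := Validate(tr)
		fmt.Println(AuditLine(tr, errs, now))
		for _, e := range errs {
			fmt.Println("   ", e)
		}
	}
}
```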
Page 161
Risk: an event that has a probability of occurring and could have either a positive or negative impact on a project should that risk occur.
Page 162
Example:
• Cause: Reduction in assigned personnel to design a project
• Risk event: The assigned personnel may not be adequate for the activity
• Impact: If that event occurs, there may be an impact on the project cost, schedule, or performance
Page 163
Risk management is an ongoing process that continues through the life of a project. It includes processes for:
• Risk management planning
• Identification
• Analysis
• Monitoring
• Control
Page 164
When a risk is identified, it is:
1. Assessed to ascertain:
   • The probability of occurring
   • The degree of impact to the schedule, scope, cost, and quality
2. Prioritized
Page 165
The assignment of risk priority is based on:
• The probability of occurrence
• The number of categories impacted
• The degree (high, medium, low) to which they impact the project
Page 166
Risk register: a document that records, for each risk:
• The risk statement
• Mitigation steps
• A contingency plan
Page 167
Contingency plans implemented prior to the risk occurring are pre-emptive actions intended to reduce the impact.
Page 168
Monitor all risks on a scheduled basis.
Page 169
• Integrate analysis and strategy into the SDLC
• Use standardized methods
• Track and manage weaknesses
• Memorialize resultant risk decisions
Page 170
Implement policies and procedures to limit vulnerabilities by applying applicable vendor patches.
Page 171
Ensure a patch management solution is architected and implemented.
Page 172
Patch deployment practices:
• Use a change control process
• Read all related documentation
• Test before deploying
• Have a working backup and schedule production downtime
• Always have a back-out plan
• Forewarn the help desk and key user groups
• Target non-critical servers first
Page 173
Not all findings need to be mitigated; a risk may be accepted. When it is, you must be in a position to provide:
• The finding
• How the risk was determined
• The remediation cost details
Page 174
Hazard and failure analysis methods:
• Ishikawa diagrams
• P-diagrams
• Preliminary Hazard Analysis (PHA)
• Failure Mode and Effects Analysis (FMEA)
• Failure Mode, Effects and Criticality Analysis (FMECA)
• Hazard Analysis and Critical Control Points (HACCP)
Page 175
When mitigations are implemented, they must be tested. Development environments are supported with testing teams and quality assurance.
Page 176
Security findings should be addressed the same as any other change request. The developer or system owner does not declare the risk mitigated without concurrence from independent verification and validation (IV&V).
Page 177
• Code signing: a technique that can be used to:
  ‒ Ensure code integrity
  ‒ Determine who developed a piece of code
  ‒ Determine the purposes for which a developer intended a piece of code to be used
• Certificates: digital certificates that help protect users from downloading compromised files or applications
Page 178
A code signature consists of three parts:
• Seal: a collection of hashes of the code, so any later change to the code is detectable
• Digital signature: signs the seal so that it cannot be altered without the signer’s private key
• Unique identifier: identifies the code and its origin
Page 179
Code signing:
• Cannot guarantee that a piece of code is free of security vulnerabilities
• Cannot guarantee that an app will not load unsafe or altered code during execution
• Is not a DRM or copy protection technology
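Added example covering pages 177 to 179, not part of the course material: a minimal code-signing flow in Go, with the seal as a SHA-256 hash of the code, an Ed25519 signature over the seal, and a publisher identifier looked up in a trust store. The key pair is generated on the spot and the publisher names are made up; in place of the CA-issued certificates a real loader would validate, the trust store here is a plain map. The run also shows the limit stated above: the sample “program” verifies cleanly even though what it does is unsafe, because a signature only proves who sealed the bytes and that they are unchanged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signer is a publisher identity. The key pair is generated fresh here,
// standing in for a certificate chained to a CA (an assumption of the example).
type Signer struct {
	ID   string // hypothetical publisher name
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewSigner(id string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{ID: id, priv: priv, Pub: pub}, nil
}

// TrustStore maps publisher identifiers to the public keys a loader trusts.
type TrustStore map[string]ed25519.PublicKey

func (t TrustStore) Trust(s *Signer) { t[s.ID] = s.Pub }

// SignedArtifact bundles the code, its seal, the signature over the seal,
// and the identifier of who signed it: the three parts listed on page 178.
type SignedArtifact struct {
	Code      []byte
	Seal      [32]byte
	Signature []byte
	SignerID  string
}

// Sign hashes the code into the seal and signs the seal, which is what
// code-signing tools do rather than signing the raw bytes directly.
func (s *Signer) Sign(code []byte) SignedArtifact {
	seal := sha256.Sum256(code)
	return SignedArtifact{
		Code:      code,
		Seal:      seal,
		Signature: ed25519.Sign(s.priv, seal[:]),
		SignerID:  s.ID,
	}
}

// Verify is what a loader does before trusting code: look up the claimed
// publisher, recompute the seal from the bytes it actually holds, and
// check the signature over the seal with the trusted key.
func Verify(a SignedArtifact, trusted TrustStore) error {
	pub, ok := trusted[a.SignerID]
	if !ok {
		return fmt.Errorf("unknown signer %q", a.SignerID)
	}
	if sha256.Sum256(a.Code) != a.Seal {
		return errors.New("seal mismatch: code modified after signing")
	}
	if !ed25519.Verify(pub, a.Seal[:], a.Signature) {
		return errors.New("signature invalid: seal not signed by claimed publisher")
	}
	return nil
}

func main() {
	publisher, err := NewSigner("example-vendor") // hypothetical publisher
	if err != nil {
		panic(err)
	}
	trusted := TrustStore{}
	trusted.Trust(publisher)

	// Constructed "program" that fetches and runs code at runtime. It verifies,
	// because the publisher signed it; the signature says nothing about safety.
	code := []byte("load_plugin_from('http://example.invalid/plugin.bin')")
	art := publisher.Sign(code)
	fmt.Println("intact:          ", Verify(art, trusted))
	fmt.Println("seal:            ", hex.EncodeToString(art.Seal[:]))

	// Flip one byte after signing: the seal no longer matches the code.
	tampered := art
	tampered.Code = append([]byte{}, art.Code...)
	tampered.Code[0] ^= 0xff
	fmt.Println("tampered:        ", Verify(tampered, trusted))

	// A signer the loader does not trust is rejected even with a valid signature.
	rogue, _ := NewSigner("rogue")
	fmt.Println("untrusted signer:", Verify(rogue.Sign(code), trusted))
}
```

The trust-store lookup is the step that turns “this seal was signed by some key” into “this came from a publisher we accept”; without it, anyone can generate a key and self-sign, as the rogue case shows.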
Page 180
Whenever developers change or modify their software, even a small tweak can have unexpected consequences.
Page 181
Regression testing:
• Tests existing software applications to make sure that a change or addition has not broken any existing functionality
• Catches bugs that may have been accidentally introduced into a new build or release candidate
• Ensures that previously eradicated bugs continue to stay dead
Page 182
Regression testing strategies:
• Test fixed bugs promptly
• Watch for side effects of fixes
• Write a regression test for each bug fixed
• If two or more tests are similar, get rid of the less effective one
• Archive tests that the program consistently passes
• Focus on functional issues, not design issues
• Make changes to data and find any resulting corruption
• Trace the effects of the changes on program memory
Page 183
INSTRUCTIONS: Work with a partner to identify at least three more strategies for success.
Page 184
Develop a standard battery of test cases that can be run every time a new version of the program is built.
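Added example, not the slides’ own material, of the “standard battery” and “one regression test per fixed bug” ideas applied to a security fix: a table with one case per previously fixed path-traversal bug, run against both the original trusting path join and its fixed form. The bug labels, sample paths and document root are constructed for the example; each guard in the fixed function is tied to the label that pins it, so removing a guard fails the battery instead of silently reopening the hole.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// JoinFunc maps a user-supplied relative path onto a directory under root.
type JoinFunc func(root, userPath string) (string, error)

// naiveJoin is the "before" version: it trusts the input completely.
func naiveJoin(root, userPath string) (string, error) {
	return filepath.Join(root, userPath), nil
}

// SafeJoin is the fixed version. The BUG labels are constructed for this
// example and name the regression case that pins each guard.
func SafeJoin(root, userPath string) (string, error) {
	if strings.ContainsRune(userPath, 0) { // BUG-3: NUL truncation
		return "", errors.New("NUL byte in path")
	}
	p := strings.ReplaceAll(userPath, `\`, "/") // BUG-2: backslash separators
	if strings.HasPrefix(p, "/") { // BUG-4: absolute path
		return "", errors.New("absolute path not allowed")
	}
	p = filepath.Clean(p)
	if p == ".." || strings.HasPrefix(p, "../") { // BUG-1: traversal
		return "", fmt.Errorf("path %q escapes root", userPath)
	}
	return filepath.Join(root, p), nil
}

type regressionCase struct {
	id      string // constructed labels, not real bug-tracker entries
	input   string
	wantErr bool
}

// One entry per fixed bug, plus baseline cases so the battery also proves
// that legitimate paths still work after each fix.
var regressionCases = []regressionCase{
	{"BUG-1 classic traversal", "../../etc/passwd", true},
	{"BUG-1 traversal after a valid prefix", "docs/../../secret.txt", true},
	{"BUG-2 backslash traversal", `..\..\windows\win.ini`, true},
	{"BUG-3 NUL truncation", "report.pdf\x00.sh", true},
	{"BUG-4 absolute path", "/etc/shadow", true},
	{"baseline plain file", "docs/readme.txt", false},
	{"baseline dot segments that stay inside", "docs/./a/../readme.txt", false},
}

// RunRegression runs the whole battery against one implementation and
// returns the IDs that fail. A case fails when the error outcome differs
// from what the fix established, or when a returned path leaves root.
func RunRegression(join JoinFunc, root string) []string {
	var failed []string
	for _, c := range regressionCases {
		out, err := join(root, c.input)
		gotErr := err != nil
		escaped := !gotErr && out != root &&
			!strings.HasPrefix(out, root+string(filepath.Separator))
		if gotErr != c.wantErr || escaped {
			failed = append(failed, c.id)
		}
	}
	return failed
}

func main() {
	const root = "/srv/app/files" // hypothetical document root
	fmt.Println("naiveJoin failures:", RunRegression(naiveJoin, root))
	fmt.Println("SafeJoin failures: ", RunRegression(SafeJoin, root))
}
```

Running the same table against the old implementation is a cheap sanity check that the battery actually detects the bugs it claims to pin; a case that passes on both versions is not testing the fix.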
Page 185
Acceptance testing: a formal test conducted to determine whether a system satisfies its acceptance criteria and to enable the customer to determine whether or not to accept the system.
Page 186
In agile software development, acceptance tests/criteria are usually:
• Created by business customers
• Expressed in a business domain language
Page 187
Page 188
“Software assurance is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that it functions in the intended manner.”
Page 189
Software acquisition phases:
• Planning
• Contracting
• Monitoring and acceptance
• Follow-on
Page 190
Planning phase:
• Needs determination
• Develop software requirements
• Create an acquisition strategy
• Develop evaluation criteria and an evaluation plan
Page 191
Contracting phase:
• Create/issue the solicitation or RFP
• Evaluate supplier proposals
• Finalize contract negotiation
Page 192
Monitoring and acceptance phase:
• Establish and consent to the contract work schedule
• Implement change control procedures
• Review and accept software deliverables
Page 193
Follow-on phase:
• Sustainment
• Disposal or decommissioning
Page 194
1. What activities take place during the planning phase?
2. What activities take place during the monitoring and acceptance phase?
Page 195
Ensure a well-documented software assurance (SwA) policy and process is in place in the enterprise.
Page 196
Risks addressed by software assurance:
• Unintentional errors
• Intentional insertion of malicious code
• Theft of vital information
• Theft of personal information
• Changed product
• Inserted agents
• Corrupted information
Page 197
“System and software assurance focuses on the management of risk and assurance of safety, security, and dependability within the context of system and software life cycles”
Page 198
Questions to ask a supplier:
• How does the supplier ensure that an infrastructure for safety and security is established and maintained?
• How does the supplier ensure safety and security risks are identified and managed?
• How does the supplier ensure safety and security requirements are satisfied?
• How does the supplier ensure that activities and products are managed to achieve safety and security requirements and objectives?
Page 199
Objectives review:
• Understand the Software Development Life Cycle (SDLC) and how to apply security to it
• Identify which security control(s) are appropriate for the development environment
• Assess the effectiveness of software security