Video Content Lesson 9 Flashcards

2
Q

Application Issues

A
Software Development
Application Environments
Malicious Code
Agents
Applets
Objects
3
Q

Software Development

A

Often viewed as art (not as formal as engineering)
Developers are naturally feature-oriented
Large software projects offer high exposure to errors
Developers want their software to work (therefore, don’t have them test their own code)
Many developers and testers lack security training
Pressure to deliver often requires cutting corners (less care with security)

4
Q

Application Environments

A

2 basic types
1-Local environment (Application (or application partition) runs largely on one platform)
Most code runs on a local machine
Applications may connect to remote resources for additional information or functionality (database or remote validation)
Platform can be volatile since user interface components tend to mature quickly (change a lot and frequently update application)
2-Distributed environment (application components execute on multiple machines; Web application, app server application, database)

5
Q

Malicious Code

A

Any program, procedure, or other sequence of instructions that makes unauthorized modifications or triggers unauthorized actions
Common types of malicious code (viruses, worms, Trojan horses, Logic bombs)
Largest vulnerability for Local Environment is introducing malicious code
Scan and evaluate all code coming into your machine

6
Q

Agents

A

Distributed Environment (Model)
Agent - Program or process that performs services on behalf of another process (principal)
EX - Web browser is the principal that asks the app server (the agent) for service
Generally an agent works on a different environment from the principal
Agents routinely prepare data for transfer from client to server
EX web interface interfaced to database data; application access to e-mail data

7
Q

Applets

A

Distributed Environment (Model)
Similar to agents, but generally platform-independent
Applets work on many different client platforms
Java - interpreted, multithreaded language written by Sun Microsystems
Distributed programs run on the client in a limited memory area called a sandbox
Client must have Java Virtual Machine (JVM)
ActiveX - Microsoft’s answer to Java (programs or controls run in distributed mode on the client) (No sandbox, therefore potential for malicious activity; usually limited to MS environments)

8
Q

Objects

A

Object-oriented Programming (OOP)
Object is collection of data and collection of functions that operate on that data
Programs are developed as reusable objects
Object reuse promotes stability and error reduction
Encapsulation allows for data hiding
Data and private routines are stored as a unit
Only access to data is through predefined methods
Ideal for local and distributed models

9
Q

Databases and Warehousing

A
Databases
Relational Databases
Record Identification
Query Language
Data Access Methods
Data Warehouses
Aggregation
Inference
Polyinstantiation
10
Q

Databases

A

Collection of data, often of different types
Database Management System (DBMS)
Architectures
1-hierarchical (inverted tree)
2-Network (Mesh) (hard coded links)
3-Relational (FOCUS of EXAM)
4-Object-oriented (data and functions reside together)

11
Q

Relational Databases

A

Based on Relational Algebra
Data stored logically in collection of tables
Tables are made up of fields (columns)
In a true relational database, there are NO relationships stored in the database
Indexes are sorted lists of record pointers that provide relationship clues

12
Q

Record Identification

A

Relational databases are (easy to use, easy to program, and easy to understand)
columns are (Fields)
Rows are (Records)
Candidate Key (Field or collection of fields that can uniquely identify a record)
Primary key is one of the candidate keys, used to uniquely identify a record, reference tables, fetch data from tables, and enforce referential integrity
Enforcing Referential Integrity is done by using the primary key of one table in another table (known as the foreign key)
Foreign Key is the primary key from another table

13
Q

Query Language

A

All databases require some sort of query language to extract data
SQL (Structured Query Language) is the most popular
Most vendors have extensions (Oracle - PL/SQL; Microsoft - Transact SQL)

14
Q

Data Access Methods

A

Common Data Access Methods
1-ODBC (Open Database Connectivity) (provides SQL database for disparate environments; Database driver lives between the application and the database; Application and database MUST both be ODBC-compliant)
2-JDBC (Java Database Connectivity) (Similar to ODBC, but designed for Java programs)
3-XML (eXtensible Markup Language) (convenient, self-describing format for data; easy to store and transmit between systems)
4-OLE DB (Object Linking and Embedding Database) (Microsoft API for accessing data; Interface implemented using the COM (Common Object Model); Interfaces with non-SQL databases and repositories)

15
Q

Data Warehouses

A
Repository of Information, generally from multiple databases or data sources
Data Mining (searching for data in data warehouses)
16
Q

Aggregation

A

Obtaining information of a higher sensitivity by combining information from lower levels of sensitivity
Functions (count(); Min(); Max(); Avg(); Total())
Allows you to create a summary of less secure information, which may reveal more secure information

17
Q

Inference

A

The ability to deduce information about data at a sensitivity level for which a user is not cleared
Time-sensitive information

18
Q

Polyinstantiation

A

Allows multiple database objects to exist with the same key (to avoid inference)
(won’t say whether or not a record exists)

19
Q

Data and Information Storage

A
Data Handling
Data Storage
Virtual Memory
Information Retrieval
Knowledge-based Systems
Audit and Assurance Mechanisms
20
Q

Data Handling

A

Data Storage locations provide different vulnerabilities for attackers
Some attacks occur as data moves from one location to another
Understand how to secure data access at each location

21
Q

Data Storage

A

Primary - memory available to the CPU (RAM or real memory) (Volatile Memory)
Secondary - Nonvolatile memory (hard disk, magnetic tapes, removable media or mobile data, USB drives, memory sticks/cards)

22
Q

Virtual Memory

A
Memory address space that exceeds the physical memory available
Done by offsetting addresses so that only part of the data physically resides in memory; all other information is stored in secondary storage, often called the swap device (this is often nonvolatile secondary storage, so this data must be purged)
23
Q

Information Retrieval

A
1-Random Access (can access memory locations in any order)
2-Sequential Access (can ONLY access memory in order)
Magnetic tapes are a popular type of sequential
Need to know the device type (how data is accessed; attacker prevention; how data is stored; optimization of data retrieval)
Volatile memory (contents are lost when power goes off) (typically random access memory (RAM))
Nonvolatile memory (secondary storage, maintains value without power; uses Read-only Memory (ROM))
24
Q

Knowledge-based Systems

A

1-Expert System (stores a large volume of data in one area of specialty; Simulates the knowledge and decisions of an expert)
2-Neural System (Starts with no knowledge; Learns as it is used)

25
Q

Audit and Assurance Mechanisms

A

Information Integrity (processed data reconciliation; for example, check totals)
Information Accuracy (data validation and verification) (server-based validation)
Information Auditing (Sensitive information access auditing)
Certification and accreditation
Information protection management (implementing controls to protect data transfer)
Configuration Management (implements formal procedures to control change)

26
Q

System Development Controls

A
Coding Controls
Development Life Cycle
Design
Certification
Certification Standards
27
Q

Coding Controls

A

Sloppy development provides a fertile breeding ground for malicious code vulnerabilities
Formal systems development procedures can reduce vulnerabilities
Software Configuration Management (SCM) - (Formal management and documentation of each step in the software development life cycle)
1-Making Decisions
2-Documenting the Decisions
3-Ensuring Stakeholders sign off on Decisions
4-Make New Decisions/Implement Previous Decisions
5-Look back to Ensure Decisions have been Followed

28
Q

Development Life Cycle

A

1-Conceptual Definition (Original request for action)
2-Functional requirements determination (What is the software to do?; Does the functional requirements solution satisfy the conceptual definition?)
3-Protection Specifications Development (What controls are necessary to protect the functional requirements?)

29
Q

Design

A

4-Software designers take the functional requirements and the protection specifications and design a system
5-Code Review Walk-through (Software developers write the code that implements the design; Stakeholders review the code, ensuring that it satisfies all previous baselines)
6-System Test Review (Formal Testing Algorithms)
Constant review of previous steps to verify that it does what it is supposed to do

30
Q

Certification

A

7-Certify (Comprehensive technical review and evaluation of functionality)
8-Accreditation (Formal acceptance by the Designated Approving Authority (DAA) of the certification)
9-Implementation and maintenance (Post-implementation tasks–Bug Fixes and Enhancements)

31
Q

Certification Standards

A

There are two standards for certification and accreditation of computer systems
1-Defense Information Technology Security Certification and Accreditation Process (DITSCAP) - DoD Standard
2-National Information Assurance Certification and Accreditation Process (NIACAP) - US Executive Branch
Both Standards use Four Phases
Phase 1 - Definition (Build Team; Define Scope of Process)
Phase 2 - Verification (Verification of development and certification analysis)
Phase 3 - Validation (Further verification of certification analysis, with accreditation recommendations)
Phase 4 - Post-Accreditation (Assures that all changes comply with standards)

32
Q

Security Development Controls

A
Isolation Architecture
Administration Controls
Design Control
System Control
Modes of Operation
Integrity Levels
Service Level Agreement
33
Q

Isolation Architecture

A

Security Control Architecture
Process Isolation (Each process is confined to its own memory space; No process is going to be able to access memory outside its constrained space)
Hardware Segmentation (Physically isolating different pieces of hardware; Network Isolation)
Internal Architecture Segmentation (CPU segmentation)

34
Q

Administration Controls

A

Separation of Privilege (ensures that a single user will not be able to complete a sensitive task; Requires two or more authorized users to complete a task)
Accountability (Monitoring (watching the activities of users and holding them accountable); Log File Analysis; The more accountability is enforced, the more it becomes a preventive control)

35
Q

Design Control

A

Layering (Protection Rings; each process has a specific level of access granted; a higher privilege is required to operate in the inner rings)
Distinct Layer (only work on one layer)
Cumulative (able to work at specific layer and next layer of lower privilege)
Abstraction (Black box components) (know how to use it but don’t know what happens inside it)
Data Hiding (feature of Object Oriented Programming) (Hides the details of where the data is stored; Only carefully designed abstracted methods allow access to the data)

36
Q

System Control

A
System High (Monolithic security level that only allows handling of data that all users are cleared to access; If this system is a secret system, the only way anything can be accessed on the system is to possess a security clearance of secret or higher)
Security Kernel that handles all user requests for access, Reference Monitor Code is inside Security Kernel
37
Q

Modes of Operation

A

1-Supervisor Mode (mode or security level at which a process operates that needs direct access to outside resources)
2-User Mode (mode at which most end user applications run)
Be careful NOT to go into Supervisor Mode unless absolutely necessary

38
Q

Integrity Levels

A
Network/System level of Integrity
Operating System level of Integrity
Database level of Integrity
File level of Integrity
Each level has different specific controls that you want to implement/protect
39
Q

Service Level Agreement

A

It is becoming more common to offload some of the responsibilities to a third party through an SLA (Service Level Agreement)
Guarantee Availability and a certain percentage of uptime
Throughput/bandwidth

40
Q

Malicious Code

A
Overview
Players
Viruses
Virus Types
OS Vulnerability
Other Malicious Code
Antivirus Protection
41
Q

Overview

A

Malicious Code is designed to target a specific system or human vulnerability
A Skilled virus developer knows your system intimately
Even amateurs can get code kits to make their own malicious code

42
Q

Players

A
Hackers (Originally referred to any person who had a passion for computers) (Media has created a negative connotation) (pure hackers learn and share their knowledge)
Crackers (What the media really refers to when they use the term hacker) (A person who attempts to compromise a system for an unauthorized purpose)
Phreaks (crackers who compromise telephone company systems to obtain free long distance services)
Virus Writers (Generally very talented programmers who write virus code to exploit some vulnerability)
Script Kiddies (Amateur cracker who has few true skills; uses various virus generation software to create virus code)
43
Q

Viruses

A

Code that modifies files that contain computer instructions to perform some unauthorized action
Over 57,000 virus strains floating around today
Often introduced via e-mail or downloaded programs
Results can be destructive
Damage may not be immediately evident

44
Q

Virus Types

A

Boot Sector Infectors (Viruses that infect Master Boot Record (MBR) or boot sector of a computer boot device; Boot scanning catches most of these viruses)
File infectors (viruses that modify or replace an executable file; virus activates when infected file is run)
Companion Virus (File infector that uses the same file name, but different extension with higher priority) (.com; .exe; .bat) (execution order)
Multipartite (virus that uses multiple infection schemes; generally starts with the MBR or boot sector; replicates and expands to possibly affect the entire system; multiple-level infection; Recovery must start from booting with a clean media then scanning the entire system)
Macro (A sequence of destructive instructions embedded in a common document; Word processor; spreadsheet; use of MACROs; keystroke is associated with a sequence of instructions; over 80% of all viruses are macro viruses; nearly all macro viruses attack Microsoft products)
Stealth Viruses (Virus that not only infects files, but also covers its tracks; may modify OS values to hide its existence and to fool antivirus software)
Polymorphic (Virus modifies itself as it travels from system to system; changes signature)

45
Q

OS Vulnerability

A

Malicious code is pervasive on all operating systems
Microsoft attracts the most attention
Viruses also exist for Mac OS and UNIX variants

46
Q

Other Malicious Code

A
Worm (similar to a virus, except a worm is a standalone program and does not need a host to infect; Typically live in active memory and often send themselves to other machines; uses e-mail; IRC)
Trojan Horses (program that appears to do something useful but actually exists for another purpose; generally depends on an unsuspecting victim)
Logic Bombs (executes instructions when a specific event occurs)
Trap Doors (entry point into code by the developer that bypasses all access controls; allows the developer to get in easily; once discovered anyone can use it)
47
Q

Antivirus Protection

A

Scanning
Disinfecting
Shielding (active scanning of all files entering your computer)
Most are signature scanning (must update daily)
McAfee VirusScan
Norton AntiVirus
AVG

48
Q

Methods of Attack

A
Brute Force
Social Engineering
DoS-DDoS
Spoofing
Pseudo Flaw
Buffer Overflow
TOC-TOU
Rootkits
49
Q

Brute Force

A

Brute Force or exhaustive attack (attempts to crack passwords by trying every possible combination)
Look for failed login attempts
List of commonly used passwords (dictionary attack) (same goal as brute force attack) (Submits passwords from a list of commonly used password strings) (fewer attempts needed to crack password)

50
Q

Social Engineering

A

Convincing a user to perform an unauthorized action
Often the easiest way to compromise a system
Most effective countermeasure is EDUCATION
Let users know that their actions affect security
Create secure passwords
Keep passwords secure (have policy)
Make sure that end users are aware of what can occur

51
Q

DoS-DDoS

A

Denial of Service - Any attack that denies authorized users access to a system
SYN Flood (A normal session starts with a packet with the SYN flag set sent to the target machine (your computer); the target system responds with ACK, then waits for the source ACK (3-way handshake); the source machine doesn’t send the ACK, so the target machine waits; if the source machine sends lots of SYNs, it overloads the target machine)
Distributed Denial of service (DDoS) (DoS that doesn’t come from one source)
1-Smurf Attack (Example - Sends an ICMP (ping) packet - Target Address is the victim machine and the source address is the broadcast address of some network; All machines on network respond to the ICMP sending it back to the target machine which overwhelms the target machine)
2-Teardrop attack (send large packet that is broken up into fragments with incorrect packet numbers (addresses) causing older protocols to crash or potentially crashing the whole machine)
3-Ping of Death (Similar to Teardrop attack except it sends packets which exceed maximum size limits causing program to crash)
Teardrop and Ping of Death are attacks that are oriented towards older versions of networking software

52
Q

Spoofing

A
Attacker sends the source address of a trusted machine instead of true address
Convinces a system to trust incoming packet
Allows entry past firewalls or filters
Session hijacking (intercepts the credentials of a valid session) (Act as if attacker is valid user)
53
Q

Pseudo Flaw

A

Introduce a Fake Vulnerability
Used to entice attackers away from sensitive information
Commonly used on honeypots (problem - honeypots are NOT generally used on a system that does not have important information)

54
Q

Buffer Overflow

A

Always a result of sloppy coding
Always preventable
Result of developer failing to validate input
Hidden code (Code that performs unauthorized actions; Logic Bomb; Trap Door)

55
Q

TOC-TOU

A

Time of Check/Time of Use (TOC/TOU)
Exploits timing vulnerabilities
Modifies object between the time of check and time of use
2-pass approach (check that the object exists and that permissions are OK for you to access the object, THEN access the object and modify it)
Protection - Secure object from unauthorized access

56
Q

Rootkits

A

Freely available software to exploit known vulnerabilities and increase system access
Make sure all software is updated with the latest patch level