Chapter 7. Applications and Systems-Development Security

Terms you'll need to understand:

  • Tuple

  • Polyinstantiation

  • Inference

  • Certification

  • Accreditation

  • Database

  • Malware

  • Buffer overflow

Techniques you'll need to master:

  • Identifying the system development life cycle

  • Understanding database design

  • Stating the steps of the development life cycle

  • Recognizing the different types of failure states

  • Recognizing the four primary types of databases

Introduction

Well-written applications are the key to good security. As such, this chapter focuses on the security requirements that are needed when developing applications. Although this chapter won't make you into a programmer, it will help you understand the steps required to build robust and secure applications.

To become certified as a CISSP, ISC2 expects test candidates to understand how to develop secure applications, know the steps of the system development life cycle, have knowledge of database design and structure, and be able to recognize and respond to malicious code and system vulnerabilities.

Malicious Code

Just as in other chapters, this one starts off by looking at some of the threats. As a CISSP, you will be responsible for identifying risk and vulnerabilities, and then finding ways to minimize the impact that could happen if a threat agent gives rise to a threat that exploits a vulnerability.

Malicious code is a threat. The computer you are using likely has antivirus software loaded on it, to detect and prevent computer viruses, which are one type of malicious code. Many types of malicious code exist, but generally, malicious code can be defined as any program that is specifically written to damage, penetrate, or break a system. This genre of software can include Trojans, denial-of-service tools, remote-access Trojans, logic bombs, viruses, worms, and back doors.

Viruses and Worms

Viruses and worms are nothing new; they have been around since the dawn of the computer era. What has changed through the years is the way in which viruses infect systems. There are three broad categories of propagation:

  • Master boot record infection—This form is the oldest of malicious code techniques. It functions by attacking the master boot record of floppy disks or the hard drive. This was effective in the days when everyone passed around floppy disks.

  • File infection—A slightly newer form of virus that relies on the user to execute the file. Extensions such as .com and .exe are typically used. Some form of social engineering is usually used to get the user to execute the program.

  • Macro infection—The most modern type of virus began appearing in the 1990s. Macro viruses exploit scripting services installed on your computer. Most of you probably remember the “I Love You” virus, a prime example of a macro infector.

Note

Many antivirus programs work by means of file signature. File signature programs examine boot sectors, files, and sections of program code that are known to be vulnerable to viral programs. Although the programs are efficient, they are only as good as their last update. They must be updated regularly to detect the most recent type of computer viruses.

Worms, unlike viruses, require no interaction on the user's part to replicate and spread. One of the first worms to be released on the Internet was the RTM worm. It was developed by Robert Morris back in 1998 and was meant to be only a proof of concept. Its accidental release brought home the fact that these types of code can do massive damage to the Internet.

Today these are the biggest changes to viruses and worms:

  • The means by which they spread.

  • The new methods of how they attack.

  • The new types of payloads. The payload of some viruses might do nothing more than display a message on your screen at a certain date and time, whereas others could destroy your hard drive.

Buffer Overflow

Buffer overflow attacks are used by individuals to gain access to systems or to elevate their privilege. Buffer overflows occur when programmers use unsecured functions or don't enforce limits on buffers. Basically, the programmer is not practicing good coding techniques. If an attacker can find this vulnerable code, he can attempt to inject and run his malicious code on that system. If the original code executed with administrator or root rights, those privileges are granted to the attacker. The end result is that, many times, the attacker will gain a command prompt on the system under attack. When this occurs, the attacker has complete control.

Denial of Service (DoS)

DoS attacks are usually intended to disable or disrupt computer services or resources. Although this sometimes can be accidental, it is most often a deliberate act. DoS attacks are sometimes used in a final act of desperation when an attacker cannot gain access to a system. DoS is also occasionally used in blackmail attempts: “Meet my demands or I will shut down your network.” Because specific DoS attacks have been discussed in other chapters, only the names of common attacks are provided in the following list:

  • Smurf

  • Fraggle

  • Teardrop

  • Ping of death

  • Land

  • SYN attack

Distributed Denial of Service (DDoS)

One step above the DoS attack is the DDoS attack. DDoS is similar to DoS, in that the goal of the attack is a disruption of service. However, it is more powerful, in that it uses a large number of previously compromised systems to direct a coordinated attack against the target. These systems, known as zombies, wait until the attacker signals the attack. A DDoS attack can be devastating because of the tremendous amount of traffic generated. DDoS attack tools include these:

  • Trinoo

  • Shaft

  • Tribal Flood Network

  • TFN 2K

  • Stacheldraht

Malformed Input (SQL Injection)

Application developers should never assume that users will input the correct data. A user who is bent on malicious activity will attempt to stretch the protocol or application in an attempt to find possible vulnerabilities. An example is an order quantity field on a web page that accepts negative values. Buyers typically don't order negative quantities of an item. Attackers think outside the box, and so should programmers when developing applications. Parameter problems are best solved by implementing pre-validation and post-validation control.

Databases are a common target of malformed input. An attacker can attempt to insert database or SQL commands to disrupt the normal operation of the database. This could cause the database to become unstable and leak information. This type of attack is known as SQL injection. The attacker searches for web pages in which to insert SQL commands. Attackers use logic such as 1 = 1-- or a single quote, such as ' to test the database for vulnerabilities. Responses such as the one shown in the following code give the attacker the feedback needed to know that the database is vulnerable to attack.

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'sa_login' to a column of data type int.
/index.asp, line 5

Although knowing the syntax and response used for a database attack is not required exam knowledge, it is useful to know as you attempt to secure your infrastructure. Other security issues that can be tied directly to input validation include these:

  • Client-side validation

  • Cross-site scripting

  • Direct OS commands

  • Path traversal

  • Unicode encoding

  • URL encoding

All of these issues can be addressed by performing proper input validation.
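The contrast between building a query from user input and binding that input as a parameter, together with pre-validation for the order-quantity case and a generic error response in place of driver output like the message shown earlier. This is an added example, not code from the original chapter; SQLite stands in for the database, and the table, column names, function names, and sample rows are constructed for illustration.

```python
import sqlite3

GENERIC_ERROR = "Search is unavailable. Please try again later."


def make_db():
    """Build a constructed in-memory catalogue for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)"
    )
    db.executemany(
        "INSERT INTO items (name, internal) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("unreleased-prototype", 1)],
    )
    return db


def search_concatenated(db, term):
    """Vulnerable form: the user's text becomes part of the SQL statement."""
    sql = "SELECT name FROM items WHERE internal = 0 AND name = '" + term + "'"
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, term):
    """Hardened form: the input is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM items WHERE internal = 0 AND name = ?"
    return [row[0] for row in db.execute(sql, (term,))]


def handle_search(db, term, search=search_parameterized):
    """Return results, or a generic message instead of the driver's error text."""
    try:
        return {"ok": True, "items": search(db, term)}
    except sqlite3.Error:
        # Record the detail in a server-side log; never echo it to the client.
        return {"ok": False, "message": GENERIC_ERROR}


def validate_quantity(raw, maximum=100):
    """Pre-validation for an order-quantity field: whole number from 1 to maximum."""
    text = raw.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError("quantity must be a positive whole number")
    quantity = int(text)
    if not 1 <= quantity <= maximum:
        raise ValueError("quantity out of range")
    return quantity


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1--"  # the test logic named in the text above
    print("concatenated :", search_concatenated(db, probe))
    print("parameterized:", search_parameterized(db, probe))
    print("single quote :", handle_search(db, "'", search=search_concatenated))
```
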

Spyware

Many of us have dealt with programs such as adware, browser hijackers, surveillance programs, or web bugs. Although spyware programs are nothing new, they continue to grow in virulence and sophistication. There is some debate as to whether these programs are aggressive marketing gone too far or a real invasion of privacy.

Spyware programs are typically installed when the user downloads a free piece of software that contains spyware in the installation package. Vendors justify these programs by declaring that spyware programs allow them to offer their products for free and that if users do not want to install the spyware, they can refrain from installing their programs by opting to purchase a for-pay copy that doesn't include the spyware.

Other spyware programs are less up front about giving you an option to install and might be loaded onto your computer by just visiting a website with a browser that is vulnerable. Spyware programs have become rather advanced. Some have incorporated concepts such as Alternate Data Streams (ADS). This hacker technique allows the spyware distributor to stream one file behind another. A quick search of the drive will find no trace of the offending executable because there is no entry in the File Allocation Table (FAT), where the directory listing of all files is kept. Removing these programs requires one or more specialized tools, such as HijackThis. Other defenses against spyware include changing to an alternate browser, staying current on your patch management, and not downloading or installing adware-supported programs.

Back Doors and Trapdoors

Many times back-door programs are used to access and control a computer. These programs are associated with Trojans and other malicious code that can be used to trick the user into installing them. Once installed, these programs operate on high-order or unused ports to communicate with the attacker. Many of the programs give the attacker complete control of the victim's computer and allow him or her to execute programs, access the Registry, turn on the camera and mic, control the browser, and start and stop applications. Common back-door programs include these:

  • Back Orifice

  • SubSeven

  • NetBus

  • Beast

Trapdoors, unlike back doors, are used by programmers as a secret entry point into a program. These can be used to allow someone to gain functionality to the program without going through the usual security procedures. Programmers find these useful during application development; however, they should be removed before the code is finalized.

Change Detection

One of the ways in which malicious code can be detected is through the use of change-detection software. This software can detect changes to system and configuration files. Most of these programs work by storing a hash of the original file in a database. Periodically, the file is rechecked and the hashed values are compared. If the two values do not match, the program can trigger an alert to signal that there might have been a compromise.

Checksums and hashed values are widely used. Most software vendors list the fingerprints of their programs on their websites because this gives customers a way to ensure they have the authentic file. Popular programs that perform this function include Tripwire and MD5sum.

Failure States

As previously discussed, buffer overflows are one way in which an attacker can attempt to compromise application security; therefore, it is important that the developer examine the ways in which the application can fail and attempt to contain the damage. Well-coded applications have built-in recovery procedures, such as the following:

  • Fail safe—If a failure is detected, the system is protected from compromise by termination of services or disabling of the system.

  • Fail soft—A detected failure terminates the noncritical process or application while the system continues to function.

Note

Applications that recover to a fail-open state allow an attacker to bypass security controls and easily compromise the system. Systems that fail-open are typically undesirable because of the security risk.

The System Development Life Cycle

A framework for system development can make the development process much easier and more structured. Many different models exist; although some have more steps than the others, overall the goal is the same: to control the process and add security at each level of the process. Two examples of this include NIST 800-64, “Security Considerations in the Information System Development Life Cycle,” and NIST 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems.” NIST 800-14 separates the development into five distinct steps:

  1. Project initiation

  2. Development/acquisition

  3. Implementation

  4. Operation/maintenance

  5. Disposal

Project Initiation

This step of the process usually includes a meeting with everyone who is involved with the project. This is a good opportunity to make sure everyone gets a chance to meet and that everyone understands the goals of the project. A plan must be developed to map the process and develop deadlines and submission dates.

A sensitivity assessment should also be conducted. This should help identify the type of information that will be processed and its level of sensitivity. Discussions should be held to determine the level of risk involved in handling this data and to establish the results from its accidental exposure. These items must be completed before the system design specifications are locked in.

Development and Acquisition

In this step, the system is designed, developed, programmed, and acquired. Programmers work to develop the application code. Security should be the focus here, as the programmers work to ensure that input and output controls, audit mechanisms, and file-protection schemes are used. Examples of input controls include dollar counts, transaction counts, error detection, and correction. Example output controls include validity checking and authorizing controls. It's important that programmers don't assume that systems are always installed and operated in trusted environments.

Acceptance Testing/Implementation

This step occurs when the application coding is complete. The acceptance testing and implementation should not be performed by the programmers. Testing should be performed by a different group of individuals. These tasks are usually assigned to auditors or quality assurance engineers. The important concept here is separation of duties. If the code is built and verified by the same individuals, errors can be missed and security functions can be bypassed.

When the issues and concerns have been worked out between the QA engineers and the programmers, the application is ready for deployment.

Operations/Maintenance

At this step, the application is prepared for release into its intended environment. Certification and accreditation are the final steps involved in accepting the application and agreeing that it is ready for use.

Note

Certification is a technical evaluation and analysis of the security features and safeguards of a system, to establish the extent to which the security requirements are satisfied and vendor claims are verified.

Note

Accreditation is the formal process of management's official approval of the certification, that the application or system operates as specified in the environment it was designed to be used in.

Disposal

This step of the process is reached when the application or system is no longer needed. Those involved in this step of the process must consider the disposal of the application, archiving of any information or data that might be needed in the future, disk sanitization (to ensure confidentiality), and the disposal of equipment. This is an important step that is sometimes overlooked.

Software-Development Methods

So, what is the most important concept of software development? Finding a good process and sticking to it. Several proven software-development processes are detailed next.

The Waterfall Model

Probably the most well-known software-development process is the waterfall model. This model operates as the name suggests: Developers are limited to going back only one stage; therefore, the process flows logically from one stage to the next. An advantage of this method is that it provides a sense of order and is easily documented. The primary disadvantage is that it does not work for large and complex projects.

The Spiral Model

This model was developed in 1988 by Barry Boehm. Each phase of the spiral model starts with a design goal and ends with the client review. The client can be either internal or external, and is responsible for reviewing the progress. Analysis and engineering efforts are applied at each phase of the project. An advantage of the spiral model is that it takes risk much more seriously. Each phase of the project contains its own risk assessment. Each time a risk assessment is performed, estimated costs to complete and schedules are revised and then a decision is made to continue or cancel the project. The disadvantage of this method is that it is much slower and takes longer to complete.

Joint Application Development (JAD)

JAD is a process that was developed at IBM in 1977. Its purpose is to accelerate the design of information technology solutions. An advantage of JAD is that it helps developers work effectively with users to develop applications that work. A disadvantage is that it requires users, expert developers, and technical experts to work closely together throughout the entire process. Projects that are good candidates for JAD include some of the following characteristics:

  • Involve a group of users whose responsibilities cross department or division boundaries

  • Considered critical to the future success of the organization

  • Involve users who are willing to participate

  • Developed in a workshop environment

  • Use a facilitator who has no vested interest in the outcome

Rapid Application Development (RAD)

RAD is a fast application-development process that was created to deliver fast results. RAD is not suitable for all projects. An advantage of RAD is that it works well for projects that are on strict time limits and must be developed quickly. However, this can also be a disadvantage if the quick decisions lead to poor design and product. That is why you won't see RAD used for things such as shuttle launches or other highly critical systems. Two of the most popular RAD systems for Microsoft Windows are Delphi and Visual Basic.

Computer-Aided Software Engineering (CASE)

CASE enhances the software development life cycle by using software tools and automation to perform systematic analysis, design, development, and implementation of software products. Its advantage is that it is useful for large, complex projects that involve multiple software components and a lot of people. Its disadvantages include that it requires building and maintaining software tools, and training developers to understand how to use the tools effectively. CASE can be used for tasks such as these:

  • Modeling real-world processes and data flow that will pass through the application

  • Developing data models to better understand the process

  • Developing a process and functional descriptions of the model

  • Producing databases and procedures for their management

Note

Prototyping is the process of building a proof-of-concept model that can be used to test various aspects of a design and verify its marketability. Prototyping is widely used during the development process.

Change Management

Change management is a formalized process. Its purpose is to control modifications made to systems and programs, and to analyze the request, examine its feasibility and impact, and develop a timeline to implement approved changes. The change-management process gives all concerned parties an opportunity to voice opinions and concerns before changes are made.

These are the six steps for change management:

  1. Define change-management processes and practices.

  2. Receive change requests.

  3. Plan and document the implementation of changes.

  4. Implement and monitor the changes. Develop a means of backing out of proposed changes, if necessary.

  5. Evaluate and report on implemented changes.

  6. Modify the change-management plan, if necessary.

Programming Languages

Programming languages are used to convert sets of instructions into a vocabulary that a computer can understand. The goal is to compile instructions into a format that will allow the computer to complete a specific task (see Figure 7.1). Over the years, these languages have evolved into generations:

  1. Generation 1: Machine language, the native language of a computer.

  2. Generation 2: Assembly language, human-readable notation that translates easily into machine language.

  3. Generation 3: High-level language—programming languages such as C+ and FORTRAN.

  4. Generation 4: Very high-level language, typically those used to access databases. SQL is an example of a fourth-generation language.

  5. Generation 5: Natural language. These are categorized by their use of inference engines and natural language processing. Mercury and Prolog are two examples of fifth-generation languages.

Figure 7.1. Programming languages.

After the code is written, it must be translated into a format that the computer will understand. These are the three most common methods:

  • Assembler—A program translates assembly language into machine language.

  • Compiler—A compiler translates a high-level language into machine language.

  • Interpreter—Instead of compiling the entire program, an interpreter translates the program line by line. Interpreters have a fetch-and-execute cycle. An interpreted language is much slower than a compiled or assembly language.

Hundreds of different programming languages exist. Many have been written to fill a specific niche or market demand. Examples of common programming languages include these:

  • ActiveX—This language forms a foundation for higher-level software services, such as transferring and sharing information among applications. ActiveX controls are a Component Object Model (COM) technology.

  • COBOL—Common Business Oriented Language is a third-generation programming language used for business finance and administration.

  • C, C-Plus, C++—The C programming language replaced B and was designed by Dennis Ritchie. C was originally designed for UNIX and is very popular and widely used.

  • FORTRAN—This language features an optimized compiler that is widely used by scientists for writing numerically intensive programs.

  • HTML—Hypertext Markup Language is a markup language that is used to create web pages.

  • Java—This is a relatively new language, developed in 1995 by Sun Microsystems.

  • Visual Basic—This programming language was designed to be used by anyone, and it makes it possible to develop practical programs quickly.

Object-Oriented Programming

Object-oriented programming (OOP) is a modular form of programming that supports object technology. It allows pieces of software to be reused and interchanged between programs. This method of programming has been widely embraced because it is more efficient and results in lower programming costs. Because it makes use of modules, a programmer can easily modify an existing program. New modules can be inserted into the program that inherit features from existing objects. Objects that share a particular structure and behavior are said to belong to a particular class. Code from one class can be passed down to another through the process of inheritance. Java and C++ are two examples of OOP languages.

Object-Oriented Considerations

Some of the major concerns and issues of OOP include these:

  • Encapsulation—This is the act of hiding the functionality of a process inside classes. It allows a developer to separate distinct parts of code so there is no direct interaction between the various parts.

  • Polymorphism—Technically, this means that one thing has the capability to take on many shapes. In OOP, it is used to invoke a method on a class without having to care about how the job gets done. The results will be different because variables within the object itself might be different. Even though the same methods are being passed to different objects, the results will not be the same.

  • Polyinstantiation—Users at different security levels will see different information about the same object. This is widely used by the government and military and can be used to protect sensitive or secret information. Without polyinstantiation, an attacker might be able to use inference to determine secret information.
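Polyinstantiation and the inference channel it closes, shown on a small relational table. This is an added example, not from the original chapter; the table layout, level names, ship name, and cargo values are constructed, and SQLite is used only as a convenient store. In the single-key table, a low-level user's insert is rejected because a hidden higher-level row already exists, which reveals that row's existence. In the polyinstantiated table, the classification level is part of the key, so the insert succeeds and each level reads its own version.

```python
import sqlite3

# Constructed classification levels, lowest to highest.
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}
TABLES = ("cargo_single", "cargo_poly")


def make_tables():
    """Create both table designs, each holding one top-secret row."""
    db = sqlite3.connect(":memory:")
    # One row per ship, whatever its classification.
    db.execute(
        "CREATE TABLE cargo_single "
        "(ship TEXT PRIMARY KEY, level INTEGER, cargo TEXT)"
    )
    # Level is part of the key: the same ship may exist once per level.
    db.execute(
        "CREATE TABLE cargo_poly "
        "(ship TEXT, level INTEGER, cargo TEXT, PRIMARY KEY (ship, level))"
    )
    with db:
        for table in TABLES:
            db.execute(
                f"INSERT INTO {table} VALUES (?, ?, ?)",
                ("Oklahoma", LEVELS["top_secret"], "weapons"),
            )
    return db


def _check_table(table):
    """Table names cannot be bound as parameters, so allow-list them."""
    if table not in TABLES:
        raise ValueError("unknown table")


def insert_as(db, table, clearance, ship, cargo):
    """Insert at the writer's own level and report the database's answer."""
    _check_table(table)
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                f"INSERT INTO {table} VALUES (?, ?, ?)",
                (ship, LEVELS[clearance], cargo),
            )
        return "accepted"
    except sqlite3.IntegrityError:
        return "rejected"


def read_as(db, table, clearance, ship):
    """Return the highest-level version the reader is cleared to see."""
    _check_table(table)
    row = db.execute(
        f"SELECT cargo FROM {table} WHERE ship = ? AND level <= ? "
        "ORDER BY level DESC LIMIT 1",
        (ship, LEVELS[clearance]),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_tables()
    for table in TABLES:
        print(table)
        print("  low read   :", read_as(db, table, "unclassified", "Oklahoma"))
        print("  low insert :",
              insert_as(db, table, "unclassified", "Oklahoma", "food supplies"))
        print("  low read   :", read_as(db, table, "unclassified", "Oklahoma"))
        print("  high read  :", read_as(db, table, "top_secret", "Oklahoma"))
```
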

CORBA

Common Object Request Broker Architecture (CORBA) is vendor-independent middleware. Its purpose is to tie together different vendor products so they can seamlessly work together over distributed networks. The heart of the CORBA system is the Object Request Broker (ORB). The ORB simplifies the process of a client requesting server objects. The ORB finds the object; transparently activates it, if necessary; and then delivers the requested object back to the client.

Database Management

Databases are important to business, government, and individuals because they provide a way to catalog, index, and retrieve related information and facts. They are widely used. If you have booked a reservation on a plane, looked up the history of a used car you were thinking about buying, or researched the ancestry of your family, you have most likely used a database to accomplish this function. Databases can be centralized or distributed, depending on the database-management system (DBMS) that has been implemented. The DBMS allows the database administrator to control all aspects of the database, including its design, functionality, and security. Database types include these:

  • Hierarchical database-management system—This form of database links structures in a tree structure. Each record can have only one owner and, because of this restriction, a hierarchical database often can't be used to relate to structures in the real world.

  • Network database-management system—This type of database was developed to be more flexible than the hierarchical database. The network database model is considered a lattice structure because each record can have multiple parent and child records.

  • Relational database-management system—This form of database is considered a collection of tables that are linked by their primary keys. Many organizations use software based on the relational database design. Most relational databases use SQL as their query language.

  • Object-oriented database-management system—This type of database is relatively new and was designed to overcome some of the limitations of large relational databases. Object-oriented databases don't use a high-level language such as SQL. These databases support modeling and the creation of data as objects.

Note

Inference is a key security issue when dealing with databases. Inference is possible when authorized individuals can deduce information from accessing and reviewing authorized information. As an example, Mike knows that Clement is working on a secret project and that the governmental agency he works for is looking for steganography experts. Therefore, Mike infers that this is the project Clement is working on.

Transaction Processing

Transaction management is a big concern because locking mechanisms are needed to ensure that only one user at a time can alter data and that transactions are valid and complete. Programmers involved in database management talk about the ACID test when discussing whether a database-management system has been properly designed to handle transactions.

  • Atomicity—Results of a transaction are either all or nothing.

  • Consistency—Transactions are processed only if they meet system-defined integrity constraints.

  • Isolation—The results of a transaction are invisible to all other transactions until the original transaction is complete.

  • Durability—Once complete, the results of the transaction are permanent.

Database Terms

If you are not familiar with the world of databases, you might not be familiar with some other terms. These are listed here:

  • Aggregation—The process of combining several low-sensitivity items, with the result being that these items produce a higher-sensitivity data item.

  • Attribute—A component of a database, such as a column.

  • Field—The smallest unit of data within a database.

  • Foreign key—An attribute in one table whose value matches the primary key in another table.

  • Granularity—Term that refers to the control one has over the view someone has of the database. Highly granular databases have the capability to restrict certain fields or rows from unauthorized individuals.

  • Relation—Data that is represented by a collection of tables.

  • Tuple—Represents a relationship among a set of values. In an RDBMS, it is synonymous with record.

  • Schema—The structure of the entire database. It defines how it is structured.

  • Primary key—Uniquely identifies each row and assists with indexing the table.

  • View—Addresses what the end user can see and access.

Data Warehousing

A data warehouse is a database that contains data from many different databases. These warehouses have been combined, integrated, and structured so that they can be used to provide trend analysis and make business decisions. Data warehousing is used to get a strategic view.

Data Mining

Data mining is the process of analyzing data to find and understand patterns and relationships about the data. The result of data mining is metadata, or data about data. The patterns discovered in this data can help companies understand their competitors and understand usage patterns of their customers to carry out targeted marketing. Data mining is used to get a tactical view. As an example, a store might discover that digital camera buyers also purchase blank CDs, so by moving blank CDs to the camera department, they experience higher sales.

Knowledge Management

Knowledge management seeks to make use of all the knowledge of the organization. It attempts to tie together databases, document management, business processes, and information systems. It is used to interpret the data derived from these systems and automate the knowledge extraction. This knowledge-discovery process takes the form of data mining, in which patterns are discovered through artificial intelligence techniques. These are the three main approaches to knowledge extraction:

  • Classification approach—Used for pattern discovery and in situations when large databases must be reduced to only a few individual records

  • Probabilistic approach—Used in planning and control systems, and in applications that involve uncertainty

  • Statistical approach—Used to construct rules and generalize patterns in the data

Exam Prep Questions

1:

Which of the following types of computer viruses is considered one of the original forms of transmission and was most prevalent when floppies were shared?

  • A. Macro virus

  • B. Master boot record virus

  • C. File infector virus

  • D. VBS virus

2:

QuickE Mart has just realized that by placing the baby food in their stores close to the aspirin, sales of both products will increase. These results were discovered after analyzing the buying habits of their customers. How did they arrive at this conclusion?

  • A. Metadata

  • B. Data mining

  • C. Data warehousing

  • D. Transaction processing

3:

Which of the following tools can be used for change detection?

  • A. DES

  • B. Checksums

  • C. MD5sum

  • D. Parity bits

4:

Bob has noticed that when he inputs too much data into his new Internet application, it momentarily locks up the computer and then halts the program. Which of the following best describes this situation?

  • A. Fail safe

  • B. Buffer overflow

  • C. Fail open

  • D. Fail soft

5:

Which of the following types of database is considered a lattice structure, with each record having multiple parent and child records?

  • A. Hierarchical database-management system

  • B. Network database-management system

  • C. Object-oriented database-management system

  • D. Relational database-management system

6:

What database function has the capability to restrict certain fields or rows from unauthorized individuals?

  • A. Low granularity

  • B. High resolution

  • C. High granularity

  • D. Low resolution

7:

Which of the following is a DDoS tool?

  • A. LAND

  • B. Smurf

  • C. TFN

  • D. Fraggle

8:

OmniTec's new programmer has left several entry points in its new e-commerce shopping cart program for testing and development. Which of the following terms best describes what the programmer has done?

  • A. Back door

  • B. Security flaw

  • C. SQL injection

  • D. Trapdoor

9:

Generation 2 programming languages are considered what?

  • A. Assembly

  • B. Machine

  • C. High level

  • D. Natural

10:

Which of the following is considered middleware?

  • A. Atomicity

  • B. OLE

  • C. CORBA

  • D. Object-oriented programming

Answers to Exam Prep Questions

A1:

Answer: B. The master boot record virus is considered the oldest form of virus attack. It functions by attacking the master boot record of floppy disks or the hard drive. The macro virus (answer A) and file infector (answer C) are both incorrect because they are newer techniques. Answer D, VBS virus, is considered a form of macro virus and is therefore also incorrect.

A2:

Answer: B. Data mining is the process of analyzing data to find and understand patterns and relationships between the data. Answer A is incorrect because the result of data mining is metadata. Answer C is incorrect because data warehousing is a database that contains data from many different databases. Answer D is incorrect because transaction processing addresses the way in which transaction data is protected and secured.

A3:

Answer: C. One of the ways in which malicious code can be detected is through the use of change-detection software. This software has the capability to detect changes to system and configuration files. Popular programs that perform this function include Tripwire and MD5sum. Answer A is incorrect because DES is an asymmetric algorithm. Answers B and D are incorrect because both checksums and parity bits can be easily changed and, therefore, do not protect the software from change.

A4:

Answer: D. A fail soft occurs when a detected failure terminates the application while the system continues to function. Answers A and C are incorrect because a fail-safe terminates the program and disables the system, and a fail open is the worst of events because it allows attackers to bypass security controls and easily compromise the system. Answer B is incorrect because although a buffer overflow could be the root cause of the problem, the question asks why the application is halting in the manner described.

A5:

Answer: B. Network database-management systems are designed for flexibility. The network database model is considered a lattice structure because each record can have multiple parent and child records. Answer A is incorrect because hierarchical database-management systems are structured like a tree. Each record can have only one owner; because of this restriction, hierarchical databases often can't be used to relate to structures in the real world. Answer D is incorrect because relational database-management systems are considered a collection of tables that are linked by their primary keys. Answer C is incorrect because object-oriented database-management systems are not lattice based and don't use a high-level language such as SQL.

A6:

Answer: C. Granularity refers to the control one has over the view someone has of the database. Highly granular databases have the capability to restrict certain fields or rows from unauthorized individuals. Answer A is incorrect because low granularity gives the database manager little control. Answers B and D are incorrect because high resolution and low resolution do not apply to the question.

A7:

Answer: C. TFN is a DDoS tool; DDoS attacks are similar to DoS attacks, in that the goal of the attack is to disrupt service. The difference between DoS and DDoS is that DDoS is more powerful. It uses a large number of previously compromised systems to direct a coordinated attack against the target. LAND, Smurf, and Fraggle are all DoS attack tools.

A8:

Answer: D. A trapdoor is used by programmers as a secret entry point into a program. Programmers find these useful during application development; however, they should be removed before the code is finalized. All other answers are incorrect. There is a security flaw (answer B), but that answer is not specific enough. Back doors (answer A) are malicious in nature, and SQL injection (answer C) is targeted against databases.

A9:

Answer: A. Programming languages are structured as follows: Generation 1 is machine language, Generation 2 is assembly language, Generation 3 is high-level language, Generation 4 is very high-level language, and Generation 5 is natural language.

A10:

Answer: C. Common Object Request Broker Architecture (CORBA) is vendor-independent middleware. Its purpose is to tie together different vendor products so they can seamlessly work together over distributed networks. Answer B is incorrect because Object Linking and Embedding (OLE) is a proprietary system developed by Microsoft that allows applications to transfer and share information. Answer A is incorrect because atomicity deals with the validity of database transactions. Answer D is incorrect because object-oriented programming is a modular form of programming.
