Key TermMcCumber Cube A graphical representation of the architectural approach

1. Key Term
2. McCumber Cube A graphical representation of the architectural approach widely used in
3. computer and information security; commonly shown as a cube composed of 3×3×3 cells, similar
4. to a Rubik’s Cube.
5. 18 Chapter 1
6. Policy Education Technology
7. Confidentiality
8. Integrity
9. Availability
10. Policy Education Technology
11. Storage Processing Transmission
12. Confidentiality
13. Integrity
14. Availability
15. Storage Processing Transmission
16. Figure 1-9 The McCumber Cube 13
17. © Cengage Learning 2015
18. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
19. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
20. 1
21. Components of an Information System
22. Key Term
23. information system (IS) The entire set of software, hardware, data, people, procedures, and
24. networks that enable the use of information resources in the organization.
25. As shown in Figure 1-10, an information system (IS) is much more than computer hardware;
26. it is the entire set of people, procedures, and technology that enable business to use informa-
27. tion. The six critical components of hardware, software, networks, people, procedures, and
28. data enable information to be input, processed, output, and stored. Each of these IS compo-
29. nents has its own strengths and weaknesses, as well as its own characteristics and uses. Each
30. component of the information system also has its own security requirements.
31. ‡ Software
32. The software component of an IS includes applications, operating systems, and assorted com-
33. mand utilities. Software is perhaps the most difficult IS component to secure. The exploita-
34. tion of errors in software programming accounts for a substantial portion of the attacks on
35. information. The information technology industry is rife with reports warning of holes,
36. bugs, weaknesses, or other fundamental problems in software. In fact, many facets of daily
37. life are affected by buggy software, from smartphones that crash to flawed automotive con-
38. trol computers that lead to recalls.
39. Software carries the lifeblood of information through an organization. Unfortunately, soft-
40. ware programs are often created under the constraints of project management, which limit
41. time, costs, and manpower. Information security is all too often implemented as an
42. Components of an Information System 19
43. People
44. Procedures
45. Hardware
46. Data
47. Networks
48. Software
49. Figure 1-10 Components of an information system
50. © Cengage Learning 2015
51. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
52. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
53. afterthought rather than developed as an integral component from the beginning. In this way,
54. software programs become an easy target of accidental or intentional attacks.
55. ‡ Hardware
56. Hardware is the physical technology that houses and executes the software, stores and trans-
57. ports the data, and provides interfaces for the entry and removal of information from the sys-
58. tem. Physical security policies deal with hardware as a physical asset and with the protection
59. of physical assets from harm or theft. Applying the traditional tools of physical security, such
60. as locks and keys, restricts access to and interaction with the hardware components of an
61. information system. Securing the physical location of computers and the computers them-
62. selves is important because a breach of physical security can result in a loss of information.
63. Unfortunately, most information systems are built on hardware platforms that cannot guar-
64. antee any level of information security if unrestricted hardware access is possible.
65. Before September 11, 2001, laptop thefts in airports were common. A two-person team
66. worked to steal a computer as its owner passed it through the conveyor scanning devices.
67. The first perpetrator entered the security area ahead of an unsuspecting target and quickly
68. went through. Then, the second perpetrator waited behind until the target placed the com-
69. puter on the baggage scanner. As the computer was whisked through, the second perpetrator
70. slipped ahead of the victim and entered the metal detector with a substantial collection of
71. keys, coins, and the like, slowing the detection process and allowing the first perpetrator to
72. grab the computer and disappear in a crowded walkway.
73. While the security response to September 11 did tighten the security process at airports, hard-
74. ware can still be stolen in airports and other public places. Although laptops and notebook
75. computers might be worth a few thousand dollars, the information stored on them can be
76. worth a great deal more to organizations and individuals.
77. ‡ Data
78. Data stored, processed, and transmitted by a computer system must be protected. Data is
79. often the most valuable asset of an organization and therefore is the main target of inten-
80. tional attacks. Systems developed in recent years are likely to make use of database manage-
81. ment systems. When used properly, they should improve the security of the data and the
82. applications that rely on the data. Unfortunately, many system development projects do not
83. make full use of the database management system’s security capabilities, and in some cases
84. the database is implemented in ways that make them less secure than traditional file systems.
85. Because data and information exist in physical form in many organizations as paper reports,
86. handwritten notes, and computer printouts, the protection of physical information is as
87. important as the protection of electronic, computer-based information.
88. ‡ People
89. Though often overlooked in computer security considerations, people have always been a threat
90. to information security. Legend has it that around 200 B.C., a great army threatened the secu-
91. rity and stability of the Chinese empire. So ferocious were the Hun invaders that the Chinese
92. emperor commanded the construction of a great wall that would defend against them. Around
93. 1275 A.D., Kublai Khan finally achieved what the Huns had been trying for more than a thou-
94. sand years. Initially, the Khan’s army tried to climb over, dig under, and break through the wall.
95. 20 Chapter 1
96. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
97. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
98. 1
99. In the end, the Khan simply bribed the gatekeeper—and the rest is history. Whether this event
100. actually occurred or not, the moral of the story is that people can be the weakest link in an orga-
101. nization’s information security program. Unless policy, education and training, awareness, and
102. technology are properly employed to prevent people from accidentally or intentionally damag-
103. ing or losing information, they will remain the weakest link. Social engineering can prey on the
104. tendency to cut corners and the commonplace nature of human error. It can be used to manipu-
105. late people to obtain access information about a system. This topic is discussed in more detail in
106. Chapter 2, “The Need for Security.”
107. ‡ Procedures
108. Procedures are another frequently overlooked component of an IS. Procedures are written
109. instructions for accomplishing a specific task. When an unauthorized user obtains an organi-
110. zation’s procedures, it poses a threat to the integrity of the information. For example, a con-
111. sultant to a bank learned how to wire funds by using the computer center’s procedures,
112. which were readily available. By taking advantage of a security weakness (lack of authentica-
113. tion), the bank consultant ordered millions of dollars to be transferred by wire to his own
114. account. Lax security procedures caused the loss of more than $10 million before the situa-
115. tion was corrected. Most organizations distribute procedures to employees so they can access
116. the information system, but many of these companies often fail to provide proper education
117. for using the procedures safely. Educating employees about safeguarding procedures is as
118. important as physically securing the information system. After all, procedures are informa-
119. tion in their own right. Therefore, knowledge of procedures, as with all critical information,
120. should be disseminated among members of an organization on a need-to-know basis.
121. ‡ Networks
122. Networking is the IS component that created much of the need for increased computer and
123. information security. When information systems are connected to each other to form local area
124. networks (LANs), and these LANs are connected to other networks such as the Internet, new
125. security challenges rapidly emerge. The physical technology that enables network functions is
126. becoming more accessible to organizations of every size. Applying the traditional tools of physi-
127. cal security, such as locks and keys, to restrict access to the system’s hardware components is
128. still important. However, when computer systems are networked, this approach is no longer
129. enough. Steps to provide network security are essential, as is implementing alarm and intrusion
130. systems to make system owners aware of ongoing compromises.
131. Balancing Information Security and Access
132. Even with the best planning and implementation, it is impossible to obtain perfect information
133. security. Recall James Anderson’s statement from the beginning of this chapter, which empha-
134. sizes the need to balance security and access. Information security cannot be absolute: it is a
135. process, not a goal. You can make a system available to anyone, anywhere, anytime, through
136. any means. However, such unrestricted access poses a danger to the security of the informa-
137. tion. On the other hand, a completely secure information system would not allow anyone
138. access. For instance, when challenged to achieve a TCSEC C-2 level security certification for
139. Balancing Information Security and Access 21
140. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
141. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
142. its Windows operating system, Microsoft had to remove all networking components and oper-
143. ate the computer only from the console in a secured room. 15
144. To achieve balance—that is, to operate an information system that satisfies the user and the
145. security professional—the security level must allow reasonable access, yet protect against
146. threats. Figure 1-11 shows some of the competing voices that must be considered when bal-
147. ancing information security and access.
148. Because of today’s security concerns and issues, an information system or data processing
149. department can get too entrenched in the management and protection of systems. An imbal-
150. ance can occur when the needs of the end user are undermined by obsessive focus on protect-
151. ing and administering the information systems. Information security technologists and end
152. users must recognize that both groups share the same overall goals of the organization—to
153. ensure that data is available when, where, and how it is needed, with minimal delays or obsta-
154. cles. In an ideal world, this level of availability can be met even after addressing concerns
155. about loss, damage, interception, or destruction.
156. Approaches to Information Security Implementation
157. Key Terms
158. bottom-up approach A method of establishing security policies that begins as a grassroots
159. effort in which systems administrators attempt to improve the security of their systems.
160. top-down approach A methodology of establishing security policies that is initiated by upper
161. management.
162. 22 Chapter 1
163. Security
164. Access
165. User 1: Encrypting
166. e-mail is a hassle.
167. User 2: Encrypting
168. e-mail slows me down.
169. CISO: Encryption is
170. needed to protect secrets
171. of the organization.
172. Figure 1-11 Balancing information security and access
173. © Cengage Learning 2015
174. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
175. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
176. 1
177. The implementation of information security in an organization must begin somewhere, and
178. cannot happen overnight. Securing information assets is an incremental process that requires
179. coordination, time, and patience. Information security can begin as a grassroots effort in
180. which systems administrators attempt to improve the security of their systems. This is often
181. referred to as a bottom-up approach. The key advantage of the bottom-up approach is the
182. technical expertise of individual administrators. By working with information systems on a
183. day-to-day basis, these administrators possess in-depth knowledge that can greatly enhance
184. the development of an information security system. They know and understand the threats to
185. their systems and the mechanisms needed to protect them successfully. Unfortunately, the
186. bottom-up approach seldom works because it lacks critical features such as participant sup-
187. port and organizational staying power.
188. The top-down approach has a higher probability of success. With this approach, the project is
189. initiated by upper-level managers who issue policies, procedures, and processes; dictate the
190. goals and expected outcomes; and determine accountability for each required action. This
191. approach has strong upper-management support, a dedicated champion, usually dedicated
192. funding, a clear planning and implementation process, and the means of influencing organiza-
193. tional culture. The most successful kind of top-down approach also involves a formal develop-
194. ment strategy known as a systems development life cycle.
195. For any organization-wide effort to succeed, management must buy into and fully support it.
196. The champion’s role in this effort cannot be overstated. Typically, the champion is an execu-
197. tive, such as a chief information officer (CIO) or the vice president of information technology
198. (VP-IT), who moves the project forward, ensures that it is properly managed, and pushes for
199. acceptance throughout the organization. Without this high-level support, many mid-level
200. administrators fail to make time for the project or dismiss it as a low priority. The involve-
201. ment and support of end users is also critical to the success of this type of project. Users are
202. most directly affected by the process and outcome of the project and must be included in the
203. information security process. Key end users should be assigned to a developmental team
204. known as the joint application development (or design) team (JAD). To succeed, the JAD
205. must have staying power. It must be able to survive employee turnover and should not be vul-
206. nerable to changes in the personnel team that is developing the information security system.
207. This means the processes and procedures must be documented and integrated into the organi-
208. zational culture. They must be adopted and promoted by the organization’s management.
209. The organizational hierarchy and its relationship to the bottom-up and top-down approaches
210. are illustrated in Figure 1-12.
211. Security in the Systems Life Cycle
212. Key Terms
213. security systems development life cycle (SecSDLC) A methodology for the design and
214. implementation of security systems based on the systems development life cycle. The two life
215. cycles contain the same general phases.
216. systems development life cycle (SDLC) A methodology for the design and implementation of
217. an information system. The SDLC contains different phases depending on the methodology
218. deployed, but generally the phases address the investigation, analysis, design, implementation,
219. and maintenance of an information system.
220. Security in the Systems Life Cycle 23
221. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
222. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
223. Information security must be managed like any other major system in an organization. One
224. approach for implementing an information security system in an organization with little or no
225. formal security in place is to use a variation of a systems development life cycle (SDLC): the
226. security systems development life cycle (SecSDLC). To understand a security systems develop-
227. ment life cycle, you must first understand the principles of the method on which it is based.
228. ‡ The Systems Development Life Cycle
229. Key Terms
230. methodology A formal approach to solving a problem based on a structured sequence of
231. procedures.
232. waterfall model A type of SDLC in which each phase of the process “flows from” the
233. information gained in the previous phase, with multiple opportunities to return to previous
234. phases and make adjustments.
235. An SDLC is a methodology for the design and implementation of an information system.
236. Using a methodology ensures a rigorous process with a clearly defined goal and increases
237. the probability of success. Once a methodology has been adopted, the key milestones are
238. established and a team is selected and made accountable for accomplishing the project goals.
239. The traditional SDLC consists of six general phases. If you have taken a system analysis and
240. design course, you may have been exposed to a model consisting of a different number of
241. phases. SDLC models range from three to twelve phases, all of which have been mapped
242. 24 Chapter 1
243. CEO
244. CFO CIO COO
245. CISO VP-Systems VP-Networks
246. security
247. mgr
248. systems
249. mgr
250. network
251. mgr
252. security
253. admin
254. systems
255. admin
256. network
257. admin
258. security
259. tech
260. systems
261. tech
262. network
263. tech
264. Top-down approach Bottom-up approach
265. Figure 1-12 Approaches to information security implementation
266. © Cengage Learning 2015
267. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
268. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
269. 1
270. into the six presented here. The waterfall model pictured in Figure 1-13 illustrates that each
271. phase begins with the results and information gained from the previous phase.
272. A traditional form of the SDLC is not the only approach in widespread use. Other
273. approaches to the development process include iterative and incremental, the spiral method,
274. rapid application development (RAD), JAD, agile (extreme programming), V-shaped, and
275. many other practices. Each of these approaches has its advantages and disadvantages, and
276. each can be effective under the right circumstances. People who work in specialty areas of
277. information security that support the software assurance process (described later in this chap-
278. ter) must be conversant in each of these methodologies. However, we will use the more
279. widely accepted traditional approach for this discussion.
280. At the end of each phase of the traditional SDLC comes a structured review or reality check,
281. during which the team determines if the project should be continued, discontinued, out-
282. sourced, postponed, or returned to an earlier phase. This determination depends on whether
283. the project is proceeding as expected and whether it needs additional expertise, organiza-
284. tional knowledge, or other resources.
285. Once the system is implemented, it is maintained and modified over the remainder of its working
286. life. Any information systems implementation may have multiple iterations as the cycle is repeated
287. over time. Only by constant examination and renewal can any system, especially an information
288. security program, perform up to expectations in a constantly changing environment.
289. The following sections describe each phase of a traditional SDLC. 16
290. Investigation The first phase, investigation, is the most important. What problem is the
291. system being developed to solve? The investigation phase begins by examining the event or
292. plan that initiates the process. During this phase, the objectives, constraints, and scope of
293. the project are specified. A preliminary cost-benefit analysis evaluates the perceived benefits
294. and their appropriate levels of cost. At the conclusion of this phase and at every phase after-
295. ward, a process will be undertaken to assess economic, technical, and behavioral feasibilities
296. and ensure that implementation is worth the organization’s time and effort.
297. Security in the Systems Life Cycle 25
298. Maintenance
299. and Change
300. Repeat when system no longer viable
301. Investigation
302. Analysis
303. Logical Design
304. Physical Design
305. Implementation
306. Figure 1-13 SDLC waterfall methodology
307. © Cengage Learning 2015
308. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
309. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
310. Analysis The analysis phase begins with the information gained during the investigation
311. phase. This phase consists primarily of assessments of the organization, its current systems,
312. and its capability to support the proposed systems. Analysts begin by determining what the
313. new system is expected to do and how it will interact with existing systems. This phase ends
314. with documentation of the findings and an update of the feasibility analysis.
315. Logical Design In the logical design phase, the information gained from the analysis
316. phase is used to begin creating a systems solution for a business problem. In any systems
317. solution, the first and driving factor must be the business need. Based on the business need,
318. applications are selected to provide needed services, and then the team chooses data support
319. and structures capable of providing the needed inputs. Finally, based on all of this, specific
320. technologies are delineated to implement the physical solution. The logical design, therefore,
321. is the blueprint for the desired solution. The logical design is implementation independent,
322. meaning that it contains no reference to specific technologies, vendors, or products. Instead,
323. it addresses how the proposed system will solve the problem at hand. In this stage, analysts
324. generate estimates of costs and benefits to allow for a general comparison of available
325. options. At the end of this phase, another feasibility analysis is performed.
326. Physical Design During the physical design phase, specific technologies are selected to
327. support the alternatives identified and evaluated in the logical design. The selected compo-
328. nents are evaluated based on a make-or-buy decision—the option to develop components
329. in-house or purchase them from a vendor. Final designs integrate various components and
330. technologies. After yet another feasibility analysis, the entire solution is presented to the
331. organization’s management for approval.
332. Implementation In the implementation phase, any needed software is created. Compo-
333. nents are ordered, received, and tested. Afterward, users are trained and supporting docu-
334. mentation created. Once all components are tested individually, they are installed and tested
335. as a system. A feasibility analysis is again prepared, and the sponsors are then presented
336. with the system for a performance review and acceptance test.
337. Maintenance and Change The maintenance and change phase is the longest and most
338. expensive of the process. This phase consists of the tasks necessary to support and modify the
339. system for the remainder of its useful life cycle. Even though formal development may conclude
340. during this phase, the life cycle of the project continues until the team determines that the pro-
341. cess should begin again from the investigation phase. At periodic points, the system is tested for
342. compliance, and the feasibility of continuance versus discontinuance is evaluated. Upgrades,
343. updates, and patches are managed. As the needs of the organization change, the systems that
344. support the organization must also change. The people who manage and support the systems
345. must continually monitor their effectiveness in relation to the organization’s environment.
346. When a current system can no longer support the evolving mission of the organization, the
347. project is terminated and a new project is implemented.
348. For more information on SDLCs, see the Department of Justice’s Information Resource
349. Management Department document on SDLC Guidance at www.justice.gov/jmd/irm/lifecycle
350. /table.htm.
351. 26 Chapter 1
352. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
353. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
354. 1
355. ‡ The Security Systems Development Life Cycle
356. The same phases used in the traditional SDLC can be adapted to support the implementation
357. of an information security project. While the two processes may differ in intent and specific
358. activities, the overall methodology is the same. At its heart, implementing information secu-
359. rity involves identifying specific threats and creating specific controls to counter them. The
360. SecSDLC unifies this process and makes it a coherent program rather than a series of ran-
361. dom, seemingly unconnected actions. (Other organizations use a risk management approach
362. to implement information security systems, as you will learn in subsequent chapters.)
363. Investigation The investigation phase of the SecSDLC begins with a directive from upper
364. management that dictates the process, outcomes, and goals of the project, as well as its budget
365. and other constraints. Frequently, this phase begins with an enterprise information security
366. policy (EISP), discussed in detail in Chapter 5, which outlines the implementation of a security
367. program within the organization. Teams of responsible managers, employees, and contractors
368. are organized; problems are analyzed; and the scope of the project is defined along with specific
369. goals and objectives and any additional constraints not covered in the program policy. Finally,
370. an organizational feasibility analysis is performed to determine whether the organization has
371. the resources and commitment necessary to conduct a successful security analysis and design.
372. Analysis In the analysis phase, the documents from the investigation phase are studied.
373. The development team conducts a preliminary analysis of existing security policies or pro-
374. grams, documented current threats, and associated controls. This phase also includes an
375. analysis of relevant legal issues that could affect the design of the security solution. Increas-
376. ingly, privacy laws have become a major consideration when making decisions about infor-
377. mation systems that manage personal information. Recently, many states have implemented
378. legislation that make certain computer-related activities illegal. A detailed understanding of
379. these issues is vital. Risk management, which is described in detail in Chapter 4, also begins
380. in this stage. Risk management focuses on identifying, assessing, and evaluating the levels of
381. risk in an organization, specifically the threats to its security and to the information it stores
382. and processes.
383. Logical Design The logical design phase creates and develops the blueprints for infor-
384. mation security, and examines and implements key policies that influence later decisions. At
385. this stage, the team also plans incident response actions to be taken in the event of partial or
386. catastrophic loss. The planning answers the following questions:
387. ●
388. Continuity planning: How will business continue in the event of a loss?
389. ●
390. Incident response: What steps are taken when an attack occurs?
391. ●
392. Disaster recovery: What must be done to recover information and vital systems imme-
393. diately after a disastrous event?
394. Next, a feasibility analysis determines whether the project should be continued or
395. outsourced.
396. Physical Design The physical design phase evaluates the information security technol-
397. ogy needed to support the blueprint as it has been outlined in the logical design. The final phys-
398. ical design is usually chosen from several competing alternatives, each of which could meet the
399. Security in the Systems Life Cycle 27
400. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
401. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
402. logical design requirements. The information security blueprint may be revisited from time to
403. time to keep it in line with changes needed when the physical design is completed. Criteria for
404. determining the definition of successful solutions are also prepared during this phase. This
405. phase includes designs for physical security measures to support the proposed technological
406. solutions. At the end of this phase, a feasibility study determines the organization’s readiness
407. for the proposed project, and then the champion and sponsors are presented with the design.
408. All parties involved have a chance to approve the project before implementation begins.
409. Implementation The implementation phase of the SecSDLC is similar to that of the tra-
410. ditional SDLC. The security solutions are acquired (made or bought), tested, implemented,
411. and tested again. Personnel issues are evaluated, and specific training and education pro-
412. grams are conducted. Finally, the entire tested package is presented to upper management
413. for final approval.
414. Maintenance and Change Maintenance and change is the last phase, and perhaps the
415. most important one, given the ever-changing threat environment. Today’s information security
416. systems need constant monitoring, testing, modification, updating, and repairing. Applications
417. systems developed within the framework of the traditional SDLC are not designed to anticipate
418. a software attack that requires some degree of application reconstruction. In information secu-
419. rity, the battle for stable, reliable systems is a defensive one. Often, repairing damage and
420. restoring information is a constant effort against an unseen adversary. As new threats emerge
421. and old threats evolve, an organization’s information security profile must constantly adapt to
422. prevent threats from successfully penetrating sensitive data. This constant vigilance and secu-
423. rity can be compared to that of a fortress, where threats both from outside and within must be
424. constantly monitored and checked with continuously new and more innovative technologies.
425. Table 1-2 summarizes the steps performed both in the systems development life cycle and
426. the security systems development life cycle. Because the security systems development life
427. cycle is based on the systems development life cycle, the steps in the cycles are similar. The
428. steps common to both cycles are outlined in column 2. Column 3 shows the steps unique
429. to the security systems development life cycle that are performed in each phase.
430. ‡ Software Assurance—Security in the SDLC
431. Key Term
432. software assurance (SA) A methodological approach to the development of software that
433. seeks to build security into the development life cycle rather than address it at later stages. SA
434. attempts to intentionally create software free of vulnerabilities and provide effective, efficient
435. software that users can deploy with confidence.
436. Many of the information security issues facing modern information systems have their root
437. cause in the software elements of the system. Secure systems require secure or at least securable
438. software. The development of systems and the software they use is often accomplished using a
439. methodology, such as the SDLC described earlier. Many organizations recognize the need to
440. include planning for security objectives in the SDLC they use to create systems, and have estab-
441. lished procedures to create software that is more capable of being deployed in a secure fashion.
442. This approach to software development is known as software assurance, or SA.
443. 28 Chapter 1
444. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
445. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
446. 1
447. Security in the Systems Life Cycle 29
448. Phases
449. Steps common to both the systems
450. development life cycle and the
451. security systems development life
452. cycle
453. Steps unique to the security
454. systems development life cycle
455. Phase 1: Investigation
456. ●
457. Outline project scope and goals
458. ●
459. Estimate costs
460. ●
461. Evaluate existing resources
462. ●
463. Analyze feasibility
464. ●
465. Management defines project
466. processes and goals and documents
467. these in the program security
468. policy
469. Phase 2: Analysis
470. ●
471. Assess current system against plan
472. developed in Phase 1
473. ●
474. Develop preliminary system
475. requirements
476. ●
477. Study integration of new system
478. with existing system
479. ●
480. Document findings and update
481. feasibility analysis
482. ●
483. Analyze existing security policies
484. and programs
485. ●
486. Analyze current threats and
487. controls
488. ●
489. Examine legal issues
490. ●
491. Perform risk analysis
492. Phase 3: Logical Design
493. ●
494. Assess current business needs
495. against plan developed in Phase 2
496. ●
497. Select applications, data support,
498. and structures
499. ●
500. Generate multiple solutions for
501. consideration
502. ●
503. Document findings and update
504. feasibility analysis
505. ●
506. Develop security blueprint
507. ●
508. Plan incident response actions
509. ●
510. Plan business response to disaster
511. ●
512. Determine feasibility of continuing
513. and/or outsourcing the project
514. Phase 4: Physical Design
515. ●
516. Select technologies to support
517. solutions developed in
518. Phase 3
519. ●
520. Select the best solution
521. ●
522. Decide to make or buy components
523. ●
524. Document findings and update
525. feasibility analysis
526. ●
527. Select technologies needed to
528. support security blueprint
529. ●
530. Develop definition of successful
531. solution
532. ●
533. Design physical security measures
534. to support technological
535. solutions
536. ●
537. Review and approve project
538. Phase 5: Implementation
539. ●
540. Develop or buy software
541. ●
542. Order components
543. ●
544. Document the system
545. ●
546. Train users
547. ●
548. Update feasibility analysis
549. ●
550. Present system to users
551. ●
552. Test system and review
553. performance
554. ●
555. Buy or develop security solutions
556. ●
557. At end of phase, present tested
558. package to management for
559. approval
560. Phase 6: Maintenance and
561. Change
562. ●
563. Support and modify system during
564. its useful life
565. ●
566. Test periodically for compliance
567. with business needs
568. ●
569. Upgrade and patch as necessary
570. ●
571. Constantly monitor, test, modify,
572. update, and repair to meet
573. changing threats
574. Table 1-2 SDLC and SecSDLC Phases Summary
575. © Cengage Learning 2015
576. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
577. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
578. Organizations are increasingly working to build security into the SDLC to prevent security
579. problems before they begin. A national effort is underway to create a common body of
580. knowledge focused on secure software development. The U.S. Department of Defense
581. launched a Software Assurance Initiative in 2003. This initial process was led by Joe
582. Jarzombek and was endorsed and supported by the Department of Homeland Security (DHS),
583. which joined the program in 2004. This program initiative resulted in the publication of the
584. Secure Software Assurance (SwA) Common Body of Knowledge (CBK). 17 A working group
585. drawn from industry, government, and academia was formed to examine two key questions:
586. 1. What are the engineering activities or aspects of activities that are relevant to achieving
587. secure software?
588. 2. What knowledge is needed to perform these activities or aspects?
589. Based on the findings of this working group and a host of existing external documents and
590. standards, the SwA CBK was developed and published to serve as a guideline. While this
591. work has not yet been adopted as a standard or even a policy requirement of government
592. agencies, it serves as a strongly recommended guide to developing more secure applications.
593. The SwA CBK, which is a work in progress, contains the following sections:
594. ●
595. Nature of Dangers
596. ●
597. Fundamental Concepts and Principles
598. ●
599. Ethics, Law, and Governance
600. ●
601. Secure Software Requirements
602. ●
603. Secure Software Design
604. ●
605. Secure Software Construction
606. ●
607. Secure Software Verification, Validation, and Evaluation
608. ●
609. Secure Software Tools and Methods
610. ●
611. Secure Software Processes
612. ●
613. Secure Software Project Management
614. ●
615. Acquisition of Secure Software
616. ●
617. Secure Software Sustainment 18
618. The following sections provide insight into the stages that should be incorporated into the
619. software SDLC.
620. ‡ Software Design Principles
621. Good software development should result in a finished product that meets all of its design
622. specifications. Information security considerations are a critical component of those specifica-
623. tions, though that has not always been true. Leaders in software development J. H. Saltzer
624. and M. D. Schroeder note that:
625. The protection of information in computer systems [… and] the usefulness of a set of
626. protection mechanismsdependsuponthe ability ofa system toprevent securityviola-
627. tions. In practice, producing a system at any level of functionality that actually does
628. prevent all such unauthorized acts has proved to be extremely difficult. Sophisticated
629. 30 Chapter 1
630. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
631. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
632. 1
633. usersofmostsystems areawareofat least oneway tocrash thesystem, denyingother
634. users authorized access to stored information. Penetration exercises involving a large
635. number of different general-purpose systems all have shown that users can construct
636. programs that can obtain unauthorized access to information stored within. Even in
637. systems designed and implemented with security as an important objective, design
638. and implementation flaws provide paths that circumvent the intended access con-
639. straints. Design and construction techniques that systematically exclude flaws are
640. the topic of much research activity, but no complete method applicable to the con-
641. struction of large general-purpose systems exists yet… 19
642. This statement could be about software development in the early part of the 21st century, but
643. it actually dates back to 1975, before information security and software assurance became
644. critical factors for many organizations. In the same article, the authors provide insight into
645. what are now commonplace security principles:
646. ●
647. Economy of mechanism: Keep the design as simple and small as possible.
648. ●
649. Fail-safe defaults: Base access decisions on permission rather than exclusion.
650. ●
651. Complete mediation: Every access to every object must be checked for authority.
652. ●
653. Open design: The design should not be secret, but rather depend on the possession of
654. keys or passwords.
655. ●
656. Separation of privilege: Where feasible, a protection mechanism should require two
657. keys to unlock, rather than one.
658. ●
659. Least privilege: Every program and every user of the system should operate using the
660. least set of privileges necessary to complete the job.
661. ●
662. Least common mechanism: Minimize mechanisms (or shared variables) common to
663. more than one user and depended on by all users.
664. ●
665. Psychological acceptability: It is essential that the human interface be designed for ease of
666. use, so that users routinely and automatically apply the protection mechanisms correctly. 20
667. Many of the common problems associated with programming approaches that don’t follow
668. the software assurance methodology are discussed in Chapter 2, “The Need for Security.”
669. For more information on software assurance and the national effort to develop an SA common
670. body of knowledge and supporting curriculum, visit https://buildsecurityin.us-cert.gov/dhs/dhs-
671. software-assurance-resources.
672. ‡ The NIST Approach to Securing the SDLC
673. Each phase of the SDLC should include consideration for the security of the system being
674. assembled as well as the information it uses. Whether the system is custom-made and built
675. from scratch, purchased and then customized, or commercial off-the-shelf software (COTS),
676. the implementing organization is responsible for ensuring its secure use. This means that
677. each implementation of a system is secure and does not risk compromising the confidential-
678. ity, integrity, and availability of the organization’s information assets. The following section,
679. adapted from NIST Special Publication 800-64, rev. 2, provides an overview of the security
680. considerations for each phase of the SDLC.
681. Security in the Systems Life Cycle 31
682. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
683. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
684. To be most effective, information security must be integrated into the SDLC
685. from system inception. Early integration of security in the SDLC enables agen-
686. cies to maximize return on investment in their security programs, through:
687. ●
688. Early identification and mitigation of security vulnerabilities and misconfi-
689. gurations, resulting in lower cost of security control implementation and
690. vulnerability mitigation;
691. ●
692. Awareness of potential engineering challenges caused by mandatory secu-
693. rity controls;
694. ●
695. Identification of shared security services and reuse of security strategies and
696. tools to reduce development cost and schedule while improving security
697. posture through proven methods and techniques; and
698. ●
699. Facilitation of informed executive decision making through comprehensive
700. risk management in a timely manner. […]
701. Initiation
702. During this first phase of the development life cycle, security considerations are
703. key to diligent and early integration, thereby ensuring that threats, requirements,
704. and potential constraints in functionality and integration are considered. At this
705. point, security is looked at more in terms of business risks with input from the
706. information security office. For example, an agency may identify a political risk
707. resulting from a prominent Web site being modified or made unavailable during
708. a critical business period, resulting in decreased trust by citizens.
709. Key security activities for this phase include:
710. ●
711. Initial delineation of business requirements in terms of confidentiality,
712. integrity, and availability;
713. ●
714. Determination of information categorization and identification of known
715. special handling requirements to transmit, store, or create information such
716. as personally identifiable information; and
717. ●
718. Determination of any privacy requirements.
719. Early planning and awareness will result in cost and time saving through proper
720. risk management planning. Security discussions should be performed as part of
721. (not separately from) the development project to ensure solid understandings
722. among project personnel of business decisions and their risk implications to the
723. overall development project. […]
724. Development/Acquisition
725. This section addresses security considerations unique to the second SDLC phase.
726. Key security activities for this phase include:
727. ●
728. Conduct the risk assessment and use the results to supplement the baseline
729. security controls;
730. ●
731. Analyze security requirements;
732. 32 Chapter 1
733. Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s).
734. Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
735. 1
736. ●