CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

Describe the difference between certification and accreditation and the various types of accreditation. Understand the certification and accreditation processes used by the U.S. Department of Defense and all other executive government agencies. Describe the differences between system accreditation, site accreditation, and type accreditation.

Explain the ring protection scheme. Understand the four rings of the ring protection scheme and the activities that typically occur within each ring. Know that most operating systems only implement Level 0 (privileged or supervisory mode) and Level 3 (protected or user mode).

Describe the function of the security kernel and reference monitor. The security kernel is the core set of operating system services that handles user requests for access to system resources. The reference monitor is a portion of the security kernel that validates user requests against the system’s access control mechanisms.

Understand the four security modes approved by the Department of Defense. Know the differences between compartmented security mode, dedicated security mode, multilevel security mode, and system-high security mode. Understand the different types of classified information that can be processed in each mode and the types of users that can access each system.

Written Lab

Answer the following questions about data and application security issues.

1. How does a worm travel from system to system?
2. Describe three benefits of using applets instead of server-side code for web applications.
3. What are the three requirements set for an operational reference monitor in a secure computing system?
4. What operating systems are capable of processing ActiveX controls posted on a website?
5. What type of key is selected by the database developer to uniquely identify data within a relational database table?
6. What database security technique appears to permit the insertion of multiple rows sharing the same uniquely identifying information?
7. What type of storage is commonly referred to as a RAM disk?
8. Name the four phases of the DITSCAP and NIACAP processes.
9. Identify the three types of accreditation granted to systems under the DITSCAP and NIACAP processes.
10. How far backward does the waterfall model allow developers to travel when a development flaw is discovered?

212 Chapter 7 Data and Application Security Issues

Review Questions

1. Which one of the following malicious code objects might be inserted in an application by a disgruntled software developer with the purpose of destroying system data upon the deletion of the developer’s account (presumably following their termination)?

A. Virus
B. Worm
C. Trojan horse
D. Logic bomb

2. What term is used to describe code objects that act on behalf of a user while operating in an unattended manner?

A. Agent
B. Worm
C. Applet
D. Browser

3. An application or system that is distributed to a number of different locations is evaluated for what type of information system security accreditation?

A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation

4. Which of the following characteristics can be used to differentiate worms from viruses?

A. Worms infect a system by overwriting data in the Master Boot Record of a storage device.
B. Worms always spread from system to system without user intervention.
C. Worms always carry a malicious payload that impacts infected systems.
D. All of the above.

5. What programming language(s) can be used to develop ActiveX controls for use on an Internet site?

A. Visual Basic
B. C
C. Java
D. All of the above

6. For what type of information system security accreditation is a major application or general support system evaluated?

A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation

7. Which one of the following key types is used to enforce referential integrity between database tables?

A. Candidate key
B. Primary key
C. Foreign key
D. Super key

8. Richard believes that a database user is misusing his privileges to gain information about the company’s overall business trends by issuing queries that combine data from a large number of records. What process is the database user taking advantage of?

A. Inference
B. Contamination
C. Polyinstantiation
D. Aggregation

9. What database technique can be used to prevent unauthorized users from determining classified information by noticing the absence of information normally available to them?

A. Inference
B. Manipulation
C. Polyinstantiation
D. Aggregation

10. Which one of the following terms cannot be used to describe the main RAM of a typical computer system?

A. Nonvolatile
B. Sequential access
C. Real memory
D. Primary memory

11. What type of information is used to form the basis of an expert system’s decision-making process?

A. A series of weighted layered computations
B. Combined input from a number of human experts, weighted according to past performance
C. A series of “if/then” rules codified in a knowledge base
D. A biological decision-making process that simulates the reasoning process used by the human mind

12. Which one of the following intrusion detection systems makes use of an expert system to detect anomalous user activity?

A. PIX
B. IDIOT
C. AAFID
D. NIDES

13. For what type of information system security accreditation are the applications and systems at a specific, self-contained location evaluated?

A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation

14. Which software development life cycle model allows for multiple iterations of the development process, resulting in multiple prototypes, each produced according to a complete design and testing process?

A. Software Capability Maturity Model
B. Waterfall model
C. Development cycle
D. Spiral model

15. In systems utilizing a ring protection scheme, at what level does the security kernel reside?

A. Level 0
B. Level 1
C. Level 2
D. Level 3

16. Which database security risk occurs when data from a higher classification level is mixed with data from a lower classification level?

A. Aggregation
B. Inference
C. Contamination
D. Polyinstantiation

17. Which of the following programming languages is least prone to the insertion of malicious code by a third party?

A. C++
B. Java
C. VBScript
D. FORTRAN

18. Which one of the following is not part of the change control process?

A. Request control
B. Release control
C. Configuration audit
D. Change control

19. What transaction management principle ensures that two transactions do not interfere with each other as they operate on the same data?

A. Atomicity
B. Consistency
C. Isolation
D. Durability

20. Which subset of the Structured Query Language is used to create and modify the database schema?

A. Data Definition Language
B. Data Structure Language
C. Database Schema Language
D. Database Manipulation Language

Answers to Review Questions

1. D. Logic bombs are malicious code objects programmed to lie dormant until certain logical conditions, such as a specific date, time, or system event, are met. At that time they spring into action, triggering their malicious payload.

2. A. Intelligent agents are code objects programmed to perform certain operations on behalf of a user in their absence. They are also often referred to as bots.

3. D. An application or system that is distributed to a number of different locations is evaluated for DITSCAP and NIACAP type accreditation.

4. B. The major difference between viruses and worms is that worms propagate from system to system under their own power, whereas viruses require user intervention (running an infected program or opening an infected document) to spread. Infection of the Master Boot Record is a characteristic of a subclass of viruses known as MBR viruses. Both viruses and worms are capable of carrying malicious payloads.

5. D. Microsoft’s ActiveX technology supports a number of programming languages, including Visual Basic, C, C++, and Java. On the other hand, only the Java language may be used to write Java applets.

6. A. A major application or general support system is evaluated for DITSCAP and NIACAP system accreditation.

7. C. Foreign keys are used to enforce referential integrity constraints between tables that participate in a relationship.

8. D. In this case, the process the database user is taking advantage of is aggregation. Aggregation attacks use database functions such as COUNT, SUM, and AVG to combine information from a large number of records, revealing information that is more sensitive than any individual record would reveal on its own.

9. C. Polyinstantiation allows the insertion of multiple records that appear to have the same primary key values into a database at different classification levels. A user with a lower clearance retrieves the row at their own level rather than an empty result, so the absence of a record does not betray the existence of a higher-classified one.

10. B. Random access memory (RAM) allows for the direct addressing of any point within the resource. A sequential access storage medium, such as a magnetic tape, requires scanning through the media from the beginning to reach a specific address. Note that option A does not describe RAM either: main memory is volatile and loses its contents when power is removed, so the question as worded has two defensible answers; the distinction it is testing is random versus sequential access.

11. C. Expert systems utilize a knowledge base consisting of a series of “if/then” statements to form decisions based upon the previous experience of human experts.

12. D. The Next-Generation Intrusion Detection Expert System (NIDES) is an expert system-based intrusion detection system. PIX is a firewall, and IDIOT and AAFID are intrusion detection systems that do not utilize expert systems.

13. B. The applications and systems at a specific, self-contained location are evaluated for DITSCAP and NIACAP site accreditation.

14. D. The spiral model allows developers to repeat iterations of another life cycle model (such as the waterfall model) to produce a number of fully tested prototypes.

15. A. The security kernel and reference monitor reside at Level 0 in the ring protection scheme, where they have unrestricted access to all system resources.

16. C. Contamination is the mixing of data from a higher classification level and/or need-to-know requirement with data from a lower classification level and/or need-to-know requirement.

17. C. The stated rationale is that VBScript, being an interpreted language, is less prone to modification by third parties than the compiled languages C++, Java, and FORTRAN. Treat this reasoning with caution: an interpreted script is distributed as editable source text, so it is easier, not harder, for a third party to alter, whereas a compiled binary must be patched or rebuilt. Of the four languages listed, Java offers the strongest structural defense against injected code, because applets execute inside the sandboxed Java Virtual Machine and class files can be digitally signed.

18. C. Configuration audit is part of the configuration management process rather than the change control process.

19. C. The isolation principle requires that concurrent transactions operating on the same data not interfere with one another: neither may observe the other’s uncommitted, intermediate results, and the final outcome must be the same as if the transactions had executed one after another. The database enforces this with locking or multiversion concurrency control rather than by literally running transactions one at a time.

20. A. The Data Definition Language (DDL) is the subset of SQL used to create and modify a relational database’s schema (CREATE TABLE, ALTER TABLE, DROP TABLE). The Data Manipulation Language (DML) is used to query and change the data held within that schema (SELECT, INSERT, UPDATE, DELETE).
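The isolation property discussed in answer 19 can be observed directly. The following is an added example, not code from the study guide: it uses Python’s standard sqlite3 module, a constructed "account" table holding a single balance, and two connections standing in for two concurrent transactions, T1 and T2. It shows that T2 never sees T1’s uncommitted write, sees it only after T1 commits, and sees nothing at all from a write that T1 rolls back.

```python
"""Isolation in practice: a concurrent transaction sees only committed state.

Added example using the standard-library sqlite3 module. The 'account' table
and its balances are constructed test data, not taken from the study guide.
"""
import os
import sqlite3
import tempfile


def _fresh_database():
    """Create a throwaway on-disk database with one account holding 100."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.db")
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO account (id, balance) VALUES (1, 100)")
    conn.commit()
    conn.close()
    return path


def _balance(conn):
    """Read account 1's balance and release the reader's lock immediately."""
    cur = conn.execute("SELECT balance FROM account WHERE id = 1")
    rows = cur.fetchall()  # fully consume the result so the statement is reset
    cur.close()
    return rows[0][0]


def demo_isolation():
    """Run T1 (writer) and T2 (reader) against the same database.

    Returns the balance T2 observes at three points:
      before_commit:  T1 has debited 40 but not committed -> T2 still sees 100
      after_commit:   T1 has committed                    -> T2 now sees 60
      after_rollback: T1 debited 500 and rolled back      -> T2 still sees 60
    """
    path = _fresh_database()
    t1 = sqlite3.connect(path, timeout=5)
    t2 = sqlite3.connect(path, timeout=5)

    # T1's first UPDATE implicitly opens a transaction that stays open.
    t1.execute("UPDATE account SET balance = balance - 40 WHERE id = 1")
    before_commit = _balance(t2)  # T2 reads committed state only

    t1.commit()
    after_commit = _balance(t2)  # T1's write is now durable and visible

    # An abandoned transaction leaves the committed state untouched.
    t1.execute("UPDATE account SET balance = balance - 500 WHERE id = 1")
    t1.rollback()
    after_rollback = _balance(t2)

    t1.close()
    t2.close()
    return {
        "before_commit": before_commit,
        "after_commit": after_commit,
        "after_rollback": after_rollback,
    }


if __name__ == "__main__":
    print(demo_isolation())
```

Isolation is not achieved by making T2 wait for T1 to finish: both connections run at the same time, and T2’s read during T1’s open transaction simply returns the last committed value. A real exam question on this topic is usually testing exactly that distinction between "interference" and "concurrency".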

Answers to Written Lab

Following are answers to the questions in this chapter’s written lab:

1. Worms travel from system to system under their own power by exploiting flaws in networking software.

2. The processing burden is shifted from the server to the client, allowing the web server to handle a greater number of simultaneous requests. The client uses local resources to process the data, usually resulting in a quicker response. The privacy of client data is protected because information does not need to be transmitted to the web server.

3. It must be tamperproof, it must always be invoked, and it must be small enough to be subject to analysis and tests, the completeness of which can be assured.

4. Microsoft Windows platforms only.

5. Primary key.

6. Polyinstantiation.

7. Virtual storage.

8. Definition, Verification, Validation, and Post Accreditation.

9. System accreditation, site accreditation, and type accreditation.

10. One phase.
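Answer 9 to the review questions and answer 6 to the written lab both turn on polyinstantiation. The following added example (not from the study guide) uses Python’s standard sqlite3 module and a constructed "cargo" relation, the classic case of a ship whose real destination is classified, to show the inference channel a conventional primary key opens and how a key that includes the classification level closes it. The ship names, destinations and level labels are invented test data.

```python
"""Polyinstantiation versus inference by absence, as an added example.

Uses the standard-library sqlite3 module. The 'cargo' relation, ship names and
destinations are constructed test data, not taken from the study guide.
"""
import sqlite3

# Ordering of classification labels used for the simple security property
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
TABLES = ("cargo_plain", "cargo_mls")  # the only table names we will interpolate


def build_database():
    """Two variants of the same relation, each seeded with one SECRET ship.

    cargo_plain: conventional table, primary key is the ship name alone.
    cargo_mls:   polyinstantiated table, real key is (ship, level), so several
                 rows may share the apparent key 'ship'.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cargo_plain (
            ship        TEXT PRIMARY KEY,
            destination TEXT NOT NULL,
            level       TEXT NOT NULL
        );
        CREATE TABLE cargo_mls (
            ship        TEXT NOT NULL,
            destination TEXT NOT NULL,
            level       TEXT NOT NULL,
            PRIMARY KEY (ship, level)
        );
        INSERT INTO cargo_plain VALUES ('Vigilant',  'Tripoli', 'SECRET');
        INSERT INTO cargo_plain VALUES ('Dauntless', 'Oslo',    'UNCLASSIFIED');
        INSERT INTO cargo_mls   VALUES ('Vigilant',  'Tripoli', 'SECRET');
        INSERT INTO cargo_mls   VALUES ('Dauntless', 'Oslo',    'UNCLASSIFIED');
    """)
    return conn


def visible_rows(conn, table, clearance):
    """Map ship -> destination as seen by a subject with the given clearance.

    Rows above the subject's clearance are filtered out. In the polyinstantiated
    table each ship collapses to its single row at the highest level the subject
    may read, so a SECRET reader gets the real destination and an UNCLASSIFIED
    reader gets the cover story.
    """
    assert table in TABLES, "table name must be one of the trusted constants"
    max_level = LEVELS[clearance]
    best = {}  # ship -> (destination, level)
    for ship, dest, level in conn.execute(
        f"SELECT ship, destination, level FROM {table}"
    ):
        if LEVELS[level] > max_level:
            continue
        if ship not in best or LEVELS[level] > LEVELS[best[ship][1]]:
            best[ship] = (dest, level)
    return {ship: dest for ship, (dest, _lvl) in sorted(best.items())}


def low_user_insert(conn, table, ship, destination):
    """An UNCLASSIFIED user inserts a row; returns 'accepted' or 'rejected'.

    In cargo_plain the insert collides with the SECRET row for the same ship.
    The rejection itself leaks: the low user learns that a record they cannot
    see exists. cargo_mls accepts the row because (ship, level) is unique.
    """
    assert table in TABLES, "table name must be one of the trusted constants"
    try:
        conn.execute(
            f"INSERT INTO {table} VALUES (?, ?, 'UNCLASSIFIED')", (ship, destination)
        )
        return "accepted"
    except sqlite3.IntegrityError:
        return "rejected"


def demo():
    """Walk through both inference channels and return every observation."""
    conn = build_database()
    results = {
        # Channel 1: the SECRET ship is simply missing from the low user's view.
        "plain_low_view": visible_rows(conn, "cargo_plain", "UNCLASSIFIED"),
        # Channel 2: the low user's own insert is refused, confirming existence.
        "plain_low_insert": low_user_insert(conn, "cargo_plain", "Vigilant", "Lisbon"),
        # Polyinstantiated table: cover story accepted, each level sees its own row.
        "mls_low_insert": low_user_insert(conn, "cargo_mls", "Vigilant", "Lisbon"),
        "mls_low_view": visible_rows(conn, "cargo_mls", "UNCLASSIFIED"),
        "mls_high_view": visible_rows(conn, "cargo_mls", "SECRET"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The filtering in visible_rows stands in for what a multilevel DBMS enforces in its reference monitor; here it is application code only so the behaviour can be seen in one file. The price of polyinstantiation is also visible: the database now knowingly holds two contradictory facts about Vigilant, and integrity has been traded for confidentiality.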

Chapter 8

Malicious Code and Application Attacks

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Malicious Code

Methods of Attack

In previous chapters, you learned about many general security principles and the policy and procedure mechanisms that help security practitioners develop adequate protection against malicious individuals. This chapter takes an in-depth look at some of the specific threats faced on a daily basis by administrators in the field.

This material is not only critical for the CISSP exam, it’s also some of the most basic information a computer security professional must understand to effectively practice their trade. We’ll begin this chapter by looking at the risks posed by malicious code objects—viruses, worms, logic bombs, and Trojan horses. We’ll then take a look at some of the other security exploits used by someone attempting to gain unauthorized access to a system or to prevent legitimate users from gaining such access.

Malicious Code

Malicious code objects include a broad range of programmed computer security threats that exploit various network, operating system, software, and physical security vulnerabilities to spread malicious payloads to computer systems. Some malicious code objects, such as computer viruses and Trojan horses, depend upon irresponsible computer use by human beings to spread from system to system with any success. Other objects, such as worms, spread rapidly among vulnerable systems under their own power.

All computer security practitioners must be familiar with the risks posed by the various types of malicious code objects so they can develop adequate countermeasures to protect the systems under their care as well as implement appropriate responses if their systems are compromised.

Sources

Where does malicious code come from? In the early days of computer security, malicious code writers were extremely skilled (albeit misguided) software developers who took pride in carefully crafting innovative malicious code techniques. Indeed, they actually served a somewhat useful function by exposing security holes in popular software packages and operating systems, raising the security awareness of the computing community. For an example of this type of code writer, see the sidebar in this chapter entitled “RTM and the Internet Worm.”

Modern times have given rise to the script kiddie—the malicious individual who doesn’t understand the technology behind security vulnerabilities but downloads ready-to-use software (or scripts) from the Internet and uses them to launch attacks against remote systems. This trend
