Module 11 - Software Development

Software engineering uses a systematic approach to analyze, design, implement, test, maintain, and reengineer software. There are several process models like waterfall and spiral. Security is most relevant in requirements, design, coding, and testing phases. Techniques like buffer overflow prevention, input validation, privilege restriction, and cryptography help address security failures. Physical security defenses like access controls, locks, cameras, and biometrics help protect facilities and equipment from theft and tampering.

Uploaded by

Don Jino

Software engineering is a systematic approach to analyzing, designing, assessing, implementing, testing, maintaining, and reengineering software.

Elements to incorporate security into the process model:


❑ The inclusion of security requirements and measures into the specific process model
being used.
❑ The use of secure coding methods to prevent opportunities for security failures from
being introduced into the software’s design.
Process Models:
❑ Waterfall model
• characterized by a multi-step process where steps
follow each other in a linear, one-way fashion
❑ Spiral model
• has steps in phases that execute in a spiral fashion, repeating at
different levels with each revolution of the model
Four primary items where the issue of security is significantly relevant:

1. Requirements process
2. Architectural design
3. Coding
4. Testing
ROI and Error Correction
❑ Correcting errors results in additional work and
expense.
❑ The level of rework and extent of extra work are direct
functions of how late in the development process the errors are
detected.
Secure Code Techniques

❑ Buffer Overflows
• The input buffer that is used to hold program input is overwritten with data that is
larger than the buffer can hold.
– Poor programming practice
– Programming language weaknesses
• Write solid code – regardless of the language used or the source of outside
input, prudent programming practice is to treat all input from outside a function
as hostile
• Proper string handling – string handling is a common event in programs, and the functions that
perform it are the source of a large number of known buffer overflow vulnerabilities
❑ Code Injection
• a technique to introduce arbitrary code into a running computer
process
• can be done either locally or remotely through the
web
• a hacking or cracking technique to gain information or unauthorized
access to a system
• the primary method of defense against this type of vulnerability is, similarly, to
validate all inputs
❑ Least Privilege
• requires that the developer understand what privileges are required specifically for an
application to execute and access all its required resources
• computing concept of access or functionality within an operating system whereby a
user or program is granted minimum possible privileges to permit an action
• determine what needs to be accessed and what the appropriate level of permission
is, then use that level in design and implementation
• cost of failure:
– expensive and time-consuming access violation errors that are hard to track
down and correct
– when an exploit is found that allows some other program to use portions of the
code in an unauthorized fashion
❑ Cryptographic Failures
• Choosing to develop your own cryptographic algorithm
• Error in instantiating the algorithm
• Using a weak random number source to generate a random key
• Storing private keys in areas where they can be recovered by
an unauthorized person
– Do not hard-code secret keys in code
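Added example, not from the slides: the `strcpy` pattern behind the buffer overflows described above, beside a bounded copy that treats input as hostile, plus an allow-list validator for the "validate all inputs" defence against code injection. The function names, the 16-byte buffer and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 16   /* destination buffer size used throughout */

/* The classic defect: strcpy copies until it finds a NUL, so input longer
 * than NAME_LEN-1 bytes runs past 'name' and overwrites adjacent stack
 * memory. Kept only for contrast; never called with untrusted input here. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);                     /* no length check at all */
    printf("Hello, %s\n", name);
}

/* Hardened copy: treat 'src' as hostile, measure it against the destination
 * before writing, fail closed. On oversize input 'dst' becomes "" and the
 * function returns false; true means the copy was performed. */
bool copy_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst == NULL || src == NULL || dst_len == 0) return false;
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') n++;   /* read at most dst_len bytes */
    if (n == dst_len) {                          /* no room for the terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                     /* n chars plus the NUL */
    return true;
}

/* Allow-list validation, the defence the slides give for code injection:
 * accept only ASCII letters, digits, '_' and '-', which rules out quotes,
 * shell metacharacters and path separators. */
bool is_safe_identifier(const char *s) {
    if (s == NULL || *s == '\0') return false;
    for (; *s; s++) {
        bool ok = (*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') ||
                  (*s >= '0' && *s <= '9') || *s == '_' || *s == '-';
        if (!ok) return false;
    }
    return true;
}

/* Validate, then copy with a bound. True only if both checks passed. */
bool greet_safe(const char *input) {
    char name[NAME_LEN];
    if (!is_safe_identifier(input)) return false;
    if (!copy_bounded(name, sizeof name, input)) return false;
    printf("Hello, %s\n", name);
    return true;
}

int main(void) {
    /* Constructed inputs: benign, injection characters, oversize. */
    greet_safe("alice");
    greet_safe("alice;ls");                          /* rejected by allow-list */
    greet_safe("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");    /* rejected by bound check */
    return 0;
}
```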
Requirements Phase
❑ is the first step in a software development process model where the details for
all end-product requirements are documented.

Testing Phase
❑ last opportunity to determine that the software performs properly before the end
user experiences problems

❑ Early testing helps resolve errors at an earlier stage and results in cleaner code.

❑ Security-related use cases can be used to test for specific security requirements.
Physical Security

❑ protects your physical computer and networking facilities, and people
❑ the best computer security activities can easily be negated by a simple physical attack
❑ remains a vitally important component of your total security plan
❑ tangible defenses that can protect your facility, equipment, and information from theft,
tampering, careless misuse, and natural disasters
CIA Security Mnemonics:

❑ Confidentiality
• Where a secret should stay that way

❑ Integrity
• Which is received is identical to what was sent, what is retrieved should be
identical to what was stored

❑ Accessibility
• What is stored should be easy to retrieve, what you need or where you wish to
go should always be available
IRA Security Mnemonics:

❑ Identification
• Being able to prove you are who you say you are.

❑ Reliability
• All systems function as they should on demand,
even in a crisis.

❑ Authentication
• Making sure users can access only those areas for which they are authorized.
Examples of Physical Attacks

❑ Plugging into an Ethernet jack

• the attacker usually sits with a laptop and runs several tools against the network internally
• a laptop can also be used to attack a network remotely from outside the building through PDAs
• an attack can also be done with an off-the-shelf access point if there is power available near the
Ethernet jack

❑ Using Bootdisks
• enables attackers to make an image copy of the hard drive for future or offsite analysis
• Bootable media can be in the form of floppy disks, CDs, flash drives or external hard drives that are often
used to load the imaging software.
• Drive imaging is the process of taking the entire contents of a hard drive and copying them to a different
media as a single file.

❑ Computer Theft
Steps to be taken to mitigate the risks of Physical attacks

❑ Removal of bootable devices when they are unnecessary can help mitigate bootdisk
attacks.
❑ BIOS passwords should be used to protect the boot sequence.
❑ USB devices are a threat and, if possible, USB drivers should be removed.
❑ Background checks of new hires help ensure security.
❑ Access controls should have layered areas and electronic access control systems.
❑ Electronic physical security systems need to be protected from network-based attacks.
❑ Authentication systems should use multiple factors when feasible.
❑ All users need security training.
Server Room Surveillance Cameras
Locks and Keys
❑ a locked or guarded computer room has been the primary means of protecting
computer equipment and information from physical intrusion and unrestricted
access
❑ to gain access to a locked facility, a user should have to pass an authentication test
❑ Three classic ways in which you identify yourself for authentication purposes:

• What you know (e.g. a password)
• What you have (e.g. key, token, badge, or smart card)
• What you are (e.g. the fingerprint on your finger which matches the one on file)

❑ Authentication techniques can be used for physical security such as for building or
computer room access and system access control.
❑ Two-Factor Authentication
• when two distinct techniques are used for authentication

❑ Mantraps
• elaborate turnstiles used in highly secured facilities, designed to entrap a person on purpose

❑ Example of locks:

• Equipment locks – Bolting down your PC, router, switch, or other network device in its location to
keep someone from taking it.
• Cryptographic locks - Ultra-secure products are equipped with electronic devices known as smart
keys used to load initial cryptographic key information into the product.
Equipment Lock Mantraps
❑ Access tokens, such as keys, are the traditional form of physical access authentication.

❑ Keys are paired exclusively with a lock or a set of locks, and they are not easily changed.

❑ In many cases, physical access authentication has moved to remote radio frequency
cards and readers.

❑ Newer technologies are adding capabilities to the standard token-based systems.

• Cards that contain integrated circuits, called smartcards, have enabled cryptographic types of
authentication
Smart Card
Biometrics

❑ the use of a person’s set of unique, examinable and quantifiable physiological, behavioral,
and morphological characteristics to provide positive personal identification
❑ Biometric devices sample a physical or behavioural trait and compare it with the traits on
file to determine whether you are who you claim to be.
❑ can handle multiple-factor authentication, a combination of two or more types of
authentication from what you are, what you have, and what you know
❑ cuts across any one or a combination of the risks involved in stolen tokens, disclosed
passwords, and stolen biometrics
❑ Computerized biometric identification systems examine a particular trait and use that
information to decide whether you have the right to enter a building, unlock a secured area,
or access a system.
Surveys indicate that biometric devices, in order of
effectiveness, rank as follows (most secure to least
secure):

1. Retina pattern
2. Fingerprint
3. Handprint
4. Voice pattern
5. Keystroke pattern
6. Signature
In order of social acceptance, the order is practically the
opposite:

1. Keystroke pattern
2. Signature
3. Voice pattern
4. Handprint
5. Fingerprint
6. Retina pattern
Setbacks in Using Biometric Devices

❑ Biometrics may not encode the exact same result twice, so a certain amount of error in the
scan has to be allowed for

• A false positive is when a biometric is scanned and allows access to someone who is not
authorized.
• A false negative is when the system denies access to someone who is authorized.

❑ An attacker can steal the uniqueness factor that the machine scans and reproduce that
factor to gain access.

❑ Parts of the human body can change, allowing a higher tolerance for variance in the
biometric being read.
Disaster Recovery Plan (DRP)
❑ defines the data and resources necessary and the steps to take in order to restore
critical organizational processes
❑ answers the following questions for all critical functions:
• Who is responsible for the operation of this function?
• What do these individuals need to perform the function?
• When should this function be accomplished in
relation to other functions?
• Where will this function be performed?
• How is this function performed (what is the process)?
• Why is this function so important or critical to the
organization?

❑ A business impact assessment (BIA) or business impact analysis is the name often
used to describe the document created by addressing these questions.
Categories of Business Functions

❑ Critical – explains how important the business function is to the operations

❑ Necessary for normal processing – in normal operations the business function is requisite,
but the organization can do without it for a short period of time

❑ Desirable – in normal operations, the function is not required but it will enhance the
organization’s ability to conduct its objectives efficiently

❑ Optional – function is desirable to include but it does not have any effect on the operation of
the organization
Business Continuity Plan (BCP)

❑ The focus of a business continuity plan is the continued operation of the
business or organization.

❑ Often sees a more significant emphasis placed on the critical systems the
organization needs to operate.

❑ The BCP describes the functions that are most critical, based on a previously
conducted BIA, and often describes the order in which functions should be
returned to operation.
Backups

❑ factors to consider in an organization’s data backup strategy:

• How frequently should backups be conducted?
• How extensive do the backups need to be?
• What is the process for conducting backups?
• Who is responsible for ensuring backups are created?
• Where will the backups be stored?
• How long will backups be kept?
• How many copies will be maintained?

❑ provide valid, uncorrupted data in the event of corruption or loss of the original file or the
media where the data was stored.
Types of Backups

❑ Full Backup – all files and software are copied onto the storage media

❑ Differential Backup – only the files and software that have changed since
the last full backup was completed need to be stored

❑ Incremental Backup – backs up selected files that have been changed

❑ Delta Backup – backs up only the actual data in the selected files that has
changed
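Added example, not from the slides: the selection rule for each backup type listed above, written in C over a constructed three-file catalogue. The integer "tick" timestamps, the file names and the assumption that a delta backup uses the same selection window as an incremental but copies only the changed bytes are mine, not the module's.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed catalogue entry; times are integer "ticks", not real
 * timestamps. changed_bytes is what a delta backup copies (assumption). */
typedef struct {
    const char *name;
    int modified_at;      /* tick of the file's last write */
    size_t size;          /* full size in bytes */
    size_t changed_bytes; /* bytes changed by the latest write */
} FileEntry;

typedef enum { FULL, DIFFERENTIAL, INCREMENTAL, DELTA } BackupType;

/* Selection rule per type, following the slide definitions:
 *  FULL         - every file, every time
 *  DIFFERENTIAL - files changed since the last full backup
 *  INCREMENTAL  - files changed since the last backup of any type
 *  DELTA        - same window as INCREMENTAL, changed bytes only */
bool should_backup(BackupType type, const FileEntry *f,
                   int last_full_at, int last_any_at) {
    switch (type) {
    case FULL:         return true;
    case DIFFERENTIAL: return f->modified_at > last_full_at;
    case INCREMENTAL:
    case DELTA:        return f->modified_at > last_any_at;
    }
    return false;
}

/* Bytes written to the backup media for one selected file. */
size_t bytes_to_copy(BackupType type, const FileEntry *f) {
    return type == DELTA ? f->changed_bytes : f->size;
}

/* Total media needed for one backup of the given type. */
size_t backup_size(BackupType type, const FileEntry *files, size_t n,
                   int last_full_at, int last_any_at) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (should_backup(type, &files[i], last_full_at, last_any_at))
            total += bytes_to_copy(type, &files[i]);
    return total;
}

/* Constructed scenario: full backup at tick 1, incremental at tick 5,
 * and we are deciding what to copy at tick 10. */
static const FileEntry SAMPLE[] = {
    {"payroll.db", 8, 4000, 200}, /* written after the tick-5 incremental */
    {"policy.pdf", 3, 1000,  50}, /* written after the full, before tick 5 */
    {"readme.txt", 0,  100,   0}, /* untouched since before the full backup */
};
enum { SAMPLE_COUNT = 3, LAST_FULL = 1, LAST_ANY = 5 };

int main(void) {
    const char *names[] = {"full", "differential", "incremental", "delta"};
    for (int t = FULL; t <= DELTA; t++)
        printf("%-12s -> %zu bytes\n", names[t],
               backup_size((BackupType)t, SAMPLE, SAMPLE_COUNT, LAST_FULL, LAST_ANY));
    return 0;
}
```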
Backup Frequency and Retention

❑ Every organization should consider how long it can survive without current
data from which to operate. Then it can determine how long it will take to
restore from backups, using different methods, and decide how frequently
backups need to occur.

❑ Approaches or strategies to backup retention:

• Rule of three
• Keep the most recent copy of backups for various time intervals
❑ Two major costs that need to be considered in determining the optimal
backup frequency:
• Cost of the backup strategy chosen
• Cost of recovery if backup strategy is not implemented

❑ Elements that must be taken into consideration when calculating the cost of
the backup strategy:
• The cost of the backup media required for a single backup
• The storage costs for the backup media and the
retention policy
• The labor costs associated with performing a single backup
• The frequency with which backups are created
Backup Storage

❑ One of the elements to be factored into the cost of the backup
strategy is the expense of storing the backups.
❑ A simple strategy is to store all backups together for quick and
easy recovery.
❑ Keep copies of backups in separate locations.
Alternate Sites

❑ Hot sites – fully configured environment similar to the normal operating environment
that can be operational within a few hours

❑ Warm sites – partially configured, usually having the peripherals and software but
perhaps not the more expensive main processing computer

❑ Cold sites – have the basic environmental controls necessary to operate but will have
a few of the computing components necessary for processing

❑ Mobile backup sites – generally trailers with the required computers and electrical
power that can be driven to a location within hours of a disaster and set up to
commence processing immediately
Security Policies
❑ high-level statement produced by senior management that outlines what security
means to the organization and what the organization’s goals are for security
❑ describe how security is to be handled from an
organizational point of view
❑ should be reviewed on a regular basis and updated as needed

Acceptable Use Policy (AUP)

❑ outlines what the organization considers to be the appropriate use of company
resources, such as computer systems and networks
❑ ensures employee productivity while limiting organizational liability arising from
inappropriate use of the organization’s assets
❑ usually includes explicit statements about the required procedures, rights, and
responsibilities of a technology user
Internet Usage Policy
❑ aims to ensure maximum employee productivity and to limit potential liability to the
organization from inappropriate use of the Internet in the workplace
❑ needs to address what sites employees are
allowed to visit, and what sites are not

E-mail Usage Policy

❑ deals with what the company will allow employees to send in terms of e-mail
❑ should state whether non-work e-mail traffic is allowed at all or is at least
severely restricted
❑ specifies any disclaimers that must be attached to an employee’s message sent to
an individual outside of the company
Due Care or Due Diligence
❑ terms used in the legal and business community to address issues where one party’s
actions may have caused loss or injury to another
❑ organizations should take reasonable precautions to protect the information that they
maintain on other individuals

Separation of Duties
❑ principle employed in many organizations to ensure that no single individual has the
ability to conduct transactions alone
❑ may result in inefficiency and may actually be less secure because individuals may not
inspect transactions as thoroughly, since they know others may be reviewing them
❑ spreads responsibilities out over an organization so no single individual becomes the
indispensable individual with all of the unique knowledge about how to make everything
work
Password Management Policy
❑ should address the procedures used for selecting user
passwords, the frequency with which they must be changed,
and how they will be distributed
❑ should also address the issue of password cracking by
administrators to discover weak passwords that may have
been selected by employees
Privacy Policy

❑ explains what an organization’s guiding principles will be in guarding the
personal data that it is given access to

Service Level Agreements (SLA)

❑ are contractual agreements between entities describing specified levels
of service that the servicing entity agrees to guarantee for the
customer
Code of Ethics

❑ a specific set of professional behaviors and values that the professional must
know and abide by, including confidentiality, accuracy, privacy, and integrity. The
code should also state how employees should treat client and organizational data

Incident Response Policy

❑ associated procedures should be developed to outline how the organization will deal
with security incidents when they occur
❑ covers several phases: preparation, detection, containment and eradication,
recovery, and follow-up actions
❑ Preparation

• Steps to be taken when an incident is discovered should be established.
• Points of contact should be determined.
• All employees should be trained to have an understanding of the steps to
take and who to call.
• An incident response team should be established, the equipment necessary
to detect, contain, and recover from an incident should be acquired, and
those who will use the equipment will need to be trained.
• Any additional training in areas such as computer forensics that are
determined to be necessary should be accomplished.
❑ Detection

• The incident response team should determine whether an actual incident has
occurred.
• Each reported incident must be investigated and treated as a possible
incident until it can be determined whether it is or is not.
• Develop a reporting template that can be supplied to an individual
suspecting an incident so that the necessary information is gathered in a
timely manner.
❑ Containment and Eradication

• Once the determination has been made that an incident has occurred, the team’s first task is to contain
the problem.
• Another decision to be made is how containment will be carried out.
• Other possible containment activities include adding additional filtering rules or modifying existing rules on
firewalls, routers, or IDS, updating anti-virus software, or removing specific pieces of hardware or halting
specific software applications.
• Once the immediate problems have been contained, the cause of the incident needs to be addressed.

❑ Recovery

• After the incident has been contained and the malicious software has been removed or the vulnerabilities
remediated, the recovery procedures can be put into action. The goal here is to bring the organization back to
normal processing.
❑ Follow-Up Actions

• An after-action report should be created to outline what happened and how it was
addressed.
• Recommendations will most likely be made to improve processes and policies so
that a repeat incident will not occur.
• Training material may also need to be developed or modified as part of the new,
modified policies and procedures.
