Application & Systems Development Security (shinsoojung.pe.kr/cert/CISSP4.pdf)

Page 1

Application & Systems Development Security

2001.9

신수정, Ph.D, CISSP, CISA, PMP
(e-mail: [email protected]; homepage: http://www.danam21.co.kr/sjs1234/)

Danam Data Systems

Page 2

Agenda
- Introduction
- Application Environment
- Control
- Application controls
- Database Security
- Data warehousing
- Data Mining
- AI
- Attacks & Vulnerabilities
- System Development Controls
- SLA & SW-CMM
- Summary

Page 3

Introduction

Page 4

2. The meaning of CISSP and how to prepare for the exam
(1) CISSP Intro. – Nature of the exam

a. It is not an exam that certifies an information security expert; it is an entry-level exam.
b. It is an exam that checks the basic, common knowledge every information security professional should have.
c. It is an exam that can be an occasion to broaden one's perspective on security.
d. There is a difference in perspective between Korean certification exams and US certification exams.

[Figure: "General common sense of information security" at the centre, surrounded by network security, cryptography, authentication, security management, security mechanisms and OS security]

Reference: http://www.danam21.co.kr/sjs1234

Page 5

2. The meaning of CISSP and how to prepare for the exam
(1) CISSP Intro. – Meaning of the exam

a. An opportunity for a small challenge and achievement, breaking out of the routine of daily work
b. An opportunity to organize the whole of one's information-security knowledge
c. Because everyone else is getting it…
d. A good way to present yourself to others when there is no other information with which to prove your expertise

Reference: http://www.danam21.co.kr/sjs1234

Page 6

2. The meaning of CISSP and how to prepare for the exam
(1) CISSP Intro. – After obtaining the certification

a. Join the forum and share information with CISSPs around the world
b. Take part in domestic activities for exchange and information sharing
c. Forget the certificate and build real ability
d. Train those who come after you

Reference: http://www.danam21.co.kr/sjs1234

Page 7

2. The meaning of CISSP and how to prepare for the exam
(1) CISSP Intro. – CISA and CISSP

(each item lists the CISSP value first, then the CISA value)
a. Scope: 10 domains, 7 domains
b. Experience requirement: 3 years, 3 years
c. Field of activity: Security, Auditor
d. Passing score: 70, 75
e. Pass rate: 30%, 30-50%
f. Difficulty
g. Exam dates: 2-3 per year, 1 per year
h. Specialization
i. Which to take first?

Personal opinion: it is easier for a CISSP to become a CISA than for a CISA to become a CISSP…

Reference: http://www.danam21.co.kr/sjs1234

Page 8

2. The meaning of CISSP and how to prepare for the exam
(1) CISSP Intro. – Exam preparation tips

a. Read the following books:
- Information Security Management Handbook, Tipton & Krause
- CISSP Examination Textbook, Rao
b. Read Hal Tipton's material
c. Read the ISC2 Study Guide
d. Read Ben Rothke's PPT
e. Read for an hour every day
f. Study intensively for at least a month
g. Make your own study notes
h. Work through practice questions in the two weeks before the exam
i. Review hard in the last week
j. Form a study group and share information with each other
k. Bookmark the following sites and visit them often:
- www.cccure.org, www.isc2.org, www.sans.org, www.cissps.com

Excerpted from Adrien de Beaupré's "Tips & Tricks to help you in your studies"

Page 9

2. The meaning of CISSP and how to prepare for the exam
(1) CISSP Intro. – Exam preparation tips

l. Bring something to drink and eat to the exam site, and take breaks.
m. Read each question carefully at least twice before writing an answer.
n. You do not need to be an expert in all 10 domains; grasp the important concepts.
o. You do not necessarily need experience in a field to sit the exam.

** Additional
a. Bring an English dictionary.
b. When time is limited, do not dig in too deep.
c. Use the exam time well.

Excerpted from Adrien de Beaupré's "Tips & Tricks to help you in your studies"

Page 10

2. The meaning of CISSP and how to prepare for the exam
(1) CISSP Intro. – Purpose of the preparation course

a. Understanding of the overall domain
b. Grasp of the core concepts
c. Exchange among the participants
d. Other details and question practice are self-study

Page 11

(2) Domain 4 Introduction

[Figure: the ten CISSP CBK domains]
(1) Access Control Systems & Methodology
(2) Telecommunications & Network Security
(3) Security Management Practices
(4) Applications & System Development Security
(5) Cryptography
(6) Security Architecture & Models
(7) Operations Security
(8) Business Continuity Planning & DRP
(9) Laws, Investigations and Ethics
(10) Physical Security

BS7799 control areas: Security policy; Security organization; Asset classification and control; Personnel security; Communications security; Physical security; Access control; System development; Business continuity; Compliance

Page 12

(2) Domain 4 Introduction

Information systems function (the numbers in parentheses are the CISSP domains on the previous slide that cover each subsystem)

Management subsystems: the managerial functions that must be performed to ensure that development, implementation, operation, and maintenance of IS proceed in a planned and controlled manner
- Top management
- IS management (9)
- System development management (4)
- Programming management (4)
- Data administration (4)
- QA management
- Security management (3, 8, 10)
- Operations management (7)

Application subsystems: the application functions that need to be undertaken to accomplish reliable information processing
- Boundary (interface) (1, 5)
- Input (4)
- Communications (2, 5)
- Processing (4)
- Database (4)
- Output (4)

Page 13

(2) Domain 4 Introduction

Characteristics of the Applications & System Development Security domain
(1) It is excessively miscellaneous.
(2) A great deal of knowledge from a great many fields is scattered through it, so everyone finds it a chore.
(3) There is no end to studying it in depth.
(4) The questions, however, tend to be easy.
(5) Grasp the big picture and understand the principles, then adapt to the questions.

Structure of the Applications & System Development Security domain
(1) Application control
(2) DB control
(3) Attack/Vulnerability
(4) System Development Control
(5) Others

Page 14

3. CBK introduction
(3) Domain 4 key points

Applications and systems development security refers to the controls that are included within systems and applications software and the steps used in their development. Applications refer to agents, applets, software, databases, data warehouses and knowledge-based systems.

• Application Issues
• Database & DW
• Data/Information storage
• Knowledge-based Systems
• System Development Controls
• Malicious Code
• Methods of Attack

Reference: CISSP Study Guide, ISC2

Page 15

3. CBK introduction
(3) Domain 4 key points

Things to understand
• Security and controls of the system development process, the system life cycle, application controls, data warehousing, data mining, knowledge-based systems and program interfaces, and the concepts used to ensure data and application integrity, security and availability

Reference: CISSP Study Guide, ISC2

Page 16

3. CBK introduction
(3) Domain 4 key points

[Figure: a client application sends a request to a server application, which returns a response and sits in front of the DB and DW. Labels on the figure: Attack (on the request/response path); DB Security; Application Security and Security Design; Application Development Process Security; Distributed Environment – C/S, Web, …]

Page 17

3. CBK introduction
(4) Sample questions

1. Which of the following can be used as a covert channel?
1) Storage and timing
2) Storage and low bits
3) Storage and permissions
4) Storage and classification

2. A department manager has read access to the salaries of the employees in his/her department but not to the salaries of employees in other departments. A database security mechanism that enforces this policy would typically be said to provide:
1) content-dependent access control
2) context-dependent access control
3) least privileges access control
4) ownership-based access control

Page 18

3. CBK introduction
(4) Sample questions

3. A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle?
1) requirements definition phase
2) design phase
3) development phase
4) testing phase

4. In SQL, where is the actual data stored?
1) Views
2) Tables
3) Schemas and sub-schemas
4) Index-sequential tables

5. Which of the following concepts is used in the Java security model?
1) white box
2) black box
3) sandbox
4) grey box

Page 19

Application Environment

Page 20

(1) Application Environment

(1) Centralized environment
- All IS work is performed in one place, either internal or external to the organization.
- From a management decision-making viewpoint, centralization implies central decision making at headquarters.
- A single central site for HW and data storage.
- The only remote facilities and communications involve computer terminals for transaction processing and remote devices for job entry and output.

(2) Decentralized environment
- Each department or functional unit of the organization performs its own data processing work.
- From a management decision-making viewpoint, decentralization implies decentralized decision making at the local level.
- Multiple independent computer sites with virtually no communications between them.

(3) Distributed environment
- Communications and coordination among multiple locations.
- An architecture with standard programming interfaces, conventions, and server functionality for distributing applications transparently across networks of heterogeneous computers.

Page 21

(2) Centralized vs. Distributed Systems

• Centralized systems
– The biggest issue is still mistakes and omissions
– Protection by the operating system/platform
  • Physical database integrity
  • Logical database integrity
  • Element integrity
– Database and controlled access links
– Layers of vulnerabilities
– Examples and vulnerabilities: virus, Trojan horse, logic bomb, worm

Page 22

(2) Centralized vs. Distributed Systems

• Distributed systems
– "Decentralized": connected or unconnected but related platforms running independent copies of software with independent copies of data
– "Dispersed": interconnected and related platforms running the same software and using the same data, one of which (data or software) is centralized
– "Interoperable" or "Cooperative": interconnected platforms running independent copies of software with independent copies of data
– Combines processing from dissimilar platforms
– Independently execute/test each component

Page 23

(3) Distributed Environment
(1) Objectives

(1) Portability: portable at the source code level
(2) Interoperability: share and exchange information
(3) Transparency: hiding distribution details… but selectively
(4) Extensibility: extending…
(5) Robustness & Security: the necessary level of integrity, security and reliability
- Authorization & authentication
- Access control
- Logging
- Security alarm
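The four items under "Robustness & Security" above, together with sample question 2 on page 17 (a manager who may read salaries only within his or her own department), are what the back-end of a client/server application actually has to do on every request: authenticate the caller, make a content-dependent access decision, log the outcome, and raise an alarm when a client keeps failing. The following is an added example written for this page, not code from the slides or from any product. The payroll table, the session tokens, the client addresses and the alarm threshold are all constructed for the demonstration.

```python
import hmac
import sqlite3

# Constructed sample data (assumption: a small payroll schema, not taken from the slides).
EMPLOYEES = [
    ("alice", "sales", 52000),
    ("bob", "sales", 48000),
    ("carol", "engineering", 91000),
    ("dave", "engineering", 87000),
]

# Hypothetical session store handed out after login: token -> (user, department, role).
SESSIONS = {
    "tok-sales-mgr": ("mgr_sales", "sales", "manager"),
    "tok-eng-mgr": ("mgr_eng", "engineering", "manager"),
}

ALARM_THRESHOLD = 3  # assumption: consecutive denials per client that raise an alarm


class SalaryServer:
    """Back-end portion of a C/S application: it owns the DB and enforces the policy."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE employees(name TEXT, dept TEXT, salary INTEGER)")
        self.db.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
        self.audit_log = []   # logging: one entry per request, allowed or denied
        self.alarms = []      # security alarm: raised when a client keeps being denied
        self._denials = {}    # consecutive denials per client address

    def _authenticate(self, token):
        """Authentication: map a presented token to a principal, or None."""
        for known, principal in SESSIONS.items():
            # compare_digest keeps the comparison time independent of where the strings differ
            if hmac.compare_digest(known.encode(), token.encode()):
                return principal
        return None

    def read_salaries(self, client_addr, token, requested_dept):
        """Handle one request; the response is {"status": "ok" | "denied", "rows": [...]}."""
        principal = self._authenticate(token)
        if principal is None:
            return self._deny(client_addr, "authentication failed")
        user, own_dept, role = principal
        # Authorization: only managers may read salaries at all.
        if role != "manager":
            return self._deny(client_addr, f"{user} is not a manager")
        # Content-dependent access control: the value in each row's dept column decides
        # whether the caller may see it, and the caller may only ask for its own department.
        if requested_dept != own_dept:
            return self._deny(client_addr, f"{user} may not read dept {requested_dept}")
        # The filter is bound server-side from the session, never built from client text.
        rows = self.db.execute(
            "SELECT name, salary FROM employees WHERE dept = ? ORDER BY name", (own_dept,)
        ).fetchall()
        self._denials.pop(client_addr, None)
        self.audit_log.append(("ALLOW", client_addr, user, requested_dept))
        return {"status": "ok", "rows": rows}

    def _deny(self, client_addr, reason):
        self.audit_log.append(("DENY", client_addr, reason))
        count = self._denials.get(client_addr, 0) + 1
        self._denials[client_addr] = count
        if count == ALARM_THRESHOLD:          # raise once, when the threshold is reached
            self.alarms.append((client_addr, reason))
        return {"status": "denied", "rows": []}


if __name__ == "__main__":
    server = SalaryServer()
    print(server.read_salaries("10.0.0.5", "tok-sales-mgr", "sales"))
    print(server.read_salaries("10.0.0.5", "tok-sales-mgr", "engineering"))
    for _ in range(ALARM_THRESHOLD):
        server.read_salaries("10.0.0.9", "guess", "sales")
    print(server.alarms)
```

The department filter is taken from the authenticated session, not from the request, so even if the explicit comparison were removed the query could still only return the caller's own rows; the denial counter is reset by a successful request so that a single typo does not accumulate towards the alarm.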

Page 24

(3) Distributed Environment
(2) Client/Server Systems

(1) Definition: the coordination of data as application systems are distributed
- Client/Server
- Cooperative processing: a single computing process uses several different connected platforms
- Distributed processing: a single computing process runs independently on multiple, similar platforms

(2) Hardware
- PC, connection, host

(3) Roles
- Server: handles data processing services and provides data to the client
- Client
- Communication system/LAN

[Figure: the Client sends a request to the Server and receives a response; the Server is connected to the DB]

Page 25

(3) Distributed Environment
(2) Client/Server Systems

(4) Elements
- Data storage / data management system
- Application system / OS / display device / user interface

(5) Risks
- Technology / economic (cost) / operational (performance)
- Implementation (user) / security

(6) Distribution of functionality
- Front-end portion: local data manipulation, UI
- Back-end portion: DB handling

(7) Benefits
- Separation of data from the application program
- DB operations on the server: performance
- System development time and maintenance time are reduced
- Elimination of inconsistent and redundant data
- Provision of data integrity and recovery

Page 26

(3) Distributed Environment
(2) Client/Server Systems

(8) Data management features
- Data dictionary (DD)
- Distributed data and distributed processing
- Shared transaction logging and management (physical logging, logical logging, write-ahead logging)
- Shared buffering
- Locking mechanism
- Fault tolerance (disk duplexing, primary & shadow databases, fail-over)

(9) C/S implementation strategies
- Simple file transfer approach
- API approach
- GUI-based approach
- Peer-to-peer approach
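Write-ahead logging, listed above among the data management features, is the rule that a change is recorded in a durable log before the data page is modified, so that after a crash the committed work can be redone and the unfinished work undone from the log; the locking mechanism listed beside it is what makes the undo safe, because only one in-flight transaction may hold the old image of a key. The following toy key-value store shows both, as an added example written for this page and not taken from the slides or from any DBMS. The in-memory list stands in for stable storage, and `crash_before_apply` is a constructed hook for simulating a crash between the log write and the page write.

```python
import json


class WALStore:
    """Toy key-value store with physical (old/new image) write-ahead logging and row locks."""

    def __init__(self, log=None, pages=None):
        self.log = log if log is not None else []        # durable log records (JSON strings)
        self.pages = pages if pages is not None else {}  # data pages; may lag behind the log
        self._locks = {}                                 # key -> tx holding the write lock
        used = [json.loads(r)["tx"] for r in self.log]
        self._next_tx = max(used, default=0) + 1

    def _append(self, **record):
        self.log.append(json.dumps(record))  # stand-in for "write the record and fsync it"

    def begin(self):
        tx = self._next_tx
        self._next_tx += 1
        self._append(op="BEGIN", tx=tx)
        return tx

    def write(self, tx, key, value, crash_before_apply=False):
        # Locking: one in-flight writer per key, so the old image logged below really is the
        # pre-transaction value and restoring it on undo cannot clobber another transaction.
        holder = self._locks.setdefault(key, tx)
        if holder != tx:
            raise RuntimeError(f"{key} is locked by tx {holder}")
        # WAL rule: the log record (old and new image) is durable BEFORE the page is modified.
        self._append(op="UPDATE", tx=tx, key=key, old=self.pages.get(key), new=value)
        if crash_before_apply:
            raise RuntimeError("simulated crash: logged but page not written")
        self.pages[key] = value

    def commit(self, tx):
        self._append(op="COMMIT", tx=tx)  # the durability point for the transaction
        self._release(tx)

    def _release(self, tx):
        for key in [k for k, t in self._locks.items() if t == tx]:
            del self._locks[key]

    @classmethod
    def recover(cls, log, pages):
        """Rebuild a consistent store from the surviving log and pages: redo, then undo."""
        records = [json.loads(r) for r in log]
        committed = {r["tx"] for r in records if r["op"] == "COMMIT"}
        finished = committed | {r["tx"] for r in records if r["op"] == "ABORT"}
        losers = {r["tx"] for r in records if r["op"] == "BEGIN"} - finished
        pages = dict(pages)
        # Redo: a committed transaction's page write may have been lost; reapply its new image.
        for r in records:
            if r["op"] == "UPDATE" and r["tx"] in committed:
                pages[r["key"]] = r["new"]
        # Undo: an unfinished transaction's page write may have happened; restore the old image,
        # newest record first.
        for r in reversed(records):
            if r["op"] == "UPDATE" and r["tx"] in losers:
                if r["old"] is None:
                    pages.pop(r["key"], None)
                else:
                    pages[r["key"]] = r["old"]
        store = cls(log=list(log), pages=pages)
        # Log an ABORT for each undone transaction so a later recovery does not undo it again.
        for tx in sorted(losers):
            store._append(op="ABORT", tx=tx)
        return store
```

The ABORT records written at the end of recovery matter: without them a transaction undone after one crash would be undone a second time after the next crash, overwriting changes that a later committed transaction had legitimately made to the same key.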

Page 27

(3) Distributed Environment
(3) Distributed Data Processing

(1) Definition
- Computing power is distributed to different locations

(2) Implementation cases
- A large central computer plus small, local processors with local DBs performing local processing of data
- Each separate computer has its own data, and the data is shared between systems

(3) Advantages

(4) Disadvantages

(5) Issues
- Security, cost saving
- Data conversion cost
- Network failure

Page 28

(3) Distributed Environment
(4) Distributed Database Management

(1) Definition
- The management of geographically dispersed data by two or more DBMSs located on separate computers and using telecommunications for the exchange of commands, status messages, and data
- Transparency

(2) Implementation cases
- Bulk transmission
- Via a common, network-wide retrieval language

(3) Advantages
- Economy or quality
- Reliability
- Flexibility

(4) Disadvantages
- Loss of economy of scale
- Insufficient expertise
- Security threat

Page 29

(3) Distributed Environment
(5) Web Environment

[Figure: the Client sends a request to the Web Server and receives a response (HTML); the Web Server sits in front of the DB. Server-side technologies shown beside it: JSP (or ASP), XML, EJB, WAS]

Page 30

(3) Distributed Environment
(5) Risks & controls in a distributed environment

(1) A distributed environment can include…
- Agent: a term used to denote a user or an automated surrogate acting on behalf of a user
- Applets: small applications which are downloaded and executed by WWW browsers
- Object: a passive entity that contains or receives information

(2) Java & ActiveX
- Java security model: the "sandbox" for applet processing
  * sandbox: the Java security model in which applets can operate, creating a safe "sandbox" for applet processing
- ActiveX security model: a trust relationship (a digital signature, called Authenticode)

(3) Controls over Java & ActiveX
- Prevent downloading of applets
- Not on operational networks
- Firewall
- Only from trusted servers

Page 31

(4) Application Controls

[Figure: a matrix of the six application control types (Consistency controls, Continuity controls, Accuracy controls, Security controls, Completeness controls, Authorization controls) against the three control categories Preventive, Detective and Corrective, with an O marking each category that a control type belongs to]

Page 32

3. CBK introduction
(5) Sample questions

1. Which of the following concepts is used in the Java security model?
1) white box
2) black box
3) sandbox
4) grey box

2. What risks do Java applets carry?

3. C/S computing is a special case of which one of the following processing environments?
1) parallel processing
2) cooperative processing
3) centralized processing
4) decentralized processing

Page 33

Control

Reference
- COBIT
- Information Systems Control & Audit (Ron Weber, Prentice Hall)

Page 34: Application & Systems Development Security - IT Consultingshinsoojung.pe.kr/cert/CISSP4.pdf ·  · 2008-04-11Security 2001.9 신수정 Ph.D, CISSP, CISA, PMP ... Security Architecture

신수정신수정신수정신수정

(1) The Nature of control

Preventive controlEx) instructions are placed on a

source document to prevent clerks from filling it out incorrectly

Detective ControlEx) An input program identifies

incorrect data entered into system via a terminal

Corrective Control

Ex) A program uses special code that enable it to correct data corrupted because of noise on a communications line

A control is a system that prevents, detects, or corrects unlawful events. (COBIT: the policies, procedures, practices and organizational structures established to provide assurance that business objectives will be achieved and that undesired events will be prevented, detected or corrected.)

* System: comprises a set of interrelated components that function together to achieve some overall purpose. (A structure in which components (people, computers, communications, data, etc.) are organically interconnected and respond in a coordinated way to the internal and external environment in order to achieve a common goal.)

* Unlawful event: can arise if unauthorized, inaccurate, incomplete, redundant, ineffective or inefficient input enters the system.

- Reduce the probability of unlawful events occurring
- Reduce the amount of losses that arise if an unlawful event occurs


(1) The Nature of control

[Figure: Assets are subject to exposure from undesirable (unlawful) events - access, fraud, errors, mischief. Preventive, detective and corrective controls are placed between the events and the assets.]


(2) Control & Security Requirement

- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability of Information

- Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
- Efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.
- Confidentiality: concerns protection of sensitive information from unauthorized disclosure.
- Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with the business's set of values and expectations.
- Availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
- Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.
- Reliability of information: relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.


Application Control

Reference
- CISA Review Technical Information Manual
- BS7799


(1) Introduction

• Application Control: controls over the input, processing and output functions (ISACA)
- Is only complete, accurate and validated data entered into and modified in the computer system?
- Does processing perform the business task correctly?
- Do the processing results meet expectations?
- Is the data being maintained?

• Security in Application systems (BS7799)
- To prevent loss, modification or misuse of user data in application systems
- Appropriate controls & audit trails or activity logs should be designed into application systems
- These should include the validation of input data, internal processing and output data
- Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical organizational assets.


(2) Input control/ Input data validation

• Data input to application systems should be validated to ensure that it is correct & appropriate

• Checks should be applied to
- The input of business transactions
- Standing data (name, address, credit limit, customer reference number…)
- Parameter tables (sales prices, tax rate…)

• Controls
- Input check (out-of-range value check, invalid characters in data fields, missing or incomplete data, exceeding upper & lower data volume limits, unauthorized or inconsistent control data)
- Periodic review of the content of key fields or data fields to confirm their validity & integrity
- Inspecting hard copy input documents for any unauthorized changes to input data
- Procedures for responding to validation errors
- Defining the responsibilities of all personnel involved in the data input process
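The input checks listed above (out-of-range values, invalid characters, missing data, volume limits and inconsistent control data) as one validation routine over a constructed transaction batch. This is an added example, not code from the slides; the field rules, record layout and sample batch are assumptions made for illustration.

```python
"""Input data validation checks for a batch of business transactions.

Added example, not from the original slides. The record layout, field rules
and sample batch are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed field rules: name -> (required, allowed pattern, numeric range or None)
FIELD_RULES = {
    "customer_ref": (True, re.compile(r"^C[0-9]{6}$"), None),
    "amount": (True, re.compile(r"^[0-9]+(\.[0-9]{1,2})?$"), (0.01, 50_000.00)),
    "tax_rate": (True, re.compile(r"^[0-9]{1,2}(\.[0-9]+)?$"), (0.0, 25.0)),
    "memo": (False, re.compile(r"^[A-Za-z0-9 .,-]*$"), None),
}
# Batch volume limits: lower and upper record counts (constructed)
MIN_RECORDS, MAX_RECORDS = 1, 500


@dataclass
class ValidationResult:
    accepted: list = field(default_factory=list)   # records that passed every check
    rejected: dict = field(default_factory=dict)   # record index -> list of error strings
    batch_errors: list = field(default_factory=list)


def validate_record(rec: dict) -> list:
    """Return a list of error strings for one record (empty list = clean)."""
    errors = []
    for name, (required, pattern, value_range) in FIELD_RULES.items():
        value = rec.get(name)
        if value is None or value == "":
            if required:
                errors.append(f"{name}: missing or incomplete")
            continue
        # Invalid characters are rejected before any numeric conversion is attempted
        if not pattern.match(value):
            errors.append(f"{name}: invalid characters or format")
            continue
        if value_range is not None:
            low, high = value_range
            if not (low <= float(value) <= high):
                errors.append(f"{name}: out of range ({low}..{high})")
    return errors


def validate_batch(header: dict, records: list) -> ValidationResult:
    """Volume-limit and control-data checks on the whole batch, then per-record checks."""
    result = ValidationResult()
    count = len(records)
    if not (MIN_RECORDS <= count <= MAX_RECORDS):
        result.batch_errors.append(f"record count {count} outside {MIN_RECORDS}..{MAX_RECORDS}")
    # Control data carried in the batch header must agree with what was actually received
    if header.get("record_count") != count:
        result.batch_errors.append(
            f"header record_count {header.get('record_count')} inconsistent with {count} records")
    for idx, rec in enumerate(records):
        errs = validate_record(rec)
        if errs:
            result.rejected[idx] = errs
        else:
            result.accepted.append(rec)
    return result


# Constructed sample batch: one clean record and three faulty ones
SAMPLE_HEADER = {"batch_id": "B001", "record_count": 3}   # claims 3 records, but 4 follow
SAMPLE_RECORDS = [
    {"customer_ref": "C000123", "amount": "120.50", "tax_rate": "10", "memo": "ok"},
    {"customer_ref": "C00012X", "amount": "120.50", "tax_rate": "10"},           # bad characters
    {"customer_ref": "C000124", "amount": "99999.00", "tax_rate": "10"},         # out of range
    {"customer_ref": "C000125", "amount": "", "tax_rate": "10", "memo": "x;y"},  # missing + bad memo
]

if __name__ == "__main__":
    res = validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS)
    print("batch errors:", res.batch_errors)
    for idx, errs in res.rejected.items():
        print(f"record {idx} rejected:", errs)
    print("accepted:", len(res.accepted))
```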


(3) Processing control

• Data that has been correctly entered can be corrupted by processing errors or deliberate acts

• Considering
- The use and location in programs of add & delete functions to implement changes to data
- The procedures to prevent programs running in the wrong order or running after failure of prior processing
- The use of correct programs to recover from failures to ensure the correct processing of data

• Checks & controls
- Batch control
- Balancing control
- Validation of system-generated data
- Hash totals
- Checks to ensure that application programs are run at the correct time
- Checks to ensure that programs are run in the correct order and terminate in case of failure, and that further processing is halted until the problem is resolved.


(3) Processing control

• Batch totals
- To ensure accuracy in data entry and processing, control totals can be compared by the system with manually calculated and entered control totals using data fields such as quantities, dollars…

• Hash totals
- This is a technique for improving data accuracy, whereby totals are obtained on identifier (meaningless) data fields such as account no., employee no., …

• Run-to-run totals
- This is a processing control whereby output control totals resulting from one process or cycle are used as input control totals over subsequent processing. The control totals are used as a verification mechanism and link one process or cycle to another in a sequence.
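Batch totals, hash totals and run-to-run totals as described above, computed over a constructed vendor-payment batch that passes through two processing stages; the first stage silently drops a record with an unknown transaction code, and the run-to-run check localizes the loss. Added example, not code from the slides; the batch layout, the two stages and the sample data are assumptions.

```python
"""Batch totals, hash totals and run-to-run totals over a constructed payment batch.

Added example, not from the original slides; the batch layout, the two
processing stages and the sample data are constructed for illustration.
"""
from decimal import Decimal


def batch_total(records: list, amount_field: str = "amount") -> Decimal:
    """Financial control total: sum of a meaningful field (quantities, dollars...)."""
    return sum((Decimal(r[amount_field]) for r in records), Decimal("0"))


def hash_total(records: list, id_field: str = "account_no") -> int:
    """Hash total: sum of an identifier field that has no business meaning.
    Any dropped, duplicated or altered identifier changes the total."""
    return sum(int(r[id_field]) for r in records)


def check_batch(records: list, manual_amount: Decimal, manual_hash: int, manual_count: int) -> list:
    """Compare system-computed totals with the manually derived control totals
    entered with the batch. Returns a list of discrepancies (empty = balanced)."""
    problems = []
    if len(records) != manual_count:
        problems.append(f"record count {len(records)} != control count {manual_count}")
    if batch_total(records) != manual_amount:
        problems.append(f"amount total {batch_total(records)} != control total {manual_amount}")
    if hash_total(records) != manual_hash:
        problems.append(f"hash total {hash_total(records)} != control hash {manual_hash}")
    return problems


def stage1_edit(records: list) -> list:
    """Constructed first processing stage: an edit run that silently drops
    transactions with an unknown transaction code (the defect run-to-run
    totals are meant to catch)."""
    return [r for r in records if r["tx_code"] in ("PAY", "REF")]


def stage2_post(records: list) -> dict:
    """Constructed second stage: posts the edited records and reports its own totals."""
    return {"count": len(records), "amount": batch_total(records), "hash": hash_total(records)}


def run_to_run_check(stage1_out: list, stage2_totals: dict, input_totals: dict) -> list:
    """Run-to-run control: the output totals of one run become the input
    control totals of the next. Differences localize where records were lost."""
    problems = []
    s1 = {"count": len(stage1_out), "amount": batch_total(stage1_out), "hash": hash_total(stage1_out)}
    for key in ("count", "amount", "hash"):
        if s1[key] != input_totals[key]:
            problems.append(f"stage1 {key} {s1[key]} != input {input_totals[key]}")
        if stage2_totals[key] != s1[key]:
            problems.append(f"stage2 {key} {stage2_totals[key]} != stage1 {s1[key]}")
    return problems


# Constructed batch of four vendor payments; the third carries a mistyped tx_code
SAMPLE_BATCH = [
    {"account_no": "100234", "tx_code": "PAY", "amount": "250.00"},
    {"account_no": "100235", "tx_code": "PAY", "amount": "1000.00"},
    {"account_no": "100236", "tx_code": "PYA", "amount": "75.25"},
    {"account_no": "100237", "tx_code": "REF", "amount": "-25.00"},
]
# Manually derived control totals entered with the batch (constructed)
MANUAL_AMOUNT = Decimal("1300.25")
MANUAL_HASH = 100234 + 100235 + 100236 + 100237
MANUAL_COUNT = 4


def demo() -> dict:
    """Run the batch through both stages; returns the problems found at each control point."""
    input_problems = check_batch(SAMPLE_BATCH, MANUAL_AMOUNT, MANUAL_HASH, MANUAL_COUNT)
    input_totals = {"count": MANUAL_COUNT, "amount": MANUAL_AMOUNT, "hash": MANUAL_HASH}
    edited = stage1_edit(SAMPLE_BATCH)
    posted = stage2_post(edited)
    return {"input": input_problems, "run_to_run": run_to_run_check(edited, posted, input_totals)}


if __name__ == "__main__":
    for point, problems in demo().items():
        print(point, "->", problems or "balanced")
```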


(4) Message authentication

• Message authentication is a technique used to detect unauthorized changes to, or corruption of, the contents of a transmitted electronic message

• Message authentication should be considered for applications where there is a security requirement to protect the integrity of message content.


(5) Output control

• Data output from an application system should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances

• Output validation
- Plausibility checks
- Reconciliation control counts
- Providing sufficient information for a reader or subsequent processing system to determine the accuracy, completeness, precision and classification of the information
- Procedures for responding to output validation tests
- Defining the responsibilities of all personnel involved in the data output process


(6) Sample question

1. The purpose of input control is to ensure the
1) authorization of access to data files
2) authorization of access to program files
3) completeness, accuracy & validity of input

2. Under certain conditions, an update program ignores transactions with invalid transaction code types. A control which would detect the presence of such errors in processing is a
(check digit, hash total, limit test, reasonableness test)

3. As part of an accounts payable computer run in which checks to vendors are to be prepared, a manually derived figure of $1,111,111 is entered into the computer. The computer is programmed to display an error message if the total of checks prepared does not equal exactly this amount. The figure $1,111,111 in this context would be referred to as
(a parity check, check digits, hash total, control total)


Database Security

Reference

- DB Security course (G. Pernul)

- Information systems control & audit(Ron Weber, Prentice Hall)

- Oracle Security (Diby Malaka)


(1) DBMS
(1) Overview

DBMS Features
- Persistence
- Data sharing
- Recovery
- Database Language
- Security & Integrity


(1) DBMS
(2) Design Approach

[Figure: the DB design approach across the data life cycle (defining data, creating data, refining/restructuring data, retrieving data). External schemas 1, 2 and 3 give each individual user's view of the DB; the conceptual schema is the total logical view of the DB (view integration); the internal schema is the total storage structure of the DB; the stored DB holds the instances of the DB definition. The levels are linked by external/conceptual, conceptual/internal and internal/physical mappings; the labels DA and DBA mark the data administrator's and database administrator's areas of responsibility.]


(1) DBMS
(3) DA & DBA's role

Phase: DA responsibility / DBA responsibility
- Defining data: Data planning, determining user needs / Internal schema definition
- Creating data: Advising users on data collection / Preparing programs to create data
- Refining/restructuring data: Specifying new conceptual and external schema definitions; advising users / Specifying new internal schema definitions, altering the DB
- Retrieving data: Specifying retirement policies / Implementing retirement policies
- Making data available to users: Determining EU requirements for tools; testing and evaluating tools / Determining programmer requirements for tools; testing and evaluating tools
- Informing & servicing users: Answering EU queries; educating; establishing high-level policy / Answering programmer queries; educating; establishing low-level policy
- Maintaining DB integrity: Developing standards; assisting EU to formulate application controls / Implementing DB controls; assisting programmers to formulate application controls
- Monitoring operation: Monitoring EU patterns of DB use / Monitoring programmer patterns of DB use; performance and tuning


(1) DBMS

(4) Data Models - Relational

• Tables
– "Relation" (table or set of columns in a table)
– With "Attributes" (columns)
– Having "Permissible values"
– A specific attribute is the "Key" with unique values
– Occurring in "Instances" (rows)
– "Tuple" of a relation instance

• Views
– "Virtual" relations (tables)
– With selected "Attributes"
– Linked by key attributes


• Grant/Revoke privileges by table, column, key set
• Permissions by view combining specific tables, columns, key sets
– Conceptually dividing the database into pieces to allow sensitive data to be hidden from unauthorized users
– Authorizations for specific views having specific attributes, and for actions to perform within those views
– DAC, by specific grant to a user or group by the owner
– MAC, by classification level

• "Granularity" - fineness of control permissible in database controls - dependent upon the database and implementation (ex) table (larger), row (smaller) - increasing concurrency, higher overhead)

• Issues:
– Verifying access granted - DAC
– Verifying that view limitations function - MAC
– Preventing users from creating a copy (becoming "owner") and granting access to others
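The view-based division of a table described above, as an added example that is not part of the slides: a constructed employees table, a view that exposes only non-sensitive columns for one department, and a check that a restricted user can read through the view but not the base table. SQLite has no GRANT/REVOKE, so the grant of SELECT on the view alone is simulated with the connection's authorizer callback (assumption: the authorizer reports the view name as the source of reads made on its behalf).

```python
"""Hiding sensitive columns and rows behind a view, with base-table access denied.

Added example, not from the original slides. The employees table, the view and
the sample rows are constructed. sqlite3's set_authorizer stands in for the
GRANT step: the restricted user holds SELECT on the view only.
"""
import sqlite3

VIEW = "dept_roster"
BASE_TABLE = "employees"


def build_db() -> sqlite3.Connection:
    """Create the constructed base table and a view that exposes only the
    non-sensitive columns for one department (column + row restriction)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {BASE_TABLE} (
            emp_no  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept    TEXT NOT NULL,
            salary  INTEGER NOT NULL,   -- sensitive
            ssn     TEXT NOT NULL       -- sensitive
        );
        INSERT INTO {BASE_TABLE} VALUES
            (1, 'Kim',  'SALES', 52000, '000-00-0001'),
            (2, 'Lee',  'SALES', 61000, '000-00-0002'),
            (3, 'Park', 'R&D',   88000, '000-00-0003');
        CREATE VIEW {VIEW} AS
            SELECT emp_no, name FROM {BASE_TABLE} WHERE dept = 'SALES';
    """)
    return conn


def restricted_user_authorizer(action, arg1, arg2, dbname, source):
    """Simulated 'GRANT SELECT ON dept_roster' for a user with no rights on the
    base table: a read of employees is allowed only when SQLite reports the
    view as the source of the access; a direct read (source is None) is denied."""
    if action == sqlite3.SQLITE_READ and arg1 == BASE_TABLE and source != VIEW:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def run_as_restricted_user(conn: sqlite3.Connection, sql: str):
    """Execute sql under the view-only policy; return rows, or the error text."""
    conn.set_authorizer(restricted_user_authorizer)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:   # 'not authorized' and 'no such column'
        return f"error: {exc}"
    finally:
        conn.set_authorizer(None)


if __name__ == "__main__":
    db = build_db()
    print(run_as_restricted_user(db, f"SELECT * FROM {VIEW}"))                 # SALES rows, 2 columns
    print(run_as_restricted_user(db, f"SELECT name, salary FROM {BASE_TABLE}"))  # denied
    print(run_as_restricted_user(db, f"SELECT ssn FROM {VIEW}"))               # column not exposed
```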


(1) DBMS
(4) Data Models - Object-Oriented

• Objects
• Operations/State
• Messages
• Class
• Instance
• Inheritance
• Polymorphism
• Composite Objects


• "Subjects"
• "Objects"
• "Methods" of accessing them
• Controls using encapsulation, inheritance, information hiding
• "Granularity" - fineness of control permissible in database controls


(2) Framework of Data Security

(1) Secrecy
- Direct retrieval, logical inference
- Involves 'read' access by an unauthorized user
- Confidentiality, sensitivity, privacy…

(2) Integrity
- Includes the insertion of false data and the destruction of data
- Accuracy, authenticity…

(3) Availability
- Fault tolerance, recovery…


(3) Basic Security mechanism

Mechanism: where it is enforced
- Identification, authentication: OS, (DBMS)
- Authorization, access control: DBMS (security enforcement module)
- Integrity, consistency: DBMS (data model, transaction manager)
- Auditing: OS, (DBMS)


(4) DBMS Security

(1) Within the DBMS
- Access control methods (page, table, row, field locking)
- User access control
- Views
- Checkpoint/restart

(2) External to the DBMS
- Trusted front-end/trusted path
- Query engine
- Integrity checking

(3) DBMS attacks
- Inference attack (problem): occurs when a user is able to deduce information to which they do not have privilege from information to which they do have privilege
- Aggregation: occurs when a user's right to several pieces of information results in knowledge to which they do not have a right
- Database views
- Queries
- Bypass


(5) Security Policy

Models of security

A security model is an abstraction used to represent the security policy of an organization.

(1) Security object
- Passive entity that contains or receives information (database, relation, view, …)

(2) Security subject
- Active entity, often in the form of a person or process operating on behalf of a user. Security subjects are responsible for a change of database state and cause information to flow within different objects and subjects.


(5) Security Policy

Discretionary access control model

Policies are stated in terms of
- Security objects
- Security subjects
- Access privileges

(1) Basic primitives
- Users can protect the data they own
- The owner may grant access to users
- The owner may define the type of access given to others
- Granting and revoking of access permission is at the discretion of the users themselves

(2) Advantages
- A well-known technique
- Most common commercial DBMSs support it


(5) Security Policy

Discretionary access control model

Let O be a set of security objects, S a set of security subjects, T a set of access privileges, and, in order to represent content-based rules, P a set of predicates.

The tuple <o,s,t,p> is called an access rule, and a function f is defined to determine whether an authorization f(o,s,t,p) is valid or not:

f: O × S × T × P → {True, False}

For any <o,s,t,p>, if f(o,s,t,p) evaluates to True, subject s has authorization t to access object o within the range defined by predicate p.

The principle of delegation of rights: a right is the (o,t,p) portion of the access rule. A subject si who holds the right (o,t,p) may be allowed to delegate that right to another subject sj (i ≠ j).
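The access rule <o,s,t,p>, the authorization function f and the delegation of an (o,t,p) right, as an added example that is not part of the slides. The subjects, the owned relation, the content-based predicates and the rule that only a right held "with grant option" may be delegated are assumptions made for illustration.

```python
"""Access rules <o,s,t,p> with content-based predicates and delegation of rights.

Added example, not from the original slides; the subjects, objects, predicates
and the grant-option rule for delegation are constructed for illustration.
"""
from typing import Callable, Dict, Set, Tuple

Predicate = Callable[[dict], bool]    # content-based rule p, evaluated on one row of o
Right = Tuple[str, str, Predicate]    # the (o, t, p) portion of an access rule


class DACPolicy:
    def __init__(self, owners: Dict[str, str]):
        self.owners = owners                       # object -> owning subject
        self.rules: Dict[str, Set[Right]] = {}     # subject s -> held rights (o, t, p)
        self.delegable: Dict[str, Set[Right]] = {} # subject -> rights it may pass on

    def _add(self, s: str, right: Right, with_grant: bool) -> None:
        self.rules.setdefault(s, set()).add(right)
        if with_grant:
            self.delegable.setdefault(s, set()).add(right)

    def grant(self, owner: str, s: str, o: str, t: str, p: Predicate, with_grant=False) -> bool:
        """Basic primitive: only the owner of o defines the type of access given to s."""
        if self.owners.get(o) != owner:
            return False
        self._add(s, (o, t, p), with_grant)
        return True

    def delegate(self, si: str, sj: str, o: str, t: str, p: Predicate, with_grant=False) -> bool:
        """Delegation of rights: si may pass (o,t,p) to sj (i != j) only if si
        holds exactly that right and was allowed to delegate it."""
        right = (o, t, p)
        if si == sj or right not in self.delegable.get(si, set()):
            return False
        self._add(sj, right, with_grant)
        return True

    def f(self, o: str, s: str, t: str, row: dict) -> bool:
        """f(o,s,t,p) -> {True, False}: s holds privilege t on o for this row when
        some access rule <o,s,t,p> exists whose predicate p accepts the row."""
        return any(ro == o and rt == t and p(row) for (ro, rt, p) in self.rules.get(s, set()))


# Constructed predicates: unrestricted, and a content-based restriction to one department
def always(row: dict) -> bool:
    return True


def sales_only(row: dict) -> bool:
    return row.get("dept") == "SALES"


def demo() -> dict:
    """Owner alice grants a content-restricted read right; bob delegates it; carol cannot."""
    pol = DACPolicy(owners={"employees": "alice"})
    pol.grant("alice", "alice", "employees", "read", always, with_grant=True)
    r = {}
    r["owner_grants_bob"] = pol.grant("alice", "bob", "employees", "read", sales_only, with_grant=True)
    r["bob_delegates_carol"] = pol.delegate("bob", "carol", "employees", "read", sales_only)
    r["carol_delegates_dave"] = pol.delegate("carol", "dave", "employees", "read", sales_only)  # no grant option
    r["bob_delegates_write"] = pol.delegate("bob", "carol", "employees", "write", always)       # not held
    r["bob_delegates_self"] = pol.delegate("bob", "bob", "employees", "read", sales_only)       # i == j
    r["mallory_grants"] = pol.grant("mallory", "mallory", "employees", "read", always)          # not owner
    sales_row = {"emp_no": 1, "dept": "SALES"}
    rnd_row = {"emp_no": 3, "dept": "R&D"}
    r["carol_read_sales"] = pol.f("employees", "carol", "read", sales_row)  # True via delegated rule
    r["carol_read_rnd"] = pol.f("employees", "carol", "read", rnd_row)      # False: predicate p fails
    r["alice_read_rnd"] = pol.f("employees", "alice", "read", rnd_row)      # True: unrestricted
    r["dave_read_sales"] = pol.f("employees", "dave", "read", sales_row)    # False: no rule
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```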


(5) Security Policy

Military security model

Security objects and security subjects are assigned security labels.

Confidential < Classified < Secret < Top_Secret
Public < Company_confidential < High_Security

The security level of an object O is called its classification, class(O). A subject S must be cleared to access sensitive information, clear(S).

A subject can access an object if the clearance level of the subject is at least as high as the classification of the object:

clear(S) >= class(O)

Cf) MLS (multi-level security) policy: security policies preventing information from flowing downwards from a high security level to a low security level. A subject is allowed to read an object only if the subject's security level dominates the object's classification level. - Mandatory security policy


(5) Security Policy

Need-to-know principle

Each security object is associated with one or more projects, called compartments. A security subject is allowed to access an object if the subject has a need to know the content of the object.

Example:

Compartments: {medical data, financial data, private data}
Comp(O) = {medical data, financial data}

For S, access is granted if Comp(O) ⊆ NTK(S)

NTK(S1) = {medical data, financial data, private data}
NTK(S2) = {medical data}
NTK(S3) = {private data}


(5) Security Policy

Bell and LaPadula model

Objective of the model: trying to keep secrets

A security level contains two components, an entry of a hierarchical list of sensitivity levels and a member of a set of compartments.

(1) Simple Security Property
Successful read access: clear(S) >= class(O)

(2) *-property
Successful write access: class(O) >= clear(S)


(5) Security Policy

Biba model

Objective of the model: trying to keep the integrity

Biba defines integrity levels which are analogous to the sensitivity levels of BLP; objects with a high level of integrity should not be modified by subjects with a lower level of integrity.

(1) Simple Security Property
Subject S can modify object O if I(S) >= I(O)

(2) Integrity *-property
If subject S has read access to object O with integrity level I(O), S can have write access to object P only if I(O) >= I(P).
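The military labels, the need-to-know compartments, the Bell-LaPadula read and write properties and the Biba integrity rules from the preceding slides, combined into one label-dominance check. This is an added example, not code from the slides; the sensitivity ordering and compartment sets follow the slides, while the Biba integrity level names and the sample subjects and objects are constructed.

```python
"""Mandatory policies over security labels: hierarchical level + compartments
(Bell-LaPadula read/write rules with need-to-know) and Biba integrity levels.

Added example, not from the original slides; the sensitivity ordering and the
compartments follow the slides, the Biba level names and the subjects/objects
are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical sensitivity levels from the slide, lowest first
SENSITIVITY = ["Confidential", "Classified", "Secret", "Top_Secret"]
# Integrity levels for the Biba rules (constructed ordering, lowest first)
INTEGRITY = ["Untrusted", "User", "System"]


@dataclass(frozen=True)
class Label:
    level: str                                   # entry in the hierarchical list
    compartments: FrozenSet[str] = frozenset()   # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """Dominance: level at least as high AND compartments a superset.
        For a subject's clearance over an object's classification this is the
        combined clear(S) >= class(O) and Comp(O) ⊆ NTK(S) test."""
        return (SENSITIVITY.index(self.level) >= SENSITIVITY.index(other.level)
                and self.compartments >= other.compartments)


def blp_can_read(clear_s: Label, class_o: Label) -> bool:
    """Simple security property: read allowed if clear(S) dominates class(O)."""
    return clear_s.dominates(class_o)


def blp_can_write(clear_s: Label, class_o: Label) -> bool:
    """*-property: write allowed if class(O) dominates clear(S) (no write down)."""
    return class_o.dominates(clear_s)


def biba_can_modify(i_s: str, i_o: str) -> bool:
    """Slide's Biba modify rule: S can modify O if I(S) >= I(O)."""
    return INTEGRITY.index(i_s) >= INTEGRITY.index(i_o)


def biba_can_write_after_read(i_o: str, i_p: str) -> bool:
    """Integrity *-property: having read O, S may write P only if I(O) >= I(P)."""
    return INTEGRITY.index(i_o) >= INTEGRITY.index(i_p)


def demo() -> dict:
    """Object O from the need-to-know slide, classified Secret, against three subjects."""
    o = Label("Secret", frozenset({"medical data", "financial data"}))
    s1 = Label("Top_Secret", frozenset({"medical data", "financial data", "private data"}))
    s2 = Label("Top_Secret", frozenset({"medical data"}))                      # lacks need-to-know
    s3 = Label("Confidential", frozenset({"medical data", "financial data"}))  # level too low
    return {
        "s1_read": blp_can_read(s1, o),    # True: level and compartments both dominate
        "s2_read": blp_can_read(s2, o),    # False: missing 'financial data' compartment
        "s3_read": blp_can_read(s3, o),    # False: Confidential < Secret
        "s1_write": blp_can_write(s1, o),  # False: Top_Secret subject writing down to Secret
        "s3_write": blp_can_write(s3, o),  # True: writing up is permitted by the *-property
        "biba_system_modifies_user": biba_can_modify("System", "User"),               # True
        "biba_untrusted_modifies_system": biba_can_modify("Untrusted", "System"),     # False
        "biba_read_untrusted_write_system": biba_can_write_after_read("Untrusted", "System"),  # False
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```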


(6) Applying Security policies to Database Models

(1) Discretionary DB Security

(1) DAC – SQL based systems

(2) DB View
- Query simplicity
- Structural simplicity
- Security
- Performance
- Update restrictions

(3) Grant/Revoke


(6) Applying Security policies to Database Models

(1) Name-dependant restriction- Users either have access to a named data resource or they do not have access

to the resource

(2) Content-dependent restriction- Users are permitted or denied access to a data resource depending on its

contents

(3) Context-dependent restriction- Users are permitted or denied access to a data resource depending on the

context in which they are seeking access.

(4) History-dependent restriction- Users are permitted or denied access to a data resource depending on the time

series of access to and actions they have undertaken on data resources.

(1) Name-dependant restriction- Users either have access to a named data resource or they do not have access

to the resource

(2) Content-dependent restriction- Users are permitted or denied access to a data resource depending on its

contents

(3) Context-dependent restriction- Users are permitted or denied access to a data resource depending on the

context in which they are seeking access.

(4) History-dependent restriction- Users are permitted or denied access to a data resource depending on the time

series of access to and actions they have undertaken on data resources.

DAC Access control
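The four restriction types above, as an added Python example that is not code from the original slides: a content-dependent view in SQLite, parameterised through a one-row session table, plus name-, context- and history-dependent checks applied before the query runs. The tables, users, office hours and read cap are constructed for the example; the privilege dictionary stands in for a real DBMS catalog.

```python
import sqlite3

# Constructed sample data: a payroll table, two application users and a one-row
# "session" table that the view joins against, which is how a content-dependent
# view is parameterised by the connected user in plain SQL.
SCHEMA = """
CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
INSERT INTO employee VALUES (1, 'alice', 'sales', 5000), (2, 'bob', 'sales', 5200),
                            (3, 'carol', 'hr', 6100), (4, 'dave', 'hr', 5900);
CREATE TABLE app_user (name TEXT PRIMARY KEY, dept TEXT);
INSERT INTO app_user VALUES ('alice', 'sales'), ('carol', 'hr');
CREATE TABLE session (user_name TEXT);
-- Content-dependent restriction: a row is visible depending on its own dept
-- value relative to the department of the user named in the session table.
CREATE VIEW dept_salary AS
    SELECT e.name, e.dept, e.salary
    FROM employee e
    JOIN app_user u ON u.dept = e.dept
    JOIN session  s ON s.user_name = u.name;
"""

# Name-dependent restriction: a user either holds a privilege on the named
# object or does not (this dict stands in for the DBMS privilege catalog).
PRIVILEGES = {"alice": {"dept_salary"}, "carol": {"dept_salary"}, "mallory": set()}

OFFICE_HOURS = range(9, 18)   # context-dependent: payroll readable 09:00-17:59 only
MAX_READS = 3                 # history-dependent: reads allowed per user per session


class PolicyError(PermissionError):
    pass


class DacSession:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self.reads = {}

    def query(self, user, view, hour):
        if view not in PRIVILEGES.get(user, set()):
            raise PolicyError(f"name-dependent: {user} holds no privilege on {view}")
        if hour not in OFFICE_HOURS:
            raise PolicyError(f"context-dependent: {view} is not available at {hour}:00")
        if self.reads.get(user, 0) >= MAX_READS:
            raise PolicyError(f"history-dependent: {user} exceeded {MAX_READS} reads")
        self.reads[user] = self.reads.get(user, 0) + 1
        # Bind the session row so the view filters on this user's department.
        self.db.execute("DELETE FROM session")
        self.db.execute("INSERT INTO session VALUES (?)", (user,))
        # `view` was validated against the privilege catalog above, never taken raw.
        return self.db.execute(f"SELECT name, salary FROM {view} ORDER BY name").fetchall()

    def try_query(self, user, view, hour):
        """(rows, None) on success, (None, kind-of-restriction) when denied."""
        try:
            return self.query(user, view, hour), None
        except PolicyError as err:
            return None, str(err).split(":")[0]
```

The view never mentions a user name: the same SELECT returns different rows for alice and carol because the session row changes, which is the property that makes a view a security mechanism rather than a convenience.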

View: example slides (figures only; not recoverable in text).

Grant/Revoke: example slides (figures only; not recoverable in text).

Propagation problem! A privilege granted WITH GRANT OPTION can be passed on by the grantee to further users without the original grantor's knowledge, so the owner can no longer tell who holds the privilege, and revoking it from one user must cascade through every grant that depended on it.
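The propagation problem, as an added Python model that is not material from the original slides and not any DBMS's implementation: a grant graph in which a grantee holding WITH GRANT OPTION passes the privilege on without the owner being consulted, and one REVOKE cascades through every dependent grant. The user, object and privilege names are constructed for the example.

```python
from collections import defaultdict


class GrantGraph:
    """Model of SQL GRANT ... WITH GRANT OPTION and cascading REVOKE for one object.

    Every grant is an edge grantor -> grantee for one privilege; the owner is the
    root. A grant is valid only while its grantor still holds the grant option
    through a chain that leads back to the owner (the SQL standard's rule).
    """

    def __init__(self, owner, obj):
        self.owner = owner
        self.obj = obj
        # grants[priv] -> list of (grantor, grantee, with_grant_option)
        self.grants = defaultdict(list)

    def _grant_option_holders(self, priv):
        """Users reachable from the owner through WITH GRANT OPTION edges."""
        reach, frontier = {self.owner}, [self.owner]
        while frontier:
            user = frontier.pop()
            for grantor, grantee, wgo in self.grants[priv]:
                if grantor == user and wgo and grantee not in reach:
                    reach.add(grantee)
                    frontier.append(grantee)
        return reach

    def holds(self, user, priv):
        """True if the user currently has the privilege (the owner always does)."""
        if user == self.owner:
            return True
        valid_grantors = self._grant_option_holders(priv)
        return any(grantee == user and grantor in valid_grantors
                   for grantor, grantee, _ in self.grants[priv])

    def can_grant(self, user, priv):
        return user in self._grant_option_holders(priv)

    def grant(self, grantor, grantee, priv, with_grant_option=False):
        # A grantor may only pass on a privilege it holds WITH GRANT OPTION.
        if not self.can_grant(grantor, priv):
            raise PermissionError(f"{grantor} cannot grant {priv} on {self.obj}")
        self.grants[priv].append((grantor, grantee, with_grant_option))

    def revoke(self, grantor, grantee, priv):
        """REVOKE ... CASCADE: drop this grant, then every grant left dangling."""
        self.grants[priv] = [g for g in self.grants[priv] if g[:2] != (grantor, grantee)]
        valid = self._grant_option_holders(priv)
        self.grants[priv] = [g for g in self.grants[priv] if g[0] in valid]

    def holders(self, priv):
        users = {grantee for _, grantee, _ in self.grants[priv]} | {self.owner}
        return sorted(u for u in users if self.holds(u, priv))


def propagation_demo():
    """Constructed scenario: the owner grants once, yet three users end up with SELECT."""
    g = GrantGraph(owner="dba", obj="payroll")
    g.grant("dba", "alice", "SELECT", with_grant_option=True)
    g.grant("alice", "bob", "SELECT", with_grant_option=True)   # dba is not consulted
    g.grant("bob", "carol", "SELECT")                           # nor here
    before = g.holders("SELECT")
    g.revoke("dba", "alice", "SELECT")   # one revoke cascades alice -> bob -> carol
    after = g.holders("SELECT")
    return before, after
```

Validity is computed as reachability from the owner rather than edge by edge, so two non-owners who grant to each other cannot keep a privilege alive after the chain back to the owner is cut.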

DAC Limitation

(1) Users (object owners) enforce the security policy, not the system
(2) Many views cannot be updated; for different read and write restrictions two views are necessary
(3) Limitations due to grant & revoke (propagation, cascading revoke)
(4) Trojan horse attack: a program run by an authorized user can copy data into an object the attacker can read, because DAC checks only the identity of the invoking user
(5) Copy problem: once a user has read data, DAC places no control on where the copy goes

(2) Mandatory access controls

(1) MAC: resources are assigned a classification and users a clearance level. The rule by which a user accesses a resource follows a policy such as the BLP or Biba model.

(2) Application to DBs: MLS relational DB. Classification levels can be assigned to specific data items/attributes in a record/relation and to records/relations as a whole. The value of the classification level is then compared against the user's clearance level to determine whether the data item/attributes or records/relations will be made available to the user.

- Way to implement views (1): filter the data in a record/relation tuple or instance and use conditional rules to decide which data is available to the user -> single tuple
- Way to implement views (2): generate multiple tuples, one per clearance level, each satisfying the security and integrity rules (polyinstantiation)

MAC: example slides (figures only; not recoverable in text).

Polyinstantiation is necessary!

- If the DBMS must not inform a lower-cleared user who tries to insert data that the data already exists in the system (rejecting the insert with a key violation would reveal the existence of the higher-classified tuple)
- If a higher-cleared user wishes to change lower-classified data (write-equal rules forbid writing down, so a second tuple at the higher label is created instead)
- To avoid covert signalling channels

MLS (Multilevel Secure) relational DBMS
- MLS relational data model: supports polyinstantiation at the database, relation, tuple and attribute levels
- Extended relational data model: polyinstantiation at the tuple level

MAC Limitation

(1) BLP requires labeled objects and subjects at the initial design phase
(2) A static security model has only limited relevance in DBMSs
(3) Very complex (integrity, n-person rules, ...)
(4) Performance

Labels

(1) Classification: hierarchical levels that denote the sensitivity of the information they label
(2) Categories: non-hierarchical delineations or compartments within each classification. Categories only provide a finer level of granularity within a classification
(3) Label notation: classification:category, category, ...
(4) Relationships between labels: dominance. A user's ability to access an object is based on whether his label dominates the label of the object. One label dominates another if its classification is greater than or equal to that of the other label and its categories are a superset of the other's categories.

Ex) Secret:alpha dominates Unclassified:alpha (higher classification, same category). Secret:alpha does not dominate Secret:beta, and Secret:beta does not dominate Secret:alpha either: the category sets are not comparable.

(1) Clearance: the range of labels for which a user is authorized to read and/or write information. A user can only access objects within his clearance.
Ex) A user's clearance: Unclassified through Secret:Alpha

(2) DAC policy: a user must also be granted the appropriate privilege to access an object

(3) MAC policy: a user's label must meet certain criteria for the user to access an object
- To perform a read (SELECT) operation, the user's label must dominate that of the object
- To perform a write (INSERT, UPDATE or DELETE) operation, the user's label must match that of the object. (While BLP allows writing to objects at higher labels, most implementations do not support write-up unless the user has a specific privilege allowing it.)
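Label dominance and the read/write rules above, together with the polyinstantiation case described earlier (a lower-cleared insert colliding with a tuple it cannot see), as one added Python example that is not part of the original slides. The classification order, the ship relation and the labels are constructed for the example, and the write rule implemented is the write-equal rule stated above, not BLP's write-up.

```python
from dataclasses import dataclass

# Hierarchical classifications, lowest to highest (constructed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset = frozenset()

    @classmethod
    def parse(cls, text):
        """'Secret:alpha,beta' -> Label('SECRET', {'alpha', 'beta'})."""
        level, _, cats = text.partition(":")
        level = level.strip().upper()
        if level not in LEVELS:
            raise ValueError(f"unknown classification {level!r}")
        return cls(level, frozenset(c.strip() for c in cats.split(",") if c.strip()))

    def dominates(self, other):
        """Classification >= the other's and category set a superset of the other's."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)

    def __str__(self):
        cats = ",".join(sorted(self.categories))
        return self.classification + (":" + cats if cats else "")


def can_read(subject, obj):
    return subject.dominates(obj)     # read: the subject's label must dominate


def can_write(subject, obj):
    return subject == obj             # write: labels must match (no write-up, no write-down)


class MlsRelation:
    """Tuple-level labelled relation with polyinstantiation on the primary key."""

    def __init__(self):
        self.rows = {}   # (key, Label) -> dict of attribute values

    def insert(self, subject, key, **values):
        # The new tuple is written at the subject's own label (write-equal).
        if (key, subject) in self.rows:
            raise KeyError(f"{key} already exists at {subject}")
        # If the key exists only at a label the subject cannot see, we must not
        # refuse: a key violation would signal the hidden tuple. Polyinstantiate.
        self.rows[(key, subject)] = dict(values)

    def update(self, subject, key, **values):
        target = (key, subject)
        if target not in self.rows:
            # A tuple may exist at another label, but write-equal forbids touching it.
            raise KeyError(f"no tuple for {key} at {subject}")
        self.rows[target].update(values)

    def select(self, subject):
        """(key, label, values) for every tuple whose label the subject dominates."""
        return sorted((key, str(label), vals) for (key, label), vals in self.rows.items()
                      if can_read(subject, label))


def polyinstantiation_demo():
    """Constructed scenario: SECRET inserts a ship, then UNCLASSIFIED inserts the same key."""
    secret = Label.parse("Secret:alpha")
    unclassified = Label.parse("Unclassified")
    ships = MlsRelation()
    ships.insert(secret, "Enterprise", mission="spying")
    ships.insert(unclassified, "Enterprise", mission="training")   # accepted, not refused
    return ships.select(unclassified), ships.select(secret)
```

The low-cleared user sees one Enterprise row and learns nothing; the Secret:alpha user sees both instances and must reconcile them, which is the price of closing the channel.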

(1) Covert channels and information flows: paths that a user at a higher label can use to communicate information to a user at a lower label in violation of the MAC policy
- When the MAC policy is strictly enforced the DBMS does not expose such channels through its operations. Under a more relaxed MAC policy (for example, reporting a key conflict with an invisible higher-level row instead of polyinstantiating), certain operations within the DB can expose these channels.


(7) Integrity controls

(1) E-R model integrity constraints
- Uniqueness: each instance of an entity must be unique
- Maximum cardinality / minimum cardinality: the maximum and minimum number of instances of an entity that may take part in a relationship
- Entity identifier: designates the attribute whose value uniquely identifies each instance of the entity
- Value type of identifier: specifies the allowed value type of the attributes
- Value set of identifier: specifies the allowed value set of the attributes

(2) Relational data model integrity constraints
- Key: a candidate key must uniquely identify each tuple of the relation
- Entity: a primary key must not have a null value
- Referential: consistency must be maintained between tuples across relations (a foreign key value must match an existing primary key value in the referenced relation, or be null)
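The relational constraints above, as an added example in Python with SQLite that is not from the original slides: each constraint becomes one DDL clause, and try_exec reports which kind a statement violates. The schema and rows are constructed; the NOT NULL and PRAGMA remarks are SQLite-specific caveats a practitioner should know.

```python
import sqlite3

# Constructed schema: each constraint named in the text maps to one DDL clause.
SCHEMA = """
CREATE TABLE department (
    dept_id TEXT PRIMARY KEY NOT NULL,      -- entity integrity: the key may not be NULL
    name    TEXT NOT NULL UNIQUE            -- a second candidate key
);
CREATE TABLE employee (
    emp_id  TEXT PRIMARY KEY NOT NULL,      -- primary key (entity integrity)
    email   TEXT NOT NULL UNIQUE,           -- candidate key (uniqueness)
    dept_id TEXT NOT NULL
            REFERENCES department(dept_id) ON DELETE RESTRICT,   -- referential integrity
    grade   TEXT NOT NULL CHECK (grade IN ('A', 'B', 'C')),       -- value set of an attribute
    salary  INTEGER NOT NULL
            CHECK (typeof(salary) = 'integer' AND salary > 0)     -- value type and range
);
INSERT INTO department VALUES ('D1', 'sales'), ('D2', 'hr');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only while this pragma is on, and (unlike most
    # DBMSs) allows NULL in a non-INTEGER PRIMARY KEY unless NOT NULL is spelled out.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def try_exec(conn, sql, params=()):
    """Execute one statement; return None on success, else the kind of constraint violated."""
    try:
        conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as err:
        msg = str(err)
        if "FOREIGN KEY" in msg:
            return "referential"
        if "NOT NULL" in msg:
            return "entity"
        if "UNIQUE" in msg:
            return "key"
        if "CHECK" in msg:
            return "domain"
        return "other"


INSERT_EMP = "INSERT INTO employee VALUES (?, ?, ?, ?, ?)"


def integrity_demo():
    """One valid insert, then one violation of each constraint; returns the outcomes."""
    conn = open_db()
    return {
        "valid":       try_exec(conn, INSERT_EMP, ("E1", "e1@example.test", "D1", "A", 5000)),
        "dup_key":     try_exec(conn, INSERT_EMP, ("E1", "other@example.test", "D1", "A", 5000)),
        "null_key":    try_exec(conn, INSERT_EMP, (None, "e2@example.test", "D1", "A", 5000)),
        "bad_dept":    try_exec(conn, INSERT_EMP, ("E3", "e3@example.test", "D9", "A", 5000)),
        "bad_grade":   try_exec(conn, INSERT_EMP, ("E4", "e4@example.test", "D1", "Z", 5000)),
        "bad_salary":  try_exec(conn, INSERT_EMP, ("E5", "e5@example.test", "D1", "A", -1)),
        "orphan_dept": try_exec(conn, "DELETE FROM department WHERE dept_id = 'D1'"),
    }
```

Declaring the constraints in the schema means the DBMS rejects the bad rows no matter which application or ODBC client sends them, which is the point of putting integrity controls in the database rather than only in application code.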


(8) Concurrency controls

(1) Nature of the shared data resource problem: an integrity problem (the lost update). Solution: lock one process out of a data resource while it is being used by another process -> this introduces the deadlock problem (two processes each wait for the other to release the data it needs)
(2) The problem of deadlock
(3) Solutions to deadlock (detect the cycle and roll back a victim, time out, or prevent it)
(4) Preventing deadlock (two-phase locking): a transaction acquires and locks all the data items it needs to propagate its effect, and the data items are not released until all updates to them are complete
- Growing phase: the transaction acquires locks without releasing any
- Shrinking phase: once the transaction releases a lock it releases all its locks and acquires no more

[Figure: deadlock between Process P and Process Q: at time t each holds one of Data source 1 / Data source 2, and at time t+1 each waits for the other. Lost-update example: Salesperson 1 and Salesperson 2 both read PART A (100) and PART B (150) at time t and write back 80, 50 and 90 at time t+1, so one of the updates is lost]
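The lost update, the deadlock in the figure and strict two-phase locking, as an added Python simulation that is not from the original slides and not any DBMS's lock manager: exclusive locks only, with a wait-for-graph check that raises when a request would close a cycle. The transactions, items and quantities are constructed for the example.

```python
from collections import defaultdict


class DeadlockError(Exception):
    pass


class LockManager:
    """Exclusive locks under strict two-phase locking, with wait-for-graph deadlock detection.

    Illustration only; real DBMSs add shared locks, lock escalation and timeouts.
    """

    def __init__(self):
        self.owner = {}                 # item -> transaction holding it
        self.held = defaultdict(set)    # transaction -> items it holds
        self.waits_for = {}             # blocked transaction -> transaction it waits on
        self.shrinking = set()          # transactions that have started releasing

    def lock(self, txn, item):
        """Return True if acquired, False if the caller must wait; raise on deadlock."""
        if txn in self.shrinking:
            raise RuntimeError(f"{txn} is in its shrinking phase; 2PL forbids new locks")
        holder = self.owner.get(item)
        if holder is None or holder == txn:
            self.owner[item] = txn
            self.held[txn].add(item)
            self.waits_for.pop(txn, None)
            return True
        # Growing phase, blocked: record the edge txn -> holder and look for a cycle.
        self.waits_for[txn] = holder
        if self._on_cycle(txn):
            self.waits_for.pop(txn)     # the victim withdraws its request
            raise DeadlockError(f"{txn} waiting for {item} held by {holder} closes a cycle")
        return False

    def _on_cycle(self, start):
        seen, cur = set(), start
        while cur in self.waits_for:
            cur = self.waits_for[cur]
            if cur == start:
                return True
            if cur in seen:
                return False
            seen.add(cur)
        return False

    def release_all(self, txn):
        """Shrinking phase: once a transaction releases, it releases every lock it holds."""
        self.shrinking.add(txn)
        for item in self.held.pop(txn, set()):
            del self.owner[item]


def deadlock_scenario():
    """P and Q each hold one data source and then request the other's (the slide's figure)."""
    lm = LockManager()
    steps = [lm.lock("P", "DS1"), lm.lock("Q", "DS2"), lm.lock("P", "DS2")]  # True, True, False
    try:
        lm.lock("Q", "DS1")
        steps.append("acquired")
    except DeadlockError:
        steps.append("deadlock")
    return steps


def lost_update_scenario():
    """Two salespersons take 20 and 10 off PART A (stock 100), without and with locks."""
    stock = {"PART A": 100}
    # Unprotected interleaving: both read 100, so the second write overwrites the first.
    s1_read = stock["PART A"]
    s2_read = stock["PART A"]
    stock["PART A"] = s1_read - 20      # 80
    stock["PART A"] = s2_read - 10      # 90: the -20 is lost
    unlocked = stock["PART A"]

    stock = {"PART A": 100}
    lm = LockManager()
    lm.lock("S1", "PART A")             # granted
    lm.lock("S2", "PART A")             # False: S2 waits for S1
    stock["PART A"] -= 20
    lm.release_all("S1")
    lm.lock("S2", "PART A")             # now granted; S2 reads the updated value
    stock["PART A"] -= 10
    lm.release_all("S2")
    return unlocked, stock["PART A"]
```

Detection rather than timeout is used here so the example shows exactly which request closes the cycle; a production lock manager picks the victim by cost and rolls its transaction back.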


(9) DB Security Administration

(1) Guard your backup and development environments (backups and development copies hold the same data as production)
(2) Know your default user and application accounts (change or lock their default passwords)
(3) Control the distribution of database names and locations
(4) Use auditing effectively
(5) Make password changes mandatory yet simple
(6) Isolate your production database

(By Kevin Loney)

Data Security

(1) Data security policy: which users have access to a specific schema object; the specific types of actions a user can perform on the object; the level of data security depends on the sensitivity of the data stored in the DB
(2) Make sure only authorized users can perform modifications, deletions or additions on sensitive tables
(3) Audit procedures, e.g., audit inserts, updates and deletes on the tables that store salary codes and amounts in a payroll application

User Security

(1) User security policy: security for different classes of users
(2) Password encryption: encrypted passwords for both client/server and server/server connections
(3) Role: a named set of privileges granted to a specific group of users

Administrator security

(1) DBA or security administrator tasks: creating and maintaining objects; tuning DB performance; creating new users and roles and assigning privileges; performing backups, startups and shutdowns; recovering the database in emergency situations; learning and experimenting with DB capabilities (for inexperienced DBAs, on a non-production instance)
(2) Classifying privileges: system privileges, object privileges

Application developer security

Restrict application development access to test environments only:
(1) Developers should not have the privileges to create new schema objects in the live production DB
(2) The DBA should be responsible for creating all the required tables, indexes, procedures and packages on the production DB
(3) Specify resource limits for all application developers

Application administrator security

(1) Performing application maintenance tasks
(2) Creating and altering tables, indexes, views and other schema objects: Yes
(3) Creating tablespaces and rollback segments, DB startup and shutdown: No

Password management

(1) Locking accounts after failed logins: failed_login_attempts
(2) Aging and expiring passwords, and limiting reuse: password_reuse_time
(3) Tracking password history
(4) Verifying complexity

System auditing

(1) Auditing is the process of tracking the important events in the database, as defined by the DBA as part of the auditing strategy
(2) Purpose: detection, gathering historical data
(3) Cost: performance overhead, so audit selectively

(10) Miscellaneous

ODBC Security

(1) Often the username and password for the database are stored in plain text (for example in a DSN or configuration file)
(2) The actual call and the returned data are sent as clear text over the network unless the driver or transport encrypts them
(3) The access level of the user using the ODBC application must be verified by the DBMS, not only by the application
(4) Calling applications must be checked to ensure they do not attempt to combine data from multiple data sources (aggregation of data)
(5) Calling applications must be checked to ensure they do not attempt to exploit the elevated system access of the ODBC driver

Cf.) Open Database Connectivity (ODBC) is a widely accepted application programming interface (API) for database access. ODBC is designed for maximum interoperability, that is, the ability of a single application to access different database management systems (DBMSs) with the same source code. Database applications call functions in the ODBC interface, which are implemented in database-specific modules called drivers.

(11) Sample questions

(1) Which of the following has the objective to control and manage data from a central location? (database, data dictionary (DD), data storage)

(2) Which one of the following models does NOT include data integrity? (Biba, BLP, ...)

(3) The purpose of polyinstantiation is to prevent? (low-level users from inferring the existence of data at higher levels in the database)

(4) Which of the following controls is most effective in the restriction of views in a database? (preventive, corrective, detective)

(6) A user can READ only the salaries of employees in his own department, not those of other departments. Which DB security policy is this? (context-dependent, content-dependent, ownership-based)

(7) When a database error has been detected requiring backing out of a process, a mechanism that permits restarting the process at designated places in the process is called a? (restarter, reboot, checkpoint, journal)

(8) What is the definition of granularity as it applies to computer security?


Data-warehouse

Reference

- DW Concept

- Data Security(Chris Silbernagel)

(1) Definition of DW

Data Warehouse
- A read-only analytical database used as the basis of decision support systems
- A repository of data that aims at the time-series accumulation and integration of data to support efficient decision making from the strategic viewpoint of the whole enterprise

Data Warehousing
- The whole process from collecting and processing data to using the information derived from it

OLAP (OnLine Analytic Processing)
- The process of extracting information through multidimensional analysis of data
- Still a hypothesis-confirming style of querying, like conventional SQL

Definition of DW: an integrated system that takes
- several years of data (historical),
- internal data generated by the enterprise's operational systems (internal data) and
- external data (external data),
- integrates it by subject (subject-oriented),
- and lets users analyze it immediately (on-line), from many angles (multi-dimensional analysis), without separate programming (end-user computing)
- Time-variant, non-volatile

Advantages of DW
- Can be built quickly
- Both standardized and ad hoc reports can be produced without programming
- Can respond quickly to user requirements
- Can be built at low cost

[Figure: DW architecture. Existing operational systems (production, accounting, HR) and external data -> data acquisition -> EDW (enterprise-wide integrated data) -> data distribution -> data marts (DM) -> application environment (DSS, EIS, CRM, Explore)]

- Data acquisition: extracting data from operational systems or external sources, passing it through validation, transformation, processing and aggregation, and transmitting it to the EDW database; called ETT (Extraction, Transformation, Transportation)
- Users will trust and use the information only if there is a mechanism that always guarantees data consistency after acquisition

(2) Data warehouse

- The purpose of a DW is information retrieval and data analysis
- Data warehousing is the process of extracting and transforming operational data into informational data and loading it into a central data store or "warehouse"
- Once loaded, users can access the warehouse through query and analysis tools
- Data integrity and security issues apply to warehouses just as they do to databases
- DB vs. DW: a database contains raw data, a DW contains massaged (cleaned and integrated) data; users query many points with heterogeneous databases, but only a single point with a DW

(3) DW Security

(1) Understand and accept the purpose of your warehouse: analytical (few users), standardized reporting (many users), data homogenization/consolidation
(2) Application-level vs. database-level security: security table, security vs. value, performance, usefulness
(3) Four types of data security: individual, group, hierarchical, conglomeration
(4) Security plan: the design of the security plan must be completed before you finalize the design of the DW; maintaining security in a DW is difficult

(By Chris Silbernagel)

Data-Mining

Reference: from presentation material by Prof. 장남식

(1) Data Mining

Conventional query approach, centred on confirming a hypothesis
[Figure: hypothesis -> query tool / visualization tool / OLAP tool -> data. Example query: "Show the average monthly income and air-conditioner ownership of the people living in area A."]

Data-mining approach, centred on discovering a hypothesis
[Figure: data -> data mining -> information -> hypothesis -> verification. Example request: "Show the characteristics of the customers who bought product A." Discovered rules: "men in their 40s with an income of 2 million won or more, living in area R"; "income of 2 million won or more, working in occupation C".]

Depth of information by analysis method
- Basic information: obtainable with SQL
- Multidimensional information: obtainable with OLAP
- Hidden information: obtainable with data mining
(Data Mining, Pieter Adriaans & Dolf Zantinge, 1998)

(2) Types of information and techniques

Information types
- Association rules: dependency relations between items present in the data
- Sequence rules: a kind of association rule; dependency relations between items that include the flow of time
- Classification rules: the characteristics of records that distinguish the classes from one another
- Clustering: dividing the data into a few subgroups with similar characteristics

Main techniques
- Traditional statistics
- Decision trees
- Neural networks
- Co-occurrence matrix
- K-means clustering


(3) Data Mining

• Data mining
 – Analyzing databases for trends and anomalies with automated tools, without prior knowledge of the data
 – The process of posing a series of queries to extract information from the databases
 – Data mining techniques can also be used for intrusion detection, fraud detection, and auditing the databases
 – The inference problem arises through data mining tools: combining individually non-sensitive query results can reveal sensitive information
 – Data mining is a user tool to select information from a data warehouse (DW)
 – Data mining is an auditing tool to detect fraud, intrusions, and security problems in a DW


(4) Security Issue

• Data mining
 – Data mining techniques can also be used for intrusion detection, fraud detection, and auditing the databases
 – The inference problem arises through data mining tools
 – Data mining is an auditing tool to detect fraud, intrusions, and security problems in a DW


Artificial Intelligence

Reference: from presentation material by Prof. 장남식


(1) Knowledge-Based Systems

• Knowledge-based system
 – A system that queries a collection of knowledge expressed in a formal knowledge representation language
• Artificial neural network
 – Simple processors networked over unidirectional communication channels, each operating on local data and on input received from its connections
 – Able to learn from examples and to generalize
• Fuzzy logic
• Expert systems


(2) Expert System

• Expert system
 – 1950s: attempts to build a general-purpose problem solver failed; focus moved to solving problems in a specific domain
 – Aim: to replicate and accumulate an expert's unstructured knowledge
 – DENDRAL (molecular analysis from spectra), MACSYMA (mathematical problem solving), MYCIN (disease diagnosis), PROSPECTOR (geological exploration)
 – A knowledge engineer elicits the expert's knowledge
 – IF-THEN rules
 – Semantic frames and semantic nets
 – Easy development using an expert system shell (ES shell)


(2) Expert System (components)

• Knowledge base
 – The set of facts and rules (facts: what is known about the domain; rules: logical inference)
• Inference engine
 – The brain of the expert system
 – Provides the methodology for deriving and forming conclusions
• Blackboard
 – Temporary working memory
• User interface
 – Dialogue management module
• Explanation facility / justifier
 – Explains the basis of an inference

Figure (architecture). Consultation environment: user → user interface → inference engine and explanation facility → recommended action; the facts about the specific case are held on the blackboard (working memory). Development environment: expert's knowledge → knowledge engineer → knowledge refinement → knowledge base.


(3) Neural Network

• Artificial neural nets
 – A model that imitates biological neurons and nervous systems
 – Machine learning through repeated trial and error
 – Products: Brainmaker, Neuralframe, DataEngine
 – A network of many very simple processors (units), each with a small amount of local memory
 – Units are connected by unidirectional communication channels
 – Units operate only on local data and on inputs received via their connections
 – A training rule enables learning from examples and the ability to generalize

Figure: inputs separated by a learned decision boundary.


(4) Fuzzy logic

• Fuzzy logic
 – Introduced by Prof. Zadeh (USA) in 1965
 – Handles imprecision and vagueness
• A classification theory for concepts that lie on a continuum rather than behind discrete boundaries
• Uses membership functions: a degree of membership μ in [0, 1] (despite the figure's axis label, this degree is not a probability)
• Uses linguistic variables

Figure: left, crisp membership of age (μ jumps between 0 and 1 at the boundaries 20 and 40); right, fuzzy membership μ over age with overlapping sets "young", "middle-aged" and "old" (breakpoints near 37, 50, 65, 67, 70 and 80).
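The slide's right-hand figure, as an added worked example (not code from the original slides): trapezoidal membership functions for the linguistic variable "age", the crisp classification for contrast, Zadeh's min/max connectives, and one fuzzy rule applied to a constructed security input. The breakpoints, the crisp boundaries at 40 and 65, and the "many failed logins" ramp are assumptions chosen to resemble the figure, not values from the slides.

```python
"""Fuzzy membership for the linguistic variable "age", as on the slide.

Added example, not from the original slides. The trapezoid breakpoints are
assumptions chosen to resemble the slide's figure (young / middle-aged / old).
"""


def trapezoid(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal membership: 0 up to a, rising to 1 at b, flat to c, falling to 0 at d."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


# Assumed membership functions. Each returns a degree of truth in [0, 1],
# not a probability: at one age the degrees need not sum to 1.
AGE_SETS = {
    "young": lambda x: trapezoid(x, -1, 0, 20, 40),
    "middle_aged": lambda x: trapezoid(x, 20, 40, 50, 70),
    "old": lambda x: trapezoid(x, 50, 70, 120, 121),
}


def crisp_age_class(age: float) -> str:
    """Conventional (crisp) classification with hard boundaries (assumed at 40 and 65)."""
    if age < 40:
        return "young"
    if age < 65:
        return "middle_aged"
    return "old"


def fuzzify(age: float) -> dict:
    """Degree to which an age belongs to each linguistic term."""
    return {name: round(f(age), 2) for name, f in AGE_SETS.items()}


def linguistic_label(age: float) -> str:
    """Max-membership defuzzification: the term with the highest degree."""
    degrees = fuzzify(age)
    return max(degrees, key=degrees.get)


def fuzzy_and(*degrees: float) -> float:
    """Zadeh AND: the minimum of the operands."""
    return min(degrees)


def fuzzy_or(*degrees: float) -> float:
    """Zadeh OR: the maximum of the operands."""
    return max(degrees)


def rule_strength(age: float, failed_logins: int) -> float:
    """One fuzzy rule on constructed data: IF account age is young AND failed
    logins are many THEN review. "many" is an assumed ramp from 3 to 8 failures."""
    many = trapezoid(failed_logins, 3, 8, 10**9, 10**9 + 1)
    return round(fuzzy_and(fuzzify(age)["young"], many), 2)
```

At age 39 the crisp classifier still says "young" while the fuzzy degrees are 0.05 young / 0.95 middle-aged, which is the point of the figure: the concept has no sharp edge, so a rule's firing strength degrades gradually instead of flipping at a boundary.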


(5) Security Issue

Vulnerabilities
• Expert system
 – The system reacts according to its rules; if the rules are faulty, the response will be faulty
• Neural networks
 – Decisions are only as good as the experience (training data) they are given

Protection issues
• Knowledge base
 – Protect the KB as you would any database
 – Because of its specialized nature, its integrity usually cannot be cross-checked
• Expert systems and neural networks
 – Routinely verify decisions against the expected outcomes for expected inputs
 – Changes to the rules must go through the change control process
 – As with a KB, verification of data integrity is difficult
 – The risks of wrong decisions must be weighed routinely
 – Develop baselines of expected performance
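The expert-system components (knowledge base, inference engine, blackboard, explanation facility) and the protection issues above, as one added worked example that is not code from the original slides: a forward-chaining rule engine, its explanation trace, and a baseline of expected decisions that catches a faulty rule change before it is deployed. The rule base for triaging login alerts, the facts and the expected outcomes are constructed for illustration.

```python
"""A minimal rule-based expert system with a blackboard (working memory), an
explanation facility and a baseline check of its decisions.

Added example, not from the original slides. The rule base, the alert facts and
the expected outcomes below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Facts = Dict[str, Any]


@dataclass
class Rule:
    name: str
    condition: Callable[[Facts], bool]  # IF part, evaluated against the blackboard
    conclusion: Facts                   # THEN part: facts asserted when the rule fires


@dataclass
class ExpertSystem:
    rules: List[Rule]                                # knowledge base
    trace: List[str] = field(default_factory=list)   # explanation facility

    def run(self, case_facts: Facts) -> Facts:
        """Forward chaining: fire rules until no rule adds a new fact."""
        blackboard: Facts = dict(case_facts)  # facts about the specific case
        self.trace = []
        changed = True
        while changed:
            changed = False
            for rule in self.rules:
                already = all(blackboard.get(k) == v for k, v in rule.conclusion.items())
                if not already and rule.condition(blackboard):
                    blackboard.update(rule.conclusion)
                    self.trace.append(f"{rule.name}: {rule.conclusion}")
                    changed = True
        return blackboard

    def explain(self) -> List[str]:
        """Why the last recommendation was made: the rules that fired, in order."""
        return list(self.trace)


# Constructed knowledge base for triaging authentication alerts.
KNOWLEDGE_BASE = [
    Rule("R1 brute force",
         lambda f: f.get("failed_logins", 0) >= 5 and f.get("single_source_ip", False),
         {"brute_force_suspected": True}),
    Rule("R2 compromise",
         lambda f: f.get("brute_force_suspected", False) and f.get("login_succeeded", False),
         {"account_compromise_suspected": True}),
    Rule("R3 lock",
         lambda f: f.get("account_compromise_suspected", False),
         {"recommended_action": "lock_account_and_notify"}),
    Rule("R4 rate limit",
         lambda f: f.get("brute_force_suspected", False) and not f.get("login_succeeded", False),
         {"recommended_action": "rate_limit_source"}),
]

# Constructed baseline: expected outcomes for expected inputs. Re-run after every
# rule change (change control) so a faulty rule is caught before deployment.
BASELINE: List[Tuple[Facts, Any]] = [
    ({"failed_logins": 7, "single_source_ip": True, "login_succeeded": True}, "lock_account_and_notify"),
    ({"failed_logins": 7, "single_source_ip": True, "login_succeeded": False}, "rate_limit_source"),
    ({"failed_logins": 2, "single_source_ip": True, "login_succeeded": True}, None),
]


def verify_against_baseline(es: ExpertSystem, baseline=BASELINE) -> list:
    """Return (facts, expected, actual) for every case whose decision deviates."""
    failures = []
    for facts, expected in baseline:
        actual = es.run(facts).get("recommended_action")
        if actual != expected:
            failures.append((facts, expected, actual))
    return failures


def faulty_rule_base() -> List[Rule]:
    """The same KB with R1's threshold mistyped as 1: a faulty rule gives faulty responses."""
    bad_r1 = Rule("R1 brute force (faulty)",
                  lambda f: f.get("failed_logins", 0) >= 1 and f.get("single_source_ip", False),
                  {"brute_force_suspected": True})
    return [bad_r1] + KNOWLEDGE_BASE[1:]
```

The baseline is the control the slide asks for: the original rule base passes all three cases, while the mistyped threshold turns two ordinary failed logins into an account lockout, and the third baseline case reports it. The explanation trace is what an auditor reads to see which rules produced a decision.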


Attacks & Vulnerability


(1) Programming/data Attack

• Salami attack: in data security, fraud spread over a large number of individual transactions, each small enough to go unnoticed
• Data diddling: entering false data into a computer system
• Fraud
• Logic bomb
• Mistakes
• Boundary errors
• Validation errors
• Covert channels
• Buffer overflow: more input written to a memory buffer than it can hold, without appropriate bounds checking; can overwrite adjacent memory and result in an elevation of privilege


(2) Malicious code

• Malicious code
 – Virus: infects existing programs by inserting new code; its primary function is to reproduce (boot, system, compression, stealth, multipartite, self-garbling, polymorphic, macro, ...)
 – Trojan horse: a program that performs a useful function but also performs an unexpected action; a useful program containing hidden code that exploits the authorization of the process running it to violate security
 – Worm: reproduces on its own rather than requiring a host program; replication is activated by creating a process, and for network worms replication occurs across communication links
 – Bomb: logic bomb, time bomb
 – Trap door: allows a user to gain access to more system functions than are normally available; a hidden mechanism to bypass protection measures
 – Applet: platform-independent download-and-run mini-program used in Java programming (listed here because downloaded code runs on the client)


(2) Malicious code (detection, prevention, elimination)

• Detecting
 – Execution monitors (shrinking free space, many unexpected disk accesses, etc.)
 – File monitors (checksum, file size, timestamping)
 – Virus detectors
• Preventing (infection vectors: electronic bulletin boards/e-mail, floppy disks, network access)
 – Back up immediately after installing genuine software, use only software from trusted sources, write-protect disks
• Eliminating a virus after infection
 – Isolate the system: disconnect it from the network
 – Back up all data
 – Reinitialize the system: low-level format
 – Reboot the system
 – Copy virus protection software onto the system
 – Reinstall application software
 – Reinstall data
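The "file monitors (checksum, file size, timestamping)" detection control, as an added worked example that is not code from the original slides: a baseline snapshot of every file's SHA-256 digest, size and modification time, a comparison against a later snapshot, and a constructed tampering scenario in a temporary directory. The directory layout, file contents and the attacker's timestamp restoration are assumptions made for the demonstration.

```python
"""File monitor of the kind the slide lists under "Detecting": a baseline of
checksum, size and timestamp per file, compared against a later snapshot.

Added example, not from the original slides. The directory tree and the
tampering scenario in demo() are constructed inside a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ATTRS = ("sha256", "size", "mtime_ns")


def file_record(path: Path) -> dict:
    """Checksum, size and modification time of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def snapshot(root: Path) -> dict:
    """Records for every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Added and removed files, plus which attributes changed on surviving files."""
    modified = {}
    for name in baseline.keys() & current.keys():
        diffs = [a for a in ATTRS if baseline[name][a] != current[name][a]]
        if diffs:
            modified[name] = diffs
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then patch a binary in place keeping
    its size, restore its timestamp, and drop a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        target = root / "bin" / "login"
        target.write_bytes(b"legit program v1")  # 16 bytes
        (root / "README").write_text("unchanged")
        baseline = snapshot(root)

        before = target.stat()
        target.write_bytes(b"legit program vX")  # same size, different content
        # An attacker who knows about timestamp checks puts the old mtime back.
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        (root / "bin" / "dropper").write_bytes(b"new file")

        return compare(baseline, snapshot(root))
```

The scenario shows why the checksum matters: after the size-preserving patch and the timestamp restoration, only the digest still differs, so a monitor that tracked size and timestamp alone would report the binary as clean. The baseline itself must be stored where the monitored system cannot rewrite it, for the same reason.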


(3) Vulnerabilities

• Data problems
 – Aggregation: building new objects from existing objects
 – Inference: deriving information that is not explicit
 – Object reuse/garbage collection: reclaiming information from dynamic storage
 – Data contamination
• Malicious code
• Access problems
 – Trap door: a secret way in
 – Back door (trap door or wormhole): an unapproved method of accessing the system; programs that bypass the traditional security checks on a system, allowing an attacker to gain access to a machine without providing a password and without being logged
 – Covert channel: an unapproved communication link between one application and another (the security policy is broken without breaking access control); a communication channel that allows a process to transfer information in a manner that violates the system's security policy
 – Physical access to the area
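The inference problem from the data mining slides and the aggregation/inference entries under "Data problems" above, as one added worked example that is not code from the original slides: a statistical database that refuses queries over too few rows, the "tracker" pair of permitted aggregate queries whose difference isolates one person, and an overlap check that recognizes the pair. The employees table, the threshold K and the overlap rule are constructed assumptions.

```python
"""Inference through aggregation: two permitted statistical queries on a
database (or data warehouse) combine to reveal one person's salary.

Added example, not from the original slides. The employees table, the
query-set-size threshold K and the overlap check are constructed assumptions.
"""
import sqlite3

# Constructed sample data: individual salaries are sensitive, only aggregates
# (COUNT, SUM) over groups of at least K people are meant to be released.
ROWS = [
    (1, "Shin", "Accounting", 50), (2, "Kim", "Accounting", 60),
    (3, "Lee", "Accounting", 70), (4, "Park", "Accounting", 80),
    (5, "Choi", "Shipping", 40), (6, "Jung", "Shipping", 45), (7, "Kang", "Shipping", 55),
]
K = 2  # minimum number of rows a statistical query may cover


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees(id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", ROWS)
    return con


def statistical_sum(con, where: str, params=()) -> int:
    """SUM(salary) over the rows matching `where`, refused when the query set has
    fewer than K rows (query-set-size control). `where` is program text here,
    not user input; the values are bound as parameters."""
    n, total = con.execute(
        f"SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM employees WHERE {where}", params
    ).fetchone()
    if n < K:
        raise PermissionError(f"query set too small ({n} rows)")
    return total


def direct_query_refused(con) -> bool:
    """The naive attack, SUM over one named person, is stopped by the size control."""
    try:
        statistical_sum(con, "name = ?", ("Shin",))
        return False
    except PermissionError:
        return True


def tracker_attack(con, target: str = "Shin", dept: str = "Accounting") -> int:
    """Each query covers >= K rows and is answered; their difference is the target's salary."""
    whole_dept = statistical_sum(con, "dept = ?", (dept,))
    all_but_target = statistical_sum(con, "dept = ? AND name <> ?", (dept, target))
    return whole_dept - all_but_target


def overlapping(con, where1: str, params1, where2: str, params2) -> bool:
    """Overlap control: if two query sets differ by fewer than K rows, releasing both
    sums isolates individuals, so the second query should be refused."""
    def ids(where, params):
        return {row[0] for row in con.execute(f"SELECT id FROM employees WHERE {where}", params)}
    return len(ids(where1, params1) ^ ids(where2, params2)) < K
```

The size control alone is not a fix: both tracker queries satisfy it, and the attacker learns the salary from arithmetic outside the database. Overlap control catches this pair, but applying it across a whole query history is expensive and more elaborate trackers still get around it, which is why the slides treat inference as a standing problem rather than a solved one.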


(3) Vulnerabilities (covert channels, object reuse)

• Covert storage channel
 – A covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of that location by another process. Covert channels typically involve a finite resource shared by two subjects at different security levels.
• Covert timing channel
 – One process signals to another by modulating its own use of system resources; the real response time observed by the second process is affected
• Object reuse
 – Media must contain no residual data
 – Must be overwritten or degaussed before reuse
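The covert storage channel definition above, as an added worked example that is not code from the original slides: a finite resource (free disk blocks) shared by a HIGH and a LOW process, the HIGH side modulating it and the LOW side reading the state back through a "disk full" error, then the same transfer with the resource partitioned per level. The disk simulation, its capacity and the two processes are constructed assumptions; the timing-channel variant is not modelled.

```python
"""A covert storage channel over a finite shared resource (free disk blocks):
a HIGH process that may not write to LOW modulates the resource and a LOW
process reads the state back through an error return.

Added example, not from the original slides. The disk, its capacity and the
two processes are a constructed simulation; timing channels are not modelled.
"""
from dataclasses import dataclass


@dataclass
class SharedDisk:
    """The finite resource both security levels share: a block quota."""
    capacity: int
    used: int = 0

    def allocate(self, blocks: int) -> None:
        if self.used + blocks > self.capacity:
            raise OSError("ENOSPC: no space left on device")
        self.used += blocks

    def release(self, blocks: int) -> None:
        self.used -= blocks


class HighSender:
    """HIGH: allowed to use the disk, forbidden by policy to write anything LOW can read."""
    def __init__(self, disk: SharedDisk):
        self.disk = disk

    def signal(self, bit: int) -> None:
        if bit:  # fill the disk for a 1, leave it free for a 0
            self.disk.allocate(self.disk.capacity - self.disk.used)

    def clear(self) -> None:
        self.disk.release(self.disk.used)


class LowReceiver:
    """LOW: never reads HIGH data directly; it only observes whether its own write succeeds."""
    def __init__(self, disk: SharedDisk):
        self.disk = disk

    def sense(self) -> int:
        try:
            self.disk.allocate(1)
            self.disk.release(1)
            return 0
        except OSError:  # ENOSPC is the information HIGH leaked
            return 1


def covert_transfer(message: str, capacity: int = 100, partitioned: bool = False) -> str:
    """Send `message` bit by bit through the channel and return what LOW decoded.
    With partitioned=True each level gets its own quota, which closes the channel."""
    high_disk = SharedDisk(capacity)
    low_disk = SharedDisk(capacity) if partitioned else high_disk
    tx, rx = HighSender(high_disk), LowReceiver(low_disk)
    received = []
    for byte in message.encode("ascii"):
        for i in range(7, -1, -1):
            tx.signal((byte >> i) & 1)   # HIGH modulates the shared resource
            received.append(rx.sense())  # LOW observes it
            tx.clear()
    out = bytes(int("".join(str(b) for b in received[i:i + 8]), 2)
                for i in range(0, len(received), 8))
    return out.decode("ascii")
```

No access-control rule is broken: HIGH only writes to its own resource and LOW only tries to write to its own file, yet the message crosses the boundary, exactly the "policy broken without breaking access control" case on the previous slide. Removing the shared resource (per-level quotas) turns every sensed bit into 0, which is the standard remedy; where sharing cannot be removed, the usual fallbacks are to add noise or to audit unusual allocation patterns.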


(3) Vulnerabilities (by impact)

Disclosure: aggregation, inference, object reuse, Trojan horse, trapdoor, backdoor, uncontrolled application access
Modification: data contamination, malicious code, logic bombs
DoS: processor or server disruption, network disruption, worms


(3) Vulnerabilities (summary)

• Summary
 – Spoofing/eavesdropping
 – Unable to identify/track access and updates
 – Theft of information or hard assets
 – Improper access to information
 – Improper update of information
 – Improper destruction of information
 – Lack of or inadequate data validation
 – Data overwrites
 – Incorrect internal processing
 – Direct data access


(4) Malicious code/attack (review questions)

(1) You downloaded shareware and later discovered that the program records network login attempts. What type of program is this?
(2) Identify the damaging act in which the network is searched for idle computing resources and the program is executed in small segments.
(3) Which one of the following best describes a logic bomb? (Functions triggered by a specified condition)
(4) What types of files do macro viruses infect? (Office files)
(5) What is the name of a malicious computer program that replicates itself by attaching to other programs?


Object-Oriented Concept & OODB

Reference

- CBK

- Object-oriented Technology (David Taylor)


(1) OO Concept

(1) Class: pattern or template for objects
(2) Object: variables + methods; reusable
(3) Message: receiver + message + parameters
(4) Instance
(5) Inheritance: an object deriving data and functionality automatically from another object
(6) Encapsulation: an object's protection of its private data from outside access
(7) Information hiding
(8) Overloading, polymorphism
(9) Composite objects


(2) Object-Oriented Analysis

(1) Understand the application; identify behaviors -> initial behavior of the system
(2) Derive objects from the behavior perspective -> objects and object behavior
(3) Start classifying objects
(4) Identify relationships among objects
(5) Model processes


(3) OODB

(1) Preserving objects

Objectives
 - Supporting object-oriented programs
 - Storing complex information
 - Building intelligent databases

(1) Conventional DB
 - No provision for handling the infinite variety of data types that OO languages permit
 - Never intended to store the methods that objects contain
(2) Solution?
 - Object converter with an RDB, NDB or HDB: complex objects are broken down into simpler components
(3) ODBMS


(3) OODB

(2) Storing complex information

(1) Network model + relational model
(2) Composite objects: objects that contain other objects (references to other objects)
(3) Inheritance
(4) Retrieval (all the joins have been precomputed)

Figure: a composite object Dept (Accounting, Shipping) containing Employees, each with a Job Title (Manager, Clerk) and a name (Shin, Kim, Lee, Park).


(3) OODB

(3) Building intelligent DB

(1) Passive ODB
(2) Active ODB: stores objects with "live" methods that can be activated directly in the database
(3) Applications in object databases
(4) Expert system


(3) OODB

OO concept / OODB                          | Relational DB
-------------------------------------------|----------------------------------------
Class hierarchy                            | DB schema
Class                                      | Table
Instance (object)                          | Record
Instance variable                          | Column (field)
Object identifier                          | Primary key
Class inheritance                          | (none)
Define, delete, modify instance, variable  | Define, delete, modify relation, field
Send/receive message                       | (none)
(none)                                     | Select, join


(3) OODB

Issues

• Polyinstantiation
 – Producing a more defined version of an object by iteratively replacing variables with other variables or values
 – Information located in more than one place for use by more than one user, usually at different security levels: the same key has several instances, each at its own classification level
 – Requires sensitive information to be removed when it is stored at lower levels (the lower instance carries only what that level may see)
 – Ensuring integrity with multiple updates going on is difficult
• Polymorphism
 – Different objects responding to a common command in different ways
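The polyinstantiation issue above, as an added worked example that is not code from the original slides: a multilevel table that keeps one instance of a key per classification level, read-down selection by clearance, the integrity effect of an update at one level, and the naive single-instance table whose duplicate-key error leaks the existence of a hidden row. The levels, the shipment rows and the clearances are constructed for illustration.

```python
"""Polyinstantiation in a multilevel table: the same primary key holds one
instance per classification level, so a LOW insert colliding with a HIGH row
is not refused (a refusal would reveal that the HIGH row exists).

Added example, not from the original slides. The levels, the cargo manifest
rows and the clearances are constructed for illustration.
"""
LEVELS = {"U": 0, "C": 1, "S": 2}  # unclassified < confidential < secret


class MultilevelTable:
    def __init__(self):
        self.rows = {}  # (key, level) -> attributes

    def insert(self, subject_level: str, key: str, attrs: dict) -> bool:
        """Insert at the subject's own level. Returns True when the key is now
        polyinstantiated (an instance already exists at another level)."""
        self.rows[(key, subject_level)] = dict(attrs)
        return len(self.instances(key)) > 1

    def instances(self, key: str) -> dict:
        """Every instance of the key, by level (what a privileged auditor would see)."""
        return {lvl: attrs for (k, lvl), attrs in self.rows.items() if k == key}

    def select(self, subject_level: str, key: str):
        """Read-down: a subject sees the instance at the highest level it dominates."""
        visible = [(LEVELS[lvl], attrs) for lvl, attrs in self.instances(key).items()
                   if LEVELS[lvl] <= LEVELS[subject_level]]
        return max(visible, key=lambda t: t[0])[1] if visible else None

    def update(self, subject_level: str, key: str, attrs: dict) -> None:
        """Write at the subject's level only; other instances are untouched, which is
        where the integrity problem on the slide comes from."""
        self.rows.setdefault((key, subject_level), {}).update(attrs)


def naive_insert(table: dict, key: str, attrs: dict) -> None:
    """Single-instance table without polyinstantiation: the duplicate-key error
    itself tells the LOW subject that a hidden row exists."""
    if key in table:
        raise KeyError(f"duplicate key {key}")
    table[key] = attrs


def existence_leaks(hidden_key: str) -> bool:
    """True if a LOW insert into the naive table reveals the hidden HIGH row."""
    table = {hidden_key: {"cargo": "weapons"}}  # the row LOW must not know about
    try:
        naive_insert(table, hidden_key, {"cargo": "canned food"})
        return False
    except KeyError:
        return True


def scenario() -> dict:
    """Constructed manifest: a secret shipment with an unclassified cover story."""
    t = MultilevelTable()
    t.insert("S", "SHIP-042", {"cargo": "weapons", "dest": "Base X"})
    poly = t.insert("U", "SHIP-042", {"cargo": "canned food", "dest": "Port B"})
    t.update("U", "SHIP-042", {"dest": "Port C"})  # LOW's change never reaches the S row
    return {
        "polyinstantiated": poly,
        "seen_by_U": t.select("U", "SHIP-042"),
        "seen_by_S": t.select("S", "SHIP-042"),
        "instances": len(t.instances("SHIP-042")),
    }
```

The two instances answer different users consistently, which is the confidentiality goal; the price is that the "real" destination and the cover destination can drift apart, and nothing in the table says which one a later report should trust. That reconciliation burden is the integrity problem the slide names.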


(4) OO-related Concept

(1) OLE (Object Linking & Embedding)
 - Allows applications to share functionality through live data exchange and embedded data
 - The capability to call one program from another is linking
 - The capability to put a piece of data in a foreign program is embedding
(2) COM (Component Object Model)
 - Current standard for OLE on a standalone machine
(3) DCOM (Distributed Component Object Model)
 - Current standard for OLE shared across a network
(4) CORBA (Common Object Request Broker Architecture)
 - OMG specification
 - Provides standard interface definitions between OMG-compliant objects
(5) ORB (Object Request Broker)


System Development Security

* ISC2 guide
* Guidelines for Security of Computer Applications (FIPS)


(1) Summary (Security in the SDLC)

(1) Project initiation
 - Development: conceptual definition; conceptual proposal & initial study; functional requirements definition; system environment specification
 - Security: identify security needs; initial risk analysis; identify security framework
(2) Functional design analysis & planning
 - Development: system functional design; detailed planning of functional breakdown
 - Security: security area in project plan; define security requirements / risk analysis; preliminary security test plan; include security requirements in contracts; security requirements baseline
(3) System design specification
 - Development: code design review
 - Security: define security specifications; update security test plan; security areas in formal baseline
(4) Software development
 - Development: programming & documentation
 - Security: write/procure & install security-related code; perform unit tests, evaluate security code; include approved components in baseline
(5) Installation, evaluation & testing
 - Development: HW installation/integration; pre-implementation testing, installation
 - Security: test security components; test security in integrated system; install security code; document security controls; conduct acceptance test; verify project security
(6) Maintenance/operation
 - Development: program changes & minor modifications
 - Security: perform risk analysis & sensitive application recertification; periodic audit
(7) Revision/replacement/destruction
 - Development: major modification or replacement; sold, given away or discarded


(2) SDLC Control

Project Initiation

(1) Identify user needs – identify security needs
(2) Evaluate alternatives – initial risk analysis
(3) Select/approve approaches – identify security framework


(2) SDLC Control

• Security feasibility: an unrealistic plan for a computer application may create security problems for which there is no cost-effective solution
 - Source data accuracy: will the data supplied to the application system be accurate and complete enough to support its intended uses without harmful side effects?
 - User identity verification: can users of the system be adequately identified and authenticated so that they can be held accountable for their actions?
 - Restricted interface: are the user interfaces to the system sufficiently restricted that adequate security is feasible?
 - Separation of duties: do the boundaries between the system and related manual activities provide maximum separation of duties and independent review?
 - Facility security: is the proposed processing facility adequately secure?


(2) SDLC Control

• Initial risk assessment: if security risks are not considered, cost-benefit analyses may favor a system plan with unnecessary exposure to failures. The initial assessment should only estimate the damage that could result from major failures that might occur in spite of controls.
 - Impact of major failures: inaccurate data, falsified data, disclosed data, lost data, unavailable data or services
 - Frequency of major failures: during the initial phase it is not possible to estimate the frequency of a major failure by evaluating the effectiveness of controls, because those controls have not yet been designed. Nevertheless, a very rough estimate of the likelihood of a major failure can be made.


(2) SDLC Control

Functional design analysis & planning

(1) Prepare project plan – security area in project plan
(2) Develop functional requirements – define security requirements / risk analysis
(3) Preliminary test plans – preliminary security test plan
(4) Select acquisition strategy – include security requirements in RFPs and contracts
(5) Establish formal functional baseline – includes security requirements


(2) SDLC Control

• Definition of security requirements: many security problems can be traced to a poorly thought-out security plan or to an inadequate definition of what the software is supposed to do
 - Application system interfaces
 - Responsibilities associated with each interface
 - Separation of duties
 - Sensitive objects and operations: sensitivity, function, ...
 - Error tolerance: the expected reliability and validity of data
 - Availability requirements
 - Requirements for basic controls
 - Management considerations
• Risk assessment: a thorough risk analysis, including safeguard selection, should be performed at the beginning of the design phase to ensure that appropriate, cost-effective security controls are integral to the system's design


(2) SDLC Control

System design specification

(1) Develop detailed design – define security specifications
(2) Update testing goals & plans – update security test plan
(3) Establish formal baseline – security areas in formal baseline


(2) SDLC Control

• Designing for security: inadequate security is difficult to improve without a major redesign of the system
 - Avoid unnecessary programming
 - Restricted user interfaces
 - Human engineering
 - Shared computer facilities
 - Isolation of critical code: the code and system data that are critical to security should be clearly identified so they can be easily audited and protected
 - Backup & recovery
 - Use of available controls: the OS and facility may already provide a variety of controls
 - Design review: look for omissions and inadequacies


(2) SDLC Control

Security Design

• Baseline controls
- Backup
- Access control
- Physical & logical (role-based access control)
- Audit trails
- Change control
- Documentation
- (Contingency): checkpoint/restart, disk mirroring, RAID
- (Encryption)

• Supplementary controls
- Sensitivity/criticality/granularity: data & system classification
- Integration with procedural, OS and network controls
- (Encryption)


(2) SDLC Control

Software development

(1) Construct from detailed design specifications – Write/procure & install security-related code

(2) Perform & evaluate unit tests – Perform unit tests, evaluate security code

(3) Implement detailed design – Include approved components in formal baseline


(2) SDLC Control

• Programming practice for security: addresses programming errors that affect security, especially flaws in the implementation of security controls, and fraudulent additions or changes to the application code by programmers.

- Peer review
- Program library
- Documentation of security-related code
- Programmer association with the operational system: when possible, programmers should not be in a position to receive benefits from the system when it becomes operational
- Redundant computation
- Program development tools


(2) SDLC Control

Installation, Evaluation & Testing

(1) Test system components – Test security components

(2) Validate system performance – Test security in the integrated system

(3) Install system – Install security code

(4) Prepare project manual – Document security controls

(5) Perform acceptance test – Conduct acceptance test

(6) Accept system – Verify project security


(2) SDLC Control

• Test & Evaluation: addresses errors and omissions that affect security, especially flaws in the implementation of security controls

- Test plan
- Static evaluation – techniques that involve examination and analysis of the system documentation and code; they represent the most effective way to detect deliberate traps or other unauthorized modifications. * code review, penetration studies, source code analyzer
- Dynamic testing – techniques that involve executing the application system, or a portion of the system, with test data and comparing the actual results with expected or known results. * program analyzer


(2) SDLC Control

Unit Testing – individual modules within a program

- Desk checking – reviewed by the programmer
- Static analysis tests: the quality of a module is evaluated through direct inspection of the code
- Structured walk-throughs – reviewed by a group of other, independent programmers
- Design & code inspection – reviewed by a special review group that uses a formal checklist and documents the results; a formalized review
- Black-box test – the module’s internal logic is not examined; test cases are designed from the module’s requirement specification
- Dynamic analysis tests: the module’s tests are executed on the machine
- White-box test – test cases are designed after the module’s internal logic has been examined; the test cases exercise multiple execution paths within the program

[Figure: black-box test – test data based on the requirement spec. → module → output]

Integration Testing evaluates groups of program modules to determine whether their interfaces are defective and, overall, whether they fail to meet their requirements specs.


(2) SDLC Control

Testing

• Testing controls
- Test data
- Data validation
- Bound checking (field size, date…)

• Test methods
- Unit test
- Integration test
- Whole-of-program test (system test, user test)
- QA test

[Figure: program tests → system test / QA test → user test]


(2) SDLC Control

Maintenance/ Operation

(1) Perform risk analysis & sensitive application recertification when a significant change occurs

(2) Periodic audit


(2) SDLC Control

• Acceptance
– Verification that performance and security requirements have been met

• Accreditation
– Formal acceptance of security adequacy, authorization for operation and acceptance of existing risk (QC)

• Certification
– Formal testing of security safeguards

• Operational assurance
– Verification that a system is operating according to its security requirements

• Assurance
– Degree of confidence that the implemented security measures work as intended


(2) SDLC Control

The Real World

• Systems Development Life Cycle
– Organizations understaffed, wear too many hats
– Separation of duties seldom complete
– Infosec seldom involved in initial stages of development
– Risks seldom adequately assessed
– Exposure points and controls seldom adequately determined
– Code checks are often skimped
  • Approvals are often perfunctory
  • Development process continues without formal approval
– Few limits on access to program code
– Change control for programs only


(3) Operational Issues

• Implementation and Operation
– Authorization
  • All support personnel should be authorized
– Risk Reduction
  • All code should be reviewed prior to implementation
  • Change Management
– Separation of Duties
  • Development staff should not review or implement systems
  • Development staff should not support production data
  • Development staff should not manage the security function
  • Operator: no programming capability

• Terminology: Production, Citizen programmers


(3) Operational Issues

– Accountability
  • No access should be permitted directly to the database
  • Production data should be managed by users, not support staff
  • All access to production data should be logged
– Least Privilege
  • Access control
  • Access should be given to necessary data fields only
– Layered Defense
  • Access controls should be used in addition to system access
– Configuration Management
  • The management of security features and assurances through control of changes made to the system’s HW, SW, firmware, documentation, test cases, test fixtures, and test documentation throughout the development and operational life of the system


(3) Operational Issues

The Real World

• Implementation and Operation
– Organizations understaffed, wear too many hats
– Separation of duties seldom complete
– Development staff often support production systems
– IT staff often maintain production data
– Access is often granted on the basis of “least effort”


(3) Operational Issues

Change Control: Concept

• To control all changes to production programs
• Changes must be authorized, tested & recorded
• Programmers work through controlled libraries
• Change system must be certified & accredited
• Policy

Process

• Request change
• Analyze change request
• Record change request
• Submit request for approval
• Develop change
• Make version change
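The change-control process above, modelled as a small workflow that refuses out-of-order steps and enforces the listed controls (authorized before development, tested and recorded before a version change, requester cannot approve and developer cannot promote). This is an added example, not code from the original slides; the names, roles and the helper functions are constructed for illustration.

```python
"""Change-control workflow model (added example, not from the slides).
Every step is written to an audit trail; the ordering of steps follows the
slide's process list; the policy checks implement its separation-of-duties
rules. All identifiers and sample names below are constructed."""
from dataclasses import dataclass, field

# Process steps in the order the slide lists them; each is a state.
STEPS = ["requested", "analyzed", "recorded", "approved", "developed", "versioned"]


class ChangeControlError(Exception):
    """Raised when a step would violate the change-control policy."""


@dataclass
class Change:
    cid: str
    requester: str
    state: str = "requested"
    developer: str = ""
    tested: bool = False
    log: list = field(default_factory=list)  # audit trail of (actor, action)


def advance(change: Change, actor: str, action: str) -> Change:
    """Apply one process step, refusing out-of-order or conflicting actions."""
    idx = STEPS.index(change.state)
    if idx + 1 >= len(STEPS) or STEPS[idx + 1] != action:
        raise ChangeControlError(f"{change.cid}: '{action}' not allowed in state '{change.state}'")
    if action == "approved" and actor == change.requester:
        raise ChangeControlError(f"{change.cid}: {actor} may not approve their own request")
    if action == "developed":
        change.developer = actor
    if action == "versioned":
        if not change.tested:  # "changes must be tested" before the version change
            raise ChangeControlError(f"{change.cid}: untested change cannot become a version")
        if actor == change.developer:  # programmers go through the controlled library
            raise ChangeControlError(f"{change.cid}: developer may not promote their own code")
    change.state = action
    change.log.append((actor, action))  # "changes must be recorded"
    return change


def record_test(change: Change, tester: str, passed: bool) -> Change:
    """Record a test result; the developer may not sign off on their own change."""
    if change.state != "developed":
        raise ChangeControlError(f"{change.cid}: nothing to test in state '{change.state}'")
    if tester == change.developer:
        raise ChangeControlError(f"{change.cid}: {tester} may not test their own change")
    change.tested = passed
    change.log.append((tester, "tested" if passed else "test failed"))
    return change


def run_demo() -> Change:
    """Walk one constructed change through the full process with separated roles."""
    c = Change("CR-001", requester="user_kim")  # constructed sample ids
    advance(c, "analyst_lee", "analyzed")
    advance(c, "analyst_lee", "recorded")
    advance(c, "manager_park", "approved")
    advance(c, "dev_choi", "developed")
    record_test(c, "qa_jung", passed=True)
    return advance(c, "librarian_han", "versioned")  # controlled-library promotion
```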


SLA & CMM


(1) SLA

(1) SLA: turnaround, response time, the level of maintenance support, the costs, the penalties

(2) What can go wrong in an SLA
- The SLA may not be documented properly, or may not distinguish clearly between functional users and application systems
- Adequate tools and techniques may not be available to measure service levels, or the available tools may not be used
- Missed service levels may not be followed up in a timely and proper manner
- Short, readable and meaningful summary and trend reports describing system outages, system performance problems and service level shortfalls may not be available to computer operations and functional user management


(2) SW-CMM

(1) Initial – Ad-hoc process, occasionally chaotic

(2) Repeatable – Cost, schedule and functionality are tracked; earlier successes can be repeated

(3) Defined – Process documented, standardized, integrated

(4) Managed – Detailed measures collected; process or product controlled

(5) Optimizing – Continuous process improvement


(5) System Development Control

System Development Controls

(1) At what stage of the application development process should the security department become involved? (prior to the implementation, prior to system testing, during unit testing, during requirement development)

(2) System development controls are based on? (a standard methodology for project performance)

(3) Which of the following is the final step in authorizing a system for secure operation? (certification, authorization, accreditation)

(4) When building or acquiring new application systems, which of the following specifically deals with data security requirements? (A sequencing plan, A system life cycle, A technical architecture, A logical architecture)

(5) Which of the following should have extremely limited access in a C/S environment? (source code, object code, executable code)

(6) “Establishing and maintaining the integrity of products of the SW project throughout the project life cycle”? (requirement management, configuration management, design management)

(7) What is not the appropriate role of the IS security analyst in the application system development or acquisition project? (policeman, control evaluator, control consultant, application user)

(8) In SW-CMM, continuous process improvement? (managed, optimized, defined, repeatable)


GOOD LUCK!!!!