Module 4: Systems Security Engineering: Lesson 1: Systems Development Methodologies


Module 4: Systems Security Engineering

Lesson 1: Systems Development Methodologies


System development is the planning, development, testing, deployment, and maintenance of an information system
o The goal is to ensure information security is built into the system
A lifecycle is the management of an information system from start to finish
The SDLC (Systems Development Lifecycle) ensures security is built in during system development
o Initiation: Define and document the need and purpose of a new system
o Development/Acquisition: Design and develop or acquire the new system
o Implementation: Test, evaluate, and deploy the new system into operations
o Operation/Maintenance: system performs its function and is maintained over the course of operations
o Disposal: system is decommissioned or taken out of operations
Waterfall model is a continuous development lifecycle
o Incremental steps: Requirements, design, implementation, ops/maintenance, disposal
The Spiral Model allows multiple iterations of any development model
o Spiral Steps: Determine Objectives, Identify/Resolve Risks, Develop/Test, Plan Next Iteration
SCMM uses “maturity” levels focused on software process
o SCMM levels: Initial, Repeatable, Defined, Managed, Optimizing
IDEAL model is Initiating, Diagnosing, Establishing, Acting and Learning
o IDEAL phases: Initiating, Diagnosing, Establishing, Acting and Leveraging
The Agile framework focuses on a flexible and adaptive approach to the development process
o Quotes from the Agile Manifesto: “Individuals and interactions over processes and tools”, “Working software over comprehensive documentation”, “Customer collaboration over contract negotiation”, “Responding to change over following a plan”

© Copyright 2018 Cyberactive Security, LLC. All Rights Reserved. CISSP is a registered trademark of (ISC)2, Inc.

Lesson 2: Understanding Security Models


Security Model - a conceptual idea of how to identify and enforce security on the system
o Design security from the “ground up” based on the system requirements

Lesson 3: The Rainbow Series


Rainbow series - a set of computing security standards created by the DoD, each identified by its book cover color
TCB (Trusted Computing Base) is the set of system components that enforce protection
TCSEC (Trusted Computer System Evaluation Criteria) is the Orange Book, with 4 divisions outlining the different protection levels


Lesson 4: Common Criteria Security Framework


ISO/IEC 15408 defines the Common Criteria (CC), a common standard for evaluating hardware and software products
ST (Security Target) is a high-level description outlining what is going to be evaluated
TOE (Target of Evaluation) is the software, hardware, and/or firmware under evaluation, plus its guidance documentation
Evaluation criteria are the reference against which the TOE is evaluated
SFRs (Security Functional Requirements) describe the TOE security functions and objectives to be evaluated
SARs (Security Assurance Requirements) provide assurance that the TOE meets its requirements
EAL (Evaluation Assurance Level) levels run from 1 (lowest) to 7 (highest):
o EAL 1: Functionally Tested
o EAL 2: Structurally Tested
o EAL 3: Methodically Tested and Checked
o EAL 4: Methodically Designed, Tested, and Reviewed
o EAL 5: Semi-Formally Designed and Tested
o EAL 6: Semi-Formally Verified Design and Tested
o EAL 7: Formally Verified Design and Tested
PP (Protection Profile) is an outline of the protection needs for the TOE and the required EAL
Conformance ensures the TOE meets the functional requirements
o Conformance is either strict (the requirements are met exactly) or demonstrable (the TOE is shown to be suitable)

Lesson 5: Understanding Security Controls


Security controls - the policies, procedures, safeguards, and countermeasures that enforce security
Security controls establish a baseline of minimal security implementations
Administrative controls are typically policies, processes, procedures
Physical controls are physical protective mechanisms
Technical controls are logical/technical protective mechanisms
Preventative controls prevent unauthorized actions from occurring
Detective controls detect or discover that an unauthorized action has occurred
Corrective controls correct or modify the system following an unauthorized action
Compensating controls compensate for a known risk, vulnerability, or threat
Deterrent controls discourage or deter potential violations
Directive controls direct subjects to comply with a security policy
Recovery controls recover from a violation of a security policy
Security controls are frequently combined to meet security policies and objectives

Lesson 6: Security Control Frameworks


Control Frameworks create a common approach to and implementation of systems security
o Outline common processes and common security practices
o Make security assessment and audit for compliance easier
NIST SP 800-53 focuses on security and privacy controls for Federal Information Systems, as mandated by FISMA
o Control selection depends on risk, data overlays, and/or priority and baseline allocation
o 18 security control families spanning management, technical, and operational security controls
o Commonly implemented using NIST SP 800-37 (the Risk Management Framework)
COBIT by ISACA provides an IT governance framework for regulatory compliance
o Derived from COSO, a corporate governance framework
o Designed for financial organizations but usable by anyone
COBIT principles:
o Meeting Stakeholder Needs
o Covering the Enterprise End to End
o Applying a Single Integrated Framework
o Enabling a Holistic Approach
o Separating Governance From Management

Lesson 7: Selecting Security Controls


Security controls - the policies, procedures, safeguards, and countermeasures that enforce security
Select security controls that will meet organizational and regulatory policies
Use industry or regulatory standards
o Common standards: ISO/IEC 27001, NIST SP 800-53, COBIT
Identify the specific types of the organization's data
Select every data type that requires protection
Identifying data types helps create the baseline of protection
Use the high-water mark: protect to the highest level required by any of the selected data types
Select the security controls using that highest level of protection
Create the SCL/control set from a control catalog
Scoping is analyzing the security controls to ensure they apply to the system
Tailoring is adding/removing security controls to fit the system
Stakeholders must approve the SCL/control set
Implement safeguards and countermeasures to meet the security controls
o Safeguards/countermeasures depend on the organization
Consider risk assessment results, technology, the organization's industry, and more
Every information system's data protection needs are unique
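The control-selection steps above (data-type inventory, high-water mark, baseline from a catalog, scoping, tailoring), worked as an added Python example that is not part of the original notes. The data types, impact levels, control ids, baseline assignments and applicability tags are all constructed for illustration and do not reproduce any real control catalog.

```python
# Added example (not from the original notes): high-water-mark baseline selection,
# then scoping and tailoring against a mini control catalog. Everything below is constructed.

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed data-type inventory: impact level per security objective.
DATA_TYPES = {
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
    "customer records":   {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
    "audit logs":         {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}

# Constructed mini catalog: lowest baseline the control belongs to, and what it applies to.
CATALOG = {
    "CTL-01 policy":              {"baseline": "low",      "applies_to": "all"},
    "CTL-02 account management":  {"baseline": "low",      "applies_to": "all"},
    "CTL-03 log review":          {"baseline": "moderate", "applies_to": "all"},
    "CTL-04 transmission crypto": {"baseline": "moderate", "applies_to": "network"},
    "CTL-05 physical access":     {"baseline": "low",      "applies_to": "physical"},
    "CTL-06 non-repudiation":     {"baseline": "high",     "applies_to": "all"},
}

def high_water_mark(data_types):
    """Per-objective high-water mark across all data types, plus the overall system level."""
    per_objective = {o: NAMES[max(LEVELS[d[o]] for d in data_types.values())] for o in OBJECTIVES}
    overall = NAMES[max(LEVELS[v] for v in per_objective.values())]
    return per_objective, overall

def select_baseline(catalog, level):
    """Initial control set: every catalog control whose baseline is at or below the system level."""
    return sorted(c for c, m in catalog.items() if LEVELS[m["baseline"]] <= LEVELS[level])

def scope(controls, catalog, system_traits):
    """Scoping: keep only controls whose applicability matches the system's characteristics."""
    return [c for c in controls if catalog[c]["applies_to"] in system_traits]

def tailor(controls, add=(), remove=()):
    """Tailoring: add compensating controls and remove controls with a documented justification."""
    return sorted((set(controls) - set(remove)) | set(add))

def build_control_set(data_types, catalog, system_traits, add=(), remove=()):
    """Run the whole procedure: high-water mark -> baseline -> scoping -> tailoring."""
    _, level = high_water_mark(data_types)
    return level, tailor(scope(select_baseline(catalog, level), catalog, system_traits), add, remove)
```

Calling `build_control_set(DATA_TYPES, CATALOG, {"all", "network"})` yields a "high" system (customer records drive confidentiality, audit logs drive integrity) with the physical-access control scoped out; the stakeholder approval step from the notes is not modelled.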

Lesson 8: Information Systems Architecture


Many factors determine the system design, such as purpose, risk, location, and more
Architecture is how a system is designed, constructed, and connected
There are several architecture frameworks (Zachman, TOGAF, DoDAF, etc.)
Zachman is an architecture framework that uses primitive interrogatives and viewpoints to understand system relationships
TOGAF is an enterprise architecture framework for enterprise IT systems that uses the ADM (Architecture Development Method) for continuous improvement
DoDAF is an enterprise architecture framework for DoD-based systems
An open system is a publicly accessible system that is connected to the internet
A closed system is a private system that is not accessible to the outside world
Distributed systems are multiple systems connected by a network to act as a single system

Lesson 9: Systems Security Architecture


Security architecture is the art of building security into the system
The SABSA framework integrates security architecture into other architecture frameworks
SABSA is similar to Zachman and focuses on risk-driven architecture design
Local environment is isolated to a single computing device
Development is an isolated build environment
Integration is an isolated technology test environment
Test is a formal verification environment
Production/Operations is the live environment
For user access and permissions: define roles/permissions, require unique accounts per environment, and enforce least privilege and need-to-know
For system interfaces: limit, filter, and encrypt
Use an IPsec VPN and two-factor authentication for remote access
API interfaces should be limited and require authentication (API keys)
Vendors and contractors should be vetted and have proper agreements in place
Do not allow maintenance hooks for any vendors or contractors
Maintain accurate configuration management for inventory, assets, and documentation
Ensure all environments are compliant with all applicable security policies and industry regulations
Modes of Operation