by Phil Martin
Right from the moment a product is deployed to production, continuous monitoring should kick in. In fact, in the best case, monitoring should automatically detect deployments and report on such activities. The primary goal of continuous monitoring from a security point of view is to report on the effectiveness of security controls. Since CIA includes ‘availability’, security monitoring is also concerned with up-time and performance statistics. This information is not only helpful for maintaining a solid and secure environment but can also be applied directly to SLAs to ensure suppliers are delivering on their promises. Monitoring includes vulnerability scanning, penetration testing and the use of intrusion detection systems. While a secure supply chain should not allow code that has been tampered with, continuous monitoring is often useful for detecting malicious code that has been injected into the source code or environment. Additionally, improper patch and upgrade processes can cause an environment’s configuration to weaken, and continuous monitoring can help detect such a scenario.
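As an added illustration (not code from the book), here is a minimal post-deployment drift check of the kind a continuous-monitoring job could run: it compares file hashes and hardened settings against the approved baseline and reports injected or altered code and weakened configuration. The file paths, contents and settings are constructed for the example.

```python
import hashlib
from typing import Dict, List

# Constructed approved state of a deployment, as a release pipeline would
# record it: the shipped files (hashed below) plus the hardened settings.
APPROVED_FILES = {
    "app/server.py": b"def handle(req):\n    return authorize(req)\n",
    "app/config.yaml": b"tls_min_version: '1.2'\ndebug: false\n",
}
APPROVED_CONFIG = {"tls_min_version": "1.2", "debug": False}


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 hex digest of its contents."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def detect_drift(expected_hashes: Dict[str, str], observed_files: Dict[str, bytes],
                 expected_config: Dict[str, object], observed_config: Dict[str, object]) -> List[str]:
    """Return findings describing how the observed deployment departs from the baseline."""
    findings: List[str] = []
    observed_hashes = fingerprint(observed_files)
    # Code integrity: every approved file must be present and unchanged.
    for path, digest in expected_hashes.items():
        if path not in observed_hashes:
            findings.append(f"missing: {path}")
        elif observed_hashes[path] != digest:
            findings.append(f"modified: {path}")
    # Anything not in the approved manifest is a candidate for injected code.
    for path in sorted(observed_hashes.keys() - expected_hashes.keys()):
        findings.append(f"unexpected: {path}")
    # Configuration: a patch or upgrade must not silently relax a hardened setting.
    for key, value in expected_config.items():
        if observed_config.get(key) != value:
            findings.append(f"config drift: {key} expected {value!r}, found {observed_config.get(key)!r}")
    return findings


def demo() -> List[str]:
    # Constructed post-patch state: one file altered, one new file, debug re-enabled.
    observed_files = dict(APPROVED_FILES)
    observed_files["app/server.py"] = b"def handle(req):\n    return True\n"
    observed_files["app/helper.py"] = b"import os\n"
    observed_config = {"tls_min_version": "1.2", "debug": True}
    return detect_drift(fingerprint(APPROVED_FILES), observed_files, APPROVED_CONFIG, observed_config)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```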
While continuous monitoring does include background automated activities that are always running, it also includes periodic manual audits and reviews. For example, penetration testing must be carried out occasionally, and audit trails must be manually reviewed. How often a system undergoes such activities should be tied directly to how important the system is to the business, and can be directly influenced by external regulations or standards. For example, PCI DSS requires periodic scanning for malware threats. Obviously, in a supply chain, provenance points should automatically kick off certain reviews and checkpoints. One of the bigger challenges in continuous monitoring is that it requires the involvement of all owners, but people continuously move into and out of roles. That is why role descriptions should always include a security component that describes responsibilities from a security perspective.
Incident handling is a natural result of proper continuous monitoring activities and is a reactive process to minimize the fallout of a ‘negative feature’. (The first time I heard that term I nearly fell out of my chair – talk about a politically-correct spin to hide how bad something is!) A good incident handling process ensures issues are fixed by the correct supplier and rolled out in a secure and timely fashion.
Chapter 57: Step 8 - Retirement
The final phase of managing risk within the supply chain is encountered when the ‘never-imagined’ day comes to retire software. In some cases that day is better described as ‘oft-dreamed of’ depending on how painful a product might be to those who must use it.
Software retirement planning should actually start way back when the initial requirements are being written. If retirement is not carried out properly, the risk of information disclosure increases dramatically. Not only must the software be turned off; access rights must also be removed, and the data must be properly disposed of. We have already discussed media sanitization and disposal, so we will not cover that ground again. A huge effort during retirement is to ensure that data is properly migrated over into the new system if needed, and that the data remains in its present form until the new system has been completely approved and vetted.
Index
/GS, 166
1NF, 151
2NF, 152
3DES, 66
3NF, 152
acceptable use policy, 246
access certification, 288
access control list, 256
access control model, 255
access triple, 261
accidental user, 230
accountability, 83
accountable, 33
accreditation, 330
ACL, 256
acoustic cryptanalysis attack, 205
acquirer, 369
active fingerprinting, 342
active synthetic transaction, 308
active-active, 76
active-passive, 76
address space layout randomization, 254
advanced encryption standard, 66
advanced persistent threat, 44
adverse event, 128
AES, 66
AES 16, 279
aggregation, 149
AH, 271
AIW, 72, 362
ALE, 72, 361
alert, 128
algorithm, 64
allowable interruption window, 72, 362
ALSR, 254
ALU, 156
annual loss expectancy, 72, 361
annualized rate of occurrence, 72, 361
anonymous authentication, 78
anti-debugger code, 226
anti-reversing, 226
anti-tampering, 225
API, 252
application programming interface, 252
APT, 44
ARC, 220
archiving, 118
arithmetic logic unit, 156
ARO, 72, 361
assembler, 159
assembly language, 159
assurance case, 385
assurance methodology, 248
assurance plan, 385
asymmetric scheme, 66
at-rest, 62
attack bias, 100
attack surface, 21, 100
attack surface value, 100
attack tree, 236
audit, 127
audit trail, 83
auditing, 83
AUP, 246
authenticates, 36
authentication header, 271
authenticity, 370
authorization, 36, 81
automatic reference counting, 220
AV, 72
availability, 47
back doors, 46
banner grabbing, 343
BASEL II, 244
basic authentication, 78
basic input/output system, 115
bastion host, 23, 54, 125
BCP, 72, 365
bell-lapadula, 260
BIA, 72, 365
biba model, 260
big data, 275
binary analyzer, 291
binary code, 291
biometric authentication, 79
BIOS, 115
birthday attack, 166
black box testing, 338
blacklist, 186
blind sql injection, 183
blind sql injection attack, 205
block, 250
bootstrapping, 115, 204
branch locality, 219
brewer and nash model, 261
bring your own device, 119
broken authentication, 284
brokered trust model, 267
browser-based app, 281
brute force attack, 64
bug, 296
bug bands, 238
bug bars, 238
build process, 112
burning, 145
bus, 156
business continuity, 72, 364
business continuity plan, 72, 365
business impact analysis, 72, 365
BYOD, 119
byte patching, 352
bytecode, 162
bytecode scanner, 291
CA, 66
CAB, 140, 358
cache windowing, 180
caching, 77, 81
canonical, 216
canonicalization, 196
CAPTCHA, 194
CAS, 216
CASBs, 275
cascading triggers, 154
CCB, 358
CCM, 279
central processing unit, 156
CER, 79
CERT, 170
certificate authority, 66
certificate practice statement, 269
certificate revocation list, 269
certification, 329
certification authority, 269
certification practice statement, 67
certification revocation list, 67
change advisory board, 140, 358
change management, 137
channel, 100, 261
character, 250
check-in, 293
check-out, 293
checksum, 71
chinese wall model, 261
CIA, 57
CIL, 162
ciphertext, 61
claim, 289
clark-wilson model, 260
clearing, 144
client certificate-based authentication, 78
clipping, 90
clipping level, 210
closed source, 351
cloud abuse, 279
cloud access security brokers, 275
cloud bursting, 279
cloud computing, 272
cloud controls matrix, 279
cloud security alliance, 263
CLR, 162
CMDB, 360
CMS, 360
CNG, 222
code access security, 165, 216
code analysis, 291
code coverage, 315
code escrow, 390
code review, 227
code signing, 226, 389
cohesive, 168
cold boot attack, 205
collision, 166
collision free, 166
commercial off-the-shelf, 142
commercial-off-the-shelf, 351
common intermediate language, 162
common language runtime, 162
common vulnerabilities and exposures, 171
common weakness enumeration, 172
community cloud, 273
compartmentalization, 88
compensating control, 30, 50, 104
compiled, 160
compiled language, 160
compiler, 159, 160
compiling, 160
complete mediation, 36, 81, 92
completely automated public turing test to tell computers and humans apart, 194
computer misuse act, 245
computer processor, 156
concept of operations, 117
concurrent users, 351
confidentiality, 24, 59
configuration management database, 360
configuration management system, 360
configuration parameter, 203
configuration/change board, 358
conformance, 370
connection pooling, 76
CONOPS, 117
content scanning, 344
contextually specific, 126
control, 104
control unit, 156
copyright, 350
core rbac, 257
corrective control, 50, 104
CORS, 280
COTS, 142, 351
coupling, 168
covert, 261
covert storage channel, 261
covert timing channel, 261
covert writing, 61
CPS, 67, 269
CPU, 156
crawlers, 355
CRC, 70
criticality, 242
CRL, 67, 269
cross-origin resource sharing, 280
crossover error rate, 79
cross-site request forgery, 191
cross-site scripting, 188
cryptanalysis, 64
cryptographic agility, 222
cryptography api next generation, 222
CSA, 263
CSRF, 191
curious attacker, 230
CVE, 171
CWE, 172
cyclic redundancy check, 70
cyclomatic complexity, 227, 299
DAC, 255
DAL, 99, 366
dangling pointer, 219
dark feature, 216
data access layer, 99, 366
data classification, 60, 241
data custodian, 243, 320
data definition language, 154
data encryption standard, 66
data execution prevention, 254
data flow diagrams, 234
data hiding, 252
data leakage prevention, 354
data lifecycle management, 243, 320
data manipulation language, 154
data owner, 320
data protection act, 245
data remanence, 144
data storage and data analytics as a service, 275
data-at-rest, 355
database view, 149
data-in-motion, 355
data-in-use, 355
DDL, 154
DDoS, 283
deadlock, 71
declarative security, 217
decommissioning, 142
decryption, 64
deep packet inspection, 355
defect, 308
defense in depth, 89
defense-in-depth, 20
definition list, 356
degaussing, 144, 247
delayed containment, 133
delayed signing, 226
demand security action, 217
denial of service, 35, 47, 75, 128, 283
deny first, 37
DEP, 254
DES, 66
desk checking, 250
destruction, 145, 247
detective control, 49, 104
deterrent control, 49, 104
deviational method, 250
device, 250
device driver, 251
DFD, 234
diagnosis matrix, 129
dictionary attack, 167
differential fault analysis attack, 205
digest, 65
digest authentication, 78
digital envelopes, 270
digital millennium copyright act, 323
digital rights management, 367
digital watermarking, 61
dilution, 146
directory, 288
directory information, 61
disaster recovery, 72, 364
disaster recovery as a service, 275
disaster recovery plan, 72, 365
disaster recovery testing, 302
disclaimer, 387
discretionary access control, 255
disintegration, 145
disposal, 142, 143
distant observation attack, 206
distributed denial of service, 283
DLM, 243, 320
DLP, 354
DMCA, 323
DML, 154
dns poisoning, 145
document type definitions, 202
domain, 252
dominates, 256
DoS, 35, 47, 75, 128, 283
double encoding, 188
double-submitted cookie, 194
DPI, 355
DRaaS, 275
driver, 170
DRM, 367
DRP, 72, 365
DSD, 257
DTDs, 202
dumb fuzzing, 347
dynamic code analysis, 291
dynamic linking, 160
dynamic separation of duty, 257
ECCN, 391
economy of mechanisms, 39, 91
EF, 72, 361
EIP, 213
electronic social engineering, 145
embedded system, 121
enablers, 100
encapsulation, 25, 168
encapsulation security payload, 271
encryption, 64
end-of-life, 142
endurance testing, 300
end-user license agreement, 351
enterprise, 351
enterprise service bus, 268
enticement, 125
entitlement management, 82
entrapment, 125
environment testing, 301
EOL, 142
equidistant locality, 219
ESB, 268
ESP, 158, 254, 271
EUDPD, 245
EULA, 351
european union personal data protection directive, 245
event, 128
executable space protection, 254
execution domain, 255
execution instruction counter, 213
execution stack pointer, 158
executive services, 252
expansion, 163
export control classification number, 391
exposure factor, 72, 361
extended instruction pointer, 213
extensible rights markup language, 368
fagan inspection process, 328
fail secure, 38, 90
failover, 41, 76
failover testing, 302
false acceptance rate, 79
false rejection rate, 79
FAR, 79
fast death, 220
fault injection attack, 122
federal information processing standard, 334
federal information processing standards, 336
federated identity, 275
federated trust model, 267
FHM, 250
file lock, 293
financial modernization act of 1999, 244
FIPS, 334, 336
firmware, 121
first normal form, 151
fishbone diagram, 136
flaw, 296
flaw hypothesis method, 250
FOCI, 375
foreign key, 152
foreign ownership and control of influence, 375
forensics as a service, 276
formal review, 328
forms authentication, 78
forward locking, 367
FRaaS, 276
freeware, 351
FRR, 79
full knowledge assessment, 337
full rbac, 258
function level check, 214
functional testing, 298
fuzz data, 346
fuzz testing, 206
fuzzing, 346
fuzzing oracle, 346
garbage collector, 220
general hierarchies, 257
generalization, 246
generation-based fuzzing, 347
generics, 221
ghost vulnerability, 204
GLBA, 244
GOTS, 351
government-off-the-shelf, 351
graham-denning model, 262
gramm-leach-bliley act, 244
hacktivist, 341
hardware security models, 151
harrison-ruzzo-ullman model, 262
hash, 65
health insurance portability and accountability act, 245
heap, 158
heuristic analyzer, 356
HIDS, 353
hierarchical rbac, 257
hierarchical storage management, 243, 321
high memory, 157
high-interaction honeypot, 354
high-level, 159
HIPAA, 245
holistic security, 54
honeynet, 25, 354
honeypot, 25, 125, 354
horizontal privilege escalation, 306
horizontal scaling, 77
host-based ids, 353
hotfix, 138
hru model, 262
HSM, 151, 243, 321
html encoding, 187
html5 local storage, 198
hybrid app, 281