The seventh domain in the SSCP CBK is Systems and Applications Security. This domain accounts for 17% of the SSCP exam.
The Systems and Applications Security domain defines five (5) tasks that a certified SSCP should be able to perform:
- Identify and Analyze Malicious Code and Activity
- Implement and Operate Endpoint Device Security
- Operate and Configure Cloud Security
- Secure Big Data Systems
- Operate and Secure Virtual Environments
This is part 7 in a 7-part series on the (ISC)2 SSCP Common Body of Knowledge (CBK).
Remember: An SSCP who can recall this information will likely pass the exam, but the SSCP who can explain how these concepts are applied in real-world situations is more likely to get hired.
Identify and Analyze Malicious Code and Activity
Malicious code (or malware) is software that’s intentionally designed to cause damage.
Take ransomware for example. Ransomware encrypts the contents of a user’s computer. The attacker then tries to extort money out of the victim in exchange for the decryption key. The Stuxnet worm is another example of malicious code, malware with a very specific purpose. Stuxnet targeted the software that controlled centrifuges in nuclear facilities, causing them to spin faster and faster until they literally broke apart.
You can prevent or negate the effects of malware using a combination of the following countermeasures:
- Use malware scanners specifically designed to find known instances of malware on your computer, and then delete that malware entirely.
- Use anti-malware programs designed to identify attempts to install malicious code on your computer, preventing the malware from infecting your machine in the first place.
- Software vendors can use code signing, a method by which the authors of legitimate code use digital signatures to help you verify that the code you installed is definitely the same code they produced. This protects users from both counterfeit apps and infected files posing as legitimate software.
- You can also run programs in a sandbox, an isolated environment that prevents malware from actually infecting your computer. Security researchers often use sandbox environments to intentionally execute malware so they can analyze its behavior in a safe, controlled manner.
Malicious code is often used in conjunction with other attack methods, such as:
- Social Engineering – Tricking a user into unknowingly installing malware on a machine that user controls.
- Insider Threat – Abusing your access as a workforce member (employee, contractor, etc.) to install malware on an internal system.
- Data Theft – Installing malware designed to find sensitive data (e.g., credit cards, national identifiers, health records, intellectual property) and transmit that data outside of the organization to a system controller by the attacker.
- DDoS – Distributed Denial of Service attacks can consume all of an organization’s external systems, making those systems unavailable to authorized users. In 2010, the tool Low Orbit Ion Cannon (LOIC) was famously used to target a number of high profile organizations.
- Spoofing – Impersonating another system or organization.
- Phishing – A specific type of social engineering attack that involves carefully crafted email messages.
- Pharming – Redirecting an organization’s website to another domain, one controlled by an attacker.
- Spam – Unsolicited email messages, traditionally intended to convince the recipient to pay for goods or services so that the spammer can receive some or all of that revenue.
- Botnets – When a computer is infected with malicious software, it may become a participant in a larger network of compromised computers. The bot master, or controller of that botnet, will then sell computing resources to criminals who would like to use a large number of computers to launch one of the attacks listed above.
Many of countermeasures we discussed in previous domains are also effective against malware, including system hardening, patching, and even sandboxing (which we just introduced earlier in this section). One critically important countermeasure that can be uniquely effective against these types of attacks is user security awareness training. Teach your employees how to detect and respond to these attacks, and you can start relying on the technical countermeasures as a backup when an attack is sophisticated enough to deceive your end users.
Implement and Operate Endpoint Device Security
In the Network and Communications Security domain, we discussed network-based intrusion detection & prevention systems. At the endpoint level, we see a similar technology.
Host intrusion detection systems (HIDS) and host intrusion prevention systems (HIPS) are software programs that perform the same function as their network-based counterparts: the first detects and alerts on suspicious activity, and the second automatically takes corrective action.
Another common endpoint security control is a host-based firewall. Just like its network counterpart, this firewall uses a defined set of rules to determine which systems the endpoint is allowed to communicate with, as well as the ports those communications are allowed to use.
The concept of application whitelisting is widely touted to be the most effective endpoint device security control, although in truth, it’s not always as easy to implement and maintain as the other controls listed here. Application whitelisting is the practice of defining a set of known applications that are allowed to run on the endpoint. If ANY application attempts to run other than those in the whitelist, it is forced to close and an administrator is alerted.
Although ransomware uses encryption as weapon, endpoint encryption can be a very effective positive security control. Have ever misplaced your smartphone? It was relief when you found it, right? What could an attacker access if they had access to your smartphone? Possibly social media accounts, email accounts, and maybe even online banking services.
How bad would it be if an attacker gained physical access to a lost or stolen laptop? For the organization as a whole, it could much worse. In the United States, organizations are legally required to report lost or stolen laptops if those endpoints might contain personally identifiable information (PII) or electronic protected healthcare information (ePHI). If the device is encrypted, however, those notification requirements (and the accompanying fines) are no longer necessary.
Although encryption is often enabled through software, certain hardware vendors have added special microprocessors to their equipment in order to enable hardware level encryption. This control is known as a Trusted Platform Module (TPM). While encryption can be software-based or hardware-based, it’s important for you as an SSCP to monitor for encryption vulnerabilities. This enables you to take action when necessary, and to avoid a false sense of security when relying on an encryption implementation with known weaknesses.
As your organization relies more and more on mobile endpoints, you’ll want to consider the security benefits of a mobile device management solution. Mobile device management (MDM) is a specialized asset management solution designed for devices that are frequently off-network. Remember our telework discussion in Domain 6 – Network and Communications Security? MDM solutions enable you to both secure and support remote devices.
Two common models for supporting mobile device usage are BYOD and COPE.
Bring Your Own Device (BYOD) is a model that allows employees to do just that: bring their own mobile devices to work. BYOD comes with management, legal, and support challenges, though. Are you allowed to install company software on a non-company endpoint? Who does the employee contact when they have technical issues with their device? If an employee is being investigated for corporate violations, are you legally allowed to search that employee’s personal device for evidence of wrongdoing? That’s a slippery, slippery slope.
Corporate Owned, Personally Enabled (COPE) is a slightly different model that attempts to address those challenges. It may be more expensive for an organization to buy mobile devices for end users, but the questions of management, legality, and supportability of those devices are MUCH easier to answer.
Enabling secure browsing via a sandbox, if available, is a great way to provide an additional layer of endpoint security. By restricting web content to only execute in that logically separated sandbox, you reduce the risk that malicious code will be able to jump from the browser to the device operating system.
Operate and Configure Cloud Security
The days of exclusively on-premise networks have come and gone. Organizations have been embracing cloud computing at a steadily increasing pace, and that trend is only going to continue. With an increased usage of cloud computing comes an increased need for an understanding of cloud security.
The three (3) most common cloud computing operating models are:
- Public – An organization shares cloud computing resources with other organizations.
- Private – An organization’s cloud computing resources are reserved exclusively for that organization.
- Hybrid – An organization uses a blend of public cloud, private cloud, and on-premise computing resources.
Organizations may also turn to cloud computing for service models traditionally reserved for on-premise solutions, services such as DNS, email, proxies, and VPN. Understanding where each service resides (cloud or on-premise) is a key first step in securing these services.
Cloud service providers often take advantage of virtualization to be able to provide rapid release, scalable solutions to their customers. Virtualization is the process of providing fully functional computers and network devices via software instead. A hardware host system may contain multiple virtual guest systems. That host system that controls and manages all of the virtual guests is known as the hypervisor.
Once you begin moving your data to someone else’s data center, you need to consider more than just the technical differences. You also need to investigate the legal and privacy concerns. For example:
- Surveillance – Who else can see your data?
- Data Ownership – If law enforcement asks for a copy of the data as part of an investigation, who decides whether or not to turn it over?
- Jurisdiction – Where is cloud service provider’s data center physically located? What laws apply, based on location?
- eDiscovery – In the event that you need data as part of an official legal request, will you be able to access all requested data? How will you collect that data in order to provide it to the requesting party?
You also need to consider data storage and transmission concerns. For example:
- Archiving – Does the cloud service provider’s backup strategy align with your business needs?
- Recovery – More importantly, how will they recovery from a product incident and get you up and running again?
- Resilience – Have they implemented the necessary (redundant) resources to ensure that your systems and applications are always there when you expect them to be?
It would be in your best interest to ensure that you’ve thoroughly documented your third-party/outsourcing requirements, and that you’ve contractually obligated your service providers to meet those requirements. Those requirements should contain (at a minimum):
- Service Level Agreements – Measurable metrics that clearly outline your service expectations (often around availability).
- Data Portability – Assurances that, in the event that either party decides to terminate the agreement, you can get your data back.
- Data Destruction – Assurances that your data will be securely erased from any media (hard drives, backup tapes, etc.) before that media leaves your cloud service provider’s physical control.
- Auditing – You may reserve the right to audit the provider’s controls, either directly or through an independent third party.
Cloud service provider relationships can be incredibly beneficial to your organization, as long as nothing goes wrong. The best way to ensure that nothing goes wrong is to determine which responsibilities belong to you and which responsibilities belong to the service provider.
One of the best visual explanations of those responsibilities is documented in Amazon Web Services’ (AWS) Shared Responsibility Model.
Secure Big Data Systems
As the Internet continues to grow, so does the amount of data produced on a daily basis. As organizations collect that data, the resulting data sets are enormous. We’re able to analyze that data for patterns and trends, making sense of the data, discovering (creating) information that we’ve never had access to before. That, my friend, is what’s known as big data.
And you can imagine that criminals want access to those data and all the secrets they contain.
When working with sets of big data, and with all of the systems and applications we use to work with big data, it’s important that we build security in. We need to address architecture or design vulnerabilities before they become expensive, unwieldy, or impossible to contain.
When it comes to application security, there’s no better resource than the Open Web Application Security Project (OWASP). OWASP provides guidance to groups ranging from software developers to security architects, helping them understand what it really means to incorporate security into an application’s design.
OWASP has dozens of projects, all security-focused, all open source. The Secure Application Design Project shines a spotlight on design flaws that could lead to exploitable vulnerabilities. More importantly, this project provides guidance on how to avoid those flaws. Combined with the Application Security Architecture Cheat Sheet, you have a wealth of application security knowledge at your fingertips.
The most popular OWASP project, the Top Ten Project, highlights the ten (10) application vulnerabilities that present the most significant risk to a deployed web application. This list is updated every few years, and while it’s not meant to be a comprehensive list of application vulnerabilities, it is definitely a great starting point for organizations, developers, and security professionals seeking a starting point in their application security efforts.
The current OWASP Top Ten Project contains the following list of web application security risks, in order of most severe to least severe:
- A1 – Injection
- A2 – Broken Authentication
- A3 – Sensitive Data Exposure
- A4 – XML External Entities (XXE)
- A5 – Broken Access Control
- A6 – Security Misconfiguration
- A7 – Cross-Site Scripting (XSS)
- A8 – Insecure Deserialization
- A9 – Using Components with Known Vulnerabilities
- A10 – Insufficient Logging and Monitoring
Spend some time exploring the OWASP website, watching videos, and attending local chapter meetings, and you’ll build you application security knowledge quickly.
Operate and Secure Virtual Environments
Keep in mind that the same principles that guide the security of physical environments apply to virtual environments as well. Understanding how physical and virtual environments differ from one another is the key to selecting the right controls for each one.
The introduction of virtual machines was accompanied by the introduction of virtual networks. Software-defined networking involves significantly fewer cables, and planes. Remember our discussion about data planes and control planes from the Network and Communications Security domain? Those same concepts apply here. Instead of rewiring a network closet when you need to change things up, you make a configuration change in a management program, and it has the same end result.
Understanding how to secure the hypervisor is one of the key differences between securing physical machines and securing virtual machines. Ever heard the phrase “keys to the kingdom” used to describe something really, really important? That’s the hypervisor, the software host operating system that controls all of the virtual guest systems on a network. If an attacker gets administrative rights to the hypervisor, that attacker controls every single system managed by the hypervisor.
While many of same basic endpoint security practices apply to securing hypervisors (system hardening, patching, etc.), you will also want to look for vendor guidance on how to secure a specific technology. VMware, for example, has built their entire business on virtualization technology. If you want to see their guidance on hypervisor security, you can read this whitepaper they published about their vSphere solution.
Virtual hosts are sometimes referred to as virtual appliances. The key distinction is that virtual appliances are pre-configured and (almost) ready to go as soon as you bring them online. Vendors often offer virtual appliances as turnkey alternatives to their physical offerings.
Virtual environments are able to do more with less by sharing resources on the virtual host machine, including shared storage. Shared storage is a pool of storage resources (e.g., disks) that are available to multiple users. Shared storage enables administrators to be more efficient in how they purchase and allocate disk space for users. However, the risk of an attacker gaining access to sensitive data may increase, especially if that attacker can exploit a technical vulnerability or security reconfiguration in that environment.
Some of the most notable benefits of virtualization are in the area of continuity and resilience. When an entire server can be stored in a single file, it becomes much easier to migrate that server from one location to another without causing a business disruption. It also becomes easier to create and restore backups, in the event that a hypervisor experiences some sort of hardware failure. Virtualization has been a game changer for security professionals with business continuity and disaster recovery responsibilities.
When it comes to virtualization attacks and countermeasures, protecting the hypervisor should be your top priority. Not only should you stay on top of hypervisor security patches (which are separate from Windows and Linux operating system patches), but you need to take a close look at the security configuration options. Make sure you lock down the administrative interface with reasonable and appropriate access controls. Also, investigate how the hypervisor communicates with the guest operating systems and with other external systems. If you’ve properly secured both the host and the network communications, it’s much less likely an attacker will be able to compromise your virtual infrastructure.
What Else Should I Know About Systems and Applications Security?
This is a high level introduction to the concepts you need to know as an SSCP, based on the (ISC)2 SSCP Certification Exam Outline. It’s not intended to be a deep-dive into everything you need to know in order to pass the exam.
You’ll increase your chances of passing the exam the first time if you read these two (2) books next:
- Start with the SSCP All-in-One Exam Guide (2nd Edition).
- Then read the (ISC)2 SSCP Official Study Guide.
If you prefer videos to books, use our list of recommended online training providers to take advantage of FREE offers to help you prepare for the exam.
Keep at it!
SSCP Domain 6 – Network and Communications Security