SlideShare a Scribd company logo

Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-

Download as DOCX, PDF
W
WilheminaRossi174

Chapter 4 Secure Design Principles Copyright © 2014 by McGraw-Hill Education. Introduction This chapter covers information security principles. Every network security implementation is based on a model. The CIA triad is perhaps the most well-known model, with focus on confidentiality, integrity, and availability of data. Other models focus on other aspects of information security Firewalls as a primary defense is a perimeter security model Relying on several different security mechanisms is a layered defense model Every security design includes assumptions about what is trusted and what is not trusted, and who can go where. Countermeasures Copyright © 2014 by McGraw-Hill Education. The CIA Triad The CIA triad is a data-centric model to help people think about security, although it is neither perfect nor all-inclusive. Confidentiality: Restriction of access to data only to those who are authorized to use it “confidential” implies access to one set of data by many sources “private” means the data is accessible only to a single source Integrity: Assurance that data has not been altered Availability: Assurance that a service will be available when needed Copyright © 2014 by McGraw-Hill Education. Alternatives to the CIA Triad Parkerian Hexad Confidentiality, Integrity, Availability, Control, Authenticity, Utility U.S. DoD “Five Pillars of Information Assurance” Confidentiality, Integrity, Availability, Authenticity, Non-repudiation OECD guidelines The Organization for Economic Co-operation and Development Confidentiality, Integrity, Availability, Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. NIST 800-27 Proposes 33 principles for securing technology systems Copyright © 2014 by McGraw-Hill Education. Best-known Attributes of Security Confidentiality Integrity Availability Accountability Accuracy Authenticity Awareness Completeness Consistency Control Democracy Ethics Legality Non-repudiation Ownership Physical possession Reassessment Relevance Response Responsibility Risk assessment Security design and implementation Security management Timeliness Utility Copyright © 2014 by McGraw-Hill Education. Defense Models The Lollipop Hard, crunchy shell; soft, chewy center Once the hard, crunchy exterior is broken, the soft, chewy center is exposed Not the best defense model The Onion Layered strategy Defense in depth Must be peeled away by the attacker, layer by layer, with plenty of crying Copyright © 2014 by McGraw-Hill Education. Zones of Trust Different areas of a network trust each other in different ways Copyright © 2014 by McGraw-Hill Education. Best Practices Secure the physical environment. Harden the operating system. Keep patches updated. Use an antivirus scanner (with real-time scanning). Use firewall software. Secure network share permissions. Use encryption. Secure applications. Back up ...

1 of 25
Chapter 4 Secure Design Principles Copyright © 2014 by McGraw-Hill Education. Introduction This chapter covers information security principles. Every network security implementation is based on a model. The CIA triad is perhaps the most well-known model, with focus on confidentiality, integrity, and availability of data. Other models focus on other aspects of information security Firewalls as a primary defense is a perimeter security model Relying on several different security mechanisms is a layered defense model Every security design includes assumptions about what is trusted and what is not trusted, and who can go where. Countermeasures Copyright © 2014 by McGraw-Hill Education. The CIA Triad The CIA triad is a data-centric model to help people think about security, although it is neither perfect nor all-inclusive.
Confidentiality: Restriction of access to data only to those who are authorized to use it “confidential” implies access to one set of data by many sources “private” means the data is accessible only to a single source Integrity: Assurance that data has not been altered Availability: Assurance that a service will be available when needed Copyright © 2014 by McGraw-Hill Education. Alternatives to the CIA Triad Parkerian Hexad Confidentiality, Integrity, Availability, Control, Authenticity, Utility U.S. DoD “Five Pillars of Information Assurance” Confidentiality, Integrity, Availability, Authenticity, Non- repudiation OECD guidelines The Organization for Economic Co-operation and Development Confidentiality, Integrity, Availability, Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. NIST 800-27 Proposes 33 principles for securing technology systems Copyright © 2014 by McGraw-Hill Education. Best-known Attributes of Security Confidentiality
Integrity Availability Accountability Accuracy Authenticity Awareness Completeness Consistency Control Democracy Ethics Legality Non-repudiation Ownership Physical possession Reassessment Relevance Response Responsibility Risk assessment Security design and implementation Security management Timeliness Utility Copyright © 2014 by McGraw-Hill Education. Defense Models The Lollipop Hard, crunchy shell; soft, chewy center Once the hard, crunchy exterior is broken, the soft, chewy
center is exposed Not the best defense model The Onion Layered strategy Defense in depth Must be peeled away by the attacker, layer by layer, with plenty of crying Copyright © 2014 by McGraw-Hill Education. Zones of Trust Different areas of a network trust each other in different ways Copyright © 2014 by McGraw-Hill Education. Best Practices Secure the physical environment. Harden the operating system. Keep patches updated. Use an antivirus scanner (with real-time scanning). Use firewall software. Secure network share permissions. Use encryption. Secure applications. Back up the system. Create a computer security defense plan. Implement ARP poisoning defenses. Copyright © 2014 by McGraw-Hill Education.
Secure the Physical Environment Lock down PCs and laptops. Password-protect boot. Password-protect CMOS. Disable peripheral device boot. Copyright © 2014 by McGraw-Hill Education. Harden the Operating System 1. Reduce the attack surface of systems by turning off unneeded services. 2. Install secure software. 3. Configure software settings securely. 4. Patch systems regularly and quickly. 5. Segment the network into zones of trust and place systems into those zones based on their communication needs and Internet exposure. 6. Strengthen authentication processes. 7. Limit the number (and privileges) of administrators. Copyright © 2014 by McGraw-Hill Education. Keep Patches Updated In most cases, the vulnerabilities exploited are widely known, and the affected vendors have already released patches. Attacks against unpatched systems are widely successful.
Copyright © 2014 by McGraw-Hill Education. Use an Antivirus Scanner Essential Forced, automatic updates Enabled for real-time protection Copyright © 2014 by McGraw-Hill Education. Use Firewall Software Stateful inspection systems capable of analyzing threats occurring anywhere in layers 3 through 7. Able to collate separate events into one threat description. Block unwanted inbound connections. Block unauthorized software applications (such as Trojans) from initiating outbound traffic. Copyright © 2014 by McGraw-Hill Education. Secure Network Share Permissions One of the most common ways a attacker or worm spreads By default, Windows assigns the Everyone group Full Control on every newly created share This is the opposite of the least privilege principle (maybe it should be called the most privilege principle)
Copyright © 2014 by McGraw-Hill Education. Use Encryption Protects passwords Protects data ’nuff said Copyright © 2014 by McGraw-Hill Education. Secure Applications Applications should be configured with the vendors’ recommended security settings. Block active e-mail content from executing. Block dangerous file attachments. Install applications to nonstandard directories and ports. Enforce policies to designate what software is allowed to run on a particular computer. Eradicate or secure P2P services. Make sure any new programs in your environment are developed securely. Copyright © 2014 by McGraw-Hill Education. Back Up the System Recover modified, corrupted, or deleted files. Worms and viruses often delete files, format hard drives, or
intentionally corrupt data. You cannot always repair the damage and put the system back to the way it was prior to an exploit, so backups are essential. Copyright © 2014 by McGraw-Hill Education. Create a Computer Security Defense Plan 1. Inventory the assets to protect. 2. Decide the value of each asset and its chance of being exploited in order to come up with a quantifiable exposure risk. 3. Develop a plan to tighten the security on your protected assets. Assets with the highest exposure risk should be given the most protection, but make sure all assets get some baseline level of security. 4. Develop and document security baseline tools and methods. For example, a security template for end-user workstations Apply security templates to workstations 5. Use vulnerability testing tools to confirm appropriate configurations. 6. Do periodic testing to make sure security settings stay implemented. 7. Change and update the plan as dictated by new events and risks. Copyright © 2014 by McGraw-Hill Education. Implement ARP Poisoning Defenses ARP poisoning attacks are one of the most common and
effective threats against network infrastructures (especially wireless networks). ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. A form of man-in-the-middle attack that allow an attacker to intercept and modify network traffic, invisibly. Thus, these attacks merit their own special countermeasures. Defenses include Static ARP tables Port rate limiting DHCP snooping with dynamic ARP inspection (DAI). Dynamic Host Configuration Protocol. This is a method for automatically configuring TCP/IP network settings on computers, printers, and other network devices Copyright © 2014 by McGraw-Hill Education. Summary The CIA triad is a well-known model, but there are many others. The onion model is a better defense than the lollipop. Trust is an important consideration in every network. Attacks can come from automated malicious code or from manual attackers. You can implement many countermeasures to minimize the risk of a successful attack, including securing the physical environment, keeping patches updated, using an antivirus scanner, using a firewall, securing user accounts, securing the file system, securing network shares, and securing applications. Security settings should be automated whenever possible and
should be part of a computer security defense plan. Copyright © 2014 by McGraw-Hill Education. Systems Diagrams & Visualization (UML & Data Flow) Example Fast Food Restaurant System Diagrams & Visualization Example - Fast Food Restaurant • Create Data Flow and UML Diagrams to show the process of ordering food at a Fast-Food Restaurant. • Who are the players in the process (customer, clerk, cooks...)? • What automated systems are used in the process? • What activities work well, and which do not? • What changes have you noticed over the years to make the processes better (for the customer and for the business)? • What changes would you make to improve the processes and
performance? • What data can be stored and used to analyze the performance of the systems (i.e. how can Analytics be used)? FastFood - Use Case Diagram Customer Cashier Place Order Pay Order Deliver Order The Use Case diagram is a high-level diagram that identifies an Actor’s interactions with a system. It is not meant to get into details. Details are covered in other types of diagrams. A Customer places an order with a Cashier (or Kiosk) and then pays the Cashier (or via the Kiosk). The Cashier then delivers the order to the Customer. Notice this does not try to show the different between a drive-in transaction versus a walk-in; Or a person or a kiosk (like Taco Bell or McDonalds)
FastFood Activity Diagram Cashier Order System Payment System Cook Process Payment Process Order Request Payment Refund Difference Enter Order Display Order & Total Process Payment Confirm Payment & Refund Cook ItemsProcess Order Stage Items Order Complete?
NO YES Deliver Order Stage Order Receive Order The Activity diagram provides details on the activities of a process using “Swim Lanes”. In this case, the customer places the order with the Cashier who enters the order and receives details from the Order system and enters the payment and receives details from the Payment system. Note in this diagram that the actual order is not transmitted to the Cook until the transactions are processed. How might this diagram be different if the customer used a Kiosk rather than a Cashier? FastFood - Sequence Diagram returnRefund (refund)
placeOrder (orderList, exceptions) enterOrder (orderList, exceptions) displayOrder (orderList, exceptions, totalCost) confirmOrder (orderList, exceptions, totalCost) payBill (payment) processPayment (payment) confirmPayment (payment, refund) processOrder (orderList, exceptions) stageOrder (preparedItems) deliverOrder (packagedItems) x x Customer Cashier Order System Payment System The Sequence diagram shows the
sequence of activities. The Customer places an order as a list of items (with exceptions) and the Cashier enters them into the Order system. The order is displayed back. The Customer makes a payment which triggers the order to the Cook and to the Payment system. The payment is displayed back, and the Cashier refunds any overpayment. The Cook stages the order items, and the Cashier gives them to the Customer when complete. Notice bars that extend down and represent the approximate time needed to satisfy an action. The X’s at the bottom represent the last actions. These just happen to end at the same time. Payment System Cook FastFood - Communication Diagram :: orderSystem:: paymentSystem 1. Place Order 5. Pay Bill
2. Enter Order 3. Display Order 8. Confirm Payment 10. Stage Order Customer Cashier Cook6. Process Order 4. Confirm Order 9. Refund 11. Deliver Order 7. Process Payment The Communication diagram shows the interaction of the actors/systems. Notice the numbers represent the sequence. Notice the symbols used to represent a system. FastFood Data Flow Diagram Level 0 1
Place Order 2 Calculate Bill 3 Pay Bill 4 Prepare Order 5 Package Order 6 Deliver Order Customer Refund Item Price Payment Amount
Total Bill Order List & Exceptions Packaged Order Prepared Items D1 Temp Data Store Order List & Exceptions Payment The Data Flow diagram shows how data flows within the process. This is Level 0 which is the highest level. A Temp Data Store is shown and could be incorporated in the next levels. FastFood - Statechart Diagram Pending Order Customer Places
Order Confirmed Order Payment Made Staged Order Cooked Items placed in Bin Packaged Order Items placed in Bag Order given to Customer Request Payment Customer Notified of Cost Cook Order Order sent to Cook for Processing
The Statechart diagram shows states (i.e. waiting for something) within the process. Once the Customer places the order, it is ‘pending’ approval (awaiting cashier data entry and system response). Once the Customer is told the cost, it is ‘pending’ customer acceptance and payment. Once payment is made, it is ‘pending’ acceptance by the cashier or card processor. Etc. Notice the loops indicating that all items are not finished cooking at the same time and are bagged as they are ready and discovered by the Cashier. FastFood - Class Diagram Cashier orderList exceptions totalCost payment
refund preparedItems packagedOrder Cook orderList exceptions preparedItems Order System orderList exceptions totalCost Payment System payment refund Customer places Order Order delivered to Customer Enter into Confirms to Processes a
Confirmed to The Class diagram shows the structure of a system. The top box provides the name of the class. The middle box contains the attributes (fields) of the class. The bottom box contains the operations the class can execute. Lines connect and describe the actions taken (Cashier processes a Payment and the Payment is confirmed by the Cashier); etc. receiveCustomerOrder() deliverOrderToCustomer() enterOrderInOrderSystem() placeOrderWithCook() receiveCustomerPayment() processPaymentInPaySystem() returnRefundToCustomer() processOrder() displayOrder() processPayment() confirmPayment()
cookOrder() stageOrder() Systems Diagrams and Visualization Project Create the following UML diagrams to visualize the process of completing the IT project from the previous exercise (providing IT services for a new building): • Use Case diagram • Activity diagram • Communications diagram • Data Flow diagram Assume the following basic processes: 1. Procurement of all resources. 2. Setup of PCs and network servers. 3. Deployment and Testing of resources to the IT Area/Office. 4. Deployment and Testing of resources to the Administrative Area. 5. Deployment and Testing of resources to the Conference
Room. 6. Deployment and Testing of resources to the Meeting Room. 7. Deployment and Testing of resources to the Individual Offices. 8. Deployment and Testing of resources to the Computer Labs. 9. Testing of all Other Locations. • Create a Use Case diagram to show all actors and the basic processes above o Procurement, Setup, Deployment & testing of each major location. • Create an Activity diagram to show the deployment and testing of resources into the Computer Labs o Network connectivity testing requires interaction between the PC and Network Specialist o Projector connectivity testing requires interaction between the PC and AV Specialist. • Create a Communications diagram to show collaboration between the PC Specialist, the Network Specialist and the AV Specialist during deployment and testing of resources into the Computer Labs. o If network connectivity issues arise, the PC Specialist will
communicate with the Network Specialist. o If projector connectivity issues arise, the PC Specialist will communicate with the AV Specialist. • Create a Data Flow diagram to show the Procurement of all resources, based on this additional information: o The PC Specialist enters all purchases into the Purchase Application system once the resources are purchased. o The PC Specialists closes all purchases in the Purchase Application system once the resources are received.

More Related Content

Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-

  • 1. Chapter 4 Secure Design Principles Copyright © 2014 by McGraw-Hill Education. Introduction This chapter covers information security principles. Every network security implementation is based on a model. The CIA triad is perhaps the most well-known model, with focus on confidentiality, integrity, and availability of data. Other models focus on other aspects of information security Firewalls as a primary defense is a perimeter security model Relying on several different security mechanisms is a layered defense model Every security design includes assumptions about what is trusted and what is not trusted, and who can go where. Countermeasures Copyright © 2014 by McGraw-Hill Education. The CIA Triad The CIA triad is a data-centric model to help people think about security, although it is neither perfect nor all-inclusive.
  • 2. Confidentiality: Restriction of access to data only to those who are authorized to use it “confidential” implies access to one set of data by many sources “private” means the data is accessible only to a single source Integrity: Assurance that data has not been altered Availability: Assurance that a service will be available when needed Copyright © 2014 by McGraw-Hill Education. Alternatives to the CIA Triad Parkerian Hexad Confidentiality, Integrity, Availability, Control, Authenticity, Utility U.S. DoD “Five Pillars of Information Assurance” Confidentiality, Integrity, Availability, Authenticity, Non- repudiation OECD guidelines The Organization for Economic Co-operation and Development Confidentiality, Integrity, Availability, Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. NIST 800-27 Proposes 33 principles for securing technology systems Copyright © 2014 by McGraw-Hill Education. Best-known Attributes of Security Confidentiality
  • 3. Integrity Availability Accountability Accuracy Authenticity Awareness Completeness Consistency Control Democracy Ethics Legality Non-repudiation Ownership Physical possession Reassessment Relevance Response Responsibility Risk assessment Security design and implementation Security management Timeliness Utility Copyright © 2014 by McGraw-Hill Education. Defense Models The Lollipop Hard, crunchy shell; soft, chewy center Once the hard, crunchy exterior is broken, the soft, chewy
  • 4. center is exposed Not the best defense model The Onion Layered strategy Defense in depth Must be peeled away by the attacker, layer by layer, with plenty of crying Copyright © 2014 by McGraw-Hill Education. Zones of Trust Different areas of a network trust each other in different ways Copyright © 2014 by McGraw-Hill Education. Best Practices Secure the physical environment. Harden the operating system. Keep patches updated. Use an antivirus scanner (with real-time scanning). Use firewall software. Secure network share permissions. Use encryption. Secure applications. Back up the system. Create a computer security defense plan. Implement ARP poisoning defenses. Copyright © 2014 by McGraw-Hill Education.
  • 5. Secure the Physical Environment Lock down PCs and laptops. Password-protect boot. Password-protect CMOS. Disable peripheral device boot. Copyright © 2014 by McGraw-Hill Education. Harden the Operating System 1. Reduce the attack surface of systems by turning off unneeded services. 2. Install secure software. 3. Configure software settings securely. 4. Patch systems regularly and quickly. 5. Segment the network into zones of trust and place systems into those zones based on their communication needs and Internet exposure. 6. Strengthen authentication processes. 7. Limit the number (and privileges) of administrators. Copyright © 2014 by McGraw-Hill Education. Keep Patches Updated In most cases, the vulnerabilities exploited are widely known, and the affected vendors have already released patches. Attacks against unpatched systems are widely successful.
  • 6. Copyright © 2014 by McGraw-Hill Education. Use an Antivirus Scanner Essential Forced, automatic updates Enabled for real-time protection Copyright © 2014 by McGraw-Hill Education. Use Firewall Software Stateful inspection systems capable of analyzing threats occurring anywhere in layers 3 through 7. Able to collate separate events into one threat description. Block unwanted inbound connections. Block unauthorized software applications (such as Trojans) from initiating outbound traffic. Copyright © 2014 by McGraw-Hill Education. Secure Network Share Permissions One of the most common ways a attacker or worm spreads By default, Windows assigns the Everyone group Full Control on every newly created share This is the opposite of the least privilege principle (maybe it should be called the most privilege principle)
  • 7. Copyright © 2014 by McGraw-Hill Education. Use Encryption Protects passwords Protects data ’nuff said Copyright © 2014 by McGraw-Hill Education. Secure Applications Applications should be configured with the vendors’ recommended security settings. Block active e-mail content from executing. Block dangerous file attachments. Install applications to nonstandard directories and ports. Enforce policies to designate what software is allowed to run on a particular computer. Eradicate or secure P2P services. Make sure any new programs in your environment are developed securely. Copyright © 2014 by McGraw-Hill Education. Back Up the System Recover modified, corrupted, or deleted files. Worms and viruses often delete files, format hard drives, or
  • 8. intentionally corrupt data. You cannot always repair the damage and put the system back to the way it was prior to an exploit, so backups are essential. Copyright © 2014 by McGraw-Hill Education. Create a Computer Security Defense Plan 1. Inventory the assets to protect. 2. Decide the value of each asset and its chance of being exploited in order to come up with a quantifiable exposure risk. 3. Develop a plan to tighten the security on your protected assets. Assets with the highest exposure risk should be given the most protection, but make sure all assets get some baseline level of security. 4. Develop and document security baseline tools and methods. For example, a security template for end-user workstations Apply security templates to workstations 5. Use vulnerability testing tools to confirm appropriate configurations. 6. Do periodic testing to make sure security settings stay implemented. 7. Change and update the plan as dictated by new events and risks. Copyright © 2014 by McGraw-Hill Education. Implement ARP Poisoning Defenses ARP poisoning attacks are one of the most common and
  • 9. effective threats against network infrastructures (especially wireless networks). ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. A form of man-in-the-middle attack that allow an attacker to intercept and modify network traffic, invisibly. Thus, these attacks merit their own special countermeasures. Defenses include Static ARP tables Port rate limiting DHCP snooping with dynamic ARP inspection (DAI). Dynamic Host Configuration Protocol. This is a method for automatically configuring TCP/IP network settings on computers, printers, and other network devices Copyright © 2014 by McGraw-Hill Education. Summary The CIA triad is a well-known model, but there are many others. The onion model is a better defense than the lollipop. Trust is an important consideration in every network. Attacks can come from automated malicious code or from manual attackers. You can implement many countermeasures to minimize the risk of a successful attack, including securing the physical environment, keeping patches updated, using an antivirus scanner, using a firewall, securing user accounts, securing the file system, securing network shares, and securing applications. Security settings should be automated whenever possible and
  • 10. should be part of a computer security defense plan. Copyright © 2014 by McGraw-Hill Education. Systems Diagrams & Visualization (UML & Data Flow) Example Fast Food Restaurant System Diagrams & Visualization Example - Fast Food Restaurant • Create Data Flow and UML Diagrams to show the process of ordering food at a Fast-Food Restaurant. • Who are the players in the process (customer, clerk, cooks...)? • What automated systems are used in the process? • What activities work well, and which do not? • What changes have you noticed over the years to make the processes better (for the customer and for the business)? • What changes would you make to improve the processes and
  • 11. performance? • What data can be stored and used to analyze the performance of the systems (i.e. how can Analytics be used)? FastFood - Use Case Diagram Customer Cashier Place Order Pay Order Deliver Order The Use Case diagram is a high-level diagram that identifies an Actor’s interactions with a system. It is not meant to get into details. Details are covered in other types of diagrams. A Customer places an order with a Cashier (or Kiosk) and then pays the Cashier (or via the Kiosk). The Cashier then delivers the order to the Customer. Notice this does not try to show the different between a drive-in transaction versus a walk-in; Or a person or a kiosk (like Taco Bell or McDonalds)
  • 12. FastFood Activity Diagram Cashier Order System Payment System Cook Process Payment Process Order Request Payment Refund Difference Enter Order Display Order & Total Process Payment Confirm Payment & Refund Cook ItemsProcess Order Stage Items Order Complete?
  • 13. NO YES Deliver Order Stage Order Receive Order The Activity diagram provides details on the activities of a process using “Swim Lanes”. In this case, the customer places the order with the Cashier who enters the order and receives details from the Order system and enters the payment and receives details from the Payment system. Note in this diagram that the actual order is not transmitted to the Cook until the transactions are processed. How might this diagram be different if the customer used a Kiosk rather than a Cashier? FastFood - Sequence Diagram returnRefund (refund)
  • 14. placeOrder (orderList, exceptions) enterOrder (orderList, exceptions) displayOrder (orderList, exceptions, totalCost) confirmOrder (orderList, exceptions, totalCost) payBill (payment) processPayment (payment) confirmPayment (payment, refund) processOrder (orderList, exceptions) stageOrder (preparedItems) deliverOrder (packagedItems) x x Customer Cashier Order System Payment System The Sequence diagram shows the
  • 15. sequence of activities. The Customer places an order as a list of items (with exceptions) and the Cashier enters them into the Order system. The order is displayed back. The Customer makes a payment which triggers the order to the Cook and to the Payment system. The payment is displayed back, and the Cashier refunds any overpayment. The Cook stages the order items, and the Cashier gives them to the Customer when complete. Notice bars that extend down and represent the approximate time needed to satisfy an action. The X’s at the bottom represent the last actions. These just happen to end at the same time. Payment System Cook FastFood - Communication Diagram :: orderSystem:: paymentSystem 1. Place Order 5. Pay Bill
  • 16. 2. Enter Order 3. Display Order 8. Confirm Payment 10. Stage Order Customer Cashier Cook6. Process Order 4. Confirm Order 9. Refund 11. Deliver Order 7. Process Payment The Communication diagram shows the interaction of the actors/systems. Notice the numbers represent the sequence. Notice the symbols used to represent a system. FastFood Data Flow Diagram Level 0 1
  • 18. Total Bill Order List & Exceptions Packaged Order Prepared Items D1 Temp Data Store Order List & Exceptions Payment The Data Flow diagram shows how data flows within the process. This is Level 0 which is the highest level. A Temp Data Store is shown and could be incorporated in the next levels. FastFood - Statechart Diagram Pending Order Customer Places
  • 19. Order Confirmed Order Payment Made Staged Order Cooked Items placed in Bin Packaged Order Items placed in Bag Order given to Customer Request Payment Customer Notified of Cost Cook Order Order sent to Cook for Processing
  • 20. The Statechart diagram shows states (i.e. waiting for something) within the process. Once the Customer places the order, it is ‘pending’ approval (awaiting cashier data entry and system response). Once the Customer is told the cost, it is ‘pending’ customer acceptance and payment. Once payment is made, it is ‘pending’ acceptance by the cashier or card processor. Etc. Notice the loops indicating that all items are not finished cooking at the same time and are bagged as they are ready and discovered by the Cashier. FastFood - Class Diagram Cashier orderList exceptions totalCost payment
  • 22. Confirmed to The Class diagram shows the structure of a system. The top box provides the name of the class. The middle box contains the attributes (fields) of the class. The bottom box contains the operations the class can execute. Lines connect and describe the actions taken (Cashier processes a Payment and the Payment is confirmed by the Cashier); etc. receiveCustomerOrder() deliverOrderToCustomer() enterOrderInOrderSystem() placeOrderWithCook() receiveCustomerPayment() processPaymentInPaySystem() returnRefundToCustomer() processOrder() displayOrder() processPayment() confirmPayment()
  • 23. cookOrder() stageOrder() Systems Diagrams and Visualization Project Create the following UML diagrams to visualize the process of completing the IT project from the previous exercise (providing IT services for a new building): • Use Case diagram • Activity diagram • Communications diagram • Data Flow diagram Assume the following basic processes: 1. Procurement of all resources. 2. Setup of PCs and network servers. 3. Deployment and Testing of resources to the IT Area/Office. 4. Deployment and Testing of resources to the Administrative Area. 5. Deployment and Testing of resources to the Conference
  • 24. Room. 6. Deployment and Testing of resources to the Meeting Room. 7. Deployment and Testing of resources to the Individual Offices. 8. Deployment and Testing of resources to the Computer Labs. 9. Testing of all Other Locations. • Create a Use Case diagram to show all actors and the basic processes above o Procurement, Setup, Deployment & testing of each major location. • Create an Activity diagram to show the deployment and testing of resources into the Computer Labs o Network connectivity testing requires interaction between the PC and Network Specialist o Projector connectivity testing requires interaction between the PC and AV Specialist. • Create a Communications diagram to show collaboration between the PC Specialist, the Network Specialist and the AV Specialist during deployment and testing of resources into the Computer Labs. o If network connectivity issues arise, the PC Specialist will
  • 25. communicate with the Network Specialist. o If projector connectivity issues arise, the PC Specialist will communicate with the AV Specialist. • Create a Data Flow diagram to show the Procurement of all resources, based on this additional information: o The PC Specialist enters all purchases into the Purchase Application system once the resources are purchased. o The PC Specialists closes all purchases in the Purchase Application system once the resources are received.