Network Security Administrator

Module IV: Physical Security

Module Objectives

- Physical Security
- Types Of Attacks
- Physical Security Threats
- Access Controls
- Mantrap
- Fire Safety
- Laptop security
- Biometric Device
- Desktop Security
- PC Security
- Dumpster Diving
- Physical Security Checklist

EC-Council

Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited

Module Flow

1. Physical Security
2. Types Of Attacks
3. Physical Security Threats
4. Access Controls
5. Mantrap
6. Fire Safety
7. Laptop security
8. Biometric Device
9. Desktop Security
10. PC Security
11. Dumpster Diving
12. Physical Security Checklist

Physical Security

An attacker who gains physical access can obtain critical information related to an organization.
A few checks that should be ensured are:
- Servers and workstations should be secured
- Routers, switches and other network equipment should be used as an access point to the network
- Wireless access points of the network should be protected
- Laptops should be secured when connected externally on the network
- IT assets should be managed and theft prevented

Internet Security

Trusted Networks
Networks inside the network security perimeter

Untrusted Networks
Networks outside the security perimeter lacking privileges over administrator and security policies

Unknown Networks
Networks that are neither trusted nor untrusted and reside outside the security perimeter

Statistics

- According to the CSI/FBI Computer Crime Security Survey 2005, nearly 40% of victims do not report computer intrusions
- According to Nationwide Mutual Insurance, 16% of debit card victims bear the cost of fraudulent purchases
- A survey of consumers conducted by Nationwide revealed that 21% of the information is accessed by hackers from the victim's home, car, mailbox, trash, wallet, etc.
- The Global State of Information Security 2005 survey revealed that 37% of respondents had an information security strategy and 24% are still in the development process

Types of Attackers

The explorer
Intruder who browses through the whole site to learn how things work

The discontented workers
Ex-employees and current employees who are displeased with the organization

The spy
Intelligence agencies that deploy spies to gain confidential information

The terrorist
Exploits computer systems to carry out terrorist attacks

The thief
Attacks information security by stealing credit card numbers from e-commerce sites and breaching bank accounts

Types of Attackers (cont)

The hacktivist
Related to the cyber form of activism

The script kiddies
Utilize scripts and other automated attack tools, ignorant of what to do when unauthorized access is gained

Hacker for hire
Sneaker for performing ethical hacking
Mercenary hacker for performing social engineering attacks

The competition
Some companies competing with each other tend to obtain each other's confidential information

Enemy countries
Rival countries attacking the information security of other countries

Physical Security Threats

The basic need of computer security is to avoid physical access by unauthorized persons.
Ensure security in the following areas:

Access control
Constantly keep watch over unauthorized access of devices

Electricity
Guard against voltage fluctuations

Climatic conditions
Regulate the temperature of the place where devices are located

Fire
Prevent fire and install a fire alerting mechanism

Water
Secure machinery from floods and moisture

Backups
Keep backups away from magnetic fields

Physical Access Controls

Facilitate monitoring of the physical activities of people within and outside the organization

Facilities Management
Group of people who manage access controls for a particular building structure

Secure Facility
Physical location equipped with access controls that are intended to reduce the risks from physical threats

Physical Security Controls

Walls, Fencing and Gates
Prevent unauthorized access to the secure facility

Guards
Evaluate each situation as it arises by applying human reasoning

Dogs
Protect the most valuable resources with their strong sense of smell and hearing

ID Cards and Badges
Permit authorized individuals access within the secure facility

Physical Security Controls

Electronic Monitoring
Records the events in areas that other physical security controls may miss, using VCRs and CCTs

Alarms and Alarm Systems
Provide notification of the occurrence of predefined events using sensors and alarms

Computer Rooms and Wiring Closets
Guarantee the confidentiality, integrity and availability of critical data by wiring secretly

Interior Walls and Doors
Allow entry to only authorized people

Locks and Keys

Types of Lock

Mechanical
Uses a key made of carefully shaped pieces of metal

Electromechanical
Accepts keys like ID cards, radio signals, PINs

Categories of Lock

Manual
Fixed into doors and cannot be changed

Programmable
Allows key changes and can be changed

Electronic
Combination of sensor and mechanical lock, fixed into an alarm system

Biometric
Uses physical characteristics of a person as a key

TEMPEST

- Refers to investigating and understanding compromising emanations (CE)
- Compromising emanations are defined as unintentional intelligence-bearing signals
- Sources of TEMPEST signals:

Functional sources:
Use switching transistors, oscillators, signal generators, synchronizers, line drivers, and line relays for generating electromagnetic energy

Incidental sources:
Use electromechanical switches and brush-type motors for generating electromagnetic energy

TEMPEST signals:
- RED Baseband Signals (U)
- Modulated Spurious Carriers (U)
- Impulsive Emanations (U)
- Propagation of TEMPEST Signals (U)

Mantrap

- Provides alternate access for resources
- Consists of two separate doors with an airlock in between
- Restricts access to secure areas
- Permits users to enter the first door and requires authentication to exit from the second door

Security is provided in three ways:
- Poses difficulty in intruding through a single door
- Evaluates a person before discharging
- Permits only one user at a time

Mantrap: Diagrammatical Representation

[Figure: mantrap wiring diagram. Door 1 and Door 2 each have the inputs Request for access (Normally Open), Request for access (Normally Closed) and Door Closed Switch (Closed = Secure), and the outputs Magnetic Lock, Electric Strike and Green Light.]

Src: http://www.securitymagazine.com/Security/FILES/IMAGES/134664.gif
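
The interlock rules of the mantrap described above, written out as an added Python sketch that is not part of the original slides. The class, method names and the airlock occupancy sensor are assumptions made for the illustration; the scenarios are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Mantrap:
    """Two interlocked doors around an airlock (names here are hypothetical)."""
    door1_closed: bool = True        # door-closed switch: closed = secure
    door2_closed: bool = True
    occupants: int = 0               # assumed occupancy sensor in the airlock
    log: list = field(default_factory=list)

    def _decide(self, door, ok, reason):
        self.log.append(f"door{door} {'GRANT' if ok else 'DENY'}: {reason}")
        return ok

    def request_door1(self):
        """Outside request: release door 1 only if door 2 is secure and the airlock is empty."""
        if not self.door2_closed:
            return self._decide(1, False, "door 2 not secure")
        if self.occupants:
            return self._decide(1, False, "airlock occupied")
        self.door1_closed = False    # lock released, green light on
        return self._decide(1, True, "airlock empty")

    def enter_and_close(self, people=1):
        """People step in through the released door 1, which then closes and re-locks."""
        if self.door1_closed:
            raise RuntimeError("door 1 is locked")
        self.occupants += people
        self.door1_closed = True

    def request_door2(self, authenticated):
        """Inside request: release door 2 only for a single authenticated occupant."""
        if not self.door1_closed:
            return self._decide(2, False, "door 1 not secure")
        if self.occupants != 1:
            return self._decide(2, False, f"{self.occupants} occupants in airlock")
        if not authenticated:
            return self._decide(2, False, "authentication failed")
        self.door2_closed = False
        return self._decide(2, True, "single authenticated occupant")

    def clear(self):
        """Occupants have left (through a released door 2, or escorted out); both doors secure."""
        self.occupants = 0
        self.door1_closed = self.door2_closed = True


def run_scenarios():
    """Constructed scenarios: normal passage, tailgating, failed authentication."""
    trap, results = Mantrap(), {}
    trap.request_door1()
    trap.enter_and_close()
    results["normal"] = trap.request_door2(authenticated=True)
    results["door1_while_door2_open"] = trap.request_door1()
    trap.clear()
    trap.request_door1()
    trap.enter_and_close(people=2)
    results["tailgating"] = trap.request_door2(authenticated=True)
    trap.clear()
    trap.request_door1()
    trap.enter_and_close()
    results["failed_auth"] = trap.request_door2(authenticated=False)
    results["door1_while_occupied"] = trap.request_door1()
    return results, trap.log
```

The decision log is what a guard station or audit trail would review: every denial records which interlock condition was not met.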

Fire Safety: Fire Suppression, Gaseous Emission Systems

Fire Suppression

Portable System:
- Class A (interrupts ability of the fuel to be ignited)
- Class B (removes oxygen from the fire)
- Class C (uses nonconducting agents)
- Class D (uses special agents for combustible metal fire)
- Wet-pipe system

Gaseous System:
- Dry-pipe system
- Pre-action system

Gaseous Emission Systems
Self-pressurizing or pressurized with additional agent

Fire Safety: Fire Detection

Major Categories

Manual:
Includes human responses, manually activated alarms, etc.

Automatic:
Includes automatic fire alarms consisting of sensors

Basic Types

Thermal Detection:
Senses the heat in an area by fixed temperature and rate of rise methods

Smoke Detection:
Senses the smoke by photoelectric sensors, ionization sensors and air-aspirating detectors

Flame Detection:
Senses the infrared or ultraviolet light produced by open flame

Failure of Supporting Utilities: Heating, Ventilation, Air Conditioning

Temperature
Extremely high or low temperature causes damage to sensitive hardware

Humidity
High Humidity: Results in short-circuiting of electrical parts
Low Humidity: Increases the static electricity in the environment

Static Electricity
Increases electrostatic discharge that causes damage to sensitive circuits or shuts down the system

Ventilation Shafts
Provide a way for intruders to break into the system

Failures of Supporting Utilities: Power Management and Conditioning

Grounding
Guarantees proper discharge of the returning flow of current to the ground

Emergency Shutoff
Stops power immediately if a risk due to current arises

Water Problems
Too little or too much water both pose real, dangerous threats

Structural Collapse
Natural calamities cause failures of building structures

Uninterruptible Power Supplies

Backup power source that detects interruption of power to the power equipment

Standby or Offline UPS:
Offline battery backup that senses the interruption of power

Ferroresonant Standby UPS:
Enhancement of the standby UPS with a ferroresonant transformer that provides power conditioning and line filtering to the primary power source

Line-Interactive UPS:
Has a pair of inverters and converters that charge the battery and supply power when needed

True Online UPS:
Primary power source acts as a battery that provides continuous supply of power to the system

Skimming

- Process where the account information stored on the magnetic stripe of a credit/debit card is copied for use at an ATM
- Retrieves the PIN information
- A skimming device is a small electronic device about the size of a pager
- Skimming devices are of two types:
  - Devices that cause the ATM to malfunction
  - Devices that do not cause the ATM to malfunction

Laptop Security: Physical Security Countermeasures

- Deploy secure cables and locks to safeguard laptops
- Use safes made of polycarbonate material
- Activate motion sensors and alarms for tracking stolen laptops
- Fix warning labels containing tracking information on the laptops to deter thieves
- Other solutions applied are:
  - Installing encryption software
  - Using a personal firewall
  - Disabling infrared ports and wireless cards, and unplugging PCMCIA cards when not in use

Laptop Security: Information Security Countermeasures

- Create passwords that are difficult to guess
- Use device locking software to password protect USB ports and infrared ports
- Perform regular updates on operating system software to identify loopholes and vulnerabilities
- Install antivirus and spyware detection software
- Other measures include:
  - Disabling unnecessary user accounts and sessions of last user login
  - Maintaining backups of all significant data stored

Biometric Device

- Provides biological identification of a person involving eyes, voice, fingerprints, etc.
- Performs either identification or authentication
- Scan technologies:

Finger scan:
Identifies the configuration of peaks and valleys, or ridges, which distinguish one fingerprint from another

Facial scan:
Finding faces, matching faces against a database, and manually resolving 'matches' returned by the facial-scan system

Retinal scan:
Automatically images users who place their eyes in the correct position and authenticates them based on the distinctive features of the iris and the retina

Printer Security

- Restrict the use of printers for sensitive research data
- Be acquainted with the physical location of the printer as well as its functions and features
- Secure the printer against physical threats like fire, flood and earthquakes
- Keep track of the printer services, replaced components and the discarded non-repairable units
- Modify and replace the chip on the printer's circuit board to secure data against third-party interception
- Configure the printer with a print server that allows multitasking and employs mechanisms to control access

Desktop Security

People:

Education and awareness:
Educating people about the vulnerabilities and raising awareness to promote security consciousness among the users

Enforcement:
Ensures the security policy designed is effective and implemented

Process:
- Level of governance required for each organization
- Policies, baselines and procedures for building management support, system configuration and operational steps respectively
- User classification for desktop access and effective access control
- Review and audit to check and verify the compliance against baseline
- Penetration testing for managing desktop security

Desktop Security (cont)

Technology:

Centralized management:
Authorizes client applications to desktop
Enables users to log in from anywhere in the organization network and access the authorized information

Password protection:
Ensures authorized users are granted access to each application

Single Sign-On (SSO):
Passwords for multiple applications are captured and stored permanently and auto verified against every subsequent access

Desktop lock:
Protects unattended desktop from unauthorized access

Virus detection:
Detects the presence of viruses in stored files via the installed anti-virus software

File encryption:
Preserves the confidentiality and integrity of the information

Personal firewall:
Protects against external threats

PC Security: Boot Access

Dual booting:
- Uses a boot loader that enables the user to choose the operating system to boot
- Advantages:
  - Installing multiple operating systems on a single system minimizes the number of required systems
  - Guides the user in installing operating systems like Linux on Windows platform

Boot devices:
- Rescue disks used to recover corrupted systems
- User can boot from the CD or the floppy
- Examples: Trinux, TOMSRTBT

PC Security: BIOS Security

BIOS:
- BIOS settings secure the system
- Many tools exist that breach BIOS settings
- Configuring BIOS and LILO settings prevents such breaches
- Flashing the BIOS is another technique to clear the BIOS CMOS memory, which involves three ways:
  - Identification and utilization of a special jumper
  - Disabling the small lithium battery on the motherboard
  - Electrically shorting out two or more pins from the CMOS memory

BIOS Security: LILO Abuse

- LILO (Linux Loader) is a widely used boot loader for Linux
- Configuring LILO writes a prompt to the console and waits for user input
- By default, it boots Linux or Windows when there is no user input
- /etc/lilo.conf is the configuration file that holds all the possible boot options required by LILO
- Booting Linux to single user mode requires specifying:
  LILO Boot : linux 1
  (or)
  LILO Boot : linux t
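
An added example, not part of the original slides: a Python audit of lilo.conf text for the boot-prompt exposure described above, where anyone at the console can type boot parameters unless LILO is configured to ask for a password. The two sample configurations are constructed; `password`, `restricted` and `mandatory` are LILO's own options, while the function names are this example's.

```python
import stat

# Constructed sample configurations (not taken from the slides).
WEAK = """\
boot=/dev/sda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/sda1
other=/dev/sda2
    label=windows
"""
HARDENED = """\
boot=/dev/sda
prompt
timeout=50
password=PLACEHOLDER-SECRET   # stored in clear text, so protect the file
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/sda1
"""


def parse_lilo_conf(text):
    """Split lilo.conf text into global options and per-entry sections."""
    global_opts, sections = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("image", "other"):            # start of a boot entry
            current = {"path": value}
            sections.append(current)
        else:
            current[key] = value or True         # flags such as 'restricted'
    return global_opts, sections


def audit_lilo(text, mode):
    """Return ({label: policy}, findings) for the config text and its file mode."""
    global_opts, sections = parse_lilo_conf(text)
    policies, findings = {}, []
    for opts in sections:
        label = opts.get("label", opts["path"])
        if "password" not in opts and "password" not in global_opts:
            policies[label] = "open"
            findings.append(f"{label}: no password protects this boot entry")
        elif "mandatory" in opts or not ("restricted" in opts or "restricted" in global_opts):
            policies[label] = "mandatory"        # password needed for every boot
        else:
            policies[label] = "restricted"       # password needed only with parameters
    has_password = "password" in global_opts or any("password" in s for s in sections)
    if has_password and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("password is in clear text but the file is accessible to group/other")
    return policies, findings
```

On a real system, pass the file's contents and `stat.S_IMODE(os.stat("/etc/lilo.conf").st_mode)`; changes to lilo.conf take effect only after `lilo` is run again.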

Premise Security

- Premises is the physical area wherein the hardware is located
- Security should be enforced in the following areas by identifying:
  - Malicious damage that threatens the business requirements
  - Non-availability of essential services
  - Accidental damage
  - Equipment theft
  - Unauthorized access to confidential information
  - Physical threats like fire, flood, etc.

Reception Area

- Benchmark normal arrival routines of persons and compare new arrival behavior
- Offer proper space, correct eye contact and non-confrontational facial expressions or posture while encountering people
- Heed intuition and sixth sense to prevent situations that are perilous to the organization
- Counsel people based on their requirements by guiding them to the respective staff who offer genuine assistance
- Distinguish suspicious persons:
  - Thieves, who comprise opportunists and probers
  - Solicitors and pedlars
  - Charity organizations
  - Ex-employees of the organization
  - People involved in moving office properties

Office Security

Weak elements of the office involve work areas, garbage bins, consoles and laptops.
Examples of locations that are prone to attacks:
- Post-it notes attached to the monitor containing passwords
- Open desk drawer containing sensitive information
- Notebook containing user names, system names and passwords
- Printouts, floppy disks, CD-ROMs, archive tapes and fax machines that hold information such as source code, email, database records
- Telephone list that can be used to perform a war dialing attack
- Manuals, memos, charts, calendars and letterheads that contain confidential information, agendas, network configuration, services, etc.

Dumpster Diving

- Searching the garbage of the targeted company to acquire information
- Obtained information may include credit card receipts, phone books, calendars, manuals, tapes, CDs, floppies, etc.
- Sensitive information, though removed, still resides in the system's recycle bin and can be restored back to the normal location
- Countermeasures:
  - Delete all contents from the storage device to prevent
  - Shredding of hard copies of data

Physical Security Checklist

Physical security protects:
- Stored information resources
- Operating location
- Functions of the information systems

Checklist for ensuring security:
- Fix strong windows and locks
- Place servers in dedicated rooms behind locked doors and windows
- Install air-conditioning and fire detection systems
- Maintain an inventory of all systems, memory, processors, etc.
- Maintain backups of critical information
- Insure business against unforeseen hazards

Summary

- An attacker who gains physical access can obtain critical information related to an organization
- According to the CSI/FBI Computer Crime Security Survey 2005, nearly 40% of victims do not report computer intrusions
- TEMPEST refers to investigating and understanding compromising emanations (CE)
- Mantrap provides alternate access for resources
- Skimming is a process where the account information stored on the magnetic stripe of a credit/debit card is copied for use at an ATM
- Biometric performs either identification or authentication
- Printer Security restricts the use of printers for sensitive research data
- Premises is the physical area wherein the hardware is located
- Dumpster diving is searching the garbage of the targeted company to acquire information