Security fundamentals

1. Security fundamentals Topic 11 Maintaining operational security

2. Agenda • Establishing site security • Secure removable media • Secure mobile devices • Secure disposal of equipment • Business continuity

3. Site security • Physical access control • Secure with lock and key • Protection from theft, disasters and accidents • Unencrypted data can be accessed if physical access to servers can be obtained • Access only to authorised personnel with a specific reason to access • Most maintenance and configuration tasks can be performed remotely • Concentric rings: lock server room, lock rack cabinet etc • Sign-in log for access to server room, cameras, key cards, monitoring • Building integrity and security: floors, walls and ceilings • Biometrics for access control (eg doors) • Fingerprints/hand geometry, retinal scans, speech or face recognition

4. Human factor • Compromise between the need to protect and the need to provide access • If security methods are too restrictive, users will try to circumvent them • Educate and train users on the need to follow secure practices and the dangers and consequences of insecure practises • Social engineering to trick users into revealing information that could compromise the system

5. Environment • Data centres and server rooms typically have • Air conditioning, air filtration, humidity control, power conditioning • Fire suppression • Flood the room with inert gas replacing the oxygen • Fire put out without water and foam • Emergency alarms for evacuation • FE-13 and FE-36 gas less damaging to ozone layer that halon • Wireless networking • Issue of signal range, careful placement of antennas • Minimise transmission power levels • Shield the operational area • Encrypt wireless communications • Cellular communications has greater risks as it has a greater signal range

6. Disaster recovery • Any occurrence that prevents your network from operating properly • Backups: • Regular backups and testing with regular restores • Operating systems and backup software must be installed first before recovery begins – increases recovery time • Offsite storage • Keeping offsite data confidential – vault or fireproof safe and protected with access control • Replacement hardware – will backups work on newer hardware? • Secure recovery • Alternate sites • Mirrored servers in a protected environment • Computers, office space, temporary workers • Test platform for emergency services • Hot site – immediate failover; cold site – restores required • Disaster recovery plan • What tasks must be done • Who is responsible for doing them?

7. Securing removable media • How to secure confidential data and how to dispose of media • Floppy disks • Disable floppy disk drives or remove • Clean by passing through a magnetic field • Hard disks • Limit the use of removable disks to servers and physically secure computers • Very portable, but fragile if dropped • Writable optical media • 5GB on DVD, 700 MB on CD, small backups and archives • Protect disks from scratches and sunlight • Password protect the disk or encrypt the data if required • Limit writable drives (install CD, DVD Rom) and disable USB ports

8. Securing removable media • Magnetic tape • Low cost, high speed, large capacity • Robotic tape changers for allow for unattended backups • QIC, DAT, DLT, LTO • Not random access • Limit the use of tape drives and encrypt the data • Flash media • High capacity and small size • Protect data by encrypting • Disable USB ports • Smart cards • Information on card is encrypted • Cards can be lost or stolen, so not sufficient to authenticate as the only method • Authentication when used with PIN or password

9. Securing mobile devices • Antitheft devices • Motion alarms, locking cables and tracking equipment • Identifying marks and colours • ID engraving • Data encryption • Confidential data • Monitor use when connected to the network

10. Secure disposal • Ensure permanent erasure of all data from computer and media • To permanently destroy data: • Use specialised software to overwrite data multiple times • Cipher to remove data from cmd • Degauss by exposing to strong magnetic field • Physically destroy the media • Floppies – magnetise and shred disks • Tapes – overwrite multiple times and shred • Hard drives – repeated overwriting • Optic media – destroy the disk, don’t burn due to toxic fumes • Documents • Shred paper documents to protect from dumpster diving

11. Business continuity • Planning phase: • Identify the mission-critical processes • Identify all of the resources required for the mission-critical processes to operate • Rate the relative importance of the mission-critical processes • Decide on a course of action to undertake for each mission-critical process • If critical, move process to a branch office or activate a fallback facility with backup equipment • If less critical, consider purchasing insurance to cover the financial losses resulting from the interruption • Implement the plan • Test the plan regularly and train employees

12. Business continuity preparation • Backup data and store copies offsite • High availability and fault tolerance • Raid for disk failure • Clustered servers for server failure • Mirrored servers at alternate location • Duplicate office configuration • Duplicate WAN links • Procurement plans and contracts to replace equipment and personnel • Utilities • Power • UPS, backup generator with failover switch • Water • Mail and courier services

13. Lesson summary • How to go about establishing site security • Types of removable media and mobile devices, and how to secure them • How to securely dispose of equipment • What to consider to maintain business continuity