Lesson 3 - Operational/Organizational Security
Background • The operational model of computer security states that: • Prevention technologies keep unauthorized individuals from gaining access to systems or data. • In an operational environment, prevention is difficult. • Relying on prevention technologies alone is not sufficient: they are put in place and then generally left alone (static). • Detection and response technologies are dynamic. • They acknowledge that security is an ongoing process.
Security Operations • Policies • High-level, broad statements of what the organization wants to accomplish. • Made by management when laying out the organization's position on an issue. • Standards • Mandatory elements regarding the implementation of a policy. • Accepted specifications of the specific details of how a policy is to be implemented or enforced. • Procedures • Step-by-step instructions that describe exactly how employees are expected to act in a given situation or to accomplish a specific task. • Guidelines • Recommendations relating to a policy. • Not mandatory.
Policy Cycle • Because the network constantly changes, the policies, procedures, and guidelines should be periodically monitored, evaluated, and changed if necessary. • The four steps of the policy life cycle are: • Plan (Adjust) = The organization develops the policies, procedures, and guidelines that define the security components protecting the network. • Implement = Putting any policy, procedure, or guideline into effect requires an instruction period so that those affected learn its contents. • Monitor = Ensures that the hardware, software, policies, procedures, and guidelines are effective in securing the systems. • Evaluate = Includes a vulnerability assessment and penetration test of the system to confirm that security meets expectations. • After evaluating the organization's security posture, the process restarts at step one, this time adjusting the security mechanisms already in place. Evaluation is a continuous process.
IDS • An Intrusion Detection System is often part of the security perimeter and is used for monitoring. • The IDS may be placed inside the firewall, outside it, or on both sides. • The specific location depends on what the company is more concerned about (the insider threat or external threats). • Beyond this security perimeter is the corporate network. • This is a simplified depiction; an actual network may have numerous subnets and extranets.
More Complex Networks • Organizations may have a telephone network connected to the public switched telephone network (PSTN). • Unauthorized modems may exist, so the telephone network must be considered a possible access path into the data network. • The biggest danger to any organization comes from insiders rather than from external attacks.
Physical Security • Physical access to computer systems and networks should be restricted to authorized users. • Points of entry such as doors and windows should be examined. • Floors and ceilings should be scrutinized for possible access points. • There should be increased security for servers, firewalls, and IDS sensors. • Are there monitoring systems, alarm systems, or security cameras? • Who has access to the facility? • What procedures are in place to respond to unauthorized access? • Physical access control can be based on: • Something individuals have (a key). • Something they know (a combination). • Something they are (biometrics). • Portable devices such as PDAs and laptops also need to be protected.
Locks • A lock is the most common physical access control device. • Combination locks depend on something the individual knows, but combinations must be remembered and are hard to control. • Key locks depend on something the individual has (the key). • Key locks are simple and easy to use, but keys may be lost. • Keys may also be copied and are hard to control. • Newer locks replace the traditional key with a card that is swiped through a reader or held against it. • The individual may also have to provide a personal access code, making this both a something-you-know and a something-you-have method.
Access Control Logs • Other common physical security devices: • video surveillance • control logs (sign-in logs). • Sign-in logs do not provide an actual barrier; they provide a record of access. • Used in conjunction with a guard who verifies an individual's identity, they dissuade potential adversaries from attempting to gain access. • Guards provide an extra level of examination of individuals. • Security guards can counter piggybacking (following an authorized person through a door without badging in).
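Access logs are only a record, but that record is what lets you find piggybacking after the fact. The following is an added example, not part of the lecture: it walks a constructed badge-reader log (timestamp, badge, door, direction) and flags "anti-passback" violations, meaning a badge that exits without having entered, or enters twice without an exit in between. Either pattern means someone passed a door without badging. The log format and badge IDs are assumptions for the example; real access-control exports have their own fields.

```python
"""Detect piggybacking (anti-passback violations) in a badge-reader log.

Added example, not from the lecture. The log format below is an assumption
for the example: ISO timestamp, badge id, door name, direction (IN/OUT).
"""
from collections import defaultdict

# Constructed sample log (not real data). B1001 badges OUT twice without an
# IN in between, B1002 badges IN twice without an OUT, and B1004 badges OUT
# having never badged IN: each one is a door crossing that was not logged.
SAMPLE_LOG = """\
2024-03-04T08:01:12 B1001 LOBBY IN
2024-03-04T08:02:30 B1002 LOBBY IN
2024-03-04T08:03:05 B1003 LOBBY IN
2024-03-04T08:45:00 B1001 LOBBY OUT
2024-03-04T08:47:10 B1001 LOBBY OUT
2024-03-04T09:10:00 B1002 LOBBY IN
2024-03-04T17:30:00 B1004 LOBBY OUT
"""


def parse_log(text):
    """Split the log into (timestamp, badge, door, direction) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction = line.split()
        events.append((ts, badge, door, direction))
    return events


def find_passback_anomalies(events):
    """Return (timestamp, badge, door, reason) for every event that is
    inconsistent with the badge's known inside/outside state.

    IN while already inside  -> the earlier exit was not badged (tailgated out)
    OUT while not inside     -> the earlier entry was not badged (tailgated in)
    """
    inside = defaultdict(bool)  # badge -> currently inside the facility?
    anomalies = []
    for ts, badge, door, direction in events:
        if direction == "IN":
            if inside[badge]:
                anomalies.append((ts, badge, door,
                                  "IN while already inside: earlier exit not badged"))
            inside[badge] = True
        elif direction == "OUT":
            if not inside[badge]:
                anomalies.append((ts, badge, door,
                                  "OUT without prior IN: entry not badged"))
            inside[badge] = False
        else:
            anomalies.append((ts, badge, door, f"unknown direction {direction!r}"))
    return anomalies


if __name__ == "__main__":
    for anomaly in find_passback_anomalies(parse_log(SAMPLE_LOG)):
        print(*anomaly)
```

On the sample log this reports three anomalies (B1001's second OUT, B1002's second IN, and B1004's OUT). In practice a guard or camera review of those timestamps is the follow-up; the log alone cannot say who actually walked through.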
Biometrics • Uses something unique about the individual. • It is expensive. • Can control access to computer systems, networks, and physical access control devices. • Provides an additional layer of security and is normally used in conjunction with another method. • Biometric devices are not 100 percent accurate: they may allow access to unauthorized individuals (false accepts) and may also turn away legitimate users (false rejects).
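"Not 100 percent accurate" is a threshold decision, not a fixed property of the device. The example below is added here and is not from the lecture: a matcher produces a similarity score, and wherever the accept threshold is set, some impostors score above it (false accept rate, FAR) and some genuine users score below it (false reject rate, FRR). The score lists are constructed for the example; real matchers have their own distributions and vendors quote FAR/FRR for the thresholds they ship.

```python
"""Biometric matcher accuracy: the false-accept / false-reject trade-off.

Added example, not from the lecture. GENUINE_SCORES and IMPOSTOR_SCORES are
constructed similarity scores (0..100) from a hypothetical matcher.
"""

# Constructed: genuine = a person compared against their own enrolled
# template; impostor = a different person compared against that template.
GENUINE_SCORES = [88, 91, 79, 95, 84, 72, 90, 86, 93, 68, 81, 89]
IMPOSTOR_SCORES = [31, 45, 52, 28, 61, 39, 74, 48, 55, 33, 66, 42]


def false_accept_rate(impostor, threshold):
    """Fraction of impostor attempts scoring at or above the threshold;
    these would be granted access."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine, threshold):
    """Fraction of genuine attempts scoring below the threshold; these
    legitimate users would be turned away."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def rates_at(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(FAR, FRR) at a given accept threshold."""
    return (false_accept_rate(impostor, threshold),
            false_reject_rate(genuine, threshold))


def threshold_for_max_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest integer threshold whose FAR does not exceed max_far, together
    with the FAR and the FRR that choice costs. Security-sensitive sites
    fix a FAR ceiling first and accept the resulting FRR."""
    for t in range(0, 101):
        far = false_accept_rate(impostor, t)
        if far <= max_far:
            return t, far, false_reject_rate(genuine, t)
    return None


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold where FAR and FRR are closest (the equal-error-rate point),
    the usual single-number way to compare matchers."""
    best = min(range(0, 101),
               key=lambda t: abs(false_accept_rate(impostor, t)
                                 - false_reject_rate(genuine, t)))
    return best, rates_at(best, genuine, impostor)


if __name__ == "__main__":
    for t in (50, 65, 70, 75, 85):
        far, frr = rates_at(t)
        print(f"threshold {t:3d}: FAR={far:.3f} FRR={frr:.3f}")
    print("lowest threshold with zero false accepts:", threshold_for_max_far(0.0))
    print("equal-error threshold:", equal_error_threshold())
```

With these scores, driving FAR to zero requires a threshold of 75 and costs a 1-in-6 false reject rate, while the equal-error point sits at 69 with FAR and FRR both 1 in 12. That residual FAR is why the lecture pairs biometrics with a second method rather than relying on it alone.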
Weaknesses of Authentication • All forms of authentication have weaknesses that can be exploited. • For this reason, "strong authentication" or "two-factor authentication" should be used. • These methods combine two of the three types of authentication factor (something the user has, knows, or is). • Discussion: what are some other forms of multifactor authentication?
Physical Barriers • Physical barriers implement the physical-world equivalent of layered security. • The outermost layer of physical security contains the public activities: guards, concrete blocks to stop cars, open spaces. • Signs should indicate what is private and what is public. • An individual progresses through the layers. • The barriers and security mechanisms of the inner layers should become less visible, making it more difficult for observers to determine what mechanisms are in place.
Environmental • HVAC systems are often computer-controlled and provide remote access via telephone connections. • These connections should be protected in the same manner as computer modems. • Electrical power is subject to momentary surges and disruptions. • Surge protectors protect sensitive electronic equipment from fluctuations in voltage. • An Uninterruptible Power Supply (UPS) should be considered for critical systems so that a loss of power does not halt processing.
Natural Disasters • Storms and floods call for devices that sense water in a facility and warn of impending problems. • Frequent hurricanes, earthquakes, or tornadoes in an area call for reinforced facilities to protect important processing equipment. • All of these are reasons for an active program of frequent backups of critical data with off-site storage. • Off-site storage protects against total loss of the organization's critical data. • When considering backup and contingency plans, also consider backup processing locations, in case a disaster destroys not only the data at the organization's primary site but all processing equipment as well.
Fire Suppression • A fire needs fuel, oxygen, and high temperature for combustion to occur; if any of these is removed, the fire will not continue. • Water-based fire suppression systems are primarily used to address and control structural fires. If equipment gets wet: • Open cabinet doors, remove side panels, and pull out chassis drawers to allow water to run out. • Set up fans to move room-temperature air through the equipment. • Use compressed air at no higher than 50 psi to blow out trapped water. • Use hand-held dryers on their lowest settings.
Halon • Halon-based fire suppression systems interfere with the chemical chain reaction of combustion. • Halon mixes quickly with the air in a room and does not harm computer systems. • It is dangerous to humans when subjected to extreme temperatures (fire), because it degrades into toxic chemicals. • It is linked to ozone depletion, and its production has been banned since 1994. • Although the EPA mandates no further production, existing systems are not required to be destroyed.
Clean Agent • Clean-agent fire suppression systems have replaced Halon and include carbon dioxide, argon, Inergen, and FM-200 (heptafluoropropane). • CO2 displaces oxygen so that the amount remaining is insufficient to sustain the fire; it also cools the fire zone and reduces the concentration of gasified fuel. Unlike the inert-gas mixtures below, CO2 at extinguishing concentrations is hazardous to people, so CO2 systems are used in unoccupied spaces or with pre-discharge alarms and delays. • Argon extinguishes fire by lowering the oxygen concentration from the roughly 15 percent required for items to burn to about 12.5 percent. • Inergen is composed of three gases: 52 percent nitrogen, 40 percent argon, and 8 percent carbon dioxide. • Like argon systems, Inergen systems reduce the oxygen level to about 12.5 percent, which is sufficient for human safety but not sufficient to sustain a fire.
Hand-held Fire Extinguishers • Can be used if a fire is caught and contained before the automatic systems discharge. • Result in significant savings in time and equipment costs (including the cost of recharging the automatic system). • Are commonly used in offices.
Detection • Fire detection devices locate a fire before a fire suppression system is activated. • Smoke detectors come in two varieties, ionization and photoelectric; both are commonly called smoke detectors, and combination units exist. • A photoelectric device monitors an internal beam of light. • If something obstructs or degrades the beam, the detector assumes it is smoke and sounds the alarm. • An ionization chamber uses a small radioactive source to detect fast-burning fires. • The chamber has two plates, one positive and one negative. • Oxygen and nitrogen molecules in the air become ionized. • The movement of the ions creates a small electric current that the device measures. • Smoke inhibits this process; the drop in current is detected and an alarm sounds.
Fire Detection • Fire detectors are activated by heat or flame. • Heat • Fixed-temperature (fixed-point) devices activate if the temperature in the area ever exceeds a predefined level. • Rate-of-rise (rate-of-increase) devices activate when there is a sudden increase in the local temperature. • Rate-of-rise sensors give earlier warning but also produce more false alarms. • Flame • The flames of a fire produce a change in infrared energy that the sensor detects. • Flame detectors are more expensive but can frequently detect a fire sooner.
Wireless Networks • In everyday use, "wireless communication" often refers to cellular phones. • A cell phone network consists of phones, cells, hardware, and software. • The base stations are made up of antennas, receivers, transmitters, and amplifiers. • An individual may exit and enter multiple cells during a call. • Bluetooth is a short-range Personal Area Network (PAN) technology targeted at mobile phones, PDAs, peripherals, and laptop computers. • Bluetooth creates a low-cost wireless communication network. • The IEEE 802.11 (Wi-Fi) standards are well suited for computer LANs. • Wireless networks are also a security risk. • The coverage areas of the access points are not easily controlled, so the network can be reached, and attacked, from outside the physical perimeter.
Emanation Security • Electronic eavesdropping can be accomplished by picking up and decoding the electromagnetic emanations produced by monitors and other equipment. • TEMPEST (often expanded as Transient Electromagnetic Pulse Emanation Standard) is the name of the military program to control electronic emanations from electrical equipment. • Emanations security (EMSEC) comprises the measures designed to reduce susceptibility to such eavesdropping; the term is primarily used in the military. See TEMPEST and emanation. • With the appropriate equipment, an exact image of what is being displayed can be re-created some distance away.
Shielding • There are three ways to prevent these emanations from being picked up by an attacker: • Place the equipment beyond the distance at which the emanations can be picked up. • Shield the equipment itself. • Put the equipment in a shielded enclosure (such as a room). • All of these solutions can be costly. • The cost of shielding is so substantial that in most cases it probably cannot be justified. • A "TEMPEST-approved" computer costs at least double what a normal computer would.