1. Chapter 10: Operational Security
Security+ Guide to Network Security Fundamentals, Second Edition
2. Objectives
Harden physical security with access controls
Minimize social engineering
Secure the physical environment
Define business continuity
Plan for disaster recovery
3. Hardening Physical Security with Access Controls
Adequate physical security is one of the first lines of defense against attacks
Protects equipment and the infrastructure itself
Has one primary goal: to prevent unauthorized users from reaching equipment to use, steal, or vandalize
4. Hardening Physical Security with Access Controls (continued)
Configure an operating system to enforce access controls through an access control list (ACL), a table that defines the access rights each subject has to a folder or file
Access control also refers to restricting physical access to computers or network devices
5. Controlling Access with Physical Barriers
Most servers are rack-mounted servers
A rack-mounted server is 1.75 inches (4.45 cm) tall and can be stacked with up to 50 other servers in a closely confined area
Rack-mounted units are typically connected to a KVM (keyboard, video, mouse) switch, which in turn is connected to a single monitor, mouse, and keyboard
6. Controlling Access with Physical Barriers (continued)
7. Controlling Access with Physical Barriers (continued)
8. Controlling Access with Physical Barriers (continued)
In addition to securing a device itself, you should also secure the room containing the device
Two basic types of door locks require a key:
A preset lock (key-in-knob lock) requires only a key for unlocking the door from the outside
A deadbolt lock extends a solid metal bar into the door frame for extra security
To achieve the most security when using door locks, observe the good practices listed on pages 345 and 346 of the text
9. Controlling Access with Physical Barriers (continued)
Cipher locks are combination locks that use buttons you push in the proper sequence to open the door
Can be programmed to allow only the code of certain people to be valid on specific dates and times
Basic models can cost several hundred dollars each while advanced models can run much higher
Users must be careful to conceal which buttons they push to avoid someone seeing the combination (shoulder surfing)
10. Controlling Access with Physical Barriers (continued)
Other physical vulnerabilities should be addressed, including:
Suspended ceilings
HVAC ducts
Exposed door hinges
Insufficient lighting
Dead-end corridors
11. Controlling Access with Biometrics
Biometrics uses a person’s unique characteristics to authenticate that person
Some human characteristics used for identification include fingerprint, face, hand, iris, retina, and voice
Many high-end biometric scanners are expensive, can be difficult to use, and can produce false positives (accepting unauthorized users) or false negatives (restricting authorized users)
12. Minimizing Social Engineering
The best defenses against social engineering are a strong security policy along with adequate training
An organization must establish clear and direct policies regarding what information can be given out and under what circumstances
13. Securing the Physical Environment
Take steps to secure the environment itself to reduce the risk of attacks:
Limiting the range of wireless data signals
Shielding wired signals
Controlling the environment
Suppressing the risk of fires
14. Limiting Wireless Signal Range
Use the following techniques to limit the wireless signal range:
Relocate the access point
Substitute 802.11a for 802.11b
Add directional antenna
Reduce power
Cover the device
Modify the building
15. Shielding a Wired Signal
The insulation and shielding that cover a copper cable do not always prevent the signal from leaking out, or prevent a stronger outside signal from affecting the data transmission on the cable
This interference (noise) can be of several types
Radio frequency interference (RFI) refers to interference caused by broadcast signals from a radio frequency (RF) transmitter, such as from a commercial radio or television transmitter
16. Shielding a Wired Signal (continued)
Electromagnetic interference (EMI) may be caused by a variety of sources
A motor or another source of intense electrical activity can create an electromagnetic signal that interferes with a data signal
EMI can also be caused by cellular telephones, citizens’ band and police radios, small office or household appliances, fluorescent lights, or loose electrical connections
17. Shielding a Wired Signal (continued)
The source of near end crosstalk (NEXT) interference is usually another data signal being transmitted on an adjacent wire
Loss of signal strength is known as attenuation
Two types of defenses are commonly referenced for shielding a signal
Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST)
Faraday cage
18. Shielding a Wired Signal (continued)
TEMPEST
Classified standard developed by the US government to prevent attackers from picking up stray RFI and EMI signals from government buildings
Faraday cage
Metallic enclosure that prevents the entry or escape of an electromagnetic field
Consists of a fine-mesh copper screening directly connected to an earth ground
19. Reducing the Risk of Fires
In order for a fire to occur, four entities must be present at the same time:
Sufficient oxygen to sustain the combustion
Enough heat to raise the material to its ignition temperature
Some type of fuel or combustible material
A chemical reaction that is the fire itself
20. Reducing the Risk of Fires (continued)
Refer to page 355 for the types of fires, their fuel source, how they can be extinguished, and the types of handheld fire extinguishers that should be used
Stationary fire suppression systems are also used; these integrate into the building’s infrastructure and release a suppressant into the entire room
21. Reducing the Risk of Fires (continued)
Systems can be classified as:
Water sprinkler systems that spray the room with pressurized water
Dry chemical systems that disperse a fine, dry powder over the fire
Clean agent systems that do not harm people, documents, or electrical equipment in the room
22. Understanding Business Continuity
Process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize
Business continuity management is concerned with developing a business continuity plan (BCP) addressing how the organization can continue in the event that risks materialize
23. Understanding Business Continuity (continued)
The basic steps in creating a BCP:
Understand the business
Formulate continuity strategies
Develop a response
Test the plan
24. Maintaining Utilities
Disruption of utilities should be of primary concern for all organizations
The primary utility that a BCP should address is electrical service
An uninterruptible power supply (UPS) is an external device located between an outlet for electrical power and another device
Primary purpose is to continue to supply power if the electrical power fails
25. Maintaining Utilities (continued)
A UPS can complete the following tasks:
Send a special message to the network administrator’s computer, or page or telephone the network manager to indicate that the power has failed
Notify all users that they must finish their work immediately and log off
Prevent any new users from logging on
Disconnect users and shut down the server
26. Establishing High Availability through Fault Tolerance
The ability to endure failures (fault tolerance) can keep systems available to an organization
Prevents a single problem from escalating into a total disaster
Can best be achieved by maintaining redundancy
Fault-tolerant server hard drives are based on a standard known as Redundant Array of Independent Drives (RAID)
27. Creating and Maintaining Backups
Data backups are an essential element in any BCP
Backup software can internally designate which files have already been backed up by setting an archive bit in the properties of the file
Four basic types of backups:
Full backup
Differential backup
Incremental backup
Copy backup
28. Creating and Maintaining Backups (continued)
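The slides say backup software tracks what has already been saved through the archive bit. The following is an added example, not code from the slides or the textbook, that simulates that bit to show which files each of the four backup types copies and which types clear the bit afterwards; the three file names are constructed.

```python
# Added example (not from the slides): simulates the archive bit that backup
# software reads to decide which files a full, differential, incremental or
# copy backup must include, and which of those backups clear the bit.
from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive: bool = True  # the OS sets this whenever the file is created or changed


def modify(files, name):
    """Simulate a write to one file: the OS turns its archive bit back on."""
    for f in files:
        if f.name == name:
            f.archive = True


def backup(files, kind):
    """Run one backup of `kind`; return the names copied and update archive bits.
    full         copies everything and clears every archive bit
    differential copies files whose bit is set and leaves the bits set
    incremental  copies files whose bit is set and clears them
    copy         copies everything and leaves the bits untouched
    """
    if kind in ("full", "copy"):
        selected = [f.name for f in files]
    elif kind in ("differential", "incremental"):
        selected = [f.name for f in files if f.archive]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("full", "incremental"):
        for f in files:
            if f.name in selected:
                f.archive = False
    return selected


def simulate_week(strategy):
    """Full backup Monday, then a `strategy` backup after each day's edits.
    Returns {day: files copied} for a constructed three-file set."""
    files = [File("payroll.db"), File("policy.doc"), File("hosts.ini")]
    log = {"mon": backup(files, "full")}
    modify(files, "payroll.db")
    log["tue"] = backup(files, strategy)
    modify(files, "policy.doc")
    log["wed"] = backup(files, strategy)
    backup(files, "copy")  # an ad hoc copy backup must not disturb the chain
    modify(files, "hosts.ini")
    log["thu"] = backup(files, strategy)
    return log
```

Running both strategies shows the trade-off: Thursday's differential set holds all three changed files (restore = full + latest differential), while Thursday's incremental set holds only hosts.ini (restore = full + every incremental since).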
29. Creating and Maintaining Backups (continued)
Develop a strategy for performing backups to make sure you are storing the data your organization needs
A grandfather-father-son backup system divides backups into three sets:
A daily backup (son)
A weekly backup (father)
A monthly backup (grandfather)
30. Creating and Maintaining Backups (continued)
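The grandfather-father-son scheme above only names the three sets; this added example (not from the slides or the textbook) works out which set a given day's backup lands in and how many physical tapes the rotation needs. The schedule is an assumption: sons Mon-Thu reused weekly, a father every Friday reused monthly, and the last Friday of each month promoted to a grandfather reused yearly.

```python
# Added example (not from the slides): assigns each backup day to its
# grandfather-father-son set and names the tape that set reuses. Assumed
# schedule: daily "son" Mon-Thu (tapes reused weekly), weekly "father" on
# Friday (reused monthly), monthly "grandfather" on the last Friday (reused yearly).
from datetime import date, timedelta

FRIDAY = 4  # date.weekday() numbering


def gfs_tier(day_iso, weekly_day=FRIDAY):
    """Return 'son', 'father' or 'grandfather' for a backup taken on day_iso (YYYY-MM-DD)."""
    day = date.fromisoformat(day_iso)
    if day.weekday() != weekly_day:
        return "son"
    # The last weekly_day of the month is promoted to the monthly set
    if (day + timedelta(days=7)).month != day.month:
        return "grandfather"
    return "father"


def tape_label(day_iso, weekly_day=FRIDAY):
    """Name of the physical tape overwritten on day_iso under the rotation."""
    day = date.fromisoformat(day_iso)
    tier = gfs_tier(day_iso, weekly_day)
    if tier == "son":
        return f"son-{day.strftime('%a')}"          # one tape per weekday, reused weekly
    if tier == "father":
        return f"father-{(day.day - 1) // 7 + 1}"   # week of month 1..4, reused monthly
    return f"grandfather-{day.strftime('%b')}"      # one tape per month, reused yearly


def tapes_in_rotation(start_iso, ndays, weekly_day=FRIDAY):
    """Distinct tapes a site must own to run Mon-Fri backups for ndays from start_iso."""
    start = date.fromisoformat(start_iso)
    labels = set()
    for d in range(ndays):
        day = start + timedelta(days=d)
        if day.weekday() < 5:                        # weekends skipped (assumption)
            labels.add(tape_label(day.isoformat(), weekly_day))
    return sorted(labels)
```

Over calendar year 2024 this rotation consumes 20 tapes: four sons, four fathers (the fourth only in months with five Fridays) and twelve grandfathers.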
31. Planning for Disaster Recovery
Business continuity is concerned with addressing anything that could affect the continuation of service
Disaster recovery is more narrowly focused on recovering from major disasters that could cease operations for an extended period of time
Preparing for disaster recovery always involves having a plan in place
32. Creating a Disaster Recovery Plan (DRP)
A DRP is different from a business continuity plan
Typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning
Should be a detailed document that is updated regularly
All DRPs are different, but they should address the common features shown in the outline on pages 367 and 368 of the text
33. Identifying Secure Recovery
Major disasters may require that the organization temporarily move to another location
Three basic types of alternate sites are used during or directly after a disaster
Hot site
Cold site
Warm site
34. Identifying Secure Recovery (continued)
A hot site is generally run by a commercial disaster recovery service that allows a business to continue computer and network operations to maintain business continuity
A cold site provides office space, but the customer must provide and install all equipment needed to continue operations
A warm site has all equipment installed but does not have active Internet or telecommunications facilities
35. Protecting Backups
Data backups must be protected from theft and normal environmental elements
Tape backups should be protected against strong magnetic fields, which can destroy a tape
Be sure backup tapes are located in a secure environment that is adequately protected
36. Summary
Adequate physical security is one of the first lines of defense against attacks
Physical security involves restricting access with access controls, minimizing social engineering attacks, and securing the environment and infrastructure
Business continuity is the process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize
37. Summary (continued)
Disaster recovery is focused on recovering from major disasters that could potentially cause the organization to cease operations for an extended period of time
A DRP typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning