Chapter 10: Operational Security Security+ Guide to Network Security Fundamentals Second Edition
Objectives
• Harden physical security with access controls
• Minimize social engineering
• Secure the physical environment
• Define business continuity
• Plan for disaster recovery
Security+ Guide to Network Security Fundamentals, 2e
Hardening Physical Security with Access Controls
• Adequate physical security is one of the first lines of defense against attacks
• Protects equipment and the infrastructure itself
• Has one primary goal: to prevent unauthorized users from reaching equipment to use, steal, or vandalize it
Hardening Physical Security with Access Controls (continued)
• Configure an operating system to enforce access controls through an access control list (ACL), a table that defines the access rights each subject has to a folder or file
• Access control also refers to restricting physical access to computers or network devices
Controlling Access with Physical Barriers
• Most servers are rack-mounted servers
• A rack-mounted server is 1.75 inches (4.45 cm) tall and can be stacked with up to 50 other servers in a closely confined area
• Rack-mounted units are typically connected to a KVM (keyboard, video, mouse) switch, which in turn is connected to a single monitor, mouse, and keyboard
Controlling Access with Physical Barriers (continued)
• In addition to securing a device itself, you should also secure the room containing the device
• Two basic types of door locks require a key:
  • A preset lock (key-in-knob lock) requires only a key for unlocking the door from the outside
  • A deadbolt lock extends a solid metal bar into the door frame for extra security
• To achieve the most security when using door locks, observe the good practices listed on pages 345 and 346 of the text
Controlling Access with Physical Barriers (continued)
• Cipher locks are combination locks that use buttons you push in the proper sequence to open the door
• Can be programmed to allow only the code of certain people to be valid on specific dates and times
• Basic models can cost several hundred dollars each, while advanced models can run much higher
• Users must be careful to conceal which buttons they push to avoid someone seeing the combination (shoulder surfing)
Controlling Access with Physical Barriers (continued)
• Other physical vulnerabilities should be addressed, including:
  • Suspended ceilings
  • HVAC ducts
  • Exposed door hinges
  • Insufficient lighting
  • Dead-end corridors
Controlling Access with Biometrics
• Biometrics uses a person’s unique characteristics to authenticate that person
• Some human characteristics used for identification include fingerprint, face, hand, iris, retina, and voice
• Many high-end biometric scanners are expensive, can be difficult to use, and can produce false positives (accepting unauthorized users) or false negatives (rejecting authorized users)
Minimizing Social Engineering
• The best defenses against social engineering are a strong security policy along with adequate training
• An organization must establish clear and direct policies regarding what information can be given out and under what circumstances
Securing the Physical Environment
• Take steps to secure the environment itself to reduce the risk of attacks:
  • Limiting the range of wireless data signals
  • Shielding wired signals
  • Controlling the environment
  • Suppressing the risk of fires
Limiting Wireless Signal Range
• Use the following techniques to limit the wireless signal range:
  • Relocate the access point
  • Substitute 802.11a for 802.11b
  • Add a directional antenna
  • Reduce power
  • Cover the device
  • Modify the building
Shielding a Wired Signal
• The insulation and shielding that covers a copper cable does not always prevent a signal from leaking out, or prevent an even stronger outside signal from affecting the data transmission on the cable
• This interference (noise) can be of several types
• Radio frequency interference (RFI) refers to interference caused by broadcast signals from a radio frequency (RF) transmitter, such as a commercial radio or television transmitter
Shielding a Wired Signal (continued)
• Electromagnetic interference (EMI) may be caused by a variety of sources
• A motor or another source of intense electrical activity can create an electromagnetic signal that interferes with a data signal
• EMI can also be caused by cellular telephones, citizens’ band and police radios, small office or household appliances, fluorescent lights, or loose electrical connections
Shielding a Wired Signal (continued)
• The source of near end crosstalk (NEXT) interference is usually another data signal being transmitted
• Loss of signal strength is known as attenuation
• Two types of defenses are commonly referenced for shielding a signal:
  • Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST)
  • Faraday cage
Shielding a Wired Signal (continued)
• TEMPEST
  • Classified standard developed by the US government to prevent attackers from picking up stray RFI and EMI signals from government buildings
• Faraday cage
  • Metallic enclosure that prevents the entry or escape of an electromagnetic field
  • Consists of a fine-mesh copper screening directly connected to an earth ground
Reducing the Risk of Fires
• In order for a fire to occur, four entities must be present at the same time:
  • Sufficient oxygen to sustain the combustion
  • Enough heat to raise the material to its ignition temperature
  • Some type of fuel or combustible material
  • A chemical reaction that is the fire itself
Reducing the Risk of Fires (continued)
• Refer to page 355 for the types of fires, their fuel source, how they can be extinguished, and the types of handheld fire extinguishers that should be used
• Stationary fire suppression systems that integrate into the building’s infrastructure and release a suppressant into the entire room are also used
Reducing the Risk of Fires (continued)
• Systems can be classified as:
  • Water sprinkler systems that spray the room with pressurized water
  • Dry chemical systems that disperse a fine, dry powder over the fire
  • Clean agent systems that do not harm people, documents, or electrical equipment in the room
Understanding Business Continuity
• Process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize
• Business continuity management is concerned with developing a business continuity plan (BCP) addressing how the organization can continue in the event that risks materialize
Understanding Business Continuity (continued)
• The basic steps in creating a BCP:
  • Understand the business
  • Formulate continuity strategies
  • Develop a response
  • Test the plan
Maintaining Utilities
• Disruption of utilities should be of primary concern for all organizations
• The primary utility that a BCP should address is electrical service
• An uninterruptible power supply (UPS) is an external device located between an outlet for electrical power and another device
• Its primary purpose is to continue to supply power if the electrical power fails
Maintaining Utilities (continued)
• A UPS can complete the following tasks:
  • Send a special message to the network administrator’s computer, or page or telephone the network manager to indicate that the power has failed
  • Notify all users that they must finish their work immediately and log off
  • Prevent any new users from logging on
  • Disconnect users and shut down the server
Establishing High Availability through Fault Tolerance
• The ability to endure failures (fault tolerance) can keep systems available to an organization
• Prevents a single problem from escalating into a total disaster
• Can best be achieved by maintaining redundancy
• Fault-tolerant server hard drives are based on a standard known as Redundant Array of Independent Drives (RAID)
Creating and Maintaining Backups
• Data backups are an essential element in any BCP
• Backup software can internally designate which files have already been backed up by setting an archive bit in the properties of the file
• Four basic types of backups:
  • Full backup
  • Differential backup
  • Incremental backup
  • Copy backup
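The archive bit is what distinguishes the four backup types: full and copy backups take every file, differential and incremental backups take only files whose bit is set, and only full and incremental backups clear the bit afterwards. The following added example (not from the textbook) models that in memory and derives which jobs a restore needs; all names in it are constructed for illustration.

```python
# Added example (not from the textbook): an in-memory model of the archive bit
# and the four backup types, plus the restore chain those semantics imply.
from dataclasses import dataclass, field

@dataclass
class File:
    name: str
    archive_bit: bool = True   # set whenever the file is created or modified

@dataclass
class BackupJob:
    kind: str                  # full, differential, incremental or copy
    files: list = field(default_factory=list)

COPIES_ALL = {"full", "copy"}          # ignore the archive bit, take everything
CLEARS_BIT = {"full", "incremental"}   # mark what they copied as backed up
KINDS = COPIES_ALL | {"differential", "incremental"}

def modify(files, name):
    """Create or change a file; either way its archive bit ends up set."""
    for f in files:
        if f.name == name:
            f.archive_bit = True
            return
    files.append(File(name))

def run_backup(kind, files):
    """Copy the files this backup type selects; clear the bit if it should."""
    if kind not in KINDS:
        raise ValueError(f"unknown backup type: {kind}")
    selected = [f.name for f in files if kind in COPIES_ALL or f.archive_bit]
    if kind in CLEARS_BIT:
        for f in files:
            f.archive_bit = False
    return BackupJob(kind, selected)

def restore_chain(history):
    """Jobs (oldest first) needed to rebuild the data from a job history.

    Walking backwards: a full or copy backup is a complete snapshot, so stop
    there; every incremental is needed, since each cleared the bits it saw;
    a differential is needed only when it is the newest job, because any
    later backup already contains whatever it holds.
    """
    chain = []
    for job in reversed(history):
        if job.kind == "differential" and chain:
            continue
        chain.append(job)
        if job.kind in COPIES_ALL:
            break
    return chain[::-1]
```

Note that a differential taken after an incremental only holds changes since that incremental, which is why the restore chain keeps every incremental but only the newest differential.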
Creating and Maintaining Backups (continued)
• Develop a strategy for performing backups to make sure you are storing the data your organization needs
• A grandfather-father-son backup system divides backups into three sets:
  • A daily backup (son)
  • A weekly backup (father)
  • A monthly backup (grandfather)
Planning for Disaster Recovery
• Business continuity is concerned with addressing anything that could affect the continuation of service
• Disaster recovery is more narrowly focused on recovering from major disasters that could cause operations to cease for an extended period of time
• Preparing for disaster recovery always involves having a plan in place
Creating a Disaster Recovery Plan (DRP)
• A DRP is different from a business continuity plan
• Typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning
• Should be a detailed document that is updated regularly
• All DRPs are different, but they should address the common features shown in the outline on pages 367 and 368 of the text
Identifying Secure Recovery
• Major disasters may require that the organization temporarily move to another location
• Three basic types of alternate sites are used during or directly after a disaster:
  • Hot site
  • Cold site
  • Warm site
Identifying Secure Recovery (continued)
• A hot site is generally run by a commercial disaster recovery service that allows a business to continue computer and network operations to maintain business continuity
• A cold site provides office space, but the customer must provide and install all equipment needed to continue operations
• A warm site has all equipment installed but does not have active Internet or telecommunications facilities
Protecting Backups
• Data backups must be protected from theft and normal environmental elements
• Tape backups should be protected against strong magnetic fields, which can destroy a tape
• Be sure backup tapes are located in a secure environment that is adequately protected
Summary
• Adequate physical security is one of the first lines of defense against attacks
• Physical security involves restricting access with access controls, minimizing social engineering attacks, and securing the environment and infrastructure
• Business continuity is the process of assessing risks and developing a management strategy to ensure that business can continue if risks materialize
Summary (continued)
• Disaster recovery is focused on recovering from major disasters that could potentially cause the organization to cease operations for an extended period of time
• A DRP typically addresses what to do if a major catastrophe occurs that could cause the organization to cease functioning