Download presentation
Presentation is loading. Please wait.
Published byBrook Helen Douglas Modified over 9 years ago
1
CIST 1601 Information Security Fundamentals Chapter 10 Physical and Hardware-Based Security Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College
2
Physical Security It is much easier for an attacker to walk into a reception area, masquerade as a vendor agent, and get access to the server than to get into a physically secured area that utilizes a guest sign-in and sign-out sheet. Unsecured equipment is vulnerable to social engineering attacks. Lock the door(s) to the server room. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Mandatory physical access controls are common in government facilities and military installations where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Physical security addresses the following major categories of risks: Physical theft Loss of an asset Unauthorized disclosure of information Interruption of critical services Power failure Physical damage to hardware assets Threats affecting confidentiality Integrity and availability of critical resources
3
Understanding Physical and Network Security The goal of a physical security policy is to allow only trusted use of resources via positive identification that the entity accessing the systems is someone or something that has permission to do so based on the security model the organization has chosen. In a physical penetration attack, a targeted hacker enters the premises of an organization and gains access to computer systems or plugs a laptop computer into an organization’s internal network. A physical penetration attack is a social engineering attack that is typically considered the most dangerous type of targeted hacker attack because computer network equipment is typically not well protected inside an organization’s physical location. Keeping computers and networks secure involves more than just the technical aspects of the systems and networks. You must address the physical environment and the business as it exists. Doing so involves evaluating physical security, social engineering issues, and environmental issues. Physical Security (7:16)
4
Understanding Physical and Network Security The external entrance to the building/perimeter, the entrance to the computer center, and the entrance to the computer room should be secured, monitored and protected by alarm systems. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. This area is referred to as no-man’s land. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. Video or CCTV cameras should be posted in key locations so that the entire area is covered. Place cameras near entrances and exits to capture each visitor who comes in and out of the parking lot. Place cameras strategically so that every are of the parking lot can be seen by a camera’s field of vision. CCTV is the most common method of surveillance. The picture is viewed or recorded, but not broadcast. It was originally developed as a means of security for banks. Motion detectors can alert security personnel of intruders or suspicious activity on the company’s premises. These devices must be properly configured because they are extremely sensitive. External motion detectors can be based on light, sound, infrared, or ultrasonic technology. Networking devices such as routers, and servers that contain mission-critical data should be stored in a secured computer center. The entrances to your computer center should be individually secured and monitored. Unsecured equipment is vulnerable to social engineering attacks. It is much easier for an attacker to walk into a reception area, say she is here to do some work on the server, and get access than to get into a physically secured area with a guest sign-in and sign-out sheet. In very high-security areas, frosted or painted glass can be used to eliminate direct visual observation of user actions, and very high-security scenarios may mandate the use of electromagnetic shielding to prevent remote monitoring of emissions generated by video monitors, network switching, and system operation.
5
Implementing Access Control Physical Barriers Access control is the primary process of preventing access to physical systems. A minimum of three physical barriers should be used to secure the company premises and network devices from intruders and theft. Each barrier should be secured, monitored and protected by alarm systems. In a three barrier system, securing the entrance to the building is the first barrier, securing the entrance to the computer center is the second barrier, and securing the entrance to the computer room is the third barrier. The three-layer security model
6
Implementing Access Control Physical Barriers High-security installations use a type of intermediate access-control mechanism called a mantrap. A mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Mantraps require visual identification, as well as authentication, to gain access. A mantrap limits access to a small number of individuals. A mantrap has bullet-proof glass, high- strength doors, and locks; and is designed to physically contain an unauthorized individual between its doors until security officials can deal with the offender.
7
Perimeter security, whether physical or technological, is the first line of defense in your security model, and is intended to prevent unauthorized access to resources inside a building or facility. The perimeter is the outermost (farthest away from the objective) barrier. Perimeter security involves creating a perimeter or outer boundary for a physical space. In the physical environment, perimeter security is accomplished using external walls, locks, doors, surveillance systems, and alarm systems. This isn’t functionally any different from a network, which uses border routers, intrusion detection systems, and firewalls to prevent unauthorized access. Implementing Access Control Perimeter Security Network perimeter defense
8
A security zone is an area within a building where access is monitored and controlled. In a building, floors, sections of floors, and even offices can be broken down into smaller areas. These smaller zones are referred to as security zones. Security zones allow intrusions to be detected in specific parts of the building. An alarm system that identifies a zone of intrusion can inform security personnel about an intruder’s location in the building Security zones can be monitored individually if needed. Partitions, Perimeter, and Floor security zones are access methods that can break large areas into smaller areas that can be monitored individually. The networking equivalent of a security zone is a network security zone. If you divide a network into smaller sections, each zone can have its own security considerations and measures—just like a physical security zone. Implementing Access Control Security Zones Network security zones. The division of the network is accomplished by implementing VLANs and instituting DMZs
9
Partitioning is the process of breaking a network into smaller components that can each be individually protected. The concept is the same as building walls in an office building. Network partitioning involves the creation of private networks within larger networks. Partitions can be isolated from each other using routers and firewalls. Unless a physical device (such as a router) separates these partitioned networks, all the signals are shared across the wire. This device accomplishes the same function as a hallway or locked door—from a purely physical perspective. Partitioning and security zones are essentially interchangeable. In a typical installation, a zone would encompass one floor, while a partition would include one room. Implementing Access Control Partitioning Network partitioning separating networks from each other in a larger network
10
Biometrics is any security based upon a user’s physical characteristics, such as a retinal pattern or fingerprint, to uniquely identify a person for security authentication. Fingerprint matching involves the scanning and matching of a thumbprint or fingerprint, and is the older biometric method used these days. Fingerprint scans are still popular these days because the fingerprints of an individual are unique. The iris scan method uses the iris pattern of the eyeball to identify an individual. This biometric method is both easy to use and noninvasive. These devices should be coupled into security-oriented computer systems that record all access attempts. They should also be under surveillance in order to prevent individuals from bypassing them. Many laptops sold now have a fingerprint reader built in. Implementing Access Control Biometrics
11
Biometrics Biometric devices typically use either a hand pattern or a retinal scan to accomplish this. Iris profile biometric devices identify an individual by using the colored part of the eye that surrounds the pupil. Facial geometry identifies a user based on the profile and characteristics of the face. A retina scan identifies an individual by using the blood vessel pattern at the back of the eyeball. A retinal scan is a very secure form of evidence used in high-security companies and government agencies. When using biometrics, remember that each method has its own degree of error ratios, and some methods may seem invasive to the users and may not be accepted gracefully. The false acceptance rate (FAR) is a measure if the likelihood that the access system will wrongly accept an access attempt. In other words, it will allow access to an unauthorized user. The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. In false rejection, the system fails to recognize an authorized person and rejects that person as unauthorized. The only way for an unauthorized user to get access is to physically kidnap the authorized user and force them through the system. For this reason, biometrics are the strongest (and the costliest) form of authentication.
12
Maintaining Environmental and Power Controls - Environmental Monitoring Computer systems require temperature and humidity control for reliable service. Humidity control prevents the buildup of static electricity in the environment. If the humidity drops much below 50 percent, electronic components are extremely vulnerable to damage from electrostatic shock. A high level of humidity can cause components to rust and degrade electrical resistance or thermal conductivity. Overcooling causes condensation on equipment, and too dry leads to excessive static. Environmental concerns also include considerations about water and flood damage as well as fire suppression. Moisture monitors would automatically kill power in a computer room if moisture were detected. The fire-suppression systems in most buildings consist of water under pressure, and the water damage from putting out even a small fire could wipe out an entire data center. HVAC and Temperature/Humidity (3:53) Environmental Monitoring, EMI Shielding, Video Monitoring (4:04)
13
Power systems help keep the electrical service constant, and they ensure smooth operations. Without electricity you have no network. Computer systems are susceptible to power and interference problems. A computer requires a steady input of AC power to produce reliable DC voltage for its electronic systems. Brownouts are short-term decreases in voltage levels that most often occur when motors are started or are triggered by faults on the utility provider’s system. Power variations called noise are also referred to as electromagnetic interference (EMI). To protect your environment from such damaging fluctuations in power, always connect your sensitive electronic equipment to power conditioners, surge protectors, and a UPS, which provides the best protection of all. Surge protectors are passive devices that are used to protect electrical components from power spikes, or surges in the power line. Surge protectors usually utilize Metal Oxide Varistors (MOVs) to shunt the voltage spike to ground. In a Continuous UPS, also called an “online” UPS, the computer is always running off of battery power, and the battery is continuously being recharged. There is no switchover time, and these supplies generally provide the best isolation from power line problems. A Standby power supply (SPS) is also referred to as an “offline” UPS. In this type of supply, power usually derives directly from the power line, until power fails. A Ferroresonant UPS system maintains a constant output voltage even with a varying input voltage and provides good protection against line noise. Power Systems
14
Power conditioner devices assist in keeping the electrical service constant by monitoring and regulating the power in the building. These devices can activate backup power supplies, and can include filters, surge suppressors, and temporary voltage regulation. Backup power systems are used when a continuous power supply is needed in power loss situations. Backup power systems are used either for: Short-term usage An Uninterruptible Power Supply (UPS) system is a backup power system that utilizes batteries to provide short-term power when a power loss is detected. Long-term usage Power generators kick in if a power loss is detected, and they provide power until disabled. This can be done through the use of a gas-powered generator. A generator can be used for rolling blackouts, emergency blackouts, or electrical problems. Power Systems
15
Shielding refers to the process of preventing electronic emissions from your computer systems being used to gather intelligence and preventing outside electronic emissions from disrupting your information-processing abilities. An efficient and cost-effective way to protect a large quantity of equipment from electronic eavesdropping is to place the equipment into a well-grounded metal box called a Farady cage. A Faraday cage is a grounded wire or metal mesh “cage” that is embedded into the walls of a room to prevent EMI & RFI seepage. EMI Shielding
16
Electromagnetic Interference and Radio Frequency Interference Motors, lights, and other types of electromechanical objects cause EMI, which can cause circuit overload, spikes, or electrical component failure. Making sure that all signal lines are properly shielded and grounded can minimize EMI. Devices that generate EMI should be as physically distant from cabling as is feasible because this type of energy tends to dissipate quickly with distance. RFI is the by product of electrical processes, similar to EMI. Receivers tend to become desensitized when they’re exposed to strong RF signals. This makes the receiver in the WAP seemingly go deaf to normal-strength signals. TEMPEST is the certification given to electronic devices that emit minimal RF. The TEMPEST certification is difficult to acquire, and it significantly increases the cost of systems. You are most likely to find TEMPEST equipment in government, military, and corporate environments that process government/military classified information. Electromagnetic interference (EMI) pickup in a data cable RF desensitization occurring as a result of cellular phone interference
17
Hot and Cold Aisles In server rooms, there are often multiple rows of servers located in racks. The rows of servers are known as aisles, and they can be cooled as hot aisles and cold aisles. With a hot aisle, hot air outlets are used to cool the equipment, while with cold aisles, cold air intake is used to cool it. Combining the two, you have cold air intake from below the aisle and hot air outtake above it, providing constant circulation. It is important that the hot air exhausting from one aisle of racks not be the intake air pulled in by the next row of racks, or overheating will occur. Air handlers must move the hot air out, while cold air, usually coming from beneath a raised floor, is supplied as the intake air. Hot and Cold Aisles (1:45) Hot aisle/cold aisle server row orientation.
18
Fire Extinguishers Four primary types of fire extinguishers are available, classified by the types of fires they put out: A, B, C, and D. Common multipurpose extinguishers are A-B, B-C, and ABC. The recommended procedure for using a fire extinguisher is called the PASS method: Pull, Aim, Squeeze, and Sweep. Fire extinguishers usually operate for only a few seconds and have a limited effective range of from three to eight feet. Fire Suppression - Fire Extinguishers Fire Suppression (2:28)
19
Electrical wiring and distribution boxes are the most probable cause of fires in data centers. The critical components of a fire are oxygen, heat, and fuel. When you remove any of these components, a fire cannot be caused. For Class A fires, which are trash, wood, and paper, water or soda acid will decrease the fire’s temperature and extinguish its flames. For example, soda acid removes the fuel while water reduces the temperature. For Class B fires, which are flammable liquids, gases, and greases, are usually put out using foam. Carbon dioxide can be used to suppress Class B fires that include liquids, such as petroleum products and coolants. For Class C fires, which are energized electrical equipment, electrical fires, and burning wires, are put out using extinguishers based on carbon dioxide. An electrical fire can reoccur quite quickly if the voltage is not removed. This is one of the bigger concerns with regard to electrical fires. The best type extinguisher would be the Type C extinguisher (non-conductive dry- chemical for electrical fires). For Class D fires, which are fires that involve combustible metals such as magnesium, titanium, potassium, and sodium. The two types of extinguishing agents for Class D fires are sodium chloride and a copper- based dry powder. Fire Suppression
20
Fixed Systems Fixed systems are usually part of the building systems. The most common fixed systems combine fire detectors with fire-suppression systems, where the detectors usually trigger either because of a rapid temperature change or because of excessive smoke. A water-based fire-suppression system is easy to maintain, reliable, and inexpensive, but can result in damage to energized electrical equipment such as computers, monitors, printers, routers and switches. A gas-based fire-suppression system displaces the oxygen in the room, thereby removing the oxygen component of a fire but can suffocate anybody that remains in the room. Carbon dioxide extinguishers have replaced halon extinguishers. They don’t leave a harmful residue, making them a good choice for an electrical fire on a computer or other electrical devices. Fire Suppression - Fixed Systems Water-based fire-suppression system
21
Wet-pipe system The pipe in the wet pipe system has water under pressure in it at all times. Dry-pipe system In dry-pipe systems, water is used but is held back by a valve until a certain temperature is reached. One of the reasons for using a dry-pipe system is that when the outside temperature drops below freezing, any water in the pipes will freeze, causing them to burst. Fire Suppression - Fixed Systems
22
The End
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.