Information Security © 2006 Eric Vanderburg
Information Security
Chapter 10Operational Security
Information Security © 2006 Eric Vanderburg
Physical Security• Often overlooked• Securing devices
– Remove or disable I/O hardware– Lock servers in the rack– Biometrics
• Server room /wiring closet
Information Security © 2006 Eric Vanderburg
Locks• Preset lock (key-in-knob lock) – automatically locks when
it is closed. • Deadbolt – harder to break – requires key to lock and
unlock• Cipher lock – button combination lock. It can also work at
certain times (more expensive)• Securing keys
– Track when keys are issued– Issue keys to authorized people– Inspect locks regularly– Change locks when keys are lost– Master keys should not be easily identified as a Master– Lock up unused/spare keys– Mark “Do not duplicate” on Master keys and remove the serial
number so they cannot be reordered
Information Security © 2006 Eric Vanderburg
Physical Security• Suspended ceiling – metal grid with ceiling tiles• HVAC (Heating Ventilation and Air Conditioning)
– ducts that can be used to gain building access. • Exposed door hinges – Hinges should be be on
the inside so that the pins cannot be removed from the outside.
• Provide adequate lighting• Monitor dead end corridors• Minimize the number of entry points• Post guards at secure locations or checkpoints• Install cameras
Information Security © 2006 Eric Vanderburg
Social Engineering• Train employees• Define what information is to be given out• People entering the facility should be pre-
approved and escorted through the building
Information Security © 2006 Eric Vanderburg
Wireless• Site surveys• Reposition APs• Adjust signal strength• Change antenna type from omni to patch or yagi• Use a different frequency (802.11b/g
802.11a)• Make structural changes
– Ground interior studded walls– Use metal windows treatments– Use thermally insulated glass with a copper film for
windows– Use metallic doped paints on walls– Line network closets with aluminum sheeting or
chicken wire.
Information Security © 2006 Eric Vanderburg
Wired Signals• Interferrence
– EMI (Electromagnetic Interference) – motor or lights– RFI (Radio Frequency Interference) – RF waves that
conflict with the signal in the cable– NEXT (Near End Crosstalk) – One wire causes
interference for another wire• Attenuation
– Signals decrease in strength over time– Regenerate the signal
• Equipment can be used to attempt to capture information traveling along a wire.
Information Security © 2006 Eric Vanderburg
Shielding• TEMPEST (Telecommunications
Electronics Material Protected from Emanating Spurious Transmissions)– Standard for stopping other from picking up
stray RFI or EMI signals from components– Applies to an entire system
• Faraday cage – metallic mesh enclosure that is grounded to prevent electromagnetic radiation from escaping or entering (used much in testing of equipment)
Information Security © 2006 Eric Vanderburg
Fire• Extinguishers• Automated
systems– Sprinklers– Dry chemical
systems– Clean agent
systems
Information Security © 2006 Eric Vanderburg
Business Continuity• A plan that explains how business will
continue when problems occur. • BCP (Business Continuity Plan) –
– Identify the goals of the business (these must be maintained)
– Formulate continuity strategies – changes that occur now for each event
– Develop a response – what should be done in each case
– Test the plan – run through a scenario/drill
Information Security © 2006 Eric Vanderburg
Continuity Planning• Largest issue is power
– UPS (Uninterruptible Power Supply)– Notify administrators of power outages– Notify users to log off– Prevent new users from logging on– Disconnect users and shut down
Information Security © 2006 Eric Vanderburg
Redundancy• RAID (Redundant Array of Inexpensive
Disks)– RAID 0– RAID 1– RAID 5– RAID 0+1– RAID 10
• Backups
Information Security © 2006 Eric Vanderburg
Disaster Recovery• DRP (Disaster Recovery Plan) – Plan for
how to deal with and recover from a catastrophic event– Purpose– Recovery team – who directs the plan– Preparation – what is done on a regular basis– Emergency Procedures – when the disaster
happens– Recovery Procedures – after the disaster
Information Security © 2006 Eric Vanderburg
Recovery• Hot Site
– All equipment necessary– Live communication links– Fully replicated
• Cold Site– Office space but no equipment
• Warm Site– Equipment is installed but communication
must be enabled– Recovered up to the last backup applied
Information Security © 2006 Eric Vanderburg
Acronyms• BCP, Business Continuity Plan• DRP, Disaster Recovery Plan• EMI, Electromagnetic Interference• NEXT, Near End Crosstalk• RFI, Radio Frequency Interference• RAID, Redundant Array of Independent Disks• TEMPEST, Telecommunications Electronics
Material Protected from Emanating Spurious Transmissions
• UPS, Uninterruptible Power Supply