Information Security Lesson 10 - Operational Security - Eric Vanderburg


Transcript of Information Security Lesson 10 - Operational Security - Eric Vanderburg

Page 1: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Information Security © 2006 Eric Vanderburg

Information Security

Chapter 10 Operational Security

Page 2: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Physical Security
• Often overlooked
• Securing devices
  – Remove or disable I/O hardware
  – Lock servers in the rack
  – Biometrics
• Server room / wiring closet

Page 3: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Locks
• Preset lock (key-in-knob lock) – automatically locks when the door is closed
• Deadbolt – harder to break – requires a key to lock and unlock
• Cipher lock – button combination lock. It can also work at certain times (more expensive)
• Securing keys
  – Track when keys are issued
  – Issue keys to authorized people
  – Inspect locks regularly
  – Change locks when keys are lost
  – Master keys should not be easily identifiable as master keys
  – Lock up unused/spare keys
  – Mark “Do not duplicate” on master keys and remove the serial number so they cannot be reordered

Page 4: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Physical Security
• Suspended ceiling – metal grid with ceiling tiles
• HVAC (Heating, Ventilation and Air Conditioning) – ducts that can be used to gain building access
• Exposed door hinges – hinges should be on the inside so that the pins cannot be removed from the outside
• Provide adequate lighting
• Monitor dead-end corridors
• Minimize the number of entry points
• Post guards at secure locations or checkpoints
• Install cameras

Page 5: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Social Engineering
• Train employees
• Define what information is to be given out
• People entering the facility should be pre-approved and escorted through the building

Page 6: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Wireless
• Site surveys
• Reposition APs
• Adjust signal strength
• Change antenna type from omni to patch or yagi
• Use a different frequency (802.11b/g → 802.11a)
• Make structural changes
  – Ground interior studded walls
  – Use metal window treatments
  – Use thermally insulated glass with a copper film for windows
  – Use metallic-doped paints on walls
  – Line network closets with aluminum sheeting or chicken wire

Page 7: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Wired Signals
• Interference
  – EMI (Electromagnetic Interference) – motors or lights
  – RFI (Radio Frequency Interference) – RF waves that conflict with the signal in the cable
  – NEXT (Near End Crosstalk) – one wire causes interference for another wire
• Attenuation
  – Signals decrease in strength over time
  – Regenerate the signal
• Equipment can be used to attempt to capture information traveling along a wire

Page 8: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Shielding
• TEMPEST (Telecommunications Electronics Material Protected from Emanating Spurious Transmissions)
  – Standard for stopping others from picking up stray RFI or EMI signals from components
  – Applies to an entire system
• Faraday cage – grounded metallic mesh enclosure that prevents electromagnetic radiation from escaping or entering (often used in equipment testing)

Page 9: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Fire
• Extinguishers
• Automated systems
  – Sprinklers
  – Dry chemical systems
  – Clean agent systems

Page 10: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Business Continuity
• A plan that explains how business will continue when problems occur
• BCP (Business Continuity Plan)
  – Identify the goals of the business (these must be maintained)
  – Formulate continuity strategies – changes that occur now for each event
  – Develop a response – what should be done in each case
  – Test the plan – run through a scenario/drill

Page 11: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Continuity Planning
• Largest issue is power
  – UPS (Uninterruptible Power Supply)
  – Notify administrators of power outages
  – Notify users to log off
  – Prevent new users from logging on
  – Disconnect users and shut down
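The power-outage steps on this slide, sketched as a staged shell script for a Linux server. This is an added example, not part of the original slides. The status names (ONBATT/ONLINE), the runtime thresholds, the DRY_RUN switch and the step that lifts the login block when power returns are assumptions; the status and runtime values are assumed to come from whatever UPS monitoring software is in use.

```shell
#!/bin/sh
# Added example: staged response to a UPS power event, following the slide's
# four steps. Status names, thresholds and DRY_RUN are assumptions.
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only (default), 0 = execute them
NOLOGIN_AT=600          # assumed: block new logins at <= 10 min of runtime
SHUTDOWN_AT=180         # assumed: shut down at <= 3 min of runtime

# ups_plan STATUS RUNTIME_SECONDS -> ordered step names, one per line
ups_plan() {
    status=$1 runtime=$2
    # Power is back: lift the login block this script may have set.
    [ "$status" = "ONBATT" ] || { echo "clear-nologin"; return 0; }
    echo "notify-admins"
    echo "notify-users"
    [ "$runtime" -le "$NOLOGIN_AT" ] && echo "block-logins"
    [ "$runtime" -le "$SHUTDOWN_AT" ] && echo "shutdown"
    return 0
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# ups_apply STATUS RUNTIME_SECONDS -> carry out (or print) each planned step
ups_apply() {
    for step in $(ups_plan "$1" "$2"); do
        case $step in
            notify-admins) run logger -p daemon.crit "UPS on battery, ${2}s left" ;;
            notify-users)  run wall "Power failure: save your work and log off" ;;
            # pam_nologin refuses non-root logins while /etc/nologin exists
            block-logins)  run touch /etc/nologin ;;
            # shutdown ends the remaining user sessions before halting
            shutdown)      run shutdown -h now "UPS battery nearly exhausted" ;;
            clear-nologin) run rm -f /etc/nologin ;;
        esac
    done
}

# Constructed readings: plenty of runtime, then low, then power restored.
for reading in "ONBATT 1200" "ONBATT 400" "ONBATT 120" "ONLINE 0"; do
    echo "== $reading"
    ups_apply $reading
done
```

With the default DRY_RUN=1 the script only prints the commands it would run, so the escalation order can be reviewed before it is wired to a real UPS event.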

Page 12: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Redundancy
• RAID (Redundant Array of Inexpensive Disks)
  – RAID 0
  – RAID 1
  – RAID 5
  – RAID 0+1
  – RAID 10
• Backups

Page 13: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Disaster Recovery
• DRP (Disaster Recovery Plan) – plan for how to deal with and recover from a catastrophic event
  – Purpose
  – Recovery team – who directs the plan
  – Preparation – what is done on a regular basis
  – Emergency Procedures – when the disaster happens
  – Recovery Procedures – after the disaster

Page 14: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Recovery
• Hot Site
  – All equipment necessary
  – Live communication links
  – Fully replicated
• Cold Site
  – Office space but no equipment
• Warm Site
  – Equipment is installed but communication must be enabled
  – Recovered up to the last backup applied

Page 15: Information Security Lesson 10 - Operational Security - Eric Vanderburg

Acronyms
• BCP, Business Continuity Plan
• DRP, Disaster Recovery Plan
• EMI, Electromagnetic Interference
• NEXT, Near End Crosstalk
• RFI, Radio Frequency Interference
• RAID, Redundant Array of Independent Disks
• TEMPEST, Telecommunications Electronics Material Protected from Emanating Spurious Transmissions
• UPS, Uninterruptible Power Supply