Security fundamentals

Security fundamentals Topic 11 Maintaining operational security


Transcript of Security fundamentals

Page 1: Security fundamentals

Security fundamentals

Topic 11 Maintaining operational security

Page 2: Security fundamentals

Agenda

• Establishing site security
• Secure removable media
• Secure mobile devices
• Secure disposal of equipment
• Business continuity

Page 3: Security fundamentals

Site security
• Physical access control
  – Secure with lock and key
    • Protection from theft, disasters and accidents
    • Unencrypted data can be accessed if physical access to servers can be obtained
    • Access only to authorised personnel with a specific reason to access
    • Most maintenance and configuration tasks can be performed remotely
    • Concentric rings: lock server room, lock rack cabinet etc
    • Sign-in log for access to server room, cameras, key cards, monitoring
    • Building integrity and security: floors, walls and ceilings
  – Biometrics for access control (eg doors)
    • Fingerprints/hand geometry, retinal scans, speech or face recognition

Page 4: Security fundamentals

Human factor

• Compromise between the need to protect and the need to provide access

• If security methods are too restrictive, users will try to circumvent them

• Educate and train users on the need to follow secure practices and the dangers and consequences of insecure practices
  – Social engineering to trick users into revealing information that could compromise the system

Page 5: Security fundamentals

Environment
• Data centres and server rooms typically have
  – Air conditioning, air filtration, humidity control, power conditioning
• Fire suppression
  – Flood the room with inert gas replacing the oxygen
  – Fire put out without water and foam
  – Emergency alarms for evacuation
  – FE-13 and FE-36 gas less damaging to ozone layer than halon
• Wireless networking
  – Issue of signal range, careful placement of antennas
  – Minimise transmission power levels
  – Shield the operational area
  – Encrypt wireless communications
  – Cellular communications have greater risks as they have a greater signal range

Page 6: Security fundamentals

Disaster recovery
• Any occurrence that prevents your network from operating properly
• Backups:
  – Regular backups and testing with regular restores
  – Operating systems and backup software must be installed first before recovery begins – increases recovery time
• Offsite storage
  – Keeping offsite data confidential – vault or fireproof safe and protected with access control
  – Replacement hardware – will backups work on newer hardware?
• Secure recovery
  – Alternate sites
    • Mirrored servers in a protected environment
    • Computers, office space, temporary workers
    • Test platform for emergency services
    • Hot site – immediate failover; cold site – restores required
  – Disaster recovery plan
    • What tasks must be done
    • Who is responsible for doing them?

Page 7: Security fundamentals

Securing removable media
• How to secure confidential data and how to dispose of media
• Floppy disks
  – Disable floppy disk drives or remove
  – Clean by passing through a magnetic field
• Hard disks
  – Limit the use of removable disks to servers and physically secure computers
  – Very portable, but fragile if dropped
• Writable optical media
  – 5 GB on DVD, 700 MB on CD, small backups and archives
  – Protect disks from scratches and sunlight
  – Password protect the disk or encrypt the data if required
  – Limit writable drives (install CD, DVD-ROM) and disable USB ports

Page 8: Security fundamentals

Securing removable media
• Magnetic tape
  – Low cost, high speed, large capacity
  – Robotic tape changers allow for unattended backups
  – QIC, DAT, DLT, LTO
  – Not random access
  – Limit the use of tape drives and encrypt the data
• Flash media
  – High capacity and small size
  – Protect data by encrypting
  – Disable USB ports
• Smart cards
  – Information on card is encrypted
  – Cards can be lost or stolen, so not sufficient to authenticate as the only method
  – Authentication when used with PIN or password

Page 9: Security fundamentals

Securing mobile devices

• Antitheft devices
  – Motion alarms, locking cables and tracking equipment
• Identifying marks and colours
  – ID engraving
• Data encryption
  – Confidential data
• Monitor use when connected to the network

Page 10: Security fundamentals

Secure disposal
• Ensure permanent erasure of all data from computer and media
• To permanently destroy data:
  – Use specialised software to overwrite data multiple times
  – Cipher to remove data from cmd
  – Degauss by exposing to strong magnetic field
  – Physically destroy the media
    • Floppies – magnetise and shred disks
    • Tapes – overwrite multiple times and shred
    • Hard drives – repeated overwriting
    • Optic media – destroy the disk, don’t burn due to toxic fumes
  – Documents
    • Shred paper documents to protect from dumpster diving

Page 11: Security fundamentals

Business continuity
• Planning phase:
  – Identify the mission-critical processes
    • Identify all of the resources required for the mission-critical processes to operate
    • Rate the relative importance of the mission-critical processes
    • Decide on a course of action to undertake for each mission-critical process
      – If critical, move process to a branch office or activate a fallback facility with backup equipment
      – If less critical, consider purchasing insurance to cover the financial losses resulting from the interruption
• Implement the plan
• Test the plan regularly and train employees

Page 12: Security fundamentals

Business continuity preparation
• Back up data and store copies offsite
• High availability and fault tolerance
  – RAID for disk failure
  – Clustered servers for server failure
  – Mirrored servers at alternate location
  – Duplicate office configuration
  – Duplicate WAN links
  – Procurement plans and contracts to replace equipment and personnel
• Utilities
  – Power
    • UPS, backup generator with failover switch
• Water
• Mail and courier services

Page 13: Security fundamentals

Lesson summary

• How to go about establishing site security
• Types of removable media and mobile devices, and how to secure them
• How to securely dispose of equipment
• What to consider to maintain business continuity