Published by kyeung, 2018-11-13 16:09:33

(ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Common Architecture Flaws and Security Issues


No security architecture is complete and totally secure. Every
computer system has weaknesses and vulnerabilities. The goal of
security models and architectures is to address as many known
weaknesses as possible. Due to this fact, corrective actions must be
taken to resolve security issues. The following sections present some of
the more common security issues that affect computer systems in
relation to vulnerabilities of security architectures. You should
understand each of the issues and how they can degrade the overall
security of your system. Some issues and flaws overlap one another
and are used in creative ways to attack systems. Although the
following discussion covers the most common flaws, the list is not
exhaustive. Attackers are very clever.


Covert Channels

A covert channel is a method that is used to pass information over a
path that is not normally used for communication. Because the path is
not normally used for communication, it may not be protected by the
system’s normal security controls. Using a covert channel provides a
means to violate, bypass, or circumvent a security policy undetected.
Covert channels are one of the important examples of vulnerabilities of
security architectures.

As you might imagine, a covert channel is the opposite of an overt
channel. An overt channel is a known, expected, authorized, designed,
monitored, and controlled method of communication.

There are two basic types of covert channels:

Covert Timing Channel A covert timing channel conveys
information by altering the performance of a system component or
modifying a resource’s timing in a predictable manner. Using a covert
timing channel is generally a method to secretly transfer data and is
very difficult to detect.

Covert Storage Channel A covert storage channel conveys
information by writing data to a common storage area where another
process can read it. When assessing the security of software, be
diligent for any process that writes to any area of memory that another
process can read.

Both types of covert channels rely on the use of communication
techniques to exchange information with otherwise unauthorized
subjects. Because the covert channel is outside the normal data
transfer environment, detecting it can be difficult. The best defense is
to implement auditing and analyze log files for any covert channel
activity.


Attacks Based on Design or Coding Flaws and Security Issues


Certain attacks may result from poor design techniques, questionable
implementation practices and procedures, or poor or inadequate
testing. Some attacks may result from deliberate design decisions,
when special points of entry built into code to circumvent access
controls, login, or other security checks (often added to code while
under development) are not removed when that code is put into
production. For what we hope are obvious reasons, such points of
egress are properly called back doors because they avoid security
measures by design (they’re covered later in this chapter in
“Maintenance Hooks and Privileged Programs”). Extensive testing and
code review are required to uncover such covert means of access,
which are easy to remove during final phases of development but can
be incredibly difficult to detect during the testing and maintenance
phases.

Although functionality testing is commonplace for commercial code
and applications, separate testing for security issues has been gaining
attention and credibility only in the past few years, courtesy of widely
publicized virus and worm attacks, SQL injection attacks, cross-site
scripting attacks, and occasional defacements of or disruptions to
widely used public sites online. You might benefit from viewing the
OWASP Top 10 Web Application Security Risks report at
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf.

In the sections that follow, we cover common sources of attack or
vulnerabilities of security architectures that can be attributed to
failures in design, implementation, prerelease code cleanup, or
out-and-out coding mistakes. Although they’re avoidable, finding and
fixing such flaws requires rigorous security-conscious design from the
beginning of a development project and extra time and effort spent in
testing and analysis. This helps to explain the often lamentable state of
software security, but it does not excuse it!

Humans will never write completely secure (flawless) code. Source
code analysis tools implemented throughout the appdev cycle will
minimize the number of flaws in the production release, and the flaws
identified prior to production release will cost much less to mitigate.
The concepts of code review and testing are covered in Chapter 15,
“Security Assessment and Testing.”


Trusted Recovery

When an unprepared system crashes and subsequently recovers, two
opportunities to compromise its security controls may arise. Many
systems unload security controls as part of their shutdown procedures.
Trusted recovery ensures that all security controls remain intact in the
event of a crash. During a trusted recovery, the system ensures that
there are no opportunities for access to occur when security controls
are disabled. Even the recovery phase runs with all controls intact.

For example, suppose a system crashes while a database transaction is
being written to disk for a database classified as top secret. An
unprotected system might allow an unauthorized user to access that
temporary data before it gets written to disk. A system that supports
trusted recovery ensures that no data confidentiality violations occur,
even during the crash. This process requires careful planning and
detailed procedures for handling system failures. Although automated
recovery procedures may make up a portion of the entire recovery,
manual intervention may still be required. Obviously, if such manual
action is needed, appropriate identification and authentication for
personnel performing recovery is likewise essential.

Input and Parameter Checking

One of the most notorious security violations is a buffer overflow. This
violation occurs when programmers fail to validate input data
sufficiently, particularly when they do not impose a limit on the
amount of data their software will accept as input. Because such data
is usually stored in an input buffer, when the normal maximum size of
the buffer is exceeded, the extra data is called overflow. Thus, the type
of attack that results when someone attempts to supply malicious
instructions or code as part of program input is called a buffer
overflow. Unfortunately, in many systems such overflow data is often
executed directly by the system under attack at a high level of privilege
or at whatever level of privilege attaches to the process accepting such
input. For nearly all types of operating systems, including Windows,
Unix, Linux, and others, buffer overflows expose some of the most
glaring and profound opportunities for compromise and attack of any
kind of known security vulnerability.


The party responsible for a buffer overflow vulnerability is always the
programmer whose code allowed nonsanitized or unsanitized input.
Due diligence from programmers can eradicate buffer overflows
completely, but only if programmers check all input and parameters
before storing them in any data structure (and limit how much data
can be proffered as input). Proper data validation is the only way to do
away with buffer overflows. Otherwise, discovery of buffer overflows
leads to a familiar pattern of critical security updates that must be
applied to affected systems to close the point of attack.
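
The size and format check this section calls for, as an added example that is not code from the study guide. `USERNAME_CAP`, `struct login_request` and the allowed character set are hypothetical choices made for the illustration; the unchecked `strcpy()` form is kept beside the checked one for contrast.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_CAP 16   /* hypothetical field size, terminating NUL included */

enum input_status {
    INPUT_OK = 0,
    INPUT_MISSING,     /* NULL pointer or zero-length input */
    INPUT_TOO_LONG,    /* would not fit in the destination buffer */
    INPUT_BAD_CHAR     /* byte outside the allowed alphabet */
};

struct login_request {
    char username[USERNAME_CAP];
    int  is_admin;     /* neighbouring data an overflow could overwrite */
};

/* The flaw the text describes, shown for contrast and never called below:
 * strcpy() stops only at the source's NUL byte, so the sender of the data,
 * not the size of the buffer, decides how many bytes get written. */
void store_username_unchecked(struct login_request *req, const char *input)
{
    strcpy(req->username, input);
}

/* Checked form: the caller passes the number of bytes actually received, and
 * nothing is written until both the size and the format have been accepted. */
enum input_status store_username(struct login_request *req,
                                 const char *input, size_t input_len)
{
    if (req == NULL || input == NULL || input_len == 0)
        return INPUT_MISSING;

    /* Limit the amount of data: reject rather than silently truncate, so an
     * oversized value is never stored as a different, shorter name. */
    if (input_len >= sizeof req->username)
        return INPUT_TOO_LONG;

    /* Check the format with an allow-list. An embedded NUL byte fails this
     * test too, so the stored string always has the length received. */
    for (size_t i = 0; i < input_len; i++) {
        unsigned char c = (unsigned char)input[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return INPUT_BAD_CHAR;
    }

    memcpy(req->username, input, input_len);
    req->username[input_len] = '\0';
    return INPUT_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const char *samples[] = {
        "alice", "bob.smith-01", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "eve;id"
    };
    static const char *names[] = { "OK", "MISSING", "TOO_LONG", "BAD_CHAR" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct login_request req = { "", 0 };
        enum input_status s = store_username(&req, samples[i], strlen(samples[i]));
        printf("%-34s -> %-8s stored=\"%s\" is_admin=%d\n",
               samples[i], names[s], req.username, req.is_admin);
    }
    return 0;
}
```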


Maintenance Hooks and Privileged Programs

Maintenance hooks are entry points into a system that are known only
by the developer of the system. Such entry points are also called back
doors. Although the existence of maintenance hooks is a clear
violation of security policy, they still pop up in many systems. The
original purpose of back doors was to provide guaranteed access to the
system for maintenance reasons or if regular access was inadvertently
disabled. The problem is that this type of access bypasses all security
controls and provides free access to anyone who knows that the back
doors exist. It is imperative that you explicitly prohibit such entry
points and monitor your audit logs to uncover any activity that may
indicate unauthorized administrator access.

Another common system vulnerability is the practice of executing a
program whose security level is elevated during execution. Such
programs must be carefully written and tested so they do not allow any
exit and/or entry points that would leave a subject with a higher
security rating. Ensure that all programs that operate at a high
security level are accessible only to appropriate users and that they are
hardened against misuse. A good example of this is root-owned
world-writable executable scripts in the Unix/Linux OS environment. This
major security flaw is overlooked all too often. Anyone can modify the
script, and it will execute under root context allowing users to be
created, resulting in backdoor access.
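
One way to audit for the root-owned, world-writable executables described above, as an added example rather than code from the study guide. `classify_file`, `audit_directory` and the `RISK_*` flags are names invented here, the group-writable and setuid/setgid checks go slightly beyond the single case in the text, and the default directory in `main` is only a placeholder.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose lstat() and the S_IF* constants */
#endif
#include <dirent.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum {
    RISK_NONE                = 0,
    RISK_ROOT_WORLD_WRITABLE = 1 << 0, /* root-owned, executable, writable by anyone */
    RISK_ROOT_GROUP_WRITABLE = 1 << 1, /* root-owned, executable, writable by its group */
    RISK_SETID_WRITABLE      = 1 << 2  /* setuid/setgid program others can rewrite */
};

/* Pure classification on owner and mode bits, so it can be checked against
 * constructed values without needing root or real files. Only executables
 * are flagged, matching the case the text describes. */
unsigned classify_file(uid_t owner, mode_t mode)
{
    unsigned risk = RISK_NONE;

    if (!S_ISREG(mode))
        return risk;

    int executable = (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (owner == 0 && executable) {
        if (mode & S_IWOTH)
            risk |= RISK_ROOT_WORLD_WRITABLE;
        if (mode & S_IWGRP)
            risk |= RISK_ROOT_GROUP_WRITABLE;
    }
    /* A program that runs with its owner's or group's privileges must not be
     * modifiable by anyone other than that owner. */
    if ((mode & (S_ISUID | S_ISGID)) && (mode & (S_IWGRP | S_IWOTH)))
        risk |= RISK_SETID_WRITABLE;
    return risk;
}

/* Reports every risky entry directly inside dir; returns the number of
 * findings, or -1 if the directory cannot be opened. lstat() is used so a
 * symlink is judged as a link and never followed. */
int audit_directory(const char *dir, FILE *out)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int findings = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        int n = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);

        if (n < 0 || (size_t)n >= sizeof path || lstat(path, &st) != 0)
            continue;
        unsigned risk = classify_file(st.st_uid, st.st_mode);
        if (risk != RISK_NONE) {
            fprintf(out, "%s uid=%ld mode=%04o risk=0x%x\n", path,
                    (long)st.st_uid, (unsigned)(st.st_mode & 07777), risk);
            findings++;
        }
    }
    closedir(d);
    return findings;
}

int main(int argc, char **argv)
{
    /* Placeholder default; pass the directory to audit as the first argument. */
    const char *dir = argc > 1 ? argv[1] : "/usr/local/bin";
    int n = audit_directory(dir, stdout);

    if (n < 0) {
        perror(dir);
        return 2;
    }
    printf("%d finding(s) in %s\n", n, dir);
    return n > 0 ? 1 : 0;
}
```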


Incremental Attacks

Some forms of attack occur in slow, gradual increments rather than
through obvious or recognizable attempts to compromise system
security or integrity. Two such forms of attack are data diddling and
the salami attack.

Data diddling occurs when an attacker gains access to a system and
makes small, random, or incremental changes to data during storage,
processing, input, output, or transaction rather than obviously altering
file contents or damaging or deleting entire files. Such changes can be
difficult to detect unless files and data are protected by encryption or
unless some kind of integrity check (such as a checksum or message
digest) is routinely performed and applied each time a file is read or
written. Encrypted file systems, file-level encryption techniques, or
some form of file monitoring (which includes integrity checks like
those performed by applications such as Tripwire and other file
integrity monitoring [FIM] tools) usually offer adequate guarantees
that no data diddling is under way. Data diddling is often considered
an attack performed more often by insiders rather than outsiders (in
other words, external intruders). It should be obvious that since data
diddling is an attack that alters data, it is considered an active attack.

The salami attack is more mythical by all published reports. The name
of the attack refers to a systematic whittling at assets in accounts or
other records with financial value, where very small amounts are
deducted from balances regularly and routinely. Metaphorically, the
attack may be explained as stealing a very thin slice from a salami each
time it’s put on the slicing machine when it’s being accessed by a
paying customer. In reality, though no documented examples of such
an attack are available, most security experts concede that salami
attacks are possible, especially when organizational insiders could be
involved. Only by proper separation of duties and proper control over
code can organizations completely prevent or eliminate such an attack.
Setting financial transaction monitors to track very small transfers of
funds or other items of value should help to detect such activity;
regular employee notification of the practice should help to discourage
attempts at such attacks.




If you want an entertaining method of learning about the
salami attack or the salami technique, view the movies Office
Space, Sneakers, and Superman III. You can also read the article
from Wired about an attack of this nature from 2008:
https://www.wired.com/2008/05/man-allegedly-b/.




Programming

We have already mentioned the biggest flaw in programming: the
buffer overflow, which can occur if the programmer fails to check or
sanitize the format and/or the size of input data. There are other
potential flaws with programs. Any program that does not handle any
exception gracefully is in danger of exiting in an unstable state. It is
possible to cleverly crash a program after it has increased its security
level to carry out a normal task. If an attacker is successful in crashing
the program at the right time, they can attain the higher security level
and cause damage to the confidentiality, integrity, and availability of
your system.

All programs that are executed directly or indirectly must be fully
tested to comply with your security model. Make sure you have the
latest version of any software installed, and be aware of any known
security vulnerabilities. Because each security model, and each
security policy, is different, you must ensure that the software you
execute does not exceed the authority you allow. Writing secure code
is difficult, but it’s certainly possible. Make sure all programs you use
are designed to address security concerns. Please see Chapter 15 for
more information on code review and testing.


Timing, State Changes, and Communication Disconnects

Computer systems perform tasks with rigid precision. Computers excel
at repeatable tasks. Attackers can develop attacks based on the
predictability of task execution. The common sequence of events for
an algorithm is to check that a resource is available and then access it
if you are permitted. The time of check (TOC) is the time at which the
subject checks on the status of the object. There may be several
decisions to make before returning to the object to access it. When the
decision is made to access the object, the procedure accesses it at the
time of use (TOU). The difference between the TOC and the TOU is
sometimes large enough for an attacker to replace the original object
with another object that suits their own needs. Time of check to time
of use (TOCTTOU) attacks are often called race conditions because the
attacker is racing with the legitimate process to replace the object
before it is used.

A classic example of a TOCTTOU attack is replacing a data file after its
identity has been verified but before data is read. By replacing one
authentic data file with another file of the attacker’s choosing and
design, an attacker can potentially direct the actions of a program in
many ways. Of course, the attacker would have to have in-depth
knowledge of the program and system under attack.

Likewise, attackers can attempt to take action between two known
states when the state of a resource or the entire system changes.
Communication disconnects also provide small windows that an
attacker might seek to exploit. Anytime a status check of a resource
precedes action on the resource, a window of opportunity exists for a
potential attack in the brief interval between check and action. These
attacks must be addressed in your security policy and in your security
model. TOCTTOU attacks, race condition exploits, and
communication disconnects are known as state attacks because they
attack timing, data flow control, and transition between one system
state to another.
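
The check-then-use window described in this section, and one common way to close it on POSIX systems by checking the opened descriptor instead of the name, as an added example that is not code from the study guide. The function names, the ownership and permission policy, and the temporary path are assumptions made for the illustration, and the `ELOOP` result for a symlink is the Linux behaviour.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose POSIX.1-2008: O_NOFOLLOW, mkdtemp() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern from the text, shown for contrast: the check and the use each
 * resolve the path on their own, so the name can point at a different object
 * by the time open() runs. */
int open_check_then_use(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))   /* time of check */
        return -1;
    return open(path, O_RDONLY);                         /* time of use   */
}

/* Closing the window: open once, then check the object behind the descriptor.
 * fstat() describes the file that later read() calls will use, whatever
 * happens to the name afterwards. */
int open_then_verify(const char *path, uid_t expected_owner)
{
    /* O_NOFOLLOW refuses a symlink as the final component; O_NONBLOCK keeps
     * open() from hanging if the name turns out to be a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    struct stat st;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

enum { HELD_SWAP = 1, HELD_SYMLINK = 2, HELD_MODE = 4 };

/* Constructed scenario in a private temporary directory. Returns a bitmask of
 * the properties that held, or -1 if the scenario could not be set up. */
int run_demo(void)
{
    char dir[] = "/tmp/tocttou-demo-XXXXXX";
    char cfg[64], other[64], lnk[64], buf[16] = { 0 };
    int held = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(cfg, sizeof cfg, "%s/config", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    if (write_file(cfg, "trusted") != 0 || write_file(other, "replaced") != 0 ||
        symlink(cfg, lnk) != 0)
        return -1;

    /* 1. The name is replaced after the check; the descriptor is unaffected. */
    int fd = open_then_verify(cfg, geteuid());
    if (fd >= 0 && rename(other, cfg) == 0 &&
        read(fd, buf, sizeof buf - 1) == 7 && strcmp(buf, "trusted") == 0)
        held |= HELD_SWAP;
    if (fd >= 0)
        close(fd);

    /* 2. A symlink in place of the file is refused (ELOOP on Linux). */
    if (open_then_verify(lnk, geteuid()) < 0 && errno == ELOOP)
        held |= HELD_SYMLINK;

    /* 3. A file that others may write to fails the post-open check. */
    if (chmod(cfg, 0666) == 0 && open_then_verify(cfg, geteuid()) < 0 &&
        errno == EPERM)
        held |= HELD_MODE;
    unlink(lnk);
    unlink(other);
    unlink(cfg);
    rmdir(dir);
    return held;
}

int main(void)
{
    printf("properties held: %d of 7\n", run_demo());
    return 0;
}
```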


Technology and Process Integration

It is important to evaluate and understand the vulnerabilities in
system architectures, especially in regard to technology and process
integration. As multiple technologies and complex processes are
intertwined in the act of crafting new and unique business functions,
new issues and security problems often surface. As systems are
integrated, attention should be paid to potential single points of failure
as well as to emergent weaknesses in service-oriented architecture
(SOA). An SOA constructs new applications or functions out of
existing but separate and distinct software services. The resulting
application is often new; thus, its security issues are unknown,
untested, and unprotected. All new deployments, especially new
applications or functions, need to be thoroughly vetted before they are
allowed to go live into a production network or the public internet.


Electromagnetic Radiation


Simply because of the kinds of electronic components from which
they’re built, many computer hardware devices emit electromagnetic
(EM) radiation during normal operation. The process of
communicating with other machines or peripheral equipment creates
emanations that can be intercepted. It’s even possible to re-create
keyboard input or monitor output by intercepting and processing
electromagnetic radiation from the keyboard and computer monitor.
You can also detect and read network packets passively (that is,
without actually tapping into the cable) as they pass along a network
segment. These emanation leaks can cause serious security issues but
are generally easy to address.


The easiest way to eliminate electromagnetic radiation interception is
to reduce emanation through cable shielding or conduit and block
unauthorized personnel and devices from getting too close to
equipment or cabling by applying physical security controls. By
reducing the signal strength and increasing the physical buffer around
sensitive equipment, you can dramatically reduce the risk of signal
interception.

As discussed previously, several TEMPEST technologies could provide
protection against EM radiation eavesdropping. These include
Faraday cages, jamming or noise generators, and control zones. A
Faraday cage is a special enclosure that acts as an EM capacitor.
When a Faraday cage is in use, no EM signals can enter or leave the
enclosed area. Jamming or noise generators use the idea that it is
difficult or impossible to retrieve a signal when there is too much
interference. Thus, by broadcasting your own interference, you can
prevent unwanted EM interception. The only issue with this concept is
that you have to ensure that the interference won’t affect the normal
operations of your devices. One way to ensure that is to use control
zones, which are Faraday cages used to block purposely broadcast
interference. For example, if you wanted to use wireless networking
within a few rooms of your office but not allow it anywhere else, you
could enclose those rooms in a single Faraday cage and then plant
several noise generators outside the control zone. This would allow
normal wireless networking within the designated rooms but
completely prevent normal use and eavesdropping anywhere outside
those designated areas.

Summary


Designing secure computing systems is a complex task, and many
security engineers have dedicated their entire careers to
understanding the innermost workings of information systems and
ensuring that they support the core security functions required to
safely operate in the current environment. Many security professionals
don’t necessarily require an in-depth knowledge of these principles,
but they should have at least a broad understanding of the basic
fundamentals that drive the process to enhance security within their
own organizations.

Such understanding begins with an investigation of hardware,
software, and firmware and how those pieces fit into the security
puzzle. It’s important to understand the principles of common
computer and network organizations, architectures, and designs,
including addressing (both physical and symbolic), the difference
between address space and memory space, and machine types (real,
virtual, multistate, multitasking, multiprogramming, multiprocessing,
multiprocessor, and multiuser).

Additionally, a security professional must have a solid understanding
of operating states (single-state, multistate), operating modes (user,
supervisor, privileged), storage types (primary, secondary, real,
virtual, volatile, nonvolatile, random, sequential), and protection
mechanisms (layering, abstraction, data hiding, process isolation,
hardware segmentation, principle of least privilege, separation of
privilege, accountability).

No matter how sophisticated a security model is, flaws exist that
attackers can exploit. Some flaws, such as buffer overflows and
maintenance hooks, are introduced by programmers, whereas others,
such as covert channels, are architectural design issues. It is important
to understand the impact of such issues and modify the security
architecture when appropriate to compensate.

Exam Essentials


Be able to explain the differences between multitasking,
multithreading, multiprocessing, and multiprogramming.
Multitasking is the simultaneous execution of more than one
application on a computer and is managed by the operating system.
Multithreading permits multiple concurrent tasks to be performed
within a single process. Multiprocessing is the use of more than one
processor to increase computing power. Multiprogramming is similar
to multitasking but takes place on mainframe systems and requires
specific programming.

Understand the differences between single-state processors
and multistate processors. Single-state processors are capable of
operating at only one security level at a time, whereas multistate
processors can simultaneously operate at multiple security levels.

Describe the four security modes approved by the federal
government for processing classified information. Dedicated
systems require that all users have appropriate clearance, access
permissions, and need to know for all information stored on the
system. System high mode removes the need-to-know requirement.
Compartmented mode removes the need-to-know requirement and
the access permission requirement. Multilevel mode removes all three
requirements.

Explain the two layered operating modes used by most
modern processors. User applications operate in a limited
instruction set environment known as user mode. The operating
system performs controlled operations in privileged mode, also known
as system mode, kernel mode, and supervisory mode.

Describe the different types of memory used by a computer.
ROM is nonvolatile and can’t be written to by the end user. The end
user can write data to PROM chips only once. EPROM/UVEPROM
chips may be erased through the use of ultraviolet light and then can
have new data written to them. EEPROM chips may be erased with
electrical current and then have new data written to them. RAM chips
are volatile and lose their contents when the computer is powered off.

Know the security issues surrounding memory components.
Some security issues surround memory components: the fact that data
may remain on the chip after power is removed and the control of
access to memory in a multiuser system.

Describe the different characteristics of storage devices used
by computers. Primary storage is the same as memory. Secondary
storage consists of magnetic, flash, and optical media that must be
first read into primary memory before the CPU can use the data.
Random access storage devices can be read at any point, whereas
sequential access devices require scanning through all the data
physically stored before the desired location.

Know the security issues surrounding secondary storage
devices. There are three main security issues surrounding secondary
storage devices: removable media can be used to steal data, access
controls and encryption must be applied to protect data, and data can
remain on the media even after file deletion or media formatting.

Understand security risks that input and output devices can
pose. Input/output devices can be subject to eavesdropping and
tapping, used to smuggle data out of an organization, or used to create
unauthorized, insecure points of entry into an organization’s systems
and networks. Be prepared to recognize and mitigate such
vulnerabilities.


Know the purpose of firmware. Firmware is software stored on a
ROM chip. At the computer level, it contains the basic instructions
needed to start a computer. Firmware is also used to provide operating
instructions in peripheral devices such as printers.

Be able to describe process isolation, layering, abstraction,
data hiding, and hardware segmentation. Process isolation
ensures that individual processes can access only their own data.
Layering creates different realms of security within a process and
limits communication between them. Abstraction creates “black-box”
interfaces for programmers to use without requiring knowledge of an
algorithm’s or device’s inner workings. Data hiding prevents
information from being read from a different security level. Hardware
segmentation enforces process isolation with physical controls.

Understand how a security policy drives system design,
implementation, testing, and deployment. The role of a security
policy is to inform and guide the design, development,
implementation, testing, and maintenance of some particular system.

Understand cloud computing. Cloud computing is the popular
term referring to a concept of computing where processing and storage
are performed elsewhere over a network connection rather than
locally. Cloud computing is often thought of as Internet-based
computing.

Understand the risks associated with cloud computing and
virtualization. Cloud computing and virtualization, especially when
combined, have serious risks associated with them. Once sensitive,
confidential, or proprietary data leaves the confines of the
organization, it also leaves the protections imposed by the
organizational security policy and resultant infrastructure. Cloud
services and their personnel might not adhere to the same security
standards as your organization.

Understand hypervisors. The hypervisor, also known as the virtual
machine monitor (VMM), is the component of virtualization that
creates, manages, and operates the virtual machines.

Know about the type I hypervisor. A type I hypervisor is a native
or bare-metal hypervisor. In this configuration, there is no host OS;
instead, the hypervisor installs directly onto the hardware where the
host OS would normally reside.

Know about the type II hypervisor. A type II hypervisor is a
hosted hypervisor. In this configuration, a standard regular OS is
present on the hardware, and the hypervisor is then installed as
another software application.

Define CASB. A cloud access security broker (CASB) is a security
policy enforcement solution that may be installed on-premises, or it
may be cloud based.

Understand SECaaS. Security as a service (SECaaS) is a cloud
provider concept in which security is provided to an organization
through or by an online entity.

Understand smart devices. A smart device is a range of mobile
devices that offer the user a plethora of customization options,
typically through installing apps, and may take advantage of on-device
or in-the-cloud artificial intelligence (AI) processing.

Comprehend IoT. The Internet of Things (IoT) is a new subcategory
or maybe even a new class of devices connected to the internet in order
to provide automation, remote control, or AI processing to traditional
or new appliances or devices in a home or office setting.


Understand mobile device security. Device security involves the
range of potential security options or features that may be available for
a mobile device. Not all portable electronic devices (PEDs) have good
security features. PED security features include full device encryption,
remote wiping, lockout, screen locks, GPS, application control, storage
segmentation, asset tracking, inventory control, mobile device
management, device access control, removable storage, and the
disabling of unused features.

Understand mobile device application security. The
applications and functions used on a mobile device need to be secured.
Related concepts include key management, credential management,
authentication, geotagging, encryption, application whitelisting, and
transitive trust/authentication.


Understand BYOD. Bring your own device (BYOD) is a policy that
allows employees to bring their own personal mobile devices to work
and then use those devices to connect to (or through) the company
network to business resources and/or the internet. Although BYOD
may improve employee morale and job satisfaction, it increases
security risks to the organization. Related issues include data
ownership, support ownership, patch management, antivirus
management, forensics, privacy, on-boarding/off-boarding, adherence
to corporate policies, user acceptance, architecture/infrastructure
considerations, legal concerns, acceptable use policies, and on-board
cameras/video.

Understand embedded systems and static environments. An
embedded system is typically designed around a limited set of specific
functions in relation to the larger product of which it’s a component.
Static environments are applications, OSs, hardware sets, or networks
that are configured for a specific need, capability, or function, and
then set to remain unaltered.

Understand embedded systems and static environment
security concerns. Static environments, embedded systems, and
other limited or single-purpose computing environments need security
management. These techniques may include network segmentation,
security layers, application firewalls, manual updates, firmware
version control, wrappers, and control redundancy and diversity.

Understand how the principle of least privilege, separation
of privilege, and accountability apply to computer
architecture. The principle of least privilege ensures that only a
minimum number of processes are authorized to run in supervisory
mode. Separation of privilege increases the granularity of secure
operations. Accountability ensures that an audit trail exists to trace
operations back to their source.

Be able to explain what covert channels are. A covert channel is
any method that is used to pass information but that is not normally
used for information.

Understand what buffer overflows and input checking are. A
buffer overflow occurs when the programmer fails to check the size of
input data prior to writing the data into a specific memory location. In
fact, any failure to validate input data could result in a security
violation.

Describe common flaws to security architectures. In addition
to buffer overflows, programmers can leave back doors and privileged
programs on a system after it is deployed. Even well-written systems
can be susceptible to time-of-check-to-time-of-use (TOCTTOU)
attacks. Any state change could be a potential window of opportunity
for an attacker to compromise a system.

Written Lab


1. Name the three standard cloud-based X as a service options and
briefly describe them.


2. What are the four security modes for systems processing classified
information?

3. Name the three pairs of aspects or features used to describe
storage.

4. Name some vulnerabilities found in distributed architectures.

Review Questions



1. Many PC operating systems provide functionality that enables
them to support the simultaneous execution of multiple
applications on single-processor systems. What term is used to
describe this capability?

A. Multiprogramming

B. Multithreading

C. Multitasking


D. Multiprocessing

2. What technology provides an organization with the best control
over BYOD equipment?

A. Application whitelisting

B. Mobile device management

C. Encrypted removable storage

D. Geotagging

3. You have three applications running on a single-core
single-processor system that supports multitasking. One of those
applications is a word processing program that is managing two
threads simultaneously. The other two applications are using only
one thread of execution. How many application threads are
running on the processor at any given time?

A. One

B. Two

C. Three


D. Four

4. What type of federal government computing system requires that
all individuals accessing the system have a need to know all of the
information processed by that system?

A. Dedicated

B. System high


C. Compartmented

D. Multilevel


5. What is a security risk of an embedded system that is not
commonly found in a standard PC?

A. Software flaws

B. Access to the internet

C. Control of a mechanism in the physical world

D. Power loss

6. Which of the following describes a community cloud?

A. A cloud environment maintained, used, and paid for by a group
of users or organizations for their shared benefit, such as
collaboration and data exchange

B. A cloud service within a corporate network and isolated from
the internet

C. A cloud service that is accessible to the general public typically
over an internet connection

D. A cloud service that is partially hosted within an organization
for private use and that uses external services to offer resources
to outsiders

7. What is the concept of a computer implemented as part of a larger
system that is typically designed around a limited set of specific
functions (such as management, monitoring, and control) in
relation to the larger product of which it’s a component?

A. IoT

B. Application appliance

C. SoC

D. Embedded system

8. Which one of the following types of memory might retain
information after being removed from a computer and, therefore,
represent a security risk?

A. Static RAM

B. Dynamic RAM

C. Secondary memory

D. Real memory

9. What is the most effective means of reducing the risk of losing the
data on a mobile device, such as a notebook computer?

A. Defining a strong logon password

B. Minimizing sensitive data stored on the mobile device

C. Using a cable lock


D. Encrypting the hard drive

10. What type of electrical component serves as the primary building
block for dynamic RAM chips?

A. Capacitor

B. Resistor

C. Flip-flop

D. Transistor

11. Which one of the following storage devices is most likely to require
encryption technology in order to maintain data security in a
networked environment?

A. Hard disk

B. Backup tape

C. Removable drives

D. RAM

12. In which of the following security modes can you be assured that
all users have access permissions for all information processed by
the system but will not necessarily need to know of all that
information?

A. Dedicated


B. System high

C. Compartmented

D. Multilevel

13. The most commonly overlooked aspect of mobile phone
eavesdropping is related to which of the following?

A. Storage device encryption

B. Screen locks

C. Overhearing conversations

D. Wireless networking

14. What type of memory device is usually used to contain a
computer’s motherboard BIOS?

A. PROM

B. EEPROM

C. ROM

D. EPROM

15. What type of memory is directly available to the CPU and is often
part of the CPU?

A. RAM

B. ROM


C. Register memory

D. Virtual memory

16. You are the IT security manager for a retail merchant organization
that is just going online with an e-commerce website. You hired
several programmers to craft the code that is the backbone of your
new web sales system. However, you are concerned that while the
new code functions well, it might not be secure. You begin to
review the code, the systems design, and the services architecture
to track down issues and concerns. Which of the following do you
hope to find in order to prevent or protect against XSS?

A. Input validation

B. Defensive coding

C. Allowing script input

D. Escaping metacharacters

17. What form of attack abuses a program’s lack of length limitation on
the data it receives before storing the input in memory, which can
lead to arbitrary code execution?

A. ARP poisoning

B. XSS

C. Domain hijacking

D. Buffer overflow

18. What security principle helps prevent users from accessing
memory spaces assigned to applications being run by other users?

A. Separation of privilege

B. Layering

C. Process isolation


D. Least privilege

19. Which security principle mandates that only a minimum number
of operating system processes should run in supervisory mode?

A. Abstraction

B. Layering

C. Data hiding

D. Least privilege

20. Which security principle takes the concept of process isolation and
implements it using physical controls?

A. Hardware segmentation


B. Data hiding

C. Layering


D. Abstraction

Chapter 10

Physical Security Requirements


THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER
INCLUDE:

Domain 3: Security Architecture and Engineering

3.10 Apply security principles to site and facility design

3.11 Implement site and facility security controls

3.11.1 Wiring closets/intermediate distribution facilities

3.11.2 Server rooms/data centers

3.11.3 Media storage facilities

3.11.4 Evidence storage

3.11.5 Restricted and work area security

3.11.6 Utilities and Heating, Ventilation, and Air
Conditioning (HVAC)

3.11.7 Environmental issues

3.11.8 Fire prevention, detection, and suppression

Domain 7: Security Operations

7.15 Implement and manage physical security

7.15.1 Perimeter security controls

7.15.2 Internal security controls














The topic of physical and environmental security is
referenced in several domains. The two primary occurrences are in
domain 3, “Security Architecture and Engineering,” and
domain 7, “Security Operations.” Several subsections of these two
domains of the Common Body of Knowledge (CBK) for the CISSP
certification exam deal with topics and issues related to facility
security, including foundational principles, design and
implementation, fire protection, perimeter security, internal security,
and many more.


The purpose of physical security is to protect against physical threats.
The following physical threats are among the most common: fire and
smoke, water (rising/falling), earth movement (earthquakes,
landslides, volcanoes), storms (wind, lightning, rain, snow, sleet, ice),
sabotage/vandalism, explosion/destruction, building collapse, toxic
materials, utility loss (power, heating, cooling, air, water), equipment
failure, theft, and personnel loss (strikes, illness, access, transport).


This chapter explores these issues and discusses safeguards and
countermeasures to protect against them. In many cases, you’ll need a
disaster recovery plan or a business continuity plan should a serious
physical threat (such as an explosion, sabotage, or natural disaster)
occur. Chapter 3, “Business Continuity Planning,” and Chapter 18,
“Disaster Recovery Planning,” cover those topics in detail.

Apply Security Principles to Site and Facility Design


It should be blatantly obvious at this point that without control over
the physical environment, no collection of administrative, technical, or
logical access controls can provide adequate security. If a malicious
person can gain physical access to your facility or equipment, they can
do just about anything they want, from destruction to disclosure or
alteration. Physical controls are your first line of defense, and people
are your last.

There are many aspects of implementing and maintaining physical
security. A core element is selecting or designing the facility to house
your information technology (IT) infrastructure and your
organization’s operations. The process of selecting or designing
facilities security always starts with a plan.


Secure Facility Plan


A secure facility plan outlines the security needs of your organization
and emphasizes methods or mechanisms to employ to provide
security. Such a plan is developed through a process known as critical
path analysis. Critical path analysis is a systematic effort to identify
relationships between mission-critical applications, processes, and
operations and all the necessary supporting elements. For example, an
e-commerce server used to sell products over the web relies on
internet access, computer hardware, electricity, temperature control,
storage facility, and so on.

When critical path analysis is performed properly, a complete picture
of the interdependencies and interactions necessary to sustain the
organization is produced. Once that analysis is complete, its results
serve as a list of items to secure. The first step in designing a secure IT
infrastructure is providing security for the basic requirements of the
organization and its computers. These basic requirements include
electricity, environmental controls (in other words, a building, air
conditioning, heating, humidity control, and so on), and
water/sewage.

While examining for critical paths, it is also important to evaluate
completed or potential technology convergence. Technology
convergence is the tendency for various technologies, solutions,
utilities, and systems to evolve and merge over time. Often this results
in multiple systems performing similar or redundant tasks or one
system taking over the features and abilities of another. While in some
instances this can result in improved efficiency and cost savings, it can
also represent a single point of failure and become a more valuable
target for hackers and intruders. For example, if voice, video, fax, and
data traffic all share a single connection path rather than individual
paths, a single act of sabotage to the main connection is all that is
required for intruders or thieves to sever external communications.
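
The following Python code is an added example, not taken from the study guide. It treats critical path analysis as a walk over a dependency graph, derives the list of items to secure, and reports which elements would stop mission-critical operations if they alone failed, which is how a converged connection path shows up as a single point of failure. The element names extend the book's e-commerce and voice/video/fax/data examples; the graph contents and the `backup link` alternative are constructed assumptions.

```python
from collections import deque

# Constructed sample data. Each operation or element lists its requirements;
# every requirement is a tuple of alternatives, any one of which satisfies it.
CONVERGED = {
    "e-commerce server": [("internet access",), ("computer hardware",),
                          ("electricity",), ("temperature control",),
                          ("storage facility",)],
    "internet access": [("main connection",)],
    "voice": [("main connection",)],
    "video": [("main connection",)],
    "fax": [("main connection",)],
    "data traffic": [("main connection",)],
    "computer hardware": [("electricity",)],
    "temperature control": [("electricity",)],
    "storage facility": [("electricity",)],
}

# Same site with an individual path per service and a second internet path.
SEPARATE = {
    **CONVERGED,
    "internet access": [("data link", "backup link")],
    "voice": [("voice line",)],
    "video": [("video link",)],
    "fax": [("fax line",)],
    "data traffic": [("data link",)],
}

CRITICAL = ["e-commerce server", "voice", "video", "fax", "data traffic"]


def supporting_elements(node, graph):
    """Every element the node relies on, directly or indirectly."""
    found, queue = set(), deque([node])
    while queue:
        for group in graph.get(queue.popleft(), []):
            for alternative in group:
                if alternative not in found:
                    found.add(alternative)
                    queue.append(alternative)
    return found


def items_to_secure(critical, graph):
    """The analysis result: all supporting elements of the critical operations."""
    return sorted(set().union(*(supporting_elements(op, graph) for op in critical)))


def is_available(node, graph, failed, _seen=frozenset()):
    """True if the node still works when the elements in `failed` are lost."""
    if node in failed or node in _seen:      # lost, or a circular dependency
        return False
    seen = _seen | {node}
    return all(
        any(is_available(alt, graph, failed, seen) for alt in group)
        for group in graph.get(node, [])
    )


def single_points_of_failure(critical, graph):
    """Map each element to the critical operations that stop if it alone fails.

    Elements are ordered by how many operations they take down, so converged
    elements rise to the top of the list.
    """
    impact = {}
    for op in critical:
        for element in supporting_elements(op, graph):
            if not is_available(op, graph, failed={element}):
                impact.setdefault(element, []).append(op)
    return dict(sorted(impact.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    print("Items to secure:", items_to_secure(CRITICAL, CONVERGED))
    for label, graph in (("converged", CONVERGED), ("separate", SEPARATE)):
        print(label)
        for element, ops in single_points_of_failure(CRITICAL, graph).items():
            print(f"  {element}: stops {len(ops)} -> {ops}")
```
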

Security staff should participate in site and facility design
considerations. Otherwise, many important aspects of physical
security essential for the existence of logical security may be
overlooked. With security staff involved in the physical facility design,
you can be assured that your long-term security goals as an
organization will be supported not just by your policies, personnel,
and electronic equipment, but by the building itself.


Site Selection


Site selection should be based on the security needs of the
organization. Cost, location, and size are important, but addressing the
requirements of security should always take precedence. When
choosing a site on which to build a facility or selecting a preexisting
structure, be sure to examine every aspect of its location carefully.

Securing assets depends largely on site security, which involves
numerous considerations and situational elements. Site location and
construction play a crucial role in the overall site selection process.
Susceptibility to riots, looting, break-ins, and vandalism or location
within a high-crime area are obviously all poor choices but cannot
always be dictated or controlled. Environmental threats such as fault
lines, tornado/hurricane regions, and close proximity to other natural
disasters present significant issues for the site selection process as well
because you can’t always avoid such threats.

Proximity to other buildings and businesses is another crucial
consideration. What sorts of attention do they draw, and how does
that affect your operation or facility? If a nearby business attracts too
many visitors, generates lots of noise, causes vibrations, or handles
dangerous materials, they could harm your employees or buildings.
Proximity to emergency-response personnel is another consideration,
along with other elements. Some companies can afford to buy or build
their own campuses to keep neighboring elements out of play and to
enable tighter access control and monitoring. However, not every
company can exercise this option and must make do with what’s
available and affordable instead.

At a minimum, ensure that the building is designed to withstand fairly
extreme weather conditions and that it can deter or fend off overt
break-in attempts. Vulnerable entry points such as windows and doors
tend to dominate such analysis, but you should also evaluate objects
(trees, shrubs, or man-made items) that can obscure break-in
attempts.


Visibility

Visibility is important. What is the surrounding terrain? Would it be
easy to approach the facility by vehicle or on foot without being seen?
The makeup of the surrounding area is also important. Is it in or near
a residential, business, or industrial area? What is the local crime rate?
Where are the closest emergency services located (fire, medical,
police)? What unique hazards may be found in the vicinity (chemical
plants, homeless shelters, universities, construction sites, and so on)?

Another element of visibility is related to the area monitored by a
security camera. Be sure the locations and capabilities of the security
cameras are coordinated with the interior and exterior design of the
facility. Cameras should be positioned to have clear sight lines of all
exterior walls, entrance and exit points, and interior hallways.


Natural Disasters


Another concern is the potential impact that natural disasters could
make in the area. Is it prone to earthquakes, mudslides, sinkholes,
fires, floods, hurricanes, tornadoes, falling rocks, snow, rainfall, ice,
humidity, heat, extreme cold, and so on? You must prepare for natural
disasters and equip your IT environment to either survive an event or
be replaced easily. As mentioned earlier, the topics of business
continuity and disaster planning are covered in Chapters 3 and 18,
respectively.


Facility Design


When designing the construction of a facility, you must understand
the level of security that your organization needs. A proper level of
security must be planned and designed before construction begins.

Important issues to consider include combustibility, fire rating,
construction materials, load rating, placement, and control of items
such as walls, doors, ceilings, flooring, HVAC, power, water, sewage,
gas, and so on. Forced intrusion, emergency access, resistance to
entry, direction of entries and exits, use of alarms, and conductivity
are other important aspects to evaluate. Every element within a facility
should be evaluated in terms of how it could be used for and against
the protection of the IT infrastructure and personnel (for example,
positive flows for air and water from inside a facility to outside its
boundaries).


There’s also a well-established school of thought on “secure
architecture” that’s often called Crime Prevention through
Environmental Design (CPTED). The guiding idea is to structure the
physical environment and surroundings to influence individual
decisions that potential offenders make before committing any
criminal acts. The International CPTED Association is an excellent
source for information on this subject (www.cpted.net), as is Oscar
Newman’s book Creating Defensible Space, published by HUD’s
Office of Policy Development and Research (you can obtain a free PDF
download at www.defensiblespace.com/book.htm).

Implement Site and Facility Security Controls


The security controls implemented to manage physical security can be
divided into three groups: administrative, technical, and physical.
Because these are the same categories used to describe access controls,
it is vital to focus on the physical security aspects of these controls.
Administrative physical security controls include facility construction
and selection, site management, personnel controls, awareness
training, and emergency response and procedures. Technical physical
security controls include access controls; intrusion detection; alarms;
closed-circuit television (CCTV); monitoring; heating, ventilation, and
air conditioning (HVAC) power supplies; and fire detection and
suppression. Physical controls for physical security include fencing,
lighting, locks, construction materials, mantraps, dogs, and guards.






Corporate vs. Personal Property



Many business environments have both visible and invisible
physical security controls. You see them at the post office, at the
corner store, and in certain areas of your own computing
environment. They are so pervasive that some people choose where
they live based on their presence, as in gated access communities
or secure apartment complexes.

Alison is a security analyst for a major technology corporation that
specializes in data management. This company includes an in-
house security staff (guards, administrators, and so on) that is
capable of handling physical security breaches.

Brad experienced an intrusion—into his personal vehicle in the
company parking lot. He asks Alison whether she observed or
recorded anyone breaking into and entering his vehicle, but this is
a personal item and not a company possession, and she has no
control or regulation over damage to employee assets.

This is understandably unnerving for Brad, but he understands
that she’s protecting the business and not his belongings. When or
where would you think it would be necessary to implement security
measures for both? The usual answer is anywhere business assets
are or might be involved. Had Brad been using a company vehicle
parked in the company parking lot, then perhaps Alison could
make allowances for an incidental break-in involving Brad’s things,
but even then she isn’t responsible for their safekeeping. On the
other hand, where key people are also important assets (executive
staff at most enterprises, security analysts who work in sensitive
positions, heads of state, and so forth), protection and safeguards
usually extend to embrace them and their belongings as part of
asset protection and risk mitigation. Of course, if danger to
employees or what they carry with them becomes a problem,
securing the parking garage with key cards and installing CCTV
monitors on every floor begins to make sense. Simply put, if the
costs of allowing break-ins to occur exceed that of installing
preventive measures, it’s prudent to put them in place.



When designing physical security for an environment, focus on the
functional order in which controls should be used. The order is as
follows:

1. Deterrence

2. Denial

3. Detection

4. Delay

Security controls should be deployed so that initial attempts to access
physical assets are deterred (boundary restrictions accomplish this). If
deterrence fails, then direct access to physical assets should be denied
(for example, locked vault doors). If denial fails, your system needs to
detect intrusion (for example, using motion sensors), and the intruder
should be delayed sufficiently in their access attempts to enable
authorities to respond (for example, a cable lock on the asset). It’s
important to remember this order when deploying physical security
controls: first deterrence, then denial, then detection, then delay.

Equipment Failure


No matter the quality of the equipment your organization chooses to
purchase and install, eventually it will fail. Understanding and
preparing for this eventuality helps ensure the ongoing availability of
your IT infrastructure and should help you to protect the integrity and
availability of your resources.

Preparing for equipment failure can take many forms. In some
non-mission-critical situations, simply knowing where you can purchase
replacement parts for a 48-hour replacement timeline is sufficient. In
other situations, maintaining onsite replacement parts is mandatory.
Keep in mind that the response time in returning a system to a fully
functioning state is directly proportional to the cost involved in
maintaining such a solution. Costs include storage, transportation,
pre-purchasing, and maintaining onsite installation and restoration
expertise. In some cases, maintaining onsite replacements is not
feasible. For those cases, establishing a service-level agreement (SLA)
with the hardware vendor is essential. An SLA clearly defines the
response time a vendor will provide in the event of an equipment
failure emergency.

Aging hardware should be scheduled for replacement and/or repair.
The schedule for such operations should be based on the mean time to
failure (MTTF) and mean time to repair (MTTR) estimates
established for each device or on prevailing best organizational
practices for managing the hardware lifecycle. MTTF is the expected
typical functional lifetime of the device given a specific operating
environment. MTTR is the average length of time required to perform
a repair on the device. A device can often undergo numerous repairs
before a catastrophic failure is expected. Be sure to schedule all
devices to be replaced before their MTTF expires. An additional
measurement is that of the mean time between failures (MTBF). This
is an estimation of the time between the first and any subsequent
failures. If the MTTF and MTBF values are the same or fairly similar,
manufacturers often only list the MTTF to represent both values.
When a device is sent out for repairs, you need to have an alternate
solution or a backup device to fill in for the duration of the repair time.
Often, waiting until a minor failure occurs before a repair is performed
is satisfactory, but waiting until a complete failure occurs before
replacement is an unacceptable security practice.


Wiring Closets

Wiring closets used to be a small closet where the telecommunications
cables were organized for the building using punch-down blocks.
Today, a wiring closet is still used for organizational purposes, but it
serves an important infrastructure purpose as well. A modern
wiring closet is where the networking cables for a whole building or
just a floor are connected to other essential equipment, such as patch
panels, switches, routers, local area network (LAN) extenders, and
backbone channels. Other more technical names for wiring closets
include premises wire distribution room and intermediate
distribution facilities (IDF). It is fairly common to have one or more
racks of interconnection devices stationed in a wiring closet (see
Figure 10.1).

Larger buildings may require multiple wiring closets in order to stay
within the maximum cable run limitations. For the common copper-
based twisted-pair cabling, the maximum run length is 100 meters.
However, in electrically noisy environments, this run length can be
significantly reduced. Wiring closets also serve as a convenient
location to link multiple floors together. In such a multistory
configuration, the wiring closets are often located directly above or
below each other on their respective floor.

FIGURE 10.1 A typical wiring closet

Source: https://www.flickr.com/photos/clonedmilkmen/4390901323/

Wiring closets are also commonly used to house and manage the
wiring for many other important elements of a building, including
alarm systems, circuit breaker panels, telephone punch-down blocks,
wireless access points, and video systems, including security cameras.

Wiring closet security is extremely important. Most of the security for
a wiring closet focuses on preventing physical unauthorized access. If
an unauthorized intruder gains access to the area, they may be able to
steal equipment, pull or cut cables, or even plant a listening device.
Thus, the security policy for the wiring closet should include a few
ground rules, such as the following:

Never use the wiring closet as a general storage area.

Have adequate locks, which might include biometric elements.

Keep the area tidy.

Do not store flammable items in the area.

Set up video surveillance to monitor activity inside the wiring
closet.

Use a door open sensor to log entries.

Do not give keys to anyone except the authorized administrator.

Perform regular physical inspections of the wiring closet’s security
and contents.

Include the wiring closet in the organization’s environmental
management and monitoring, in order to ensure appropriate
environmental control and monitoring, as well as detect damaging
conditions such as flooding or fire.

It is also important to notify your building management of your wiring
closet security policy and access restrictions. This will further reduce
unauthorized access attempts.

Wiring closets are just one element of a cable plant management
policy. A cable plant is the collection of interconnected cables and
intermediary devices (such as cross-connects, patch panels, and
switches) that establish the physical network. Elements of a cable
plant include the following:

Entrance facility: Also known as the demarcation point, this is the
entrance point to the building where the cable from the provider
connects the internal cable plant.

Equipment room: This is the main wiring closet for the building,
often connected to or adjacent to the entrance facility.

Backbone distribution system: This provides wired connections
between the equipment room and the telecommunications rooms,
including cross-floor connections.

Telecommunications room: Also known as the wiring closet, this
serves the connection needs of a floor or a section of a large
building by providing space for networking equipment and cabling
systems. It also serves as the interconnection point between the
backbone distribution system and the horizontal distribution
system.

Horizontal distribution system: This provides the connection
between the telecommunication room and work areas, often
including cabling, cross-connection blocks, patch panels, and
supporting hardware infrastructure (such as cable trays, cable
hangers, and conduits).


Server Rooms/Data Centers

Server rooms, data centers, communications rooms, wiring closets,
server vaults, and IT closets are enclosed, restricted, and protected
rooms where your mission-critical servers and network devices are
housed. Centralized server rooms need not be human compatible. In
fact, the more human incompatible a server room is, the more
protection it will offer against casual and determined attacks. Human
incompatibility can be accomplished by including Halotron, PyroGen,
or other halon-substitute oxygen-displacement fire detection and
extinguishing systems, low temperatures, little or no lighting, and
equipment stacked with little room to maneuver. Server rooms should
be designed to support optimal operation of the IT infrastructure and
to block unauthorized human access or intervention.

Server rooms should be located at the core of the building. Try to avoid
locating these rooms on the ground floor, on the top floor, and in the
basement whenever possible. Additionally, the server room should be
located away from water, gas, and sewage lines. These pose too large a
risk of leakage or flooding, which can cause serious damage and
downtime.




The walls of your server room should also have a one-hour
minimum fire rating.










Making Servers Inaccessible


The running joke in the IT security realm is that the most secure
computer is one that is disconnected from the network and sealed
in a room with no doors or windows. No, seriously, that’s the joke.
But there’s a massive grain of truth and irony in it as well.

Carlos operates security processes and platforms for a financial
banking firm, and he knows all about one-way systems and
unreachable devices. Sensitive business transactions occur in
fractions of a second, and one wrong move could pose serious risks
to data and involved parties.

In his experience, Carlos knows that the least accessible and least
human-friendly places are his most valuable assets, so he stores
many of his machines inside a separate bank vault. You’d have to
be a talented burglar, a skilled safecracker, and a determined
computer attacker to breach his security defenses.

Not all business applications and processes warrant this extreme
sort of prevention. What security recommendations might you
suggest to make a server more inconvenient or inaccessible, short
of dedicating a vault? An interior room with limited access, no
windows, and only one entry/exit point makes an excellent
substitute when an empty vault isn’t available. The key is to select a
space with limited access and then to establish serious hurdles to
entry (especially unauthorized entry). CCTV monitoring on the
door and motion detectors inside the space can also help maintain
proper attention to who is coming and going.



For many organizations, their datacenter and their server room are one
and the same. For some organizations, a datacenter is an external
location used to house the bulk of their backend computer servers,
data storage equipment, and network management equipment. This
could be a separate building near the primary offices or it could be a
remote location. A datacenter might be owned and managed
exclusively by your organization, or it could be a leased service from a
datacenter provider. A datacenter could be a single-tenant
configuration or a multitenant configuration. No matter what the
variation, in addition to the concerns of a server room, many other
concepts are likely relevant.

In many datacenters and server rooms, a variety of technical controls
are employed as access control mechanisms to manage physical
access. These include, but are not limited to: smart/dumb cards,
proximity readers, biometrics, intrusion detection systems (IDSs), and
a design based around defense in depth.


Smartcards

Smartcards are credit-card-sized IDs, badges, or security passes with
an embedded magnetic strip, bar code, or integrated circuit chip. They
contain information about the authorized bearer that can be used for
identification and/or authentication purposes. Some smartcards can
even process information or store reasonable amounts of data in a
memory chip. A smartcard may be known by several phrases or terms:

An identity token containing integrated circuits (ICs)

A processor IC card

An IC card with an ISO 7816 interface

Smartcards are often viewed as a complete security solution, but they
should not be considered complete by themselves. As with any single
security mechanism, smartcards are subject to weaknesses and
vulnerabilities. Smartcards can fall prey to physical attacks, logical
attacks, Trojan horse attacks, or social-engineering attacks. In most
cases, a smartcard is used in a multifactor configuration. Thus, theft or
loss of a smartcard does not result in easy impersonation. The most
common form of multifactor used in relation to a smartcard is the
requirement of a PIN. You’ll find additional information about
smartcards in Chapter 13, “Managing Identity and Authentication.”


Memory cards are machine-readable ID cards with a magnetic strip.
Like a credit card, debit card, or ATM card, memory cards can retain a
small amount of data but are unable to process data like a smartcard.
Memory cards often function as a type of two-factor control: the card
is “something you have” and its personal identification number (PIN)
is “something you know.” However, memory cards are easy to copy or
duplicate and are insufficient for authentication purposes in a secure
environment.



Proximity Readers

In addition to smart/dumb cards, proximity readers can be used to
control physical access. A proximity reader can be a passive device, a
field-powered device, or a transponder. The proximity device is worn
or held by the authorized bearer. When it passes a proximity reader,
the reader is able to determine who the bearer is and whether they
have authorized access. A passive device reflects or otherwise alters
the electromagnetic field generated by the reader. This alteration is
detected by the reader.

The passive device has no active electronics; it is just a small magnet
with specific properties (like antitheft devices commonly found on
DVDs). A field-powered device has electronics that activate when the
device enters the electromagnetic field that the reader generates. Such
devices actually generate electricity from an EM field to power
themselves (such as card readers that require only that the access card
be waved within inches of the reader to unlock doors). A transponder
device is self-powered and transmits a signal received by the reader.
This can occur consistently or only at the press of a button (like a
garage door opener or car alarm key fob).

In addition to smart/dumb cards and proximity readers, physical
access can be managed with radio-frequency identification (RFID) or
biometric access control devices. See Chapter 13 for a description of
biometric devices. These and other devices, such as cable locks, can
support the protection and securing of equipment.


Intrusion Detection Systems

Intrusion detection systems (IDSs) are systems—automated or manual—designed
to detect an attempted intrusion, breach, or attack; the use
of an unauthorized entry/point; or the occurrence of some specific
event at an unauthorized or abnormal time. Intrusion detection
systems used to monitor physical activity may include security guards,
automated access controls, and motion detectors as well as other
specialty monitoring techniques. These are discussed in more detail in
the later sections “Motion Detectors” and “Intrusion Alarms.”

Physical intrusion detection systems, also called burglar alarms,
detect unauthorized activities and notify the authorities (internal
security or external law enforcement). The most common type of
system uses a simple circuit (aka dry contact switches) consisting of
foil tape in entrance points to detect when a door or window has been
opened.

An intrusion detection mechanism is useful only if it is connected to an
intrusion alarm. (See “Intrusion Alarms” later in this chapter.) An
intrusion alarm notifies authorities about a breach of physical security.

There are two aspects of any intrusion detection and alarm system that
can cause it to fail: how it gets its power and how it communicates. If
the system loses power, the alarm will not function. Thus, a reliable
detection and alarm system has a battery backup with enough stored
power for 24 hours of operation.

If communication lines are cut, an alarm may not function and
security personnel and emergency services will not be notified. Thus, a
reliable detection and alarm system incorporates a heartbeat sensor
for line supervision. A heartbeat sensor is a mechanism by which the
communication pathway is either constantly or periodically checked
with a test signal. If the receiving station detects a failed heartbeat
signal, the alarm triggers automatically. Both measures are designed
to prevent intruders from circumventing the detection and alarm
system.
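
The line supervision described above, seen from the receiving station's side. This is an added example, not part of the study guide; the panel names, the 30-second interval, the 5-second grace period, and the signal times are constructed assumptions.

```python
from collections import defaultdict

INTERVAL_S = 30   # assumed spacing between test signals
GRACE_S = 5       # assumed tolerance for jitter before the line counts as failed


def supervise(signals, panels, start, end, interval_s=INTERVAL_S, grace_s=GRACE_S):
    """Return supervision alarms for every panel the station expects to hear from.

    signals: iterable of (arrival_time_s, panel_id) test signals received.
    panels:  ids of all enrolled panels, so a panel that never reports still alarms.
    """
    limit = interval_s + grace_s
    arrivals = defaultdict(list)
    for t, panel in signals:
        arrivals[panel].append(t)

    alarms = []
    for panel in panels:
        last = start
        # None is a sentinel for "end of the observation window".
        for t in sorted(arrivals[panel]) + [None]:
            now = end if t is None else t
            if now - last > limit:
                # Silence is treated as an alarm condition, not as "all quiet".
                alarms.append({"panel": panel,
                               "alarm_at": last + limit,
                               "restored_at": t})
            last = now
    return sorted(alarms, key=lambda a: a["alarm_at"])


# Constructed sample: times are seconds since the start of the window.
PANELS = ["lobby", "server-room", "dock", "roof"]
SIGNALS = (
    [(t, "lobby") for t in range(30, 301, 30)]                   # healthy line
    + [(t, "server-room") for t in (30, 60, 90)]                 # line lost after 90 s
    + [(t, "dock") for t in (30, 60, 180, 210, 240, 270, 300)]   # outage, then restored
)                                                                # "roof" never reports

if __name__ == "__main__":
    for alarm in supervise(SIGNALS, PANELS, start=0, end=300):
        print(alarm)
```

A `restored_at` of `None` means the line was still silent when the observation window ended.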


Access Abuses

No matter what form of physical access control is used, a security
guard or other monitoring system must be deployed to prevent abuse,
masquerading, and piggybacking. Examples of abuses of physical
access controls are propping open secured doors and bypassing locks
or access controls. Masquerading is using someone else’s security ID
to gain entry into a facility. Piggybacking is following someone
through a secured gate or doorway without being identified or
authorized personally. Detecting abuses like these can be done by
creating audit trails and retaining access logs.

Audit trails and access logs are useful tools even for physical access
control. They may need to be created manually by security guards. Or
they can be generated automatically if sufficient automated access
control mechanisms (such as smartcards and certain proximity
readers) are in use. The time at which a subject requests entry, the
result of the authentication process, and the length of time the secured
gate remains open are important elements to include in audit trails
and access logs. In addition to using the electronic or paper trail,
consider monitoring entry points with closed circuit television (CCTV)
or security cameras. CCTV enables you to compare the audit trails and
access logs with a visual recording of the events. Such information is
critical to reconstruct the events for an intrusion, breach, or attack.
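
A review pass over an automated access log that uses the elements listed above (request time, authentication result, and how long the door stayed open). This is an added example, not part of the study guide; the log layout, badge and door names, and all thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log; column names and values are assumptions for this example.
LOG = """\
time,door,badge,result,open_seconds
2024-05-06T08:01:12,lobby,B1001,GRANTED,6
2024-05-06T08:01:50,dock,B1001,GRANTED,5
2024-05-06T08:03:40,server-room,B2002,GRANTED,48
2024-05-06T08:10:02,server-room,B3003,DENIED,0
2024-05-06T08:10:09,server-room,B3003,DENIED,0
2024-05-06T08:10:15,server-room,B3003,DENIED,0
2024-05-06T08:30:00,lobby,B2002,GRANTED,7
"""

MAX_OPEN_S = 15        # assumed policy: a door open longer than this needs review
MIN_TRAVEL_S = 120     # assumed minimum walking time between any two doors
DENIAL_LIMIT = 3       # assumed: this many denials ...
DENIAL_WINDOW_S = 300  # ... within this window raises a finding


def audit(log_text):
    """Return (time, finding, badge, door) tuples from a time-ordered access log."""
    findings = []
    last_grant = {}                 # badge -> (timestamp, door) of last granted entry
    denials = defaultdict(list)     # (badge, door) -> recent denial timestamps
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["time"])
        badge, door = row["badge"], row["door"]

        if row["result"] == "DENIED":
            recent = [t for t in denials[(badge, door)]
                      if (ts - t).total_seconds() <= DENIAL_WINDOW_S]
            recent.append(ts)
            denials[(badge, door)] = recent
            if len(recent) == DENIAL_LIMIT:
                findings.append((row["time"], "REPEATED_DENIALS", badge, door))
            continue

        # A door held open well past a normal entry: propped door or piggybacking
        # candidate, to be compared with the CCTV recording for that time.
        if int(row["open_seconds"]) > MAX_OPEN_S:
            findings.append((row["time"], "DOOR_HELD_OPEN", badge, door))

        # The same credential at two doors faster than a person can walk:
        # possible masquerading with a copied or borrowed card.
        prev = last_grant.get(badge)
        if prev and prev[1] != door and (ts - prev[0]).total_seconds() < MIN_TRAVEL_S:
            findings.append((row["time"], "BADGE_AT_TWO_DOORS", badge, door))
        last_grant[badge] = (ts, door)
    return findings


if __name__ == "__main__":
    for finding in audit(LOG):
        print(*finding)
```

Each finding is a pointer to a timestamp worth checking against the camera recording, not proof of abuse on its own.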


Emanation Security

Many electrical devices emanate electrical signals or radiation that can
be intercepted by unauthorized individuals. These signals may contain
confidential, sensitive, or private data. Obvious examples of
emanation devices are wireless networking equipment and mobile
phones, but many other devices are vulnerable to interception. Other
examples include monitors, modems, and internal or external media
drives (hard drives, USB thumb drives, CDs, and so on). With the right
equipment, unauthorized users can intercept electromagnetic or radio
frequency signals (collectively known as emanations) from these
devices and interpret them to extract confidential data.

Clearly, if a device emits a signal that someone outside your
organization can intercept, some security protection is needed. The
types of countermeasures and safeguards used to protect against
emanation attacks are known as TEMPEST countermeasures.
TEMPEST was originally a government research study aimed at
protecting electronic equipment from the electromagnetic pulse
(EMP) emitted during nuclear explosions. It has since expanded to a
general study of monitoring emanations and preventing their
interception. Thus, TEMPEST is now a formal name for a broad
category of activities.

TEMPEST countermeasures include Faraday cages, white noise, and
control zones.

Faraday Cage A Faraday cage is a box, mobile room, or entire
building designed with an external metal skin, often a wire mesh that
fully surrounds an area on all sides (in other words, front, back, left,
right, top, and bottom). This metal skin acts as an electromagnetic
interference (EMI)-absorbing capacitor (which is why it’s named after
Michael Faraday, a pioneer in the field of electromagnetism) that
prevents electromagnetic signals (emanations) from exiting or
entering the area that the cage encloses. Faraday cages are quite
effective at blocking EM signals. In fact, inside an active Faraday cage,
mobile phones do not work, and you can’t pick up broadcast radio or
television stations.

White Noise White noise simply means broadcasting false traffic at
all times to mask and hide the presence of real emanations. White
noise can consist of a real signal from another source that is not
confidential, a constant signal at a specific frequency, a randomly
variable signal (such as the white noise heard between radio stations
or television stations), or even a jam signal that causes interception
equipment to fail. White noise is most effective when created around
the perimeter of an area so that it is broadcast outward to protect the
internal area where emanations may be needed for normal operations.

White noise describes any random sound, signal, or process that can
drown out meaningful information. This can vary from audible
frequencies to inaudible electronic transmissions, and it may even
involve the deliberate act of creating line or traffic noise to
disguise origins or disrupt listening devices.


Control Zone A third type of TEMPEST countermeasure, a control
zone, is simply the implementation of either a Faraday cage or white
noise generation or both to protect a specific area in an environment;
the rest of the environment is not affected. A control zone can be a
room, a floor, or an entire building. Control zones are those areas
where emanation signals are supported and used by necessary
equipment, such as wireless networking, mobile phones, radios, and
televisions. Outside the control zones, emanation interception is
blocked or prevented through the use of various TEMPEST
countermeasures.


Media Storage Facilities

Media storage facilities should be designed to securely store blank
media, reusable media, and installation media. Whether hard drives,
flash memory devices, optical disks, or tapes, media should be
controlled against theft and corruption. New blank media should be
secured to prevent someone from stealing it or planting malware on it.

Media that is reused, such as thumb drives, flash memory cards, or
portable hard drives, should be protected against theft and data
remnant recovery. Data remnants are the remaining data elements
left on a storage device after a standard deletion or formatting process.
Such a process clears out the directory structure and marks clusters as
available for use but leaves the original data in the clusters. A simple
un-deletion utility or data recovery scanner can often recover access to
these files. Restricting access to media and using secure wiping
solutions can reduce this risk.


Installation media needs to be protected against theft and malware
planting. This will ensure that when a new installation needs to be
performed, the media is available and safe for use.

Here are some means of implementing secure media storage facilities:


Store media in a locked cabinet or safe.

Have a librarian or custodian who manages access to the locked
media cabinet.

Use a check-in/check-out process to track who retrieves, uses, and
returns media from storage.

For reusable media, when the device is returned, run a secure drive
sanitization or zeroization (a procedure that erases data by
replacing it with meaningless data such as zeroes) process to
remove all data remnants.

Media can also be verified using a hash-based integrity check
mechanism to ensure either that valid files remain valid or that
media has been properly and fully sanitized to retain no remnants
of previous use.
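
The two checks named in the last item, shown together: comparing installation media against a manifest of known-good SHA-256 hashes, and confirming that a returned device image contains nothing but zeroes. This is an added example, not part of the study guide; the file names, manifest layout, and image contents are constructed assumptions.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            digest.update(block)
    return digest.hexdigest()


def verify_manifest(root, manifest):
    """Compare media contents with {relative_path: sha256}; return {path: problem}."""
    problems = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "MISSING"
        elif sha256_file(full) != expected:
            problems[rel] = "MODIFIED"
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                problems[rel] = "UNEXPECTED"   # e.g. a file planted on the media
    return problems


def first_remnant(image_path, chunk=1 << 20):
    """Offset of the first non-zero byte in a zeroized image, or None if clean."""
    offset = 0
    with open(image_path, "rb") as f:
        while block := f.read(chunk):
            rest = block.lstrip(b"\x00")
            if rest:
                return offset + len(block) - len(rest)
            offset += len(block)
    return None


def demo():
    """Build constructed sample media in a temp directory and check it."""
    def write(path, data):
        with open(path, "wb") as f:
            f.write(data)

    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "install_media")
        os.mkdir(media)
        files = {"setup.bin": b"installer v1", "readme.txt": b"constructed sample"}
        for name, data in files.items():
            write(os.path.join(media, name), data)
        manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
        clean = verify_manifest(media, manifest)

        write(os.path.join(media, "setup.bin"), b"installer v1 (altered)")
        write(os.path.join(media, "autorun.inf"), b"planted")
        tampered = verify_manifest(media, manifest)

        wiped, dirty = os.path.join(tmp, "wiped.img"), os.path.join(tmp, "dirty.img")
        write(wiped, bytes(4096))
        write(dirty, bytes(3000) + b"old data" + bytes(1088))
        return clean, tampered, first_remnant(wiped, 1024), first_remnant(dirty, 1024)


if __name__ == "__main__":
    print(demo())
```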

For more security-intensive organizations, it may be necessary to place
a security notification label on media to indicate its use classification
or employ RFID/NFC asset tracking tags on media. It also might be
important to use a storage cabinet that is more like a safe than an
office supply shelf. Higher levels of protection could also include fire,
flood, electromagnetic field, and temperature monitoring and
protection.


Evidence Storage


Evidence storage is quickly becoming a necessity for all businesses, not
just law enforcement–related organizations. As cybercrime events
continue to increase, it is important to retain logs, audit trails, and
other records of digital events. It also may be necessary to retain image
copies of drives or snapshots of virtual machines for future
comparison. This may be related to internal corporate investigations
or to law enforcement–based forensic analysis. In either case,
preserving datasets that might be used as evidence is essential to the
favorable conclusion to a corporate internal investigation or a law
enforcement investigation of cybercrime.

Secure evidence storage is likely to involve the following:

A dedicated storage system distinct from the production network

Potentially keeping the storage system offline when not actively
having new datasets transferred to it

Blocking Internet connectivity to and from the storage system

Tracking all activities on the evidence storage system

Calculating hashes for all datasets stored on the system

Limiting access to the security administrator and legal counsel

Encrypting all datasets stored on the system

There may be additional security requirements for an evidence storage
solution based on your local regulations, industry, or contractual
obligations.



Restricted and Work Area Security

The design and configuration of internal security, including work areas
and visitor areas, should be considered carefully. There should not be
equal access to all locations within a facility. Areas that contain assets
of higher value or importance should have more restricted access. For
example, anyone who enters the facility should be able to access the
restrooms and the public telephone without going into sensitive areas,
but only network administrators and security staff should have access
to the server room. Valuable and confidential assets should be located
in the heart or center of protection provided by a facility. In effect, you
should focus on deploying concentric circles of physical protection.

This type of configuration requires increased levels of authorization to
gain access into more sensitive areas inside the facility.

Walls or partitions can be used to separate similar but distinct work
areas. Such divisions deter casual shoulder surfing or eavesdropping
(shoulder surfing is the act of gathering information from a system by
observing the monitor or the use of the keyboard by the operator).
Floor-to-ceiling walls should be used to separate areas with differing
levels of sensitivity and confidentiality (where false or suspended
ceilings are present, walls should cut these off as well to provide an
unbroken physical barrier between more and less secure areas).

Each work area should be evaluated and assigned a classification just
as IT assets are classified. Only people with clearance or classifications
corresponding to the classification of the work area should be allowed
access. Areas with different purposes or uses should be assigned
different levels of access or restrictions. The more access to assets the
equipment within an area offers, the more important become the
restrictions that are used to control who enters those areas and what
activities they are allowed to perform.

Your facility security design process should support the
implementation and operation of internal security. In addition to the
management of workers in proper work spaces, you should address
visitors and visitor control. Should there be an escort requirement for
visitors, and what other forms of visitor control should be
implemented? In addition to basic physical security tools such as keys
and locks, mechanisms such as mantraps, video cameras, written logs,
security guards, and RFID ID tags should be implemented.

An example of a secure or restricted work area is that of the Sensitive
Compartmented Information Facility (SCIF). A SCIF is often used by
government and military contractors to provide a secure environment
for highly sensitive data storage and computation. The purpose of a
SCIF is to store, view, and update sensitive compartmented
information (SCI), which is a type of classified information. A SCIF
has restricted access to limit entrance to those individuals with a
specific business need and authorization to access the data contained
within. This is usually determined by the individual’s clearance level
and SCI approval level. In most cases, a SCIF has restrictions against
using or possessing photography, video, or other recording devices
while in the secured area. A SCIF can be established in a ground-based
facility, an aircraft, or a floating platform. A SCIF can be a permanent
installation or a temporary establishment. A SCIF is typically located
within a structure, although an entire structure can be implemented as
a SCIF.


Utilities and HVAC Considerations

Power supplied by electric companies is not always consistent and
clean. Most electronic equipment demands clean power to function
properly. Equipment damage from power fluctuations is a common
occurrence. Many organizations opt to manage their own power
through various means. An uninterruptible power supply (UPS) is a
type of self-charging battery that can be used to supply consistent
clean power to sensitive equipment. A UPS functions by taking power
in from the wall outlet, storing it in a battery, pulling power out of the
battery, and then feeding that power to whatever devices are
connected to it. By directing current through its battery, it is able to
maintain a consistent clean power supply. This concept is known as a
double conversion UPS. A UPS has a second function, one that is often
used as a selling point: it provides continuous power even after the
primary power source fails. A UPS can continue to supply power for
minutes or hours, depending on its capacity and how much power the
equipment attached to it needs. The switching from power grid to
battery-supplied power occurs instantaneously with no interruption of
power supplied to the equipment.

Another form of UPS is the line-interactive UPS. This type of system
has a surge protector, battery charger/inverter, and voltage regulator
positioned between the grid power source and the equipment. The
battery is not in-line under normal conditions. If the grid fails, the
power is pulled from the battery inverter and voltage regulator to
provide uninterrupted power to the equipment.

A battery backup or fail-over battery is not a form of UPS as there is
usually a period of time (even if just a moment) of complete power loss
to the equipment as the grid source of power fails and a switching
event occurs to retrieve power from a battery.

Another means to ensure that equipment is not harmed by power
fluctuations requires use of power strips with surge protectors. A surge
protector includes a fuse that will blow before power levels change
enough to cause damage to equipment. However, once a surge
protector’s fuse or circuit is tripped, current flow is completely
interrupted. Surge protectors should be used only when instant
termination of electricity will not cause damage or loss to the
equipment. Otherwise, a UPS should be employed instead.

If maintaining operations for a considerable time in spite of a
brownout or blackout is a necessity, onsite electric generators are
required. Such generators turn on automatically when a power failure
is detected. Most generators operate using a fuel tank of liquid or
gaseous propellant that must be maintained to ensure reliability.
Electric generators are considered alternate or backup power sources.

The problems with power are numerous. Here is a list of terms
associated with power issues you should know:

Fault: A momentary loss of power

Blackout: A complete loss of power

Sag: Momentary low voltage

Brownout: Prolonged low voltage

Spike: Momentary high voltage

Surge: Prolonged high voltage

Inrush: An initial surge of power usually associated with
connecting to a power source, whether primary or
alternate/secondary

Noise: A steady interfering power disturbance or fluctuation

Transient: A short duration of line noise disturbance

Clean: Nonfluctuating pure power

Ground: The wire in an electrical circuit that is grounded

When experiencing a power issue, it is important to determine where
the fault is occurring. If the issue takes place outside your meter then
it is to be repaired by the power company, whereas any internal issues
are your responsibility.


Noise

Noise can cause more than just problems with how equipment
functions; it can also interfere with the quality of communications,
transmissions, and playback. Noise generated by electric current can
affect any means of data transmission that relies on electromagnetic
transport mechanisms, such as telephone, cellular, television, audio,
radio, and network mechanisms.

There are two types of electromagnetic interference (EMI): common
mode and traverse mode. Common mode noise is generated by a
difference in power between the hot and ground wires of a power
source or operating electrical equipment. Traverse mode noise is
generated by a difference in power between the hot and neutral wires
of a power source or operating electrical equipment.

Radio-frequency interference (RFI) is another source of noise and
interference that can affect many of the same systems as EMI. A wide
range of common electrical appliances generate RFI, including
fluorescent lights, electrical cables, electric space heaters, computers,
elevators, motors, and electric magnets, so it’s important to locate all
such equipment when deploying IT systems and infrastructure
elements.

Protecting your power supply and your equipment from noise is an
important part of maintaining a productive and functioning
environment for your IT infrastructure. Steps to take for this kind of
protection include providing for sufficient power conditioning,
establishing proper grounding, shielding all cables, and limiting
exposure to EMI and RFI sources.


Temperature, Humidity, and Static

In addition to power considerations, maintaining the environment
involves control over the HVAC mechanisms. Rooms intended
primarily to house computers should generally be kept between 60
and 75 degrees Fahrenheit (15 and 23 degrees Celsius). However, there
are some extreme environments that run their equipment as low as 50
degrees Fahrenheit and others that run above 90 degrees Fahrenheit.
Humidity in a computer room should be maintained between 40 and
60 percent. Too much humidity can cause corrosion. Too little
humidity causes static electricity. Even on antistatic carpeting, if the
environment has low humidity it is still possible to generate
20,000-volt static discharges. As you can see in Table 10.1, even minimal levels
of static discharge can destroy electronic equipment.

TABLE 10.1 Static voltage and damage

Static voltage   Possible damage
--------------   -----------------------------------------------------------------
40               Destruction of sensitive circuits and other electronic components
1,000            Scrambling of monitor displays
1,500            Destruction of data stored on hard drives
2,000            Abrupt system shutdown
4,000            Printer jam or component damage
17,000           Permanent circuit damage


Water Issues (e.g., Leakage, Flooding)

Water issues, such as leakage and flooding, should be addressed in
your environmental safety policy and procedures. Plumbing leaks are
not an everyday occurrence, but when they do happen, they can cause
significant damage.

Water and electricity don’t mix. If your computer systems come in
contact with water, especially while they are operating, damage is sure
to occur. Plus, water and electricity create a serious risk of
electrocution for nearby personnel. Whenever possible, locate server
rooms, datacenters, and critical computer equipment away from any
water source or transport pipes. You may also want to install water
detection circuits on the floor around mission-critical systems.
Water-detection circuits will sound an alarm and alert you if water is
encroaching upon the equipment.

To minimize emergencies, be familiar with shutoff valves and drainage
locations. In addition to monitoring for plumbing leaks, you should
evaluate your facility’s ability to handle severe rain or flooding in its
vicinity. Is the facility located on a hill or in a valley? Is there sufficient
drainage? Is there a history of flooding or accumulation of standing
water? Is a server room in the basement or on the first floor?


Fire Prevention, Detection, and Suppression

Fire prevention, detection, and suppression must not be overlooked.
Protecting personnel from harm should always be the most important
goal of any security or protection system. In addition to protecting
people, fire detection and suppression is designed to keep damage
caused by fire, smoke, heat, and suppression materials to a minimum,
especially as regards the IT infrastructure.

Standard fire prevention and resolution training involve knowledge of
the fire triangle (see Figure 10.2). The three corners of the triangle
represent fire, heat, and oxygen. The center of the triangle represents
the chemical reaction among these three elements. The point of the
fire triangle is to illustrate that if you can remove any one of the four
items from the fire triangle, the fire can be extinguished. Different
suppression mediums address different aspects of the fire:

Water suppresses the temperature.

Soda acid and other dry powders suppress the fuel supply.

CO2 suppresses the oxygen supply.

Halon substitutes and other nonflammable gases interfere with the
chemistry of combustion and/or suppress the oxygen supply.

