CIS 2005 System Security - PowerPoint PPT Presentation

Slides: 26
Provided by: brett78

Transcript and Presenter's Notes

Title: CIS 2005 System Security


1
CIS 2005 System Security Control
  • Lecture 2
  • Module 2 - Physical security

2
Module objectives are to
  • list and describe the types of physical
    vulnerabilities that can cause loss of services
    in a computer system
  • identify and describe the techniques and devices
    that may be used to guard against the four main
    types of physical vulnerability, namely natural
    disasters, power loss/fluctuations, human
    intruders and electro-magnetic emanation; and
  • understand the importance of Contingency
    planning and contingency strategies available

3
Physical vs logical security
  • Physical security
      • vulnerabilities of hardware and their physical
        environment
      • threats to physical assets
      • protection of physical assets
  • Logical security
      • vulnerabilities, threats and controls of software
        and data

4
Physical threats
  • Natural and environmental disasters
  • Power failure/fluctuations
  • Vandalism
  • Espionage / interception of physical material
  • Interception of electro-magnetic radiation

5
Natural and environmental disasters
  • Location
  • Basement open to floods
  • Under water pipes open to dripping water
  • Physical segregation/separation
  • Keeping backups, standby sites etc. separate
  • Structural design
  • Brick structures withstand fire better
  • Provide air-conditioning

6
Physical security measures (cont'd)
  • Detection methods
      • Fire alarm system / smoke detectors
      • Access logs
      • Video camera
  • Physical access controls
      • Guards
      • Locks & keys
      • PIN pads and card access systems
      • Biometric devices

7
Power Loss / Fluctuations
  • Think about it: how many security controls are
    dependent on power, not to mention the computer
    systems that we are trying to protect?

8
Power failure
  • Undervoltage
      • Brownout: prolonged power undervoltage
      • Blackout: complete power failure
  • Overvoltage
      • Power surge: increase in the electrical power
      • Spike: momentary overvoltage

9
Protection from power failure
  • Surge protector/suppressor
  • Uninterruptible power supply (UPS)

10
Human Intruders
  • People unauthorized to be in the room, building
    or site, with malicious intent
  • Theft
  • Vandalism
  • Put yourself in the intruder's shoes: what do you
    see?

11
Safe disposal of sensitive material
  • Shredders
  • Degaussers
      • Devices used to destroy magnetic fields on any
        magnetic media such as a tape or a floppy disk.
  • Overwriting
      • DELETE command only changes directory pointer
        without actually erasing the file.
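
The overwriting point above, as an added example that is not part of the original slides: the file's bytes are replaced in place before the directory entry is removed. It assumes storage that rewrites blocks in place (SSD wear-levelling, journaling or copy-on-write filesystems can keep old copies elsewhere); the function names and sample record are constructed for illustration.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write in chunks so large files need not fit in memory


def overwrite_in_place(path, passes=1):
    """Replace every byte of the file with random data; return the file size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:      # r+b: rewrite existing bytes, no truncation
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())      # push the new bytes from OS caches to the device
    return size


def wipe_and_delete(path, passes=1):
    """Overwrite first, then remove the directory entry (the plain DELETE step)."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def demo():
    """Constructed sample. Returns (secret readable after overwrite?, file left after wipe?)."""
    secret = b"payroll-2005: constructed sample record\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    overwrite_in_place(path)
    with open(path, "rb") as fh:
        still_readable = b"payroll" in fh.read()
    wipe_and_delete(path)
    return still_readable, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```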

12
Emanations: What are they?
  • Electro-magnetic radiation/emissions
  • Can be detected from a distance
  • Initiatives (U.S.) have been put in place to
    certify computer equipment as not emitting
    detectable signals

13
Protection from Emanations
  • Enclosure
      • Enclose the device in a conductive case (copper)
  • Modification
      • Modify emitted signals by injecting fake signals

14
Contingency Planning issues
  • Cost and speed of replacing equipment
  • Cost / difficulty of replacing data and programs

These recovery issues along with your business
needs drive the controls used.
15
Contingency strategies
  • Emergency plan
  • Backup procedures
      • including off-site backups
  • Identify single points of failure and reduce them
      • Examples: mirroring, networking
  • Cold/hot sites
  • Any controls you suggest must satisfy the
    business needs, not just the technical needs.

16
Emergency plan
  • Names and telephone numbers of people and
    organisations to be notified (police, fire
    brigade, management, etc.)
  • Procedures to be followed with the computer
    equipment (shutdown procedure, power cutoff, file
    removal, etc.)
  • Employee evacuation procedures
  • Who is allowed entry back into the facility

17
Backup methods
  • Full (complete)
      • duplicates all the files in the system
  • Differential (selective)
      • duplicates only files that have changed since
        last full backup
  • Incremental
      • duplicates only the files that have changed since
        the last backup (whether it was full or
        incremental)
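
The three methods above worked through on one week of changes, as an added example that is not part of the original slides: it computes what each backup run copies and which backup sets a restore needs. The file names, change log and schedule are constructed, and each schedule is assumed to use only one partial method alongside the full backup.

```python
FILES = {"payroll.db", "orders.db", "staff.doc", "plan.xls"}  # constructed sample
CHANGES = {2: {"payroll.db"}, 3: {"orders.db"}, 4: {"payroll.db", "staff.doc"}}


def weekly(partial_kind):
    """Full backup on day 1, the given partial method on days 2 to 4."""
    return {1: "full", 2: partial_kind, 3: partial_kind, 4: partial_kind}


def plan(all_files, changes, schedule):
    """Return [(day, kind, files copied)]; each backup runs after that day's changes."""
    backups, since_full, since_last = [], set(), set()
    for day in sorted(set(changes) | set(schedule)):
        changed = changes.get(day, set())
        since_full |= changed   # what a differential would copy
        since_last |= changed   # what an incremental would copy
        kind = schedule.get(day)
        if kind == "full":
            backups.append((day, kind, set(all_files)))
            since_full, since_last = set(), set()
        elif kind == "differential":
            backups.append((day, kind, set(since_full)))
        elif kind == "incremental":
            backups.append((day, kind, set(since_last)))
            since_last = set()
    return backups


def restore_chain(backups):
    """Backup sets needed to rebuild the latest state, oldest first."""
    last_full = max(i for i, b in enumerate(backups) if b[1] == "full")
    later = backups[last_full + 1:]
    incrementals = [b for b in later if b[1] == "incremental"]
    differentials = [b for b in later if b[1] == "differential"]
    # Every incremental is needed; only the newest differential is.
    return [backups[last_full]] + (incrementals or differentials[-1:])


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        runs = plan(FILES, CHANGES, weekly(kind))
        copied = sum(len(files) for _, k, files in runs if k != "full")
        days = [day for day, _, _ in restore_chain(runs)]
        print(f"{kind}: {copied} files copied after the full, restore from days {days}")
```

Differential runs grow each day but a restore needs only two sets; incremental runs stay small but a restore needs every set since the full backup, so one damaged set breaks the chain.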

18
Backup methods comparison
19
Backup schedule
20
Three-disk revolving backup
21
Remember the Principles of computer security?
  • Easiest penetration
  • Adequate protection
  • Effectiveness
  • Weakest link
  • A backup system must adhere to the principles of
    adequate protection and effectiveness.

22
Cold/hot sites
  • Cold site (1 week recovery)
      • contains minimum hardware and software
        requirements for system to be re-installed
  • Hot site (1 hour recovery)
      • duplicate site ready for changeover

23
Where to get facilities
  • In-house
  • Mutual support
      • Reciprocal arrangements
      • Joint funding
  • Commercial services
      • Disaster recovery providers
      • Vendor agreement

24
Risk Analysis Overview
Risk Analysis
  • What threats are out there?
  • What vulnerabilities are present in your system?
  • Likelihood of a threat/s being directed at your
    system?
  • Extent of damage that might be caused if the
    system was compromised?
  • Appropriate control measures that could be put in
    place to prevent the system being compromised?

25
Security Plan Overview
Risk Analysis
Security Plan
  • Articulate organisational security goals
  • Set security policy
  • Formalise outcome of Risk Analysis
  • Communicate to all people involved
  • Create a living document
  • All modules focus toward achieving a security
    plan (Module 11) (Assignments 1 & 2)