Physical Security
Janice L. Diaz, Amin A. Alkobadi
Definition
• Physical Security - the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism. (SearchSecurity.com)
Types of Physical Security
• Walls, fences, and gates
• Guards
• Dogs
• ID cards and badges
• Locks and keys
• Mantraps
• Electronic Monitoring
• Alarms
• Computer rooms and wiring closets
• Interior walls and doors
Locks
• Mechanical Lock
• Manual Lock
• Electronic Lock
• Electro-Mechanical Lock
Locks Continued
• Proximity Reader
• Biometrics: Fingerprint Scanner and Iris Scanner
Alarms/Detectors
• Vibration Detector
• Fire Suppressor
• Fire Detector
• Motion Detector
Inadequate, Misuse, or Lack of Physical Security
• Although there are many tools companies can use to protect their information technology, most use them improperly or not at all.
• Breaches of physical security can be carried out with little or no technical knowledge on the part of an attacker. Moreover, accidents and natural disasters are a part of everyday life, and in the long term, are inevitable. (SearchSecurity.com)
Inadequate, Misuse, or Lack of Physical Security
• The threat of accidental or deliberate data theft hangs over companies and while many may think they have robust perimeter security protecting their IT – and similar security protecting their premises – there are too many glaring holes where the two should seamlessly blend.
• According to forensics experts at Pinkerton, 70 per cent of data theft from a company is physical theft – from laptops and hard drives to CDs or increasingly higher capacity mini-storage units.
• A recent survey revealed 70 per cent of users would swap swipe card and log-in details for a chocolate bar. (Sturgeon, 2004)
Inadequate, Misuse, or Lack of Physical Security
• "Biometrics is the only form of identification which positively identifies the user as being the person they say they are." – Simon Perry, VP of Computer Associates.
• Physical security is not just there to 'count them in and count them back out again'. (Sturgeon, 2004)
The 10 Most Overlooked Aspects of Security
• The staff at Dark Reading came together and created a detailed list of things that corporations, executives and employees alike, overlook when they are implementing or using their information technology.
The 10 Most Overlooked Aspects of Security
• 1. Physical security
• 2. Proper disposal of devices, storage media, and sensitive documents
• 3. Background checks
• 4. Getting control of the at-home user
• 5. Taking advantage of built-in security functions
• 6. Analyzing trends in security log files
• 7. Training
• 8. Outsourcing of security functions
• 9. Encryption
• 10. Integration of security with software development
Physical Security
• IT security and physical security staff in large organizations don't work with one another.
• Companies are allocating surveillance technology in the wrong places.
• Weak physical security
• Social Engineering - a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. (A huge issue)
• Getting the IT and physical security teams together is crucial to thwarting social engineering attacks like these.
• Security awareness training needs to be stressed.
Proper disposal of devices, storage media, and sensitive documents
• Companies that don't have strong policies on garbage disposal.
• A frequently overlooked treasure for attackers is the discarded hard drive.
• After upgrading, companies often donate them.
• Some IT departments are lax about wiping hard drives clean.
• Used hard drives can be bought at auctions and fairs. Most if not all of those hard drives still have sensitive information on them.
• Other hardware with the same problem: cell phones and PDAs.
• Oldest form of stolen data: paper trash obtained through dumpster-diving.
Background Checks
• Make sure those with the keys to the kingdom aren't eavesdropping, stealing, or worse.
• Make sure there are no unexplained gaps in a candidate's job history.
• Background research varies: it can be detailed and expensive, but it can also be inexpensive.
• You can learn about character issues by asking a candidate how they safeguard their own data.
• Screening before employment begins is great but keeping tabs on them is better.
Getting Control of the At-Home User
• Many IT departments fail to monitor what users do with their machines at home.
• During the past year there has been a rash of laptop and PC theft.
• Weakest Link: Top Execs – CEOs and CFOs
• Storing sensitive information on laptops
• Leaving computers connected to VPN
• Giving passwords out to friends and family
• Prime targets of phishing and botnet attacks, and zombie infections.
• Security assessments are rare
• Eliminate VPN access and instead use biometrics.
• A home security audit, and training home users how to best protect their computer and the company network, is also helpful.
Taking Advantage of Built-In Security Functions
• Built-in security features in devices are often unexplored or overlooked.
• Examples:
• Trusted Computing Group's Trusted Platform Module (TPM) 1.2 - a set of specifications that enables vendors to add a "security chip" microprocessor to any PC. It became standard issue on most PC hardware.
• Client machines and files are more secure, and it's given us a lot more control in IT.
• ETS 5.1 - a set of security tools and applications that leverage TPM chips to encrypt files, folders, and passwords on a laptop or PC.
• Users of TPM 1.2 and ETS 1.1 can lock their hard drives, folders, and files via an encryption key that can only be decrypted by the authorized user.
• TPM: many enterprises have yet to turn on their functionality.
• Downside:
• Built-in security items will cause IT department headaches.
• End up looking for help
• Many IT organizations will probably forbid the use
Analyzing Trends in Security Log Files
• Most IT and security pros have so much log data that they typically only skim it, or ignore it altogether.
• Log files can be the key to recognizing an attack.
• External attackers typically use methodical approaches that can be identified as log trends.
• Internal attackers usually leave an audit trail in their logs that can be backtracked and exposed, enabling IT to catch the perpetrators red-handed.
• You can effectively analyze log files with automated log file analyzers, security information management tools, and good old-fashioned detective work.
• Network Behavior Anomaly Detection (NBAD) - continuously monitors application traffic (destination, source, protocol) but forces IT to manually associate user names with IP addresses.
• ArcSight
• LogLogic
• netForensics
• Securify
• Identify trends and warning signs.
• In the end, it's usually a human analysis that identifies an attacker's trail.
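The trend analysis described on this slide, as an added example that is not part of the original presentation: it flags a source that contacts many distinct hosts within one hour, then performs the IP-to-user association that NBAD leaves manual. The flow records, session table, user names and the threshold of 4 are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records: time, source IP, destination IP, protocol.
FLOWS = """\
2006-11-29T09:05 10.0.0.21 10.0.1.5 smb
2006-11-29T10:02 10.0.0.34 10.0.1.5 smb
2006-11-29T10:10 10.0.0.34 10.0.1.6 smb
2006-11-29T10:18 10.0.0.34 10.0.1.7 smb
2006-11-29T10:26 10.0.0.34 10.0.1.8 smb
2006-11-29T10:34 10.0.0.34 10.0.1.9 smb
2006-11-29T11:15 10.0.0.21 10.0.1.5 smb
"""
# Constructed login sessions: IP, user, start, end. 10.0.0.34 changes hands.
SESSIONS = """\
10.0.0.21 alice 2006-11-29T08:00 2006-11-29T17:00
10.0.0.34 bob 2006-11-29T08:00 2006-11-29T09:55
10.0.0.34 temp07 2006-11-29T09:58 2006-11-29T12:00
"""

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")

def hourly_fanout(flow_text):
    """Map (source, hour) -> {destination: time first contacted}."""
    fanout = defaultdict(dict)
    for line in flow_text.splitlines():
        stamp, src, dst, _proto = line.split()
        when = parse_time(stamp)
        fanout[(src, when.replace(minute=0))].setdefault(dst, when)
    return fanout

def user_at(ip, when, session_text):
    """The step NBAD leaves manual: who held this IP at that moment?"""
    for line in session_text.splitlines():
        s_ip, user, start, end = line.split()
        if s_ip == ip and parse_time(start) <= when <= parse_time(end):
            return user
    return "unknown"

def flag_sweeps(flow_text, session_text, threshold=4):
    """Report sources that reach `threshold` or more distinct hosts in an hour."""
    alerts = []
    for (src, hour), seen in sorted(hourly_fanout(flow_text).items()):
        if len(seen) >= threshold:
            # Attribute using the first flow in the bucket, not the hour mark.
            user = user_at(src, min(seen.values()), session_text)
            alerts.append((user, src, hour.isoformat(), len(seen)))
    return alerts
```

Attribution by session time matters here: the flagged address belonged to a different user less than ten minutes before the sweep began.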
Training
• Stupid things end users do:
• Opening attachments from strangers.
• Connecting to the closest WiFi connection while on the road.
• Training is critical, but often overlooked.
• The "standard annual security awareness training session" is no longer enough.
• Frequent security reminders are needed.
• Awareness should be more "in your face" and "real".
• Examples:
• Posters
• Computer-based training
• Compliance tracking
• Face-to-face interactive training.
• Organizations rely too much on firewalls, antivirus, intrusion detection, and vulnerability assessment and penetration testing.
• When an organization's technologies change, they don't bother to re-educate users.
• Top execs are typically not well-educated in security awareness, which is a key reason IT security doesn't always get the support and funding it needs.
Outsourcing of Security Functions
• Some security pros believe outsourcing risks a security breach, and so overlook an excellent way to increase security capabilities and save money.
• Enterprises are using outsourcing companies for labor-intensive tasks such as maintaining and upgrading firewalls or doing log file analysis.
• Such an approach may cut the costs of handling these tasks while improving their overall efficiency.
• Managed security services may offer a range of antivirus, anti-spyware, and intrusion detection.
• Popular in small and medium-sized businesses but not with larger enterprises.
Encryption
• Encryption can be complicated to manage.
• Some IT department staff think encryption is complicated, expensive, or unnecessary.
• To minimize unneeded and unwanted encrypting, "pick your spots".
• Any place where data is portable and at risk.
• Email, or business processes like payroll and benefits.
• Encrypted data must remain easily searchable
Integration of Security with Software Development
• Many developers don't properly code their operating systems, applications, and network device software with security in mind, and enterprises that install the resulting software eventually pay the price.
• Vulnerabilities and attacks would be less pervasive if developers had better processes for identifying coding problems and other bugs that lead to security woes.
• CERT's Secure Coding Initiative - standards for developers to create safer and less error-prone software while also decreasing overall costs.
• ISO/IEC WG14 - the working group for the programming language C is developing standards based on a Microsoft library that remediates common programming errors.
Conclusion
• In conclusion, we have many tools and methods to keep our networks protected, but many times they are overlooked, ignored, or misused. As IT employees, it is our job to make sure security breaches are either brought under control in a timely fashion or nonexistent altogether. If not, we will be in for something catastrophic.
• "It doesn't make sense to lock your door if your window is rolled down."
Resources
• Reading, T. S. (2006, November 29). The 10 Most Overlooked Aspects of Security. Retrieved from Dark Reading: http://www.darkreading.com/document.asp?doc_id=111067&page_number=2
• SearchSecurity.com. (n.d.). Physical security. Retrieved from http://searchsecurity.techtarget.com: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1150976,00.html
• Sturgeon, W. (2004, April 28). Time to marry network and physical security. Retrieved from Silicon.com: http://software.silicon.com/security/0,39024655,39120304,00.htm