Lesson 8: The Impact of Physical Security on Network Security

Provided by: Hur8

1
Lesson 8: The Impact of Physical Security on
Network Security
2
Background
  • Businesses have the responsibility of attempting
    to secure their profitability.
  • They need to secure:
      • Employees
      • Product inventory
      • Trade secrets
      • Strategy information
  • ChoicePoint identity theft - One other
    interesting item to note in the ChoicePoint
    breach is the company's position that this was
    not a network security breach, or a "hack."

3
Physical Access
  • Physical access negates all other security
    measures.
  • Physical access allows an attacker to plug into
    an open Ethernet port with a wireless device and
    bypass internally based firewalls and IDS.
  • A simple attack that can be used with physical
    access is to use a boot disk: floppy, CD-ROM or
    USB drive.
  • Information can be recorded from keyloggers and
    keyboard activity.
  • Changes to the operating system give control to
    others.
  • The password file can be cracked.

4
Boot Disk and Imaging
  • Bootable CD-ROMs may contain a bootable version
    of an entire operating system complete with
    drivers (Knoppix and Auditor).
  • Drive imaging - it doesn't change the hard drive
    and leaves no trace of the crime. Used in
    forensic work.
  • A simpler version of the drive imaging attack is
    outright theft of computers.
  • Theft of computers, using a boot disk to erase
    all data, or unplugging computers is more
    effective as a physical DoS attack than a
    network DoS attack.

5
Policy and Procedures
  • Policy and procedures for both computers and
    users must be in place to mitigate the risk.
  • Computers:
      • Remove or disable floppy drives on all desktops
        that do not require them.
      • Remove or disable the CD-ROM/DVD-ROM as it can
        boot or auto-run.
      • Password-protect the BIOS.
      • Disable USB devices if possible. If not, educate
        users regarding the dangers. USB ports expand the
        ability for users to connect devices and have
        them auto-recognize and work without additional
        drivers or software.
      • Physically secure the computer - Special access
        to server rooms should be considered. There
        should be minimal distribution of sensitive data.

6
Policy and Procedures
  • Users: the weakest link in the security chain
      • Need to be aware of security issues
      • Need to be involved in security enforcement
      • Need to know who to contact
      • Secure their computers when they walk away
  • Security guards need to be educated about proper
    network security as well as physical security.
    For example:
      • Multiple extensions ringing in sequence in the
        middle of the night
      • Strange people in the parking lot with laptops
      • Computers rebooting frequently

7
Access Controls
  • Access control means physical barriers.
  • Layered access provides several perimeters around
    assets.
  • Servers placed in a secure area with separate
    authentication method
  • Access to servers by authorized personnel only
  • Server room should be limited to IT staff
  • Electronic access systems need to be secured and
    not part of the corporate network.

8
Closed Circuit TV and Authentication
  • CCTVs can be very effective, but should be
    implemented carefully.
  • IP-based CCTVs and IP-based cameras:
      • Have access to the internet and are a security
        risk.
      • Should be placed on their own network and
        accessed by security personnel only.
  • Access controls, network or physical, do not work
    without some form of authentication.
  • Access tokens (keys) are the traditional form of
    physical access authentication. Some of the
    limitations of keys are:
      • They are difficult to change.
      • They are easy to copy.
      • They are difficult to invalidate.

9
Smart Cards and Biometrics
  • Smart cards:
      • Advantage - can enable cryptographic type of
        authentication.
      • Disadvantage - primary drawback is that the token
        is actually being authenticated.
  • Biometrics is the measurement of biological
    factors for identifying a specific person.
  • These factors are based upon parts of the human
    body that are unique. A computer takes the image
    of the factor (analog) and reduces it to a
    numeric value (digitizes it).
  • When users enter an area, they get re-scanned by
    the reader, and the computer compares the numeric
    value being read to the one stored in the
    database.
  • Since these factors are unique, theoretically
    only the authorized persons can open the door.

10
Biometric Errors
  • Biometric problems: an analog factor may not
    encode (digitize) the same way twice. Therefore,
    systems allow some error in the scan while not
    allowing too much.
  • This introduces the concept of false positives
    and false negatives.
  • A false positive: the biometric system allows
    access to an unauthorized individual.
  • A false negative: the biometric system denies
    access to someone who is authorized.
  • Stolen Factors (fingerprint from glass).
  • There is a chance of attackers stealing the
    uniqueness factor the machine scans and
    reproducing it to fool the scanner.
  • Parts of the human body can change, forcing the
    biometric system to allow a higher tolerance for
    variance in the biometric being read.
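
Added example (not part of the original slides): the tolerance trade-off described above, worked through in Python. The templates, scans and the sum-of-differences distance are constructed assumptions for illustration; real biometric systems use their own feature encodings and matchers.

```python
"""Tolerance trade-off in biometric matching (all values constructed)."""

ENROLLED = (120, 85, 200, 64)   # numeric template stored at enrollment

# Re-scans of the authorized user: the analog factor never digitizes
# identically, and the last scan models a body change (e.g. a cut finger).
GENUINE = [(121, 84, 199, 65), (118, 86, 203, 64), (123, 88, 198, 62),
           (120, 80, 205, 66), (114, 90, 206, 60)]
# Scans from other people presented against the same enrolled template.
IMPOSTOR = [(128, 80, 195, 69), (110, 95, 210, 70), (125, 89, 204, 60),
            (140, 60, 180, 90), (100, 99, 220, 50)]


def distance(scan, template=ENROLLED):
    """Sum of absolute differences between a scan and the template."""
    return sum(abs(s - t) for s, t in zip(scan, template))


def error_rates(tolerance):
    """Return (false_positive_rate, false_negative_rate) at a tolerance."""
    false_pos = sum(distance(s) <= tolerance for s in IMPOSTOR)
    false_neg = sum(distance(s) > tolerance for s in GENUINE)
    return false_pos / len(IMPOSTOR), false_neg / len(GENUINE)


def tolerance_to_admit_all_genuine():
    """Smallest tolerance with no false negatives, and what it costs."""
    tol = max(distance(s) for s in GENUINE)
    return tol, error_rates(tol)[0]


if __name__ == "__main__":
    for tol in (5, 12, 21, 25):
        fp, fn = error_rates(tol)
        print(f"tolerance={tol:>2}  false positive={fp:.0%}  "
              f"false negative={fn:.0%}")
    print("admit every genuine scan:", tolerance_to_admit_all_genuine())
```

Raising the tolerance far enough to accept the changed scan is what lets the closest impostor scan through, which is the reason a second authentication factor is paired with biometrics.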

11
Multiple Factor Authentication
  • Authentication can be separated into three broad
    categories:
      • What you are (for example, biometrics)
      • What you have (for example, tokens)
      • What you know (for example, passwords)
  • Multiple factor authentication is simply the
    combination of two or more types of
    authentication.
  • Multiple factor authentication makes it very
    difficult for an attacker to have the correct
    materials for authentication.
  • This method of authentication reduces risk of
    stolen tokens.
  • It also enhances biometric security.

12
Radio Frequency Cards
  • When contactless radio frequency cards (RFID)
    are passed near a card reader, the card sends out
    a code via radio. The reader picks up this code
    and transmits it to the control panel. The
    control panel checks the code against the reader
    it is being read from and the type of access the
    card has in its database.
  • Advantages of Radio Frequency Cards
  • Any card can be deleted from the system.
  • Some people think they are going to be used by
    the government to track humans.
    http://www.wired.com/news/technology/0,70308-0.html?twrss.index