Chapter 9 Functional Policy: Physical Security and Social Engineering - PowerPoint PPT Presentation

Chapter 9 Functional Policy: Physical Security and Social Engineering CWSP Certification Official Study Guide (Exam PW0-200) SECOND EDITION – PowerPoint PPT presentation

Provided by: kryptonF

1
Chapter 9 Functional Policy
Physical Security and Social Engineering
  • CWSP
  • Certification Official Study Guide
  • (Exam PW0-200)
  • SECOND EDITION

2
CWSP Exam Objectives Covered
  • Describe appropriate installation locations for
    wireless LAN hardware in order to avoid physical
    theft and tampering, considering the following:
      • Security implications of remote placement of
        devices
      • Physical security for remote infrastructure
        devices
      • Secure remote connections to wireless LAN
        infrastructure devices
  • Perform a baseline analysis of a series of
    wireless LAN attack scenarios and discuss their
    impact on the organization. Attacks include the
    following:
      • Information theft and placement
      • PHY and MAC Denial of Service
      • Client hijacking
      • Protocol analysis (eavesdropping)
      • Social engineering
      • Infrastructure hardware theft
      • Access to unsecured console interfaces

3
Introduction
  • We will cover the basics of physical security so
    that you can create effective physical security
    policies.
  • We will also discuss social engineering in
    greater depth than we have in other chapters.
  • Social engineering is a common method used to
    circumvent both physical and technical security
    measures and we must be able to protect against
    it as best as possible.

4
Physical Security
  • Sometimes only physical security will suffice as
    a preventative measure against network attacks.
  • It begins with allowing only authorized personnel
    into and out of the organization's buildings.
  • Most medium and large office complexes now have
    some type of security.
  • It may include guards who monitor building
    entry/exit, card swiping, tailgating, etc.

5
Physical Security
  • More secure buildings require visitors to sign in,
    be authorized by the receiving company, and be
    escorted as they make their way around the
    building.
  • Receptionists can also provide another line of
    defense against would-be attackers.
  • Visitors who show up without appointments, or
    technicians who show up to repair or upgrade
    systems, should all be escorted throughout the
    facility, and only after someone else in the
    company has authorized that person to have
    access to the facility.
  • In addition to posting guards, physical security
    also includes locking doors, cabinets, and
    drawers and it may include video surveillance.

6
Physical Security
  • Like network security, physical security may be
    layered.
  • A guard can be placed at the entrance to the
    parking lot and another at the entrance to the
    building.
  • This creates layers or rings of security that
    make it more difficult for an attacker to get
    close to your building and wireless network.
  • The similarities to network security do not end
    with layering.
  • You can also employ authentication through the
    use of issued badges and authorization through
    the use of secure pass codes.
  • The same badge/card that gets the user into the
    parking lot can be used to get him or her into
    the building.
  • Once in the building, this card can limit an
    individual's entry to authorized areas.

7
Rogue Access Points and Ad Hoc Networks
  • A rogue access point can be placed on the wired
    network either intentionally but non-maliciously
    by an uneducated employee, or intentionally and
    maliciously by an attacker who has gained
    physical access to the premises.
  • An employee might install a rogue access point to
    have wireless LAN access in his or her work area.
  • This is a large breach in network security.
  • Prevention involves education about the risks of
    doing so, and such education should be a
    requirement.
  • This education should include information on the
    potential damage that can be caused by such rogue
    devices.

8
Rogue Access Points and Ad Hoc Networks
  • An attacker, who has illegally accessed the
    building to install an unauthorized access point,
    clearly intends to take some malicious action
    toward an organization.
  • Even if this intention is simply that of
    bandwidth theft for Internet access, the actions
    taken on the Internet could reflect negatively on
    the organization.
  • Keeping these individuals out of the facility in
    the first place is the best approach to
    eliminating the problem.
  • Increasing security against external intruders is
    mostly a matter of training internal staff to
    report suspicious activity and to question
    everything and everyone that is suspicious around
    them.

9
Rogue Access Points and Ad Hoc Networks
  • The security policy must include documentation on
    how rogues (including access points and ad hoc
    networks) will be found,
  • How often the area will be scanned for rogues,
    and
  • What to do when rogue devices are discovered.
  • Searches should be focused on network backbone
    segments as well as other areas
  • A device installed on the network backbone is
    very dangerous because it bypasses the perimeter
    firewalls
  • An IDS should be deployed

10
Rogue Access Points and Ad Hoc Networks: Wireless
Intrusion Detection System (WIDS)
  • WIDS will trigger alarms when rogue MAC addresses
    or foreign SSIDs are detected on the wired or
    wireless segments.
  • Attackers can use a variety of technologies and
    frequencies
  • WIDS cannot predict all possible human behavior
    and, therefore, an attacker may find a way to
    place a rogue and circumvent your WIDS security.
  • Physical inspection of areas that have Ethernet
    connections can help prevent such circumvention.
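As an added illustration (not code from the study guide), the following Python sketches the kind of rule a WIDS applies to an over-the-air scan: each observed BSS is checked against an authorized-AP inventory, ad hoc networks and unknown or impersonating SSIDs are flagged, and severity is raised when the rogue's MAC also shows up on the wired backbone. The inventory, wired MAC table, scan data and the five-octet prefix correlation are all constructed assumptions.

```python
"""Rogue AP / ad hoc classifier modelled on a WIDS rule (added example).
Assumption: a BSSID sharing its first five octets with a MAC learned on the
wired switch is treated as the same device attached to the wired network.
"""

# Constructed inventory of authorized APs: BSSID -> SSID it should broadcast.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "CorpWLAN",
    "00:11:22:aa:bb:02": "CorpWLAN",
    "00:11:22:aa:bb:03": "CorpGuest",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())

# Constructed MAC table pulled from the wired backbone switch.
WIRED_MACS = {"00:11:22:aa:bb:00", "00:11:22:aa:bb:02", "ca:fe:00:00:00:00"}

# Constructed over-the-air scan results (one dict per observed BSS).
SAMPLE_SCAN = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "CorpWLAN", "mode": "infrastructure"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpWLAN", "mode": "infrastructure"},
    {"bssid": "66:77:88:99:aa:bb", "ssid": "Free-Internet", "mode": "ad-hoc"},
    {"bssid": "00:11:22:aa:bb:03", "ssid": "CorpGuest", "mode": "infrastructure"},
    {"bssid": "ca:fe:00:00:00:01", "ssid": "linksys", "mode": "infrastructure"},
]

def on_wired_segment(bssid, wired_macs=WIRED_MACS):
    """True if the radio's MAC prefix matches a MAC learned on the wired side."""
    prefix = bssid.lower()[:14]  # first five octets, e.g. "ca:fe:00:00:00"
    return any(m.lower().startswith(prefix) for m in wired_macs)

def classify(entry):
    """Return (verdict, severity) for one scanned BSS; severity 0 = authorized."""
    bssid, ssid = entry["bssid"].lower(), entry["ssid"]
    if entry["mode"] == "ad-hoc":
        return "ad hoc network", 2        # an IBSS is never part of the infrastructure
    if bssid in AUTHORIZED_APS:
        if AUTHORIZED_APS[bssid] == ssid:
            return "authorized", 0
        return "authorized BSSID with unexpected SSID", 2   # misconfiguration or spoof
    if ssid in CORPORATE_SSIDS:
        verdict, severity = "rogue AP impersonating corporate SSID", 3
    else:
        verdict, severity = "unknown AP", 1
    if on_wired_segment(bssid):
        # A rogue bridged onto the backbone bypasses the perimeter firewall.
        return verdict + " (attached to wired backbone)", 4
    return verdict, severity

def find_rogues(scan=SAMPLE_SCAN):
    """List (bssid, verdict, severity) for every non-authorized BSS, worst first."""
    hits = [(e["bssid"], *classify(e)) for e in scan if classify(e)[1] > 0]
    return sorted(hits, key=lambda h: -h[2])
```

A real WIDS feeds this from continuous sensor data and switch polling rather than a static list; the physical inspection the slide recommends covers rogues on channels or radios the sensors do not watch.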

11
Rogue Access Points and Ad Hoc Networks: RF Jamming
and Data Flooding
  • Physical security measures can help prevent RF
    jamming and data flooding because the rings of
    layered physical security make it difficult for
    the attacker to get close enough to launch the
    attack.

12
Rogue Access Points and Ad Hoc Networks: RF Jamming
and Data Flooding
  • An RF jamming attack against a wireless LAN is
    more difficult to prevent, detect, or block.
  • If the attacker is on your property you can have
    him removed and arrested for trespassing
  • Otherwise you must prove that the interference is
    intentional
  • If the interference is unintentional the law
    will not help you.

14
Rogue Access Points and Ad Hoc Networks: RF Jamming
and Data Flooding
  • In places such as office buildings or companies
    that are located next to roads or in the vicinity
    of public places, there is nothing that can be
    done to prevent someone from jamming the wireless
    LAN.
  • The only foolproof method of avoiding an RF
    jamming attack is not to have a wireless LAN that
    uses unlicensed frequency bands.
  • It is rarely the case that the risk of such an
    attack outweighs the benefits of having a
    wireless LAN.

15
Rogue Access Points and Ad Hoc Networks: RF Jamming
and Data Flooding
  • A great amount of land located around a facility
    with a secure perimeter may also suffice because
    jamming signals would dissipate greatly before
    reaching the facility.
  • The same approach would work inside a facility
    using wire mesh substances like chicken wire or
    other RF shielding in the walls.
  • These prevention mechanisms are often impractical
    due to high costs, leaving most organizations
    completely exposed to an RF jamming attack.
  • This technology is sometimes called a Faraday
    cage or Faraday barrier. Materials can be
    purchased online to create such a device.

16
Rogue Access Points and Ad Hoc Networks: RF Jamming
and Data Flooding
  • The text suggests you confirm the Faraday
    effect:
  • Place your cell phone inside a microwave oven
    and close the door.
  • After a minute or so take the phone out and you
    will find it has lost signal from the carrier.
  • Don't turn the microwave oven on.

18
Hardware Placement and Security
  • When creating point-to-point or
    point-to-multipoint links, you will often need to
    place a wireless device in an open or public
    area.
  • Strategic placement of these devices can keep
    them from the view of the casual passer-by.
  • Good locations include
  • Rooftops with little visibility from the ground
  • Enclosures that look dull or nondescript
  • Antenna towers that are high and cause risk of
    obvious exposure should a thief attempt to climb
    them
  • Telephone pole-type structures that are very hard
    to climb without the proper equipment

19
Hardware Placement and Security: Link Design
  • You must consider link design.
  • The antennas must be placed where they have the
    necessary RF line of sight to the other end of
    the link.
  • The antennas will likely need to be exposed where
    they may be visible to a thief, but they can be
    located some distance from the wireless device,
    using buried cables and amplifiers to compensate
    for the distance.
  • This type of setup can make it difficult for a
    thief to locate what is often the more expensive
    part of the link: the wireless bridge.

20
Hardware Placement and Security: Physical Security
of Remote Devices
  • If you are using physical enclosure cabinets,
    they should be locked and use strong locks.
  • When mounting devices to poles or towers, they
    should be protected from the weather and securely
    fastened
  • You can secure mobile device enclosures with
    metal fasteners and even with locks and chains or
    straps.
  • When bridging devices are used in large indoor
    areas, such as warehouses and arenas, they should
    be secured in similar manner.

21
Social Engineering
  • An organization's employees are often the weakest
    link in any security solution.
  • Employee awareness, and training employees to
    recognize and prevent social engineering and
    hacking, is critical.
  • Lack of training often leads to employee laziness
    or lack of concern, which in turn leads to
    mistakes in dealing with social engineering
    attacks.
  • Many good books are available on social
    engineering tactics used by expert intruders.
  • Employees should be encouraged to read these
    books or attend a specialized course on social
    engineering prevention.
  • Since wireless LAN security technologies have
    advanced so rapidly, many hackers take advantage
    of employees' lack of education by using social
    engineering tactics.

22
Social Engineering Awareness
  • Hackers rely on employees being ignorant,
    forgetful, apathetic, or lazy to obtain the
    information they need to compromise an
    organization's security.
  • The immediate recognition of attempts at social
    engineering should be added to employee
    orientation,
  • even for temporary workers/consultants.

23
Social Engineering Awareness
  • Social engineering attacks come in many forms
    including the ones listed as follows.
  • Dumpster diving
  • Searching through the trash from an organization
    to locate useful information such as memos,
    company manuals, phone lists, organizational
    charts, and security codes or keys.
  • Phone calls
  • Information sought might include usernames,
    passwords, WEP keys or WPA preshared keys, and
    network information. Primary targets of phone
    call social engineering attacks are help desk
    personnel and contractors.

24
Social Engineering Awareness
  • Social engineering attacks come in many forms
    including the ones listed as follows.
  • Email
  • Reply-to and Sent-from email headers can easily
    be forged, making the email request look
    legitimate.
  • Security information sent via email should be
    encrypted.
  • Phishing is a common method of modern email-based
    social engineering. Emails are sent with graphics
    stolen from reputable websites like PayPal and
    eBay and request that the user click a link to
    update their profiles or other information.
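To make the forged-header point concrete, here is an added Python example (not from the study guide) that runs a few awareness-style checks over a constructed message: a Reply-To domain that differs from the From domain, a body asking for credentials or WLAN key material, and links whose host lies outside the organization's domain. The sample message, the internal domain example.com and the keyword list are assumptions.

```python
"""Header and body consistency checks for the forged-header phishing pattern
(added example). Assumes the organization's own mail domain is example.com."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumed organization domain

# Constructed sample message imitating the pattern described on the slide:
# a legitimate-looking From, a foreign Reply-To, and a look-alike link.
SAMPLE_MAIL = """\
From: "IT Help Desk" <helpdesk@example.com>
Reply-To: helpdesk@examp1e-support.net
Subject: Action required: WLAN key rotation
Content-Type: text/plain

Our WPA key changes tonight. Reply with your current key so we can migrate you,
or update your profile at http://example.com.account-verify.example.net/login
"""

# Terms a help desk should never be asked for over plain email (assumed list).
SENSITIVE = re.compile(r"\b(password|wep key|wpa|preshared key|psk)\b", re.I)

def domain_of(addr_header):
    """Domain part of an address header, or "" when the header is absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def check_message(raw):
    """Return a list of warning strings; an empty list means no red flag found."""
    msg = message_from_string(raw)
    warnings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_payload()
    if SENSITIVE.search(body):
        warnings.append("body requests credential or key material")
    for url in re.findall(r"https?://\S+", body):
        host = url.split("//", 1)[1].split("/", 1)[0].lower()
        # "example.com.evil.net" is not a subdomain of example.com; only a
        # host equal to, or ending in ".", the internal domain passes.
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            warnings.append(f"link host {host} is outside {INTERNAL_DOMAIN}")
    return warnings
```

These checks catch the obvious inconsistencies only; a From header that is itself forged to an internal address looks clean here, which is why the slide recommends encrypted (and authenticated) channels for security information rather than trusting headers.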

25
Social Engineering Awareness
  • Social engineering attacks come in many forms
    including the ones listed as follows.
  • Instant messaging is used in enterprises for
    quick inter-departmental communication.
  • Many organizations use a standard naming
    convention for Instant Messaging names.
  • If a social engineer gathers a phone directory
    and information on the standard naming convention
    for IM,
  • Then the attacker can masquerade as a legitimate
    employee and request information from authorized
    sources.

26
Social Engineering: Prevention
  • Customer support centers and help desks were
    created to provide help
  • The support specialists usually forget or ignore
    advice on preventing social engineering because
    they are trying to do their jobs.

27
Social Engineering: Prevention
  • Customer support centers and help desks were
    created to provide help
  • Some of the procedures support and administrative
    personnel should adhere to include
  • Positively identify the person that is calling or
    requesting help
  • Use established, secure channels for passing
    security information (such as encrypted email)
  • Report suspicious activity or phone calls
  • Establish procedures that eliminate password
    exchanges. An administrator should never ask a
    user for his password, nor even be able to view
    any password on the system.
  • Shred company documents before throwing them in
    the trash

28
Social Engineering: Audits
  • One way in which organizations can reduce the
    threat of social engineering is to have their
    defenses tested for weaknesses.
  • Penetration tests by security professionals
    should include
  • social engineering attacks against organizational
    staff.
  • The test could cover only the basics of wireless
    LAN security such as asking for passwords, WEP
    keys, and network security solutions currently
    deployed.
  • The test can also be more comprehensive in order
    to determine as much information as possible for
    a thorough report.
  • Many organizations hesitate to perform this type
    of audit because it can make employees
    uncomfortable and even angry if the attack
    succeeds. It is important to handle results of
    these audits tactfully.

29
Social Engineering: Reporting
  • Reports that are generated as part of security
    monitoring procedures can provide valuable
    information on how the network is being utilized
    as well as where attacks are occurring.
  • The reports are only of value when they are
    consistently reviewed in a timely manner.
  • Security reports that sit on the desk of an
    administrator are useless if they permit an
    attacker to access the network freely until
    someone notices.
  • A proper reporting policy will include
  • Information on who (what organizational position)
    is accountable for generating the reports and
  • Who is responsible for reading the reports.
  • Training should also be required for the
    reviewers.

30
Social Engineering: Response Procedures
  • When attacks are discovered on a wireless
    network, the proper response can prevent the
    attack from occurring again.
  • 1. Positive identification - Reports can
    indicate both real attacks and false positives.
  • 2. Confirmed attack - Upon determining that an
    attack has taken place,
  • Damage must be assessed and confirmed, and the
    appropriate manager(s) should be notified.
  • This notification list may include the director
    of network operations or quite often senior
    executives in the organization.
  • The level of severity will usually determine who
    is notified first.

31
Social Engineering: Response Procedures
  • 3. Immediate action - If an attack is severe,
    the wireless segment under attack may have to be
    taken off line.
  • The documented wireless LAN security policy
    should dictate appropriate procedures for each
    type of attack scenario.
  • 4. Documentation
  • All attack findings should be thoroughly
    documented in a standard form
  • This documentation will later be used for a full
    report to be given to executive management and
    legal counsel.

32
Social Engineering: Response Procedures
  • 5. Reporting
  • If malicious activity and/or data theft has taken
    place,
  • the appropriate authorities should be notified to
    record the incident in case any arrests need to
    be made at a future time.
  • Corporate legal counsel, police, and even IT
    forensics experts may be needed in this situation.