Title: Chapter 9 Functional Policy: Physical Security and Social Engineering
1 Chapter 9 Functional Policy: Physical Security and Social Engineering
- CWSP Certification Official Study Guide (Exam PW0-200), Second Edition
2 CWSP Exam Objectives Covered
- Describe appropriate installation locations for wireless LAN hardware in order to avoid physical theft and tampering, considering the following:
  - Security implications of remote placement of devices
  - Physical security for remote infrastructure devices
  - Secure remote connections to wireless LAN infrastructure devices
- Perform a baseline analysis of a series of wireless LAN attack scenarios and discuss their impact on the organization. Attacks include the following:
  - Information theft and placement
  - PHY and MAC Denial of Service
  - Client hijacking
  - Protocol analysis (eavesdropping)
  - Social engineering
  - Infrastructure hardware theft
  - Access to unsecured console interfaces
3 Introduction
- We will cover the basics of physical security so that you can create effective physical security policies.
- We will also discuss social engineering in greater depth than we have in other chapters.
- Social engineering is a common method used to circumvent both physical and technical security measures, and we must be able to protect against it as well as possible.
4 Physical Security
- Sometimes only physical security will suffice as a preventative measure against network attacks.
- It begins with allowing only authorized personnel into and out of the organization's buildings.
- Most medium and large office complexes now have some type of security. It may include guards who monitor:
  - building entry/exit,
  - card swiping,
  - tailgating, etc.
5 Physical Security
- More secure buildings require visitors to:
  - sign in,
  - be authorized by the receiving company, and
  - be escorted as they make their way around the building.
- Receptionists can also provide another line of defense against would-be attackers.
- Visitors who show up without appointments, or technicians who show up to repair or upgrade systems, should all be escorted throughout the facility, and only after someone else in the company has authorized that person to have access to the facility.
- In addition to posting guards, physical security also includes locking doors, cabinets, and drawers, and it may include video surveillance.
6 Physical Security
- Like network security, physical security may be layered.
- A guard can be placed at the entrance to the parking lot and another at the entrance to the building.
- This creates layers or rings of security that make it more difficult for an attacker to get close to your building and wireless network.
- The similarities to network security do not end with layering.
- You can also employ authentication through the use of issued badges and authorization through the use of secure pass codes.
- The same badge/card that gets the user into the parking lot can be used to get him or her into the building.
- Once in the building, this card can limit an individual's entry to authorized areas.
7 Rogue Access Points / Ad Hoc Networks
- A rogue access point can be placed on the wired network either:
  - intentionally but non-maliciously by an uneducated employee, or
  - intentionally and maliciously by an attacker who has gained physical access to the premises.
- An employee might install a rogue access point to have wireless LAN access in his or her work area.
- This is a large breach in network security.
- Prevention involves education: training about the risks of doing so should be a requirement.
- This education should include information on the potential damage that can be caused by such rogue devices.
8 Rogue Access Points / Ad Hoc Networks
- An attacker who has illegally accessed the building to install an unauthorized access point clearly intends to take some malicious action toward an organization.
- Even if this intention is simply that of bandwidth theft for Internet access, the actions taken on the Internet could reflect negatively on the organization.
- Keeping these individuals out of the facility in the first place is the best approach to eliminating the problem.
- Increasing security against external intruders is mostly a matter of training internal staff to report suspicious activity and to question everything and everyone that is suspicious around them.
9 Rogue Access Points / Ad Hoc Networks
- The security policy must include documentation on:
  - how rogues (including access points and ad hoc networks) will be found,
  - how often the area will be scanned for rogues, and
  - what to do when rogue devices are discovered.
- Searches should be focused on network backbone segments as well as other areas.
- A device installed on the network backbone is very dangerous because it bypasses the perimeter firewalls.
- An IDS should be deployed.
10 Rogue Access Points / Ad Hoc Networks: Wireless Intrusion Detection System (WIDS)
- A WIDS will trigger alarms when rogue MAC addresses or foreign SSIDs are detected on the wired or wireless segments.
- Attackers can use a variety of technologies and frequencies.
- A WIDS cannot predict all possible human behavior and, therefore, an attacker may find a way to place a rogue and circumvent your WIDS security.
- Physical inspection of areas that have Ethernet connections can help prevent such circumvention.
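As an added example (not code from the study guide), here is the classification a WIDS applies to each beacon it observes, in Python, covering the two alarm conditions above (unknown MAC address, foreign SSID) plus the ad hoc beacons and the backbone-attached rogues the policy slide asks to be found. The inventory, the MAC addresses, the SSIDs and the wired-side correlation heuristic in `on_wire` are all constructed assumptions.

```python
from dataclasses import dataclass

# Authorized AP inventory, BSSID -> (SSID, channel). All values constructed.
AUTHORIZED = {"02:1a:2b:3c:4d:01": ("CORP-WLAN", 1),
              "02:1a:2b:3c:4d:02": ("CORP-WLAN", 6),
              "02:1a:2b:3c:4d:03": ("CORP-WLAN", 11)}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

@dataclass
class Beacon:            # one beacon frame as a wireless sensor summarizes it
    bssid: str
    ssid: str
    channel: int
    ibss: bool = False   # capability field marks an ad hoc (IBSS) network

def on_wire(bssid: str, wired_macs: set[str], max_offset: int = 8) -> bool:
    # Heuristic, an assumption of this example: APs often derive BSSIDs from the
    # wired-port MAC by a small last-octet offset, so a near match is on our LAN.
    prefix, last = bssid[:-2], int(bssid[-2:], 16)
    return any(m[:-2] == prefix and abs(int(m[-2:], 16) - last) <= max_offset
               for m in wired_macs)

def classify(b: Beacon, wired_macs: set[str]) -> str:
    """Alarm class for one beacon, tested in the order a WIDS would."""
    bssid = b.bssid.lower()
    if b.ibss:                          # peer-to-peer network, never authorized
        return "ad-hoc"
    if bssid in AUTHORIZED:             # our AP; is its config still as recorded?
        ssid, ch = AUTHORIZED[bssid]
        return "authorized" if (b.ssid, b.channel) == (ssid, ch) else "misconfigured"
    if b.ssid in CORPORATE_SSIDS:       # our SSID advertised by a foreign radio
        return "evil-twin"
    if on_wire(bssid, wired_macs):      # foreign SSID plugged into our backbone
        return "rogue-wired"
    return "neighbor"                   # foreign SSID, not on our wire

def alarms(beacons: list[Beacon], wired_macs: set[str]) -> list[tuple[str, str]]:
    # Everything that is not an authorized AP feeds the rogue-handling procedure.
    return [(b.bssid, c) for b in beacons if (c := classify(b, wired_macs)) != "authorized"]

# Constructed scan results and switch MAC-table entries for a stand-alone run.
SCAN = [Beacon("02:1a:2b:3c:4d:01", "CORP-WLAN", 1),
        Beacon("02:1a:2b:3c:4d:02", "CORP-WLAN", 11),            # channel changed
        Beacon("02:5d:4c:aa:bb:cc", "CORP-WLAN", 6),             # our SSID, unknown radio
        Beacon("02:9f:c2:11:22:39", "linksys", 6),               # wired MAC ...:3a seen
        Beacon("02:11:22:33:44:55", "Free-WiFi", 1, ibss=True),
        Beacon("02:c6:8e:77:88:99", "CoffeeShop", 11)]
WIRED_MACS = {"02:9f:c2:11:22:3a", "02:1a:2b:3c:4d:05"}
if __name__ == "__main__":
    print(*alarms(SCAN, WIRED_MACS), sep="\n")
```

The "neighbor" class is why physical inspection still matters: a rogue whose wired MAC does not resemble its BSSID is indistinguishable from a nearby business until someone walks the Ethernet drops.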
11 Rogue Access Points / Ad Hoc Networks: RF Jamming / Data Flooding
- Physical security measures can help prevent RF jamming and data flooding because the rings of layered physical security make it difficult for the attacker to get close enough to launch the attack.
12 Rogue Access Points / Ad Hoc Networks: RF Jamming / Data Flooding
- An RF jamming attack against a wireless LAN is more difficult to prevent, detect, or block.
- If the attacker is on your property, you can have him removed and arrested for trespassing.
- Otherwise you must prove that the interference is intentional.
- If the interference is unintentional, the law will not help you.
14 Rogue Access Points / Ad Hoc Networks: RF Jamming / Data Flooding
- In places such as office buildings or companies that are located next to roads or in the vicinity of public places, there is nothing that can be done to prevent someone from jamming the wireless LAN.
- The only foolproof method of avoiding an RF jamming attack is not to have a wireless LAN that uses unlicensed frequency bands.
- It is rarely the case that the risk of such an attack outweighs the benefits of having a wireless LAN.
15 Rogue Access Points / Ad Hoc Networks: RF Jamming / Data Flooding
- A great amount of land located around a facility with a secure perimeter may also suffice, because jamming signals would dissipate greatly before reaching the facility.
- The same approach would work inside a facility using wire mesh substances like chicken wire or other RF shielding in the walls.
- These prevention mechanisms are often impractical due to high costs, leaving most organizations completely exposed to an RF jamming attack.
- This technology is sometimes called a Faraday cage or Faraday barrier. Materials can be purchased online to create such a device.
16 Rogue Access Points / Ad Hoc Networks: RF Jamming / Data Flooding
- The text suggests you confirm the Faraday effect yourself:
  - Place your cell phone inside a microwave oven and close the door.
  - After a minute or so, take the phone out and you will have lost signal from the carrier.
  - Don't turn the microwave oven on.
18 Hardware Placement and Security
- When creating point-to-point or point-to-multipoint links, you will often need to place a wireless device in an open or public area.
- Strategic placement of these devices can keep them from the view of the casual passer-by.
- Good locations include:
  - Rooftops with little visibility from the ground
  - Enclosures that look dull or nondescript
  - Antenna towers that are high and pose an obvious risk of exposure should a thief attempt to climb them
  - Telephone pole-type structures that are very hard to climb without the proper equipment
19 Hardware Placement and Security: Link Design
- You must consider link design.
- The antennas must be placed where they have the necessary RF line of sight to the other end of the link.
- The antennas will likely need to be exposed where they may be visible to a thief, but they can be located some distance from the wireless device, using buried cables and amplifiers to compensate for the distance.
- This type of setup can make it difficult for a thief to locate what is often the more expensive part of the link: the wireless bridge.
20 Hardware Placement and Security: Physical Security of Remote Devices
- If you are using physical enclosure cabinets, they should be locked and use strong locks.
- When mounting devices to poles or towers, they should be protected from the weather and securely fastened.
- You can secure mobile device enclosures with metal fasteners and even with locks and chains or straps.
- When bridging devices are used in large indoor areas, such as warehouses and arenas, they should be secured in a similar manner.
21 Social Engineering
- An organization's employees are often the weakest link in any security solution.
- Employee awareness, and training employees to recognize and prevent social engineering and hacking, is critical.
- Lack of training often leads to employee laziness or lack of concern, which leads to mistakes in dealing with social engineering attacks.
- Many good books are available on the social engineering tactics used by expert intruders.
- Employees should be encouraged to read these books or attend a specialized course on social engineering prevention.
- Since wireless LAN security technologies have advanced so rapidly, many hackers take advantage of employees' lack of education by using social engineering tactics.
22 Social Engineering: Awareness
- Hackers rely on employees being ignorant, forgetful, apathetic, or lazy to obtain the information they need to compromise an organization's security.
- The immediate recognition of attempts at social engineering should be added to employee orientation, even for temporary workers/consultants.
23 Social Engineering: Awareness
- Social engineering attacks come in many forms, including the ones listed as follows.
- Dumpster diving
  - Searching through the trash from an organization to locate useful information such as memos, company manuals, phone lists, organizational charts, and security codes or keys.
- Phone calls
  - Information sought might include usernames, passwords, WEP keys or WPA preshared keys, and network information. Primary targets of phone call social engineering attacks are help desk personnel and contractors.
24 Social Engineering: Awareness
- Social engineering attacks come in many forms, including the ones listed as follows.
- Email
  - Reply-to and sent-from email headers can easily be forged, making the email request look legitimate.
  - Security information sent via email should be encrypted.
  - Phishing is a common method of modern email-based social engineering. Emails are sent with graphics stolen from reputable websites like PayPal and eBay and request that the user click a link to update their profile or other information.
25 Social Engineering: Awareness
- Social engineering attacks come in many forms, including the ones listed as follows.
- Instant messaging
  - Instant messaging is used in enterprises for quick inter-departmental communication.
  - Many organizations use a standard naming convention for instant messaging names.
  - If a social engineer gathers a phone directory and information on the standard naming convention for IM, then the attacker can masquerade as a legitimate employee and request information from authorized sources.
26 Social Engineering: Prevention
- Customer support centers and help desks were created to provide help.
- The support specialists usually forget or ignore advice on preventing social engineering because they are trying to do their jobs.
27 Social Engineering: Prevention
- Customer support centers and help desks were created to provide help.
- Some of the procedures support and administrative personnel should adhere to include:
  - Positively identify the person who is calling or requesting help.
  - Use established, secure channels for passing security information (such as encrypted email).
  - Report suspicious activity or phone calls.
  - Establish procedures that eliminate password exchanges. An administrator should never ask a user for his password, nor even be able to view any password on the system.
  - Shred company documents before throwing them in the trash.
28 Social Engineering: Audits
- One way in which organizations can reduce the threat of social engineering is to have their defenses tested for weaknesses.
- Penetration tests by security professionals should include social engineering attacks against organizational staff.
- The test could cover only the basics of wireless LAN security, such as asking for passwords, WEP keys, and the network security solutions currently deployed.
- The test can also be more comprehensive in order to gather as much information as possible for a thorough report.
- Many organizations hesitate to perform this type of audit because it can make employees uncomfortable and even angry if the attack succeeds. It is important to handle the results of these audits tactfully.
29 Social Engineering: Reporting
- Reports that are generated as part of security monitoring procedures can provide valuable information on how the network is being utilized as well as where attacks are occurring.
- The reports are only of value when they are consistently reviewed in a timely manner.
- Security reports that sit on the desk of an administrator are useless if they permit an attacker to access the network freely until someone notices.
- A proper reporting policy will include:
  - information on who (what organizational position) is accountable for generating the reports, and
  - who is responsible for reading the reports.
- Training should also be required for the reviewers.
30 Social Engineering: Response Procedures
- When attacks are discovered on a wireless network, the proper response can prevent the attack from occurring again.
- 1. Positive identification: reports can indicate attacks as well as false positives.
- 2. Confirmed attack: upon determining that an attack has taken place,
  - damage must be assessed and confirmed, and the appropriate manager(s) should be notified.
  - This notification list may include the director of network operations or, quite often, senior executives in the organization.
  - The level of severity will usually determine who is notified first.
31 Social Engineering: Response Procedures
- 3. Immediate action: if an attack is severe,
  - the wireless segment under attack may have to be taken offline.
  - The documented wireless LAN security policy should dictate appropriate procedures for each type of attack scenario.
- 4. Documentation
  - All attack findings should be thoroughly documented in a standard form.
  - This documentation will later be used for a full report to be given to executive management and legal counsel.
32 Social Engineering: Response Procedures
- 5. Reporting
  - If malicious activity and/or data theft has taken place, the appropriate authorities should be notified to record the incident in case any arrests need to be made at a future time.
  - Corporate legal counsel, police, and even IT forensics experts may be needed in this situation.