Security+ SY0 301 chapter 7


Document information: 23 pages, 350.91 KB

Contents

PART III Security in the Infrastructure

CHAPTER 7 Physical Security

(From CompTIA Security+ All-in-One Exam Guide, Third Edition)

In this chapter, you will
• Describe how physical security directly affects computer and network security
• Discuss steps that can be taken to help mitigate physical security risks
• Review nontraditional security elements such as HVAC systems and fire suppression
• Understand electronic access controls and the principles of convergence

For most American homes, locks are the primary means of achieving physical security, and almost every American locks the doors to his or her home upon leaving the residence. Some go even further and set up intrusion alarm systems in addition to locks. All these precautions are considered necessary because people believe they have something significant inside the house that needs to be protected, such as important possessions and important people.

Physical security is an important topic for businesses dealing with the security of information systems. Businesses are responsible for securing their profitability, which requires a combination of several aspects: they need to secure employees, product inventory, trade secrets, and strategy information. These and other important assets affect the profitability of a company and its future survival. Companies therefore perform many activities to attempt to provide physical security: locking doors, installing alarm systems, using safes, posting security guards, setting access controls, and more. Most companies today have committed a large amount of effort to network security and information systems security. In this chapter, you will learn how these two security efforts are linked, and you will learn several methods by which companies can minimize their exposure to physical security events that can diminish their network security.

The Security Problem

The problem that faces professionals charged with securing a company's network can be stated rather simply: physical access negates all other security measures. No matter how impenetrable the firewall and intrusion detection system (IDS), if an attacker can find a way to walk up to and touch a server, he can break into it. The more remarkable thing is that gaining physical access to a number of machines is not that difficult.

Consider that most network security measures are, from necessity, directed at protecting a company from the Internet. This fact results in a lot of companies allowing any kind of traffic on the local area network (LAN). So if an attacker attempts to gain access to a server over the Internet and fails, he may be able to gain physical access to the receptionist's machine, and by quickly compromising it, he can use it as a remotely controlled zombie to attack what he is really after. Physically securing information assets doesn't mean just the servers; it means protecting the physical access to all the organization's computers and its entire network infrastructure.

Physical access to a corporation's systems can allow an attacker to perform a number of interesting activities, starting with simply plugging into an open Ethernet jack. The advent of handheld devices with the ability to run operating systems with full networking support has made this attack scenario even more feasible. Prior to handheld devices, the attacker would have to work in a secluded area with dedicated access to the Ethernet for a time. The attacker would sit down with a laptop and run a variety of tools against the network, and working internally typically put the attacker behind the firewall and IDS. Today's capable PDAs can assist these efforts by allowing attackers to place the small device onto the network to act as a wireless bridge. The attacker can then use a laptop to attack the network remotely via the bridge from outside the building. If power is available near the Ethernet jack, this type of attack can also be accomplished with an off-the-shelf access point. The attacker's only challenge is finding an Ethernet jack that isn't covered by furniture or some other obstruction.

Another simple attack that can be used when an attacker has physical access is called a bootdisk. Before bootable CD-ROMs or DVD-ROMs were available, a boot floppy was used to start the system and prepare the hard drives to load the operating system. Since many machines still have floppy drives, boot floppies can still be used. These floppies can contain a number of programs, but the most typical ones would be NTFSDOS or a floppy-based Linux distribution that can be used to perform a number of tasks, including mounting the hard drives and performing at least read operations. Once an attacker is able to read a hard drive, the password file can be copied off the machine for offline password cracking attacks. If write access to the drive is obtained, the attacker could alter the password file or place a remote control program to be executed automatically upon the next boot, guaranteeing continued access to the machine.

Bootable CD-ROMs and DVD-ROMs are a danger for the same reason, perhaps even more so, because they can carry a variety of payloads such as malware or even entire operating systems. An operating system designed to run the entire machine from an optical disc without using the hard drive is commonly referred to as a LiveCD. LiveCDs contain a bootable version of an entire operating system, typically a variant of Linux, complete with drivers for most devices. LiveCDs give an attacker a greater array of tools than could be loaded onto a floppy disk. For example, an attacker would likely have access to the hard disk and also to an operational network interface that would allow him to send the drive data over the Internet if properly connected. These bootable operating systems could also be custom built to contain any tool that runs under Linux, allowing an attacker to carry a standard bootable attack image or a standard bootable forensics image, or something customized for the tools he likes to use.

Bootable USB flash drives emulate the function of a CD-ROM and provide a device that is both physically smaller and logically larger. Flash drives are now commonly available that provide 32 gigabytes of storage, with more expensive versions stretching that capacity to 64, 128, and even 256 GB. Electronic miniaturization has made these devices small enough to be unnoticed; a recent version extends only 5 mm from the USB port. Made bootable, these devices can contain entire specialized operating systems, and unlike a bootable CD-ROM, these devices can also be written to, providing an offload point for collected data if an attacker chooses to leave the device and return later.

These types of devices have spawned a new kind of attack in which a CD, DVD, or flash drive is left in an opportunistic place near an organization. This CD or flash drive is typically loaded with malware and is referred to as a road apple. The attack relies on curious people plugging the device into their work computer to see what's on it; occasionally the attacker may also try to tempt the passerby with enticing labels like "Employee Salaries" or something as simple as "Confidential." Once a user loads the CD-ROM, the malware will attempt to infect the machine.

The use of bootdisks of all types leads to the next area of concern: creating an image of the hard drive for later investigation. Some form of bootable media is often used to load the imaging software. Drive imaging is the process of copying the entire contents of a hard drive to a single file on a different media. This process is often used by people who perform forensic investigations of computers. Typically, a bootable media is used to start the computer and load the drive imaging software. This software is designed to make a bit-by-bit copy of the hard drive to a file on another media, usually another hard drive or CD-R/DVD-R media. Drive imaging is used in investigations to make an exact copy that can be observed and taken apart, while keeping the original exactly as it was for evidence purposes.

From an attacker's perspective, drive imaging software is useful because it pulls all information from a computer's hard drive while still leaving the machine in its original state. The information contains every bit of data that was on this computer: any locally stored documents, locally stored e-mails, and every other piece of information that the hard drive contained. This data could be very valuable if the machine held sensitive information about the company. Physical access is the most common way of imaging a drive, and the biggest benefit for the attacker is that drive imaging leaves absolutely no trace of the crime. While you can do very little to prevent drive imaging, you can minimize its impact. The use of encryption even for a few important files will provide protection. Full encryption of the drive will protect all files stored on it. Alternatively, placing files on a centralized file server will keep them from being imaged from an individual machine, but if an attacker is able to image the file server, the data will be copied.

EXAM TIP Drive imaging is a threat because all existing access controls to data can be bypassed and all the data once stored on the drive can be read from the image.

An even simpler version of the drive imaging attack is to steal the computer outright. Computer theft typically occurs for monetary gain, the thief later selling his prize. We're concerned with the theft of a computer to obtain the data it holds, however. While physical thievery is not a technical attack, it is often carried out in conjunction with a bit of social engineering; for example, the thief might appear to be a legitimate computer repair person and may be allowed to walk out of the building with a laptop or other system in his possession. For anyone who discounts this type of attack, consider this incident: in Australia, two individuals entered a government computer room and managed to walk off with two large servers. They not only escaped with two valuable computers, but they got the data they contained as well.

A denial-of-service (DoS) attack can also be performed with physical access. Physical access to the computers can be much more effective than a network-based DoS. The theft of a computer, using a bootdisk to erase all data on the drives, or simply unplugging computers are all effective DoS attacks. Depending on the company's quality and frequency of backing up critical systems, a DoS attack using these methods can have lasting effects.

Physical access can negate almost all the security that the network attempts to provide. Considering this, you must determine the level of physical access that attackers might obtain. Of special consideration are persons with authorized access to the building but who are not authorized users of the systems. Janitorial personnel and others have authorized access to many areas, but they do not have authorized system access. An attacker could pose as one of these individuals or attempt to gain access to the facilities through them.

Physical Security Safeguards

While it is difficult, if not impossible, to be totally secure, many steps can be taken to mitigate the risk to information systems from a physical threat. The following sections discuss policies and procedures as well as access control methods. Then the chapter explores various authentication methods and how they can help protect against physical threats.

Walls and Guards

The primary defense against a majority of physical attacks is the barriers between the assets and a potential attacker: walls and doors. Some organizations also employ full- or part-time private security staff to attempt to protect their assets. These barriers provide the foundation upon which all other security initiatives are based, but the security must be designed carefully, as an attacker has to find only a single gap to gain access.

Walls may have been one of the first inventions of man. Once he learned to use natural obstacles such as mountains to separate him from his enemy, he next learned to build his own mountain for the same purpose. Hadrian's Wall in England, the Great Wall of China, and the Berlin Wall are all famous examples of such basic physical defenses. The walls of any building serve the same purpose, but on a smaller scale: they provide barriers to physical access to company assets. In the case of information assets, as a general rule the most valuable assets are contained on company servers. To protect the physical servers, you must look in all directions: doors and windows should be safeguarded and a minimum number of each should be used in a server room. Less obvious entry points should also be considered: Is a drop ceiling used in the server room? Do the interior walls extend to the actual roof, raised floors, or crawlspaces? Access to the server room should be limited to the people who need access, not to all employees of the organization. If you are going to use a wall to protect an asset, make sure no obvious holes appear in that wall.

Outside of the building's walls, many organizations prefer to have a perimeter fence as a physical first layer of defense. Chain-link type fencing is most commonly used, and it can be enhanced with barbed wire. Antiscale fencing, which looks like very tall vertical poles placed close together to form a fence, is used in high-security implementations that require additional scale and tamper resistance.

EXAM TIP All entry points to server rooms and wiring closets should be closely controlled and if possible have access logged through an access control system.

Guards provide an excellent security measure, because a visible guard has a direct responsibility for security. Other employees expect security guards to behave a certain way with regard to securing the facility. Guards typically monitor entrances and exits and can maintain access logs of who has visited and departed from the building. In many organizations everyone who passes through security as a visitor signs the log, which can be useful in tracing who was at what location and why.

Security personnel can be helpful in securing information assets, but proper protection must be provided. Security guards are typically not computer security experts, so they need to be educated about network security as well as physical security involving users. They are the company's eyes and ears for suspicious activity, so the network security department needs to train them to notice suspicious network activity as well. Multiple extensions ringing in sequence during the night, computers rebooting all at once, or strange people parked in the parking lot with laptop computers are all indicators of a network attack that might be missed.

Many traditional physical security tools such as access controls and CCTV camera systems are transitioning from closed hardwired systems to Ethernet- and IP-based systems. This transition opens up the devices to network attacks traditionally performed on computers. With physical security systems being implemented using the IP network, everyone in physical security must become smarter about network security.

Policies and Procedures

A policy's effectiveness depends on the culture of an organization, so all of the policies mentioned here should be followed up by functional procedures that are designed to implement them. Physical security policies and procedures relate to two distinct areas: those that affect the computers themselves and those that affect users.

To mitigate the risk to computers, physical security needs to be extended to the computers themselves. To combat the threat of bootdisks, the simplest answer is to remove or disable floppy drives from all desktop systems that do not require them. The continued advance of hard drive capacity has pushed file sizes beyond what floppies can typically hold. LANs with constant Internet connectivity have made network services the focus of how files are moved and distributed. These two factors have reduced floppy usage to the point where computer manufacturers are making floppy drives accessory options instead of standard features.

The second boot device to consider is the CD-ROM/DVD-ROM drive. This device can probably also be removed from or disabled on a number of machines. A DVD can not only be used as a boot device, but it can be exploited via the autorun feature that some operating systems support. Autorun was designed as a convenience for users, so that when a CD containing an application is inserted, the computer will instantly prompt for input versus having to explore the CD filesystem and find the executable file. Unfortunately, since the autorun file runs an executable, it can be programmed to do anything an attacker wants. If autorun is programmed maliciously, it could run an executable that installs malicious code that could allow an attacker to later gain remote control of the machine. Disabling autorun is an easy task: in Windows XP, you simply right-click the DVD drive icon and set all media types to No Action. This ability can also be disabled by Active Directory settings. Turning off the autorun feature is an easy step that improves security; however, disabling autorun is only half the solution. Since the optical drive can be used as a boot device, a CD loaded with its own operating system (called a LiveCD) could be used to boot the computer with malicious system code. This separate operating system will bypass any passwords on the host machine and can access locally stored files. Some users will undoubtedly insist on having DVD drives in their machines, but, if possible, the drives should be removed from every machine. If removal is not feasible, particularly on machines that require CD-ROM/DVD use, you can remove the optical drive from the boot sequence in the computer's BIOS. To prevent an attacker from editing the boot order, BIOS passwords should be set. These passwords should be unique to the machine and, if possible, complex, using multiple uppercase and lowercase characters as well as numerics. Considering how often these passwords will be used, it is a good idea to list them all in an encrypted file so that a master passphrase will provide access to them.

As mentioned, floppy drives are being eliminated from manufacturers' machines because of their limited usefulness, but new devices are being adopted in their place, such as USB devices. USB ports have greatly expanded users' ability to connect devices to their computers. USB ports automatically recognize a device plugging into the system and usually work without the user needing to add drivers or configure software. This has spawned a legion of USB devices, from MP3 players to CD burners. The most interesting of these, for security purposes, are the USB flash memory-based storage devices. USB drive keys, which are basically flash memory with a USB interface in a device typically about the size of your thumb, provide a way to move files easily from computer to computer. When plugged into a USB port, these devices automount and behave like any other drive attached to the computer. Their small size and relatively large capacity, coupled with instant read-write ability, present security problems. They can easily be used by an individual with malicious intent to conceal the removal of files or data from the building or to bring malicious files into the building and onto the company network. In addition, well-intentioned users could accidentally introduce malicious code from USB devices by using them on an infected home machine and then bringing the infected device to the office, allowing the malware to bypass perimeter protections and possibly infect the organization. If USB devices are allowed, aggressive virus scanning should be implemented throughout the organization. The devices can be disallowed via Active Directory settings or with a Windows registry key entry. They could also be disallowed by unloading and disabling the USB drivers from users' machines, which will stop all USB devices from working; however, doing this can create more trouble if users have USB keyboards and mice. Editing the registry key is probably the most effective solution for users who are not authorized to use these devices. Additionally, the road apple attack mentioned earlier can be especially effective with USB devices, and if not caught quickly by anti-malware programs, could infect multiple computers. This attack relies on social engineering to be successful, so users who have authorization for USB drives must be educated about the potential dangers of their use.

EXAM TIP USB devices can be used to inject malicious code onto any machine to which they are attached. They can be used to carry malicious code from machine to machine without using the network.

The outright theft of a computer is a simple physical attack. This attack can be mitigated in a number of ways, but the most effective method is to lock up equipment that contains important data. Insurance can cover the loss of the physical equipment, but this can do little to get a business up and running again quickly after a theft. Therefore, special access controls for server rooms, as well as simply locking the rack cabinets when maintenance is not being performed, are good ways to secure an area. From a data standpoint, mission-critical or high-value information should be stored on a server only. This can mitigate the risk of a desktop or laptop being stolen for the data it contains. Laptops are popular targets for thieves and should be locked inside a desk when not in use, or special computer lockdown cables can be used to secure them. If desktop towers are used, use computer desks that provide a space in which to lock the computer. In some cases valuable media will be stored in a safe designed for this purpose. All of these measures can improve the physical security of the computers themselves, but most of them can be defeated by attackers if users are not knowledgeable about the security program and do not follow it.

The rise in laptop thefts has spawned new applications that try to prevent access to the data, modeled on the remote wipe capabilities of smartphones. These new applications are remote deletion tools that will delete the hard drive contents if the computer becomes connected to the Internet. Other applications attempt to provide laptop location services or Internet-based tracing of where a stolen laptop has been. Currently the majority of these are software-based and easily disabled by a determined attacker; however, hardware manufacturers are beginning to offer these applications and are integrating them directly into the BIOS as well as the functions of the cell modem, allowing the remote deletion to work even when the computer is not connected to the Internet. The incorporation of security keys into an embedded TPM chip on the motherboard, and the subsequent use of these keys to encrypt/decrypt the hard drive, adds significant hurdles for adversaries attempting to obtain data or use a stolen device. Although there is no such thing as perfect security, the TPM platform has been shown to provide "good enough" security for almost any case.

Users are often mentioned as the "weakest link in the security chain," and that can also apply to physical security. Fortunately, in physical security, users are often one of the primary beneficiaries of the security itself. A security program protects a company's information assets, but it also protects the people of the organization. A good security program will provide tangible benefits to employees, helping them to support and reinforce the security program. Users need to be aware of security issues, and they need to be involved in security enforcement. A healthy company culture of security will go a long way toward assisting in this effort. If, for example, workers in the office notice a strange person visiting their work areas, they should challenge the individual's presence; this is especially important if visitor badges are required for entry to the facility. A policy of having a visible badge with the employee's photo on it also assists everyone in recognizing people who do not belong. Users should be briefed on the proper departments or personnel to contact when they suspect a security violation.

Users can perform one of the most simple, yet important, information security tasks: locking a workstation immediately before they step away from it. While a locking screensaver is a good policy, setting it to less than 15 minutes is often counter-productive to active use on the job. An attacker only needs to be lucky enough to catch a machine that has been left alone for a few minutes.

It is also important to know about workers typically overlooked in the organization. New hires should undergo a background check before being given access to network resources. This policy should also apply to all personnel who will have unescorted physical access to the facility, including janitorial and maintenance workers.

Access Controls and Monitoring

Access control means control of doors and entry points. The design and construction of all types of access control systems as well as the physical barriers to which they are most complementary are fully discussed in other texts. Here, we explore a few important points to help you safeguard the information infrastructure, especially where it meets with the physical access control system. This section talks about layered access systems, as well as electronic door control systems. It also discusses closed circuit television (CCTV) systems and the implications of different CCTV system types.

Locks have been discussed as a primary element of security. Although locks have been used for hundreds of years, their design has not changed much: a metal "token" is used to align pins in a mechanical device. As all mechanical devices have tolerances, it is possible to sneak through these tolerances by "picking" the lock. As we humans are always trying to build a better mousetrap, high-security locks have been designed to defeat attacks; these locks are more sophisticated than a standard home deadbolt system. Typically found in commercial applications that require high security, these locks are made to resist picking and drilling, as well as other common attacks such as simply pounding the lock through the door. Another common feature of high-security locks is key control. Key control refers to the restrictions placed on making a copy of the key. In most residential locks, a trip to the hardware store will allow you to make a copy of the key. Key control locks use patented keyways that can only be copied at a locksmith, and they keep records on authorized users of a particular key.

High-end lock security is more important now that attacks such as "bump keys" are well known and widely available. A bump key is a key cut with all notches to the maximum depth, also known as "all nines." This key uses a technique that has been around a long time, but has recently gained a lot of popularity. The key is inserted into the lock and then sharply struck, bouncing the lock pins up above the shear line and allowing the lock to open. High-security locks attempt to prevent this type of attack through various mechanical means such as nontraditional pin layout, sidebars, and even magnetic keys.

Layered access is an important concept in security. It is often mentioned in conversations about network security perimeters, but in this chapter it relates to the concept of physical security perimeters. To help prevent an attacker from gaining access to important assets, these assets should be placed inside multiple perimeters. Servers should be placed in a separate secure area, ideally with a separate authentication mechanism. For example, if an organization has an electronic door control system using contactless access cards, a combination of the card and a separate PIN code would be required to open the door to the server room. Access to the server room should be limited to staff with a legitimate need to work on the servers. To layer the protection, the area surrounding the server room should also be limited to people who need to work in that area.

Many organizations use electronic access control systems to control the opening of doors. The use of proximity readers and contactless access cards provides user information to the control panel. Doorways are electronically controlled via electronic door strikes and magnetic locks. These devices rely on an electronic signal from the control panel to release the mechanism that keeps the door closed. These devices are integrated into an access control system that controls and logs entry into all the doors connected to it, typically through the use of access tokens. Security is improved by having a centralized system that can instantly grant or refuse access based upon access lists and the reading of a token that is given to the user. This kind of system also logs user access, providing nonrepudiation of a specific user's presence in a controlled environment. The system will allow logging of personnel entry, auditing of personnel movements, and real-time monitoring of the access controls.

One caution about these kinds of systems is that they usually work with a software package that runs on a computer, and as such this computer should not be attached to the company network. While attaching it to the network can allow easy administration, the last thing you want is for an attacker to have control of the system that allows physical access to your facility. With this control, an attacker could input the ID of a badge that she owns, allowing full legitimate access to an area the system controls. Another problem with such a system is that it logs only the person who initially used the card to open the door, so no logs exist for doors that are propped open to allow others access, or of people "tailgating" through a door opened with a card. The implementation of a mantrap is one way to combat this weakness. A mantrap comprises two doors closely spaced that require the user to card through one and then the other sequentially. Mantraps make it nearly impossible to trail through a doorway undetected: if you happen to catch the first door, you will be trapped in by the second door.

Door systems, like many systems, have two design methodologies, fail-safe or fail-secure. While fail-safe is a common enough phrase to enter the lexicon, think about what it really means: being safe when a system fails. In the case of these electronic door systems, fail-safe means that the door is unlocked should power fail. Fail-secure means that the system will lock the door when power is lost. This can also apply when door systems are manually bypassed. It is important to know how each door will react to a system failure, not only for security but also for fire code compliance, as fail-secure is not allowed for certain doors in a building. A common term is fail-open, and these could be construed as fail-safe doors, for when failure occurs, they will be open. The terms fail-safe and fail-secure are used to prevent confusion on what is "open" during failure: the mechanism, or the door.

EXAM TIP A mantrap door arrangement can prevent unauthorized people from following authorized users through an access controlled door, which is also known as "tailgating."

CCTVs are similar to the door control systems: they can be very effective, but how they are implemented is an important consideration. The use of CCTV cameras for surveillance purposes dates back to at least 1961, when the London Transport train station installed cameras. The development of smaller camera components and lower costs has caused a boom in the CCTV industry since then. CCTV cameras are used to video monitor a workplace for security purposes. These systems are commonplace in places such as banks and jewelry stores, places with high-value merchandise that is attractive to thieves. As the expense of these systems dropped, they became practical for many more industry segments. Traditional cameras are analog based and require a video multiplexer to combine all the signals and make multiple views appear on a monitor. IP-based cameras are changing that, as most of them are standalone units viewable through a web browser. These IP-based systems add useful functionality, such as the ability to check on the building from the Internet. This network functionality, however, makes the cameras subject to normal IP-based network attacks. The last thing that anyone would want would be a DoS attack launched at the CCTV system just as a break-in was planned. For this reason, IP-based CCTV cameras should be placed on their own separate network that can be accessed only by security personnel. The same physical separation applies to any IP-based camera infrastructure. Older time-lapse tape recorders are slowly being replaced with digital video recorders. While the advance in technology is significant, be careful if and when these devices become IP-enabled, since they will become a security issue, just like everything else that touches the network. If you depend on the CCTV system to protect your organization's assets, carefully consider camera placement and the type of cameras used. Different iris types, focal lengths, and color or infrared capabilities are all options that make one camera superior to another in a specific location.

Environmental Controls

While the confidentiality of information is important, so is its availability. Sophisticated environmental controls are needed for current data centers. Electromagnetic interference (EMI) is also an environmental issue. Finally, fire suppression is an important consideration when dealing with information systems.

Controlling a data center's temperature and humidity is important to keeping servers running. Heating, ventilating, and air conditioning (HVAC) systems are critical for keeping data centers cool, because typical servers put out between 1000 and 2000 BTUs of heat. Enough servers in a confined area will create conditions too hot for the machines to continue to operate. This problem is made worse with the advent of blade-style computing systems and with many other devices shrinking in size. While they are physically smaller, they tend to still expel the same amount of heat. This is known as increased data center density: more servers and devices per rack, putting a greater load on the cooling systems. This encourages the use of a hot aisle/cold aisle layout. A data center that is arranged into hot and cold aisles dictates that all the intake fans on all equipment face the cold aisle, and the exhaust fans all face the opposite aisle. The HVAC system is then designed to push cool air underneath the raised floor and up through perforated tiles on the cold aisle. Hot air from the hot aisle is captured by return air ducts for the HVAC system. The use of this layout is designed to control airflow, with the purpose being never to mix the hot and cold air. This requires the use of blocking plates and side plates to close open rack slots. The benefits of this arrangement are that cooling is more efficient and can handle higher density.

The failure of HVAC systems for any reason is cause for concern. Rising copper prices have made HVAC systems the targets for thieves, and general vandalism can result in costly downtime. Properly securing these systems is important in helping prevent an attacker from performing a physical DoS attack on your servers.

Environmental monitoring, when it pertains to information technology, is the electronic tracking of temperature and humidity in the data center. The use of thermometers to measure temperature dates back to the seventeenth century. Everyone is familiar with the classic analog temperature reading provided by the red liquid and glass tube type of thermometer, but increasingly, measurement of temperature is electronic. Consumer-grade models are inexpensive and can receive readings from remote wireless transmitters. This allows readings from indoor and outdoor locations. More advanced units can track data on temperature, pressure, humidity, windspeed, rainfall, and a host of other data. Since data centers commonly have a lot of network infrastructure and are increasingly remotely controlled, it makes the most sense to add these environmental sensors to the network. Modern monitoring applications use an array of sensors to measure air flow, temperature, humidity, and pressure. Coupled with database software, the environmental conditions of the data center can be mapped over time to
allow for expansion planning and alerts when there is a problem. Part of this monitoring includes fire detection, which is also an essential complement to the fire suppression systems discussed in the next section. Detectors may be able to detect a fire in its very early stages, before a fire suppression system is activated, and sound a warning that potentially enables employees to address the fire before it becomes serious enough for the fire suppression equipment to kick in.

There are several different types of fire detectors. One type, of which there are two varieties, is activated by smoke. The two varieties of smoke detector are ionization and photoelectric. A photoelectric detector is good for potentially providing advance warning of a smoldering fire. This type of device monitors an internal beam of light. If something degrades the light, for example by obstructing it, the detector assumes it is something like smoke, and the alarm sounds. An ionization style of detector uses an ionization chamber and a small radioactive source to detect fast-burning fires. The chamber consists of two plates, one with a positive charge and one with a negative charge. Oxygen and nitrogen particles in the air become "ionized" (an ion is freed from the molecule). The freed ion, which has a negative charge, is attracted to the positive plate, and the remaining part of the molecule, now with a positive charge, is attracted to the negative plate. This movement of particles creates a very small electric current that the device measures. Smoke inhibits this process, and the detector will detect the resulting drop in current and sound an alarm. Both of these devices are often referred to generically as smoke detectors, and combinations of both varieties are possible.

Another type of fire detector is activated by heat. These devices also come in two varieties. Fixed-temperature or fixed-point devices activate if the temperature in the area ever exceeds some predefined level. Rate-of-rise or rate-of-increase temperature devices activate when there is a sudden increase in local temperature that may indicate the beginning stages of a fire. Rate-of-rise sensors can provide an earlier warning but are also responsible for more false warnings.

A third type of detector is flame activated. This type of device relies on the flames from the fire to provide a change in the infrared energy that can be detected. Flame-activated devices are generally more expensive than the other two types but can frequently detect a fire sooner.

Fire Suppression

According to the Fire Suppression Systems Association (www.fssa.net), 43 percent of businesses that close as a result of a significant fire never reopen. An additional 29 percent fail within three years of the event. The ability to respond to a fire quickly and effectively is thus critical to the long-term success of any organization. Addressing potential fire hazards and vulnerabilities has long been a concern of organizations in their risk analysis process.

Fire suppression systems should be specialized for the data center. Standard sprinkler-based systems are not optimal for data centers because water will ruin large electrical infrastructures and most integrated circuit–based devices—that is, computers. Water-based fire suppression systems have long been, and still are today, the primary tool to address and control structural fires. This is based on the simple fact that water is effective at fire suppression and, in most areas of the world, water is abundant. While you may not have a water-based sprinkler system in your infrastructure, if the blaze needs to be extinguished by firefighting personnel, they will be using water. Considering the amount of electrical equipment found in today's office environments and the fact that, for obvious reasons, this equipment does not react well to large applications of water, it is important to know what to do with equipment if it does become subjected to water. The 2009 NFPA 75:
Standard for the Protection of Information Technology Equipment outlines measures that can be taken to minimize the damage to electronic equipment exposed to water. This guidance includes these suggestions:

• Open cabinet doors, remove side panels and covers, and pull out chassis drawers to allow water to run out of equipment.
• Use compressed air at no higher than 50 psi to blow out trapped water.
• Use handheld dryers on the lowest setting to dry connectors, backplane, wirewraps, and printed circuit boards.
• Use cotton-tipped swabs for hard-to-reach places. Lightly dab the surfaces to remove residual moisture. Do not use cotton-tipped swabs on wirewrap terminals.
• Water-displacement aerosol sprays containing Freon-alcohol mixtures are effective as a first step in drying critical components. Follow up with professional restoration as soon as possible.
• Set up fans to move room-temperature air through the equipment for general drying. Move portable equipment to dry air-conditioned areas.

Even if these guidelines are followed, damage to the systems may have already occurred. Since water is so destructive to electronic equipment, not only because of the immediate problems of electronic shorts to the system, but also because of the longer-term corrosive damage water can cause, alternative fire suppression methods have been sought. Gas-based systems are a good alternative, though they also carry special concerns.

Halon was used for many years, and existing installations may still have it for fire suppression in data centers. A fire needs fuel, oxygen, and high temperatures for the chemical combustion to occur. If you remove any of these, the fire will not continue. Halon interferes with the chemical combustion present in a fire by displacing the oxygen present in the room. Even though halon production was banned in 1994, a number of these systems still exist today. They were originally popular because halon will mix quickly with the air in a room and will not cause harm to computer systems. Halon is also dangerous to humans, especially when subjected to extremely hot temperatures (such as might be found during a fire), when it can degrade into other toxic chemicals. As a result of these dangers, and also because halon has been linked with the issue of ozone depletion, halon is banned in new fire suppression systems. It is important to note that under the Environmental Protection Agency (EPA) rules that mandated no further production of halon, existing systems were not required to be destroyed. Replacing the halon in a discharged system, however, will be a problem, since only existing stockpiles of halon may be used and the cost is becoming prohibitive. For this reason, many organizations are switching to alternative solutions.

These alternatives are known as clean-agent fire suppression systems, since they not only provide fire suppression capabilities but also protect the contents of the room, including documents and electronic equipment. Examples of clean agents include carbon dioxide, argon, Inergen, and FM-200 (heptafluoropropane).

Carbon dioxide (CO2) has been used as a fire suppression agent for a long time. The Bell Telephone Company used portable CO2 extinguishers in the early part of the twentieth century. Carbon dioxide extinguishers attack all three necessary elements for a fire to occur. CO2 displaces oxygen so that the amount of oxygen remaining is insufficient to sustain the fire. It also provides some cooling in the fire zone and reduces the concentration of "gasified" fuel.

Argon extinguishes fire by lowering the oxygen concentration below the 15 percent level required for combustible items to burn. Argon systems are designed to reduce the oxygen content to about 12.5 percent, which is below the 15 percent needed for the fire but is still above the 10 percent required by the EPA for human safety.

Inergen, a product of Ansul Corporation, is composed of three gases: 52 percent nitrogen, 40 percent argon, and 8 percent carbon dioxide. In a manner similar to pure argon systems, Inergen systems reduce the level of oxygen to about 12.5 percent, which is sufficient for human safety but not sufficient to sustain a fire.

Another chemical used to phase out halon is FE-13, or trifluoromethane. This chemical was originally developed as a chemical refrigerant and works to suppress fires by inhibiting the combustion chain reaction. FE-13 is gaseous, leaves behind no residue that would harm equipment, and is considered safe to use in occupied areas. Other halocarbons are also approved for use in replacing halon systems, including FM-200 (heptafluoropropane), a chemical used as a propellant for asthma medication dispensers.

Electromagnetic interference (EMI) can plague any type of electronics, but the density of circuitry in the typical data center can make it a haven for EMI. EMI is defined as the disturbance on an electrical circuit caused by that circuit's reception of electromagnetic radiation. Magnetic radiation enters the circuit by induction, where magnetic waves create a charge on the circuit. The amount of sensitivity to this magnetic field depends on a number of factors, including the length of the circuit, which can act like an antenna. EMI is grouped into two general types, narrowband and broadband. Narrowband is, by its nature, electromagnetic energy with a small frequency band, and therefore is typically sourced from a device that is purposefully transmitting in the specified band. Broadband covers a wider array of frequencies, and is typically caused by some type of general electrical power use such as power lines or electric motors. In the United States, the Federal Communications Commission has responsibility for regulating products that produce EMI, and has a program for equipment manufacturers to adhere to standards for EMI immunity. Modern circuitry is designed to resist EMI. Cabling is a good example; the twist in unshielded twisted pair
or Category cable is there to prevent EMI. EMI is also controlled by the metal computer cases that are grounded; by providing an easy path to ground, the case acts as an EMI shield. A larger example would be a Faraday cage or Faraday shield, which is an enclosure of conductive material that is grounded. These can be room-sized or built into a building's construction; the critical element is that there is no significant gap in the enclosure material. These measures can help shield EMI, especially in high radio frequency environments. While we have talked about the shielding necessary to keep EMI radiation out of your circuitry, there is also technology to try and help keep it in. Known by some as TEMPEST, it is also known as Van Eck emissions. A computer's monitor or LCD display produces electromagnetic radiation that can be remotely observed with the correct equipment. TEMPEST was the code word for an NSA program to secure equipment from this type of eavesdropping. While some of the information about TEMPEST is still classified, there are guides on the Internet that describe protective measures, such as shielding and electromagnetic resistant enclosures. A company has even developed a commercial paint that offers radio frequency shielding.

Authentication

Authentication is the process by which a user proves that she is who she says she is. Authentication is performed to allow or deny a person access to a physical space. The heart of any access control system is to allow access to authorized users and to make sure access is denied to unauthorized people. Authentication is required because many companies have grown so large that not every employee knows every other employee, so it can be difficult to tell by sight who is supposed to be where. Electronic access control systems were spawned from the need to have more logging and control than provided by the older method of metallic keys. Most electronic systems currently use a token-based card that, if passed near a reader, and if you have permission from the system, will unlock the door strike and let you pass into the area. Newer technology attempts to make the authentication process easier and more secure. The following sections discuss how tokens and biometrics are being used for authentication. It also looks into how multiple-factor authentication can be used for physical access.

Access Tokens

Access tokens are defined as "something you have." An access token is a physical object that identifies specific access rights, and in authentication falls into the "something you have" factor. Your house key, for example, is a basic physical access token that allows you access into your home. Although keys have been used to unlock devices for centuries, they have several limitations. Keys are paired exclusively with a lock or a set of locks, and they are not easily changed. It is easy to add an authorized user by giving the user a copy of the key, but it is far more difficult to give that user selective access unless that specified area is already set up as a separate key. It is also difficult to take access away from a single key or key holder, which usually requires a rekey of the whole system.

In many businesses, physical access authentication has moved to contactless radio frequency cards and proximity readers. When passed near a card reader, the card sends out a code using radio waves. The reader picks up this code and transmits it to the control panel. The control panel checks the code against the reader from which it is being read and the type of access the card has in its database. The advantages of this kind of token-based system include the fact that any card can be deleted from the system without affecting any other card or the rest of the system. In addition, all doors connected to the system can be segmented in any form or fashion to create multiple access areas, with different permissions for each one. The tokens themselves can also be grouped in multiple ways to provide different access levels to different groups of people. All of the access levels or segmentation of doors can be modified quickly and easily if building space is retasked.

Newer technologies are adding capabilities to the standard token-based systems. The advent of smart cards (cards that contain integrated circuits) has enabled cryptographic types of authentication. Smart card technology has proven reliable enough that it is now part of a governmental standard for physical and logical authentication. Known as Personal Identity Verification (PIV) cards, they adhere to the FIPS 201 standard. This smart card includes a cryptographic chip and connector, as well as a contactless proximity card circuit. It also has standards for a printed photo and name printing on the front. Biometric data can be stored on the card, providing an additional authentication factor, and if the PIV standard is followed, several forms of identification are needed to get a card.

The primary drawback of token-based authentication is that only the token is being authenticated. Therefore, the theft of the token could grant anyone who possessed the token access to what the system protects. The risk of theft of the token can be offset by the use of multiple-factor authentication. One of the ways that people have tried to achieve multiple-factor authentication is to add a biometric factor to the system.

Biometrics

Biometrics use the measurements of certain biological factors to identify one specific person from others. These factors are based on parts of the human body that are unique. The most well-known of these unique biological factors is the fingerprint. However, many others can be used—for instance, the retina or iris of the eye, the geometry of the hand, and the geometry of the face. When these are used for authentication, there is a two-part process, enrollment and then authentication. During enrollment, a computer takes the image of
the biological factor and reduces it to a numeric value. When the user attempts to authenticate, this feature is scanned by the reader, and the computer compares the numeric value being read to the one stored in the database. If they match, access is allowed. Since these physical factors are unique, theoretically only the actual authorized person would be allowed access. In the real world, however, the theory behind biometrics breaks down. Tokens that have a digital code work very well because everything remains in the digital realm. A computer checks your code, such as 123, against the database; if the computer finds 123 and that number has access, the computer opens the door. Biometrics, however, take an analog signal, such as a fingerprint or a face, and attempt to digitize it, and it is then matched against the digits in the database. The problem with an analog signal is that it might not encode the exact same way twice. For example, if you came to work with a bandage on your chin, would the face-based biometrics grant you access or deny it?
Engineers who designed these systems understood that if a system was set to exact checking, an encoded biometric might never grant access since it might never scan the biometric exactly the same way twice. Therefore, most systems have tried to allow a certain amount of error in the scan, while not allowing too much. This leads to the concepts of false positives and false negatives. A false positive occurs when a biometric is scanned and allows access to someone who is not authorized—for example, two people who have very similar fingerprints might be recognized as the same person by the computer, which grants access to the wrong person. A false negative occurs when the system denies access to someone who is actually authorized—for example, a user at the hand geometry scanner forgot to wear a ring he usually wears and the computer doesn't recognize his hand and denies him access. For biometric authentication to work properly, and also be trusted, it must minimize the existence of both false positives and false negatives. To do that, a balance between exacting and error must be created so that the machines allow a little physical variance—but not too much.

Figure 7-1 Overlapping probabilities (probability distributions)

Figure 7-2 False positive

When a decision is made on information and an associated range of probabilities, the conditions exist for a false decision. Figure 7-1 illustrates two overlapping probabilities; an item belongs to either the red curve or the blue curve, but not both. The problem in deciding which curve an item belongs to occurs when the curves overlap. When there is an overlapping area, it is typically referred to as the false positive and false negative rate. Note that in the accompanying figures, the size of the overlap is greatly exaggerated to make it easy to see. Figure 7-2 illustrates a false positive detection. If the value observed is the dotted line, then it could be considered either a match or a nonmatch. If in fact it should not match, and the system tags it as a match, it is a false positive. In biometrics, a false positive would allow access to an unauthorized party. Figure 7-3 illustrates a false negative detection. If the value observed is the dotted line, then it could be considered either a match or a nonmatch. If in fact it should match, and the system tags it as a nonmatch, it is a false negative. A false negative would prevent an authorized user from obtaining access. To solve the false positive and false negative issue, the probabilistic engine must produce two sets of curves that do not overlap. This is equivalent to very low,
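To see how the overlap in Figures 7-1 through 7-3 turns into measurable error rates, here is an added example (not from the book) that builds two assumed similarity-score distributions, sweeps the acceptance threshold (the dotted line), and reports the false positive and false negative rates at each setting; the score model, sample size and threshold range are all assumptions chosen to make the overlap visible.

```python
"""Added example (not from the book): the biometric threshold trade-off.

A matcher reduces each scan to a number and compares it with the enrolled
template, yielding a similarity score. Genuine attempts cluster high and
impostor attempts cluster low, but the two populations overlap (the red and
blue curves of Figures 7-1 to 7-3). The acceptance threshold is the dotted
line: any score at or above it is tagged a match. The part of the impostor
curve above the line is the false positive rate, the part of the genuine
curve below it is the false negative rate, and moving the line only trades
one for the other. The score model below is an assumption, not measured data.
"""
from statistics import NormalDist

# Assumed score model: similarity in [0, 100]; genuine users centred on 75,
# impostors on 45, both with standard deviation 10 so that the tails overlap.
GENUINE = NormalDist(mu=75, sigma=10)
IMPOSTOR = NormalDist(mu=45, sigma=10)


def constructed_scores(dist, n=200):
    """Deterministic stand-in for n observed attempts: the distribution's
    quantiles at evenly spaced probabilities (no random numbers involved)."""
    return [dist.inv_cdf((i + 0.5) / n) for i in range(n)]


def is_match(score, threshold):
    """The panel's decision: a tolerance test, not an exact comparison."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """Observed (false positive rate, false negative rate) at a threshold.

    False positive: an impostor score lands above the line and is admitted.
    False negative: a genuine score lands below the line and is refused.
    """
    fp = sum(1 for s in impostor if is_match(s, threshold))
    fn = sum(1 for s in genuine if not is_match(s, threshold))
    return fp / len(impostor), fn / len(genuine)


def analytic_rates(mu_g, sd_g, mu_i, sd_i, threshold):
    """The same two rates read straight off normal curves with the given
    means and spreads: each is the area of the tail that crosses the
    threshold into the other population's side."""
    fpr = 1.0 - NormalDist(mu=mu_i, sigma=sd_i).cdf(threshold)
    fnr = NormalDist(mu=mu_g, sigma=sd_g).cdf(threshold)
    return fpr, fnr


def equal_error_threshold(genuine, impostor):
    """Sweep integer thresholds and return (threshold, fpr, fnr) at the point
    where the two rates are closest. Raising the line above this point buys
    fewer false positives at the price of more refused authorized users."""
    best = None
    for t in range(0, 101):
        fpr, fnr = error_rates(genuine, impostor, t)
        if best is None or abs(fpr - fnr) < abs(best[1] - best[2]):
            best = (t, fpr, fnr)
    return best


if __name__ == "__main__":
    g, i = constructed_scores(GENUINE), constructed_scores(IMPOSTOR)
    for t in (50, 60, 70):
        fpr, fnr = error_rates(g, i, t)
        print(f"threshold {t:3d}: FPR={fpr:.3f}  FNR={fnr:.3f}")
    print("equal error point:", equal_error_threshold(g, i))
    # Narrow the curves and the overlap disappears, taking both error rates
    # with it: the 'two sets of curves that do not overlap' case in the text.
    print("no overlap:", analytic_rates(75, 3, 45, 3, 60))
```

With the assumed model the two rates cross at a threshold of 60 (about 6.5 percent each); pushing the line to 70 drops false positives to half a percent but refuses roughly a third of genuine attempts, which is the false negative cost the text describes.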

Posted: 18/04/2019, 13:45
