Ethical Hacking and Countermeasures v6 module 21 physical security


Ethical Hacking and Countermeasures v6 Exam 312-50 Certified Ethical Hacker Physical Security Module XXI
Ethical Hacking and Countermeasures v6 Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Real World Scenario

Michael, a practicing computer security consultant, was asked to do a physical security test by the Chief of a well-known database firm. Their database was considered to have a major competitive edge. They believed their systems were secure, but wanted to be sure of it. Michael went to the firm on the pretext of meeting its Chief. Before entering the lobby, Michael had driven around the building and checked for loopholes in the physical security, where he could easily slip into the building.

He walked to the loading bays, up the stairs, and proceeded through the warehouse, to what was an obvious entrance into the office building. Michael also knew of the location of the computer room. He took the elevator down, and entered the room, which was secured with cipher locks and access cards. He went straight to the tape racks. There, he studied the racks, as if looking for specific information. He grabbed a tape with an identifier that looked something like ACCT95QTR1. The entire process lasted no more than 15 minutes. During that time, Michael breached their physical security by entering the building and taking a tape.

Source: www.miora.com/articles/awareness.htm

Michael is a practicing computer security consultant. A well-known firm was believed to have one of the largest databases of information about a certain topic. That database was considered the firm’s major competitive edge. The people in the firm believed their systems were secure, but still asked Michael to perform a security assessment, just to be sure.

On the first day of the assessment, Michael walked into the lobby and announced that he was there to see Jack. The guard doubled as the receptionist. He phoned Jack to announce Michael’s presence and asked Jack to come and get Michael. Company policy did not allow visitors to be unattended.

Before entering the lobby, Michael had driven around the building. He noticed that the parking lot encircled the building completely, and that the loading bays in the rear of the building were quite busy. He told the guard he had forgotten something in his car, and would return shortly. He walked to the loading bays, walked up the stairs, and proceeded to give everybody and everything the once-over. Dressed in a suit, it looked like he was on an inspection tour, and no one challenged his presence. He even stopped to chat with a few employees.

Then he walked through the warehouse to what was an obvious entrance to the office area. He walked purposefully, yet not too quickly. The door could be accessed via a key card that Michael did not have. When someone entered the warehouse from the office area, Michael walked towards the door, and the employee, who had swiped his access card, politely held the door for Michael.

Michael knew the location of the computer room. He took the elevator down. There was the computer room, with cipher locks and access cards guarding every entrance. As he walked towards the door, another polite employee held the door for him. Michael nodded and entered. He went straight to the tape racks. There, he studied the racks, as if looking for specific information. He grabbed a tape with an identifier that looked something like ACCT95QTR1. He tucked the tape under his arm, exited the room, and took the elevator to the second floor. There, looking lost and confused, he asked someone for the location of Jack's office. They said his office was exactly where he was, but one floor up. He went there, sat in Jack’s office, and waited.

A few minutes later, Jack walked into his office and saw Michael. They had never met, but he knew who Michael was. The entire escapade lasted no more than 15 minutes. In that time, Michael had breached their physical security by entering the building and taking a tape. He also could have used Jack's computer to browse their internal network, since he had left the computer logged on with no screen saver. The tape that Michael had in his hand was obviously an accounting tape, containing information for the first quarter of the year.

Not all evaluations begin this way, but most organizations have vulnerabilities as obvious as this one. If it isn't a physical security problem, it is a logical one or a security management problem.

News

Source: http://www.bdafrica.com/

The business community of Kenya has decided to make major modifications to its security model because of increased looting and damage to property during the post-poll violence. Security companies and the business community said that the new models include security measures to secure business premises and new technologies to monitor them. Ken Wood, the managing director of GS4, said that premises access controls in Kenya are very “weak”, which allows unwanted people to enter business premises. He also said that companies should set up more effective, high-quality closed-circuit cameras (CCTVs).

The Nairobi Central Business District Association (NCBDA) is also installing CCTV cameras along the city streets to prevent crime. The chief executive officer of the NCBDA, Wangui Muchiri, said that crimes have reduced to zero percent in areas where cameras have been installed. The association intends to appoint all partners, including security companies and police, to install CCTV cameras in the city. In Johannesburg, South Africa, crimes have reduced 60% due to the installation of CCTV cameras.

Module Objective

Physical security is as important as network security. Until now, most firms seem to have concentrated more on network security, overlooking the loopholes in the physical security of the organization’s environment. There has been an increase in laptop thefts across the globe. The importance of securing computing assets physically cannot be overemphasized. The importance of physical security must be communicated to employees through appropriate security policies. This is necessary to avoid any data tampering or unauthorized access to the systems. This module will look into the details of physical security and advocate measures to strengthen it.

This module will familiarize you with:
• Security Statistics
• Physical security
• Need for physical security
• Factors affecting physical security
• Physical Security checklist
• Locks
• Wireless Security
• Laptop Thefts
• Mantrap
• Challenges in Ensuring Physical Security
• Spyware Technologies
• Countermeasures

Module Flow (diagram): Security Statistics; Need For Physical Security; Factors Affecting Physical Security; Physical Security; Wireless Security; Physical Security Checklist; Locks; Mantrap; Countermeasures; Spyware Technologies; Laptop Thefts; Challenges in Ensuring Physical Security

Security Facts

Source: http://www.aga.org/

Computer theft incidents, especially of laptops and notebooks, have been on the rise. This has been largely attributed to a lack of physical security. Users need to be concerned about their responsibility in securing assets physically. Hardware and software security precautions complement each other in keeping a hacker at bay. The software installed on a stolen laptop can be hacked to gain unauthorized access.

The following statistics from a survey carried out on some major companies illustrate the state of current physical security measures implemented across the industry:
• Receive alarm communications - 28%
• Access control technology with identification cards - 90%
• Companies require visitors to wear a badge or pass that identifies them as a visitor - 93%
• Explosion detection devices - 9%
• Emergency telephones in parking areas - 9%
• Police officers for security - 56%
• Companies use metal detectors to screen employees and visitors - 7%

News

Source: http://searchstorage.techtarget.com

Even after the major incident of the lost backup tapes and other security breaches in the last year, the Internal Revenue Service (IRS) was transmitting its private information on unencrypted tapes until last fall. The IRS informed SearchStorage.com that its tax database was copied and distributed to the state agencies on unencrypted tapes before 30, 2007. The IRS had formal guidelines for agencies to place the tapes behind three layers of physical security, such as inside a locked box, and to restrict access to "need-to-know" personnel.

The IRS announced that it is now using a secure FTP site to send federal tax information rather than tapes. The IRS's 106-page official tax information security guidelines for state agencies state: “Agency employees will return information to the office which is obtained or will make the information undisclosable”. According to the IRS guidelines, “Agency which returns IRS information should use the receipt procedure and should protect the confidentiality during the transport.”

Understanding Physical Security

• Physical security describes the measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media
• Physical security is an important factor of computer security
• Major security actions involved in physical security are intended to protect the computer from climate conditions, even though most of them are targeted at protecting the computer from intruders who use, or attempt to use, physical access to the computer to break into it

As long as man has had something important to protect, he has found various methods of protecting it. Egyptians were the first to develop a working lock. To understand physical security, one needs to classify information and assets according to their sensitivity and importance to the organization. Why do people keep important documents, ornaments, jewelry or even certificates in a bank’s vault? The need of the hour is safety. Everyone wants his/her things to be safe, so why fall behind in securing the workplace?

With increasing workloads, employees tend to spend more time at the office. Many employees like to personalize their space and systems to make them feel more “at home.” While these enhancements can have a positive psychological effect, they can sometimes be a roadblock to the company’s security.

The following points need to be considered for physical security:
• Prevent attackers from gaining access to data stored in computers
• Physical security is an added layer to computer network security
• Physical security intends to protect the computer not only from climatic conditions, but more commonly, from intruders who use or attempt to use physical force to break into computers

Physical Security

Physical security describes measures taken to protect personnel, critical assets, and systems against deliberate and accidental threats. Physical security measures can be:
• Physical: Physical measures are taken to secure assets, e.g. deploying security personnel
• Technical: Technical measures are taken to secure services and elements that support Information Technologies, e.g. security for server rooms
• Operational: Common security measures are taken before performing an operation, such as analyzing threats of an activity and taking appropriate countermeasures

Physical security includes the measures to protect personnel, critical assets, and systems against deliberate attacks and accidents. It intends to prevent unauthorized access to information and other assets of a company. Physical security includes:
• Physical Measures:
  o Deploying security personnel for providing security to physical structures
  o Installation of access control systems
  o Intruder detection systems
  o Sensors
  o Fences
  o Biometrics
  o CCTV
  o Manual checking, fencing of premises, etc.
• Technical Measures:
  o Disabling removable media drives, etc.
  o Use of access cards at entry and exit points
  o Use of pass codes to access system resources
• Operational Measures:
  o Identifying possible threats
  o Analyzing threats
  o Risk assessment, etc.

Physical security measures vary according to needs and circumstances and depend on the cost of what is being protected. A prudent mix of physical, technical, and operational measures helps in ensuring sufficient physical security.

Date posted: 26/12/2013, 20:36
