Chapter 17: Physical Security Flashcards
Physical security is often overlooked
One of the most basic and best controls to protect physical interaction is PASSWORDS
90% of users use dictionary words or proper names
47% use their own name or pet’s name
Ways to protect your system with a password:
USE PW ON SCREENSAVER
LOCK COMPUTER AFTER CERTAIN AMOUNT OF TIME
WARNING BANNERS //high-profile msg appears stating user of a system is held accountable for their actions and they may be monitored
Second physical security issue: THEFT
In particular: Hard drives such as USBs or FireWires
One way to secure these devices is through ENCRYPTION
Tools: PGP (pretty good privacy), TrueCrypt, Microsoft BitLocker
POD SLURPING //using a portable storage device to steal data quickly
Con of Drive Encryption //decrease in system performance
Techniques to stop dumpster diving (of CDs, DVDs, drives, etc.)
DRIVE WIPING
ZEROIZATION
DEGAUSSING
DRIVE WIPING //act of overwriting all information on the drive (typically several times, e.g. DoD 5200.28-STD); the drive can be reused
ZEROIZATION //associated with cryptography; mechanical cryptographic devices would reset to 0 to prevent anyone from recovering the key; overwrites the data with ZEROES
DEGAUSSING //permanently destroys contents of hard drive or magnetic media; a POWERFUL MAGNET uses field strength to penetrate the media and reverse the polarity of the magnetic particles (cannot be reused)
The only method more secure is physical destruction
Consider the following physical structures when Site Surveying
Fences //how high the fence looks can psychologically deter an intruder
Gates
Doors and Mantraps (or portals) //strong doors or locks for important rooms such as the server room; the frames and the hinges are also important //Mantraps are phone-booth-sized objects with a door on either side and only enough space to hold one occupant, where a code must be entered to pass visual screening
Locks //include two types: Mechanical (ward and pin and tumbler) or Cipher locks (smart)
Walls, Ceilings, Floors //should be sturdy
FALSE ceilings are not good which is where a wall goes up to a DROP ceiling but not to the roof of a building
Ceiling-mounted air ducts should be smaller than the allowance for a person to crawl in
For floors, some floors are raised meaning there exists space underneath it (listening devices can be placed)
BOLLARDS can be used to stop vehicles from backing into a building, hitting the window, and allowing intruder in
Windows //tinted, shatterproof helps; sensors
Basic components used to pick locks are:
TENSION WRENCHES //small, angled, flathead screwdrivers
PICKS //similar to dentist picks
Technique for picking is called
SCRAPING //tension held on lock by tension wrench while pins are scraped quickly; Pins are then placed in mechanical bind and stuck in the unlocked position
Forms of Authentication:
Contactless cards //run by RFID
BIOMETRICS //physiological characteristic unique to individual
Accuracy of these is measured by the % they produce of two types of errors
FRR (false rejection rate/type 1 error) //measurement of % of individuals who should have gotten in but were not allowed
FAR (false acceptance rate/type 2 error) //gained access but shouldn’t have
Forms of Biometrics include:
Finger Scan //finger print
Hand Geometry Systems //finger and hand print
Palm Scan //creases and ridges
Retina Pattern Systems
Iris Recognition //blood vessels in back of eye
Voice Recognition
Keyboard Dynamics //analyzes user’s speed and pattern of typing
Types of windows
Standard //lowest level of protection
Polycarbonate Acrylic //superior protection
Wire Reinforced //shatterproof
Laminated //like automobile, laminate is added between layers of glass to increase strength and decrease shatter potential
Solar Film //moderate level of security and decreases shatter
Security Film //transparent film to increase strength in case of breakage or explosion
Defense in Depth
delay attacker rather than prevent an attack
Layer controls; for physical security, minimum of 3 layers
First line of defense is the BUILDING PERIMETER: fences, gates, bollards
2nd layer is BUILDING EXTERIOR: roof, walls, floor, doors, ceilings, windows
3rd layer is INTERIOR CONTROLS: locks, safes, containers, cabinets, interior lighting, policies and procedures placed on computers
Which of the following is a detective control when not used in real time?
a//fences
b//alarms
c//cctv
d//locks
c//alarms, they detect and react but do not prevent attackers
For a fence to deter a determined intruder, it should be at least how many feet tall?
a//4
b//5
c//6
d//10
c//6
During an assessment you discovered that the target company was using a fax machine. Which of the following is the least important?
a//the phone # is publicly available
b//fax machine is in an open, unsecured area
c//faxes frequently sit in the printer tray
d//the fax machine uses a ribbon
A. A publicly available phone number is not a security risk in many cases as the machine may be one that can be sent information from anywhere.