Domain 3 Flashcards
Security Design
Security must be incorporated and addressed from the initial planning and design phases through disposal of the system.
- Without proper attention to security, an organization’s information technology can become a source of significant risk.
- With careful planning from the earliest stages, however, security becomes an enabler to achieve the organization’s mission.
NIST SP 800-160
Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
SP 800-160 addresses the engineering-driven actions necessary to develop more defensible and survivable systems, including the components that compose those systems and the services that depend on them.
DevOps
The DevOps development methodology is built on the premise that collaboration between developers and the operations team is essential.
Secure DevOps
Instead of security operating as an isolated discipline, Secure DevOps aims to integrate security into the development process from inception.
- The Secure DevOps approach enables developers to learn more about how the software they are developing can be exploited.
- Secure DevOps proactively focuses on survivability by providing reliable software with a reduced attack surface.
Business Alignment
Business Alignment mandates that secure design principles are supported throughout the entire organization and incorporate various viewpoints.
Business Alignment Frameworks
- Zachman Framework
- Sherwood Applied Business Security Architecture (SABSA)
Zachman Framework
The Zachman Framework provides a context for understanding a complex environment by intersecting views and viewpoints.
- Views: What, how, where, who, and when.
- Viewpoints: developer, systems engineer, security officer, application administrator, and end user.
Sherwood Applied Business Security Architecture (SABSA)
The Sherwood Applied Business Security Architecture (SABSA) provides a context for understanding a complex environment by intersecting views and life-cycle layers.
- Views: What, why, how, where, who, and when.
- Life-cycle Layers: Contextual, conceptual, logical, physical, component, and operational.
Information Security Models
Information Security Models focus on interactions and provide structure and rules to be followed to accomplish a specific objective (e.g. confidentiality, integrity, and availability).
Foundational Information Security Models
Foundational (lower-level) models include State Machine, Non-Interference, and Information Flow.
Relationship Information Security Models
Relationship (higher-level) models include Bell-LaPadula, Biba, Clark-Wilson, Harrison-Ruzzo-Ullman (HRU), and Brewer-Nash.
Relationship security models address the interaction between subjects and objects.
State Machine Model
Conceptual model that ensures that no matter what activity is taking place within a system, it is always trustworthy.
Non-Interference Model (multilevel)
Whatever happens at one security level does not directly or indirectly affect the security environment of other levels.
Information Flow model (multilevel)
Information will flow only in ways that do not violate the security policy of the system.
Subjects
Subjects are active entities, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state.
Objects
Objects are passive entities that contain or receive information or instructions.
Bell-LaPadula
The goal of the Bell-LaPadula model is confidentiality.
- Simple (read) confidentiality rule: A subject cannot read data at a higher security level (no read up), as secrets may be revealed to them.
- Star (*) (write) confidentiality rule: A subject cannot write information to a lower security level (no write down), as secrets may be revealed to others.
Biba
The goal of the Biba model is integrity.
- Simple (read) integrity rule: A subject cannot read data at a lower security level (no read down) as they might be misled.
- Star (*) (write) integrity rule: A subject cannot write information to a higher security level (no write up), as they might mislead others.
Clark-Wilson
The goal of the Clark-Wilson model is data integrity.
- Prevent unauthorized users from making modifications.
- Prevent authorized users from making improper modifications.
- Maintain internal and external consistency.
Clark-Wilson (Access Triple)
The Clark-Wilson model uses a three-part relationship (subject/program/object) known as the access control triple.
Well-formed transactions ensure that a user cannot alter data arbitrarily. Instead, data can be altered only in a specified way in order to preserve its internal consistency (access triple).
- Users cannot access and manipulate objects directly but must access information through a program.
Harrison-Ruzzo-Ullman Model (HRU)
The goal of the Harrison-Ruzzo-Ullman (HRU) model is integrity.
- A finite set of operations can be performed on an object to ensure integrity.
- Enforced by access permissions.
Brewer-Nash (Chinese Wall)
Brewer-Nash is a context-oriented commercial model designed to defend against conflict of interest.
- Access controls change dynamically depending upon a user’s previous actions.
Trusted System
A Trusted System has undergone sufficient benchmark testing, verification, and validation (by an independent third party) to ensure that the product meets the user requirements.
Functionality
Functionality is verification that a security control exists and that it works correctly at least once.
Assurance
Assurance is the degree of confidence that the system will act in a correct and predictable manner in every computing situation (trustworthy computing).
Security Evaluation Objectives
A security evaluation process assesses products against defined security requirements in a consistent and repeatable manner. Third-party labs rely on standard evaluation criteria.
TCSEC
Developed in 1983, the Trusted Computer System Evaluation Criteria (TCSEC) was used to evaluate, classify, and select systems for the DoD based upon confidentiality requirements. Superseded by the Common Criteria.
Originally published as the “Orange Book”. Expanded to 20+ books known as the Rainbow Series.
ITSEC
Developed in 1991 by a consortium of European nations, IT Security Evaluation Criteria (ITSEC) is used to evaluate the functionality and assurance of a computer system based upon a vendor-defined set of requirements.
Functionality and assurance are evaluated independently and separately.
Common Criteria
Developed in 1993 by the ISO, the Common Criteria provides a universal structure and language for expressing product and system requirements. The Common Criteria evaluates products against a protection profile, and results are published.
- Common Criteria ratings categories are functional and assurance.
Protection Profile
A protection profile is a specific set of functional and assurance requirements for a category of products. A protection profile can be written by several different groups including vendors, customers, and accreditation agencies.
Security Target
A Security Target is written by a product vendor or developer and explains the specifications of the product, including functionality and assurance requirements.
Target of Evaluation (TOE)
The Target of Evaluation (TOE) is the product or system that will be rated.
Certification
Certification is the process of evaluation, testing, and examining security controls. The evaluation compares the current system’s security posture with specific standards.
Accreditation
Accreditation is the process of an authority (management) granting approval to operate a system for a specified period of time with the understanding of the residual risks identified during the certification.
Trusted Computing Base
Trusted Computing Base is the combination of all the security mechanisms within a computer including hardware, software, and firmware.
BIOS
BIOS (Basic Input Output System) is non-volatile firmware used to perform hardware initialization during the booting process, and to provide run-time services for operating systems and programs.
UEFI
Unified Extensible Firmware Interface (UEFI) is an open standard interface layer between the firmware and the operating system that requires firmware updates to be digitally signed.
- Designed as a replacement for traditional PC BIOS.
- Additional functionality includes support for Secure Boot, network authentication, and universal graphics drivers.
- Protects against BIOS malware attacks including rootkits.
Secure Boot Attestation
Secure Boot Attestation requires that all boot loader components (e.g. OS kernel, drivers) attest to their identity (digital signature), and the attestation is compared to the trusted list.
TPM
A Trusted Platform Module (TPM) is a special hardware chip installed on a computer’s motherboard that is responsible for protecting passwords, symmetric and asymmetric keys, hashes, and digital certificates that are specific to that system hardware.
- The chip contains an RSA key used for encryption and authentication.
- TPMs are compatible with most operating systems.
HSM
A Hardware Security Module (HSM) is a physical device whose function is secure cryptoprocessing.
- HSMs take the form of adapter cards, USB devices, or appliances.
- Fast, scalable, and expensive.
CPU Protection Rings
CPU Protection Rings are conceptual boundaries that control how processes are executed. A process is a set of instructions and assigned resources.
- Each process has a PID (Process ID) and a level of trust (ring number) assigned to it.
- The level of trust determines the level of access to system resources, drivers, and data.
CPU Protection Rings Levels
- Ring 0: OS Kernel and device Drivers.
- Ring 1: Operating System.
- Ring 2: OS Utilities.
- Ring 3: Applications.
Process
Set of CPU instructions and assigned resources.
Centralized Systems
In a centralized computing environment, processing occurs within a mainframe or terminal host, and clients (terminals, thin clients) are limited to simple interaction and emulation.
- Security advantage: controls can be implemented and tightly controlled.
- Security disadvantage: configuration errors and unaddressed vulnerabilities can impact all client systems.
Client | Server Environments
In a heterogeneous client-server environment, processing is distributed and there is an inherent trust, which makes every endpoint a potential target and every connection a potential conduit.
Security Considerations:
- Privileged use.
- Outdated operating systems and applications.
- Malware distribution.
- Unauthorized remote access.
Distributed Systems
In a distributed system environment, there is no central authority.
Security Considerations:
- Each node is responsible for its own security.
- Distributed ownership and management.
- Local data stores.
- Peer-to-Peer (P2P) access.
- Malware Distribution.
Large-scale Parallel Systems
Large-scale Parallel Systems are disparate systems working in concert. Examples include cluster computing, grid computing, and cloud computing. Security Considerations:
- Distributed ownership and management.
- Dependencies (SPOF).
- Force multiplier effect (dramatically increased efficiency and/or capability).
- Big data aggregation.
Grid Computing
Grid Computing is the sharing of CPU and other resources across a network in a way that all machines function as one large computer. Grid participants can be heterogeneous and multitasking. Security Considerations:
- Transmission between nodes.
- Authentication controls.
- Activity isolation.
Industrial Control Systems (ICS)
Industrial Control Systems (ICS) are computer-based systems that monitor and control industrial processes that exist in the physical world. ICS are either data-driven or operated remotely.
Well-known industrial control systems include:
- Distributed control systems (DCS).
- Programmable logic controllers (PLC).
- Supervisory control and data acquisition (SCADA).
SCADA
SCADA usually refers to centralized systems which monitor and control entire sites, or complexes of systems spread out over large areas (e.g. electrical grid, oil and gas pipelines). Security Considerations:
- Weak Authentication.
- Use of outdated OS.
- Inability to patch systems.
- Unauthorized remote access.
Cloud Computing
Cloud Computing is a model for enabling ubiquitous, convenient, on-demand, network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cloud Computing Service Models
- SaaS
- PaaS
- IaaS
Cloud Computing Deployment Models
- Private Cloud
- Community Cloud
- Public Cloud
- Hybrid Cloud
Public Cloud
Provisioned for public use. Considerations:
- Location
- Multi-tenancy.
Community cloud
Provisioned for the exclusive use by a well-defined group. Considerations:
- Multi-tenancy
Private Cloud
Provisioned for the exclusive use of a single organization. Considerations:
- Scalability.
Hybrid Cloud
The public and private cloud infrastructures communicate over an encrypted connection, using technology that allows for the portability of data and applications.
Cloud Access Security Brokers
Cloud Access Security Brokers (CASBs) are security policy points (software or appliance) placed between ‘the cloud’ and enterprise users.
- Security policies are interjected as cloud-based resources are accessed, for example authentication, encryption, visibility, and DLP.
Security as a Service (SecaaS)
Security as a Service (SecaaS) is the delivery of managed security services for public, private, and hybrid cloud environments.
- SecaaS relieves the burden of relying on the SaaS, PaaS, or IaaS vendor for security protection and enforcement.
- Services include encryption, activity monitoring, DLP, malware detection, filtering, firewall, policy enforcement, email security, intrusion detection, authentication, and more.
Injection Attack
Tricking an application into including unintended commands in the data sent to an interpreter (e.g. OS, LDAP, SQL).
- Flaw: Improper input/output validation.
- Impact: Can result in unauthorized access, data exfiltration, and data corruption.
- Mitigation: Use of a ‘safe’ API; positive (‘whitelist’) input/output validation.
Broken Authentication
The attacker uses flaws in the authentication or session management functions to impersonate users. Privileged accounts are frequently targeted.
Bluejacking
Bluejacking is injecting an unsolicited message.
Bluesnarfing
Bluesnarfing is unauthorized device pairing.
Blueborne
Blueborne exploits protocol weaknesses to take over the device.
Embedded Systems Defined
An embedded system is an electronic product that contains a microprocessor and software designed to perform a specific task. An embedded system can either be fixed or programmable.
- The devices are designed for functionality and convenience - not security.
Embedded System Components
- System on a chip (SoC)
- Real-time OS (RTOS)
- App
Internet of Things (IoT)
“The internet of things is the network of physical objects or ‘things’ embedded with electronics, software, sensors, and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator, and/or other connected devices. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.”
Fog Computing
Architecture that uses collaborative edge computing devices for local resource pooling.
Shadow IT
Term that describes the use of IT solutions that are managed outside of, and without the knowledge of, the IT department.
Cryptography Use Cases
- Confidentiality (encryption)
- Integrity (Hashing)
- Non-repudiation (digital signatures)
- Authentication (digital certificates)
Plaintext (clear-text)
Human readable.
Ciphertext
Encrypted and/or human unreadable text.
Cipher
A technique that transforms plaintext into ciphertext and back to clear-text.
Algorithm
A cryptographic algorithm is a mathematically complex modern cipher.
Stream Cipher
Algorithm that works with one bit at a time.
Example: RC4
Block Cipher
Algorithm that works with blocks of data.
Examples: DES, 3DES, AES, Blowfish, Twofish, IDEA
Cryptographic Key / Cryptovariable
Secret used with an algorithm.
- The key dictates what parts of the algorithm will be used, in what order, and with what values.
Key Space
Number of possible key combinations.
Key Stretching
The initial key is fed into an algorithm that outputs an enhanced (stronger) key.
Symmetric Key
Using a single key.
Asymmetric Key
Using two mathematically related keys (public / private)
Substitution Cipher
Substitution cipher replaces one character or bit for another character or bit. The key is the shift pattern.
Transposition Cipher
Transposition Cipher moves characters or bits to another place within the block. The key is the transposition code.
Confusion
Confusion is the process of changing the values. Complex substitution functions are used to create confusion. Substitution ciphers are enforced through confusion.
Diffusion
Diffusion is the process of changing the order. Sending bits through multiple rounds of transposition is used to create diffusion.
Lightweight Cryptography
Emerging lightweight cryptographic algorithms are being developed to support low power devices as well as low latency and high resiliency requirements.
Strength of a Cryptographic Algorithm
Strength of a Cryptographic Algorithm is a combination of the algorithm, the algorithmic process, the length of the key, and the secrecy of the key. If one element is weak, the cryptosystem can potentially be compromised.
Work Factor
The work factor is the amount of time and effort it would take to penetrate (break) a cryptosystem.
Key Management
Key management describes the activities involving the handling of cryptographic keys and other related security parameters (e.g. passwords) during their entire life-cycle.
- A key should only be used for one purpose (e.g. encryption).
- Keys should be frequently changed to increase work-factor.
- Private keys must be securely stored.
Key Escrow
Key Escrow is a proactive arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.
Block Cipher Modes
- Electronic CodeBook (ECB)
- Cipher Block Chaining (CBC)
- Counter Mode (CTR)
- Galois/Counter Mode (GCM)
Electronic CodeBook (ECB)
With Electronic CodeBook (ECB) mode, each block is independent (doesn’t hide patterns - not suitable for long message).
Cipher Block Chaining (CBC)
Cipher Block Chaining (CBC) mode includes an initialization vector (IV) and chains each block with the previous ciphertext block to leverage randomization.
Counter Mode (CTR)
Counter (CTR) mode does not have any dependencies between blocks. It converts a block cipher to a stream cipher using XOR functions.
Galois/Counter Mode (GCM)
Galois/Counter Mode (GCM) is an efficient mode of operation for symmetric-key block ciphers with 128-bit blocks. GCM can take advantage of parallel processing.
Symmetric Algorithms
- DES
- 3DES
- AES
- Blowfish
- IDEA
- Twofish
- RC4
Data Encryption Standard (DES)
64-bit key size / 16 rounds of substitution and transposition.
- 1977: established as a US Government standard.
- 1998: demonstrated that it could be “broken” in less than 56 hours.
Triple DES (3DES)
64-bit key size / 48 rounds of substitution and transposition using either 2 or 3 keys.
- 1999: replaced DES as a US Government standard.
- Considered deprecated.
Advanced Encryption Standard (Rijndael)
128-, 192-, or 256-bit key / 10, 12, or 14 rounds of substitution and transposition.
- 2002: replaced 3DES as a US Government standard.
Asymmetric Ciphers
- RSA
- ECC (Elliptic Curve Cryptosystem)
- Diffie-Hellman
- ElGamal
RSA
Widely implemented.
- De facto commercial standard.
- Works with both encryption and digital signatures.
ECC (Elliptic Curve Cryptosystem)
Similar function to RSA but with smaller key sizes (requires less computing power).
- Current US Government standard for asymmetric encryption.
Diffie-Hellman
Primarily used for key agreement (key exchange).
- Allows two parties (in the same DH group) that have no prior knowledge of each other to jointly establish a shared secret key.
- DHE uses modular arithmetic to compute the shared secret.
- ECDH uses algebraic curves to generate keys.
ElGamal
Primarily used for transmitting digital signatures and key exchange.
Hashing
Hashing produces a visual representation of a data set. The objective of hashing is proving integrity.
- Validate that a message has not been changed during transmission (message digest).
- Verify that a forensic clone is intact.
Hash Function Characteristics
In order to be considered secure, cryptographic hash functions must meet three criteria:
- Output must not be reversible (one-way representation).
- Variable length input must produce fixed length output.
- Output must be unique.
Hashing Collision
If a hash function produces the same value for two different inputs, the result is known as a collision.
Message Digest (MDx)
MD5 has been shown to be subject to collision attacks and is ‘broken’.
Secure Hash Algorithm (SHA)
Created by the NSA.
- SHA-1 has been shown to be subject to collision attacks.
- The SHA-2 family is widely used and includes SHA-256, SHA-384, and SHA-512.
RIPEMD
RIPEMD was based on MD4; it has been replaced by RIPEMD-160.
Hashed MAC
A hashed message authentication code (HMAC) is a hashed value that includes a symmetric key.
- An HMAC cannot be reproduced without knowing the key.
- An HMAC provides integrity and data origin authentication.
- HMAC is used by cryptographic protocols such as TLS and IPsec to verify the integrity of transmitted data during secure communications.
Digital Signature
A digital signature is a message digest that has been encrypted using a private key.
The goal of a digital signature is integrity and non-repudiation.
Non-repudiation
Non-repudiation means that the signer cannot deny sending the message. Conversely, the receiver can trust that the message came from the named signer.
Digital Signature Algorithms
- RSA
- Digital Signature Algorithm (DSA)
Digital Signature Algorithm (DSA)
Published by NIST in cooperation with the NSA; the US Government Digital Signature Standard.
Public Key Infrastructure
Public Key Infrastructure consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working together in a comprehensive manner to enable secure communication.
X.509
- Public Key Infrastructure X.509 (PKIX) is the working group formed by the IETF to develop standards and models (known as X.509).
- Public Key Cryptography Standards (PKCS) is a set of voluntary standards created by RSA and other industry leaders.
Digital Certificates
Digital Certificates are the mechanisms to generate a private key and to associate a public key with a collection of components sufficient to authenticate the claimed owner.
- The X.509 standard defines the certificate format and fields for the public key.
- The X.509 standard defines the distribution procedures.
- The current version of X.509 for certificates is v3.
Self-Signed Certificate
A Self-Signed certificate is signed by the person creating it.
- The advantage is that there is no additional expense.
- The disadvantages are that a self-signed certificate can easily be impersonated, will present the user with a warning message, and cannot be revoked.
- Use cases include an internal development server.
Trust Models (Chain of Trust)
A Trust Model defines how users trust other users, organizations, CAs and RAs within the PKI.
- Web of Trust.
- Third party (single Authority) Trust.
- Hierarchical Model.
Web of Trust
No central authority. Each user creates and signs their own certificate. Users sign each other’s public key, indicating “trust”.
Third Party (Single Authority) Trust
A central third-party Certificate Authority (CA) signs a key and authenticates the owner.
Hierarchical Trust Model
Extension of third-party trust in which root CAs issue certificates to lower-level “intermediate” CAs, which can then issue certificates. Trust is inherited.
Trusted Certificate Life-Cycle
- Certificate Signing Request (CSR).
- Certificate is issued.
- Certificate is published.
- Certificate is received.
- Certificate is installed.
- Certificate renewed, suspended, revoked or expired.
- Key is destroyed.
Certificate Revocation List (CRL)
The CA maintains a list of certificates that have been revoked.
- Pull model - CRL is downloaded by the user or organization.
- Push model - CRL is automatically sent out by the CA at regular intervals.
Online Certificate Status Protocol (OCSP)
Process designed to query the status of a certificate in real time.
- OCSP stapling is a time-stamped (cached) OCSP response.
Cryptanalysis
The process of finding a cryptographic weakness (vulnerability).
Known Ciphertext
A sample of ciphertext is available without the plaintext associated with it.
Known Plaintext
A sample of ciphertext and the corresponding known plaintext is available.
Chosen Plaintext
Can choose the plaintext to get encrypted and obtain the corresponding ciphertext.
Chosen Ciphertext
Can select the ciphertext and obtain the corresponding plaintext.
Cryptographic Key Attacks
- Brute Force
- Dictionary
- Frequency
- Replay
Brute Force Attack
Every possible key is tested (online or offline).
Dictionary Attack
List of known keys tested.
Frequency Attack
Looking for patterns to reveal the key.
Replay Attack
Attacker tries to reuse a cryptographic transmission.
Birthday Attack
Exploits the mathematics behind the birthday problem in probability theory to cause a collision.
Pass-the-hash Attack
Using captured hashed credentials from one machine to successfully gain control of another machine.
Rainbow Tables
Rainbow Tables are publicly available tables of pre-computed hashes.
Salting
Salts are values appended to the input to negate the value of rainbow tables.
Downgrade Attack
A Downgrade Attack is an attack on a system or communications protocol that forces degradation to a lower-quality crypto mode (if available) designed for backward compatibility.
Weak Implementations
Attackers take advantage of miscommunications, weak keys, and broken or deprecated versions.
Physical Security Controls
Physical security principles of deter, detect, and delay, supported by a response plan, are designed to frustrate and disrupt an adversary’s attack timeline.
- Deter: Stop or displace an attack.
- Detect: Verify an attack, initiate a response.
- Delay: Prevent the attack from reaching the asset (including measures to minimize the consequence of an attack).
Layered Defense (Defense-in-depth)
The premise of a layered defense model is that if an intruder can bypass one layer of controls, the next layer of controls should provide additional deterrence or detection capabilities. Layered defense is both physical and psychological.
Physical Security Zones
The principles of deter, detect, and delay extend to the following security zones.
- Beyond the perimeter
- Perimeter
- Within site
- Building
- Asset
Fail-Safe
Fail-Safe implies that in an emergency situation, controls will default to open.
Fail-Secure
Fail-Secure implies that in an emergency situation, controls will default to locked.
CPTED
The basic premise of Crime Prevention Through Environmental Design (CPTED) is that the proper design and effective use of the physical environment can lead to a reduction in the incidence and fear of crime.
Lighting
Lighting can be continuous, motion triggered, random, timed, or standby.
Lighting should be tamper proof and have a backup power supply.
Physical Signs
Signs for personnel safety and intruder deterrence.
Physical Barrier
Fences, walls, gates, barricades, and bollards define the perimeter.
Security Guards
Security personnel may be stationed at checkpoints, patrol the area, manage surveillance, and respond to breaches and/or suspicious activity.
Conventional Lock
Key-controlled cylinder; susceptible to “bumping”.
Pick Resistant Lock
Conventional locks that have complex and difficult-to-reproduce keys.
Cipher Lock
Uses a programmable keypad.
Electronic (digital) Lock
Cipher lock with centralized control and auditing capabilities.
Biometric Lock
Biometric recognition; may also require a key code.
Entrance / Exit Access Controls
- ID Card / badge
- Smart Card
- Biometric
- Access logs
- Audit Logs
- Mantrap
ID Card / badge
Identification card with or without picture (non-electronic).
Smart Card
Card with integrated circuitry used in conjunction with a card reader.
Biometric
Use of biometric technology to identify and authenticate a person.
Access Logs
Requirement to document access (sign-in/out).
Audit Logs
Logs generated by smart and biometric systems.
Mantrap
Two-tier barrier. Entry door on one side and an exit door on the opposite side. One door of a mantrap cannot be unlocked and opened until the opposite door has been closed and locked.
Surveillance
Surveillance technologies such as closed-circuit TV (CCTV) and cameras detect suspicious, abnormal, or unwanted behavior.
A surveillance system can:
- Identify the presence of an intruder
- Trigger an alarm or an alert
- Provide enough detail to determine the type of incident response.
- Provide Evidence.
Physical Intrusion Detection System Types
- Proximity: Measures a magnetic field.
- Motion: Detects physical disturbance.
- Photometric: Changes in light.
- Passive Infrared: Changes in heat.
- Acoustical: Changes in noise.
- Contact: Electrical circuit is broken.
Data Center Considerations
- Located in the center of a facility with no external windows or doors.
- Located on floors other than the basement, first floor, and top floor.
- Full walls extending from floor to ceiling.
- Partitioned ceiling.
Airgap Isolation
Air-gap isolation refers to computers or networks that are physically isolated from the internet and from any other computers that are connected to the internet.
Isolated Networks
A physically isolated network is completely disconnected from any other network, period.
Clean Room
A clean room network/computer is located in a secured room or facility.
Data Center Temperature
Data centers (inclusive of server rooms and networking closets) need to be kept cool.
- Recommended temperature for an area containing computing devices is between 70 and 74 degrees Fahrenheit.
- Damaging temperatures: Computers >175F, Magnetic Storage >100F, Paper products >350F.
Data Center Humidity
High data center humidity can cause corrosion, and low humidity can cause excessive static electricity.
- Relative humidity between 45% and 60% is acceptable for areas that are processing data.
- Electrostatic discharge (ESD) is the release of static electricity when two objects touch. ESD can damage or destroy electronic components.
EMI and RFI
Equipment and copper cables are sensitive to electromagnetic interference (EMI) and radio frequency interference (RFI).
Equipment should have limited exposure to magnets, fluorescent lights, electric motors, space heaters, and wireless access points.
Electromagnetic Interference (EMI)
Electromagnetic Interference (EMI) is due to electromagnetic conduction or radiation. Almost any type of electrical device can cause EMI.
Radio Frequency Interference (RFI)
Radio Frequency Interference (RFI) is due to AM/FM and cellular tower transmissions.
Data Emanation
Data Emanation (or signal emanation) is the electromagnetic (EM) field generated by coax or copper cables or network devices, which can be manipulated to eavesdrop on conversations or to steal data.
Faraday Cage
A Faraday cage (or shield) is an enclosure used to block electromagnetic (EM) fields (incoming and outgoing).
Faraday bags are often used in digital forensics to prevent remote wiping and alteration of criminal digital evidence.
Blackout
Prolonged period without power.
- Mitigating control: Battery backup (UPS), alternate power supply (generator), supplier diversity.
Brownout
Prolonged period of low voltage.
- Mitigation control: Voltage regulator, surge protectors, power line conditioners, battery backups (UPS).
Sag
Moment of low voltage.
- Mitigation control: Voltage regulator, surge protectors, power line conditioners, battery backups (UPS).
Surge
Prolonged period of high voltage.
- Mitigation control: Voltage regulator, surge protectors, power line conditioners, battery backups (UPS).
Spike
Moment of high voltage.
- Mitigation control: Voltage regulator, surge protectors, power line conditioners, battery backups (UPS).
Power Supply Failure
Failure of internal power supply or fan.
- Mitigation control: Redundant power supply.
Fire protection elements
- Fire Prevention: The first line of defense.
- Fire Detection: Realizing that there is a fire while it is still small and controllable.
- Fire Suppression: Containing and actually dealing with the fire.
Fire Type “A”
Ordinary combustibles: wood, paper, rubber, fabrics, and many plastics.
Type of Extinguisher: Water, Dry Powder, Halon.
Fire Type “B”
Flammable Liquids and Gases: gasoline, oils, paint, lacquer, and tar.
Type of Extinguisher: Carbon Dioxide, Dry Powder, Halon.
Fire Type “C”
Fires involving live electrical equipment.
Type of Extinguisher: Carbon Dioxide, Dry Powder, Halon.
Fire Type “D”
Combustible metals or combustible metal alloys.
Type of Extinguisher: Special Agents.
Fire Type “K”
Fires in cooking appliances that involve combustible cooking media: vegetable or animal oils and fats.
Water-based Fire Suppression Systems
Sprinkler system effective on Class A (ordinary combustible) fires.
Dry-Pipe
Sprinkler system effective on Class A (ordinary combustible) fires. Pipes do not have water in them until the system is activated. Automatic shut-off.
Halon
Pressurized Halon gas that removes oxygen from the air with no residue (banned by the Montreal Protocol of 1987).
FM-200
Colorless, odorless gaseous halocarbon with no residue. Safe for humans.
Argonite
Mixture of argon and nitrogen gas. Although non-toxic, it can be dangerous for humans.
CO2
Pressurized gas - manual discharge required. Extremely dangerous to humans.