Social Engineering, User Education, and Facilities Security
This chapter covers the following subjects:
Social Engineering: This section delves into the methods and techniques that social engineers can employ to gain access to buildings and systems and obtain company data and personal information. It also covers the various ways that these social engineers can be defeated.
User Education: Here we briefly discuss how to train up your users on the basics of security. Don’t forget, it’s not all about tech; the user is a vulnerability and can be exploited too. The key is understanding—the more the users know, the better equipped they will be to properly secure themselves.
Facilities Security: An organization’s facilities, such as its building, vehicles, and other property and equipment, can all be targets. Proper management and securing of facilities can help to protect company assets as well as the employees. It is important for a security person to consider fire suppression methods, heating, cooling, ventilation, shielding, and how to protect the server room. This section covers fire suppression methods, such as fire extinguishers, sprinkler systems, and special hazard protection, as well as HVAC, shielding, and some basic vehicle security.
The idea behind this chapter is to examine people and their behavior, and your organization’s facilities.
When I say “people,” I mean both kinds of people: social engineers who might try to exploit your organization, and the employees of an organization. In this chapter and the next we’ll discuss how to protect employees’ privacy, while still protecting your infrastructure from them! Policies and procedures can help to protect legitimate individuals and help protect the infrastructure from malicious individuals and social engineers.
An organization’s facilities include the building and its environmental controls, vehicles, and anything else owned by the organization. Everything is connected these days, so everything needs to be protected. Server rooms and data centers can be protected through the use of fire suppression systems, shielding, and more. But even those systems, and other systems such as electrical systems, should be implemented with an eye on security at all times.
The concepts covered in this chapter are a bit of a hodge-podge; content is less about computers, and more on the periphery of technology security, but I have tried to line everything up in a way that will make for easy reading and recall. We start with social engineering. No matter how much technology you implement, people still have to deal with people, and that opens the door for con artists. Then we’ll move on to user education. The best way to prevent social engineering attacks is to increase your users’ knowledge. Finally, we’ll get into the organization’s building and facilities. It’s all connected—attackers who use social engineering methods will target users and the facilities of an organization.
Let’s discuss a low note in our society. Because that is what information security–based social engineering is—a low form of behavior, but an effective one. It is estimated that 1 out of 10 people is conned every year through social engineering methods, and as many as half of them don’t even know it has occurred. It’s glorified in the movies, but in real life it can have devastating consequences to an organization and to innocent individuals.
We mentioned in Chapter 1, “Introduction to Security,” that social engineering is the act of manipulating users into revealing confidential information or performing other actions detrimental to the user. Examples of social engineering are common in everyday life. A basic example would be a person asking for your username and password over the phone; often the person uses flattery to gain information. Malicious people use various forms of social engineering in an attempt to steal whatever you have of value: your money, information, identity, confidential company data, or IT equipment. Social engineering experts use techniques and principles such as the following:
Urgency, scarcity, and even emergency
The grooming of trust/familiarity/liking
Persistence and patience
Relating to the user: using company jargon, consensus/popular decision, and social facts and proof
Embedding of questions within conversations
Social engineers will rely on information. For example, open source intelligence (OSINT) is a way that attackers can gain knowledge about a target. OSINT includes media, public government data, commercial data, and academic publications. That’s one of the reasons I don’t accurately detail specific exploits in this book, because it could be a source of data for a potential attacker! Social engineers also use tools such as social networking sites and P2P software to obtain information disclosure either directly or through data aggregation. The main reason that social engineering succeeds is due to a lack of user awareness. But social engineering can also be effective in environments in which the IT personnel have little training, and in public areas; for example, public buildings with shared office space. Let’s discuss some of the more common types of social engineering.
Pretexting is when a person invents a scenario, or pretext, in the hope of persuading a victim to divulge information. Preparation and some prior information are often needed before attempting a pretext; impersonation is often a key element. By impersonating the appropriate personnel or third-party entities, a person performing a pretext hopes to obtain records about an organization, its data, and its personnel. IT people and employees should always be on the lookout for impersonators and always ask for identification. If there is any doubt, the issue should be escalated to your supervisor and/or a call should be made to the authorities.
The malicious insider is one of the most insidious threats. Instead of impersonating personnel as is done in pretexting, the person actually becomes personnel! This attack is often used as part of a corporate espionage plan. Think that all IT techs are 100% honorable? In high-tech, you will find an assortment of atrocities, including the malicious insider threat. The insider might have been sent by a competing organization to obtain a job/consulting position with a certain company, or perhaps is approached by the competing organization while already working for the company that is the target. It is often initiated by organizations from another country. Once the insider is situated, that person can easily get access to secure data, PII, financials, engineering plans, and so on, and pass them on to the infiltrating organization. Of course, the penalties for this are high, but the potential rewards can be quite enticing to the properly “motivated” individual. Companies will therefore often run thorough background checks and credit checks and have human resources go through an entire set of psychological questions. Then, when a person is hired, there is a sort of trial period where the person is allowed very little access to secure data and secure environments.
Now, a malicious insider doesn’t necessarily have to be a person. It could be a device or bug that was inserted into the organization by a person using social engineering skills; for example, rogue PIN pad devices, audio and video sensors (bugs), keyloggers, and so on. This requires physical access to the building in one way or another, so identification and authentication become of paramount importance.
Warning! As of the writing of this book, malicious insider threats are severely underappreciated by many organizations. They shouldn’t be, because the malicious insider has the best chance of obtaining a desired result; a far better chance than the outsider. Think about it: if you wanted to steal 100,000 credit card numbers so that you could charge $1 to each—making a fortune, but causing no great stress to the credit card holders—how would you do it? Would you attempt a whole lot of MITM attacks? Would you try to hack through the bank’s firewall and IDS/IPS, tip-toe around the honeypot, and so on? Or would you attempt to get inside? The risk is greater, of course, for the person. It is much easier to get caught. But the potential for success outweighs the risk in comparison to trying to hack the system from the outside. The number of compromises to banks and chains of stores done in this manner is staggering.
Diversion theft is when a thief attempts to take responsibility for a shipment by diverting the delivery to a nearby location. This happens more often than you would think, and millions of dollars’ worth of IT equipment is stolen in this manner every day. It is important that couriers and other shippers know exactly where they are supposed to be delivering items, and that they are given an organization contact name, number, and possibly security code in case there is any confusion.
Phishing is the attempt at fraudulently obtaining private information. A phisher usually masquerades as someone else, perhaps another entity. There are two main differences between phishing and pretexting. First, phishing is usually done by electronic communication, not in person. Second, little information about the target is necessary. A phisher may target thousands of individuals without much concern as to their background. An example of phishing would be an e-mail that requests verification of private information. The e-mail probably leads to a malicious website designed to lure people into a false sense of security to fraudulently obtain information. The website often looks like a legitimate website. A common phishing technique is to pose as a vendor (such as an online retailer or domain registrar) and send the target e-mail confirmations of orders that they supposedly placed.
This is a triple-whammy. First, the orders are obviously fake; a person might say “Hey, wait! I didn’t place these orders!” and perhaps click the link(s) in the e-mail, leading the person to the false web page. Second, if a person thinks it’s a legitimate order (perhaps the person does many orders, and the fraudulent one looks like another legitimate one), the person might click a link to track the order, again leading to the bogus web page. Third, once at the web page, the person is asked to enter her credentials for her account (which then leads to credit card fraud and ID theft), and in addition to that the page might have Trojans and other malicious scripts that are delivered to the unsuspecting person on exit. Sheesh, talk about cyber-bullying!
Generally, no information about the target is necessary for a phishing attack. However, some “phishermen” actually target specific groups of people or even specific individuals. This is known as spear phishing. And when an attacker targets senior executives (CEOs, CFOs, and so on) it is known as whaling. Whaling attacks are much more detailed and require that the attacker know a good deal of information about the target (much of which is freely available on the Internet).
The concept of phishing is also accomplished by telephone. Phone phishing, known as vishing, works in the same manner as phishing but is initiated by a phone call (often using VoIP systems). The phone call often sounds like a prerecorded message from a legitimate institution (bank, online retailer, donation collector, and so on). The message asks the unsuspecting person for confidential information such as name, bank account numbers, codes, and so on; all under the guise of needing to verify information for the person’s protection. It’s really the opposite, of course, and many people are caught unawares by these types of scams every day. By using automated systems (such as the ones telemarketers use), vishing can be perpetuated on large groups of people with little effort.
A similar technique using automated systems is known as war-dialing. This is when a device (modem or other system) is used to scan a list of telephone numbers and dial them in search of computer systems and fax machines. The technique sifts out the phone numbers associated with voice lines, and the numbers associated with computers. It results in a list that can later be used by other attackers for various purposes.
Many different types of social engineering are often lumped into what is referred to as phishing, but actual phishing for private information is normally limited to e-mail and websites. To defend against this, a phishing filter or add-on should be installed and enabled on the web browser. Also, a person should be trained to realize that institutions will not call or e-mail requesting private information. If people are not sure, they should hang up the phone or simply delete the e-mail. A quick way to find out whether an e-mail is phishing for information is to hover over a link. You will see a URL domain name that is far different from that of the institution that the phisher is claiming to be, probably a URL located in a distant country. Many of these phishers are also probably engaging in spy-phishing: a combination of spyware and phishing that effectively makes use of spyware applications. A spyware application of this sort is downloaded to the target, which then enables additional phishing attempts that go beyond the initial phishing website.
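The hover-over-the-link check described above, automated for an HTML e-mail, as an added example that is not from the book: it extracts every link, then flags any link whose destination domain differs from the institution the message claims to come from, or whose visible text names a different domain than the href actually points to. The sample message, the claimed domain example-retail.com, and the simplified two-label domain rule are constructed assumptions for illustration.

```python
"""Flag links in an HTML e-mail whose destination does not match what the
message claims (the "hover over the link" check, done programmatically)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only; not a real e-mail.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your order #48213 from Example Retail has shipped.</p>
<p><a href="http://example-retail.co.example/track?id=48213">Track your order</a></p>
<p>Or visit <a href="http://www.example-retail.com.verify-account.example/login">
www.example-retail.com</a> to confirm your account details.</p>
<p>Help: <a href="https://support.example-retail.com/help">support.example-retail.com</a></p>
"""

# The domain the message claims to be sent on behalf of (assumption).
CLAIMED_DOMAIN = "example-retail.com"


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Assumption: a simplified public-suffix rule; production code should
    consult the Public Suffix List so that e.g. 'co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being parsed
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


# Matches something that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def analyze_links(html, claimed_domain):
    """Return one finding per link: href, text, host and a list of reasons
    the link is suspicious (empty list means nothing was flagged)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        # 1. The link goes somewhere other than the claimed institution.
        if registrable_domain(host) != claimed_domain:
            reasons.append("destination domain differs from claimed sender")
        # 2. The text the user sees names a different domain than the href.
        match = HOST_RE.search(text)
        if match and registrable_domain(match.group(1)) != registrable_domain(host):
            reasons.append("visible link text names a different domain")
        # 3. The real domain is buried as a subdomain label of a lookalike host.
        if claimed_domain in host and registrable_domain(host) != claimed_domain:
            reasons.append("claimed domain appears only as a subdomain label")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


def suspicious_links(html, claimed_domain):
    """Only the links that were flagged for at least one reason."""
    return [f for f in analyze_links(html, claimed_domain) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML, CLAIMED_DOMAIN):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```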
A hoax is the attempt at deceiving people into believing something that is false. The differences between hoaxes and phishing can be quite gray. However, hoaxes can come in person, or through other means of communication, whereas phishing is generally relegated to e-communication and phone. Although phishing can occur at any time, and with the specific goal of obtaining private information, a hoax can often be perpetuated on holidays or other special days and could be carried out simply for fun. Regardless, hoaxes can use up valuable organization resources: e-mail replies, Internet bandwidth used, time spent, and so on. An example of a “harmless” hoax was Google’s supposed name change to “Topeka” on April Fools’ Day 2010. An example of a financially harmful hoax was the supposed assassination of Bill Gates on April Fools’ Day 2003. This hoax led to stock market fluctuations and loss of profit in Asia. Some companies place a time limit on jokes and hoaxes indicating that the affected person has become nonproductive; for example, 3% of the workday.
Pretexting, malicious insider attempts, diversion theft, phishing, and hoaxes are all known as confidence tricks, thus the term con, and are committed by “bunko” artists. However, there are even lower ways to get access to people’s information; these often are used with the previous methods. These include shoulder surfing, eavesdropping, dumpster diving, baiting, and piggybacking.
Shoulder surfing is when a person uses direct observation to find out a target’s password, PIN, or other such authentication information. The simple resolution for this is for the user to shield the screen, keypad, or other authentication-requesting devices. A more aggressive approach is to courteously ask the suspected shoulder surfer to move along. Also, private information should never be left on a desk or out in the open. Computers should be locked or logged off when the user is not in the immediate area. From a more technical perspective, password masking can be implemented (if not already), where typed passwords only show as asterisks or dots on the screen. Always check if your systems, applications, and devices use password masking. Some lesser devices (such as SOHO routers) may not implement password masking by default, and that might go against company policy due to the inherent lack of security. Shoulder surfing, along with eavesdropping and dumpster diving, are examples of no-tech hacking.
Eavesdropping is when a person uses direct observation to “listen” in to a conversation. This could be a person hiding around the corner or a person tapping into a phone conversation. Soundproof rooms are often employed to stop eavesdropping, and encrypted phone sessions can also be implemented.
Dumpster diving is when a person literally scavenges for private information in garbage and recycling containers. Any sensitive documents should be stored in a safe place as long as possible. When they are no longer necessary, they should be shredded. (Some organizations incinerate their documents.) Information might be found not only on paper, but also on hard drives or removable media. Proper recycling and/or destruction of hard drives is covered later in this chapter.
Baiting is when a malicious individual leaves malware-infected removable media such as a USB drive or optical disc lying around in plain view. It might have an interesting logo or distinctive look about it. When a person takes it and connects it to his computer, the malware infects the computer and attempts to take control of it and/or the network the computer is a member of.
Piggybacking is when an unauthorized person tags along with an authorized person to gain entry to a restricted area—usually with the person’s consent. Tailgating is essentially the same with one difference: it is usually without the authorized person’s consent. Both of these can be defeated through the use of mantraps. A mantrap is a small space that can usually only fit one person. It has two sets of interlocking doors; the first set must be closed before the other will open, creating a sort of waiting room where people are identified (and cannot escape!). This technique is often used in server rooms and data centers. Multifactor authentication is often used in conjunction with a mantrap; for example, using a proximity card and PIN at the first door, and biometric scan at the second. A mantrap is an example of a preventive security control. Turnstiles, double entry doors, and employing security guards are other less expensive (and less effective) solutions to the problem of piggybacking and tailgating and help address confidentiality in general.
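The interlock and multifactor sequence just described, as an added example that is not from the book: a simulated two-door mantrap controller that refuses to open the inner door while the outer door is still open, while more than one person is inside, or when the biometric presented at the inner door does not match the card holder identified at the outer door. The credential store, the occupancy sensor, and the sample biometric templates are constructed assumptions.

```python
"""Interlock logic for a two-door mantrap: proximity card + PIN at the outer
door, biometric at the inner door. Invariant: both doors are never open at once."""
import hashlib
import hmac

# Constructed credential store (assumption, not real data): card id -> PIN and
# a hash standing in for the enrolled biometric template.
ENROLLED = {
    "CARD-1001": {"pin": "4821",
                  "bio": hashlib.sha256(b"template-alice").hexdigest()},
}


class InterlockError(Exception):
    """Raised when the physical invariant of the mantrap would be violated."""


class Mantrap:
    def __init__(self, credentials):
        self.creds = credentials
        self.outer_open = False
        self.inner_open = False
        self.occupants = 0          # assumption: a floor sensor reports occupancy
        self.pending_card = None    # identity established at the outer door
        self.log = []               # audit trail a guard or SIEM would review

    def outer_door_request(self, card, pin):
        """First factor pair (card + PIN). Opens the outer door on success."""
        rec = self.creds.get(card)
        if rec is None or not hmac.compare_digest(rec["pin"].encode(), pin.encode()):
            self.log.append(f"outer: denied {card}")
            return False
        if self.inner_open:
            self.log.append("outer: refused, inner door open")
            return False
        self.outer_open = True
        self.pending_card = card
        self.log.append(f"outer: opened for {card}")
        return True

    def person_enters(self, count=1):
        """Occupancy sensor update; count > 1 models a tailgater following in."""
        if not self.outer_open:
            raise InterlockError("outer door closed")
        self.occupants += count

    def close_outer(self):
        self.outer_open = False

    def inner_door_request(self, biometric_sample):
        """Second factor (biometric). Opens the inner door only when the outer
        door is closed, exactly one person is inside, and the sample matches
        the identity established at the outer door."""
        if self.outer_open:
            self.log.append("inner: refused, outer door open")
            return False
        if self.occupants != 1 or self.pending_card is None:
            self.log.append(f"inner: refused, occupancy {self.occupants} (tailgating?)")
            return False
        expected = self.creds[self.pending_card]["bio"]
        presented = hashlib.sha256(biometric_sample).hexdigest()
        if not hmac.compare_digest(expected, presented):
            self.log.append("inner: biometric mismatch, occupant held")
            return False
        self.inner_open = True
        if self.outer_open and self.inner_open:
            raise InterlockError("both doors open")
        self.log.append(f"inner: opened for {self.pending_card}")
        return True

    def person_exits_inner(self):
        """Occupant has passed through; reset for the next entry."""
        self.occupants = 0
        self.inner_open = False
        self.pending_card = None


if __name__ == "__main__":
    trap = Mantrap(ENROLLED)
    trap.outer_door_request("CARD-1001", "4821")
    trap.person_enters()
    trap.inner_door_request(b"template-alice")   # refused: outer still open
    trap.close_outer()
    trap.inner_door_request(b"template-alice")   # opens
    print("\n".join(trap.log))
```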
The watering hole attack is a strategy that targets users based on the common websites that they frequent. The attacker loads malware beforehand on one or more websites in the hopes that the user(s) will access those sites and activate the malware, ultimately infecting the user’s system and possibly spreading through the network. To figure out the browsing habits of users, the attacker might guess or use direct observation. So, this attack may also build upon other social engineering methods such as eavesdropping, pretexting, and phishing.
Popular websites such as Google, Microsoft, and so on will be difficult to infect with malware. It’s the smaller websites that the attacker will go after. For example, let’s take a company that manufactures widgets. Chances are that the company will need to purchase plastic and other resources to build the widgets. It follows that users will connect to suppliers’ websites often via the Internet or possibly an intranet. Typically, suppliers’ websites are known for a lack of security and make excellent targets. If many users in the company go to these same websites, and often, it’s just a matter of time before one clicks on the wrong website element, or gets tricked in another manner. Then, malware gets installed to the client computer and possibly spreads throughout the company. An attacker might also redirect users to other websites where other scams or more hardcore malware (such as ransomware) are located.
The problem is that you as a security administrator can’t actively prevent the malware on the targeted websites. You can suggest prevention methods to those companies—such as software patches and secure coding—but can’t force them into action. So, you should focus on localized prevention methods including user training, reducing web browser functionality, blacklisting of websites, and monitoring in the form of anti-malware software, IDS/IPS, and more—essentially, all of the methods we have discussed earlier in this book.
Table 17-1 summarizes the various types of social engineering we have discussed in this section.
Pretexting: When a person invents a scenario, or pretext, in the hope of persuading a victim to divulge information.
Malicious insider threat: When a person works at an organization with the secret purpose of obtaining secret information, financial information, design work, and PII.
Diversion theft: When a thief attempts to take responsibility for a shipment by diverting the delivery to a nearby location.
Phishing: The attempt at fraudulently obtaining private information, usually done electronically. Vishing is done by phone. Spear phishing targets specific individuals. Whaling targets senior executives.
Hoax: The attempt at deceiving people into believing something that is false.
Shoulder surfing: When a person uses direct observation to find out a target’s password, PIN, or other such authentication information.
Eavesdropping: When a person uses direct observation to “listen” in to a conversation. This could be a person hiding around the corner or a person tapping into a phone conversation.
Dumpster diving: When a person literally scavenges for private information in garbage and recycling containers.
Baiting: When a malicious individual leaves malware-infected removable media such as a USB drive or optical disc lying around in plain view in the hopes that unknowing people will bring it back to their computer and access it.
Piggybacking/tailgating: When an unauthorized person tags along with an authorized person to gain entry to a restricted area.
Watering hole attack: When an attacker targets users’ specific browsing habits in the hopes that they will access particular websites and activate the malware hidden within them.
In some cases, social engineering is easier than other, more technical ways of hacking information. For example, if a malicious individual wanted a person’s password, it might be a lot easier to trick the person into giving her password than to try to crack it.
The user could be the single most exploitable resource of a company. I think that the previous section about social engineering provides a good argument to support that opinion. People aren’t computers. Some might be compared to robots (perhaps unfairly), but no matter how logical and disciplined a person might be, there is always the potential for human error. So, until firewalls are developed for people’s brains, education becomes the best method to prevent social engineering attacks and malware infection, not to mention user error.
As an IT manager, I’ve always made it a point to incorporate technology and security training for as many employees as possible. This would include classroom/conference room training, written materials, digital courses, even funny posters in the cafeteria. I’d use whatever platform I could to get the point across. The key is to make it accessible to the user, and to make it interesting and fun.
There are several roadblocks when it comes to user training. The first is organizational acceptance. Are the executives of a company on board with the idea? As time moves on, we see that more and more executives include user education as a matter of course. However, if you come across an individual who is against the idea because of a “lack” of budgeting or time, then your counter is to simply show that person a news article about one of the many successful attacks that have occurred recently. Then show a case study of the amount of time and money that the affected company lost due to the attack, and—in most cases—how easily it could have been prevented. Then, there are the employees to be trained themselves. Some will put up a fight when it comes to education. Again, the secret ingredient here is to pique the interest of the users. Get them involved, make it fun, create a reward system, and use your imagination. Some organizations employ IT trainers on a full-time basis or as consultants. Good IT trainers know how to get through to the typical employee. Other organizations will offer incentives for attending training, or penalties for not attending—though statistics show that incentives usually work better than penalties.
You can also attempt role-playing. I’m not talking about a role-playing game such as Dungeons & Dragons! Rather, having the employees act out different organizational roles, such as system administrators, privileged users, executive users, data owners, system owners, and of course, typical end users. Throw in the hacker and/or con artist as the “bad guy” roles and you can really teach in a fun way. Create scenarios where people can learn in a tangible way how attacks are carried out and how they can be prevented. Quiz the employees, but keep it light. The idea is for employees to expand their knowledge into other areas of the company, a sort of table-top job rotation so to speak. Develop the situations and solutions properly, and the whole organization becomes a stronger and more secure unit, thanks to you. Come on, you know you always aspired to be a Dungeon Master!
Finally, there is the time factor. People have projects and tasks to complete, and usually aren’t even given enough time for that! Where does the time for training come from? This is when the mindset of loyalty to the company comes in—and human resources can usually be helpful in cultivating that mindset. The whole outlook should be based on the idea of overall efficiency and benefits to the company and individual. By sitting in on security training, the user will save time over the long term and will ultimately become a more knowledgeable person.
Anyway, for the Security+ certification, how the training gets accomplished isn’t as important as what is covered in training. The following is a basic list of rules you can convey when training employees:
Never, under any circumstances, give out any authentication details such as passwords, PINs, company ID, tokens, smart cards, and so on.
Always shield keypads and screens when entering authentication information.
Adhere to the organization’s clean desk policy, which states that all documents, electronics, personally owned devices, and other items be put away (or locked away) when the user is not at his or her desk, or other work area.
Always screen your e-mail and phone calls carefully and keep a log of events. This is also known as communications vetting.
Use encryption when possible to protect e-mails, phone calls, and data.
If there is any doubt as to the legitimacy of a person, e-mail, or phone call, document the situation and escalate it to your supervisor, security, or the authorities.
Never pick up, and make use of, any unknown removable media.
Always shred any sensitive information destined for the garbage or recycling.
Always comply with company policy when it comes to data handling and disposal. For example, if a hard drive, USB flash drive, memory stick, or optical disc is no longer being used, make sure it is disposed of properly. If the user is not sure, contact the IT department or facilities department of the organization to find out if it should be recycled, or destroyed.
Always track and expedite shipments.
*** Be extremely careful when using a web browser. Double-check everything that is typed before pressing Enter or clicking Go. Don’t click on anything unless you know exactly what it is. I triple-starred this one because web-based attacks account for a huge percentage of damage to organizations.
When training employees, try to keep them interested; infuse some fun and be silly if you want to. For instance, the first bullet said to never give out authentication details. Pundits tell us to never say never. Well, if it’s okay for them, then it’s okay for us. And in this case, it’s vital to the health of your organization—not to mention you. You see what I mean? Or, if you don’t want to be silly, then consider imparting some real examples. Use examples of social engineering so that your trainees can make the connection between actual social engineering methods and their defenses. Make them understand that social engineers don’t care how powerful an organization’s firewall is or how many armed guards the company has. They get past technology and other types of security by exploiting the weaknesses inherent in human nature.
The previous lists of social engineering methods and defenses are in no way finite. There are so many ways to con a person and so many ways to defend against the con. However, some of the best weapons against social engineering, aside from user education and awareness, are policies and procedures, and their constant analysis. We’ll be discussing those in the following chapter.
Although it is usually the duty of the IT director and building management to take care of the installation, maintenance, and repair of facilities related to technology, you also should have a basic knowledge of how these systems function. Significant concepts include environmental controls such as fire suppression and HVAC, shielding of equipment, and company vehicles. By far, the concept a person would spend the most time dealing with when planning a server room or data center is fire suppression.
We talked about fire suppression somewhat in Chapter 16, “Redundancy and Disaster Recovery,” but we need to dig a bit deeper into the types you can employ, and some of the policies and procedures involved with fire suppression. Fire suppression is the process of controlling and/or extinguishing fires to protect an organization’s employees, its data, and its equipment. There are basically three types of fire suppression you should know: handheld fire extinguisher solutions, sprinkler systems, and special hazard protection systems such as those used in server rooms.
Be careful when selecting a handheld fire extinguisher. There are several types to choose from; they vary depending on what type of environment you work in. Keep in mind that any one of these will probably cause damage to computers, phones, and other electronics. With only a couple exceptions, these solutions should not be used in a server room or other critical areas of your organization. Here are some of the classifications of fires and their indicators on corresponding fire extinguishers:
Fire Class A: Denoted by a green triangle, this class defines use for ordinary fires consuming solid combustibles such as wood. Think A for “ash” to help remember this type. Water-based extinguishers are suitable for Class A fires only and should not be used in a server room.
Fire Class B: Represented by a red square, this type defines use for flammable liquid and gas fires. I like to remember this by associating B with “butane” because butane is a highly flammable gas.
Fire Class C: Indicated with a blue circle, this type defines use for electrical fires—for example, when an outlet is overloaded. Think C for “copper” as in copper electrical wiring to aid in memorizing this type. If a fire occurs in a server room, and you don’t have a special hazard system (not wise), the multipurpose BC extinguisher (CO2) is the best handheld extinguisher to use. Electrical fires are the most likely type of fire in a server room.
Fire Class D: Designated with a yellow decagon, this type defines use for combustible metal fires such as magnesium, titanium, and lithium. A Class D extinguisher is effective in case a laptop’s batteries spontaneously ignite. Chemical laboratories and PC repair labs should definitely have one of these available. Metal fires can easily and quickly spread to become ordinary fires. These fire extinguishers are usually yellow; it is one of only a couple that deviate from the standard red color. Also, this is the only other exception when it comes to the use of extinguishers in a critical area of your organization. Because of those two reasons, I like to remember it by associating D with “deviate.”
Fire Class K: Symbolized as a black hexagon, this type is for cooking oil fires. This is one type of extinguisher that should be in any kitchen. This is important if your organization has a cafeteria with cooking equipment. Think K for “kitchen” when remembering this type.
The previous bulleted list is not an official standard but is used by most manufacturers of fire extinguishers in the United States. Other countries might have a slightly different system.
In general, the most common type of fire extinguisher used in a building is the multipurpose dry-chemical ABC extinguisher. However, this is extremely messy—it gets into everything! Plus, it can cause corrosion to computer components over time. For server rooms, BC extinguishers are sometimes employed; the most common is the carbon dioxide (CO2) extinguisher. The CO2 extinguisher displaces oxygen, which is needed for a fire to burn, in addition to heat and fuel, which collectively make up the fire triangle. CO2 extinguishers are relatively safe for computer components, especially compared to ABC extinguishers. However, the CO2 extinguisher can possibly cause damage to computer components from electrostatic discharge (ESD), although this is rare. Also, if carbon dioxide is released in an enclosed space where people are present, there is a risk of suffocation. If the organization has the money, it is far preferable to use an ABC-rated Halotron extinguisher in the server room—or better yet, a special hazard protection system.
Older extinguishants, such as halon, are not used anymore because they are harmful to the environment. Less-developed countries might still use them, but most governments have banned the use of halon. If you see one of these, it should be replaced with a newer extinguisher that uses environment-safe halocarbon agents such as Halotron or FE-36. These are known as gaseous clean agents that are not only safe for humans and safe for IT equipment, but are better for the environment as well. Gaseous fire suppression systems are the best for server rooms.
The most common type of fire sprinkler system consists of a pressurized water supply system that can deliver a high quantity of water to an entire building via a piping distribution system. This is known as a wet pipe sprinkler system. Typical of these systems are sprinkler heads with glass bulbs (often red) or two-part metal links. When the bulb or link reaches a predetermined temperature, it shatters or breaks, releasing the sprinkler cap and initiating the flow of water from that sprinkler and perhaps others in the same zone. The entire system is usually controlled by a valve assembly, often located in the building’s basement. Some organizations might have a need for a dry pipe system, which is necessary in spaces where the temperature of that area of the building can be cold enough to freeze the water in a wet pipe system. In this type of system, the pipes are pressurized with air, and water is sent through the system only if necessary; for example, during a fire.
Regardless of the system, an organization should conduct periodic fire drills to simulate a real fire and sprinkler system activation. Afterward, the security administrator should simulate disaster recovery procedures, as detailed in Chapter 16.
Most local municipalities require that organizations possess a sprinkler system that covers all the building’s floor space. However, the standard wet pipe or dry pipe systems are not acceptable in server rooms because if set off, they will most likely damage the equipment within. If a person were working in the server room and somehow damaged a pipe, it could discharge, possibly sending a few servers to the scrap heap. Instead, another option for a server room would be a pre-action sprinkler system (and possibly a special hazard protection system in addition to that). A pre-action sprinkler system is similar to a dry pipe system, but there are requirements for it to be set off, such as heat or smoke. So, even if a person were to damage one of the pipes in the sprinkler system, the pre-action system would not be set off.
I’ve mentioned several times that your server room contains the livelihood of your organization—its data. If you don’t protect the data, you’ll be out of a job. One way to protect the server room is by installing a clean agent fire suppression system. Special clean agent fire extinguishers, such as Halotron and FE-36, are recommended for server rooms because they leave no residue after the fire is extinguished, reducing the likelihood of damage to computer systems and networking equipment. Also, they are rated as ABC, so they can put out not only electrical fires, but also the ash fire that will most likely ensue. All the other systems mentioned up to this point can easily cause computer failure if they are discharged.
The ultimate solution would be to equip the server room with a special hazard protection system, a clean agent system, such as FM-200. This gaseous system would be installed in addition to the pre-action system (or other dry pipe system) if the organization can afford it. This system uses a large tank that stores a clean agent fire extinguishant in the form of a liquid. It is sprayed from one or more nozzles in the ceiling of the server room in gas form. A system such as this can put out most classes of fires in seconds. This type of product does not do damage to equipment and can be used safely when people are present. However, most of these systems also employ a very loud alarm that tells all personnel to leave the server room; it’s usually so loud and abrasive that you are compelled to leave! It is wise to run through fire suppression alarm tests and fire drills, ensuring that the alarm will sound when necessary and that IT personnel know what to do when the alarm sounds, namely, leave. In some cases, these systems will shut the door automatically after a certain timeout. In these cases, procedures should be written out specifying what to do if a fire occurs. Drilling is of utmost importance in these environments to make certain that everyone knows to leave the server room quickly if a fire occurs. Again, after drills have been completed, the appropriate IT personnel should simulate disaster recovery procedures, if necessary. If the system was installed properly and does its job, this simulation should be minimal.
HVAC, or heating, ventilating, and air conditioning, is important for server rooms, data centers, and other technology-oriented areas of your building. Servers run hot—their CPUs can make the temperature inside the case skyrocket. This heat needs to be dissipated and exhausted outside the case. All the heat from servers and other networking equipment is enough to make your server room fry!
To alleviate the situation, organizations install a heavy-duty air-conditioning system used solely for the server room. This can provide an appropriate ambient temperature for the servers. Often, the system also includes a humidity control. As we know, static electricity is our enemy. By increasing humidity, we decrease the buildup of static electricity and the chance of ESD. Also, this can enable us to keep our equipment from getting too humid, which can also cause failure. It is important to have this system on its own dedicated circuit that is rated properly.
Because most AC systems use refrigerant, it is important to locate the device and any pipes away from where servers and other equipment will be situated, or use a pipeless system. The controls for this system should be within the server room, perhaps protected by a key code. This way, only authorized IT personnel (who have access to the server room) can change the temperature or humidity. This control can also be hooked up to the door access system or other monitoring systems to log who made changes and when.
Another way to improve the heat situation is to circulate the air, and one smart way to do this is to install hot and cold aisles. To illustrate this concept, imagine that you had several rows of servers inside cabinets, all of which are resting on a raised floor. You would set up the fronts of the cabinets of each row to face each other, forming a cold aisle (the row you would normally walk down to access the servers). The cold air is pumped into this aisle from the raised floor. Since most servers and other IT equipment use front-to-back heat dissipation, the heat should be exhausted out behind the row. That’s where the hot aisle is, along with network cables, power cables, and so on. The hot air is exhausted through the raised floor or through exhaust ducts in the ceiling.
A heating system is rarely needed in a server room, unless the organization’s building is in the coldest of environments. This is due to the amount of heat that all the servers give off, and the fact that they usually run 24/7.
If there is a power failure that cannot be alleviated by use of a UPS and/or backup generator, you might opt to shut down all but the most necessary of systems temporarily. Some organizations enforce this by way of a written policy. To help monitor HVAC systems and their power consumption, industrial control systems (ICSs) such as the supervisory control and data acquisition (SCADA) computer-controlled system are often used. A system such as SCADA combines hardware monitoring devices (pressure gauges, electrodes, remote terminal units that connect to sensors) with software that is run on an admin’s (or building management employee’s) workstation, allowing the admin to monitor the HVAC system in real time. There could also be a human-machine interface (HMI) that displays SCADA animations on a separate screen in a strategic place in the building. SCADA systems are vulnerable to malware (such as the Stuxnet worm) that can be used to access design files. To protect against this, the workstation that runs the software portion of SCADA should have its AV software updated, and any separate physical interfaces, displays, and sensors should be secured and perhaps be placed within view of a CCTV system.
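The two monitoring ideas in the preceding paragraphs, keeping the server room inside a temperature and humidity envelope (low humidity raises ESD risk, high humidity risks condensation) and logging who changed the HVAC setpoints and when by tying the controls to the door access system, can be expressed as a small check run over SCADA-style records. The following is an added example and not code from the book or any SCADA product; the record formats, field names, user names, and thresholds are constructed assumptions.

```python
"""Server-room HVAC monitoring checks (added example; not the book's code).
Check 1: flag telemetry samples outside an assumed operating envelope.
Check 2: audit setpoint changes against the door-access log, flagging a
change when the user is not authorized or was not badged into the room.
Record formats, field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

# Assumed operating envelope (constructed values, not an industry standard).
TEMP_MIN_C, TEMP_MAX_C = 18.0, 27.0
RH_MIN_PCT, RH_MAX_PCT = 40.0, 60.0


@dataclass
class Reading:
    ts: datetime
    temp_c: float
    humidity_pct: float

@dataclass
class SetpointChange:
    ts: datetime
    user: str
    parameter: str    # e.g. "temp_setpoint" or "humidity_setpoint"
    new_value: float

@dataclass
class DoorEvent:
    ts: datetime
    user: str
    direction: str    # "in" or "out"


def check_reading(r: Reading) -> List[str]:
    """Return alert strings for one telemetry sample (empty list if in range)."""
    alerts = []
    if r.temp_c > TEMP_MAX_C:
        alerts.append(f"{r.ts:%H:%M} temperature {r.temp_c:.1f}C above {TEMP_MAX_C}C")
    elif r.temp_c < TEMP_MIN_C:
        alerts.append(f"{r.ts:%H:%M} temperature {r.temp_c:.1f}C below {TEMP_MIN_C}C")
    if r.humidity_pct < RH_MIN_PCT:
        # Dry air builds static charge, raising the chance of ESD damage.
        alerts.append(f"{r.ts:%H:%M} humidity {r.humidity_pct:.0f}% below {RH_MIN_PCT}% (ESD risk)")
    elif r.humidity_pct > RH_MAX_PCT:
        alerts.append(f"{r.ts:%H:%M} humidity {r.humidity_pct:.0f}% above {RH_MAX_PCT}% (condensation risk)")
    return alerts


def badged_in(user: str, ts: datetime, door_log: List[DoorEvent],
              window: timedelta = timedelta(hours=2)) -> bool:
    """True if the user's latest badge event before ts (within window) was an entry."""
    latest = None
    for e in door_log:
        if e.user == user and e.ts <= ts and ts - e.ts <= window:
            if latest is None or e.ts > latest.ts:
                latest = e
    return latest is not None and latest.direction == "in"


def audit_setpoint_changes(changes: List[SetpointChange], door_log: List[DoorEvent],
                           authorized: Set[str]) -> List[str]:
    """Return one finding per setpoint change that fails either check."""
    findings = []
    for c in changes:
        if c.user not in authorized:
            findings.append(f"{c.ts:%H:%M} {c.parameter}={c.new_value} by {c.user}: not authorized")
        elif not badged_in(c.user, c.ts, door_log):
            findings.append(f"{c.ts:%H:%M} {c.parameter}={c.new_value} by {c.user}: no matching door entry")
    return findings


def stamp(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 15, hour, minute)  # constructed date


# Constructed sample data: one morning in a server room.
DOOR_LOG = [
    DoorEvent(stamp(8, 55), "alice", "in"),
    DoorEvent(stamp(9, 40), "alice", "out"),
    DoorEvent(stamp(10, 0), "bob", "in"),
]
CHANGES = [
    SetpointChange(stamp(9, 5), "alice", "humidity_setpoint", 45.0),    # in room, authorized
    SetpointChange(stamp(9, 50), "alice", "temp_setpoint", 22.0),       # alice badged out at 09:40
    SetpointChange(stamp(10, 10), "bob", "temp_setpoint", 21.0),        # in room, authorized
    SetpointChange(stamp(10, 30), "carol", "humidity_setpoint", 35.0),  # not on authorized list
]
READINGS = [
    Reading(stamp(9, 0), 22.0, 45.0),    # in range
    Reading(stamp(11, 0), 28.5, 30.0),   # hot and dry: two alerts
    Reading(stamp(11, 30), 20.0, 70.0),  # too humid: one alert
]
AUTHORIZED = {"alice", "bob"}


def run_demo():
    """Run both checks over the sample data; returns (alerts, findings)."""
    alerts = [a for r in READINGS for a in check_reading(r)]
    findings = audit_setpoint_changes(CHANGES, DOOR_LOG, AUTHORIZED)
    return alerts, findings


if __name__ == "__main__":
    demo_alerts, demo_findings = run_demo()
    print("\n".join(demo_alerts + demo_findings))
```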
Aside from monitoring HVAC, heating and ventilation systems are usually beyond the knowledge of the IT people, and any maintenance or repair of such systems should be directed to qualified professionals. Sometimes, the building management is responsible for such systems, but more than likely the organization is responsible for the installation, repair, and maintenance. What’s important to know for the exam is that HVAC systems address the need for availability of data.
ANT, a proprietary wireless sensor technology originally incorporated into sports and fitness sensors, is also finding its way into industrial applications, as well as health-based devices, home automation, and more. Watch out for proprietary technologies that can communicate wirelessly and devise means to detect them and prohibit them from accessing your organization’s network.
We have already established that EMI and RFI can corrupt legitimate signals and can possibly create unwelcome emanations. Shielding can help to prevent these problems. Although these have been briefly discussed previously, let’s get into a little more detail with a few examples:
Shielded twisted-pair (STP) cable: By using STP cable, you employ a shield around the wires inside the cable, reducing the levels of interference on the cable segment. This can help with computers suffering from intermittent data loss.
HVAC shielding: By installing a shield around air conditioners and other similar equipment, you keep the EMI generated by that equipment inside the shield, away from nearby computers and cabling.
Faraday cage: There are several types of Faraday cages. Screened cables such as coaxial cables for TV are basic examples. Booster bags lined with aluminum foil would be another example. But the term Faraday cage is usually applied to an entire room. If an entire room is shielded, electromagnetic energy cannot pass through the walls in either direction. So, if a person attempts to use a cell phone inside the cage, it will not function properly, because the signal cannot go beyond the cage walls; the cell phone cannot acquire a signal from a cell phone tower. More important, devices such as cell phones, motors, and wireless access points that create electromagnetic fields and are outside the cage cannot disrupt electromagnetic-sensitive devices that reside inside the cage.
By using shielding effectively, you can limit just about any type of interference. Some server rooms are shielded entirely to stop any type of wireless transmissions from entering or exiting the room. This can be an expensive proposition and is more common in data centers and advanced technology computer rooms. The pinnacle of shielding technology and research is TEMPEST, which, according to some organizations, stands for Transient ElectroMagnetic Pulse Emanations Standard, though the U.S. government has denied that the word is an acronym at all. The TEMPEST standards (as defined by the U.S. government) deal with the study of compromising emissions, which are broken down into different levels according to particular environments and the strictness of shielding necessary for those environments. Because computers and monitors give off electromagnetic radiation, there is a chance, if an attacker uses the proper antenna, that information could be recorded. The TEMPEST standards govern the limiting of EM radiation, reducing the chance of the leakage of data. A TEMPEST-certified building can prevent wireless devices from being hacked by war-driving attacks and other similar wireless attacks. TEMPEST shielding (and other types of shielding) can also help to prevent damage caused by a high-energy electromagnetic pulse (EMP). Also known as a spike or a pinch, a high-energy EMP can be generated in a nuclear or non-nuclear fashion. The chances of a high-energy EMP occurring near your facility are very low, but some organizations and many government facilities require protection from it.
An organization’s vehicles might include cars, trucks, tractor trailers, boats, planes, drones, and more. Nowadays, they all have integrated computers, and so, of course, they are all hackable. Plus, the operator of the vehicle will probably carry some kind of mobile device, which may or may not interface with the vehicle. We just opened up a can of worms—of the mobile variety.
Have no fear, though: by applying the principles in this book, we can prevent most of the attacks and issues that can occur, because most of them are similar.
To start, many vehicles are equipped with Apple CarPlay, Android Auto, or a similar mobile device projection standard, allowing for seamless integration with the operator’s smartphone or tablet. Depending on the policies of an organization embracing BYOD, CYOD, or COPE, the organization might consider disabling this technology as it can pose a separate security risk. In some cases, malware stored on a mobile device can be transferred to the automotive computer(s), when connected via USB. With any group of connected systems, it is possible to subvert one technology to gain access to another. For example, an automobile will use the Controller Area Network (CAN) bus to allow communications between the dozens of control units, including the engine control unit and possibly the onscreen display. There are potential vulnerabilities all over the place if the system isn’t designed well. And with so many auto manufacturers and models, the risk level only increases.
Because of this, many organizations will opt for fleet vehicles that do not include an in-dash computer/mobile device projection system to reduce risk and to save money. Vehicles might also have an SD card slot, used to update GPS/maps or other automotive software. Infected SD cards could possibly be used (by a person with physical access) to corrupt the GPS system of the vehicle with the potential for location information being sent via the operator’s mobile device or from the vehicle itself. SD card slots can be disabled on some vehicles and the settings for the on-board computer can be blocked with a passcode or password.
Manufacturers and organizations will also implement a network security measure known as an air gap. An air gap is a method of isolating an entity, effectively separating it from everything else—the entity could be a CPU, a system, or an entire network. The concept could be applied to just about anything. As we know, one of the best ways to secure a thing is to isolate it. In the case of the CAN bus, the engine control unit is usually air gapped. Industrial control systems such as SCADA are often air gapped. So are mission-critical and life-critical controls used in nuclear power plants or aviation vehicles. It could also be an entire network that needs to be separated—this is common in military and government scenarios, and might also require the implementation of a Faraday cage or TEMPEST solution. If two entities are involved in an air gap, for example, two networks, they are often categorized as classified (secure or high side) and unclassified (insecure or low side), but it’s the classified entity that is considered to be the real air-gapped system. Data can easily be transferred from the low side to the high side, but for high side to low side data transfer, the procedures are much more strict, and quite possibly require physically moving the data. For example, in Chapter 15, “PKI and Encryption Protocols,” we discussed the concept of the offline certificate authority (CA), where certificates and keys are physically moved from that system to subsidiary CAs, and can be moved in the other direction the same way, which keeps the air gap secure.
It should go without saying that all vehicles should have appropriate locking systems and possibly additional authentication methods such as passcodes, proximity keys, and biometrics. By preventing access to unwanted individuals, you can protect many of the internal systems of a vehicle.
But what about wireless systems? Many vehicles now use Wi-Fi and Bluetooth, as well as proprietary technologies. We have detailed many vulnerabilities to these already. Use the prevention methods described previously in the book. Also, consider if Wi-Fi and/or Bluetooth are really necessary, and if not, disable them within the vehicle’s on-board computer settings. Or, utilize passcodes for Bluetooth. And consider the geofencing mindset: reduce the Wi-Fi power levels in order to decrease the Wi-Fi area.
Another vehicle that has become much more common is the unmanned aerial vehicle (UAV), commonly known as a drone. The applications of a UAV are seemingly endless, including security and defense applications. From a larger perspective, the risk associated with UAV technology is a double-edged sword—because you have organization-operated UAVs and attacker-operated UAVs. First, if an organization owns and uses UAV technology, it can be exploited like any other technology. For example, a UAV can be a target for command and control (C2) attacks, data link jamming, sensor jamming, and spoofing. An attacker might be trying to capture information, or compromise the UAV to take over navigation. The organization that owns the UAV can prevent this by using best coding practices (SDLC), encryption, mutual authentication, and UAV-specific security standards. Secondly, a well-funded attacker might own UAV technology and use it for reconnaissance, potentially spying on an organization, or gaining access to a wireless network—if properly equipped. On the prevention side, an organization should once again consider their geofencing policy, and have strong Wi-Fi encryption protocols in place. Plus, physical security methods (as discussed in Chapter 10, “Physical Security and Authentication Models”) should be in place as well as no-fly-zone policies.
The bottom line is this: Incorporate your security policies and procedures into any vehicles that your organization uses. It’s all part of that attitude we’ve used throughout the book—essentially, anything with a CPU and memory is a computer, and any computer can be compromised given time and effort. As a last note, by this definition of “computer,” we can safely say that computers are just about everywhere. Govern them accordingly.
So that wraps up this chapter about people and facilities. It was a bit helter-skelter as far as the listing of content, but in a way, all the concepts are intertwined. For example, you don’t want attackers to gain access to your building. But if they do, then you don’t want them to gain access to your server room (among other things). So, you implement things such as multifactor authentication, and just in case, you implement shielding to help prevent any wireless intrusion. These are physical security controls and are easily understood.
If only it were so easy to shield people from the con: from what we call social engineering. Any technology can be ultimately exploited by a smart person and some social engineering skills—and this is less tangible, and not as easily understood or as easily prevented. People who employ social engineering rely on authority, intimidation, impersonation, trust, persistence, and a lot of patience. This enables them to perform cons such as pretexting and hoaxes, and steal information through phishing, baiting, shoulder surfing, eavesdropping, and other methods. While this whole book is full of ways to prevent the con artist from obtaining data, secrets, and PII, it is the user education and awareness that might be the best defense. Knowledge is power, but users need to be trained in an interesting manner in order to effectively stop the threat of social engineering.
Environmental controls are security controls that are put in place to protect employees, servers, and the organization’s data. They include fire extinguishers, sprinkler systems, special hazard systems (such as FM-200), hot and cold aisles, SCADA-based systems, and shielding. The security of these depends on physical keys, proximity and smart card systems, video surveillance, security guards, alarms, and so forth. When it comes to building facilities, environmental controls might be a large piece of what you will be called on to secure, in addition to vehicles, equipment, electrical systems, and anything else that falls under that category. We’ve only scratched the surface when it comes to what is within the realm of “facilities.” You will not be expected to know everything on the subject. However, be ready to work with your organization’s facilities department and human resources department to accomplish what we have discussed in this chapter.
Use the features in this section to study and review the topics in this chapter.
Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 17-2 lists a reference of these key topics and the page number on which each is found.
Key Topic Element
Summary of social engineering types
Fire extinguisher types
Define the following key terms from this chapter, and check your answers in the glossary:
pretexting, diversion theft, phishing, spear phishing, whaling, vishing, hoax, shoulder surfing, eavesdropping, dumpster diving, baiting, piggybacking, tailgating, mantrap, watering hole attack, fire suppression, wet pipe sprinkler system, pre-action sprinkler system, special hazard protection system, hot and cold aisles, supervisory control and data acquisition (SCADA), Faraday cage, TEMPEST, Controller Area Network (CAN), air gap
Complete the Real-World Scenarios found on the companion website (www.pearsonitcertification.com/title/9780789758996). You will find a PDF containing the scenario and questions, and also supporting videos and simulations.
Answer the following review questions. Check your answers with the correct answers that follow.
1. Jeff wants to employ a Faraday cage. What will this accomplish?
A. It will increase the level of wireless encryption.
B. It will reduce data emanations.
C. It will increase EMI.
D. It will decrease the level of wireless emanations.
2. If a fire occurs in the server room, which device is the best method to put it out?
A. Class A extinguisher
B. Class B extinguisher
C. Class C extinguisher
D. Class D extinguisher
3. What devices will not be able to communicate in a Faraday cage? (Select the two best answers.)
4. You go out the back door of your building and notice someone looking through your company’s trash. If this person were trying to acquire sensitive information, what would this attack be known as?
B. Dumpster diving
5. User education can help to defend against which of the following? (Select the three best answers.)
A. Social engineering
C. Rainbow tables
D. Dumpster diving
6. Which of these is an example of social engineering?
A. Asking for a username and password over the phone
B. Using someone else’s unsecured wireless network
C. Hacking into a router
7. What is the most common reason that social engineering succeeds?
A. Lack of vulnerability testing
B. People sharing passwords
C. Lack of auditing
D. Lack of user awareness
8. In which two environments would social engineering attacks be most effective? (Select the two best answers.)
A. Public building with shared office space
B. Company with a dedicated IT staff
C. Locked building
D. Military facility
E. An organization whose IT personnel have little training
9. Of the following definitions, which would be an example of eavesdropping?
A. Overhearing parts of a conversation
B. Monitoring network traffic
C. Another person looking through your files
D. A computer capturing information from a sender
10. Of the following, which type of fire suppression can prevent damage to computers and servers?
A. Class A
D. ABC extinguishers
11. A man pretending to be a data communications repair technician enters your building and states that there is networking trouble and he needs access to the server room. What is this an example of?
A. Man-in-the-middle attack
C. Social engineering
D. Chain of custody
12. Turnstiles, double entry doors, and security guards are all preventative measures for what kind of social engineering?
A. Dumpster diving
13. In addition to bribery and forgery, which of the following are the most common techniques that attackers use to socially engineer people? (Select the two best answers.)
B. Assuming a position of authority
C. Dumpster diving
D. WHOIS search
14. You need to protect your data center from unauthorized entry at all times. Which is the best type of physical security to implement?
B. Video surveillance
C. Nightly security guards
15. Which of the following targets specific people?
D. Spear phishing
16. Why would you implement password masking?
A. To deter tailgating
B. To deter shoulder surfing
C. To deter impersonation
D. To deter hoaxes
17. A targeted e-mail attack is received by your organization’s CFO. What is this an example of?
D. Spear phishing
18. Which of the following environmental variables reduces the possibility of static discharges (ESD)?
19. Which of the following is a strategy that targets users based on the common websites that they frequent?
B. Hot/cold aisle
D. Watering hole
20. You have been ordered to implement a secure shredding system as well as privacy screens. What two attacks is your organization attempting to mitigate?
A. Shoulder surfing
D. Dumpster diving
1. B. The Faraday cage will reduce data emanations. The cage is essentially an enclosure (of which there are various types) of conducting material that can block external electric fields and stop internal electric fields from leaving the cage, thus reducing or eliminating data emanations from such devices as cell phones.
2. C. When you think Class C, think copper. Extinguishers rated as Class C can suppress electrical fires, which are the most likely kind in a server room.
3. A and C. Signals cannot emanate outside a Faraday cage. Therefore, smartphones and tablets (by default) will not work inside the Faraday cage. Generally, a Faraday cage is “constructed” for a server room, data center, or other similar location. Servers and switches are common in these places and are normally wired to the network, so they should be able to communicate with the outside world.
4. B. Dumpster diving is when a person goes through a company’s trash to find sensitive information about an individual or a company. Browsing is not an attack but something you do when connected to the Internet. Phishing is known as acquiring sensitive information through the use of electronic communication. Nowadays, hacking is a general term used to describe many different types of attacks.
5. A, B, and D. User education and awareness can help defend against social engineering attacks, phishing, and dumpster diving. Rainbow tables are lookup tables used when recovering passwords.
6. A. Social engineering is the practice of obtaining confidential information by manipulating people. Using someone else’s network is just theft. Hacking into a router is just that, hacking. And a virus is a self-spreading program that may or may not cause damage to files and applications.
7. D. User awareness is extremely important when attempting to defend against social engineering attacks. Vulnerability testing and auditing are definitely important as part of a complete security plan but will not necessarily help defend against social engineering and definitely will not help as much as user awareness training. People should not share passwords.
8. A and E. Public buildings with shared office space and organizations with IT employees who have little training are environments in which social engineering attacks are common and would be most successful. Social engineering will be less successful in secret buildings, buildings with a decent level of security such as military facilities, and organizations with dedicated and well-trained IT staff.
9. A. Eavesdropping is when people listen to a conversation that they are not part of. A security administrator should keep in mind that someone could always be listening, and thus should always try to protect against this.
10. C. CO2 is the best answer that will prevent damage to computers because CO2 is air-based, not water-based. CO2 displaces oxygen. Fire needs oxygen; without it the fire will go out. All the other options have substances that can damage computers. However, because CO2 can possibly cause ESD damage, the best solution in a server room would be Halotron or FE-36.
11. C. Any person pretending to be a data communications repair person would be attempting a social engineering attack.
12. C. Turnstiles, double entry doors, and security guards are all examples of preventative measures that attempt to defeat piggybacking. Dumpster diving is when a person looks through a coworker’s trash or a building’s trash to retrieve information. Impersonation is when a person attempts to represent another person, possibly with the other person’s identification. Eavesdropping is when a person overhears another person’s conversation.
13. A and C. The most common techniques that attackers use to socially engineer people include flattery, dumpster diving, bribery, and forgery. Although assuming a position of authority is an example of social engineering, it is not one of the most common. A WHOIS search is not necessarily malicious; it can be accomplished by anyone and can be done for legitimate reasons. This type of search can tell a person who runs a particular website or who owns a domain name.
14. A. Mantraps are the best solution listed—they are the closest to foolproof of the listed answers. Mantraps (if installed properly) are strong enough to keep a human inside until he completes the authentication process or is escorted off the premises. This is a type of preventive security control meant to stop tailgating and piggybacking. Video surveillance will not prevent an unauthorized person from entering your data center; rather, it is a detective security control. Security guards are a good idea, but if they work only at night, then they can’t prevent unauthorized access at all times. 802.1X is an excellent authentication method, but it is logically implemented as software and devices; it is not a physical security control.
15. D. Spear phishing is a targeted attack, unlike regular phishing, which usually works by contacting large groups of people. Pharming is when a website’s traffic is redirected to another, illegitimate, website. Vishing is the phone/VoIP version of phishing.
16. B. Password masking is when the characters a user types into a password field are replaced, usually by asterisks. This is done to prevent shoulder surfing. Tailgating is when an unauthorized person follows an authorized person into a secure area, without the second person’s consent. Impersonation is when a person masquerades as another, authorized user. A hoax is an attempt at deceiving people into believing something that is false.
17. C. Whaling is a type of spear phishing that targets senior executives such as CFOs. Regular old phishing does not target anyone, but instead tries to contact as many people as possible until an unsuspecting victim can be found. Vishing is the telephone-based version of phishing. Spear phishing does target individuals but not senior executives.
18. A. Humidity (if increased) can reduce the chance of static discharges. Temperature (within reason) does not have an effect on computer systems. EMI and RFI are types of interference that in some cases could possibly increase the chance of static discharge.
19. D. The watering hole attack is a strategy that targets users based on the common websites that they frequent. A pre-action sprinkler system is similar to a dry pipe system, but it has additional requirements, such as heat or smoke detection, before it is set off. Implementing hot and cold aisles in server rooms is a way to improve air circulation. Supervisory control and data acquisition (SCADA) systems combine hardware monitoring devices (pressure gauges, electrodes, remote terminal units that connect to sensors) with software that is run on an admin’s (or building management employee’s) workstation, allowing the admin to monitor the HVAC system in real time.
20. A and D. The privacy screens are being implemented to prevent shoulder surfing. The secure shredding system is being implemented to mitigate dumpster diving. Impersonation is when an unauthorized person masquerades as a legitimate, authorized person. Phishing is when an attacker attempts to fraudulently obtain information through e-mail scams. Tailgating is when a person (without proper credentials) attempts to gain access to an unauthorized area by following someone else in.
