Industry-standard frameworks and reference architectures

A security framework is a guide or plan for keeping your organizational assets safe. It provides a structure to the implementation of security for both new organizations and those with a long history. A security framework should provide perspective that security is not just an IT concern, but an important business operational function. A well-designed security framework should address personnel issues, network security, portable and mobile equipment, operating systems, applications, servers and endpoint devices, network services, business processes, user tasks, communications, and data storage.

Industry-standard frameworks are those that are adopted and respected by a majority of organizations within a specific line of business. A reference architecture may accompany a security framework. Often a reference architecture is a detailed description of a fictitious organization and how security could be implemented. This concept serves as a guide for real-world organizations to use as a template to follow for adapting and implementing a framework.

Some security frameworks are designed to help new organizations implement their initial and foundational security elements, whereas others are designed to improve the existing in-place security infrastructure.

Benchmarks/secure configuration guides

A benchmark is a documented list of requirements that is used to determine whether or not a system, device, or software solution is allowed to operate within a securely management environment (Figure 3.1). A secure configuration guide is another term for a benchmark. It can also be known as a standard or a baseline.

A benchmark can include specific instructions on installation and configuration of a product. It may also suggest alterations, modifications, and supplemental tools, utilities, drivers, and controls to improve the security of the system. A benchmark may also recommend operational steps, SOPs (standard operation procedures), and end-user guides to maintain security while business tasks are taking place.

A benchmark can be adopted from external entities, such as government regulations, commercial guidance, or community recommendations. But ultimately, a benchmark should be customized for the organization’s assets, threats, and risks.

Defense-in-depth/layered security

Defense in depth is the use of multiple types of access controls in literal or theoretical concentric circles or layers. This form of layered security helps an organization avoid a monolithic security stance. A monolithic mentality is the belief that a single security mechanism is all that is required to provide sufficient security.

Only through the intelligent combination of countermeasures can you construct a defense that will resist significant and persistent attempts at compromise. Intruders or attackers would need to overcome multiple layers of defense to reach the protected assets.

As with any security solution, relying on a single security mechanism is unwise. Defense in depth, multilayered security, or diversity of defense uses multiple types of access controls in literal or theoretical concentric circles or layers. By having security control redundancy and diversity, an environment can avoid the pitfalls of a single security feature failing; the environment has several opportunities to deflect, deny, detect, and deter any threat. Of course, no security mechanism is perfect. Each individual security mechanism has a flaw or a workaround just waiting to be discovered and abused by a hacker.

Exam Essentials

Be aware of industry-standard frameworks. A security framework is a guide or plan for keeping your organizational assets safe. It provides guidance and a structure to the implementation of security for organizations. Security frameworks may be regulatory, nonregulatory, national, international, and/or industry-specific.

Understand benchmarks. A benchmark is a documented list of requirements that is used to determine whether a system, device, or software solution is allowed to operate within a secure management environment. Benchmarks may be platform- or vendor-specific or general-purpose.

Define defense in depth. Defense in depth or layered security is the use of multiple types of access controls in literal or theoretical concentric circles or layers. Defense in depth should include vendor diversity and control diversity.

Zones/topologies

A network zone is an area of a network designed for a specific purpose, such as internal use or external use. Network zones are logical and/or physical divisions or segments of a LAN that allow for supplementary layers of security and control (see Figure 3.2). Each security zone is an area of a network that has a single defined level of security. That security may focus on encoding authorized access, preventing access, protecting confidentiality and integrity, or limiting traffic flow. Different security zones usually host different types of resources with different levels of sensitivity. Zones are often designated and isolated through the use of unique IP subnets and firewalls. Another term for network zone is network topology. There are many types of network zones; several are covered in the next sections.

DMZ

A demilitarized zone (DMZ) is a special-purpose subnet. A network consists of networking components (such as cables and switches) and hosts (such as clients and servers). Often, large networks are logically and physically subdivided into smaller interconnected networks. These smaller networks are known as subnets. Subnets are usually fairly generic, but some have special uses and/or configurations.

A DMZ is an area of a network that is designed specifically for low-trust users to access specific systems, such as the public accessing a web server. If the DMZ (as a whole or as individual systems within the DMZ) is compromised, the private LAN isn’t necessarily affected or compromised. Access to a DMZ is usually controlled or restricted by a firewall and router system.

The DMZ can act as a buffer network between the public untrusted Internet and the private trusted LAN. This implementation is known as a screened subnet. It is deployed by placing the DMZ subnet between two firewalls, where one firewall leads to the Internet and the other to the private LAN.

A DMZ can also be deployed through the use of a multihomed firewall (see Figure 3.3). Such a firewall has three interfaces: one to the Internet, one to the private LAN, and one to the DMZ.

A DMZ gives an organization the ability to offer information services, such as web browsing, FTP, and email, to both the public and internal clients without compromising the security of the private LAN.

A typical scenario where a DMZ would be deployed is when an organization wants to offer resources, such as web server, email server, or file server, to the general public.

Extranet

An extranet (see Figure 3.4) is a privately controlled network segment or subnet that functions as a DMZ for business-to-business transactions. It allows an organization to offer specialized services to business partners, suppliers, distributors, or customers. Extranets are based on TCP/IP and often use the common Internet information services, such as web browsing, FTP, and email. Extranets aren’t accessible to the general public. They often require outside entities to connect using a VPN. This restricts unauthorized access and ensures that all communications with the extranet are secured. Another important security concern with extranets is that companies that are partners today may be competitors tomorrow. Thus, you should never place data into an extranet that you’re unwilling to let a future competitor have access to.

A common scenario for use of an extranet is when an organization needs to grant resource access to a business partner or external supplier. This allows the external entity to access the offered resources without exposing those resources to the open Internet and does not allow the external entities access into the private LAN.

NAT

In order for systems to communicate across the Internet, they must have an Internet-capable TCP/IP address. Unfortunately, leasing a sufficient number of public IP addresses to assign one to every system on a network is expensive. Plus, assigning public IP addresses to every system on the network means those systems can be accessed (or at least addressed) directly by external benign and malicious entities. One way around this issue is to use network address translation (NAT) (see Figure 3.5).

NAT converts the private IP addresses (see the discussion of RFC 1918) of internal systems found in the header of network packets into public IP addresses. It performs this operation on a one-to-one basis; thus, a single leased public IP address can allow a single internal system to access the Internet. Because Internet communications aren’t usually permanent or dedicated connections, a single public IP address could effectively support three or four internal systems if they never needed Internet access simultaneously. So, when NAT is used, a larger network needs to lease only a relatively small number of public IP addresses.

NAT provides the following benefits:

• It hides the IP addressing scheme and structure from external entities.
• It serves as a basic firewall by only allowing incoming traffic that is in response to an internal system’s request.
• It reduces expense by requiring fewer leased public IP addresses.
• It allows the use of private IP addresses (RFC 1918).

Closely related to NAT is port address translation (PAT), which allows a single public IP address to host up to 65,536 simultaneous communications from internal clients (a theoretical maximum; in practice, you should limit the number to 100 or fewer in most cases). Instead of mapping IP addresses on a one-to-one basis, PAT uses the Transport layer port numbers to host multiple simultaneous communications across each public IP address.

The use of the term NAT in the IT industry has come to include the concept of PAT. Thus, when you hear or read about NAT, you can assume that the material is referring to PAT. This is true for most OSs and services; it’s also true of the Security+ exam.

Another issue to be familiar with is that of NAT traversal (NAT-T). Traditional NAT doesn’t support IPSec VPNs, because of the requirements of the IPSec protocol and the changes NAT makes to packet headers. However, NAT-T was designed specifically to support IPSec and other tunneling VPN protocols, such as Layer 2 Tunneling Protocol (L2TP), so organizations can benefit from both NAT and VPNs across the same border device/interface.

As the conversion from IPv4 to IPv6 takes place, there will be a need for NATing between these two IP structures. V4-to-v6 gateways or NAT servers will become more prevalent as the migration gains momentum, in order to maintain connectivity between legacy IPv4 networks and updated IPv6 networks. Once a majority of systems are using IPv6, the number of v4-to-v6 NATing systems will decline.

Scenarios where NAT implementation is essential include when using private IP addresses from RFC 1918 or when wanting to prevent external initiation of communications to internal devices.

Segregation/segmentation/isolation

Network segmentation involves controlling traffic among networked devices. Complete or physical network segmentation occurs when a network is isolated from all outside communications, so transactions can only occur between devices within the segmented network. Logical network segmentation can be imposed with switches using VLANs, or through other traffic-control means, including MAC addresses, IP addresses, physical ports, TCP or UDP ports, protocols, or application filtering, routing, and access control management. Network segmentation can be used to isolate static environments in order to prevent changes and/or exploits from reaching them.

Security layers exist where devices with different levels of classification or sensitivity are grouped together and isolated from other groups with different security levels. This isolation can be absolute or one-directional. For example, a lower level may not be able to initiate communication with a higher level, but a higher level may initiate with a lower level. Isolation can also be logical or physical. Logical isolation requires the use of classification labels on data and packets, which must be respected and enforced by network management, OSs, and applications. Physical isolation requires implementing network segmentation or air gaps between networks of different security levels.

Bridging between networks can be a desired feature of network design. Network bridging is self-configuring, is inexpensive, maintains collision-domain isolation, is transparent to Layer 3+ protocols, and avoids the 5-4-3 rule’s Layer 1 limitations (see https://en.wikipedia.org/wiki/5-4-3_rule). However, network bridging isn’t always desirable. It doesn’t limit or divide broadcast domains, doesn’t scale well, can cause latency, and can result in loops. In order to eliminate these problems, you can implement network separation or segmentation. There are two means to accomplish this. First, if communication is necessary between network segments, you can implement IP subnets and use routers. Second, you can create physically separate networks that don’t need to communicate. This can also be accomplished using firewalls instead of routers to implement secured filtering and traffic management.

All networks are involved in scenarios where segregation, segmentation, and isolation are needed. Without establishing a distinction between internal private networks and external public networks, maintaining privacy, security, and control is very challenging for the protection of sensitive data and systems. Network segmentation should be used to divide communication areas based on sensitivity of activities, value of data, risk of data loss or disclosure, level of classification, physical location, or any other distinction deemed important to an organization.

Logical (VLAN)

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. By default, all ports on a switch are part of VLAN 1. But as the switch administrator changes the VLAN assignment on a port-by-port basis, various ports can be grouped together and kept distinct from other VLAN port designations.

VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function, which can be provided either by an external router or by the switch’s internal software (one reason for the term multilayer switch). VLANs are treated like subnets but aren’t subnets. VLANs are created by switches. Subnets are created by IP address and subnet mask assignments.

VLAN management is the use of VLANs to control traffic for security or performance reasons. VLANs can be used to isolate traffic between network segments. This can be accomplished by not defining a route between different VLANs or by specifying a deny filter between certain VLANs (or certain members of a VLAN). Any network segment that doesn’t need to communicate with another in order to accomplish a work task/function shouldn’t be able to do so. Use VLANs to allow what is necessary and to block/deny anything that isn’t necessary. Remember, “deny by default; allow by exception” isn’t a guideline just for firewall rules, but for security in general.

A VLAN consists of network divisions that are logically created out of a physical network. They’re often created using switches (see Figure 3.6). Basically, the ports on a switch are numbered; each port is assigned the designation VLAN1 by default. Through the switch’s management interfaces, the device administrator can assign ports other designations, such as VLAN2 or VLAN3, in order to create additional virtual networks.

VLANs function in much the same way as traditional subnets. In order for communications to travel from one VLAN to another, the switch performs routing functions to control and filter traffic between its VLANs.

VLANs are used to segment a network logically without altering its physical topology. They’re easy to implement, have little administrative overhead, and are a hardware-based solution (specifically a Layer 3 switch). As networks are being crafted in virtual environments or in the cloud, software switches are often used. In these situations, VLANs are not hardware-based on or implemented by the software of a switch whether a physical device or a virtual system.

VLANs let you control and restrict broadcast traffic and reduce a network’s vulnerability to sniffers, because a switch treats each VLAN as a separate network division. In order to communicate between segments, the switch must provide a routing function. It’s the routing function that blocks broadcasts between subnets and VLANs, because a router (or any device performing Layer 3 routing functions, such as a Layer 3 switch) doesn’t forward Layer 2 Ethernet broadcasts. This feature of a switch blocks Ethernet broadcasts between VLANs and so helps protect against broadcast storms. A broadcast storm is a flood of unwanted Ethernet broadcast network traffic.

Tunneling/VPN

A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network. In most cases, the intermediary network is an untrusted network, such as the Internet, and therefore the communication tunnel is usually encrypted. Numerous scenarios lend themselves to the deployment of VPNs; for example, VPNs can be used to connect two networks across the Internet (see Figure 3.7) or to allow distant clients to connect into an office local area network (LAN) across the Internet (see Figure 3.8). Once a VPN link is established, the network connectivity for the VPN client is exactly the same as a LAN connected by a cable connection. The only difference between a direct LAN cable connection and a VPN link is speed.

VPNs offer an excellent solution for remote users to access resources on a corporate LAN. They have the following advantages:

• They eliminate the need for expensive dial-up modem banks, including landline and ISDN.
• They do away with long-distance toll charges.
• They allow a user anywhere in the world with an Internet connection to establish a VPN link with the office network.
• They provide security for both authentication and data transmission.

Sometimes VPN protocols are called tunneling protocols. This naming convention is designed to focus attention on the tunneling capabilities of VPNs.

VPNs work through a process called encapsulation. As data is transmitted from one system to another across a VPN link, the normal LAN TCP/IP traffic is encapsulated (encased, or enclosed) in the VPN protocol. The VPN protocol acts like a security envelope that provides special delivery capabilities (for example, across the Internet) as well as security mechanisms (such as data encryption).

When firewalls, intrusion detection systems, antivirus scanners, or other packet-filtering and -monitoring security mechanisms are used, you must realize that the data payload of VPN traffic won’t be viewable, accessible, scannable, or filterable, because it’s encrypted. Thus, in order for these security mechanisms to function against VPN-transported data, they must be placed outside of the VPN tunnel to act on the data after it has been decrypted and returned back to normal LAN traffic.

VPNs provide the following critical functions:

• Access control restricts users from accessing resources on a network.
• Authentication proves the identity of communication partners.
• Confidentiality prevents unauthorized disclosure of secured data.
• Data integrity prevents unwanted changes of data while in transit.

VPN links are established using VPN protocols. There are several VPN protocols, but these are the four you should recognize:

• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
• OpenVPN (SSL VPN, TLS VPN)
• Internet Protocol Security (IPsec) (see the Chapter 2 section “IPSec”)

PPTP was originally developed by Microsoft. L2TP was developed by combining features of Microsoft’s proprietary implementation of PPTP and Cisco’s Layer 2 Forwarding (L2F) VPN protocols. Since its development, L2TP has become an Internet standard (RFC 2661) and is quickly becoming widely supported.

Both L2TP and PPTP are based on Point-to-Point Protocol (PPP) and thus work well over various types of remote-access connections, including dial-up. L2TP can support just about any networking protocol. PPTP is limited to IP traffic. L2TP uses UDP port 1701, and PPTP uses TCP port 1723.

PPTP can use any of the authentication methods supported by PPP, including the following:

• Challenge Handshake Authentication Protocol (CHAP)
• Extensible Authentication Protocol (EAP)
• Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v.1)
• Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v.2)
• Shiva Password Authentication Protocol (SPAP)
• Password Authentication Protocol (PAP)

Not all implementations of PPTP can provide data encryption. For example, when working with a PPTP VPN between Windows systems, the authentication protocol MS-CHAP v.2 enables data encryption.

L2TP can rely on PPP and thus on PPP’s supported authentication protocols. This is typically referenced as IEEE 802.1x (see Chapter 4, “Identity and Access Management,” and Chapter 6, “Cryptography and PKI,” for their sections on IEEE 802.1x), which is a derivative of EAP from PPP. IEEE 802.1x enables L2TP to leverage or borrow authentication services from any available AAA server on the network, such as RADIUS or TACACS+. L2TP does not offer native encryption, but it supports the use of encryption protocols, such as Internet Protocol Security (IPSec). Although it isn’t required, L2TP is most often deployed using IPsec.

L2TP can be used to tunnel any routable protocol but contains no native security features. When L2TP is used to encapsulate IPsec, it obtains authentication and data- encryption features because IPsec provides them. The main reason to use L2TP-encapsulated IPSec instead of naked IPSec is when needing to traverse a Layer 2 network that is either untrustworthy or its security is unknown. This can include a telco’s business connection offerings, such as Frame Relay and Asynchronous Transfer Mode (ATM) or the public switched telephone network (PSTN). Otherwise, IPSec can be used without the extra overhead of L2TP.

OpenVPN is based on TLS (formally SSL) and provides an easy-to-configure but robustly secured VPN option. OpenVPN is an open-source implementation that can use either preshared secrets (such as passwords) or certificates for authentication. Many wireless access points support OpenVPN, which has a native VPN option for using a home or business WAP as a VPN gateway.

Security device/technology placement

When designing the layout and structure of a network, it is important to consider the placement of security devices and related technology. The goal of planning the architecture and organization of the network infrastructure is to maximize security while minimizing downtime, compromises, or other interruptions to productivity.

Firewalls

For an introduction to firewalls, see the Chapter 2 section “Firewall.”

The placement or location of a firewall should be at any transition between network segments where there is any difference in risk, sensitivity, security, value, function, or purpose. It is standard security practice to deploy a hardware security firewall between an internal network and the Internet as well as between the Internet, a DMZ or extranet, and an intranet (Figure 3.9).

Software firewalls are also commonly deployed on every host system, both servers and clients, throughout the organizational network.

It may also be worth considering implementing firewalls between departments, satellite offices, VPNs, and even different buildings or floors.

SDN

The concept of OS virtualization has given rise to other virtualization topics, such as virtualized networks. A virtualized network or network virtualization is the combination of hardware and software networking components into a single integrated entity. The resulting system allows for software control over all network functions: management, traffic shaping, address assignment, and so on. A single management console or interface can be used to oversee every aspect of the network, a task that required physical presence at each hardware component in the past. Virtualized networks have become a popular means of infrastructure deployment and management by corporations worldwide. They allow organizations to implement or adapt other interesting network solutions, including software-defined networks, virtual SANs, guest operating systems, and port isolation.

Software-defined networking (SDN) is a unique approach to network operation, design, and management. The concept is based on the theory that the complexities of a traditional network with on-device configuration (routers and switches) often force an organization to stick with a single device vendor, such as Cisco, and limit the flexibility of the network to adapt to changing physical and business conditions. SDN aims at separating the infrastructure layer (hardware and hardware-based settings) from the control layer (network services of data transmission management). Furthermore, this also negates the need for the traditional networking concepts of IP addressing, subnets, routing, and the like to be programmed into or deciphered by hosted applications.

SDN offers a new network design that is directly programmable from a central location, is flexible, is vendor neutral, and is based on open standards. Using SDN frees an organization from having to purchase devices from a single vendor. It instead allows organizations to mix and match hardware as needed, such as to select the most cost-effective or highest throughput–rated devices, regardless of vendor. The configuration and management of hardware are then controlled through a centralized management interface. In addition, the settings applied to the hardware can be changed and adjusted dynamically as needed.

Another way of thinking about SDN is that it is effectively network virtualization. It allows data transmission paths, communication decision trees, and flow control to be virtualized in the SDN control layer rather than being handled on the hardware on a per-device basis.

Another interesting development arising out of the concept of virtualized networks is the virtual storage area network (SAN). A SAN is a network technology that combines multiple individual storage devices into a single consolidated network-accessible storage container. A virtual SAN or a software-defined shared storage system is a virtual re-creation of a SAN on top of a virtualized network or an SDN.

A storage area network (SAN) is a secondary network (distinct from the primary communications network) used to consolidate and manage various storage devices. SANs are often used to enhance networked storage devices such as hard drives, drive arrays, optical jukeboxes, and tape libraries so they can be made to appear to servers as if they were local storage.

SANs can offer greater storage isolation through the use of a dedicated network. This makes directly accessing stored data difficult and forces all access attempts to operate against a server’s restricted applications and interfaces.

Exam Essentials

Comprehend network zones. A network zone is an area of a network designed for a specific purpose, such as internal use or external use. Network zones are logical and/or physical divisions or segments of a LAN that allow for supplementary layers of security and control.

Understand DMZs. A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

Understand extranets. An extranet is an intranet that functions as a DMZ for business-to-business transactions. Extranets let organizations offer specialized services to business partners, suppliers, distributors, or customers.

Understand intranets. An intranet is a private network or private LAN.

Know about guest networks. A guest zone or a guest network is an area of a private network designated for use by temporary authorized visitors.

Understand honeynets. A honeynet consists of two or more networked honeypots used in tandem to monitor or re-create larger, more diverse network arrangements.

Be aware of NAT. NAT converts the IP addresses of internal systems found in the headers of network packets into public IP addresses. It hides the IP addressing scheme and structure from external entities. NAT serves as a basic firewall by only allowing incoming traffic that is in response to an internal system’s request. It reduces expense by requiring fewer leased public IP addresses, and it allows the use of private IP addresses (RFC 1918).

Understand PAT. Closely related to NAT is port address translation (PAT), which allows a single public IP address to host multiple simultaneous communications from internal clients. Instead of mapping IP addresses on a one-to-one basis, PAT uses the Transport layer port numbers to host multiple simultaneous communications across each public IP address.

Know RFC 1918. RFC 1918 defines the ranges of private IP addresses that aren’t routable across the Internet: 10.0.0.0–10.255.255.255 (10.0.0.0 /8 subnet), 1 Class A range; 172.16.0.0–172.31.255.255 (172.16.0.0 /12 subnet), 16 Class B ranges; and 192.168.0.0–192.168.255.255 (192.168.0.0 /16 subnet), 256 Class C ranges.

Understand network segmentation. Network segmentation involves controlling traffic among networked devices. Logical network segmentation can be imposed with switches using VLANs, or through other traffic-control means, including MAC addresses, IP addresses, physical ports, TCP or UDP ports, protocols, or application filtering, routing, and access control management.

Comprehend VLANs. Switches are often used to create virtual LANs (VLANs)—logical creations of subnets out of a single physical network. VLANs are used to logically segment a network without altering its physical topology. They are easy to implement, have little administrative overhead, and are a hardware-based solution.

Understand virtualization. Virtualization technology is used to host one or more OSs within the memory of a single host computer. Related issues include snapshots, patch compatibility, host availability/elasticity, security control testing, and sandboxing.

Understand VPNs. A virtual private network (VPN) is a communication tunnel between two entities across an intermediary network. In most cases, the intermediary network is an untrusted network, such as the Internet, and therefore the communication tunnel is also encrypted.

Know VPN protocols. PPTP, L2TP, OpenVPN, and IPSec are VPN protocols.

Understand PPTP. Point-to-Point Tunneling Protocol (PPTP) is based on PPP, is limited to IP traffic, and uses TCP port 1723. PPTP supports PAP, SPAP, CHAP, EAP, and MS-CHAP v.1 and v.2.

Know L2TP. Layer 2 Tunneling Protocol (L2TP) is based on PPTP and L2F, supports any LAN protocol, uses UDP port 1701, and often uses IPSec for encryption.

Understand OpenVPN. OpenVPN is based on TLS (formerly SSL) and provides an easy-to-configure but robustly secured VPN option.

Realize the importance of security device placement. When designing the layout and structure of a network, it is important to consider the placement of security devices and related technology. The goal of planning the architecture and organization of the network infrastructure is to maximize security while minimizing downtime, compromises, or other interruptions to productivity.

Understand software-defined networking. Software-defined networking (SDN) is a unique approach to network operation, design, and management. SDN aims at separating the infrastructure layer (hardware and hardware-based settings) from the control layer (network services of data transmission management).

Hardware/firmware security

Security is an integration of both hardware/firmware components and software elements. This section looks at several hardware and firmware security technologies.

FDE/SED

Full-disk encryption (FDE) or whole-disk encryption is often used to provide protection for an OS, its installed applications, and all locally stored data. FDE encrypts all of the data on a storage device with a single master symmetric encryption key. Anything written to the encrypted storage device, including standard files, temporary files, cached data, memory swapped data, and even the remnants of deletion and the contents of slack space, is encrypted when FDE is implemented.

However, whole-disk encryption provides only reasonable protection when the system is fully powered off. If a system is accessed by a hacker while it’s active, there are several ways around hard drive encryption. These include a FireWire direct memory access (DMA) attack, malware stealing the encryption key out of memory, slowing down memory-decay rates with liquid nitrogen, or even just user impersonation. The details of these attacks aren’t important for this exam. However, you should know that whole-disk encryption is only a partial security control.

To maximize the defensive strength of whole-disk encryption, you should use a long, complex passphrase to unlock the system on bootup. This passphrase shouldn’t be written down or used on any other system or for any other purpose. Whenever the system isn’t actively in use, it should be powered down (hibernation is fine, but not sleep mode) and physically locked against unauthorized access or theft. Hard drive encryption should be viewed as a delaying tactic, rather than as a true prevention of access to data stored on the hard drive.

Hard drive encryption can be provided by a software solution, as discussed previously, or through a hardware solution. One option is self-encrypting drives (SED). Some hard drive manufacturers offer hard drive products that include onboard hardware-based encryption services. However, most of these solutions are proprietary and don’t disclose their methods or algorithms, and some have been cracked with relatively easy hacks.

Using a trusted software encryption solution can be a cost-effective and secure choice. But realize that no form of hard drive encryption, hardware- or software-based, is guaranteed protection against all possible forms of attack.

USB encryption is usually related to USB storage devices, which can include both USB-connected hard drives as well as USB thumb drives. Some USB device manufacturers include encryption features in their products. These often have an autorun tool that is used to gain access to encrypted content once the user has been authenticated. An example of an encrypted USB device is an IronKey.

If encryption features aren’t provided by the manufacturer of a USB device, you can usually add them through a variety of commercial or open-source solutions. One of the best-known, respected, and trusted open-source solutions is VeraCrypt (Figure 3.10) (the revised and secure replacement for its abandoned predecessor, TrueCrypt). This tool can be used to encrypt files, folders, partitions, drive sections, or whole drives, whether internal, external, or USB.

Operating systems

Any secure system design requires the use of a secure operating system. Although no operating system is perfectly secure, the selection of the right operating system for a particular task or function can reduce the ongoing burden of security management.

Disabling unnecessary ports and services

A key element in securing a system is to reduce its attack surface. The attack surface is the area that is exposed to untrusted networks or entities and that is vulnerable to attack. If a system is hosting numerous services and protocols, its attack surface is larger than that of a system running only essential services and protocols. The image in Figure 3.11 is from nmap.org, the source site for this tool, https://nmap.org/images/nmap-401-demoscan-798x774.gif.

It’s tempting to install every service, component, application, and protocol available to you on every computer system you deploy. However, this temptation is in direct violation of the security best practice that each system should host only those services and protocols that are absolutely essential to its mission-critical operations.

Any unused application service ports should be specifically blocked or disabled. Port or interface disabling is a physical option that renders a connection port electrically useless. Port blocking is a service provided by a software or hardware firewall that blocks or drops packets directed toward disallowed ports.

Layer 4, the Transport layer, uses ports to indicate the protocol that is to receive the payload/content of the TCP or UDP packet. Ports also assist in supporting multiple simultaneous connections or sessions over a single IP address. There are 65,535 potential ports. See www.iana.org/assignments/port-numbers for a current complete list of ports and protocol associations.

There are a number of common protocol default ports you may want to know for exam purposes. Table 3.1 is a brief list of ports to consider memorizing. All listed ports are default ports, and custom configurations can use alternate port selections.

Protocol/service	Port(s)	Notes
FTP	TCP ports 20 (data) and 21 (control)
SSH	TCP port 22	All protocols encrypted by SSH also use TCP port 22, such as SFTP, SHTTP, SCP, SExec, and slogin.
SMTP	TCP port 25
DNS	TCP and UDP port 53	TCP port 53 is used for zone transfers, whereas UDP port 53 is used for queries.
HTTP	TCP port 80 or TCP port 8080
Post Office Protocol v3 (POP3)	TCP port 110
NetBIOS Session service	TCP port 139
Internet Message Access Protocol v4 (IMAP4)	TCP port 143
HTTPS	TCP port 443	(TCP port 80 in some configurations of TLS)
Remote Desktop Protocol (RDP)	TCP port 3389

The real issue is that software isn’t trusted. Software (services, applications, components, and protocols) is written by people, and therefore, in all likelihood, it isn’t perfect. But even if software lacked bugs, errors, oversights, mistakes, and so on, it would still represent a security risk. Software that is working as expected can often be exploited by a malicious entity. Therefore, every instance of software deployed onto a computer system represents a collection of additional vulnerability points that may be exposed to external, untrusted, and possibly malicious entities.

From this perspective, you should understand that all nonessential software elements should be removed from a system before it’s deployed on a network, especially if that network has Internet connectivity. But how do you know what is essential and what isn’t? Here is a basic methodology:

1. Plan the purpose of the system.
2. Identify the services, applications, and protocols needed to support that purpose. Make sure these are installed on the system.
3. Identify the services, applications, and protocols that are already present on the system. Remove all that aren’t needed.

Often, you won’t know if a specific service that appears on a system by default is needed. Thus, a trial-and-error test is required. If software elements aren’t clearly essential, disable them one by one and test the capabilities of the system. If the system performs as you expect, the software probably isn’t needed. If the system doesn’t perform as expected, then the software needs to be re-enabled. This process is known as application and system hardening.

You may discover that some services and protocols offer features and capabilities that aren’t necessary to the essential functions of your system. If so, find a way to disable or restrict those characteristics. This may include restricting ports or reconfiguring services through a management console.

The essential services on a system are usually easy to identify—they generally have recognizable names that correspond to the function of the server. However, you must determine which services are essential on your specific system. Services that are essential on a web server may not be essential on a file server or an email server. Some examples of possible essential services are as follows:

• File sharing
• Email
• Web
• File Transfer Protocol (FTP)
• Telnet
• SSH
• Remote access
• Network News Transfer Protocol (NNTP)
• Domain Name Service (DNS)
• Dynamic Host Configuration Protocol (DHCP)

Nonessential services are more difficult to identify. Just because a service doesn’t have the same name as an essential function of your server doesn’t mean it isn’t used by the underlying OS or as a support service. It’s extremely important to test and verify whether any service is being depended on by an essential service. However, several services are common candidates for nonessential services that you may want to locate and disable first (assuming you follow the testing method described earlier). These may include the following:

• NetBIOS
• Unix RPC
• Network File System (NFS)
• X services
• R services
• Trivial File Transfer Protocol (TFTP)
• NetMeeting
• Instant messaging
• Remote-control software
• Simple Network Management Protocol (SNMP)

Disable default accounts/passwords

If you don’t need it, don’t keep it. This may be an optional mantra for you in real life, but in terms of security, it’s the first of two—the second is, lock down what’s left. Getting rid of unnecessary services and accounts is just the beginning of proper security and environment hardening. Leaving behind default or unused accounts gives hackers and attackers more potential points of compromise.

Always change default passwords to something unique and complex. All default passwords are available online (Figure 3.12). If available, always turn on password protection and set a complex password. Don’t assume physical access control is good enough or that logical remote access isn’t possible. If you discover you have a device with a hard-coded default password (meaning the original from-the-vendor password cannot be disabled or replaced), then remove that device from the network and replace it with a device that offers real security configuration options.

Peripherals

System hardware and peripherals require physical access controls and protections in order to maintain the logical security imposed by software. Without access control over the facility and physical environment, otherwise secured systems can be quickly compromised. Physical protections are used to protect against physical attacks, whereas logical protections protect only against logical attacks. Without adequate layers of protection, security is nonexistent. This section discusses several issues related to peripherals that often lead to security compromise because they’re overlooked or deemed non-serious threats.

Exam Essentials

Understand hardware security. System hardware and peripherals require physical access controls and protections in order to maintain the logical security imposed by software. Without access control over the facility and physical environment, otherwise secured systems can be quickly compromised.

Know about FDE and SED. Full-disk encryption (FDE) or whole-disk encryption is often used to provide protection for an OS, its installed applications, and all locally stored data. FDE encrypts all of the data on a storage device with a single master symmetric encryption key. Another option is self-encrypting drives (SEDs).

Understand TPM. The trusted platform module (TPM) is both a specification for a cryptoprocessor and the chip in a mainboard supporting this function. A TPM chip is used to store and process cryptographic keys for a hardware-supported and -implemented hard drive encryption system.

Define HSM. A hardware security module (HSM) is a special-purpose cryptoprocessor used for a wide range of potential functions. The functions of an HSM can include accelerated cryptography operations, managing and storing encryption keys, offloading digital signature verification, and improving authentication.

Understand UEFI and BIOS. Basic input/output system (BIOS) is the basic low-end firmware or software embedded in the hardware’s electrically erasable programmable read- only memory (EEPROM). BIOS identifies and initiates the basic system hardware components. A replacement or improvement to BIOS is Unified Extensible Firmware Interface (UEFI). UEFI provides support for all of the same functions as that of BIOS with many improvements, such as support for larger hard drives (especially for booting), faster boot times, enhanced security features, and even the ability to use a mouse when making system changes.

Comprehend OS security. There is no fully secure OS. All of them have security flaws. Every OS needs some level of security management imposed on it.

Understand EMI shielding. Shielding is used to restrict or control interference from electromagnetic or radio frequency disturbances. This can include using shielded cabling or cabling that is resistant to interference, or running cables through shielded conduits.

Realize the importance of disabling unnecessary ports and services. If a system is hosting numerous services and protocols, its attack surface is larger than that of a system running only essential services and protocols.

Understand least functionality. One rule of thumb to adopt when designing and implementing security is that of least functionality. If you always select and install the solution with the least functionality or without any unnecessary additional capabilities and features, then you will likely have a more secure result than opting for any solution with more options than necessary.

Know the concept of trusted OS. Trusted OS is an access-control feature that requires a specific OS to be present in order to gain access to a resource. Another formal definition of trusted OS is any OS that has security features in compliance with government and/or military security standards that enable the enforcement of multilevel security policies.

Understand peripheral security. System hardware and peripherals require physical access controls and protections in order to maintain the logical security imposed by software.

Sandboxing

Sandboxing is a means of quarantine or isolation. It’s implemented to keep new or otherwise suspicious software from being able to cause harm to production systems. It can be used against applications or entire OSs.

Sandboxing is simple to implement in a virtualization context because you can isolate a virtual machine with a few mouse clicks or commands. Once the suspect code is deemed safe, you can release it to integrate with the environment. If it’s found to be malicious, unstable, or otherwise unwanted, it can quickly be removed from the environment with little difficulty.

Environment

The organization’s IT environment must be configured and segmented to properly implement staging. This often requires at least four main network divisions: development, test, staging, and production.

Secure baseline

The security posture is the level to which an organization is capable of withstanding an attack. An organization may have good or poor posture. A plan and implementation are parts of the security posture often known as the secure baseline or security baseline. These include detailed policies and procedures, implementation in the IT infrastructure and the facility, and proper training of all personnel.

One mechanism often used to help maintain a hardened system is to use a security baseline, a standardized minimal level of security that all systems in an organization must comply with. This lowest common denominator establishes a firm and reliable security structure on which to build trust and assurance. The security baseline is defined by the organization’s security policy. Creating or defining a baseline requires that you examine three key areas of an environment: the OS, the network, and the applications. It may include requirements of specific hardware components, OS versions, service packs, patches and upgrades, configuration settings, add-on applications, service settings, and more.

The basic procedure for establishing a security baseline or hardening a system is as follows:

1. Remove unneeded components, such as protocols, applications, services, and hardware (including device drivers).
2. Update and patch the OS and all installed applications, services, and protocols.
3. Configure all installed software as securely as possible.
4. Impose restrictions on information distribution for the system, its active services, and its hosted resources.

Documentation is an important aspect of establishing a security baseline and implementing security in an environment. Every aspect of a system, from design to implementation, tuning, and securing, should be documented. A lack of sufficient documentation is often the primary cause of difficulty in locking down or securing a server. Without proper documentation, all the details about the OS, hardware configuration, applications, services, updates, patches, configuration, and so on must be discovered before security improvements can be implemented. With proper documentation, a security professional can quickly add to the existing security without having to reexamine the entire environment.

A security template is a set of security settings that can be mechanically applied to a computer to establish a specific configuration. Security templates can be used to establish baselines or bring a system up to compliance with a security policy. They can be custom-designed for workstations and server functions or purposes. Security templates are a generic concept; however, specific security templates can be applied via Windows’ Group Policy system.

Security templates can be built by hand or by extracting settings from a preconfigured master. Once a security template exists, you can use it to configure a new or existing machine (by applying the template to the target either manually or through a Group Policy object [GPO]), or to compare the current configuration to the desired configuration. This latter process is known as security template analysis and often results in a report detailing the gaps in compliance.

Operating system hardening is the process of reducing vulnerabilities, managing risk, and improving the security provided by or for an OS. This is usually accomplished by taking advantage of an OS’s native security features and supplementing them with add-on applications such as firewalls, antivirus software, and malicious-code scanners. There are several online sources of security configuration hardening and configuration checklists, such as the NIST Security Configuration Checklists Program site at http://csrc.nist.gov/groups/SNS/checklists/ (Figure 3.13), which can be used as a starting point for crafting an organization-specific set of SOPs.

Hardening an OS includes protecting the system from both intentional directed attacks and unintentional or accidental damage. This can include implementing security countermeasures as well as fault-tolerant solutions for both hardware and software. Some of the actions that are often included in a system-hardening procedure include the following:

• Deploy the latest version of the OS.
• Apply any service packs or updates to the OS.
• Update the versions of all device drivers.
• Verify that all remote-management or remote-connectivity solutions that are active are secure. Avoid FTP, Telnet, and other clear-text or weak authentication protocols.
• Disable all unnecessary services, protocols, and applications.
• Remove or securely configure Simple Network Management Protocol (SNMP).
• Synchronize time zones and clocks across the network with an Internet time server.
• Configure event-viewer log settings to maximize capture and storage of audit events.
• Rename default accounts, such as administrator, guest, and admin.
• Enforce strong passwords on all accounts.
• Force password changes on a periodic basis.
• Restrict access to administrative groups and accounts.
• Hide the last-logged-on user’s account name.
• Enforce account lockout.
• Configure a legal warning message that’s displayed at logon.
• If file sharing is used, force the use of secure sharing protocols or use virtual private networks (VPNs).
• Use a security and vulnerability scanner against the system.
• Scan for open ports.
• Disable Internet Control Message Protocol (ICMP) functionality on publicly accessible systems.
• Consider disabling NetBIOS.
• Configure auditing.
• Configure backups.

The filesystem in use on a system greatly affects the security offered by that system. A filesystem that incorporates security, such as access control and auditing, is a more secure choice than a filesystem without incorporated security. One great example of a secured filesystem is the Microsoft New Technology File System (NTFS). It offers file- and folder-level access permissions and auditing capabilities. Examples of filesystems that don’t include security are file allocation table (FAT) and FAT32.

Integrity measurement

The primary means of integrity measurement or assessment is the use of a hash. See the Chapter 6 section, “Hashing,” for details.

Exam Essentials

Understand secure staging. Secure staging is the controlled process of configuration and deployment for new systems, whether hardware or software. The goal of a secure staging process is to ensure compliance with the organization’s security policies and configuration baselines while minimizing risks associated with exposing an insecure system to a private network or even the Internet.

Comprehend sandboxing. Sandboxing is a means of quarantine or isolation. It’s implemented to restrict new or otherwise suspicious software from being able to cause harm to production systems.

Understand a secure IT environment. The organization’s IT environment must be configured and segmented to properly implement staging. This often requires at least four main network divisions: development, test, staging, and production.

Realize the importance of a security baseline. A plan and implementation are parts of the security posture often known as the secure baseline or security baseline. These include detailed policies and procedures, implementation in the IT infrastructure and the facility, and proper training of all personnel.

SCADA/ICS

Supervisory control and data acquisition (SCADA) is a type of industrial control system (ICS). An ICS is a form of computer-management device that controls industrial processes and machines. SCADA is used across many industries, including manufacturing, fabrication, electricity generation and distribution, water distribution, sewage processing, and oil refining. A SCADA system can operate as a stand-alone device, be networked together with other SCADA systems, or be networked with traditional IT systems.

Most SCADA systems are designed with minimal human interfaces. Often, they use mechanical buttons and knobs or simple LCD screen interfaces (similar to what you might have on a business printer or a GPS navigation device). However, networked SCADA devices may have more complex remote-control software interfaces.

In theory, the static design of SCADA and the minimal human interface should make the system fairly resistant to compromise or modification. Thus, little security was built into SCADA devices, especially in the past. But there have been several well-known compromises of SCADA; for example, Stuxnet delivered the first-ever rootkit to a SCADA system located in a nuclear facility. Many SCADA vendors have started implementing security improvements into their solutions in order to prevent or at least reduce future compromises.

Smart devices/IoT

Smart devices are a range of mobile devices that offer the user a plethora of customization options, typically through installing apps, and may take advantage of on-device or in-the-cloud artificial intelligence (AI) processing. The products that can be labeled “smart devices” are constantly expanding and already include smartphones, tablets, music players, home assistants, extreme sport cameras, and fitness trackers.

Android is a mobile device OS based on Linux, which was acquired by Google in 2005. In 2008, the first devices hosting Android were made available to the public. The Android source code is made open source through the Apache license, but most devices also include proprietary software. Although it’s mostly intended for use on phones and tablets, Android is being used on a wide range of devices, including televisions, game consoles, digital cameras, microwaves, watches, e-readers, cordless phones, and ski goggles.

The use of Android in phones and tablets isn’t a good example of a static environment. These devices allow for a wide range of user customization: you can install both Google Play Store apps and apps from unknown external sources (such as Amazon’s App Store), and many devices support the replacement of the default version of Android with a customized or alternate version. However, when Android is used on other devices, it can be implemented as something closer to a static system.

Whether static or not, Android has numerous security vulnerabilities. These include being exposed to malicious apps, running scripts from malicious websites, and allowing insecure data transmissions. Android devices can often be rooted (breaking their security and access limitations) in order to grant the user full root-level access to the device’s low-level configuration settings. Rooting increases a device’s security risk, because all running code inherits root privileges.

Improvements are made to Android security as new updates are released. Users can adjust numerous configuration settings to reduce vulnerabilities and risks. Also, users may be able to install apps that add additional security features to the platform.

iOS is the mobile device OS from Apple that is available on the iPhone, iPad, iPod, and Apple TV. iOS isn’t licensed for use on any non-Apple hardware. Thus, Apple is in full control of the features and capabilities of iOS. However, iOS is also a poor example of a static environment, because users can install any of over one million apps from the Apple App Store. Also, it’s often possible to jailbreak iOS (breaking Apple’s security and access restrictions), allowing users to install apps from third parties and gain greater control over low-level settings. Jailbreaking an iOS device reduces its security and exposes the device to potential compromise. Users can adjust device settings to increase an iOS device’s security and install many apps that can add security features.

The Internet of Things (IoT) is a new subcategory or even a new class of devices that are Internet-connected in order to provide automation, remote control, or AI processing to traditional or new appliances or devices in a home or office setting. IoT devices are sometimes revolutionary adaptations of functions or operations we may have been performing locally and manually for decades, which we would not want to ever be without again. Other IoT devices are nothing more than expensive gimmicky gadgets that, after the first few moments of use, are forgotten about and/or discarded. The security issues related to IoT are about access and encryption. All too often an IoT device was not designed with security as a core concept or even an afterthought. This has already resulted in numerous home and office network security breaches. Additionally, once an attacker has remote access to or through an IoT device, they may be able to access other devices on the compromised network. When electing to install IoT equipment, evaluate the security of the device as well as the security reputation of the vendor. If the new device does not have the ability to meet or accept your existing security baseline, then don’t compromise your security just for a flashy gadget.

One possible secure compromise is to deploy a distinct network for the IoT equipment, which is kept separate and isolated from the primary network. This configuration is often known as the three dumb routers (Figure 3.14) (see https://www.grc.com/sn/ sn-545.pdf or https://www.pcper.com/reviews/General-Tech/Steve-Gibsons- Three-Router-Solution-IOT-Insecurity).

While we often associate smart devices and IoT with home or personal use, they are also a concern to every organization. This is partly due to the use of mobile devices by employees within the company’s facilities and even on the organizational network. These concerns are often addressed in a BYOD, COPE, or CYOD policy (see the Chapter 2 section “Deployment models” for more information). Another aspect of network professional concern is that many IoT or networked automation devices are being added to the business environment. This includes environmental controls, such as HVAC management, air quality control, debris and smoke detection, lighting controls, door automation, personnel and asset tracking, and consumable inventory management and auto-reordering (such as coffee, snacks, printer toner, paper, and other office supplies). Thus, both smart devices and IoT devices are potential elements of a modern business network that need appropriate security management and oversight. For some additional reading on the importance of proper security management of smart devices and IoT equipment, please see “NIST Initiatives in IoT” at https://www.nist.gov/itl/applied-cybersecurity/nist-initiatives-iot.

HVAC

HVAC (heating, ventilation, and air conditioning) can be controlled by an embedded solution (which might be also known as a smart device or an IoT device). See the previous discussion on smart devices for security issues, and see the later section “HVAC” under “Environmental controls.” Physical security controls protect against physical attacks, while logical and technical controls only protect against logical and technical attacks.

SoC

A System on a Chip (SoC) is an integrated circuit (IC) or chip that has all of the elements of a computer integrated into a single chip. This often includes the main CPU, memory, a GPU, WiFi, wired networking, peripheral interfaces (such as USB), and power management. In most cases the only item missing from a SoC compared to a full computer is bulk storage. Often a bulk storage device must be attached or connected to the SoC to store its programs and other files, since the SoC usually contains only enough memory to retain its own firmware or OS.

The security risks of an SoC include the fact that the firmware or OS of an SoC is often minimal, which leaves little room for most security features. An SoC may be able to filter input (such as by length or to escape metacharacters), reject unsigned code, provide basic firewall filtering, use communication encryption, and offer secure authentication. But these features are not universally available on all SoC products. A few devices that use a SoC include the mini-computer Raspberry Pi, fitness trackers, smart watches, and some smartphones.

RTOS

A real-time operating system (RTOS) is designed to process or handle data as it arrives on the system with minimal latency or delay. An RTOS is usually stored on read-only memory (ROM) and is designed to operate in a hard real-time or soft real-time condition. A hard real-time solution is for mission-critical operations where delay must be eliminated or minimized for safety, such as autonomous cars. A soft real-time solution is used when some level of modest delay is acceptable under typical or normal conditions, as it is for most consumer electronics, such as the delay between a digitizing pen and a graphics program on a computer.

RTOSs can be event-driven or time-sharing. An event-driven RTOS will switch between operations or tasks based on preassigned priorities. A time-sharing RTOS will switch between operations or tasks based on clock interrupts or specific time intervals. An RTOS is often implemented when scheduling or timing is the most critical part of the task to be performed.

A security concern using RTOSs is that these systems are often very focused and single-purpose, leaving little room for security. They often use custom or proprietary code, which may include unknown bugs or flaws that could be discovered by attackers. An RTOS might be overloaded or distracted with bogus data sets or process requests by malware. When deploying or using RTOSs, use isolation and communication monitoring to minimize abuses.

Printers/MFDs

See the earlier section “Printers/MFDs” under “Peripherals” for an introduction to their security implications. A printer or multifunction device (MFD) can be considered an embedded device if it has integrated network capabilities that allow it to operate as an independent network node rather than a direct-attached dependent device. Thus, network-attached printers and other similar devices pose an increased security risk because they often house full-fledged computers within their chassis. Network security managers need to include all such devices in their security management strategy in order to prevent these devices from being the targets of attack, used to house malware or attack tools, or grant outsiders remote-control access.

Camera systems

See the earlier section “Digital cameras” under “Peripherals” for an introduction to their security implications. Some camera systems include an SoC or embedded components that grant them network capabilities. Cameras that operate as network nodes can be remotely controlled; can provide automation functions; and may be able to perform various specialty functions, such as time-lapse recording, tracking, facial recognition, or infrared or color-filtered recording. Such devices may be targeted by attackers, be infected by malware, or be remotely controlled by hackers. Network security managers need to include all such devices in their security management strategy to prevent these compromises.

Special purpose

The concept of embedded systems is rapidly expanding as computer control, remote access, remote management, automation, monitoring, and AI processing are being applied to professional and personal events, activities, and tasks. In addition to the concepts mentioned previously in this section, there are a handful of additional special purpose embedded systems you should be familiar with. These include mainframes, game consoles, medical devices, vehicles, and aircraft/UAVs.

Mainframes are high-end computer systems used to perform highly complex calculations and provide bulk data processing. Older mainframes may be considered static environments because they were often designed around a single task or supported a single mission-critical application. These configurations didn’t offer significant flexibility, but they did provide for high stability and long-term operation. Many mainframes were able to operate for decades.

Modern mainframes are much more flexible and are often used to provide high-speed computation power in support of numerous virtual machines. Each virtual machine can be used to host a unique OS and in turn support a wide range of applications. If a modern mainframe is implemented to provide fixed or static support of one OS or application, it may be considered a static environment.

Game consoles, whether home systems or portable systems, are potentially examples of static systems and embedded systems. The OS of a game console is generally fixed and is changed only when the vendor releases a system upgrade. Such upgrades are often a mixture of OS, application, and firmware improvements. Although game console capabilities are generally focused on playing games and media, modern consoles may offer support for a range of cultivated and third-party applications. The more flexible and open-ended the app support, the less of a static system it becomes.

Exam Essentials

Understand embedded systems. An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it’s a component.

Comprehend static environments. Static environments are applications, OSs, hardware sets, or networks that are configured for a specific need, capability, or function, and then set to remain unaltered. Examples include SCADA, embedded systems, Android, iOS, mainframes, game consoles, and in-vehicle computing systems.

Understand static environment security methods. Static environments, embedded systems, and other limited or single-purpose computing environments need security management. These techniques may include network segmentation, security layers, application firewalls, manual updates, firmware version control, wrappers, and control redundancy and diversity.

Know SCADA and ICS. Supervisory control and data acquisition (SCADA) is a type of industrial control system (ICS). An ICS is a form of computer-management device that controls industrial processes and machines. SCADA is used across many industries.

Understand smart devices. A smart device is a mobile device that offers the user a plethora of customization options, typically through installing apps, and may take advantage of on-device or in-the-cloud artificial intelligence (AI) processing.

Comprehend IoT. The Internet of Things (IoT) is a new subcategory or maybe even a new class of devices connected to the Internet in order to provide automation, remote control, or AI processing to traditional or new appliances or devices in a home or office setting.

Understand SoC. A System on a Chip (SoC) is an integrated circuit (IC) or chip that has all of the elements of a computer integrated into a single chip.

Know RTOS. A real-time operating system (RTOS) is designed to process or handle data as it arrives onto the system with minimal latency or delay. An RTOS is usually stored on read-only memory (ROM) and is designed to operate in a hard real-time or soft real-time condition.

Development life-cycle models

A development life-cycle model is a methodical ordering of the tasks of creating a new product or revising an existing one. A formal software development life-cycle (SDLC) model helps to ensure a more reliable and stable product by establishing a standardized process by which new ideas become actual software. Software development has only existed as long as computers—less than 100 years. Modern software is only 30 or 40 years old. The earliest forms of software development management were forged in the 1970s and 1980s, but it wasn’t until 1991, when the Software Engineering Institute established the Capability Maturity Model (CMM), that software management concepts were formally established and widely adopted.

Waterfall vs. Agile

Two of the dominant SDLC concepts are the waterfall model and the Agile model. The waterfall model (Figure 3.15) consists of seven stages, or steps. The original idea was that project development would proceed through these steps in order from first to last, with the restriction that returning to an earlier phase was not allowed. The name waterfall is derived from the concept of steps of rocks in a waterfall, where water falls onto each step to then move on down to the next, and the water is unable to flow back up. A more recent revision of the waterfall model allows for some movement back into earlier phases (hence the up arrows in the image) in order to address oversights or mistakes discovered in later phases.

The primary criticism of the waterfall model is the limitation to only return to the immediately previous phase. This prevents returning to the earliest phases to correct concept and design issues that are not discovered until later in the development process. Thus, it forces the completion of a product that is known to be flawed or not to fulfill goals.

To address this concern, the modified waterfall model was crafted. This version adds a verification and validation process to each phase so that as a phase is completed, a review process ensures that each phase’s purposes, functions, and goals were successfully and correctly fulfilled.

However, this model modification was not widely adopted before another variation was crafted, known as the spiral model. The spiral model (Figure 3.16) is designed around repeating the earlier phases multiple times, known as iterations, in order to ensure that each element and aspect of each phase is fulfilled in the final product.

In the diagram, each spiral traverses the first four initial phases. At the completion of an iteration, a prototype of the solution (P1, P2, …) is developed and tested. Based on the prototype, the spiral path is repeated. Multiple iterations are completed until the prototype fulfills all or most of the requirements of the initial phase or design goals and functions, at which point the final prototype becomes the final product.

One of the most modern SDLC models is Agile, based around adaptive development, where focusing on a working product and fulfilling customer needs is prioritized over rigid adherence to a process, use of specific tools, and detailed documentation. Agile focuses on an adaptive approach to development; it supports early delivery, continuous improvement, and flexible and prompt response to changes.

In 2001, 17 Agile development pioneers crafted the Manifesto for Agile Software Development (http://agilemanifesto.org), which states the core philosophy as follows:

We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

That is, while there is value in the items on the right, we value the items on the left more.

Furthermore, the Agile Manifesto prescribed 12 principles that guide the development philosophy:

“Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.

Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.

Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.

Business people and developers must work together daily throughout the project.

Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.

The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.

Working software is the primary measure of progress.

Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.

Continuous attention to technical excellence and good design enhances agility.

Simplicity—the art of maximizing the amount of work not done—is essential.

The best architectures, requirements, and designs emerge from self-organizing teams.

At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.”

Agile is quickly becoming the dominant SDLC model, adopted by programming groups both large and small.

Secure DevOps

DevOps, or development and operations, is a new IT movement in which many elements and functions of IT management are being integrated into a single automated solution. DevOps typically consists of IT development, operations, security, and quality assurance. Secure DevOps is a variant of DevOps that prioritizes security in the collection of tasks performed under this new umbrella concept. DevOps is adopted by organizations crafting software solutions for internal use as well as products destined for public distribution. DevOps has many goals, including reducing time to market, improving quality, maintaining reliability, and implementing security into the design and development process.

Transforming DevOps into secure DevOps, or at least prioritizing security within DevOps, often includes several components, as discussed in the next sections.

Version control and change management

Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to manage change systematically. Change management usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms. The records of changes to an environment are then used to identify agents of change, whether those agents are objects, subjects, programs, communication pathways, or the network itself.

The goal of change management is to ensure that no change leads to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. Change management can be implemented on any system, no matter what its level of security. Ultimately, change management improves the security of an environment by protecting implemented security from unintentional, tangential, or affected diminishments. Although an important goal of change management is to prevent unwanted reductions in security, its primary purpose is to make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management.

Change management should be used to oversee alterations to every aspect of a system, including hardware configuration and OS and application software. Change management should be included in design, development, testing, evaluation, implementation, distribution, evolution, growth, ongoing operation, and modification. It requires a detailed inventory of every component and configuration. It also requires the collection and maintenance of complete documentation for every system component, from hardware to software and from configuration settings to security features.

The change-control process of configuration, version control, or change management has several goals or requirements:

• Implement changes in a monitored and orderly manner. Changes are always controlled.
• A formalized testing process is included to verify that a change produces expected results.
• All changes can be reversed.
• Users are informed of changes before they occur to prevent loss of productivity.
• The effects of changes are systematically analyzed.
• The negative impact of changes on capabilities, functionality, and performance is minimized.

One example of a change-management process is a parallel run, which is a type of new system deployment testing where the new system and the old system are run in parallel. Each major or significant user process is performed on each system simultaneously to ensure that the new system supports all required business functionality that the old system supported or provided.

Change is the antithesis of security. In fact, change often results in reduced security. Therefore, security environments often implement a system of change management to minimize the negative impact of change on security. Change documentation is one aspect of a change-management system: it’s the process of writing out the details of changes to be made to a system, a computer, software, a network, and so on before they’re implemented. Then, the change documentation is transformed into a procedural document that is followed to the letter to implement the desired changes. After the changes are implemented, the system is tested to see whether security was negatively affected. If security has decreased, the change documentation can be used to guide the reversal of the changes to restore the system to a previous state in which stronger security was enforced.

Provisioning and deprovisioning

Provisioning is preallocation. When needing to deploy several new instances of a server to increase resource availability, the IT manager must provision hardware server resources to allocate to the new server instances. Provisioning is used to ensure that sufficient resources are available to support and maintain a system, software, or solution. Provisioning helps prevent the deployment of a new element without sufficient resources to support it.

Deprovisioning can be focused on two elements. It can focus on streamlining and fine-tuning resource allocation to existing systems for a more efficient distribution of resources. This can result in freeing sufficient resources to launch additional instances of a server. Deprovisioning can also focus on the release of resources from a server being decommissioned so that those resources return to the availability pool for use by other future servers.

Secure coding techniques

Secure coding concepts are those efforts designed to implement security into software as it’s being developed. Security should be designed into the concept of a new solution, but programmers still need to code the security elements properly and avoid common pitfalls and mistakes while coding.

Code quality and testing

No amount of network hardening, auditing, or user training can compensate for bad programming. Solid application security is essential to the long-term survival of any organization. Application security begins with secure coding and design, which is then maintained over the life of the software through testing and patching. Code quality needs to be assessed prior to execution. Software testing needs to be performed prior to distribution.

Before deploying a new application into the production environment, you should install it into a lab or pilot environment. Once testing is complete, the deployment procedure should include the crafting of an installation how-to, which must include not only the steps for deployment but also the baseline of initial configuration. This can be a written baseline or a template file that can be applied. The purpose of an application configuration baseline is to ensure compliance with policy and reduce human error. Baselines can be reapplied periodically or validated against changing work conditions as needed.

Sandboxing

A sandbox is a software implementation of a constrained execution space used to contain an application. Sandboxing (Figure 3.17) is often used to protect the overall computer from a new, unknown, untested application. The sandbox provides the contained application with direct or indirect access to sufficient system resources to execute, but not the ability to make changes to the surrounding environment or storage devices (beyond its own files). Sandboxing is commonly used for software testing and evaluating potential malware, and it is the basis for the concept of virtualization.

Compiled vs. runtime code

Most applications are written in a high-level language that is more similar to human language, such as English, than to the 1s and 0s that make up machine language. High-level languages are easier for people to learn and use in crafting new software solutions. However, high-level languages must ultimately be converted to machine language in order to execute the intended operations.

If the code is converted to machine language using a compiler crafting an output executable, then the language is described as compiled. The resulting executable file can be run at any time.

If the code remains in its original human-readable form and is converted into machine language only at the moment of execution, the language is a runtime compiled language. Some runtime languages will compile/convert the entire code at once into machine language for execution, whereas others will compile/convert only one line at a time (sometimes known as just-in-time execution or compilation).

Compiled code is harder for an attacker to inject malware into, but it is harder to detect such malware. Runtime code is easier for an attacker to inject malware into, but it is easier to detect such malware.

Exam Essentials

Understand SDLC. A development life-cycle model is a methodical ordering of the tasks of creating a new product or revising an existing one. A formal software development life-cycle (SDLC) model helps ensure a more reliable and stable product by establishing a standard process by which new ideas become actual software.

Know the waterfall model. The waterfall model consists of seven stages or steps. The original idea was that project development would proceed through these steps in order from first to last with the restriction that returning to an earlier phase was not allowed.

Understand Agile. The Agile model is based on adaptive development, where focusing on a working product and fulfilling customer needs is prioritized over rigid adherence to a process, use of specific tools, or detailed documentation. Agile focuses on an adaptive approach to development and supports early delivery and continuous improvement, along with flexible and prompt responses to changes.

Comprehend secure DevOps. DevOps, or development and operations, is a new IT movement in which many elements and functions of IT management are being integrated into a single automated solution. DevOps typically consists of IT development, operations, security, and quality assurance. Secure DevOps is a variant of DevOps that prioritizes security in the collection of tasks performed under this new umbrella concept.

Understand change management. The goal of change management is to ensure that change does not lead to reduced or compromised security. Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. This usually involves extensive planning, testing, logging, auditing, and monitoring of activities related to security controls and mechanisms.

Know provisioning and deprovisioning. Provisioning is preallocation. Provisioning is used to ensure that sufficient resources are available to support and maintain a system, software, or solution. Deprovisioning can focus on streamlining and fine-tuning resource allocation to existing systems for a more efficient distribution of resources. It can also focus on the release of resources from a server that is being decommissioned so that those resources return to the availability pool for use by other future servers.

Understand secure coding concepts. Secure coding concepts are those efforts designed to implement security into software as it’s being developed. Security should be designed into the concept of a new solution, but programmers still need to code the security elements properly and avoid common pitfalls and mistakes while coding.

Comprehend error handling. When a process, a procedure, or an input causes an error, the system should revert to a more secure state. This could include resetting to a previous state of operation, rebooting back into a secured state, or recycling the connection state to revert to secured communications.

Understand input validation. Input validation checks each and every input received before it’s allowed to be processed. The check could be a length, a character type, a language type, a domain, or even a timing check to prevent unknown, unwanted, or unexpected content from making it to the core program.

Know about normalization. Normalization is a database programming and management technique used to reduce redundancy. The goal of normalization is to prevent redundant data, which is a waste of space and can also increase processing load.

Understand stored procedures. A stored procedure is a subroutine or software module that can be called upon or accessed by applications interacting with an RDBMS.

Know code signing. Code signing is the activity of crafting a digital signature of a software program in order to confirm that it was not changed and who it is from.

Understand obfuscation and camouflage. Obfuscation or camouflage is the coding practice of crafting code specifically to be difficult for other programmers to decipher.

Comprehend code reuse. Code reuse is the inclusion of preexisting code in a new program. Code reuse can be a way to quicken the development process.

Understand dead code. Dead code is any section of software that is executed but the output or result of the execution is not used by any other process. Effectively the execution of dead code is a waste of time and resources.

Know server-side validation. Server-side validation is suited for protecting a system against input submitted by a malicious user. It should include a check for input length, a filter for known scriptable or malicious content (such as SQL commands or script calls), and a metacharacter filter.

Understand client-side validation. Client-side validation focuses on providing better responses or feedback to the typical user. It can be used to indicate whether input meets certain requirements, such as length, value, content, and so on.

Know memory management. Software should include proper memory management, such as preallocating memory buffers but also limiting the input sent to those buffers. Including input limit checks is part of secure coding practices.

Understand third-party libraries and SDKs. Third-party software libraries and software development kits (SDKs) are often essential tools for a programmer. Using preexisting code can allow programmers to focus on their custom code and logic.

Comprehend code quality and testing. Application security begins with secure coding and design, which is then maintained over the life of the software through testing and patching.

Understand static code analyzers. Static code analyzers review the raw source code of a product without the program being executed. This debugging effort focuses on locating flaws in the software code before the program is run on a target or customer system.

Know dynamic analysis. Dynamic analysis is the testing and evaluation of software code while the program is executing. The executing code is then subjected to a range of inputs to evaluate its behavior and responses.

Understand fuzzing. Fuzzing is a software-testing technique that generates inputs for targeted programs. The goal of fuzz-testing is to discover input sets that cause errors, failures, and crashes, or to discover other defects in the targeted program.

Know about stress testing. Stress testing is another variation of dynamic analysis in which a hardware or software product is subjected to various levels of workload in order to evaluate its ability to operate and function under stress.

Understand sandboxing. A sandbox is a software implementation of a constrained execution space used to contain an application. Sandboxing is often used to protect the overall computer from a new, unknown, untested application.

Comprehend model verification. Model verification is often part of software development processes; it is used to ensure that the crafted code remains in compliance with a development process, architectural model, or design limitations.

Understand compiled code. If the code is converted to machine language using a compiler crafting an output executable, then the language is a compiled language.

Know about runtime code. If the code remains in its original human-readable form and then gets converted into machine language only at the moment of execution, the language is a runtime compiled language.

Hypervisor

The hypervisor, also known as the virtual machine monitor (VMM), is the component of virtualization that creates, manages, and operates the virtual machines. The computer running the hypervisor is known as the host OS, and the OSs running within a hypervisor-supported virtual machine are known as guest OSs.

Type I

A type I hypervisor (Figure 3.18, top) is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside. Type 1 hypervisors are often used to support server virtualization. This allows for maximization of the hardware resources while eliminating any risks or resource reduction caused by a host OS.

Application cells/containers

Another variation of virtualization is that focusing on applications instead of entire operating systems. Application cells or application containers (Figure 3.19) are used to virtualize software so they can be ported to almost any OS.

VM sprawl avoidance

VM sprawl occurs when an organization deploys numerous virtual machines without an overarching IT management or security plan in place. Although VMs are easy to create and clone, they have the same licensing and security management requirements as a metal installed OS. Uncontrolled VM creation can quickly lead to a situation where manual oversight cannot keep up with system demand. To prevent or avoid VM sprawl, a policy for developing and deploying VMs must be established and enforced. This should include establishing a library of initial or foundation VM images that are to be used to develop and deploy new services.

VM escape protection

VM escaping occurs when software within a guest OS is able to breach the isolation protection provided by the hypervisor in order to violate the container of other guest OSs or to infiltrate a host OS. VM escaping can be a serious problem, but steps can be implemented to minimize the risk. First, keep highly sensitive systems and data on separate physical machines. An organization should already be concerned about over- consolidation resulting in a single point of failure, so running numerous hardware servers so each supports a handful of guest OSs helps with this risk. Keeping enough physical servers on hand to maintain physical isolation between highly sensitive guest OSs will further protect against VM escaping. Second, keep all hypervisor software current with vendor-released patches. Third, monitor attack, exposure, and abuse indexes for new threats to your environment.

Cloud storage

Cloud storage is the idea of using storage capacity provided by a cloud vendor as a means to host data files for an organization. Cloud storage can be used as a form of backup or support for online data services. Cloud storage may be cost effective, but it is not always high speed or low latency. Most do not yet consider cloud storage as a replacement for physical backup media solutions, but rather as a supplement for organizational data protection.

Cloud deployment models

Cloud computing is a popular term that refers to performing processing and storage elsewhere, over a network connection, rather than locally. Cloud computing is often thought of as Internet-based computing. Ultimately, processing and storage occur on computers somewhere, but the distinction is that the local operator no longer needs to have that capacity or capability locally. Thus more users can use cloud resources on an on-demand basis. From the end users’ perspective, all the work of computing is performed “in the cloud,” so the complexity is isolated from them.

Cloud computing is a natural extension and evolution of virtualization, the Internet, distributed architecture, and the need for ubiquitous access to data and resources. However, it does have some security and IT policy issues: privacy concerns, regulation compliance difficulties, use of open-/closed-source solutions, adoption of open standards, and whether cloud-based data is actually secured (or even securable). The primary security concerns related to cloud computing are determining and clarifying what security responsibilities belong to the cloud provider and which are the customer’s obligation—this should be detailed in the SLA/contract.

On-premise vs. hosted vs. cloud

An on-premise solution is the traditional deployment concept in which an organization owns the hardware, licenses the software, and operates and maintains the systems on its own, usually within their own building.

A cloud solution is a deployment concept where an organization contracts with a third-party cloud provider. The cloud provider owns, operates, and maintains the hardware and software. The organization pays a monthly fee (often based on a per-user multiplier) to use the cloud solution.

A hosted solution is a deployment concept where the organization must license software and then operates and maintains the software. The hosting provider owns, operates, and maintains the hardware that supports the organization’s software.

On-premise solutions do not have ongoing monthly costs, but may be more costly because of initial up-front costs of obtaining hardware and licensing. On-premise solutions offer full customization, provide local control over security, do not require Internet connectivity, and provide local control over updates and changes. However, they also require significant administrative involvement for updates and changes, require local backup and management, and are more challenging to scale.

Cloud solutions often have lower up-front costs, lower maintenance costs, vendor-maintained security, and scalable resources, and they usually have high levels of uptime and availability from anywhere (over the Internet). However, cloud solutions do not offer customer control over OS and software, such as updates and configuration changes; offer minimal customization; and are often inaccessible without Internet connectivity. In addition, the security policies of the cloud provider might not match those of the organization.

VDI/VDE

See the Chapter 2 section “VDI” for a description of the virtual desktop infrastructure (VDI) model. Virtual desktop environment (VDE) is an alternate term for VDI.

Cloud access security broker

A cloud access security broker (CASB) is a security policy enforcement solution that may be installed on-premise or may be cloud-based. The goal of a CASB is to enforce proper security measures and ensure that they are implemented between a cloud solution and a customer organization.

Security as a Service

Security as a Service (SECaaS) is a cloud provider concept in which security is provided to an organization through or by an online entity. The purpose of an SECaaS solution is to reduce the cost and overhead of implementing and managing security locally. SECaaS often implements software-only security components that do not need dedicated on-premise hardware. SECaaS security components can include a wide range of security products, including authentication, authorization, auditing/accounting, antimalware, intrusion detection, penetration testing, and security event management.

Exam Essentials

Understand the risks associated with cloud computing and virtualization. Cloud computing and virtualization, especially when combined, have serious risks associated with them. Once sensitive, confidential, or proprietary data leaves the confines of the organization, it also leaves the protections imposed by the organizational security policy and resultant infrastructure. Cloud services and their personnel might not adhere to the same security standards as your organization.

Comprehend cloud computing. Cloud computing involves performing processing and storage elsewhere, over a network connection, rather than locally. Cloud computing is often thought of as Internet-based computing.

Understand hypervisors. The hypervisor, also known as the virtual machine monitor (VMM), is the component of virtualization that creates, manages, and operates the virtual machines.

Know about the type I hypervisor. A type I hypervisor is a native or bare-metal hypervisor. In this configuration, there is no host OS; instead, the hypervisor installs directly onto the hardware where the host OS would normally reside.

Know about the type II hypervisor. A type II hypervisor is a hosted hypervisor. In this configuration, a standard regular OS is present on the hardware, and the hypervisor is then installed as another software application.

Understand application cells/containers. Application cells or application containers are used to virtualize software so they can be ported to almost any OS.

Comprehend VM sprawl avoidance. VM sprawl occurs when an organization deploys numerous virtual machines without an overarching IT management or security plan in place. To prevent or avoid VM sprawl, a policy must be established and enforced regarding the procedure for developing and deploying VMs.

Understand VM escaping. VM escaping occurs when software within a guest OS is able to breach the isolation protection provided by the hypervisor in order to violate the container of other guest OSs or to infiltrate a host OS.

Know about cloud storage. Cloud storage is the idea of using storage capacity provided by a cloud vendor as a means to host data files for an organization. Cloud storage can be used as form of backup or support for online data services.

Understand cloud deployment models. Cloud deployment models include SaaS, PaaS, IaaS, private, public, hybrid, and community.

Define CASB. A cloud access security broker (CASB) is a security policy enforcement solution that may be installed on-premise, or may be cloud based.

Understand SECaaS. Security as a Service (SECaaS) is a cloud provider concept in which security is provided to an organization through or by an online entity.

Automation/scripting

Automation is the control of systems on a regular scheduled, periodic, or triggered basis that does not require manual hands-on interaction. Automation is often critical to a resilient security infrastructure. Automation includes concepts such as scheduled backups, archiving of log files, blocking of failed access attempts, and blocking communications based on invalid content in initial packets or due to traffic seeming like a port scan. Automation can also be implemented using scripting. Scripting is the crafting of a file of individual lines of commands that are executed one after another. Scripts can be set to launch on a schedule or based on a triggering event.

Templates

A template is a preestablished starting point. A template can be crafted for a plethora of concerns in an environment, including a security policy, a procedure, a contract, a submission form, a system image, a software configuration, and a firewall rule set. Starting security documentation, configuration, or management with a template is likely to produce more consistent and reliable results.

Master image

A master image or gold master is a crafted setup and configuration of a software product or an entire computer system. A master image is created just after the target system has been manually installed, patched, and configured. A master image is employed to quickly roll out new versions of a system. For example, when deploying 100 new workstations, you can install the master image of the preferred workstation software deployment configuration to quickly bring the new devices into compliance with production needs and security requirements.

Non-persistence

A nonpersistent system is a computer system that does not allow, support, or retain changes. Thus, between uses and/or reboots, the operating environment and installed software are exactly the same. A persistent system is one where changes are possible. Changes may be performed by authorized users, administrators, automated processes, or malware. To reduce the risk of change, various protection and recovery measures may need to be established.

Elasticity

Elasticity is the ability of a system to adapt to workload changes by allocating or provisioning resources in an automatic responsive manner. Elasticity is a common feature of cloud computing, where additional system resources or even additional hardware resources can be provisioned to a server when demand for its services increases.

Scalability

Scalability is the ability for a system to handle an ever-increasing level or load of work. It can also be the potential for a system to be expanded to accommodate future growth. Some amount of additional capacity can be implemented into a system so it can take advantage of the dormant resources automatically as need demands. A cloud system can further automate scalability by enabling servers to auto-clone across to other virtualization hosts as demand requires.

Distributive allocation

Distributive or distributed allocation is the concept of provisioning resources across multiple servers or services as needed, rather than preallocation or concentrating resources based exclusively on physical system location. This is a form of load balancing but with a focus on the supporting resources rather than the traffic or request load.

Redundancy

This concept applies to various aspects of operational security, including business continuity, backups, and avoiding single points of failure as a means to protect availability.

Redundancy is the implementation of secondary or alternate solutions. Commonly, redundancy refers to having alternate means to perform work tasks or accomplish IT functions. Redundancy helps reduce single points of failure and improves fault tolerance. When there are multiple pathways, copies, devices, and so on, there is reduced likelihood of downtime when something fails.

When backup systems or redundant servers exist, there needs to be a means by which you can switch over to the backup in the event the primary system is compromised or fails. Rollover, or failover, means redirecting workload or traffic to a backup system when the primary system fails. Rollover can be automatic or manual. Manual rollover, also known as cold rollover, requires an administrator to perform some change in software or hardware configuration to switch the traffic load over from the down primary to a secondary server. With automatic rollover, also known as hot rollover, the switch from primary to secondary system is performed automatically as soon as a problem is encountered. Fail-secure,fail-safe, and fail-soft are terms related to these issues. A system that is fail-secure is able to resort to a secure state when an error or security violation is encountered (also known as fail-closed). Fail-safe is a similar feature, but human safety is protected in the event of system failure. However, these two terms are often used interchangeably in logical or technical context to mean a system that is secure after a failure. Fail-soft describes a refinement of the fail-secure capability: only the portion of a system that encountered or experienced the failure or security breach is disabled or secured, whereas the rest of the system continues to function normally.

The insecure inverse of these is the fail-open response. With a fail-open result, all defenses or preventions are disabled or retracted. Thus, a door defaults to being unlocked or even wide open, and electric security defaults to open, unlimited access.

Fault tolerance

Fault tolerance is the ability of a system to handle or respond to failure smoothly. This can include software, hardware, or power failure.

Any element in your IT infrastructure, component in your physical environment, or person on your staff can be a single point of failure. A single point of failure is any element—such as a device, service, protocol, or communication link—that would cause total or significant downtime if compromised, violated, or destroyed, affecting the ability of members of your organization to perform essential work tasks. To avoid single points of failure, you should design your networks and your physical environment with redundancy and backups by doing such things as deploying dual-network backbones. By using systems, devices, and solutions with fault-tolerant capabilities, you improve resistance to single-point-of-failure vulnerabilities. Taking steps to establish a way to provide alternate processing, failover capabilities, and quick recovery also helps avoid single points of failure.

Another type of redundancy related to servers is clustering. Clustering means deploying two or more duplicate servers in such a way as to share the workload of a mission-critical application. Users see the clustered systems as a single entity. A cluster controller manages traffic to and among the clustered systems to balance the workload across all clustered servers. As changes occur on one of the clustered systems, they are immediately duplicated to all other cluster partners.

The use of redundant servers is another example of avoiding single points of failure. A redundant server is a mirror or duplicate of a primary server that receives all data changes immediately after they are made on the primary server. In the event of a failure of the primary server, the secondary or redundant server can immediately take over and replace the primary server in providing services to the network.

This switchover system can be either hot or cold. A hot switchover or hot failover is an automatic system that can often perform the task nearly instantaneously. A cold switchover or cold failover is a manual system that requires an administrator to perform the manual task of switching from the primary to the secondary system, and thus it often involves noticeable downtime.

Redundant servers can be located in the same server vault as the primary or can be located offsite. Offsite positioning of the redundant server offers a greater amount of security so that whatever disaster damaged the primary server is unlikely to be able to damage the secondary, offsite server. However, offsite redundant servers are more expensive due to the cost of housing them, as well as real-time communication links needed to support the mirroring operations.

High availability

Availability is the assurance of sufficient bandwidth and timely access to resources. High availability means the availability of a system has been secured to offer very reliable assurance that the system will be online, active, and able to respond to requests in a timely manner, and that there will be sufficient bandwidth to accomplish requested tasks in the time required. Both of these concerns are central to maintaining continuity of operations. Availability is often measured in terms of the nines (Table 3.2)—a percentage of availability within a given time frame, such as a year, month, week, or day. Many organizations strive to achieve five or size nines of availability.

High availability is a form of fault tolerance—or, rather, a benefit of providing reliable fault tolerance. Fault tolerance is the ability of a network, system, or computer to withstand a certain level of failures, faults, or problems and continue to provide reliable service. Fault tolerance is also a means of avoiding single points of failure. As mentioned earlier, a single point of failure is any system, software, or device that is mission-critical to the entire environment. If that one element fails, then the entire environment fails. Your environments should be designed with redundancy so that there are no single points of failure. Such a redundant design is fault tolerant.

Another example of a high-availability solution is server clustering (see Figure 3.20). Server clustering is a technology that connects several duplicate systems together so they act cooperatively. If one system in a cluster fails, the other systems take over its workload. From a user’s perspective, the cluster is a single entity with a single resource access name.

Maintaining an onsite stash of spare parts can reduce downtime. Having an in-house supply of critical parts, devices, media, and so on enables fast repair and function restoration. A replacement part can then be ordered from the vendor and returned to the onsite spare-parts storage. Unexpected downtime due to hardware failure is a common cause of loss of availability. Planning for faster repairs improves uptime and eliminates lengthy downtimes caused by delayed shipping from vendors.

To avoid single points of failure completely, every communication pathway should be redundant. Thus, every link from the LAN to a carrier network or ISP should be duplicated. This can be accomplished by leasing two lines from the same ISP (which is the most basic form of redundant connection) or from different ISPs. The use of redundant ISPs reduces the likelihood that a failure at a single ISP will cause your organization significant connectivity downtime. However, the best redundant ISP configuration requires the two (or more) selected ISPs to use distinct Internet or network backbones.

Power is an essential utility for any organization, but especially those dependent on their IT infrastructure. In addition to basic elements such as power conditioners and UPS devices, many organizations opt for an onsite backup generator to provide power during complete blackouts. A variety of backup generators are available, in terms of both size and fuel.

An uninterruptible power supply (UPS) is an essential element of any computing environment. A UPS provides several important services and features. First, a UPS is a power conditioner to ensure that only clean, pure, nonfluctuating power is fed to computer equipment. Second, in the event of a loss of power, the internal battery can provide power for a short period of time. The larger the battery, the longer the UPS can provide power. Third, when the battery reaches the end of its charge, it can signal the computer system to initiate a graceful shutdown in order to prevent data loss.

RAID

One example of a high-availability solution is a redundant array of independent disks (RAID). A RAID solution employs multiple hard drives in a single storage volume, as illustrated in Figure 3.21. RAID 0 provides performance improvement but not fault tolerance known as striping, it uses multiple drives as a single volume. RAID 1 provides mirroring, meaning the data written to one drive is exactly duplicated to a second drive in real time. RAID 5 provides striping with parity: three or more drives are used in unison, and one drive’s worth of space is consumed with parity information. The parity information is stored across all drives. If any single drive of a RAID 5 volume fails, the parity information is used to rebuild the contents of the lost drive on the fly. A new drive can replace the failed drive, and the RAID 5 system rebuilds the contents of the lost drive onto the replacement drive. RAID 5 can only support the failure of one disk drive.

Exam Essentials

Understand automation and scripting. Automation is the control of systems on a regular scheduled, periodic, or triggered basis that does not require manual hands-on interaction. Automation is often critical to a resilient security infrastructure. Scripting is the crafting of a file of individual lines of commands that are executed one after another. Scripts can be set to launch on a schedule or based on a triggering event.

Know about master images. A master image is a crafted setup and configuration of a software product or an entire computer system. A master image is created just after the target system has been manually installed, patched, and configured.

Understand nonpersistence. A nonpersistent system is one where changes are possible. Changes may be performed by authorized users, administrators, automated processes, or malware. Due to the risk of change, various protection and recovery measures may need to be established.

Comprehend snapshots. A snapshot is a copy of the live current operating environment.

Understand revert to known state. Revert to known state is a type of backup or recovery process. Many databases support a known state reversion in order to return back to a state of data before edits or changes were implemented.

Know about roll back to known configuration. Roll back to known configuration is a concept similar to that of revert to known state, but a known configuration is just a collection of settings, not likely to include any software elements, such as code present before a patch was applied.

Understand live boot media. Live boot media is a portable storage device that can be used to boot a computer. Live boot media contains a read-to-run or portable version of an operating system.

Comprehend elasticity. Elasticity is the ability of a system to adapt to workload changes by allocating or provisioning resources in an automatic responsive manner.

Understand scalability. Scalability is the ability of a system to handle an ever-increasing level or load of work. It can also be the potential for a system to be expanded to handle or accommodate future growth.

Know about distributive allocation. Distributive allocation or distributed allocation is the concept of provisioning resources across multiple servers or services as needed, rather than using preallocation or concentrating resources based exclusively on physical system location.

Understand redundancy. Redundancy is the implementation of secondary or alternate solutions. Commonly, redundancy refers to having alternate means to perform work tasks or accomplish IT functions. Redundancy helps reduce single points of failure and improves fault tolerance.

Comprehend fault tolerance. Fault tolerance is the ability of a network, system, or computer to withstand a certain level of failures, faults, or problems and continue to provide reliable service. Fault tolerance is also a form of avoiding single points of failure. A single point of failure is any system, software, or device that is mission-critical to the entire environment.

Understand high availability. High availability means the availability of a system has been secured to offer very reliable assurance that the system will be online, active, and able to respond to requests in a timely manner, and that there will be sufficient bandwidth to accomplish requested tasks in the time required. RAID is a high-availability solution.

Know about the continuity of operations/high availability. Availability is the assurance of sufficient bandwidth and timely access to resources. High availability means the availability of a system has been secured to offer very reliable assurance that the system will be online, active, and able to respond to requests in a timely manner, and that there will be sufficient bandwidth to accomplish requested tasks in the time required. Both of these concerns are central to maintaining continuity of operations.

Understand RAID. One example of a high-availability solution is a redundant array of independent disks (RAID). A RAID solution employs multiple hard drives in a single storage volume with some level of drive loss protection (with the exception of RAID 0).

Lighting

Lighting is a commonly used form of perimeter security control. The primary purpose of lighting is to discourage casual intruders, trespassers, prowlers, or would-be thieves who would rather perform their misdeeds in the dark, such as vandalism, theft, and loitering. However, lighting is not a strong deterrent. It should not be used as the primary or sole protection mechanism except in areas with a low threat level.

Lighting should be combined with guards, dogs, CCTV, or some other form of intrusion detection or surveillance mechanism. Lighting must not cause a nuisance or problem for nearby residents, roads, railways, airports, and so on. It should also never cause glare or a reflective distraction to guards, dogs, and monitoring equipment, which could otherwise aid attackers during break-in attempts.

Signs

Signs can be used to declare areas off limits to those who are not authorized, indicate that security cameras are in use, and disclose safety warnings. Signs are useful in deterring minor criminal activity, establishing a basis for recording events, and guiding people into compliance or adherence with rules or safety precautions.

Fencing/gate/cage

A fence is a perimeter-defining device. Fencing protects against casual trespassing and clearly identifies the geographic boundaries of a property. Fences are used to clearly differentiate between areas that are under a specific level of security protection and those that aren’t. Fencing can include a wide range of components, materials, and construction methods. It can consist of stripes painted on the ground, chain-link fences, barbed wire, concrete walls, or invisible perimeters that use laser, motion, or heat detectors. Various types of fences are effective against different types of intruders:

• Fences 3 to 4 feet high deter casual trespassers.
• Fences 6 to 7 feet high are too hard to climb easily and deter most intruders except determined ones.
• Fences 8 or more feet high with three strands of barbed wire deter even determined intruders.

A gate is a controlled exit and entry point in a fence. The deterrent level of a gate must be equivalent to the deterrent level of the fence to sustain the effectiveness of the fence as a whole. Hinges and locking/closing mechanisms should be hardened against tampering, destruction, or removal. When a gate is closed, it should not offer any additional access vulnerabilities. Keep the number of gates to a minimum. They can be manned by guards, or not. When they’re not protected by guards, the use of dogs or electronic monitoring is recommended.

A cage is an enclosed fence area that can be used to protect assets from being accessed by unauthorized individuals. Cages can be used inside or outside. For a cage to be most effective, it needs to have a secured floor and ceiling.

Security guards

All physical security controls, whether static deterrents or active detection and surveillance mechanisms, ultimately rely on personnel to intervene and stop actual intrusions and attacks. Security guards exist to fulfill this need. Guards can be posted around a perimeter or inside to monitor access points or watch detection and surveillance monitors. The real benefit of guards is that they are able to adapt and react to various conditions or situations. Guards can learn and recognize attack and intrusion activities and patterns, adjust to a changing environment, and make decisions and judgment calls. Security guards are often an appropriate security control when immediate situation handling and decision-making onsite is necessary.

Unfortunately, using security guards is not a perfect solution. There are numerous disadvantages to deploying, maintaining, and relying on security guards. Not all environments and facilities support security guards. This may be because of actual human incompatibility or the layout, design, location, and construction of the facility. Not all security guards are themselves reliable. Prescreening, bonding, and training do not guarantee that you won’t end up with an ineffective or unreliable security guard.

Even if a guard is initially reliable, guards are subject to physical injury and illness, take vacations, can become distracted, and are vulnerable to social engineering. In addition, security guards usually offer protection only up to the point at which their lives are endangered. Security guards are usually unaware of the scope of the operations in a facility and therefore are not thoroughly equipped to know how to respond to every situation. Finally, security guards are expensive.

The presence of security guards at an entrance or around the perimeter of a security boundary serves as a deterrent to intruders and provides a form of physical barrier. Guard dogs can also protect against intrusion by detecting the presence of unauthorized visitors.

A security guard can check each person’s credentials before granting entry. You can also use a biometrically controlled door. In either entrance-control system, a log or list of entries and exits, along with visitors and escorts, can be maintained. Such a log will assist in tracking down suspects or verifying that all personnel are accounted for in the event of an emergency.

In the realm of physical security, access controls are mechanisms designed to manage and control entrance into a location such as a building, a parking lot, a room, or even a specific box or server rack. Being able to control who can gain physical proximity to your environment (especially your computers and networking equipment) lets you provide true security for your data, assets, and other resources.

One method to control access is to issue each valid worker an ID badge that can be either a simple photo ID or an electronic smartcard. A photo ID requires a security guard to view, discriminate, and then grant or deny access. In this process, the security guard can also add the name and action to an access roster. A smartcard can be used with an automated system that can electronically unlock and even open doors when a valid smartcard is swiped. Smartcard use is also easy to log and monitor. Additionally, the same smartcard used for facility access can also serve as a photo ID as well as an authentication factor for accessing the company network.

Alarms

Alarms or physical IDSs are systems—automated or manual—designed to detect an attempted intrusion, breach, or attack; the use of an unauthorized entry point; or the occurrence of some specific event at an unauthorized or abnormal time. IDSs used to monitor physical activity may include security guards, automated access controls, and motion detectors as well as other specialty monitoring techniques.

Physical IDSs, also called burglar alarms, detect unauthorized activities and notify the authorities (internal security or external law enforcement). The most common type of system uses a simple circuit (aka dry contact switch) consisting of foil tape in entrance points to detect when a door or window has been opened.

An intrusion detection mechanism is useful only if it is connected to an intrusion alarm. An intrusion alarm notifies authorities about a breach of physical security.

Two aspects of any intrusion detection and alarm system can cause it to fail: how it gets its power and how it communicates. If the system loses power, the alarm will not function. Thus, a reliable detection and alarm system has a battery backup with enough stored power for 24 hours of operation.

If communication lines are cut, an alarm may not function, and security personnel and emergency services will not be notified. Thus, a reliable detection and alarm system incorporates a heartbeat sensor for line supervision. A heartbeat sensor is a mechanism by which the communication pathway is either constantly or periodically checked with a test signal. If the receiving station detects a failed heartbeat signal, the alarm triggers automatically. Both measures are designed to prevent intruders from circumventing the detection and alarm system.

Whenever a motion detector registers a significant or meaningful change in the environment, it triggers an alarm. An alarm is a separate mechanism that triggers a deterrent, a repellent, and/or a notification:

Deterrent Alarms Alarms that trigger deterrents may engage additional locks, shut doors, and so on. The goal of such an alarm is to make further intrusion or attack more difficult.

Repellent Alarms Alarms that trigger repellents usually sound an audio siren or bell and turn on lights. These kinds of alarms are used to discourage intruders or attackers from continuing their malicious or trespassing activities and force them off the premises.

Notification Alarms Alarms that trigger notification are often silent from the intruder/attacker perspective but record data about the incident and notify administrators, security guards, and law enforcement. A recording of an incident can take the form of log files and/or CCTV tapes. The purpose of a silent alarm is to bring authorized security personnel to the location of the intrusion or attack in hopes of catching the person(s) committing the unwanted or unauthorized acts.

Alarms are also categorized by where they are located:

Local Alarm System Local alarm systems must broadcast an audible (up to 120 decibel [db]) alarm signal that can be easily heard up to 400 feet away. Additionally, they must be protected from tampering and disablement, usually by security guards. For a local alarm system to be effective, a security team or guards who can respond when the alarm is triggered must be positioned nearby.

Central Station System A central station system alarm is usually silent locally, but offsite monitoring agents are notified so they can respond to the security breach. Most residential security systems are of this type. Most central station systems are well-known or national security companies, such as Brinks and ADT. A proprietary system is similar to a central station system, but the host organization has its own onsite security staff waiting to respond to security breaches.

Auxiliary Station System Alarm systems can be added to either local or centralized alarm systems. When the security perimeter is breached, emergency services are notified to respond to the incident at the location. This could include fire, police, and medical services.

Two or more of these types of intrusion and alarm systems can be incorporated into a single solution.

Safe

Any device or removable media containing highly sensitive information should be kept locked securely in a safe when not in active use. You can install a department-wide safe that is managed by a single person, or you can install per-desk safes. A per-desk safe is often smaller, but it lets workers store devices and documentation securely while also allowing quick access.

Long-term storage of media and devices may require safes as well. Safes may be present onsite, or you can contract with an offsite storage facility to provide a safe for secured storage.

Secure cabinets/enclosures

Cabinets, device enclosures, rack-mounting systems, patch panels, wiring closets, and other equipment and cable containers can provide additional physical security through the use of locking mechanisms. Locking cabinets and other forms of containers can block or reduce access to power switches, adapter ports, media bays, and cable runs. Locking cabinets can be used in server rooms or in workspace areas. These can also include desks that give workers access to the monitor, mouse, and keyboard but sequester the main system chassis inside a locked desk compartment.

Protected distribution/Protected cabling

Protected distribution or protective distribution systems (PDSs) (also known as protected cabling systems) are the means by which cables are protected against unauthorized access or harm. The goals of PDSs are to deter violations, detect access attempts, and otherwise prevent compromise of cables. Elements of PDS implementation can include protective conduits, sealed connections, and regular human inspections. Some PDS implementations require intrusion or compromise detection within the conduits.

Airgap

See the earlier section “Physical” for a discussion of the security benefits of this type of network segmentation.

Mantrap

Some high-value or high-security environments may also employ mantraps as a means to control access to the most secured, dangerous, or valuable areas of a facility. A mantrap is a form of high-security barrier entrance device (see Figure 3.23). It’s a small room with two doors: one in the trusted environment and one opening to the outside. The mantrap works like this:

1. A person enters the mantrap.
2. Both doors are locked.
3. The person must properly authenticate to unlock the inner door to gain entry. If the authentication fails, security personnel are notified, and the intruder is detained in the mantrap.

Mantraps often contain scales and cameras in order to prevent piggybacking. Piggybacking occurs when one person authenticates, opens a door, and lets another person enter without that second person authenticating to the system.

Faraday cage

A Faraday cage (Figure 3.24) is an enclosure that blocks or absorbs electromagnetic fields or signals. Faraday cage containers, computer cases, rack-mount systems, rooms, or even building materials are used to create a blockage against the transmission of data, information, metadata, or other emanations from computers and other electronics. Devices inside a Faraday cage can use electromagnetic (EM) fields for communications, such as wireless or Bluetooth, but devices outside the cage will not be able to eavesdrop on the signals of the systems within the cage.

Lock types

Although you need walls and fences to protect boundaries, there must be a means for authorized personnel to cross these barriers into the secured environment. Doors and gates can be locked and controlled in such a way that only authorized people can unlock and/or enter through them. Such control can take the form of a lock with a key that only authorized people possess. Locks are used to keep doors and containers secured in order to protect assets.

Hardware conventional locks and even electronic or smart locks are used to keep specific doors or other access portals closed and prevent entry or access to all but authorized individuals. With the risks of lock picking and bumping, locks resistant to such attacks must be used whenever valuable assets are to be protected from tampering or theft.

Doors used to control entrance into secured areas can be protected by locks that are keyed to biometrics. A biometric lock requires that the person present a biometric factor, such as a finger, a hand, or a retina to the scanner, which in turn transmits the fingerprint, hand, or retina scan to the validation mechanism. Only after the biometric is verified is the door unlocked and the person allowed entry. When biometrics are used to control entrance into secured areas, they serve as a mechanism of identity proofing as well as authentication.

However, door access systems need not be exclusively biometric. Smartcards and even traditional metal keys can function as authentication factors for physical entry points.

Many door access systems, whether supporting biometrics, smartcards, or even PINs, are designed around the electronic access control (EAC) concept. An EAC system is a door-locking and -access mechanism that uses an electromagnet to keep a door closed, a reader to accept access credentials, and a door-close spring and sensor to ensure that the door recloses within a reasonable timeframe.

Biometrics

Biometrics is the term used to describe the collection of physical attributes of the human body that can be used as identification or authentication factors. Biometrics fall into the authentication factor category of something you are: you, as a human, have the element of identification as part of your physical body. Biometrics include fingerprints, palm scans (use of the entire palm as if it were a fingerprint), hand geometry (geometric dimensions of the silhouette of a hand), retinal scans (pattern of blood vessels at the back of the eye), iris scans (colored area of the eye around the pupil), facial recognition, voice recognition, signature dynamics, and keyboard dynamics.

Although biometrics are a stronger form of authentication than passwords alone, biometrics in and of themselves aren’t the best solution. Even with biometrics, implementing multifactor authentication is the most secure solution.

The key element in deploying biometrics as an element of authentication is a biometric device or a biometric reader. This is the hardware designed to read, scan, or view the body part that is to be presented as proof of identification.

See the Chapter 4 section “Biometric factors” for more about the benefits and limitations of biometrics.

Barricades/bollards

Barricades, in addition to fencing (discussed earlier), are used to control both foot traffic and vehicles. K-rails (often seen during road construction), large planters, zigzag queues, bollards, and tire shredders are all examples of barricades. When used properly, they can control crowds and prevent vehicles from being used to cause damage to your building.

Tokens/cards

A token device or an access card can be used as an element in authentication when gaining physical entry into a facility. See the Chapter 4 sections “Tokens,” “Physical access control,” and “Certificate-based authentication.”

Environmental controls

Environmental monitoring is the process of measuring and evaluating the quality of the environment within a given structure. This can focus on general or basic concerns, such as temperature, humidity, dust, smoke, and other debris. However, more advanced systems can include chemical, biological, radiological, and microbiological detectors.

When you’re designing a secure facility, it’s important to keep various environmental factors in mind. These include the following:

• Controlling the temperature and humidity
• Minimizing smoke and airborne dust and debris
• Minimizing vibrations
• Preventing food and drink from being consumed near sensitive equipment
• Avoiding strong magnetic fields
• Managing electromagnetic and radio frequency interference
• Conditioning the power supply
• Managing static electricity
• Providing proper fire detection and suppression

Hot and cold aisles

Hot and cold aisles are a means of maintaining optimum operating temperature in large server rooms. The overall technique is to arrange server racks in lines separated by aisles (Figure 3.25). Then the airflow system is designed so hot, rising air is captured by air-intake vents on the ceiling, whereas cold air is returned in opposing aisles from either the ceiling or the floor. Thus, every other aisle is hot, then cold. This creates a circulating air pattern that is intended to optimize the cooling process.

Cable locks

A cable lock is used to keep smaller pieces of equipment from being easy to steal. Many devices, most commonly portable computers, have a Kensington Security Slot (K-Slot) that is designed as a connection point for a cable lock. The K-Slot was originally developed by Kensington, which continues to develop new cable lock security devices.

A cable lock usually isn’t an impenetrable security device, since most portable systems are constructed with thin metal and plastic. However, a thief will be reluctant to swipe a cable-locked device, because the damage caused by forcing the cable lock out of the K-Slot will be obvious when they attempt to pawn or sell the device.

Screen filters

It may be worthwhile to install screen filters, also called privacy filters, which reduce the range of visibility of a screen down to a maximum of 30 degrees from perpendicular (Figure 3.26). These types of screens are designed to prevent someone sitting directly next to you, such as on an airplane, from being able to see the contents of your display.

Cameras

Video surveillance, video monitoring, closed-circuit television (CCTV), and security cameras are all means to deter unwanted activity and create a digital record of the occurrence of events. Cameras should be positioned to watch exit and entry points allowing any change in authorization level—for example, doors allowing entry into a facility from outside, doors allowing entry into work areas from common areas, and doors allowing entry into high-security areas from work areas. Cameras should also be used to monitor activities around valuable assets and resources, such as server rooms, safes, vaults, and component closets, as well as to provide additional protection in public areas such as parking structures and walkways.

Cameras should be configured to record to storage media. This has traditionally been some sort of tape, such as VCR tape. However, modern systems may record to DVD, NVRAM, or hard drives and may do so over a wired or even an encrypted wireless connection.

Cameras vary in type. Typical security cameras operate by recording visible-light images and often require additional lighting in low-light areas. Alternative camera types include those that record only when motion is detected, those that are able to record in infrared, and those that can automatically track movement.

Video records may be used to detect policy violations, track personnel movements, or capture an intruder on film. Video recordings should be monitored in real time or reviewed on a periodic basis in order to provide a detective benefit. Just the visible presence of video cameras can provide a deterrent effect to would-be perpetrators.

A camera is primarily used to detect and record unwanted or unauthorized activity. If someone is aware that a camera is present and will record their actions, that person is less likely to perform actions that are violations. This is generally known as a deterrent.

A security guard is able to move around a facility to potentially view places a camera is unable to see. Security guards are often as much a deterrent as they are a detective control. They can respond to varying issues and can adjust their actions based on changing conditions.

Both cameras and guards have useful security features, but both require proper use to be beneficial, both have their own unique requirements for use, and both are costly in their own ways.

Motion detection

A motion detector, or motion sensor, is a device that senses movement or sound in a specific area. Many types of motion detection exist, including infrared, heat, wave pattern, capacitance, photoelectric, and passive audio:

• An infrared motion detector monitors for significant or meaningful changes in the infrared lighting pattern of a monitored area.
• A heat-based motion detector monitors for significant or meaningful changes in the heat levels and patterns in a monitored area.
• A wave-pattern motion detector transmits a consistent low-frequency ultrasonic or high-frequency microwave signal into a monitored area and monitors for significant or meaningful changes or disturbances in the reflected pattern.
• A capacitance motion detector senses changes in the electrical or magnetic field surrounding a monitored object.
• A photoelectric motion detector senses changes in visible light levels for the monitored area. Photoelectric motion detectors are usually deployed in internal rooms that have no windows and are kept dark.
• A passive audio motion detector listens for abnormal sounds in the monitored area.

The proper technology of motion detection should be selected for the environment where it will be deployed, in order to minimize false positives and false negatives.

Logs

Logs of physical access should be maintained. These can be created automatically through the use of smartcards for gaining access into the facility or manually by a security guide who will indicate entrance after inspecting each person’s ID. The purpose of physical access logs is to establish context for logical logs produced by servers, workstations, and networking equipment. The logs are also helpful in the event of an emergency in order to determine whether everyone has escaped a building safely or if rescue teams should be sent in.

Infrared detection

Infrared detection is often used by security cameras to see in perceived darkness or to detect movement in an area. These concepts were discussed in the previous sections “Cameras” and “Motion detection.”

Key management

Key management in relation to physical security focuses on the issuance of physical metal keys to those who need access into secured rooms, areas, or containers. A detailed log should be maintained of who was issued which key for which room/container and for what purpose. Regular auditing should be performed to ensure the responsible party still possesses the key and discloses whether or not the key has been exposed to theft or duplication. Keys should be numbered and, when possible, labeled or identified as not to be duplicated (so a locksmith will refuse to make a copy). Keys should be returned to the key manager when access is no longer required by that individual. When a worker who was in possession of a key is terminated, that lock and key should be replaced.

Digital or electronic key management relates to cryptography and is covered throughout Chapter 6.

Exam Essentials

Understand physical access control. Physical access control refers to mechanisms designed to manage and control entrance into a location. Being able to control who can gain physical proximity to your environment (especially your computers and networking equipment) allows you to provide true security for your data, assets, and other resources. Without physical access control, you have no security.

Know about lighting. Lighting is a commonly used form of perimeter security control. The primary purpose of lighting is to discourage casual intruders, trespassers, prowlers, or would-be thieves who would rather perform their misdeeds in the dark, such as vandalism, theft, and loitering.

Understand signs. Signs can be used to declare areas as off limits to those who are not authorized, to indicate that security cameras are in use, and to disclose safety warnings.

Know about fencing, gates, and cages. A fence is a perimeter-defining device. Fencing protects against casual trespassing and clearly identifies the geographic boundaries of a property. Fences are used to clearly differentiate between areas that are under a specific level of security protection and those that aren’t. A gate is a controlled exit and entry point in a fence. A cage is an enclosed fence area that can be used to protect assets from being accessed by unauthorized individuals.

Understand security guards. All physical security controls, whether static deterrents or active detection and surveillance mechanisms, ultimately rely on personnel to intervene and stop actual intrusions and attacks. Security guards exist to fulfill this need.

Comprehend alarms. Physical IDSs, also called burglar alarms, detect unauthorized activities and notify the authorities (internal security or external law enforcement).

Understand safes. Any device or removable media containing highly sensitive information should be kept locked securely in a safe when not in active use.

Know about PDS. Protected distribution or protective distribution systems (PDSs) (also known as protected cabling systems) are the means by which cables are protected against unauthorized access or harm.

Understand mantraps. A mantrap is a form of high-security barrier entrance device. It’s a small room with two doors: one to the trusted environment and one to the outside. A person must properly authenticate to unlock the inner door and gain entry.

Realize the importance of a Faraday cage. A Faraday cage is an enclosure that blocks or absorbs electromagnetic fields or signals.

Understand biometrics. Biometrics is the collection of physical attributes of the human body that can be used as authentication factors (something you are). Biometrics include fingerprints, palm scans (use of the entire palm as if it were a fingerprint), hand geometry (geometric dimensions of the silhouette of a hand), retinal scans (pattern of blood vessels at the back of the eye), iris scans (colored area of the eye around the pupil), facial recognition, voice recognition, signature dynamics, and keyboard dynamics.

Comprehend environmental monitoring. Environmental monitoring is the process of measuring and evaluating the quality of the environment within a given structure.

Understand humidity management. Throughout the organization, humidity levels should be managed to keep the relative humidity between 40 and 60 percent. Low humidity allows static electricity buildup, with discharges capable of damaging most electronic equipment. High humidity can allow condensation, which leads to corrosion.

Know about hot and cold aisles. Hot and cold aisles are a means of maintaining optimum operating temperature in large server rooms.

Understand fire suppression. Early fire detection and suppression is important because the earlier the discovery, the less damage will be caused to the facility and equipment. Personnel safety is always of utmost importance.

Know about cable locks. A cable lock is used to keep smaller pieces of equipment from being easy to steal.

Understand screen filters. It may be worthwhile to install screen filters that reduce the range of visibility of a screen down to a maximum of 4 degrees from perpendicular.

Know about cameras. Video surveillance, video monitoring, closed-circuit television (CCTV), and security cameras are all means to deter unwanted activity and create a digital record of the occurrence of events.

Understand motion detection. A motion detector, or motion sensor, is a device that senses movement or sound in a specific area. Many types of motion detection exist, including infrared, heat, wave pattern, capacitance, photoelectric, and passive audio.