Chapter Objectives
After reading this chapter and completing the exercises, you will be able to do the following:
Understand physical security.
Implement physical security.
Understand disaster recovery.
Understand business continuity.
Physical security is a topic that is all too often overlooked by security professionals. Most IT security personnel think of security in terms of firewalls, anti-virus, and other technological solutions. However, the fact is that physical security is just as important as technological security.
Disaster recovery is another area that many IT professionals find to be less exciting than technological security; however, it is a key part of network security.
Both the ISC2 CISSP exam and the CompTIA Security+ exam strongly emphasize physical security and disaster recovery. This should be an indication of how important these topics are.
Physical security is actually a multi-faceted topic. The most obvious issue is to physically secure machines, but beyond that you must consider issues such as controlling access to your building and knowing how to respond to fires. Monitoring systems such as alarms and cameras are also a part of physical security.
Physical security begins with controlling access to the building and to key rooms within the building. At the most basic level it includes having a locked door on the server room. In addition to that you must also have some way of controlling who has access to that room. A highly recommended approach is a swipe card or password key entry system that records who enters the room and when. You should also consider the room itself. It should not have a window, or if it does it should be a reinforced window and someone outside should not be able to easily view inside the room. The room should also be fireproof, because a fire in the server room would be a significant disaster.
The server room is obviously a key item to secure, but it is not the only item. If routers or switches are distributed in the building, they must be in locations that are not easily accessible by unauthorized personnel. Locked closets make a good location for these items. Locking down workstations so they are secured to the desk is also a common practice. This makes theft of those computers significantly more difficult.
Essentially any device that is itself valuable or contains data that is valuable must be physically secured. Equipping mobile business phones with the ability to remotely wipe them is also becoming common practice. That way if they become stolen or lost, the administrator can remotely wipe all data on the phone.
After you have secured the equipment you must also control access to the building itself. A common method is to have a locked door or turnstile that requires an employee ID to enter. A sign-in sheet is also a good way to track who enters and exits your office. The level of effort put into securing physical access to the building will vary depending on the organization's security needs.
A man trap is an often-used security mechanism in high-security environments. A man trap consists of two doors with a short hallway between them. The second door cannot open until the first door is closed. This prevents tailgating, which is the process of an unauthorized person following an authorized person through a secure door. This can be further enhanced by having each door use a different authentication method. Perhaps the first door requires a key and the second requires a passcode. This two-factor authentication system would be difficult for an intruder to circumvent.
Other methods of securing building access include the external areas of a building. For example, a parking lot can be designed so that a person must make turns every 50 feet or so to exit. This prevents a thief or intruder from “speeding away” and makes it more likely that someone will be able to note their license plate, or that even police might arrive before they escape.
Fences are also important. Having some level of fencing is essential. High-security environments might use a tall fence, even topped with concertina wire. This might not be appropriate for many organizations, but even a decorative hedge row provides some level of barrier to slow down intruders.
Lighting is also important. Intruders usually prefer to enter in the dark to reduce the chance of being noticed or even caught. A well-lighted external building impedes intruders’ intentions to enter surreptitiously. Furthermore, internal lighting can also be helpful. You probably notice that many retail stores leave the store lights on after closing. This allows passing police officers to easily see whether someone is in the building.
Video monitoring is becoming more affordable and more sophisticated. High-definition video cameras, including cameras with night vision capability, are now fairly inexpensive. Retail stores often find that by placing cameras in highly visible areas, the incidence of theft declines. Stoplights equipped with cameras usually reduce the number of people who run red lights.
Placing cameras in or around your facility requires a little bit of thought. First and foremost the cameras must be placed so that they have an unobstructed view of the areas you want to monitor. At a minimum all entrances and exits should have camera monitoring. You might also want cameras in main internal hallways, just outside critical areas (that is, server rooms), and possibly around the perimeter of your building. The cameras also need to be placed so that they are not easily disabled by an intruder. This usually means placing them at a height that is difficult for someone to reach.
You should also consider the type of cameras you are placing. If you don’t have adequate external lighting, then night vision capable cameras are important. You might want cameras that transmit their signal to a remote location for storage. If you choose to transmit the camera feed, make sure the signal is secure so that someone cannot easily tap into the signal.
Obviously, a fire will destroy servers and other equipment. Having adequate fire alarms and fire extinguishers in your facility is important. Fire extinguishers can be classified by what types of fire they are able to put out:
Class A— Ordinary combustibles such as wood or paper.
Class B— Flammable liquids such as grease, oil, or gasoline.
Class D— Flammable metals.
Fire suppression systems are common in larger office buildings. These systems are divided into two categories: wet pipe and dry pipe.
Wet pipe:
Always contains water
Most popular and reliable
165° fuse melts
Can freeze in winter
Pipe breaks can cause floods
Dry pipe:
No water in the pipe
Preferred for computer installations
Water held back by a clapper valve
Air blows out of the pipe, then water flows
Having a plan to address fires is important. Depending on budget and security needs your plan can be as simple as well-placed smoke alarms and a fire extinguisher or as complex as a series of fire suppression systems with an alarm system that automatically notifies the fire department.
Before we can discuss disaster recovery, we have to define what a disaster is. A disaster is any event that significantly disrupts your organization's operations. A hard drive crash on a critical server is a disaster. Other examples include fire, earthquake, your telecom provider being down, a labor strike that affects shipping to and from your business, and a hacker deleting critical files. Just keep in mind that any event that can significantly disrupt your organization's operations is a disaster.
You should have a disaster recovery plan (DRP) in place to guide a return to normal business operations. This must include a number of items. You must address personnel issues, which means being able to find temporary personnel if needed, and being able to contact the personnel you have employed. It also includes having specific people assigned to specific tasks. If a disaster occurs, who in your organization is tasked with the following:
Locating alternative facilities?
Getting equipment to those facilities?
Installing and configuring software?
Setting up the network at the new facility?
Contacting staff, vendors, and customers?
These are just a few questions that a disaster recovery plan must address; your organization may have more issues that would need to be addressed during a disaster.
A business continuity plan (BCP) is similar to a disaster recovery plan but with a different focus. The DRP is designed to get the organization back to full functionality as quickly as possible. A business continuity plan is designed to get minimal business functions back up and running at least at some level so you can conduct some type of business. An example would be a retail store whose credit card processing system is down. Disaster recovery is concerned with getting the system back up and running; business continuity is concerned with simply offering a temporary solution, such as processing credit cards manually.
To successfully formulate a business continuity plan one must consider which systems are most critical for your business and have an alternative plan in case those systems go down. The alternative plan need not be perfect, just functional.
Before you can create a realistic DRP or BCP you have to do a business impact analysis (BIA) of what damage a given disaster might do to your organization. Consider a web server crash. If your organization is an e-commerce business, then a web server crash is a very serious disaster. However, if your business is an accounting firm and the Web site is just a way for new customers to find you, then a web server crash is less critical. You can still do business and earn revenue while the web server is down. You should make a spreadsheet of various likely or plausible disasters and do a basic business impact analysis for each.
An issue to consider in your BIA includes the maximum tolerable downtime (MTD). How long can a given system be down before the effect is catastrophic and the business is unlikely to recover? Another item to consider is the mean time to repair (MTTR). How long is it likely to take to repair a given system if it is down? These factors help you to determine the business impact of a given disaster.
At some point all equipment fails, so being fault tolerant is important. At the most basic level fault tolerance for a server means having a backup. If the server fails, did you back up the data so you can restore it? Although database administrators might use a number of different types of data backups, from a security point of view the three primary backup types are:
Full— All changes
Differential— All changes since last full backup
Incremental— All changes since last backup of any type
Consider a scenario where you do a full backup at 2 a.m. each morning. However, you are concerned about the possibility of a server crash before the next full backup. So you want to do a backup every two hours. The type of backup you choose will determine the efficiency of doing those frequent backups and the time needed to restore. Let’s consider each type of backup in a crash scenario and what would happen if the system crashes at 10:05 a.m.
Full: In this scenario you do a full backup at 4 a.m., 6 a.m., ...10 a.m., and then the system crashes. You just have to restore the last full backup, which was done at 10 a.m. This makes restoration much simpler. However, running a full backup every 2 hours is very time consuming and resource intensive and will have a significant negative impact on your server’s performance.
Differential: In this scenario you do a differential backup at 4 a.m., 6 a.m., ...10 a.m., and then the system crashes. You need to restore the last full backup done at 2 a.m., and the most recent differential backup done at 10 a.m. This is just a little more complicated than the full backup strategy. However, those differential backups are going to get larger each time you do them, and thus more time consuming and resource intensive. Although they won’t have the same impact as doing full backups, they will still slow down your network.
Incremental: In this scenario you do an incremental backup at 4 a.m., 6 a.m., ...10 a.m., and then the system crashes. You need to restore the last full backup done at 2 a.m., and then each incremental backup done since then, and they must be restored in order. This is a much more complex restore, but each incremental backup is small and does not take much time nor consume many resources.
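The three crash scenarios above can be worked through in code. The following is an added example, not part of the chapter: it models one day of the 2 a.m. full backup plus two-hourly backups of each type, records which files (and which version of each file) every backup carries, and then builds the restore chain for a 10:05 a.m. crash. The six files and the change log are constructed sample data. The restore step checks that applying the chain actually reproduces the server's pre-crash state, which is what a backup test on a spare machine verifies, and shows that incrementals only give the right answer when applied in order.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Backup:
    kind: str              # "full", "differential" or "incremental"
    hour: int              # clock hour the backup ran (24-hour)
    files: Dict[str, int]  # file name -> version captured (hour of its last change)


# Constructed sample data: six files, all at version 0 when the day starts.
ALL_FILES = ("a", "b", "c", "d", "e", "f")
# Constructed change log: files modified in the two hours before each backup window.
CHANGES = {4: ("a",), 6: ("b",), 8: ("a", "c"), 10: ("d",)}
FULL_HOUR = 2                   # the nightly full backup
INTERIM_HOURS = (4, 6, 8, 10)   # the two-hourly backups of the chosen type


def run_schedule(strategy: str, crash_hour: float) -> Tuple[List[Backup], Dict[str, int]]:
    """Run one day of the schedule. Returns the backups taken before the crash
    and the live state of the server at the moment it crashed."""
    live = {f: 0 for f in ALL_FILES}
    backups = [Backup("full", FULL_HOUR, dict(live))]
    since_full: Dict[str, int] = {}      # everything changed since the full backup
    for h in INTERIM_HOURS:
        if h > crash_hour:
            break
        changed = {f: h for f in CHANGES.get(h, ())}
        live.update(changed)
        since_full.update(changed)
        if strategy == "full":
            backups.append(Backup("full", h, dict(live)))
        elif strategy == "differential":
            backups.append(Backup("differential", h, dict(since_full)))
        elif strategy == "incremental":
            backups.append(Backup("incremental", h, changed))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return backups, live


def restore_chain(backups: List[Backup]) -> List[Backup]:
    """The backups that must be restored, in order, starting at the last full backup."""
    last_full = max(i for i, b in enumerate(backups) if b.kind == "full")
    chain = [backups[last_full]]
    later = backups[last_full + 1:]
    if later and later[-1].kind == "differential":
        chain.append(later[-1])      # the newest differential alone is enough
    else:
        chain.extend(later)          # every incremental since the full, oldest first
    return chain


def restore(chain: List[Backup]) -> Dict[str, int]:
    """Apply backups in the given order; later copies overwrite earlier ones."""
    state: Dict[str, int] = {}
    for b in chain:
        state.update(b.files)
    return state


def compare(crash_hour: float = 10.083) -> Dict[str, Dict[str, object]]:
    """Cost of each strategy for a crash at crash_hour (10:05 a.m. by default)."""
    report = {}
    for strategy in ("full", "differential", "incremental"):
        backups, live = run_schedule(strategy, crash_hour)
        chain = restore_chain(backups)
        report[strategy] = {
            "written": sum(len(b.files) for b in backups),   # files copied during the day
            "restore_steps": len(chain),                      # backups an admin must apply
            "restored": sum(len(b.files) for b in chain),     # files copied back
            "correct": restore(chain) == live,                # pre-crash state recovered?
        }
    return report


if __name__ == "__main__":
    for strategy, stats in compare().items():
        print(f"{strategy:<13}", stats)
```

With the constructed change log, the full strategy writes 30 file copies during the day and restores in one step, the differential strategy writes 16 and restores in two steps, and the incremental strategy writes only 11 but needs five restore steps. Reversing the order of the incrementals leaves file "a" at its 4 a.m. version instead of its 8 a.m. version, which is why the chapter insists they be restored in order.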
There is no “best” backup strategy. Which one you select will depend on your organization’s needs. Whatever backup strategy you choose, you must periodically test it. The only effective way to test your backup strategy is to actually restore the backup data to a test machine.
The other fundamental aspect of fault tolerance is RAID, or redundant array of independent disks. RAID allows your servers to have more than one hard drive, so that if the main hard drive fails, the system keeps functioning. The primary RAID levels are described here:
RAID 0 (striped disks) distributes data across multiple disks in a way that gives improved speed at any given instant. This offers NO fault tolerance.
RAID 1 mirrors the contents of the disks, making a form of 1:1 ratio real-time backup. This is also called mirroring.
RAID 3 or 4 (striped disks with dedicated parity) combines three or more disks in a way that protects data against loss of any one disk. Fault tolerance is achieved by adding an extra disk to the array and dedicating it to storing parity information. The storage capacity of the array is reduced by one disk.
RAID 5 (striped disks with distributed parity) combines three or more disks in a way that protects data against the loss of any one disk. It is similar to RAID 3 but the parity is not stored on one dedicated drive; instead parity information is interspersed across the drive array. The storage capacity of the array is a function of the number of drives minus the space needed to store parity.
RAID 6 (striped disks with dual parity) combines four or more disks in a way that protects data against loss of any two disks.
RAID 1+0 (or 10) is a mirrored data set (RAID 1) that is then striped (RAID 0), hence the “1+0” name. A RAID 1+0 array requires a minimum of four drives: two mirrored drives to hold half of the striped data, plus another two mirrored for the other half of the data.
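To make the parity idea behind RAID 3, 4 and 5 concrete, here is an added example (not from the chapter): a small RAID 5 simulator that stripes a byte string over an array, stores the XOR parity of each stripe on a rotating disk, and rebuilds any single failed disk from the survivors. It also encodes the minimum disk counts and usable capacities stated above for the other levels. The payload and the four-disk array are constructed sample values; block sizes are bytes rather than sectors for readability.

```python
from functools import reduce
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bitwise XOR of equal-length blocks: the parity used by RAID 3/4/5."""
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def raid5_write(data: bytes, ndisks: int, block_size: int = 4) -> List[List[bytes]]:
    """Lay data out over ndisks as RAID 5: each stripe holds ndisks-1 data blocks
    plus one parity block, and the parity block's position rotates per stripe."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    stripe_bytes = block_size * (ndisks - 1)
    for s, start in enumerate(range(0, len(data), stripe_bytes)):
        stripe = data[start:start + stripe_bytes].ljust(stripe_bytes, b"\0")
        blocks = [stripe[i:i + block_size] for i in range(0, stripe_bytes, block_size)]
        parity_pos = (ndisks - 1 - s) % ndisks          # distributed parity
        blocks.insert(parity_pos, xor_blocks(blocks))
        for d, block in enumerate(blocks):
            disks[d].append(block)
    return disks


def raid5_read(disks: List[List[bytes]], length: int, failed: Optional[int] = None) -> bytes:
    """Read the data back. If one disk index is marked failed, every block it held
    is rebuilt as the XOR of the surviving blocks in the same stripe."""
    ndisks = len(disks)
    survivors = [d for d in range(ndisks) if d != failed]
    out = bytearray()
    for s in range(len(disks[survivors[0]])):
        stripe = []
        for d in range(ndisks):
            if d == failed:
                stripe.append(xor_blocks([disks[o][s] for o in survivors]))
            else:
                stripe.append(disks[d][s])
        del stripe[(ndisks - 1 - s) % ndisks]           # drop the parity block
        out += b"".join(stripe)
    return bytes(out[:length])


def usable_capacity(level: int, ndisks: int, disk_size: int) -> int:
    """Usable space for the RAID levels described above, given ndisks of disk_size."""
    rules = {   # level: (minimum disks, usable disks as a function of ndisks)
        0: (2, lambda n: n),        # striping only: everything usable, no tolerance
        1: (2, lambda n: 1),        # mirror: one disk's worth of data
        3: (3, lambda n: n - 1),    # dedicated parity disk
        4: (3, lambda n: n - 1),
        5: (3, lambda n: n - 1),    # distributed parity, still one disk's worth
        6: (4, lambda n: n - 2),    # dual parity
        10: (4, lambda n: n // 2),  # mirrored pairs, then striped
    }
    minimum, usable = rules[level]
    if ndisks < minimum or (level == 10 and ndisks % 2):
        raise ValueError(f"RAID {level} needs at least {minimum} disks"
                         + (", an even number" if level == 10 else ""))
    return usable(ndisks) * disk_size


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed payload
    array = raid5_write(sample, 4)
    for lost in range(4):
        assert raid5_read(array, len(sample), failed=lost) == sample
    print("RAID 5 rebuilt the data after losing any one of 4 disks")
    print("usable TB for 4 x 2 TB: RAID 5 =", usable_capacity(5, 4, 2),
          "RAID 6 =", usable_capacity(6, 4, 2), "RAID 10 =", usable_capacity(10, 4, 2))
```

Because XOR parity only carries one disk's worth of redundancy per stripe, the rebuild in raid5_read works for exactly one failed disk; losing a second disk before the rebuild finishes loses the stripe, which is the gap RAID 6's second parity block closes.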
My personal opinion is that a server without at least RAID level 1 is gross negligence on the part of the network administrator. Using RAID 5 with servers is actually very popular.
Although RAID and backup strategies are the fundamental issues of fault tolerance, any redundant supporting system provides additional fault tolerance. This can include uninterruptible power supplies, backup generators, or redundant Internet connections.
1. How should a company test the integrity of its backup data?
A. By conducting another backup
B. By using software to recover deleted files
C. By actually restoring the backup
D. By using testing software
2. This method is primarily run when time and tape space permits and is used for the system archive or baselined tape sets:
A. Full backup method
B. Incremental backup method
C. Differential backup method
D. Tape backup method
3. Business Continuity Plan development depends most on:
A. Directives of Senior Management
B. Business Impact Analysis (BIA)
C. Scope and Plan Initiation
D. Skills of BCP committee
4. Which of the following focuses on sustaining an organization’s business functions during and after a disruption?
A. Business continuity plan
B. Business recovery plan
C. Continuity of operations plan
D. Disaster recovery plan
5. Which RAID level uses mirroring?
A. 1
B. 2
C. 4
D. 5
A. A trusted security domain
B. A logical access control mechanism
C. A double-door facility used for physical access control
D. A fire suppression device
7. ______ is the plan for recovering from an IT disaster and having the IT infrastructure back in operation.
A. BIA
B. DRP
C. RTO
D. RPO
8. RAID ____ combines three or more disks in a way that protects data against loss of any one disk. Fault tolerance is achieved by adding an extra disk to the array and dedicating it to storing parity information. The storage capacity of the array is reduced by one disk.
A. 1
B. 3
C. 5
D. 6
9. Which RAID level offers dual parity?
A. 3
B. 4
C. 5
D. 6
10. Which of the following determines the actual damage to the business if a given disaster occurs to a given system?
A. DRP
B. BIA
C. BCP
D. ROI
Create a disaster recovery plan for a fictitious business that has the following characteristics:
This is an urgent care clinic.
4 doctors, 10 nurses, 2 nurse practitioners.
They are open 7 days a week, 18 hours per day.
The primary issue is treating patients.