Chapter 4. Physical Security

WHEN DISCUSSING SECURITY it is easy to get caught up and immersed in the technology and the attacks associated with it. Take care not to forget areas such as physical security, however. The assets the security professional is charged with protecting are not just sitting "in a field" someplace. Each has facilities and other items surrounding it. Hackers know this fact, so they focus not only on trying to break and subvert technology. They also spend significant time looking for weaknesses in the facilities and the physical assets that make structures such as the network possible. If a hacker can gain physical access to a facility, it is more than possible for that attacker to inflict damage to the organization by accessing assets that are not properly protected. Some security experts say that if attackers can achieve physical access to a system it is under their control, and the battle is lost. Good physical security must be well thought out and considered. You must carefully consider devices such as computers, servers, notebooks, cell phones, BlackBerrys, and removable media and put in place countermeasures to protect them.

A basic example: Companies should position computer screens so that passersby cannot see sensitive data. They should also create a policy requiring users to secure their systems when they leave their computer for any reason.

Basic Equipment Controls

Basic equipment controls are defensive measures placed on the front lines of security. These controls can be both an effective first line of defense as well as a visible deterrent to an attacker. Equipment controls represent one layer of defensive measures and as such coexist with technological and administrative controls.

Keep in mind that there are many different types of controls that regulate access to equipment, each of which is used to prevent unauthorized access in some way. Some basic equipment controls covered in this section include the following:

  • Passwords

  • Password screen savers and session controls

  • Hard drive and mobile device encryption

  • Fax machines and private branch exchanges (PBX)

Hard Drive and Mobile Device Encryption

When discussing basic equipment controls another important area you should consider is the security of portable devices and hard drives. In today's world there is an ever-increasing number of portable devices such as hard drives as well as laptops, tablet PCs, and similar types of systems. Mobile devices have made working remotely easier, but at the same time the devices have introduced problems with the inevitable loss or theft of the device and the data it carries. Hard drives with sensitive data represent a real risk for the organization if they are lost, stolen, or misplaced. Consider a report from http://www.searchsecurity.com that cited a 2009 case in which Health Net Inc. reported the loss of patient data as the result of a data security breach that led to the loss of data affecting 1.5 million customers. In this case, the breach took place when an external hard drive that contained a mixture of medical data, Social Security numbers, and other personally identifiable information was lost.

The solution to such problems is the application of encryption. Encryption can be applied on the file, folder, or an entire hard disk and provide a strong level of protection. Applying encryption to an entire disk is known as full disk encryption or full volume encryption. Full drive encryption, which is a technique that can be implemented in hardware or software, encrypts all the data on a selected volume or disk as selected by the owners of the system. With the widespread availability of full disk encryption, a security professional should evaluate the viability of drive encryption for mobile devices as a solution to theft, loss, and the unauthorized access to data. Software programs such as Pretty Good Privacy (PGP), TrueCrypt, and BitLocker can be used to lock files and folders. Microsoft offers data encryption programs such as BitLocker and Encrypted File System (EFS) as part of the operating system in Windows Vista and Windows 2000.

While discussing mobile devices, don't forget the multitude of mobile storage options. Companies used to be concerned about individuals carrying off sensitive information on floppies. In today's world, however, things have changed due largely to the availability and storage capacities available on new devices. Today, companies have to seriously consider the problems posed by mobile storage. Observe the situation in most workplaces; it is easy to see a sea of iPods, universal serial bus (USB) thumb drives, portable hard drives, cell phones with cameras, and even CD/DVD blanks and burners. Each of these devices has the potential to move massive amounts of information out of an organization quickly and quietly. Think for a moment about today's most common mobile storage device: the USB flash drive. These devices can carry upwards of 64GB of data in a package that is smaller than a pack of gum. Also consider the fact that USB flash drives are common in an ever-increasing number of forms, from watches to Swiss army knives to pens, making them more difficult to detect. A December 2009 report from http://www.military.com describes a recent hacking attack that occurred when a South Korean officer failed to remove a USB thumb drive when the system switched from a restricted-access intranet to the Internet. Attackers were able to access top secret information.

The examples cited here, as well as countless others, illustrate that even an item as seemingly harmless as a thumb drive can become dangerous when connected to a system that is part of a network. Under the right conditions, a thumb drive can be loaded with malicious code and inserted into a computer. Because many systems have features such as auto run enabled, the applications run automatically. Just the sheer number of these portable devices (and their small size) raises the concern of network administrators and security professionals alike. As a security professional, one of your bigger challenges is dealing with devices such as thumb drives. While the devices are a definite security risk, they are universally recognized as convenient. The security professional will be required to discuss the security versus convenience issue with management to enlighten all involved of risks inherent in the system and any possible countermeasure. Whatever the decision might be in an organization, there is a need to establish some policies to enforce management's decision. This policy should address all types of media controls, how they are used, and what devices such media can be connected to.
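
One way to support such a media policy is to inspect a volume for auto-run instructions before it is connected to a production system. The following is an added example, not part of the original text; the function names, the sample autorun.inf, and the file names are constructed for illustration.

```python
import configparser
import os
import shlex
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program


def launch_entries(text):
    """Return [(key, command)] for [autorun] entries that start a program."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string("\n".join(text.splitlines()))
    except configparser.Error:
        # A file that will not parse still deserves a manual look.
        return [("<malformed>", "")]
    entries = []
    for section in parser.sections():
        if section.strip().lower() != "autorun":
            continue
        for key, value in parser.items(section):
            # shell\<verb>\command adds a right-click action that runs a program
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in LAUNCH_KEYS or is_verb:
                entries.append((key, value))
    return entries


def target_on_volume(root, command):
    """True if the program named by command exists as a file under root."""
    try:
        first = shlex.split(command, posix=False)[0].strip('"')
    except (ValueError, IndexError):
        return False
    relative = first.replace("\\", os.sep).lstrip(os.sep)
    return os.path.isfile(os.path.join(root, relative))


def scan_volume(root):
    """Inspect the root of a mounted volume; return one finding per launch entry."""
    findings = []
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        with open(os.path.join(root, name), "rb") as f:
            raw = f.read()
        utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")  # byte-order mark
        text = raw.decode("utf-16" if utf16 else "latin-1", errors="replace")
        for key, command in launch_entries(text):
            findings.append({
                "key": key,
                "command": command,
                "target_present": target_on_volume(root, command),
            })
    return findings


# Constructed sample file; the names are placeholders.
SAMPLE = (
    "[AutoRun]\r\n"
    "label=Quarterly Reports\r\n"
    "icon=docs.ico\r\n"
    "open=tools\\viewer.exe /quiet\r\n"
    "shell\\open\\command=tools\\viewer.exe\r\n"
)


def demo():
    """Build a stand-in 'thumb drive' directory and an empty one, then scan both."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tools"))
        with open(os.path.join(root, "tools", "viewer.exe"), "wb") as f:
            f.write(b"constructed placeholder, not a program")
        with open(os.path.join(root, "AUTORUN.INF"), "w", newline="") as f:
            f.write(SAMPLE)
        clean = tempfile.mkdtemp(dir=root)
        return scan_volume(root), scan_volume(clean)


if __name__ == "__main__":
    flagged, clean = demo()
    for finding in flagged:
        print("REVIEW:", finding)
    print("clean volume findings:", clean)
```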

Organizations should consider the implementation of appropriate media controls that dictate how floppy disks, CDs, DVDs, hard drives, portable storage, paper documents, and other forms of media are handled. Controls should dictate how sensitive media will be controlled, handled, and destroyed in an approved manner. Most important, the organization will need to make a decision about what employees can bring into the company and install on a computer. Included in this discussion will be portable drives, CD burners, cameras, and other devices. Management also needs to dictate how each of these approved forms of storage can be handled. Finally, a decision on how media is to be disposed of must be determined.

Media can be disposed of in many acceptable ways, each depending on the type of data it was used to store and the type of media it happens to be. Paper documents can be shredded, CDs can be destroyed, and magnetic media can be degaussed. Hard drives should be sanitized. (Sanitization is the process of clearing all identified content so no data remnants can be recovered.) When sanitization is performed, none of the original information is easily recovered. Some of the methods used for sanitization are as follows:

  • Drive wiping—Overwriting all information on the drive. As an example, DoD.5200.28-STD (7) specifies overwriting the drive with a special digital pattern through seven passes. Drive wiping allows the drive to be reused.

  • Zeroization—A process usually associated with cryptographic processes. The term was originally used with mechanical cryptographic devices. These devices would be reset to 0 to prevent anyone from recovering the key. In the electronic realm, zeroization involves overwriting the data with zeros. Zeroization is defined as a standard in ANSI X9.17.

    Note

    In certain situations organizations have taken the step of melting down hard drives instead of wiping them. The perception here is that this process makes it impossible to recover the contents of the drive; however, when done correctly, wiping a drive is extremely effective at preventing recovery of data.

  • Degaussing—Permanently destroys the contents of the hard drive or magnetic media. Degaussing works by means of a powerful magnet that uses its field strength to penetrate the media and reverse the polarity of the magnetic particles on the tape or hard disk platters. After media has been degaussed, it cannot be reused. The only method more secure than degaussing is physical destruction.
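
The overwrite-and-verify idea behind drive wiping and zeroization, shown on a file-backed disk image. This is an added example, not code from the original text; the pass schedules, function names, and sample record are assumptions made for illustration and are not the patterns of DoD 5200.28-STD or ANSI X9.17.

```python
import os
import tempfile

CHUNK = 1 << 20  # process the image 1 MiB at a time

# Constructed pass schedules for this example (assumptions, not the patterns
# of any standard). None means "a pass of random bytes".
ZEROIZE = [b"\x00"]
SEVEN_PASS = [b"\x00", b"\xff", None, b"\x55", b"\xaa", None, b"\x00"]


def overwrite_pass(path, pattern):
    """Overwrite every byte of a regular file in place; return bytes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            f.write(os.urandom(n) if pattern is None else pattern * n)
            written += n
        f.flush()
        os.fsync(f.fileno())  # push the pass to storage, not just the cache
    return written


def first_mismatch(path, pattern):
    """Offset of the first byte that differs from pattern, or -1 if none."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != pattern * len(chunk):
                return offset + next(
                    i for i, b in enumerate(chunk) if b != pattern[0])
            offset += len(chunk)
    return -1


def find_remnant(path, needle):
    """Offset of needle in the image (searching across chunk edges), or -1."""
    tail, offset = b"", 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            window = tail + chunk
            hit = window.find(needle)
            if hit != -1:
                return offset - len(tail) + hit
            tail = window[-(len(needle) - 1):] if len(needle) > 1 else b""
            offset += len(chunk)
    return -1


def sanitize(path, schedule):
    """Run every pass, verifying each fixed-pattern pass by reading it back."""
    if schedule[-1] is None:
        raise ValueError("final pass must be a fixed pattern so it can be verified")
    log = []
    for number, pattern in enumerate(schedule, start=1):
        written = overwrite_pass(path, pattern)
        bad = -1 if pattern is None else first_mismatch(path, pattern)
        if bad != -1:
            raise IOError(f"pass {number}: verification failed at offset {bad}")
        log.append({"pass": number, "bytes": written,
                    "pattern": "random" if pattern is None else pattern.hex()})
    return log


def demo(schedule=SEVEN_PASS):
    """Plant a constructed record in a temporary image, sanitize it, re-check."""
    record = b"SSN=000-00-0000;name=Constructed Sample"  # constructed, not real data
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            # The record straddles a chunk boundary to exercise find_remnant.
            f.write(os.urandom(3 * CHUNK - 20) + record + os.urandom(4096))
        before = find_remnant(path, record)
        log = sanitize(path, schedule)
        after = find_remnant(path, record)
        return before, after, len(log), first_mismatch(path, schedule[-1])
    finally:
        os.remove(path)


if __name__ == "__main__":
    before, after, passes, mismatch = demo()
    print(f"record offset before: {before}, after: {after}")
    print(f"passes run: {passes}, first non-zero byte after final pass: {mismatch}")
```

On a physical drive the same passes have to be written to the raw device rather than to a file, and flash media that uses wear leveling can retain blocks an overwrite never reaches.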

Fax Machines and Private Branch Exchanges

While fax machines are nowhere near as popular as they were in the 1990s, they still remain an area of concern for the security professional. Digital fax machines have been in use since the 1970s and continue to be used. When fax machines were originally designed, it was not with security in mind, so information in faxes is transmitted completely unprotected. Fax transmissions can potentially be intercepted, sniffed, and decoded by the clever and astute attacker. Additionally, once at the destination, faxes typically sit in a tray waiting for the owner to retrieve them, which sometimes takes a long time. Faxes are vulnerable at this point because anyone can retrieve the fax and review its contents. Another issue is that cheap fax machines use ribbons; therefore, anyone with access to the trash can retrieve the ribbon and use it as a virtual carbon copy of the original document.

Note

An attacker picking up a fax meant for another individual from a tray can easily go unnoticed. Consider that the recipient of a fax often tells someone to resend instead of asking any questions about where the original fax may have gone.

Note

While PBX systems are typically reserved for large companies and not just anyone can get access, it is not difficult to gain information. A quick Google search for a specific PBX system will, after some investigation, yield information on how to configure and administer a PBX system. With this information in hand, an attacker can hack into a PBX system and perform all sorts of actions that may go unnoticed.

When performing a security assessment for an organization it is important to take note of any fax machines present, what they are used for, and any policies that dictate the use of such devices. Worth noting is the fact that most organizations that have fax numbers may not have a physical fax, having replaced the devices with fax servers instead, which are not as obvious to spot. These devices can send faxes as well as receive faxes and route them to a user's e-mail. While it may be argued that this is better than a fax machine, it is not enough to secure the transmission of confidential information by fax. As an additional and more robust level of security, activity logs and exception reports should be collected to monitor for potential security problems.

In today's world, more companies are reliant on a technology known as private branch exchange (PBX) for intraoffice phone communication. These devices make attractive targets for an attacker, and if misconfigured have the capability to be hacked; under the right conditions, it is possible that an attacker can make anonymous and free phone calls. To secure this portion of the communication infrastructure, default passwords need to be changed, and remote maintenance must be restricted. These systems are not usually run by security professionals and may not be as secure as the network infrastructure. Individuals that target such devices are known as phreakers.

Voice over IP (VoIP)

A rapidly growing technology, Voice over IP (VoIP) is more than likely something you will have to address in your security planning. VoIP allows the placing of telephone calls over computer networks and the Internet. VoIP has the ability to transmit voice signals as data packets over the network in real-time and provide the same level of service as you would expect with traditional phone service.

Because voice is transmitted over the network as data packets much like any other data, it is susceptible to most of the attacks that affect regular data transmission. Attacks such as packet sniffing and capture can easily capture phone calls transmitted over the network; in fact, due to the sheer volume of calls that may be placed at any one time, a single attack can intercept and affect numerous calls.

Physical Area Controls

When looking at the overall security stance of an organization, you have numerous controls to use, each for a different reason. In the physical world, the first controls that someone wishing to cause harm is likely to encounter are those that line the perimeter of an organization. This perimeter is much like the moat or walls around a castle, designed to provide both a deterrent and a formidable obstacle in the event of an attack. When assessing an organization, pay attention to those structures and controls that extend in and around an organization's assets or facilities. Every control or structure observed should provide protection either to delay or deter an attack, with the ultimate goal of stopping unauthorized access. While it is possible that, in some cases, a determined attacker will make every effort to bypass the countermeasures in the first layer, additional layers working with and supporting the perimeter defenses should provide valuable detection and deterrent functions. During the construction of new facilities, the security professional should get involved early to give advice on what measures can be implemented. It is more than likely, however, that the security professional will arrive on scene long after construction of facilities has been completed. In these cases, a thorough site survey should be conducted with the goal of assessing the current protection offered. If tasked with performing a site survey, do not overlook the fact that natural geographic features can and do provide protection as well as the potential to hide individuals with malicious intent from detection. When surveying an existing facility, consider items such as natural boundaries at the location and fences or walls around the site. Common physical area controls placed at the perimeter of the facility can include many types of physical barriers that will physically and psychologically deter:

  • Fences

  • Perimeter intrusion detection systems (PIDS)

  • Gates

  • Bollards

  • Warning signs and notices

  • Trees and foliage

Fences

Fences are one of the physical boundaries that provide the most visible and imposing deterrent. Depending on the construction, placement, and type of fence in place, it may deter only the casual intruder or a more determined individual. As fences change in construction, height, and even color, they also can provide a psychological deterrent. For example, consider an eight-foot iron fence with thick bars painted flat black; such a barrier can definitely represent a psychological deterrent. Ideally, a fence should limit an intruder's access to a facility as well as provide a psychological barrier.

Depending on the company or organization involved, the goal of erecting a fence may vary from stopping casual intruders to providing a formidable barrier to entry. Fences work well at preventing unauthorized individuals from gaining access to specific areas, but also force individuals that have or want access to move to specific chokepoints to enter the facility. When determining the type of fence to use, it is important to get an idea of what the organization may need to satisfy the goals of the security plan. To get a better idea, review Table 4-1, which contains a sampling of fence types and the construction and design of each. Fences should be eight feet long or greater to deter determined intruders.

Table 4-1. Fence types.

TYPE    SECURITY                 MESH      GAUGE
A       Extreme High Security    ⅜ inch    11 gauge
B       Very High Security       1 inch    9 gauge
C       High Security            1 inch    11 gauge
D       Greater Security         2 inch    6 gauge
E       Normal Fencing           2 inch    9 gauge

In situations where security is even more of a concern, and just the placement of a fence may not be enough, it is possible to layer other protective systems. For example, a perimeter intrusion and detection assessment system (PIDA) can be used. This special fencing system works as an intrusion detection system (IDS) in that it has sensors which can detect intruders. While these systems are expensive, they offer an enhanced level of protection over standard fences. In addition to cost, the downside of these systems is that it is possible that they may produce false positives due to environmental factors such as a stray deer, high winds, or other natural events.

Gates

Fences are an effective barrier, but they must work in concert with other security measures and structures. A gate is a chokepoint or a point where all traffic must enter or exit the facility. All gates are not created equal, however, and if you select the incorrect one, you won't get proper security. In fact, choosing the incorrect gate can even detract from an otherwise effective security measure. A correctly chosen gate provides an effective deterrent and a barrier that will slow down an intruder, whereas an incorrectly chosen barrier may not deter anyone but the casual intruder. UL Standard number 325 describes gate requirements. Gates are divided into the following four classifications:

  • Residential or Class 1—These are ornamental in design and offer little protection from intrusion.

  • Commercial or Class 2—These are of somewhat heavier construction and fall in the range of three to four feet in height.

  • Industrial or Class 3—These are in the range of six to seven feet in height and are of heavier construction, including chain link construction.

  • Restricted Access or Class 4—These meet or exceed a height of eight feet and are of heavier construction—iron bars or concrete and similar materials. Gates in this category can include enhanced protective measures including barbed wire.

Bollards

Bollards are devices that can take many forms, but the goal is the same: prevent entry into designated areas by motor vehicle traffic. To get an idea of a location where bollards would be ideal and how they function, consider an electronics superstore such as Best Buy. In this case, lots of valuable merchandise is present and someone could very easily back a truck through the front doors after hours, load up on merchandise, and drive away quickly before law enforcement arrives. In the same situation, the placement of heavy steel posts or concrete barriers would stop a motor vehicle from even reaching the doors. Many companies use bollards to prevent vehicles from going into areas in which they are not permitted. Bollards, which can be concrete or steel, block vehicular traffic or protect areas where pedestrians may be entering or leaving buildings. While fences act as a first line of defense, bollards are a close second as they can deter individuals from ramming a facility with a motor vehicle.

Bollards can come in many shapes, sizes, and types. Some are permanent, while others pop up as needed to block a speeding car from ramming a building or ram-raiding. Ram-raiding is a type of smash and grab burglary in which a heavy vehicle is driven through the windows or doors of a closed shop, usually one selling electronics or jewelry, to quickly rob it.

Facility Controls

In addition to bollards, other security controls offer protection, and each has to be evaluated to ensure that security requirements are being met. These security controls, or facility controls, come in the form of doors, windows, and any other entry points into a facility. The weakest point of a structure is generally the first to be attacked. This means doors, windows, roof access, fire escapes, delivery access, and even chimneys are targets for attackers. In fact, anyone who has watched programs such as COPS or other types of reality shows based on law enforcement long enough has probably seen a handful of "dumb" criminals who got stuck trying to get into a chimney. This should serve as a reminder that you need strong facility controls and that you must provide only the minimum amount of access required and restrict non-authorized individuals from secure areas. Some of the ways to achieve these goals are examining and assessing the following:

  • Doors, mantraps, and turnstiles

  • Walls, ceilings, and floors

  • Windows

  • Guards and dogs

  • Construction

Doors, Mantraps, and Turnstiles

Except for the majority of exterior doors, most doors are not designed or placed with security in mind. While doors in a home environment that are not designed with security as a goal are fine, the same cannot be said for those in a business environment. Business environments should always consider solid core doors as the primary option for doors unless otherwise specified. The advantages of solid core over hollow core doors are obvious when you consider just how easily hollow core doors can be defeated. Consider that an attacker with a good pair of boots on can kick through a hollow core door quite easily. A door designed for security will be very solid and durable and have hardened hardware. While the tendency for businesses to cut costs wherever possible is a known fact, it should be discouraged when purchasing doors; select the type of door only after security needs have been assessed. Low-cost doors are easy to breach, kick in, smash, or compromise. A solid core door should always be used for the protection of a server room or other critical assets. Doors also need to have a fire rating assigned to them, which is another item to be considered before installing. Doors come in many configurations, including the following:

  • Industrial doors

  • Vehicle access doors

  • Bulletproof doors

  • Vault doors

Note

While the importance of selecting the correct door is not something to be overlooked by the security professional, also understand that proper evaluation may require the services of a specialist. Because an information security professional doesn't usually have a background in construction or carpentry, it is important to consult with a specialist who better understands the issues involved.

Is just having a well-selected door the end of the problem? Absolutely not; you must consider the frame that the door is attached to. A good door connected to a poorly designed or constructed frame can be the Achilles heel of an otherwise good security mechanism. During a security review, it is also important to examine not only the doors in place but also the hardware used to attach the door to the frame and the frame itself. Consider the fact that something as simple as installing the hinges incorrectly to a door and frame can make them easy for a potential intruder with a screwdriver to bypass. Critical areas secured with doors should be hinged to the inside. This type of design makes it much harder for a criminal to gain access. This means that hinges and strike plates must be secure. Some doors are hinged on the outside and are designed to open out. Exterior doors are a good example of this. While the hinges are protected, the open-out feature of the door provides an invaluable safeguard against people getting trapped in a building in the event of a fire or other emergency. These doors are more expensive because they are harder to install and remove. Common places to observe these types of doors are shopping malls and other public facilities, specifically the exit doors. In some cases, exit doors are even equipped with a panic bar that can help when large crowds rush the door and need to leave quickly.

Companies should also be concerned about the flow of traffic into the facility. This is the type of situation where a device known as a mantrap can prove helpful. A mantrap is a structure that replaces a normal single door with a phone booth-sized object with a door on each side. When an individual enters the mantrap there is only enough space for one person at a time, and only one door can be opened at a time. The structure's design allows individuals to be screened via a camera or code to ensure that every individual is supposed to be entering and (in some cases) exiting the area. While mantraps are designed to regulate the flow of traffic in and out of an area, they specifically stop piggybacking, which is the practice of one individual actually opening the door to let several enter.

Another type of physical control device in common usage is the turnstile, which is commonly used at sporting events, subways, and amusement parks. Turnstiles can be used to slow the flow of traffic into areas or even ensure that individuals are properly screened and authenticated prior to entering an area.

Walls, Ceilings, and Floors

Working in concert with doors are the walls that the doors or mantraps are embedded into. A reinforced wall can keep a determined attacker from entering an area through any point other than the defined doors. On the other hand, a poorly constructed wall may present no obstacle at all and allow an intruder to kick through. Construction of walls should take into consideration several factors in addition to security, such as the capability to slow the spread of fires. Walls should run from the slab to the roof. Consider one of the more common mistakes that can be a detriment to security: the false wall. These are walls that run from the floor up to the ceiling, but the ceiling isn't real; it's but a drop ceiling that has a good amount of space between it and the roof. An attacker needs only a table, a chair, or a friend for a foothold to push up the ceiling tile and climb over. If asked to perform a physical security assessment of a data center or other type of high value physical asset, check to see that the wall runs past the drop ceiling. Also tap on the wall gently and check to see whether it is hollow or of a solid construction.

For ceilings, the weight-bearing load and fire ratings must be considered. For dropped ceilings, the walls should extend above the ceiling, especially in sensitive areas. Any ceiling-mounted air ducts should be small enough to prevent an intruder from crawling through them. The slab of the facility needs to have the proper weight load, fire rating, and drains. When dealing with raised floors, you will want to make sure the flooring is grounded and nonconducting. In areas with raised floors, the walls should extend below the false floor.

Note

A common decorative feature is the glass block wall commonly seen in locations such as doctors' offices or lobbies. While such structures and designs do look attractive, they can very easily be seen through and a kick of a boot can get through most designs.

Windows

Windows serve several purposes in any building or workplace: "opening up" the office to let more light in and giving the inhabitants a look at the world outside. But what about the security aspect? While windows let people enjoy the view, security can never be overlooked. Depending on the placement and use of windows, anything from tinted to shatterproof windows may be required to ensure that security is preserved. It is also important to consider that in some situations the windows may need to be enhanced through the use of sensors or alarms. Window types include the following:

  • Standard—The lowest level of protection. It's cheap, but easily shattered and destroyed.

  • Polycarbonate acrylic—Much stronger than standard glass, this type of plastic offers superior protection.

  • Wire reinforced—Adds shatterproof protection and makes it harder for an intruder to break and access.

  • Laminated—Similar to what is used in an automobile. By adding a laminate between layers of glass, the strength of the glass is increased and shatter potential is decreased.

  • Solar film—Provides a moderate level of security and decreases shatter potential.

  • Security film—Used to increase the strength of the glass in case of breakage or explosion.

Guards and Dogs

For areas where proper doors, fences, gates, and other structures cannot offer the required security, other options include guards or dogs. Guards can serve several functions just by being present; guards can be very real deterrents in addition to introducing the "human element" of security—they have the ability to make decisions and think through situations. While computerized systems can provide vital security on the physical side, such systems have not reached the level where the human element can be replaced. Guards add discernment to onsite security.

Of course, as the old saying goes, "You don't get something for nothing," and guards are no exception to this old rule. Guards need to be screened before hiring, background checks and criminal background checks need to be performed, and, if needed, security clearances must be obtained. Interestingly enough, however, increased technology has in part driven the need for security guards. More and more businesses have closed-circuit television (CCTV), premise control equipment, intrusion detection systems, and other computerized surveillance devices. Guards can monitor such systems. They can fill dual roles, and monitor, greet, and escort visitors, too.

Guards cost money. However, if a company does not have the money for a guard, there are other options. Dogs have been used for centuries for perimeter security. Breeds such as German shepherds guard facilities and critical assets. While it is true that dogs are loyal, obedient, and steadfast, they are not perfect and might possibly bite or harm the wrong person because they do not have the level of discernment that human beings possess. Because of these factors, dogs are usually restricted to exterior premise control and should be used with caution.

Construction

Construction of a facility has as much to do with the environment in which the facility is to be located as does the security it will be responsible for maintaining. As an example, a facility built in Tulsa, Oklahoma, has much different requirements from one built in Anchorage, Alaska. One is concerned with tornadoes; the other with snowstorms. The security professional is expected in most cases to provide input on the design or construction of a new facility or the functionality of a preexisting facility that the company is considering. When this situation arises consider the following factors:

  • What are the unique physical security concerns of the organization's operations?

  • Do redundancy measures exist (such as backup power or coverage by multiple telecom providers)?

  • Is the location particularly vulnerable to riots or terrorism?

  • Are there any specific natural/environmental concerns for the specific region in which construction is being considered?

  • Is the proposed construction close to military bases, train tracks, hazardous chemical production areas, or other hazards?

  • Is the construction planned in high crime neighborhoods?

  • How close is the proposed construction to emergency services such as the hospital, fire department, and police station?

Personal Safety Controls

The bulk of what has been discussed up to this point has focused on the protection of assets such as computers, facilities and data; however, the human factor has been overlooked. Any security plan must address the protection and security of all assets, and this absolutely includes both silicon-based assets and carbon-based ones. There is a wide assortment of technologies specifically designed to protect not only people but also the organization itself, including the following:

  • Lighting

  • Alarms

  • CCTV

Lighting

Lighting is perhaps one of the lowest-cost security controls that can be implemented by an organization. Lighting can provide a welcome addition to locations such as parking garages and building perimeters. Consider the fact that when properly placed, lighting can eliminate shadows and the spots that cameras or guards can't monitor, as well as reduce the places in which an intruder can hide. Effective lighting means the system is designed to put the light where it is needed and in the proper wattage as appropriate. Lights are designed for specific types of applications. Some of the more common types of lights include these:

  • Continuous—Fixed lights arranged to flood an area with overlapping cones of light (most common)

  • Standby—Randomly turned on to create an impression of activity

  • Movable—Manually operated movable searchlights; used as needed to augment continuous or standby lighting

  • Emergency—Can duplicate any or all of the previous lights; depends on an alternative power source

Two issues that occur with lighting are overlighting and glare. Too much light, or overly bright lights, can bleed over to the adjacent owner's property and be a source of complaints. Too much light can also lead to a false sense of security because a company may feel that because all areas are lit, intrusion is unlikely. Additionally, when lighting is chosen incorrectly, it is possible to introduce high levels of glare. Glare can make it tough for those tasked with monitoring an area to observe all the activities that may be occurring. When placing lighting, avoid any placement that directs the lighting toward the facility and instead direct the lights toward fences, gates, or other areas of concern such as access points. Also consider the problems associated with glare when guards are present; for example, if guards are tasked with checking IDs at a checkpoint into a facility, ensure that the lights are not directed toward the guards. This offers good glare protection to the security force and guards.

Alarms and Intrusion Detection

Alarms and physical intrusion detection systems can also increase physical security. Alarms typically are used to provide an alert mechanism if a potential break-in or fire has been detected. Alarms can have a combination of audible and visual indicators that allow people to see and hear the alarm and react to the alert. Alarms are of no use if no one can hear or see the alert and respond accordingly. More advanced alarm systems even include the ability to contact fire or police services if the alarm is activated after business hours, for example. Of course, a drawback is that if an alarm system is tied to the police or fire department, false alarms could result in fines.

Additional options that can enhance physical intrusion detection are motion, audio, infrared wave pattern, and capacitance detection systems. Of these systems, infrared detection tends to be one of the most common, but like any system, it has both pros and cons. Infrared systems are expensive and may be larger than other comparable devices, but at the same time they can detect activity outside the normal visual range. Another popular form of intrusion detection system is a device that is sensitive to changes in weight. Such systems may be useful when used with mantraps because they can detect changes in weight that may signal a thief.

If asked to provide guidance to an organization on what type of IDS to consider implementing, always take the situation into account. What is important is to avoid deploying an IDS that is too complex or inappropriate for the given situation. For example, systems that detect weight changes may not be as important or may even be completely unnecessary in situations where theft is not a concern. Also keep in mind that IDSs are not foolproof and are not an excuse for avoiding using common sense or other security controls. Any guidance on what type of IDS to implement should also mention that human involvement is essential.

Closed-Circuit TV (CCTV)

Another mechanism that can be used to protect people and potentially deter crime is CCTV. CCTV usually works in conjunction with guards or other monitoring mechanisms to extend their capacity. When dealing with surveillance devices, you must understand factors such as focal length, lens types, depth of field, and illumination requirements. As an example, the requirement of a camera that will be placed outside in an area of varying light is much different from one placed inside in a fixed lighting environment. Also, there is the issue of focal length, which defines the camera's effectiveness in viewing objects from a horizontal and vertical view. Short focal lengths provide wider angle views while longer focal lengths provide more narrow views.

Note

Modern CCTV systems can provide additional features such as the ability to alert the monitoring agency or organization in the form of e-mail or other similar methods. These systems can be said to be smart in that they can even be configured in some instances to send these alerts only during certain hours.

When considering placement of CCTV, keep in mind areas such as perimeter entrances and critical access points. Activity can be either monitored live by a security officer, or recorded and reviewed later. If no one is monitoring the CCTV system, it effectively becomes a detective control because it will not prevent a crime. In these situations, the organization is effectively alerted to the crime only after the fact, when the recordings are reviewed.

Physical Access Controls

A physical access control can be defined as any mechanism by which an individual can be granted or denied physical access. One of the oldest forms of access control is the mechanical lock. Other types of physical access control include ID badges, tokens, and biometrics.

Locks

Locks, which come in many types, sizes, and shapes, are an effective means of physical access control. Locks are by far the most widely implemented security control due largely to the wide range of options available as well as the low costs of the devices.

Lock types include the following:

  • Mechanical—Warded and pin and tumbler

  • Cipher—Smart and programmable

Warded locks are the simplest form of mechanical lock. Their design uses a series of wards that a key must match up to in order to open the lock. While the warded lock is the cheapest type of mechanical lock, it is also the easiest to pick. Pin and tumbler locks are considered more advanced. These locks contain more parts and are harder to pick than warded locks. When the correct key is inserted into the cylinder of a pin and tumbler lock, the pins are lifted to the right height so that the device can open or close. More advanced and technically complex than warded or pin and tumbler locks are cipher locks, which have a keypad of fixed or random numbers that requires a specific combination to open the lock.

Before selecting a lock, consider the fact that not all locks are alike, and locks come in different grades. The grade of the lock specifies its level of construction. The three basic grades of locks are as follows:

  • Grade 1—Commercial locks with the highest security

  • Grade 2—Light-duty commercial locks or heavy-duty residential locks

  • Grade 3—Consumer locks with the weakest design

Note

Although a Grade 3 lock is fine for use in residential applications, it is not acceptable for a critical business asset. Always check the grade of a lock before using it to protect the assets of a company.

Lock Picking

While locks are good physical deterrents and work quite well as a delaying mechanism, a lock can be bypassed through lock picking. Criminals tend to pick locks because it is a stealthy way to bypass a lock and can make it harder for the victim to determine what has happened.

The basic components used to pick locks are these:

  • Tension wrenches—Like small, angled flathead screwdrivers. They come in various thicknesses and sizes.

  • Picks—Just as the name implies, similar to dentist picks: small, angled, and pointed.

Note

Before purchasing a lock picking set, be sure to investigate local laws on the matter. In some states, the mere possession of a lock picking set can be a felony. In other states, possession of a lock picking set is not a crime in and of itself, but using the tools during the commission of a crime is.

Together, these tools can be used to pick a lock. One example of a basic technique used to pick a lock is scraping. With this technique, tension is held on the lock with the tension wrench while the pins are scraped quickly. Pins are then placed in a mechanical bind and will be stuck in the unlocked position. With practice, this can be done quickly so that all the pins stick and the lock is disengaged.

Tokens and Biometrics

Tokens and biometrics are two ways to control individuals as they move throughout a facility or attempt to access specific areas. Tokens are available in many types and can range from basic ID cards to more intelligent forms of authentication systems. Tokens used for authentication can make an access decision electronically and come in several different configurations, including the following:

  • Active electronic—The access card has the ability to transmit electronic data.

  • Electronic circuit—The access card has an electronic circuit embedded.

  • Magnetic stripe—The access card has a stripe of magnetic material.

  • Magnetic strip—The access card contains rows of copper strips.

  • Contactless cards—The access card communicates with the card reader electronically.

Contactless cards do not require the card to be inserted or slid through a reader. These devices function by detecting the proximity of the card to the sensor. An example of this technology is radio frequency ID (RFID). RFID is an extremely small electronic device that is composed of a microchip and antenna. Many RFID devices are passive devices. Passive devices have no battery or power source because they are powered by the RFID reader. The reader generates an electromagnetic signal that induces a current in the RFID tag.

Another form of authentication is biometrics. Biometric authentication is based on a behavioral or physiological characteristic that is unique to an individual. Biometric authentication systems have gained market share because they are seen as a good replacement for password-based authentication systems. Different biometric systems have various levels of accuracy. The accuracy of a biometric device is measured by the percentage of Type 1 and Type 2 errors it produces. Type 1 errors, or false rejections, are reflected by what is known as the false rejection rate (FRR). This is a measurement of the percentage of individuals who should have been granted access but were not. A Type 2 error, or false acceptance, is reflected by the false acceptance rate (FAR), which is a measurement of the percentage of individuals who gained access but should not have been granted it.
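The Type 1 / Type 2 trade-off described above, worked through as an added example that is not part of the original chapter. The match scores, thresholds, and function names are constructed for illustration and assume a matcher that accepts any score at or above a configurable threshold.

```python
"""FRR and FAR for a threshold-based biometric matcher (constructed data)."""

# Constructed similarity scores (0-100) from a hypothetical matcher.
# GENUINE: enrolled users presenting their own trait (should be accepted).
# IMPOSTOR: people presenting against someone else's template (should be rejected).
GENUINE = [91, 88, 95, 79, 84, 67, 93, 72, 86, 90]
IMPOSTOR = [22, 35, 41, 58, 30, 64, 47, 19, 73, 52]
THRESHOLDS = [50, 60, 70, 80, 90]


def frr(genuine, threshold):
    """Type 1 error rate: percent of genuine attempts scoring below the threshold."""
    rejected = sum(1 for score in genuine if score < threshold)
    return 100.0 * rejected / len(genuine)


def far(impostor, threshold):
    """Type 2 error rate: percent of impostor attempts scoring at or above it."""
    accepted = sum(1 for score in impostor if score >= threshold)
    return 100.0 * accepted / len(impostor)


def sweep(genuine, impostor, thresholds):
    """One (threshold, FRR, FAR) row per candidate threshold."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def closest_balance(rows):
    """Row where FRR and FAR are closest, i.e. where the two curves cross."""
    return min(rows, key=lambda r: (abs(r[1] - r[2]), r[0]))


def pick_threshold(rows, max_far):
    """Lowest-FRR row whose FAR stays within the policy limit, or None.

    Raising the threshold lowers FAR but raises FRR, so a door protecting a
    critical asset trades user convenience for fewer false acceptances.
    """
    candidates = [r for r in rows if r[2] <= max_far]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    rows = sweep(GENUINE, IMPOSTOR, THRESHOLDS)
    print("threshold  FRR%   FAR%")
    for t, r, a in rows:
        print(f"{t:9d}  {r:5.1f}  {a:5.1f}")
    print("balance point:", closest_balance(rows))
    print("policy FAR <= 5%:", pick_threshold(rows, 5.0))
```

On this data a strict 5% FAR policy forces a threshold at which 30% of legitimate users are rejected, which is the kind of friction that leads users to hold doors open for one another.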

Some common biometric systems include the following:

  • Finger scan systems—Widely used, popular, installed in many new laptops

  • Hand geometry systems—Accepted by most users; functions by measuring the unique geometry of a user's fingers and hand to identify them

  • Palm scan systems—Much like the hand geometry system, except it measures the creases and ridges of a user for identification

  • Retina pattern systems—Very accurate; examines the user's retina pattern

  • Iris recognition—Another eye recognition system that is also very accurate; it matches the person's blood vessels on the back of the eye

  • Voice recognition—Determines who you are by using voice analysis

  • Keyboard dynamics—Analyzes the user's speed and pattern of typing

No matter what means of authentication you use, a physical access control needs to fit the situation in which it will be applied. As an example, if the processing time of a biometric system is slow, users tend to just hold the door open for others rather than wait for the additional processing time. Another example is an iris scanner, which may be installed at all employee entrances, yet later causes complaints from employees who are physically challenged or in wheelchairs because they cannot easily use the newly installed system. Consider who will be using the system and whether it is appropriate given the situation and user base.

Avoiding Common Threats to Physical Security

With so much talk in this chapter of controls and items to look for during an assessment, it is important to be aware of some of the threats an organization can face. Some common threats include these:

  • Natural/human/technical threats

  • Physical keyloggers

  • Sniffers

  • Wireless interception

  • Rogue access points

Natural, Human, and Technical Threats

Every organization must deal with the threats that are present in the environment each day. Threats can be natural, human, or technical. Natural threats can include items such as fires, floods, hurricanes, tropical storms, tidal waves, and earthquakes.

Human threats are not always as predictable as natural threats. For example, anyone living in California knows that earthquakes will hit, but they just can't say when. However, an organization may expect someone to attempt or even succeed in breaking in to the company, but the attempt may never come. The point here is that aside from natural disasters, you must think of other threats such as hackers who do not issue notices when an attack is coming. Any organization can be threatened by outsiders or insiders: people that are apparently trusted or unknown individuals.

Human threats can include the following:

  • Theft—Theft of company assets can range from mildly annoying to extremely damaging. A CEO's laptop may be stolen from the hotel lobby; but is the real loss the laptop or the plans for next year's new software release?

  • Vandalism—From broken windows caused by a teenager just having some malicious fun to the hacker who decides to change your company's Web page, each is destroying company property.

  • Destruction—This threat can come from insiders or outsiders. Destruction of physical assets can cost organizations money that was destined to be spent on other items.

  • Terrorism—This form of threat is posed by individuals or groups that wish to prove a point or draw attention to a cause.

  • Accidental—Accidents are bound to happen sooner or later and their effects can be varied depending on the situation. Damage could range from lost data to an attacker obtaining access where they should not have.

Any company can also be at risk due to technical issues. A truck driver can knock down a power pole in front of the company, or a hard drive in a server might fail. Each can and will affect the capability of the company to continue to provide needed services. Whenever a security professional is asked to perform a physical review, don't neglect physical controls that are needed to protect against these or any of the various types of issues that are present. Any equipment failure and loss of service can affect the physical security of the organization.

Physical Keyloggers and Sniffers

Hardware keyloggers are physical devices used to record everything a person types on the keyboard. These devices are usually installed while the user is away from the desk. Keystroke loggers can be used for legal or illegal purposes, such as the following:

  • Monitoring employee productivity and computer activity

  • Law enforcement

  • Illegal spying

Physical keyloggers can store millions of keystrokes on a small device that is plugged in between the keyboard and the computer. Some keyloggers are built into keyboards. The process is transparent to the end user and can be detected only by finding the keylogger.

Keyloggers can be the following:

  • Attached to the keyboard cable, as inline devices

  • Installed inside standard keyboards

  • Installed inside replacement keyboards

  • Installed on a system along with other software

Note

Even if the IT or security department of your company is planning to use these devices for legal purposes, always consult with a lawyer or with the human resources department. Use of such devices in some instances can be a serious legal issue and expose the company to legal action.

Sniffing is the basis for a large number of network-based attacks. If attackers can gain access to the network via a physical network connection, they can begin to capture traffic. Sniffing can be passive or active. Passive sniffing relies on a feature of network cards called "promiscuous mode." When placed in promiscuous mode, a network card passes all packets on to the operating system, rather than just those unicast or broadcast to the host.

Active sniffing, on the other hand, relies on injecting packets into the network, causing traffic that should not be sent to your system to be sent to your system. Active sniffing was developed largely in response to switched networks. Sniffing is dangerous in that it allows hackers access to traffic they should not see. An example of a sniffer capture is shown in Figure 4-1.

Figure 4-1. Wireshark sniffer.
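Passive sniffing depends on promiscuous mode, so on hosts you administer it is worth checking which interfaces have that mode set. The following is an added example, not from the original chapter: it reads the Linux sysfs `flags` file for each interface and tests the `IFF_PROMISC` bit (0x100). The interface names, the `expected` allowlist, and the demo directory tree are constructed for illustration.

```python
"""Report Linux interfaces in promiscuous mode (defensive host check)."""
import os
import tempfile

IFF_PROMISC = 0x100  # bit defined in Linux <linux/if.h>


def is_promiscuous(flags_text):
    """True if the hex flags string (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_interfaces(sysfs_net="/sys/class/net", expected=()):
    """Names of promiscuous interfaces that are not on the expected list.

    `expected` holds interfaces that are promiscuous by design, such as a
    sensor port fed by a switch mirror; anything else deserves a closer look.
    """
    findings = []
    for name in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, name, "flags")
        try:
            with open(path) as fh:
                promisc = is_promiscuous(fh.read())
        except (OSError, ValueError):
            continue  # interface vanished or flags unreadable: skip it
        if promisc and name not in expected:
            findings.append(name)
    return findings


# Constructed sample: flag values as they would appear in sysfs.
# 0x9 = UP|LOOPBACK, 0x1003 = UP|BROADCAST|MULTICAST, 0x1103 adds PROMISC.
DEMO_FLAGS = {
    "lo": "0x9",
    "eth0": "0x1103",
    "eth1": "0x1003",
    "span0": "0x1103",
}


def build_demo_tree(root, flags_by_iface):
    """Create a fake /sys/class/net layout under `root` for offline runs."""
    for name, flags in flags_by_iface.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "flags"), "w") as fh:
            fh.write(flags + "\n")


def run_demo():
    """Scan the constructed tree, treating span0 as an approved sensor port."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, DEMO_FLAGS)
        return scan_interfaces(root, expected={"span0"})


if __name__ == "__main__":
    print("unexpected promiscuous interfaces:", run_demo())
```

This check only covers machines you control; a sniffer on an attacker's own device plugged into an open network port has to be addressed by controlling physical access to those ports.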

Wireless Interception and Rogue Access Points

While you will read more about wireless networks and their security vulnerabilities in Chapter 8, we will mention some of the basics here as a brief introduction. Sniffing is not restricted to wired networks. Wireless signals emanating from cell phones, wireless local area networks (WLANs), Bluetooth devices, and other modern equipment can also be intercepted and analyzed by an attacker with the right equipment. Even when signals cannot be intercepted, they can still potentially be jammed. For example, a cell phone jammer could transmit a signal on the same frequencies that cell phones do and then prevent all cell phone communication within a given area.

Bluetooth is another wireless technology: a short-range communication technology that has been shown to be vulnerable to attack. One such attack is Bluejacking, which allows an individual to send unsolicited messages over Bluetooth to other Bluetooth devices. WLANs are also vulnerable to attacks. These attacks can be grouped into four basic categories: eavesdropping, open authentication, rogue access points, and denial of service.

Finally, the attacker may attempt to set up a fake access point to intercept wireless traffic. Such techniques make use of a rogue access point. This fake access point is used to launch a man-in-the-middle attack. Attackers simply place their own access points in the same area as users and attempt to get them to log on.
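A common countermeasure to rogue access points is to compare a wireless site survey against the inventory of access points the organization actually deployed. The following is an added example, not from the original chapter; the SSIDs, BSSIDs, channels, and field names are all constructed, and the survey is assumed to have been exported from whatever scanning tool the site uses.

```python
"""Flag access points that advertise a corporate SSID but are not in inventory."""

# Constructed inventory: SSID -> {BSSID: channel the AP was configured for}.
AUTHORIZED = {
    "CorpNet": {
        "02:00:00:00:00:01": 1,
        "02:00:00:00:00:02": 6,
    },
}

# Constructed survey results (one dict per beacon source seen on site).
SURVEY = [
    {"ssid": "CorpNet", "bssid": "02:00:00:00:00:01", "channel": 1, "signal_dbm": -48},
    {"ssid": "CorpNet", "bssid": "02:00:00:00:00:02", "channel": 11, "signal_dbm": -55},
    {"ssid": "CorpNet", "bssid": "02:00:00:AA:BB:10", "channel": 6, "signal_dbm": -40},
    {"ssid": "CoffeeShop", "bssid": "02:00:00:CC:DD:20", "channel": 3, "signal_dbm": -70},
]


def classify(entry, authorized):
    """Return 'ok', 'ignore', 'unknown-bssid' or 'channel-mismatch'."""
    ssid = entry["ssid"]
    bssid = entry["bssid"].lower()  # tools differ in MAC letter case
    if ssid not in authorized:
        return "ignore"  # a neighbour's network, not our name
    known = authorized[ssid]
    if bssid not in known:
        return "unknown-bssid"  # our SSID from hardware we never deployed
    if entry["channel"] != known[bssid]:
        # A BSSID can be copied; a known AP on the wrong channel warrants
        # a walk to the physical unit to confirm it is the real one.
        return "channel-mismatch"
    return "ok"


def find_suspects(survey, authorized):
    """(bssid, reason) pairs for entries needing follow-up, strongest first.

    Strongest signal first because that is usually the closest device and
    the one nearby clients are most likely to associate with.
    """
    suspects = []
    for entry in survey:
        verdict = classify(entry, authorized)
        if verdict in ("unknown-bssid", "channel-mismatch"):
            suspects.append((entry["signal_dbm"], entry["bssid"].lower(), verdict))
    suspects.sort(key=lambda s: -s[0])
    return [(bssid, verdict) for _, bssid, verdict in suspects]


if __name__ == "__main__":
    for bssid, reason in find_suspects(SURVEY, AUTHORIZED):
        print(f"{bssid}  {reason}")
```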

Defense in Depth

Something that has been mentioned indirectly a few times already is the concept of defense in depth. The concept of defense in depth originated from the military and was seen as a way to delay rather than prevent an attack. As an information security tactic, it is based on the concept of layering more than one control. These controls can be physical, administrative, or technical in design. We have looked at a variety of physical controls in this chapter such as locks, doors, fences, gates, and barriers. Administrative controls include policies and procedures on (among other things) how you recruit, hire, manage, and fire employees. During employment, administrative controls such as least privilege, separation of duties, and rotation of duties are a few of the items that must be enforced. When employees leave or are fired, their access needs to be revoked, accounts blocked, property returned, and passwords changed. Technical controls are another piece of defense in depth and can include items such as encryption, firewalls, and IDS.

Note

Another way to think of defense in depth is as avoiding putting all your eggs in one basket.

For the physical facility, a security professional should strive for a minimum of three layers of physical defense. The first line of defense is the building perimeter. Barriers placed here should delay and deter attacks. Items at this layer include fences, gates, and bollards. These defenses should not reduce visibility of CCTV and/or guards. Items such as shrubs should be 18 to 24 inches away from all entry points, and hedges should be cut six inches below the level of all windows.

The second layer of defense is the building exterior: roof, walls, floor, doors, and ceiling. Windows are a weak point here. Any opening 18 feet or less above the ground should be considered a potential easy access and should be secured if greater than 96 square inches.

The third layer of physical defense is the interior controls: locks, safes, containers, cabinets, interior lighting. It can even include policies and procedures that cover what controls are placed on computers, laptops, equipment, and storage media. This third layer of defense is important when you consider items such as the data center or any servers kept onsite. A well-placed data center should not be above the second floor of a facility because a fire might make it inaccessible. Likewise, you wouldn't want the data center located in the basement because it could be subject to flooding. A well-placed data center should have limited accessibility—typically no more than two doors. Keep these items in mind because they will help you secure the facility.

CHAPTER SUMMARY

This chapter is unique in that so much of ethical hacking and penetration testing is about IT and networks. However, the reality is that attackers will target an organization any way that they can. Not all attacks will be logical in nature; many are physical. If attackers can gain physical access to a facility, many potentially damaging actions can occur: from simply unplugging a server and walking out with it to sniffing traffic on the network.

Physical controls can take many forms and be implemented for any number of reasons. Consider that physical controls such as doors, fences, and gates represent some of the first barriers that an attacker will encounter. When constructed and placed properly, fences can provide a tremendous security benefit, stopping all but the most determined attacker. Other types of controls that can be layered into the existing physical security system include alarm and intrusion detection systems, both of which provide an early warning of intrusions.

KEY CONCEPTS AND TERMS

  • Biometrics

  • Bluetooth

  • Bollard

  • False acceptance rate (FAR)

  • False rejection rate (FRR)

  • Lock

  • Turnstile

CHAPTER 4 ASSESSMENT

  1. Physical security is less important than logical security.

    1. True

    2. False

  2. _______ is a common physical control that can be used as both a detective and reactive tool.

    1. A fence

    2. An alarm

    3. CCTV

    4. A lock

  3. For a fence to deter a determined intruder, it should be at least _______ feet tall.

    1. Four

    2. Five

    3. Six

    4. Ten

  4. A(n) _______ is used to prevent cars from ramming a building.

  5. While guards and dogs are both good for physical security, which of the following more commonly applies to dogs?

    1. Liability

    2. Discernment

    3. Dual role

    4. Multifunction

  6. What grade of lock would be appropriate to protect a critical business asset?

    1. Grade 4

    2. Grade 2

    3. Grade 1

    4. Grade 3

  7. _______ defines the camera's effectiveness in viewing objects from a horizontal and vertical view.

    1. Granularity

    2. Ability to zoom

    3. Field of view

    4. Focal length

  8. In the field of IT security, the concept of defense in depth is layering more than one control on another.

    1. True

    2. False

  9. _______ is an intrusion detection system used exclusively in conjunction with fences.

    1. Infrared wave pattern

    2. Motion detector

    3. RFID

    4. PIDAS

  10. A Type 2 error is also known as what?

    1. False rejection rate

    2. Failure rate

    3. Crossover error rate

    4. False acceptance rate

  11. Which type of biometric system is frequently found on laptops?

    1. Retina

    2. Fingerprint

    3. Iris

    4. Voice recognition

  12. What do lock pick sets typically contain at a minimum?

    1. Tension wrenches and drivers

    2. A pick

    3. A pick and a driver

    4. A pick and a tension wrench

  13. During an assessment, you discovered that the target company was using a fax machine. Which of the following is the least important?

    1. The phone number is publicly available.

    2. The fax machine is in an open, unsecured area.

    3. Faxes frequently sit in the printer tray.

    4. The fax machine uses a ribbon.
