Data Security
How to Protect Devices
Securing a Host involves:
Protecting the physical device.
Securing the Operating System.
Using Security-based software applications.
Monitoring Logs.
Secure the devices to prevent unauthorized users from gaining physical access to equipment.
Securing devices includes:
Physical access security – using hardware locks
Host hardware security
Mobile device security
Type of hardware locks
Keyed entry locks – use a key to open the lock from outside.
Privacy locks – locked door can be opened from outside via a small hole (bathroom door).
Patio locks – lock from inside but cannot be opened from the outside.
Passage locks – door closes but cannot be locked (used in closets and hallways).
A Keyed entry lock provides minimal security, because it does not lock when the door is closed.
The locked door can be opened with a thin piece of plastic (credit card), or the knob can be broken with a hammer.
Commercial door locks include:
Storeroom locks – outside is always locked, entry is by key only and inside is unlocked.
Store entry double cylinder – key in either knob locks or unlocks both at the same time.
Communicating double cylinder lock – key unlocks its own knob independently.
Key Management
Key management procedures:
If a key is lost or stolen, change locks immediately.
Inspect all locks on a regular basis.
Issue keys only to authorized persons.
Keep records of who uses and returns keys.
Keep track of keys issued, with their number and ID, for both master and duplicate keys.
Master keys should not have any marks identifying them as masters.
Secure unused keys in a locked safe.
Set up a procedure to monitor the use of all locks and keys and update the procedure as necessary.
When duplicates of master keys are made, mark them “Do not duplicate” and wipe out the manufacturer’s serial number to prevent ordering of duplicates.
Cipher locks are used in conjunction with Tailgate Sensors.
Tailgate Sensors use multiple Infrared Beams to prevent a second person following (tailgating) the first person through the door.
The Infrared Beams are monitored to determine the number of persons walking through and in which direction they are walking.
If two people walk through in the same direction, an alarm can sound.
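The following is an added example (not from the original notes) of how a two-beam tailgate sensor decides direction and counts crossings: beam "A" is assumed to be on the outer side of the door and beam "B" on the inner side, the cipher lock is assumed to emit one "UNLOCK" event per valid code, and the sample event stream is constructed.

```python
# Added example: simplified two-beam tailgate sensor logic.
# A person entering breaks beam A then beam B; a person leaving breaks B then A.
# More than one entry on a single UNLOCK is treated as tailgating (assumption).
from typing import List, Tuple

# Constructed sample event stream, not captured from a real sensor.
SAMPLE_EVENTS = [
    "UNLOCK", "A", "B",            # one person enters normally
    "UNLOCK", "A", "B", "A", "B",  # a second person tailgates in on the same unlock
    "B", "A",                      # one person leaves (no unlock needed from inside)
]


def analyze(events: List[str]) -> Tuple[int, int, List[str]]:
    """Return (entries, exits, alarms) for a sequence of sensor events."""
    entries = exits = 0
    alarms: List[str] = []
    entries_this_unlock = 0
    pending = None  # first beam broken by the person currently in the doorway
    for i, ev in enumerate(events):
        if ev == "UNLOCK":
            entries_this_unlock = 0
            pending = None
            continue
        if pending is None:
            pending = ev  # first beam of a crossing
            continue
        # Second beam broken: the order gives the direction of travel.
        if pending == "A" and ev == "B":
            entries += 1
            entries_this_unlock += 1
            if entries_this_unlock > 1:
                alarms.append(f"tailgate at event {i}: "
                              f"{entries_this_unlock} entries on one unlock")
        elif pending == "B" and ev == "A":
            exits += 1
        # Same beam twice means the person backed out; no crossing is counted.
        pending = None
    return entries, exits, alarms
```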
Physical Token
A Physical Token (like an ID Badge) can be used to identify a person.
ID Badge can contain a magnetic stripe that can be swiped or a barcode identifier that can be scanned.
Newer ID Badges emit a signal identifying the owner of the ID Badge.
The ID Badge is fitted with a tiny Radio Frequency Identification (RFID) tag inside the ID Badge.
A Proximity Reader detects the signal emitted by the RFID tag at the back of the ID Badge.
The user does not have to remove the ID Badge to swipe or scan.
Closed-Circuit Television (CCTV) uses video cameras to transmit to a specific and limited set of receivers.
Video Surveillance using CCTV is used in:
Banks
Casinos
Airports
Military installations
CCTV Cameras can be:
Fixed in a single position
A small dome which allows a technician to move the camera 360° for a panoramic view.
Motion tracking, following any movement.
Hardware Security involves protecting Host Systems (Laptops, Net-books and Tablet computers).
A Cable Lock is used to secure the Host Systems to a desk.
Tracking software that hides itself like a Rootkit can report back the internal IP Address, External IP Address, nearby Routers and the Name of the Wireless Access Point to which a stolen Laptop is connected.
Laptops with built-in Web Cams can also be instructed to take pictures of the user (thief).
Locking Cabinets can be prewired for electrical power and network connections.
Laptops stored in the locking cabinets can charge their batteries and receive software updates when not in use.
Data in the laptops can be protected with encryption.
Security provisions for Mobile Devices (Smartphones, tablets, netbooks and laptops) are:
Strong Passwords.
Locking the Screen when the device is inactive for a period of time.
Encrypting Data stored on the device
Remote Wipe/Sanitation – wipe and reset to default factory setting.
GPS Tracking – pinpoint within 330 feet (100 m).
Voice Encryption – mask the content of the voice communication.
Remote Wipe/Sanitation can be used before reassigning the device to another user.
Some require the IT Department to activate Remote Wipe/Sanitation; the next time the device connects to the e-mail server, all data is erased.
But a thief could:
Steal the device.
Turn it off before the Remote Wipe/Sanitation process begins.
Remove the Memory Card in the device that contains the data.
Global Positioning System (GPS) real-time tracking allows emergency responders to locate a device within 100 meters.
GPS Tracking can be active all the time or only when a 911 call is made.
Google Android OS can remotely delete an App that is downloaded and found to be dangerous.
The steps to secure an OS are:
Develop a Security Policy – Document that states what must be done.
Perform Host Software Baselining – a Checklist that outlines how the Policy will be enforced.
Configure Operating System (OS) Security Settings – a Template.
Deploy the Settings – via Group Policy.
Implement Patch Management – using Patches and Service Packs.
Security Policy is a document that defines the defense mechanisms an organization will employ in order to keep information secure.
Baseline is a checklist of major security considerations for a system.
It becomes the starting point for solid security.
A Baseline for a Desktop will be different from that for a File Server.
OS Security Settings consist of:
Changing Default Settings (allowing Guest Accounts).
Eliminating unnecessary Software (removing Games).
Stopping unnecessary Services.
Disabling unnecessary Protocols.
Enabling OS Security features (turning on Firewall).
Security Template
Security Template is a collection of Security Configuration Settings including:
Account Policies.
User Rights.
Event Log Settings.
Restricted Groups.
System Services.
File Permissions.
Registry Permissions.
Predefined Security Templates can be imported to the Host.
These settings can be modified to create a Custom Security Template.
The Custom Security Template can then be exported to other Hosts.
Security Templates can be deployed to each Host manually.
These can also be deployed automatically via Group Policies in Active Directory (AD) Domains.
Early Operating Systems were simply program loaders to launch Applications.
Today the OS consists of millions of lines of code.
DOS had 4,000 lines of code.
Windows 7 has 50 million lines of code.
Complexity of OS introduces vulnerability.
Patches are updates to an OS to fix any discovered vulnerability.
Hotfix is software (fix) that addresses a specific customer situation.
Service Pack is software that is a cumulative package of all security updates plus additional features.
Operating Systems perform Automatic Updates.
Microsoft releases its patches on 2nd Tuesday of each month called “Patch Tuesday.”
Attackers unleash attacks on Wednesday!!
Patches can create new problems.
Therefore, test the patch prior to deploying to the rest of the network.
Connect only one Update Server to the OS vendor to download the patch.
Deploy the tested patch from that server to the other PCs.
The disadvantage of an Update Service is the cost of hardware and personnel needed to maintain it.
Third-party Anti-malware Software Packages include:
Anti-virus
Anti-spam
Pop-up Blockers
Anti-spyware
Host-based Firewalls
Anti-virus (AV) software:
Examines the PC for any infections
Monitors PC activity
Scans new documents for viruses when the file is:
Opened
Created
Closed
If a Virus is detected, the options are:
Clean the file
Quarantine the file
Delete the file
Bayesian Filtering divides e-mails that have arrived into two piles, Spam and Not-spam.
The filter analyzes each word in each e-mail and determines how frequently a word occurs in the Spam pile compared to the Not-spam pile.
The filter looks for the 15 words with the highest probability to calculate the message’s overall spam probability rating.
Bayesian Filtering traps a much higher percentage of spam than other techniques.
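An added example (not from the original notes) of the filter described above: two constructed piles are used to learn a per-word spam probability, and a new message is rated by combining its 15 most decisive words, taken here as the words whose probability is furthest from 0.5 in either direction, which is the usual reading of the "highest probability" words.

```python
# Added example: a minimal Bayesian spam filter. Training mail is constructed.
import re
from collections import Counter
from typing import Dict, List

SPAM_PILE = ["cheap pills buy now", "buy cheap watches now", "win money now click here"]
HAM_PILE = ["meeting moved to tuesday", "please review the attached report",
            "lunch tomorrow with the team"]


def tokenize(text: str) -> List[str]:
    return re.findall(r"[a-z']+", text.lower())


def train(spam: List[str], ham: List[str]) -> Dict[str, float]:
    """Per-word probability that a message containing the word is spam."""
    spam_counts = Counter(w for m in spam for w in set(tokenize(m)))
    ham_counts = Counter(w for m in ham for w in set(tokenize(m)))
    probs = {}
    for word in set(spam_counts) | set(ham_counts):
        # Fraction of each pile containing the word: how frequently it occurs
        # in the Spam pile compared to the Not-spam pile. Clamped away from
        # 0 and 1 so no single word can be absolutely decisive.
        s = spam_counts[word] / len(spam)
        h = ham_counts[word] / len(ham)
        probs[word] = min(0.99, max(0.01, s / (s + h)))
    return probs


def spam_probability(message: str, probs: Dict[str, float], top_n: int = 15) -> float:
    """Combine the top_n most decisive word probabilities into one rating."""
    # Words never seen in training get a neutral, slightly ham-leaning 0.4.
    scored = [probs.get(w, 0.4) for w in set(tokenize(message))]
    scored.sort(key=lambda p: abs(p - 0.5), reverse=True)
    prod_spam = prod_ham = 1.0
    for p in scored[:top_n]:
        prod_spam *= p
        prod_ham *= 1 - p
    return prod_spam / (prod_spam + prod_ham)


WORD_PROBS = train(SPAM_PILE, HAM_PILE)
```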
Blacklist is a list of senders whose e-mails are to be blocked.
Blacklist can be downloaded or created manually.
A Whitelist is a list of senders whose e-mails are to be accepted.
E-mails can be blocked from entire countries or regions.
Attachments of specific types can also be blocked.
Outlook automatically blocks over 80 different types of file attachments (Level 1 Attachments).
Level 1 Attachments are hidden from the user; they cannot be opened, saved or printed.
Level 1 Attachments are of the type *.exe, *.bat, *.vbs, *.com etc.
System Events are actions performed by the Operating System (shutdown, starting a service etc.).
Event Log records successful and/or unsuccessful events.
Client Requests and Server Responses can be used to reconstruct the sequence of events and determine the outcome.
Usage Information is useful for security monitoring.
Increase in inbound e-mail can indicate a virus attack.
System Event Logs record system events and can help identify performance issues.
Audit Logs record Security Events.
Account Information records:
Successful and failed Authentication attempts.
Account changes (create, delete, privilege escalation attempts etc.)
Application used and when it was used
Operational Information records:
Application startup/shutdown, failures
File access
Security Policy changes
Major application changes
Operational Information can help determine security compromises and operational failures.
Security Software can be network-based or system-based (host-based).
Security Software:
Detect malicious activity.
Provide Protection.
Produce Security Application Logs.
Benefits of Monitoring System Logs are:
Identify security incidents, policy violations, fraudulent activity and operational problems after they have occurred.
Logs provide information to help resolve problems.
Help with auditing and internal investigations, and identify operational trends and long-term problems.
Provide documentation that the organization is in compliance with the laws and regulations.
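An added example (not from the original notes) of detection logic run over the kinds of Account Information an audit log records, as listed above: repeated failed authentication attempts followed by a success, and a privilege change. The log lines and their key=value format are constructed, and the five-failure threshold is an assumption.

```python
# Added example: scan constructed audit-log lines for account events worth alerting on.
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log, not from a real system. Format is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth user=alice src=10.0.0.5 result=SUCCESS
2024-03-01T08:01:10 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:01:12 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:01:14 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:01:16 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:01:18 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:01:20 auth user=bob src=198.51.100.7 result=SUCCESS
2024-03-01T08:02:00 account user=bob action=ADD_GROUP group=Administrators
2024-03-01T08:05:00 auth user=carol src=10.0.0.9 result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|account) (?P<fields>.*)$")
FAIL_THRESHOLD = 5  # consecutive failures before a later success is suspicious


def parse(line: str) -> Dict[str, str]:
    """Turn one log line into a dict; unparseable lines give an empty dict."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    rec = {"ts": m.group("ts"), "kind": m.group("kind")}
    rec.update(kv.split("=", 1) for kv in m.group("fields").split())
    return rec


def find_alerts(log_text: str) -> List[str]:
    """Return human-readable alerts for the account events described in the notes."""
    alerts: List[str] = []
    failures = defaultdict(int)  # consecutive failed logins per user
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        user = rec.get("user", "?")
        if rec["kind"] == "auth":
            if rec.get("result") == "FAIL":
                failures[user] += 1
            else:
                if failures[user] >= FAIL_THRESHOLD:
                    alerts.append(f"{rec['ts']} possible password guessing: {user} succeeded "
                                  f"after {failures[user]} failures from {rec.get('src')}")
                failures[user] = 0
        elif rec["kind"] == "account" and rec.get("action") == "ADD_GROUP":
            alerts.append(f"{rec['ts']} privilege change: {user} added to {rec.get('group')}")
    return alerts
```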
Application Security includes:
Application development security.
Application hardening.
Patch management.
Attackers are beginning to attack Application Software packages running on host PCs.
Application Development Security must be considered during the following phases:
Design
Development
Deployment
Maintenance