CompTIA Pentest+ PT0-002 – Section 19: Findings and Remediations Part 2
March 15, 2023

183. Physical Controls (OBJ 4.2)

In this lesson, we’re going to talk about some physical security controls that you can use as remediation against vulnerabilities found during your penetration tests. Often, you’re going to find that physical access is a lot easier to achieve than getting remote access, because a lot of organizations will fall for social engineering attacks as well as having their facilities open to visitors, which can then be another source of attack. To overcome the different physical security vulnerabilities you identified during your penetration test, you’re going to make recommendations that concern physical controls to your target organization. Some physical security controls that you can use are things like access control hardware such as badge readers and biometrics, as well as access control vestibules, smart lockers, locking racks, locking cabinets, employee training and video surveillance. When it comes to access control hardware, we usually are going to rely on either a badge reader or a biometric reader to control access to a secure telecommunications closet or data center. A badge reader is going to rely on either a magnetic strip like a credit card, a chip card like a smart card, or an RFID (radio frequency ID) card. In general, it’s going to be a great practice to require all your employees to wear an identification badge within your buildings.

This badge is then used to unlock an electronic lock on the different doors of your data center or other secured spaces in combination with some kind of a knowledge factor, like a PIN that’s unique to that employee. By doing this, we now have a two-factor authentication system: something you have, your badge, and something you know, your PIN. Some of these locks can also choose to use biometric authentication instead of a badge. For example, I’ve seen some data centers protected by a fingerprint reader, a retina scan or a voice print and a PIN. Again, by adding the PIN to the biometric factor, we’re gaining two-factor authentication and making our data center much more secure. In high security facilities, they also use an access control vestibule in combination with access control hardware or a lock. An access control vestibule is also known as a mantrap. An access control vestibule is an area between two doorways that holds people until they’re identified and authenticated. Sometimes these are automated, like using the electronic badge and PIN system that we just discussed, but sometimes they’re actually manned by security personnel who are going to physically look at your badge to verify you are who you claim to be. So as you enter the building, there might be an open lobby that anyone can access. But then there’s a set of turnstiles where you’re going to scan your badge and enter your PIN. This will allow you to go past those turnstiles and get into the building. This area between the front door and the turnstiles is what is considered the access control vestibule. Once you get past that turnstile, you’re now in the secure area, you’ve already been authenticated, and now you can be trusted. Some organizations instead opt to have less security at the main floor and use access control vestibules located at key choke points throughout the building as you go into certain higher security areas. Sometimes you may have both a mantrap at the entrance of the building that everyone who works in that facility goes through, and then an additional access control vestibule going into a higher security area, such as your data center. In this case, the first access control vestibule at the main entrance of the building gives you access to a generic level of organizational security. But if you then need to go into a top secret area, you need to go through a second verification at another access control vestibule.

Next, let’s talk about personal electronic devices. A lot of organizations prevent the use of personal electronic devices like cell phones, smartphones and tablets inside their office spaces. This is done as a form of data loss prevention. After all, if I can simply carry my smartphone with me into a top secret building, I could take pictures of some highly classified documents from my computer screen, and then those documents could walk right out the front door with me on my cell phone. This would not be very secure. These organizations are usually something like a government or military building, and they’re going to place a smart locker in the entrance right before the access control vestibule. This way you can drop off your cell phone and lock it up securely in the smart locker. Now, a smart locker is a fully integrated system that looks a lot like a large vending machine. Basically, you’re going to scan your employee badge at the smart locker on a digital badge reader. Then you pick an open locker from the display screen, and once you select it, that locker is going to unlock and open up. You then put your laptop, your tablet, your smartphone, your smart watch, or other valuables inside the locker, and once you shut the locker door, it automatically locks and you can go about the rest of your day.

Whenever you need to get your things back, you go back to the display screen, click open locker and scan your badge. At that point, the locker will unlock again and you can retrieve your items from the locker. Next, let’s talk about protecting the things that are inside of our data center. Now, once we get inside of our data center or telecommunication closets, you’re going to see racks or cabinets that contain the different networking equipment and servers that we’re going to use. A standard server and networking equipment rack is about 48 units high, also known as 48U; this is also about 50 inches deep and about 20 inches wide. These can house networking equipment like switches and routers, patch panels, servers, rack-mounted uninterruptible power supplies and much more. To protect these devices from being tampered with, these racks and cabinets may contain a small key lock. By locking these racks and cabinets, you can control physical access to your equipment. Generally, one person will be the key custodian for the data center, and that person will also maintain a log of who has which keys and when, in case that information is needed during an incident response. Finally, we need to talk about the most beneficial prevention mechanism that you can invest in, and this is employee training. According to a study by Forrester Research, providing employee cybersecurity awareness training produced a 69% return on investment for small to medium size companies and a 248% return on investment for large enterprise organizations. The data supports it: employee training is a great investment.

This is particularly true because the biggest weakness in our networks is our users and our administrators, because both of these groups are going to use and run our networks. And they’re going to cause a lot of problems for us if they’re not trained properly. If an administrator misconfigures a device, for example, that creates a vulnerability that could be exploited by an attacker. If an end user clicks on a link in a phishing email, they can cause the organization to get infected with malware and spend a lot of time and effort cleaning up this mess during an incident response.

When you’re conducting your employee training, it’s important to stress the proper policies and procedures that the employees need to follow in regards to both their physical security, such as challenging personnel to show their employee badges or questioning why certain people are trying to access certain areas, and technical security, such as malware prevention and anti-phishing training. The final physical control we need to discuss is the use of video surveillance. Video surveillance is a great way to use a detective control to figure out what has happened in a particular area. These cameras can be either wired or wireless, and they can be either fixed or motion-based depending on how you configure them. The one thing you have to be aware of when using wireless cameras is that those wireless cameras can be attacked by jamming their wireless signal. For this reason, it is much better to use wired cameras instead of wireless cameras for your security system as you’re implementing video surveillance.

184. Operational Controls (OBJ 4.2)

In this lesson, we’re going to discuss some operational controls, including things like the separation of duties, job rotation, mandatory vacation, employment and termination procedures, training and user awareness, auditing requirements and their frequencies, and time of day restrictions. First, we have policies that are focused on the separation of duties. Now, separation of duties is a preventative control, and it’s one that should be considered whenever we draft up our organizational authentication and authorization policies. Separation of duties is designed to prevent fraud and abuse by distributing various tasks and approval authorities across numerous different users. For example, let’s say you work in the accounting department: you can’t go and request a check be sent out to an employee and also approve that same request. We do this to prevent fraud, because two users now have to work together to steal money from our organization. In the cybersecurity world, a good example of this is when one administrator has the right to create backups of a given server, but another administrator has the rights to restore those backup files. Any function in an organization that may be considered high risk should utilize proper separation of duties. For example, if you’ve ever watched a war movie where the military is trying to launch a missile, such as “Crimson Tide,” you see that two people each have a different physical key, and that both are required to use their key to launch the missile. This specific type of separation of duties is known as dual control. Now, another type of separation of duties is called split knowledge. This is when two people each have half of the knowledge required to do something.

For example, let’s imagine I have a box that’s holding my family’s super secret recipe in it. Now, I can lock up that box with two different combination locks. I know the combination to one of those locks, and my wife might know the combination to the other. Neither of us can open the box by ourselves because we each have only half of the required knowledge. We each only know one combination. So we have to work together to unlock that box and get the recipe out. In the cybersecurity world, we can accomplish this using encryption. We’ll take the key and break it up into two pieces, and each half of that key is given to a different administrator. Second, we have job rotation. With job rotation, different users are trained to perform the tasks of the same position, and this helps prevent and identify fraud that could occur if only one employee had that job. Basically, if multiple people know how to perform a certain job, then it’s more likely that somebody can detect unusual activity than if there’s only a single person who does that job by themselves.
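Here is a worked example of the split knowledge control described above, added for this write-up (it is not code from the course): an encryption key is split into two shares with XOR secret sharing so that each administrator's share is useless on its own, and a key check value lets the two confirm the reconstruction without exposing the key. The key, label and share sizes are constructed for illustration.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # constructed example: a 256-bit key


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a key into two shares for two administrators.

    share_a is uniformly random and share_b = key XOR share_a, so each
    share on its own is indistinguishable from random bytes: one admin
    holding a single share learns nothing about the key.
    """
    share_a = os.urandom(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Both administrators present their shares to rebuild the key."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def key_check_value(key: bytes) -> str:
    """Key check value (KCV): an HMAC over a fixed label, safe to store
    beside the shares so a reconstruction can be verified without
    revealing the key itself."""
    return hmac.new(key, b"kcv-label", hashlib.sha256).hexdigest()[:16]


def reconstruct(share_a: bytes, share_b: bytes, expected_kcv: str) -> bytes:
    """Combine the shares and refuse to proceed if either share is wrong."""
    key = combine_shares(share_a, share_b)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("reconstructed key does not match its check value")
    return key


def share_consistent_with(share_a: bytes, candidate_key: bytes) -> bytes:
    """Show why one share gives nothing away: for ANY candidate key there
    is a share_b that pairs with share_a to produce it, so share_a alone
    is equally consistent with every possible key."""
    return bytes(k ^ a for k, a in zip(candidate_key, share_a))


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)
    admin1_share, admin2_share = split_key(key)
    kcv = key_check_value(key)
    assert reconstruct(admin1_share, admin2_share, kcv) == key
    print("both shares presented: key reconstructed, KCV", kcv)
```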

Besides the security benefits of protecting against fraud and abuse, job rotation also provides a great opportunity to cross-train your employees and to develop trained personnel to back up the primary employee in case of an emergency. Job rotation is definitely a control to consider when you’re writing your organization’s security policy. Third, we have mandatory vacation policies. Now, this is the other side of job rotation. With mandatory vacations, we require that every employee takes a vacation at some point during the year. This forces them to take a vacation, and it forces somebody else to come in and do their job functions for them. Once somebody else is performing those job functions while the other employee is out on vacation, they may uncover some kind of unusual activity, such as fraud or abuse, that has to be looked into further.

Now, in addition to the security benefits of protecting against fraud and abuse, job rotation and mandatory vacations also provide us with the ability to cross-train our employees and develop trained personnel to back up the primary employee in case of an emergency or if that employee quits their position. Fourth, we have employment and termination procedures. These policies are focused on what to do when you hire or fire an employee. When we consider this, we’re talking specifically about the information system security and not about the human resources portion of this process. But we still need to consult the human resources team when developing this part of our organizational security policy. Organizations need to consider how personnel are going to be screened and background checked for the positions you’re hiring for. How are these candidates going to be hired and how are they going to be onboarded? And how are they going to be terminated and offboarded when you’re done with them? When screening personnel, many organizations consider a candidate’s criminal background, their credit history, their work history, their educational background, their certifications and licenses, and even conduct drug tests. These various needs are all going to be decided by human resources, but our organization’s security policy should also address some of these areas if they’re pertinent to your business model.

When you’re hiring personnel, you need to make sure you’re requiring them to sign all the appropriate documents, including privacy statements and non-disclosure agreements. Then, the employee should undergo mandatory cybersecurity training and processing, which will end up with the employee being given access to the network and receiving their username, their password, and their hardware authentication token if you’re using multifactor authentication. From a physical security standpoint, the new employee also needs to get their building access identification badge and they need to get access to their work center. Now, while employees are generally very cooperative during the hiring and onboarding process, they may not be as cooperative if you’re terminating them. If termination is friendly, such as the employee leaving your organization for a better position elsewhere, they’re likely going to be cooperative and they’ll turn in their user access, their hardware tokens, their identification badge, and even conduct an exit interview.

During this type of offboarding process, it is also important to remove their access from the network and disable their accounts. Now, if the termination is unfriendly, such as when you have to fire an employee, then their network access and physical access should be removed immediately. The employee should also be escorted out of your building by security, ensuring they’re not taking any company resources, data, or property with them as they’re leaving. Fifth, we have training and awareness for our users. Now, there are three different terms used for user training and awareness, but each one has a slightly different meaning. These include security awareness training, security training, and security education. Security awareness training is used to reinforce for users the importance of their help in securing the organization’s valuable resources. This includes things like educating users on the current threats facing the organization, as well as what to do in the case of an event or an incident. All employees should attend security awareness training at least once a year.

Studies have shown that this is by far the best return on investment that a company can make in its security program, as users are one of the largest vulnerabilities in most organizational networks. The second type of training we have is known as security training, and this is used to teach the organization’s personnel the skills they need to perform their job in a more secure manner. This training is usually focused on the IT staff and administrators, as well as your other technical employees. For example, if you’re a system administrator and you’re sent to training to learn the most secure way to set up a user account or to create a password, this is a form of security training. This type of training is very procedure-based and specific to your network configuration. Now, security education is our third type. Security education is more general in nature. This course, for example, is security education for cybersecurity professionals who are looking to gain more expertise so they can better manage the security programs at their organizations.

This type of education is less procedural and more generalized for all networks and all organizations, as opposed to being focused directly on your particular network or your particular industry. Now, when you conduct security awareness training, you need to develop it based on the intended audience, and there may be multiple versions of this training. For example, this training might consider the risk faced by each level of the organization, such as a manager who faces different risks than somebody who works in accounting or somebody who works in IT. All of them have different needs. Specialized training can also be developed for our organization based on the applicable laws, regulations, and business models that we have. This type of training for management should include a discussion of policies, guidelines, and standards, whereas when we do it for technical staff, they may be given training on how to best identify and respond to an attack.

Also, whenever your organization conducts a security audit, you need to take the types of issues that are found there and feed those back into your training program. Let’s say you just did a penetration test and you found that a lot of your employees are clicking on links in phishing emails. Now you need to start training your users on how to recognize phishing and make that part of your training curriculum. If it’s found that employees are using weak passwords, for example, you need to train your employees on how to create more secure passwords. You want to feed all of that back into your training. Sixth, we have auditing requirements and their frequency. Auditing and reporting are essential items to our organization’s security, and they need to be discussed within our security policies. What we are going to audit, how it is going to be reported to management, and how often we are going to do those audits are all going to be detailed inside our policy, and they are things we need to fully think about. Audits may be required based on contractual obligations. For example, if you process credit cards, then you have to follow the requirements of PCI DSS.

And this requires that we conduct an external audit of our systems at least once per year. Now, if you’re in the Federal Government, then FISMA is going to apply to you, and it recommends you audit your systems at least annually too. Unfortunately, audits are only as useful as our configurations, and this is why it’s important to know what we’re going to audit, what the scope of that will be, and to what level. If we try to log and audit everything, we’re going to drown in a sea of logs, and this makes it very likely that we’ll miss something important. Conversely, if we don’t log and audit enough things, then we might miss something that’s really important. So there is a balancing act here. Now, this may sound like a lose-lose scenario and that all hope is lost, but that’s not true. With time, we can find the appropriate balance between auditing important items and neglecting others so we don’t bog down our systems and our staff with unnecessary or redundant auditing.

Over time, we’re going to develop patterns of behavior, and we can begin to use those to determine what is normal and what is abnormal for our organization, and this helps us fine-tune our auditing. For example, should we be concerned if a user tries to log in and uses the wrong password? Well, probably not, because a user may have just typed it in incorrectly. But should you be notified if they try to log in again three times with the incorrect password? Probably, because most users aren’t going to make the same mistake three times. In this case, our system may lock the user out and log that issue based on our lockout policy. This is the key to good auditing: deciding what the threshold is going to be that makes an event worthy of being reported in an audit.

Seventh, we have time of day restrictions. Now, time of day restrictions are a type of security control that relies on the normal operating hours of a business for its users and then limits any access they have outside of normal hours. For example, if my company operates between 9:00 and 5:00, there isn’t a reason for somebody to log in at 1:00 in the morning. For this reason, they would be blocked or denied. Setting up time restrictions is something that can be done as a technical control, but the overarching policy that defines what those normal times are is an operational control, and that’s why it’s listed here. Remember, when it comes to time of day restrictions, these are going to be used to reduce the impact of stolen credentials, because the attackers have to operate during your working hours to be able to use those credentials, and this gives your defenders a chance to catch them during your normal working hours.
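To tie together the auditing threshold from the failed-password example and the time of day restriction above, here is a small log review added for this write-up (not code from the course). It walks a constructed authentication log, reports a lockout-threshold event on the third consecutive failed password for a user, and flags any login attempt outside the 9:00 to 5:00 business hours; the log format, user names and event names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

FAILED_THRESHOLD = 3            # lockout policy: three consecutive failures
WORK_START, WORK_END = time(9, 0), time(17, 0)   # 9:00 to 5:00

# Constructed sample log lines (not from any real system):
# "<date> <time> <user> <event>"
SAMPLE_LOG = """\
2023-03-15 09:12:01 alice LOGIN_FAILED
2023-03-15 09:12:09 alice LOGIN_SUCCESS
2023-03-15 13:40:00 bob LOGIN_FAILED
2023-03-15 13:40:11 bob LOGIN_FAILED
2023-03-15 13:40:25 bob LOGIN_FAILED
2023-03-15 13:41:02 bob LOGIN_SUCCESS
2023-03-16 01:03:44 carol LOGIN_SUCCESS
"""


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split one log line into (timestamp, user, event)."""
    date, clock, user, event = line.split()
    return datetime.fromisoformat(f"{date} {clock}"), user, event


def outside_working_hours(ts: datetime, start=WORK_START, end=WORK_END) -> bool:
    """True when the time of day falls outside [start, end)."""
    return not (start <= ts.time() < end)


def review_log(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, user, finding) tuples worth reporting in an audit.

    A single typo is ignored; the counter of consecutive failures per user
    resets on a successful login and reports exactly once when it reaches
    FAILED_THRESHOLD. Every attempt outside working hours is reported,
    whether or not the password was correct.
    """
    findings = []
    consecutive_failures = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if outside_working_hours(ts):
            findings.append((ts, user, "OUTSIDE_HOURS"))
        if event == "LOGIN_FAILED":
            consecutive_failures[user] += 1
            if consecutive_failures[user] == FAILED_THRESHOLD:
                findings.append((ts, user, "LOCKOUT_THRESHOLD"))
        else:
            consecutive_failures[user] = 0
    return findings


if __name__ == "__main__":
    for ts, user, finding in review_log(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user:<6} {finding}")
```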
