Physical Security and IT Concerns

Questions and Answers

Why is physical security an IT concern despite robust cybersecurity measures?

  • Because firewalls are ineffective against physical threats.
  • Because physical access allows attackers to bypass all electronic security measures. (correct)
  • Because intrusion detection systems do not monitor physical breaches.
  • Because antivirus programs cannot detect physical intrusion.

Which of the following BEST describes the principle behind location protection as a measure of physical security?

  • Monitoring environmental conditions to prevent hardware damage.
  • Securing hardware against physical attacks like hard drive tampering.
  • Detecting unauthorized intrusion attempts on network hardware.
  • Using physical barriers and deterrents, such as locks, to restrict access. (correct)

In the context of physical security, what is the PRIMARY aim of using mechanical locking devices?

  • To digitally encrypt access logs.
  • To regulate network traffic.
  • To restrict access to digital media.
  • To protect access to physical spaces like buildings or containers. (correct)

What fundamental principle is exploited when lock picking tools are used to compromise a pin tumbler lock?

Manipulating the internal components to mimic the action of the correct key. (D)

What inherent vulnerability in locks does the expression "locks keep honest people honest" primarily highlight?

Locks deter casual attempts but offer little resistance to determined attackers. (C)

Before 1967, how did the Hays Code affect the depiction of lock picking in Hollywood movies?

It required censorship of detailed depictions of lock picking methods. (B)

Why is the potential to calculate the total number of possible locks useful in security assessments, and what limitation affects its practical application?

It helps estimate the brute-force resistance of a locking system, but is limited because not all theoretical combinations are physically possible. (B)

What is the key distinction between "picking" and "bypassing" a lock in the context of physical security?

Picking simulates the key's operation, while bypassing manipulates the lock without affecting its mechanism. (B)

How do side-channel attacks exploit vulnerabilities in physical security systems, and what makes them particularly challenging to address?

By circumventing security measures by exploiting other vulnerabilities indirectly related to the primary security controls. (C)

In the context of authentication, what critical consideration differentiates something a person has from something a person is?

Its inherent link to the individual's unique characteristics versus an assigned or acquired item. (B)

What is an important distinction between barcodes and more recent two-dimensional barcodes in the context of data encoding?

Barcodes use a one-dimensional encoding scheme, while two-dimensional barcodes use a two-dimensional pattern. (A)

Why are barcodes considered to provide more convenience than security for airline boarding passes?

Because barcodes can be easily duplicated and used fraudulently. (D)

What specific characteristic of magnetic stripe cards makes them vulnerable to data theft and cloning?

The ease with which magnetic stripe readers and writers can be obtained and used. (D)

How do smart cards enhance security compared to magnetic stripe cards, and what primary characteristic defines this improvement?

Smart cards incorporate an integrated circuit, enabling secure authentication and making duplication extremely difficult. (D)

What critical function does a SIM card perform in mobile phone security, and how does it achieve this?

It allows the user to authenticate to the cellular network using personal and contact information. (A)

What is the significance of the IMSI (International Mobile Subscriber Identity) stored on a SIM card, and how does it contribute to security?

It identifies the owner's country and network, used for authentication and preventing unauthorized access. (B)

How does Radio Frequency IDentification (RFID) technology facilitate data transmission, and what components are essential for its operation?

RFID utilizes an integrated circuit and a coiled antenna to transmit identification information. (A)

What is a key security consideration regarding RFID passports, and how do they attempt to mitigate the risk?

RFID passports are vulnerable to unauthorized reading, so communications are encrypted with a secret key. (A)

What is the PRIMARY function of biometric systems in physical security, and what process do they employ to achieve this?

To uniquely identify individuals based on biological traits, comparing scanned data to stored templates. (B)

Which of the following statements correctly evaluates a challenge associated with biometric identification systems?

Environmental factors can significantly affect biometric readings. (A)

How does the concept of "limited conductance" relate to direct environmental attacks on computing equipment?

It emphasizes the risk of short circuits if uncontrolled electrical connections occur due to environmental factors like flooding. (A)

What is 'shoulder surfing' and why is protection of the environment important?

Shoulder surfing involves direct observation of sensitive information, so the physical surroundings must be controlled. (B)

What is the primary characteristic of wiretapping attacks that makes them particularly difficult to detect in communication networks?

They are passive, without altering the original signal. (C)

Which of the following is the MOST effective countermeasure against acoustic emissions, used to reconstruct keyboard strokes?

Enclosing sensitive equipment in a room lined with sound-dampening (soundproofing) materials. (C)

How does a hardware keylogger operate, and why is it considered a significant threat to information security?

It records keystrokes by physically connecting between the keyboard and computer. (D)

What is TEMPEST, and what specific area of security does it address?

A U.S. government code word for standards limiting electromagnetic emanations from computing equipment. (A)

How does grounding and insulation of electrical cords mitigate electromagnetic attacks?

By making sure every such cord and cable is well grounded and insulated. (C)

In the context of protecting against electromagnetic emanations, what defines the functionality of a Faraday cage?

Blocking electromagnetic emanations with metallic conductive shielding or a mesh. (D)

Computer forensics may be employed by attackers to:

Uncover sensitive information. (A)

Why does an ATM have an internal cryptographic processor?

To encrypt the entered PIN. (D)

Besides Lebanese loop, which of the following types of attacks can be committed against ATMs?

Fake ATMs. (C)

Which of the following is NOT a risk associated with peripherals?

Distributed denial of service attacks. (C)

According to the content, what is a significant consequence that can arise from natural disasters?

A serious business interruption leading to business disaster. (A)

Loss of system integrity can occur, if:

If intruders gain physical access bypassing logical security. (A)

What should an organization do, to prevent an interruption due to physical theft?

Replace stolen components and have a backup. (D)

Why is insufficient physical security a concern for unauthorized disclosure of information?

Because it may enable intruders to obtain easy access to an organization's information assets. (A)

Layered defense approaches for physical and environmental security are divided into which of the following areas?

A and B. (C)

Why are physical entry controls important?

They restrict access to information-processing resources. (B)

Why must employees be required to wear some form of visible identification (ID badge)?

Positive identification and access control are mandatory. (A)

Why should an organization secure equipment?

To secure equipment from environmental threats, hazards, and opportunities for unauthorized access. (C)

Besides installing fire sensors, what else may be done in the event of a fire?

Dry-pipe systems should be standard. (D)

Following a smoke emergency, besides personnel, what may be impacted?

Equipment. (A)

What supporting utiliti(es) must an organization have?

Organizations require supporting utilities such as electric power, heating and air conditioning, and telecommunications equipment, which if disrupted lead to a loss of availability. (C)

In addition to a UPS, what else may be used to support critical business operations during an outage?

Backup generators. (C)

Besides electric power, what should Computer systems that manage critical information have?

Air-conditioning units. (D)

Flashcards

Physical Security

Using physical measures to protect resources.

Locks

A mechanical device to protect access.

Yale Pin Tumbler Lock

Modern version of the Egyptian single-pin design.

Pin tumbler lock: Key absence

When a key is not present, the pin stacks are pushed down by the springs.

Pin tumbler lock: Key inserted

Alignment allows rotation of the plug.

Pin tumbler lock: Wrong Key

When pins do not align along the shear line.

Tubular lock

Lock used on car alarms or vending machines.

Lock Picking

picking a lock had been the exclusive art of locksmiths

Lock picking laws

Varies significantly state-by-state

Lockpicking Tools

Feelers • Rakes • Tension tools

Lock Picking

Acting on the lock mechanism simulating the operation of the key

Lock Bypass

manipulation of the bolt without using the lock

Side Channel Attacks

exploiting other vulnerabilities not protected by the security mechanisms

Authentication

Usually based on a combination of what the person has, knows, or is.

Barcodes

A series of variable-width, vertical lines of ink, essentially a one-dimensional encoding scheme.

Barcodes in boarding passes.

an internal unique identifier used to look up passenger's record.

Magnetic stripe card

Contains personalized information

Magnetic stripe Security

readers can be purchased at a relatively low cost

Smart Cards

An integrated circuit, optionally with an on-board microprocessor

Smart Card Authentication

a means of strong authentication using cryptography

SIM Cards

subscriber identity module card (SIM card)

SIM card Security

integrated circuit card ID (ICCID)

RFIDs

Radio frequency identification.

RFID Technology

Transmitting via radio waves

Passports

an embedded RFID chip contains information about the owner

Passport Security

Secret key is merely the passport number, the holder's date of birth and the expiration date

Biometrics

uniquely identify a person based on biological or physiological traits

Universality

Almost every person should have this

Distinctiveness

Each person should have noticeable differences in the characteristic

Permanence

The characteristic should not change significantly over time

Collectability

The characteristic should have the ability to be effectively determined and quantified

Electricity attacks

Requires electricity to function

Temperature attacks

Computer chips have a natural operating temperature

Eavesdropping

Secretly listening on another person's conversation

Eavesdropping observation

Also known as shoulder surfing

Direct attacks against computers

electrical impulses that travel through the cables

Key strokes

Hardware Keyloggers

TEMPEST

standards for limiting information-carrying electromagnetic emanations (flow) from computing equipment.

Emanation Blockage

enclose sensitive equipment in a windowless room

Faraday Cages

metallic conductive shielding or a mesh

Study Notes

Is Physical Security An IT concern?

  • Securing a network from cyber attacks requires hard work
  • This is done using redundant layers of antivirus programs, firewalls, and intrusion detection systems
  • These measures protect against every possible electronic method of entry
  • An attacker gaining access to the server room or network wiring closet raises questions about network safety

Physical Security

  • The use of physical measures to protect valuables, information, or access to restricted resources
  • Location protection involves physical barriers like locks
  • Physical intrusion detection involves detecting unauthorized access
  • Hardware attacks can target hard drives, network adapters, memory chips, or microprocessors

Locks and Safes

  • Mechanical locking devices have protected access to buildings, vehicles, and containers since ancient times
  • Locks are used to secure physical locations where computers and digital media are stored

1860: Yale Pin Tumbler Lock

  • Modern version of the Egyptian single-pin design
  • Locks utilize two pins for locking
  • This uses the double-detainer theory of locking
  • The design creates a shear line

How Pin Tumbler Locks Work

  • Without a key, pin stacks are pushed down by springs
  • The driver pins span the plug and outer casing, preventing rotation
  • With the correct key, ridges push up the pin stacks, aligning cuts with the shear line
  • Alignment of cuts with the shear line allows the plug to be rotated
  • When an inappropriate key is inserted, pins do not align along the shear line, and the lock does not turn

Tubular Locks

  • Typically found on car alarms or vending machines
  • Locks have 6-8 pins
  • Easy to pick with special tools
  • The tool to pick the lock could become a new key.

Attacks - Compromising Locks

  • Locks have been a cornerstone of physical security for centuries
  • Many people rely on them daily to protect people and assets
  • The trust most people place in locks may be unwarranted
  • Locks can be easily compromised with nondestructive methods
  • This can take seconds using readily available tools
  • "Locks keep honest people honest"

Lock Picking

  • Lock picking was exclusive to locksmiths, professional thieves, spies, and magicians for years
  • Information about lock-picking methods and tools has become readily available with the advent of the Internet
  • YouTube hosts many lock-picking videos
  • Laws regarding lock picking vary significantly by state
  • In most states, purchasing and possessing dedicated lock-picking tools is legal
  • Penalties are raised when caught using them in the commission of a crime

Lock Picking in Movies

  • Genuine lock picking in movies was prohibited
  • Before 1967, the Hays code (Motion Picture Production Code) required censorship of Hollywood movies
  • Under this censorship, detailed depictions of crime, such as lock picking or mixing of chemicals to make explosives, had to be removed

Lockpicking Tools

  • Feelers
  • Rakes
  • Tension tools

Protecting Against Brute-Force Attacks

  • The total number of possible locks is calculated as 40 × 8^7 = 83,886,080
  • Not all of these are possible, due to difficulties

Pick vs Bypass

  • Locks can be opened non-destructively either by picking or bypassing
  • Picking is acting on the lock mechanism and simulating the operation of the key
  • Bypassing is manipulating the bolt without using the lock

Side Channel Attacks

  • Rather than directly bypass security measures, an attacker goes around them
  • This is done by exploiting other vulnerabilities not protected by the security mechanisms
  • Side channel attacks are often surprisingly simple to perform

Authentication

  • Authentication involves determining identity based on a combination of what the person has, knows, and is
  • This includes the following:
    • Barcodes
    • Magnetic stripe cards
    • Smart cards
    • RFIDs
    • Biometrics

Barcodes

  • Developed in the 20th century to improve efficiency in grocery checkout
  • First-generation barcodes represent data as variable-width vertical lines, creating a one-dimensional encoding
  • More recent barcodes use two-dimensional patterns readable by specialized optical scanners

Authentication via Barcodes

  • Airlines have used barcodes on boarding passes for flight check-in and boarding since 2005
  • The barcode encodes an internal unique identifier used to look up the passenger's record
  • Authentication involves verifying that the boarding pass was purchased in that person's name and checking a photo ID
  • Barcodes provide more convenience than security

Magnetic Stripe Cards

  • Plastic cards with a magnetic stripe contain personalized information about the cardholder
  • The first track contains the cardholder's full name, account number, format information, and other data
  • The second track may contain the account number, expiration date, issuing bank information, track format, and discretionary data

Magnetic Stripe Card Security

  • A vulnerability of magnetic stripe cards is that they are easy to read and reproduce
  • Attackers can buy magnetic stripe readers at low cost to read data
  • Coupled with a magnetic stripe writer, attackers can clone cards easily
  • PIN entry is often required for card usage to improve security

Smart Cards

  • Smart cards incorporate an integrated circuit, optionally with an on-board microprocessor
  • Microprocessors have reading and writing capabilities, which allows data to be accessed and altered
  • Smart card technology can provide secure authentication mechanisms that protect the information and are difficult to duplicate

Smart Card Authentication

  • Commonly employed by large companies and organizations for strong authentication using cryptography
  • May be used as an "electronic wallet" containing funds for various services like parking, transport, and retail transactions.

SIM Cards

  • Many mobile phones use a special smart card called a subscriber identity module card (SIM card)
  • The SIM card is issued by a network provider
  • It maintains personal and contact information for a user
  • The user can then authenticate to the cellular network

SIM Card Security

  • SIM cards contain several pieces of information that are used to identify the owner and authenticate to the appropriate cell network.
  • Each SIM card corresponds to a record in the database of subscribers maintained by the network provider.
  • A SIM card features an integrated circuit card ID (ICCID), which is a unique 18-digit number used for hardware identification.
  • A SIM card contains a unique international mobile subscriber identity (IMSI), which identifies the owner's country, network, and personal identity.
  • SIM cards also contain a 128-bit secret key used for authenticating a phone to a mobile network.
  • Many SIM cards require a PIN as an additional security mechanism before allowing any access to information on the card.

RFIDs

  • Radio frequency identification (RFID) is a rapidly emerging technology
  • It relies on small transponders to transmit identification information via radio waves
  • RFID chips feature an integrated circuit for storing information
  • A coiled antenna transmits and receives a radio signal.

RFID Technology

  • RFID tags must be used in conjunction with a separate reader or writer.
  • While some RFID tags require a battery, many are passive and do not.
  • The effective range of RFID varies from a few centimeters to several meters
  • In most cases, since data is transmitted via radio waves, it is not necessary for a tag to be in the line of sight of the reader

Wide Variety of RFID Applications

  • Consumer product tracking
  • Car key fobs
  • Electronic toll transponders.

Passports

  • Modern passports from several countries, including the United States, feature an embedded RFID chip
  • RFID chips contain information about the owner, including a digital facial photograph
  • Airport officials can use the photograph to compare the passport's owner to the person who is carrying it

Passport Security

  • To keep sensitive information private, all RFID communications are encrypted with a secret key
  • In many cases, the secret key is simply the passport number, the holder's date of birth, and the expiration date
  • All of this information is either written out or encoded on the card with barcodes or other optical techniques
  • Even though the secret key is meant to be available only to people with direct access, an attacker could reconstruct the key because passport numbers are ordered

Biometrics

  • Refers to any measure used to uniquely identify a person based on biological or physiological traits.
  • Biometric systems incorporate some sort of sensor or scanner to read in biometric information
  • This information is compared to stored templates of accepted users before access is granted

Requirements for Biometric Identification

  • Universality: Almost every person should have this characteristic
  • Distinctiveness: Each person should have noticeable differences in the characteristic
  • Permanence: The characteristic should not change significantly over time
  • Collectability: The characteristic should have the ability to be effectively determined and quantified

Biometric Identification

Candidates for Biometric IDs

  • Fingerprints
  • Retinal/iris scans
  • DNA
  • "Blue-ink" signature
  • Voice recognition
  • Face recognition
  • Gait recognition identifies people by analyzing their walking patterns
  • Universality, distinctiveness, permanence, and collectability should be considered for each

Direct attacks against computers - Environmental attacks

  • Electricity: Computing equipment requires a steady, uninterrupted power supply to function
  • Temperature: Exceeding the natural operating temperature of computer chips can cause severe damage
  • Limited conductance: Electronic equipment relies on limited conductance in its environment; a short circuit can result when random parts of a computer become electrically connected

Direct attacks against computers - Eavesdropping

  • Eavesdropping is secretly listening in on another person's conversation.
  • Protecting sensitive data goes beyond just computer security, and also encompasses where it is being read and entered
  • Eavesdropping techniques
    • Using social engineering to allow the attacker to read information over the victim's shoulder
    • Installing small cameras to capture the information as it is being read
    • Using binoculars to view a victim's monitor through an open window.
  • Direct observation techniques are known as shoulder surfing

Direct attacks against computers - Wiretapping

  • Communication networks use inexpensive coaxial copper cables
  • These transmit information via electrical impulses
  • Inexpensive means can be used to measure these impulses and reconstruct the data being transferred through a tapped cable
  • The attacker can then eavesdrop on network traffic
  • This wiretapping is passive because there is no alteration of the signal

Direct attacks against computers - Signal Emissions

  • Computer screens emit radio frequencies that can be used to detect what is being displayed
  • Visible light reflections can also be used to reconstruct a display from its reflection on a wall, coffee mug, or eyeglasses
  • Both of these require the attacker to have a receiver close enough to detect the signal

Direct attacks against computers - Acoustic Emissions

  • Dmitri Asonov and Rakesh Agrawal published a paper in 2004 on using audio recording of keyboard typing to reconstruct what was typed
  • Each keystroke has minute differences in the sound it produces, and certain keys are known to be pressed more often than others
  • After training an advanced neural network to recognize individual keys, their software recognized an average of 79% of all keystrokes

Direct attacks against computers - Hardware Keyloggers

  • A keylogger is any means of recording a victim's keystrokes
  • Keyloggers access passwords or other sensitive information
  • Hardware keyloggers are small connectors installed between a keyboard and computer
  • For example, a USB keylogger is a device containing male and female USB connectors

TEMPEST

  • US government code word for limiting information-carrying electromagnetic emanations (flow)
  • TEMPEST establishes three zones of protection:
    • An attacker has almost direct contact with the equipment, such as in an adjacent room or within a meter of the device in the same room
    • An attacker is less than 20 meters from the equipment or is blocked by a building providing an equivalent amount of attenuation
    • An attacker is less than 100 meters from the equipment or is blocked by a building providing an equivalent amount of attenuation

Emission Blockage

  • To block visible light, put sensitive equipment in a windowless room
  • To block acoustic emissions, put the equipment in a room lined with sound-dampening materials
  • Make sure every such cord and cable is well grounded and insulated to block electromagnetic emanations

Faraday Cages

  • Surrounding sensitive equipment in an area with metallic conductive shielding or mesh
  • The holes must be smaller than the wavelengths of the electromagnetic radiation that you wish to block from getting in.

Computer Forensics

  • The practice of obtaining information contained on electronic media, such as computer systems, hard drives, and optical disks
  • It is usually for gathering evidence to be used in legal proceedings.
  • Advanced techniques are also unfortunately employed by hackers

Computer Forensics Analysis

  • Typically involves the physical inspection of the components of a computer, sometimes at a microscopic level
  • It can also involve electronic inspection of a computer’s parts as well.

Special-Purpose Machines - ATMs

  • An automatic teller machine (ATM) allows customers of financial institutions to complete withdrawal and deposit transactions without human assistance
  • Customers insert a magnetic stripe credit or debit card, enter a PIN, and then deposit or withdraw cash from their account
  • The ATM encrypts the entered PIN and compares it to an encrypted PIN stored on the card or in a remote database

Special Purpose Machines - Attacks on ATMs

  • Lebanese loop: a sleeve that a perpetrator inserts into the card slot of an ATM
    • When a customer inserts their credit card, it sits in the sleeve
    • This is out of sight from the customer, who thinks that the machine has malfunctioned
    • After the customer leaves, the perpetrator can then remove the sleeve with the victim's card
  • Skimmer: reads and stores magnetic stripe information when a card is swiped
    • An attacker can install a skimmer over the card slot of an ATM and store customers' credit information without their knowledge
    • Later, the attacker duplicates the original cards.
  • Fake ATMs: capture both credit/debit cards and PINs at the same time

Peripheral Security

  • Risks associated with common peripherals can come from removable media, laptops, shoulder surfing, discarded devices, and printed documents
  • To mitigate risks, we need to control access to devices such as printers, copiers, mobile devices, imaging devices, or any other devices that store data and are connected to networks

Threats to physical and environmental security

  • Energy, for example, electricity
  • Equipment, for example, mechanical or electronic component failure
  • Fire and Chemical, for example, explosion, smoke, or industrial pollution
  • Human, for example, riot, war, terrorist attack, or bombing
  • Natural Disaster, for example, earthquake, volcano, landslide, or tornado
  • Pandemic disease, for example, bacteria or virus
  • Weather, for example, sandstorm, humidity, flood, or lightning

Environmental Disruption

  • Natural disasters and man-made environmental problems are some of the most prevalent threats

Interruptions to Service

  • Serious business interruption may cause business disaster

Loss of System Integrity

  • If intruders are able to gain physical access to hardware components, they may be able to bypass logical access controls
  • With this direct access, they can carry out illegal actions on systems and components

Physical Theft

  • Organizational functions may be interrupted if there is no backup or the organization does not replace stolen components in a timely manner

Unauthorized Disclosure of Information

  • Insufficient physical security controls may give intruders easy access to an organization's information assets

Physical and environmental security

  • Best managed using a layered defense approach

The layered defense approaches

  • Divided into two broad areas:
    • Physical security of premises and offices
    • Physical security of equipment

Physical Entry Controls

  • Restrict access to information-processing resources by allowing only authorized individuals in the area
  • Control the entry and exit of employees, equipment, and media from an area
  • Area examples include the following:
    • An office building
    • Data center
    • Areas that contain critical information-processing resources

Access controls for employees and visitors

  • Employee access - Restriction of employee access depends on the need for access, job function, and responsibilities
  • Positive identification and access control are mandatory and must involve an ID badge
  • Visitor access - Permit visitor access only to those areas where they have specific and official purposes

Equipment Placement and Protection

  • Organizations should secure equipment from environmental threats, hazards, and opportunities for unauthorized access
  • Organizational assets face destruction from exposure to fire, smoke, water, and other hazards
  • Information and information processing resources should be protected with a diverse set of countermeasures

Protection Cont.

  • Fire - install fire sensors, heat sensors, smoke sensors, fire extinguishers or sprinkler systems
  • Sprinklers - water-based sprinklers should be dry pipe systems that do not have water in normal conditions
    • In the equipment rooms, avoid water
  • Smoke is hazardous to both personnel and equipment
  • Smoke may originate from malfunctioning computer systems or electrical fires
  • If a system's requirements demand uninterrupted processing in the event of a prolonged outage, a backup generator should be considered
  • A UPS can be used to support critical business operations to provide enough time for system administrators to shut down systems and equipment
  • Systems that manage critical information should have air-conditioning units that provide continuous monitoring and recording of temperature and humidity
