Thursday, December 20, 2012

Defense in Depth Layer 2: Physical Security


“Security is always excessive until it's not enough.”
— Robbie Sinclair, Head of Security, Country Energy, NSW Australia


The next layer of Defense in Depth (DID), working inward or upward, is physical security.  Preventing access to items that should remain secure may seem like a no-brainer, but physical security is often taken for granted, and complacency can lead to lax security efforts.  The purpose of physical security is to make it extremely difficult, if not impossible, for intruders to gain access to tangible assets such as personnel, servers, network equipment and cabling, computers, data storage devices, and other valuable resources.

This image, retrieved from http://technet.microsoft.com/library/dd365117.aspx, refreshes the memory of our DID layers.  



The Facilities Physical Security Measures Guideline by ASIS (http://www.abdi-secure-ecommerce.com/asis/ps-920-30-1854.aspx) suggests that there are eight main categories of physical security.  We will use these categories to address the layers of security within the physical layer:

1. Crime Prevention Through Environmental Design (CPTED)
-Uses architectural design and the physical environment as protection against opportunities for crime
-Relies on an awareness of how people use space for legitimate and illegitimate purposes
-Designed to support and control desired and acceptable behaviors
-Uses mechanical measures (locks, gates, etc.), organizational measures (teaching employees how to protect themselves and the spaces they occupy, routine activity theory/capable guardians), and natural/architectural measures (spaces are designed to be effective for users while at the same time deterring crime)

2. Physical Barriers and Site Hardening (keeping unwanted parties out)
-A physical barrier may be natural (fields, rivers, mountains) or structural (landscaping, ditches, walls, doors, roofs).
-Meant to physically and psychologically discourage unauthorized access
-Keeps people and property within a given area, e.g. keeps property from being thrown out the window to be retrieved later
-Directs pedestrian or vehicle traffic in predictable patterns
-Demonstrates a concern for security, e.g. indicates there are further security measures in store
-May delay access by determined attackers
-Includes protection for practical openings (doors and windows) and other openings (ducts, vents, utility channels, tunnels)
-Examples:  Fences (chain-link, barbed wire, ornamental, wooden, concrete, etc.), planters, bollards, concrete barriers, steel barricades, gates, turnstiles, fortification with steel bars and wire mesh, etc.
-Site hardening includes protecting structural integrity against attacks and natural disasters and provides for redundancy of operating systems and utilities.

3. Physical Entry and Access Controls (allowing some people in and keeping others out)
Access control systems may be manual (use personnel to control access), machine-aided manual (e.g. metal detectors), or automated (use technology alone to control access).
-Access control barriers – doors, gates, turnstiles, elevators, etc.
-Electronic access control systems – require credentials, i.e. something you know, something inherent to you, and something you carry
-Personnel access control – tokens or other items in an employee’s possession, e.g. metal key, swipe card, photo ID card, password, PIN, biometric features (fingerprint, iris/retinal patterns, speech)
-Locks – mechanical, electrified, electromagnetic, card-operated, biometric, key system, etc.
-Contraband detection – physical searches by security officers or trained canines, metal detectors, x-ray machines, explosive detectors, etc.
-Vehicle access control – placards, stickers, RFID tags, bar codes, etc.
-Procedures and controls – should address such issues as wearing of badges, number of access attempts allowed, list of prohibited materials, access hours and levels of access, authorized visitor access, etc.


Image retrieved from http://gcn.com/articles/2012/10/30/free-suite-tests-for-biometric-compliance.aspx.


4. Security Lighting
-May deter adversaries and suspicious activities
-Improved surveillance and security response
-Reduced liability
-Witness potential
-Useful both outdoors and indoors
-Intensity is a factor
-Many different lighting types and applications, e.g. continuous, standby, emergency, floodlight, LED, etc.
-Requires adequate power, mounting, and maintenance

5. Intrusion Detection Systems (Alarm Systems)
-Deter intruders when warning signs are posted
-Detect an impending or actual security breach
-Delay intruders by activating other physical barriers
-Respond by pinpointing location of intrusion and where the intruder has moved
-Examples:  position detection devices, motion detectors, sound detectors, vibration sensors, heat sensors, impact sensors
-Include alarm transmission, monitoring, and notification

6. Video Surveillance
-Systems are usually closed-circuit television (CCTV) systems.
-Detects activities that call for a security response
-Collects images of an incident for later review and evidence if needed
-Assists in alarm analysis
-There are a variety of considerations for camera types, requirements, and features, e.g. motion detecting, transport medium, length of storage, resolution, lighting, lens selection, etc.
-Requires adequate power, mounting, and maintenance

7. Security Personnel
-Implements, monitors, and maintains physical security measures
-May include Chief Security Officer (CSO), security manager, security officer, guard, etc.
8. Security Policies and Procedures
Although we discussed policies and procedures in last week’s post, it is important to note that special consideration should be given to physical security measures.
-Establish strategic security objectives and priorities
-Set forth responsibilities and expectations for all people in the organization
-Must be communicated effectively

At this point, it would be a good idea to briefly mention the concept of security convergence.  Security convergence is the integration of physical security and logical security (cybersecurity).  The theory is that a holistic approach to security will yield more benefits than either one alone will.  It provides a more streamlined approach to management that maximizes efficiencies.  We will revisit this topic at another time.  

Whew!  There was a lot of information to cover here.  Next time we will discuss perimeter security as we begin our move to the creamy nougat center of our DID layer model. (Blogging makes me hungry!)

Thanks for reading!

Jen

Thursday, December 13, 2012

Defense in Depth Layer 1: Policies/Procedures/Awareness/Education

“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
— Bruce Schneier


The outermost layer of the Defense in Depth (DID) strategy is formed by policies and procedures that govern a company’s information security practices as well as the awareness and education of these practices in general. 

Don’t cue the collective eye roll just yet!  While most people don’t appreciate the documentation of do’s and don’ts, policies and procedures serve an important purpose.  Security is everyone’s responsibility; making that fact known upfront can prevent many problems. 

Side Note:  Information security potentially begins at the hiring process.  It is important to hire people who are proactive, have good attitudes, and are willing to comply with company policies.  Once those people are hired, they should be properly trained and treated well.



1. The Purpose of Security Policies and Procedures
There are various reasons to create and implement security policies and procedures. 
-To establish the necessary requirements to prevent or minimize accidental or intentional unauthorized access and/or damage to company technology
-To provide consistent guidelines for best security practices
-To communicate the importance of security to all employees
-To establish minimum safeguards
-To satisfy regulations or laws

2. The Elements of a Solid Security Policy
The security policy should include the following components:
-Purpose
-Scope 
-Definitions and acronyms 
-Policy topics 
-Enforcement 
-Compliance 
-Revision history 
-Related policies and procedures 
-Contact information

3. Security Policy Topics
The tenets of Confidentiality, Integrity, and Availability should be upheld in all security efforts. In order to implement and maintain a successful security effort, certain topics should be addressed in the security policy to support these principles, including:
-Roles and responsibilities of all staff members 
-Handling confidential, sensitive, and proprietary information 
-Appropriate email and Internet usage 
-Instant messaging 
-Downloading and opening attachments 
-Responding to potential security threats and attacks 
-Proper use and maintenance of user names and passwords 
-Saving and backing up data 
-Hardware and software installation 
-System access and updates 
-Malware avoidance and protection
-Mobile device usage, BYOD, etc. 
-Removable media usage, e.g. USB storage devices 
-Remote access and telecommuting 
-Power irregularities 
-Data storage and disposal 
-Technology standards 
-Other best security practices as applicable

The Policies/Procedures/Awareness/Education efforts should be reevaluated on a regular basis in order to keep up with new threats and vulnerabilities and to prevent complacency.  In order for security efforts to be successful, they must be enforced; even better, they should be modeled by upper management and IT staff.

As the saying goes, the best defense is a good offense.  In the pursuit of information security, it makes sense to start by educating the users of the information to be secured.  With all the external threats out there, it would be tragic if the threat came from within in the form of an unaware or misinformed employee.

Next time, we’ll discuss how physical security measures can provide tangible protective barriers to secure information. 

Thanks for reading!

Jen

Thursday, December 6, 2012

Defense in Depth: The Layered Security Solution

“Better to be despised for too anxious apprehensions, than ruined by too confident security.”
— Edmund Burke


In order to maintain some cohesion throughout this blog experience, I have decided to focus on Defense in Depth (DID) as an information security solution.  I will begin by providing an overview of the DID structure, then subsequent postings will discuss each of the components in greater detail.

There are several DID models out there, but most of them include the following general categories, listed from outermost to innermost layer:

1. Policies/Procedures/Awareness/Education
2. Physical
3. Perimeter
4. Internal Network
5. Host
6. Application
7. Data

The following image, retrieved from http://technet.microsoft.com/en-us/library/cc512681.aspx, is a representation of these layers.

Each of these layers represents an opportunity to incorporate security into the information technology framework to make sure all the bases are covered, so to speak.  Taking a layered approach to security by including defense measures at each layer can greatly reduce the risk and effects of vulnerability, attacks, and intrusions, thereby saving a lot of time, money, and frustration.

DID is historically based on a military strategy to bolster defenses so that one breach will only lead to more defense measures; such a strategy may exhaust the resources of the offense in the meantime, allowing key defensive resources to remain protected.  There are, however, advantages and disadvantages to this strategy.

DID’s main advantage is, of course, added security.  DID creates multiple layers of protection so that if one defensive measure fails, there are more behind it to continue protecting the assets.  This is especially important because a combination of many different kinds of security tools is required to provide protection from modern threats; there is no single solution for the information security problems being faced today.

DID’s main disadvantage is complexity.  Implementing security at every layer takes a lot of planning and valuable resources.  It is important to consider if and how security measures can work together as well as the maintenance, administration, and monitoring that is required for each.  DID must achieve a balance between protection capability and cost, performance, and operational considerations.

Overall, DID is really an application of best practices; this approach to information security makes a lot of sense.  More equals better in most cases, right?  But the important question to answer is “More of what?”  That is what we will seek to find throughout this blog series.

Join me next time to learn about how policies and procedures provide the hard outer shell to the DID structure.

Thanks for reading!

Jen

Wednesday, November 28, 2012

An Introduction


Welcome, and thank you for visiting my blog!  As the name implies, I will be pursuing a deeper understanding of Information Security by exploring relevant topics on a weekly basis.  Please feel free to comment on any of the posts.  
Best regards, 
Jen