Security fundamentals Topic 11 Maintaining operational security.

1 Security fundamentals Topic 11 Maintaining operational security

2 Agenda
– Establishing site security
– Secure removable media
– Secure mobile devices
– Secure disposal of equipment
– Business continuity

3 Site security
– Physical access control
  – Secure with lock and key
    – Protection from theft, disasters and accidents
    – Unencrypted data can be accessed if physical access to servers can be obtained
    – Access only to authorised personnel with a specific reason to access
    – Most maintenance and configuration tasks can be performed remotely
    – Concentric rings: lock server room, lock rack cabinet etc
    – Sign-in log for access to server room, cameras, key cards, monitoring
    – Building integrity and security: floors, walls and ceilings
  – Biometrics for access control (eg doors)
    – Fingerprints/hand geometry, retinal scans, speech or face recognition

4 Human factor
– Compromise between the need to protect and the need to provide access
– If security methods are too restrictive, users will try to circumvent them
– Educate and train users on the need to follow secure practices and the dangers and consequences of insecure practices
  – Social engineering to trick users into revealing information that could compromise the system

5 Environment
– Data centres and server rooms typically have
  – Air conditioning, air filtration, humidity control, power conditioning
– Fire suppression
  – Flood the room with inert gas replacing the oxygen
  – Fire put out without water and foam
  – Emergency alarms for evacuation
  – FE-13 and FE-36 gas less damaging to ozone layer than halon
– Wireless networking
  – Issue of signal range, careful placement of antennas
  – Minimise transmission power levels
  – Shield the operational area
  – Encrypt wireless communications
  – Cellular communications have greater risks as they have a greater signal range

6 Disaster recovery
– Any occurrence that prevents your network from operating properly
– Backups:
  – Regular backups and testing with regular restores
  – Operating systems and backup software must be installed first before recovery begins, which increases recovery time
– Offsite storage
  – Keeping offsite data confidential: vault or fireproof safe, protected with access control
  – Replacement hardware: will backups work on newer hardware?
– Secure recovery
  – Alternate sites
    – Mirrored servers in a protected environment
    – Computers, office space, temporary workers
    – Test platform for emergency services
    – Hot site: immediate failover; cold site: restores required
  – Disaster recovery plan
    – What tasks must be done
    – Who is responsible for doing them?

7 Securing removable media
– How to secure confidential data and how to dispose of media
– Floppy disks
  – Disable or remove floppy disk drives
  – Clean by passing through a magnetic field
– Hard disks
  – Limit the use of removable disks to servers and physically secure computers
  – Very portable, but fragile if dropped
– Writable optical media
  – 5 GB on DVD, 700 MB on CD, small backups and archives
  – Protect disks from scratches and sunlight
  – Password protect the disk or encrypt the data if required
  – Limit writable drives (install CD, DVD-ROM) and disable USB ports

8 Securing removable media
– Magnetic tape
  – Low cost, high speed, large capacity
  – Robotic tape changers allow for unattended backups
  – QIC, DAT, DLT, LTO
  – Not random access
  – Limit the use of tape drives and encrypt the data
– Flash media
  – High capacity and small size
  – Protect data by encrypting
  – Disable USB ports
– Smart cards
  – Information on card is encrypted
  – Cards can be lost or stolen, so not sufficient as the only method of authentication
  – Authentication when used with PIN or password

9 Securing mobile devices
– Antitheft devices
  – Motion alarms, locking cables and tracking equipment
– Identifying marks and colours
  – ID engraving
– Data encryption
  – Confidential data
– Monitor use when connected to the network

10 Secure disposal
– Ensure permanent erasure of all data from computer and media
– To permanently destroy data:
  – Use specialised software to overwrite data multiple times
  – Use the cipher command from cmd to remove data
  – Degauss by exposing to strong magnetic field
  – Physically destroy the media
    – Floppies: magnetise and shred disks
    – Tapes: overwrite multiple times and shred
    – Hard drives: repeated overwriting
    – Optic media: destroy the disk, don't burn due to toxic fumes
  – Documents
    – Shred paper documents to protect from dumpster diving

11 Business continuity
– Planning phase:
  – Identify the mission-critical processes
  – Identify all of the resources required for the mission-critical processes to operate
  – Rate the relative importance of the mission-critical processes
  – Decide on a course of action to undertake for each mission-critical process
    – If critical, move process to a branch office or activate a fallback facility with backup equipment
    – If less critical, consider purchasing insurance to cover the financial losses resulting from the interruption
– Implement the plan
– Test the plan regularly and train employees

12 Business continuity preparation
– Back up data and store copies offsite
– High availability and fault tolerance
  – RAID for disk failure
  – Clustered servers for server failure
  – Mirrored servers at alternate location
  – Duplicate office configuration
  – Duplicate WAN links
  – Procurement plans and contracts to replace equipment and personnel
– Utilities
  – Power: UPS, backup generator with failover switch
  – Water
  – Mail and courier services

13 Lesson summary
– How to go about establishing site security
– Types of removable media and mobile devices, and how to secure them
– How to securely dispose of equipment
– What to consider to maintain business continuity

