Transcript Fail-secure

Physical Layer Security
Lecture 2
Supakorn Kungpisdan
[email protected]
NETE4630 Advanced Network
Security and Implementation
1
Roadmap
 Defending the Physical Layer
 Attacking the Physical Layer
NETE4630 Advanced Network Security and Implementation
2
Defending the Physical Layer
 The point at which protection should begin
 Security Controls have three primary goals:
 Deter: security lighting and “Beware of Dog” sign
 Delay: fences, gates, locks, access controls, and mantraps
 Detect: intrusion detection systems (IDSes) and alarms
 Higher layers focus on preventing disclosure, denial, or
alteration of information
 Physical security focuses on intruders, vandals, and
thieves
NETE4630 Advanced Network Security and Implementation
3
Physical, Technical, and Administrative Controls
NETE4630 Advanced Network Security and Implementation
4
Design Security
 Design security should begin during the design phase, not
at the time of deployment
 Physical security of assets and employees should be
considered when designing a new facility; well-designed
facilities are comfortable and secure
NETE4630 Advanced Network Security and Implementation
5
Key Issues of Design Security






Location
Construction
Accessibility and Transportation
Climatology
Utilities
Access Control
NETE4630 Advanced Network Security and Implementation
6
Perimeter Security
 What to examine:
 Natural boundaries at the
location
 Fences or walls around the
site
 The design of the outer
walls of a building
 Divisions and choke points
within a building
 A series of mechanisms
includes:
 Fences
 Perimeter Intrusion
Detection and Assessment
Systems (PIDAS)
 Security lighting
 Closed-circuit television
(CCTV)
 Security guards and guard
dogs
 Warning signs and notices
NETE4630 Advanced Network Security and Implementation
7
Fencing
 A fence with proper design and height can delay an
intruder and work as a psychological barrier
 A risk analysis should be performed to evaluate types of
physical assets to be protected
 4-foot fence will deter a casual trespasser
 8-foot fence will keep a determined intruder out
 Need to consider gauge and mesh size of the wire
 The smaller the mesh, the more difficult it is to climb
 The heavier the gauge, the more difficult it is to cut
NETE4630 Advanced Network Security and Implementation
8
Gauge and Mesh
16G with 50mm vs 25 mm mesh
NETE4630 Advanced Network Security and Implementation
9
Fencing (cont.)
NETE4630 Advanced Network Security and Implementation
10
PIDAS
 Perimeter Intrusion Detection and Assessment Systems
 PIDAS has sensors that detect intruders and feel
vibrations along the fence
 The system may produce false positives due to stray deer,
high winds, or other natural events
NETE4630 Advanced Network Security and Implementation
11
Gates, Guards, and Ground Design
 UL Standard 325 details requirements for gates with 4
classifications:




Residential Class 1
Commercial Class 2
Industrial Class 3
Restricted Access Class 4
 Bollards are made of concrete or steel and used to block vehicle
traffic or to protect areas where pedestrians are entering or leaving
buildings
 Security guards need to have job references and be subjected to a
background check
 Web site operation and private investigators
NETE4630 Advanced Network Security and Implementation
12
Bollards
NETE4630 Advanced Network Security and Implementation
13
Gates, Guards, and Ground Design (cont.)
 Dogs are loyal but can be unpredictable.
 Dogs are restricted to exterior control and should be used with caution
 Lighting can discourage criminals
 Most standards list two candlefoot power as the norm for facilities
using nighttime security.
 Too much light causes over-lighting and glare. It may bleed over
adjacent property
 With CCTV, activities can be monitored live by a security officer or
recorded and reviewed later
 British government has installed over 1.5 million CCTV cameras
 Warning signs or notices should be posted to deter trespassing
NETE4630 Advanced Network Security and Implementation
14
Facility Security
 “Anyone with physical access has the means and the
opportunity to commit a crime”
 Least Privilege: providing only the minimum amount of
access that is required, and restricted non-authorized
individuals from entering sensitive areas
 Can achieve by examining windows, doors, locks, walls,
access control, intrusion detection
NETE4630 Advanced Network Security and Implementation
15
Entry Points
 Doors, windows, roof access, fire escapes, delivery
access, and chimneys
NETE4630 Advanced Network Security and Implementation
16
Entry Points: Doors
 Door functions determine its construction, appearance,
and operation
 A door designed for security purpose is very solid and
durable, with hardened hardware
 Interior doors are made of hollow-core wood; exterior
doors are made of solid-core wood
 Need to perform risk assessment on interior applications
NETE4630 Advanced Network Security and Implementation
17
Entry Points: Doors (cont.)
 Doors have fire rating with various configurations:





Personal doors
Industrial doors
Vehicle access doors
Bulletproof doors
Vault doors
 Must examine hardware used to install a door
 Mantrap is designed so that when the outer door opens,
the inner door locks
NETE4630 Advanced Network Security and Implementation
18
Doors (cont.)
Vault door
Bullet-proof door
NETE4630 Advanced Network Security and Implementation
19
Doors (cont.)
Industrial door
Vehicle access door
NETE4630 Advanced Network Security and Implementation
20
Mantrap
NETE4630 Advanced Network Security and Implementation
21
Entry Points: Doors (cont.)
 Automatic door locks: fail-safe or fail-secure
 Fail-safe (unlocked) state allows employees to exit, but
also allows other unauthenticated access
 Fail-secure (locked) configuration is when the doors
default to being locked, thereby keeping unauthorized
individuals out while also preventing access
NETE4630 Advanced Network Security and Implementation
22
Entry Points: Windows
 Alarms or sensors may be installed on windows
 Window types include:
 Standard: lowest security, least expensive, easily shattered (แตก
ละเอียด)
 Polycarbonate Acrylic: more stronger than standard glass
 Wire Reinforced: adds shatterproof protection
 Laminated: similar to those used in automobiles, strengthen the
glass
 Solar Film: provide moderate level of security and decrease
potential for shattering
 Security Film: highest security
NETE4630 Advanced Network Security and Implementation
23
Windows (cont.)
NETE4630 Advanced Network Security and Implementation
24
Entry Points: Walls
 A reinforced wall can keep a determined attacker from
entering an area
 Walls should be designed with firewalls, and emergency
lighting should be in place
NETE4630 Advanced Network Security and Implementation
25
Access Control
 Access control is any mechanism by which an individual is
granted or denied access
 Many types include:
 Mechanical locks
 Identity card technology
NETE4630 Advanced Network Security and Implementation
26
Access Control: Locks
 Warded locks and tumbler locks
 Warded locks work by matching wards to keys, are
cheapest mechanical lock and easiest to pick
 Tumbler locks contain more parts and are harder to pick
 Another type of tumbler lock is the tubular lock, which is
used for computers, vending machines, and other highsecurity devices
NETE4630 Advanced Network Security and Implementation
27
Warded Locks
NETE4630 Advanced Network Security and Implementation
28
Access Control: Locks (cont.)
NETE4630 Advanced Network Security and Implementation
29
Tumbler Locks (cont.)
Tabular lock
NETE4630 Advanced Network Security and Implementation
30
Access Control: Locks (cont.)
 Three basic grades of locks include:
 Grade 3: The weakest commercial lock (designed for 200,000
cycles)
 Grade 2: Light duty commercial locks or heavy duty residential
locks (designed for 400,000 cycles)
 Grade 1: Commercial locks of the highest security (designed for
800,000 cycles)
NETE4630 Advanced Network Security and Implementation
31
Access Control: Physical Controls
 Network cabling
 Select the right type of cable
 Should be routed through the facility so that it cannot be
tampered with
 Unused network drop should be disabled; all cable
access points should be secured
NETE4630 Advanced Network Security and Implementation
32
Access Control: Physical Controls (cont.)
 Controlling individuals:
 ID cards with photograph of an individual
 Intelligent access control devices: contact and contactless
 Contact access cards come with different configurations
including:




Active Electronic: can transmit electronic data
Electronic Circuit: has a circuit embedded
Magnetic Strips: has a magnetic stripe
Optical-coded: contains laser-burned pattern of encoded dots
NETE4630 Advanced Network Security and Implementation
33
Optical Card
NETE4630 Advanced Network Security and Implementation
34
Access Control: Physical Controls (cont.)
 Contactless cards function by proximity e.g. RFID (Radio Frequency
ID)
 Passive: powered by RFID reader
 Semi-passive: has battery only to power microchip
 Active: battery-powered
 Multi-factor authentication is recommended
 Physical Intrusion Detection




Motion Detectors: audio, infrared, wave pattern, or capacitance
Photoelectric sensors
Pressure-sensitive devices
Glass breakage sensors
 Keep in mind that IDSes are not perfect
NETE4630 Advanced Network Security and Implementation
35
Intrusion Detection (cont.)
Photoelectric sensor
Motion detection sensor
(photoelectric infrared)
Glass break sensor
NETE4630 Advanced Network Security and Implementation
36
Device Security
 Device security addresses controls implemented to
secure devices found in an organization
 Computers, networking devices, portable devices,
cameras, iPods, and thumb drives
NETE4630 Advanced Network Security and Implementation
37
Device Security: Identification and
Authentication
 Identification: the process of identifying yourself
 Authentication: the process of proving your identity
 Three categories of authentication
 Something You Know
 Something You Have
 Something You Are
NETE4630 Advanced Network Security and Implementation
38
Device Security: Sth You Know
 Passwords are most commonly used authentication
schemes
 Gartner study in 2000 found that:
 90% of respondents use dictionary words or names
 47% use their name, spouse’s name, or a pet’s name
 9% used cryptographically strong passwords
NETE4630 Advanced Network Security and Implementation
39
Device Security: Sth You Know (cont.)
 A good password policy:
Passwords should not use personal information
Passwords should be 8 or more characters
Passwords should be changed regularly
Passwords should never be comprised of common words or
names
 Passwords should be complex, use upper- and lower-case
letters, and miscellaneous characters (e.g. !, @, #, $, %, ^, &)
 Limit logon attempts to three successive attempts




NETE4630 Advanced Network Security and Implementation
40
Device Security: Sth You Have
 Tokens, smart cards, and magnetic cards
 Two basic groups of tokens:
 Synchronous token: synchronized to authentication server
 Asynchronous challenge-response token
NETE4630 Advanced Network Security and Implementation
41
Device Security: Sth You Are
Basic operations:

1.
2.
3.
Accuracy of biometrics





User enrolls in the system
User requests to be authenticated
A decision is reached: allowed or denied
Type 1 Error (False Rejection Rate: FRR)
Type 2 Error (False Acceptance Rate: FAR)
The point at which FRR and FAR meet is known as Crossover
Error Rate (CER)
The Lower CER, the more accurate the system
NETE4630 Advanced Network Security and Implementation
42
Crossover Error Rate (CER)
NETE4630 Advanced Network Security and Implementation
43
Biometric







Finger Scan
Hand Geometry
Palm Scan
Retina Pattern
Iris Recognition
Voice Recognition
Keyboard Dynamics
NETE4630 Advanced Network Security and Implementation
44
Computer Controls
 Session controls
 System timeouts
 Screensaver lockouts
 Warning banners
NETE4630 Advanced Network Security and Implementation
45
Device Security: Mobile Devices and Media
 Samsung Corporation banned employees from using
Samsung’s cell phones with 8GB of storage
 Sensitive media must be controlled, handled, and
destroyed in an approved manner




Papers can be shredded: strip-cut and cross-cut shredders
CD can be destroyed
Magnetic media can be degaussed
Harddrive can be wiped
NETE4630 Advanced Network Security and Implementation
46
Information Classification Systems
 Government Information Classification System
 Focuses on secrecy
 Commercial Information Classification System
 Focuses on Integrity
NETE4630 Advanced Network Security and Implementation
47
Information Classification Systems (cont.)
NETE4630 Advanced Network Security and Implementation
48
Information Classification Systems (cont.)
NETE4630 Advanced Network Security and Implementation
49
Communications Security
 Communications Security examines electronic devices and
electromagnetic radiation (EMR) they produce
 Original controls for these vulnerabilities were named TEMPEST,
now changed to Emissions Security (Emsec)
 Newer technologies that have replaced shielding are white noise
and control zones
 PBX must be secure
 Fax can be intercepted
 Fax ribbons can be virtual carbon copy of original document
 Solved by using fax server and fax encryption
NETE4630 Advanced Network Security and Implementation
50
Comm Security: Bluetooth
 To keep bluetooth secure, make sure bluetooth-enable devices are
set to non-discoverable mode.
 Use secure application to limit amount of cleartext transmission
 It no bluetooth functionality is needed, turn if off
 It can be configured to access shared directories without authentication, which
open it up for viruses, trojans, and information theft
 In 2005, AirDefense released BlueWatch, the first commercial
security tool designed to monitor bluetooth devices and identify
insecure devices
 www.airdefense.net/products/bluewatch/index.php
NETE4630 Advanced Network Security and Implementation
51
BlueWatch
 AirDefense BlueWatch can provide information such as:
 Identify different types of Bluetooth devices, including laptops,
PDAs, keyboards and cell phones
 Provide key attributes, including device class, manufacturer and
signal strength
 Illustrate communication or connectivity among various
devices
 Identify services available on each device, including network
access, fax and audio gateway
NETE4630 Advanced Network Security and Implementation
52
802.11 Wireless Protocols
Retire WEP devices
Change default SSID
MAC filtering
Turn off DHCP
Limit access of wireless users
Use port authentication (802.1x)
Perform periodic site surveys and scan for rogue devices e.g. using
Kismet
 Update policies to stipulate requirements for wireless users
 Use encryption
 Implement a second layer of authentication e.g. RADIUS







NETE4630 Advanced Network Security and Implementation
53
Roadmap
 Defending the Physical Layer
 Attacking the Physical Layer
NETE4630 Advanced Network Security and Implementation
54
Attacking Physical Layer
 Several techniques to attack physical security:




Stealing data
Lock picking
Wiretapping
Hardware modification
NETE4630 Advanced Network Security and Implementation
55
Stealing Data
 Abe Usher wrote a program called “pod slurp” to steal data
from PC
 Purpose of Slurp
 To create a proof-of-concept application that searches for office
documents that can be copied from a Windows computer to an
iPod (or other removable storage device).
 The point of this exercise is to demonstrate (quantitatively) how
quickly data theft can occur with removable storage devices.
 Method:
 Searches for the "C:Documents and Settings" directory on a
Windows computer. It then recurses through all of the
subdirectories, discovering all of the documents (*.doc, *.xls,
*.htm, *.url, *.pdf, etc.) on the computer that it is running from.
NETE4630 Advanced Network Security and Implementation
56
How to Use Slurp
 Step 0:
 Stop the iPod Service in Windows (if iPod software is installed and running).
 Step 1:
 Unzip slurp.zip
 Step 2:
 Copy the entire "slurp-audit" directory to your removable storage device (iPod,
external hard drive, etc.)
 Step 3
 Run the application file "slurp-audit.exe" and watch it find all of the business
files. After it is complete, check the report.html file to find out what files could
have been copied to an iPod or USB thumbdrive.
 For more information, check: http://www.sharp-ideas.net
NETE4630 Advanced Network Security and Implementation
57
Slurp
NETE4630 Advanced Network Security and Implementation
58
Slurp Report
NETE4630 Advanced Network Security and Implementation
59
Lock Picks
 Basic components used to pick locks:
 Tension Wrenches: small, angled flathead screwdrivers that
come in various thicknesses and sizes
 Picks: small, angled, and pointed, similar to a dentist pick
NETE4630 Advanced Network Security and Implementation
60
Scrubbing
NETE4630 Advanced Network Security and Implementation
61
Lock Shim
NETE4630 Advanced Network Security and Implementation
62
Lock Shim (cont.)
NETE4630 Advanced Network Security and Implementation
63
Lock Shim (cont.)
NETE4630 Advanced Network Security and Implementation
64
Scanning and Sniffing
 Phreakers are interested in making free long-distance calls
 Free loaders intercept free HBO. Prevented by implementing
videocipher encryption
 Cordless phone were attacked by tuning the same frequencies other
people to listen to active conversation
 Solved by switching to spread spectrum technologies
 1st Gen mobile phones have been hacked by Tumbling
 Modify Electronic Serial Number (ESN) and mobile identification number
(MIN) after each call
 Also vulnerable to cloning attack
 Intercept ESN and MIN from listening to active calls
NETE4630 Advanced Network Security and Implementation
65
Scanning and Sniffing (cont.)
 Attacks on 2nd Gen Mobile phones:
 International Mobile Subscriber Identity (IMSI) catcher
 Tell mobile phone that it is a base station
 Cellphone jammer
 Transmit signals with same freq as cell phones; preventing all
communication within given area
 Cellphone detector
 Detect when a cell phone is powered on
NETE4630 Advanced Network Security and Implementation
66
Scanning and Sniffing (cont.)
 Bluejacking allows an individual to send unsolicited
messages over BT to other BT devices
 Bluesnarfing is the theft of data, calendar information and
phonebook entries
NETE4630 Advanced Network Security and Implementation
67
Tools to Attack Bluetooth
 RedFang: small proof-of-concept application used to find nondiscoverable devices
 Bluesniff: a proof-of-concept tool for BT wardriving
 Btscanner: a BT scanning with the ability to do inquiry and brute
force scans, identify BT devices in range
 BlueBug: exploits a BT security hole on some BT-enabled phones.
Allows unauthorized downloading of phonebooks and call lists,
sending and reading SMSs
 Find those tools at
 http://www.remote-exploit.org/backtrack_download.html
NETE4630 Advanced Network Security and Implementation
68
Attacking WLANs




Eavesdropping
Open Authentication
Rogue Access Point
DoS
NETE4630 Advanced Network Security and Implementation
69
Hardware Hacking
 Hardware hacking is about using physical access to
bypass control or modify the device in some manner
 Sometimes it is called “moding”
 Bypass BIOS password
 Router password recovery
 Prevented by issuing no service passwordrecovery command
 Bypass Windows authentication
NETE4630 Advanced Network Security and Implementation
70
Example: Modifying Bluetooth Hardware
 Objective:
 To extend BT range
NETE4630 Advanced Network Security and Implementation
71
Example: Modifying Bluetooth Hardware
1
2
NETE4630 Advanced Network Security and Implementation
72
Example: Modifying Bluetooth Hardware
3
4
NETE4630 Advanced Network Security and Implementation
73
Example: Modifying Bluetooth Hardware
5
6
NETE4630 Advanced Network Security and Implementation
74
To Read
 Hack-The-Stack: Page 70-84
NETE4630 Advanced Network Security and Implementation
75
Question?
Next week
Data Link Layer Security
NETE4630 Advanced Network
Security and Implementation
76