Chapter 12. Organizational Controls

Terms you need to understand

• Forensics

• Chain of custody

• Acceptable use

• Change management

• Personally identifiable information (PII)

• Due care

• Service level agreements (SLAs)

• Security policies

• Social engineering

• Dumpster diving

Techniques you need to master

• Understand the implications of incident response and forensic analysis of data.

• Understand applicable legislation and organizational policies.

• Know the importance of environmental controls.

• Understand how social engineering may be used to obtain unauthorized access.

After planning for disaster and recovery procedures as discussed in Chapter 11, “Organizational Security,” it is necessary to plan for incident response, forensics investigations, and protecting the organization from malice that can cause both external and internal damages. This chapter looks at incident response, forensics analysis, and security policies. It also covers environmental controls and user security awareness training. Although only 12% of the exam is based on the organizational security domain, this is a growing area of security planning. Therefore, additional resources are detailed at the end of the chapter.

Incident Response Procedures

Incidents happen from time to time in most organizations, no matter how strict the security policies and procedures are. Proper incident handling is just as vital as the planning stage, and it can make the difference between recovering quickly and suffering lasting damage to the business and its customer relationships. Customers need to see that the company has enough expertise to deal with the problem.

Incident response guidelines, change-management procedures, security procedures, and many other security-related factors require extensive planning and documentation. Incident response documentation should include the identification of required forensic and data-gathering procedures and proper reporting and recovery procedures for each type of security-related incident.

The components of an incident response plan should include preparation, roles, rules, and procedures. Incident response procedures should define how to maintain business continuity while defending against further attacks. Although many organizations have an Incident Response Team (IRT), a specific group of technical and security investigators that responds to and investigates security incidents, many do not. Where there is no IRT, first responders will need to handle the scene and the response. Systems should be secured to prevent as many incidents as possible and monitored so that breaches are detected as they occur. The National Institute of Standards and Technology (NIST) has issued incident response guidelines that can help an organization spell out its own internal procedures. This is referenced in the “Suggested Reading and Resources” section at the end of the chapter.

Forensics

When a potential security breach must be reviewed, the digital forensics process comes into play. Similar to other forms of forensics, this process requires a vast knowledge of computer hardware, software, and media to protect the chain of custody over the evidence, avoid accidental invalidation or destruction of evidence, and preserve the evidence for future analysis. Computer forensics review involves the application of investigative and analytical techniques to acquire and protect potential legal evidence. Therefore, a professional within this field needs a detailed understanding of the local, regional, national, and even international laws affecting the process of evidence collection and retention, especially in cases involving attacks that may be waged from widely distributed systems located in many separate regions.

The major concepts behind computer forensics are to

• Identify the evidence

• Determine how to preserve the evidence

• Extract, process, and interpret the evidence

• Ensure that the evidence is acceptable in a court of law

Each state has its own laws that govern how cases can be prosecuted. For cases to be prosecuted, evidence must be properly collected, processed, and preserved. The corporate world focuses more on prevention and detection, whereas law enforcement focuses on investigation and prosecution.

Chain of Custody

Forensics analysis involves establishing a clear chain of custody over the evidence, which is the documentation of all transfers of evidence from one person to another, showing the date, time, and reason for transfer and the signatures of both parties involved in the transfer. In other words, it tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. If you are asked to testify regarding data that has been recovered or preserved, it is critical that you, as the investigating security administrator, be able to prove that no other individuals or agents could have tampered with or modified the evidence. This requires careful collection and preservation of all evidence, including the detailed logging of investigative access and the scope of the investigation. Definition of the scope is crucial to ensure that accidental privacy violations or unrelated exposure will not contaminate the evidence trail. After data is collected, it must be secured in such a manner that you, as the investigating official, can state with certainty that the evidence could not have been accessed or modified during your custodial term.
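The documentation described above is usually kept on paper, but the integrity claim behind it (that nobody could have modified the evidence during a custodial period) is made provable by hashing the evidence at acquisition and again at every transfer. The following is an added example, not code from the chapter; it assumes the evidence is a file on disk (a constructed disk image), that SHA-256 is the integrity hash, and that the custody log is a simple list of records written as JSON. The hypothetical case and item identifiers, names, and reasons are illustrative.

```python
"""Evidence integrity and chain-of-custody record (added example, not from the chapter).

Assumptions: evidence is a file on disk, SHA-256 is the integrity hash, and the
log is an append-only list of records. The identifiers and names are made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, streamed so a multi-gigabyte image fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who held an evidence item, when, and why.

    The hash recorded at acquisition is the reference value. Every transfer and
    every verification recomputes the hash, so a mismatch pinpoints the
    custodial period in which the item changed.
    """

    def __init__(self, item_id, path):
        self.item_id = item_id
        self.path = path
        self.entries = []
        self.reference_hash = None

    def _record(self, action, holder, reason, counterparty=None):
        entry = {
            "item": self.item_id,
            "action": action,
            "time": datetime.now(timezone.utc).isoformat(),
            "from": counterparty,
            "to": holder,
            "reason": reason,
            "sha256": hash_file(self.path),
        }
        self.entries.append(entry)
        return entry

    def acquire(self, collector, reason):
        entry = self._record("acquire", collector, reason)
        self.reference_hash = entry["sha256"]
        return entry

    def transfer(self, from_holder, to_holder, reason):
        # On paper both parties sign; here both names are recorded with the hash at handoff.
        return self._record("transfer", to_holder, reason, counterparty=from_holder)

    def verify(self):
        """Return (ok, current_hash); ok is False if the item no longer matches acquisition."""
        current = hash_file(self.path)
        return current == self.reference_hash, current

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    """Acquire a constructed evidence file, transfer it twice, then simulate tampering.

    Returns (ok_before_tamper, ok_after_tamper, number_of_log_entries).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "disk.img")
        with open(path, "wb") as f:
            f.write(b"constructed evidence image\x00" * 64)  # sample data, not real evidence
        log = CustodyLog("CASE-001/ITEM-01", path)
        log.acquire("A. Analyst", "Imaged workstation HDD at incident scene")
        log.transfer("A. Analyst", "Evidence Locker", "Overnight storage")
        log.transfer("Evidence Locker", "B. Examiner", "Checked out for analysis")
        ok_before, _ = log.verify()
        with open(path, "r+b") as f:  # an unlogged modification by an unknown party
            f.seek(0)
            f.write(b"X")
        ok_after, _ = log.verify()
        return ok_before, ok_after, len(log.entries)


if __name__ == "__main__":
    print(demo())
```

Because the hash is recomputed at each handoff, the log shows not only that the image changed but also between which two entries it changed, which is exactly what a custodian must be able to state in testimony. Analysis should always be performed on a working copy so the reference hash of the original never has to change.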

First Responders

First responders are the first ones to arrive at the incident scene. The success of data recovery and potential prosecution depends on the actions of the individual who initially discovers a computer incident. How the evidence scene is handled can severely affect the ability of the organization to prosecute if need be. While police officers are trained to have a good understanding of the limits of the Fourth and Fifth Amendments and applicable laws, many system administrators and network security personnel are not.

The entire work area is a potential crime scene, not just the computer itself. There might be evidence such as removable media, voice-mail messages, or handwritten notes. The work area should be secured and protected to maintain the integrity of the scene. Do not touch the computer, and do not allow anyone to remove any items from the scene, unless a trained responder is capturing volatile data (memory contents, running processes, active network connections) under a documented procedure; RFC 3227, Guidelines for Evidence Collection and Archiving, describes the order in which such evidence should be collected.

Damage and Loss Control

When the response team has determined that an incident occurred, the next step in incident analysis involves taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident. This will aid with researching possible response and mitigation strategies. In keeping with the severity of the incident, the organization can act to mitigate the impact of the incident by containing it and eventually restoring operations back to normal.

Depending on the severity of the incident and the organizational policy, incident response functions can take many forms. The response team may send out recommendations for recovery, containment, and prevention to systems and network administrators at sites who then complete the response steps. The team may perform the remediation actions themselves. The follow-up response can involve sharing information and lessons learned with other response teams and other appropriate organizations and sites.

After the incident is appropriately handled, the organization may issue a report that details the cause of the incident, the cost of the incident, and the steps the organization should take to prevent future incidents.

It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future.

Reporting and Disclosure

Request For Comments (RFC) 2350, Expectations for Computer Security Incident Response, can be helpful in formulating organizational best practices for reporting and disclosure. Section 3.4.2 addresses cooperation, interaction, and disclosure of information. The reporting and disclosure policy should make clear who the incident response team’s report will go to in each circumstance. It should also note whether the team will be expected to operate through another internal team or directly with outside affected parties such as vendors. A clear statement of the policies and procedures helps all the parties involved understand how best to report incidents and what support to expect afterward.

The guidelines for reporting organizational security breaches may not be straightforward. Because of adverse publicity, many organizations choose to quietly fix a breach without reporting or disclosing. However, legal and ethical responsibilities now require organizations to be more diligent in this area. In many cases, security incidents must be reported by the chief information officer (CIO) and the board members need to be notified. The information reported may include the scope of the incident, impact, actions being taken, and actions taken to prevent a further occurrence. Board notification usually occurs as soon as the incident is known. Subsequent updates to the board may occur until the incident is closed, as determined by the chief information security officer (CISO).

Applicable Legislation and Organizational Policies

To ensure that proper incident response planning is managed and maintained, it is important to establish clear and detailed security policies that are ratified by an organization’s management and brought to the attention of its users. Policies of which the users have no knowledge are rarely effective, and those that lack management support may prove to be unenforceable. Current and pending legislation will affect the formulation of those policies.

The first data breach notification law in the United States was California’s S.B. 1386. This bill was enacted in 2002 and went into effect in July 2003. Currently, 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. In most cases, companies must promptly disclose a data breach to affected customers, usually in writing. Federal bills regarding data breach notification currently in process include the following:

• S. 239, Notification of Risk to Personal Data Act

• H.R. 958, Data Accountability and Trust Act

• H.R. 836, Cyber-Security Enhancement & Consumer Data Protection Act

• S. 495, Personal Data Privacy and Security Act of 2007

Besides state and federal data-breach notification, organizations formed in the United States are also bound by the following laws that relate to protection and proper disclosure of data:

• Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets national standards for protecting health information.

• Gramm-Leach-Bliley Act (GLB) establishes privacy rules for the financial industry.

• Sarbanes-Oxley (SOX) governs financial and accounting disclosure information.

The U.S. Supreme Court made changes to the Federal Rules of Civil Procedure that make requests for electronic data a standard part of the discovery process during civil lawsuits. The changes took effect December 1, 2006. Therefore, organizations need to have a record-retention policy. This topic is covered in further detail in the “Security-Related Human Resources Policy” section later in this chapter.

The point is that it is imperative to know the legal ramifications of an incident before one occurs. Check your state’s laws concerning privacy, liability, and spam. For example, assume your state has an antispam law and your company email server is configured as an open relay, allowing anyone on the Internet to send mail through it. A spammer uses it to send a message about the price of gasoline in Europe to 500,000 people. The consequences can be fatal to the company. First, your Internet service provider (ISP) blocks your outbound mail, and you must close the open relay before you can send any email. You have also been reported for spamming; if the fine is $10 per message, the total could put the company out of business even if you have insurance, because there is a good chance the insurer will not cover this type of incident.

Different countries mandate different customer notification approaches. Being aware of this is especially important in a global economy. Notification of affected customers should be a part of an organization’s incident response plan. If an organization resides in an area that is not subject to a specific notification law, they should adhere to common law liability and treat each incident on a case-by-case basis.

Secure Disposal of Computers and Media

ISO 17799 (since renumbered as ISO/IEC 27002), particularly sections 7 and 8, establishes standards for the proper disposal of obsolete hardware. The standard dictates that equipment owned or used by the organization should be disposed of only in accordance with approved procedures, including independent verification that the relevant security risks have been mitigated. This policy addresses issues that should be considered when disposing of old computer hardware, whether for recycling, disposal, donation, or resale. The most prominent security risk is that the hard disk inside the computer has not been completely or properly wiped. Stories about this exact problem surface on almost a daily basis.

When implementing a policy on the secure disposal of outdated equipment, a wide range of scenarios need to be considered, such as the following:

• Breaches of health and safety requirements.

• Inadequate disposal planning that results in severe business loss.

• Remnants of legacy data from old systems that may still be accessible.

• Disposal of old equipment that is still necessary to read archived data.

• Theft of equipment in use during cleanup of unwanted equipment.

Besides properly disposing of old hardware, removable media disposal is just as important. Media must be handled correctly whenever its data is to be overwritten or is no longer useful or pertinent to the organization. The following terms describe the accepted approaches to media sanitization:

Declassification: A formal process of assessing the risk involved in discarding particular information, which determines how thoroughly the media must be sanitized.

Sanitization: The process of removing the contents from the media as fully as possible, making recovery extremely difficult.

Degaussing: Uses an electrical device to reduce the magnetic flux density of the storage media to zero. It has no effect on flash-based storage and normally leaves a hard disk unusable.

Overwriting: Writes patterns over every addressable location on a storage device. It is applicable to magnetic media only; on flash-based drives, wear leveling and spare blocks mean an overwrite cannot be relied on to reach every copy of the data.

Destruction: The process of physically destroying the media and the information stored on it.

Acceptable Use Policies

An organization’s acceptable use policy must provide details that specify what users may do with their network access. This includes email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user. It is important to provide users the least possible access rights while allowing them to fulfill legitimate actions. An acceptable use policy should contain these main components:

• Clear, specific language

• Detailed standards of behavior

• Detailed enforcement guidelines and standards

• Outline of acceptable and not acceptable uses

• Consent forms

• Privacy statement

• Disclaimer of liability

The organization should be sure the acceptable use policy complies with current state and federal legislation and does not create unnecessary business risk through employee misuse of resources. Upon logon, display a banner stating that network access is granted under certain conditions and that all activities may be monitored. This establishes that users were notified of the conditions and of the monitoring, which you will need if the policy is ever enforced or monitoring records are used in a legal proceeding.

Password Complexity

The organization’s password policy specifies password requirements, including length, strength, history, and required rate of change. Password policies were discussed in detail in Chapter 4, “Infrastructure Security and Controls.”

Although the organization may have password policies in place, allowing users to create their own passwords without guidance produces an insecure environment because users typically choose passwords that contain easy-to-remember words. At the other end of the spectrum, if passwords are too difficult to remember, users will write them down and post them on monitors, keyboards, and any number of easy-to-find places. A weak password might be very short or use only alphanumeric characters, or it might contain information easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money, or password.

Organizational policies should include training that teaches users to create stronger passwords from events or things the user knows. For example, say that the password must be nine characters long and must be a combination of letters, numbers, and special characters. The user is going to Fiji on August 8, 2009, with his spouse, Joan. The phrase “Going to Fiji on August 8, 2009 with Joan” can become gtF8809@J. Now you have a complex password that is easy for the user to remember. Alternatively, users can choose a passphrase of well over 13 characters; length raises the cost of a brute-force attack far more than added character classes do. For example, ThisisDiane@sTempPa33w0rd is 25 characters long, far beyond what brute-force tools can exhaustively search. Note, however, that a phrase assembled from dictionary words with common substitutions (3 for e, 0 for o) can still fall to rule-based dictionary attacks, so the phrase should be personal rather than a published quotation or a stock pattern.

Strong password policies help protect the network from hackers and define the responsibilities of users who have been given access to company resources. You should have all users read and sign security policies as part of their employment process and provide periodic training.
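A policy of the kind described in this section is only useful if it is enforced at the point where the password is set. The following is an added example, not code from the chapter, of a checker that applies the chapter's stated requirements (nine characters; letters, numbers, and special characters) together with the checks a practitioner adds in practice: rejection of common words and of profile terms an attacker could learn about the user, even when written with leet substitutions, and a reuse check against password history. The minimum length, word list, substitution table, and the use of SHA-256 for the history are assumptions of this example; the two phrase-derived passwords are the chapter's own.

```python
"""Password policy check (added example, not from the chapter).

Assumed policy: at least 9 characters; letters, digits and at least one special
character; no reuse of a password in the history; and rejection of common words
and profile-derived terms even when written with leet substitutions.
"""
import hashlib
import re

COMMON_WORDS = ("password", "welcome", "secret", "money", "love", "god")

# Reverse the usual substitutions so "Pa55w0rd" is compared as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    return pw.lower().translate(LEET)


def history_hash(pw):
    """Hash used for the reuse check. A real deployment would store a slow, salted
    password hash (bcrypt, scrypt, Argon2); SHA-256 keeps this example dependency-free."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, profile=(), history=(), min_length=9):
    """Return the list of policy violations; an empty list means the password is acceptable.

    profile: terms an attacker could learn about the user (spouse, pet, street, birth year)
    history: history_hash() values of previous passwords that may not be reused
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special characters")
    norm = normalize(pw)
    for word in COMMON_WORDS:
        if word in norm:
            problems.append(f"contains common word {word!r}")
    for term in profile:
        if len(term) >= 3 and normalize(term) in norm:
            problems.append(f"contains profile term {term!r}")
    if history_hash(pw) in set(history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    # The two passwords the chapter derives from memorable phrases pass the structural checks.
    print(check_password("gtF8809@J"))
    print(check_password("ThisisDiane@sTempPa33w0rd"))
    # A spouse's name plus a year fails once the user's profile is known.
    print(check_password("Joan2009!", profile=("Joan", "Fiji")))
    # Leet substitutions do not hide a dictionary word.
    print(check_password("Pa55w0rd!9"))
```

The profile list is the part most checkers omit: an attacker who has read the user's social media knows the spouse's name and the holiday date, so a password built only from those facts satisfies the character-class rules and is still weak. Feeding the checker the terms from the user's HR record or directory entry catches that case.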

Change Management

All configuration changes should be documented. Many companies are lacking in this area. We are often in a hurry to make changes and say we will do the documentation later—most of the time, that doesn’t happen. You should realize that documentation is critical. It eliminates misunderstandings and serves as a trail if something goes wrong down the road. Change documentation should include the following:

• Specific details, such as the files being replaced, the configuration being changed, the machines or operating systems affected, and so on

• The name of the authority who approved the changes

• A list of the departments that will be involved in performing the changes and the names of their supervisors

• What the immediate effect of the change will be

• What the long-term effect of the change will be

• The date and time the change will occur

After the change has occurred, the following should be added to the documentation:

• Specific problems and issues that occurred during the process

• Any known workarounds if issues have occurred

• Recommendations and notes on the event

After the change has been requested, documented, and approved, you should then send out notification to the users so that they will know what to expect when the change has been implemented.

Classification of Information

ISO 17799 can help an organization establish information classification criteria. It is essential to classify information according to its value and level of sensitivity so that the appropriate level of security can be used. A system of classification should be easy to administer, effective, and uniformly applied throughout the organization. Organizational information that is not public should not be disclosed to anyone who is not authorized to access it. The organization should have a strict policy in place for violations that could result in disciplinary proceedings against the offending individual.

It is recommended to limit the number of information classification levels in your organization. Following are two different options. The first divides information into four classifications:

Class 1 (public information): Data available in the public domain.

Class 2 (internal information): Should this data become public, the consequences are not critical.

Class 3 (confidential information): Should this data become public, it could influence the organization’s operational effectiveness and cause financial loss.

Class 4 (secret information): This data is critical to the company, should be accessed by very few, and should never become public.

The next example adds an additional class:

Top secret: Highly sensitive internal documents and data. This is the highest security level possible.

Highly confidential: Information that is considered critical to the organization’s ongoing operations. Security should be very high.

Proprietary: Internal information that defines the way in which the organization operates. Security should be high.

Internal use only: Information that is unlikely to result in financial loss or serious damage to the organization. This is a restricted but normal security level.

Public documents: Information in the public domain. This is a minimal security level.

The important thing to remember here is to document how your data classifications correlate to your security objectives. When classifications are established, they should be adhered to and closely monitored. All too often, top secret documents end up on unsecured family computers. Data classifications can also help when submitting discoverable information subject to the Federal Rules of Civil Procedure should the organization be involved in a lawsuit.

Separation of Duties and Mandatory Vacations

Too much power can lead to corruption, whether it is in politics or network administration. Most governments and other organizations implement some type of a balance of power through a separation of duties. It is important to include a separation of duties when planning for security policy compliance. Without this separation, all areas of control and compliance may be left in the hands of a single individual. The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it. Often, you will find this in financial institutions, where to violate the security controls, all the participants in the process would have to agree to compromise the system. For security purposes, avoid having one individual who has complete control of a transaction or process from beginning to end and implement policies such as job rotation, mandatory vacations, and cross-training.

Users should be required to take mandatory vacations as part of the organization’s security policy. While an employee is away, someone else must perform that employee’s duties, which makes fraud or concealed irregularities far more likely to surface. There must therefore be other employees who can do the job of each employee. It is imperative that all employees are adequately cross-trained and have only the level of access necessary to perform their normal duties.

Personally Identifiable Information

Privacy-sensitive information is referred to as personally identifiable information (PII). This is any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. Examples of PII are name, address, phone number, fax number, email address, financial profiles, Social Security number, and credit card information.

To be considered PII, information must be specifically associated with an individual person. Information provided either anonymously or not associated with its owner before collection is not considered PII. Unique information such as a personal profile, unique identifier, biometric information, and IP address that is associated with PII can also be considered PII.
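Protecting PII starts with knowing where it is, and the first place it leaks is into logs, tickets, and exports that nobody classified. The following is an added example, not code from the chapter, of a scanner that finds three of the PII types listed above (Social Security numbers, email addresses, and payment card numbers) in free text and can redact them. It goes beyond the chapter in one respect: card numbers are validated with the Luhn checksum so that order numbers and timestamps are not reported as cards. The regular expressions, the constructed sample log lines, and the redaction format are assumptions of this example; names, addresses, and other context-dependent PII cannot be found this way.

```python
"""PII scanner for text and log lines (added example, not from the chapter).

Assumptions: U.S.-style SSNs written with dashes, e-mail addresses, and payment
card numbers of 13 to 19 digits validated with the Luhn checksum. Anything else
(names, addresses, phone numbers) needs context this regex approach cannot supply.
"""
import re

# Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return [(start, end, kind, value)] for every PII match, ordered by position."""
    found = []
    for m in SSN_RE.finditer(text):
        found.append((m.start(), m.end(), "ssn", m.group()))
    for m in EMAIL_RE.finditer(text):
        found.append((m.start(), m.end(), "email", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # drops order numbers and timestamps that merely look like cards
            found.append((m.start(), m.end(), "card", m.group()))
    return sorted(found)


def find_pii(text):
    """Return [(kind, value)] in document order."""
    return [(kind, value) for _, _, kind, value in scan(text)]


def redact(text):
    """Replace each match with a placeholder that keeps only the last four digits of numbers."""
    out, pos = [], 0
    for start, end, kind, value in scan(text):
        out.append(text[pos:start])
        if kind == "email":
            out.append("<email>")
        else:
            digits = re.sub(r"\D", "", value)
            out.append(f"<{kind}:...{digits[-4:]}>")
        pos = end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample log lines; the card number is a well-known test value, not a real account.
SAMPLE_LOG = """\
2009-08-08T10:15:01 support ticket from joan.example@example.com: card 4111 1111 1111 1111 declined
2009-08-08T10:16:44 hr import ssn=123-45-6789 employee=4523
2009-08-08T10:17:02 order 4111111111111112 ref 20090808101702 ok
"""

if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_LOG):
        print(kind, value)
    print(redact(SAMPLE_LOG))
```

Run over the sample, the scanner reports the email address, the test card number, and the SSN, and ignores the 16-digit order number and the 14-digit reference on the third line because neither passes the Luhn check. Redaction keeps the last four digits, which is what support staff usually need to confirm an account without retaining the full value.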

The California Online Privacy Protection Act of 2003 (OPPA), which became effective on July 1, 2004, requires each operator of a commercial website or online service that collects PII from California residents to conspicuously post a privacy policy on its website. The privacy policy itself must contain the following features:

• A list of the categories of PII the operator collects

• A list of the categories of third parties with whom the operator may share such PII

• A description of the process by which the consumer can review and request changes to his or her PII collected by the operator

• A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy

• The effective date of the privacy policy

Other federal and state laws may apply to PII. In addition, other countries have laws as to what information can be collected and stored by organizations. As with most of the information in this chapter, it is imperative that you know the regulations that govern the digital terrain in which your organization operates. The organization then has an obligation to be sure proper policies and procedures are in place.

Due Care

An organization may be negligent in its duties if it fails to take common and necessary precautions to avoid a security threat. It also may be negligent if its actions contribute to an environment that allows a security threat to happen. For example, if an employee hacks into a vendor’s network, the company can be held liable for lack of due care. Due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. Because of this, it is important to establish clear lines of responsibility and expectations for users and administrators. Due care is based on best practices and what a prudent organization would do in a similar case. In other words, it involves doing the right thing and acting responsibly.

Your security policy must specify how your organization operates within applicable laws and regulations to ensure data privacy. This is especially important in industries that now have to comply with legislation. Users and administrators must be made aware of privacy issues and the consequences of unintentional disclosure of private data that may arise over web, email, and instant messaging traffic within the organization’s network. All employees should be familiar with and exercise due care when dealing with organizational assets.

Due Diligence

Due diligence can have several connotations that relate to technology. Generally, due diligence refers to the care a reasonable person should take before entering into an agreement or a transaction with another party. In this context, it may be used in connection with a due diligence investigation of a vendor, outsourcing agency, venture capital investment, or a partnering entity. This entails the request for various kinds of documents from the company to be used in connection with a legal due diligence investigation. Due diligence is a way of preventing unnecessary harm to either party involved in the transaction.

Due diligence can also be used internally. This is the process of investigation, such as an examination of operations and management and the verification of material facts. This is basically an investigation or audit to confirm all material facts. Many times, due diligence is done to assess the viability of the organization or to ensure that they have adequate controls and procedures in place so that they know the vendors and customers with whom they are dealing. This is particularly important in the banking industry. Adequate due diligence on new and existing customers is a key part of controls and oversight. Without due diligence, banks can become subject to reputation, operation, and legal risks, resulting in significant financial cost. Again, it is important to know the market in which you operate and what is expected of the organization.

Due Process

Due process is the concept that laws and legal proceedings must be fair. The U.S. Constitution guarantees that before depriving a citizen of life, liberty, or property, the government must follow fair procedures. Other countries have similar protections in effect. An organization’s policies and procedures must respect these basic rights of the individual.

How this affects the organization depends on the type of employer. In the United States, most private-sector employees are governed by the employment-at-will doctrine. This means that both an employer and an employee have the privilege to end a working relationship without prior notice or explanation. All federal, state, and local government employees are protected by the Fifth and Fourteenth Amendments. These prohibit the government from depriving any person of life, liberty, or property without due process of law. Government employees’ services cannot be terminated under circumstances that violate the U.S. Constitution or the constitution of the state in which they work. They have the right to due process in cases of arbitrary dismissals not linked to job performance. Before termination, a government employer has to offer a reasonable explanation to the employee and provide a proper channel for the employee to answer those charges. If the charges are going to impede future job prospects, the employee has the right to a name-clearing hearing.

Service Level Agreements

Service level agreements (SLAs) are part of most organizations’ vendor and customer relationships. The purpose of an SLA is to establish a cooperative partnership, bring both sides together, and map out each party’s responsibilities. SLAs can help you determine what you will provide to your client, what is beyond your responsibility, and who should be contacted when something goes wrong. SLAs spell out the processes, service expectations, and service metrics. The organization should make sure that the affected staff is aware of the terms of each SLA. Failure to comply can result in a violation of the SLA and potential nullification of any vendor warranties or liabilities.

When SLAs are established, change, monitoring, and testing procedures should be in place. Changes to an SLA should be handled under agreed change-control procedures.

Security-Related Human Resources Policy

Human resources (HR) policies and practices should reduce the risk of theft, fraud, or misuse of information facilities by employees, contractors, and third-party users. The primary legal and HR representatives should review all policies, especially privacy issues, legal issues, and HR enforcement language. Legal and HR review of policies is required in many, if not most, organizations.

Security planning must include procedures for the creation and authorization of accounts for newly hired personnel and the planned removal of privileges following employment termination. When termination involves power users with high-level access rights or knowledge of service administrator passwords, it is critical to disable the user’s accounts, rotate every shared or service credential the person knew, and revoke keys and tokens promptly, closing known avenues of access, while also increasing security monitoring for possible reprisals against the organization. The hiring process should also include provisions for making new employees aware of acceptable use and disposal policies and the sanctions that may be enacted if violations occur. An organization should also institute a formal code of ethics to which all employees subscribe, particularly power users with broad administrative rights.

User Education and Awareness Training

One of the most powerful tools available to a security administrator is the body of network users, who may notice and draw attention to unusual access methods or unexpected changes. This same body of users also creates the greatest number of potential security holes because each user may be unaware of newly emerging vulnerabilities, threats, or required standards of action and access that must be followed. Like a chain, a network is only as secure as its weakest link—and users present a wide variety of bad habits, a vast range of knowledge, and varying intent in access.

User education is mandatory to ensure that users are made aware of expectations, options, and requirements related to secure access within an organization’s network. Education may include many different forms of communication, including the following:

• New employees and contract agents should be provided education in security requirements as a part of the hiring process.

• Reminders and security-awareness newsletters, emails, and flyers should be provided to raise general security awareness.

• General security policies must be defined, documented, and distributed to employees.

• Regular focus group sessions and on-the-job training should be provided for users regarding changes to the user interface, application suites, and general policies.

• General online security-related resources should be made available to users through a simple, concise, and easily navigable interface.

Although all the previously mentioned practices are part of a security-awareness training program, security training during employee orientation combined with yearly seminars is the best choice, as these are active methods of raising security awareness. Email and posters are passive and tend to be less effective.

Caution

It is important to locate a suitable upper-level sponsor for security initiatives to ensure that published security training and other requirements are applied to all users equally. Attackers often look for highly placed users who have exempted themselves from standard security policies, because those accounts combine broad access with weaker controls.

The Importance of Environmental Controls

The location of everything from the actual building to wireless antennas affects security. When picking a location for a building, an organization should investigate the type of neighborhood, population, crime rate, and emergency response times. This will help in the planning of the physical barriers needed, such as fencing, lighting, and security personnel. An organization must also analyze the potential dangers from natural disasters and plan to reduce their impact when possible.

When protecting computers, wiring closets, and other devices from physical damage due to either natural or manmade disasters, you must select their locations carefully. Proper placement of the equipment should cost a company little money upfront yet provide significant protection from possible loss of data due to flooding, fire, or theft.

Fire Suppression

Fire is a danger common to all business environments and one that must be planned for well in advance of any possible occurrence. The first step in a fire safety program is fire prevention.

The best way to prevent fires is to train employees to recognize dangerous situations and report them immediately. Knowing where a fire extinguisher is and how to use it can stop a small fire from becoming a major catastrophe. Many of the newer motion- and ultrasonic-detection systems also include heat and smoke detection, which provides early warning rather than prevention: these systems alert the monitoring station of smoke or a rapid increase in temperature. If a fire does break out somewhere within the facility, a proper fire-suppression system can avert major damage. Keep in mind that laws and ordinances apply to the deployment and monitoring of a fire-suppression system, and it is your responsibility to ensure that these codes are properly met. In addition, the organization should have safe evacuation procedures and periodic fire drills to protect its most important investment: human life.

Fire requires three main components to exist: heat, oxygen, and fuel. Eliminate any of these components and the fire goes out. A common way to fight fire is with water, which cools the fuel below its ignition temperature, and the steam it produces helps displace oxygen. A wet-pipe fire-suppression system is the one that most people think of when discussing an indoor sprinkler system. The term wet describes the state of the pipe during normal operations: the pipe in a wet-pipe system holds water under pressure at all times. The pipes are interconnected and have sprinkler heads attached at regularly spaced intervals. Each sprinkler head is held closed by a heat-sensitive element (a fusible link or glass bulb) designed to give way at a set temperature. When the element releases, the head opens and water flows to extinguish the fire. Keep in mind that electronic equipment and water don’t get along well; fires that start outside electrical areas are well served by water-based sprinkler systems. Also keep in mind that all these systems should have both manual activation and manual shutoff capabilities, so that a sprinkler system can be turned off to limit water damage. Because each head opens independently when its own element reaches temperature, normally only the head or heads closest to the fire discharge, which is effective at putting out fires in their early stages.

Dry-pipe systems work in the same fashion as wet-pipe systems, except that the pipes are filled with pressurized air (or nitrogen) rather than water, and the water is held back by a valve at the supply. The heads work on the same principle: when a head opens, the air pressure in the pipe drops, the valve opens, and water flows toward the open head. One reason for using a dry-pipe system is that in unheated spaces where the temperature drops below freezing, water standing in the pipes would freeze and burst them. Another reason is the delay between activation and the arrival of water at the head. Because some codes require a sprinkler system even in areas of the building that house electrical equipment, this delay can be long enough for someone to manually deactivate the system before water starts to flow. In such a case, a company could deploy a dry-pipe system and a chemical system together: the delay in the dry-pipe system allows the chemical system to discharge first and avoid serious damage to running equipment from water.

Exam Alert

Know the difference between the different types of fire-suppression systems.

For Class A fires (trash, wood, and paper), water will decrease the fire’s temperature and extinguish its flames. Foam is usually used to extinguish Class B fires, which are fueled by flammable liquids, gases, and greases. The foam concentrate is mixed with water and air as it passes through the hose and nozzle, forming a blanket that separates the fuel from the oxygen.

Class C fires (energized electrical equipment, electrical fires, and burning wires) are put out using extinguishers based on carbon dioxide or halon. Halon was once used as a reliable, effective, and safe fire-protection agent, but halons deplete the ozone layer, and the 1987 international agreement known as the Montreal Protocol phased out halon production in developed countries (completed in 1994) and in developing countries by 2010. Existing halon systems may remain in service, but carbon dioxide extinguishers have largely replaced halon for new deployments. Carbon dioxide leaves no harmful residue, making it a good choice for an electrical fire on a computer or other electronic device. Keep in mind that it works by displacing oxygen, so a room protected by a carbon dioxide flooding system needs a pre-discharge alarm and evacuation procedure.

Class D fires are fires that involve combustible metals such as magnesium, titanium, and sodium. The two types of extinguishing agents for Class D fires are sodium chloride and a copper-based dry powder.

HVAC

Cooling requirements of computer data centers and server rooms need to be taken into consideration when doing facilities planning. The amount of heat generated by some of this equipment is extreme and highly variable. Depending on the size of the space, age, and type of equipment the room contains, energy consumption typically ranges from 20 to 100 watts per square foot. Newer servers, although smaller and more powerful, may consume more energy. Therefore, some high-end facilities with state-of-the-art technology may require up to 400 watts per square foot. These spaces consume many times more energy than office facilities of equivalent size and must be planned for accordingly. Smaller, more powerful IT equipment is considerably hotter than older systems, making heat management a major challenge.

When monitoring the HVAC system, keep in mind that overcooling causes condensation on equipment, and air that is too dry leads to excessive static. The area should be monitored for hot spots and cold spots: air directly under a vent may be frigid while areas away from the vents remain hot. Water or drain pipes running above the facility are also a concern, because a clogged upper-floor drain can flood the room below; one mitigation is to use a sealed, rubberized floor above the data center or server room. Above all else, timely air-conditioning maintenance is required.

In addition to temperature, humidity should be monitored. Humidity is a measurement of the moisture content of the air. A high level of humidity can cause components to corrode and degrade electrical resistance or thermal conductivity. A low level of humidity makes electrostatic discharge (ESD) more likely, which can damage components. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends optimal humidity levels in the 40% to 55% range.

Shielding

One risk that is often overlooked is electronic and electromagnetic emissions. Electrical equipment generally gives off electrical signals. Monitors, printers, fax machines, and even keyboards use electricity. These electronic signals are said to “leak” from computer and electronic equipment. Shielding seeks to reduce this output. The shielding can be local, cover an entire room, or cover a whole building, depending on the perceived threat. We’re going to look at two types of shielding: TEMPEST and Faraday cages.

TEMPEST is a U.S. government code word; it is often expanded as Transient Electromagnetic Pulse Emanation Standard, although that expansion is an unofficial backronym. It refers to the standards used to limit or block electromagnetic emanation (radiation) from electronic equipment, and its meaning has since grown to include the study of this radiation. Individual pieces of equipment are protected through extra shielding that helps prevent electrical signals from emanating. This extra shielding is a metallic sheath surrounding the connection wires for mouse, keyboard, and video monitor connectors, or a completely shielded case for the motherboard, CPU, hard drive, and video display system. This protection prevents the transfer of signals through the air or through nearby conductors such as copper pipes, electrical wires, and phone wires. You are most likely to find TEMPEST equipment in government, military, and corporate environments that process government or military classified information. Because TEMPEST equipment is costly, shielding an area within a building often makes more sense than shielding individual pieces of equipment.

A more efficient way to protect a large quantity of equipment from electronic eavesdropping is to place the equipment into a well-grounded metal box called a Faraday cage, which is named after its inventor, Dr. Michael Faraday. The box can be small enough for a cell phone or can encompass an entire building. The idea behind the cage is to protect its contents from electromagnetic fields. Figure 12.1 shows an example of a Faraday cage.

Figure 12.1. Configuration of a Faraday cage that completely encloses the contents.


The cage surrounds an object with interconnected and well-grounded metal. The metal used is typically a copper mesh that is attached to the walls and covered with plaster or drywall. The wire mesh acts as a net for stray electric signals, either inside or outside the box.

Shielding also should be taken into consideration when choosing cable types and the placement of cable. Coaxial cable was the first type of cable used to network computers. Coaxial cables are made of a thick copper core with an outer metallic shield to reduce interference. Coaxial cables have no physical transmission security and are very simple to tap without being noticed or interrupting regular transmissions: the electric signal, conducted by a single core wire, can easily be tapped by piercing the sheath. It is then possible to eavesdrop on the conversations of all hosts attached to the segment, because coaxial Ethernet is a shared medium in which every host on the wire sees every transmission. Another concern with coaxial cable is reliability. Because there is no central hub, a single faulty cable can bring the whole segment down, and missing terminators or improperly functioning transceivers can cause poor network performance and transmission errors.

Twisted-pair cable is used in most of today’s network topologies. Twisted-pair cabling is either unshielded (UTP) or shielded (STP). UTP is popular because it is inexpensive and easy to install. UTP consists of eight wires twisted into four pairs. The twisting cancels much of the crosstalk between pairs, but UTP has no shield against outside electromagnetic sources and remains prone to radio frequency interference (RFI), electromagnetic interference (EMI), and some crosstalk.

STP is different from UTP in that it has shielding surrounding the cable’s wires. Some STP has shielding around the individual wires, which helps prevent crosstalk. STP is more resistant to EMI and is considered a bit more secure because the shielding makes wire tapping more difficult.

Both UTP and STP are possible to tap, although it is physically a little trickier than tapping coaxial cable because of the physical structure of STP and UTP cable. With UTP and STP, a more inherent danger lies in the fact that it is easy to add devices to the network via open ports on unsecured hubs and switches. These devices should be secured from unauthorized access, and cables should be clearly marked so a visual inspection can let you know whether something is awry. Also, software programs that can help detect unauthorized devices are available.
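The "software programs that can help detect unauthorized devices" mentioned above usually work by comparing what is actually answering on the segment with the asset inventory. The following is an added example written for this page, not code from the book: it parses ARP-table output and reports any hardware address that is not in the inventory. The ARP lines, the inventory and the asset tags are constructed; the line format mimics `arp -an` on Linux.

```python
# Added example (not from the chapter): detect devices on a LAN segment that
# are not in the asset inventory by parsing an ARP table. The ARP lines and
# inventory below are constructed; the format mimics `arp -an` on Linux.
import re

ARP_OUTPUT = """? (10.0.1.10) at 00:1b:21:3a:4f:10 [ether] on eth0
? (10.0.1.11) at 00:1b:21:3a:4f:11 [ether] on eth0
? (10.0.1.50) at 3c:22:fb:aa:bb:cc [ether] on eth0
? (10.0.1.77) at b8:27:eb:12:34:56 [ether] on eth0
? (10.0.1.1) at <incomplete> on eth0
"""

# Constructed inventory: MAC address -> asset tag.
INVENTORY = {
    "00:1b:21:3a:4f:10": "ws-101",
    "00:1b:21:3a:4f:11": "ws-102",
    "3c:22:fb:aa:bb:cc": "printer-1",
}

# OUIs (first three octets) worth a second look when they show up unexpectedly.
# b8:27:eb is registered to the Raspberry Pi Foundation; single-board computers
# are a common drop-box platform. Extend this table from the IEEE OUI registry.
WATCHLIST_OUIS = {"b8:27:eb": "Raspberry Pi Foundation"}

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def parse_arp(text):
    """Yield (ip, mac) for each resolved entry; <incomplete> entries are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def find_unknown_devices(entries, inventory=INVENTORY, watchlist=WATCHLIST_OUIS):
    """Return [(ip, mac, note)] for every MAC that is absent from the inventory."""
    unknown = []
    for ip, mac in entries:
        if mac in inventory:
            continue
        vendor = watchlist.get(mac[:8])
        note = f"watchlisted OUI: {vendor}" if vendor else "not in inventory"
        unknown.append((ip, mac, note))
    return unknown


def scan(text=ARP_OUTPUT):
    """Parse the table and report unknown devices."""
    return find_unknown_devices(parse_arp(text))


if __name__ == "__main__":
    for ip, mac, note in scan():
        print(f"{ip:<15} {mac}  {note}")
```

In practice the text would come from `arp -an` or `ip neigh` on a host in each segment, or from the switch's MAC address table, and the run would be scheduled rather than manual. Treat the result as a tripwire, not an access control: hardware addresses are trivially spoofed, so an attacker who clones a printer's MAC will not appear here. Port security or 802.1X on the switch is what actually keeps an unknown device off the wire; this check is for noticing when that has been bypassed or misconfigured.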

The plenum is the space between the ceiling and the floor of a building’s next level. It is commonly used to run network cables, which must be of plenum-grade. Plenum cable is a grade that complies with fire codes. The outer casing is more fire-resistant than regular twisted-pair cable.

Fiber was designed for transmissions at higher speeds over longer distances. It uses light pulses for signal transmission, making it immune to RFI and EMI and far more resistant to eavesdropping than copper. Fiber-optic cable has a plastic or glass core, surrounded by another layer of plastic or glass (the cladding) with a protective outer coating. On the downside, fiber is still quite expensive compared to more traditional cabling, it is more difficult to install, and fixing breaks can be costly. As far as security is concerned, fiber eliminates the simple sheath-piercing tap that is possible with coaxial cabling. Tapping fiber requires physical access to the cable and specialized equipment, and it usually introduces a measurable loss of optical power that monitoring can detect. This makes it much more difficult to eavesdrop or steal service.

The Risks of Social Engineering

One area of security planning that is often considered the most difficult to adequately secure is the legitimate user. Social engineering is a process by which an attacker may extract useful information from users who are often just tricked into helping the attacker. It is extremely successful because it relies on human emotions. Common examples of social engineering attacks include the following:

• An attacker calls a valid user pretending to be a guest, temp agent, or new user asking for assistance in accessing the network or details involving the business processes of the organization.

• An attacker contacts a legitimate user, posing as a technical aide attempting to update some type of information, and asks for identifying user details that may then be used to gain access.

• An attacker poses as a network administrator, directing the legitimate user to reset his password to a specific value so that an imaginary update may be applied.

• An attacker provides the user with a “helpful” program or agent, through email, a website, or other means of distribution. This program may require the user to enter logon details or personal information useful to the attacker, or it may install other programs that compromise the system’s security.

Another form of social engineering has come to be known as reverse social engineering. Here, an attacker provides information to the legitimate user that causes the user to believe the attacker is an authorized technical assistant. This may be accomplished by obtaining an IT support badge or logo-bearing shirt that validates the attacker’s legitimacy, by inserting the attacker’s contact information for technical support in a secretary’s Rolodex, or by making himself known for his technical skills by helping people around the office.

Many users would rather ask assistance of a known nontechnical person who they know to be skilled in computer support rather than contact a legitimate technical staff person, who may be perceived as busy with more important matters. An attacker who can plan and cause a minor problem will then be able to easily correct this problem, gaining the confidence of the legitimate user while being able to observe operational and network configuration details and logon information, and potentially being left alone with an authorized account logged on to the network.

Phishing

Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email. Phishing attacks rely on a mix of technical deceit and social engineering practices. In the majority of cases, the phisher must persuade the victim to intentionally perform a series of actions that will provide access to confidential information. As scam artists become more sophisticated, so do their phishing email messages. The messages often include official-looking logos from real organizations and other identifying information taken directly from legitimate websites. The following are the most common phrases used in these messages:

• “Verify your account.” Legitimate businesses do not ask you to send personal information through email.

• “If you don’t respond within 48 hours, your account will be closed.” These messages have an urgent tone so that you’ll respond without thinking.

• “Dear Valued Customer, as part of our continuing commitment to providing excellent service, we require that you update your account.” The generic greeting marks this as a bulk email message.

• “Click the link below to gain access to your account.” The links that you are urged to click appear to be legitimate, but they are not. The visible text looks like the vendor’s website, but the address the link actually points to is fraudulent.

For best protection, proper security technologies and techniques must be deployed at the client side, the server side, and the enterprise level. Ideally, users should not be able to directly access email attachments from within the email application. However, the best defense is user education.
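Several of the indicators listed above can be checked mechanically before a message reaches a user: a sender domain that does not belong to the claimed organization, pressure phrases in the subject and body, and links whose visible text shows one website while the href points to another. The following is an added example written for this page, not code from the book. The message, the bank name, and every domain in it are constructed and refer to no real organization; `TRUSTED_DOMAINS` stands in for whatever list of legitimate sender domains an organization maintains.

```python
# Added example (not from the chapter): flag the phishing indicators listed
# above in a raw email message. The message, the bank name and the domains
# below are constructed; nothing here refers to a real organisation.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_MESSAGE = b"""From: "Example Bank Support" <alerts@examp1e-bank-secure.com>
To: user@example.org
Subject: Verify your account within 48 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Valued Customer, as part of our continuing commitment to service,
please verify your account within 48 hours or it will be closed.</p>
<p><a href="http://login.examp1e-bank-secure.com/verify">https://www.example-bank.com/account</a></p>
</body></html>
"""

# Domains the (hypothetical) real bank actually sends from.
TRUSTED_DOMAINS = {"example-bank.com"}

# Pressure and bulk-mail phrases from the list above, lower-cased.
URGENCY_PHRASES = ("verify your account", "within 48 hours", "will be closed", "dear valued customer")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def link_mismatches(html):
    """Links whose visible text is a URL on a different host than the real href."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text) for href, text in collector.links
            if text.lower().startswith(("http://", "https://"))
            and host_of(text) != host_of(href)]


def urgency_phrases(text):
    """Pressure phrases present in the text, sorted for stable output."""
    lowered = text.lower()
    return sorted(p for p in URGENCY_PHRASES if p in lowered)


def sender_is_untrusted(from_header, trusted=TRUSTED_DOMAINS):
    """True when the From address is not on a domain the organization uses."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    return domain not in trusted


def analyze(raw=RAW_MESSAGE):
    """Parse the raw message and return the three indicator checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    plain = re.sub(r"<[^>]+>", " ", html)  # crude tag strip for phrase matching
    return {
        "untrusted_sender": sender_is_untrusted(str(msg["From"])),
        "urgency": urgency_phrases(str(msg["Subject"]) + " " + plain),
        "link_mismatches": link_mismatches(html),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(f"{name}: {finding}")
```

The link check is the one worth showing users during training: the visible text is exactly the real site, and only the underlying href (shown on hover in most mail clients) reveals the look-alike domain. Note what this does not do: it does not verify the sender with SPF, DKIM or DMARC, and a phisher who avoids these phrases and uses plain link text will pass all three checks, which is why the paragraph above ends with user education as the best defense.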

Hoaxes

Hoaxes were described in Chapter 6, “Securing Communications,” in the “Undesirable Email” section. Although they can cause loss of functionality or introduce security vulnerabilities, their more common cost is that they consume system resources and users’ time. This results in lost productivity and an undue burden on the organization’s resources, especially if many employees respond or forward the message. Security awareness and training programs should alert employees to this type of situation and instruct them not to respond, and policies should spell out what is acceptable. Many organizations do not allow employees to send mass emails for this reason.

Shoulder Surfing

Shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or supermarkets because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password. Shoulder surfing can also be done from a distance with the aid of binoculars, cameras, or other vision-enhancing devices.

The immediate solution to prevent shoulder surfing is to shield paperwork or your keypad from view by using your body or cupping your hand. Biometrics and gaze-based password entry makes gleaning password information difficult for the unaided observer while retaining the simplicity and ease of use for the user.

Dumpster Diving

As humans, we naturally seek the path of least resistance. Instead of shredding documents or walking them to the recycle bin, people often throw them in the wastebasket. Equipment is sometimes put in the garbage because city laws do not require special disposal. Because intruders know this, they scavenge discarded equipment and documents (a practice called dumpster diving) and extract sensitive information from them without ever contacting anyone in the organization.

In any organization, the potential that an intruder can gain access to this type of information is huge. What happens when employees are leaving the organization? They clean out their desks. Depending on how long the employees have been there, what ends up in the garbage can be a goldmine for an intruder.

Other potential sources of information that are commonly thrown in the garbage include the following:

• Old company directories

• Old QA or testing analysis

• Employee manuals

• Training manuals

• Hard drives

• Floppy disks

• CDs

• Printed emails

Proper disposal of data and equipment should be part of the organization’s security policy. It is prudent to have a policy in place that requires shredding of all documents and security erasure of all types of storage media before they may be discarded.

User Education and Awareness Training

Users must be trained to avoid falling victim to social engineering attacks. This should be an ongoing process. Human behavior is difficult, if not impossible, to predict. Some guidelines for information to be included in user training may consist of the following points:

• How to address someone who has her hands full and asks for help getting into a secure area

• How to react to someone who has piggybacked into the building

• What procedure should be followed when a vendor comes into the building to work on the servers

• What to say to a sales representative who is at a customer site doing a demonstration and has forgotten the website password

• What to say to a vice president who has forgotten his password and needs it right away

• What items can and cannot go in the trash or recycle bin and what paperwork must be shredded

• What to do when an administrator calls and asks for a user’s password

As new methods of social engineering appear, training must be updated to cover them. The training should also be scoped by audience, so that management receives a different type of training than general users. Management training should focus on the ramifications of social engineering, such as the liability of the company when a breach happens, the financial damage that can result, and how a breach can affect the reputation or credibility of the company.

Exam Alert

Planning, training, regular reminders, and firm and clear security policies are important when you’re attempting to minimize vulnerabilities created by social engineering.

Exam Prep Questions

1. Which of the following security policies would identify that a user may be fined for using email to run a personal business?

A. Acceptable use

B. Due diligence

C. Due care

D. Separation of duties

2. Which of the following is a well-grounded metal structure used to protect a large quantity of equipment from electronic eavesdropping?

A. TEMPEST

B. Degausser

C. Faraday cage

D. Sonar

3. An attacker offers her business card as an IT solution provider and then later causes a user’s computer to appear to fail. What is this an example of?

A. Reverse social engineering

B. Social engineering

C. Separation of duties

D. Inverse social engineering

4. Which of the following would be defined in an acceptable use policy? (Choose the three best answers.)

A. Detailed standards of behavior

B. Detailed enforcement guidelines and standards

C. Privacy statement

D. Background check consent forms

5. What is the difference between a wet-pipe and a dry-pipe fire-suppression system?

A. A dry-pipe system uses air to suppress fire, whereas a wet-pipe system uses water.

B. A dry-pipe system uses dry chemicals, whereas a wet-pipe system uses wet chemicals.

C. A wet-pipe system has water in the pipe at all times, whereas in a dry-pipe system water is used but is held back by a valve until a certain temperature is reached.

D. A wet-pipe system uses wet chemicals that deploy after the pipe loses air pressure, whereas a dry-pipe system uses dry chemicals that deploy before the pipe loses air pressure.

6. When implementing a policy on the secure disposal of outdated equipment, which of the following needs to be considered? (Choose all that apply.)

A. Breaches of health and safety requirements.

B. Inadequate disposal planning results in severe business loss.

C. Remnants of legacy data from old systems may still be accessible.

D. Disposal of old equipment that is necessary to read archived data.

7. Which of the following security policies would require users to take mandatory vacations?

A. Acceptable use

B. Due diligence

C. Due care

D. Separation of duties

8. Which of the following tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed?

A. Incident response

B. Due diligence

C. Chain of custody

D. Due process

9. Which of the following are examples of social engineering? (Choose the two best answers.)

A. An attacker configures a packet sniffer to monitor user logon credentials.

B. An attacker sets off a fire alarm so that he can access a secured area when the legitimate employees are evacuated.

C. An attacker waits until legitimate users have left and sneaks into the server room through the raised floor.

D. An attacker unplugs a user’s network connection and then offers to help try to correct the problem.

E. An attacker obtains an IT office T-shirt from a local thrift store and takes a user’s computer for service.

10. Which of the following best describes the objective of a service-level agreement (SLA)?

A. Guidelines for reporting organizational security breaches

B. Requests for electronic data during federal lawsuits

C. Investigative and analytical techniques to acquire and protect potential legal evidence

D. Contracts with suppliers that detail levels of support that must be provided

Answers to Exam Prep Questions

1. A. Answers B, C, and D are incorrect because they detail individual policies that may detail sanctions if violated, but they would not be used to define the use of company resources.

2. C. To protect a large quantity of equipment from electronic eavesdropping, place the equipment into a well-grounded metal box called a Faraday cage. Answer A is incorrect because TEMPEST describes standards used to limit or block electromagnetic emanation (radiation) from electronic equipment. Answer B is incorrect because a degausser is an electrical device used to reduce the magnetic flux density of the storage media to zero. Answer D is incorrect because sonar is underwater sound propagation.

3. A. Reverse social engineering involves an attacker convincing the user that she is a legitimate IT authority, causing the user to solicit her assistance. Answer B is incorrect because social engineering is when an intruder tricks a user into giving him private information. Answer C is incorrect because separation of duties is when two users are assigned a part of a task that both of them need to complete. Answer D is incorrect because it is a bogus answer.

4. A, B, and C. An acceptable use policy should contain these components: detailed standards of behavior, detailed enforcement guidelines and standards, and a privacy statement. Answer D is incorrect because background check consent forms are part of the employment process and have nothing to do with acceptable use.

5. C. A wet-pipe system constantly has water in it. In dry-pipe systems, water is used but is held back by a valve until a certain temperature is reached. Therefore, answers A, B, and D are incorrect.

6. A, B, C, and D. All these scenarios should be considered when formulating a policy on the secure disposal of outdated equipment.

7. D. Answers A, B, and C are incorrect because they detail individual policies that may detail sanctions if violated, but they would not be used to define that too much power can lead to corruption.

8. C. Chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed. Answer A is incorrect because it describes how an organization responds to an incident. Answer B is incorrect because it describes processes for compliance. Answer D is incorrect because it describes employee rights.

9. D, E. Social engineering attacks involve tricking a user into providing the attacker with access rights or operational details. Answer A is incorrect because packet sniffing is a form of a network security threat. Answers B and C are incorrect because they involve physical access control risks rather than social engineering.

10. D. SLAs are contracts with ISPs, utilities, facilities managers, and other types of suppliers that detail minimum levels of support that must be provided in the event of failure or disaster. Answer A is incorrect because it describes an incident response plan. Answer B is incorrect because it describes the discovery process. Answer C is incorrect because it describes the forensics process.

Recommended Reading and Resources

1. CERT Incident Reporting Guidelines: www.cert.org/tech_tips/incident_reporting.html

2. First Responders Guide to Computer Forensics: www.cert.org/archive/pdf/FRGCF_v1.3.pdf

3. NIST SP 800-61 Computer Security Incident Handling Guide: http://www.nist.org/print.php?plugin:content.42

4. ISO 17799: Code of Practice for Information Security Management: http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm
