Understanding the Basic Security Concepts of Media
Chapter 2 provided details of securing communications on most layers of the OSI model except the Physical layer (layer 1). If an attack is launched against the signal on the wire, hackers might be able to copy information as it flows in the form of bits. This might not be as dangerous if an appropriate software encryption mechanism is employed in the transmission. Depending on the communication medium, hackers might be able to steal either information or bandwidth.
Coaxial cables are made of a core wire with an outer metallic shield used to reduce interference. Often, the shield is made of a metallic Web, with or without an additional metal-foil wrapping surrounding the core conductor. The cable is then surrounded by a plastic covering, called a sheath. Coaxial cables are no longer deployed en masse, but they are still abundant in legacy environments. Two types of coax cables are used: 10BASE-2 and 10BASE-5. On a 10BASE-2 cable, a signal can travel a distance of 185 meters at a speed of 10Mbps before it appreciably attenuates. On a thicker 10BASE-5 cable, signals can travel a distance of up to 500 meters at the same speed.
Because the electrical signal is conducted by a single core wire, someone can easily tap the wire by piercing the sheath. He would then be able to eavesdrop on the conversations of all the hosts attached to the segment because 10BASE-2 coaxial cabling implements broadband transmission technology and assumes many hosts connected to the same wire. Coaxial cable is still popular in campus areas, especially 10BASE-5 (or Thicknet), because of its greater transmission length. Coaxial cables have no physical transmission security and can be easily tapped without interrupting regular transmissions and without detection.
Unshielded twisted pair (UTP) is the main cabling type in LANs today. Seven types of UTP cable are available, but the most popular and widely deployed is category five (CAT5). CAT5E allows transmissions of up to 1Gbps at a distance of 100 meters, and it is made up of eight individual wires twisted in pairs (hence the name). Twisted pairs prevent crosstalk between the wires. UTP has no shielding and is prone to radio frequency interference (RFI) and electromagnetic interference (EMI); however, its installation is relatively simple and its cost low. In half-duplex deployments, only four of the eight wires are used and a device might not simultaneously transmit and receive. In a full-duplex (switched) environment, all eight wires are used: Two pairs are used to send, and the other two pairs are used to receive data. UTP uses RJ45 cable connectors for cable termination and connectivity. UTP is used in Ethernet topologies and is a shared communication medium unless a switch is used, in which case Unicast communications are conducted between the devices involved.
STP is analogous to UTP with a slight modification: It is shielded, which means it can withstand EMI and RFI much better than UTP does. STP is used in token-ring topologies.
Both UTP and STP can be tapped, although it is physically a little trickier than tapping coaxial cable because of the physical structure of STP and UTP cable. The major difference from coaxial cable is the connection method. Whereas coaxial cable runs from computer to computer, twisted pair cabling runs from computer to concentratorhub, repeater, bridge, switch, Multi-Station Access Unit (MSAU), and so on. Therefore, the service is more vulnerable to abuse and theft in those concentration spots. You need to keep concentrators in the server room (if cabling distances permit) or in wiring closets. At a minimum, keep distribution and core devices secured from unauthorized access. At the same time, authorized personnel must have ready access to patch panels, and cables must be clearly marked and available for visual inspection.
Fiber-optic cabling has many advantages over more traditional twisted pair cabling. Fiber is designed for short- and long-range transmissions at speeds higher than 1Gbps. It uses light pulses for signal transmission, making it immune to RFI and EMI. However, some disadvantages are that it is still quite expensive compared to more traditional cabling, it is less forgiving of physical stress, and it is more difficult to install.
As far as security is concerned, fiber cabling eliminates the tapping of electrical signals that is possible in the case of twisted pair and coax. Tapping fiber cable without service interruption and specially constructed equipment is impossible, which makes stealing service or eavesdropping on traffic significantly more difficult.
Infrared, RF, and Microwave
One obvious disadvantage of open-air signal transmission technologies is the lack of clearly defined boundaries. Wired networks have a physical signal path that can be secured. In broadcast, however, it is theoretically possible for anyone to tune a receiver to the frequency of your transmission and eavesdrop on it without anyone knowing about it. In the early days of wireless LAN technologies, it was even possible to use network services without authenticating. All an intruder had to do was to choose a site and do a site survey by scanning the frequency bands to find services. Signal spread spectrum technology made wireless transmission somewhat more secure, but only to a certain point. Frequency-hopping sequences are not secret; instead they are openly published standards.
Know which types of media are susceptible to which types of interference.
The fact that modern wireless facilities have security controls that prevent unauthorized use of the medium and services does not make the open-air medium safe from eavesdropping. IR transmissions are considered safer than radio transmissions because the communicating devices use an invisible light spectrum range and require a direct line of sight with each other. This makes eavesdropping on the communications without being noticed more complicated. But the technology itself is not technically immune to eavesdropping; infrared signals can be recorded using cameras with infrared filters. The only way to be sure of wireless communication security is to use strong authentication algorithms such as PKI and to encrypt all your communications.
Removable media poses a security risk because of two main problems. First, classified or confidential information can be stolen, destroyed, or misused. The loss or exposure of business, financial, or consumer information can cause serious damage to a company's competitiveness or reputation. Second, system, policy, or infrastructure information can give intruders enough information to mount future attacks.
Why do companies use removable media? With the storage density and capacity available today, using removable media might not seem relevant. However, even if a company has a few storage area network (SAN) devices that provide terabytes of storage space, it still needs to back up its files and databases. Remember, offsite storage of backups is a crucial part of a disaster recovery plan. The second reason that some companies might still have large amounts of sensitive information on removable media is because they have relied on removable media at some point in the past to control access or provide additional storage and the media has not been disposed of yet.
Various types of removable media include tape, CD-R, hard drives, flash cards, and smart cards, and they are covered in detail in the following sections.
Tape devices use magnetic storage and are extremely popular in backup technologies because of the amount of data that can fit on a storage unit (tape). It is the medium of choice for backing up mission-critical systems that often contain sensitive customer information, databases, and files. Tape backups are also widely used to back up system configuration and account information, which means they often contain system Registry and network user account databases.
Several backup types can be employed in disaster recovery strategies, and they are not specific to tape devices. (See Chapter 7 for full coverage on backups.) For the purposes of this discussion, the security person needs to be aware of the most popular backup strategies, which are as follows:
Full backupContains the entire set of data being backed up and is most sensitive to theft because the information it contains is readily available in full.
Incremental backupWorks with the full backup and does not contain a full copy of the information. Instead, it contains all the information that was modified between the time of the incremental backup and previous incremental or full backup. In case of theft, incremental information taken out of context might or might not represent value to the offender, but it certainly represents risk to the company.
Differential backupSimilar to incremental, with the only difference being that the archive flag is not reset after the differential backup is run. This causes every differential backup to copy information changed since the last full backup, regardless of when the last differential backup was made. This backup strategy is more risky in respect to theft because larger chunks of sequential data can be stored on tape the further away from the last full backup it gets.
Copy backupVery similar to a full backup in that it takes a complete snapshot of the system at the time of backup. The only difference between copy backup and full backup comes into play in database environments where transactional logging is employed. A copy backup takes a copy of the system as it is running at that moment, whereas a full backup commits the logs to the database first and then backs up the database. From a security perspective, the loss of a tape with a copy backup is tantamount to losing a tape with a full backup.
In addition to these backup strategies, companies employ tape rotation and retention policies to have a safety net if something goes wrong.
Backup is just one small part of an overall disaster recovery and contingency plan. Despite obvious security threats, backups must be done on a regular basis for every computer whose physical failure or loss would cause any amount of inconvenience. Every company should determine its own rotation and retention strategies, depending on the needs and nature of the information. Tapes that are going out of rotation and into archive must be stored offsite in safe deposit boxes or similar secure environments. Offsite storage ensures business continuity in the case of natural or manmade disasters. See Chapter 7 for more information.
Recordable or rewritable compact discs (CD-Rs or CD-RWs, respectively) can be used for the same purpose as tape backups in smaller companies where information might not change as frequently or where the volume of information is smaller. However, CDs are typically used for backup or distribution of individual projects to clients, offline content distribution, proprietary software or algorithm transfer, or similar purposes. This does not diminish the sensitivity of the information, and hence protection measures discussed in the previous section apply to CDs as well.
If a CD is no longer useful or is not working correctly, it must be made safe to discard. Formal as well as physical processes can be used to do this.
Disposal of Media
The following three concepts apply to all removable media units:
DeclassificationA formal process of assessing the risk involved in discarding particular information. You should consider all possible situations if this information ends up in the wrong hands, becomes known to the public, and so forth. Is it possible to use it against the company? Is it proprietary? Would it damage the company's market posture or competitive plans? Would it cause litigation or civil or criminal liabilities? If the information being discarded is innocuous or obsolete and therefore does not present any risk to the company, it can safely be declassified if no other threats are uncovered through the risk assessment.
SanitizationThe process of removing the information from the media as fully as possible, making it almost impossible to restore it even for data recovery specialists. Sanitization has no effect on the classification of the information. Depending on the media type, sanitization might or might not apply. To sanitize media, you can use a process such as magnetic degaussing or magnetic overwriting.
DestructionPhysically destroying the media and, therefore, the information stored on it. Other than destruction, there are no safe methods of completely removing all traces of information stored on a removable media device.
Because of the nature of CDs and CD-Rs, sanitization is not applicable to these media, and either declassification or destruction should be used (or both). Concerning destruction, only authorized, cleared personnel should ever have access to the media decommissioned for destruction.
Every company should have media disposal policies in place. It is important to follow company disposal standards and to know what obligations contracts with other companies or agencies impose on media disposal requirements. A listing of Department of Defense media disposal standards can be found at http://www.cerberussystems.com/INFOSEC/stds/sanitize.htm.
Hard Drives and Disks
Hard drives and disks are magnetic media, and in addition to destruction and declassification, sanitization can be used. The processes employed by sanitization are
DegaussingAlso called demagnetizing, it is applicable to magnetic storage devices. Degaussing works by applying a reverse magnetic field to the magnetic media and reducing magnetic density to null. This makes all the previously stored data unreadable. Degaussing is considered very safe.
OverwritingApplicable to magnetic storage devices, it involves an operation of completely rewriting every addressable bit pattern on the media with a single bit pattern (all 0s), verifying that the operation was successful, rewriting the bit pattern again using the opposite bit pattern (all 1s), and verifying again. This process must be repeated as many times as is required by the classification level of the information being sanitized.
Physical Security on Computer Systems Just because systems don't include ports for removable media (such as a caddy for removable hard drives) doesn't mean somebody can't attach such a device. Today, compact USB-based hard disks small enough to fit on a keychain offer up to 2GB of storage space and can conceivably be mounted on any system with a USB port. Not only does this underscore the overwhelming need for physical security on computer systems (thereby denying intruders the opportunity to use such devices), but it also argues that publicly accessible machines should be locked down so that unwanted devices cannot be mounted or used on that equipment.
DisconnectionFor volatile memory devices such as RAM, all sources of power must be disconnected including backup and BIOS batteries and the computing device must be grounded before sanitization is considered complete.
Removal of informationFor laser printers and copiers on which a large amount of declassified information is printed and copied, you need to remove traces of the classified information from the drums for the device to be considered sanitized.
Flashcards and Nonvolatile Memory
Flashcards and EEPROM devices are contained in many devices of varying sizes and purposes and can contain traces of classified or confidential information, such as customer data in the case of flashcards or proprietary software in the case of EEPROM. Companies should consider sanitizing or destroying these components when upgrading or discarding equipment.
Smart cards are widely used in cell phones and mobile devices to store customer ID information for providers to identify their subscribers in the network. They also store a personal phone book, Short Message Service (SMS) messages, and a log of incoming and outgoing calls. In corporate computing requirements, smart cards are replacing conventional username/password authentication mechanisms because they allow personal X.509 digital certificates to be used for user authentication and network logon purposes. Remember from the encryption discussion in Chapter 2 that digital signatures are impossible to forge and X.509 certificates are used in digital signing. Therefore, the company must be extremely vigilant regarding how these smart cards are used, distributed, and serviced. A single lost or stolen card can pose a company-wide risk of an intruder gaining unauthorized access to the site.
Smart cards often carry employee and company credentials printed on them, which makes identifying the target easy. Clearly, the right smart card in the wrong hands is a recipe for disaster. Therefore, companies must institute and enforce extremely strict smart card policies that make employees treat these identification devices with extreme caution and report lost or stolen cards immediately. Administrators, in turn, can revoke issued certificates or disable user accounts, making the smart card a piece of useless plastic.
Know the types of removable media and the security risks involved with each.
Another area of concern for the company in this case is disgruntled employees and headcount reduction. A process must be in place to ensure that all employees leaving the company relinquish their cards in a timely fashion. Administrators can then put the certificates stored on the cards on the revocation list and reprogram the cards to issue to new employees.