Contents Overview 1 Lesson: Determining Threats and Analyzing Risks to Physical Resources 2 Lesson: Designing Security for Physical Resources 8 Lab A: Designing Security for Physica
Trang 1Contents
Overview 1
Lesson: Determining Threats and
Analyzing Risks to Physical Resources 2
Lesson: Designing Security for Physical
Resources 8
Lab A: Designing Security for Physical
Resources 15
Module 5: Creating a Security Design for Physical Resources
Trang 2and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property
2002 Microsoft Corporation All rights reserved
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries
The names of actual companies and products mentioned herein may be the trademarks of their respective owners
Trang 3Instructor Notes
In this module, students determine threats and analyze risks to physical resources in an organization They then learn how to design security for facilities, computers, mobile devices, and hardware Students will also learn about implementing disaster recovery as a way to protect physical resources This module focuses on access to and protection of physical resources Other modules will focus on access to and protection of data
After completing this module, students will be able to:
Determine threats and analyze risks to physical resources
Design security for physical resources
To teach this module, you need Microsoft® PowerPoint® file 2830A_05.ppt
It is recommended that you use PowerPoint version 2002 or later to display the slides for this course If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides may not be displayed correctly
To prepare for this module:
Read all of the materials for this module
Complete the practices
Complete the lab and practice discussing the answers
Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD
Visit the Web links that are referenced in the module
Trang 4How to Teach This Module
This is the first module that deals with the building phase of the Microsoft Solutions Framework (MSF) mentioned in Module 2, “Creating a Plan for Network Security.” Modules 5 through 11 of this course involve designing security responses to the threats and risks presented in each module
Many IT professionals do not regularly consider the physical nature of their network Explain to students that they must consider any threat that encroaches upon the perimeter of their network when designing security Entrances such as doors, windows, and even loading docks all provide attackers with potential entry to their networks
Lesson: Determining Threats and Analyzing Risks to Physical
Resources
The structure of this lesson, and of this module in general, will be repeated in Modules 5 through 11 of this course The first lesson deals with threats and risks, the second lesson with designing security responses to those threats and risks
This slide is presented in several other modules It is not meant as a realistic network, but as a conceptual picture to represent different parts of a network Use the slide to explain the concepts and as a springboard for conversation For example, ask students what’s missing
This page is intended simply to give examples of vulnerabilities To elaborate attacks, draw upon your own experiences The next page deals with common vulnerabilities, so try not to skip ahead
Explain the threats, but do not discuss how to secure against them The second lesson in the module covers that topic
Walk students through this exercise, which involves a simple quantitative risk analysis Ensure that students realize this is a simple exercise to prevent them from becoming distracted by real-world details that were omitted for the sake of brevity, such as depreciation of hardware
Trang 5Lesson: Designing Security for Physical Resources
This section describes the instructional methods for teaching this lesson
You can mention threats to radio frequency emanations from monitors and keyboards in the context of physical security
Emphasize that students must ensure that their backup media is secured sufficiently Also, explain that if students maintain cold spares and facilities, they must ensure that those resources are kept up to date with the latest firmware and other required updates
Answers may vary Use the security responses that students give to generate classroom discussion
Use this page to review the content of the module Students can use the checklist as a basic job aid The phases mentioned on the page are from MSF Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module, and then they must design security responses to protect the network
Assessment
There are assessments for each lesson, located on the Student Materials compact disc You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning
Lab A: Designing Security for Physical Resources
To begin the lab, open Microsoft Internet Explorer and click the name of the lab Play the video interviews for students, and then instruct students to begin the lab with their lab partners Give students approximately 30 minutes to complete this lab, and spend about 15 minutes discussing the lab answers as a class
This module uses Microsoft Visio® documents to display building information about Contoso Pharmaceutical’s Geneva site If students in your class are unfamiliar with Visio, spend a few moments explaining how Visio works
Before you conduct the lab, be sure to look at the Visio documents located in the Building Diagrams folder in the lab Use the answers listed in the Lab section of this module to guide classroom discussion
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course
Methods for Securing
Trang 6Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware
This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization
The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks
Trang 7Overview
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
In this module, you will determine threats and analyze risks to physical resources in an organization You will then learn how to design security for facilities, computers, mobile devices, and hardware You will also learn about implementing disaster recovery as a way to protect physical resources
This module focuses on access to and protection of physical resources Other modules will focus on access to and protection of data
After completing this module, you will be able to:
Determine threats and analyze risks to physical resources
Design security for physical resources
Introduction
Objectives
Trang 8Lesson: Determining Threats and Analyzing Risks to
Physical Resources
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
If an attacker can gain access to physical resources, such as computers, buildings, and server closets, he can easily penetrate your network and access your organization’s confidential or secret information Securing physical access requires diligence and awareness of threats that an attacker can easily perform
on unsuspecting employees
After completing this lesson, you will be able to:
Describe physical resources to protect
Explain why physical security is important
List threats to physical security
Introduction
Lesson objectives
Trang 9Physical Resources to Protect
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
The key to securing physical resources is to secure access to those resources Most of the protection on a computer or network is provided by software If an attacker can gain physical access to a computer or network, there is generally little stopping the attacker from penetrating your network
You should physically secure access to your organization for:
Buildings
Secure areas in buildings
Physical data links
Trang 10Why Physical Security Is Important
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Without proper physical security of a building, an external attacker could enter
a facility unnoticed, locate an unattended computer, and load a Trojan horse application that sends keystrokes, including passwords, to a location on the Internet
Without proper physical security of a server room, an internal attacker could enter the room and extract an account database from a server by using a boot startup disk or CD The attacker could then perform a brute force attack on the password hashes in the database and access confidential data from user accounts
External attacker
scenario
Internal attacker
scenario
Trang 11Common Threats to Physical Security
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
In addition to the common threats listed in the slide, consider places where the physical security of your network is not under your direct control For example, wireless networks often expand the physical control of your data link for up to one mile from the location of the access point Or, your organization may share space for data wiring with other organizations, or share entrances and exits to your offices, such as in leased office buildings
Key points
Trang 12Practice: Analyzing Risks to Physical Security
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Your company has issued to the sales staff 50 portable computers with confidential information The sales staff uses the portable computers at customer sites and trade shows Because the sales staff rarely has Internet access at these locations, they must maintain the information on their hard disks
The replacement cost of a lost or stolen portable computer is $3,000 The cost that is associated with disclosure of information on a portable computer is estimated to be $12,000, and the loss of productivity from a stolen portable computer is estimated to be $5,000 Based on statistics from previous years, the company projects that four portable computers will be stolen next year
Senior management has proposed two risk management strategies:
Install hardware alarms Each alarm will cost $175 per portable computer
and is estimated to reduce by one the number of computers stolen
Educate users about how to secure their portable computers Training will
cost $350 per user and is estimated to reduce by two the number of computers stolen
Implementing both strategies will reduce by three the number of stolen portable computers
Introduction
Trang 131 Based on the previous information, what is the Single Loss Expectancy (SLE), or total amount of revenue that is lost from a single occurrence of the risk?
$3,000 + $12,000 + $5,000 = $20,000
2 What is the Annual Loss Expectancy (ALE), or total amount of money that your organization will lose in one year if nothing is done to mitigate the risk?
$20,000 x 4 = $80,000
3 Subtract the cost of each risk management strategy from its estimated savings Based on the results, which of the risk management strategies would you recommend?
Alarms: 50 portable computers x $175 = $8,750 By reducing by one the number of portable computers stolen, this countermeasure would save the company $11,250 annually ($20,000 – $8,750 = $11,250)
User education: 50 portable computers x $350 = $17,500 By reducing
by two the number of portable computers stolen, this countermeasure would save the company $22,500 annually
($40,000 - $17,500 = $22,500) Both: 50 portable computers x $525 = $26,250 By reducing by three the number of portable computers stolen, together these countermeasures would save the company $33,750 annually
($60,000 – $26,250 = $33,750) Because the costs of implementing hardware alarms and user education are less then the ALE, consider implementing both strategies
4 What are some other considerations when choosing either of the risk management strategies?
Examples may include: Users may not use the locks properly or at all; users may lose the locks, which increases costs; users may not have time
to attend training
Questions
Trang 14Lesson: Designing Security for Physical Resources
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
To secure physical resources, you must secure the computers on your network and the access to them from your office or facility Portable computers in particular require special consideration due to their vulnerability to theft or misplacement You must also consider how your organization will recover network operations from a physical disaster, such as a fire or flood
After completing this lesson, you will be able to:
Describe methods for securing facilities
List methods for securing access to computers
Explain methods for securing portable computers and mobile devices
List considerations for recovering from disaster
Introduction
Lesson objectives
Trang 15Methods for Securing Facilities
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Many methods exist for securing access to facilities Balance the cost of each method with the security that it provides To protect entrances, for example, you can require employees to use either keys or electronic badges Electronic badges are more expensive than keys, but they provide much greater security Electronic badges are very difficult to copy, you can centrally manage the security level of electronic badges, and you can review detailed access reports
In addition to securing entrances and exits of facilities, ensure that you protect access to information inside facilities An internal attacker who finds an unused
or forgotten network connection could potentially obtain information about your internal network If data cables are accessible, attackers can tap into them
or attach listening devices that gather network data
Not all information is electronic For example, an attacker could read valuable information from whiteboards in conference rooms by looking through windows or entering the room after a meeting has ended Although the probability of this occurring may be low, the cost of erasing the whiteboards is minimal
Key points