
Ethical Hacking and Countermeasures v6 module 21 physical security


Ethical Hacking and Countermeasures Version 6

Module XXI: Physical Security

Exam 312-50

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Real World Scenario

Michael, a practicing computer security consultant, was asked to do a physical security test by the Chief of a well-known database firm. Their database was considered to have a major competitive edge. They believed their systems were secure, but wanted to be sure of it.

Michael went to the firm on the pretext of meeting its Chief. Before entering the lobby, Michael had driven around the building and checked for loopholes in the physical security, where he could easily slip into the building.

He walked to the loading bays, up the stairs, and proceeded through the warehouse, to what was an obvious entrance into the office building. Michael also knew of the location of the computer room. He took the elevator down, and entered the room, which was secured with cipher locks and access cards. He went straight to the tape racks. There, he studied the racks, as if looking for specific information. He grabbed a tape with an identifier that looked something like ACCT95QTR1.

The entire process lasted no more than 15 minutes.

During that time, Michael breached their physical security by entering the building and taking a tape.

Source: www.miora.com/articles/awareness.htm

Michael is a practicing computer security consultant. A well-known firm was believed to have one of the largest databases of information about a certain topic. That database was considered the firm’s major competitive edge. The people in the firm believed their systems were secure, but still asked Michael to

presence. He even stopped to chat with a few employees. Then he walked through the warehouse to what was an obvious entrance to the office area.

He walked purposefully, yet not too quickly. The door could be accessed via a key card that Michael did not have. When someone entered the warehouse from the office area, Michael walked towards the door, and the employee, who had swiped his access card, politely held the door for Michael.

Michael knew the location of the computer room. He took the elevator down. There was the computer room, with cipher locks and access cards guarding every entrance. As he walked towards the door, another polite employee held the door for him. Michael nodded and entered. He went straight to the tape racks. There, he studied the racks, as if looking for specific information. He grabbed a tape with an identifier that looked something like ACCT95QTR1. He tucked the tape under his arm, exited the room, and took the elevator to the second floor. There, looking lost and confused, he asked someone for the location of Jack's office. They said his office was exactly where he was, but one floor up. He went there, sat in Jack’s office, and waited. A few minutes later, Jack walked into his office and saw Michael. They had never met, but he knew who Michael was.

The entire escapade lasted no more than 15 minutes. In that time, Michael had breached their physical security by entering the building and taking a tape. He also could have used Jack's computer to browse their internal network, since he had left the computer logged on with no screen saver. The tape that Michael had in his hand was obviously an accounting tape, containing information for the first quarter of the year.

Not all evaluations begin this way, but most organizations have vulnerabilities as obvious as this one. If it isn't a physical security problem, it is a logical one or a security management problem.

News

Source: http://www.bdafrica.com/

The business community of Kenya has decided to make major modifications to its security model because of increased looting and damage to property during the post-poll violence.

Security companies and the business community said that the new models include security measures to secure business premises and new technologies to monitor them. Ken Wood, the managing director of GS4, said that premises access controls in Kenya are very “weak”, which allows unwanted people to enter business premises. He also said that companies should set up more effective, high-quality closed-circuit television cameras (CCTVs). The Nairobi Central Business District Association (NCBDA) is also installing CCTV cameras along the city streets to prevent crime. The chief executive officer of the NCBDA, Wangui Muchiri, said that crimes have reduced to zero percent due to the installation of cameras in areas. The association intends to appoint all partners, including security companies and police, to install CCTV cameras in the city. In Johannesburg, South Africa, crimes have reduced 60% due to the installation of CCTV cameras.

Module Objective

Physical security is as important as network security. Until now, most firms seem to concentrate more on network security, overlooking the loopholes in physical security of the organization’s environment. There has been an increase in laptop thefts across the globe. The importance of securing computing assets physically cannot be overemphasized. The importance of physical security must be communicated to employees through appropriate security policies. This is necessary to avoid any data tampering or unauthorized access to the systems. This module will look into the details of physical security, and advocate measures to strengthen physical security.

This module will familiarize you with:

• Security Statistics
• Physical security
• Need for physical security
• Factors that affect physical security
• Physical Security checklist
• Locks
• Wireless Security
• Laptop Thefts
• Mantrap
• Challenges in Ensuring Physical Security
• Spyware Technologies
• Countermeasures

Module Flow

• Security Statistics
• Need For Physical Security
• Factors Affecting Physical Security
• Physical Security
• Wireless Security
• Physical Security Checklist
• Locks
• Mantrap
• Countermeasures
• Spyware Technologies
• Laptop Thefts
• Challenges in Ensuring Physical Security

Security Facts

Computer theft incidents, especially of laptops and notebooks, have been on the rise. This has been largely attributed to a lack of physical security. Users need to be concerned about their responsibility in securing assets physically. Hardware and software security precautions complement each other in keeping a hacker at bay. The software installed on a stolen laptop can be hacked to gain unauthorized access. The following statistics from a survey, carried out on some major companies, illustrate the state of current physical security measures implemented across the industry:

• Receive alarm communications - 28%
• Access control technology with identification cards - 90%
• Companies require visitors to wear a badge or pass that identifies them as a visitor - 93%
• Explosion detection devices - 9%
• Emergency telephones in parking areas - 9%
• Police officers for security - 56%
• Companies use metal detectors to screen employees and visitors - 7%

Source: http://www.aga.org/

The IRS announced that it is now using a secure FTP site, rather than tapes, to send federal tax information. The IRS's 106-page official tax information security guidelines for state agencies state, “Agency employees will return information to the office which is obtained or will make the information undisclosable.” According to the IRS guidelines, “Agency which returns IRS information should use the receipt procedure and should protect the confidentiality during the transport.”

Understanding Physical Security

Since man always had something important to protect, he found various methods of protecting it.

Egyptians were the first to develop a working lock.

Physical security describes the measures that prevent or deter attackers from accessing a facility, resource, or information stored on the physical media.

Physical security is an important factor of computer security.

Major security actions that are involved with physical security are intended to protect the computer from climate conditions, even though most of them are targeted at protecting

to break into it

As long as man has had something important to protect, he has found various methods of protecting it. Egyptians were the first to develop a working lock. To understand physical security, one needs to classify information and assets according to their sensitivity and importance to the organization.

Why do people keep important documents, ornaments, jewelry or even certificates in a bank’s vault? The need of the hour is safety. Everyone wants his/her things to be safe, so why fall behind in securing the workplace?

With the increasing workloads, employees tend to spend more time at the office. Many employees like to personalize their space and systems to make them feel more “at home.” While these enhancements can have a positive psychological effect, they can sometimes be a roadblock to the company’s security.

The following points need to be considered for physical security:

• Prevent attackers from gaining access to data stored in computers
• Physical security is an added layer to computer network security
• Physical security intends to protect the computer not only from climatic conditions, but more commonly, from intruders who use or attempt to use physical force to break into computers

• Physical: Physical measures are taken to secure assets, e.g., deploying security personnel
• Technical: Technical measures are taken to secure services and elements that support Information Technologies, e.g., security for server rooms
• Operational: Common security measures are taken before performing an operation, such as analyzing threats of an activity and taking appropriate countermeasures

Physical security includes the measures to protect personnel, critical assets, and systems against deliberate attacks and accidents. It intends to prevent unauthorized access to information and other assets of a company.

Physical security includes:

o Deploying security personnel for providing security to physical structures
o Installation of access control systems
o Manual checking, fencing of premises, etc.
o Use of access cards at entry and exit points
o Use of pass codes to access system resources

What Is the Need for Physical Security

• To prevent any unauthorized access to computer systems
• To prevent tampering/stealing of data from computer systems
• To protect the integrity of the data stored in the computer
• To prevent the loss of data/damage to systems against any natural calamities

Physical security doesn’t just mean securing systems, but it also involves securing the entire premises, boundaries, workstations, and any other area that may be unique to a company. Physical security provides an added layer of security for networks, by restricting the access of network resources.

The scenario in this module highlights the need for physical security. Michael could easily walk into a supposedly secure company and steal accounting data from the server room. Just placing security guards at key points does not necessarily make an organization physically secure. Often other critical areas are left unattended. Even though Michael was assessing the company’s security infrastructure, something similar could happen if an intruder wanted to steal information or maybe even plant a bomb. Physical security is important:

• To prevent tampering/stealing of data and other valuable information from computer systems
• To protect the integrity of the data stored in the computer
• To prevent loss of data and damage of systems due to natural calamities
• To prevent any unauthorized person from getting into a company’s work area, or into other critical areas, such as the server room, R&D room, and labs
• To prevent dumpster diving, a way of collecting trash with the intent of finding sensitive information such as credit card receipts, tapes, CDs, phone books, and scribbled papers
• As prevention is always better than a cure

Who Is Accountable for Physical Security

People who should be made accountable for the security of a firm, including both physical and information security, are:

• Information systems analyst
• Chief information officer

Physical security is the responsibility of every employee within the organization. Most organizations do not have persons directly accountable for their physical security. If a network is compromised, the system or network administrators are likely to be held accountable, but in case of any breach of physical security, it is difficult to fix accountability. Physical security policies of organizations should fix the accountability for any security breach.

The following persons should be made accountable for a firm’s physical and information security:

• Physical security officer:
o He/she is responsible for any physical security breach
o He/she is responsible for educating the rest of the employees and guards on duty
o He/she has to manually check every minute detail regarding the firm’s physical security

• Safety officer:
o The safety officer looks into the fire protection and safety measures to be taken
o Educating employees and other staff on fire and safety should be of prime concern for this officer. He/she distributes the dos and don’ts for the safety of all employees

• Information systems analyst or security administrator:
o This officer primarily looks into the network security and related issues

• The Chief Information Officer

Factors Affecting Physical Security

The following factors affect the physical security of a firm:

o During civil unrest or a disaster, there is a chance of the systems being mishandled
o Lack of proper security and locks may result in theft of equipment
o Presence of an alert guard within the premises can help prevent such incidents

• Tarpaulins/plastic sheets should be readily available in the system room. Covering computing assets in an emergency may mitigate damage
• Magnetic tapes should be covered to prevent wear and tear
• Fires pose a great threat to security, since they are mostly caused by human error
• Fire alarms and extinguishers should be placed well within reach of employees
• Smoke detectors should be placed on the ceiling and in other locations
• Lightning and thunder cause a sudden power surge and voltage fluctuations, which may damage the systems
• All computer systems should have a UPS (Uninterrupted Power Supply) and/or power stabilizers to protect from lightning and thunder

o Dust reduces a PC's ability to cool down. Even if the computer’s case has never been opened, dust can still get in through the drive openings
o An effective way to remove dust from a CPU is to use compressed air to blow dust away from the motherboard and other components
o Explosions may cause massive destruction of organizations’ assets
o Chemicals which may cause explosions should be stored in an isolated place
o Physical security has to be good in an organization, but terrorist attacks can occur regardless of a building’s security. These attacks are often more disastrous and may jeopardize the survival of an organization. The most tragic example is, of course, the September 11, 2001 terrorist attacks on the World Trade Center and the Pentagon
o The building should be adequately lit at night on all sides
o Only people with proper security clearance should be permitted into the data processing area. Suspicious activities should be reported to local security and/or the concerned authorities

Physical Security Checklist

A physical security checklist acts as a guide for assessing an organization’s physical security posture. It is developed on the basis of the physical security policies implemented in the organization. Physical security checklists should cover all areas and means that can be used to access the organization’s sensitive information and infrastructure.

A physical security checklist includes:

• Company surroundings
• Premises
• Reception
• Server
• Workstation area
• Wireless access points
• Other equipment, such as fax, and removable media
• Access control
• Computer equipment maintenance
• Wiretapping
• Remote access

Physical Security Checklist: Company Surroundings

The entrance to the company premises should be restricted to only authorized access.

Physical security checklist for securing a company’s perimeter includes:

o Fences can be used as a deterrent
o A high security installation should contain two fences—an outer and inner fence, each between 15 and 30 feet high
o Gates are an additional level of protection
o Gates can be used to filter visitors coming in and leaving the premises
o Electronic gates can be used as they cannot be opened manually
o Walls are basically used to separate various areas
o Guard dogs behind the walls of a facility can provide additional protection, if needed
o Guards are of two types: in-house (company paid guards) and contract guards

Contract guards are less reliable, since they do not work for the company, and if they commit a mistake they may simply be transferred to another site. In-house guards know the facility

Gates


Security Guards

Physical Security Checklist: Premises

Premises can be protected by:

• Installing intruder systems
• Installing panic buttons
• Installing burglar alarms
• Windows and door bars
• Deadlocks

Physical security checklist for protecting the company’s premises includes:

• Checking for roof/ceiling access through AC ducts
o There is a chance of an intruder getting in through such ducts
o CCTV cameras help in analyzing the events of the day, in case something suspicious happened
o CCTV cameras provide real time monitoring of the premises. Their presence can act as a deterrent
o The only drawback of these cameras is that their usefulness depends on the personnel monitoring them

• Installing intrusion detection systems
o Intrusion detection systems should be placed in sensitive locations such as the server room, laboratory, and testing room

• Interior motion sensors can be used to detect an intruder inside the premises
• Ultrasonic detectors operate at very high frequencies that the human ear cannot hear. The difference between an intruder detection system and other warning systems is that the alarm for the intrusion detection system is triggered when someone tries to enter a restricted area whereas

Some instruments are fitted with burglar alarms, so that if anyone tries to remove them physically, or touches them, they send a signal in the form of a loud siren, thus alerting Security.

o Windows and door bars are the most basic form of room security
o This type of security has been in use for centuries

Physical Security Checklist: Reception

The reception area is supposed to be a busier area than other areas of the firm, with the number of people entering and exiting.

The reception area can be protected by:

• Files and documents, removable media, etc. should not be kept on the reception desk
• Reception desks should be designed to discourage inappropriate access to the administrative area by non-staff members
• Computer screens should be positioned in such a way that people cannot observe the screen near the reception desk
• Computer monitors, keyboards, and other equipment at the reception desk should be locked whenever the receptionist is hours

Reception is usually a busy area with a large number of people coming and going. Often this area also has a seating area for visitors. This area is an important place for a person who wants to learn about the office staff and the company’s activities. A person can be seated in the waiting area on the pretext of meeting someone, and eavesdrop on the conversations taking place in the reception area.

The reception area can be protected in the following ways:

• The seating arrangement for visitors should be at a safe distance, so that the person sitting in the waiting area cannot overhear conversations at the reception desk
• A person sitting in the waiting area for an unusually long period should be questioned about his or her purpose. If the person’s response cannot be verified (e.g., he or she is waiting for such-and-such an employee), the person should be asked to leave for security reasons
• Files and documents, removable media, etc. should not be kept on or near the reception desk
• Reception desks should be designed to discourage attempts by non-staff members to inappropriately gain access to the administrative area
• Computer screens should be positioned in such a way that people near the reception desk are not able to see them easily
• Computer monitors, keyboards, and other equipment at the reception desk should be locked whenever the receptionist moves away from the desk and should be logged off after office hours

Physical Security Checklist: Server

The server, which is the most important factor of any network, should be given a high level of security. The server room should be well-lit.

The server can be secured by the following means:

• Server should not be used to perform day-to-day activities
• It should be enclosed and locked to prevent any physical movement
• DOS should be removed from Windows Servers, as an intruder can boot the server remotely by DOS
• Booting from the floppy disk and CD-ROM drives on the server should be disabled or, if possible, avoid having these drives on the server

The server is the most important component of any network, so it should have a higher level of protection. The server room should be well lit. High-end configuration should be used for servers so that they can sustain the overload due to continuous uptime.

The server can be secured by the following means:

• Servers should not be used to perform day-to-day activities
• Booting from floppy and CD-ROM drives on the server should be disabled, and if possible these drives should be removed from the server
• Some system administrators have a habit of labeling the server and other systems in the server room. These labels sometimes have the Operating System’s name and hardware specification. This is not wise, as anyone who passes through the server room can get details about the server and other devices. If an attacker gets this information, he or she does not have to go through the tiresome process of foot-printing

Physical Security Checklist: Workstation Area

This is the area where a majority of employees work. Employees should be educated about physical security.

The workstation area can be physically secured by taking the following steps:

• Use CCTV
• Screens and PCs should be locked
• Workstation layout design
• Avoid removable media drives

It is common for both large and small companies to have areas where the majority of employees work. Often each of these employees has an individual cubicle. Employees need to be educated on such points as how to secure their desktops to prevent any kind of intrusion. Employees like to personalize their workstations as well as their PCs, but they need to be educated on how to secure this personal space. People tend to scribble their passwords, personal information, IP addresses, or telephone numbers on whiteboards, post-it notes, pads or pieces of paper. This should be discouraged, since attackers can easily obtain this information as well as critical information regarding the LAN and the company by going through dumpsters or by other means. Address books, company policies, reminders, User IDs, etc. should be kept away from the reach of others.

The workstation can be physically secured in the following ways:

employees

• Workstation cubicles should be designed in such a way that employees cannot see each other’s terminal screens
• Removable media drives should be avoided on workstations, to the extent possible. Only one workstation per row should have such drives, and that particular workstation should not be used for any other purpose

Physical Security Checklist: Wireless Access Points

If an intruder successfully connects to the firm’s wireless access points, then he is virtually inside the LAN like any other employee of the firm.

To prevent such unauthorized access, the wireless access points should be secured:

• WEP encryption should be followed
• SSID should not be revealed
• Access points should be password protected to gain entry
• Passwords should be strong enough so that they cannot be easily cracked

To prevent such unauthorized access, the wireless access points should be secured. The following guidelines should be followed:

• WEP encryption should be employed (WEP for open access; use WPA and VPN for better encryption)
• Access points should be password protected
• Passwords should be strong enough that they cannot be cracked easily

Physical Security Checklist: Other Equipment, Such as Fax, and Removable Media

• Faxes obtained should be filed properly
• Modems should not have auto answer mode enabled
• Removable media should not be placed in public places, and corrupted removable media should be physically destroyed

Equipment such as fax machines, removable media, etc. can be physically secured in the following ways:

• Fax machines near the reception area should be locked in the absence of the receptionist
• Telephones in the reception area should not be left unattended
• Proper checks should be carried out to make sure telephones are not wiretapped
• Telephones should be locked, requiring a PIN code to unlock for dialing, as well as physically locked by placing a guard on the keypad
• There should not be any kind of labeling of instruments that don’t typically have removable media
• Faxes received should be filed properly
• Multifunctional devices such as scanners, fax machines, printers, and copiers should not be easily accessible
• Removable media should not be openly displayed in public places
• Physically destroy corrupted removable media, e.g., by burning or shredding

Physical Security Checklist: Access Control

Access control is used to prevent unauthorized access to any sensitive operational areas.

The types of access controls are:

• Separation of work areas
• Biometric access control
• Entry cards
• Man traps
• Faculty sign-in procedures
• Identification badges

Access control must be used to prevent unauthorized access to any sensitive operational area.

The various types of access control are:

Every department must have a separate work area to maintain control over access, and to follow security policies. This also ensures the easy identification of employees and the departments for which they work.

• Biometric access control:

According to http://www.jiskha.com/science/biology/biometrics.html, biometric access control refers to technologies for measuring and analyzing human physiological characteristics such as fingerprints, eye retinas and irises, voice patterns, facial patterns, and hand measurements for authentication purposes.

Faculty sign-in procedures record information regarding an employee’s entry and exit.

These are used for internal verification and identification of employees.

According to www.whatis.com, “Biometrics is the science and technology of measuring and statistically analyzing biological data.”

Biometric devices consist of a reader or scanning device, software that converts the scanned information into digital form, and a location for the data to be analyzed; for instance, a database that stores the biometric data for comparison with previous records.

Physical Security Checklist:

Biometric devices consist of a reader or scanning device, software that converts the scanned information into digital form, and a database that stores baseline biometric data for comparison with new data.

Some biometric techniques are:

• Ridges and furrows on the surface of a finger, which are unique, are used to identify a person
• Retinal scanning: Identifies a person by analyzing the layer of blood vessels at the back of the eye
• Vein structure: Thickness and location of veins are analyzed to identify a person

Biometric devices used for access control are as following:

o It is the oldest form of identification in biometrics

o All individuals have unique, immutable fingerprints

o Biometric fingerprinting was developed as a replacement for passwords, ID cards, or other methods of controlling access to computers, buildings, rooms, and other areas in need of secure access


o The human eye’s iris has a unique random pattern of textures and pigments

o Iris scans are beginning to be implemented in many areas, including for:

o This type of verification can be deployed where voice data is already captured

o Voice or speaker verification is a biometric authentication technology well suited for a handful of applications and systems in which other biometric technologies would be difficult to use

o It is a two-step process—identification and verification. Initially, the biometric machine identifies the individual, stores the information, and subsequently verifies the identity of the individual, as needed

o This analysis is employed to analyze the blood vessels in the eye

o It involves a low intensity light source and optical coupler that recognizes the patterns with acute accuracy

o The user is asked to look through a small opening in the device at a small green light. It takes about 10 to 15 seconds for the device to recognize and verify the patterns in the eye of the user

Vein structure can also be used as a biometric trait to authenticate a person. The arrangement, location and thickness of veins are considered unique biological traits. These traits are compared with stored data, thus authenticating a person if there is a match

Palm print is a new biometric method to verify a person’s identity. There are two types of features in palm prints:

o Structural features use the lines that can exemplify a palm accurately

o Statistical features use the physical features, but they cannot reveal the structural information of the palm print


This type of scanning is used to verify the individual’s identification on the basis of the user’s signature

o Signature scanning equipment includes an electronic drawing tablet and stylus used to record the direction, speed, and coordinates of a handwritten signature

o It is an automatic technique of scrutinizing the user’s keystrokes on the keyboard. The various characteristics that are used to verify dynamics are speed, pressure, total time taken to type a specific word, and the amount of time taken to hit certain keys

o Keyboard dynamics use different variables: “dwell time” is the amount of time a particular key is held down, and “flight time” is the time interval between keystrokes
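The dwell-time and flight-time comparison described above, as an added example that is not part of the original module. The event format, the z-score matching rule, the threshold of 2.0 and all timing values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def typed(word, dwells, flights):
    """Constructed-sample helper: build (key, press_ms, release_ms) events."""
    events, t = [], 0
    for i, key in enumerate(word):
        events.append((key, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]   # next key goes down after the flight gap
    return events

def features(events):
    """Dwell time per key, then flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = (mean, standard deviation) of each feature over the samples."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]  # floor avoids tiny divisors

def score(template, events):
    """Mean absolute z-score; lower means closer to the enrolled rhythm."""
    vec = features(events)
    if len(vec) != len(template):
        return float("inf")               # different phrase length never matches
    return mean(abs(v - m) / s for v, (m, s) in zip(vec, template))

def verify(template, events, threshold=2.0):
    # Raising the threshold cuts false negatives but admits more false positives.
    return score(template, events) <= threshold

# Constructed enrollment data: one user typing "lock" four times (milliseconds).
TEMPLATE = enroll([
    typed("lock", [95, 110, 100, 105], [140, 120, 160]),
    typed("lock", [100, 105, 95, 110], [150, 115, 170]),
    typed("lock", [90, 115, 105, 100], [145, 125, 150]),
    typed("lock", [105, 108, 98, 102], [135, 118, 165]),
])
GENUINE = typed("lock", [98, 109, 101, 104], [142, 121, 158])    # same rhythm
IMPOSTOR = typed("lock", [60, 70, 65, 60], [300, 80, 250])       # same word, other rhythm

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt))
```

The sketch compares timing only, so it works as a second check layered on a password rather than as a replacement for one.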


Authentication Mechanisms

Something you are:

• Use of biometric techniques such as fingerprints, facial recognition, hand geometry, retinal scan, iris scan, vascular pattern, signature dynamics, and voice dynamics

Something you know:

• Based on the traditional password system

Something you have:

• Includes mechanisms such as challenge-response lists, one-time pads, smart cards, and so on

Something You Are:

Biometric authentication devices test the different characteristics of the human body such as:

Something You Know:

This authentication is based on the user’s knowledge, such as a traditional UNIX password system. Password authentication depends on something you know, which is hard to guess. To make authentication reliable, the user must have a password that cannot be guessed by others. Most people set weak passwords or have a hard time keeping passwords secret. While short passwords are weak, long and strong passwords are difficult to remember

There are two ways to make traditional and memorized passwords non-reusable:


Authentication Mechanism Challenges: Biometrics

Fingerprints can be faked with ease

Face recognition systems can be tricked by masquerade techniques. Signature recognition and hand geometry face the common problem of matching the patterns from a large database, which might lead to a higher number of false positives and false negatives

Retinal scan accuracy can suffer if the user does not focus on a given point for the scan. Iris scan machines are very expensive

Some users object to vascular pattern technology that uses infrared light

Voice dynamics is prone to inaccuracy as it relies on the production of a "voice template" that is compared with a spoken phrase

• Fingerprints can easily be faked. Dirty fingers or cuts on a finger can disturb the matching process

• Face recognition systems can be tricked by masquerade techniques such as hats, beards, sunglasses, and face masks

• Hand geometry algorithms use a limited number of data points, resulting in a higher level of false negatives and false positives than some other types of biometrics

• Retinal systems can be falsified when there is no beam of light illuminated into the eyeball at a fairly close distance

• Some users object to vascular pattern technology that uses infrared light

• Voice dynamics is prone to inaccuracy as it relies on the production of a "voice template" that is compared with a recorded voice


Faking Fingerprints

Identify your target whose fingerprint you want to fake

Glasses, door knobs, and glossy paper can be good sources to obtain fingerprints of the target

Use the traditional forensic method to make the fingerprints visible. Sprinkle the outer surface of the glass with colored powder so that it sticks to the fat. Latent fingerprints are nothing but fat and sweat on the glass used by the target


Faking Fingerprints (cont’d)

Photograph the fingerprint and scan the image

Use a professional image editor to work on the scanned image. You need to get the exact image of the fingerprint to use as mold, from which the dummy is made

Take the print of the image on a transparency sheet using a laser printer. Add wood glue to one of the prints on the transparency sheet

Faking Fingerprints (cont’d)

Add a small drop of glycerine to help in the process of making the dummy. Use a roller for letter press printing


Faking Fingerprints

• First, identify the original fingerprints that you are going to forge

• Glasses, doorknobs, and glossy paper can be good sources to obtain fingerprints of the target

• Use the traditional forensic method to make the fingerprints visible. Sprinkle the outer surface of the glass with coloured powder so that it sticks to the fat. Latent fingerprints are nothing but fat and sweat on the glass used by the target

• Take the photograph of that fingerprint and scan the image

• Use a professional image editor to work on the scanned image. You need to get the exact image of the fingerprint to use as a mould to make the dummy

• Take the print of the image on a transparency sheet using a laser printer. Add wood glue to one of the prints on the transparency sheet

• Add a small drop of glycerine to help in the process of making the dummy. Use a roller for letter press printing

• After the glue dries up, it is pulled off the foil, and is cut to finger size

• Theatrical glue is used to glue the dummy onto your finger

• False fingerprint is ready

Physical Security Checklist

Smart Cards

A smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data

This data can be used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use

A smart card contains more information than a magnetic strip card and can be programmed for different applications

According to Whatis.com, a “smart card is a plastic card, about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use.”

It has more information than a magnetic stripe card (memory only) and can be programmed for different applications

• Smart cards provide mobility and improved security by allowing users to carry their digital certificates with them. Passwords that users use on different sites could be different. Digital certificates can be used anywhere on the Internet where user identification is required

• Digital certificates allow users to communicate secretly over the Internet. One needs a Personal Identification Number (PIN) for using a smart card. This makes the smart card more secure, as only the user of the card knows the PIN

• Smart cards get disabled if a certain number of attempts to input the right PIN fail. Personal computers at the office can be protected from unauthorized access using smart cards. Smart cards separate the certificates from the hard drive and ask for a PIN to access the system

• Some smart card readers look similar to a 3.5-inch floppy drive which, when connected to laptops or PCs, allow users to safely access the Internet or corporate data


According to the search security definition, “A security token is a small hardware device that the owner carries to authorize access to a network service”

Security tokens provide an extra level of assurance through a method known as two-factor authentication:

• The user has a personal identification number (PIN) that authorizes them as the owner of that particular device

• The device then displays a number that uniquely identifies the user to the service, allowing them to log in

• Security tokens are physical objects, unlike passwords

• A smart card is accessible via a PIN, whereas a token is used in tandem with a PIN

• Validating users on the network is easy with a security token

• Tokens improve security, lower cost per user, centralize the authentication mechanism, and reduce administrative costs, as well as preventing unauthorized access to services

• If a malicious person other than the user knows the PIN and gets access to the user’s token, he or she can do considerable damage to the network system by tampering with the data or even stealing confidential information
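A server-side view of the two-factor check and the failed-attempt lockout described above, as an added example that is not part of the original module. It assumes the number the token displays is a counter-based one-time password (RFC 4226 HOTP) and that the service checks both the PIN and the code; the module names no algorithm, and the `TokenAccount` class, the limit of three failures and the fixed salt are hypothetical.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the number a counter-based token would display."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenAccount:
    """Server-side record for one user (hypothetical structure)."""
    MAX_FAILURES = 3           # assumed lockout limit; the module gives no number

    def __init__(self, pin: str, secret: bytes):
        self.salt = b"constructed-salt"          # use a random per-user salt in practice
        self.pin_hash = self._hash(pin)          # never store the PIN itself
        self.secret, self.counter, self.failures = secret, 0, 0

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def login(self, pin: str, code: str) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False       # locked: even correct credentials are refused
        # Evaluate both factors, in constant time, before deciding.
        pin_ok = hmac.compare_digest(self._hash(pin), self.pin_hash)
        expected = hotp(self.secret, self.counter).encode()
        code_ok = hmac.compare_digest(code.encode(), expected)
        if pin_ok and code_ok:
            self.counter += 1  # each displayed number is accepted only once
            self.failures = 0
            return True
        self.failures += 1
        return False
```

The lockout limits PIN guessing and the counter rejects a replayed code, but neither helps in the case the last bullet describes, where the attacker holds both the token and the PIN.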


Computer Equipment Maintenance

Appoint a person who will be responsible for looking after the computer equipment maintenance

Computer equipment in a warehouse should also be accounted for

The AMC company personnel should not be left alone when they come for the maintenance of the computer equipment

The toolboxes and the bags of the AMC company personnel should be thoroughly scanned for any suspicious materials that could compromise the security of the firm

companies

• Appoint a person who will be responsible for looking after the maintenance of the computer equipment

• AMC company personnel should not be left alone when they come to the company for maintenance

suspicious materials that could compromise the security of the firm

Source: kropla.com/phones.htm

Wiretapping

You can do a few things to make sure that no one is wiretapping:

• Inspect all the data carrying wires routinely

• Protect the wires using shielded cables

• Never leave any wire exposed

According to www.freesearch.com, wiretapping is the action of secretly listening to other people’s conversations by connecting a listening device to their telephone

According to www.howstuffworks.com, “wiretap is a device that can interpret these patterns as sound”

• There are different types of legal states to record conversations. If one of the parties involved in the conversation has knowledge about the recording, it is called a one-party state. If both parties have knowledge about the recording, it is called a two-party state

• It is illegal to intercept a conversation between two parties without their consent

• Illegal interception can result in a civil case of action for damages under Federal Law

• According to wikipedia.com, “Telephone tapping or wire tapping/ wiretapping (in US) describes the monitoring of telephone conversations by a third party, often by covert means.”

• According to www.howstuffworks.com, a “wiretap is a device that can interpret these patterns as sound.” (Illegal without a court order in US.)

• Wiretapping is a serious offense, but many government agencies use this as a tool to trap criminals

• Some measures to ensure that no wiretapping is being done are as follows:

o Inspect all data carrying wires routinely

o Protect wires using shielded cables


Remote Access

Remote access is an easy way for an employee of a firm to work from any place outside the company’s physical boundaries

Remote access to the company’s networks should be avoided as much as possible

It is easy for an attacker to remotely access the company’s network by compromising the employee’s connection

The data being transferred during the remote access should be encrypted to prevent eavesdropping

Remote access is more dangerous than physical access as the attacker is not in the vicinity and the probability of catching him is less

Remote access company

• Remote access is an easy way for an employee to work from any location outside the company’s physical boundaries

• Remote access to the company’s networks should be avoided, as far as possible

• It is easy for an attacker to access the company’s network remotely by compromising the employee’s connection

• The data flowing during remote access should be encrypted to prevent eavesdropping

• Remote access is more dangerous than physical access, as the attacker is not in the vicinity and there is less likelihood of catching the culprit

• Remote access should be restricted to top employees who have a higher than average level of responsibility within the company

• There should be a separate login for remote access, and the password sent to the server for authentication should be encrypted to avoid sniffers


Lapse of Physical Security

Source: http://www.normantranscript.com/

The physical security of digital devices is as important as Internet security. The antivirus, antispyware, and other security software will not protect you from a thief stealing your laptop. In one incident, a laptop computer and digital camera had been stolen from a high school teacher’s locked filing cabinet.

The source of confusion here was how the locked cabinet had been unlocked. People who are confused by the situation can get this answer on the Internet. For example, take the web site “howstuffworks.com”; this site contains a page home.howstuffworks.com/lock-picking.htm. This site explains the lock-picking process. This is one of the thousands of web pages across the Internet with information on lock-picking.

Date posted: 26/12/2013, 20:36
