
Content: Physical Security of Facilities and IT Infrastructure Rooms (Layer 1)

This document summarizes security measures at different layers of an information systems model. It discusses physical security of facilities and infrastructure rooms (Layer 1), including perimeter controls and access restrictions. It then covers protected wire distribution systems (Layer 2), involving securing transmission media. For network security (Layer 3), it discusses firewalls, encryption, public key infrastructure (PKI), and identification/authentication methods like multifactor authentication.

Uploaded by

Ajibade Adedapo

Content

Introduction
Physical security of Facilities and IT Infrastructure Rooms (Layer 1)
Protected Wire Distribution Systems (Layer 2)
Network Security (Layer 3)
Certification, accreditation, oversight and compliance (Layer 9)
In this module we will investigate the security vertical, discovering all the ways security of information
systems is achieved on various layers of the 10 layer model. We will look at specific layers of the rubric
and explore where vulnerabilities can occur, and consider ways to mitigate these vulnerabilities. Students
will be given the opportunity to brainstorm on securing the layers we don't cover in this module.
In the previous module we went down the model, starting at Layer 10, to learn about management of
information systems. In this module we walk up the model from the bottom, starting at Layer 1.

Physical security of Facilities and IT Infrastructure Rooms (Layer 1)


When considering how to secure and protect information systems, the most basic form of protection comes
in the form of protecting the physical structures and the contents inside them from harm. Site location
considerations include protections against natural disaster threats (e.g., flood plain) and man-made
threats (e.g., cold war bunkers). Organizations must consider the protection of the actual facility and any
surrounding infrastructure when protecting critical infrastructure. This especially is true when the facility
houses multiple disparate companies or organizations as depicted in the picture below.

External site perimeter considerations include fences and barricades, perimeter surveillance, gate locks,
pedestrian and vehicle access points (turnstiles, etc.). These can be manned or guarded by access codes
or other automated entrance protection means to mediate access at higher layers. Facility access
considerations include security guards, cleaning crew and visitor control.

Site risks can originate from unforeseen accidental events. Protection of physical facilities against
disasters, whether man-made accidents or natural disasters, needs to be considered. Mitigation
plans to protect against these include disaster recovery plans, redundant data paths, robust duplicated
utility feeds, off-site processing, and onsite and offsite storage backups. Maintaining updated contact
lists and communications plans also helps to coordinate and execute responses when a disaster occurs.
Lastly, cross-training on critical job functions may be needed in case the people who usually perform a
particular activity are not available.

When providing physical security of IT infrastructure rooms, organizations must provide a strategy for
controlled access to physical locations. This includes wire closets, computer rooms, and network
distribution frames. Security of automated infrastructure control covers power/UPS/generators,
cooling systems, and fire control and extinguishing systems. When dealing with secured facilities, TEMPEST
shielding can be employed to control external or internal RF communications for buildings in the case of
classified processing and storage.

Protected Wire Distribution Systems (Layer 2)


Layer 2 protection of information systems infrastructure includes protecting the wiring and connection
mechanisms that pass data and provide access to services. To optimize data security, organizations
should transmit less sensitive information through circuits with lower protection or control and transmit
highly sensitive information through an area of higher protection, including the use of encryption.

Other techniques for protecting transmission media include providing penetration protection of wiring,
including electromagnetic sheathing to protect against leakage of communications and pressurized conduit
to protect against the elements (cold, heat, moisture, etc.). Organizations should also perform regular,
periodic visible physical inspection of conduit to ensure its integrity. Lastly, it is recommended that they
control access to termination areas and provide physical separation of wiring for different levels of
security or sensitivity.

Network Security (Layer 3)


Layer 3 covers the network protocols that enable information systems. The field of network security is
about:

• How intruders can attack computer networks
• How we can defend networks against attacks
• How to design architectures that are resilient to attacks

View the video Mod12_Vid1.m4v found in the module 12 Lecture link


PDF of slides for this lecture is attached to the same Content item as this PDF.

A great deal of information systems operations is reliant on the Internet as a communications mechanism.
However the Internet was not originally designed with much security in mind. The original vision for the
Internet was to provide a group of mutually trusting users attached to a transparent network.
Consequently, Internet Protocol (IP) designers are playing "catch-up" and security considerations are
needed.
Below I give an overview of some of the protection mechanisms and strategies being employed to protect
data and services on the Internet.

Firewalls
Firewalls are computing devices that permit or deny network transmissions based upon a set of rules
encoded in the device. These rules disallow unauthorized access to networks while permitting authorized
communications to pass.

All traffic between external and internal networks should go through the firewall. A firewall ensures only
authorized traffic, as defined by policy, goes in and out. There is typically a zone between the internal and
external routers known as the de-militarized zone (DMZ) where outward-facing services can live.

Types of Firewalls

• Packet filtering firewalls (stateless)
  o Static and dynamic (policy-based filtering)
  o Default permit vs. default deny
  o Filtering IP addresses
  o Filtering ports and protocols
• Application gateway firewalls (stateful)
  o Control external connections
  o Maintains "state" of the connection
• VPN Concentrator
• SSL Tunnel

DMZ (De-Militarized Zone)


A DMZ is a physical or logical sub-network that holds an organization's external-facing data and
services and provides access to them to an untrusted network through the Internet. DMZs play the part
of a secure perimeter network that adds additional layers of security to an organization's local area
networks (LAN). DMZs allow organizations to expose external services without endangering their internal
networks. External users only have access to equipment in the DMZ, rather than any other part of the network.
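
The packet-filtering options listed under Types of Firewalls (filtering on IP addresses, ports and protocols, default permit vs. default deny) and the DMZ described above can be seen together in a small rule evaluator. This is an added example, not part of the original handout; the addresses, hosts and rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

# Constructed addressing plan (assumption): DMZ 192.0.2.0/24, internal LAN 10.0.0.0/8.
ANY, LAN = "0.0.0.0/0", "10.0.0.0/8"
WEB, MAIL = "192.0.2.10/32", "192.0.2.25/32"   # outward-facing DMZ hosts

# Rules for traffic arriving on the external interface, evaluated top to bottom.
RULES = [
    Rule("deny", ANY, LAN, "any", None),    # outsiders never reach the LAN directly
    Rule("permit", ANY, WEB, "tcp", 443),   # HTTPS to the DMZ web server
    Rule("permit", ANY, MAIL, "tcp", 25),   # SMTP to the DMZ mail relay
]

def matches(rule, src, dst, proto, dport):
    """Stateless match: only this packet's own header fields are examined."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def decide(rules, packet, default):
    """First matching rule wins; `default` applies when nothing matches."""
    for rule in rules:
        if matches(rule, *packet):
            return rule.action
    return default

def unlisted_traffic(rules, packets):
    """Packets no rule mentions: blocked by default deny, passed by default permit."""
    return [p for p in packets
            if decide(rules, p, "deny") != decide(rules, p, "permit")]

# Constructed sample packets: (source, destination, protocol, destination port).
PACKETS = [
    ("203.0.113.7", "192.0.2.10", "tcp", 443),   # web request to the DMZ
    ("203.0.113.7", "10.1.2.3", "tcp", 445),     # direct attempt at a LAN host
    ("203.0.113.7", "192.0.2.10", "tcp", 22),    # SSH to the DMZ web server
]
```

Running `unlisted_traffic(RULES, PACKETS)` returns only the SSH packet: nobody wrote a rule for it, so its fate depends entirely on the default, which is why default deny is the safer baseline.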

Network Security (Encryption)


As we saw in Layer 2, securing the physical medium of transport for data is important to information
systems security, but since a large portion of traffic travels across public networks (the Internet) it is
important to secure data when it leaves the boundaries of an organization and travels to its destination.
This moving data is referred to as data in transit. Encrypting data in transit helps to secure it, as it is often
difficult to physically secure all access to networks.

Encryption is the process of transforming information using an algorithm, known as a cipher, to make it
unreadable to anyone except those possessing special knowledge. Rendering encrypted data readable is
accomplished by applying a key to the data. The result of applying this algorithm is encrypted information,
also known as ciphertext.

Fig. vii

Encryption has long been used by militaries and governments to facilitate secret communications, but is
now commonly used in protecting information within many kinds of civilian systems. Any data transmitted
in the open is a candidate to be protected by encryption. Encryption is used to protect data being
transferred via networks (e.g. the Internet, e-commerce), mobile telephones, wireless microphones,
wireless intercom systems, Bluetooth devices and bank automatic teller machines.

There are 2 types of cryptology, Symmetric and Asymmetric. In Symmetric cryptology, the encryption key
and decryption key are identical. This is "Classic" cryptography. This typically takes the form of some
combination of substitution and permutation. Examples include most Government Cryptographic
Systems, DES, and AES.

With Asymmetric cryptology, the decryption key cannot be derived from the encryption key. Public key
encryption describes a cryptographic system requiring two separate keys, one to lock or encrypt the
plaintext, and one to unlock or decrypt the ciphertext. Neither key will do both functions. One of these
keys is published or public and the other is kept private.

Public Key cryptology was invented in the mid-1970s and is typically based on a hard mathematical
problem. Examples include Diffie-Hellman and RSA.

Fig. viii
Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to
create, manage, distribute, use, store, and revoke digital certificates that support public key cryptology.

Digital Certificate

Digital Certificate Contents

A digital certificate is signed by the Certificate Authority (CA). Everyone has the public key of the CA
and uses it to verify the certificate and obtain the name and public key of the person or company they
need to deal with.
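
The CA relationship described above can be traced in code: the CA signs a name-to-key binding with its private key, and anyone holding the CA public key can check it. This is an added example, not part of the original handout; it uses a constructed toy RSA key and an invented certificate layout so that it runs with the standard library alone.

```python
import hashlib
import json

# Constructed toy RSA key pair for the CA, built from two Mersenne primes so the
# example needs only the standard library. Far too small and structured for real
# use, and real signatures also add padding; this shows the key roles only.
P, Q = 2**89 - 1, 2**127 - 1
CA_N, CA_E = P * Q, 65537                   # CA public key: known to everyone
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))     # CA private key: held only by the CA

def digest(body, n):
    """Hash the certificate body to an integer below the modulus n."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_issue(subject, subject_public_key):
    """CA side: bind a name to a public key and sign the binding with the private key."""
    body = {"issuer": "Example CA", "subject": subject,
            "public_key": subject_public_key}
    return {"body": body, "signature": pow(digest(body, CA_N), CA_D, CA_N)}

def verify(cert, ca_n=CA_N, ca_e=CA_E):
    """Relying party: needs only the CA public key. Returns (subject, key) or None."""
    if pow(cert["signature"], ca_e, ca_n) != digest(cert["body"], ca_n):
        return None
    return cert["body"]["subject"], cert["body"]["public_key"]

def tampered(cert, new_key):
    """Copy of a certificate with the public key swapped but the old signature kept."""
    return {"body": dict(cert["body"], public_key=new_key),
            "signature": cert["signature"]}
```

A certificate returned by `ca_issue` verifies and yields the subject's name and key; the copy produced by `tampered` fails, because the signature no longer matches the body.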

Identification and Authentication


Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that
makes an assertion or claim of identity. Factors used include:

• Something you know
  o password
  o personal identification number (PIN)
• Something you have
  o smart card
  o security token
• Something you are
  o fingerprints
  o voice
  o retina
  o iris characteristics
• Where you are
  o inside or outside a company firewall
  o proximity of login location to a personal GPS device

Combining factors increases confidence (Multifactor Authentication). Once the identity is established,
Authorization determines what a subject can do on the system.
Access Control regulates which users or processes have access to which resources (files, processes,
networks, and data). Access control provides protection against insiders and outsiders. The objectives of
access control are to provide:

• Confidentiality: who can see it
• Integrity: who can change it
• Availability: how many can use it
• Usage: who can use it

Types of Access Control include:

• Discretionary Access Control (DAC): identity checking
• Mandatory Access Control / Lattice Based Access Control (MAC/LBAC): label checking
• Role Based Access Control (RBAC): function
• Attribute Based Access Control (ABAC): fine grained
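
The four access control types differ in what the decision is computed from. The sketch below is an added example, not part of the original handout: it puts the same user's request through each model, using constructed users, labels, roles and attributes.

```python
LEVELS = {"public": 0, "confidential": 1, "secret": 2}   # constructed label ordering

def dac_allows(acl, user, obj, op):
    """DAC: the object's owner lists identities; the check is an identity lookup."""
    return op in acl.get(obj, {}).get(user, set())

def mac_allows_read(subject_label, object_label):
    """MAC/LBAC: the subject's label must dominate the object's label in the lattice."""
    (s_level, s_comps), (o_level, o_comps) = subject_label, object_label
    return LEVELS[s_level] >= LEVELS[o_level] and set(o_comps) <= set(s_comps)

def rbac_allows(user_roles, role_perms, user, perm):
    """RBAC: permissions attach to job functions (roles), not to individual users."""
    return any(perm in role_perms.get(role, set())
               for role in user_roles.get(user, set()))

def abac_allows(subject, resource, env):
    """ABAC: a fine-grained rule over subject, resource and environment attributes."""
    return (subject["dept"] == resource["dept"]
            and env["network"] == "internal"
            and (resource["sensitivity"] != "high" or subject["mfa"]))

# Constructed sample data for one user (bob) and one payroll file.
ACL = {"payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}}}
USER_ROLES = {"bob": {"payroll_clerk"}}
ROLE_PERMS = {"payroll_clerk": {"payroll:read"},
              "payroll_admin": {"payroll:read", "payroll:write"}}
BOB_LABEL = ("confidential", {"finance"})
FILE_LABEL = ("confidential", {"finance", "hr"})   # needs both compartments

def decisions_for_bob(network="internal", mfa=True):
    """How each model answers for the same user; returns a dict of booleans."""
    return {
        "dac_write": dac_allows(ACL, "bob", "payroll.xlsx", "write"),
        "mac_read": mac_allows_read(BOB_LABEL, FILE_LABEL),
        "rbac_read": rbac_allows(USER_ROLES, ROLE_PERMS, "bob", "payroll:read"),
        "abac_read": abac_allows({"dept": "finance", "mfa": mfa},
                                 {"dept": "finance", "sensitivity": "high"},
                                 {"network": network}),
    }
```

The ABAC rule reuses two ideas from the identification and authentication list: the "where you are" factor (internal network) and multifactor authentication for highly sensitive resources.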

Protection at Layer 9: Certification, accreditation, oversight and compliance


Security strategies at layer 9 protect the information system by providing policy and guidance that
oversees the development and operation of the system. FIPS 102-1983 provides guidelines for computer
Certification and Accreditation. Certification is the technical evaluation, made as part of and in support of
the accreditation process that establishes the extent to which a particular computer system or network
design and implementation meet a pre-specified set of security requirements. Accreditation is the
authorization and approval granted to an ADP system or network to process data in an operational
environment, and made on the basis of a certification by designated technical personnel of the extent to
which design and implementation of the system meet pre-specified requirements for achieving adequate
security.

Once an information system is operational, there may need to be a periodic review (oversight) of the
system to assure the compliance with policies and legalities stipulated in Layer 10. This is called
Oversight & Compliance. This is typically a Layer 9 process that monitors the threads (information flows)
within an information system and ensures that the policies and legalities are being enforced. Examples
include privacy of health care records and protection of case information within law enforcement.

i http://www.treehugger.com/linked-hybrid-beijing-china-2.jpeg
ii http://www.theflagstaffgroup.com/chainlink.jpg
iii http://www.globsec.com/images/facility_2.jpg
iv http://www.mistletoestorage.com/images/security-features-7.jpg
v http://webecoist.com/2008/10/30/30-devastating-land-water-fire-and-sky-disasters/?ref=search
vi http://www.gobackup.net/en_US/images/marketing/power%20cable.jpg
vii http://www.safehousesoftware.com/images/Encryption.jpg
viii http://www.cio.wisc.edu/security/digitalCert/images/pki_yellow_key.jpg
