
Wolkite University College of Computing and Informatics Department of IT

Chapter 5
Security at Different Layers

Physical Security

What does Physical Security mean?

 Physical security describes measures designed to ensure the physical protection of IT
assets like facilities, equipment, personnel, resources and other properties from damage
and unauthorized physical access.

 Physical security measures are taken in order to protect these assets from physical threats
including theft, vandalism, fire and natural disasters.

 Physical security is often the first concern in facilities with high asset concentration,
especially those used in critical systems for business processes.

 Physical security is especially important for IT resources, as their proper operation
demands that the hardware assets and infrastructure they are running on be kept away
from anything that could hinder their function. This includes tampering by unauthorized
personnel and unforeseen events like accidents and natural disasters.

There are two phases of physical security:

 Deterrence: Methods and measures that are meant to deter attackers and intruders or
prevent natural events and accidents from affecting protected assets. The simple method
for this is through the use of physical barriers and signs. The signs serve as a warning to
any intruder that their actions will bring physical harm or prosecution. The physical
barriers are meant to prevent access entirely or simply to provide protection from external
factors like storms or vehicular accidents.
 Detection: Allows security personnel to detect and locate potential intruders using
surveillance equipment like cameras, motion sensors, security lights and personnel like
security guards and watch dogs.

Main Components of Physical Security


Physical security is always a component of a wider security strategy.

The three most important components of a physical security plan are access
control, surveillance, and security testing.

IAS Chapter 5 Lecture Note Prepared by Abraham A

 Access control: may start at the outer edge of your security perimeter. You can use
fencing and video surveillance to monitor access to your facility and secure the
outdoor area.

A comprehensive access control system and strategy would also include the use of
advanced locks, access control cards or biometric authentication and authorization.

An example of physical security strategy detecting intruders in real time.


 Surveillance: is another important component to consider. Modern security systems
take advantage of intrusion detection sensors, heat sensors, and smoke detectors for
protection against intrusions and accidents alike. Naturally, your security strategy
should also envisage adoption of surveillance cameras and notification systems.
 Security testing: You need to test your disaster recovery plan on a
regular basis. Drills should test your abilities to react both to natural disasters and to
emergencies caused by inside or outside threats. You should also check for weak
points concerning access to business critical resources such as server rooms, data
centers, production lines, power equipment, and the like.

When evaluating physical security, you will want to look at the operations and controls both
inside and outside the facility. You also want to focus on specific logical areas like:

 All facility entry/egress points
 Data center or server rooms
 Network operations and IT support areas
 Executive and management areas
 Sensitive areas such as wiring closets, loading docks, employee smoking exits, and
executive briefing and conference rooms

Evaluate the above areas against the following guidelines:

 Ensure that operational cameras cover key entry locations.
 Ensure that entry points have adequate and functioning locks.
 Ensure that alarm monitoring equipment is in proper working condition.
 Ensure that data center and/or operational server rooms have adequate and
functioning locks.
 Ensure that a key custodian exists that tracks and assigns keys for locks; no more
than two people for any given department.
 Ensure that any maintained list of administrative accounts, either paper or
electronic, is properly secured with no more than two-person access.
 Ensure that data center and/or operational server rooms properly control and have
accountability for all staff, including maintenance and cleaning personnel.
 Ensure that data center and/or operational server rooms have alarm and/or video
monitoring equipment.
 Ensure that server cages and racks are properly secured.
 Ensure that necessary environment controls and practices such as fire suppression,
backup power, and data recovery exist for critical system operations.
 Ensure that system repair disks and backup media are not left unsecured.
 Ensure that backup media is being stored off-site.
 Ensure that network jacks are disabled in public areas, conference rooms, and
other unused areas.
 Ensure that all personnel entering the facility enter through a monitored control
point(s), either via electronic card key or guard/reception personnel.
 Ensure that facility and operationally sensitive doors and other entry points are
not propped open or otherwise left unsecured for any length of time without
supervision.
 Ensure that the walls for sensitive areas extend to the ceiling through drop
ceilings.
 Ensure that critical personnel do not have computer monitors and keyboards
exposed to windows that would be viewable telescopically from the outside
(surveillance is possible from very long distances).
 Ensure that guard personnel monitor the facility's external perimeter and check on
suspicious activity (roving personnel or video surveillance).
 Ensure that guard personnel monitor internal areas (roving personnel or video
surveillance).

 Ensure that visitors are required to have badges and are not allowed access to
sensitive areas unescorted.
 Ensure that visitors are required to be escorted at all times.
 Ensure that proper accountability and control exists for all modems and wireless
access points within the facility.
 Ensure that critical executive staff offices are not left unsecured in off hours.
 Ensure that all cleaning staff entering the facility are known and identified; any
changes to staff should require prior authorization.
 Ensure that all sensitive documentation and electronic media are appropriately
disposed of.
 Ensure that manual shredder/shredding pickup service lifecycles are secure.
 Ensure that sensitive operational documents or electronics are not left unattended
for inappropriate periods of time.
 Ensure that user system account information or network topologies are not written
down or posted in work areas or otherwise left unsecured.

Examples of Best Practices for Successful Physical Security


Security strategies and countermeasures in physical security share a number of common best
practices, such as:

 Your first line of defense may include fenced walls or razor wires that are good at
preventing the average passer-by from entering your security perimeter.
 Protective barriers are used for preventing forced entry of persons or vehicles, and
should always be complemented by gates and other points of security
checks.
 Locks are a method to enable only individuals with a key or access control card to
open or lock a door or gate. Locks may be connected to a more comprehensive
security monitoring system.
 Your physical security should incorporate surveillance cameras and sensors that
track movements and changes in environment. You also need security lighting to
ensure all monitored areas are visible at any given moment.
 Security guards should cover all entry points to your facility while also securing
business critical areas indoors. Water-, smoke- and heat detectors, as well as
firefighting systems are your protection against water leakages and fire.
 Your last point of defense against unauthorized access is the use of smart cards,
biometric identification, and in-person clearance aimed at allowing only authorized
personnel to get into a restricted area. In any event, you need to assess all possible
scenarios and study past examples of successful physical security procedures before
implementing feasible countermeasures for your facilities.

Software Security

 Software security is an idea implemented to protect software against malicious attack and
other hacker risks so that the software continues to function correctly under such
potential risks. Security is necessary to provide integrity, authentication and availability.
 It is the process of engineering software so that the software can continue to withstand
and function correctly under malicious attacks.
– It is the process of designing, building, and testing software for security.
 Today’s software
– Today’s software is troubled with both design flaws and implementation bugs,
resulting in unacceptable security risks.
– The notion of software security risk has become common, yet we have only
recently begun to systematically investigate how to build secure software systems.
– The practice of software security remains in its infancy.
 Software security problems
– Software defects with security ramifications, including implementation bugs
(such as buffer overflows) and design flaws (such as inconsistent error handling),
promise to be with us for years.
– Internet-based software applications are easy to exploit and have become
common attack targets.
 Software security practices
– Good software security practice leverages good software engineering principles
and practices.
– It involves thinking about security early in the software lifecycle, knowing and
understanding common problems (such as language-based flaws and pitfalls),
designing for security, and subjecting all software artifacts to thorough risk
analysis, review and testing.

Pillars of Software Security

 Software security is an ongoing activity that requires a cultural shift.
– It takes work; there is no magic tool that will result in secure software.
 Software security borrows heavily from software engineering, programming languages,
and security engineering.
There are three pillars of software security:
– Applied risk management,
– Software security best practices, and
– Knowledge.
 We cannot test quality (or security) into software.

Applied Risk Management

 A way to gather the requisite data to make a good judgment call, based on knowledge of
vulnerabilities, threats, impacts, and probabilities.
 It can be performed at the architectural level (called threat modeling or security design
analysis) and at the level of tracking and mitigating as a full software development
lifecycle (SDLC) activity.

Software Security Best Practices

 The software security best practices (micro-processes) can be applied regardless of the
core software development process (such as waterfall model, spiral development, or
CMMi) used to create a set of software artifacts.
The software artifacts can include:
 Requirements and use cases,
 Architecture documents,
 Design documents,
 Test plans,
 Source code,
 Test results, and
 Feedback from the field.

Knowledge

 Gathering, encapsulating, and sharing security knowledge that can provide a solid
foundation of software security practices is the third pillar.
– Knowledge management and training play a central role in encapsulating and
spreading the emerging discipline more efficiently.
 Software security knowledge can be organized into seven knowledge categories:
– Principles,
– Guidelines,
– Rules,
– Vulnerabilities,
– Exploits,
– Attack patterns, and
– Historic risks

Types of Software Security

Any software designed to identify, prevent, stop and repair the damage caused by others on your
computer or network can be called security software. Security software may be focused on
preventing attacks from reaching their target, on limiting the damage attacks can cause if they
reach their target and on tracking the damage that has been caused so that it can be repaired. As
the nature of malicious code evolves, security software also evolves.

 Firewall

o A firewall prevents unauthorized users from accessing a computer or network
without restricting those who are authorized. Firewalls can be implemented
with hardware or software. Some computer operating systems include
software firewalls in the operating system itself. For example, Microsoft
Windows has a built-in firewall. Routers and servers can include firewalls.
There are also dedicated hardware firewalls that have no other function other
than protecting a network from unauthorized access.

 Antivirus

o Antivirus software works to prevent malicious code from attacking a
computer by recognizing the attack before it begins. But it is also designed to
stop an attack in progress that could not be prevented, and to repair damage
done by the attack once the attack abates. Antivirus software is useful because
it addresses security issues in cases where attacks have made it past a firewall.
New computer viruses appear daily, so antivirus software must be
continuously updated to remain effective.

 Antispyware

o While antivirus software is designed to prevent malicious software from
attacking, the goal of antispyware software is to prevent unauthorized
software from stealing information that is on a computer or being processed
through the computer. Since spyware does not need to attempt to damage data
files or the operating system, it does not trigger antivirus software into action.
However, antispyware software can recognize the particular actions spyware
is taking by monitoring the communications between a computer and external
message recipients. When communications occur that the user has not
authorized, antispyware can notify the user and block further communications.

Network Security

 Network security is any activity designed to protect the usability and integrity of your
network and data. It includes both hardware and software technologies. Effective network
security manages access to the network. It targets a variety of threats and stops them from
entering or spreading on your network.

How does network security work?

 Network security combines multiple layers of defenses at the edge and in the network.
Each network security layer implements policies and controls. Authorized users gain
access to network resources, but malicious actors are blocked from carrying out exploits
and threats.

How do I benefit from network security?

 Digitization has transformed our world. How we live, work, play, and learn have all
changed. Every organization that wants to deliver the services that customers and
employees demand must protect its network. Network security also helps you protect
proprietary information from attack. Ultimately it protects your reputation.

Types of network security

 Access control

o Not every user should have access to your network. To keep out potential
attackers, you need to recognize each user and each device. Then you can
enforce your security policies. You can block noncompliant endpoint devices
or give them only limited access. This process is network access control
(NAC).

 Antivirus and antimalware software

o "Malware," short for "malicious software," includes viruses, worms, Trojans,
ransomware, and spyware. Sometimes malware will infect a network but lie
dormant for days or even weeks. The best antimalware programs not only
scan for malware upon entry, but also continuously track files afterward to
find anomalies, remove malware, and fix damage.

 Application security

o Any software you use to run your business needs to be protected, whether
your IT staff builds it or whether you buy it. Unfortunately, any application
may contain holes, or vulnerabilities, that attackers can use to infiltrate your
network. Application security encompasses the hardware, software, and
processes you use to close those holes.

 Behavioral analytics

o To detect abnormal network behavior, you must know what normal behavior
looks like. Behavioral analytics tools automatically discern activities that
deviate from the norm. Your security team can then better identify indicators
of compromise that pose a potential problem and quickly remediate threats.

 Data loss prevention

o Organizations must make sure that their staff does not send sensitive
information outside the network. Data loss prevention, or DLP, technologies
can stop people from uploading, forwarding, or even printing critical
information in an unsafe manner.

 Email security

o Email gateways are the number one threat vector for a security breach.
Attackers use personal information and social engineering tactics to build
sophisticated phishing campaigns to deceive recipients and send them to sites
serving up malware. An email security application blocks incoming attacks
and controls outbound messages to prevent the loss of sensitive data.

 Firewalls

o Firewalls put up a barrier between your trusted internal network and untrusted
outside networks, such as the Internet. They use a set of defined rules to allow
or block traffic. A firewall can be hardware, software, or both. Cisco offers
unified threat management (UTM) devices and threat-focused next-generation
firewalls.

 Intrusion prevention systems

o An intrusion prevention system (IPS) scans network traffic to actively block
attacks. Cisco Next-Generation IPS (NGIPS) appliances do this by correlating
huge amounts of global threat intelligence to not only block malicious activity
but also track the progression of suspect files and malware across the network
to prevent the spread of outbreaks and reinfection.

 Mobile device security

o Cybercriminals are increasingly targeting mobile devices and apps. Within the
next 3 years, 90 percent of IT organizations may support corporate
applications on personal mobile devices. Of course, you need to control which
devices can access your network. You will also need to configure their
connections to keep network traffic private.

 Network segmentation

o Software-defined segmentation puts network traffic into different
classifications and makes enforcing security policies easier. Ideally, the
classifications are based on endpoint identity, not mere IP addresses. You can
assign access rights based on role, location, and more so that the right level of
access is given to the right people and suspicious devices are contained and
remediated.

 Security information and event management

o SIEM products pull together the information that your security staff needs to
identify and respond to threats. These products come in various forms,
including physical and virtual appliances and server software.

 VPN

o A virtual private network encrypts the connection from an endpoint to a
network, often over the Internet. Typically, a remote-access VPN uses IPsec
or Secure Sockets Layer to authenticate the communication between device
and network.
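
The firewall entries above say a firewall uses "a set of defined rules to allow or block traffic". The following is an added example, not part of the original lecture note: a minimal first-match rule evaluator with default deny, plus a check for rules that can never fire because an earlier, broader rule already covers them. The rule format, addresses and ports are constructed for illustration.

```python
import ipaddress

# Constructed rule set (all addresses and ports are illustrative).
# Rules are evaluated top-down; the first match decides; no match means deny.
RULES = [
    {"action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dport": 443},
    {"action": "deny", "proto": "tcp", "src": "10.0.5.0/24", "dport": 443},    # never reached
    {"action": "deny", "proto": "tcp", "src": "192.0.2.0/24", "dport": None},  # None = any port
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dport": 25},
]


def matches(rule, packet):
    """True if the packet falls inside the rule's protocol, source and port."""
    return (
        rule["proto"] == packet["proto"]
        and ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(rule["src"])
        and rule["dport"] in (None, packet["dport"])
    )


def decide(rules, packet):
    """Return (action, rule_index); default deny when nothing matches."""
    for index, rule in enumerate(rules):
        if matches(rule, packet):
            return rule["action"], index
    return "deny", None


def covers(earlier, later):
    """True if every packet matching `later` would already match `earlier`."""
    later_net = ipaddress.ip_network(later["src"])
    earlier_net = ipaddress.ip_network(earlier["src"])
    return (
        earlier["proto"] == later["proto"]
        and later_net.subnet_of(earlier_net)
        and earlier["dport"] in (None, later["dport"])
    )


def shadowed_rules(rules):
    """List (later_index, earlier_index) pairs where the later rule can never fire."""
    pairs = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                pairs.append((j, i))
                break
    return pairs


if __name__ == "__main__":
    samples = [
        {"proto": "tcp", "src": "10.0.5.7", "dport": 443},     # intended deny is shadowed
        {"proto": "tcp", "src": "192.0.2.10", "dport": 25},    # blocked before the SMTP allow
        {"proto": "tcp", "src": "198.51.100.4", "dport": 25},
        {"proto": "udp", "src": "10.0.0.1", "dport": 53},      # no rule: default deny
    ]
    for packet in samples:
        print(packet, "->", decide(RULES, packet))
    print("shadowed:", shadowed_rules(RULES))
```

Rule order is part of the policy: the deny for 10.0.5.0/24 has no effect until it is moved above the broader allow.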

How to Implement Good Security Measures


Implementing good security measures in your company can ensure the security, integrity, and
availability of data. Good security measures to protect the company's information
can be achieved by building, among other things, a good security policy for the company. A
security policy is the foundation of the security measures taken by the company. It is the first
security measure to reduce the risk of unacceptable use of the company’s information resources.
The security policy should precisely inform all the employees of the company about the general
use of the company’s resources, their acceptable use, the prohibited activities and the security-related
responsibilities of the employees.
The security policy should describe the acceptable use of all the assets of the company, which
include hardware, software, and Internet. If an old security policy already exists, then instead of
wasting time creating a new policy, it is better to rebuild the old one. The security policy
should be updated from time to time as new threats come up. Some other security measures
that should be taken by an organization to implement good security are:
 Change Passwords: The passwords of all important servers that host important services
must be changed frequently. For example, you should change passwords for servers that host
system accounts, user accounts, firewalls, and routers. Frequent change in passwords ensures
that an attacker cannot gain access to the system easily.
 Review User Accounts and Access Lists: The regular review of user accounts and
access lists allows you to keep your network updated with the employees who access the
network resources. Many times, employees who have already left the company still have
access permissions to the company’s resources. This can lead to a security breach.
 Create a “No Wireless” Policy: Wireless access devices are hard to secure and monitor.
Therefore, they should be turned off on the network. Personal devices should not be
permitted on a corporate network. If you must have wireless corporate assets, you should
create a policy to cover these devices.
 Implement Intrusion Detection System: The intrusion detection system will detect and
prevent all attacks aimed at a system/network.
 Create an Incident Response Plan: The incident response plan should be created and
Computer Emergency Repair Team (CERT) and Secret Service should be included in it. This
ensures that staff members or security personnel know who to call first and how to
investigate an event in case of an emergency or theft.

Web security
 A web security solution will control your staff’s web use, block web-based threats, and
deny access to malicious websites. It will protect your web gateway on site or in the
cloud. "Web security" also refers to the steps you take to protect your own website.
Web Security Threats:
Table 1.1 provides a summary of the types of security threats faced in using the Web. One way
to group these threats is in terms of passive and active attacks. Passive attacks include
eavesdropping on network traffic between browser and server and gaining access to information
on a Web site that is supposed to be restricted. Active attacks include impersonating another
user, altering messages in transit between client and server, and altering information on a Web
site.

Table 1.1 A Comparison of Threats on the Web

Integrity
Threats:
 Modification of user data
 Trojan horse browser
 Modification of memory
 Modification of message traffic in transit
Consequences:
o Loss of information
o Compromise of machine
o Vulnerability to all other threats
Countermeasures:
 Cryptographic checksums

Confidentiality
Threats:
 Eavesdropping on the Net
 Theft of info from server
 Theft of data from client
 Info about network configuration
 Info about which client talks to server
Consequences:
o Loss of information
o Loss of privacy
Countermeasures:
 Encryption, web proxies

Denial of Service
Threats:
 Killing of user threads
 Flooding machine with bogus requests
 Filling up disk or memory
 Isolating machine by DNS attacks
Consequences:
o Disruptive
o Annoying
o Prevent user from getting work done
Countermeasures:
 Difficult to prevent

Authentication
Threats:
 Impersonation of legitimate users
 Data forgery
Consequences:
o Misrepresentation of user
o Belief that false information is valid
Countermeasures:
 Cryptographic techniques
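
Table 1.1 lists cryptographic checksums as the countermeasure to modification of message traffic in transit. The following is an added example, not part of the original lecture note: it shows why the checksum has to be keyed (HMAC-SHA256 here, chosen for the illustration) by comparing it with a plain SHA-256 digest that anyone on the path can recompute. The key, messages and function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed values: a demo key and two messages. A real key comes from a key
# exchange or a secret store, never from source code.
SHARED_KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = b"transfer 100 birr to account 1001"
ALTERED = b"transfer 900 birr to account 6666"


def sha256_tag(message):
    """Unkeyed checksum: anyone who can see the message can compute it."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key, message):
    """Keyed checksum (HMAC-SHA256): computing it requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_sha256(message, tag):
    return hmac.compare_digest(sha256_tag(message), tag)


def verify_hmac(key, message, tag):
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def modified_in_transit(packet, retag=None):
    """Model a (message, tag) pair whose message is altered between client and server.

    The altering party has no key, so the tag is either left as it was or
    replaced with an unkeyed checksum of the altered message.
    """
    _, old_tag = packet
    new_tag = retag(ALTERED) if retag else old_tag
    return ALTERED, new_tag


def run_demo():
    """Return which (message, tag) pairs the receiver would accept."""
    results = {}

    packet = (ORIGINAL, sha256_tag(ORIGINAL))
    results["sha256_untouched"] = verify_sha256(*packet)
    # The altered message passes, because its digest was simply recomputed.
    results["sha256_altered_retagged"] = verify_sha256(
        *modified_in_transit(packet, retag=sha256_tag))

    packet = (ORIGINAL, hmac_tag(SHARED_KEY, ORIGINAL))
    results["hmac_untouched"] = verify_hmac(SHARED_KEY, *packet)
    results["hmac_altered_old_tag"] = verify_hmac(
        SHARED_KEY, *modified_in_transit(packet))
    results["hmac_altered_unkeyed_tag"] = verify_hmac(
        SHARED_KEY, *modified_in_transit(packet, retag=sha256_tag))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```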

Web Traffic Security Approaches:

A number of approaches to providing Web security are possible. The various approaches that
have been considered are similar in the services they provide and, to some extent, in the
mechanisms that they use, but they differ with respect to their scope of applicability and their
relative location within the TCP/IP protocol stack.

Figure: 1.1 Relative Location of Security Facilities in the TCP/IP Protocol Stack

Figure 1.1 illustrates this difference.


 One way to provide Web security is to use IP Security (Figure 1.1a). The advantage
of using IPsec is that it is transparent to end users and applications and provides a
general-purpose solution. Further, IPsec includes a filtering capability so that only
selected traffic need incur the overhead of IPsec processing.
 Another relatively general-purpose solution is to implement security just above TCP
(Figure 1.1b). The foremost example of this approach is the Secure Sockets Layer (SSL)
and the follow-on Internet standard known as Transport Layer Security (TLS). At this
level, there are two implementation choices. For full generality, SSL (or TLS) could be
provided as part of the underlying protocol suite and therefore be transparent to
applications. Alternatively, SSL can be embedded in specific packages. For example,
Netscape and Microsoft Explorer browsers come equipped with SSL, and most Web
servers have implemented the protocol.
 Application-specific security services are embedded within the particular application.
Figure 1.1c shows examples of this architecture. The advantage of this approach is that
the service can be tailored to the specific needs of a given application. In the context of
Web security, an important example of this approach is Secure Electronic Transaction
(SET).

Advanced network security issues

When businesses connect their systems and computers, one user's problems may affect everyone
on the network. Despite the many benefits of using networks, networking raises a greater
potential for security issues such as:

 Data loss
 Security breaches
 Malicious attacks, such as hacking and viruses

You can implement measures to reduce your network's vulnerability to unauthorized access or
damage. It may not be possible, or economically practical, to eliminate all vulnerabilities, so
performing an IT risk assessment is important in deciding what measures to implement.

Dealing with common network security issues

 Security devices such as firewalls and anti-virus software
 Security settings in the router or the operating system
 Data encryption systems for sensitive data
 Data backup, including the use of off-site backup
 Restricting access to the network infrastructure to authorized personnel only
 Training staff in the safe and secure use of the equipment

Importance of regular network administration and housekeeping

Regular maintenance of your computer network is an essential part of keeping your systems
running smoothly and securely. Redundant data, disused software, forgotten mailboxes and
remains of old updates can slow down your network system, potentially causing efficiency and
productivity issues for business.

It is important to ensure data security through regular housekeeping such as:

 Backing up files
 Password routines
 System logs
 Removing access from employees who leave
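
The "Review User Accounts and Access Lists" measure earlier in the chapter and the housekeeping item on removing access from employees who leave describe the same periodic check. The following is an added example, not part of the original lecture note: it reconciles enabled accounts and resource access lists against the current staff roster. All names, dates, the 90-day idle threshold and the data layout are constructed assumptions.

```python
from datetime import date

# Constructed sample inputs: an HR roster export, the directory's account
# list, and per-resource access lists. All names are hypothetical.
ROSTER = {"abebe", "sara", "dawit"}
SERVICE_ACCOUNTS = {"backup-svc"}  # non-human accounts with a named owner
ACCOUNTS = [
    {"user": "abebe", "enabled": True, "last_login": date(2024, 5, 28)},
    {"user": "sara", "enabled": True, "last_login": date(2024, 1, 10)},
    {"user": "dawit", "enabled": True, "last_login": None},
    {"user": "helen", "enabled": True, "last_login": date(2024, 3, 2)},    # has left
    {"user": "yonas", "enabled": False, "last_login": date(2023, 11, 1)},  # has left, disabled
    {"user": "backup-svc", "enabled": True, "last_login": date(2024, 6, 1)},
]
ACCESS_LISTS = {
    "server-room-door": ["abebe", "helen"],
    "finance-share": ["sara", "yonas", "backup-svc"],
}


def review(accounts, access_lists, roster, service_accounts, today, max_idle_days=90):
    """Return accounts and access-list entries that need action.

    orphaned:  enabled accounts whose owner is not on the roster
    dormant:   enabled staff accounts never used or idle past the threshold
    stale_acl: (resource, user) entries naming someone not on the roster,
               even if that person's account is already disabled
    """
    known = roster | service_accounts
    findings = {"orphaned": [], "dormant": [], "stale_acl": []}

    for account in accounts:
        user = account["user"]
        if not account["enabled"]:
            continue
        if user not in known:
            findings["orphaned"].append(user)
            continue
        last = account["last_login"]
        if user in roster and (last is None or (today - last).days > max_idle_days):
            findings["dormant"].append(user)

    # Access lists often live in a separate system (door controller, file
    # server), so disabling the directory account does not clean them up.
    for resource, members in access_lists.items():
        for user in members:
            if user not in known:
                findings["stale_acl"].append((resource, user))
    return findings


if __name__ == "__main__":
    report = review(ACCOUNTS, ACCESS_LISTS, ROSTER, SERVICE_ACCOUNTS, date(2024, 6, 3))
    for category, items in report.items():
        print(category, items)
```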

Virtual private networks (VPN) security

If your staff need to access the network while off-site, consider a virtual private network. This
creates a secure link and protects information sent and received.

Whichever technology solution you select, security should be a priority. If you're unsure how to
proceed, seek expert advice from your internet service provider, system provider, installer or an
adviser.
