Home > Articles

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

Understanding the Basic Security Concepts of Media

Chapter 2 provided details of securing communications on most layers of the OSI model except the Physical layer (layer 1). If an attack is launched against the signal on the wire, hackers might be able to copy information as it flows in the form of bits. This might not be as dangerous if an appropriate software encryption mechanism is employed in the transmission. Depending on the communication medium, hackers might be able to steal either information or bandwidth.

Coaxial Cable

Coaxial cables are made of a core wire with an outer metallic shield used to reduce interference. Often, the shield is made of a metallic Web, with or without an additional metal-foil wrapping surrounding the core conductor. The cable is then surrounded by a plastic covering, called a sheath. Coaxial cables are no longer deployed en masse, but they are still abundant in legacy environments. Two types of coax cables are used: 10BASE-2 and 10BASE-5. On a 10BASE-2 cable, a signal can travel a distance of 185 meters at a speed of 10Mbps before it appreciably attenuates. On a thicker 10BASE-5 cable, signals can travel a distance of up to 500 meters at the same speed.

Because the electrical signal is conducted by a single core wire, someone can easily tap the wire by piercing the sheath. He would then be able to eavesdrop on the conversations of all the hosts attached to the segment because 10BASE-2 coaxial cabling implements broadband transmission technology and assumes many hosts connected to the same wire. Coaxial cable is still popular in campus areas, especially 10BASE-5 (or Thicknet), because of its greater transmission length. Coaxial cables have no physical transmission security and can be easily tapped without interrupting regular transmissions and without detection.

UTP/STP

Unshielded twisted pair (UTP) is the main cabling type in LANs today. Seven types of UTP cable are available, but the most popular and widely deployed is category five (CAT5). CAT5E allows transmissions of up to 1Gbps at a distance of 100 meters, and it is made up of eight individual wires twisted in pairs (hence the name). Twisted pairs prevent crosstalk between the wires. UTP has no shielding and is prone to radio frequency interference (RFI) and electromagnetic interference (EMI); however, its installation is relatively simple and its cost low. In half-duplex deployments, only four of the eight wires are used and a device might not simultaneously transmit and receive. In a full-duplex (switched) environment, all eight wires are used: Two pairs are used to send, and the other two pairs are used to receive data. UTP uses RJ45 cable connectors for cable termination and connectivity. UTP is used in Ethernet topologies and is a shared communication medium unless a switch is used, in which case Unicast communications are conducted between the devices involved.

STP is analogous to UTP with a slight modification: It is shielded, which means it can withstand EMI and RFI much better than UTP does. STP is used in token-ring topologies.

Both UTP and STP can be tapped, although it is physically a little trickier than tapping coaxial cable because of the physical structure of STP and UTP cable. The major difference from coaxial cable is the connection method. Whereas coaxial cable runs from computer to computer, twisted pair cabling runs from computer to concentrator—hub, repeater, bridge, switch, Multi-Station Access Unit (MSAU), and so on. Therefore, the service is more vulnerable to abuse and theft in those concentration spots. You need to keep concentrators in the server room (if cabling distances permit) or in wiring closets. At a minimum, keep distribution and core devices secured from unauthorized access. At the same time, authorized personnel must have ready access to patch panels, and cables must be clearly marked and available for visual inspection.

Fiber

Fiber-optic cabling has many advantages over more traditional twisted pair cabling. Fiber is designed for short- and long-range transmissions at speeds higher than 1Gbps. It uses light pulses for signal transmission, making it immune to RFI and EMI. However, some disadvantages are that it is still quite expensive compared to more traditional cabling, it is less forgiving of physical stress, and it is more difficult to install.

As far as security is concerned, fiber cabling eliminates the tapping of electrical signals that is possible in the case of twisted pair and coax. Tapping fiber cable without service interruption and specially constructed equipment is impossible, which makes stealing service or eavesdropping on traffic significantly more difficult.

Infrared, RF, and Microwave

One obvious disadvantage of open-air signal transmission technologies is the lack of clearly defined boundaries. Wired networks have a physical signal path that can be secured. In broadcast, however, it is theoretically possible for anyone to tune a receiver to the frequency of your transmission and eavesdrop on it without anyone knowing about it. In the early days of wireless LAN technologies, it was even possible to use network services without authenticating. All an intruder had to do was to choose a site and do a site survey by scanning the frequency bands to find services. Signal spread spectrum technology made wireless transmission somewhat more secure, but only to a certain point. Frequency-hopping sequences are not secret; instead they are openly published standards.

TIP

Know which types of media are susceptible to which types of interference.

The fact that modern wireless facilities have security controls that prevent unauthorized use of the medium and services does not make the open-air medium safe from eavesdropping. IR transmissions are considered safer than radio transmissions because the communicating devices use an invisible light spectrum range and require a direct line of sight with each other. This makes eavesdropping on the communications without being noticed more complicated. But the technology itself is not technically immune to eavesdropping; infrared signals can be recorded using cameras with infrared filters. The only way to be sure of wireless communication security is to use strong authentication algorithms such as PKI and to encrypt all your communications.

Removable Media

Removable media poses a security risk because of two main problems. First, classified or confidential information can be stolen, destroyed, or misused. The loss or exposure of business, financial, or consumer information can cause serious damage to a company's competitiveness or reputation. Second, system, policy, or infrastructure information can give intruders enough information to mount future attacks.

Why do companies use removable media? With the storage density and capacity available today, using removable media might not seem relevant. However, even if a company has a few storage area network (SAN) devices that provide terabytes of storage space, it still needs to back up its files and databases. Remember, offsite storage of backups is a crucial part of a disaster recovery plan. The second reason that some companies might still have large amounts of sensitive information on removable media is because they have relied on removable media at some point in the past to control access or provide additional storage and the media has not been disposed of yet.

Various types of removable media include tape, CD-R, hard drives, flash cards, and smart cards, and they are covered in detail in the following sections.

Tape

Tape devices use magnetic storage and are extremely popular in backup technologies because of the amount of data that can fit on a storage unit (tape). It is the medium of choice for backing up mission-critical systems that often contain sensitive customer information, databases, and files. Tape backups are also widely used to back up system configuration and account information, which means they often contain system Registry and network user account databases.

Several backup types can be employed in disaster recovery strategies, and they are not specific to tape devices. (See Chapter 7 for full coverage on backups.) For the purposes of this discussion, the security person needs to be aware of the most popular backup strategies, which are as follows:

  • Full backup—Contains the entire set of data being backed up and is most sensitive to theft because the information it contains is readily available in full.

  • Incremental backup—Works with the full backup and does not contain a full copy of the information. Instead, it contains all the information that was modified between the time of the incremental backup and previous incremental or full backup. In case of theft, incremental information taken out of context might or might not represent value to the offender, but it certainly represents risk to the company.

  • Differential backup—Similar to incremental, with the only difference being that the archive flag is not reset after the differential backup is run. This causes every differential backup to copy information changed since the last full backup, regardless of when the last differential backup was made. This backup strategy is more risky in respect to theft because larger chunks of sequential data can be stored on tape the further away from the last full backup it gets.

  • Copy backup—Very similar to a full backup in that it takes a complete snapshot of the system at the time of backup. The only difference between copy backup and full backup comes into play in database environments where transactional logging is employed. A copy backup takes a copy of the system as it is running at that moment, whereas a full backup commits the logs to the database first and then backs up the database. From a security perspective, the loss of a tape with a copy backup is tantamount to losing a tape with a full backup.

In addition to these backup strategies, companies employ tape rotation and retention policies to have a safety net if something goes wrong.

Backup is just one small part of an overall disaster recovery and contingency plan. Despite obvious security threats, backups must be done on a regular basis for every computer whose physical failure or loss would cause any amount of inconvenience. Every company should determine its own rotation and retention strategies, depending on the needs and nature of the information. Tapes that are going out of rotation and into archive must be stored offsite in safe deposit boxes or similar secure environments. Offsite storage ensures business continuity in the case of natural or manmade disasters. See Chapter 7 for more information.

CDR

Recordable or rewritable compact discs (CD-Rs or CD-RWs, respectively) can be used for the same purpose as tape backups in smaller companies where information might not change as frequently or where the volume of information is smaller. However, CDs are typically used for backup or distribution of individual projects to clients, offline content distribution, proprietary software or algorithm transfer, or similar purposes. This does not diminish the sensitivity of the information, and hence protection measures discussed in the previous section apply to CDs as well.

If a CD is no longer useful or is not working correctly, it must be made safe to discard. Formal as well as physical processes can be used to do this.

Disposal of Media

The following three concepts apply to all removable media units:

  • Declassification—A formal process of assessing the risk involved in discarding particular information. You should consider all possible situations if this information ends up in the wrong hands, becomes known to the public, and so forth. Is it possible to use it against the company? Is it proprietary? Would it damage the company's market posture or competitive plans? Would it cause litigation or civil or criminal liabilities? If the information being discarded is innocuous or obsolete and therefore does not present any risk to the company, it can safely be declassified if no other threats are uncovered through the risk assessment.

  • Sanitization—The process of removing the information from the media as fully as possible, making it almost impossible to restore it even for data recovery specialists. Sanitization has no effect on the classification of the information. Depending on the media type, sanitization might or might not apply. To sanitize media, you can use a process such as magnetic degaussing or magnetic overwriting.

  • Destruction—Physically destroying the media and, therefore, the information stored on it. Other than destruction, there are no safe methods of completely removing all traces of information stored on a removable media device.

Because of the nature of CDs and CD-Rs, sanitization is not applicable to these media, and either declassification or destruction should be used (or both). Concerning destruction, only authorized, cleared personnel should ever have access to the media decommissioned for destruction.

Every company should have media disposal policies in place. It is important to follow company disposal standards and to know what obligations contracts with other companies or agencies impose on media disposal requirements. A listing of Department of Defense media disposal standards can be found at http://www.cerberussystems.com/INFOSEC/stds/sanitize.htm.

Hard Drives and Disks

Hard drives and disks are magnetic media, and in addition to destruction and declassification, sanitization can be used. The processes employed by sanitization are

  • Degaussing—Also called demagnetizing, it is applicable to magnetic storage devices. Degaussing works by applying a reverse magnetic field to the magnetic media and reducing magnetic density to null. This makes all the previously stored data unreadable. Degaussing is considered very safe.

  • Overwriting—Applicable to magnetic storage devices, it involves an operation of completely rewriting every addressable bit pattern on the media with a single bit pattern (all 0s), verifying that the operation was successful, rewriting the bit pattern again using the opposite bit pattern (all 1s), and verifying again. This process must be repeated as many times as is required by the classification level of the information being sanitized.

NOTE

Physical Security on Computer Systems Just because systems don't include ports for removable media (such as a caddy for removable hard drives) doesn't mean somebody can't attach such a device. Today, compact USB-based hard disks small enough to fit on a keychain offer up to 2GB of storage space and can conceivably be mounted on any system with a USB port. Not only does this underscore the overwhelming need for physical security on computer systems (thereby denying intruders the opportunity to use such devices), but it also argues that publicly accessible machines should be locked down so that unwanted devices cannot be mounted or used on that equipment.

  • Disconnection—For volatile memory devices such as RAM, all sources of power must be disconnected including backup and BIOS batteries and the computing device must be grounded before sanitization is considered complete.

  • Removal of information—For laser printers and copiers on which a large amount of declassified information is printed and copied, you need to remove traces of the classified information from the drums for the device to be considered sanitized.

Flashcards and Nonvolatile Memory

Flashcards and EEPROM devices are contained in many devices of varying sizes and purposes and can contain traces of classified or confidential information, such as customer data in the case of flashcards or proprietary software in the case of EEPROM. Companies should consider sanitizing or destroying these components when upgrading or discarding equipment.

Smart Cards

Smart cards are widely used in cell phones and mobile devices to store customer ID information for providers to identify their subscribers in the network. They also store a personal phone book, Short Message Service (SMS) messages, and a log of incoming and outgoing calls. In corporate computing requirements, smart cards are replacing conventional username/password authentication mechanisms because they allow personal X.509 digital certificates to be used for user authentication and network logon purposes. Remember from the encryption discussion in Chapter 2 that digital signatures are impossible to forge and X.509 certificates are used in digital signing. Therefore, the company must be extremely vigilant regarding how these smart cards are used, distributed, and serviced. A single lost or stolen card can pose a company-wide risk of an intruder gaining unauthorized access to the site.

Smart cards often carry employee and company credentials printed on them, which makes identifying the target easy. Clearly, the right smart card in the wrong hands is a recipe for disaster. Therefore, companies must institute and enforce extremely strict smart card policies that make employees treat these identification devices with extreme caution and report lost or stolen cards immediately. Administrators, in turn, can revoke issued certificates or disable user accounts, making the smart card a piece of useless plastic.

TIP

Know the types of removable media and the security risks involved with each.

Another area of concern for the company in this case is disgruntled employees and headcount reduction. A process must be in place to ensure that all employees leaving the company relinquish their cards in a timely fashion. Administrators can then put the certificates stored on the cards on the revocation list and reprogram the cards to issue to new employees.

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020