Device Locks Unfortunately, hardware has a tendency to walk away from

facilities;
thus, device locks are necessary to thwart these attempts. Cable locks consist of a
vinyl-coated steel cable that can secure a computer or peripheral to a desk or
other
stationary components, as shown in Figure 5-19.
The following are some of the device locks available and their capabilities:
Switch controls Cover on/off power switches
Slot locks Secure the system to a stationary component by the use of steel
cable that is connected to a bracket mounted in a spare expansion slot
Port controls Block access to disk drives or unused serial or parallel ports
Peripheral switch controls Secure a keyboard by inserting an on/off switch
between the system unit and the keyboard input slot
Cable traps Prevent the removal of input/output devices by passing their
Power excess
Spike Momentary high voltage
Surge Prolonged high voltage
Power loss
Fault Momentary power outage
Blackout Prolonged, complete loss of electric power
Power degradation
Sag/dip Momentary low-voltage condition, from one cycle to a few seconds
Brownout Prolonged power supply that is below normal voltage
In-rush current Initial surge of current required to start a load

 Resistance to forcible entry

Emergency marking
Placement
Locked or controlled entrances
Alarms
Secure hinges
Directional opening
Electric door locks that revert to an unlocked state for safe evacuation in power
outages
Type of glassshatterproof or bulletproof glass requirements
Ceilings
Combustibility of material (wood, steel, concrete)
Fire rating
Weight-bearing rating
Drop-ceiling considerations
Windows
Translucent or opaque requirements
Shatterproof
Alarms
Placement
Accessibility to intruders
Flooring
Weight-bearing rating
Combustibility of material (wood, steel, concrete)
Fire rating
Raised flooring
Nonconducting surface and material
Heating, ventilation, and air conditioning
Positive air pressure
Protected intake vents
Dedicated power lines
Emergency shutoff valves and switches
Placement
Electric power supplies

Issues with Selecting a Facility Site

When selecting a location for a facility, some of the following items are critical to
the decision-making process:
Visibility
Surrounding terrain
Building markings and signs
Types of neighbors
Population of the area
Surrounding area and external entities
Crime rate, riots, terrorism attacks
Proximity to police, medical, and fire stations
Possible hazards from surrounding area
Accessibility
Road access
Traffic
Proximity to airports, train stations, and highways
Crime and disruption prevention through deterrence Fences, security
guards, warning signs, and so forth
Reduction of damage through the use of delaying mechanisms Layers of
defenses that slow down the adversary, such as locks, security personnel, and
barriers
Crime or disruption detection Smoke detectors, motion detectors, CCTV, and
so forth

 Incident assessment Response of security guards to detected incidents and

determination of damage level
Response procedures Fire suppression mechanisms, emergency response
processes, law enforcement notification, and consultation with outside security
professionals
Certification Technical evaluation of the security components and their
compliance to a predefined security policy for the purpose of accreditation.
Accreditation Formal acceptance of the adequacy of a systems overall
security by management.
Open system Designs are built upon accepted standards to allow for
interoperability.
Closed system Designs are built upon proprietary procedures, which inhibit
interoperability capabilities.
Maintenance hooks Code within software that provides a back door entry
capability.
Time-of-check/time-of-use (TOC/TOU) attack Attacker manipulates
the condition check step and the use step within software to allow for
unauthorized activity.
Race condition Two or more processes attempt to carry out their activity on
one resource at the same time. Unexpected behavior can result if the sequence of
execution does not take place in the proper order.
Diffie-Hellman algorithm First asymmetric algorithm created and is used to
exchange symmetric key values. Based upon logarithms in the finite fields.
RSA algorithm De facto asymmetric algorithm used for encryption, digital
signatures, and key exchange. Based upon the difficulty of factoring large
numbers into their original prime numbers.
El Gamal algorithm Asymmetric algorithm based upon the DiffieHellman algorithm used for digital signatures, encryption, and key exchange.
Elliptic curve cryptosystem algorithm Asymmetric algorithm based upon
the algebraic structure of elliptic curves over finite fields. Used for digital
signatures, encryption, and key exchange.
Knapsack algorithm Asymmetric algorithm based upon a subset sum problem
(knapsack problem). It has been broken and no longer used.
Zero knowledge proof One entity can prove something to be true without
providing a secret value.
One-way hash Cryptographic process that takes an arbitrary amount of data
and generates a fixed-length value. Used for integrity protection.
Message authentication code (MAC) Keyed cryptographic hash function
used for data integrity and data origin authentication.
Hashed message authentication code (HMAC) Cryptographic hash function
that uses a symmetric key value and is used for data integrity and data origin
authentication.
CBC-MAC Cipher block chaining message authentication code uses encryption
for data integrity and data origin authentication.
CMAC Cipher message authentication code that is based upon and provides
more security compared to CBC-MAC.
CMM Block cipher mode that combines the CTR encryption mode and CBC-MAC.
One encryption key is used for both authentication and encryption purposes.
Collision When two different messages are computed by the same hashing
algorithm and the same message digest value results.
Birthday attack Cryptographic attack that exploits the mathematics behind
the birthday problem in the probability theory forces collisions within hashing
functions.
Digital signature Ensuring the authenticity and integrity of a message through
the use of hashing algorithms and asymmetric algorithms. The
message digest is encrypted with the senders private key.
Digital signature standard U.S. standard that outlines the approved
algorithms to be used

Crime and disruption prevention through deterrence Fences, security

guards, warning signs, and so forth
Reduction of damage through the use of delaying mechanisms Layers of
defenses that slow down the adversary, such as locks, security personnel, and
barriers
Crime or disruption detection Smoke detectors, motion detectors, CCTV, and
so forth
Incident assessment Response of security guards to detected incidents and
determination of damage level
Response procedures Fire suppression mechanisms, emergency response
processes, law enforcement notification, and consultation with outside security
professionals
Assurance evaluation criteria Checklist and process of examining the
security-relevant parts of a system (TCB, reference monitor, security kernel) and
assigning the system an assurance rating.
Trusted Computer System Evaluation Criteria (TCSEC) (aka Orange Book)
U.S. DoD standard used to assess the effectiveness of the security controls built
into a system. Replaced by the Common Criteria.
Information Technology Security Evaluation Criteria (ITSEC)
European standard used to assess the effectiveness of the security controls built
into a system.
Common Criteria International standard used to assess the effectiveness of
the security controls built into a system from functional and assurance
perspectives.
Certification Technical evaluation of the security components and their
compliance to a predefined security policy for the purpose of accreditation.
Accreditation Formal acceptance of the adequacy of a systems overall
security by management.
Open system Designs are built upon accfepted standards to allow for
interoperability.
Closed system Designs are built upon proprietary procedures, which inhibit
interoperability capabilities.
Maintenance hooks Code within software that provides a back door entry
capability.
Time-of-check/time-of-use (TOC/TOU) attack Attacker manipulates
the condition check step and the use step within software to allow for
unauthorized activity.
Race conditionnTwo or more processes attempt to carry out their activity on
one resource at the same time. Unexpected behavior can result

Continuity policy

BIA

Integrate law and

regulation
Requirements
Define scope, goals,
roles
Management approves
policy

Identify critical functions

Reliability
Connection

Identify critical resources

Calculate MTD for
resources

Identify preventive
controls
Implement controls
Migrate risk
I

Packet sequencing

Congestion controls

Usage

Speed and overhead

Uses sequence numbers

within
headers to make sure each
packet within a
transmission is
received.
The destination computer
can tell the source if it is
overwhelmed and thus slow
the
transmission rate.
Used when reliable delivery
is required. Suitable for
relatively small amounts
of data transmission.

Uses a considerable amount

of resources and is slower
than UDP.

Does not use sequence

numbers.

The destination computer

does not
communicate back to the
source
computer about flow control
Used when reliable delivery
is
not required and high
volumes of
data need to be
transmitted, such
as in streaming video and
status
broadcasts.