Information Security Management – Evolutions


NATIONAL DEFENCE UNIVERSITY “CAROL I”
REGIONAL DEPARTMENT OF DEFENSE RESOURCES MANAGEMENT STUDIES

INFORMATION SECURITY MANAGEMENT – EVOLUTIONS

Workshop unfolded during the postgraduate course in Information Security Management
14-15.06.2010, Brasov

Coordinator: LTC Prof. eng. Daniel Sora, PhD

National Defense University „Carol I” Publishing House
BUCHAREST 2011

Scientific board:
LTC Professor eng. Daniel Sora, PhD
LTC Senior Lecturer Cezar Vasilescu, PhD
Junior lecturer Aura Codreanu, PhD

ISBN: 978-973-663-952-4

CONTENT

1. INFORMATION AND PHYSICAL SECURITY
   LTC Marius Daniel CĂLINOIU
2. SECURING DNS
   CPT Lucian CROITORU
3. THE SELF-HACK AUDIT
   LT Eduard GHIU
4. ENCRYPTION ALGORITHMS OVERVIEW
   CPT Tiberiu MOLDOVAN
5. RFID – SECURITY AND PRIVACY ISSUES
   LT. Octavian PALEACU
6. MANAGING AN HOST-BASED INTRUSION DETECTION AND PREVENTION SYSTEM
   1st LT Bogdan RUSU
7. INTERNET PROTOCOL SECURITY (IPsec)
   Maj. Laurenţiu SPĂTĂROAIA
8. WIMAX SECURITY
   CPT Sorin STOICA
9. INFORMATION SECURITY POLICY AND POLICY ON APPROPRIATE USE OF COMPUTERS AND NETWORK SYSTEMS AT THE UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN
   MAJ Dinu Emilian TUNDREA
10. TETRA SECURITY
    CPT Ioana MARTIN
11. ALPHABETICAL INDEX OF AUTHORS

INFORMATION AND PHYSICAL SECURITY
LTC Marius Daniel CĂLINOIU

INTRODUCTION

The practice of information security has become much more complicated and the need for qualified information security professionals has become critical. Physical security involves the provision of a safe environment for information processing activities, with a focus on preventing unauthorized physical access to computing equipment. It comprises three categories: (1) threats and facility requirements, (2) personnel physical access control, and (3) computer physical security. As technologies evolve, the protection of resources becomes increasingly complex. Nevertheless, information security is predominantly an organizational issue, and as such, establishing and enforcing policies and standards is critical to the successful administration of the Information Security Program. Physical security is often a discounted discipline, yet attention to safeguarding the physical environment can yield a satisfactory level of protection. This document offers a comprehensive look at implementing a physical security program, which begins with a risk assessment so that the appropriate, most cost-effective controls are implemented.
Additionally, the paper illustrates the multiple biometric technologies and defines each in terms of rejection and acceptance rates. Ultimately, it maintains that a good physical security program is an organization’s first line of defense.

A company's physical and logical information networks and user interfaces have been completely separate for years. Building access, or physical security, systems are typically put in place by either the owner of the building or, in the case of larger businesses, by the corporation's security department. Network and data security, or logical security, systems are the domain of the IT department. Each developed separately within the organization. Corporate security departments developed to protect physical assets through locks, surveillance and alarm systems, and are typically staffed by people with backgrounds in law enforcement, not technology. In contrast, protecting a company's information and knowledge assets has been one of the main tasks of IT since day one. This role has evolved into protecting both company and employee data since the dawn of the Internet age.

All corporate assets, from office equipment to employee belongings, need to be protected, and hackers, industrial saboteurs and terrorists must be prevented from wreaking havoc with networks, applications and databases. However, because physical and logical security systems have traditionally been handled separately with little or no crossover, few companies realize how much a converged system could help.

In many ways, building access security systems have always acted as the first line of defense against unauthorized access to any company assets, physical or logical. If an intruder could not gain entry to a company's offices, that person could not gain access to corporate applications and sensitive data. However, with the advances in technology, this is no longer the case, as telecommuting and remote access become more prevalent every day.
A company's IT assets and critical data can no longer be protected by physical security systems alone.

There have been other, more conventional, attempts made at solving the issue of unauthorized access to company information, but they all stop short of true integration. Some of these have included:

- Multifunction cards using either proximity capabilities or a traditional magnetic strip combined with a digital certificate or other credentials to identify users when they enter buildings or access their computer. However, there is no way to correlate access policy across systems or revoke all the various credentials contained on the card simultaneously.

- Identity management solutions can enable provisioning for new users, streamlining the creation of directory accounts and required user applications, as well as physical access privileges and web-application access control. However, they are costly and time-consuming to implement and are not a realistic solution for small to mid-size businesses.

- Consolidation is closest to an integrated physical and logical approach, as it gathers logs from application, network and physical access systems and generates consolidated reports by user. The problem with this approach is that it is time consuming to set up and still only lets administrators see what has already happened; it does not control access or prevent a transgression from happening in real time.

Physical and logical security concerns continue to mount, bringing the problems with the above solutions and issues such as inadequate security policy and lax enforcement to the forefront. Today, more and more organizations are realizing that a combination of their physical and logical security systems will help strengthen their security and better protect their company, employee and customer data.

I. Threats and Facility Requirements

The injury to the national interest or to private/non-national interests increases with the sensitivity of the disclosed information.
Injury may include damage to the defense and maintenance of the economic, social or political stability of a country, compromise of other governments' interests, breach of privacy, liability or financial loss, loss of confidence in the government, or decrease of government efficiency.

Unauthorized disclosure of protected or classified information can occur:

a. accidentally through loss or negligence by employees who were granted access to the information;
b. intentionally by individuals who have authorized (i.e., have been properly security screened and have a need to know) access to the information; and
c. intentionally by individuals who gain unauthorized access to information by whatever means, e.g., targeting of protected and classified information by criminal, terrorist or foreign intelligence elements.

Unauthorized disclosure of Secret or Protected C information will create more injury than unauthorized disclosure of Protected A or B information. In addition, some classified or protected information may be more attractive than other information in the same security classification and may, therefore, require safeguarding above the baseline delineated for this level of information.

The approach to physical security complements other aspects of the Security Policy and is based on the theory that the external and internal environments of facilities can be designed and managed to create conditions that, together with specific physical security safeguards, will protect against unauthorized access, detect attempted or actual unauthorized access and activate an effective response.

I.1 Physical Security

I.1.1 The human factor

Recent FBI statistics
