Group 1 and Group 3 Response

Order Description

Read Group 1 and Group 3

Write about what you learned from response Group 1 and Group 3 response.

Make sure to provide two comments one for Group 1 topics and the other for Group 3 topics.

Label it as Group 1 response and Group 3 response

Group 1
For Group 1 I would like you to consider the challenges associated with using ID cards and badges as a method for authorizing access to all corporate locations.  (Therefore it can be the same database that is used for multiple locations.)   What are some of the challenges associated with managing ID cards and badges for a large organization?  (For an enterprise organization this could be 10,000 plus employees and it could even be 100+ locations.)  Additionally, what type of doors or turnstiles would you put in place to manage access?  (The reason I ask is that just doors themselves can be prone to “tailgating” or multiple people entering at once on a single badge.)  What would you do to minimize “tailgating”?  Final question: What is the difference between a fail-safe and a fail-secure lock?
– Designation of the areas where an ID card/badge is required.
– A description of the type of card/badge in use and the authorizations and limitations placed on the bearer.
– Containing the individual’s name, color photograph or digitized image, the name of the issuing department/organization, date of expiry, and a number unique to the card.
– The required presentation of the card/badge when entering or leaving each area during all hours of the day.
– Details of when, where, and how the card/badge should be worn, displayed, or carried. Also, the inclusion of details such as employee height, weight, hair color and date of birth.
– Procedures to follow in case of loss or damage of the card.
– The disposition of the card/badge upon termination of employment, investigations, or personnel actions.
– Prerequisites for reissuing the card/badge.
Additionally, what type of doors or turnstiles would you put in place to manage access?  (The reason I ask is that just doors themselves can be prone to “tailgating” or multiple people entering at once on a single badge.)
All access control systems need some type of impartial physical barrier to bar unauthorized entry. This often comes down to some sort of turnstile, revolving door or entry portal. If someone is denied access, the turnstile beeps, lights bright red, snaps a barrier arm into place and alerts a guard. It can outfit turnstiles to close if they detect metal or dangerous chemicals.
Some systems can use weight mats on the floor to ensure only one person enters at a time. Tomsed’s more sophisticated units use ultrasonic sensors to ensure there is only one individual in the space at a time.
A state-of-the-art system may look a lot like Smarter Security’s Door Detective. It uses an infrared sensor linked to a neural network – software designed to analyze images like a human brain – to determine whether an unauthorized person is attempting to penetrate the door.
What would you do to minimize “tailgating”?
A variety of anti-tailgating strategies abound. It is dependent on the specific entry point you want to secure, the layout of the entrance, the reason for controlling access to it, and the flexibility of your budget. I would use a combination of these systems:
– Security guards can visually confirm a badge matches the holder.
– Turnstiles serve as a physical barrier and are good for high-volume traffic.
– Laser sensors can detect multiple people.
– Biometrics deter employees from sharing credentials.
– PIN numbers can be added to card readers.
– Camera analytics enable remote facial recognition.
– Visitor badges ensure temporary guests are documented.
What is the difference between a fail-safe and a fail-secure lock?
Fail-safe locks require power to lock. When power is interrupted by an access control or power outage, the door will unlock. Fail-safe locks are often used for life safety applications such as the access control of perimeter fire-rated exit doors and high-rise building stairwell doors, where the locks are automatically released by a signal from the building fire life safety command center during an emergency or building power outage. When used on interior doors that do not require connection to the life safety command center, battery back-up power supplies may be used to provide continuous power to electric locks and strikes during a power outage.
Fail-secure locks require power to unlock. When energized by use of an access control, the door unlocks. The door will lock or stay locked during a building power outage. A battery back-up power supply may be provided to ensure continued operation during loss of building power. Typically used for high-security applications, fail-secure locks are not permitted on fire-rated doors because they do not unlock during an emergency or power loss.
References:
http://www.globalsecurity.org/military/library/policy/army/fm/3-19-30/ch7.htm
http://www.rcmp-grc.gc.ca/physec-secmat/pubs/g1-006-eng.htm
http://ehstoday.com/fire_emergencyresponse/ehs_imp_12510
http://www.buildings.com/article-details/articleid/13274/title/10-strategies-to-prevent-tailgating.aspx
https://sdcsecurity.wordpress.com/2009/05/06/what-is-the-difference-between-failsafe-and-failsecure-electric-locks/

Group 3
Here is a challenging one.  If you have a data breach on your WiFi network, how do you find the user/users and device/devices that have breached it?  Make sure to provide details to the degree necessary to find the devices.  This is not easy since a rogue device on a wired network can be found by following the “wire”.  This is not the case with WiFi abuse since there is no “wire” to follow.  (When answering the question make sure you are specific and find the necessary tools to do the job.  You may even want to use the example of a college campus, even if you track the issue down to a specific WiFi Access Point, you may walk into a room or building with 10s or 100s of people in it.  How do you narrow it down from there???  Make sure to think how you would do it professionally.)

Tracking down a security breach on a Wi-Fi network is no simple task, but to better explain the basic approach, let’s create the scenario at hand.  The breach takes place at a local university.  For simplicity, it is just one building that houses classrooms, admin offices, computer labs, a library, and a server room in the basement.  The only hard-wired objects allowed on the network are university-approved devices such as facility workstations, printers, computers in the labs, and wireless access points.  The wireless access points broadcast an open network for students to log on to, similar to an access point you would find at a Starbucks (not secured).  The only thing the network blocks is common torrent sites.

To continue on with the story and lay the groundwork for this, pretend the university did not splurge for the system with all the bells and whistles (which does not necessarily mean an intrusion would have been prevented, but keeps the story less complicated) but spent enough for a fairly good firewall and an intrusion detection system that sits immediately behind the firewall, thus monitoring all traffic on the ‘secure’ portion of the network.  They did not use secure access with WPA/WPA2 requiring university-issued credentials to log on (think like the setup here at LTU, but we would not have much of the story because it would be easy to trace).  Instead, JB, the IT guy, only configured the administrator portion of the access point with WEP, which has proven very unsafe for networks (it’s not encrypted).
A few more assumptions, because when it comes to computer forensics, this story could go a lot of ways:
•         The attacker would have to remain on the network
•         The detection system behind the firewall picked up unknown traffic which alerted JB
JB quickly looks at the port number the IDS picked up as being an error.  Unsure of exactly where the issue is stemming from, he launches Wireshark, a free network analyzer tool, from his computer and references the port number, not finding anything.  He then launches another piece of software from Acrylic Wi-Fi Analyzer.  The reason he uses this is that Wireshark does not handle Wi-Fi analysis easily and has many known issues, especially on a Windows platform.  The first thing JB looks for is to see if you can find the port.  Luckily, Acrylic, the one thing the university did spend some money on, gives the access point.  Unfortunately, a lot of people can use an access point at once; it just narrows down his geographical area.  He then looks for the DHCP status, gets the machine name and records the MAC address.  If JB’s lucky, the person named their computer with something like “John Doe” or “John-PC”.  Bump this up against a student listing and a class schedule, and JB may be able to narrow the search down, but that is unlikely; he has other work to do first.

Although this is a university and not some multi-billion-dollar company, any data breach should be considered criminal activity until otherwise noted.  Politically, you would want to protect the organization’s reputation.  Some things to consider, according to the 2012 Data Protection & Breach Readiness Guide, are preservation of areas that were breached.  So if a server was accessed and administrator-level items were changed, you would want to save the log files as evidence.  JB quickly cross-references the port and where the hacker is trying to get.  He logs onto the firewall administrator account and closes the port, but before he does, he screenshots the MAC address and DHCP.  This is for his own reference as well as evidence for any future prosecution.  JB contacts security and has them meet him as they go to the area around the access point.  Unfortunately, there are several classrooms and a lecture hall.  To make matters worse, the DHCP was not a simple one.
JB thinks of two options:
One, he can create a honeypot and attempt to lure the attacker back in at another time, or two, he can block that MAC address across the entire network.  JB decides on the latter.  Most college students only have one laptop.  If he blocks the MAC address, it’s likely the attacker (a student in this case) will bring his computer to the help desk because it “will not connect to the school Wi-Fi but connects everywhere else.”
JB takes the necessary notes and speaks with the university on what occurred and what his plans are.  The university increases the budget and plans to increase security are made.
References:
https://www.acrylicwifi.com/en/wlan-software/wifi-analyzer-acrylic-professional/
http://www.howtogeek.com/107945/how-to-identify-network-abuse-with-wireshark/
http://www.isaca.org/Groups/Professional-English/incident-management/GroupDocuments/OTA_-_2012_Data_Breach_Guide.pdf

http://www.isaca.org/Journal/archives/2005/Volume-6/Pages/Internal-Cyberforensics1.aspx
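
The correlation JB performs in the Group 3 post (IDS alert, then DHCP lease, then access point), as an added example that is not part of the original post. The log layouts, addresses, hostnames and AP names are constructed assumptions; the sample also shows why the alert timestamp matters when DHCP hands the same IP to a different device later in the day.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (assumed layouts, not real data).
# DHCP leases: (lease_start, lease_end, ip, mac, hostname)
DHCP_LEASES = [
    ("2024-03-04 09:00:00", "2024-03-04 13:00:00", "10.20.5.77", "02:00:00:00:00:01", "John-PC"),
    ("2024-03-04 13:05:00", "2024-03-04 17:05:00", "10.20.5.77", "02:00:00:00:00:02", "DESKTOP-7Q2"),
    ("2024-03-04 12:30:00", "2024-03-04 16:30:00", "10.20.5.80", "02:00:00:00:00:03", "lib-kiosk"),
]
# Wireless controller associations: (assoc_time, disassoc_time, mac, access_point)
AP_ASSOCIATIONS = [
    ("2024-03-04 09:01:10", "2024-03-04 11:58:00", "02:00:00:00:00:01", "AP-LIB-2F"),
    ("2024-03-04 13:06:00", "2024-03-04 14:40:00", "02:00:00:00:00:02", "AP-LECTURE-1"),
    ("2024-03-04 14:41:00", "2024-03-04 16:00:00", "02:00:00:00:00:02", "AP-LAB-B1"),
]

def _ts(text):
    return datetime.strptime(text, FMT)

def lease_for(ip, when):
    """Return (mac, hostname) of the single lease holding `ip` at `when`, else None."""
    t = _ts(when)
    hits = [(mac, host) for start, end, lip, mac, host in DHCP_LEASES
            if lip == ip and _ts(start) <= t < _ts(end)]
    # Zero hits: no lease covered that instant. Several hits: logs overlap, so do not guess.
    return hits[0] if len(hits) == 1 else None

def ap_for(mac, when):
    """Return the access point `mac` was associated with at `when`, else None."""
    t = _ts(when)
    for start, end, amac, ap in AP_ASSOCIATIONS:
        if amac.lower() == mac.lower() and _ts(start) <= t <= _ts(end):
            return ap
    return None

def trace_alert(src_ip, alert_time):
    """Map an IDS alert (source IP + timestamp) to MAC, hostname and access point."""
    lease = lease_for(src_ip, alert_time)
    if lease is None:
        return None
    mac, host = lease
    return {"ip": src_ip, "time": alert_time, "mac": mac,
            "hostname": host, "access_point": ap_for(mac, alert_time)}

if __name__ == "__main__":
    print(trace_alert("10.20.5.77", "2024-03-04 14:45:00"))
```
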
