As part of my studies toward the CISSP-ISSAP I will be using this for compiling my notes on the different CISSP-ISSAP topics. I will organise these topics using the Official (ISC)2® Guide to the ISSAP® CBK, 2nd Edition. I will be learning the content itself from the CBK, the NIST documents and any other freely available resource in the references of the CBK and in the CISSP-ISSAP references.
Domain 1 – Access Control Systems & Methodology
RFC 2904 – The AAA Authorization Framework.
This RFC describes a common schema for managing the authorization for any internet service. The need for a standard schema should be obvious but as Security Architects it is important that we understand how it works and how we can incorporate it into our system. While
Domain 2 – Communications & Network Security
Domain 3 – Cryptography
Domain 4 – Security Architecture Analysis
Domain 5 – Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
Domain 6 – Physical Security Considerations
Physical Security Policies and Standards
Security policies can be vital to providing a defined structure for control. Simple and repeatable, they recur in nearly every aspect of security, and with good reason: they provide established best practice specific to our organisation. For physical security our staff tend to need clearly defined boundaries and rules on who can go where, when, to do what, and why and how it is restricted. Having this clearly documented in a policy allows our staff to see our controls, understand them and, most importantly, buy into their criticality.
Any good security policy should, at a high level, cover facility design, location, access control, and any industry- and region-specific issues such as regulations or export control.
Security architects, policy makers, third-party managers and other professionals need to work within national, regional and international laws and requirements when it comes to transferring technology or information to other countries. Some of the very same laws that cover nuclear arms imports also cover assets we may be transporting day to day, from encryption tools to software designs, so we need to understand the limits of what we can and cannot distribute. Security policies can help document these restrictions: each organisation will have different needs, and the policies, guidelines or other documentation should make sure that these restrictions are clearly described, understandable and accessible to relevant staff, and that there is a point of contact for clarifications. While the export policy deals with transfers, it has important links to other security requirements. For example, if we allow anybody to come into our offices and look at our information without restriction, we could be conducting a deemed export of information to people who may be sanctioned. A sign-in sheet for visitors, ID badges, escorting, pre-employment screening and more can all protect us from breaching these restrictions. But what are these controls? Let's go through the USA, some international bodies, and Japan.
United States of America
Export control especially can be a key issue we need to either understand ourselves or have access to the expertise of those who do. Why are export controls important and what do they entail? This depends on the region of the world you are located in, with the USA having strict and defined standards that are, in part, left over from the Cold War. The USA prohibits the unlicensed export of commodities or information for various reasons, such as:
- The exported item has potential military applications, such as with cryptography.
- The exported item is covered under protectionist economic policies.
- Governmental controls around the destination, such as sanctions on the destination country, organisation or individuals.
- Concerns around the declared or suspected use of the export. This can be seen where an item being exported has both civilian and military uses.
That can cover many things in security. Especially when we consider the use of standard IT and security tools by Advanced Persistent Threats and in cyber-espionage, many things can be considered an “export”, but the reasons for controlling them are very reasonable: they include the prevention of terrorism and cyber-crime, the promotion of national security, sanctions, regional stability and restrictions on the export of high-performance computers. How exports take place can vary as well; you can “export” information simply by disclosing it to a foreign national, including through physical access and distribution.
The criteria for what is controlled, what is not, and what requires a government-issued licence within the USA are quite detailed and are covered on the EAR website. Categories 4 and 5 are what we should be most concerned about. They are quite detailed in their contents and it is not required to rote learn them for the exam, but you should be aware, at a high level, of what you can and cannot export from the US and other jurisdictions.
Where you are looking to get a license for dual-use/commercial technologies there are 3 categories of countries considered:
- State sponsors of terrorism.
- Countries of concern, such as China and the former USSR.
- Friendly countries such as the EU member states.
In addition to the EAR’s restrictions, the Department of State’s International Traffic in Arms Regulations (ITAR) has its own list covering military items and services, which can be reviewed here. Besides the expected guns and ammunition, the list restricts plans, diagrams, photos and other documentation that can be used to build military gear. Access to physical materials or technical data related to defence and military technologies is restricted to US citizens only.
Who falls under ITAR?
- Computer Software/ Hardware vendors
- Third-party suppliers
The way ITAR licensing works is that you are denied if you are from a State Sponsor of Terrorism, a nation under arms embargo, or another specifically barred nation. Where a denial is based on the item being exported or the end user, this list extends to Afghanistan, the Congo, Iraq and Rwanda.
Tired yet? There is more! The US Treasury Department’s Office of Foreign Assets Control (OFAC) enforces economic and trade sanctions against specific countries and covers:
- Regulation of the transfer of items/services of value to embargoed nations.
- Imposing trade sanctions and trade embargoes to control terrorism, drug trafficking and other illegal activities.
- Preventing payments to nationals of sanctioned countries.
- Prohibiting travel to embargoed countries, even when EAR/ITAR exclusions apply.
Outside of exclusions, export licenses are needed for exporting controlled items, and acquiring a license can take several months, assuming it is granted. Even when approved, these licenses can carry restrictions. The exclusions that are available allow us to avoid the process of acquiring an export licence, and exclusions are generally in place for all dual-use (or commercial) items. Export licenses tend to be required for dual-use items where certain conditions are met, which are set out in lists published under the EAR or ITAR:
- Denied Persons List – contains US persons who have been denied export privileges.
- Unverified List – contains parties where the Bureau of Industry and Security has not been able to identify the end-user in prior transactions, which can indicate sanction circumvention.
- Entity List – contains parties whose involvement in a deal could require a license under the EAR, as they represent a risk of using dual-use technologies for weapons of mass destruction or missiles, or have engaged in sanctioned activities before.
- Specially Designated Nationals List – a list of prohibited parties maintained by the US Treasury Department’s OFAC.
- Debarred List – contains people barred under ITAR, maintained by the US State Department.
After all that the USA’s national restrictions should be covered, but there are also international controls on the exportation of dual-use technologies, many of which the USA is a member of, including the below:
- Nuclear Suppliers Group – implements guidelines to control nuclear and nuclear-related exports.
- Zangger Committee – harmonises the implementation of the Nuclear Non-Proliferation Treaty for safeguarding nuclear exports.
- Missile Technology Control Regime (MTCR) – applies a common export policy for controlled equipment used in missile development, production and operation.
- Australia Group – aims to prevent chemical or biological weapons from getting into the hands of states or terror groups by maintaining an AG Control List of items that could allow the acquisition of these weapons.
- Wassenaar Arrangement – specifically targets arms accumulation and certain dual-use technologies that could contribute to military capabilities, and allows for cross-border information sharing between the adherents.
Now that we have covered the US and some international groups we will look at how Japan controls exports.
Japan has its own set of controls over sensitive goods and technologies that, like the US controls, cover both military and dual-use technologies. Exports in Japan are controlled by the Foreign Exchange and Foreign Trade Act (1949) (amended 1998), with the following important sections:
- Article 48-(1) of the Act stipulates that any person intending to export specific goods must obtain permission from the Ministry of Economy, Trade and Industry (METI).
- Article 25-1-(1) says that those intending to transfer specific technology to a foreign person or to a foreign country must obtain permission from the ministry.
METI administers export controls through its Trade Control Department, which covers Security Export Controls using the following divisions:
- The Security Export Control Policy Division.
  - Responsible for setting, legislating and administering the Export Control Policy and working with all the previously mentioned international export control regimes.
- The Security Export Licensing Division.
  - Reviews and approves license applications.
- The Security Export Inspection Office.
  - Enforcement activities.
  - Awareness and promotion to prevent illegal exports.
Physical Security Risks
A lot of the time, when we think of all the requirements in information security and cybersecurity in general, we think of firewalls, hardened systems, malware and pentesting, but while those are important, all those controls are useless if we leave our windows open and doors unlocked. A solid security program should be well rounded and take into account any physical security risks to the business’s premises. These can range from having Business Continuity Management in place to reduce the impact of global pandemics or just localised flooding, to having employees aware of basic good practice to prevent tailgating. While we spoke about physical security briefly in our ISO 27001 blog, we are going to dive into the details in this section.
An organisation can spend millions of euros on best-in-class technical controls, from Tripwire to CyberArk, Digital Guardian to Qualys, and have full teams of experts manning their SOC and maintaining those controls, but if we don’t secure the buildings that house our hardware and software our investment is useless. Without guards, physical access control systems, manned receptions, CCTV and other physical controls an adversary can just walk in and compromise our information.
Humans are essential components of our security program and, especially with surveillance devices like CCTV, we need people to monitor and respond as necessary. Acting as a deterrent to dissuade ne’er-do-wells from attempting to enter, guards can also provide assistance to legitimate employees, carry out patrols, escort visitors and enforce other controls, such as stopping employees from holding the door open for friends and coworkers. Key responsibilities can include:
- Guarding and patrolling areas.
- Preventing contraband from being brought into restricted areas.
- Controlling access by checking employee badges or signing in visitors.
- Responding to fire, security or medical emergencies.
- Drafting reports on any incidents.
- Observing for maintenance issues such as lighting, toilet issues or trip hazards.
Access Control System
Physical access control systems are seen as standard with most companies to make sure only employees and authorised persons can enter the premises. Advanced access control can cover more than just people too, as in airports where bags are screened to detect contraband. The type of access control used in each location should be tailored to the specific risks identified for that location, or to the value of the assets stored within it. The types of control can include:
- Manned receptions.
- Separated and secured loading bays.
- Card-controlled doors and elevators.
- Multi-factor card controls.
- Monitoring systems (CCTV etc.).
There are other controls, but the ultimate goal is to limit the chance of a risk being realised by reducing threats’ physical access to the premises. By preventing this we keep our paper documents safe and our physical equipment secure, and reduce the risks of clear desk and clear screen policies not being followed. The Evil Cleaner attack is renowned because once a threat has physical access, all logical controls can be bypassed.
The access control system records logs of authorised and unauthorised access. These logs can be reviewed and archived with the date, time and any information specific to the event. This can be a useful source of information should an incident happen.
To facilitate access control systems, employees are provided with cards or badges as part of employee onboarding and offboarding so they can be easily identified by other employees and by the system. The types of cards are listed below; they allow finer control of employee movements. The access control system reads the data from the card and looks it up in its database. If an entry is found, the system returns an allow and logs the event.
Cards are not perfect: they can be lost, stolen or lent to unauthorised people. While guards and more comprehensive employee badges can help reduce this risk, there are times where physical guards are not practical. When this is the case, multi-factor authentication at access points can come to our rescue. This is where the card itself is useless without a second factor being known or used, such as a fingerprint read or a PIN code. This is similar to how chip-and-PIN bank cards work.
Magnetic stripe cards use a magnetic stripe on a plastic card, like a credit card, that is read when the card is swiped through a reader. It is an older technology that can be easily damaged by strong magnets and can be duplicated easily.
Proximity cards use an antenna wire that connects to a chip, which can be seen if you split the card in half. The chip holds the identification number for the card and the antenna allows it to be read by a reader. These are more difficult than magnetic stripe cards to duplicate.
Smart cards are credentialed cards. They have microchips but, unlike proximity cards which only store a card identification number, smart cards can store substantially more information, including the individual’s access rights in detail, qualifications, confidentiality level, biometric information and usage statistics. This wealth of information allows the card to be used not only at a door but also at a computer for authentication. Obviously this is the most difficult type to clone.
As discussed, access cards are useful, but they are not safe from exploitation, with employees losing them, having them stolen and lending them to others. Employee badges allow us to reduce this risk by being useful not just for access control but also for identification. These badges still need to be accounted for, but they allow security personnel to encode identification information into them. They can be magnetic, proximity or smart cards with attributes encoded, and possibly with a photograph printed on the card. While more useful than plain access cards, they do require additional equipment to implement and maintain:
- Cameras for capturing photographs.
- Special badge software.
- A badge printer for printing the relevant information on the card and for encoding the card with the relevant information.
- A server for retaining and maintaining the badge credential database, which connects to the access control systems.
While badges are pretty standard there are alternatives. For example, the United States government has begun using a central provisioning model for all of its various agencies as part of the USAccess programme ( https://www.fedidcard.gov ). This programme, established by the HSPD-12 Managed Service Office, requires all employees and contractors to have a common, interoperable PIV credential. It ensures credential production, issuance, activation and management are handled to high standards, ensuring uniformity and security by:
- Centralising where access requests are processed and cards produced into a central, secured facility.
- Ensuring that verification is carried out with the employee once they receive their badge. This is done first by verifying the employee through biometrics, followed by encoding the credential with additional biometric information, fingerprint templates, a PIN and the relevant digital certificates.
- Suspension, reprinting and revocation of credentials may be carried out by authorised role holders at an operational level.
- Some agencies can use light activation stations on-site for employees to activate their badges or carry out maintenance activities (updates or amendments) on the badges.
Of course badges can be a risk if lost or misused, and as such, any time they are in use we must ensure staff receive appropriate awareness training to ensure they are handled responsibly.
Access Control Head End – Remove once understood
The application software housed in the CPU is the physical intelligent controller where all access control systems are actively monitored, recorded into history, commanded and controlled by the operator. Current access systems allow each local security panel to hold the system logic for its associated devices. The CPU retains the system-specific programming to allow entry (access) for authorized personnel and deny access to unauthorized personnel.
Communications failure between the CPU and the local access control panel could result in new users not being permitted entry; however, the system is set so that the panel will recognize personnel already installed and will grant access to an authorized badge holder.
These systems can integrate with CCTV and provide instant visual recognition along with visual alarm activation in order to provide the security console operator visual information before dispatching a security response team.
Another feature of an access control system is it can provide event tracking/event logs, which are lists or logs of security events recorded by the access control system that indicate the actions performed by employees as they enter or attempt to enter a controlled area. Each event log entry contains the time, date, and any other information specific to the event. This is useful when identifying who has access to a specific area and verifying with management if that employee still needs access.
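The card lookup, second factor, per-event log entry and communications-failure fallback described above, modelled as an added Python example. This is not code from the CBK or from this blog; the HeadEnd and DoorPanel classes, the badge numbers, door names and PIN are all constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timezone
import hashlib
import hmac

# Fixed salt keeps the example deterministic; use a per-credential random salt in practice.
PIN_SALT = b"constructed-example-salt"

# A credential as the head end stores it: the doors the badge may open and, for
# holders of multi-factor doors, a PIN hash (the PIN itself is never stored).
Credential = namedtuple("Credential", "badge_id holder doors pin_hash", defaults=(None,))
# One event log entry per access attempt: time, door, badge, result and reason.
Event = namedtuple("Event", "timestamp door badge_id granted reason")

def hash_pin(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 10_000)

class HeadEnd:
    """Central CPU: the credential database plus the system-wide event history."""

    def __init__(self):
        self._db, self.events = {}, []

    def enrol(self, cred: Credential) -> None:
        self._db[cred.badge_id] = cred

    def revoke(self, badge_id: str) -> None:
        self._db.pop(badge_id, None)

    def lookup(self, badge_id: str):
        return self._db.get(badge_id)

class DoorPanel:
    """Local panel for one door. Caches credentials the head end has confirmed so
    known holders still get in during a link failure; new or revoked badges are
    only resolved once the link is back. Events are buffered while offline."""

    def __init__(self, door: str, head_end: HeadEnd, require_pin: bool = False):
        self.door, self.head_end, self.require_pin = door, head_end, require_pin
        self.online, self.cache, self.local_events, self._unsent = True, {}, [], []

    def set_link(self, online: bool) -> None:
        # Simulate the CPU link going down or coming back; flush buffered events on return.
        self.online = online
        if online:
            self.head_end.events.extend(self._unsent)
            self._unsent.clear()

    def _log(self, badge_id: str, granted: bool, reason: str) -> Event:
        ev = Event(datetime.now(timezone.utc).isoformat(), self.door, badge_id, granted, reason)
        self.local_events.append(ev)
        (self.head_end.events if self.online else self._unsent).append(ev)
        return ev

    def present(self, badge_id: str, pin=None) -> Event:
        """A badge (and optional PIN) is presented at this door's reader."""
        if self.online:
            cred = self.head_end.lookup(badge_id)
            if cred is None:
                self.cache.pop(badge_id, None)   # evict revoked badges from the cache
                return self._log(badge_id, False, "unknown or revoked badge")
            self.cache[badge_id] = cred
        else:
            cred = self.cache.get(badge_id)
            if cred is None:
                return self._log(badge_id, False, "link down and badge not in panel cache")
        if self.door not in cred.doors:
            return self._log(badge_id, False, "badge not authorised for this door")
        if self.require_pin:
            if cred.pin_hash is None or pin is None:
                return self._log(badge_id, False, "second factor required")
            if not hmac.compare_digest(hash_pin(pin), cred.pin_hash):
                return self._log(badge_id, False, "incorrect PIN")
        return self._log(badge_id, True, "granted" if self.online else "granted from panel cache")

def run_scenario() -> list:
    """Walks through the cases in the text; returns (door, badge, granted, reason) tuples."""
    cpu = HeadEnd()
    cpu.enrol(Credential("B1001", "Alice", frozenset({"lobby", "server-room"}), hash_pin("2468")))
    cpu.enrol(Credential("B1002", "Bob", frozenset({"lobby"})))
    lobby = DoorPanel("lobby", cpu)
    servers = DoorPanel("server-room", cpu, require_pin=True)
    events = [
        lobby.present("B1001"),            # known badge, link up: granted
        servers.present("B1002"),          # not authorised for this door
        servers.present("B1001"),          # MFA door, no PIN offered
        servers.present("B1001", "0000"),  # wrong PIN
        servers.present("B1001", "2468"),  # correct PIN
    ]
    lobby.set_link(False)                  # communications failure to the CPU
    cpu.enrol(Credential("B1003", "Carol", frozenset({"lobby"})))
    events += [
        lobby.present("B1001"),            # already cached on this panel
        lobby.present("B1003"),            # new user the panel has never seen
        lobby.present("B1002"),            # Bob never used the lobby reader
    ]
    lobby.set_link(True)                   # link restored, buffered events flushed
    cpu.revoke("B1001")
    events.append(lobby.present("B1001"))  # revoked: denied and evicted from cache
    return [(e.door, e.badge_id, e.granted, e.reason) for e in events]
```

Calling run_scenario() returns the nine decisions in order. Two design points worth noting: a panel only caches a badge after the head end has confirmed it once at that door, so the fallback helps existing users but not a new hire, exactly as the text describes; and the flip side is that a badge revoked while a panel is offline keeps working on that panel until the link returns, which is why the event buffer is flushed to the head end on reconnection so the history stays complete for review.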
Physical Security Needs and Organization Drivers
Taking a risk-focused approach to planning our physical security includes looking at the organisation’s goals and drivers. While some drivers might be specific to an organisation, many are common among all organisations and allow us to identify and prioritise the security structure. Some of these common drivers include:
- Governance and compliance with regulatory requirements.
- Asset Protection.
- Protection of Personnel.
- Cost Control.
- Business growth.
More niche and organisation-specific drivers may also impact our programme, such as the site being a military base or a specific certificate or audit standard being targeted, but we need to meet the security needs of the business without hindering business processes. This allows a flexible approach that can keep up with and adapt to the business as it evolves.
Facility risks are the physical risks to the facility building itself. When trying to identify these risks we do a vulnerability assessment and look at the layout of the building, where key assets are located, where information is stored and used, and where our controls are. We look at how our physical controls are layered and try to identify gaps in our defence-in-depth strategy. If carried out correctly, these assessments can help us identify and eliminate risks, including potential future risks that may emerge. Types of threats we might look at include flooding of data centers, criminal theft, fire damage, protests and other forms of civil unrest. At the end of the risk assessment we should know what threats face our critical assets, what our vulnerabilities are, and what combination of controls are the best countermeasures for these.
As is standard, we look at the CIA framework of Confidentiality, Integrity and Availability and how to protect these attributes for information and assets in our physical premises. A threat matrix can help us easily identify the assets we think would be targeted or critical; they can be people, information, equipment, or even gold bullion. Once we know our critical assets we can identify the likelihood and impact of the threats to calculate each asset’s risk rating.
The best way to come up with a facility threat matrix, to identify critical assets and to understand the effectiveness of countermeasures is not just to do a site visit with trained security personnel. While that can be useful on a greenfield site, it only provides part of the picture. We should also look at the people that work on the site. Auditors will already know this, but the best way to identify what is critical to a business unit, and even how to break or attack that asset, is through talking with and interviewing the operational staff. This can also help attain buy-in if changes are needed. Using the change management process for the facility we can ensure changes are implemented smoothly. Questions we should ask during any facility risk assessment are:
- What are our critical assets?
- Who are our threat actors?
- What are the vulnerabilities of our assets?
- What is the impact of the risk being realised?
- How much protection do we want to achieve, and what is our appetite for residual risk?
- What types of mitigating controls are appropriate?
- What could prevent controls being implemented?
- What are the specific security design constraints?
- How do the people, processes and technologies of the facility carry out incident response?
Once our risk assessments, interviews and threat matrices have answered our questions, we can start planning the physical protection for the facility.
One of the main outcomes of physical security is controlling access to the facility. By layering controls we can have a security programme with ever-increasing levels of security that become more difficult to circumvent as a threat actor gets closer to our critical assets and protected areas. This multi-layered approach allows us to protect our assets even if some of our controls fail. With this layering an attacker would have to penetrate multiple controls of different types of defence to access the targeted assets. The most critical asset in any organisation is its employees, and the protection of their lives should be a primary goal. This needs to be taken into account when identifying what controls to use and how they should be implemented.
The first step in planning is to look at the building layout and where the assets are located, and then think about what controls are needed where for optimal security, making sure security personnel are readily available to respond to incidents. The placement, type and frequency of these controls has to be carefully planned to ensure that employees are able to carry out their duties in as free and convenient a way as possible while still keeping assets protected. The level of control needed and the level of openness required vary by department and function, and it is important to involve key stakeholders in the planning stage to get this balance right. Security should always come before convenience, but expediency should be present where possible. While security controls entrance to and exit from a building, it should also provide for evacuation routes should the worst happen.
Greenfield sites are always easier to work with than trying to adapt existing buildings and processes. Not only can we ensure the walls are in the right places on a greenfield site, we can also ensure that the site is in the right geographic area; for example, if we are choosing to be multi-tenanted we can select who our neighbours will be. Over the long term, correct site selection, building placement, building layout, number of entry points and distribution of functions can reduce security operating costs. Established sites can bring an array of problems, such as requiring employee buy-in for process changes and working with the existing change management to reduce the impact of any changes. Regardless of the site chosen, a holistic view should be taken to make sure security and business needs are balanced, and that risks are prioritised and resources allocated accordingly.
Depending on the function of the building, specific requirements may be needed, such as for data centers, which should be able to withstand 200 km per hour winds, rain and snow, be fire resistant and have few, if any, windows. In addition they should be designed for optimal cooling, such as having 20-foot-high ceilings for airflow.
Restricted Work Area
Sensitive Compartmental Information Facilities (SCIF)
SCIFs are highly restricted US governmental areas where there are requirements for additional security measures and stricter access controls. The stricter controls extend from physical restrictions to noise insulation, blocking off any windows or visible areas, and air-gapping them from the network. When practical, entrance doors should incorporate a vestibule to preclude visual observation and enhance acoustic protection.
Primary entrance doors shall be equipped with the following:
- A GSA-approved pedestrian door deadbolt meeting Federal Specification FF-L-2890.
- A combination lock meeting Federal Specification FF-L-2740.
- An approved access-control device (see Chapter 8).
- May be equipped with a high security keyway for use in the event of an access control system failure. All access control must be controlled from within the SCIF.
- All perimeter SCIF doors shall be equipped with an automatic, non-hold door-closer which shall be installed internal to the SCIF.
- All perimeter doors shall be alarmed.
- Perimeter doors shall comply with applicable building, safety, and accessibility codes and requirements.
- White noise or sound-masking devices need to be placed over doors.
- Few, if any, windows should be present.
- Windows should not be openable.
- Windows should be alarmed if within 18 feet of the ground.
- Windows should be protected from visual or acoustic detection.
- Windows should provide RF protection.
Secure Working Area:
- Controlled by guards or with GSA-approved combo locks
- Incident response time of 15 minutes
- Strong access control
Outside of SCIFs, the most secure places for an organisation are its data centers, which need to be built to withstand a variety of threats and, as well as standard attacks, also have to contend with the risk of accidental and insider threats. All employees working in data centers should have well-defined roles, and those roles should be sufficiently segregated to prevent individuals having access to the entire facility. This can be achieved by segmenting the HVAC and UPS equipment away from the networking gear. This, alongside strong access control, visitor controls and guard patrols, also reduces the risk of individuals having free rein in the building. There should be a 24/7 NOC to monitor for attacks, and environmental controls with redundant methods to contact the outside world. In addition, access to server rooms and racks should be restricted to time-limited access for a specific purpose only.
If the data center is just a room in a non-specialised facility it should be clearly marked as such, with additional restrictions compared to the standard office. Regardless of whether it is a comms room or a full data center, any access by staff such as cleaners or HVAC maintenance should be done in pairs, and if the server rooms themselves need to be cleaned the cleaners should be escorted by security.
While no protection plan is perfect, it should incorporate people, process and technology. Combining these factors will require compromise and an understanding of the environment. With people being the most important factor in the organisation, it is important that they are protected as much as possible. By understanding the people in the facility, where they congregate and what the usual movement flows are, we are able to best plan our security. There are a few categories of people discussed:
- Contract/proprietary personnel
Access Control Violation Monitoring
While many of these are in the CBK, there are some that are not but which I found useful. I also found several of the CBK references are no longer current and have updated these.
https://www.adamosecurity.com/wp-content/uploads/2020/07/JAFAN-6.9.pdf – this one is super old at 2004, so not sure how much weight to give it; it's short, but if there is any contradiction with other sources use the more up-to-date source.
https://www.wrc.noaa.gov/wrso/briefings.htm – There are better resources for the CISSP-ISSAP but this has some interesting practical insights into how the US Government agencies try to instil good practice.
https://www.fema.gov/pdf/business/guide/bizindst.pdf – This is another super old reference but being FEMA and still current it is worth a read, however other resources should be considered such as https://www.fema.gov/about/offices/continuity and https://www.ready.gov/business-continuity-planning-suite