Security – Page 12 – Adventures in the programming jungle

Book review: Hacking – the art of exploitation, 2-end edition

15 May, 20135 November, 2015Adrian Citu

This is a review of the Hacking – the art of exploitation, 2-end edition book.

Chapter 0x100 Introduction

Very short chapter (2 pages and 1/2) in which the author gives his definition of a hacker; person that find unusual solutions to any kind of problems, not only technical problems. The author also expresses very clearly the goal of his book: “The intent of this book is to teach you the true spirit of hacking. We will look at various hacking techniques, from the past to the present, dissecting them to learn how and why they work”.

Chapter 0x200 Programming

The chapter is an introduction to C programming language and to assembler for Intel 8086 processors. The entry level is very low, it starts by explaining the use of pseudo-code and then very gradually introduces many of the structures of the C language: variables, variables scopes, control structures, structs, functions, pointers (don’t expect to have a complete introduction to C or to find advanced material).

The chapter contains a lot of code examples very clearly explained using the GDB debugger. Since all the examples are running under Linux, the last part of the chapter contains some basics about the programming on Linux operating system like file permissions, uid, guid, setuid.

Chapter 0x300 Exploitation

This chapter it builds on the knowledge learned in the previous one and it’s dedicated to the buffer overflow exploits. The most part of the chapter treats the stack-based buffer overflow in great detail using gradual complexity examples. Overflow vulnerabilities on other memory segments are also presented, overflows on the heap and on the BSS.

The last part of the chapter is about format string exploits. Some of the string vulnerabilities use specific GNU C compiler structures (.dtors and .ctors). In almost all the examples, the author uses the GDB to explain the details of the vulnerabilities and of the exploits.

One negative remark is that in some of the exploits the author use shell codes without explaining how these shell codes have been crafted (on the other side an entire chapter is devoted to shell codes).

Chapter 0x400 Networking

This chapter is dedicated to the network hacking(s) and can be split in 3 parts. The first part is rather theoretical, the ISO OSI model is presented and some of the layers (data-link layer, network layer and transport layer) are explained in more depth.

The second part of the chapter is more practical; different network protocols are presented like ARP, ICMP, IP, TCP; the author explains the structure of the packets/datagrams for the protocols and the communication workflow between the hosts. On the programming side, the author makes a very good introduction to sockets in the C language.

The third part of the chapter is devoted to the hacks and is build on the top of the first two parts. For the package sniffing hacks the author introduces the libpcap library and for the package injection hacks the author uses the libnet library (ARP cache poisoning, SYN flooding, TCP RST hijacking). Other networking hacks are presented like different port scanning techniques, denial of service and the exploitation of a buffer overflow over the network. In most of the hacks the authors it’s crafting his own tools but sometimes he uses tools like nemesis and nmap.

Chapter 0x500 Shellcode

This chapter is an introduction to the shellcode writing. In order to be injected in the target program the shelcode must be as compact as possible so the best suitable programing language for this task is the assembler language.

The chapter starts with an introduction to the assembler language for the Linux platform and continues with an example of a “hello word” shellcode. The goal of the “hello word” shellcode is to present different techniques to make the shellcode memory position-independent.

The rest of the chapter is dedicated to the shell-spawning(local) and port-binding (remote) shellcodes. In both cases the same presentation pattern is followed: the author starts with an example of the shellcode in C and then he translates and adapts (using GDB) the shellcode in assembler language.

Chapter 0x600 Countermeasures

The chapter is about the countermeasures that an intruder should apply in order to cover his tracks and became as undetectable as possible but also the countermeasures that a victim should apply in order reduce or nullify the effect of an attack.

The chapter is organized around the exploits of a very simple web server. The exploits proposed are increasingly complex and stealthier; from the “classical” port-biding shellcode that can be easily detected to more advanced camouflage techniques like forking the shellcode in order to keep the target program running, spoofing the logged IP address of the attacker or reusing an already open socket for the shellcode communication.

In the last part of the chapter some defensive countermeasures are presented like non-executable stack and randomized stack space. For each of this hardening countermeasures some partial workarounds are explained.

Chapter 0x700 Cryptology

The last chapter treats the cryptology, an subject very hard to explain to a neophyte. The first part of the chapter contains information about the algorithmic complexity, the symmetric and asymmetric encryption algorithms; the author brilliantly demystifies the operation of the RSA algorithm.

On the hacking side the author presents some attacks linked to the cryptography like the man-in-the-middle attack of an SSL connection (using the mitm-ssh tool and THC Fuzzy Fingerprint) and cracking of passwords generated by Linux crypt function (using dictionary attacks, brute-force attacks and rainbow tables attacks).

The last part of the chapter is quite outdated in present day (the book was edited in 2008) and is dedicated to the wireless 802.11 b encryption and to the weaknesses of the WEP.

Chapter 0x800 Conclusion

As for the introduction chapter, this chapter is very short and as in the first chapter the authors repeats that the hacking it’s state of mind and the hackers are people with innovative spirits.

(My) Conclusion

The book it’s a very good introduction to different technical topics of IT security. Even if the author tried to make the text easy for non-technical peoples (the chapter about programming starts with an explanation about pseudo-codes) some programming experience is required (ideally C/C++) in order to get the best of this book.

Introduction à la plateforme Digital Forensic Framework (DFF) (1)

1 May, 20131 April, 2013Adrian Citu

Digital Forensic Framework [DFF] est un logiciel open source développé par ArxSys[ARXSYS]. C’est un nouvel arrivant dans le monde des logiciels d’investigation numérique. Il se veut être multiplateforme, automatisable, portable et modulaire.

DFF est un outil d’analyse et présentation de données et il est capable d’extraire, analyser et mettre en corrélation des traces suspectes et des données de différents fichiers, provenant d’acquisitions de supports numériques, tels que les disques durs, la mémoire vive ou les téléphones cellulaires. Il peut également être utilisé pour récupérer des données supprimées.

Écrit en Python et C++, il est multi-plateforme, hautement modulaire et personnalisable. L’interface graphique est développée avec PyQt [PYQT]. L’interfaçage et les transformations entre Python et C++ sont obtenus grâce à Swig [SWIG].

DFF est divisé en quatre différentes couches logicielles (voir la figure suivante), communiquant entre elles par une interface de programmation applicative (API) : la couche de base (Core Layer), les modules, l’interface utilisateur et le shell.

La couche de base de DFF

Cette couche peut être considérée comme le cœur du framework. Elle fait l’interface avec le système d’exploitation et est utilisée pour charger et exécuter les modules. L’exécution des modules est automatique car la couche de base est conçue pour savoir quel module est requis et ensuite l’exécuter. Cette couche offre également aux modules la possibilité de renvoyer les données analysées sous la forme de nœuds (dans un arbre).

L’espace mémoire où ces nœuds sont créés est appelé un Système de Fichiers Virtuel (VFS pour Virtual File System). Chaque nœud peut être généré par un module différent et avoir des attributs spécifiques. Ce mécanisme permet à la couche de base de générer des rapports en mettant en corrélation toutes les données en provenance des modules, tout en restant indépendant des modules eux-mêmes. Même si un module plante après la création des nœuds, la couche de base sera en mesure d’exploiter ces nœuds. Les modules étant conçus pour l’investigation numérique, ils permettent aussi de révéler les données non allouées et cachées.

DFF offre aux utilisateurs une vue arborescente des données analysées. Par exemple, si un système de fichiers NTFS est analysé, tout son contenu sera visible dans l’interface graphique DFF, sous la forme d’un arbre: chaque répertoire contenant des fichiers et des répertoires, eux-mêmes contenant des fichiers et des répertoires, et ainsi de suite. DFF agit plus ou moins comme un navigateur de fichiers sur n’importe quel système d’exploitation. Dans DFF ces fichiers et répertoires sont appelés nœuds. Les nœuds sont créés par des modules suite à une analyse des données.

Les nœuds sont stockés dans un espace mémoire appelé VFS (Virtual File System). Le VFS peut être vu comme un système de fichiers en lecture seule utilisés par DFF pour stocker les nœuds. Lorsque DFF est lancé, une et une seule instance de VFS est créée ; dans d’autres termes, VFD est un singleton.

Les VFS contient la liste de tous les nœuds et chacun des nœuds contient un pointeur vers le nœud de son parent (ou NULL pour le nœud racine) et une liste de pointeurs vers ses enfants (le cas échéant).

Un nœud peut représenter pratiquement n’importe quel type de données. Une fois qu’il est créé, il devrait être ajouté au VFS afin qu’il puisse être visible dans l’interface graphique ou shell. Les deux caractéristiques importantes d’un nœud sont son nom et sa taille Si rien n’est défini, les valeurs par défaut sont une chaîne vide pour le nom et 0 octet pour la taille.

Mais ces informations pourraient ne pas suffire. Nous avons dit qu’un nœud peut représenter n’importe quel type de données. Si l’on prend comme exemple, un fichier d’un système de fichiers, le nœud aura un nom et une taille (donnés par le système de fichiers) mais aussi beaucoup d’autres informations telles que les métadonnées, les pointeurs pour indiquer la position de son contenu sur le système de fichiers, etc.

Dans DFF, ces informations supplémentaires sont appelées des attributs étendus. Ces attributs sont composés d’une liste de paires clé/valeur, où la clé doit être une chaîne de caractères.

Les modules DFF

Chaque module DFF est conçu pour analyser un type spécifique de données, tels que les systèmes de mémoire RAM de fichiers, ou des cadres du réseau. Les modules créent des nœuds, les attachent au VFS, et en fonction du type de données, génèrent des informations supplémentaires telles que les indications de temps ou métadonnées d’extraction.

La version actuelle de la DFF (1.2 au moment de la rédaction du présent rapport) est livrée avec de nombreux modules qui effectuent des tâches diverses : le traitement des images mémoire des téléphones mobiles, la visualisation des films et des images, la génération des statistiques sur un nœud ou un ensemble de nœuds. Comme toutes les tâches d’analyse dans DFF sont effectuées via des modules, l’interface de programmation (API) a un grand nombre de fonctionnalités disponibles. Des modules supplémentaires peuvent être écrits en C++ ou Python.

Les modules contenus en DFF peuvent être classées en 3 catégories (voir le schéma suivant):

les modules qui chargent des systèmes de fichiers/volumes/partitions.
les modules qui actionnent sur les nœuds du VFS.
les modules qui matérialisent les nœuds du VFS en fichiers sur disque.

Modules qui chargent des systèmes de fichiers/volumes/partitions

Le tableau suivant liste les modules DFF.

*Fonctionnalité*	*Module*	*Shell*	*IHM*	*Commentaire*
Container de données	local	Oui	Oui
	ewf	Oui	Oui
	aff	Oui	Oui	Pas d’information disponible
	device	Oui	Oui
	readlines	Oui	Oui	Pas d’information disponible
Partition	partition	Oui	Oui
	vmware	Oui	Oui
Système des fichiers	fat	Oui	Oui
	ntfs	Oui	Oui
	efs	Oui	Oui
Contenu du RAM	volatility	Oui	Oui	Pas d’information disponible

Modules qui actionnent sur les nœuds du VFS

Une fois que le système de fichiers est chargé, DFF offre une vue arborescente du système de fichiers, arborescence sur laquelle d’autres modules sont capables de travailler. Parmi les fonctionnalités offerts, on peut trouver des modules qui affichent le contenu d’un nœud (hexadecimal, diff, picture, text, web, player), des modules qui sont capables des chercher des nœuds ayant certains caractéristiques (find, carver).

Le tableau suivant liste les modules DFF.

*Fonctionnalité*	*Module*	*Shell*	*IHM*	*Commentaire*
Chercher	find	Oui	Oui
	carver	Oui	Non
	carverui	Oui	Non	Pas d’information disponible
	carvergui	Non	Oui	Pas d’information disponible
Visualiser	hexadecinal	Oui	Oui
	diff	Oui	Oui
	pictures	Non	Oui
	text	Oui	Oui
	player	Non	Oui	Pas d’information disponible
	web	Non	Oui	Pas d’information disponible
Archiver	unzip	Oui	Oui
Chiffrement	unxor	Oui	Oui
Base de données	Winreg	Oui	Oui
Hachage	hash	Oui	Oui
Métadonnées pour les images	metaexif	Oui	Oui
Téléphones mobiles	smsdecode	Oui	Oui	Pas d’information disponible
	k800i	Oui	Oui	Pas d’information disponible
	K800-i-Recover	Oui	Oui	Pas d’information disponible
Statistiques	timeline	Non	Oui
	fileschart	Non	Oui	Pas d’information disponible

Modules qui matérialisent les nœuds du VFS en fichiers sur disque

La dernière étape d’une analyse avec DFF est la récupération des résultats qui consistent donc à matérialiser un ou plusieurs nœuds du VFS dans des fichiers sur disque.

*Fonctionnalité*	*Module*	*Shell*	*IHM*	*Commentaire*
Ecrire nœuds sur disque	extract	Oui	Oui	Pas d’information disponible

Modules définis par l’utilisateur

DFF offre la possibilité à l’utilisateur de créer ses propres modules utilisant l’IDE inclus dans DFF. L’IDE de DFF peut être utilisé pour générer des squelettes des scripts DFF, de modules ou de modules graphiques. Pour le lancer, vous pouvez utiliser l’icône de la barre d’outils d’application ou à partir du menu IDE -> Open.

La figure suivante présente une capture d’écran de l’IDE de DFF :

La partie gauche est utilisée pour naviguer sur le système de fichiers et pour sélectionner le fichier à ouvrir (seuls les fichiers Python peut être ouvert). Pour ouvrir un fichier cliquez deux fois sur son nom et son contenu sera affiché.
Voici la description des différentes icônes de la barre d’outils:

New empty file : Ouvre un fichier vide dans l’IDE.
Generate skeleton : Lance l’assistant pour générer le squelette d’un nouveau module.
Open file : Ouvre un fichier existant.
Save : Sauve le fichier.
Save as : Sauve un fichier sous un nom choisi par l’utilisateur.
Load : Compile le module et le charge dynamiquement en DFF.
Undo : Annule l’action précédente.
Redo : Répete l’action precedente.
Comment : Commente la ligne sur laquelle le curseur de la souris se trouve.
Uncomment : « Dé-commente » la ligne sur laquelle le curseur de la souris se trouve.

L’IDE de DFF permet de créer très rapidement un squelette d’un module et donc facilite la tâche du développeur. Par contre, pour créer un module ayant une certaine utilité, il faut aussi connaître l’API (Python) de DFF.

(My) CISSP Notes – Bibliography

5 January, 201331 December, 2012Adrian Citu

This is the last ticket from/for “(My) CISSP Notes” and will contains links to the materials that I used for the preparation of the exam.

Books

CISSP study guide – This was my main source of information.
CISSP for dummies – This was my second source of information; very easy to read and understand but not sufficient to pass the exam.
11th Hour CISSP: Study guide – This is a short version of the CISSP study guide . I use it for a quick review the last few days before the exam.
CISSP Boxed Set – This box set contains a study guide and a book with practice exams. I used the study guide only punctually for specific topics and I found it very complete. I tried at the beginning the use it as the main source of information but the main problem is the huge quantity of information (1400 pages).

Practice Exams

McGraw-Hill Education CISSP Practice Exams – Free practice exams offered by Shon Harris. The practice exams are covering all the domains and I found it quite challenging. For me, if you are able to answer correctly to these questions then you are fully prepared for the real exam.
CISSP Practice Exams form the CISSP Boxed Set – The questions from the book have the same level of difficulty as the McGraw-Hill Education CISSP Practice Exams

Audio Postcasts

McGraw-Hill Education CISSP Podcasts – The podcasts are covering all the domains and are of quite good (audio) quality. If you don’t have the time to listen everything then you could choose the listen only the review podcasts containing only the most important information.

(My) CISSP Notes – Security Operations

25 December, 201225 December, 2012Adrian Citu

Note: This notes were made using the following books: “CISPP Study Guide” and “CISSP for dummies”.

Operations Security is concerned with threats to a production operating environment.

So operations security is about people, data, media, hardware, and the threats associated with each of these in a production environment.

Administrative security

One fundamental aspect of operations security is ensuring that controls are in place to inhibit people either inadvertently or intentionally compromising the confidentiality, integrity, or availability of data or the systems and media holding that data. Administrative Security provides the means to control people’s operational access to data.

Administrative personnel controls :

least privilege – the principle of least privilege dictates that persons have no more than the access that is strictly required for the performance of their duties.
need to know – only people with a valid need to know certain information in order to perform their job functions, should have access to that information.An extension to the principle of least privilege in MAC environments is the concept of compartmentalization. Compartmentalization, a method for enforcing need to know, goes beyond the mere reliance upon clearance level and necessitates simply that someone requires access to information.
separation of duties – prescribes that multiple people are required to complete critical or sensitive transactions.The goal of separation of duties is to ensure that in order for someone to be able to abuse their access to sensitive data or transactions; they must convince another party to act in concert. Collusion is the term used for the two parties conspiring to undermine the security of the transaction.
rotation of duties – also known as job rotation or rotation of responsibilities, provides an organization with a means to help mitigate the risk associated with any one individual having too many privileges.Rotation of duties simply requires that critical functions or responsibilities are not continuously performed by the same single person without interruption.
mandatory leave – an additional operational control that is closely related to rotation of duties is that of mandatory leave, also known as forced vacation.
non-disclouse agreement (NDA) – is a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of sensitive information.
background checks – also known as background investigations or preemployment screening; are an additional administrative control commonly employed by many organizations.

Sensitive information/media security

Wherever the data exists, there must be processes that ensure the data is not destroyed or inaccessible (a breach of availability), disclosed, (a breach of confidentiality) or altered (a breach of integrity).

Perhaps the most important step in media security is the process of locating sensitive information, and labeling or marking it as sensitive.

People handling sensitive media should be trusted individuals who have been vetted by the organization.

When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of the data being disclosed in an unauthorized fashion due to media security issues.

The term data remanence is important to understand when discussing media sanitization and data destruction. Data remanence is data that persists beyond noninvasive means to delete it.

Wiping, also called overwriting or shredding, writes new data over each bit or block of file data.

By introducing an external magnetic field through use of a degausser, the data on magnetic storage media can be made unrecoverable.

Asset management

Patch management – One of the most basic, yet still rather difficult, tasks associated with maintaining strong system security configuration is patch management, the process of managing software updates.
Vulnerability management – Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. While it might seem obvious, it bears mentioning that vulnerability scanning devices are only capable of discovering the existence of known vulnerabilities. The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information.
Change management – In order to maintain consistent and known operational security, a regimented change management or change control process needs to be followed. The purpose of the change control process is to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose.

Continuity of operation

Three basic types of backups exist:

full backup – is the easiest to understand of the types of backup; it simply is a replica of all allocated data on a hard disk. Full backups contain all of the allocated data on the hard disk, which makes them simple from a recovery standpoint in the event of a failure.
incremental backup – one alternative to exclusively relying upon full backups is to leverage incremental backups. Incremental backups only archive files that have changed since the last backup of any kind was performed. Since fewer files are backed up, the time to perform the incremental backup is greatly reduced.
differential backup – while the incremental backup only archived those files that had changed since any backup, the differential method will back up any files that have been changed since the last full backup.

Redundant array of inexpensive disks (RAID)

The goal of a Redundant Array Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures.

Three terms that are important to understand with respect to RAID are:

mirroring – is the most obvious and basic of the fundamental RAID concepts, and is simply used to achieve full data redundancy by writing the same data to multiple hard disks.
striping – is a RAID concept that is focused on increasing the read and write performance by spreading data across multiple hard disks. With data being spread amongst multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk.
parity – is a means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.

RAID 0: Striped Set As is suggested by the title, RAID 0 employs striping to increase the performance of read and writes. By itself, striping offers no data redundancy so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID.

RAID 1: Mirrored Set This level of RAID is perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase.

RAID 2: Hamming Code RAID 2 is not considered commercially viable for hard disks and is not used. This level of RAID would require either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 incredibly cost prohibitive. RAID 2 is not likely to be tested.

RAID 3: Striped Set with Dedicated Parity (byte level) Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3 data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.

RAID 4: Striped Set with Dedicated Parity (block level) RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level.

RAID 5: Striped Set with Distributed Parity One of the most popular RAID configurations is that of RAID 5, Striped Set with Distributed Parity. Again with RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages a block level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks.

RAID 6: Striped Set with Dual Distributed Parity While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by writing the same parity information to two different disks.

System redundancy

The most common example of this in-built redundancy is systems or devices which have redundant onboard power in the event of a power supply failure. In addition to redundant power, it is also common to find redundant network interface cards (NICs), as well as redundant disk controllers.

Some applications and systems are so critical that they have more stringent uptime requirements than can be met by standby redundant systems, or spare hardware. These systems and applications typically require what is commonly referred to as a high-availability (HA) or failover cluster. A high-availability cluster employs multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.

Incident response management

Incident handling or incident response are the terms most commonly associated with how an organization proceeds to identify, react, and recover from security incidents.

Computer Security Incident Response Team (CSIRT) is a term used for the group that is tasked with monitoring, identifying, and responding to security incidents.

Phases of incident responses :

detection – one of the most important steps in the incident response process is the detection phase. Detection is the phase in which events are analyzed in order to determine whether these events might comprise a security incident.
containment – is the point at which the incident response team attempts to keep further damage from occurring as a result of the incident.This phase is also typically where a binary (bit by bit) forensic backup is made of systems involved in the incident.
eradication – involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase.
recovery – involves cautiously restoring the system or systems to operational status.
reporting – is the one most likely to be neglected in immature incident response programs. This fact is unfortunate because the reporting phase, if done right, is the phase that has the greatest potential to effect a positive change in security posture. The goal of the reporting phase is to provide a final report on the incident, which will be delivered to management.

(My) CISSP Notes – Physical Security

15 December, 201215 December, 2012Adrian Citu

Note: This notes were made using the following books: “CISPP Study Guide” and “CISSP for dummies”.

Physical (Environmental) security protects the Confidentiality, Integrity and Availability of physical assets: people, buildings, systems, and data. The CISSP® exam considers human safety as the most critical concern of this domain, which trumps all other concerns.

Physical security protects against threats such as unauthorized access and disasters, both man-made and natural. Controls used in this domain are primarily physical (such as locks, fences, guards, etc.); administrative controls (such as policy and procedures) and technical (such as biometrics) are also used.

Physical access control

Physical access control consists of the systems and techniques used to restrict access to a security perimeter and provide boundary protection.

Types of Vehicle Gates :

class 1 – residential (home use)
class 2 – commercial/general access (parking garage)
class 3 – industrial/limited access
class 4 – restricted access

A traffic bollard is a strong post designed to stop a car.

Lock picking is the art of opening a lock without a key.

The master key opens any lock for a given security zone in a building.

The core key is used to remove the lock core in interchangeable core locks (where the lock core may be easily removed and replaced with another core).

A smart card is physical access control device which is often used for electronic locks, credit card purchases, or dual-factor authentication systems.

A magnetic stripe card contains a magnetic stripe which stores information.

A mantrap is a preventive physical control with two doors. The first door must close and lock before the second door may be opened. Each door typically requires a separate form of authentication to open.

Turnstiles are designed to prevent tailgating by enforcing a “one person per authentication” rule, just as they do in subway systems.

Technical controls

Technical control include monitoring and surveillance, intrusion detection systems and alarms.

Closed Circuit Television (CCTV) is a detective device used to aid guards in detecting the presence of intruders in restricted areas.Key issues include depth of field (the area that is in focus) and field of view (the entire area viewed by the camera). More light allows a larger depth of field because a smaller aperture places more of the image in focus. CCTV displays may display a fixed camera view, autoscan (show a given camera for a few seconds before moving to the next), or multiplexing (where multiple camera feeds are fed into one display).

Ultrasonic, microwave, and infrared motion sensors are active sensors, which means they actively send energy.

If you see the term “intrusion” on the exam, be sure to look for the context (human or network-based).

Door hinges should face inward, or be otherwise protected. Externally-facing hinges that are not secured pose a security risk: attackers can remove the hinge pins with a hammer and screwdriver, allowing the door to be opened from the hinge side.

Use of simple glass windows in a secure perimeter requires a compensating control such as window burglar alarms.

Environmental and life safety controls

Environmental controls are designed to provide a safe environment for personnel and equipment. Power, HVAC, and fire safety are considered environmental controls.

The following are common types of electrical faults:

Blackout: prolonged loss of power
Brownout: prolonged low voltage
Fault: short loss of power
Surge: prolonged high voltage
Spike: temporary high voltage
Sag: temporary low

Heat detectors, flame detectors, and smoke detectors provide three methods for detecting fire.

The two primary evacuation roles are safety warden and meeting point leader.

Classes of Fire and Suppression Agents :

Class A – fires are common combustibles such as wood, paper, etc. This type of fire is the most common and should be extinguished with water or soda acid.
Class B – fires are burning alcohol, oil, and other petroleum products such as gasoline. They are extinguished with gas or soda acid. You should never use water to extinguish a class B fire.
Class C – fires are electrical fires which are fed by electricity and may occur in equipment or wiring. Electrical fires are Conductive fires, and the extinguishing agent must be non-Conductive, such as any type of gas.
Class D – fires are burning metals and are extinguished with dry powder.
Class K – fires are kitchen fires, such as burning oil or grease. Wet chemicals are used to extinguish class K fires.

Experts always prefer to prevent a fire rather than extinguish one, and are often generous with their time dedicated to preventive measures.

All fire suppression agents work via four methods (sometimes in combination): reducing the temperature of the fire, reducing the supply of oxygen, reducing the supply of fuel, and interfering with the chemical reaction within fire.

Always consider “hire or ask an expert” as a valid choice for any exam question asking about “the best thing to do.” Do not fall for the engineer’s trap of “I will figure this out on my own.”

Water suppresses fire by lowering the temperature below the kindling point (also called the ignition point). Water is the safest of all suppressive agents, and recommended for extinguishing common combustible fires such as burning paper or wood.

In addition to suppressing fire by lowering temperature, soda acid also has additional suppressive properties beyond plain water: it creates foam which can float on the surface of some liquid fires, starving the oxygen supply.

Extinguishing a fire with dry powder (such as sodium chloride) works by lowering temperature and smothering the fire, starving it of oxygen. Dry powder is primarily used to extinguish metal fires.

Wet chemicals are primarily used to extinguish kitchen fires (type K fires in the U.S.; type F in Europe), but may also be used on common combustible fires (type A).

CO2, oxygen, and nitrogen are what we breathe as air. Fires require oxygen as fuel, so fires may be smothered by removing the oxygen: this is how CO2 fire suppression works. A risk associated with CO2 is it is odorless and colorless, and our bodies will breathe it as air. By the time we begin suffocating due to lack of oxygen, it is often too late.

Halon extinguishes fire via a chemical reaction that consumes energy and lowers the temperature of the fire.Halon has ozone-depleting properties. Due to this effect, the 1989 Montreal Protocol (formally called the “Montreal Protocol on Substances That Deplete the Ozone Layer”) banned production and consumption of new halon in developed countries by January 1, 1994.

Recommended replacements for halon include the following systems: • Argon • FE-13 • FM-200

CO2, halon, and halon substitutes such as FM-200 are considered gas-based systems. All gas systems should use a countdown timer (both visible and audible) before gas is released. This is primarily for safety reasons, to allow personnel evacuation before release. A secondary effect is to allow personnel to stop the release in case of false alarm.

Water is usually the recommended fire suppression agent. Water (in the absence of electricity) is the safest suppression agent for people.

Dry pipe systems also have closed sprinkler heads: the difference is the pipes are filled with compressed air. The water is held back by a valve that remains closed as long as sufficient air pressure remains in the pipes. As the dry pipe sprinkler heads open, the air pressure drops in each pipe, allowing the valve to open and send water to that head.

Dry pipes are often used in areas where water may freeze, such as parking garages.

Deluge systems are similar to dry pipes, except the sprinkler heads are open and larger than dry pipe heads. The pipes are empty at normal air pressure; the water is held back by a deluge valve.