Biological Agents, Work Practices, Safety Equipment, and Facility Design Specific to Each

A very specialized research laboratory that deals with infectious agents is the biosafety lab. Whether performing research or production activities, when working with infectious materials, organisms or perhaps even laboratory animals, the proper degree of protection is of utmost importance. Protection for laboratory personnel, the environment and the local community must be considered and ensured. The protections required by these types of activities are defined as biosafety levels.
Biological safety levels are ranked from one to four and are selected based on the agents or organisms on which the research or work is being conducted. Each level up builds on the previous level, adding constraints and barriers. The Centers for Disease Control and Prevention (CDC) and the National Institutes of Health (NIH) are our main sources for biological safety information for infectious agents. The publication Biosafety in Microbiological and Biomedical Laboratories [1] is a principal reference and the resource for much of the information presented in this month’s column. As an introduction, we summarize what the different biosafety levels encompass in terms of the typical biological agents used, safe work practices, specialized safety equipment (primary barriers) and facility design (secondary barriers). The four biosafety levels were developed to protect against a world of select agents.
These agents include bacteria, fungi, parasites, prions, rickettsial agents and viruses, the latter being probably the largest and most important group. In many instances the work or research involves vertebrate animals, everything from mice to cattle. When vertebrates are involved, additional precautions and safety requirements are necessary. Using the most infectious agents also means extensive security measures are in place, not only because of their virulence but also because of their potential for use in bioterrorism.
Level 1

Biosafety level one, the lowest level, applies to work with agents that usually pose a minimal potential threat to laboratory workers and the environment and do not consistently cause disease in healthy adults. Research with these agents is generally performed on standard open laboratory benches without the use of special containment equipment.
BSL 1 labs are not usually isolated from the general building. Training on the specific procedures is given to the lab personnel, who are supervised by a trained microbiologist or scientist. Standard microbiology practices are usually enough to protect laboratory workers and other employees in the building.
These include mechanical pipetting only (no mouth pipetting allowed), avoidance of splashes or aerosols, and decontamination of all work surfaces when work is complete, e.g., daily. Decontamination of spills is done immediately, and all potentially infectious materials are decontaminated prior to disposal, generally by autoclaving.
Standard microbiological practices also require attention to personal hygiene, i.e., hand washing and a prohibition on eating, drinking or smoking in the lab. Normal laboratory is generally worn, consisting of eye protection, gloves and a lab coat or gown. Biohazard signs are posted and access to the lab is limited whenever infectious agents are present.

Level 2

Biosafety level two would cover work with agents associated with human disease, in other words, pathogenic or infectious organisms posing a moderate hazard. Examples are the equine encephalitis viruses and HIV when performing routine diagnostic procedures or work with clinical specimens.
Therefore, because of their potential to cause human disease, great care is used to prevent percutaneous injury (needlesticks, cuts and other breaches of the skin), ingestion and mucous membrane exposures in addition to the standard microbiological practices of BSL 1. Contaminated sharps are handled with extreme caution. Use of disposable syringe-needle units and appropriate puncture-resistant sharps containers is mandatory. Direct handling of broken glassware is prohibited, and decontamination of all sharps prior to disposal is standard practice.
The laboratory’s written biosafety manual details any needed immunizations (e.g., hepatitis B vaccine or TB skin testing) and whether serum banking is required for at-risk lab personnel. Access to the lab is more controlled than for BSL 1 facilities. Immunocompromised, immunosuppressed and other persons with increased risk for infection may be denied admittance at the discretion of the laboratory director.
BSL 2 labs must also provide the next level of barriers, i.e., specialty safety equipment and facilities. Preferably, this is a Class II or equivalent containment device for work with agents and an autoclave or other suitable method for decontamination within the lab. A readily available eyewash station is needed. Self-closing lockable doors and biohazard warning signs are also required at all access points.
Level 3

Yellow fever, St. Louis encephalitis and West Nile virus are examples of agents requiring biosafety level 3 practices and containment. Work with these agents is strictly controlled and must be registered with all appropriate government agencies [2].

These are indigenous or exotic agents that may cause serious or lethal disease via aerosol transmission, i.e., simple inhalation of particles or droplets. The pathogenicity and communicability of these agents dictate the next level of protective procedures and barriers. Add to all the BSL 2 practices and equipment even more stringent access control and decontamination of all wastes, including lab clothing before laundering, within the lab facility. Baseline serum samples are collected from all lab and other at-risk personnel as appropriate.
More protective primary barriers are used in BSL 3 laboratories, including solid-front wraparound gowns, scrub suits or coveralls made of materials such as Tyvek® and respirators as necessary. Facility design should incorporate self-closing double-door access separated from general building corridors. The ventilation must provide ducted, directional airflow by drawing air into the lab from clean areas and with no recirculation.
Level 4

Agents requiring BSL 4 facilities and practices are extremely dangerous and pose a high risk of life-threatening disease. Examples are the Ebola virus, the Lassa virus, and any agent with unknown risks of pathogenicity and transmission. These facilities provide the maximum protection and containment. To the BSL 3 practices, we add requirements for complete clothing change before entry, a shower on exit and decontamination of all materials prior to leaving the facility. The BSL 4 laboratory should contain a Class III biological safety cabinet but may use a Class I or II BSC in combination with a positive-pressure, air-supplied full-body suit. Usually, BSL 4 laboratories are in separate buildings or a totally isolated zone with dedicated supply and exhaust ventilation.
Exhaust streams are filtered through high-efficiency particulate air (HEPA) filters, depending on the agents used. We have touched on only the main issues and differences between BSL 1, 2, 3 and 4 laboratories. There are many other concerns and requirements addressed in the CDC manual, such as impervious, easy-to-clean surfaces; insect and rodent control; and total barrier sealing of all wall, floor and ceiling penetrations. Our goal was to introduce you to the different levels of biological safety practices and facility design considerations. Hopefully, you now have the knowledge to decide whether you should open that door or not.

References.

Biosafety in Microbiological and Biomedical Laboratories, 5th edition, Centers for Disease Control and Prevention and National Institutes of Health, February 2007.
Biennial Review of the Lists of Select Agents and Toxins, National Select Agent Registry, CDC.
Finding and exploiting buffer overflows in real world applications is what you will learn during this incredibly hands-on module. A hard topic made easy through examples explained step by step starting from the very basics of stack manipulation. Armed with assemblers, compilers and debuggers, the students will learn how to hijack the execution of an application. At the end of the module, the student is exposed to the most modern techniques used to prevent buffer overflows and the main methods to bypass them. The Information Gathering module is the most important phase of the overall engagement.
A penetration tester will use the information collected during this phase to map the attack surface and increase his chances to breach the organization in the same way criminals do. eLearnSecurity proposes an extremely thorough investigation methodology that takes into account the Business and the Infrastructure of the client. Students will learn how to get access to valuable, sensitive and sometimes secret documents by means of free services, databases and specialized search engines. Infrastructure Information gathering will deal with the enumeration of DNS, Domains, netblocks and other web assets belonging to the organization. As one of the most important steps in the penetration test of a network, this module will first teach you the theory behind port scanning and service reconnaissance. If you are not a network expert, the first chapters of this module will introduce you to the basics of TCP and other network protocols. We will then show you how to use the best tools to detect live hosts, open ports and services running on them.
Through Nmap and Hping2, you will learn how to find zombies to mount completely stealthy port scans against a target. Passive and Active OS fingerprinting techniques will also be covered in depth. The scope of this module is to provide you with the techniques professional penetration testers employ to enumerate resources on target. You will be able to explore, enumerate and map the remote network and its available services through a number of different Windows and Unix tools. NetBIOS is the subject of the first part of this module: real world examples will be explained to show the most important techniques and tools to enumerate remote Windows shares and printers.
You will also learn how to test for NetBIOS Null Sessions that still affect old Windows versions. SNMP basics will be explained.
The student will then be introduced to attacks against the protocols through a number of common tools. Studying ARP, how it works and how it can be manipulated to mount sophisticated attacks is made extremely easy to understand. Sniffing is a technique that you will be able to fully grasp in its most practical aspects. We will make sure you have enough basics of network theory before we cover actual attack scenarios using the best tools available. LLMNR and NBT-NS spoofing/poisoning is also covered, including advanced scenarios leveraging the Responder toolkit.
Man in the middle attacks are one of the most used penetration testing techniques today; you will be able to mount man in the middle attacks within local networks and over the Internet. This module will teach the student how to master Nessus in order to perform thorough and targeted Vulnerability scans. Windows authentication protocols are dissected to demonstrate weaknesses and related attacks from Metasploit. The student is then immersed in common exploitation techniques used by today’s Penetration testers, to exploit client side and remote vulnerabilities in Workstations and Servers. The latest Windows remote code execution vulnerabilities are covered and combined with numerous other attacking techniques. Lastly, creating custom wordlists is another skill the student will acquire by studying this module. It should be noted that this module is video and lab intensive.
eLearnSecurity's experienced instructors have come up with a proven methodology to conduct a thorough exploitation of remote internal networks through advanced post exploitation techniques. Once you are comfortable with most recent exploitation techniques, you will be exposed to the cyclic steps of a successful post exploitation phase.
This is the phase where criminals ensure stable high privileged access to the remote network in order to steal and exfiltrate documents and credentials from the organization. Penetration testers must possess the same skill-set and tools in order to test not only the perimeter security but also any kind of internal weakness that affects the organization's security.
Privilege escalation through insecurely configured services, DLL hijacking and DNS tunneling are only a small percentage of what students will learn in this module. With the Offensive PowerShell module, students will dive deeper into specific PowerShell tools, techniques and frameworks, from downloading and execution of payloads and scripts to obfuscation, information gathering and post-exploitation. This module will also provide the student with a greater understanding of the “Living Off The Land” concept as it relates to utilizing PowerShell for offensive purposes and introduces several PowerShell pentesting frameworks and tools including Nishang, PowerSploit, and Empire.

Section: Linux Exploitation.

The post-exploitation module for Linux Exploitation will navigate the student through the various stages of post-exploitation from Privilege Escalation, to Lateral Movement, Data Exfiltration and Maintaining Access. The student will learn how to exploit misconfigurations and SUID executables, crack passwords, and the basics of Kernel Exploits, and will also learn some lesser-known techniques for obtaining root access, such as SSH hijacking and Shared Object Library loading, as well as several newer and lesser-known techniques that can be used to maintain persistence through custom services and utilities already built into the operating system.
Section: Web Application Security.

The most widespread web application vulnerability will be dissected and studied thoroughly. At first, you will be provided with a theoretical explanation. This understanding will help you in the exploitation and remediation process. Later, you will master all the techniques to find XSS vulnerabilities through black box testing and within PHP code. Real world exploitation examples will conclude the module; you will finally steal session cookies, modify website DOM and perform advanced phishing attacks. This is a hands-on intensive module.
This module contains the most advanced techniques to find and exploit SQL Injections, from the explanation of the most basic SQL injection to the most advanced. Advanced methods will be taught with real world examples and the best tools will be demonstrated on real targets.
You will be able not just to dump remote databases but also to get root on the remote machine through advanced SQL Injection techniques. Tools will be covered in depth and a taxonomy will help the student to pick the right tool according to the environment and scenario he will face in real engagements. This is a video and hands-on intensive module.
Ruby is a very powerful programming language and thanks to its many features, it can be used for many different purposes. From this module on, we will focus on how to use Ruby for penetration testing purposes. One of the first topics we will cover is ‘Regular Expression.’ Regex is widely used in the security field; it is used to find and locate important information stored in files, web pages, network communication and so on. A good knowledge of how to use and define regex is a ‘must’ for a penetration tester! During the study of this module, the student will also learn how to use date and time classes as well as manage and interact with files and directories: read, delete, create and so on. Another very important topic that a penetration tester should master is ‘network communication.’ In this module, the student will learn how to use the power of Ruby in order to create, forge, intercept network communications.
Thanks to many useful examples and scripts, the student will learn how to create raw sockets, forge packets, create TCP/UDP scanners and much more. We will also see how to interact with local and remote Operating Systems. This, in conjunction with the network communication skills, may be useful to create powerful tools (i.e., backdoors that are able to retrieve information from remote systems, as well as send and run specific commands). Now that the student has mastered Ruby and its features, it is time to start working with one of the most powerful Ruby tools: Metasploit.
In this module, the student will study the Metasploit architecture and the framework, and will learn how to create, add or edit custom Metasploit modules. Thanks to our virtual labs, the student will also have the chance to practice against real vulnerable machines.

Pre-requisites:
Basic understanding of networking: TCP/IP, Routing, Forwarding.
Reading and understanding C, ASM, Python, PHP code will help although not mandatory.
No development skills required.
Basic understanding of HTTP protocol, Cookies, Sessions.
Understanding of IT Security matters and basics of Penetration Testing.
A wireless NIC with injection capabilities (Alfa AWUS036h recommended).
A spare WiFi Access point.
All the above recommended skills are provided within the PTS course.

This training course is for:
Penetration Testers.
IT Security Professionals.
Network security engineers.
IT Personnel.
Developers.
CERT’s

Labs

Penetration Testing Professional (PTP) is the most practical training course on penetration testing.
Being integrated with Hera Lab, the most sophisticated virtual lab on IT Security, it offers an unmatched practical learning experience. Hera is the only virtual lab that provides fully isolated per-student access to each of the real world network scenarios available on the platform. Students can access Hera Lab from anywhere through VPN.

Fabrizio Siciliano

With nearly 20 years of experience in the Information Security industry in both Offensive and Defensive roles within the private and public sectors, and with the last seven years primarily focused on the offensive side of the house, Fabrizio brings his real-world experience to the eLearnSecurity body-of-knowledge to provide the latest in information security research and techniques.

Previous Authors

Previous Authors include Armando Romeo, Brett D. Arion, Stefano Angaran, Andrea Tarquini, Francesco Stillavato.