Physical/ Environmental Security

1 Physical/ Environmental Security
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Theory Practice Learning by Doing IST 515

2 Environmental Security
Organizational Security Policy Organizational Design Security Management Asset Classification and Control Access Control Compliance Personnel Security Awareness Education Physical and Environmental Security System Development and Maintenance Communications & Operations Mgmt. Business Continuity Management

5 Real World Scenario Michael, a practicing computer security consultant, was asked to do a physical security test by the Chief of a well-known database firm. Their database was considered to have a major competitive edge. They believed their systems were secure, but wanted to be sure of it. Michael went to the firm on the pretext of meeting its Chief. Before entering the lobby, Michael had driven around the building and checked for loopholes in the physical security, where he could easily slip into the building.

6 Real World Scenario He walked to the loading bays, up the stairs, and proceeded through the warehouse, to what was an obvious entrance into the office building. Michael also knew of the location of the computer room. He took the elevator down, and entered the room, which was secured with cipher locks and access cards. He went straight to the tape racks. There, he studied the racks, as if looking for specific information. He grabbed a tape with an identifier that looked something like ACCT95QTR1. The entire process lasted no more than 15 minutes. During that time, Michael breached their physical security by entering the building and taking a tape.

7 Objectives Describe the common threats to and vulnerabilities found in the environment of system and mobile devices Explain the principle of defense in depth, expressed as a layered combination of complementary countermeasures Explain the importance of providing both preventive and recovery measures Identify the range of countermeasures available for the environmental protection of information assets

8 Objectives The elements involved in choosing a secure site.
Site design and configuration. Methods for securing the facility against unauthorized access, theft of equipment and information. Environmental and safety measures needed to protect people, the facility, and its resources. (ISC)2 Candidate Information Bulletin

9 Readings Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, Domain 4 (Required). Weingart, S. H., “Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defenses,” In Koc, C. K. and Paar, C. (Eds.): CHES 2000, LNCS 1965, pp , Springer-Verlag Berlin Heidelberg, 2000 Wikipedia, Physical Security.

10 Security Facts
Receive alarm communications - 28%
Access control technology with identification cards - 90%
Companies require visitors to wear a badge or pass that identifies them as a visitor - 93%
Explosion detection devices - 9%
Emergency telephones in parking areas - 9%
Police officers for security - 56%
Companies use metal detectors to screen employees and visitors - 7%

11 Understand Physical Security
Egyptians were the first to develop a working lock. Physical security describes the measures that prevent or deter attackers from accessing a facility, resource, or information stored on the physical media. Physical security is an important factor of computer security. Major security actions that are involved with physical security are intended to protect the computer from climate conditions, even though most of them are targeted at protecting the computer from intruders who use, or attempt to use physical access to the computer to break into it.

12 Physical Security Measures
Physical security describes measures taken to protect personnel, critical assets, and systems against deliberate and accidental threats. Physical: Physical measures are taken to secure assets e.g. deploying security personnel. Technical: Technical measures are taken to secure services and elements that support Information Technologies e.g. security for server rooms Operational: Common security measures are taken before performing an operation such as analyzing threats of an activity and taking appropriate countermeasures

13 Why the Need for PS?
To prevent any unauthorized access to computer systems
To prevent tampering/stealing of data from computer systems
To protect the integrity of the data stored in the computer
To prevent the loss of data/damage to systems against any natural calamities

14 Who is Accountable for PS
In most organizations, there is not a single person who is accountable for physical security. People who should be made accountable for the security of a firm including both physical and information security are: The plant’s security officer Safety officer Information systems analyst Chief information officer

15 Factors Affecting Physical Security
Vandalism Theft Natural calamities: Earthquake Fire Flood Lightning and thunder Dust Water Explosion Terrorist attacks

16 Scope of Physical Security
Physical security addresses the common physical, environmental, and procedural risks that may exist in the environment in which the information system is managed. The domain also addresses physical and procedural defensive and recovery strategies, countermeasures, and resources, including physical infrastructure, security policies and procedures, physical security tools, and organization’s staff.

17 Categories of Physical Infrastructure
Information System Hardware. Data processing and storage equipment, transmission and networking facilities, and offline storage media. Physical Facility: Building. Supporting Facilities: Electrical power, communication services, and environmental controls (heat, humidity, etc.). Personnel: Humans involved in the control, maintenance, and use of the information systems.

18 Physical Security Threats
Physical Security threats fall into many categories: Natural disasters (e.g., floods, fire) Environmental threats Supply system threats (e.g., power outages, communication interruptions) Manmade threats (e.g., explosions, disgruntled employees, fraud) Politically motivated threats (e.g., strikes, riots, civil disobedience)

19 Natural Disasters Natural disasters are the source of a wide range of environmental threats to data centers, other information processing facilities and their personnel. Tornado Hurricane Earthquake Ice storm / blizzard Lightning Flood

20 Characteristics of Natural Disasters
Each disaster is characterized by Warning, Evacuation, and Duration:
Tornado. Warning: Advance warning of potential; not site specific. Evacuation: Remain at site. Duration: Brief but intense.
Hurricane. Warning: Significant advance warning. Evacuation: May require evacuation. Duration: Hours to a few days.
Earthquake. Warning: No warning. Evacuation: May be unable to evacuate. Duration: Brief duration; threats of aftershocks.
Ice Storm. Warning: Several days warning generally expected. Duration: May last several days.
Lightning. Warning: Sensors may provide minutes of warning. Duration: Brief but may recur.
Flood. Duration: Site may be isolated for expected period.

21 Environmental Threats
Water leakage Inappropriate temperature and humidity Ingress of dust and materials Excessive high and low temperature levels Power fluctuations and loss Chemical, radiological, biological hazards Fire and smoke Infestation Electromagnetic interference (EMI)

22 Human-caused Threats Unauthorized physical access
Theft of equipment/data Vandalism of equipment/data Misuse of resources Physical attack Sabotage Arson Accidents Ignorance of security obligations or how to operate the system securely

23 Threats to Physical Security
Interruption of services Theft Physical damage Unauthorized disclosure Loss of system integrity

24 Consideration in Physical Security
Primary consideration in physical security is that nothing should impede “life safety goals.” Ex.: Don’t lock the only fire exit door from the outside. “Safety” deals with the protection of life and assets against fire, natural disasters, and devastating accidents. “Security” addresses vandalism, theft, and attacks by individuals.

25 Physical Security Planning
The Layered Defense Model Crime Prevention Through Environmental Design (CPTED) Target hardening Facility Site Selection Facility Design Consideration: Construction materials and structure composition, Mantrap, automatic door lock, windows, internal partitions

26 Physical Security Planning: Overview
Physical security, like general information security, should be based on a layered defense model. (Defense in depth; Multi-level security) Layers are implemented at the perimeter and moving toward an asset. Layers include: Deterrence, Delaying, Detection, Assessment, Response

27 The Layered Defense Model
Outermost Perimeter Building Grounds Communications Channels Entrance/Public Areas General Offices ICT Suite and Other Rooms

28 Physical Security Planning: Program
A physical security program must address: Crime and disruption protection through deterrence (fences, security guards, warning signs, etc.). Reduction of damages through the use of delaying mechanisms (e.g., locks, security personnel, etc.). Crime or disruption detection (e.g., smoke detectors, motion detectors, CCTV, etc.). Incident assessment through response to incidents and determination of damage levels. Response procedures (fire suppression mechanisms, emergency response processes, etc.).

29 Physical Security Planning: CPTED
Crime Prevention Through Environmental Design (CPTED) Is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. Concepts developed in 1960’s. CPTED has three main strategies: Natural access control Natural surveillance Territorial reinforcement

30 Physical Security Planning: CPTED
Natural Access Control: The guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping. Be familiar with bollards, use of security zones, access barriers, use of natural access controls.
References are from: All in One Book (Shon Harris, 2005)
Bollards: Short posts that are commonly used to prevent vehicular access and to protect a building or people walking on a sidewalk from vehicles. They can also be used to direct foot traffic. (346)
Security Zones (CPTED model): Division of an environment’s space into zones with different security levels depending upon who needs to be in the zone and the associated risk. (347) Zones are labeled as controlled, restricted, public, or sensitive. (347) Each zone should have a specific protection level that is required of it, which will help dictate the types of controls that should be put into place. (347)
Following controls are commonly used for access controls within different organizations: (347)
- Limit the number of entry points
- Force all guests to go to a front desk and sign in before entering the environment
- Reduce the number of entry points even further after hours or during the weekend when not as many employees are around
- Have a security guard validate a picture ID before allowing entrance
- Require guests to sign in and be escorted
- Encourage employees to question strangers
Access barriers can be naturally created (cliffs, rivers, hills), existing manmade elements (railroad tracks, highways) or artificial forms designed specifically to impede movement (fences, closing streets). (347)

31 Physical Security Planning: CPTED
Natural Surveillance: Is the use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximize visibility. The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable, through the use of observation.

32 Physical Security Planning: CPTED
Territorial Reinforcement: Creates physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership. Accomplished through the use of walls, lighting, landscaping, etc.

33 Physical Security Planning: Target Hardening
CPTED is not the same as “target hardening.” Target hardening focuses on denying access through physical and artificial barriers (can lead to restrictions on use, enjoyment, and aesthetics of the environment). Target hardening considers that a strong, visible defense will deter or delay an attack. Example: removing any trees or bushes that could offer suitable hiding places or could be used to climb to a higher level of the property.

34 Planning Scheme Policy 16 – Safer by Design

37 Physical Security Planning: Site Selection
Issues with selecting a facility site: Visibility (terrain, neighbors, population of area, building markings) Surrounding area and external factors (crime rate, riots, terrorism, first responder locations) Accessibility (road access, traffic, proximity to transportation services) Natural Disasters (floods, tornados, earthquakes)

38 Physical Security Planning: Facility
Other facility considerations: Physical construction materials and structure composition. Be familiar with load, light frame construction material, heavy timber construction material, incombustible material, fire resistant material (know the fire ratings and construction properties).

39 Physical Security Planning: Facility
“Mantrap:” A small room with two doors. The first door is locked; a person is identified and authenticated. Once the person is authenticated and access is authorized, the first door opens and allows the person into the mantrap. The person has to be authenticated again in order to open the second door and access a critical area. The mantrap area could have a weight sensing floor as an additional control to prevent literal piggybacking. References are from: All in One Book (Shon Harris, 2005) Can prevent literal piggybacking as well. Piggybacking: When an individual gains unauthorized access by using someone else’s legitimate credentials or access rights. The best preventative measures against this are to have security guards at access points and to educate employees about good security practices. (387)

40 Physical Security Planning
Automatic door lock configuration: Fail safe: If a power disruption occurs, the door defaults to being unlocked. Fail secure: If a power disruption occurs, the door defaults to being locked. Note that “fail safe” and “fail secure” terminology can be applied to other types of access control defaults, not merely terms for doors.

41 Physical Security Planning
Windows can also be used to promote physical security. Know the different types of glass: Standard, Tempered, Acrylic, Wired, Laminated, Solar Window Film, Security Film.
References are from: All in One Book (Shon Harris, 2005) pg. 358
Standard: No extra protection. Cheapest and lowest level of protection.
Tempered: Glass is heated and then cooled suddenly to increase its integrity and strength. 5-7x stronger than regular glass.
Acrylic: Type of plastic instead of glass. Polycarbonate acrylics are stronger than regular acrylics. Produces toxic fumes if burned, may be prohibited by fire codes. Very expensive.
Wired: Mesh of wire is embedded between two sheets of glass. This wire helps to prevent the glass from shattering.
Laminated: Plastic layer between two outer glass layers. Plastic layer helps to increase the strength against breakage. The greater the depth, the more difficult to break.
Solar window film: Provides extra security by being tinted and extra strength through the film’s material.
Security film: Transparent film is applied to the glass to increase its strength.

42 Physical Security Planning
Consider use of internal partitions carefully: True floor to true ceiling to counter security issues Should never be used in areas that house sensitive systems and devices

43 Internal Support Systems Outline
Power Issues: Power voltage fluctuations and Power protection. Environmental Issues: Positive drains; Static electricity; and Temperature. Ventilation. Fire Issues: Fire prevention; Fire detection; and Fire suppression.

44 Internal Support Systems: Power
Power Issues: A continuous supply of electricity assures the availability of company resources. Data centers should be on a different power supply from the rest of the building Redundant power supplies: two or more feeds coming from two or more electrical substations

45 Internal Support Systems: Power
Power protection: UPS Systems (Online UPS systems, Standby UPS System); Power line conditioners; Backup Sources.
References are from: All in One Book (Shon Harris, 2005) pg. 358
Power protection (365): There are three main methods of protecting against power problems: (365)
UPS
Online UPS systems: Use AC line voltage to charge a bank of batteries. When in use the UPS has an inverter that changes the DC output from the batteries into the required AC form and regulates the voltage as it powers computer devices. (365) Have the normal primary power passing through them day in and day out. They constantly provide power from their own inverters, even when the electric power is in proper use. This UPS device is able to quickly detect when power failure takes place and can provide the necessary electricity and pick up the load after a power failure much more quickly than a standby UPS. (366)
Standby UPS: Devices stay inactive until the power fails. The system has sensors that detect a power failure, and the load is then switched to the battery pack. (366)
UPS factors that should be reviewed are the size of the electrical load the UPS can support, the speed with which it can assume the load when the primary source fails, and the amount of time it can support the load. (403)
Power Line Conditioners
Backup Sources: Are necessary when there is a power failure and the outage will last longer than a UPS can last. Backup supplies can be a redundant line from another electrical substation, or from a motor generator, and can be used to supply main power or charge the batteries in a UPS system. (366)

46 Internal Support Systems: Power
Other power terms to know: Ground Noise Transient Noise Inrush Current Clean Power EMI RFI References are from: All in One Book (Shon Harris, 2005) pg. 358 Ground: The pathway to the earth to enable excess voltage to dissipate. (367) Noise: Electromagnetic or frequency interference that disrupts the power flow and can cause fluctuations. (367) Transient Noise: Short duration of power line disruption. (367) Inrush Current: The initial surge of current required when there is an increase in power demand. (367) Clean power: Electrical current that does not fluctuate. (367) Types of interference (line noise): (366) EMI: Electromagnetic interference (367) Created by the difference between three wires: hot, neutral and ground and the magnetic field that they create. Lightning and electric motors can induce EMI. (366) RFI: Radio frequency interference (367) Can be caused by anything that creates radio waves. Fluorescent lighting is one of the main causes of RFI within buildings today. (366)

47 Internal Support Systems: Power
Types of Voltage Fluctuations. Power Excess: spike, surge. Power Loss: fault, blackout. Power Degradation: sag/dip, brownout, inrush current.
References are from: All in One Book (Shon Harris, 2005) pg. 358
Power Excess. Spike: Momentary high voltage. Surge: Prolonged high voltage.
Power Loss. Fault: Momentary power loss. Blackout: Sustained power loss.
Power Degradation. Sag/dip: Momentary low voltage condition, from one cycle to a few seconds. Brownout: Prolonged power supply that is below normal voltage. Inrush Current: The initial surge of current required to start a load.
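Added example (not part of the original slides): a small classifier that turns a sampled voltage trace into the slide's terms by combining the condition (excess, loss, degradation) with how long it lasts. The nominal voltage, tolerance band, loss threshold, "momentary" cutoff and the sample trace are all assumptions chosen for illustration; inrush current is a current measurement and is not modelled.

```python
from dataclasses import dataclass
from itertools import groupby

# All thresholds below are assumptions for this example, not values from the slides.
NOMINAL_V = 120.0        # nominal line voltage
TOLERANCE = 0.10         # within +/-10 % of nominal counts as normal
LOSS_FRACTION = 0.10     # below 10 % of nominal counts as loss of power
MOMENTARY_MAX_S = 3.0    # "a few seconds": boundary between momentary and prolonged

# (condition, is_momentary) -> term used on the slide
TERMS = {
    ("excess", True): "spike",
    ("excess", False): "surge",
    ("loss", True): "fault",
    ("loss", False): "blackout",
    ("degradation", True): "sag/dip",
    ("degradation", False): "brownout",
}


@dataclass(frozen=True)
class PowerEvent:
    term: str          # slide terminology, e.g. "brownout"
    start_s: float     # offset of the first abnormal sample
    duration_s: float  # length of the abnormal run
    extreme_v: float   # highest (excess) or lowest (loss/degradation) reading


def condition(volts):
    """Map one voltage reading to normal / excess / loss / degradation."""
    if volts < NOMINAL_V * LOSS_FRACTION:
        return "loss"
    if volts < NOMINAL_V * (1 - TOLERANCE):
        return "degradation"
    if volts > NOMINAL_V * (1 + TOLERANCE):
        return "excess"
    return "normal"


def classify(samples, interval_s):
    """Group consecutive samples with the same condition and name each run.

    A sag that deepens into a full loss is reported as separate events,
    because the condition changes between the runs.
    """
    events = []
    index = 0
    for cond, run in groupby(samples, key=condition):
        run = list(run)
        start = index * interval_s
        index += len(run)
        if cond == "normal":
            continue
        duration = len(run) * interval_s
        extreme = max(run) if cond == "excess" else min(run)
        term = TERMS[(cond, duration <= MOMENTARY_MAX_S)]
        events.append(PowerEvent(term, start, duration, extreme))
    return events


# Constructed trace, one reading every 0.5 s (not real measurements).
SAMPLES = (
    [120, 119, 121, 120] + [170] + [120, 120] + [100, 98] + [120, 120]
    + [102] * 10 + [120, 120] + [0] + [120, 120] + [0] * 8 + [120] + [140] * 8
)

if __name__ == "__main__":
    for event in classify(SAMPLES, 0.5):
        print(event)
```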

48 Internal Support Systems: Environment
Positive Drains: Contents flow out instead of in Important for water, steam, gas lines Static Electricity: To prevent Use antistatic flooring in data processing areas Ensure proper humidity Proper grounding No carpeting in data centers Antistatic bands Temperature: Computing components can be affected by temperature. Magnetic Storage devices: 100 deg. F. Computer systems and peripherals: 175 deg. F. Paper products: 350 deg. F.

49 Internal Support Systems: Ventilation
Airborne materials and particle concentration must be monitored for inappropriate levels. “Closed Loop” “Positive Pressurization”
References are from: All in One Book (Shon Harris, 2005)
Closed Loop: Means that the air within the building is reused after it has been properly filtered, instead of bringing outside air in. (373) Should be used to maintain air quality. (373)
Positive pressurization: Means that when an employee opens a door, the air goes out and outside air does not come in. (373) Positive pressurization and ventilation should be implemented to control contamination. (373)

50 Internal Support Systems: Fire
Fire Prevention: Includes training employees on how to react, supplying the right equipment, enabling fire suppression supply, proper storage of combustible elements Fire Detection: Includes alarms, manual detection pull boxes, automatic detection response systems with sensors, etc. Fire Suppression: Is the use of a suppression agent to put out a fire.

51 Internal Support Systems: Fire
American Society for Testing and Materials (ASTM) is the organization that creates the standards that dictate how fire resistant ratings tests should be carried out and how to properly interpret results. Fire needs oxygen and fuel to continue to grow. Ignition sources can include the failure of an electrical device, improper storage of materials, malfunctioning heating devices, arson, etc. Special note on “plenum areas:” The space above drop down ceilings, wall cavities, and under raised floors. Plenum areas should have fire detectors and should only use plenum area rated cabling. References are from: All in One Book (Shon Harris, 2005) **Need to know the fire resistant ratings that are used in the study guides. E.g., 5/8 inch thick drywall sheet installed on each side of a wood stud provides a one hour rating. If the thickness of the drywall were doubled, it would be a two hour rating. Fire resistance represents the ability of a laboratory constructed assembly to contain fire for a specific period of time.

52 Internal Support Systems: Fire
The placement and operation of fire exits must consider the protection of human life as paramount. Timely and appropriate response to a fire outbreak may prevent it from becoming a critical incident; thus, training and education have a part to play here. Combustible materials (e.g., magnetic tapes) can produce poisonous gases when ignited and thus should not be stored in the central computing facility. Media containing critical data and system software should be stored in fireproof containers, and backups should be held off site.

53 Internal Support Systems: Fire
False floors or ceilings can act as tunnels for flame and smoke. Therefore, the materials used there must be nonflammable. Consideration should be given to compartmenting computer suites using floor-to-ceiling barriers to prevent the spread of flames and smoke in the event of fire.

54 Internal Support Systems: Fire
Types of Fire Detectors: Ionization: Reacts to the charged particles in smoke. Photoelectric: Reacts to changes in or blockage of light caused by smoke. Heat: Reacts to significant changes in temperature caused by fire. Know the types and properties of each general category.
References are from: All in One Book (Shon Harris, 2005)
Smoke activated detectors (375): Good for early warning devices. (375) Can be used to sound a warning alarm before the suppression system activates. (375)
Photoelectric Device (aka optical detector): Detects variation in light intensity. The detector produces a beam of light across a protected area, and if the beam is obstructed, the alarm sounds. (375)
Heat Activated (376): Can be configured to sound an alarm either when a predefined temperature (fixed temperature) is reached or when the temperature increases over a period of time (rate of rise). (376) Rate of rise temperature sensors usually provide a quicker warning than fixed temperature sensors because they are more sensitive (but they can also sound more false alarms). (376)

55 Internal Support Systems: Fire Suppression
Class A: For common combustibles such as wood products, paper, and laminates. Suppression: Water, soda acid and foam Class B: For liquid such as petroleum products or coolants. Suppression: Gas, CO2, foam, dry powders Class C: For electrical equipment and wires. Suppression: Gas, CO2, dry powders. Class D: For combustible metals such as magnesium, sodium, potassium. Suppression: Dry powder Class K: For commercial kitchens such as cooking oil fires. Suppression: Wet chemicals such as potassium acetate.

56 Internal Support Systems: Fire
Different types of suppression agents: - Water Systems: Water - Gas Systems: Halon and halon substitutes - Foams - Dry Powders - CO2 - Soda Acid Detection and suppression systems should be calibrated to accommodate the temperature, humidity and other requirements. References are from: All in One Book (Shon Harris, 2005) Water: Works by reducing temperature. (378) Halon and halon substitutes: Works by interfering with the chemical combustion of elements with a fire. (378) Halon depletes the ozone and when used on extremely hot fires degrades into toxic chemicals. (378) Was prohibited in Montreal Protocol in 1987 and has not been manufactured since 1992. FM-200 is a halon substitute. (404) Foams: Mainly water based and contain a foaming agent that allows them to float on top of a burning substance to exclude oxygen. (377) Dry powders: Used mainly for class B and C fires. Sodium or potassium bicarbonate, calcium carbonate: interrupts the chemical combustion of a fire. (377) Monoammonium phosphate: Excludes oxygen from the fuel. (377) CO2: Works by removing oxygen. (378) Colorless, odorless (404) Good for putting fires out, but bad for life forms because it removes oxygen from the air. A suppression system using this agent should have a delay mechanism. (377) Best used in unattended areas or facilities. (377) Soda Acid (378): Works by removing fuel. (378) Class A extinguishers are for ordinary combustible materials such as paper, wood, cardboard, and most plastics. The numerical rating on these types of extinguishers indicates the amount of water it holds and the amount of fire it can extinguish. Class B fires involve flammable or combustible liquids such as gasoline, kerosene, grease and oil. The numerical rating for class B extinguishers indicates the approximate number of square feet of fire it can extinguish. Class C fires involve electrical equipment, such as appliances, wiring, circuit breakers and outlets. 
Never use water to extinguish class C fires - the risk of electrical shock is far too great! Class C extinguishers do not have a numerical rating. The C classification means the extinguishing agent is non-conductive. Class D fire extinguishers are commonly found in a chemical laboratory. They are for fires that involve combustible metals, such as magnesium, titanium, potassium and sodium. These types of extinguishers also have no numerical rating, nor are they given a multi-purpose rating - they are designed for class D fires only.

57 Internal Support Systems: Fire
Types of Sprinklers:
- Wet Pipe Systems (aka Closed Head System)
- Dry Pipe Systems: A valve is activated by the smoke or fire sensor and chokes the water supply for a short time before the sprinkler system is started. It allows for evacuation or emergency system shutdown.
- Preaction Systems
- Deluge Systems
References are from: All in One Book (Shon Harris, 2005)
Wet Pipe Systems (aka Closed Head System): Always contain water in the pipes and are usually discharged by temperature control level sensors. One disadvantage is that the water in pipes may freeze in colder climates. Also, nozzle or pipe break could cause severe water damage. (379)
Dry Pipe Systems: Water is not actually held in pipes, it is contained in a holding tank until released. The pipes contain pressurized air, which is reduced when a fire or smoke alarm is activated, allowing the water valve to be opened by the water pressure. Best used in colder climates because the pipes will not freeze. (379) Actual fire must be detected, usually by a heat or smoke sensor being activated. (379)
Preaction Systems: Similar to dry pipe systems in that the water is not held in pipes but is released when the pressurized air within the pipes is reduced. In this system water is not released right away, but will be released when a thermal-fusible link on the sprinkler head melts. (380) This gives people more time to respond to small fires or false alarms that can be handled by other means. (380)
Deluge System: Has its sprinkler heads wide open to allow for a larger volume of water to be released in a shorter period. (380) Not usually used in data processing environments. (380)

58 Perimeter Security Outline
Overview. Protection services. Fences. Perimeter Intrusion Detection and Assessment System (PIDAS). Gates. Locks. Lighting. Surveillance Devices Key Considerations

59 Gates

60 Perimeter Security: Overview
The first line of defense is perimeter control at the site location, to prevent unauthorized access to the facility. Perimeter security has two modes: - Normal facility operation - Facility closed operation

61 Perimeter Security: Overview
Proximity protection components put in place to provide the following services: Control of pedestrian and vehicle traffic Various levels of protection for different security zones Buffers and delaying mechanisms to protect against forced entry Limit and control entry points

62 Perimeter Security: Protection services
Protection services can be provided by: - Access Control Mechanisms - Physical Barriers - Intrusion Detection - Assessment - Response - Deterrents References are from: All in One Book (Shon Harris, 2005) Access control mechanisms: Locks and keys, electronic card access, personnel awareness. Physical barriers: Fences, gates, walls, doors, windows, protected vents, vehicle barriers. Intrusion Detection: Perimeter sensors, interior sensors, annunciation mechanisms Assessment: guards, CCTV cameras. Response: Guards, local law enforcement Deterrents: Signs, lighting, environmental design

63 Perimeter Security: Fences
Fences are “first line of defence” mechanisms. Varying heights, gauge, and mesh provide security features (know them). Barbed wire direction makes a difference.
References are from: All in One Book (Shon Harris, 2005)
Fence posts should be buried deep in ground and secured with concrete to ensure that they cannot be dug up or pulled out with vehicles. (390)
3-4 ft high: Only deter casual trespassers
6-7 ft high: Considered too high to climb easily
8 ft high w/ strands of barbed or razor wire at the top: Serious property protection, may deter the more determined intruder.
Fencing gauge & mesh: (390)
The lower the gauge number, the thicker the wire diameter: 11 gauge = .120 inch diameter; 9 gauge = .148 inch diameter; 6 gauge = .192 inch diameter
Mesh sizing: Typically are 2 inch, 1 inch, 3/8 inch. It is more difficult to climb fences with smaller mesh sizes.
Strength levels of the most common gauge and mesh sizes used in fencing industry:
- Extremely high security: 3/8 in. mesh, 11 gauge
- Very high security: 1 inch mesh, 9 gauge
- High security: 1 inch mesh, 11 gauge
- Greater security: 2 inch mesh, 6 gauge
- Normal industrial security: 2 inch mesh, 9 gauge
Barbed wire tilted in (e.g. prison): makes it harder for people to get out. (390)
Barbed wire tilted out (e.g. military base): makes it harder for people to get in. (390)

64 Perimeter Security: Intrusion Detection
Perimeter Intrusion Detection and Assessment System (PIDAS): A type of fencing that has sensors on the wire mesh and base of the fence. A passive cable vibration sensor sets off an alarm if an intrusion is detected.

65 Perimeter Security: Gates
Gates have 4 distinct types:
- Class I: Residential usage
- Class II: Commercial usage, where general public access is expected (e.g., public parking lot, gated community, self storage facility)
- Class III: Industrial usage, where limited access is expected (e.g., warehouse property entrance not intended to serve the public)
- Class IV: Restricted access (e.g., a prison entrance that is monitored either in person or via CCTV)
References are from: All in One Book (Shon Harris, 2005)
Each gate classification has a long list of implementation and maintenance guidelines to ensure the necessary level of protection. The guidelines are developed by Underwriters Laboratory (UL), a nonprofit organization that tests, inspects, and classifies electronic devices, fire protection equipment, and specific construction materials. (391)
In the physical security realm, we look to UL for best practices and industry standards. (391)
Bollards: Small concrete pillars placed next to the sides of buildings that have the most immediate threat of someone driving a vehicle through an exterior wall. (391)

66 Perimeter Security: Locks
Locks are inexpensive access control mechanisms that are widely accepted and used. Locks are considered delaying devices. Know your locks!

67 Perimeter Security: Locks
Types of Locks
- Mechanical Locks: Warded & Tumbler
- Combination Locks
- Cipher Locks (aka programmable locks): Smart locks
- Device Locks: Cable locks, switch controls, slot locks, port controls, peripheral switch controls, cable traps
References are from: All in One Book (Shon Harris, 2005)
Two main types of mechanical locks: (382)
- Warded Lock: Basic padlock. These are the cheapest locks and, because of their lack of sophistication, the easiest to pick. (382) See diagram page 383.
- Tumbler Lock: Has more pieces and parts than a warded lock. Three types: (383)
  - Pin Tumbler: Most commonly used tumbler lock. (383)
  - Wafer Tumbler (aka disc tumbler locks): Does not provide much protection because it can be easily circumvented. (383) Often used as car or desk locks. (383)
  - Lever Tumbler
Combination Locks: Require the correct combination of numbers to unlock them. (384)
Cipher Locks (aka Programmable Locks): Keyless and use a keypad to control access into an area or facility. Compared to traditional locks, they provide a much higher level of security and control of who can access a facility. (384)
Smart Locks: More sophisticated cipher locks that allow specific codes to be assigned to unique individuals. They allow entry and exit activities to be logged by person. (385)
Functionalities available on many cipher combination locks that improve access controls and security: (384-85)
- Door Delay: If a door is held open for a given time, an alarm will trigger to alert personnel of suspicious activity. (384)
- Key Override: A specific combination can be programmed to be used in emergency situations to override normal procedures or for supervisory overrides. (384)
- Master Keying: Enables supervisory personnel to change access codes and other features of the cipher lock. (385)
- Hostage Alarm: If an individual is under duress and/or held hostage, a combination he enters can communicate this situation to the guard station or police station. (385)
Device Locks: (385)
- Cable Locks: Consist of a vinyl-coated steel cable that can secure a computer or peripheral to a desk or other stationary component. (385)
- Switch Controls: Cover on/off power switches. (386)
- Slot Locks: Secure the system to a stationary component by the use of a steel cable that is connected to a bracket mounted in a spare expansion slot. (386)
- Port Controls: Block access to disk drives or unused serial or parallel ports. (386)
- Peripheral Switch Controls: Secure a keyboard by inserting an on/off switch between the system unit and the keyboard input slot. (386)
- Cable Traps: Prevent the removal of input/output devices by passing their cables through a lockable unit. (386)

68 Perimeter Security: Locks
Lock Strengths:
- Grade 1 (commercial and industrial use)
- Grade 2 (heavy duty residential/light duty commercial)
- Grade 3 (residential and consumer expendable)
Cylinder Categories:
- Low Security (no pick or drill resistance)
- Medium Security (some pick resistance)
- High Security (pick resistance through many different mechanisms; used only in Grade 1 & 2 locks)

69 Perimeter Security: Lighting
Know lighting terms and types of lighting to use in different situations (inside v. outside, security posts, access doors, zones of illumination).
It is important to have the correct lighting when using various types of surveillance equipment.
Lighting controls and switches should be in protected, locked, and centralized areas.

70 Perimeter Security: Lighting
References are from: All in One Book (Shon Harris, 2005)
- Continuous lighting: An array of lights that provides an even amount of illumination across an area. (393)
- Controlled lighting: An organization should erect lights and use illumination in such a way that does not blind its neighbors or any passing cars, trains, or planes. (393)
- Standby lighting: Lighting that can be configured to turn on and off at different times so that potential intruders think that different areas of the facility are populated. (393)
- Redundant or backup lighting: Should be available in case of power failures or emergencies.
- Response area illumination: Takes place when an IDS detects suspicious activities and turns on the lights within the specified area. (393)

71 Perimeter Security: Surveillance Devices
These devices usually work in conjunction with guards or other monitoring mechanisms to extend their capacity.
Know the factors in choosing CCTV: focal length, lens types (fixed v. zoom), iris, depth of field, illumination requirements.
Annunciator system: An indicator that listens for noise and activates electrical devices. Will alert a security guard if movement is detected on a screen. (397)

72 CCTV Camera

73 Perimeter Security: Issues
Focal length: The focal length of a lens defines its effectiveness in viewing objects from a horizontal and vertical view. The sizes of images that will be shown on a monitor, along with the area that can be covered by one camera, are defined by focal length.
- Short focal length = wider angle views
- Long focal length = narrower views

74 Perimeter Security: Issues
Depth of field: Refers to the portion of the environment that is in focus.
- Shallow depth of focus: Provides a softer backdrop and leads viewers to the foreground object.
- Greater depth of focus: Not much distinction between objects in the foreground and background.
Depth of field varies depending upon the size of the lens opening, the distance of the object being focused upon, and the focal length of the lens. (396) It increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases.
So if you want to cover a large area and not focus on specific items, use a wide-angle lens (short focal length) with a small lens opening.
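The focal length and depth of field relationships on the two slides above can be checked with the standard thin-lens approximations. This is an added example, not part of the original slides; the sensor width, the circle of confusion and all function names are assumptions chosen for illustration.

```python
import math

# Assumptions for this added example (not from the slides): a 1/3-inch sensor
# about 4.8 mm wide and a 0.005 mm circle of confusion as the sharpness limit.
SENSOR_WIDTH_MM = 4.8
CIRCLE_OF_CONFUSION_MM = 0.005

def angle_of_view_deg(focal_mm, sensor_mm=SENSOR_WIDTH_MM):
    """Horizontal angle of view: a shorter focal length gives a wider angle."""
    return math.degrees(2 * math.atan(sensor_mm / (2 * focal_mm)))

def scene_width_m(focal_mm, distance_m, sensor_mm=SENSOR_WIDTH_MM):
    """Width of the scene that fills the frame at a given distance."""
    return distance_m * sensor_mm / focal_mm

def depth_of_field_m(focal_mm, f_number, subject_m, coc_mm=CIRCLE_OF_CONFUSION_MM):
    """Return (near, far) limits of acceptable focus in metres; far may be inf."""
    s = subject_m * 1000.0
    if s <= focal_mm or f_number <= 0:
        raise ValueError("subject must be beyond the focal length and f-number > 0")
    hyperfocal = focal_mm ** 2 / (f_number * coc_mm) + focal_mm
    near = s * (hyperfocal - focal_mm) / (hyperfocal + s - 2 * focal_mm)
    if s >= hyperfocal:                      # everything out to infinity is in focus
        return near / 1000.0, math.inf
    far = s * (hyperfocal - focal_mm) / (hyperfocal - s)
    return near / 1000.0, far / 1000.0

def dof_span_m(focal_mm, f_number, subject_m):
    """Length of the in-focus zone; a larger f-number means a smaller lens opening."""
    near, far = depth_of_field_m(focal_mm, f_number, subject_m)
    return far - near

if __name__ == "__main__":
    # Compare candidate lenses for one camera position, focused at 5 m.
    for focal in (2.8, 4.0, 8.0, 16.0):
        near, far = depth_of_field_m(focal, f_number=4.0, subject_m=5.0)
        print(f"{focal:>5} mm  view {angle_of_view_deg(focal):5.1f} deg  "
              f"width at 10 m {scene_width_m(focal, 10):5.1f} m  "
              f"in focus {near:.2f} m to {far:.2f} m")
```

Running it prints one row per lens, so the trade-off between area covered and detail at distance can be read off before a camera is specified.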

75 Perimeter Security
Patrol Force and Guards: Use in areas where critical reasoning skills are required.
Auditing Physical Access: Need to log and review:
- Date & time of access attempt
- Entry point
- User ID
- Unsuccessful access attempts
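A review of the four logged items listed above can be automated. The following is an added example, not part of the original slides: the CSV layout, the door and user names, the GRANTED/DENIED values, and the thresholds (three denials in five minutes, working hours 07:00 to 19:00) are all assumptions, and the log lines are constructed.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, time, timedelta
from io import StringIO

# Constructed sample export from a door controller (not real data). The columns
# are the items the slide says to log: date & time, entry point, user ID, result.
SAMPLE_LOG = """\
2024-03-04T08:58:12,LOBBY,u1001,GRANTED
2024-03-04T09:02:40,SERVER-ROOM,u1044,DENIED
2024-03-04T09:03:05,SERVER-ROOM,u1044,DENIED
2024-03-04T09:03:31,SERVER-ROOM,u1044,DENIED
2024-03-04T12:15:00,LOADING-BAY,u1020,DENIED
2024-03-04T17:45:10,LOADING-BAY,u1020,DENIED
2024-03-04T23:41:07,SERVER-ROOM,u1007,GRANTED
not-a-timestamp,LOBBY,u1001,GRANTED
"""

def parse_events(text):
    """Return (events, rejected). Malformed rows are kept for review, not dropped."""
    events, rejected = [], []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        try:
            ts, door, user, result = (field.strip() for field in row)
            if result not in ("GRANTED", "DENIED"):
                raise ValueError(f"unknown result {result!r}")
            events.append((datetime.fromisoformat(ts), door, user, result))
        except ValueError:
            rejected.append(row)
    return sorted(events), rejected

def repeated_denials(events, threshold=3, window=timedelta(minutes=5)):
    """Map (user, door) to the largest number of denials seen inside one window."""
    recent, alerts = defaultdict(deque), {}
    for ts, door, user, result in events:
        if result != "DENIED":
            continue
        attempts = recent[(user, door)]
        attempts.append(ts)
        while ts - attempts[0] > window:   # drop attempts older than the window
            attempts.popleft()
        if len(attempts) >= threshold:
            alerts[(user, door)] = max(alerts.get((user, door), 0), len(attempts))
    return alerts

def granted_after_hours(events, opens=time(7, 0), closes=time(19, 0)):
    """Successful entries outside working hours, for the reviewer to explain."""
    return [(ts.isoformat(), door, user) for ts, door, user, result in events
            if result == "GRANTED" and not (opens <= ts.time() < closes)]

if __name__ == "__main__":
    events, rejected = parse_events(SAMPLE_LOG)
    print("repeated denials:", repeated_denials(events))
    print("after-hours entries:", granted_after_hours(events))
    print("rows needing manual review:", rejected)
```

Two denials hours apart at the loading bay stay below the threshold, while three within a minute at the server room are flagged; the unparseable row is surfaced rather than discarded because a gap in the audit trail is itself a finding.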

76 Access Control
- Separation of work areas
- Biometric access control:
  - Fingerprints
  - Face scan
  - Iris scan
  - Voice recognition
- Entry cards:
  - Smart cards
  - Security token
- Man traps
- Faculty sign-in procedures
- Identification badges

77 Challenges: Biometrics
- Fingerprints can be faked with ease.
- Face recognition systems can be tricked by masquerade techniques.
- Signature recognition and hand geometry face the common problem of matching patterns against a large database, which might lead to a higher number of false positives and false negatives.
- Retinal scan accuracy can suffer if the user does not focus on a given point during the scan.
- Iris scan machines are very expensive.
- Some users object to vascular pattern technology that uses infrared light.
- Voice dynamics is prone to inaccuracy as it relies on the production of a "voice template" that is compared with a spoken phrase.

78 EPS (Electronic Physical Security)
- Addressable fire detection systems
- Automatic gas suppression systems
- CCTV systems (IP networks, matrix switchers, DVR camera specifications, etc.)
- RFID, biometric, and smart card access control systems
- Intrusion detection systems
- Law enforcement systems and products (perimeter fencing, crash barriers, automatic retractable bollards, turnstiles, undercarriage scanners, X-ray/gamma scanners, sniffers)
- Guarding equipment and guarding plan

79 Physical Security
Final Concept to Guide in Assessing Physical Security Issues on Exam:
- Deterrence
- Delay
- Detection
- Assessment
- Response

80 Threat Assessment
- Set up a steering committee
- Obtain information and assistance
- Identify all possible threats
- Determine the likelihood of each threat
- Approximate the direct costs
- Consider cascading costs
- Prioritize the threats
- Complete the threat assessment report
To implement a physical security program, an organization needs to do a threat assessment to determine the amount of resources to devote to physical security and the allocation of those resources against the various threats. This process also applies to logical security, and typically includes steps such as:
1. Set up a steering committee of all those who have a stake in the security of the IS assets, including all of the user communities.
2. Obtain information and assistance, such as historical information concerning external threats (flood, fire, etc.), and seek expert advice from vendors, suppliers, neighboring businesses, service personnel, consultants, and academics.
3. Identify all possible threats, including those that are specific to IS operations as well as those that are more general, covering the building and the geographic area.
4. Determine the likelihood of each threat, so that threats can at least be grouped in such a way as to suggest where attention should be directed. All of the information from step 2 can be applied to this task, but it is clearly difficult.
5. Approximate the direct costs of each threat, that is, its severity in terms of consequences.
6. Consider cascading costs from consequential threats that add more impact costs.
7. Prioritize the threats to determine their relative importance as a guide to focusing resources on prevention.
8. Complete the threat assessment report, which includes the prioritized list with commentary on how the results were achieved. This report serves as the reference source for the planning process that follows.

81 Planning and Implementation
After the assessment, develop a plan for threat prevention, mitigation, and recovery.
Typical steps:
- Assess internal and external resources
- Identify challenges and prioritize activities
- Develop a plan
- Implement the plan
Once a threat assessment has been done, the steering committee, or another committee, can develop a plan for threat prevention, mitigation, and recovery. The following is a typical sequence of steps an organization could take.
1. Assess internal and external resources. These include resources for prevention as well as response. A reasonable approach is to again use a relative scale from 1 (strong ability to prevent and respond) to 5 (weak ability to prevent and respond). This scale can be combined with the threat priority score to focus resource planning.
2. Identify challenges and prioritize activities. Determine specific goals and milestones. Make a list of tasks to be performed, by whom and when. Determine how you will address the problem areas and resource shortfalls that were identified in the vulnerability analysis.
3. Develop a plan. The plan should include the preventive measures and equipment that are needed and emergency response procedures. The plan should include support documents, such as emergency call lists, building and site maps, and resource lists.
4. Implement the plan. This includes acquiring new equipment, assigning responsibilities, conducting training, monitoring plan implementation, and updating the plan regularly.

82 Physical/Logical Security Integration
- Have many detection / prevention devices
- More effective if have central control
- Hence desire to integrate physical and logical security, especially access control
- Need standards in this area
- FIPS “Personal Identity Verification (PIV) of Federal Employees and Contractors”
Physical security involves numerous detection devices, e.g. sensors and alarms, and numerous prevention devices and measures, e.g. locks and physical barriers. Clearly there is much scope for automation and for the integration of various computerized and electronic devices. Physical security can be made more effective if there is a central destination for all alerts and alarms and if there is central control of all automated access control mechanisms, such as smart card entry sites.
From the point of view of both effectiveness and cost, there is increasing interest not only in integrating automated physical security functions but in integrating, to the extent possible, automated physical security and logical security functions. The most promising area for this to be done is that of access control. For the integration of physical and logical access control to be practical, a wide range of vendors need to conform to standards that cover smart card protocols, authentication and access control formats and protocols, database entries, message formats and so on.
An important step in this direction is FIPS “Personal Identity Verification (PIV) of Federal Employees and Contractors”, issued in The standard defines a reliable, government-wide PIV system for use in applications such as access to Federally controlled facilities and information systems. The standard specifies a PIV system within which common identification credentials can be created and later used to verify a claimed identity. The standard also identifies Federal government-wide requirements for security levels that are dependent on risks to the facility or information being protected.

83 Recovery from Physical Security Breaches
Redundancy:
- To provide recovery from loss of data
- Ideally off-site, updated as often as feasible
- Can use batch encrypted remote backup
- Extreme is a remote hot-site with live data
Physical equipment damage recovery:
- Depends on the nature of the damage and cleanup
- May need disaster recovery specialists

84 Physical Security Checklist
- Company surroundings
- Premises
- Reception
- Server
- Workstation area
- Wireless access points
- Other equipment, such as fax, and removable media
- Access control
- Computer equipment maintenance
- Wiretapping
- Remote access

85 Company Surroundings
The entrance to the company premises should be restricted to only authorized access.
- Fences
- Gates
- Walls
- Guards
- Alarms

86 Reception
The reception area tends to be busier than other areas of the firm because of the number of people entering and exiting.
- Files, documents, media, etc. should not be kept on the reception desk.
- Reception desks should be designed to discourage inappropriate access to the administrative area by non-staff members.
- Computer screens should be positioned in such a way that people near the reception desk cannot observe the screen.
- Computer monitors, keyboards, and other equipment at the reception desk should be locked whenever the receptionist is away from the desk, and they should be logged off after office hours.

89 Wireless Security
- Checking the wireless traffic
- Enabling WEP/WPA on the wireless network
- MAC address control
- End-to-end encryption
- VPN (Virtual Private Network)
- Access points evaluation

90 Wireless Access Points
If an intruder successfully connects to the firm's wireless access points, then he is virtually inside the LAN like any other employee of the firm.
- WEP encryption should be used.
- The SSID should not be revealed.
- Access points should require a password to gain entry.
- Passwords should be strong enough that they cannot be easily cracked.

91 Lock Down USB Ports
Sometimes, it may not guarantee protection against the theft of data. What if an intruder carries his own USB memory sticks and connects them to the computers in the office? In a fraction of a second, an intruder can steal all the business information needed to establish his own company, including the customer database.
Administrators secure their networks behind firewalls by:
(1) Installing filters on their SMTP servers
(2) Installing anti-virus software on all client workstations
A USB stick can be used to:
(1) Hold an entire company's vital data
(2) Compromise the network with an infected stick
To prevent the above situations, the administrator needs to lock down the USB ports.

92 TEMPEST
TEMPEST refers to Transient Electro Magnetic Pulse Emanation Surveillance Technology: technology for monitoring devices that emit electromagnetic radiation.
Sources of TEMPEST:
- Functional Sources: Generate electromagnetic energy, like oscillators and signal generators
- Incidental Sources: Do not generate electromagnetic energy, such as electromechanical switches and brush-type motors
Types of TEMPEST:
- Modulated Spurious Carriers
- Impulsive Emanations

93 Challenges in Physical Security
- Enforcing security policies
- Social engineering attempts
- Restrictions for sharing experience and knowledge
- Cost and time factors
- Terrorism
- Sophisticated technologies

