Chapter 10 Physical Security BIS 4113/6113 “Physical controls are your first line of defense, and people are your last.” (p.386)
Physical Security? How does it relate to our class? AMRC Server missing Dell Optiplex GX-620, used for backup Patient, financial information Noticed when queries were being ignored
Cause & Effect Anatomy of physical breach C I Host Inc. Unlocked entrances Guard not at post Physical attack on data center worker (!) $100,000 of equipment stolen
YouTube video CBS NEWS Investigation
How far does your responsibility go? Dept of Veterans’ Affairs, 2006 2009 Audit of VA contracts 6000 of 22K contracts did not include infosec clauses 578 contractors refused to sign 2010: Two laptops stolen from VA contractors 1500 veterans’ records exposed 2010: Blue Cross Blue Shield of TN Theft of hard drives from abandoned office building Up to 220,000 customers’ identities compromised Up to $7M spent in response
Common Physical Threats Fire/smoke Water (rising/falling) Earth movement Storms Sabotage/vandalism Explosions Building collapse Toxic materials Utility loss Equipment failure Personnel loss (strikes, illness, transport, etc.)
Planning Physical Security (p.390) Deterrence Denial Detection Delay
3 Levels of Security Controls Administrative Site selection Environmental dangers Proximity to resource/emergency facilities Facility Design Work areas Server rooms Appropriate partitioning Visitation
3 Levels of Security Controls Physical Fences, gates, turnstiles, mantraps Appropriate lighting Guards & dogs Motion detectors CCTV Intrusion alarms
3 Levels of Security Controls Technical Smart cards RFID readers Physical IDS Emanation security
Special Considerations Server Rooms (p.393) One hour minimum fire rating Halon suppression Data Centers (p.396) Means of access (smartcards, proximity readers) Two-factor authentication
Power Issues Fault (temporary loss) Blackout (complete loss) Undervoltage (sag, brownout) Overvoltage (spike, surge) Interference (noise) UPS Clean power
Equipment Failure (p.390) Costs Other metrics Storage, transportation, installation, restoration Other metrics MTTF (Mean Time to Failure) MTTR (Mean Time to Repair) Waiting for complete failure before replacement: Bad