COMP4690, HKBU1 Chapter 6 Physical Security

COMP4690, HKBU2 Introduction The goal of physical security is to provide a safe environment for all assets and interests of the organization. Physical security provides protection for the building, other building structures, or a vehicle housing the system, and/or other network components. Static systems: installed in structures at fixed location Mobile systems: installed in vehicles or vessels Portable systems: can be operated in buildings, vehicles, or in the open A very basic component of an organization’s total security plan.

COMP4690, HKBU3 Threats to Physical Environment Natural/environmental Earthquakes, floods, storms, tornadoes, hurricanes, volcanic eruptions, natural fires, extreme temperatures, high humidity, building collapse Supply systems Communication outage, power distribution, burst pipes Man-made Explosions, disgruntled employees, unauthorized access, employee errors, sabotage, hazardous spills, chemical contamination, malicious code, vandalism and theft, intruders, unintentional acts Political events Bombings, terrorist attacks, espionage, civil disturbances, strikes

COMP4690, HKBU4 Information Protection Environment A layered defense model Perimeter Building Grounds Building Entrance Building Floors/Office Suites Offices/Data Centers Equipment/Supplies, Media

COMP4690, HKBU5 Crime Prevention through Environmental Design (CPTED) CPTED as a concept began during the 1960s. It states that the physical environment of a building can be changed or managed to produce behavioral effects that will reduce the incidence and fear of crime. It contains elements that make legitimate users of a space feel safe and make illegal users feel unsafe in pursuing undesirable behavior. It is a psychological and sociological method of looking at security.

COMP4690, HKBU6 CPTED strategies Territoriality People protect territory that they feel is their own and people have a certain respect for the territory of others. CPTED encourages the use of physical attributes that express ownership, such as fences, pavement treatments, art, signs, good maintenance, and landscaping. Surveillance Surveillance is a principal tool in the protection of a space. Landscaping and lighting can be planned to promote natural surveillance from inside and from the outside. Closed-circuit television (CCTV) is often used as an additional deterrent. Access control Properly located entrances, exits, fencing, and landscaping can control the flow or limit access to both foot and automobile traffic in ways that discourage crime.

COMP4690, HKBU7 Site Location Physical security should begin with a detailed site selection process. Where and how a building should be built? Does our business have specific physical security concerns regarding the facility location? Is it vulnerable to crime, riots, or terrorism attacks? Is it vulnerable to natural disasters? Where is it located in relationship to adjacent buildings and/or other businesses? How far away is it to other types of threats? What are neighborhood crime rates and types? What type of emergency support response is provided to the area?

COMP4690, HKBU8 Construction Impacts Construction controls involve designing walls, windows, doors, and infrastructure support elements, such as water or gas lines, in a secure fashion. Constructing walls that are fire-rated Penetration resistant Windowless or have non-opening windows Questions to consider Could the structure withstand relevant natural threats? Is it earthquake resistant? Does the business require specific building enhancements?

COMP4690, HKBU9 Facility Impacts Entry points Infrastructure support systems Electrical power Heating, ventilation, air conditioning (and refrigeration) Internal sensitive or compartmentalized areas Portable computing

COMP4690, HKBU10 Entry points External entry points Doors, windows, roof access, service or delivery doors, fire-escape entries, other secondary entrances Internal entry points Elevators, stairs, door to internal offices

COMP4690, HKBU11 Infrastructure support systems Include power, water/plumbing, heating, ventilation, and air conditioning The failure or substandard performance of the support systems may interrupt operation of the system and may cause physical damage to system hardware or stored data. Physical security for the infrastructure support systems involves not only the area, but also locations of wiring used to connect elements of the system, such as cabling, plugs, sockets, loose wires, exposed cabling.

COMP4690, HKBU12 Electrical power A disruption in the electrical power supply can have a serious business impact. Complete power loss Blackout: complete loss of commercial power Fault: momentary power outage Power degradation Brownout: an intentional reduction of voltage by a utility company Sag/dip: a short period of low voltage Surge: a sudden rise in voltage in the power supply Transient: line noise or disturbance is superimposed on the supply circuit and can cause fluctuations in electrical power In-rush current: the initial surge of current required by a load before it reaches normal operation Electrostatic discharge: another type of electrical surge can occur when two non-conducting materials rub together, causing electrons to transfer from one material to another

COMP4690, HKBU13 Interference Interference is a random disturbance interfering with device operation. Electromagnetic interference (EMI) The interference in a circuit. Common-mode noise occurs between hot and ground wires; traverse-mode noise occurs between hot and neutral wires. Radio frequency interference (RFI) The reception of radio signals. Small electrical discharges generate RFI, and can be generated by components of electrical systems, transmitting devices, or lightning. Other sources of interference: radio stations, cellular phones, fluorescent lights, defective power plugs

COMP4690, HKBU14 Water/Plumbing Common sources of water problems Broken pipes, fire-suppression systems, improper installation of air conditioners, evaporative coolers Water damage can lead to problems with mold and mildew that may affect the proper functioning of the computer resources

COMP4690, HKBU15 HVAC Heating, ventilation, and air conditioning A system that provides the processes of comfort heating, ventilation, and/or air conditioning within a space HVAC&R: include refrigeration Questions: Where and how the system is installed? Whether the location of these areas could allow for unauthorized access or some type of sabotage? How to remote control, monitor and maintain the system? Risk of chemical and biological agents entering a building through the system

COMP4690, HKBU16 Internal sensitive or compartmentalized area Several areas need additional physical protection Data center Server room Communication center Switching center End-user areas where highly sensitive information is processed and stored

COMP4690, HKBU17 Portable computing Because the organization’s data is being accessed and processed outside the normal physical protections of the office, the risk of loss, theft, data exposure, and data destruction can be significantly greater.

COMP4690, HKBU18 Security technology and Tools Layered defense A fence protects the perimeter The building entry points are protected with a card access control system Inside the building, a card access control system protects the elevators and door locks secure the stairwells. The office doors are also secured with locks. Inside the office, the employee has locked all sensitive information in an office safe. Using multiple types of security controls within each of the layers.

COMP4690, HKBU19 Perimeter and building grounds boundary protection Protective barriers: Landscaping: can be designed to provide a measure of security, e.g., shrubs or trees Fences: to designate a property boundary Gates: portion of a wall or fence system that controls entrance and/or egress Bollards: vehicle barriers Lighting: an essential element in an integrated physical security system, be used with other controls

COMP4690, HKBU20 Perimeter Intrusion Detection Systems Closed-Circuit television (CCTV) A television transmission system that uses video cameras to transmit pictures by a transmission medium (wired or wireless) to connected monitors. CCTV levels Detection: the ability to detect the presence of an object Recognition: the ability to determine the type of object Identification: the ability to determine object details Three main components: Camera, transmission media, and monitor

COMP4690, HKBU21 CCTV Camera and lens To capture an optical image and convert the image into a video signal that is then transmitted to a remote monitor display Tube cameras: use a cathode ray tube (CRT) CCD cameras: use charge-coupled discharge (CCD) Infrared cameras: provide night-vision capability Fixed lens vs. zoom lens Depth-of-field: the area between the nearest and farthest points that appear to be in focus Field-of-view: the entire area that can be captured by the lens

COMP4690, HKBU22 CCTV (Cont.) Transmission media Coaxial cable Fiber-optic cables Wireless transmission Display monitors NTSC, PAL HDTV Other equipments Pan and tilt units: designed for remote control positioning of cameras in both the horizontal (pan) and vertical (tilt) planes. Multiplexers or switches: combine several cameras onto a single line or allow selected viewing of multiple cameras Videotape recorders Digital recorders

COMP4690, HKBU23 Building Entry Points Doors Hollow-core versus solid-core Windows Shatter-resistant, installed in fixed frames, can be locked from the inside Locks Key locks, combination locks, smart locks Guard Stations To monitor the security of the facility through TV monitors, alarm systems, intercoms, etc Card Access Control or Biometric Systems card & card reader

COMP4690, HKBU24 Inside the Buildings Supply system controls Electric power controls Surge suppressors Controlling interference Uninterruptible power supply (UPS) HVAC controls Water controls Gas lines

COMP4690, HKBU25 Fire Protection Fire prevention Materials used in construction should be as fireproof as possible Backup tapes and software should be stored in fireproof containers (they will produce poisonous gases when they burn) File-prevention training, includes fire drills Fire detection Smoke detectors Photoelectric detectors Heat detectors Fire suppression Fire-extinguishing systems For computer equipment, type ABC extinguishers are appropriate Automatic sprinkler systems: unpure water may compound the problem instead of help! If possible, equipment should be shut off before discharging the sprinkler system. Once a computer is wet, it should not be turned on until it is thoroughly dry.

COMP4690, HKBU26 Fire Classes ClassTypeSuppression ACommon combustibles (i.e., wood products) Water, soda acid BLiquid (i.e., petroleum products, coolants) Gas, CO 2, soda acid CElectrical (i.e., electrical equipment, wires) Gas, CO 2 DCombustible metalsDry powder

COMP4690, HKBU27 Penetration Detection Systems Basic types of physical intrusion detection systems include: Breaking or making an electrical circuit Interrupting a light beam Detecting sound or changes in sound levels Detecting vibration Detecting changes in heat level through passive infrared detectors Detecting a disturbance in an electrostatic, microwave, ultrasonic, or other type field

COMP4690, HKBU28 Good Security Practices for Data Center Security Access control Electronic access control: badge/smart cards/biometric devices Post an access control list on the outside of the door, indicating who is allowed unescorted access Have access control policies for daytime use, after-hour use, or during an emergency CCTV to view visitors Site location Location within the building should not be easily accessible to visitors or to the general public Away from external windows or walls Away from water pipes or other support system facilities

COMP4690, HKBU29 Good Security Practices for Data Center Security Walls Construct the room as a single unit Walls should not form part of an external wall of the building If using glass as an external wall barrier, use shatter- resistant glass to limit damage from breakage Doors Should be solid core Should not open out Door frame should be permanently fixed to the adjoining wall studs Door hinges should be fixed to the frames with a minimum of three hinges per door

COMP4690, HKBU30 Good Security Practices for Data Center Security HVAC Should be on a separate system from the rest of the building The size of the ducts and vents should ensure that they cannot be breached by an intruder Positive pressures should be maintained Power supply A backup power supply (UPS or generator) should exist for a minimum amount of time as required by the organization’s needs Backup power supply needs to be tested on a regular basis Electrical facilities that support the data center should be separate from the main building Electrical closets, cables, and wiring should be properly secured Fire Deploy portable extinguishers at exits and near equipments Install fire sensors/detection equipment Have documented and tested emergency plans Install water sensors under the raised floor