Physical Security Most people in information security do not think about physical security Many facilities are built with functionality or aesthetics in mind with not as much concern for physical security A security professional needs to regard security as a holistic process
Physical Security Need to evaluate physical security from the standpoint of a potential criminal to remedy vulnerabilities Recognize potential for civil suits for not practicing due diligence and due care regarding physical security
Physical Security Both safety and security Safety – Protection of life and assets against fire, natural disasters, and accidents Security – Vandalism, theft Protection of life is primary
Good Security Enables employees to do their jobs Encourages attackers to move on to easier targets
Planning Laws and Regulations Risk Analysis – Vulnerabilities, Threats, Business Impact Acceptable level of risk by management Implement countermeasures Performance based approach – Metrics of effectiveness (page 433)
CPTED Crime Prevention Through Environmental Design Different from target hardening – Make it a pleasant place Hedges and planters should be no more than 2.5 feet high so they cannot be used to gain access to windows.
CTPED Data center in center of building Natural access control – Guidance for people enter and leaving the building – Figure 5-2 on page 438 Natural Surveillance – Clear lines of sight to discourage criminals – Figure 5.3 on page 441
CTPED Natural Territorial Reinforcement – Physical design to create a sense of community that must be protected – Illegal activities will not be ignored
Designing a Physical Security Program Assess the protection levels of existing facilities Regulations (e.g. OSHA, EPA) Legal issues Should have Facility Safety Officer
Facility Site Selecting a site (Page 445) Example: – Telecommunication facility containing critical infrastructure No sign Hard to see from the road
Facility Construction Major items that need to be addressed from a physical security point of view. – Pages 446-448 – Identify the threats – Fire code
Entry Points Weakest points are doors and windows Also, door hinges Doors – Hollow-core = kicked-in or cut – Solid-core Mantraps
Entry Points Windows – Where security and aesthetics comes to blows – Standard glass Common in residences Easily broken – Window Types on page 452 Internal Partitions – Figure 5-4 on page 453
Computer Room Most computer equipment can be controlled remotely. Do not need personnel in data center. Only one entry and exit. In the core of the building. Not in the basement. Flooding. Restricted area. Not directly accessible from public areas.
Computer Room Away from water pipes. Emergency OFF. Allow employees to leave before gas fire suppression is released.