9: Physical Security

Last updated 2:58 AM on 5/25/26

70 Terms

1
Physical security

addresses design, implementation, and maintenance of countermeasures that protect physical resources of an organization

2
General management role

responsible for facility security

3
IT management and professionals role

responsible for environmental and access security

4
Information security management and professionals role

perform risk assessments and implementation reviews

5
Secure facility

physical location engineered with controls designed to minimize risk of attacks from physical threats

6
Secure facility design

can take advantage of natural terrain, traffic flow, and degree of urban development; can complement these with protection mechanisms (fences, gates, walls, guards, alarms)

7
ID Cards and Badges

Ties physical security with information access control

8
ID Cards and Badges

Serve as simple form of biometrics (facial recognition)

9
ID Cards and Badges

Should not be only means of control as cards can be easily duplicated, stolen, and modified

10
Tailgating

occurs when unauthorized individual follows authorized user through the control

11
Two types of locks

mechanical and electromechanical

12
Four categories of locks

manual, programmable, electronic, biometric

13
Mantrap

Small enclosure that has entry point and different exit point

14
Mantrap

Individual enters --, requests access, and if verified, is allowed to exit mantrap into facility; Individual denied entry is not allowed to exit until security official overrides automatic locks of the enclosure

15
Electronic Monitoring

Records events where other types of physical controls are impractical or incomplete; May use cameras with video recorders; includes closed-circuit television (CCTV) systems

16
Alarms and alarm systems

notify when an event occurs; Detect fire, intrusion, environmental disturbance, or an interruption in services

17
Alarms and Alarm Systems

Rely on sensors that detect event; e.g., motion detectors, smoke detectors, thermal detectors, glass breakage detectors, weight sensors, contact sensors, vibration sensors

18
Computer Rooms and Wiring Closets

Require special attention to ensure confidentiality, integrity, and availability of information

19
Computer Rooms and Wiring Closets

Logical controls easily defeated if attacker gains physical access to computing equipment

20
Custodial staff security

often the least scrutinized persons who have access to offices; are given greatest degree of unsupervised access

21
Interior Walls and Doors

Information asset security sometimes compromised by construction of facility walls and doors

22
Facility walls types

typically either standard interior or firewall

23
High-security areas

must have firewall-grade walls to provide physical security from potential intruders and improve resistance to fires

24
fire

Most serious threat to safety of people who work in an organization is possibility of --

25
Fires

account for more property damage, personal injury, and death than any other threat

26
Fire suppression systems

devices installed and maintained to detect and respond to a fire

27
Fire Detection and Response

These devices typically work to deny an environment of one of the three requirements for a fire to burn: temperature, fuel, and oxygen

28
Water and water mist systems

reduce the temperature of the flame to extinguish it and to saturate some categories of fuels to prevent ignition

29
Carbon dioxide systems

rob fire of its oxygen

30
Soda acid systems

deny fire its fuel, preventing spreading

31
Gas-based systems

disrupt the fire's chemical reaction but leave enough oxygen for people to survive for a short time

32
Two general categories of fire detection systems

manual and automatic

33
Fire Detection

-- systems fall into two general categories: manual and automatic

34
Fire Detection

Part of a complete fire safety program includes individuals that monitor chaos of fire evacuation to prevent an attacker accessing offices

35
Three basic types of fire detection systems

thermal detection, smoke detection, flame detection

36
Gaseous Emission Systems history

Until recently, two types of systems: carbon dioxide and Halon

37
Carbon dioxide gaseous

robs a fire of oxygen supply

38
Halon

is clean but has been classified as an ozone-depleting substance; new installations are prohibited

39
Failure of Supporting Utilities and Structural Collapse

Supporting utilities (heating, ventilation, and air conditioning; power; water; and others) have significant impact on continued safe operation of a facility

40
Failure of Supporting Utilities and Structural Collapse

Each utility must be properly managed to prevent potential damage to information and information systems

41
Heating, Ventilation, and Air Conditioning

Areas within heating, ventilation, and air conditioning (HVAC) systems that can cause damage to information systems include: Temperature, Filtration, Humidity, Static electricity

42
Ventilation Shafts

While ductwork is small in residential buildings, in large commercial buildings it can be large enough for an individual to climb through

43
Ventilation Shafts countermeasure

If -- are large, security can install wire mesh grids at various points to compartmentalize the runs

44
Power Management and Conditioning

Electrical quantity (voltage level, amperage rating) is a concern, as is quality of power (cleanliness, proper installation)

45
Noise

Noise that interferes with the normal 60 Hertz cycle can result in inaccurate time clocks or unreliable internal clocks inside CPU

46
Grounding

ensures that returning flow of current is properly discharged to ground

47
Overloading a circuit

causes problems with circuit tripping and can overload electrical cable, increasing risk of fire

48
Uninterruptible Power Supply (UPS)

In case of power outage, UPS is backup power source for major computer systems

49
Four basic UPS configurations

Standby, Ferroresonant standby, Line-interactive, True online (double conversion online)

50
Emergency Shutoff

Important aspect of power management is the need to be able to stop power immediately should a current represent a risk to human or machine safety

51
Water Problems

Lack of water poses problem to systems, including functionality of fire suppression systems and ability of water chillers to provide air-conditioning

52
Water problem

Very important to integrate water detection systems into alarm systems that regulate overall facilities operations

53
Structural Collapse causes

Unavoidable forces can cause failures of structures that house organization

54
Periodic inspections

-- by qualified civil engineers assist in identifying potentially dangerous structural conditions

55
Maintenance of Facility Systems

Physical security must be constantly documented, evaluated, and tested

56
Maintenance of Facility Systems

Documentation of facility's configuration, operation, and function should be integrated into disaster recovery plans and operating procedures

57
Maintenance of Facility Systems

Testing helps improve the facility's physical security and identify weak points

58
Three methods of data interception

Direct observation, Interception of data transmission, Electromagnetic interception

59
TEMPEST program

U.S. government developed -- program to reduce risk of electromagnetic radiation (EMR) monitoring

60
Mobile and Portable Systems

With the increased threat to information security for laptops, handhelds, and PDAs, mobile computing requires more security than average in-house system

61
Mobile and Portable Systems

Many mobile computing systems have corporate information stored within them; some are configured to facilitate user's access into organization's secure computing facilities

62
CompuTrace software

stored on laptop; reports to a central monitoring center to support security and retrieval of lost or stolen laptops

63
Burglar alarms

made up of a PC card that contains a motion detector

64
Remote site computing

away from organizational facility

65
Telecommuting

computing using telecommunications including Internet, dial-up, or leased point-to-point links

66
Outsourcing

Benefit of -- includes gaining experience and knowledge of agencies

67
Outsourcing

Downside includes high expense, loss of control over individual components, and level of trust that must be placed in another company

68
Social engineering

use of people skills to obtain information from employees that should not be released

69
Inventory Management

Computing equipment should be inventoried and inspected on a regular basis; Classified information should also be inventoried and managed

70
Inventory Management

Physical security variance of computing equipment, data storage media, and classified documents varies for each organization