Physical Security

1
Physical Security

• Chapter 15

2
The Problem

• Plug laptop into network
• PDA have an OS with network support that can act
  as a wireless bridge
• Bootdisk floppy (DOS or Linux), CD-ROM
• Drive imaging
• Steal computer
• Social engineering
• Unauthorized access ie. cleaning personnel

3
Safeguards

• Physical security safeguards need to be
  considered for information resources residing in
  static facilities (such as buildings), mobile
  facilities (such as computers mounted in
  vehicles), and portable facilities (in-transit
  facility housing).
• Appropriate physical safeguards need to be
  established based on the risks related to
  geographic location, including natural threats
  (such as flooding), man-made threats (such as
  burglary or civil disorders), and threats from
  nearby activities (such as toxic chemical
  processing or electromagnetic interference).
• Lastly, physical safeguards need to assure that
  the appropriate levels of support facilities such
  as electric power, heating, and air-conditioning
  are sustainable as required by the information
  resources.

4
Location and Environment Considerations

• Visibility
• buildings that are unnoticeable or
  indistinguishable, or areas with mountainous
  terrain that can block eavesdropping signals
• Accessibility
• The site should have adequate access to
  facilitate entrance and exit of personnel and
  emergency response vehicles, but restrictive
  enough to maintain a secure environment
• Propensity for environmental problems
• The surrounding area should be analyzed based on
  crime statistics, location of emergency response
  facilities (such as police, fire, and medical)
  and any other potential hazards such as factories
  producing explosive or combustible materials. .

5
Construction

• Wall materials
• Fire rating, how well reinforced
• Security of doors - easily forced open, is glass
  shatterproof or bulletproof
• Ceilings
• Combustibility, load and weight bearing ratings,
  drop ceilings
• Windows
• Shatterproof, wired for alarms
• Translucent or opaque to deter any unwanted
  observation.
• No windows, especially if the security policy
  dictates.
• When assessing a facility, it is important to
  verify where shutoff valves for water and gas
  lines are located and the location of fire
  detection and suppression devices.

continued
6
Physical Barriers -Types of Locks

• Preset locks - are most insecure
• Cipher Locks are programmable locks that utilize
  a keypad for entering a PIN or password
• More expensive than preset locks
• Offer more security and flexibility
• Cipher lock options
• Door delay
• Key override
• Master keyring
• Hostage alarm

7
Physical Barriers -Types of Locks

• Biometric locks - Verify users identity by a
  unique personal characteristic, complex,
  expensive, and secure
• Multicriteria locks (something you have), along
  with a PIN number or password (something you
  know), and a thumbprint (something you are) to
  open the lock.
• Device locks - secure computer hardware and
  network devices. In addition to cable locks,
• switch controls that cover on/off switches,
• slot locks that cover spare expansion slots,
• port controls that block access to disk drives or
  serial ports,
• cable traps that prevent the removal of cabling.

8
Fencing

• Controls access to entrances - Fences three to
  four feet high are used primarily to deter casual
  trespassers, while fences eight feet high with
  barbed or razor wire indicate that the facility
  is serious about securing the physical perimeter.
  
• Cost is directly related to
• Height
• Quality of material
• How well installed

9
Lighting

• The National Institute of Standards and
  Technology advises that critical areas should be
  illuminated eight feet high and two feet out to
  ensure the safety of personnel and visitors. The
  actual lighting types may include
• flood lights,
• street lights,
• lights that are easily focused.

10
Physical Surveillance

• Hard to protect communication lines that run for
  hundreds of miles. Need to be able to detect
  location of break.
• Running communications media along other
  structures (original telegraph wires).
• In 1985, Williams Companies pioneered the
  placement of fiber-optic cables inside
  decommissioned pipelines-structures that most
  backhoe operators try to avoid.
• underground telephone trunks are sometimes
  bundled inside a sheath that is filled with
  compressed gas a substantial loss of pressure
  indicates the outer protective coating has been
  breached. This often allows maintenance to occur
  on the trunk before any subscribers are aware of
  the difficulty.
• Security guards
• Guard dogs generally used with security guards

11
Technical Controls

• Personnel Access Controls a digital record of
  each employee should be recorded everytime they
  enter the office
• Password or personal identification numbers
• Identification cards
• Biometric systems- fingerprints, palm prints,
  hand geometry, eyescans, signature dynamics and
  voice prints.
• Methods for fooling the biometric systems
• Synthetic gel-filled structures called "gummy
  fingers" can fool fingerprint, palm print, or
  hand geometry readers.
• Signature forgery can be used on a signature
  reader just as on a printed check
• Common security breaches
• Social engineering attack
• Piggybacking
• New methods include a promising method is based
  on DNA analysis, and implanted chips
• http//slate.msn.com/id/2109477/

12
Technical Controls

• Technical Surveillance
• Closed-circuit television cameras
• Can be monitored at a central location
• Record all activity that takes place within
  critical areas
• Allow security personnel to assess whether or not
  an area is being compromised
• Ventilation
• Maintain air quality and temperature with a
  closed-loop recirculating air-conditioning system
• Control contamination from dust and other
  pollutants with positive pressurization and
  ventilation

13
Technical Controls

• Power
• Main methods to protect against power failure
• Uninterruptible power supply (UPS)
• Backup sources generator
• Surge protectors protect from voltage
  fluctuation.
• Proper shutdown and power-up procedures should be
  followed to ensure that computing devices are not
  damaged.
• Shield long cable runs to help control the
  impacts of electromagnetic interference. Avoid
  fluorescent lighting.
• Properly ground all equipment and racks.
• Do not daisy chain power strips and extension
  chords

14
Fire Prevention Solutions

• A fire detection response system (manual or
  automatic sensor) is usually used in tandem with
  automatic fire suppression system that uses
• Halon gas interferes with the chemical process
  that creates the fire
• Carbon dioxide removes oxygen
• Water used to decrease temperature
• Soda acid removes oxygen oxygen

15
Natural Disasters

• Floods
• Lightening
• Earthquakes

16
Checklist

• To determine how close your information
  technology security program matches Commonwealth
  of Virginia standards in this category, ask
  yourself the questions below
• Are mission critical systems located in a locked
  location to which access is restricted to only
  authorized personnel?
• Are personnel authorized to access only those
  computer hardware, wiring, displays, and networks
  essential to perform their jobs?
• Are critical computer hardware, wiring, displays,
  and network configurations documented?
• Are installations and changes to those critical
  physical configurations governed by a formal
  change management process?
• Is a system for monitoring and auditing physical
  access to critical hardware, wiring, displays,
  and networks in place?
• Are backups of mission critical data stored
  off-site in a secured location?

17
Safeguards

• Policies and procedures devices and users
• Remove floppies, USB and CD-ROM access espcially
  autorun
• BIOS passwords established
• Background checks of new hires
• All users need security training
• Layered access controls
• Multilayer authentication
• Lock up machines that have important data
• Educate security guards on network security