The CISSP Prep Guide Chapter 10 - PowerPoint PPT Presentation

Slides: 28
Provided by: sbc78

Transcript and Presenter's Notes

1
The CISSP Prep Guide Chapter 10
  • Physical Security
  • The CISSP Prep Guide: Mastering the Ten Domains
    of Computer Security by Ronald L. Krutz, Russell
    Dean Vines (August 24, 2001), John Wiley & Sons.
    ISBN 0471413569

2
Goals of Physical Security
  • The elements involved in choosing a secure site
    and its design and configuration
  • The methods for securing a facility against
    unauthorized access
  • The methods for securing the equipment against
    theft of either the equipment or its contained
    information
  • The environment and safety measures needed to
    protect personnel, and the facility and its
    resources

3
Domain Definition
  • Addresses the threats, vulnerabilities, and
    countermeasures that can be utilized to
    physically protect an enterprise's resources and
    sensitive information.
  • These include personnel, the facility and work
    places, information and data, equipment, systems
    and media with which people work.

4
Threats to Physical Security
  • Interruptions in providing computer services:
    Availability
  • Physical damage: Availability
  • Unauthorized disclosure of information:
    Confidentiality
  • Loss of control over system: Integrity
  • Physical theft: Confidentiality, Integrity, and
    Availability

5
Examples of Threats to Physical Security
  • Emergencies
  • Fire and smoke contaminants
  • Building collapse or explosion
  • Utility loss (electrical power, air conditioning,
    heating)
  • Water damage (pipe breakage)
  • Toxic materials release

6
Examples of Threats to Physical Security
  • Natural Disasters
  • Earth movement (earthquakes and mud slides)
  • Storm damage (snow, ice, floods)
  • Human Intervention
  • Sabotage
  • Vandalism
  • War
  • Strikes

7
Controls for Physical Security
  • Administrative Control
  • Facility Requirement Planning
  • Facility Security Management
  • Administrative Personnel Controls

8
Facility Requirement Planning
  • Choosing a Secure Site
  • Low visibility
  • Local considerations of the surrounding area
  • Natural disasters
  • Transportation
  • Joint tenancy of environmental and heat,
    ventilation, A/C control
  • External services of police, fire, medical

9
Designing a Secure Site
  • Walls
  • Ceilings
  • Floors: Slab, Raised
  • Windows
  • Doors
  • Sprinkler system
  • Liquid or gas lines
  • Air conditioning
  • Electrical requirements

10
Facility Security Management
  • Audit Trails
  • The date and time of the access attempt
  • Whether the attempt was successful or not
  • Where the access was granted (which door)
  • Who attempted the access
  • Who modified the access privileges at the
    supervisor level

11
Emergency Procedure
  • Emergency system shutdown procedures
  • Evacuation procedures
  • Employee training, awareness programs, and
    periodic drills
  • Periodic equipment and systems tests

12
Administrative Personnel Controls
  • Pre-employment screening
  • Employment, references, or educational history
    checks
  • Background investigation or credit rating checks
    for sensitive positions
  • On-going employee checks
  • Security clearances generated only if the
    employee is to have access to classified
    documents
  • On-going employee ratings or reviews by their
    supervisor
  • Post-employment procedures
  • Exit interview
  • Removal of network access and change of passwords
  • Return of computer inventory or laptops

13
Environmental and Life Safety Controls
  • Electrical power
  • Fire detection and suppression
  • Heating, Ventilation, and Air Conditioning (HVAC)
  • First Aid Kit, CPR Training and poster, Emergency
    Exit and Light, and procedure poster.

14
Electrical Power Terms
  • Fault: momentary power loss
  • Blackout: complete loss of power
  • Sag: momentary low voltage
  • Brownout: prolonged low voltage
  • Spike: momentary high voltage
  • Surge: prolonged high voltage
  • Inrush: initial surge of power at the beginning
  • Noise: steady interfering disturbance
  • Transient: short duration of line noise
    disturbances
  • Clean: non-fluctuating pure power
  • Ground: one wire in an electrical circuit must
    be grounded

15
Electrical Power - Noise
  • UPS: Uninterruptible Power Supply
  • RFI: Radio Frequency Interference
  • EMI: Electromagnetic Interference
  • Common-mode noise
  • Traverse-mode noise
  • Protective Measures
  • Power line conditioning
  • Proper grounding of the system to the earth
  • Cable shielding
  • Limiting exposure to magnets, fluorescent lights,
    electric motors, and space heaters

16
Electrical Power
  • Brownouts
  • Humidity
  • Static Charge Damage
  • 40V: sensitive circuits and transistors
  • 1000V: scramble monitor display
  • 1500V: disk drive data loss
  • 2000V: system shutdown
  • 4000V: printer jam
  • 17000V: permanent chip damage
  • Check the carpet

17
To Reduce Static Electricity Damage
  • Use anti-static sprays where possible
  • Operations or computer centers should have
    anti-static flooring
  • Building and computer rooms should be grounded
    properly
  • Anti-static table or floor mats may be used
  • HVAC should maintain the proper level of relative
    humidity in computer rooms

18
Fire Detection and Suppression
  • Fire Classes and Suppression Mediums
  • A (Common combustibles): Water, soda acid
  • B (Liquid): CO2, soda acid, Halon
  • C (Electrical): CO2, Halon
  • Fire Detectors
  • Heat-sensing
  • Flame-actuated
  • Smoke-actuated
  • Automatic Dial-up Fire Alarm

19
Fire Detection and Suppression
  • Fire Extinguishing Systems
  • Wet Pipe
  • Dry Pipe
  • Deluge
  • Preaction
  • Contamination and Damage
  • Smoke
  • Heat
  • Water
  • Suppression medium contamination

20
HVAC
  • Heat Damage Temperatures
  • Computer Hardware: 175°F
  • Magnetic Storage: 100°F
  • Paper Products: 350°F

21
Physical and Technical Controls
  • Facility Control Requirements
  • Guards, Dogs, Fencing, Lighting, Locks, CCTV
  • Availability, Reliability, Training, Cost
  • Facility Access Control Devices
  • Intrusion Detection and Alarms
  • Computer Inventory Control
  • Media Storage Requirements

22
Facility Access Control Devices
  • Security Access Cards
  • Photo-Image Cards
  • Digital-Coded Cards
  • Wireless Proximity Readers
  • Photo ID, Optical-coded, Electric circuit,
    Magnetic stripe, magnetic strip, Passive
    electronic, Active Electronic
  • Biometric Devices

23
Intrusion Detectors and Alarms
  • Perimeter Intrusion Detectors
  • Photoelectric sensors, Dry contact switches
  • Motion Detectors
  • Wave pattern, Capacitance, Audio detectors
  • Alarm Systems
  • Local Alarm Systems
  • Central Station Systems
  • Proprietary Systems
  • Auxiliary Station Systems
  • Line Supervision and Power Supplies

24
Computer Inventory Control
  • PC Physical Control
  • Cable locks
  • Port controls
  • Switch controls
  • Peripheral switch controls
  • Electronic security boards
  • Laptop control

25
Media Storage Requirement
  • Media for storage, destruction, or reuse
  • Data backup tapes, CDs, Diskettes, Hard Drives,
    Paper printouts and reports, DVD
  • For on-site and off-site
  • Elements for protection
  • Physical access control to the storage areas
  • Environmental controls, such as fire and water
    protections
  • Diskette inventory controls and monitoring
  • Audits of media use

26
Data Destruction and Reuse
  • Data Destruction
  • Clearing, Purging, Destruction
  • Common Problems
  • Erasing the data removes only the directory entry
  • Damaged sectors
  • Rewriting files on top of old files
  • Degausser equipment failure or operator error
  • Inadequate erasure or format

27
Walk-Through Security List
  • Sensitive company information is not lying open
    on desks or in traffic areas
  • Workstations are logged out and turned off
  • Offices are locked and secured
  • Stairwell exits are not propped open
  • File cabinets and desks are locked and secured
  • Diskettes, tapes, and CDs are put away and
    secured