Physical Security

1

• Chapter 6
• Physical Security

2
Introduction

• The goal of physical security is to provide a
  safe environment for all assets and interests of
  the organization.
• Physical security provides protection for the
  building, other building structures, or a vehicle
  housing the system, and/or other network
  components.
• Static systems installed in structures at fixed
  location
• Mobile systems installed in vehicles or vessels
• Portable systems can be operated in buildings,
  vehicles, or in the open
• A very basic component of an organizations total
  security plan.

3
Threats to Physical Environment

• Natural/environmental
• Earthquakes, floods, storms, tornadoes,
  hurricanes, volcanic eruptions, natural fires,
  extreme temperatures, high humidity, building
  collapse
• Supply systems
• Communication outage, power distribution, burst
  pipes
• Man-made
• Explosions, disgruntled employees, unauthorized
  access, employee errors, sabotage, hazardous
  spills, chemical contamination, malicious code,
  vandalism and theft, intruders, unintentional
  acts
• Political events
• Bombings, terrorist attacks, espionage, civil
  disturbances, strikes

4
Information Protection Environment

• A layered defense model

Perimeter
Building Grounds
Building Entrance
Building Floors/Office Suites
Offices/Data Centers Equipment/Supplies, Media
5
Crime Prevention through Environmental Design
(CPTED)

• CPTED as a concept began during the 1960s.
• It states that the physical environment of a
  building can be changed or managed to produce
  behavioral effects that will reduce the incidence
  and fear of crime.
• It contains elements that make legitimate users
  of a space feel safe and make illegal users feel
  unsafe in pursuing undesirable behavior.
• It is a psychological and sociological method of
  looking at security.

6
CPTED strategies

• Territoriality
• People protect territory that they feel is their
  own and people have a certain respect for the
  territory of others.
• CPTED encourages the use of physical attributes
  that express ownership, such as fences, pavement
  treatments, art, signs, good maintenance, and
  landscaping.
• Surveillance
• Surveillance is a principal tool in the
  protection of a space.
• Landscaping and lighting can be planned to
  promote natural surveillance from inside and from
  the outside.
• Closed-circuit television (CCTV) is often used as
  an additional deterrent.
• Access control
• Properly located entrances, exits, fencing, and
  landscaping can control the flow or limit access
  to both foot and automobile traffic in ways that
  discourage crime.

7
Site Location

• Physical security should begin with a detailed
  site selection process.
• Where and how a building should be built?
• Does our business have specific physical security
  concerns regarding the facility location?
• Is it vulnerable to crime, riots, or terrorism
  attacks?
• Is it vulnerable to natural disasters?
• Where is it located in relationship to adjacent
  buildings and/or other businesses?
• How far away is it to other types of threats?
• What are neighborhood crime rates and types?
• What type of emergency support response is
  provided to the area?

8
Construction Impacts

• Construction controls involve designing walls,
  windows, doors, and infrastructure support
  elements, such as water or gas lines, in a secure
  fashion.
• Constructing walls that are fire-rated
• Penetration resistant
• Windowless or have non-opening windows
• Questions to consider
• Could the structure withstand relevant natural
  threats?
• Is it earthquake resistant?
• Does the business require specific building
  enhancements?

9
Facility Impacts

• Entry points
• Infrastructure support systems
• Electrical power
• Heating, ventilation, air conditioning (and
  refrigeration)
• Internal sensitive or compartmentalized areas
• Portable computing

10
Entry points

• External entry points
• Doors, windows, roof access, service or delivery
  doors, fire-escape entries, other secondary
  entrances
• Internal entry points
• Elevators, stairs, door to internal offices

11
Infrastructure support systems

• Include power, water/plumbing, heating,
  ventilation, and air conditioning
• The failure or substandard performance of the
  support systems may interrupt operation of the
  system and may cause physical damage to system
  hardware or stored data.
• Physical security for the infrastructure support
  systems involves not only the area, but also
  locations of wiring used to connect elements of
  the system, such as cabling, plugs, sockets,
  loose wires, exposed cabling.

12
Electrical power

• A disruption in the electrical power supply can
  have a serious business impact.
• Complete power loss
• Blackout complete loss of commercial power
• Fault momentary power outage
• Power degradation
• Brownout an intentional reduction of voltage by
  a utility company
• Sag/dip a short period of low voltage
• Surge a sudden rise in voltage in the power
  supply
• Transient line noise or disturbance is
  superimposed on the supply circuit and can cause
  fluctuations in electrical power
• In-rush current the initial surge of current
  required by a load before it reaches normal
  operation
• Electrostatic discharge another type of
  electrical surge can occur when two
  non-conducting materials rub together, causing
  electrons to transfer from one material to another

13
Interference

• Interference is a random disturbance interfering
  with device operation.
• Electromagnetic interference (EMI)
• The interference in a circuit. Common-mode noise
  occurs between hot and ground wires
  traverse-mode noise occurs between hot and
  neutral wires.
• Radio frequency interference (RFI)
• The reception of radio signals.
• Small electrical discharges generate RFI, and can
  be generated by components of electrical systems,
  transmitting devices, or lightning.
• Other sources of interference radio stations,
  cellular phones, fluorescent lights, defective
  power plugs

14
Water/Plumbing

• Common sources of water problems
• Broken pipes, fire-suppression systems, improper
  installation of air conditioners, evaporative
  coolers
• Water damage can lead to problems with mold and
  mildew that may affect the proper functioning of
  the computer resources

15
HVAC

• Heating, ventilation, and air conditioning
• A system that provides the processes of comfort
  heating, ventilation, and/or air conditioning
  within a space
• HVACR include refrigeration
• Questions
• Where and how the system is installed?
• Whether the location of these areas could allow
  for unauthorized access or some type of sabotage?
• How to remote control, monitor and maintain the
  system?
• Risk of chemical and biological agents entering a
  building through the system

16
Internal sensitive or compartmentalized area

• Several areas need additional physical protection
• Data center
• Server room
• Communication center
• Switching center
• End-user areas where highly sensitive information
  is processed and stored

17
Portable computing

• Because the organizations data is being accessed
  and processed outside the normal physical
  protections of the office, the risk of loss,
  theft, data exposure, and data destruction can be
  significantly greater.

18
Security technology and Tools

• Layered defense
• A fence protects the perimeter
• The building entry points are protected with a
  card access control system
• Inside the building, a card access control system
  protects the elevators and door locks secure the
  stairwells.
• The office doors are also secured with locks.
• Inside the office, the employee has locked all
  sensitive information in an office safe.
• Using multiple types of security controls within
  each of the layers.

19
Perimeter and building grounds boundary protection

• Protective barriers
• Landscaping can be designed to provide a measure
  of security, e.g., shrubs or trees
• Fences to designate a property boundary
• Gates portion of a wall or fence system that
  controls entrance and/or egress
• Bollards vehicle barriers
• Lighting an essential element in an integrated
  physical security system, be used with other
  controls

20
Perimeter Intrusion Detection Systems

• Closed-Circuit television (CCTV)
• A television transmission system that uses video
  cameras to transmit pictures by a transmission
  medium (wired or wireless) to connected monitors.
• CCTV levels
• Detection the ability to detect the presence of
  an object
• Recognition the ability to determine the type of
  object
• Identification the ability to determine object
  details
• Three main components
• Camera, transmission media, and monitor

21
CCTV

• Camera and lens
• To capture an optical image and convert the image
  into a video signal that is then transmitted to a
  remote monitor display
• Tube cameras use a cathode ray tube (CRT)
• CCD cameras use charge-coupled discharge (CCD)
• Infrared cameras provide night-vision capability
• Fixed lens vs. zoom lens
• Depth-of-field the area between the nearest and
  farthest points that appear to be in focus
• Field-of-view the entire area that can be
  captured by the lens

22
CCTV (Cont.)

• Transmission media
• Coaxial cable
• Fiber-optic cables
• Wireless transmission
• Display monitors
• NTSC, PAL
• HDTV
• Other equipments
• Pan and tilt units designed for remote control
  positioning of cameras in both the horizontal
  (pan) and vertical (tilt) planes.
• Multiplexers or switches combine several cameras
  onto a single line or allow selected viewing of
  multiple cameras
• Videotape recorders
• Digital recorders

23
Building Entry Points

• Doors
• Hollow-core versus solid-core
• Windows
• Shatter-resistant, installed in fixed frames, can
  be locked from the inside
• Locks
• Key locks, combination locks, smart locks
• Guard Stations
• To monitor the security of the facility through
  TV monitors, alarm systems, intercoms, etc
• Card Access Control or Biometric Systems
• card card reader

24
Inside the Buildings

• Supply system controls
• Electric power controls
• Surge suppressors
• Controlling interference
• Uninterruptible power supply (UPS)
• HVAC controls
• Water controls
• Gas lines

25
Fire Protection

• Fire prevention
• Materials used in construction should be as
  fireproof as possible
• Backup tapes and software should be stored in
  fireproof containers (they will produce poisonous
  gases when they burn)
• File-prevention training, includes fire drills
• Fire detection
• Smoke detectors
• Photoelectric detectors
• Heat detectors
• Fire suppression
• Fire-extinguishing systems
• For computer equipment, type ABC extinguishers
  are appropriate
• Automatic sprinkler systems unpure water may
  compound the problem instead of help!
• If possible, equipment should be shut off before
  discharging the sprinkler system.
• Once a computer is wet, it should not be turned
  on until it is thoroughly dry.

26
Fire Classes
Class Type Suppression
A Common combustibles (i.e., wood products) Water, soda acid
B Liquid (i.e., petroleum products, coolants) Gas, CO2, soda acid
C Electrical (i.e., electrical equipment, wires) Gas, CO2
D Combustible metals Dry powder
27
Penetration Detection Systems

• Basic types of physical intrusion detection
  systems include
• Breaking or making an electrical circuit
• Interrupting a light beam
• Detecting sound or changes in sound levels
• Detecting vibration
• Detecting changes in heat level through passive
  infrared detectors
• Detecting a disturbance in an electrostatic,
  microwave, ultrasonic, or other type field

28
Good Security Practices for Data Center Security

• Access control
• Electronic access control badge/smart
  cards/biometric devices
• Post an access control list on the outside of the
  door, indicating who is allowed unescorted access
• Have access control policies for daytime use,
  after-hour use, or during an emergency
• CCTV to view visitors
• Site location
• Location within the building should not be easily
  accessible to visitors or to the general public
• Away from external windows or walls
• Away from water pipes or other support system
  facilities

29
Good Security Practices for Data Center Security

• Walls
• Construct the room as a single unit
• Walls should not form part of an external wall of
  the building
• If using glass as an external wall barrier, use
  shatter-resistant glass to limit damage from
  breakage
• Doors
• Should be solid core
• Should not open out
• Door frame should be permanently fixed to the
  adjoining wall studs
• Door hinges should be fixed to the frames with a
  minimum of three hinges per door

30
Good Security Practices for Data Center Security

• HVAC
• Should be on a separate system from the rest of
  the building
• The size of the ducts and vents should ensure
  that they cannot be breached by an intruder
• Positive pressures should be maintained
• Power supply
• A backup power supply (UPS or generator) should
  exist for a minimum amount of time as required by
  the organizations needs
• Backup power supply needs to be tested on a
  regular basis
• Electrical facilities that support the data
  center should be separate from the main building
• Electrical closets, cables, and wiring should be
  properly secured
• Fire
• Deploy portable extinguishers at exits and near
  equipments
• Install fire sensors/detection equipment
• Have documented and tested emergency plans
• Install water sensors under the raised floor