Physical SecurityPhysical Security

ObjectiveObjective

To address the To address the threatsthreats, , vulnerabilitiesvulnerabilities, and , and countermeasurescountermeasures which can be utilized to physically protect which can be utilized to physically protect an enterprise’s resources and sensitive information to an enterprise’s resources and sensitive information to include people, facilities, data, equipment, support include people, facilities, data, equipment, support systems, media, and supplies.systems, media, and supplies.

To discuss considerations for To discuss considerations for choosing a secure sitechoosing a secure site, its , its design and configurationdesign and configuration, and the , and the methods for securing the methods for securing the facilityfacility against unauthorized access, theft of equipment and against unauthorized access, theft of equipment and information, and the information, and the environmental and safety measuresenvironmental and safety measures needed to protect people, the facility, and its resources.needed to protect people, the facility, and its resources.

Physical SecurityPhysical Security

Physical Security ThreatsPhysical Security Threats Site Design and ConfigurationSite Design and Configuration Physical Security RequirementsPhysical Security Requirements

– For Centralized Computing FacilitiesFor Centralized Computing Facilities

– For Distributed Processing FacilitiesFor Distributed Processing Facilities

– For Extended ProcessingFor Extended Processing

The Layered ApproachThe Layered Approach

Information Protection Environment

Crime Prevention through Environmental Design (CPTED)

• Concept that, as its basic premise, states that the physical environment of a building can be changed or managed to produce behavioral effects that will reduce the incidence and fear of crime

• Territoriality• Surveillance• Access control

Information Protection Environment Cont…

Site Location• Specific physical security concerns• Vulnerable to crime, riots, demonstrations, or terrorism

attacks• Neighborhood crime rates and types• Vulnerable to natural disasters

Construction Impacts Facility Impacts

• Entry points• Infrastructure support systems• Electrical power• Heating, ventilation, air conditioning (and refrigeration)• Internal sensitive or compartmentalized areas• Portable computing

Information Protection Environment Cont…

Electrical Power– Vulnerabilities include total power loss of short or long duration

or degradation in power quality, such as brownouts, spikes, or sags

• Blackout - complete loss of commercial power• Fault - momentary power outage• Brownout - an intentional reduction of voltage by a utility company• Sag/dip - a short period of low voltage• Surge - a sudden rise in voltage in the power supply• Transient - line noise or disturbance is superimposed on the supply

circuit and can cause fluctuations in electrical power• In-rush current - the initial surge of current required by a load before

it reaches normal operation • Electrostatic discharge - another type of electrical surge can occur

when two non-conducting materials rub together, causing electrons to transfer from one material to another

The Layered DefenseThe Layered Defense Perimeter and building grounds

– Landscaping, Fences, Gates, Bollards, Walls, and Doors

• 1 meter/3–4 feet - Deters casual trespassers• 2 meters/6–7 feet - Too high to climb easily• 2.4 meters/8 feet with top guard - Deters

determined intruder

Building entry points Inside the building - building floors, office suites,

and offices

Fire Protection

Fire Prevention– Fireproof Construction materials– False ceiling should not be flammable– Magnetic tapes, if ignited, produce poisonous gases– fire-prevention training

Fire Detection – Ionization-type smoke detectors– Photoelectric detectors– Heat detectors

“The first rule is to get the people out”

Fire Protection Cont…

Fire Suppression

Fire Protection Cont…

Portable ExtinguishersPortable Extinguishers At ExitsAt Exits Mark Locations and TypeMark Locations and Type Types A, B & CTypes A, B & C Need to InspectNeed to Inspect

Water Sprinkler SystemsWater Sprinkler Systems Works to Lower TemperatureWorks to Lower Temperature Most Damaging to EquipmentMost Damaging to Equipment Conventional SystemsConventional Systems ““Dry Pipe” Systems: Less Risk of LeakageDry Pipe” Systems: Less Risk of Leakage Employ in Throughout Building and in all SpacesEmploy in Throughout Building and in all Spaces

Fire Protection Cont…

Carbon Dioxide (COCarbon Dioxide (CO22)) Colorless/OdorlessColorless/Odorless Potentially LethalPotentially Lethal Removes OxygenRemoves Oxygen Best for Unattended FacilitiesBest for Unattended Facilities Delayed-Activation in Manned FacilitiesDelayed-Activation in Manned Facilities

HalonHalon Best Protection for EquipmentBest Protection for Equipment Concentrations <10% are SafeConcentrations <10% are Safe Becomes Toxic at 900Becomes Toxic at 900oo

Depletes Ozone (CFCs)Depletes Ozone (CFCs) Montreal Protocol (1987)Montreal Protocol (1987) Halon 1301: Requires PressurizationHalon 1301: Requires Pressurization Halon 1211: Self-Pressurization (Portable Extinguishers)Halon 1211: Self-Pressurization (Portable Extinguishers)

Physical Security ThreatsPhysical Security Threats Threat ComponentsThreat Components

AgentsAgents MotivesMotives ResultsResults

External ThreatsExternal Threats Wind/TornadoWind/Tornado FloodingFlooding LightningLightning EarthquakeEarthquake Cold and IceCold and Ice FireFire Chemical Chemical

Physical Security Threats Cont…Physical Security Threats Cont…

Internal Physical ThreatsInternal Physical Threats FireFire Environmental FailureEnvironmental Failure Liquid LeakageLiquid Leakage Electrical InterruptionElectrical Interruption

Human ThreatsHuman Threats TheftTheft VandalismVandalism SabotageSabotage EspionageEspionage ErrorsErrors

Site Design ConsiderationsSite Design Considerations

Location and AccessLocation and Access Local CrimeLocal Crime VisibilityVisibility Emergency AccessEmergency Access Natural HazardsNatural Hazards Air and Surface TrafficAir and Surface Traffic Joint TenantsJoint Tenants Stable Power SupplyStable Power Supply Existing Boundary Protection (Barriers/Fencing/Gates)Existing Boundary Protection (Barriers/Fencing/Gates)

Boundary ProtectionBoundary Protection

Area Designation: Facilitates EnforcementArea Designation: Facilitates Enforcement Vehicular AccessVehicular Access Personnel AccessPersonnel Access

OccupantsOccupants Visitors (Escort & Logging)Visitors (Escort & Logging)

FencesFences Deter Casual TrespassingDeter Casual Trespassing Compliments Other Access ControlsCompliments Other Access Controls AestheticsAesthetics Won’t Stop Determined IntruderWon’t Stop Determined Intruder

Boundary Protection Cont…Boundary Protection Cont…

LightingLighting EntrancesEntrances Parking AreasParking Areas Critical AreasCritical Areas

Perimeter Detection SystemsPerimeter Detection Systems Does Not Prevent PenetrationDoes Not Prevent Penetration Alerts Response ForceAlerts Response Force Requires ResponseRequires Response Nuisance AlarmsNuisance Alarms CostlyCostly

Boundary Protection Cont…Boundary Protection Cont…

CCTVCCTV EfficiencyEfficiency Requires Human ResponseRequires Human Response LimitationsLimitations

StaffingStaffing Access Control PointsAccess Control Points PatrolsPatrols EmployeesEmployees

Computing Facility RequirementsComputing Facility Requirements WallsWalls

True Floor to CeilingTrue Floor to Ceiling Fire Rating (at least 1 hour)Fire Rating (at least 1 hour) PenetrationsPenetrations Adjacent AreasAdjacent Areas

DoorsDoors Interior/ExteriorInterior/Exterior HingesHinges Fire RatingFire Rating AlarmsAlarms MonitoringMonitoring

Computing Facility Requirements Cont…Computing Facility Requirements Cont…

Windows/OpeningsWindows/Openings Interior/ExteriorInterior/Exterior FixedFixed ShatterproofShatterproof

Computer and Equipment Room Lay OutComputer and Equipment Room Lay Out Equipment AccessEquipment Access StorageStorage Occupied AreasOccupied Areas Water SourcesWater Sources Cable RoutingCable Routing

Computing Facility Requirements Cont…Computing Facility Requirements Cont…

Dedicated CircuitsDedicated CircuitsControlled Access toControlled Access to

Power Distribution PanelsPower Distribution PanelsMaster Circuit BreakersMaster Circuit BreakersTransformersTransformersFeeder CablesFeeder Cables

Emergency Power Off ControlsEmergency Power Off ControlsVoltage Monitoring/RecordingVoltage Monitoring/RecordingSurge ProtectionSurge Protection

Computing Facility Requirements Cont…Computing Facility Requirements Cont…

Backup PowerBackup PowerAlternate FeedersAlternate FeedersUninterruptible Power SupplyUninterruptible Power Supply

Hydrogen Gas HazardHydrogen Gas HazardMaintenance/TestingMaintenance/Testing

Emergency Power GeneratorEmergency Power GeneratorFuel ConsiderationFuel ConsiderationMaintenance/TestingMaintenance/TestingCostsCosts

HVACHVACTelecomTelecom

Computing Facility Requirements Cont…Computing Facility Requirements Cont…

Humidity ControlsHumidity Controls Risk of Static ElectricityRisk of Static Electricity Risk to Electric ConnectionsRisk to Electric Connections

Air Quality (Dust)Air Quality (Dust) Water ProtectionWater Protection

Falling WaterFalling Water Rising WaterRising Water DrainsDrains Protective CoveringsProtective Coverings Moisture Detection SystemsMoisture Detection Systems

Securing Storage AreasSecuring Storage Areas

Forms Storage RoomsForms Storage Rooms Increased Threat of FireIncreased Threat of FireCombustiblesCombustiblesAccess ControlsAccess Controls

Media Storage RoomsMedia Storage RoomsMedia SensitivityMedia SensitivitySegregationSegregationAccess ControlsAccess ControlsEnvironmental ControlsEnvironmental Controls

Media ProtectionMedia Protection StorageStorage

Media Libraries/Special RoomsMedia Libraries/Special Rooms CabinetsCabinets VaultsVaults

LocationLocation OperationalOperational Off-SiteOff-Site

TransportationTransportation

Cable ProtectionCable Protection

Optical FiberOptical Fiber Copper WireCopper Wire Certifying the Wiring and CablingCertifying the Wiring and Cabling Controlling Access to Closets and Riser RoomsControlling Access to Closets and Riser Rooms

Other ConsiderationsOther Considerations

Dealing with Existing FacilitiesDealing with Existing Facilities PlanningPlanning Upgrade/RenovationUpgrade/Renovation Incremental New ConstructionIncremental New Construction

Protecting the ProtectionProtecting the Protection Implement Physical and Environmental Controls Implement Physical and Environmental Controls

for Security Systemsfor Security Systems Protect against both Intentional and Inadvertent Protect against both Intentional and Inadvertent

ThreatsThreats

Personnel Access ControlsPersonnel Access Controls

Position Sensitivity Designation Position Sensitivity Designation Management Review of Access ListsManagement Review of Access Lists Background Screening/Re-ScreeningBackground Screening/Re-Screening Termination/Transfer ControlsTermination/Transfer Controls Disgruntled EmployeesDisgruntled Employees

Access Controls – LocksAccess Controls – Locks

Preset Locks and KeysPreset Locks and Keys Programmable LocksProgrammable Locks

Mechanical (Cipher Locks)Mechanical (Cipher Locks) Electronic (Keypad Systems): Digital KeyboardElectronic (Keypad Systems): Digital Keyboard

Number of CombinationsNumber of CombinationsNumber of Digits in CodeNumber of Digits in CodeFrequency of Code ChangeFrequency of Code ChangeError Lock-OutError Lock-OutError AlarmsError Alarms

Access Controls - TokensAccess Controls - Tokens

Security Card SystemsSecurity Card SystemsDumb CardsDumb Cards

Photo Identification BadgesPhoto Identification BadgesManual Visual VerificationManual Visual VerificationCan be Combined with Smart TechnologyCan be Combined with Smart Technology

Digital Coded (Smart) CardsDigital Coded (Smart) CardsOften Require Use of PIN Number with CardOften Require Use of PIN Number with CardReaders: Card Insertion, Card Swipe & ProximityReaders: Card Insertion, Card Swipe & Proximity

Types of Access CardsTypes of Access Cards

Photo ID CardsPhoto ID Cards Optical Coded Cards (Magnetic Dot)Optical Coded Cards (Magnetic Dot) Electric Circuit Cards (Embedded Wire)Electric Circuit Cards (Embedded Wire) Magnetic Cards (Magnetic Particles)Magnetic Cards (Magnetic Particles) Metallic Stripe Card (Copper Strips)Metallic Stripe Card (Copper Strips)

Access Controls - BiometricsAccess Controls - Biometrics Fingerprint/Thumbprint ScanFingerprint/Thumbprint Scan Blood Vein Pattern ScanBlood Vein Pattern Scan

RetinaRetina WristWrist HandHand

Hand GeometryHand Geometry Facial RecognitionFacial Recognition Voice VerificationVoice Verification Keystroke RecordersKeystroke Recorders ProblemsProblems

CostCost SpeedSpeed AccuracyAccuracy

Physical Security in Distributed Physical Security in Distributed ProcessingProcessing

ThreatsThreatsTo ConfidentialityTo Confidentiality

Sharing ComputersSharing ComputersSharing DiskettesSharing Diskettes

To AvailabilityTo Availability User ErrorsUser Errors

To Data IntegrityTo Data IntegrityMalicious CodeMalicious CodeVersion ControlVersion Control

Physical Security Controls Distributed Physical Security Controls Distributed ProcessingProcessing

Office Area ControlsOffice Area ControlsEntry ControlsEntry ControlsOffice Lay-OutOffice Lay-OutPersonnel ControlsPersonnel ControlsHard-Copy Document ControlsHard-Copy Document ControlsElectronic Media ControlsElectronic Media ControlsClean-Desk PolicyClean-Desk Policy

Physical Security Controls - Office AreaPhysical Security Controls - Office Area

Printer/Output ControlsPrinter/Output ControlsProperty ControlsProperty ControlsSpace Protection DevicesSpace Protection DevicesEquipment Lock-DownEquipment Lock-Down

Physical Security Controls - Distributed Physical Security Controls - Distributed Processing Cont…Processing Cont…

Cable LocksCable LocksDisk LocksDisk LocksPort ControlsPort ControlsPower Switch LocksPower Switch LocksKeyboard LocksKeyboard LocksCover LocksCover Locks

Physical Security Controls - Distributed Physical Security Controls - Distributed Processing Cont…Processing Cont…

Isolated Power SourceIsolated Power Source NoiseNoise Voltage FluctuationsVoltage Fluctuations Power OutagesPower Outages

Heat/Humidity ConsiderationsHeat/Humidity Considerations Fire/WaterFire/Water Magnetic Media ControlsMagnetic Media Controls

Physical Security Controls Extended Physical Security Controls Extended ProcessingProcessing

User Responsibilities ParamountUser Responsibilities ParamountProtection against DisclosureProtection against Disclosure

Shoulder SurfingShoulder SurfingAccess to Sensitive Media and Written MaterialAccess to Sensitive Media and Written Material

Integrity ProtectionIntegrity ProtectionProtection against Loss or TheftProtection against Loss or Theft

LocksLocksPracticesPractices

Management ResponsibilitiesManagement ResponsibilitiesApprovalApprovalMonitoringMonitoring

Physical Security - Other TermsPhysical Security - Other Terms

TailgateTailgate Piggy-BackPiggy-Back Stay Behind Stay Behind DegaussDegauss RemanenceRemanence MantrapMantrap Pass-BackPass-Back Dumpster DivingDumpster Diving False Positive/NegativeFalse Positive/Negative Montreal ProtocolMontreal Protocol Duress AlarmDuress Alarm Tamper AlarmTamper Alarm

Passive UltrasonicPassive Ultrasonic Fail Safe/Fail SoftFail Safe/Fail Soft IDSIDS Shoulder SurfingShoulder Surfing Electronic EmanationElectronic Emanation TsunamiTsunami RFIRFI Defense in DepthDefense in Depth EMIEMI Top GuardTop Guard

??