dr. bhavani thuraisingham the university of texas at dallas (utd) june 2011 physical (environmental)...

Dr. Bhavani ThuraisinghamThe University of Texas at Dallas (UTD)

June 2011

Physical (Environmental) Security

Domain Agenda• Site and Facility Design Criteria• Perimeter Security • Building and Inside Security• Secure Operational Area

Site Location Considerations• Emergency services• Hazards/ threats• Adjacency

Threats to Physical Security• National / environmental• Utility systems• Human-made/ political events

Threat Sources and ControlsThreat

• Theft• Espionage• Dumpster diving• Social engineering• Shoulder surfing• HVAC access

Controls• Locks• Background checks• Disposal procedures• Awareness• Screen filters• Motion sensors in

ventilation ducts

Domain Agenda• Site and Facility Design Criteria• Perimeter Security • Building and Inside Security• Secure Operational Area

Perimeter and BuildingBoundary Protections

• First line of defense• Protective barriers

– Natural– Structural

Fences• Federal, state or local codes may apply• Parking should not be allowed near fences

Controlled Access Points• Gates are the minimum necessary layer• Bollards

Perimeter Intrusion Detection Systems• Detect unauthorized access into an area

– Electronic ‘eyes’

• Note that some perimeters IDSs can function inside the perimeter as well.

Types of Lighting• Continuous lighting• Trip lighting• Standby lighting• Emergency exit lighting• Emergency egress lighting

Access and Visitor Logs and More Rigorous forms of Logging

ABC CompanyEntrance:___________________ Date:________________

Name Institution Name of Person VisitingTime In Time

Out

Closed Circuit Television (CCTV)• CCTV Capability Requirements

– Detection– Recognition– Identification

• Mixing Capabilities• Virtual CCTV Systems

Guards and Guard Stations• Guards

– Deterrent– Possible liability

• Guard stations

Domain Agenda• Site and Facility Design Criteria• Perimeter Security • Building and Inside Security• Secure Operational Area

Doors• Isolation of critical areas• Lighting of doorways• Contact devices• Guidelines

Building Entry Point Protection• Locks• Lock components

– Body– Strike– Strike plates– Key– Cylinder

Types of Locks• Something you have – Keyed• Something you know – Combinations• Something you are - Biometric

Lock Attacks• Lock picking• Lock bumping

Lock Controls• Lock and key control system• Key control procedures• Change combinations• Fail

– Soft– Secure– Safe

Other Electronic Physical Controls• Card access• Biometric access methods

Windows and Entry Points• Standard plate glass• Tempered glass• Acrylic materials• Polycarbonate windows• Entry points

Intrusion Detection Systems (IDS)• Closed circuit television• Sensors and monitors

Escorts and Visitor Control• Visitor access control best practices

– Picture identity– Photographs– Enclosed area– Authorized escort

Access Logs• Computerized log• Closed circuit TV

Domain Agenda• Site and Facility Design Criteria• Perimeter Security • Building and Inside Security• Secure Operational Area

Equipment Room• Perimeter enclosure• Controls• Policy

Data Processing Facility• Small devices threat• Server room• Mainframes• Storage

Communications and Power• Wireless access points• Network access control• Utility and power rooms

Work Area• Operators• System administrators• Restricted work areas

Equipment Protection• Inventory• Locks and tracing equipment• Data encryption• Disabling I/O ports

Environmental Controls

System• Electric power• HBAC• Water / plumbing• Gas• Refrigeration

Threat• Loss of power• Overheating• Flood / dripping• Explosion• Leakage

Fire Protection• Prevention – reduce causes• Detection – alert occupants• Suppression – contain or extinguish

Materials and Suppression Agents

Type Suppression Agents

Common combustibles Water, foam, dry chemicals

Combustible liquids Inter gas, CO2, foam, dry chemicals

Electrical Inert gas, CO2, dry chemicals

Combustible metals Dry powders

Cooking media (fats) Wet chemicals

Flooding Area Coverage• Water – sprinkler systems• Gas – Halon/CO2/Argon systems• Best practices for systems• Portable extinguishers

Types of Electrical Power Faults• Complete loss of power• Power degradation• Interference (noise)• Grounding

Loss of Electrical Power• UPS• Generators• Goals of power• Power controls

Heating Ventilation Air Condition (HVAC)

• Location• Positive pressure• Maintenance

Other Infrastructure Threats• Gas leakage• Water threats

Key Performance Indicators• # of physical security incidents detected• # of false positives for biometrics