Physical Security

Katie Parker and Robert Tribbia, Computer Security, Fall 2008

Upload: richard-caldwell

Post on 18-Jan-2016


Page 1: Physical Security

Katie Parker and Robert Tribbia

Computer Security

Fall 2008

Page 2: Physical Security

Prevent attackers from accessing a facility, resource, or information stored on physical media

Page 3: Two Main Things to Protect Against

Human Attack
Natural Disasters

Page 4: Human Attacks

Attacks from outside
  – Thieves/burglars
  – Hackers
  – Former employee
Attacks from inside
  – Current angry or disgruntled employee
  – Agent for hire

Page 5: Five Layers of Physical Security

Environmental deterrents
Mechanical deterrents
Surveillance deterrents
Human deterrents
Proper employee training

Page 6: Environmental Deterrents

Primarily for outside attacks
High walls, fences
Used to deter less motivated attackers

Page 7: Mechanical Deterrents

Can range from simple ID card to high-tech biometrics
Locked gates, key cards
Access control

Page 8: Surveillance Deterrents

Used to help prevent future attacks and provide information on past attacks
Cameras, microphones, detection systems
CCTV/cameras can help deter “shoulder surfing”

Page 9: Human Deterrents

Can be used to prevent both outside and inside attacks
Security guards and checkpoints – outside
Reception desks and the employees (when trained) – inside
One is not enough!

Page 10: True Story

2 attackers obtained entry to data center
Security guard wasn’t at post, one employee on duty
Attackers beat employee and used employee to gain access to equipment

Page 11: Employee Training

Common problem is laziness
Train employees to always:
  – Lock all unattended workstations
  – Turn monitors away from common areas
  – Shred sensitive documents
  – Lock laptops
Stolen laptops are becoming a big security issue

Page 12: Social Engineering

Tricking people into giving confidential information or granting access
Several different methods
  – Pretexting
  – Baiting
  – Quid pro quo

Page 13: Pretexting

Using an invented scenario to convince the victim to give up personal information or do some action
Justin Long’s character in Live Free or Die Hard; car

Page 14: Baiting

Attacker puts harmful virus/malware on a device
Leave device in public place with legitimate title
Victim uses device and uploads the malware to system

Page 15: Quid Pro Quo

“Something for something”
Attacker offers help with problem, but while helping, hurts too
The Italian Job – Becky the cablewoman

Page 16: Dumpster diving

Searching through the trash for valuable information that is still intact
Prevent by:
  – Thoroughly shredding all important data

Page 17: Regular old theft

Mission Impossible
Katie’s work application

Page 18: Natural Disasters

Risk Assessment
  – See what problems are the most likely for your location and guard against them
  – Example: in Tallahassee, don’t really need to worry about earthquakes, so don’t spend money protecting against them

Page 19: Natural disasters

Fire
Fire can destroy computer hardware
Prevent with:
  – Smoke detectors
  – Fire alarms
  – Fire extinguishers

Page 20: Other Natural Disasters

Liquid damage
  – Keep sensitive equipment on 2nd floor or higher
  – Don’t run water pipes through or near rooms with susceptible equipment
Earthquakes
  – Support with gel padding and springs
Lightning
  – Faraday cages
  – Generators