CISSP Preparation Training - PowerPoint PPT Presentation

1
CISSP Preparation Training
  • Physical Security
  • Domain Ten
  • February 16, 2006

Jack Callaghan, CISSP CISM 719.265.8378 jcall_at_ttrg.org
2
10 Domains
  • Access Control Systems & Methodology
  • Telecommunications & Network Security
  • Security Management Practices
  • Application & Systems Development Security
  • Cryptography
  • Security Architecture & Models
  • Computer Operations Security
  • Business Continuity Planning & Disaster
    Recovery Planning
  • Law, Investigation, & Ethics
  • Physical Security

3
Introduction
  • Objective of Physical Security controls
  • Ensure the system and its resources are available
    when needed
  • Measured through the AIC Triad
  • Availability, Integrity, and Confidentiality
  • Physical Security is a secondary deterrent to the
    Logical Information Security controls

4
Brief History
  • Mid-twentieth century - the ENIAC
  • Huge computer with single mission
  • Third generation systems (1960s)
  • Large concert facilities housing multi-tasking
    systems
  • Physical security systems catch up (1970s)
  • Introduced mechanical locks, card access, fire
    suppression, ...
  • Affordable Computer Era (1980s)
  • Distributed architecture with internet
    connectivity and company reliance that introduces
    new security concerns

5
Physical Security New Concerns
  • Provide protection to
  • The main corporate facility
  • Other facilities on the campus
  • Services such as water, power, climate control,
    etc.
  • Various computer systems
  • Static Systems
  • Mobile Systems
  • Portable System

6
The Need
  • To protect against computer service
    interruptions, physical damage, unauthorized
    information disclosure, system hijacking, or
    physical theft by
  • Natural/Environmental
  • Earthquakes, floods, storms, lightning,
    structural, ...
  • Supply Systems
  • Comm outages, power distribution, burst pipes, ...
  • Man-Made
  • Disgruntled employees, unauthorized access,
    malicious code, theft, sabotage, ...
  • Political Events
  • Bombings, terrorism, riots, strikes, ...

7
Layered Defense Model
  • A strategy that includes examining Physical
    Security measures starting at the site perimeter
    and working down to the desktop computer
  • Layers, from the outside in
  • Perimeter
  • Building Grounds
  • Building Entrance
  • Building Floors/Office Suites
  • Offices/Data Centers
  • Equipment/Supplies, Media

8
Information Protection Environment
  • Physical Security requires that the building site
    be protected in a manner that minimizes risk to
    theft, destruction, and unauthorized access
  • Areas of discussion
  • Crime Prevention through Environmental Design
    (CPTED)
  • Site Location
  • Construction
  • Support Facilities

9
Crime Prevention
  • Crime Prevention through Environmental Design
    (CPTED)
  • Premise: the physical environment of the building
    can be changed or managed to produce behavioral
    effects that will reduce the incidence and fear
    of crime
  • Instituted through a combination of security
    hardware, psychology, and site design to
    discourage crime

10
Crime Prevention
  • Key Strategies
  • Territoriality
  • Use physical attributes that express ownership:
    art, signs, maintenance, and landscaping
  • Surveillance
  • Proper lighting, open entries, windows between
    restricted areas, and closed circuit television
    (CCTV)
  • Access Control
  • Limited entrances/exits, fencing, and the use of
    corporate badges that signal authorized users

11
Site Selection
  • Major considerations
  • Unique Physical Security concerns of your
    operations
  • Vulnerable to riots, demonstrations, and
    terrorism
  • Natural/Environmental concerns
  • Adjacent businesses
  • Distance to other threat areas: airports,
    highways, military bases, and hazardous chemical
    production
  • High crime neighborhoods
  • Available emergency services: fire department and
    police

12
Facility Construction
  • Information system processing areas
  • Floor slab - load, fire rating, drains
  • Raised flooring - grounded, non-conducting
  • Walls - slab, fire, adjacencies
  • Ceiling - load, fire & waterproof
  • Windows - fixed, shatterproof, translucent
  • Doors - hardware, hinges, fire, emergency exit,
    monitored

13
Facility Construction
  • Additional recommendations
  • Dropped ceilings - walls should extend above the
    ceiling
  • Raised floors - walls should extend below the
    false floor
  • Air ducts - should be small enough to prevent an
    intruder from crawling through them
  • Glass walls - Easy to break and easy to see
    through

14
Support Facilities
  • HVAC - Heating, Ventilation, Air Conditioning
  • Maintain proper temperature (50-80 degrees)
  • Keep humidity level at 20-80 percent
  • Install monitors and alarms
  • Use air filters to protect against dust
  • Control access

15
Support Facilities
  • Water
  • Protect against all types of flooding
  • Rain and ice buildup
  • Toilet or sink overflow
  • Overhead pipes (e.g., sprinkler systems)
  • Install water sensors on the floor near computers
    and beneath raised floors
  • Allow wet systems to dry out
  • Control access

16
Support Facilities
  • Electricity
  • Dedicated feeder
  • Dedicated, filtered, circuit with an isolated
    ground for each system
  • Use surge protectors
  • Install an uninterruptible power supply (UPS)
  • Install a backup source for critical systems
  • Anti-static carpet

17
Support Facilities
  • Other considerations
  • Earthquakes
  • Keep computers away from glass windows and high
    surfaces
  • Place components on shock absorbers and anchor
  • Ensure other objects don't fall on computers
  • Lightning
  • Shut down systems if possible and unplug them
  • Store backup tapes away from the building's steel
    supports

18
Security Technology and Tools
  • Physical Security tools are used to prevent or
    deter unauthorized events or delay the activity
    until proper response
  • Physical Security tools that are used
  • Fences, Gates, Barriers, and Lighting
  • Surveillance Devices
  • Entry Points
  • Biometrics and Access Control
  • Supply System Controls
  • Fire Protection Controls
  • Intrusion Detection
  • Data Center and Object Protection

19
Fences, Gates, Barriers, and Lighting
  • Fences are used to secure the boundary
  • Consider proper gauge, top guards, posts, and
    height
  • Gates are considered a moveable barrier
  • Swinging, sliding, raising, rolling, barrier, or
    entrapment
  • Barriers/Vehicle Barriers
  • Heavy duty barriers define boundaries
  • Lighting
  • Essential element in a Physical Security system

20
Fencing
  • Chain link - most commonly used
  • At least 6-8 feet high
  • Bottom of fence should be within 2 inches of firm
    soil, or buried in soft soil
  • Barbed wire - not less than 6 feet high, attached
    to posts not more than 6 feet apart. No more
    than 6 inches between strands
  • Barbed tape or Concertina - can be deployed
    quickly. Coils are about 3 feet in diameter

21
Barriers
  • Types of physical barriers
  • Natural: mountains, swamps, rivers, cliffs, etc.
  • Structural: fences, walls, doors, gates, poles,
    etc.
  • Physical barriers delay but rarely stop a
    determined intruder
  • Barriers must be augmented by other means of
    protection

22
Lighting Types
  • Continuous - fixed lights arranged to flood an
    area with overlapping cones of light (most
    common)
  • Standby - randomly turned on to create an
    impression of activity
  • Movable - manually operated movable searchlights.
    Used as needed to augment continuous or standby
    lighting
  • Emergency - may duplicate any or all of the
    above. Depends on an alternative power source.

23
Lighting Concepts
  • Direct illumination - directs light down from a
    structure to the ground surrounding the structure
  • Indirect illumination - backlights intruders
    against the structure (aesthetically pleasing)
  • Intermittent - a deterrent system developed to
    turn lights on at random times
  • Responsive - an IDS sensor is used to turn on
    lights when an intruder is detected

24
Surveillance Devices
  • Detectors utilizing Video motion, microwave,
    infrared, ultrasonic, laser, or audio
  • Considered both perimeter and building entry
    controls
  • They do not provide the same protection as a
    fence
  • But can provide an intrusion alert warning

25
Surveillance Devices
  • CCTV to detect, recognize, and identify
  • Cameras and Lighting
  • Charge-coupled device vs. cathode ray tube
  • Depth-of-field and Field-of-view
  • Lighting must be sufficient to allow accurate
    viewing
  • Signal transmission media
  • Fiber Optic versus Coax cable
  • Monitors
  • Viewing distance and resolution
  • Peripherals
  • Switchers, splitters, time/date generators,
    video tape/digital recorders, pan & tilt
    mechanisms, ...

26
Surveillance Devices
  • Guards
  • CCTV is not effective unless constantly monitored
  • Advantages
  • Provides the human factor
  • Able to interpret data, make decisions, and react
  • Disadvantages
  • Impose a substantial and continuing labor cost
  • Support costs include bonding, licensing,
    training, uniforms, equipment, and administration

27
Entry Points
  • Entry points into the building are not always the
    front door, and each has inherent Physical
    Security concerns
  • Entry Doors
  • Solid-Core versus Hollow-Core
  • Hinges and strike plates must be secured
  • Frame must be solid and secured to the wall
  • Panic-Bars
  • Contact or Switch Devices
  • Mantraps

28
Entry Points
  • Windows
  • Laminated Glass
  • 1/2 inch thick - burglar proof
  • 1 inch thick - bullet proof
  • Wired Glass
  • Solar Window Films
  • Window Security Film
  • Glass Breakage Sensors

29
Entry Points
  • Locks
  • Locks are considered delay devices
  • Composed of lock body, strike, and key
  • Types
  • Key, combination, electronic, and deadbolt Locks
  • Keyless/Pushbutton Locks
  • Smart Locks
  • Includes plastic card, key pad, and alarmed
  • Master-Keying
  • Requires a written policy for issue, emergency
    use, storage, physical guards, and utility rooms

30
Biometrics
  • Biometrics
  • The use of unique physiological, behavioral, and
    morphological characteristics to provide positive
    personal identification
  • Fingerprints
  • Handprints
  • Retina patterns
  • Iris patterns
  • Facial characteristics
  • Voice recognition
  • Signature recognition
  • Keystroke patterns
  • Virtually spoof-proof

31
Access Control
  • To gain access, a user should have to pass an
    authentication test
  • Something you know: password or PIN
  • Something you have: key, badge, token, or smart
    card
  • Something you are: fingerprint, hand, eye,
    voice, face, or signature

32
Access Control
  • Passwords
  • The most common form of authentication
  • Inexpensive to implement and use
  • Administrative costs are high
  • Up to 50% of help desk calls
  • Estimated up to $80 per call
  • People don't create good passwords
  • Good passwords are written down
  • 72% of hackers say passwords are the easiest
    and most common hack.

33
Access Control
  • Tokens
  • In olden days, a messenger would carry the king's
    seal or ring to prove he was not a spy
  • Modern tokens are electronic devices containing
    encoded information about the user who's
    authorized to carry it
  • Challenge/Response token
  • Employs a two-factor authentication system
  • Token itself + PIN

34
Access Control
  • Smart cards
  • Contains a processor, memory, and user interface
  • One type performs a series of complex
    calculations and sends the result back to the
    host system
  • Another displays a code that changes every 60
    seconds - synchronized with host module
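
The two token behaviours described on the Tokens and Smart cards slides (a challenge/response token used with a PIN, and a displayed code that changes every 60 seconds in step with the host), as an added example that is not part of the original presentation. The slides name no algorithm: the HMAC construction, the 6- and 8-digit lengths, the one-step drift window and the way the PIN is mixed into the key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60  # from the slide: the code "changes every 60 seconds"


def _truncate(mac: bytes, digits: int) -> str:
    """Reduce an HMAC to a short decimal code (RFC 4226 dynamic truncation)."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_code(secret: bytes, unix_time: int) -> str:
    """Code the card displays at unix_time: HMAC over the 60-second counter."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, 6)


def host_verify_time_code(secret, submitted, host_time,
                          drift_steps=1, last_counter=-1):
    """Host side of the time-synchronized card.

    Accepts codes within +/- drift_steps intervals of the host clock and
    refuses any interval at or before last_counter, so a code that was
    observed and replayed is rejected. Returns the matched counter or None.
    """
    now = host_time // STEP_SECONDS
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter <= last_counter:
            continue
        expected = time_code(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


def token_response(secret: bytes, pin: str, challenge: bytes) -> str:
    """Token side of challenge/response: 'token itself + PIN'.

    Assumption: the PIN is hashed together with the token secret to form
    the key, so a stolen token without the PIN yields wrong responses.
    """
    key = hashlib.sha256(secret + pin.encode()).digest()
    return _truncate(hmac.new(key, challenge, hashlib.sha256).digest(), 8)


class ChallengeHost:
    """Host side: issues a fresh random challenge and checks one response.

    Simplification: the host holds the PIN directly; a production system
    would store only a derived verifier.
    """

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin
        self._pending = None

    def issue_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: str) -> bool:
        challenge, self._pending = self._pending, None  # single use
        if challenge is None:
            return False
        expected = token_response(self._secret, self._pin, challenge)
        return hmac.compare_digest(expected, response)
```
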

35
Supply System Controls
  • Electronic Power Controls
  • Surge Suppressors
  • Uninterruptible Power Supply (UPS)
  • Battery or generator
  • Static Controls
  • HVAC Controls
  • Humidity
  • heat/cooling
  • Water Controls
  • Gas Lines
  • Major concerns
  • System Monitors
  • Controls (on/off)
  • Secured Location
  • Training

36
Fire Protection Controls
  • Fire detection controls - typical controls that
    protect facilities against fire
  • Human senses
  • Temperature & ion detectors
  • Detector locations: pull boxes, sensors,
    ceilings, below raised floors, return air ducts
  • Audible and visible fire warnings
  • Remote alarms to guards or fire department
  • Check and/or exercise often

37
Fire Protection Controls
  • Fire suppression - Halon 1301
  • Came on the market in the 1960s as most effective
    gaseous fire fighting agent
  • By the late 1980s, evidence indicated Halon was
    an ozone depleting chemical
  • Montreal Protocol of 1987 required a phaseout of
    new production
  • Current Status
  • No legal obligation to remove Halon systems
  • No new Halon 1301 is being manufactured
  • Wise to plan the replacement of Halon systems
    with a Halon alternative

38
Fire Protection Controls
  • Fire suppression - FE-13
  • Developed by DuPont as a chemical refrigerant
  • Its molecules absorb heat from a fire until the
    atmosphere no longer supports combustion
  • Exhibits some ability to inhibit the chain of
    combustion similar to Halon 1301
  • Limited atmospheric lifetime
  • Zero ozone depletion potential

39
Fire Protection Controls
  • Fire suppression - Carbon Dioxide (CO2)
  • Reduces oxygen content & reduces the ambient
    temperature
  • High ratio of expansion facilitates rapid
    discharge and allows for 3-dimensional
    penetration of the entire hazard area
  • CO2 is electrically non-conductive
  • Has no residual clean-up

40
Fire Protection Controls
  • Fire suppression - Argon
  • Clean, clear, and colorless
  • Heavier than the surrounding air
  • Fire suppression is achieved by displacement of
    oxygen in the air
  • Zero ozone depleting potential (ODP)
  • Zero global warming potential (GWP)

41
Fire Protection Controls
  • Fire suppression - FM-200
  • Chemically known as heptafluoropropane
  • Also known in the industry as HFC-227ea
  • Cools the fire at the molecular level
  • Safe for use when people are present
  • Zero ozone depletion potential

42
Fire Protection Controls
  • Fire suppression - INERGEN
  • Blend of Nitrogen, Argon, and Carbon Dioxide
  • Lowers the oxygen content of the area below 15% -
    the point where most combustibles will not burn
  • Patented carbon dioxide in INERGEN protects
    anyone trapped in the area from the effects of
    the lowered oxygen levels
  • Electrically non-conductive
  • Zero ODP and GWP

43
Fire Protection Controls
  • Fire suppression - Water sprinkler systems
  • Wet pipe systems -- when activated, water
    discharges immediately from opened sprinklers
  • Dry pipe systems -- used where portions of the
    system are subject to freezing
  • Preaction systems -- used where discharge of
    water is a special concern (e.g., computer
    facilities)
  • Deluge systems -- used for rapid application of
    water over the entire protected area (represents
    only 1% of all sprinkler systems)

44
Fire Protection Controls
  • Fire suppression - Fire extinguishers
  • Place in obvious locations
  • Train operators on their use
  • Inspect periodically
  • Types
  • Dry chemical -- usually rated for multiple
    purpose use
  • Halon -- contains a gas that interrupts the
    chemical reaction that takes place when fuels
    burn. Limited range of 4-6 feet.
  • Water -- should only be used on Class A fires
  • Carbon Dioxide (CO2) -- most effective on Class B
    and C fires. The liquid CO2 cools the air around
    the fire as the CO2 expands. Only effective from
    3-8 feet.

45
Fire Protection Controls
  • Fire suppression - Extinguisher ratings
  • Class A -- Ordinary combustibles
  • Class B -- Flammable liquids
  • Class C -- Electrical equipment
  • Class D -- Flammable metals

46
Intrusion Detection
  • Contact sensors
  • Photoelectric sensors
  • Acoustic sensors
  • Vibration sensors
  • Motion sensors
  • Capacitance Sensors
  • Temperature sensors (less common)

47
Intrusion Detection
  • Contact sensors
  • Any action which breaks the foil or wire breaks
    the circuit and activates an alarm
  • Advantages
  • Relatively trouble-free
  • Adequate in low-risk applications
  • Disadvantages
  • Costly to install where many entry points exist
  • Unprotected soft walls or ceilings may be targets
  • Will not detect stay-behinds

48
Intrusion Detection
  • Photoelectric sensors
  • Uses a light-sensitive cell and a light source
  • An infrared filter makes the beam invisible
  • Effective up to 500 indoors, 1000 outdoors
  • Advantages
  • Provides effective, reliable notice of intrusion
  • Detects stay-behinds
  • Disadvantages
  • Limited to locations where it is impossible to
    climb over or crawl under the beam

49
Intrusion Detection
  • Acoustic sensors
  • Super-sensitive microphone sensors installed on
    walls, ceilings, and floors
  • Used to safeguard enclosed areas, such as vaults
    and warehouses
  • Advantages
  • Economical and easily installed
  • Disadvantages
  • Can only be used in enclosed areas with a minimum
    of extraneous sound

50
Intrusion Detection
  • Vibration sensors
  • Vibration-sensitive sensors installed on walls,
    ceilings, and floors of the protected area
  • Used to safeguard enclosed areas, such as vaults
    and warehouses
  • Advantages
  • Economical and easily installed
  • Disadvantages
  • Can only be used in enclosed areas with a minimum
    of extraneous sound

51
Intrusion Detection
  • Motion sensors
  • These systems flood the area with acoustic or
    microwave energy, then detect the Doppler shift
    in transmitted and received frequencies
  • Advantages
  • Protects against concealed intruders
  • Protective field is not visible -- difficult to
    defeat
  • Disadvantages
  • May require reduced sensitivity to overcome
    disturbance factors in the enclosed area

52
Intrusion Detection
  • Capacitance sensors
  • Establishes an electrostatic field around an
    object that becomes unbalanced by the body
    capacitance of an intruder
  • Advantages
  • Flexible and simple to install and operate
  • Provides an invisible protective field
  • High grade of protection
  • Disadvantages
  • Can only be applied to ungrounded objects

53
Data Center or Server Room
  • Equipment Security
  • Chain/Cable Locks
  • Enabling devices: special keys, electronic tokens,
    BIOS passwords, and smart cards
  • Visitor Controls/CCTV
  • Located away from heat/water, external windows/walls
  • Proper construction standards
  • HVAC
  • Power Supply/backup
  • Fire detection/protection

54
Object Protection
  • Laptops
  • Common Sense
  • Encryption
  • Safes
  • Good combinations, anchored, and visible location
  • Fire Resistant Cabinets
  • Backups

55
Assurance, Trust, and Confidence
  • Testing can be used to keep everyone aware of
    their responsibilities
  • Types of testing activities
  • Fire Drills
  • Vulnerability and Penetration Testing
  • Written Reports to measure improvements
  • Use of Checklists
  • Use in daily/monthly/annual recurring
    inspections
  • Maintenance and Service

56
Info Protect and Management
  • Goal is to maintain an alert and efficient
    security program
  • Security Manager is responsible for
  • Reporting program status to senior management
  • Daily program and policy management
  • Training employees
  • Evaluating compliance
  • Checking to ensure Physical Security sensors are
    working correctly

57
Info Protect and Management
  • Hiring practices
  • Professional environment
  • Training
  • Terminating employees
  • Precautionary measures

58
Info Protect and Management
  • Hiring practices
  • Take special care to determine each candidate's
    level of personal & professional integrity
  • Employ an in-depth screening process
  • Conduct pre-employment interviews
  • Reference checking is essential
  • Drug testing
  • Written contracts & nondisclosure statements

59
Info Protect and Management
  • Professional environment
  • Rotate job assignments - many attacks take a long
    time to complete
  • Enforce vacation policies - some attacks require
    daily monitoring
  • Limit the access users have to equipment and
    information
  • Monitor your employees' security practices and
    enforce the policies

60
Info Protect and Management
  • Training
  • Ensure security staff is well trained
  • Establish policy for handling turnover and
    training new people
  • Inexperienced system administrators are a major
    threat to security
  • Train employees and document it
  • Display and distribute security awareness
    materials frequently

61
Info Protect and Management
  • Terminating employees
  • Escort to the door - if necessary
  • Get back all keys, badges, tokens, etc.
  • Revoke all system authorizations immediately
  • Save the employee's files for proof in case
    wrongdoing is discovered
  • Inform employee of his/her obligation to keep
    company information confidential

62
Info Protect and Management
  • Precautionary measures
  • Create a working atmosphere
  • Protect corporate secrets
  • Establish intelligent restrictions on access
  • Facilities
  • Systems
  • Information

63
Challenges
  • Protecting the portable environment
  • Portable computing threats
  • Data disclosure
  • Information is worth more than the computer
  • Protection strategies
  • Physical security
  • Identification & authentication
  • Encryption

64
Challenges
  • Theft deterrence . . .
  • Workstation anchor pads
  • Laptop cables
  • Thief-proof briefcases
  • $1400 - $1500 each
  • Can only be opened with the proper code
  • Built-in self-destruct mechanism that erases the
    hard drive if the case is opened by force
  • Internal tracking device

65
Challenges
  • Implementing a cost-effective security program
  • Analyze the problem
  • Design or purchase controls
  • Implement the controls
  • Test and exercise the controls
  • Monitor the controls

66
End of Day, remember to
  • Office doors are locked
  • Desks/cabinets are locked
  • Workstations are secured
  • Flash CDs are secured
  • Company information is secured
