Physical Security

1
Physical Security

• Katie Parker and Robert Tribbia
• Computer Security
• Fall 2008

2
Physical Security

• Prevent attacks from accessing a facility,
  resource, or information stored on physical media

3
Two Main Things to Protect Against

• Human Attack

• Natural Disasters

4
Human Attacks

• Attacks from outside
• Thieves/burglars
• Hackers
• Former employee

• Attacks from inside
• Current angry or disgruntled employee
• Agent for hire

5
Five Layers of Physical Security

• Environmental deterrents
• Mechanical deterrents
• Surveillance deterrents
• Human deterrents
• Proper employee training

6
Environmental Deterrents

• Primarily for outside attacks
• High walls, fences
• Used to deter less motivated attackers

7
Mechanical Deterrents

• Can range from simple ID card to high-tech
  biometrics
• Locked gates, key cards
• Access control

8
Surveillance Deterrents

• Used to help prevent future attacks and provide
  information on past attacks
• Cameras, microphones, detection systems
• CCTV/cameras can help deter shoulder surfing

9
Human Deterrents

• Can be used to prevent both outside and inside
  attacks
• Security guards and checkpoints outside
• Reception desks and the employees (when trained)-
  inside
• One is not enough!

10
True Story

• 2 attackers obtained entry to data center
• Security guard wasnt at post, one employee on
  duty
• Attackers beat employee and used employee to gain
  access to equipment

11
Employee Training

• Common problem is laziness
• Train employees to always
• Lock all unattended workstations
• Turn monitors away from common areas
• Shred sensitive documents
• Lock laptops
• Stolen laptops are becoming a big security issue

12
Social Engineering

• Tricking people into giving confidential
  information or granting access
• Several different methods
• Pretexting
• Baiting
• Quid pro quo

13
Pretexting

• Using a invented scenario to convince the victim
  to give up personal information or do some action
• Justin Longs character in Live Free or Die Hard
  car

14
Baiting

• Attacker puts harmful virus/malware on a device
• Leave device in public place with legitimate
  title
• Victim uses device and uploads the malware to
  system

15
Quid Pro Quo

• Something for something
• Attacker offers help with problem, but while
  helping, hurts too
• The Italian Job- Becky the cablewoman

16
Dumpster diving

• Searching through the trash for valuable
  information that is still intact
• Prevent by
• Thoroughly shredding all important data

17
Regular old theft

• Mission Impossible
• Katies work application

18
Natural Disasters

• Risk Assessment
• See what problems are the most likely for your
  location and guard against them
• Example in Tallahassee, dont really need to
  worry about earthquakes, so dont spend money
  protecting against them

19
Natural disasters

• Fire
• Fire can destroy computer hardware
• Prevent with
• Smoke detectors
• Fire alarms
• Fire extinguishers

20
Other Natural Disasters

• Liquid damage
• Keep sensitive equipment on 2nd floor or higher
• Dont run water pipes through or near rooms with
  susceptible equipment
• Earthquakes
• Support with gel padding and springs
• Lightning
• Faraday cages
• Generators