Domain 4: Physical (Environmental) Security - PowerPoint PPT Presentation

Loading...

PPT – Domain 4: Physical (Environmental) Security PowerPoint presentation | free to view - id: 611b73-MTI5M



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Domain 4: Physical (Environmental) Security

Description:

... Zoom Pan & Tilt Transmission Media Coax Cable Fiber Cable Wireless Monitor CCTV Added Components Camera Tube Pan and Tilt Units Panning Device Mountings ... – PowerPoint PPT presentation

Number of Views:268
Avg rating:3.0/5.0
Slides: 99
Provided by: ErnieH1
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Domain 4: Physical (Environmental) Security


1
Domain 4 Physical (Environmental) Security
  • CISSP Study Group
  • April 15, 2007

2
References
  • Official (ISC) Guide to the CISSP CBK
  • US Army Field Manual 3-19.30, Physical Security
  • CISSP Prep Guide Krutz Vines
  • Fighting Computer Crime Parker
  • CISSP Certification Shon Harris
  • CISSP for Dummies (Rev 0) Miller Gregory
  • Physical Security for Mission-Critical
    Facilities and Data Centers, by Gerald Bowman,
    Information Security Management Handbook, 5th
    Edition, Vol 3
  • Mike Meyers Passport Security
  • Uptime Institute www.uptimeinstitute.com
  • Status Of Industry Efforts To Replace Halon Fire
    Extinguishing Agents, Robert T. Wickham,
    http//www.periphman.com/fire/statusofindustry.pdf

3
IMPORTANT TIP!
  • Many CISSP candidates underestimate the physical
    security domain. As a result, exam scores are
    often the lowest in this domain.
  • CISSP For Dummies
  • Page 301

4
Objectives
  • Upon completion of this discussion, you should be
    able to
  • Describe the threats, vulnerabilities, and
    countermeasures related to physically protecting
    the enterprises sensitive information assets
  • Identify the risk to facilities, data, media,
    equipment, support systems, and supplies as they
    relate to physical security.

5
5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

6
Risks to CIA
  • Interruptions in providing computer services
    Availability
  • Physical Damage Availability
  • Unauthorized Disclosure of Information
    Confidentiality
  • Loss of Control Over Information Integrity
  • Physical Theft Confidentiality, Integrity, and
    Availability

7
Definition Physical Security
  • The physical measures and their associated
    procedures to safeguard and protect against
  • Damage
  • Loss
  • Theft

8
Required Physical Controls
  • Perimeter and Building Grounds
  • Building Entry Points
  • Inside the Building Building Floors / Offices
  • Data Centers or Server Room Security
  • Computer Equipment Protection
  • Object Protection

9
5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

10
Definition Threat
  • Any indication, circumstance or event with the
    potential to cause
  • Loss of or Damage to an Asset
  • Personal Injury
  • Loss of Live

11
Threat Types
  • Natural / Environmental
  • Earthquakes, floods, storms, hurricanes, fires,
    smoke, snow, ice
  • Consequence of Natural Phenomenon
  • Pandemic Flu
  • Normally not preventable
  • Human Made / Political Events
  • Explosions, vandalism, theft, terrorist attacks,
    riots
  • Result of a state of mind, attitude, weakness or
    character trait
  • Acts of commission or omission
  • Overt or covert
  • Disrupt or destroy

12
Examples of Threats
  • Emergencies
  • Fire and Smoke Contaminants
  • Building Collapse or Explosion
  • Utility Loss (Power, AC, Heat)
  • Water Damage (Broken Pipes)
  • Toxic Materials Release

13
Examples of Threats (2)
  • Natural Disasters
  • Earth Movement (Earthquakes or Mudslides)
  • Storm Damage (Snow, Ice, Floods, Hurricanes)
  • Human Intervention
  • Sabotage
  • Vandalism
  • War
  • Strikes

14
Examples of Physical Loss
  • Seven Major Sources of Physical Loss
  • Temperature Extreme Variations in Heat and Cold
  • Gasses Sarin, Nerve Gas, PCP from Transformers,
    Cleaning Fluids, Smog, Fuel Vapors, Paper
    Particles from Printers
  • Liquids Water and Chemicals (flood, plumbing
    failures, spilled drinks, fuel leaks, computer
    printer fluids)
  • Organisms Viruses, Bacteria, People, Animals
    and Insects, Molds, Mildews, Cobwebs

Ref Fighting Computer Crime Donn B. Parker
Wiley 1998
15
Examples of Physical Loss
  • Seven Major Sources of Physical Loss (2)
  • Projectiles Tangible Objects in Motion (Cars,
    Trucks, Falling Objects, Meteorites, Bullets,
    Rockets)
  • Movement Collapse, Shearing, Shaking,
    Vibration, Liquefaction, Flows, Waves,
    Separations and Slides (Lava Flows, Earthquakes,
    Adhesive Failures, Dropping or Shaking Equipment)
  • Energy Anomalies Electrical Surges or Failures,
    Magnetism, Static Electricity, Radiation, Sound,
    Light, Radio and Magnetic Waves

16
Site Location
  • Security Should include WHERE the building is and
    HOW it should be built
  • Choosing a Secure Site
  • Visibility Usually low visibility is the rule
    to follow. What types of neighbors and markings
    on the building?
  • Local Considerations Near hazardous waste dump?
    In flood control plain? Local crime rate,
    riots, strike-prone area?
  • Natural Disasters Weather-related problems,
    tornados, flooding, heavy snow, earthquake zone

17
Site Location (2)
  • Choosing a Secure Site
  • Transportation Excessive highway, air or road
    traffic in area, failed bridges will cause
    building access problems?
  • Joint Tenancy Are access to HVAC and
    environmental controls shared in building?
  • Adjacent Buildings
  • External Services Proximity to local Fire,
    Police, Hospital/Medical Facilities?

18
Key Concept Layered Defense Model
19
Key Concept Layered Defense Model
Ref http//rphrm.curtin.edu.au
20
Designing a Secure Site
  • WALLS
  • All walls MUST have an acceptable Fire Rating.
  • Be Floor to Ceiling
  • Any Closets or Rooms that Store Media must also
    have Fire Rating
  • CEILINGS
  • Be aware if they are WEIGHT BEARING and their
    Fire Rating

21
Designing a Secure Site (2)
  • FLOORS
  • Slab or Raised?
  • SLAB
  • If concrete then concerns are Weight Bearing (aka
    Loading) Usually 150 pounds per square foot.
  • RAISED
  • Concerned with Fire Rating, Electrical
    Conductivity (Grounding against static
    electricity)
  • Must employ non-conducting surface material in
    data center

22
Designing a Secure Site (3)
  • DOORS
  • Must resist Forced Entry
  • Solid or Hollow
  • Hinges Hidden, Internal or Fixed
  • Fire Rating Equal to Walls
  • Emergency Exits Must Be Clearly Marked,
    Monitored, or Alarmed
  • Electrical Doors on Emergency Exits Should Revert
    to Disabled State if Power Outage Occurs For Safe
    Evacuation
  • TIP!! Personnel Safety ALWAYS Takes Precedence!
    Doors Can Be Guarded During an Emergency

23
Designing a Secure Site (4)
  • SPRINKLER SYSTEM
  • Location and Type of Suppression System Must
    Always Be Known
  • LIQUID or GAS LINES
  • Know Where the Shut Off Valves Are
  • Water, Steam and Gas Lines Should Have POSITIVE
    Drains
  • i.e., Flow Outward and Away from Building

24
Designing a Secure Site (5)
  • AIR CONDITIONING
  • AC Units Should Have Dedicated Power Circuits
  • Know Where the Emergency Power Off (EPO) Switch
    is Located
  • Provide Outward, Positive Air Pressure to
    Building
  • Protected Intake Vents to Prevent Inflow of
    Potential Toxins Into a Facility

25
Designing a Secure Site (6)
  • WINDOWS
  • Located to Prevent Viewing Monitors or Desks
  • Standard Plate Glass (Brittle, Breaks Easily)
  • Tempered Glass (Stronger, Breaks into Small
    Shards)
  • Acrylic Materials
  • Polycarbonate Windows
  • Glass and Polycarbonate Combinations Combine Best
    of Glass and Acrylics
  • Wire Mesh Layers
  • Lexan (General Electric)
  • Bomb Blast Film (Prevent Viewing In and Reinforce
    Window)
  • Bullet Resistant Windows
  • Glass Breakage Sensors
  • Usually Not Accepted in Data Center
  • If Installed, Should Be Translucent and
    Shatterproof
  • Frames Secured to Walls, Windows Can Be Locked,
    Glass Cant be Removed

26
Procedural Controls
  • Guard Post / Dogs
  • Checking and Escorting Visitors on Site
  • Managing Deliveries to the Site
  • Building-Specific

27
Facility Security Management
  • Administrative Security Controls NOT Related to
    Initial Planning Process
  • Audit Trails or Access Logs
  • Vital to Know Where Attempts to Enter Existed and
    Who Attempted Them
  • Emergency Procedures
  • Should be Clearly Documented and Readily
    Accessible
  • Copies Stored Offsite in the Event of a Disaster
  • Updated Periodically

28
Audit Trails
  • These are known as DETECTIVE rather than
    PREVENTIVE
  • Date and Time of Access Attempt
  • Whether the Attempt was Successful or Not
  • Where the Access was Granted (i.e., which door)
  • Who Attempted the Access
  • Who Modified the Access Privileges at the
    Supervisor Level
  • Can Send Alarms or Alerts if Required

29
Emergency Procedures
  • Should Include the Following
  • Emergency System Shutdown Procedures
  • Evacuation Procedures
  • Employee Training, Awareness Programs, and
    Periodic Drills
  • Periodic Equipment and Systems Tests

30
Administrative Personnel Controls
  • Pre-Employment Screening
  • Employment, References and Educational History
    Checks
  • Background Investigation and/or Credit Rating
    Checks for Sensitive Positions
  • On-Going Employee Checks
  • Security Clearances
  • Ongoing Employee Ratings or Reviews by
    Supervisors
  • Post-Employment Procedures
  • Exit Interview, Removal of Network Access, Return
    of Computers, etc.

31
Environmental and Life Safety Controls
  • Three Areas of Environmental Control
  • Electrical Power
  • Fire Detection and Suppression
  • Heating, Ventilation and Air Conditioning (HVAC)

32
Electrical Power
  • Disruptions in Electrical Power Can Have a
    Serious Business Impact
  • Goals
  • Clean and Steady Power
  • Excellent Power Quality
  • Design Considerations
  • Dedicated Feeders
  • Alternate Power Source
  • Access Controls
  • Secure Breaker and Transformer Rooms

33
Electrical Power Threat Elements
  • NOISE
  • Electromagnetic Interference (EMI)
  • Radio Frequency Interference (RFI)
  • ANOMOLIES
  • Brownout, Blackout, Fault, etc.
  • ELECTROSTATIC DISCHARGE (ESD)
  • Affected by Low Humidity

34
Electrical Noise
  • Def Random Disturbance Interfering With Devices
  • Electromagnetic Interference (EMI)
  • Caused by Motors, Lightning, etc.
  • Spark Noise
  • Radio Frequency Interference (RFI)
  • Caused by Components of Electrical System
  • Caused by Electrical Cables, Fluorescent
    Lighting, Truck Ignitions, etc.
  • Can Cause Permanent Damage to Sensitive
    Components in a System

35
Electrical Noise (2)
  • Common Types of EMI
  • Common Mode Noise Noise from Radiation
    Generated by the Difference Between the Hot and
    Ground Wires
  • Traverse Mode Noise Noise from Radiation
    Generated by the Difference Between the Hot and
    Neutral Wires

36
Protective Measures for NOISE
  • Proper Line Conditioning
  • Proper Grounding of the System to Earth
  • Cable Shielding
  • Limited Exposure to Magnets, Electrical Motors,
    Space Heaters and Fluorescent Lights

37
Electrical Anomalies
Electrical Event Definition
Blackout Total loss of power
Fault Momentary loss of power
Brownout Prolonged drop in voltage (up to 10)
Sag Short drop in voltage
Inrush Initial power rush
Spike Momentary rush of power, Momentary high voltage
Surge Prolonged rush of power, prolonged high voltage
Mnemonic Bob Frequently Buys Shoes in Shoe
Stores
38
Electrical Anomalies (2)
  • Transients
  • Line Noise that is Superimposed On the Supply
    Circuit Can Cause Fluctuation in Power
  • Inrush Current
  • The Initial Surge of Current Required When There
    is an Increase in Power Demand (e.g., starting a
    large motor)

39
Electrostatic Discharge (ESD)
  • Power Surge Generated by a Person or Device
    Contacting Another Device and Transferring a High
    Voltage Shock
  • Affected by Low Humidity

40
Now, About Humidity
  • Ideal Humidity Range 40 to 60
  • High Humidity gt 60
  • Causes Problems with Condensation on Computer
    Equipment
  • Cause Corrosion of Electrical Connections sort
    of like Electroplating and Impedes Electrical
    Efficiency
  • Low Humidity lt 40
  • Can Cause Increase in Electrostatic Discharge
  • Up to 4000 Volts Under Normal Humidity
  • Up to 25,000 Volts Under Very Low Humidity

41
Static Charge and Damage
Static Charge in Volts Will Damage
40 Sensitive Circuits and Transistors
1,000 Scramble Monitor Display
1,500 Disk Drive Data Loss
2,000 System Shutdown
4,000 Printer Jam
17,000 Permanent Chip Damage
42
Precautions for Static Electricity
  • Use Anti-Static Sprays Where Possible
  • Operations or Computer Centers Should Have
    Anti-Static Flooring
  • Zinc Whiskers Problem
  • Building and Computer Rooms Should be Grounded
    Properly
  • Anti-Static Table or Floor Mats
  • HVAC Should Maintain Proper Level of Humidity in
    Computer Rooms

43
Electrical Support Systems
  • Surge Suppressors
  • Uninterruptible Power Supplies
  • Only for Duration Needed to Safely Shutdown
    Systems
  • Emergency Shutoff (EPO Switch)
  • Have Monitored by Camera
  • Alternate Power Supply
  • Generator, Fuel Cell, etc.

44
FIRE PROTECTION
  1. Fire Prevention
  2. Fire Detection
  3. Fire Suppression

45
Fire Triangle
Heat
Oxygen
A FIRE Needs These Three Elements to Burn
Fire Fighting Removes One of These Three Elements
OR By Temporarily Breaking Up the
Chemical Reaction
Fuel
46
Types of Fires
Class Description (Fuel)
A Common combustibles such as paper, wood, furniture, clothing
B Burnable fuels such as gasoline or oil
C Electrical fires such as computers and electronics
D Special fires, such as chemical, metal
K Commercial Kitchens
47
Fire Prevention
  • Use Fire Resistant Materials for Walls, Doors,
    Furnishings, etc.
  • Reduce the Amount of Combustible Papers Around
    Electrical Equipment
  • Provide Fire Prevention Training to Employees
  • REMEMBER Life Safety is the Most Important
    Issue!
  • Conduct Fire Drills on All Shifts So that
    Personnel Know How to Exit A Building

48
Fire Detection
  • Ionization-type Smoke Detectors
  • Detect Charged Particles in Smoke
  • Optical (Photoelectric) Detectors
  • React to Light Blockage Caused by Smoke
  • Fixed or Rate-of-Rise Temperature Sensors
  • Heat Detectors That React to the Heat of a Fire
  • Fixed Sensors Have Lower False Positives
  • Flame Actuated
  • Senses Infrared Energy of Flame or Pulsating of
    the Flame
  • Very FAST Response Time, Expensive

49
Fire Detection (2)
  • Automatic Dial-Up Fire Alarm
  • System Dials the Local Fire or Police Department
    and Plays a Prerecorded Message When a Fire is
    Detected
  • Usually Used in Conjunction with One of the Other
    Type of Fire Detectors
  • This Type of System Can Be Easily/Intentionally
    Subverted
  • Combinations are Usually Used for The Best
    Effectiveness in Detecting a Fire

50
Fire Classes and Suppression/Extinguishing Methods
Class Description (Fuel) Extinguishing Method
A Common combustibles such as paper, wood, furniture, clothing Water, Foam
B Burnable fuels such as gasoline or oil Inert Gas, CO2
C Electrical fires such as computers and electronics Inert Gas, CO2(Note Most important step Turn off electricity first!)
D Special fires, such as chemical, metal Dry Powder (May require total immersion or other special techniques)
K Commercial Kitchens Wet Chemicals
51
Fire Suppression
  • Carbon Dioxide (CO2), Foam, Inert Gas and Dry
    Power Extinguishers DISPLACE Oxygen to Suppress a
    Fire
  • CO2 Is a Risk to Humans (Because of Oxygen
    Displacement)
  • Water Suppresses the Temperature Required to
    Sustain a Fire

52
Fire Suppression - Halon
  • Halon Banned for New Systems Under 1987 Montreal
    Protocol on Substances that Deplete the Ozone
    Layer
  • Began Implementation of Ban in 1992
  • Any New Installations of Fire Suppression systems
    Must Use Alternate Options
  • EU Requires Removal of Halon for Most
    Applications
  • Halon Replacements
  • FM200,

53
Halon Replacements
Ref http//www.periphman.com/fire/statusofindustr
y.pdf
54
Fire Suppression - Water
  • Wet Pipe
  • Always Contains Water
  • Most Popular and Reliable
  • 165 Fuse Melts
  • Can Freeze in Winter
  • Pipe Breaks Can Cause Floods
  • Dry Pipe
  • No Water in Pipe
  • Preferred for Computer Installations
  • Water Held Back by Clapper
  • Air Blows Out of Pipe, Water Flows

Wet Pipe Dry Pipe
55
Fire Suppression Water (2)
  • Deluge
  • Type of Dry Pipe
  • Water Discharge is Large
  • Not Recommended for Computer Installations
  • Preaction
  • Most Recommended for Computer Room
  • Combines Both Dry and Wet Pipes
  • Water Released into Pipe First Then After Fuse
    Melts in Nozzle the Water is Dispersed

56
Fire Contamination Damage
  • Smoke
  • Heat
  • Water
  • Suppression Medium Contamination

57
Heating Ventilation Air Conditioning (HVAC)
  • Usually the Focal Point for Environmental
    Controls
  • You Need to Know Who is Responsible for HVAC in
    Your Building
  • Clear Escalation Steps Need to Be Defined Well in
    Advance of an Environmental-Threatening Incident

58
HVAC Issues
  • Are Computerized Components Involved?
  • Does It Maintain Appropriate Temperature and
    Humidity Levels? Air Quality?
  • Ideal Temperature 70 to 74 F
  • Ideal Humidity 40 to 60
  • Maintenance Procedures Should Be Documented
  • Preventive Maintenance Performed and Documented

59
5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

60
Elements of Physical Security
  • Badges
  • Restricted Areas
  • Lights
  • Dogs
  • CCTV
  • Locks
  • Access Control
  • Barriers
  • Security Forces
  • Fences
  • Intrusion Detection Systems

61
Functions of Physical Security
  1. Deter
  2. Delay
  3. Detect
  4. Assess
  5. Respond

62
Layered Defense
  • Security Breach Alarms
  • On-Premises Security Officers
  • Server Ops Monitoring
  • Early Warning Smoke Detectors
  • Redundant HVAC Equipment
  • UPS and Backup Generators
  • Seismically Braced Server Racks
  • Biometric Access Exit Sensors
  • Continuous Video Surveillance
  • Electronic Motion Sensors

63
Perimeter Protection
  • Perimeter Security Controls are the First Line of
    Defense
  • Protective Barriers Natural or Structural
  • Natural Barriers
  • Terrains That are Difficult to Cross
  • Landscaping (Shrubs, Trees, Spiny Shrubs)
  • Structural Barriers
  • Fences, Gates, Bollards, Facility Walls

64
Fences
  • Know These Fencing Heights
  • 3 ft 4 ft High Deters Casual Trespassers
  • 6 ft 8 ft High Too Hard to Climb Easily
  • 8 ft High with 3 Strands of Barbed Wire Deters
    Intruders
  • 3 Types of Fencing
  • Chain Link
  • Barbed Wire
  • Barbed Tape or Concertina Wire

65
Fences (2)
  • Chain Link
  • 6 Feet Tall (Excluding Top Guard)
  • 8 Feet Tall (with Top Guard)
  • 2 inch Openings or Less
  • Reach within 2 Inches of Ground or On Soft Ground
    It Is Below the Surface
  • Be Sure Vegetation or Adjacent Structures Do Not
    Bridge Over the Fence

66
Gates, Bollards, Barriers
67
Intrusion Detection Surveillance
  • Perimeter Intrusion Detection Systems
  • Sensors That Detect Access Into the Area
  • Photoelectric (Usu. Infrared Light)
  • Ultrasonic
  • Microwave
  • Passive Infrared (PIR)
  • Pressure Sensitive (Dry Contact Switch)
  • Surveillance Devices
  • Closed-Circuit Television (CCTV)

68
Motion Detectors
  • 3 Categories
  • Wave Pattern Generates a Frequency Wave
    Pattern. If Pattern is Disturbed as it is
    Reflected Back to its Receiver (low, ultrasonic
    or microwave range)
  • Capacitance Monitor an Electrical Field Around
    an Object. If Field is Disturbed the Alarm is
    Triggered. Used for Spot Protection.
  • Audio Detectors Monitor for any Abnormal Sound
    Wave Generation. (Lots of False Alarms)

69
Intrusion Detection Systems
  • Can Be Installed On
  • Windows, Doors, Ceilings, Walls
  • Any Other Entry Points Such as HVAC, Roof Access
    Openings, Ducts, etc.
  • They Detect Change In
  • Electrical Circuits, Light Beams
  • Sounds, Vibrations, Motion
  • Capacitance Due to Penetration of An
    Electrostatic Field
  • Biometrics

70
CCTV
  • Def A Television Transmission System That Uses
    Cameras to Transmit Pictures To Connected
    Monitors
  • CCTV Levels
  • Detection The Ability to Detect the Presence of
    an Object
  • Recognition The Ability to Determine the Type
    of Object (animal, blowing debris, crawling
    human)
  • Identification The Ability to Determine the
    Object Details (person, large rabbit, small deer,
    tumbleweed)
  • Remember Monitoring Live Events is Preventive
    and Recording of Events is Detective

71
CCTV Components
  • Camera
  • Fixed, Zoom
  • Pan Tilt
  • Transmission Media
  • Coax Cable
  • Fiber Cable
  • Wireless
  • Monitor

72
CCTV Added Components
  • Camera Tube
  • Pan and Tilt Units
  • Panning Device
  • Mountings
  • Switchers/Multiplexers
  • Remote Camera Controls
  • Infrared Illuminators
  • Time/Date Generators
  • Videotape or Digital Recorders
  • Motion Detectors
  • Computer Controls
  • Video Loss Detectors

73
CCTV Deployment Features
  • Cameras High Enough to Avoid Physical Attack
  • Cameras Distributed to Exclude Blind Areas
  • Appropriate Lenses
  • Pan, Tilt, Zoom (PTZ) as Required
  • Ability to be Recorded
  • Camera System Tied to Alarm System
  • Number and Quality of Video Frames Increased
    During Alarm Event
  • Regular Service of Moving Parts
  • Cleaning Lenses
  • Human Intervention

74
CCTV Application Guidelines
  • Understand the Facilitys Total Surveillance
    Requirements
  • Determine the Size of the Area to be Monitored
  • Depth, Height, and Width
  • Ensures Proper Camera Lens Specifications
  • Lighting is Important Different Lamps and
    Lighting Provide Various Levels of Effectiveness
  • Contrast Between the Object and Background
  • For Outdoor Use, the US Army Specifies the
    Automatically Adjusted Iris Feature

75
CCTV Design Guidelines
  • System Familiarity is Important Understand
    Camera Placement and Detection Field Shape
  • Exterior Camera Concerns
  • Weather
  • Illumination Range
  • Field of View Alignment
  • Balanced Lighting
  • Environmental Housings
  • Mounting Heights
  • In All Cases, Place Camera High Enough to Avoid
    Tampering or Collision

76
CCTV Legal and Practical Implications
  • Storage Implications of Recorded Data
  • Video Tapes Must Be Stored to Prevent
    Deterioration
  • Digital Records Must Be Maintained to Assert
    Integrity
  • Human Rights and Privacy Implications in
    Recording People
  • Requirements to Blurr/Pixelate Individuals Other
    than Accused

77
Lighting
  • Provides a Deterrent to Intruders
  • Makes Detection Likely if Entry Attempted
  • Should be Used With Other Controls Such as
    Fences, Patrols, Alarm Systems, CCTV
  • Critical Protected Buildings Should Be
    Illuminated Up to 8 Feet High, with 2 Foot-Candle
    Power

78
Types of Lighting
  • Continuous Lighting (Most Common)
  • Glare Projection
  • Flood Lighting
  • Trip Lighting
  • Standby Lighting
  • Movable (Portable)
  • Emergency Lighting

79
Access Control
Advisory Magnetic Access Cards Should Have
No Company ID On Them
  • Card Access
  • Smart Cards
  • Mag Stripe Cards
  • Proximity Cards
  • Biometrics
  • Fingerprint
  • Retina or Iris Scans
  • Hand Geometry
  • Signature Dynamics

80
Locks
  • Tip Locks are Considered DELAY Devices Only
  • All Locks Can Be Defeated By Force and/or the
    Proper Tools
  • Locks Must Never Be Considered a Stand-Alone
    Method of Security

81
Locks (2)
  • Types of Locks
  • Key Locks
  • Combination Locks
  • Key Locks
  • Key-in-Knob or Key-in-Lever (Cylindrical Lockset)
    Only for Low Security Apps
  • Dead Bolt Locks or Tubular Dead Bolts Good for
    Storerooms, Houses (Bolt is Thrown)
  • Mortise Locks (Lock Case is Recessed or Mortised
    into the Edge of Door) Low Security Apps
  • Padlocks
  • Combination Locks
  • Combinations Must Be Changed at Specific Times
    and Under Specific Circumstances

82
Keyless and Smart Locks
  • Keyless (Cipher) Locks
  • Push-button locks
  • Smart Locks
  • Permit Only Authorized People Into Certain Doors
    at Certain Times
  • E.g., Magnetic Stripe Card that is Time Sensitive

83
Lock Security Measures
  • Key Control Procedures
  • Restrict Issue of Keys on a Long-Term Basis to
    Outside Maintenance or Janitorial Personnel
  • Keep a Record of All Issued Keys
  • Investigate the Loss of All Keys
  • When in Doubt, Rekey the Affected Locks
  • Use as Few Master Keys as Possible
  • Issue Keys on a Need-to-Go Basis
  • Remember Keys are a Single-Factor
    Authentication Mechanism That Can Be Lost,
    Stolen, or Copied.
  • (Use 2-Factor Methods for More Secure Spaces)

84
Compartmentalized Area
  • Def Location Where Sensitive Equipment is
    Stored and Where Sensitive Information is
    Processed
  • Must Have a Higher Level of Security Controls

85
Data Center
  • Walls
  • Extend from True Floor to True Ceiling
  • Access Controls
  • Depending Upon Sensitivity of the Information and
    Value of Equipment, Electronic Access Controls
    May Need to be Installed

Ref CISSP Certification, Shon Harris
86
Portable Device Security
  • Laptops, PDAs, Etc.
  • Protect the Device
  • Protect the Data in the Device
  • Examples
  • Locking Cables for Docking Stations
  • Tracing Software
  • Audible Motion Alarm
  • Encryption Software
  • PIN Protection for PDAs
  • Inventory System

87
Alarm Systems
  1. Local Alarm Systems Alarm Sounds Locally and
    Must be Protected from Tampering and Audible for
    at Least 400 Feet
  2. Central Station Units Monitored 7x24 and
    Signaled Over Leased Lines Usually within lt10
    Minutes Travel Time (Private Security Firms)
  3. Proprietary Systems Similar to Central but
    Owned and Operated by Customer
  4. Auxiliary Station Systems Systems that Ring at
    Local Fire or Police Stations

88
Additional Alarm Systems
  • Line Supervision
  • Alarm Sounds When Alarm Transmission Medium
    Detects Tampering.
  • Secure Detection and Alarm Systems Require Line
    Supervision
  • Power Supplies
  • Require Separate Circuitry and Backup Power with
    24 Hour Minimum Discharge Time

89
5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

90
Drills Testing
  • Drills/Exercises/Testing
  • Keeps Everyone Aware of Their Responsibilities
  • Building Evacuation Drills Are Important
  • Physical Vulnerability/Penetration Tests
  • Should Identify Weak Entry Points
  • Findings Should Be Documented
  • Ref Ira Winkler Stories

91
Checklist, Maintenance Service
  • Checklist
  • Identifies Those Elements of Physical Security
    That Need to be Checked on a Regular Basis
  • Maintenance and Service
  • Needs to be Done
  • Need to Monitor Who Performs the Maintenance,
    Especially if it is an Outside Contractor

92
5 Functional Areas
  1. Information Protection Requirements
  2. Information Protection Environment
  3. Security Technology and Tools
  4. Assurance, Trust and Confidence Mechanisms
  5. Information Protection and Management Services

93
Managed Services
  • Be Sure To Address
  • Contractor Understands and is Contractually Bound
    to Meet the Organizations Physical and
    Procedural Security Requirements
  • The Contracting Organization Has Ability to Audit
    or Test the Security Services Provided
  • There is a Channel of Communications Between the
    Contracting Authority and the Contractor to
    Affect Changes As Needed

94
Media Storage Requirements
  • Common Storage Areas for Media
  • On Site safes, desks, storage cabinets
  • Off Site data backup vaults (Transportation can
    be a security concern)
  • Elements and Resources in Control to Protect the
    Media
  • Physical Access Control at Storage Area
  • Environmental Controls (fire, water protection)
  • Inventory Controls and Monitoring
  • Audits

95
Media Storage Requirements (2)
  • Data Destruction and Reuse
  • Degaussing or Overwriting Usually Typically
    Destroys Most Data
  • Normal Formatting Does Not Destroy the Data
  • Format or Overwrite 7 Times (Mil-Spec)
  • Consider Shredding Hard Drives, Other Portable
    Media
  • Paper Records Confetti Shred or Burn

96
Physical Summary
  • Physical and Procedural Countermeasures
  • Provide Identification and Authentication
  • Authorization (Access Control)
  • Accountability
  • Provide Physical Contingency Resources and
    Alternate Procedures
  • Organized in a DEFENSE IN DEPTH Strategy
  • Effectiveness Relies on Knowledge, Skills and
    Awareness of Staff

97
Thank You!
Ernie Hayden CISSP, CEH enhayden_at_centurytel.net Ce
ll 425-765-1400
98
Uptime Institute
  • www.uptimeinstitute.com
  • Zinc Whiskers
  • Conductivity Contamination
  • Data Center Energy Issues
About PowerShow.com