8/7/2019 cissp-chapter 06
Chapter 6 Physical and Environmental Security

Physical and Environmental Security
Physical security is extremely important. There is no point in technical and administrative security controls if someone can simply bypass them by physically accessing systems.
Physical security is harder today as systems are more distributed (not just mainframes) and complex.
It is not just about protecting data but, more importantly, PEOPLE! (Remember, safety is always issue #1*.)
Often physical security is an afterthought when building new facilities.
Lawsuits against companies CAN be filed if a company does not take adequate physical security measures (see next slide).

Some examples of physical problems
Banks with bushes too close or too high near an ATM, which allows criminals to hide or blocks the view of crimes.
A portion of an underground garage has improper lighting.
A convenience store has too many signs, which robbers target because the view is obstructed from the outside.

Threats to physical security
Natural hazards (floods, tornadoes, fires, temperatures)
Supply system threats (power outage, water, gas, WAN connection, etc.)
Manmade threats (unauthorized access, explosives, damage by disgruntled people, accidents, theft)
Politically motivated threats (strikes, riots, civil disobedience)

Physical security fundamentals
Life safety goals* should always be the #1 priority.
Defense should be layered, which means that different physical controls should work together to accomplish the goal of security. (examples)
Physical security can address all of the CIA fundamental principles.

Planning Process
Threats should be classified as internal or external.
Risk analysis should be undertaken for the physical aspect. Assets should be identified, threats should be identified (probabilities calculated) and countermeasures put in place that are COST EFFECTIVE and appropriate to the level of security needed.
Physical security will ultimately be a combination of people, processes, procedures and equipment to protect resources.
(more)

Planning Process
The planning and security program should include the following goals:
Deterrence: fences, guards, signs
Reducing/avoiding damage by delaying attackers: slow down the attackers (locks, guards, barriers)
Detection: motion sensors, smoke detectors
Incident assessment: response of guards, and determination of damage level
Response procedures: fire suppression, law enforcement notification, etc.

Planning process
The idea is to avoid problems if at all possible, otherwise mitigate problems. This can be best accomplished by layering (which we already talked about). If a crime happens you must be able to detect it, and a response should be implemented.
Remember this is the same process that we cover in Risk Analysis! All the same processes and concepts apply.

Target Hardening (410)
Focuses on denying access through physical and artificial barriers (alarms, locks, fences). Target hardening can lead to restrictions on the use, enjoyment and aesthetics of an environment.

CPTED
An important security concept organizations use is Crime Prevention Through Environmental Design. The idea is that proper design of a physical environment can reduce crime by directly affecting human behavior.* It provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures.

CPTED
CPTED concepts have been used since the 1960s and have advanced as environments and crime have advanced. CPTED is not just used for corporate security but also for building neighborhoods, etc.
CPTED looks at the components that make up the relationship between humans and their environment.
(some example CPTED guidelines are next)

CPTED guidelines
Examples
Hedges and planters should not be more than 2.5 feet tall.
Data center should be at the center of a facility.
Street furniture should encourage people to sit and watch what is going on around them.
Landscaping should not provide places to hide.
Put CCTV cameras in plain view so criminals are aware they are being watched and recorded.

CPTED
CPTED provides three main strategies to bring together physical environment and social behavior to increase overall protection:
Natural Access Control
Natural Surveillance
Territorial Reinforcement
We will talk about these next.

CPTED (Natural Access Control)
Natural Access Control: the guidance of people entering and leaving a space by the placement of doors, fences, lighting and landscaping.
Clear lines of sight and transparency are used to discourage potential offenders.
Natural barriers can be used to create physical security zones.

CPTED (Natural Surveillance)
Natural Surveillance attempts to discourage criminals by providing many ways for others to observe potential criminal behavior.

CPTED (Territorial Reinforcement)
Creating a space that emphasizes a company's sphere of influence so employees feel ownership of that space.
The idea is that they will protect the environment (report suspicious activities). It can also make criminals feel vulnerable or that they don't belong there.
Some examples are
(next)

CPTED (Territorial Reinforcement)
Decorated walls
Fences
Landscaping
Lights
Flags
Company signs
Decorative sidewalks
Company activities (i.e. barbecues)

A good approach is to design generically using CPTED and then apply target hardening concepts where appropriate.

Zones are used to physically separate areas into different security areas.

Designing a Physical Security Program
When designing a physical security program you must consider the following:
HVAC systems
Construction materials
Power distribution systems
Communications lines
Hazardous materials
Proximity to airports, highways, roads
Proximity to emergency services
etc.

Facilities
When building a new facility there are several considerations:
Visibility
Surrounding area and external entities
  Crime rate
  Proximity to police, medical and fire stations
Accessibility
  Roads/access
  Traffic
  Proximity to airports, etc.
Natural disasters
  Probability of floods, hurricanes
  Hazardous terrain (mudslides, falling rocks (really?!?), excessive snow or rain)

Construction
Different considerations need to be taken into account when building a facility, depending on what the facility is trying to protect. For example, if documents are stored, fire-resistant materials should be used.
(Read the bullet points on 418/419; you should memorize these.)

Entry Points
Entry points into a building or control zone must be secured.
  Including windows
  Including ventilation ducts, etc.
All components of a door should be equally strong (no use having a strong steel door but weak hinges) (weakest link).
(more)

Doors
Fire codes dictate that exit bars be on doors.
Doors can be hollow core or solid core; hollow core doors should only be used internally.
Doors with automatic locks can be:
  Failsafe* - what does this mean?
  Failsecure* - what does this mean?

Mantrap
What is it?
What is piggybacking?

Windows
There are different types of windows that you should know about:
Standard glass: residential home/easily broken
Tempered glass: glass that is heated and then suddenly cooled. 5-7x stronger than regular glass
Acrylic glass (plexiglass/lexan): stronger than regular glass, but gives off toxic fumes if burnt.
(more)

Windows
Glass with embedded wires: avoids glass shattering
Laminated glass: two sheets of glass with a plastic film in between. Harder to break.
Glass can be treated with films to tint for security.

Computer Room
Computer rooms are where important servers and network equipment are stored.
Equipment should be placed in locked racks.
Computer rooms should be near the center of the building, and should be above ground, but not so high that they would be difficult to access by emergency crews.
Strict access control should be enabled.
They should only have 1 access door, though they might have to have multiple fire doors.
(more)

Computer Room
Computer room should have positive air pressure*
There should be an easy-to-access emergency off switch
Portable fire extinguishers
Smoke/fire sensors should be under raised floors.
Water sensors should be under raised floors and on ceilings
(more)

Computer Room
Temperature and humidity levels should be properly maintained
  Humidity too low: static electricity*
  Humidity too high: corrosion of metal parts*
CR should be on separate electrical systems from the rest of the building
Should have redundant power systems and UPS

Protecting Assets (429)
Companies must protect against theft. Theft of laptops is a big deal, especially if private information is on the laptop. You should understand best practices in regard to physically protecting things from being stolen.
Inventory all laptops including serial number
Harden the OS
Password protect the BIOS
Use disk encryption on laptops
Do not check luggage when flying
Never leave a laptop unattended
Install tracking software on laptops (LoJack-type software)
(more)

Protecting Assets
You should also be aware of the types of safes that exist:
Wall safe
Floor safe
Chest (stand alone)
Depositories (safes with slots)
Vaults (walk-in safes)

Internal Support Systems
Power is critically important for data processing. We will talk about some different power issues and concerns to be aware of.

Power
UPS
  Online
  Standby
Power line conditioners
Backup generators

Electric power issues
There is power interference that stops you from getting clean power; this is called line noise.
Electromagnetic Interference: electromagnetic fields that can create noise (motors can generate fields)
Radio Frequency Interference: fluorescent lights

Electrical Power Issues
There are times when the voltage delivered falls outside normal thresholds:
Excess
  Spike: momentary high voltage
  Surge: prolonged
Shortage
  Sag/dip: momentary low voltage
  Brownout: prolonged low voltage
Loss
  Fault: momentary outage
  Blackout
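The excess/shortage/loss terms above, applied to a series of voltage readings the way a power monitor would, as an added example that is not part of the original slides. The nominal voltage, tolerance, loss threshold and the one-second momentary/prolonged cutoff are assumed values, and treating a blackout as a prolonged loss is an assumption the slide leaves implicit.

```python
# Added example: label abnormal voltage runs with the slide's terms.
# All numeric thresholds below are assumptions; the slides give none.
from itertools import groupby

NOMINAL_V = 120.0        # assumed nominal supply voltage
TOLERANCE = 0.10         # assumed: within +/-10% of nominal is normal
LOSS_V = 10.0            # assumed: at or below this counts as loss of power
MOMENTARY_MAX_S = 1.0    # assumed: anything longer is "prolonged"

# (condition, prolonged?) -> term used on the slide
NAMES = {
    ("excess", False): "spike",      ("excess", True): "surge",
    ("shortage", False): "sag/dip",  ("shortage", True): "brownout",
    ("loss", False): "fault",        ("loss", True): "blackout",
}

def condition(volts):
    """Map one reading to excess, shortage, loss or normal."""
    if volts <= LOSS_V:
        return "loss"
    if volts > NOMINAL_V * (1 + TOLERANCE):
        return "excess"
    if volts < NOMINAL_V * (1 - TOLERANCE):
        return "shortage"
    return "normal"

def classify(samples, interval_s):
    """Return [(start_s, duration_s, term)] for each run of abnormal readings.

    samples holds voltage readings taken every interval_s seconds.
    """
    events, t = [], 0.0
    for cond, run in groupby(samples, key=condition):
        duration = len(list(run)) * interval_s
        if cond != "normal":
            prolonged = duration > MOMENTARY_MAX_S
            events.append((t, duration, NAMES[(cond, prolonged)]))
        t += duration
    return events

# Constructed sample readings, one every 0.5 s
SAMPLES = [120, 140, 120, 100, 120, 0, 120,
           135, 135, 135, 135, 120,
           100, 100, 100, 100, 120,
           0, 0, 0, 0]

if __name__ == "__main__":
    for start, dur, term in classify(SAMPLES, 0.5):
        print(f"t={start:4.1f}s  lasted {dur:3.1f}s  {term}")
```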

Electrical power issues
Inrush current: when a bunch of things are turned on, power demands are usually higher and may stress power supplies, causing a sag/dip.
Try to have computer equipment on different electrical supplies. Do not use microwaves or vacuums on computer power lines.

Power best practices
Use surge protectors on desktops
Do not daisy chain surge protectors
Employ a power monitor to detect current and voltage changes
Use regulators or line conditioners in computer rooms
Use UPS systems in computer rooms
If possible, shield power cables
Do not run power over or under fluorescent lights

Environmental Issues
Improper environments can cause damage to equipment or services.
Water and Gas
  Make sure there are shutoff valves and that they have positive drains (flow out instead of in, why?)
Humidity
  Humidity must not be too high or too low
    Low: static
    High: rust/corrosion
  Hygrometer measures humidity
(more)

Environmental Issues
Static electricity: besides ensuring proper humidity,
  Use anti-static flooring in data processing areas
  Don't use carpeting in data centers
  Wear anti-static bands when working inside computers.

Environmental Issues
Temperature should not be too high. Room temps should be in the 60s ideally.
Ventilation
  Should be closed loop (re-circulating)
  Positive pressure (air flows out, e.g. smoke and contaminants will be pushed out rather than flow in)

Fire prevention
It's obvious that you should have fire prevention, detection and suppression systems. Which types you use depends on the environment.
Fire detection systems
  Smoke activated (using a photoelectrical device)
  Heat activated
    Rate of rise sensors
    Fixed temperature sensors
(more)

Fire prevention systems
Detectors need to be properly placed:
On and above suspended ceilings
Below raised floors
Enclosures and air ducts
Uniformly spread through normal areas

Fire suppression (444)
A fire needs fuel, oxygen and high temperatures to burn. There are many different ways to stop combustion:
Fuel: soda acid (removes fuel)*
Oxygen: carbon dioxide (removes oxygen)*
Temperature: water (reduces temperature)*
Chemical combustion: gas (interferes with the chemical reactions)*

Fire Suppression
Different fire suppression types based on class of fire:
A
B
C
D
(we'll talk about each of these)

Fire Suppression
A: Common Combustibles
  Use for: wood, paper, laminates
  Uses: water or foam as suppression agent
B: Liquid
  Use for: gas or oil fires
  Uses: gas (CO2), foam, dry powders

Fire Suppression
C: Electrical
  Use on: electrical equipment and wires
  Uses: gas, CO2, dry powder
D: Combustible materials
  Use on: combustible chemicals (sodium, potassium)
  Uses: dry powder

Fire Suppression (Halon)
Before any type of dangerous gas (Halon, CO2) is released there should be some type of warning emitted. (CO2 will suffocate people.)
Halon is a type of gas that used to be commonly used; it is no longer used due to CFCs (it is also dangerous to people). It was banned by the Montreal Protocol* in 1987. An effective replacement is FM-200 or others on top of pg 444*

Fire Suppression Note
The HVAC system should be set to shut down when an automatic suppression system activates.
Now we need to understand automatic fire suppression systems.

Automatic fire suppression
Sprinklers
  Wet Pipe
  Dry Pipe
  Preaction: like dry pipe, but a delay exists before release. Best for computer rooms if a water-based system is used.
  Deluge: high volume of water dispersal, not used for data centers.

Fire random tidbit
The space between the ceiling and the actual floor above is called the plenum. You should know this term. You should understand that when running network cables and other plastic-insulated wiring, you need to use a certain type of wire called plenum wire. This is because burning plastic gives off toxic gases, and small fires in plenum areas could distribute toxic gases throughout the building air systems.

Perimeter security
Perimeter security is concerned with protecting the outside of your facility, that is, ensuring that nobody unauthorized gets inside to cause any security violations. Perimeter security can implement multiple controls to keep the facility secure.
Some controls that are used that we will look at are:
Locks
Personnel access controls
Fencing
Lighting
Bollards
Surveillance devices
Intrusion detection systems
Guard dogs

Perimeter Security
Locks: the purpose of locks is to DELAY* intruders until they can be detected and apprehended. There are multiple types of locks that we will talk about:
Mechanical
Combination locks
Cipher locks

Locks
Mechanical: use a physical key (warded lock or tumbler)
  Warded lock: basic padlock, cheap
  Tumbler lock: more pieces than a warded lock; the key fits into a cylinder which moves the metal pieces such that the bolt can slide into the locked and unlocked position.
    Pin tumbler: uses pins
    Wafer: uses wafers (not very secure)

Lock types (453)
There are different lock grades:
  Grade 1: commercial
  Grade 2: heavy duty residential, light commercial
  Grade 3: residential throw-away locks
There are also 3 cylinder categories:
  Low: no pick or drill resistance provided
  Medium: a little pick resistance
  High: higher degree of pick resistance

Attacks against key type locks
Tension wrench: shaped like an L and used to apply tension to the cylinder, then a pick is used to manipulate the individual pins.

Locks
Combination locks: rather than use a key, turn
Cipher locks: electronic locks
  Combination can be changed
  Combination can be different for different people
  Can work during different times of day
  Can have emergency codes
  Can have override codes

Locks
Device locks: computer equipment sometimes must be locked (laptops, or physically blocking out slots). Some types of device locks are:
Switch controls
Slot locks: physically lock into the expansion slots to physically secure systems.
Port controls: block access to floppy or USB ports
Cable traps: lock down cables from being unplugged and removed.

Fencing
Can deter and delay intruders
Fences 3-4 feet high only deter casual trespassers
Fences 6-7 feet high are considered too high to climb easily
Fences 8 feet high are considered serious.
(more)

Fencing
Memorize the gauges and mesh size chart on pg 457
Fencing best practices
  Fences should be a first line of defense
  Critical areas should have fences of 8 feet.

Bollards
Bollards are small concrete pillars, sometimes containing lights or flowers.
They are used to stop people from driving through a wall, often put between a building and parking lot.
They can be arranged to form a natural path for walking.

Lighting
Lighting is obviously important in perimeter security. It decreases the probability of criminal activity.
Each light should cover its own zone and there should not be gaps in the coverage. Coverage in fact should overlap.
Lighting should be directed AWAY from the security guards, etc.

Surveillance
Surveillance systems are a detective control. Generally these are CCTV systems.
CCTV systems consist of:
Cameras
Transmitters
Receivers
Recording systems

Surveillance
Focal length: relates to the amount of area that can be seen. Wide angle lenses use small focal lengths*. Narrow angles use long focal lengths*. If you don't have a CCTV camera that can change, you must pick an appropriate focal length for your application.
Generally you should have cameras with auto-irises that can adjust to how bright the outside conditions are.
Zoom lenses allow you to change PTZ cameras (pan, tilt, zoom)

Intrusion Detection Systems
IDS (physical IDS, NOT network IDS) help detect the physical presence of an intruder.
Can be multiple types.
Electromechanical: traditional types, determine an opening of a window by a break in connectivity.
  Vibration sensors are also electromechanical
  Pressure pads are also electromechanical

IDS
Photoelectric: uses light beams to detect when something crosses the beam.
Passive Infrared (PIR): monitors heat signatures in a room (a lot of home automatic light systems are of this type).
Acoustical Detection: uses sound.
Proximity detector/capacitance detectors: emit a measurable magnetic field. If the field is disrupted it sets off the alarm. (Usually this field is a very small area, as magnetic fields disperse quickly as the area increases.)

Patrols and Guards
Obvious, and provide a dynamic response; guards can make decisions based on the situation, which most other IDS cannot.
Dogs: highly useful in detecting intruders and discouraging attacks.