
ITNS and CERIAS CISSP Luncheon Series: Physical (Environmental) Security

Date post: 23-Jan-2016
ITNS and CERIAS CISSP Luncheon Series: Physical (Environmental) Security. Presented by Scott L. Ksander. Physical Security. From (ISC)2 Candidate Information Bulletin: - PowerPoint PPT Presentation
ITNS and CERIAS CISSP Luncheon Series: Physical (Environmental) Security

Presented by Scott L. Ksander

Physical Security

From (ISC)2 Candidate Information Bulletin:
• The Physical (Environmental) Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.

Physical Security

From (ISC)2 Candidate Information Bulletin:
• The candidate will be expected to know the elements involved in choosing a secure site, its design and configuration, and the methods for securing the facility against unauthorized access, theft of equipment and information, and the environmental and safety measures needed to protect people, the facility, and its resources.

Introduction

Threats to physical security include:
• Interruption of services
• Theft
• Physical damage
• Unauthorized disclosure
• Loss of system integrity

Introduction

Threats fall into many categories:
• Natural environmental threats (e.g., floods, fire)
• Supply system threats (e.g., power outages, communication interruptions)
• Manmade threats (e.g., explosions, disgruntled employees, fraud)
• Politically motivated threats (e.g., strikes, riots, civil disobedience)

Introduction

Primary consideration in physical security is that nothing should impede “life safety goals.”
• Ex.: Don’t lock the only fire exit door from the outside.

“Safety:” Deals with the protection of life and assets against fire, natural disasters, and devastating accidents.

“Security:” Addresses vandalism, theft, and attacks by individuals.

Physical Security Planning

Physical security, like general information security, should be based on a layered defense model.

Layers are implemented starting at the perimeter and moving inward toward the asset.

Layers include: Deterrence, Delaying, Detection, Assessment, Response

Physical Security Planning

A physical security program must address:
• Crime and disruption protection through deterrence (fences, security guards, warning signs, etc.).
• Reduction of damages through the use of delaying mechanisms (e.g., locks, security personnel, etc.).
• Crime or disruption detection (e.g., smoke detectors, motion detectors, CCTV, etc.).
• Incident assessment through response to incidents and determination of damage levels.
• Response procedures (fire suppression mechanisms, emergency response processes, etc.).

Physical Security Planning

Crime Prevention Through Environmental Design (CPTED)
• Is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.
• Concepts developed in 1960’s.
• Think: Social Engineering

Physical Security Planning

CPTED has three main strategies:
• Natural Access Control
• Natural Surveillance
• Territorial Reinforcement

Physical Security Planning

Natural Access Control
• The guidance of people entering and leaving a space by the placement of doors, fences, lighting, and landscaping
• Be familiar with: bollards, use of security zones, access barriers, use of natural access controls

Physical Security Planning

Natural Surveillance
• Is the use and placement of physical environmental features, personnel walkways, and activity areas in ways that maximize visibility.
• The goal is to make criminals feel uncomfortable and make all other people feel safe and comfortable, through the use of observation.

Physical Security Planning

Territorial Reinforcement
• Creates physical designs that highlight the company’s area of influence to give legitimate owners a sense of ownership.
• Accomplished through the use of walls, lighting, landscaping, etc.

Physical Security Planning

CPTED is not the same as “target hardening”

Target hardening focuses on denying access through physical and artificial barriers (can lead to restrictions on use, enjoyment, and aesthetics of the environment).

Physical Security Planning

Issues with selecting a facility site:
• Visibility (terrain, neighbors, population of area, building markings)
• Surrounding area and external factors (crime rate, riots, terrorism, first responder locations)
• Accessibility (road access, traffic, proximity to transportation services)
• Natural Disasters (floods, tornados, earthquakes)

Physical Security Planning

Other facility considerations:
• Physical construction materials and structure composition
  » Be familiar with: load, light frame construction material, heavy timber construction material, incombustible material, fire resistant material (know the fire ratings and construction properties).

Physical Security Planning

“Mantrap:” A small room with two doors. The first door is locked; a person is identified and authenticated. Once the person is authenticated and access is authorized, the first door opens and allows the person into the mantrap. The person has to be authenticated again in order to open the second door and access a critical area. The mantrap area could have a weight sensing floor as an additional control to prevent literal piggybacking.
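The interlock described above, sketched as a small state machine. This is an added example, not part of the original presentation; the badge IDs, enrolled weights, and tolerance are constructed values, and the class and method names are hypothetical.

```python
# Constructed enrollment data (badge ID -> enrolled body weight in kg) and
# tolerance; both are assumptions made for this example.
ENROLLED_KG = {"badge-1001": 62.0, "badge-1002": 85.0}
TOLERANCE_KG = 10.0


class Mantrap:
    """Two-door interlock: the inner door never unlocks while the outer is open."""

    def __init__(self):
        self.outer_open = False
        self.inner_open = False
        self.occupant = None   # badge authenticated at the outer door
        self.events = []       # audit trail of every decision

    def _decide(self, door, badge, granted, reason):
        self.events.append((door, badge, granted, reason))
        return granted, reason

    def request_outer(self, badge):
        """First authentication: admit one enrolled person into the room."""
        if badge not in ENROLLED_KG:
            return self._decide("outer", badge, False, "unknown badge")
        if self.occupant is not None or self.inner_open:
            return self._decide("outer", badge, False, "mantrap busy")
        self.outer_open, self.occupant = True, badge
        return self._decide("outer", badge, True, "ok")

    def close_outer(self):
        self.outer_open = False

    def request_inner(self, badge, floor_kg):
        """Second authentication plus the weight-sensing floor check."""
        if self.outer_open:
            return self._decide("inner", badge, False, "outer door open")
        if badge is None or badge != self.occupant:
            return self._decide("inner", badge, False, "badge mismatch")
        if abs(floor_kg - ENROLLED_KG[badge]) > TOLERANCE_KG:
            return self._decide("inner", badge, False, "weight mismatch")
        self.inner_open = True
        return self._decide("inner", badge, True, "ok")

    def clear(self):
        """Person has passed through or been escorted out; relock and reset."""
        self.outer_open = self.inner_open = False
        self.occupant = None


def demo():
    trap, results = Mantrap(), []
    trap.request_outer("badge-1001")
    results.append(trap.request_inner("badge-1001", 63.0))   # outer still open
    trap.close_outer()
    results.append(trap.request_inner("badge-1001", 63.0))   # one person inside
    trap.clear()
    trap.request_outer("badge-1002")
    trap.close_outer()
    results.append(trap.request_inner("badge-1002", 151.0))  # two people inside
    return results


if __name__ == "__main__":
    print(demo())
```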

Physical Security Planning

Automatic door lock configuration:

“Fail safe:” If a power disruption occurs, the door defaults to being unlocked.

“Fail secure:” If a power disruption occurs, the door defaults to being locked.

Physical Security Planning

Windows can also be used to promote physical security.

Know the different types of glass:
• Standard
• Tempered
• Acrylic
• Wired
• Laminated
• Solar Window Film
• Security Film

Physical Security Planning

Consider use of internal partitions carefully:
• True floor to true ceiling to counter security issues
• Should never be used in areas that house sensitive systems and devices

Internal Support Systems

Power issues:
• A continuous supply of electricity assures the availability of company resources.
• Data centers should be on a different power supply from the rest of the building
• Redundant power supplies: two or more feeds coming from two or more electrical substations

Internal Support Systems

Power protection:
• UPS Systems
  » Online UPS systems
  » Standby UPS System
• Power line conditioners
• Backup Sources

Internal Support Systems

Other power terms to know:
• Ground
• Noise
• Transient Noise
• Inrush Current
• Clean Power
• EMI
• RFI

Internal Support Systems

Types of Voltage Fluctuations
• Power Excess
  » Spike
  » Surge
• Power Loss
  » Fault
  » Blackout
• Power Degradation
  » Sag/dip
  » Brownout
  » Inrush Current

Internal Support Systems

Environmental Issues
• Positive Drains
• Static Electricity
• Temperature

Internal Support Systems

Environmental Issues: Positive Drains
• Contents flow out instead of in
• Important for water, steam, gas lines

Internal Support Systems

Environmental Issues: Static Electricity
• To prevent:
  » Use antistatic flooring in data processing areas
  » Ensure proper humidity
  » Proper grounding
  » No carpeting in data centers
  » Antistatic bands

Internal Support Systems

Environmental Issues: Temperature
• Computing components can be affected by temperature:
  » Magnetic Storage devices: 100 Deg. F.
  » Computer systems and peripherals: 175 Deg. F.
  » Paper products: 350 Deg. F.

Internal Support Systems

Ventilation
• Airborne materials and particle concentration must be monitored for inappropriate levels.
• “Closed Loop”
• “Positive Pressurization”

Internal Support Systems

Fire prevention, detection, suppression

“Fire Prevention:” Includes training employees on how to react, supplying the right equipment, enabling fire suppression supply, proper storage of combustible elements

“Fire Detection:” Includes alarms, manual detection pull boxes, automatic detection response systems with sensors, etc.

“Fire Suppression:” Is the use of a suppression agent to put out a fire.

Internal Support Systems

American Society for Testing and Materials (ASTM) is the organization that creates the standards that dictate how fire resistant ratings tests should be carried out and how to properly interpret results.

Internal Support Systems

Fire needs oxygen and fuel to continue to grow.

Ignition sources can include the failure of an electrical device, improper storage of materials, malfunctioning heating devices, arson, etc.

Special note on “plenum areas:” The space above drop down ceilings, wall cavities, and under raised floors. Plenum areas should have fire detectors and should only use plenum area rated cabling.

Internal Support Systems

Types of Fire:
• A: Common Combustibles
  » Elements: Wood products, paper, laminates
  » Suppression: Water, foam
• B: Liquid
  » Elements: Petroleum products and coolants
  » Suppression: Gas, CO2, foam, dry powders
• C: Electrical
  » Elements: Electrical equipment and wires
  » Suppression: Gas, CO2, dry powders
• D: Combustible Metals
  » Elements: magnesium, sodium, potassium
  » Suppression: Dry powder
• K: Commercial Kitchens
  » Elements: Cooking oil fires
  » Suppression: Wet chemicals such as potassium acetate.

Internal Support Systems

Types of Fire Detectors
• Smoke Activated
• Heat Activated
• Know the types and properties of each general category.

Internal Support Systems

Different types of suppression agents:
• Water
• Halon and halon substitutes
• Foams
• Dry Powders
• CO2
• Soda Acid
• Know suppression agent properties and the types of fires that each suppression agent combats
• Know the types of fire extinguishers (A, B, C, D) that combat different types of fires

Internal Support Systems

Types of Sprinklers
• Wet Pipe Systems (aka Closed Head System)
• Dry Pipe Systems
• Preaction Systems
• Deluge Systems

Perimeter Security

The first line of defense is perimeter control at the site location, to prevent unauthorized access to the facility.

Perimeter security has two modes:
• Normal facility operation
• Facility closed operation

Perimeter Security

Proximity protection components put in place to provide the following services:
• Control of pedestrian and vehicle traffic
• Various levels of protection for different security zones
• Buffers and delaying mechanisms to protect against forced entry
• Limit and control entry points

Perimeter Security

Protection services can be provided by:
• Access Control Mechanisms
• Physical Barriers
• Intrusion Detection
• Assessment
• Response
• Deterrents

Perimeter Security

Fences are “first line of de’fence’” mechanisms. (Small Joke!)

Varying heights, gauge, and mesh provide security features (know them).

Barbed wire direction makes a difference.

Perimeter Security

Perimeter Intrusion Detection and Assessment System (PIDAS):
• A type of fencing that has sensors on the wire mesh and base of the fence.
• A passive cable vibration sensor sets off an alarm if an intrusion is detected.

Perimeter Security

Gates have 4 distinct types:
• Class I: Residential usage
• Class II: Commercial usage, where general public access is expected (e.g., public parking lot, gated community, self storage facility)
• Class III: Industrial usage, where limited access is expected (e.g., warehouse property entrance not intended to serve public)
• Class IV: Restricted access (e.g., a prison entrance that is monitored either in person or via CCTV)

Perimeter Security

Locks are inexpensive access control mechanisms that are widely accepted and used.

Locks are considered delaying devices.

Know your locks!

Perimeter Security

Types of Locks
• Mechanical Locks
  » Warded & Tumbler
• Combination Locks
• Cipher Locks (aka programmable locks)
  » Smart locks
• Device Locks
  » Cable locks, switch controls, slot locks, port controls, peripheral switch controls, cable traps

Perimeter Security

Lock Strengths:
• Grade 1 (commercial and industrial use)
• Grade 2 (heavy duty residential/light duty commercial)
• Grade 3 (residential and consumer expendable)

Cylinder Categories
• Low Security (no pick or drill resistance)
• Medium Security (some pick resistance)
• High Security (pick resistance through many different mechanisms—used only in Grade 1 & 2 locks)

Perimeter Security

Lighting
• Know lighting terms and types of lighting to use in different situations (inside v. outside, security posts, access doors, zones of illumination)
• It is important to have the correct lighting when using various types of surveillance equipment.
• Lighting controls and switches should be in protected, locked, and centralized areas.

Perimeter Security

“Continuous lighting:” An array of lights that provides an even amount of illumination across an area.

“Controlled lighting:” An organization should erect lights and use illumination in such a way that does not blind its neighbors or any passing cars, trains, or planes.

“Standby Lighting:” Lighting that can be configured to turn on and off at different times so that potential intruders think that different areas of the facility are populated.

“Redundant” or “backup lighting:” Should be available in case of power failures or emergencies.

“Response Area Illumination:” Takes place when an IDS detects suspicious activities and turns on the lights within the specified area.

Perimeter Security

Surveillance Devices
• These devices usually work in conjunction with guards or other monitoring mechanisms to extend their capacity.
• Know the factors in choosing CCTV, focal length, lens types (fixed v. zoom), iris, depth of field, illumination requirements

Perimeter Security

“Focal length:” The focal length of a lens defines its effectiveness in viewing objects from a horizontal and vertical view.

The sizes of images that will be shown on a monitor along with the area that can be covered by one camera are defined by focal length.
• Short focal length = wider angle views
• Long focal length = narrower views

Perimeter Security

“Depth of field:” Refers to the portion of the environment that is in focus

“Shallow depth of focus:” Provides a softer backdrop and leads viewers to the foreground object

“Greater depth of focus:” Not much distinction between objects in the foreground and background.

Perimeter Security

Intrusion Detection systems are used to detect unauthorized entries and to alert a responsible entity to respond.

Know the different types of IDS systems (electro-mechanical v. volumetric) and changes that can be detected by an IDS system.

Perimeter Security

Patrol Force and Guards
• Use in areas where critical reasoning skills are required

Auditing Physical Access
• Need to log and review:
  » Date & time of access attempt
  » Entry point
  » User ID
  » Unsuccessful access attempts
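One way to review the four logged fields listed above, flagging bursts of unsuccessful attempts per user ID and a grant that follows such a burst. This is an added example, not part of the original presentation; the log format, field names, threshold, and sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed badge-reader export carrying the fields the slide lists:
# date and time, entry point, user ID, and whether the attempt succeeded.
SAMPLE_LOG = """timestamp,entry_point,user_id,result
2016-01-20T08:01:12,lobby,u1001,GRANTED
2016-01-20T22:14:03,datacenter-east,u2040,DENIED
2016-01-20T22:14:40,datacenter-east,u2040,DENIED
2016-01-20T22:15:22,datacenter-west,u2040,DENIED
2016-01-20T22:16:05,datacenter-west,u2040,GRANTED
2016-01-21T09:30:00,lobby,u1001,DENIED
2016-01-21T13:45:00,lobby,u1001,DENIED
"""


def review(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return findings for bursts of denied attempts by the same user ID."""
    recent = defaultdict(deque)  # user_id -> recent denied (time, entry_point)
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: r["timestamp"])
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        user = row["user_id"]
        denied = recent[user]
        # Drop denials that have aged out of the sliding window.
        while denied and ts - denied[0][0] > window:
            denied.popleft()
        if row["result"] == "DENIED":
            denied.append((ts, row["entry_point"]))
            if len(denied) == threshold:  # fire once per burst
                findings.append({
                    "kind": "repeated_denials", "user_id": user, "at": ts,
                    "entry_points": sorted({p for _, p in denied}),
                })
        elif len(denied) >= threshold:
            # A grant straight after a burst of failures deserves a look.
            findings.append({
                "kind": "granted_after_denials", "user_id": user, "at": ts,
                "entry_points": [row["entry_point"]],
            })
            denied.clear()
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```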

Physical Security

Final Concept to Guide in Assessing Physical Security Issues on Exam:
• Deterrence
• Delay
• Detection
• Assessment
• Response

Physical Security

Resources
• All in One Book (Shon Harris, 2005)
• Official (ISC)² Guide to the CISSP CBK ((ISC)², 2006)

