Physical Security

“Least sexy of the 10 domains but the best firewall in the world will not stand up to a well placed brick.”

Physical Security

Addresses threats, vulnerabilities, countermeasures to physically protect org’s resources & sensitive info

Natural disasters Unauthorized entry and/or theft

Threats Risk analysis or business impact

assessment identify threats Seven major sources of physical loss

1. Temperature2. Gases3. Liquids4. Organisms5. Projectiles6. Movement7. Energy Anomalies

Controls for Physical Security

Administrative Controls Emergency Procedures, Personnel

control, & planning and policy implementation

Physical & Technical Controls

Facility Requirements Planning

Planning done in early stages of construction of data facility

Choosing a Secure Site Designing a Secure Site

Choosing a Secure Site Visibility: neighbors, external markings Local Considerations: near possible threats,

local crime rate Natural Disasters: weather related,

earthquake fault Transportation: excessive air, highway or

road traffic Joint Tenancy: HVAC controls, elecriticity External Services: local emergency,

hospitals

Designing a secure site Walls: fire ratings rooms & storage Ceilings: weight-bearing, fire rating Floors: weight bearing, static, electrical cables Windows: none or translucent & shatterproof Doors: resist forcible entry, fire rating, personnel

safety is first Sprinkler systems: fire resistant rating of not less than

1 hour Liquid or gas lines: positive (outward) flow Air Conditioning: dedicated power circuits, positive air

flow Electrical Requirements: dedicated circuits,

alternative

Facility Security Management Audit Trails

Detecting security violations Performance Problems Design & programming flaws Include: date & time, successful or not, Where

access granted, Who tried, data modified? Detective rather than preventative

Emergency Procedures Include: emergency shutdown procedures,

Evacuation, Employee training, periodic tests

Administrative Personnel Controls

Human resources department

Pre-employment screening Ongoing employee checks Post-employment procedures

Environmental & Life Safety Controls

“Physical controls necessary to sustain either computer’s operating environment (OE) or personnel’s OE”

Main Areas: Electrical Power Fire detection & suppression Heating, Ventilation, & Air Conditioning

(HVAC)

Electrical Power Noise

Radio frequency interference, EMI Cell phones, laptops, other ele. Equip. EMI eavesdropping Power line conditioning, proper shielding,

grounding, magnets, fluorescent lights, electric motors, space heaters

Brownouts & Sag (NYC 15% common) Surges & spikes when come back up

Humidity Low == static (20,000 volts possible)

Fire Detection & Suppression

Fire classes, combustibles, detectors, & suppression methods

Factors in priority order:1. Life safety aspects2. Fire threat of installation to occupants &

property3. Economic loss from computing function4. Economic loss from loss of equipment

Fire Classes & Combustibles

ClassesA. Common combustibles – water or soda

acidB. Liquid – CO2, soda acid, or halon

C. Electrical – CO2 or halon

Fire requires: oxygen, heat, & fuel Water: temperature, soda acid: fuel

supply, CO2 oxygen, halon: chemical reaction

Fire Detectors

Heat sensing Predetermined temp or fast change

Flame-actuated Infrared or pulsation of flame

Smoke-actuated In ventilation systems

Automatic dialup fire alarm

Fire Extinguishing Systems

Water Sprinkler Wet Pipe, Dry Pipe, Deluge, or Preaction

(combination of wet & dry pipe) Gas Discharge

Pressurized inert gas CO2 , halon, argon, argonite, inergen

After the fire Contamination

Smoke: little damage at first, residue Heat Water Suppression medium

Water damage Shutoff power Move equipment Drain Wipe parts & spray

Physical & Technical Controls

Facility Control Requirements Facility Access Control Devices Intrusion Detection & Alarms Computer Inventory Control Media Storage Requirements

Facility Control Requirements

Guards Dogs Fencing Mantrap Lighting Locks Closed Circuit TV

Facility Access Control Devices

Security Access Cards Dumb: photo id Smart: digital coded smart card Smarter: processor on card

Wireless Proximity Readers Passive, field powered, transponders

Biometric

Intrusion Detection & Alarms

Perimeter Intrusion Detectors Photoelectric & dry contact switches

Motion Detectors Wave pattern (reflection), capacitance

(electrical field), audio detectors Alarm Systems

Local, central station, proprietary Line supervision

Computer Inventory Control

Physical PC Control Cable locks Port controls Switch Controls Peripheral Switch Controls Electronic Security Boards

Laptops

Media Storage Requirements Ongoing Storage

Access & Environment Disposal

Clearing – overwriting (7 times min), Purging – Degaussing or overwriting, Destruction

Erasing only changes FAT, Damaged sectors not changed, overwrite may not change cause new file shorter,

Encryption of sensitive data

Simplest Way to check physical Security

“walk-about”