Stephen S. Yau, CSE 465 & CSE591, Fall 2006: Physical Security for Information Systems

Date post: 19-Dec-2015


Physical Security for Information Systems


Importance of Physical Security

Most people focus on protecting logical systems (software that is running)

If you cannot protect the physical systems (computer hardware), you cannot protect the program and data running on the hardware

– Physical security deals with who has access to buildings, computer rooms, and the devices within them

– Protect sites from natural and man-made physical threats


Physical Security Threats

Weather
– Tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, etc.

Fire/chemical
– Explosions, toxic waste/gases, smoke, fire

Earth movement
– Earthquakes, mudslides

Structural failure
– Building collapse because of snow/ice or moving objects (cars, trucks, airplanes, etc.)


Physical Security Threats (cont.)

Energy
– Loss of power, radiation, magnetic wave interference, etc.

Biological
– Virus, bacteria, etc.

Human
– Strikes, theft, sabotage, terrorism and war


Physical Security Areas

Educating personnel
– An educated staff is the best weapon a company can have against illegitimate and accidental acts by others

Administrative controls
– Address procedural and codified applications of physical controls

Physical security controls
– Enforce proper controls for physical contact with system facilities


Physical Security Areas (cont.)

Technical controls
– Use of computer hardware and software to protect facilities, as opposed to some of the traditional “pure physical” techniques

Environmental/life-safety controls
– Ensure the infrastructure needed to maintain a proper operating environment for both human and machine


Educating Personnel

Security staff should be prepared for the potential of unforeseen acts

Other employees should be reminded periodically of the importance of helping keep their surroundings secure
– Being mindful of the physical and environmental considerations required to protect information systems

– Adhering to emergency and disaster plans

– Monitoring unauthorized use of equipment and services, and reporting those activities to security personnel

– Recognizing the security objectives of the organization

– Accepting the individual responsibilities associated with their jobs and those of their coworkers


Administrative Controls

Restricting Work Areas
– First identify access rights to the site in general

– Then decide the various access rights required by each location (rooms, elevators, buildings) within the site

Escort Requirements and Visitor Control
– In many government facilities, or facilities with strong government ties, foreign nationals are not allowed unescorted access to any site within the facility. Escorted access requires background clearance and an onsite identity check

– For less secure sites, a visitor must have a clear purpose for the visit and a confirmed contact within the site. A temporary badge is given after the visitor signs in at the security desk
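The two-tier model on this slide (site-wide rights first, then per-location rights), the escort rule for temporary visitor badges, and the audit trail listed later under Technical Controls, worked through as an added example that is not part of the lecture slides. The roles, areas, badge ids and times are all constructed for illustration; a real badge system would load them from its access-control database.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
# Tier 1 (site): roles allowed on site at all. Tier 2 (location): roles allowed per area.
SITE_ACCESS = {"employee", "contractor", "visitor"}
LOCATION_ACCESS = {
    "lobby": {"employee", "contractor", "visitor"},
    "office_floor": {"employee", "contractor", "visitor"},
    "server_room": {"employee"},
}
ESCORT_REQUIRED = {"visitor"}  # temporary visitor badges are valid only while escorted

@dataclass
class Badge:
    badge_id: str
    role: str
    expires: datetime  # a temporary badge issued at the security desk carries an expiry

def check_access(trail, badge, location, when, escort=None):
    """Decide one badge read: expiry, then site right, then location right, then escort."""
    permitted = LOCATION_ACCESS.get(location, set())
    # A valid escort holds a badge that needs no escort itself and is allowed in this area.
    escorted = escort is not None and escort.role not in ESCORT_REQUIRED and escort.role in permitted
    if when >= badge.expires:
        allowed, reason = False, "badge expired"
    elif badge.role not in SITE_ACCESS:
        allowed, reason = False, "no site access"
    elif badge.role not in permitted:
        allowed, reason = False, f"{badge.role} not permitted in {location}"
    elif badge.role in ESCORT_REQUIRED and not escorted:
        allowed, reason = False, "visitor without a valid escort"
    else:
        allowed, reason = True, "ok"
    trail.append((when.isoformat(), badge.badge_id, location, allowed, reason))  # audit trail
    return allowed, reason

def repeated_denials(trail, threshold=2):
    """Badge ids denied at least `threshold` times, a pattern an audit-trail review flags."""
    counts = Counter(entry[1] for entry in trail if not entry[3])
    return {badge_id for badge_id, n in counts.items() if n >= threshold}

def sample_day():  # constructed sample: a one-day visitor badge hosted by an employee
    trail, t = [], datetime(2006, 10, 3, 9, 30)
    visitor = Badge("V-0042", "visitor", datetime(2006, 10, 3, 18, 0))
    host = Badge("E-0007", "employee", datetime(2099, 1, 1))
    check_access(trail, visitor, "lobby", t, escort=host)  # allowed
    check_access(trail, visitor, "office_floor", t)  # denied: unescorted
    check_access(trail, visitor, "server_room", t, escort=host)  # denied: visitors barred
    return trail
```

Every read, allowed or denied, lands in the trail, so the same records that enforce the area restrictions also feed the later review of who tried to go where.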


Administrative Controls (cont.)

Site Selection
– Visibility
Most data centers are nondescript. They do not want to advertise what they are and attract undue attention

– Locale considerations
Neighborhood, local ordinances and variances, crime rate, hazardous sites nearby, such as landfills, waste dumps, or nuclear reactors, etc.

– Natural disasters

– Transportation
Airport, highways, railroads, etc.


Physical Security Controls

Perimeter Security Controls
– Gates, fences, turnstiles, mantraps

Badging
– Photo identification that not only authenticates an individual, but also continues to identify the individual while inside the facility


Physical Security Controls (cont.)

Keys and Combination Locks
– Mechanical locks, password locks, electronic locks, etc.

Security Dogs
– Well-trained dogs are good at detecting intruders or sniffing out explosives

Lighting
– Proper lighting could serve as a deterrent


Technical Controls

Smart card
– It carries a semiconductor chip with logic and nonvolatile memory

– It can store software that detects unauthorized tampering and intrusions to the chip itself and, if detected, can lock or destroy the contents of the chip to prevent disclosure or unauthorized use

– Three major types: contact, contactless, and combinations of the two


Technical Controls (cont.)

Audit Trails/Access Logs

Physical Intrusion Detection
– Metallic foil tape, infrared light beams, motion sensors

Alarm Systems
– Systems like ADT that monitor and respond to intrusion alerts from a central location


Technical Controls (cont.)

Biometrics
– Use characteristics of a human, such as face, eyes (iris), voice, fingerprints, DNA, hands, signature, and even body temperature

– Using biometrics in conjunction with standard forms of authentication (such as password, smart card, etc.), security can be further enhanced

– Need to balance convenience with security

[t1-ch11.4, t2-ch12.4]


Environmental/Life-safety Controls

Power
– When there is a power outage, emergency lights and the continued functioning of electronic gates are needed

– Computers will not function without power

– Uninterrupted: Uninterrupted Power Service (UPS) and emergency power-off switch

– Constant voltage and current: regulator


Environmental/Life-safety Controls (cont.)

Fire/Chemical Detection and Suppression
– Targets: explosions, toxic waste/gases, smoke, fire

– Detectors: heat sensor, flame detector, smoke detector

– Extinguishing systems: water-sprinkler or gas-discharge system

Heating, Ventilation and Air Conditioning
– Computers require temperature and humidity control to function correctly

– The humans who operate the systems need a reasonable working environment
