Usage Rights

© All Rights Reserved

    Chapter008 Presentation Transcript

    • Chapter 8 Physical Security
    • Objectives
      • Manage the problems of dispersion and diversity
      • Factor the concept of secure space into a physical security scheme
      • Construct a security process using a security plan
      • Mitigate physical security threats
    • Physical Security
      • Physical security safeguards assets from non-digital threats
        • Protects information processing facilities and equipment from deliberate or accidental harm
        • More involved and complex
        • Essential to protecting information asset base
      • Uncontrolled physical space makes it easy for an attacker to subvert most security measures
        • Proximity to the equipment allows attackers to mount attacks more easily
    • Problems of Dispersion and Diversity
      • Physical security accounting and controlling processes have become more difficult with the advent of distributed systems
        • Difficult to secure effectively because network resources are diverse and widely distributed
        • External parts of a network
          • Telephone, cable lines, broadband interface
        • Protection of less obvious non-computerized information repositories
    • Problems of Dispersion and Diversity
      • Collections of assets have different protection requirements
      • Establishing safeguards:
        • Physical asset accounting framework that itemizes the physical records and resources
        • This framework requires maintaining a perpetual inventory of tangible assets as well as rules for controlling each asset
          • Combination of a defined set of assets and the associated controls is called secure space
    • The Joy of Secure Space
      • Safeguarding a facility requires deliberately creating a secure space
        • Define physical perimeter or boundary
        • Deploy countermeasures to assure the security, confidentiality, and integrity of the items
        • Delineate the boundary of all controlled locations
        • Factors to be considered in establishing a secure space:
          • Location
          • Access
          • Control
    • The Joy of Secure Space
      • Factor 1: Ensuring the location
        • Secure physical assets proportionate to the risks resulting from unauthorized access to that facility
      • Factor 2: Ensuring controlled access
        • Access is a privilege, which is individually assigned and enforced, rather than a right
      • Factor 3: Ensuring control of secure space
        • Based on the specification and enforcement of a set of behaviors that can be objectively monitored
    • Physical Security Process and Plan
      • Physical security process
        • Guarantees that the effective safeguards are in place
        • Effectiveness is ensured by making certain that:
          • Threats have been identified
          • Associated vulnerabilities have been accurately characterized, prioritized, and addressed
        • Implemented through planning
        • Supervised and enforced by consistent and ongoing management
    • Physical Security Process
      • Identify the items to be protected
      • Three classes of items requiring assurance:
        • Equipment – includes tangible things such as hardware and network connections
        • People – involves human resources and is part of the personnel security process
        • Environment – includes hazards associated with the environment as well as the safety requirements of the physical space
    • Physical Security Plan
      • Should be developed once an understanding of the threat environment has been developed
        • Establishes a response to events that represent potential harm and that have a reasonable probability of occurrence
        • Responds to a threat by recommending the deployment of a set of countermeasures
        • Effective planning for all contingencies ensures efficient disaster recovery
    • Physical Security Plan
      • Ensuring effective planning
        • Implemented through a formal, organization-wide plan aligned with both business and information assurance goals
        • Should specify the threats associated with the protected items in the secure space and specify countermeasures
        • Should be able to respond to all credible threats in advance
        • Establish controls to ensure that the secure space is not susceptible to intrusion and that sensitive materials are stored in secure containers
        • Should ensure that the organization responds effectively to natural disasters
        • Implementation plan is overseen by the audit function that monitors and enforces accountability
    • Physical Security Plan
      • Defense-in-depth countermeasures
        • Built around measures to extend the time it takes for a threat to cause harm
        • Involves design of the steps to detect, assess, and report probable physical threats or intrusions
        • In the threat assessment process, a decision has to be made about the probabilities of occurrence and harm
          • The outcome of that assessment should produce a manageable set of threats, which are likely to occur for that particular space
    • Physical Security Targets and Threats
      • It is important to factor four threat types into a comprehensive physical security plan:
        • Facilities
        • Equipment
        • People
        • Environment
    • Threats to the Facility
      • Ensuring clean and steady power
        • Power problems affect computers in three ways:
          • Damage the hardware, causing downtime
          • Affect network availability – lost productivity
          • Result in a loss of data
        • Potential infrastructure hazards to look for are:
          • Voltage swings
          • Drains
          • Hazardous wiring
        • Eliminating fluctuations
          • Surge suppressors, Uninterruptible Power Supplies
        • Ensure that access to physical controls is enforced
    • Threats to the Facility
      • Ensuring other building systems
        • Ensure that other critical building systems are reliable such as:
          • Heating
          • Ventilation
          • Air conditioning
          • Plumbing
          • Water supply systems
    • Safeguarding Equipment
      • Physical security process safeguards tangible items, which include:
        • Communication, processing, storage, and input or output devices
      • Countermeasures assure safety and security
      • Conventional physical access control measures establish the integrity of controlled spaces
        • Measures include locks, passcards, RFID, swipecard readers, video cameras, and safes
        • May also include human-based monitoring and control methods
    • Safeguarding Equipment
      • Protecting networks: ensuring integrity over a wide area
        • Prevent unauthorized access
          • Technical countermeasures for security include:
            • Interruption sensors
            • Line monitors
            • Emanations security
        • Security failures on networks:
          • Unauthorized users intercept information by physically accessing network equipment
          • The network is unable to carry out its transmission functions
    • Safeguarding Equipment
      • Protecting portable devices
        • Problem of ubiquitous portability requires adherence to the following principles:
          • Ensure that the device itself is always controlled
            • Assign individual responsibility and enforce accountability for all portable devices
          • Ensure that the data on the device is secure
            • Ensure that sensitive data cannot be transported or displayed without authorization and accountability
          • Ensure that the controls provided to secure a portable item are easy for end users to follow
    • Controlling Access by People
      • Effective access control requires:
        • Designing a layered defense in the physical environment
        • Continuous monitoring and access control built in
      • Heart of access control systems is the ability to:
        • Grant convenient physical access to authorized people
        • Completely deny access to unauthorized ones
    • Controlling Access by People
      • Mechanisms for restricting physical access include:
        • Perimeter controls
      • Controls include restriction devices such as:
        • Natural barriers
        • Fence systems
        • Walls
        • Supplemented with mechanical barriers
          • Secure windows, doors, and locks
    • Controlling Access by People
      • Perimeter controls: barriers
        • Natural barriers
        • Structural barriers
          • Fences define the secure areas and enforce entry only at designated points
          • Gates and bollards are part of the restriction system
          • Closed circuit television (CCTV)
          • Monitors which provide three levels of control:
            • Detection – detects the presence of an object
            • Recognition – determines the type of object
            • Identification – determines the object details
    • Controlling Access by People
      • Perimeter controls: intrusion detection
        • Ensures the integrity of a physical space
        • Monitors suspicious traffic, tracks intruders, and subsequently marks security holes discovered
        • Based on monitoring sensors and observing actions along the perimeter
        • Retrospective monitoring uses security logs or audit data to detect unauthorized accesses
        • Sensors installed at each access point establish perimeter protection
    • Controlling Access by People
      • Perimeter controls: guards and patrols
        • Low-tech, labor-intensive approach to access control
          • Provide an effective deterrent to unauthorized entry
          • Less expensive and no less reliable than automated systems
          • Not passive and cannot be disconnected or sabotaged as with high-tech solutions
          • They are subject to error
    • Controlling Access by People
      • Perimeter controls: structural and mechanical barriers
        • Doors and windows have to be strictly controlled since they are the most likely point of access
        • Considerations in determining which type of structure to be used:
          • Whether to employ a hollow-core versus solid-core technology
          • How to identify and address hinge and doorframe vulnerabilities
          • Whether to monitor use through contact devices such as switches and pressure plates
    • Controlling Access by People
      • Mechanical barrier devices: locks
        • Most widely accepted and employed barrier device
        • Types of locks include:
          • Cipher locks
          • Combination locks
          • Deadbolt locks
          • Smart locks
        • Keys are the authentication tokens for locks:
          • Security element rests with the control of keys
          • Most effective when used in a two-factor authentication system
            • Example: with a door PIN
    • Controlling Access by People
      • Biometric systems
        • An emerging authentication tool in physical access control
        • Based on exclusive physical attributes, which can be read and digitized
        • Can be used in conjunction with smart cards
        • Problem: scanning errors occur leading to false positives and false negatives
    • Controlling Access by People
      • Doubling the assurance: multiple factor authentication
        • Use of more than one form of authentication to control access; based on three broad categories:
          • What you are (for example, biometrics)
          • What you have (for example, tokens)
          • What you know (for example, passwords)
        • Simple multiple-factor authentication requires confirmation of at least two factors
        • Three-factor authentication combines three types
    • Controlling Access by People
      • Ensuring against the well-intentioned human being
        • Accidents and non-intentional acts are the most frequent cause of human-based harm
          • Proactive way to address human error is through training and drills
            • Keeps people continuously aware of their security responsibilities
            • It has to be continuous to be effective
          • Basic rule of thumb is a corollary to Murphy’s Law:
            • A disaster plan is an appropriate countermeasure
    • Mitigating the Effects of Natural Disasters and Fires
      • Response or disaster planning is the primary means of assuring against the broad category of natural disasters
      • Disaster response countermeasures center on:
        • Awareness
        • Anticipation
        • Preparation
    • Mitigating the Effects of Natural Disasters and Fires
      • Planning for fire prevention
        • Computers and their components are extremely flammable devices
        • Three primary issues associated with fire protection:
          • Prevention – reduction in the causes and sources
          • Detection – receiving a warning of fire
          • Suppression – extinguishing and containing a fire
    • Mitigating the Effects of Natural Disasters and Fires
      • Preventing fires
        • Good building design improves the chances of prevention
          • The use of fire-resistant materials in walls, doors, and furnishings
        • Reduce the number of combustible materials in the surrounding environment
        • Proactive approach to fire protection is fire-prevention awareness for employees
          • Response drills such as a fire drill
    • Mitigating the Effects of Natural Disasters and Fires
      • Fire detection
        • Provides warning as close to the fire event as possible
          • Most common are the ionization-type smoke detectors, which detect charged particles in smoke
    • Mitigating the Effects of Natural Disasters and Fires
      • Fire detection (cont’d)
        • Some kinds of non-equipment-related fires do not produce smoke
        • Two related types of detectors are:
          • Photoelectric or optical detectors – react to light blockage caused by smoke particles
          • Heat sensing – react to the heat of a fire
        • Downside in both methods – the fire has to be advanced enough to detect
    • Mitigating the Effects of Natural Disasters and Fires
      • Fire suppression
        • The first line of defense is the fire suppression system
        • Having the right type of fire extinguisher
          • Know that fire extinguishers have limited use
          • Halon is effective and it was the fire suppression agent of choice
          • FM200 (FM-200/heptafluoropropane)
            • Extinguishes a fire by both robbing it of oxygen and by its physical suppression effect
          • Water sprinkler system