My salary means yearly my employer pays approximately $700 in workers comp for me. If I was in Jersey that’d be over $2000.
CISSP week 26
Domain 10 CISSP Official CBK 3rd Edition
Physical Security Program: Purpose
• Designed to prevent the interruption of operations and provide for
the security of information, assets, and personnel.
• Risks include:
Violence and crime
The Security Survey
• The first step is to determine the protection objectives:
• Threat Definition
• Target Identification
• Facility Characteristics.
• Goal is to mitigate justified risks and not
waste money on ineffective security.
• The first step is to identify what assets need to be protected.
• Set a prioritization for assets.
• Assets can be personnel, property, equipment, or information.
• Identify the impact and consequences of an asset loss.
• Several security professionals should be included in a facility
walkthrough. The more eyes and the more experience the better.
• Overnight security guards get bored and wander around all night; as
such, they are usually the best source for identifying weaknesses.
American Institute of Architects
List of Key Security Concerns
• Facility security control during and after hours
• Personnel and contract security policies and
• Personnel screening
• Site and building access control
• Video surveillance, assessment, and archiving.
• Natural surveillance opportunities.
• Protocols for responding to internal and
external security incidents.
• Degree of integration of security and other
• Shipping and receiving security
Property Identification and tracking
Proprietary information security
Computer network security
Workplace violence prevention
Mail screening operations, procedures, and
Parking lot and site security
Data center security
Business continuity planning and evacuation
• The assessment should be done within the context of the defined
threats and the value of the organization’s assets.
• Each risk (front entrance, receptionist, etc.) should have its own
vulnerability level. (Very High, High, Medium High, Medium….)
• Your protective measures shouldn’t be more expensive
than the assets you’re protecting.*
• Single Loss Expectancy vs Annual Rate of Occurrence (SLE/ARO)
• Again, the goal of this whole process is the protection of life, property, and
• Countermeasures should be appropriate and effective to reduce the risk.
• Must balance employee convenience and a secure facility.
• Security shouldn’t be sacrificed for convenience, but a lot can be done to make
the user’s life easier.
• Security is always easier to set up from the beginning. Employees resist change
and push back every time things are changed. As such security should be done
right from the beginning, and only updated when necessary, not on a whim.
• The movement of people and materials through a facility is determined by the
design for access, delivery, and parking systems.
• Systems should be designed to maximize efficiency while minimizing conflicts
between entry and exit of vehicles and pedestrians.
• Normal street design is to minimize travel time and maximize safety.
• For security, roadways can be designed to minimize vehicle velocity
and to use the roadway as a protective measure.
• Straight line approaches should not be used. This allows a vehicle the
opportunity to gather the speed necessary to ram and penetrate the
• Approaches should be parallel to the perimeter with a barrier between the
road and building: earthen berms, high curbs, trees, etc.
• Existing streets can be retrofitted with barriers, bollards, swing gates, etc.
• Measures should be applied to keep vehicles from departing the roadway and
bypassing the countermeasures.
Crime Prevention through Environmental
• Provides direction to solve challenges of crime with organization
(people), mechanical (technology and hardware), and natural design
(architecture and circulation flow).
• Protection can be provided through aesthetically pleasing features
such as landforms, water, and vegetation.
• Thick vegetation should not be directly adjacent to a building and
thick ground cover over 4 inches tall could be a disadvantage.
• Facility should be designed with a single point of entrance for
guests/untrusted visitors. A receptionist should be available at this
• Windows are vulnerable and common entry points.
• Home windows shatter and cause hazardous conditions. (Note on window
• Buildings should be designed so that in the event of an explosion shattered
glass is mitigated. (Bushes, walls, special types of glass, secure door frame,
secure anchoring of frame to structure)
• Windows should ideally not be directly adjacent to doors. This prevents a
broken window allowing access to the door lock from the inside.
• Laminated glass, grills, screens, mesh, etc. can protect windows.
• Windows on ground level should not have the ability to be opened and
should have bars and alarm systems.
Types of Glass
• Annealed: Standard Glass
• Tempered Glass: Impact Resistant
• Wired glass: Wire mesh embedded in glass offering limited protection
• Laminated glass: Very shatter resistant. Still breakable, but shards are
held in place.
Glass Break Sensors
• Sensors can be installed to detect glass breaking.
• Acoustic (Listens for sound wave matching frequency of broken glass)
• Shock (Identifies shock wave when glass is broken)
• Also crap
• Dual mode (Acoustic and Shock required for alarm)
• Less crap
• Primary risks: Crime and vehicles hitting pedestrians
• Use signs to direct traffic and CCTV cameras to monitor for incidents.
• Bright lights reduce both risks
• 10-12 foot-candles over parked cars
• 15-20 foot-candles in walking and driving aisles.
• Exterior lights should be 12 feet above ground and should point
• Parking structure should be white to reflect light.
• Elevators and walkways should empty into the lobby, not into the
• Hurricane winds can exceed 155 MPH
• Tornado winds can reach 300 MPH
• Earthquakes shake things
• Floods…flood things…
• FIRE! FIRE!
• Fires cause damage due to heat, smoke, and water from suppression
• Fire protection water systems should be protected
from single points of failure.
• Incoming water line should be encased, buried, or located 50 feet
from high risk areas.
• Electric panels, conduits, and switchgear should be distributed
throughout the building to avoid single points of failure.
• Emergency generators should be located away from loading docks,
entrances, and parking areas. Preferably on a roof, protected level, or
protected interior area.
• Generator fuel storage should be located away from loading docks,
entrances, and parking areas. Access should be restricted and
protected including locking caps and seals.
• At least two phone lines on separate systems is good in case of
• If using VOIP, run at least 1 telephone landline to the security guard desk as a
• Cell phones are relatively cheap and should be provided to critical
• Maintain a phone list of critical employees.
• Set up a base radio and add a portable radio to each floor for
emergency internal communications.
• When possible protect utilities by placing them underground
• Protect drinking water from contamination
• Don’t provide signage saying “Critical power area” or “Single point of
failure for all of our power, water, and heat. Don’t hit with car!”
• Locate fuel storage tanks and operations buildings down slope and at
least 100 feet from buildings.
• Utility systems should be at least 50 feet from loading docks, front
entrances, and parking areas.
Primary Purpose of Security!
To protect personnel (people), assets (buildings, items), and
information (10010101011101) from death, destruction, or harm.
Workers comp costs
Insurance rate per $100 of payroll
• Perimeter security is made up of
several zones. The more zones,
the more defense-in-depth and
the better your security.
• Each zone can have different
• Security controls should be added
with care, using risk, vulnerability,
and threat assessment to balance
security and risk.
Physical Security elements
(Dodge, dip, dive, duck, and dodge)
• Visible security will make adversaries reconsider. If you’re the secure bank with a sniper on the
roof and a turret mounted machine gun operated by an annoyed robot, and the bank 2 blocks
over (out of sniper sight) has an electric alarm from Radioshack and you both have equal assets
that can be stolen…guess who’s going to be chosen.
• Detection devices allow prompt notification that a break-in has occurred. These can be cameras,
motion sensors, infrared sensors, glass sensors, etc.
• This is the key to physical security. Your protection and detection components are attempting to
alert and delay adversaries for as long as is necessary for police or security to arrive. Glass windows
only need to last 15 minutes of pounding if a guard walks by every 15 minutes. Even that’s overkill
since the guard would be able to hear several minutes before and after while he’s in the vicinity. A
safe only has to last long enough for a response, etc.
• A response force must be told that an unauthorized entry has been attempted. Police, security,
mercenaries, the sniper, etc.
Critical components to protect
Emergency generator: includes fuel systems, water supply, sprinklers, etc.
Telephone and switchgear
Building Control Centers
UPS power supplies
Elevator, stair, and utility shafts
Emergency power feeders.
Good fences make good neighbors
• If using a perimeter fence, here are the recommendations:
Standard is 6 foot high fence with 2 inch mesh squares.
9 gauge vinyl or galvanized metal
Posts should be every feet and anchored into cement
Barbed wire angled out from the top of the fence at a 45 degree angle away from the
Fence + barbed wire = 7 foot tall.
Base of fence wire should have a post so fence can’t be pushed or crawled under.
For high security, add a double fence with rolls of barbed wire between the fences.
Fences are psychological deterrents and boundary markers and are easily
• Gates control access to vehicles and people entering/exiting the
• The higher security of the controlled area, the fewer gates should
• One is the optimal number for security, but not very practical with
• Each gate requires authentication resources:
• Automated system (cards, keycodes, etc)
• Human guards
• Walls are more expensive than fences but offer a softer view.
• Effective walls should be 7 feet high with 3 or 4 strands of barbed
wire on top.
• The disadvantage of walls is view obstruction.
• Passive Infrared sensors are designed for human body detection.
• Measures changes in heat in an area.
• Active Infrared sensors send an IR signal to a receiver. If the signal is
interrupted then an alarm triggers.
• Laser tripwire basically.
• Send a controlled microwave pattern into protected area. Baseline is
established and any variance is reported as an alarm.
• Passes through concrete and steel and should not be pointed
adjacent to a roadway or adjacent buildings or false positives will
• Uses separate devices for sensor and receiver. Sends microwave emission
between sensor and receiver and looks for variance.
• Has both sensor and receiver in the same unit. Generates a well controlled
beam that can be adjusted to monitor a specific region.
Left to right:
Passive, bistatic, multistatic (Radar)
Coaxial Strain-Sensitive Cable
• Coaxial cable is woven through a fence. The cable transmits an
electric field. If someone tries climbing or cutting the fence, the field
fluctuates and is detected in the cable. When this occurs an alarm
• Very tunable, susceptible to weather and climate.
• Some are susceptible to EMI and RFI
Video Content Analysis and Motion Path
• CCTV cameras can be piped to computers for software analysis. The
software can identify pixel changes and filter out known events to
identify suspicious events and raise alarms.
• Lighting deters intruders.
• It also makes it easier to see.
• Ideally lighting will allow security and employees to notice individuals
at night at a distance of 75 feet or more. They should be able to
identify a human face at 33 feet.
• Ideally place lighting higher to allow it to disperse naturally and
produce a better aesthetic.
Types of Lighting
• Fluorescent Lights
• Highly efficient and cost effective.
• Temperature sensitive. Not effective for outdoor lighting.
• Mercury Vapor Lights
Preferred security light. Disperses strong white-bluish light.
Extended lamp life.
Take time to come to full light.
Common at stadiums.
• Sodium Vapor Light
• Soft yellow light.
• More efficient than mercury vapor.
• Used in foggy conditions.
• Quartz Lamps
Very bright white light
High wattage – 1500-2000 watts.
Used on perimeters and troublesome areas for high visibility and daylight levels of light.
• Most black and white CCTV cameras can see Infrared (IR)
• Infrared illuminators can be set up in areas
to enhance camera visibility.
• Card Types:
• Magnetic Stripe
Can be physically damaged by use
Data can be affected by magnetic fields
• Proximity Card (Prox Cards)
• Use embedded antenna wires connected to a chip within the card.
• Chip is encoded with unique card identification.
• Read distance varies by manufacturer and installation.
• Smart Cards
• Credential cards with a microchip embedded in them.
• Can store access transactions, licenses held by individuals, qualifications, safety training,
security access levels, and biometric templates.
• Card can double as an access card for doors and be used as an authenticator for a computer.
Additional Security measures
• Along with a magstripe, prox, or smart card you can add additional
measures to an authentication transaction:
• PIN in keypad
• Biometric reader
Fun with access Control Systems (ACS)
• When new users are enrolled, they are stored to a central
• This repository is mirrored to all readers on a consistent basis.
• If the reader loses access to the central repository, it’s still able to
authenticate known users, just not new additions.
More fun with ACS systems…
• Many prox and smart cards have “slots”. These slots hold things such
as PKI certificates or biometric data.
• Biometric data such as your thumb print.
• So in the event the prox reader can’t communicate with the central
computer, it can still authenticate you based on the card prox number
and the thumb print scan on the badge.
• Viewer is able to view multiple locations from a centralized area.
• Viewer is able to assess the situation from a safe distance before choosing an
• May deter unsophisticated burglars, vandals, and intruders
• Evidentiary Archives
• Archived images/video may be helpful for identification and prosecution of
trespassers, vandals, and intruders.
• Color cameras provide more details like color of clothes or color of
• Black and white cameras are better in low light conditions.
• Cameras must have auto-white balance to adjust to changing color
temperatures of daylight and artificial light.
• Color cameras require more illumination levels.
• High quality color cameras work down to 1.5 foot-candle (fc)
illumination. Black and white work down to 0.5 fc.
Outdoor cameras are more expensive than indoor.
Lighting changes depending on time of day and weather.
Shrubs, trees, and vegetation can obstruct views.
In cold weather, a heater blower should be added to the camera housing.
Auto-iris lenses should be used since they automatically adjust to light. Strong
sunlight can damage a camera without this feature.
Set the focus in low light with an auto-iris. The focus will stay with more light, but
not if reversed.
“Neutral density (ND)” filters can be added to reduce lighting without changing
the color of the image.
Try to avoid direct sunlight in an image.
Try to avoid sky view in the camera, this will impair the contrast.
• Fixed position Camera
Cannot rotate or pan.
Good for motion detection.
Allows for “pre-alarm” where you can view images from before an alarm.
Unable to follow a dynamic event.
• Pan/Tilt/Zoom (PTZ) Cameras
• Cameras allow rotation, panning, tilting, and zooming.
• Due to extra electronics these usually cost 4 times more than a standard camera.
• Not suited for pre-alarm assessment since the alarm area can change at all times.
• Dome Cameras
• Cheaper than PTZ
• Hardened plastic lower dome, usually smoke colored to conceal camera.
• Better protected in harsh conditions
• IP cameras capture digital video.
• The camera is connected to a LAN network and video is sent over the
• Least secure system.
• Cost more than CCTV cameras.
• Not normally suitable for high-risk projects
• Deter unauthorized entry into a facility
• Response force to alarm activations
• Guards are required to conduct foot patrols of building interiors,
exteriors, and parking areas.
• Some guards will be stationary at entrances or security offices.
• Required to respond to fire, security, and medical emergencies, and
to render assistance when needed.
• Must be able to submit written and verbal reports regarding
Security Guard Affiliations
• Proprietary (Company Employees)
Increased quality of personnel
Control of security program
Prestige for both employee and company
Disadvantage: cost, administration, staffing, impartiality, expertise
Largest disadvantage is time to create an effective security program.
Easily adapts to staffing levels
Total cost is rolled into single hourly billable rate: salary, insurance, admin cost, uniforms, benefits.
Contract security is generally impartial.
Guards are easy to replace.
Contract guards usually cost less than proprietary since they’re just a head.
• It’s possible to use some proprietary and some contract security to provide better control over your security
program while making the program cost effective.
• For secure facilities, generally two guards are on at all times, 24/7.
• Guard 1 is stationed in a security console center and monitors cameras, intrusion systems,
and fire systems.
• Guard 2 does walkthroughs and assigned tasks.
• Many organizations use UL 1981 Standard for high security facilities to designate
• Requires staffing to be such that all alarm signals can be acknowledged and appropriate
dispatch and verification action can be initiated not more than a defined period after the
monitoring facility receiver acknowledges.
• The Security Control Center should be located on the main floor or the basement
as long as the area is not below ground level (flood protection)
• Entry must be controlled and only authorized personnel allowed in.
• A sign-in sheet should be hung up to document any non-authorized personnel being escorted in (police,
temporary staff, executives, etc.)
• Must have primary and secondary power sources. Secondary power should last for at least 24
• Visitors should be required to sign in and sign out, and document
their purpose of visit.
• A visitor badge should be given to identify them as a non-employee.
• This badge should not be an access card
• The badge should state if they require an escort or not. If an escort is
required, the badge should have the name of the escort to make that person
• Some visitor systems can read government issued IDs by swiping
them and identify if the ID is properly formatted or is falsified. The
data is populated into a database as a record.
• Door assemblies include the door, its frame, and the anchorage to the
• Exterior doors should be designed to fit snugly in the doorframe,
• Perimeter doors should be hollow steel doors or steel clad doors with steel
• Latch and frame anchor should match the strength of the door and frame.
• Hinges should be on the interior of restricted areas.
• Doors housing sensitive areas should have an automatic door closing
Why Hinges should be inside….
• Actuates the door bolt
• Some retract the lock without user intervention
• Some offer request-to-exit switches
• Often requires new door for retrofit
• Requires special door hinge to accommodate wiring harness
• Can be configured in fail-safe or fail-secure modes.
• Strike is removed (vs bolt being removed)
• Can be configured in fail-safe or fail-secure modes.
• Unrestricted exit access is allowed.
• Can easily be retrofitted to old doors.
• Easy retrofit
• Mounted on door and doorframe
• Continuous electric current is provided to hold the door closed.
• Locks are fail-safe (fail open) on power loss.
• US Life safety Codes require magnetic lock doors have a manual
override device and an automated sensor or Request To Exit device.
• Locks are controlled by a card reader.
• Requires user to badge in and out when entering and leaving.
• Easy for accountability
• Some systems only allow single entry. To enter again the user must
have left. This stops people from dropping badges out windows or
cloning them to get multiple people inside.
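The single-entry rule above (commonly called anti-passback) can be checked by replaying a badge log, as in this added example, which is not part of the original slides. The event format, badge IDs and class name are constructed for illustration; exits are always granted here and only flagged, which is a design choice of this sketch.

```python
# Constructed sample badge log: (time, badge ID, reader direction).
SAMPLE_EVENTS = [
    ("08:00:01", "B-1001", "IN"),
    ("08:00:09", "B-1002", "IN"),
    ("08:03:40", "B-1001", "IN"),   # second entry with no exit in between
    ("12:01:15", "B-1002", "OUT"),
    ("12:30:02", "B-1003", "OUT"),  # exit with no recorded entry
    ("12:45:10", "B-1002", "IN"),
    ("17:00:00", "B-1001", "OUT"),
]


class AntiPassback:
    """Tracks which badges are inside and applies the single-entry rule."""

    def __init__(self):
        self.inside = set()      # badges currently badged in
        self.violations = []     # (time, badge, reason) for guard follow-up

    def process(self, ts, badge, direction):
        """Return True if the reader should release the door."""
        if direction == "IN":
            if badge in self.inside:
                # Badge was handed back out, or a clone is in use.
                self.violations.append((ts, badge, "entry while already inside"))
                return False
            self.inside.add(badge)
            return True
        if direction == "OUT":
            if badge not in self.inside:
                # Holder got in without badging (tailgated); let them out, flag it.
                self.violations.append((ts, badge, "exit without recorded entry"))
            self.inside.discard(badge)
            return True
        raise ValueError(f"unknown reader direction: {direction!r}")


def replay(events):
    """Replay a log; return (decisions, violations, badges still inside)."""
    acs = AntiPassback()
    decisions = [acs.process(ts, badge, direction) for ts, badge, direction in events]
    return decisions, acs.violations, sorted(acs.inside)


if __name__ == "__main__":
    decisions, violations, occupants = replay(SAMPLE_EVENTS)
    for v in violations:
        print("VIOLATION", *v)
    print("Still inside:", occupants)
```

The list of badges still inside is the accountability benefit the slide mentions: it is the roster a guard would check during an evacuation.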
• Prevents piggybacking or tailgating
• Assists guards in verifying that all
users badge in individually
• Room where you must enter, allow the door to close behind you, and
then enter another door which will unlock only once you are
locked in the room.
• This allows employees to know if someone is piggybacking.
• A footstep detecting floor can be added to identify the number of
people in the room.
• Last line of defense.
• You should have spent more on guards, doors, and sensors.
• Different categories.
• Tool Resist
• Rating of TL-15 means it’s tool resistant for 15 minutes.
• To be TL-15 it must weigh at least 750 pounds or have anchors.
• Have a metal body that is solid or fabricated of at least 1 inch thick with tensile strength
of 50,000 PSI and is fastened to the floor with ¼ inch steel.
• No hole on the safe can be larger than ¼ inch when closed.
• Must have a relocking device if the lock is destroyed.
• Different Categories:
Class M – ¼ hour
Class 1 – ½ hour
Class 2 – 1 hour
Class 3 – 2 hour
• Measure biological characteristics
• Fingerprints, hand geometry, voice print, iris pattern, etc
• Common failures
• False acceptance (Type I error) – erroneously allows access by confusing one
user with another or falsely recognizing an imposter
• False rejection (Type II error) – fails to recognize a legitimate user
• Most biometrics can be tuned to adjust the false acceptance rate
(FAR) and false rejection rate (FRR)
• The spot where FAR and FRR meet is called the Crossover Error Rate (CER)
• CER can be used to compare accuracy between different devices
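How tuning moves FAR and FRR, and how the CER is found and used to compare devices, is shown in this added example, which is not part of the original slides. The two readers and their match scores are constructed; scores are assumed to run 0-100, with a higher score meaning a closer match to the stored template.

```python
# Constructed match scores for two hypothetical readers.
# "genuine": enrolled users presenting their own trait.
# "impostor": other people presenting against someone else's template.
DEVICES = {
    "reader_A": {
        "genuine":  [62, 70, 74, 78, 81, 85, 88, 90, 93, 97],
        "impostor": [20, 28, 35, 41, 47, 52, 58, 64, 71, 76],
    },
    "reader_B": {
        "genuine":  [55, 60, 66, 72, 75, 80, 84, 89, 92, 95],
        "impostor": [15, 22, 30, 38, 45, 57, 63, 68, 73, 79],
    },
}


def rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # real users refused
    return far, frr


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Sweep thresholds and return (threshold, FAR, FRR, CER).

    The crossover is the threshold where FAR and FRR are closest;
    ties go to the lowest threshold. CER is reported as their mean.
    """
    def gap(t):
        far, frr = rates(genuine, impostor, t)
        return (abs(far - frr), t)

    best = min(thresholds, key=gap)
    far, frr = rates(genuine, impostor, best)
    return best, far, frr, (far + frr) / 2


def better_device(devices):
    """Name of the device with the lowest CER (lower is more accurate)."""
    return min(devices, key=lambda name: crossover(**devices[name])[3])


if __name__ == "__main__":
    a = DEVICES["reader_A"]
    # Raising the threshold trades false accepts for false rejects.
    for t in (60, 71, 80):
        far, frr = rates(a["genuine"], a["impostor"], t)
        print(f"reader_A threshold={t}: FAR={far:.0%} FRR={frr:.0%}")
    for name, scores in DEVICES.items():
        t, far, frr, cer = crossover(**scores)
        print(f"{name}: crossover at threshold {t}, CER={cer:.0%}")
    print("More accurate device:", better_device(DEVICES))
```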
• Compares pattern on fingers to a stored template
• Some require multiple fingers for either:
• More accuracy – harder to forge multiple fingerprints
• More flexibility – injury to one finger doesn’t bar access
• Modern scanners detect temperature and pulse
• Facial image
• Compares facial features to stored image
• Eye width, mouth width, nose height – general proportions
• Hand geometry
Uses distance between knuckle joints, finger lengths
Generally faster than other biometrics
Higher false acceptance rates
• Voice recognition
• Less expensive
• Require isolation from background noise
• Often paired with another access check like a PIN
• Iris patterns
• Iris is less susceptible to theft or injury than fingers
• Slower – typically about 2 seconds per check
• Some people don’t like having their eyes scanned
• Retina scanning
Scans blood vessels at the back of the eye
Very high security but lots of hurdles to implementing
Slow - Typically 10 seconds per check
Intrusive – have to take off glasses, hold very still
Some people think it will damage their eyes
• Signature dynamics
• Compares stored signature style
• Speed of writing, direction, as well as finished signature
• Easy for signers – don’t need to learn anything new
• Vascular patterns
• Maps veins in hands or fingers
• Difficult to forge
• Contact-less – hygiene benefits
• Keystroke dynamics
• Analyses the way a person types
• Keystroke rhythm template
• Dwell time – how long the key is pressed
• Flight time – time between key presses
Communications and Server Rooms
• Lightning protection
• Ground Potential Rise (GPR)
• Lightning strike to a grounding system
• Causes surge that can damage equipment, personnel
• Equipment damage may not manifest itself immediately
• Mean time before failure (MTBF) – average life expectancy of equipment
• Latent damage – shortens MTBF
• Can use fiber instead to avoid the issue
• Or isolate the circuits using optical isolators or isolation transformers
• Mounted in a non-conducting cabinet
• Called a High voltage interface (HVI)
Communications and Server Rooms
• Server room
• No windows
• Only one controlled entry
• Physical access to a system = game over
• So don’t let it happen!
• Metal conduits for cabling leading from/to (ideally everywhere)
Communications and Server Rooms
• Rack security
• Don’t stop at access control for the server room – lock server racks
• Doubtful that everyone with server room access needs access to every rack
• Do electricians need to get into the racks? Probably not
• Manageable rack locks
• Can be remotely configured for more advanced access control than classic keys
• Only allow unlocking during certain times of day
• Require manager approval
• Monitor temperature, power consumption
Work Area Security
• Server rooms, closets probably not the best place to put workspaces
• High security personnel behind more secured areas
• Outside of secured rooms
• Security containers – locking cabinets
• Clean desk approach – clean/lock everything up at the end of the day
• Maintain strong password protection on workstations
• Point screens away from windows
• Use privacy filters or screen protectors
• Shredding policy to destroy paper copies of sensitive information
Restricted Work Areas
• Sensitive Compartmented Information Facility (SCIF)
Prevent & detect visual, acoustic, technical, physical access
3 layers of 5/8 inch drywall, true floor to true ceiling
One door with X-09 combination lock
Door frame affixed to surrounding wall & strong enough to prevent distortion
Automatic door closer
Noisemaking device over doors, pointed at windows
HVAC requirements restricting size or requiring bars on ducts
Intrusion detection that response force can respond to within 15 minutes
Utilities and Power
• UPS – battery backup for short term power outages
• Activate automatically in power outage
• Typically diesel fueled
• Heating, ventilation, air conditioning
• Keeps system temperature in range to avoid damage or outages
• Detectors – sound alarm to give people a chance to escape
• Physical process (ionization)
• Sudden temperature changes
• High temps
Wet system – filled with water that sprays until water supply is shut off
Dry system – valve fills system with water when triggered
Pre-action system – water held back until detectors are activated
Deluge system – like pre-action but sprinkler heads are left open
• Halon – outdated, leaves residue, can injure personnel