Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

  • Be the first to comment

  • Be the first to like this


  1. 1. Chapter 8 Physical Security
  2. 2. Objectives <ul><li>Manage the problems of dispersion and diversity </li></ul><ul><li>Factor the concept of secure space into a physical security scheme </li></ul><ul><li>Construct a security process using a security plan </li></ul><ul><li>Mitigate physical security threats </li></ul>
  3. 3. Physical Security <ul><li>Physical security safeguards assets from non-digital threats </li></ul><ul><ul><li>Protects information processing facilities and equipment from deliberate or accidental harm </li></ul></ul><ul><ul><li>More involved and complex </li></ul></ul><ul><ul><li>Essential to protecting information asset base </li></ul></ul><ul><li>Uncontrolled physical space makes it easy for an attacker to subvert most security measures </li></ul><ul><ul><li>Proximity to the equipment allows attackers to mount attacks more easily </li></ul></ul>
  4. 4. Problems of Dispersion and Diversity <ul><li>Physical security accounting and controlling processes have become more difficult with the advent of distributed systems </li></ul><ul><ul><li>Difficult to secure effectively because network resources are diverse and widely distributed </li></ul></ul><ul><ul><li>External parts of a network </li></ul></ul><ul><ul><ul><li>Telephone, cable lines, broadband interface </li></ul></ul></ul><ul><ul><li>Protection of less obvious non-computerized information repositories </li></ul></ul>
  5. 5. Problems of Dispersion and Diversity <ul><li>Collections of assets have different protection requirements </li></ul><ul><li>Establishing safeguards: </li></ul><ul><ul><li>Physical asset accounting framework that itemizes the physical records and resources </li></ul></ul><ul><ul><li>This framework requires maintaining a perpetual inventory of tangible assets as well as rules for controlling each asset </li></ul></ul><ul><ul><ul><li>Combination of a defined set of assets and the associated controls is called secure space </li></ul></ul></ul>
  6. 6. The Joy of Secure Space <ul><li>Safeguarding a facility requires deliberately creating a secure space </li></ul><ul><ul><li>Define physical perimeter or boundary </li></ul></ul><ul><ul><li>Deploy countermeasures to assure the security, confidentiality, and integrity of the items </li></ul></ul><ul><ul><li>Delineate the boundary of all controlled locations </li></ul></ul><ul><ul><li>Factors to be considered in establishing a secure space: </li></ul></ul><ul><ul><ul><li>Location </li></ul></ul></ul><ul><ul><ul><li>Access </li></ul></ul></ul><ul><ul><ul><li>Control </li></ul></ul></ul>
  7. 7. The Joy of Secure Space <ul><li>Factor 1: Ensuring the location </li></ul><ul><ul><li>Secure physical assets proportionate to the risks resulting from unauthorized access to that facility </li></ul></ul><ul><li>Factor 2: Ensuring controlled access </li></ul><ul><ul><li>Access is a privilege, which is individually assigned and enforced, rather than a right </li></ul></ul><ul><li>Factor 3: Ensuring control of secure space </li></ul><ul><ul><li>Based on the specification and enforcement of a set of behaviors that can be objectively monitored </li></ul></ul>
  8. 8. Physical Security Process and Plan <ul><li>Physical security process </li></ul><ul><ul><li>Guarantees that the effective safeguards are in place </li></ul></ul><ul><ul><li>Effectiveness is ensured by making certain that: </li></ul></ul><ul><ul><ul><li>Threats have been identified </li></ul></ul></ul><ul><ul><ul><li>Associated vulnerabilities have been accurately characterized, prioritized, and addressed </li></ul></ul></ul><ul><ul><li>Implemented through planning </li></ul></ul><ul><ul><li>Supervised and enforced by consistent and ongoing management </li></ul></ul>
  9. 9. Physical Security Process <ul><li>Identify the items to be protected </li></ul><ul><li>Three classes of items requiring assurance: </li></ul><ul><ul><li>Equipment – includes tangible things such as hardware and network connections </li></ul></ul><ul><ul><li>People – involves human resources and is part of the personnel security process </li></ul></ul><ul><ul><li>Environment – includes hazards associated with the environment as well as the safety requirements of the physical space </li></ul></ul>
  10. 10. Physical Security Plan <ul><li>Should be developed once an understanding of the threat environment has been developed </li></ul><ul><ul><li>Establishes a response to events that represent potential harm and that have a reasonable probability of occurrence </li></ul></ul><ul><ul><li>Responds to a threat by recommending the deployment of a set of countermeasures </li></ul></ul><ul><ul><li>Effective planning for all contingencies ensures efficient disaster recovery </li></ul></ul>
  11. 11. Physical Security Plan <ul><li>Ensuring effective planning </li></ul><ul><ul><li>Implemented through a formal, organization-wide plan aligned with both business and information assurance goals </li></ul></ul><ul><ul><li>Should specify the threats associated with the protected items in the secure space and specify countermeasures </li></ul></ul><ul><ul><li>Should be able to respond to all credible threats in advance </li></ul></ul><ul><ul><li>Establish controls to ensure that the secure space is not susceptible to intrusion and that sensitive materials are stored in secure containers </li></ul></ul><ul><ul><li>Should ensure that the organization responds effectively to natural disasters </li></ul></ul><ul><ul><li>Implementation plan is overseen by the audit function that monitors and enforces accountability </li></ul></ul>
  12. 12. Physical Security Plan <ul><li>Defense in-depth countermeasures </li></ul><ul><ul><li>Built around measures to extend the time it takes for a threat to cause harm </li></ul></ul><ul><ul><li>Involves design of the steps to detect, assess, and report probable physical threats or intrusions </li></ul></ul><ul><ul><li>In the threat assessment process, a decision has to be made about the probabilities of occurrence and harm </li></ul></ul><ul><ul><ul><li>The outcome of that assessment should produce a manageable set of threats, which are likely to occur for that particular space </li></ul></ul></ul>
  13. 13. Physical Security Targets and Threats <ul><li>It is important to factor four threat types into a comprehensive physical security plan: </li></ul><ul><ul><li>Facilities </li></ul></ul><ul><ul><li>Equipment </li></ul></ul><ul><ul><li>People </li></ul></ul><ul><ul><li>Environment </li></ul></ul>
  14. 14. Threats to the Facility <ul><li>Ensuring clean and steady power </li></ul><ul><ul><li>Power problems affect computers in three ways: </li></ul></ul><ul><ul><ul><li>Damage the hardware, causing downtime </li></ul></ul></ul><ul><ul><ul><li>Affect network availability – lost productivity </li></ul></ul></ul><ul><ul><ul><li>Result in a loss of data </li></ul></ul></ul><ul><ul><li>Potential infrastructure hazards to look for are: </li></ul></ul><ul><ul><ul><li>Voltage swings </li></ul></ul></ul><ul><ul><ul><li>Drains </li></ul></ul></ul><ul><ul><ul><li>Hazardous wiring </li></ul></ul></ul><ul><ul><li>Eliminating fluctuations </li></ul></ul><ul><ul><ul><li>Surge suppressors, Uninterruptible Power Supplies </li></ul></ul></ul><ul><ul><li>Ensure that access to physical controls is enforced </li></ul></ul>
  15. 15. Threats to the Facility <ul><li>Ensuring other building systems </li></ul><ul><ul><li>Ensure that other critical building systems are reliable such as: </li></ul></ul><ul><ul><ul><li>Heating </li></ul></ul></ul><ul><ul><ul><li>Ventilation </li></ul></ul></ul><ul><ul><ul><li>Air conditioning </li></ul></ul></ul><ul><ul><ul><li>Plumbing </li></ul></ul></ul><ul><ul><ul><li>Water supply systems </li></ul></ul></ul>
  16. 16. Safeguarding Equipment <ul><li>Physical security process safeguards tangible items, they include: </li></ul><ul><ul><li>Communication, processing, storage, and input or output devices </li></ul></ul><ul><li>Countermeasures assure safety and security </li></ul><ul><li>Conventional physical access control measures establish the integrity of controlled spaces </li></ul><ul><ul><li>Measures include locks, passcards, RFID, swipecard readers, video cameras, and safes </li></ul></ul><ul><ul><li>May also include human-based monitoring and control methods </li></ul></ul>
  17. 17. Safeguarding Equipment <ul><li>Protecting networks: ensuring integrity over a wide area </li></ul><ul><ul><li>Prevent unauthorized access </li></ul></ul><ul><ul><ul><li>Technical countermeasures for security include: </li></ul></ul></ul><ul><ul><ul><ul><li>Interruption sensors </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Line monitors </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Emanations security </li></ul></ul></ul></ul><ul><ul><li>Security failures on networks: </li></ul></ul><ul><ul><ul><li>Unauthorized users intercept information by physically accessing network equipment </li></ul></ul></ul><ul><ul><ul><li>If the network is unable to carry out its transmission functions </li></ul></ul></ul>
  18. 18. Safeguarding Equipment <ul><li>Protecting portable devices </li></ul><ul><ul><li>Problem of ubiquitous portability requires adherence to the following principles: </li></ul></ul><ul><ul><ul><li>Ensure that the device itself is always controlled </li></ul></ul></ul><ul><ul><ul><ul><li>Assign individual responsibility and enforce accountability for all portable devices </li></ul></ul></ul></ul><ul><ul><ul><li>Ensure that the data on the device is secure </li></ul></ul></ul><ul><ul><ul><ul><li>Ensure that sensitive data cannot be transported nor displayed without authorization and accountability </li></ul></ul></ul></ul><ul><ul><ul><li>Ensure controls that are provided to ensure security of a portable item are easy for end-users to follow </li></ul></ul></ul>
  19. 19. Controlling Access by People <ul><li>Effective access control requires: </li></ul><ul><ul><li>Designing a layered defense in the physical environment </li></ul></ul><ul><ul><li>Continuous monitoring and access control built in </li></ul></ul><ul><li>Heart of access control systems is the ability to: </li></ul><ul><ul><li>Grant convenient physical access to authorized people </li></ul></ul><ul><ul><li>Completely deny access to unauthorized ones </li></ul></ul>
  20. 20. Controlling Access by People <ul><li>Mechanisms for restricting physical access include: </li></ul><ul><ul><li>Perimeter controls </li></ul></ul><ul><li>Controls include restriction devices such as: </li></ul><ul><ul><li>Natural barriers </li></ul></ul><ul><ul><li>Fence systems </li></ul></ul><ul><ul><li>Walls </li></ul></ul><ul><ul><li>Supplemented with mechanical barriers </li></ul></ul><ul><ul><ul><li>Secure windows, doors, and locks </li></ul></ul></ul>
  21. 21. Controlling Access by People <ul><li>Perimeter controls: barriers </li></ul><ul><ul><li>Natural barriers </li></ul></ul><ul><ul><li>Structural barriers </li></ul></ul><ul><ul><ul><li>Fences define the secure areas and enforce entry only at designated points </li></ul></ul></ul><ul><ul><ul><li>Gates and bollards are part of the restriction system </li></ul></ul></ul><ul><ul><ul><li>Closed circuit television (CCTV) </li></ul></ul></ul><ul><ul><ul><li>Monitors which provide three levels of control: </li></ul></ul></ul><ul><ul><ul><ul><li>Detection – detects the presence of an object </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Recognition – determines the type of object </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Identification – determines the object details </li></ul></ul></ul></ul>
  22. 22. Controlling Access by People <ul><li>Perimeter controls: intrusion detection </li></ul><ul><ul><li>Ensures the integrity of a physical space </li></ul></ul><ul><ul><li>Monitors suspicious traffic, tracks intruders, and subsequently marks security holes discovered </li></ul></ul><ul><ul><li>Based on monitoring sensors and observing actions along the perimeter </li></ul></ul><ul><ul><li>Retrospective monitoring uses security logs or audit data to detect unauthorized accesses </li></ul></ul><ul><ul><li>Sensors installed at each access point establish perimeter protection </li></ul></ul>
  23. 23. Controlling Access by People <ul><li>Perimeter controls: guards and patrols </li></ul><ul><ul><li>Low-tech, labor-intensive approach to access control </li></ul></ul><ul><ul><ul><li>Provide an effective deterrent to unauthorized entry </li></ul></ul></ul><ul><ul><ul><li>Less expensive and no less reliable than automated systems </li></ul></ul></ul><ul><ul><ul><li>Not passive and cannot be disconnected or sabotaged as with high-tech solutions </li></ul></ul></ul><ul><ul><ul><li>They are subject to error </li></ul></ul></ul>
  24. 24. Controlling Access by People <ul><li>Perimeter controls: structural and mechanical barriers </li></ul><ul><ul><li>Doors and windows have to be strictly controlled since they are the most likely point of access </li></ul></ul><ul><ul><li>Considerations in determining which type of structure to be used: </li></ul></ul><ul><ul><ul><li>Whether to employ a hollow-core versus solid-core technology </li></ul></ul></ul><ul><ul><ul><li>How to identify and address hinge and doorframe vulnerabilities </li></ul></ul></ul><ul><ul><ul><li>Whether to monitor use through contact devices such as switches and pressure plates </li></ul></ul></ul>
  25. 25. Controlling Access by People <ul><li>Mechanical barrier devices: locks </li></ul><ul><ul><li>Most widely accepted and employed barrier device </li></ul></ul><ul><ul><li>Types of locks include: </li></ul></ul><ul><ul><ul><li>Cipher locks </li></ul></ul></ul><ul><ul><ul><li>Combination locks </li></ul></ul></ul><ul><ul><ul><li>Deadbolt locks </li></ul></ul></ul><ul><ul><ul><li>Smart locks </li></ul></ul></ul><ul><ul><li>Keys are the authentication tokens for locks: </li></ul></ul><ul><ul><ul><li>Security element rests with the control of keys </li></ul></ul></ul><ul><ul><ul><li>Most effective when used in a two-factor authentication system </li></ul></ul></ul><ul><ul><ul><ul><li>Example: with a door PIN </li></ul></ul></ul></ul>
  26. 26. Controlling Access by People <ul><li>Biometric systems </li></ul><ul><ul><li>An emerging authentication tool in physical access control </li></ul></ul><ul><ul><li>Based on exclusive physical attributes, which can be read and digitized </li></ul></ul><ul><ul><li>Can be used in conjunction with smart cards </li></ul></ul><ul><ul><li>Problem: scanning errors occur leading to false positives and false negatives </li></ul></ul>
  27. 27. Controlling Access by People <ul><li>Doubling the assurance: multiple factor authentication </li></ul><ul><ul><li>Uses of more than one form of authentication to control access; based on three broad categories: </li></ul></ul><ul><ul><ul><li>What you are (for example, biometrics) </li></ul></ul></ul><ul><ul><ul><li>What you have (for example, tokens) </li></ul></ul></ul><ul><ul><ul><li>What you know (for example, passwords) </li></ul></ul></ul><ul><ul><li>Simple multiple-factor authentication requires confirmation of at least two factors </li></ul></ul><ul><ul><li>Three-factor authentication combines three types </li></ul></ul>
  28. 28. Controlling Access by People <ul><li>Ensuring against the well-intentioned human being </li></ul><ul><ul><li>Accidents and non-intentional acts are the most frequent cause of human-based harm </li></ul></ul><ul><ul><ul><li>Proactive way to address human error is through training and drills </li></ul></ul></ul><ul><ul><ul><ul><li>Keeps people continuously aware of their security responsibilities </li></ul></ul></ul></ul><ul><ul><ul><ul><li>It has to be continuous to be effective </li></ul></ul></ul></ul><ul><ul><ul><li>Basic rule of thumb is a corollary to Murphy’s Law: </li></ul></ul></ul><ul><ul><ul><ul><li>A disaster plan is an appropriate countermeasure </li></ul></ul></ul></ul>
  29. 29. Mitigating the Effects of Natural Disasters and Fires <ul><li>Response or disaster planning is the primary means of assuring against the broad category of natural disasters </li></ul><ul><li>Disaster response countermeasures center on: </li></ul><ul><ul><li>Awareness </li></ul></ul><ul><ul><li>Anticipation </li></ul></ul><ul><ul><li>Preparation </li></ul></ul>
  30. 30. Mitigating the Effects of Natural Disasters and Fires <ul><li>Planning for fire prevention </li></ul><ul><ul><li>Computers and their components are extremely flammable devices </li></ul></ul><ul><ul><li>Three primary issues associated with fire protection: </li></ul></ul><ul><ul><ul><li>Prevention – reduction in the causes and sources </li></ul></ul></ul><ul><ul><ul><li>Detection – receiving a warning of fire </li></ul></ul></ul><ul><ul><ul><li>Suppression – extinguishing and containing a fire </li></ul></ul></ul>
  31. 31. Mitigating the Effects of Natural Disasters and Fires <ul><li>Preventing fires </li></ul><ul><ul><li>Good building design improves the chances of prevention </li></ul></ul><ul><ul><ul><li>The use of fire-resistant materials in walls, doors, and furnishings </li></ul></ul></ul><ul><ul><li>Reduce the number of combustible materials in the surrounding environment </li></ul></ul><ul><ul><li>Proactive approach to fire protection is fire-prevention awareness for employees </li></ul></ul><ul><ul><ul><li>Response drills such as a fire drill </li></ul></ul></ul>
  32. 32. Mitigating the Effects of Natural Disasters and Fires <ul><li>Fire detection </li></ul><ul><ul><li>Provides warning as close to the fire event as possible </li></ul></ul><ul><ul><ul><li>Most common are the ionization-type smoke detectors, which detect charged particles in smoke </li></ul></ul></ul>
  33. 33. Mitigating the Effects of Natural Disasters and Fires <ul><li>Fire detection (cont’d) </li></ul><ul><ul><li>Some kinds of non-equipment-related fires do not produce smoke </li></ul></ul><ul><ul><li>Two related types of detectors are: </li></ul></ul><ul><ul><ul><li>Photoelectric or optical detectors – react to light blockage caused by smoke particles </li></ul></ul></ul><ul><ul><ul><li>Heat sensing – react to the heat of a fire </li></ul></ul></ul><ul><ul><li>Downside in both methods – the fire has to be advanced enough to detect </li></ul></ul>
  34. 34. Mitigating the Effects of Natural Disasters and Fires <ul><li>Fire suppression </li></ul><ul><ul><li>The first line of defense is the fire suppression system </li></ul></ul><ul><ul><li>Having the right type of fire extinguisher </li></ul></ul><ul><ul><ul><li>Know that fire extinguishers have limited use </li></ul></ul></ul><ul><ul><ul><li>Halon is effective and it was the fire suppression agent of choice </li></ul></ul></ul><ul><ul><ul><li>FM200 (FM-200/heptafluoropropane) </li></ul></ul></ul><ul><ul><ul><ul><li>Extinguishes a fire by both robbing it of oxygen and by its physical suppression effect </li></ul></ul></ul></ul><ul><ul><ul><li>Water sprinkler system </li></ul></ul></ul>