Physical_Security_Historical_perspective.ppt

copyright, Dr. C.T. Johnson, Capitol
College
1
PHYSICAL SECURITY
INTRODUCTION
Dr. Craig T. Johnson
Professor

College
2
Today’s Discussion Topics
• Principles of basic
physical security
• Establishing the baseline
• Defining what is security
and how to protect assets
• Review the Khobar
Towers case study

College
3
TYPES OF SECURITY
• PHYSICAL • PROCEDURAL
• PERSONNEL • CONSTRUCTION
• TECHNICAL • TRANSPORTATION
• INFORMATION

College
4
OUR FOCUS WILL BE…
PHYSICAL SECURITY

College
5
BASIC PHYSICAL
SECURITY
“That part of security concerned with physical
measures designed to safeguard personnel; to
prevent unauthorized access to equipment,
installations, material, and documents; and to
safeguard against espionage, sabotage, damage,
and theft.”
US Army Field Manual 3-19.30
Physical Security
Brought to you by the US Army, the sweetest smelling army in the world!

College
6
BASIC PHYSICAL
SECURITY
• Definition: “A means of preventing
unauthorized entry of persons into a
premises, and the prevention of loss due to
all kinds of crime associated with
uncontrolled access.”

College
7
TYPES OF SECURITY
AREAS
• PRINCIPLES OF SAFEGUARDING
• CRITICAL & RESTRICTED AREAS
• SECURITY- CONTROLLED AREAS

College
8
TYPES OF SECURITY
AREAS
(DEFINED) - I
• Principles of Safeguarding
– Guarding against force or surreptitious entry
– Protecting material, equipment or information
– Protecting classified areas
– Protecting unclassified areas

College
9
TYPES OF SECURITY
AREAS
(Defined) - II
• Critical & Restricted Areas
– Degree of Criticality
– Degree of Restricted Area

College
10
TYPES OF SECURITY
AREAS
(Defined) - III
• Security – Controlled Areas
– Exclusion Areas
– Limited Areas
– Control Areas

College
11
PHYSICAL SECURITY
Terms, History, Risk
IAE-684 “COMPLEMENTARY SECURITY”

College
12
HISTORICAL
EXAMPLES
• Vassal states’ walls joined
during Qin Dynasty
creating “10,000 li (5k km)
Great Wall”
– Built to hold off Hsiung Nu
tribes (Huns)
• Denial and avoidance
security
– Kept invaders out for 1,000
years
– Eventually overcome from
within
• http://ce.eng.usf.edu/pharos/wonders/Forgotten/greatwall.html
• http://www.enchantedlearning.com/subjects/greatwall/
• http://www.jpl.nasa.gov/radar/sircxsar/gwall.html

College
13
HISTORICAL
EXAMPLES
• THE “GREAT WALL OF
CHINA”, EMPEROR
CHINN OF CHINA BUILT
THE “GREAT WALL” TO
GUARD AGAINST THE
BARBARIANS FROM THE
NORTH.
• DENIAL AND
AVOIDANCE SECURITY

College
14
HISTORICAL
EXAMPLES
• World’s first bank vaults
• Access control & asset
protection
– Assured ascension of
deceased to the gods
• Security modernization
project underway
– Night vision CCTV cameras

College
15
HISTORICAL
EXAMPLES
• Mesa Verde (“green table”)
in Colorado, occupied 600-
1300 A.D.
• Center of San Juan Anasazi
(Pueblo) culture
• Cliff dwellings with ladders
for access control
– Defense Theory
– Internal strife due to drought?
• Difficult access with natural
obstacles
• http://www.nps.gov/meve/mvnp/smvf/p50.htm
• http://www.nps.gov/meve/index.htm
• http://www.abqjournal.com/venue/travel/heritage_mesaverd
e.htm

College
16
HISTORICAL
EXAMPLES
• Masada (“fortress”),
built by Rome-
appointed King
Herod
• Captured during
Revolt of the Jews
– Held 2 years
– Last stronghold of
Jews
• http://www.mfa.gov.il/mfa/go.asp?MFAH0dp00
• http://faculty.smu.edu/dbinder/masada.html

College
17
HISTORICAL
EXAMPLES - cont
• “MASADA” OF ISRAEL; KING
HERODS FORTRESS ON THE RED SEA
WAS CAPTURED BY JEWISH ZEALOTS
AND HELD TWO YEARS AGAINST
THREE ROMAN LEGIONS

College
18
What is Risk Management?
The process of selecting and
implementing security
countermeasures to achieve an
acceptable level of risk at an
acceptable cost

College
19
What is Risk?
Risk level is a combination of two factors:
 Impact of loss -The value placed on an
asset by its owner and the consequence
of an undesirable event on that asset.
 Probability of undesirable event -The
likelihood that a specific vulnerability will
be exploited by a
particular threat.
Risk is the potential for
damage or loss of an asset

College
20
What is an Asset?
The asset may have value to an adversary,
as well as to the owner, although the
values may differ.
An asset is anything of value:
 people
 information
 equipment
 facilities
 activities/operations

College
21
What is Impact?
Impact is the amount of loss or
damage that can be expected,
or may be expected, from a
successful attack on an asset.

College
22
What is Threat?
 Threat can also be defined as the intention to
undertake actions detrimental to assets
Threat is any indication, circumstance, or
event with the potential to cause the loss of
or damage to an asset.

College
23
What is an Adversary?
 Intelligence services, extremists, terrorists,
criminals, and private interests groups
Any individual, group, organization, or
government that conduces activities,
or has the intention and capability to conduce
activities detrimental to valued assets

College
24
Vulnerabilities
 Vulnerabilities can result from, but are not limited to, the
following:
 building characteristics
 equipment properties
 personal behavior
 locations of people, equipment, and buildings
 operational procedures and personnel practices
Vulnerabilities - Any weakness that
can be exploited by an adversary to
gain access to an asset

College
25
RISK
“1. Hazard; danger; peril; exposure to loss, injury, or destruction.”
Webster’s 1913 Dictionary
http://www.hyperdictionary.com/dictionary/risk
“The potential for realization of unwanted, adverse consequences to human
life, health, property, or the environment; estimation of risk is usually based
on the expected value of the conditional probability of the event occurring
times the consequence of the event given that it has occurred.”
Society for Risk Analysis
http://www.sra.org/gloss3.htm#R
 The probability of loss
 Factor of threat and vulnerability
(Risk=Threat x Vulnerability)

College
26
RISK ANALYSIS
• Risk analysis must be a constant,
comprehensive, integrated function of the
security organization
“A detailed examination including risk assessment, risk
evaluation, and risk management alternatives, performed to
understand the nature of unwanted, negative consequences to
human life, health, property, or the environment; an analytical
process to provide information regarding undesirable events; the
process of quantification of the probabilities and expected
consequences for identified risks.”
Society for Risk Analysis
http://www.sra.org/gloss3.htm#R

College
27
RISK ANALYSIS
WILL LOSS OCCUR?
WEAKNESS IN PERSONNEL
PROCEDURES OF PHYSICAL
PLANT
PERPETRATER
RISK
GAIN

College
28
RISK vs. GAIN
EQUATION
• The rational human threat can be deterred
by countermeasures or a lack of
vulnerability
• Personal risk for the bad guy
– Capture  Physical harm
Low risk
+ High gain
low hanging fruit
High risk
+ High or low gain
go next door

College
29
RISK
MANAGEMENT
Four basic steps:
1. Asset identification
2. Threat/Vulnerability Assessment
3. Risk Analysis
4. Countermeasure evaluation/implementation
The process is iterative!

College
30
Risk Management at a Glance
Assess
Assets
1
Assess
Threats
2
Assess
Vulnerabilities
3
Assess
Risks
4
Determine
Countermeasure
Options
5
Make RM
Decisions
Benefits Analysis
Cost Analysis
Monitor
Implement
T & E

College
31
Relationship of Risk Management Practices
to Achieving Benefits
Critical Success Factors
1. Senior management support & involvement
2. Focal points
3. Define procedures
4. Experts involved
Process
1. Identify & rank critical assets
and operations & estimate
potential damage of loss
2. Identify threats & likelihood of
threats materializing
3. Identify exploitable
vulnerabilities
4. Determine Risk
5. Identify cost effective mitigating
countermeasures
6. Obtain risk management
decisions
7. Develop/Implement action plans
8. Test/Evaluate countermeasures
9. Monitor changes in risk
factors/repeat process
Tools
1. Tables/Matrices
2. Questionnaires
3. Standard formats
4. Software to facilitate
documentation and analysis
5. Lists of threats, controls,
vulnerabilities
Benefits
1. Assurance that the greatest risks have
been identified and addressed
2. Increased understanding of risks
3. Mechanism for reaching consensus
4. Support for needed controls
5. Means for communicating results
5. Units responsible
6. Assessment scope limited
7. Document & maintain results

College
32
Critical Success
Factors
1. Senior management support & involvement
2. Focal points
3. Define procedures
4. Experts involved
5. Units responsible
6. Assessment scope limited
7. Document & maintain results

College
33
Process
1. Identify & rank critical assets
and operations & estimate potential damage of loss
2. Identify threats & likelihood of threats materializing
3. Identify exploitable vulnerabilities
4. Determine Risk
5. Identify cost effective mitigating countermeasures
6. Obtain risk management decisions
7. Develop/Implement action plans
8. Test/Evaluate countermeasures
9. Monitor changes in risk factors/repeat process

College
34
Tools
1. Tables/Matrices
2. Questionnaires
3. Standard formats
4. Software to facilitate documentation
and analysis
5. Lists of threats, controls,
vulnerabilities

College
35
Benefits
1. Assurance that the greatest risks have
been identified and addressed
2. Increased understanding of risks
3. Mechanism for reaching consensus
4. Support for needed controls
5. Means for communicating results

College
36
THREAT
Defined
• A force or event that could cause loss
– Environmental/natural
• Acts of God (or some higher power)
• Weather
– Human
• Unintentional (error)
• Intentional (penetration, theft, espionage)

College
37
THREAT
• Environment can cause as great or greater
loss than humans but are more predictable
• Human threats present the greatest
challenge to the security professional
– If threat is rational, deterrence is possible
– No countermeasure will deter an irrational
human
“It is unlikely that measures can be devised that can
eliminate entirely the multitude of diverse dangers that may
arise, particularly when the President is traveling…”
Warren Commission Report, 1964

College
38
THREAT
(DEFINED)
• AN OUTSIDE FORCE THAT COULD
CAUSE A LOSS TO THE ORGANIZATION.
THE THREAT CAN BE NATURAL AS IN A
HURRICANE OR EARTHQUAKE OR IT
MAY BE HUMAN SUCH AS A BURGLAR
OR TERRORIST.

College
39
THREAT
(DEFINED – II)
• ENVIRONMENTAL THREATS ARE THOSE
NATURAL OCCURING EVENTS THAT ARE
INHERENT WITH THE GEOGRAPHICAL
LOCATION, WEATHER CONDITIONS OR
SIMPLY “GOD’S WILL”.
• THESE ENVIRONMENTAL THREATS CAN
CAUSE AS GREAT A LOSS AS A HUMAN
HOWEVER, THEY ARE MUCH MORE
PREDICTABLE.

College
40
THREAT
(DEFINED – III)
• HUMAN THREATS PRESENT THE GREATEST
CHALLENGE TO THE SECURITY PROFESSIONAL. IF
THE HUMAN THREAT IS EXPECTED TO BE A
RATIONAL THINKING PERSON THEN THE THREAT
CAN BE DETERRED.
• HUMAN IS NOT RATIONAL NO COUNTERMEASURE
WILL DETER THE INDIVIDUAL

College
41
BASIC PHYSICAL
SECURITY
PROTESTORS
MOTHER
NATURE
DISGRUNTLED
EMPLOYEE
THEFT
TERRORIST
FIRE
CRIMINALS

College
42
THE THREE “D’S”
Modern Security programs
are predicated on a theory
of controlling access to
valuables by employing
countermeasures that
will:
– DETER
– DELAY
– DETECT

College
43
THE THREE “D’S”
• Deterrence:
– Creating the appearance that the Risk of Entry would be
greater than the personal gain.
• Delay:
– Slowing access through the use of Physical barriers
• Detection:
– The ability of the protector to Detect an attempted or
actual entry into a protected area.

College
44
DETERRENCE – I
Historical perspective
• Creating the appearance
that the risk of entry would
be higher then the possible
gain.
• A deterrent does not have
to be real to be effective!

College
45
DELAY – II
Historical perspective
• Preventing or slowing
access through the use of
physical barriers.
• Most often used method
for security
• Historically, moats, sentry
towers & castles were
used
• Modern systems call for
fences, walls and bollards.

College
46
DETECTION - III
• The ability of the protector
to detect or sense an
attempted or actual entry
into the protected area.
• Detection systems do not
physical stop the intrusion!
• A response is critical to
prevent loss of valuables

Impact or Risk
Threat or Vulnerability
Suggested Scales
Low Medium High Critical
Range 1-3 4-13 14-49 50-100
Mid-
point
2 5 25 71
Low Medium High Critical
Range .01-.24 .25-.49 .50-.74 .75-1.00
Mid-
point
.12 .37 .62 .87

College
48
The Rating by Definition
I & R .T & .V
50-100
14-49
4-13
1-3
.75-1.00
.50-.74
.25-.49
.01-.24
With the scales being so big or wide, it would be hard for you to assign a
number to the rating if you did not use the degree of rating like H/C

College
49
The Degrees of Impact
Criticality
Degree
High
Medium
Low
H/C
High
Medium
Low
High
Medium
Low
L
M/M
L/H
Low is low enough
The value of low is only
three numbers 1-3 for
Impact and Risk

College
50
The Degrees of
Threat & Vulnerability
Criticality
Degree
High
Medium
Low
H/C
High
Medium
Low
High
Medium
Low
M/L
M/M
L/H
High
Medium
Low

College
51
Bottom Line
When using the degrees with the rating,
assignment of numbers becomes much easier. Using
this method will allow for repeatable and consistent
our assessments. This method also builds
creditability with others that must be convince with
the analysis
Always obtain consciences on your definitions
and ensure you are assigning the the ratings
correctly.

College
52
WHERE ARE MY VULNERABILITIES?
How do we define them???

College
53
VULNERABILITY
(DEFINED)
“…IS DEFINED AS THE STRENGTH
OR WEAKNESS OF DEFENSE.”

College
54
IDENTIFY ADVERSARY
THREATS
• Lessons learned from past adversaries
• Determine adversary pathways to your
assets
• Use the asymmetrical perspective by view
your assets through the eyes of your
adversary.

College
55
Security Breaches at the
Los Alamos Lab
Presented by
Former student
Mr. Albert Reel
2006

College
56
History of Los Alamos
• Los Alamos Lab was created in 1943 in the
middle of World War II
• Manhattan Project
– Fat Man
– Little Boy
• July 16, 1945 First Atomic Bomb was
detonated.

College
57
Past Espionage
• During World War II there were three
known individuals that engaged in
Espionage Efforts at the Los Alamos Lab
– Klaus Fuchs
– Theodore Hall
– David Greenglass

College
58
Klaus Fuchs
• German Expatriate and Emigrated to the
United Kingdom to escape Nazis
• He worked on Implosion Problems in Los
Alamos
• Delivered sketches of Fat Man to the Soviet
Union
• Spent 14 Years in Wormwood Scrubbs
Prison

College
59
Theodore Hall
• Graduated From Harvard at the age of 18
• On vacation walked into the Soviet
Embassy to volunteer to work for the
Russians
• Never arrested by the FBI
• Little is known or what information he gave
to Soviet Union

College
60
David Greenglass
• US Army enlisted personnel trained as a
machinist
• Brother of Ethel Rosenberg
• Rosenberg’s recruited David to become part
of their espionage ring
• Supplied Soviets with drawings of parts to
Fat Boy

College
61
Security Lapses
• Wen Ho Lee
– Held Q clearance which granted him access to
Top Secret information
– Between 1980 and December 23, 1998
– First thought to be spying for the People’s
Republic of China
– Charged 59 counts for Mishandling Classified
Information
– Release from Jail in 2000

College
62
Security Lapses
• In 2000 FBI investigate missing hard drives
• Drives belonged to the Alamos Nuclear
Emergency Research Team
• Found days later behind a copy machine

College
63
Security Lapses
• 2004 the Los Alamos Lab was shut down after an
inventory showed they were missing two
computer disk containing nuclear secrets
discovered missing
• Sloppy inventory controls were blamed as the
culprit as it was determined that no disks missing
• Following this incident, that Lab instituted a 5
year program to migrate to an environment
without the use of computer disks

College
64
Security Lapses
• Jessica Lynn Quintana
– During a methamphetamines laboratory drug bust by
law enforcement, officials in New Mexico found Top
Secret documents from the National Laboratory
– Over 1000 pages of classified documents were
discovered
– Suspect removed classified documents, computer
hardware from vault type rooms
– In 2006, Quintana plead guilty to knowingly removing
documents

College
65
Conclusion
• National security breeches such as these can
greatly harm the United States
• All aspects of security are important
– These systems weren’t “hacked”
– Careless errors and gross incompetence reasons
for security lapses
• Everyone must be security conscience

College
66
PROVOCATIVE QUESTION
How do we stop the threat???

College
67
PHYSICAL SECURITY – III
(EXECUTION)
CONCENTRIC CIRCLES

College
68
BASIC PHYSICAL
SECURITY - THEORY
• ANY COUNTERMEASURE CREATED BY
MAN CAN BE DEFEATED
• MULTIPLE LAYERS OF DIFFERENT TYPES
OF COUNTERMEASURES ARE THE MOST
EFFECTIVE
• NUMBER AND TYPES OF LAYERS ARE
FLEXIBLE ACCORDING TO THREAT TO THE
VALUABLES
• A GOOD “RISK ASSESSMENT” IS CRITICAL

College
69
BASIC PRINCIPLES
TYPES OF “LAYERS”
• THE “RINGS” OR “LAYERS” ARE THE
“DEFENSE IN DEPTH” COUNTERMEASURES
WITH EACH RING COMPLEMENT THE OTHER
• FOR EXAMPLE, VIBRATION SENSORS ON
FENCES OR WALLS WILL DELAY & DETECT
• KNOWLEDGE OF SUCH SENSORS CAN
DETER INTRUDERS AND ADD VALUE TO
SYSTEM

College
70
HISTORICAL
IMPLICATIONS
• PROTECTION WAS FIRST
CONSIDERATION FOR ANCIENTS
• WALLS AND BARRIERS MEANT
SECURITY & PROTECTION
• SAVEHAVENS AND SECURED
AREAS WERE IMPORTANT
• GUARD AGAINST THE EXTERNAL
ENEMIES OUTSIDE THE CITIES

College
71
DEPLOYING
COUNTER-MEASURES
PASSIVE & ACTIVE SENSORS SECURITY PERSONNEL

College
72
After Countermeasures!
To find out the benefit in Risk reduction
• Go back to your Vulnerability rating
• Look at your new CM’s
• Re-evaluate the Vulnerability
• Look at the definitions again
• The Rating should be REDUCED
• Mark the new Vulnerability Rating and Value
• Go back, do the math again for that line
• Impact x Threat x New Vulnerability Value = New Risk
• You should now have a new Risk Value
– The NEW Risk Value should be lower
• Convert NEW Risk Value to Linguistic Rating
You should have lowered your Risk for that single event line.

College
73
PHYSICAL SECURITY
DEPLOYMENT
CONCENTRIC RINGS
Five Rings
ASSETS

College
74
Perimeter Zone
Base Camp
Warfighter Zone
Tactical Zone
Detection Zone
Intelligence Zone
Warning
Detection
Assessment
Delay/Denial
Response
Investigation/Follow-up
C2
The Force Protection
World Tactical View

College
75
Integrated Command
and Control
Civil/Facility
Engineers
Security
Force
Investigative
Services
Intelligence
Communi-
cations -
Electronics
Medical Logistics
Force Protection
Situation Awareness
Command and Control Capability
Counter
Intelligence
Sources
Special
Systems
Organic
Sensors
Camera fence
Installation
Security
Systems
Intelligence
Sources
Surveillance
Sources
Reconnaissance
Sources
Allied/Coalition
Host Country
Sources
“Force Protection
Integrated Information Infrastructure”
Functions
Sources
Responses

A Systems Approach to Security Decision Making
Key Terms & Definitions
Analytical Risk Management

College
77
What is a Risk Assessment?
 Establishes the basis for countermeasure
recommendations
The process of evaluating threat
to and vulnerabilities of an asset to
give an expert opinion on the probability
of loss or damage and its impact
I x (.T x .V) = R

College
78
What is a Countermeasure?
 Countermeasure costs may be monetary, but
also non-monetary (e.g., reduced operational
effectiveness, adverse publicity, poor working
conditions, political consequences)
* May also affect threat and/or impact
A countermeasure is an action taken or
a physical entity principally* used to
reduce or eliminate one or
more vulnerabilities.

College
79
What is a Cost-Benefit Analysis?
Part of the Risk Management decision-making
process in which the costs and benefits of each
alternative are compared and the most appropriate
alternative is selected
 Minimize cost
 Maximize risk reduction

Discussion of Key Terms &
Definitions
Questions & Comments

College
81
DEBRIEFING OF
KhOBAR TOWERS CASE
STUDY
• How might the terrorist acts been
mitigated?
• How should responsibility be allocated?
• What’s your recommendation re BG
Schwalier?
• Lessons learned that can relate to IT
INFOSEC catastrophic events?

College
82
References
Harris, S. (2005). CISSP Exam Guide (3rd ed.), Emeryville,
CA: McGraw-Hill/Osborne
Miller, L. & Gregory, P. (2002). CISSP for Dummies,
Hoboken, NJ: Wiley Publishing, Inc.
Pfleeger, C., & Pfleeger, S. (2003). Security in Computing
(3rd ed.), Upper Saddle River, NJ: Prentice Hall
Professional Technical Reference.
Russell, D, & Gangemi, G.T. (1991). Computer Security
Basics, Sebastopol, CA: O’Reilly & Associates.
Tung, B. (2006). The Moron's Guide to Kerberos, Version 2.0.
Retrieved November 9, 2006 from
http://www.isi.edu/~brian/security/kerberos.html

College
83
References
• Thomas, Ryan and Cook (May 15, 2007) Guilty Plea in
Los Alamos Security Breach abc NEWS
http://abcnews.go.com/TheLaw/story?id=3177289
• Associated Press (October 25, 2006) Classified document
found in drug raid USA Today
http://www.usatoday.com/news/nation/2006-10-24-los-
alamos-documents_x.htm
• Associated Press (October 25, 2006) New Details Emerge
in Los Alamos Case CBS NEWS
http://www.cbsnews.com/stories/2006/10/24/national/main
2122004.shtml

College
84
References
• www.ietf.org/html.charters/cat-charter.html
• www.nrl.navy.mil/CCS/people/kerberos-faq.html
• www.mit.edu/afs/athena.mit.edu/astaff/project/ker
beros/www/papers.html
• “A History of National Security” Los Alamos National
Laboratory http://www.lanl.gov/history/index.shtml
(March 20, 2008)

Physical_Security_Historical_perspective.ppt

Recommended

Recommended

More Related Content

Similar to Physical_Security_Historical_perspective.ppt

Similar to Physical_Security_Historical_perspective.ppt (20)

More from Major K. Subramaniam Kmaravehlu

More from Major K. Subramaniam Kmaravehlu (20)

Recently uploaded

Recently uploaded (20)

Physical_Security_Historical_perspective.ppt