UW-Madison Information Systems 365 -- Physical Security -- Lecture 9

Information Security 365/765, Fall Semester, 2016
Course Instructor, Nicholas Davis, CISA, CISSP
Lecture 9, Physical Security

Today’s CandyToday’s Candy
TwizzlersTwizzlers
Twizzlers is a brand of candy in the United
States and Canada. Twizzlers is the product
of Y&S Candies, Inc., of Lancaster,
Pennsylvania, now a subsidiary of The
Hershey Company. In 1908 a plant was
opened in Montreal and in 1929 the
Twizzler brand was established
10/11/16 UNIVERSITY OF WISCONSIN 2

Physical SecurityPhysical Security
It used to be easy, way back in the 1960s
Today, with IT assets on every desk, we
have:
•Theft
•Fraud
•Vandalism
•Sabotage
•Accidents

Let’s Watch an InterestingLet’s Watch an Interesting
Video About the History ofVideo About the History of
Physical SecurityPhysical Security
https://www.youtube.com/watch?v=-
eVSR9tder0
20 Minutes

Funny Cartoon VideoFunny Cartoon Video
But, it Makes a Good PointBut, it Makes a Good Point
https://
www.youtube.com/watch?v=tmOGJVDvJaQ
2 minutes

Four Major PhysicalFour Major Physical
Security ThreatsSecurity Threats
• Natural environmental
• Supply system
• Human made
• Politically motivated
Good security program protects against
all of these, in layers

Physical ThreatsPhysical Threats
Natural / EnvironmentalNatural / Environmental
Floods, earthquakes, storms, volcanoes

Supply SystemSupply System
Power, communications, supply of
water, etc.

Human MadeHuman Made
Unauthorized access, damage by angry
employees, employee errors and
accidents, vandalism, fraud, theft

Politically Motivated ThreatsPolitically Motivated Threats
Strikes, riots, civil disobedience,
terrorist attacks, bombings

What Constitutes a GoodWhat Constitutes a Good
Security PlanSecurity Plan
Crime and disruption through
deterrence
Fences, security guards, warning signs,
etc.

Reduction of damage through use of
delaying mechanisms
Layers of defenses that slow down the
adversary, such as locks, security
personnel, barriers

Crime or disruption detection
Smoke detectors, motion detectors,
surveillance cameras, etc

Incident assessment
Response of personnel to quickly
evaluate situation and damage level

Rapid response procedures
Fire suppression systems, emergency
response systems, law enforcement
notification

5 Core Steps in a Physical5 Core Steps in a Physical
Security SystemSecurity System
• Deter
• Delay
• Detect
• Assess
• Respond

Sidewalk, Lights andSidewalk, Lights and
Landscaping For ProtectionLandscaping For Protection

Physical Access ControlPhysical Access Control
For VisitorsFor Visitors
• Limit the number of entry points
• Force all guests to sign-in at a common
location
• Reduce entry points even more, after
hours and on weekends
• Validate a government issued picture ID
before allowing entry
• Require all guests to be escorted by a full
time employee
• Encourage employees to question
strangers

Natural SurveillanceNatural Surveillance
Natural Surveillance is the intentional
and visible surveillance, to make
potential criminals aware that they are
being watch and make all others feel safe

Territorial ReinforcementTerritorial Reinforcement
Building facilities in such a way as you
make people feel secure, open, visible,
strong, etc.

Selecting a Facility SiteSelecting a Facility Site
• Visibility – Terrain, neighbors,
population
• Surrounding area – Crime, riots,
police, medical, fire, other hazzards
• Accessibility – Road access, traffic,
airport access, etc
• Natural Disasters – floods, tornadoes,
earthquakes, rain, etc

Entry PointsEntry Points
Windows and doors
are the standard
access points. They
should be secure,
strong, foolproof
Walls should be at
least as strong as
the doors and
windows

A Human TrapA Human Trap
• Only allows one
person into a secure
area at a time
• Open first door, enter
• Wait for first door to
close
• Enter second door to
secure area
• Only enough space for
one person at a time

Don’t Forget AboutDon’t Forget About
the Ceilingthe Ceiling

In Computer FacilitiesIn Computer Facilities
Water Detectors Are ImportantWater Detectors Are Important
Water detectors should be placed under
raised floors and on ceilings

Laptops Are One of theLaptops Are One of the
Most Frequently Stolen PhysicalMost Frequently Stolen Physical
AssetsAssets
• Inventory the laptops
• Harden the Operating system
• Password protect BIOS
• Register laptops with vendor
• Don’t check laptop as baggage!
• Don’t leave laptop unattended
• Engrave the laptop visibly
• Use a physical cable and lock
• Backup data
• Encrypt hard disk
• Store in secure place when not in use

Electric PowerElectric Power
Electricity is the lifeline of the company
Use multiple supply circuits coming into
the facility
Filter power for a clean electrical signal,
important for computers
Have a backup generator, test it regularly
Have an appropriately sized battery
backup power supply (UPS)
Test EVERYTHING, test OFTEN

Keep All Wiring OrganizedKeep All Wiring Organized
On Computer EquipmentOn Computer Equipment
• Reduces confusion
• Makes troubleshooting easier
• Lower risk of fire hazard
• Lower risk of electrical interference
• Looks professional and trustworthy,
in case visitors come through
• Use shielded cabling to stop electrical
interference
• Don’t run electrical wiring close to
fluorescent lighting

An Example of WhatAn Example of What
Not to DoNot to Do

Make Sure All Utility LinesMake Sure All Utility Lines
Have Emergency Shutoff ValvesHave Emergency Shutoff Valves

Static Electricity, theStatic Electricity, the
Invisible EnemyInvisible Enemy
• Protect against static electricity,
which can destroy computer
equipment:
• Antistatic flooring
• Humidity levels should be kept
moderate
• Use proper electrical grounding
• No carpeting, ever!!!
• Use anti-static bands on wrist when
working on a computer server

HVAC – Heating, Ventilation,HVAC – Heating, Ventilation,
Air ConditioningAir Conditioning
• Important to have commercial grade
systems to keep temperature are
proper level, and keep air filtered and
circulating

Every Good CompanyEvery Good Company
Is Full of LiebertIs Full of Liebert

Water Sprinkler SystemsWater Sprinkler Systems
• There are two types:
• Wet Pipe – always contains water
• Advantage – always ready for use
• Disadvantage – most costly, possibility
of accidental release of water
• Dry Pipe – has to be connected to a tank
• Advantage – no risk of accidental water
release
• Disadvantage – not ready immediately

Other Security ControlsOther Security Controls
• Fences – different heights, strengths
• Bollards – those odd looking posts in
front of Best Buy
• Lighting – one of the best deterrents
around, cheap and effective
• Locks – usually easy to defeat, but
good as once layer of security for
defense in depth strategy
• CCTV – Efficient for monitoring

Auditing Physical AccessAuditing Physical Access
Critical Pieces of InformationCritical Pieces of Information
• The date and time of the access
attempt
• The entry point at which access was
attempted
• The user ID associated with the
access attempt
• Any unsuccessful attempts, especially
if done during unauthorized hours

Tests and DrillsTests and Drills
Need to be developed
Must be put into action, at least once per
year, generally speaking
Must be documented
Must be put in easily accessible places
People must be assigned specific tasks
People should be taught and informed
on how to fulfill specific tasks
Determine in advance what will
determine success

A Note About Credit CardA Note About Credit Card
Reader Physical SecurityReader Physical Security
https://
www.youtube.com/watch?v=XipjYIbBj7k
•Physical access to credit card
transaction equipment is one of the
greatest physical security threats facing
most small businesses in the United
States, but most people never give it a
second thought

UW-Madison Information Systems 365 -- Physical Security -- Lecture 9

Recommended

Recommended

More Related Content

More from Nicholas Davis

More from Nicholas Davis (20)

Recently uploaded

Recently uploaded (20)

UW-Madison Information Systems 365 -- Physical Security -- Lecture 9