These are the lecture slides I created, to teach the topic of Physical Security to the students of the Information Systems 365/765 Information Security course I teach at UW-Madison. Physical security is a critical component of effective information security, but is often not given enough consideration.
Interactive Powerpoint_How to Master effective communication
UW-Madison Information Systems 365 -- Physical Security -- Lecture 9
1. Information Security 365/765, Fall Semester, 2016
Course Instructor, Nicholas Davis, CISA, CISSP
Lecture 9, Physical Security
2. Today’s CandyToday’s Candy
TwizzlersTwizzlers
Twizzlers is a brand of candy in the United
States and Canada. Twizzlers is the product
of Y&S Candies, Inc., of Lancaster,
Pennsylvania, now a subsidiary of The
Hershey Company. In 1908 a plant was
opened in Montreal and in 1929 the
Twizzler brand was established
10/11/16 UNIVERSITY OF WISCONSIN 2
3. Physical SecurityPhysical Security
It used to be easy, way back in the 1960s
Today, with IT assets on every desk, we
have:
•Theft
•Fraud
•Vandalism
•Sabotage
•Accidents
10/11/16 UNIVERSITY OF WISCONSIN 3
4. Let’s Watch an InterestingLet’s Watch an Interesting
Video About the History ofVideo About the History of
Physical SecurityPhysical Security
https://www.youtube.com/watch?v=-
eVSR9tder0
20 Minutes
10/11/16 UNIVERSITY OF WISCONSIN 4
5. Funny Cartoon VideoFunny Cartoon Video
But, it Makes a Good PointBut, it Makes a Good Point
https://
www.youtube.com/watch?v=tmOGJVDvJaQ
2 minutes
10/11/16 UNIVERSITY OF WISCONSIN 5
6. Four Major PhysicalFour Major Physical
Security ThreatsSecurity Threats
• Natural environmental
• Supply system
• Human made
• Politically motivated
Good security program protects against
all of these, in layers
10/11/16 UNIVERSITY OF WISCONSIN 6
9. Physical ThreatsPhysical Threats
Human MadeHuman Made
Unauthorized access, damage by angry
employees, employee errors and
accidents, vandalism, fraud, theft
10/11/16 UNIVERSITY OF WISCONSIN 9
11. What Constitutes a GoodWhat Constitutes a Good
Security PlanSecurity Plan
Crime and disruption through
deterrence
Fences, security guards, warning signs,
etc.
10/11/16 UNIVERSITY OF WISCONSIN 11
12. What Constitutes a GoodWhat Constitutes a Good
Security PlanSecurity Plan
Reduction of damage through use of
delaying mechanisms
Layers of defenses that slow down the
adversary, such as locks, security
personnel, barriers
10/11/16 UNIVERSITY OF WISCONSIN 12
13. What Constitutes a GoodWhat Constitutes a Good
Security PlanSecurity Plan
Crime or disruption detection
Smoke detectors, motion detectors,
surveillance cameras, etc
10/11/16 UNIVERSITY OF WISCONSIN 13
14. What Constitutes a GoodWhat Constitutes a Good
Security PlanSecurity Plan
Incident assessment
Response of personnel to quickly
evaluate situation and damage level
10/11/16 UNIVERSITY OF WISCONSIN 14
15. What Constitutes a GoodWhat Constitutes a Good
Security PlanSecurity Plan
Rapid response procedures
Fire suppression systems, emergency
response systems, law enforcement
notification
10/11/16 UNIVERSITY OF WISCONSIN 15
16. 5 Core Steps in a Physical5 Core Steps in a Physical
Security SystemSecurity System
• Deter
• Delay
• Detect
• Assess
• Respond
10/11/16 UNIVERSITY OF WISCONSIN 16
17. Sidewalk, Lights andSidewalk, Lights and
Landscaping For ProtectionLandscaping For Protection
10/11/16 UNIVERSITY OF WISCONSIN 17
18. Physical Access ControlPhysical Access Control
For VisitorsFor Visitors
• Limit the number of entry points
• Force all guests to sign-in at a common
location
• Reduce entry points even more, after
hours and on weekends
• Validate a government issued picture ID
before allowing entry
• Require all guests to be escorted by a full
time employee
• Encourage employees to question
strangers
10/11/16 UNIVERSITY OF WISCONSIN 18
19. Natural SurveillanceNatural Surveillance
Natural Surveillance is the intentional
and visible surveillance, to make
potential criminals aware that they are
being watch and make all others feel safe
10/11/16 UNIVERSITY OF WISCONSIN 19
21. Selecting a Facility SiteSelecting a Facility Site
• Visibility – Terrain, neighbors,
population
• Surrounding area – Crime, riots,
police, medical, fire, other hazzards
• Accessibility – Road access, traffic,
airport access, etc
• Natural Disasters – floods, tornadoes,
earthquakes, rain, etc
10/11/16 UNIVERSITY OF WISCONSIN 21
22. Entry PointsEntry Points
Windows and doors
are the standard
access points. They
should be secure,
strong, foolproof
Walls should be at
least as strong as
the doors and
windows
10/11/16 UNIVERSITY OF WISCONSIN 22
23. A Human TrapA Human Trap
• Only allows one
person into a secure
area at a time
• Open first door, enter
• Wait for first door to
close
• Enter second door to
secure area
• Only enough space for
one person at a time
10/11/16 UNIVERSITY OF WISCONSIN 23
24. Don’t Forget AboutDon’t Forget About
the Ceilingthe Ceiling
10/11/16 UNIVERSITY OF WISCONSIN 24
25. In Computer FacilitiesIn Computer Facilities
Water Detectors Are ImportantWater Detectors Are Important
Water detectors should be placed under
raised floors and on ceilings
10/11/16 UNIVERSITY OF WISCONSIN 25
26. Laptops Are One of theLaptops Are One of the
Most Frequently Stolen PhysicalMost Frequently Stolen Physical
AssetsAssets
• Inventory the laptops
• Harden the Operating system
• Password protect BIOS
• Register laptops with vendor
• Don’t check laptop as baggage!
• Don’t leave laptop unattended
• Engrave the laptop visibly
• Use a physical cable and lock
• Backup data
• Encrypt hard disk
• Store in secure place when not in use
10/11/16 UNIVERSITY OF WISCONSIN 26
27. Electric PowerElectric Power
Electricity is the lifeline of the company
Use multiple supply circuits coming into
the facility
Filter power for a clean electrical signal,
important for computers
Have a backup generator, test it regularly
Have an appropriately sized battery
backup power supply (UPS)
Test EVERYTHING, test OFTEN
10/11/16 UNIVERSITY OF WISCONSIN 27
28. Keep All Wiring OrganizedKeep All Wiring Organized
On Computer EquipmentOn Computer Equipment
• Reduces confusion
• Makes troubleshooting easier
• Lower risk of fire hazard
• Lower risk of electrical interference
• Looks professional and trustworthy,
in case visitors come through
• Use shielded cabling to stop electrical
interference
• Don’t run electrical wiring close to
fluorescent lighting
10/11/16 UNIVERSITY OF WISCONSIN 28
29. An Example of WhatAn Example of What
Not to DoNot to Do
10/11/16 UNIVERSITY OF WISCONSIN 29
30. Make Sure All Utility LinesMake Sure All Utility Lines
Have Emergency Shutoff ValvesHave Emergency Shutoff Valves
10/11/16 UNIVERSITY OF WISCONSIN 30
31. Static Electricity, theStatic Electricity, the
Invisible EnemyInvisible Enemy
• Protect against static electricity,
which can destroy computer
equipment:
• Antistatic flooring
• Humidity levels should be kept
moderate
• Use proper electrical grounding
• No carpeting, ever!!!
• Use anti-static bands on wrist when
working on a computer server
10/11/16 UNIVERSITY OF WISCONSIN 31
32. HVAC – Heating, Ventilation,HVAC – Heating, Ventilation,
Air ConditioningAir Conditioning
• Important to have commercial grade
systems to keep temperature are
proper level, and keep air filtered and
circulating
10/11/16 UNIVERSITY OF WISCONSIN 32
33. Every Good CompanyEvery Good Company
Is Full of LiebertIs Full of Liebert
10/11/16 UNIVERSITY OF WISCONSIN 33
34. Water Sprinkler SystemsWater Sprinkler Systems
• There are two types:
• Wet Pipe – always contains water
• Advantage – always ready for use
• Disadvantage – most costly, possibility
of accidental release of water
• Dry Pipe – has to be connected to a tank
• Advantage – no risk of accidental water
release
• Disadvantage – not ready immediately
10/11/16 UNIVERSITY OF WISCONSIN 34
35. Other Security ControlsOther Security Controls
• Fences – different heights, strengths
• Bollards – those odd looking posts in
front of Best Buy
• Lighting – one of the best deterrents
around, cheap and effective
• Locks – usually easy to defeat, but
good as once layer of security for
defense in depth strategy
• CCTV – Efficient for monitoring
10/11/16 UNIVERSITY OF WISCONSIN 35
36. Auditing Physical AccessAuditing Physical Access
Critical Pieces of InformationCritical Pieces of Information
• The date and time of the access
attempt
• The entry point at which access was
attempted
• The user ID associated with the
access attempt
• Any unsuccessful attempts, especially
if done during unauthorized hours
10/11/16 UNIVERSITY OF WISCONSIN 36
37. Tests and DrillsTests and Drills
Need to be developed
Must be put into action, at least once per
year, generally speaking
Must be documented
Must be put in easily accessible places
People must be assigned specific tasks
People should be taught and informed
on how to fulfill specific tasks
Determine in advance what will
determine success
10/11/16 UNIVERSITY OF WISCONSIN 37
38. A Note About Credit CardA Note About Credit Card
Reader Physical SecurityReader Physical Security
https://
www.youtube.com/watch?v=XipjYIbBj7k
•Physical access to credit card
transaction equipment is one of the
greatest physical security threats facing
most small businesses in the United
States, but most people never give it a
second thought
10/11/16 UNIVERSITY OF WISCONSIN 38