Chapter 3: Physical Security : at The End of The Unit, The Students Should Be Able To

This document discusses physical security considerations for protecting an organization's computing facilities and information. It emphasizes that physical security is as important as logical security. Some key physical security controls discussed include perimeter walls and fencing, guards, identification cards, electronic locks, alarms, fire detection systems, and ensuring proper physical access control and monitoring of computer rooms, wiring closets and critical infrastructure. Maintaining strong physical security helps minimize risks from physical threats and attacks that could compromise the confidentiality, integrity and availability of an organization's information systems and data.

Chapter 3: Physical Security

At the end of the unit, the students should be able to:

• Discuss the relationship between information security and physical security
• Describe key physical security considerations, including fire control and surveillance systems
• Identify critical physical environment considerations for computing facilities, including uninterruptible power supplies

INTRODUCTION

Physical security encompasses the design, implementation, and maintenance of countermeasures that
protect the physical resources of an organization, including the people, hardware, and supporting system
elements and resources that control information in all its states (transmission, storage, and processing).
Most technology-based controls can be circumvented if an attacker gains physical access to the devices
being controlled. In other words, if it is easy to steal the hard drives from a computer system, then the
information on those hard drives is not secure. Therefore, physical security is just as important as logical
security to an information security program.

Physical Access Control

• An organization’s general management oversees its physical security.
• Commonly, a building’s access controls are operated by a group called facilities management.
• A secure facility is a physical location that has in place controls to minimize the risk of attacks from physical threats.
• Larger organizations may have an entire staff dedicated to facilities management, while smaller organizations often outsource these duties.

Physical Security
There are a number of physical security controls that an organization’s communities of interest should
consider when implementing physical security inside and outside the facility. Some of the major controls
are:

1. Walls, fencing, and gates
   • Some of the oldest and most reliable elements of physical security are walls, fencing, and gates.
   • Each exterior perimeter control requires expert planning to ensure that it fulfills the security goals and that it presents an image appropriate to the organization.
2. Guards
   • Unlike fixed controls such as walls, fencing, and gates, guards can evaluate each situation as it arises and make reasoned responses.
   • Most guards have clear standard operating procedures (SOPs) that help them to act decisively in unfamiliar situations.
3. Dogs
   • Dogs can be a valuable part of physical security if they are integrated into the plan and managed properly.
   • Guard dogs are useful because their keen sense of smell and hearing can detect intrusions that human guards cannot, and they can be placed in harm’s way when necessary to avoid risking the life of a person.

IAS 102-Information Assurance and Security 2


Dinalyn A. Mallares
Instructor 1
4. ID cards and badges
   • An identification (ID) card is typically concealed, whereas a name badge is visible.
   • Both devices can serve a number of purposes.
      i. They serve as simple forms of biometrics in that they use the cardholder’s picture to authenticate his or her access to the facility.
      ii. ID cards that have a magnetic strip or radio chip that can be read by automated control devices allow an organization to restrict access to sensitive areas within the facility.
5. Locks and keys
   • There are two types of lock mechanisms: mechanical and electromechanical.
      i. The mechanical lock may rely on a key that is a carefully shaped piece of metal, which is rotated to turn tumblers that release secured loops of steel, aluminum, or brass.
      ii. Electromechanical locks can accept a variety of inputs as keys, including magnetic strips on ID cards, radio signals from name badges, personal identification numbers (PINs) typed into a keypad, or some combination of these to activate an electrically powered locking mechanism.
   • Electronic locks can be integrated into alarm systems and combined with other building management systems.
   • The most sophisticated locks are biometric locks. Finger, palm, and hand readers, iris and retina scanners, and voice and signature readers fall into this category.

Figure 4.1 Locks

6. Mantraps
   • A common enhancement for locks in high security areas is the mantrap.
   • A mantrap is a small enclosure that has separate entry and exit points.
7. Electronic monitoring
   • Electronic monitoring includes closed-circuit television (CCT) systems.
   • Some CCT systems collect constant video feeds, while others rotate input from a number of cameras, sampling each area in turn.
8. Alarms and alarm systems
   • Closely related to monitoring are the alarm systems that notify people or systems when a predetermined event or activity occurs.
   • Alarms can detect a physical intrusion or other untoward event.
   • Motion detectors detect movement within a confined space and are either active or passive.
   • Thermal detectors measure rates of change in the ambient temperature in the room.
   • Contact and weight sensors work when two contacts are connected as, for example, when a foot steps on a pressure-sensitive pad under a rug, or a window is opened, triggering a pin-and-spring sensor.
   • Vibration sensors also fall into this category, except that they detect movement of the sensor rather than movement in the environment.
9. Computer rooms and wiring closets
   • Computer rooms and wiring and communications closets require special attention to ensure the confidentiality, integrity, and availability of information.
   • Custodians are given the greatest degree of unsupervised access.
   • They are often handed the master keys to the entire building and then ignored, even though they collect paper from every office, dust many desks, and move large containers from every area.
   • Thus, custodial staffs should be carefully managed not only by the organization’s general management, but also by IT management.
10. Interior walls and doors
   • The walls in a facility are typically of two types: standard interior and firewall.
   • Building codes require that each floor have a number of firewalls, or walls that limit the spread of damage should a fire break out in an office.
   • Interior walls reach only part way to the next floor, which leaves a space above the ceiling but below the floor of the next level up; this space is called a plenum.
   • The doors that allow access into high-security rooms should also be evaluated.
   • Standard office-grade doors provide little or no security.
   • To secure doors, install push or crash bars on computer rooms and closets.

FIRE SECURITY AND SAFETY


The most important security concern is the safety of the people present in an organization’s
physical space—workers, customers, clients, and others. The most serious threat to that safety is fire.
Fires account for more property damage, personal injury, and death than any other threat to physical
security. As a result, it is imperative that physical security plans examine and implement strong measures
to detect and respond to fires and fire hazards.
FIRE DETECTION
Fire detection systems fall into two general categories: manual and automatic.
1. Manual fire detection systems include human responses, such as calling the fire department, as
well as manually activated alarms, such as sprinklers and gaseous systems.
2. The automatic fire-detection system, like any other asset, has a lifespan of 10 to 15 years.
After 15 years, it is no longer considered reliable, and there may not be parts available for its
repair.

Three basic types of fire detection systems:

1. Thermal detection systems contain a sophisticated heat sensor that operates in one of two ways.
   a. Fixed temperature sensors detect when the ambient temperature in an area reaches a predetermined level, usually between 135 degrees Fahrenheit and 165 degrees Fahrenheit, or 57 degrees Centigrade to 74 degrees Centigrade.
   b. Rate-of-rise sensors detect an unusually rapid increase in the area temperature within a relatively short period of time.
2. Smoke detection systems are perhaps the most common means of detecting a potentially dangerous fire, and they are required by building codes in most residential dwellings and commercial buildings.
   a. Photoelectric sensors project and detect an infrared beam across an area.
   b. Ionization sensors contain a small amount of a harmless radioactive material within a detection chamber.
   c. Air-aspirating detectors are sophisticated systems and are used in high-sensitivity areas.
3. The flame detector is a sensor that detects the infrared or ultraviolet light produced by an open flame.
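
The two thermal sensor behaviours from item 1 above, as an added example that is not part of the original handout: a fixed-temperature trip and a rate-of-rise trip evaluated over constructed temperature traces. The 135 °F trip point is the low end of the range quoted above; the 15 °F-per-minute rate limit, the 60-second window and all function names are assumptions chosen for illustration.

```python
from collections import deque

FIXED_TRIP_F = 135.0         # low end of the 135-165 °F range given above
RATE_LIMIT_F_PER_MIN = 15.0  # assumed rate-of-rise limit, not from the handout
WINDOW_S = 60                # assumed look-back window for the rate-of-rise check


def ramp(start_f, step_f, count, dt_s=10):
    """Constructed trace: one reading every dt_s seconds, rising step_f each time."""
    return [(i * dt_s, start_f + step_f * i) for i in range(count)]


def first_alarms(samples):
    """Return the time (s) at which each sensor type first trips, or None."""
    alarms = {"fixed": None, "rate_of_rise": None}
    window = deque()  # readings from the last WINDOW_S seconds
    for t, temp in samples:
        window.append((t, temp))
        while window[0][0] < t - WINDOW_S:
            window.popleft()
        # Fixed-temperature sensor: trips on the absolute level only.
        if alarms["fixed"] is None and temp >= FIXED_TRIP_F:
            alarms["fixed"] = t
        # Rate-of-rise sensor: trips on how far the temperature climbed
        # inside the window, whatever the absolute level is.
        rise = temp - min(v for _, v in window)
        limit = RATE_LIMIT_F_PER_MIN * WINDOW_S / 60
        if alarms["rate_of_rise"] is None and rise >= limit:
            alarms["rate_of_rise"] = t
    return alarms


FAST_FIRE = ramp(72.0, 3.0, 30)  # constructed: 18 °F per minute
SLOW_FIRE = ramp(72.0, 1.0, 70)  # constructed: 6 °F per minute

if __name__ == "__main__":
    print("fast:", first_alarms(FAST_FIRE))
    print("slow:", first_alarms(SLOW_FIRE))
```

On the fast trace the rate-of-rise sensor trips well before the fixed-temperature sensor; on the slow trace only the fixed-temperature sensor ever trips, which is why the two are used together.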

How Fire-Detection Systems Work:

“The field of fire detection has advanced to where smoke detectors and alarm devices have combined to become life-safety systems”

• Fire is one of the most dangerous events possible; somewhere in the world, one occurs every minute of every day. While fire can be our friend in some instances, it can be our worst enemy when it’s uncontrolled and allowed to continue through a building.
• The field of fire detection has advanced to where smoke detectors and alarm devices have combined to become life-safety systems. The purpose of an automatic fire-alarm system is to detect an occurrence, alert the control panel and proper authorities, and notify the occupants to take action.

Current Fire-Detection Systems

• The fire-detection system today consists of an FACP (fire alarm control panel), which is the system’s brain and is capable of making rapid decisions. Detection devices run the gamut, from smoke detectors and heat detectors to multi-capability detectors, which contain a number of functions in one detector.

Extra Functions
Your fire-detection system can also:
• Discharge clean agent fire-suppression systems in computer rooms or clean rooms.
• Activate deluge fire systems in aircraft hangars or similarly dangerous areas.
• Open a dry pipe sprinkler system for a pre-action suppression system.
• Be used for notification of other events, such as severe weather, terrorism, bomb threats, hazardous chemical incidents, evacuation, etc.
• Monitor carbon-monoxide detectors.

*Keep in mind that there are a number of specialized detection devices designed to increase life safety
and reduce the potential for unwanted or nuisance alarms. There are also qualified professionals who can
provide valuable assistance in reviewing the circumstances of your operation and provide guidance and
recommendations for your needs.

FIRE SUPPRESSION
• Fire suppression systems are used to extinguish or prevent the spread of fire in a building. Suppression systems use a combination of dry chemicals and/or wet agents to suppress equipment fires.
• Fire suppression systems work by releasing a gas or mixture of gases into the air, generally with the aim of reducing the amount of oxygen in the air that feeds the flames. The clean agent, such as CO2, is often stored a distance away from the area it will be protecting.

Types of Fire Suppression:

• Fire sprinkler system (wet, dry, pre-action, and deluge) - an active fire protection method, consisting of a water supply system, providing adequate pressure and flow rate to a water distribution piping system, onto which fire sprinklers are connected.
• Gaseous fire suppression - also called clean agent fire suppression, a term that describes the use of inert gases and chemical agents to extinguish a fire. The system typically consists of the agent, agent storage containers, agent release valves, fire detectors, fire detection system (wiring, control panel, actuation signaling), agent delivery piping, and agent dispersion nozzles.
• Wet chemical fire suppression - Wet chemical systems use wet agents to suppress commercial cooking fires. This method of fire protection helps prevent major fire damage from happening in your commercial cooking area. Wet chemical fire suppression systems work effectively because the liquid spray hits a burning surface and quickly reacts with fats and oils to produce foam that cools the surface to prevent the re-igniting of a fire.
• Dry chemical fire suppression - Dry chemical fire suppression systems consist of dry chemical compounds that suppress fire effectively, and they are easy to install in any industrial setting. Dry chemical fire suppression systems provide excellent fire coverage. The dry chemical agents come in ABC or BC. You must recharge them after every operation. These fire suppression systems are affordable and great to use when a water supply is not available to help extinguish fires.
• Fully automatic vehicle fire suppression systems - Automatic fire suppression systems control and extinguish fires without human intervention. Examples of automatic systems include fire sprinkler systems, gaseous fire suppression, and condensed aerosol fire suppression.
• Manual vehicle fire suppression systems - These use FORAY dry chemical agent for Class A, B, and C fires. The system is designed for use on large, off-road type construction and mining equipment, underground mining equipment and specialty vehicles.

Which Gas is Used for Fire Suppression?

• These systems use inert gases, such as nitrogen, argon, and carbon dioxide, to reduce the oxygen level around the fire and suppress it in the process. The concentration of gases used in Inergen systems is safe to use around people.

How Much Does Fire Suppression Cost?

• The average costs for a fire sprinkler system are as follows: a complete fire sprinkler system integrated into a new construction project costs about $1 to $2 per square foot. This includes equipment and installation. Retrofitting an existing building usually costs between $2 and $7 per square foot.

What Are the Differences Between Fire Extinguisher and Fire Suppression?

The main differences between fire sprinkler and fire suppression systems are how they extinguish fires and when each system would be ideal to use. Fire sprinklers use water to extinguish and control fires, while fire suppression systems can use a number of different agents.

The main types of fire suppression:
• Gas System
• Kitchen Fire Suppression
• Water Mist System
• Foam Deluge System
• Pneumatic Heat Detection Tube

FAILURE OF SUPPORTING UTILITIES AND STRUCTURAL COLLAPSE
HEATING, VENTILATION, AND AIR CONDITIONING
• Heating, ventilation, and air conditioning (HVAC) is the technology of indoor and vehicular environmental comfort. Its goal is to provide thermal comfort and acceptable indoor air quality. HVAC system design is a subdiscipline of mechanical engineering, based on the principles of thermodynamics, fluid mechanics and heat transfer. "Refrigeration" is sometimes added to the field's abbreviation, as HVAC&R or HVACR, or "ventilation" is dropped, as in HACR (as in the designation of HACR-rated circuit breakers).

1. Temperature and Filtration
   • Computer systems are electronic, and as such are subject to damage from extreme temperature and particulate contamination.
   • Rapid changes in temperature, from hot to cold or from cold to hot, can produce condensation, which can create short circuits or otherwise damage systems and components.
   • The optimal temperature for a computing environment (and for people) is between 70 and 74 degrees Fahrenheit.
2. Humidity and Static Electricity
   • Humidity is an important thing to understand because it affects both weather and climate as well as global climate change. Humidity also affects indoor environments, so understanding it can help you determine the best place to store your books, clothing and other important items in your house.
   Relative Humidity
   • You've probably heard about relative humidity in weather reports. This is the amount of water vapor in the air relative to what the air can hold. Think about it this way: if you have a cup that is half-full of water, the cup contains 50% of what it can hold. Air works the same way.
   Dew Point
   • Dew is when water condenses at ground level because the air is saturated. Just like the water spills over the side of the full cup, when air is saturated, the excess water 'spills over' and builds up on leaves, cars, buildings or anything else that is surrounded by the saturated air. Therefore, the temperature at which saturation occurs is called the dew point.
3. Ventilation shafts
   • With moderate security precautions, these shafts can be completely eliminated as a security vulnerability.
   • In most new buildings, the ducts to the individual rooms are no larger than 12 inches in diameter and are flexible, insulated tubes. The size and nature of the ducts preclude most people from using them, but access may be possible via the plenum. If the ducts are much larger, the security team can install wire mesh grids at various points to compartmentalize the runs.

POWER MANAGEMENT AND CONDITIONING


1. Grounding and Amperage
   • Grounding ensures that the returning flow of current is properly discharged to the ground.
   • Power should also be provided in sufficient amperage to support needed operations.
   • Nothing is more frustrating than plugging in a series of computers, only to have the circuit breaker trip.
2. Uninterruptible Power Supply (UPS)
   • An uninterruptible power supply or uninterruptible power source (UPS) is an electrical apparatus that provides emergency power to a load when the input power source or main power fails.
   • A standby or offline UPS is an offline battery backup that detects the interruption of power to the equipment and activates a transfer switch that provides power from batteries, through a DC to AC converter, until the power is restored or the computer is shut down.
   • A ferroresonant standby UPS improves upon the standby UPS design. It is still an offline UPS, with the electrical service providing the primary source of power and the UPS serving as a battery backup.
   • The line-interactive UPS has a substantially different design than the previously mentioned UPS models. In line-interactive UPSs, the internal components of the standby models are replaced with a pair of inverters and converters.
   • In a true online UPS, the primary power source is the battery, and the power feed from the utility is constantly recharging this battery. This model allows constant use of the system, while completely eliminating power fluctuation.
3. Emergency Shutoff
   • One important aspect of power management in any environment is the ability to stop power immediately should the current represent a risk to human or machine safety.
   • Most computer rooms and wiring closets are equipped with an emergency power shutoff, which is usually a large red button that is prominently placed to facilitate access, and has a cover to prevent unintentional use.
4. Water Problems
   • Another critical utility infrastructure element is water service.
   • Flooding, leaks, and the presence of water in areas where it should not be are catastrophic to paper and electronic storage of information.
5. Structural Collapse
   • Unavoidable environmental factors or forces of nature can cause failures in the structures that house the organization.
   • Structures are designed and constructed with specific load limits, and overloading these design limits inevitably results in structural failure.
6. Maintenance of Facility System
   • Ongoing maintenance of systems is required as part of the systems’ operations.
   • Testing provides information necessary to improve the physical security in the facility and identifies weak points.

INTERCEPTION OF DATA
Three methods of data interception:
1. Direct observation requires that an individual be close enough to the information to breach confidentiality.
2. Interception of data transmissions has become easier in the age of the Internet. If attackers can access the media transmitting the data, they needn’t be anywhere near the source of the information.
3. Electromagnetic interception sounds like it could be from a Star Trek episode. For decades, scientists have known that electricity moving through cables emits electromagnetic signals (EM).
MOBILE AND PORTABLE SYSTEM


Remote Computing System

• Remote site computing, which is becoming increasingly popular, involves a wide variety of computing sites that are distant from the base organizational facility and includes all forms of telecommuting.
• Telecommuting is off-site computing that uses Internet connections, dialup connections, connections over leased point-to-point links between offices, and other connection mechanisms.
• A virtual organization is a group of individuals brought together for a specific task, usually from different organizations, divisions, or departments.

Special Considerations for Physical Security

• There are a number of special considerations to take into account when developing a physical security program. The first of these is the question of whether to handle physical security in-house or to outsource it.
• The benefits of outsourcing physical security include gaining the experience and knowledge of these agencies, many of which have been in the field for decades.

Five considerations for physical security
1. Identify your physical weak points and determine your need
   • The first thing you need to do is figure out where your vulnerabilities are. For example, it is never a good idea to build a data centre against outside walls; similarly, pay attention to what is housed above and below your data storage facility.
2. Keep track of all your workflow processes
   • It is critical that you keep track of your operations and compliance-related activities. You want to limit access to your data storage centre to IT staff and organizational stakeholders. As such, you should regularly monitor your access logs and perform audit checks.
   • Keep track of peripherals, servers and data center management software, looking for any suspicious activity. If your data center is in a colocation facility, and you have a trusted provider, most likely your assets are safe and well-maintained.
3. Watch out for human error
   • The most common form of data breach is that committed by insiders. It is now recognized that danger comes in the form of poor engineering, carelessness, or corporate espionage, but in all cases, people working in your facility pose the biggest risk. Accordingly, it is necessary that you implement strong security policies that hold personnel accountable for their access permissions.
4. Educate your people on security policies
   • A big part of having a strong security system is staff member training, e.g., explaining to staff why they should not lend each other access cards and instructing them to report any suspicious activity.
   • Let them understand that for compliance purposes, workflow processes are strictly segregated and monitored. Eliminating duplication of means that you are able to adhere to compliance standards with greater ease.
5. Ask your business stakeholders for their feedback
   • Once you have a security system fully in place, the next thing for you to do is discuss your policies with staff members.

Inventory management
1. The management of computer inventory is an important part of physical security.
2. The formality of having to sign for a document cements its worth in the mind of the recipient.
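
One way to run the access-log audit recommended under "Keep track of all your workflow processes" and the card-lending concern under "Educate your people on security policies", as an added example that is not part of the original handout. It flags repeated denials, grants to badges outside the authorized list, off-hours entries, and one badge appearing at two doors too quickly to be one person; the log format, door names, badge IDs, working hours and thresholds are all constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, time, timedelta

# Every value below is a constructed assumption for illustration.
RESTRICTED = {"server-room"}
AUTHORIZED = {"server-room": {"B1001", "B1002"}}   # IT staff badges
WORK_START, WORK_END = time(7, 0), time(19, 0)
DENY_LIMIT, DENY_WINDOW = 3, timedelta(minutes=5)
MIN_TRAVEL = timedelta(seconds=60)  # two doors faster than this: lent or cloned card

# Constructed sample log: timestamp,badge,door,result
SAMPLE_LOG = """\
2024-03-04T08:58:10,B1001,server-room,GRANTED
2024-03-04T09:02:41,B2040,server-room,DENIED
2024-03-04T09:02:55,B2040,server-room,DENIED
2024-03-04T09:03:20,B2040,server-room,DENIED
2024-03-04T10:15:00,B1002,annex-gate,GRANTED
2024-03-04T10:15:30,B1002,server-room,GRANTED
2024-03-04T13:40:05,B3007,server-room,GRANTED
2024-03-04T23:47:12,B1001,server-room,GRANTED
"""


def parse_log(text):
    """Parse 'timestamp,badge,door,result' lines into dicts sorted by time."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts, badge, door, result = (field.strip() for field in row)
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # unparseable timestamp
        events.append({"ts": when, "badge": badge, "door": door,
                       "result": result.upper()})
    return sorted(events, key=lambda e: e["ts"])


def audit(events):
    """Return a list of (rule, badge, door, timestamp) findings."""
    findings = []
    denials = defaultdict(list)  # (badge, door) -> denial times inside the window
    last_seen = {}               # badge -> (door, time) of its last granted entry
    for e in events:
        ts, badge, door = e["ts"], e["badge"], e["door"]
        if e["result"] == "DENIED":
            recent = [t for t in denials[(badge, door)] if ts - t <= DENY_WINDOW]
            recent.append(ts)
            denials[(badge, door)] = recent
            if len(recent) == DENY_LIMIT:  # report once, when the limit is reached
                findings.append(("repeated-denials", badge, door, ts))
            continue
        if door in RESTRICTED:
            if badge not in AUTHORIZED.get(door, set()):
                findings.append(("unauthorized-grant", badge, door, ts))
            if not (WORK_START <= ts.time() < WORK_END):
                findings.append(("off-hours", badge, door, ts))
        prev = last_seen.get(badge)
        if prev and prev[0] != door and ts - prev[1] < MIN_TRAVEL:
            findings.append(("badge-at-two-doors", badge, door, ts))
        last_seen[badge] = (door, ts)
    return findings


if __name__ == "__main__":
    for rule, badge, door, ts in audit(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule:20s} {badge} @ {door}")
```

An "unauthorized-grant" finding means the lock controller's configuration disagrees with the approved access list, so it points at the door system as much as at the badge holder.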

ACTIVITIES

Activity 1. Review Questions


1. What is physical security? What are the primary threats to physical security? How are they made
manifest in attacks against the organization?
2. What are the roles of IT, security, and general management with regard to physical security?
3. How does physical access control differ from the logical access control described in earlier
chapters? How is it similar?

Activity 2.
Assume that you have converted part of an area of general office space into a server room.
Describe the factors you would consider when planning for each of the following:
a. Walls and doors
b. Physical access control
c. Fire detection
d. Fire suppression
e. Heating, ventilating, and air-conditioning
f. Power quality and distribution

Case Exercises
Amy walked into her office cubicle and sat down. The entire episode with the blond man had taken
well over two hours of her day. Plus, the police officers had told her the district attorney would also be
calling to make an appointment to speak to her, which meant she would have to spend even more time
dealing with this incident. She hoped her manager would understand.

Questions:
1. Based on this case study, what security awareness and training documents and
posters had an impact in this event?
2. Do you think that Amy should have done anything differently? What would you have
done in the situation in which she found herself?

1. There are several online passphrase generators available. Locate at least two of them on the
Internet, and try them out. What did you observe?
