Physical Security

Muhammad Wajahat Rajab

 Domain overview
• The domain addresses...
– Threats,
– Vulnerabilities
– Countermeasures
• Focuses on protecting enterprise resources…
– People
– Data
– Facility
– Equipment
 CISSP expectations
• A candidate must know elements involved in…
– Choosing a secure site
– Design and configuration of a site
– Securing the facility against
• Unauthorized access
• Theft of equipment and information
– Environmental and safety measures needed to protect
• People
• Facility
• Equipment
 Point to ponder

• Does compliance ensure security?

Basics
What is vulnerability?
What is threat?
What is risk?
 Err… Security
• What is Security?
 Physical security
• Measure to safeguard and protect against:
– Damage
– Loss
– Theft
 CIA triad
• Risks to CIA
– Interruptions in providing computer services?
– Physical damage?
– Unauthorized disclosure of information?
– Loss of control over information?
– Physical theft?
Categories of threats
 Important

• In any case nothing should impede life safety goals!

 Physical controls
• Implement physical security
• Where are they needed?
– At perimeter and building grounds
– At building entry points
– Inside the building
• Offices / Rooms
– For data centers or server room security
– Computer equipment protection
Choosing a Secure Site
 Visibility
• Low or high visibility?
• Types of neighbors
• Markings on the building
 Local considerations
• Near hazard waste dump area
• In flood control plain area
• Local crime rate
• Riots
• Strike prone area
 Natural disasters
• Weather related problems
• Tornadoes
• Heavy snow
• Earthquake zone
 Transportation
• Excessive highway, air, or road traffic in area
• How many bridges?
 Joint tenancy
• Shared HVAC and environmental controls
 External services
• Proximity to…
– Local fire facilities
– Police
– Hospital/Medical Facilities
Layered defense model
 Implementation
• Security breach alarms
• On-premises security officers
• Server operations monitoring
• Early warning smoke detectors
• Redundant HVAC equipment
• UPS and backup generators
• Seismically braced server racks
• Biometric access and exit sensors
• Continuous video surveillance
• Electronic motion sensors
Implementation (2)
Designing a secure site
 Walls
• All walls must have acceptable fire rating
– Floor to ceiling
• Any closets storing media must also have acceptable
fire rating
 Ceiling
• Can they bear the right weight?
• Acceptable fire rating
 Floors
• Slab
– 150 pounds per square foot weight bearing
• Raised
– Concerned with
• Fire rating
• Electrical conductivity
– Employ non conducting surface material in data center!
 Doors
• Must resist forced entry
• Solid or hollow?
• Hinges hidden, internal or fixed
• Fire rating equivalent to that of adjacent wall
• Emergency exits must be...
– Clearly marked
– Monitored
– Alarmed
• Electrical doors
– Fail safe or fail secure?
 Windows
• Should prevent any viewing…
• Windows in data center?
• Windows types…
Standard glass
Tempered glass
Acrylic glass
Wired mesh glass
Solar window film
Security film
 Keep an eye on…
• Sprinkler systems
– Location and type must be known
• Water and gas pipelines
– Location of the shut off valves must be known
– Water, steam and gas lines should have positive drains
• Flow outward and away from the building!
• Air conditioning
– Dedicated power for data centers
– EPO switch should be known
– Provide outward positive air pressure
– Prevent intake of potential toxins into the facility
Facility security management
 Audit logs
• Identify entry attempts and who attempted them
• Preventive or detective controls?
– Date and time of access attempt
– Whether the attempt was successful or not
– Where the access was granted (i.e. which door)
– Who attempted the access
– Who modified the access privileges at the supervisor level
– Can send alarms or alerts if required
 Emergency procedures
• Should be clearly documented and readily accessible
• Copies should be stored offsite in the event of a
disaster
• Should be updated periodically
• Should include the following…
– Emergency system shutdown procedures
– Evacuation procedures
– Employee training, awareness programs, and periodic drills
• Fire drills
– Periodic equipment and systems tests
Administrative personnel
controls
 Pre-employment screening
• Employment, references and educational history
checks
• Background investigation and/or credit rating checks
for sensitive positions
 On-going employee checks
• Security clearances
• Ongoing employee ratings or reviews by supervisors
 Post-employment procedures
• Exit interview, removal of network access, return of
computers, etc.
Environmental and life safety
controls
 Environmental control areas
• Electrical Power
• Fire Detection and Suppression
• Heating, Ventilation and Air Conditioning (HVAC)
 Electrical power
• Disruptions in electrical power can have a serious
business impact
• Goals…
– Clean and steady power
– Excellent power quality
• Design considerations…
– Dedicated feeders
– Alternate power source
– Access controls
• Secure breaker and transformer rooms
 Electrical power threats
• Electrical noise
• Anomalies
• Electrostatic discharge
 Electrical noise
• Random disturbance interfering with devices
– EMI and RFI
• Caused by…
– Components of electrical system
– Fluorescent lighting, Truck ignitions

• Can cause permanent damage to sensitive

components in a system!
 Types of EMI noise
• Common mode noise
– Noise from radiation generated by the difference between
the “Hot” and “Ground” wires
• Transverse mode noise
– Noise from radiation generated by the difference between
the “Hot” and “Neutral” wires
 Protective measures for noise
• Proper line conditioning
• Proper grounding of the system to earth
• Cable shielding
• Limited exposure to magnets, electrical motors, and
fluorescent lights
 Electrical anomalies
• Power excess
– Spike – Momentary high voltage
– Surge – Prolonged high voltage
• Power loss
– Fault – Momentary power outage
– Blackout – Complete loss of power
• Power degradation
– Sag/dip – Momentary low voltage condition for few
seconds
– Brownout – Prolonged low voltage power supply
 Electrical anomalies
• Transients
– Line noise that is superimposed on the supply circuit can
cause fluctuation in power
• Inrush current
– Initial surge of current required to start a load
 Electrical support systems
• Surge suppressors
• Uninterruptible power supplies
– Only for duration needed to safely shutdown systems
• Emergency shutoff switch (EPO switch)
– Should be monitored by camera
• Alternate Power Supply
– Generator, Fuel Cell, etc.
 Electrostatic discharge
• Power surge generated by a person or device
contacting another device and transferring a high
voltage shock!
• Affected by low humidity!
 Static charge and damage
• At 40 Volts
– Sensitive circuits and transistors
• At 1000 Volts
– Scramble monitor display
• At 1500 Volts
– Disk drive data loss
• At 2000 Volts
– System shutdown
• At 4000 Volts
– Printer jam
 Static charge and damage (2)
• At 17000 Volts
– Permanent chip damage
 Acceptable humidity
• Ideal humidity range = 40% to 60%
– High humidity > 60%
• Causes problems with condensation on computer equipment
• Cause corrosion of electrical connections – sort of like “Electroplating”
and impedes electrical efficiency
– Low humidity < 40%
• Can cause increase in electrostatic discharge
• Up to 4000 Volts under normal humidity
• Up to 25,000 Volts under very low humidity
 Precautions for static electricity
• Use anti-static sprays where possible
• Operations or computer centers should have anti-
static flooring
• Building and computer rooms should be grounded
properly
• Anti-static table or floor mats
• HVAC should maintain proper level of humidity in
computer rooms
 Fire protection
• Three ways to tackle fire…
– Fire Prevention
– Fire Detection
– Fire Suppression
• Three elements that keep the fire going…
– Heat
– Oxygen
– Fuel
– We just need to kill one element to kill the fire!
 Types of fires

Class Description (Fuel)

A Common combustibles such as paper, wood, furniture,
clothing
B Burnable fuels such as gasoline or oil

C Electrical fires such as computers and electronics

D Special fires such as chemical, metal

K Commercial kitchen fire

 Fire prevention
• Use fire resistant materials for walls, doors,
furnishings, etc.
• Reduce the amount of combustible papers around
electrical equipment
• Provide fire prevention training to employees
– REMEMBER: Life safety is the most important issue!
• Conduct fire drills on all shifts so that personnel
know how to exit a building!
 Fire detection
• Ionization-type Smoke Detectors
– Detect charged particles in smoke
• Optical (Photoelectric) Detectors
– React to light blockage caused by smoke
• Fixed or Rate-of-Rise Temperature Sensors
– Heat detectors that react to the heat of a fire
– Fixed sensors have lower false positives
• Flame Actuated
– Senses infrared energy of flame or pulsating of the flame
– Very FAST response time but expensive!
 Fire extinguishing methods
Class Description (Fuel) Extinguishing Method
A Common combustibles such as paper, Water, Foam
wood, furniture, clothing

B Burnable fuels such as gasoline or oil Inert Gas, CO2

C Electrical fires such as computers and Inert Gas, CO2 (Note: Most
electronics important step: Turn off
electricity first!)
D Special fires, such as chemical, metal Dry Powder (May require
total immersion or other
special techniques)
K Commercial kitchen fire Wet Chemicals
 Fire suppression
• Carbon Dioxide, Foam, Inert Gas and Dry Powder
Extinguishers DISPLACE Oxygen to suppress a fire
• CO2 is a risk to humans (Because of oxygen
displacement)
• Water suppresses the temperature required to
sustain a fire
 Fire suppression - Halon
• Halon banned for new systems under 1987 Montreal
Protocol on substances that deplete the Ozone Layer
– Began implementation of ban in 1992
– Any new installations of fire suppression systems must use
alternate options
– EU requires removal of Halon from most applications
• Halon replacements:
– FM200
– Water
 Fire suppression - Water
• Wet Pipe
– Always contains water
– Most popular
– 165°F Fuse Melts
– Can freeze in winter
– Pipe breaks can cause floods
• Dry Pipe
– No water in pipe
– Preferred for computer installations
– Water held back by clapper
– Air blows out of pipe, water flows
 Fire Suppression – Water (2)
• Deluge
– Type of dry pipe
– Water discharge is large
– Not recommended for computer installations
• Preaction
– Most recommended for computer room
– Combines both dry and wet Pipes
– Water released into pipe first then after fuse melts in
nozzle the water is dispersed
 HVAC
• Heating, Ventilation, and Air Conditioning
• Usually the focal point for Environmental Controls
• You need to know who is responsible for HVAC in
your building
• Clear escalation steps need to be defined well in
advance of an environmental threatening incident
 HVAC issues
• Are computerized components involved?
• Does it maintain appropriate temperature and
humidity levels and air quality?
– Ideal Temperature = 70° to 74° F
– Ideal Humidity = 40% to 60%
• Maintenance procedures should be documented
More physical controls
 Elements of physical security
• Badges
• Restricted Areas
• Lights
• Dogs
• CCTV
• Locks
• Access Control
• Barriers
• Security Forces
• Fences
• Intrusion Detection Systems
 Functions of physical security
• Deter
• Detect
• Delay
• Respond
 Perimeter protection
• Perimeter security controls are the first line of
defense
• Protective barriers – Natural or structural
– Natural barriers
• Terrains that are difficult to cross
• Landscaping (Shrubs, Trees, Spiny shrubs)
– Structural barriers
• Fences, Gates, Bollards, Facility Walls
 Fences
• Know These Fencing Heights:
– 3 ft – 4 ft high  Deters casual trespassers
– 6 ft – 8 ft high  Too hard to climb easily
– 8 ft high with
3 strands of
barbed wire  Deters intruders
• Types of fencing
– Chain link
– Barbed wire
– Barbed tape or Concertina wire
 Fences (2)
This is at least
• Chain link… 8 Feet
– 6 feet tall (Excluding top guard)
– 8 feet tall (With top guard)
– 2 inch openings or less
– Reach within 2 inches of
ground or on soft ground
should be below the surface
– Be sure vegetation or adjacent
structures do not bridge over
the fence
 Fences (3)
• Barbed wire
 Fences (4)
• Concertina wire
Gates, Bollards, Barriers
 Intrusion detection & surveillance
• Perimeter Intrusion Detection Systems
– Sensors that detect access into the area
• Photoelectric
• Ultrasonic
• Microwave
• Passive infrared (PIR)
• Pressure sensitive (Dry contact switch)
– Surveillance Devices
• Closed-Circuit Television (CCTV)
 Motion detectors
• Wave Pattern
– Generates a frequency wave pattern
• Capacitance
– Monitors an electrical field around an object
• Audio Detectors
– Monitors any abnormal sound wave generation
– Lots of false alarms
 CCTV
• A television transmission system that uses cameras
to transmit pictures to connected monitors
• CCTV levels:
– Detection: The ability to detect the presence of an object
– Recognition: The ability to determine the type of object
(animal, blowing debris, crawling human)
– Identification: The ability to determine the object details
(person, large rabbit, small deer, tumbleweed)
 CCTV components
• Camera
– Fixed, Zoom
– Pan, Tilt
• Transmission Media
– Coax Cable
– Fiber Cable
– Wireless
• Monitor
 CCTV deployment features
• Cameras high enough to • Camera system tied to
avoid physical attack alarm system
• Cameras distributed to • Number and quality of
include blind areas video frames increased
• Appropriate Lenses during alarm event
• Pan, Tilt, Zoom (PTZ) as • Regular service of
required moving parts
• Ability to be recorded • Cleaning lenses
 CCTV application guidelines
• Understand the facility’s total surveillance
requirements
• Determine the size of the area to be monitored
– Depth, Height, and Width
– Ensures proper camera lens specifications
• Lighting is important – Different lamps and lighting
provide various levels of effectiveness
– ‘Contrast’ between the object and background
– For outdoor use, the US army specifies the automatically
adjusted Iris feature
 CCTV legal & practical implications
• Storage implications of recorded data
• Video tapes must be stored to prevent deterioration
• Digital records must be maintained to assert integrity
• Human rights and privacy implications in recording
people
• Requirements to blur/pixelate individuals other than
accused!
 Lighting
• Provides a deterrent to intruders
• Makes detection likely if entry attempted
• Should be used with other controls such as fences,
patrols, alarm systems, CCTV
• Critical protected buildings should be illuminated up
to 8 feet high, with 2 foot-candle power!
 Types of lighting
• Continuous Lighting (Most Common)
– Glare Projection
– Flood Lighting
• Trip Lighting
• Standby Lighting
• Movable (Portable)
• Emergency Lighting
 Locks
• Locks are considered delay devices only
• Defeated by force and/or the proper tools
• Never be considered stand-alone method of security
• Types of locks…
Key in knob-locks
Dead bolt locks
Mortise locks
Padlocks
Combination locks
Keyless and smart locks
 Lock security measures
• Key control procedures
– Restrict issue of keys on a long-term basis to outside
maintenance or janitorial personnel
– Keep a record of all issued keys
– Investigate the loss of all keys
• When in doubt, rekey the affected locks
– Use as few master keys as possible
– Issue keys on a need-to-go basis
– Remember – Keys are a single-factor authentication
mechanism that can be lost, stolen, or copied!
• (Use 2-factor methods for more secure areas)
 Compartmentalized area
• Location where sensitive equipment is stored and
where sensitive information is processed
– Must have a higher level of security controls!
 Portable device security
• Laptops, PDAs, Etc.
– Protect the device
– Protect the data in the device
• Examples:
– Locking the cables
– Tracing software
– Encryption software
– PIN Protection for PDAs
– Inventory system
 Alarm systems
• Local alarm systems
– Alarm sounds locally and must be protected from
tampering and audible for at least 400 feet
• Central station units
– Monitored 7x24 and signaled over leased lines – Usually
within < 10 minutes travel time
– Private security firms
• Proprietary systems
– Similar to central but owned and operated by customer
 Alarm systems (2)
• Auxiliary station systems
– Systems that ring at local fire or police stations
• Line supervision
– Alarm sounds when alarm transmission medium detects
tampering
Drills, testing and maintenance
 Drills
• Keep everyone aware of their responsibilities
• Focus on building evacuation exercises
 Testing
• Employ physical penetration testing
• Identify weak entry points
• Keep findings documented
• Keep checklists to ensure consistency
 Maintenance
• Monitor the maintenance
• Contractually bound the contractors
– Audit services provided
• Proper change and configuration management
 Data destruction
• Data Destruction and Reuse…
– Degaussing or overwriting usually destroys most data
– Normal formatting does not destroy the data
– Format or overwrite 7 times (Mil-Spec)
– Consider shredding hard drives, other portable media
– Paper records = Confetti shred or burn!
Questions
 Question 1
• Under what conditions would the use of a "Class C"
hand-held fire extinguisher be preferable to the use
of a "Class A" hand-held fire extinguisher?

A. When the fire is in its incipient stage.

B. When the fire involves electrical equipment.
C. When the fire is located in an enclosed area.
D. When the fire is caused by flammable products.
 Question 1
• Under what conditions would the use of a "Class C"
hand-held fire extinguisher be preferable to the use
of a "Class A" hand-held fire extinguisher?

A. When the fire is in its incipient stage.

B. When the fire involves electrical equipment.
C. When the fire is located in an enclosed area.
D. When the fire is caused by flammable products.
 Question 2
• Which of the following is the most costly
countermeasure to reducing physical security risks?

A. Procedural controls
B. Hardware devices
C. Electronic systems
D. Personnel
 Question 2
• Which of the following is the most costly
countermeasure to reducing physical security risks?

A. Procedural controls
B. Hardware devices
C. Electronic systems
D. Personnel
 Question 3
• Which type of fire extinguisher is most appropriate
for an information processing facility?

A. Type A
B. Type B
C. Type C
D. Type D
 Question 3
• Which type of fire extinguisher is most appropriate
for an information processing facility?

A. Type A
B. Type B
C. Type C
D. Type D
 Question 4
• Which of the following floors would be most
appropriate to locate information processing
facilities in a 6-stories building?

A. Basement
B. Ground floor
C. Third floor
D. Sixth floor
 Question 4
• Which of the following floors would be most
appropriate to locate information processing
facilities in a 6-stories building?

A. Basement
B. Ground floor
C. Third floor
D. Sixth floor
Thank you! 