Title: CISSP Preparation Training
CISSP Preparation Training
- Physical Security
- Domain Ten
- February 16, 2006
Jack Callaghan, CISSP CISM 719.265.8378 jcall_at_ttrg.org
10 Domains
- Access Control Systems and Methodology
- Telecommunications and Network Security
- Security Management Practices
- Application and Systems Development Security
- Cryptography
- Security Architecture and Models
- Computer Operations Security
- Business Continuity Planning and Disaster Recovery Planning
- Law, Investigation, and Ethics
- Physical Security
Introduction
- Objective of Physical Security controls
  - Ensure the system and its resources are available when needed
  - Measured through the AIC Triad: Availability, Integrity, and Confidentiality
- Physical Security complements the logical Information Security controls: an attacker with physical access to a system can usually bypass the logical controls, so both layers are needed
Brief History
- Mid-twentieth century: the ENIAC
  - Huge computer with a single mission
- Third generation systems (1960s)
  - Large central facilities housing multi-tasking systems
- Physical security systems catch up (1970s)
  - Introduced mechanical locks, card access, and fire suppression
- Affordable Computer Era (1980s)
  - Distributed architecture with internet connectivity, and company reliance on it, introduces new security concerns
Physical Security New Concerns
- Provide protection to
  - The main corporate facility
  - Other facilities on the campus
  - Services such as water, power, climate control, etc.
  - Various computer systems
    - Static systems
    - Mobile systems
    - Portable systems
The Need
- To protect against computer service interruptions, physical damage, unauthorized information disclosure, system hijacking, or physical theft caused by
  - Natural/Environmental: earthquakes, floods, storms, lightning, structural failure
  - Supply Systems: communication outages, power distribution failures, burst pipes
  - Man-Made: disgruntled employees, unauthorized access, malicious code, theft, sabotage
  - Political Events: bombings, terrorism, riots, strikes
Layered Defense Model
- A strategy that examines Physical Security measures starting at the site perimeter and working inward to the desktop computer
  - Perimeter
  - Building Grounds
  - Building Entrance
  - Building Floors/Office Suites
  - Offices/Data Centers
  - Equipment/Supplies, Media
Information Protection Environment
- Physical Security requires that the building site be protected in a manner that minimizes the risk of theft, destruction, and unauthorized access
- Areas of discussion
  - Crime Prevention Through Environmental Design (CPTED)
  - Site Location
  - Construction
  - Support Facilities
Crime Prevention
- Crime Prevention Through Environmental Design (CPTED)
  - Premise: the physical environment of the building can be changed or managed to produce behavioral effects that reduce the incidence and fear of crime
  - Instituted through a combination of security hardware, psychology, and site design to discourage crime
Crime Prevention
- Key Strategies
  - Territoriality: use physical attributes that express ownership (art, signs, maintenance, and landscaping)
  - Surveillance: proper lighting, open entries, windows between restricted areas, and closed-circuit television (CCTV)
  - Access Control: limited entrances/exits, fencing, and corporate badges that signal authorized users
Site Selection
- Major considerations
  - Unique Physical Security concerns of your operations
  - Vulnerability to riots, demonstrations, and terrorism
  - Natural/Environmental concerns
  - Adjacent businesses
  - Distance to other threat areas: airports, highways, military bases, and hazardous chemical production
  - High-crime neighborhoods
  - Available emergency services: fire department and police
Facility Construction
- Information system processing areas
  - Floor slab: load, fire rating, drains
  - Raised flooring: grounded, non-conducting
  - Walls: slab, fire rating, adjacencies
  - Ceiling: load, fire rating, waterproof
  - Windows: fixed, shatterproof, translucent
  - Doors: hardware, hinges, fire rating, emergency exit, monitored
Facility Construction
- Additional recommendations
  - Dropped ceilings: walls should extend above the ceiling
  - Raised floors: walls should extend below the false floor
  - Air ducts: should be small enough to prevent an intruder from crawling through them
  - Glass walls: easy to break and easy to see through
Support Facilities
- HVAC: Heating, Ventilation, Air Conditioning
  - Maintain proper temperature (50-80 degrees F)
  - Keep humidity level at 20-80 percent
  - Install monitors and alarms
  - Use air filters to protect against dust
  - Control access
Support Facilities
- Water
  - Protect against all types of flooding
    - Rain and ice buildup
    - Toilet or sink overflow
    - Overhead pipes (e.g., sprinkler systems)
  - Install water sensors on the floor near computers and beneath raised floors
  - Allow wet systems to dry out before powering them on
  - Control access
Support Facilities
- Electricity
  - Dedicated feeder
  - Dedicated, filtered circuit with an isolated ground for each system
  - Use surge protectors
  - Install an uninterruptible power supply (UPS)
  - Install a backup source for critical systems
  - Anti-static carpet
Support Facilities
- Other considerations
  - Earthquakes
    - Keep computers away from glass windows and high surfaces
    - Place components on shock absorbers and anchor them
    - Ensure other objects don't fall on computers
  - Lightning
    - Shut down systems if possible and unplug them
    - Store backup tapes away from the building's steel supports
Security Technology and Tools
- Physical Security tools are used to prevent or deter unauthorized events, or to delay the activity until a proper response arrives
- Physical Security tools that are used
  - Fences, Gates, Barriers, and Lighting
  - Surveillance Devices
  - Entry Points
  - Biometrics and Access Control
  - Supply System Controls
  - Fire Protection Controls
  - Intrusion Detection
  - Data Center and Object Protection
Fences, Gates, Barriers, and Lighting
- Fences are used to secure the boundary
  - Consider proper gauge, top guards, posts, and height
- Gates are considered a moveable barrier
  - Swinging, sliding, raising, rolling, barrier, or entrapment
- Barriers/Vehicle Barriers
  - Heavy-duty barriers define boundaries
- Lighting
  - Essential element in a Physical Security system
Fencing
- Chain link: most commonly used
  - At least 6-8 feet high
  - Bottom of fence should be within 2 inches of firm soil, or buried in soft soil
- Barbed wire: not less than 6 feet high, attached to posts not more than 6 feet apart, with no more than 6 inches between strands
- Barbed tape or concertina: can be deployed quickly; coils are about 3 feet in diameter
Barriers
- Types of physical barriers
  - Natural: mountains, swamps, rivers, cliffs, etc.
  - Structural: fences, walls, doors, gates, poles, etc.
- Physical barriers delay but rarely stop a determined intruder
- Barriers must be augmented by other means of protection
Lighting Types
- Continuous: fixed lights arranged to flood an area with overlapping cones of light (most common)
- Standby: turned on at random to create an impression of activity
- Movable: manually operated searchlights, used as needed to augment continuous or standby lighting
- Emergency: may duplicate any or all of the above; depends on an alternative power source
Lighting Concepts
- Direct illumination: directs light down from a structure to the ground surrounding it
- Indirect illumination: backlights intruders against the structure (aesthetically pleasing)
- Intermittent: a deterrent system that turns lights on at random times
- Responsive: an IDS sensor turns on the lights when an intruder is detected
Surveillance Devices
- Detectors using video motion, microwave, infrared, ultrasonic, laser, or audio
- Considered both perimeter and building entry controls
- They do not provide the same protection as a fence, but they can provide an intrusion alert warning
Surveillance Devices
- CCTV to detect, recognize, and identify
- Cameras and lighting
  - Charge-coupled device (CCD) vs. cathode ray tube (CRT)
  - Depth of field and field of view
  - Lighting must be sufficient to allow accurate viewing
- Signal transmission media
  - Fiber optic vs. coax cable
- Monitors
  - Viewing distance and resolution
- Peripherals
  - Switchers, splitters, time/date generators, video tape/digital recorders, pan/tilt mechanisms
Surveillance Devices
- Guards
  - CCTV is not effective unless constantly monitored
  - Advantages
    - Provide the human factor
    - Able to interpret data, make decisions, and react
  - Disadvantages
    - Impose a substantial and continuing labor cost
    - Support costs include bonding, licensing, training, uniforms, equipment, and administration
Entry Points
- Entry points into the building are not always the front door, and each has inherent Physical Security concerns
- Entry doors
  - Solid-core vs. hollow-core
  - Hinges and strike plates must be secured
  - Frame must be solid and secured to the wall
  - Panic bars
  - Contact or switch devices
  - Mantraps
Entry Points
- Windows
  - Laminated glass
    - 1/2 inch thick: burglar-resistant
    - 1 inch thick: bullet-resistant
  - Wired glass
  - Solar window films
  - Window security film
  - Glass breakage sensors
Entry Points
- Locks
  - Locks are considered delay devices
  - Composed of lock body, strike, and key
  - Types
    - Key, combination, electronic, and deadbolt locks
    - Keyless/pushbutton locks
    - Smart locks: include plastic card, keypad, and alarmed variants
  - Master-keying
    - Requires a written policy for issue, emergency use, storage, physical guards, and utility rooms
Biometrics
- The use of unique physiological, behavioral, and morphological characteristics to provide positive personal identification
  - Fingerprints, handprints, retina patterns, iris patterns
  - Facial characteristics, voice recognition, signature recognition, keystroke patterns
- Hard to share, lose, or guess, but not spoof-proof: presentation attacks (copied fingerprints, photographs, recordings) exist, so tune the false-accept and false-reject rates and pair biometrics with another factor
Access Control
- To gain access, a user should have to pass an authentication test
  - Something you know: password or PIN
  - Something you have: key, badge, token, or smart card
  - Something you are: fingerprint, hand, eye, voice, face, or signature
Access Control
- Passwords
  - The most common form of authentication
  - Inexpensive to implement and use
  - Administrative costs are high
    - Up to 50% of help desk calls
    - Estimated at up to $80 per call
  - People don't create good passwords
  - Good passwords get written down
  - 72% of hackers say passwords are the easiest and most common hack
Access Control
- Tokens
  - In olden days, a messenger would carry the king's seal or ring to prove he was not a spy
  - Modern tokens are electronic devices containing encoded information about the user who is authorized to carry them
  - Challenge/response token
    - Employs a two-factor authentication system: the token itself plus a PIN
Access Control
- Smart cards
  - Contain a processor, memory, and user interface
  - One type performs a series of complex calculations on a challenge from the host and sends the result back to the host system
  - Another displays a code that changes every 60 seconds, synchronized with the host module
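The two token styles on the Tokens and Smart cards slides (a challenge/response device plus PIN, and a code that changes every 60 seconds in step with the host) can be seen end to end in the added example below. It is illustration written for these notes, not code from the slides or from any token vendor. The slides do not name an algorithm, so HMAC-SHA256 over a shared secret is assumed for both token types, along with an 8-hex-digit response, a 6-digit time code, a one-step (60 s) drift allowance on the host, and constructed user names, secrets and timestamps.

```python
"""Added example: challenge/response and time-synchronized tokens, with PIN.

Assumptions (not from the slides): HMAC-SHA256 over a shared secret, 8 hex
digits of response, 6-digit time code over a 60-second step, one step of
clock drift accepted by the host.  Users, secrets and timestamps are
constructed for the example.
"""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # the slide's "changes every 60 seconds"
DRIFT_STEPS = 1     # host tolerance for token clock drift, in steps


def _hmac(secret: bytes, message: bytes) -> bytes:
    return hmac.new(secret, message, hashlib.sha256).digest()


def challenge_response(secret: bytes, challenge: bytes) -> str:
    """Token side: the 'complex calculation' on the host's challenge."""
    return _hmac(secret, challenge).hex()[:8]


def time_code(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Token side: code for the current step (HOTP-style dynamic truncation
    of an HMAC over the step counter, so the code changes every `step` s)."""
    counter = int(now // step)
    digest = _hmac(secret, struct.pack(">Q", counter))
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


class Host:
    """Host module: holds each token's secret and the user's salted PIN hash."""

    def __init__(self):
        self._tokens = {}           # user -> token secret
        self._pins = {}             # user -> (salt, PBKDF2 hash of PIN)
        self._open_challenges = {}  # user -> outstanding challenge (single use)

    def enroll(self, user: str, secret: bytes, pin: str):
        salt = os.urandom(16)
        self._tokens[user] = secret
        self._pins[user] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))

    def _pin_ok(self, user: str, pin: str) -> bool:
        salt, stored = self._pins[user]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        return hmac.compare_digest(stored, candidate)

    def issue_challenge(self, user: str) -> bytes:
        challenge = os.urandom(16)
        self._open_challenges[user] = challenge
        return challenge

    def verify_response(self, user: str, pin: str, response: str) -> bool:
        """Two factors: PIN (something you know) + token response (something
        you have).  The challenge is consumed on every attempt, so a captured
        response cannot be replayed."""
        challenge = self._open_challenges.pop(user, None)
        if challenge is None or user not in self._tokens:
            return False
        expected = challenge_response(self._tokens[user], challenge)
        return self._pin_ok(user, pin) and hmac.compare_digest(expected, response)

    def verify_time_code(self, user: str, pin: str, code: str, now: float) -> bool:
        """Accept the code for the current step or DRIFT_STEPS either side."""
        if user not in self._tokens or not self._pin_ok(user, pin):
            return False
        secret = self._tokens[user]
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            if hmac.compare_digest(time_code(secret, now + delta * STEP_SECONDS), code):
                return True
        return False


def demo() -> dict:
    """Both exchanges with constructed values; returns each outcome."""
    secret = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed
    host = Host()
    host.enroll("alice", secret, "4711")

    # Challenge/response: host issues a nonce, token answers, host checks once.
    challenge = host.issue_challenge("alice")
    response = challenge_response(secret, challenge)
    first = host.verify_response("alice", "4711", response)
    replay = host.verify_response("alice", "4711", response)  # same response again

    # Time-synchronized: code minted at t, presented 70 s later (one step of
    # drift, accepted) and 10 minutes later (stale, rejected).
    t = 1_700_000_000
    code = time_code(secret, t)
    within = host.verify_time_code("alice", "4711", code, t + 70)
    stale = host.verify_time_code("alice", "4711", code, t + 600)
    bad_pin = host.verify_time_code("alice", "0000", code, t)
    return {"first": first, "replay": replay, "within": within,
            "stale": stale, "bad_pin": bad_pin}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the host removes the challenge from its table before it compares anything, so even a failed attempt burns the nonce; and the time window is deliberately narrow, because every extra step of drift tolerance multiplies the number of codes an attacker who steals one display can use.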
Supply System Controls
- Electrical power controls
  - Surge suppressors
  - Uninterruptible power supply (UPS): battery or generator
  - Static controls
- HVAC controls
  - Humidity
  - Heating/cooling
- Water controls
- Gas lines
- Major concerns
  - System monitors
  - Controls (on/off)
  - Secured location
  - Training
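The "install monitors and alarms" items on the HVAC and Water slides and the "system monitors" concern above come together in the added example below: a small monitor that reads sensor lines, alarms on the slides' limits (50-80 degrees F, 20-80 percent humidity, any water detected), and also alarms when a sensor goes silent, since a monitor that quietly stops reporting is the failure mode that leaves a flooded raised floor unnoticed. This is example code written for these notes, not from the slides or any monitoring product; the log line format, sensor names, the 2-unit hysteresis margin and the 5-minute silence limit are assumptions, and the readings are constructed.

```python
"""Added example: environmental monitor with thresholds, hysteresis and
silent-sensor detection.  Limits are the slides' values; the line format,
sensor names, hysteresis margin, silence limit and readings are constructed
assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LIMITS = {"temp": (50.0, 80.0), "hum": (20.0, 80.0)}  # from the HVAC slide
HYSTERESIS = 2.0                       # must come back this far inside a limit to clear
SILENCE_LIMIT = timedelta(minutes=5)   # a sensor that stops reporting is itself an alarm

# Constructed readings: "ISO-timestamp sensor key=value ..." (assumed format)
SAMPLE_LOG = """\
2006-02-16T09:00:00 rack1 temp=72 hum=45 water=0
2006-02-16T09:00:00 floor water=0
2006-02-16T09:01:00 rack1 temp=81 hum=46 water=0
2006-02-16T09:02:00 rack1 temp=79.5 hum=46 water=0
2006-02-16T09:03:00 rack1 temp=77 hum=46 water=0
2006-02-16T09:04:00 rack1 temp=76 hum=85 water=0
2006-02-16T09:06:00 floor water=1
2006-02-16T09:06:00 rack1 temp=76 hum=70 water=0
2006-02-16T09:12:00 rack1 temp=76 hum=70 water=0
"""


@dataclass
class Reading:
    ts: datetime
    sensor: str
    values: dict


def parse_line(line: str) -> Reading:
    ts, sensor, *pairs = line.split()
    values = {}
    for pair in pairs:
        key, raw = pair.split("=", 1)
        values[key] = float(raw)
    return Reading(datetime.fromisoformat(ts), sensor, values)


@dataclass
class Monitor:
    active: set = field(default_factory=set)    # (sensor, condition) currently alarming
    last_seen: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # (time, sensor, ALARM|CLEAR, condition, detail)

    def _raise(self, ts, sensor, cond, detail):
        if (sensor, cond) not in self.active:   # report once, not on every reading
            self.active.add((sensor, cond))
            self.events.append((ts.isoformat(), sensor, "ALARM", cond, detail))

    def _clear(self, ts, sensor, cond, detail):
        if (sensor, cond) in self.active:
            self.active.remove((sensor, cond))
            self.events.append((ts.isoformat(), sensor, "CLEAR", cond, detail))

    def ingest(self, r: Reading):
        self.last_seen[r.sensor] = r.ts
        for name, (lo, hi) in LIMITS.items():
            if name not in r.values:
                continue
            v = r.values[name]
            if v > hi:
                self._raise(r.ts, r.sensor, f"{name}_high", f"{name}={v:g} > {hi:g}")
            elif v < lo:
                self._raise(r.ts, r.sensor, f"{name}_low", f"{name}={v:g} < {lo:g}")
            else:
                # Hysteresis: a reading hovering just inside the limit keeps the alarm up
                if v <= hi - HYSTERESIS:
                    self._clear(r.ts, r.sensor, f"{name}_high", f"{name}={v:g}")
                if v >= lo + HYSTERESIS:
                    self._clear(r.ts, r.sensor, f"{name}_low", f"{name}={v:g}")
        if r.values.get("water", 0) >= 1:
            self._raise(r.ts, r.sensor, "water", "water detected")
        elif "water" in r.values:
            self._clear(r.ts, r.sensor, "water", "dry")
        self._check_silence(r.ts)

    def _check_silence(self, now):
        # Every sensor is judged against the newest timestamp seen anywhere
        for sensor, seen in self.last_seen.items():
            if now - seen > SILENCE_LIMIT:
                self._raise(now, sensor, "silent", f"no reading since {seen.isoformat()}")
            else:
                self._clear(now, sensor, "silent", "reporting again")


def run(log: str) -> list:
    mon = Monitor()
    for line in log.splitlines():
        if line.strip():
            mon.ingest(parse_line(line))
    return mon.events


if __name__ == "__main__":
    for event in run(SAMPLE_LOG):
        print(*event)
```

On the constructed log this yields six events: a temperature alarm at 09:01 that does not clear at 79.5 (inside the limit but within the hysteresis band) and clears at 77, a humidity alarm and its clear, a water alarm from the floor sensor, and a silent-sensor alarm for that same floor sensor once six minutes pass without a report from it.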
Fire Protection Controls
- Fire detection controls: typical controls that protect facilities against fire
  - Human senses
  - Temperature (heat) and ionization (smoke) detectors
  - Detector locations: pull boxes, sensors, ceilings, below raised floors, return air ducts
  - Audible and visible fire warnings
  - Remote alarms to guards or the fire department
  - Check and/or exercise often
Fire Protection Controls
- Fire suppression: Halon 1301
  - Came on the market in the 1960s as the most effective gaseous fire-fighting agent
  - By the late 1980s, evidence indicated Halon was an ozone-depleting chemical
  - Montreal Protocol of 1987 required a phaseout of new production
  - Current status
    - No legal obligation to remove Halon systems
    - No new Halon 1301 is being manufactured
    - Wise to plan the replacement of Halon systems with a Halon alternative
Fire Protection Controls
- Fire suppression: FE-13
  - Developed by DuPont as a chemical refrigerant
  - Its molecules absorb heat from a fire until the atmosphere no longer supports combustion
  - Exhibits some ability to inhibit the chain of combustion, similar to Halon 1301
  - Limited atmospheric lifetime
  - Zero ozone depletion potential
Fire Protection Controls
- Fire suppression: Carbon Dioxide (CO2)
  - Reduces oxygen content and reduces the ambient temperature
  - High ratio of expansion facilitates rapid discharge and allows for 3-dimensional penetration of the entire hazard area
  - CO2 is electrically non-conductive
  - Has no residual clean-up
  - Caveat: the concentration needed to put out a fire is lethal to people, so the area must be evacuated before a total-flooding discharge
Fire Protection Controls
- Fire suppression: Argon
  - Clean, clear, and colorless
  - Heavier than the surrounding air
  - Fire suppression is achieved by displacement of oxygen in the air
  - Zero ozone depletion potential (ODP)
  - Zero global warming potential (GWP)
Fire Protection Controls
- Fire suppression: FM-200
  - Chemically known as heptafluoropropane
  - Also known in the industry as HFC-227ea
  - Cools the fire at the molecular level
  - Safe for use when people are present
  - Zero ozone depletion potential
Fire Protection Controls
- Fire suppression: INERGEN
  - Blend of nitrogen, argon, and carbon dioxide
  - Lowers the oxygen content of the area below 15%, the point where most combustibles will not burn
  - The patented carbon dioxide component in INERGEN protects anyone trapped in the area from the effects of the lowered oxygen levels
  - Electrically non-conductive
  - Zero ODP and GWP
Fire Protection Controls
- Fire suppression: water sprinkler systems
  - Wet pipe systems: when activated, water discharges immediately from the opened sprinklers
  - Dry pipe systems: used where portions of the system are subject to freezing
  - Preaction systems: used where discharge of water is a special concern (e.g., computer facilities)
  - Deluge systems: used for rapid application of water over the entire protected area (represent only 1% of all sprinkler systems)
Fire Protection Controls
- Fire suppression: fire extinguishers
  - Place in obvious locations
  - Train operators on their use
  - Inspect periodically
  - Types
    - Dry chemical: usually rated for multi-purpose use
    - Halon: contains a gas that interrupts the chemical reaction that takes place when fuels burn; limited range of 4-6 feet
    - Water: should only be used on Class A fires
    - Carbon dioxide (CO2): most effective on Class B and C fires; the liquid CO2 cools the air around the fire as it expands; only effective from 3-8 feet
Fire Protection Controls
- Fire suppression: extinguisher ratings
  - Class A: ordinary combustibles
  - Class B: flammable liquids
  - Class C: electrical equipment
  - Class D: flammable metals
Intrusion Detection
- Contact sensors
- Photoelectric sensors
- Acoustic sensors
- Vibration sensors
- Motion sensors
- Capacitance sensors
- Temperature sensors (less common)
Intrusion Detection
- Contact sensors
  - Any action that breaks the foil or wire breaks the circuit and activates an alarm
  - Advantages
    - Relatively trouble-free
    - Adequate in low-risk applications
  - Disadvantages
    - Costly to install where many entry points exist
    - Unprotected soft walls or ceilings may be targets
    - Will not detect stay-behinds
Intrusion Detection
- Photoelectric sensors
  - Use a light-sensitive cell and a light source
  - An infrared filter makes the beam invisible
  - Effective up to 500 feet indoors and 1000 feet outdoors
  - Advantages
    - Provide effective, reliable notice of intrusion
    - Detect stay-behinds
  - Disadvantages
    - Limited to locations where it is impossible to climb over or crawl under the beam
Intrusion Detection
- Acoustic sensors
  - Super-sensitive microphone sensors installed on walls, ceilings, and floors
  - Used to safeguard enclosed areas, such as vaults and warehouses
  - Advantages
    - Economical and easily installed
  - Disadvantages
    - Can only be used in enclosed areas with a minimum of extraneous sound
Intrusion Detection
- Vibration sensors
  - Vibration-sensitive sensors installed on walls, ceilings, and floors of the protected area
  - Used to safeguard enclosed areas, such as vaults and warehouses
  - Advantages
    - Economical and easily installed
  - Disadvantages
    - Can only be used in enclosed areas with a minimum of extraneous vibration
Intrusion Detection
- Motion sensors
  - These systems flood the area with acoustic or microwave energy, then detect the Doppler shift between the transmitted and received frequencies
  - Advantages
    - Protect against concealed intruders
    - Protective field is not visible, so it is difficult to defeat
  - Disadvantages
    - May require reduced sensitivity to overcome disturbance factors in the enclosed area
Intrusion Detection
- Capacitance sensors
  - Establish an electrostatic field around an object that becomes unbalanced by the body capacitance of an intruder
  - Advantages
    - Flexible and simple to install and operate
    - Provide an invisible protective field
    - High grade of protection
  - Disadvantages
    - Can only be applied to ungrounded objects
Data Center or Server Room
- Equipment security
  - Chain/cable locks
  - Enabling devices: special keys, electronic tokens, BIOS passwords, and smart cards
  - Visitor controls/CCTV
  - Located away from heat and water sources and from external windows/walls
  - Proper construction standards
  - HVAC
  - Power supply/backup
  - Fire detection/protection
Object Protection
- Laptops
  - Common sense
  - Encryption
- Safes
  - Good combinations, anchored, and in a visible location
- Fire-resistant cabinets
- Backups
Assurance, Trust, and Confidence
- Testing can be used to keep everyone aware of their responsibilities
- Types of testing activities
  - Fire drills
  - Vulnerability and penetration testing
  - Written reports to measure improvements
  - Use of checklists
    - Used in daily/monthly/annual recurring inspections
  - Maintenance and service
Info Protect and Management
- Goal is to maintain an alert and efficient security program
- Security Manager is responsible for
  - Reporting program status to senior management
  - Daily program and policy management
  - Training employees
  - Evaluating compliance
  - Checking to ensure Physical Security sensors are working correctly
Info Protect and Management
- Hiring practices
- Professional environment
- Training
- Terminating employees
- Precautionary measures
Info Protect and Management
- Hiring practices
  - Take special care to determine each candidate's level of personal and professional integrity
  - Employ an in-depth screening process
  - Conduct pre-employment interviews
  - Reference checking is essential
  - Drug testing
  - Written contracts and nondisclosure statements
Info Protect and Management
- Professional environment
  - Rotate job assignments: many attacks take a long time to complete
  - Enforce vacation policies: some attacks require daily attention from the insider to stay hidden
  - Limit the access users have to equipment and information
  - Monitor your employees' security practices and enforce the policies
Info Protect and Management
- Training
  - Ensure security staff is well trained
  - Establish policy for handling turnover and training new people
  - Inexperienced system administrators are a major threat to security
  - Train employees and document it
  - Display and distribute security awareness materials frequently
Info Protect and Management
- Terminating employees
  - Escort to the door, if necessary
  - Get back all keys, badges, tokens, etc.
  - Revoke all system authorizations immediately
  - Preserve the employee's files as evidence in case wrongdoing is discovered
  - Inform the employee of his/her obligation to keep company information confidential
Info Protect and Management
- Precautionary measures
  - Create a working atmosphere
  - Protect corporate secrets
  - Establish intelligent restrictions on access
    - Facilities
    - Systems
    - Information
Challenges
- Protecting the portable environment
  - Portable computing threats
    - Data disclosure
    - Information is worth more than the computer
  - Protection strategies
    - Physical security
    - Identification and authentication
    - Encryption
Challenges
- Theft deterrence
  - Workstation anchor pads
  - Laptop cables
  - Theft-resistant briefcases
    - $1,400-1,500 each
    - Can only be opened with the proper code
    - Built-in self-destruct mechanism that erases the hard drive if the case is opened by force
    - Internal tracking device
Challenges
- Implementing a cost-effective security program
  - Analyze the problem
  - Design or purchase controls
  - Implement the controls
  - Test and exercise the controls
  - Monitor the controls
End of Day, remember to check that
- Office doors are locked
- Desks/cabinets are locked
- Workstations are secured
- Flash drives and CDs are secured
- Company information is secured