ITNS and CERIAS - PowerPoint PPT Presentation

Provided by: jker5
1
ITNS and CERIAS CISSP Luncheon Series
Physical (Environmental) Security
Presented by Scott L. Ksander
2
Physical Security
  • From (ISC)² Candidate Information Bulletin
  • The Physical (Environmental) Security domain
    addresses the threats, vulnerabilities, and
    countermeasures that can be utilized to
    physically protect an enterprise's resources and
    sensitive information. These resources include
    people, the facility in which they work, and the
    data, equipment, support systems, media, and
    supplies they utilize.

3
Physical Security
  • From (ISC)² Candidate Information Bulletin
  • The candidate will be expected to know the
    elements involved in choosing a secure site, its
    design and configuration, and the methods for
    securing the facility against unauthorized
    access, theft of equipment and information, and
    the environmental and safety measures needed to
    protect people, the facility, and its resources.

4
Introduction
  • Threats to physical security include
  • Interruption of services
  • Theft
  • Physical damage
  • Unauthorized disclosure
  • Loss of system integrity

5
Introduction
  • Threats fall into many categories
  • Natural environmental threats (e.g., floods,
    fire)
  • Supply system threats (e.g., power outages,
    communication interruptions)
  • Manmade threats (e.g., explosions, disgruntled
    employees, fraud)
  • Politically motivated threats (e.g., strikes,
    riots, civil disobedience)

6
Introduction
  • Primary consideration in physical security is
    that nothing should impede life safety goals.
  • Ex. Don't lock the only fire exit door from the
    outside.
  • Safety: Deals with the protection of life and
    assets against fire, natural disasters, and
    devastating accidents.
  • Security: Addresses vandalism, theft, and
    attacks by individuals.

7
Physical Security Planning
  • Physical security, like general information
    security, should be based on a layered defense
    model.
  • Layers are implemented at the perimeter and
    moving toward an asset.
  • Layers include Deterrence, Delaying, Detection,
    Assessment, Response

8
Physical Security Planning
  • A physical security program must address
  • Crime and disruption protection through
    deterrence (fences, security guards, warning
    signs, etc.).
  • Reduction of damages through the use of delaying
    mechanisms (e.g., locks, security personnel,
    etc.).
  • Crime or disruption detection (e.g., smoke
    detectors, motion detectors, CCTV, etc.).
  • Incident assessment through response to incidents
    and determination of damage levels.
  • Response procedures (fire suppression mechanisms,
    emergency response processes, etc.).

9
Physical Security Planning
  • Crime Prevention Through Environmental Design
    (CPTED)
  • Is a discipline that outlines how the proper
    design of a physical environment can reduce crime
    by directly affecting human behavior.
  • Concepts developed in 1960s.
  • Think Social Engineering

10
Physical Security Planning
  • CPTED has three main strategies
  • Natural Access Control
  • Natural Surveillance
  • Territorial Reinforcement

11
Physical Security Planning
  • Natural Access Control
  • The guidance of people entering and leaving a
    space by the placement of doors, fences,
    lighting, and landscaping
  • Be familiar with bollards, use of security
    zones, access barriers, use of natural access
    controls

12
Physical Security Planning
  • Natural Surveillance
  • Is the use and placement of physical
    environmental features, personnel walkways, and
    activity areas in ways that maximize visibility.
  • The goal is to make criminals feel uncomfortable
    and make all other people feel safe and
    comfortable, through the use of observation.

13
Physical Security Planning
  • Territorial Reinforcement
  • Creates physical designs that highlight the
    company's area of influence to give legitimate
    owners a sense of ownership.
  • Accomplished through the use of walls, lighting,
    landscaping, etc.

14
Physical Security Planning
  • CPTED is not the same as target hardening
  • Target hardening focuses on denying access
    through physical and artificial barriers (can
    lead to restrictions on use, enjoyment, and
    aesthetics of the environment).

15
Physical Security Planning
  • Issues with selecting a facility site
  • Visibility (terrain, neighbors, population of
    area, building markings)
  • Surrounding area and external factors (crime
    rate, riots, terrorism, first responder
    locations)
  • Accessibility (road access, traffic, proximity to
    transportation services)
  • Natural Disasters (floods, tornados, earthquakes)

16
Physical Security Planning
  • Other facility considerations
  • Physical construction materials and structure
    composition
  • Be familiar with load, light frame construction
    material, heavy timber construction material,
    incombustible material, fire resistant material
    (know the fire ratings and construction
    properties).

17
Physical Security Planning
  • Mantrap: A small room with two doors. The
    first door is locked; a person is identified and
    authenticated. Once the person is authenticated
    and access is authorized, the first door opens
    and allows the person into the mantrap. The
    person has to be authenticated again in order to
    open the second door and access a critical area.
    The mantrap area could have a weight sensing
    floor as an additional control to prevent literal
    piggybacking.

18
Physical Security Planning
  • Automatic door lock configuration
  • Fail safe: If a power disruption occurs, the
    door defaults to being unlocked.
  • Fail secure: If a power disruption occurs, the
    door defaults to being locked.
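
The mantrap sequence and the two automatic door lock configurations from the slides above, modeled as a small controller. This is an added example, not part of the original presentation; the class names, the 150 kg floor threshold and the choice of fail mode per door are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class FailMode(Enum):
    FAIL_SAFE = "unlocked"    # power disruption: door defaults to unlocked
    FAIL_SECURE = "locked"    # power disruption: door defaults to locked

@dataclass
class Door:
    name: str
    fail_mode: FailMode
    locked: bool = True

class Mantrap:
    """Two-door interlock; every name and threshold here is hypothetical."""
    MAX_SINGLE_OCCUPANT_KG = 150.0  # assumed limit for the weight-sensing floor

    def __init__(self, outer, inner):
        self.outer, self.inner = outer, inner
        self.occupant = None  # user ID authenticated at the first door

    def enter(self, user_id, authenticated):
        # The first door opens only for an authenticated person and an empty trap.
        if not authenticated or self.occupant is not None:
            return False
        self.occupant = user_id
        return True

    def pass_inner(self, user_id, authenticated, floor_weight_kg):
        # The second authentication must succeed for the same person who entered.
        if not authenticated or user_id != self.occupant:
            return "denied: second authentication failed"
        # The weight-sensing floor is the additional control against piggybacking.
        if floor_weight_kg > self.MAX_SINGLE_OCCUPANT_KG:
            return "denied: floor weight suggests piggybacking"
        self.occupant = None
        return "granted"

    def power_loss(self):
        # Apply each door's configured default and report its locked state.
        for door in (self.outer, self.inner):
            door.locked = door.fail_mode is FailMode.FAIL_SECURE
        return {d.name: d.locked for d in (self.outer, self.inner)}
```

A denied second authentication leaves the occupant recorded in the trap, so no one else can enter until the situation is assessed and cleared.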

19
Physical Security Planning
  • Windows can also be used to promote physical
    security.
  • Know the different types of glass
  • Standard
  • Tempered
  • Acrylic
  • Wired
  • Laminated
  • Solar Window Film
  • Security Film

20
Physical Security Planning
  • Consider use of internal partitions carefully
  • True floor to true ceiling to counter security
    issues
  • Should never be used in areas that house
    sensitive systems and devices

21
Internal Support Systems
  • Power issues
  • A continuous supply of electricity assures the
    availability of company resources.
  • Data centers should be on a different power
    supply from the rest of the building
  • Redundant power supplies: two or more feeds
    coming from two or more electrical substations

22
Internal Support Systems
  • Power protection
  • UPS Systems
  • Online UPS systems
  • Standby UPS System
  • Power line conditioners
  • Backup Sources

23
Internal Support Systems
  • Other power terms to know
  • Ground
  • Noise
  • Transient Noise
  • Inrush Current
  • Clean Power
  • EMI
  • RFI

24
Internal Support Systems
  • Types of Voltage Fluctuations
  • Power Excess
  • Spike
  • Surge
  • Power Loss
  • Fault
  • Blackout
  • Power Degradation
  • Sag/dip
  • Brownout
  • Inrush Current

25
Internal Support Systems
  • Environmental Issues
  • Positive Drains
  • Static Electricity
  • Temperature

26
Internal Support Systems
  • Environmental Issues: Positive Drains
  • Contents flow out instead of in
  • Important for water, steam, gas lines

27
Internal Support Systems
  • Environmental Issues: Static Electricity
  • To prevent:
  • Use antistatic flooring in data processing areas
  • Ensure proper humidity
  • Proper grounding
  • No carpeting in data centers
  • Antistatic bands

28
Internal Support Systems
  • Environmental Issues: Temperature
  • Computing components can be affected by
    temperature
  • Magnetic storage devices: 100 Deg. F.
  • Computer systems and peripherals: 175 Deg. F.
  • Paper products: 350 Deg. F.

29
Internal Support Systems
  • Ventilation
  • Airborne materials and particle concentration
    must be monitored for inappropriate levels.
  • Closed Loop
  • Positive Pressurization

30
Internal Support Systems
  • Fire prevention, detection, suppression
  • Fire Prevention: Includes training employees on
    how to react, supplying the right equipment,
    enabling fire suppression supply, proper storage
    of combustible elements
  • Fire Detection: Includes alarms, manual
    detection pull boxes, automatic detection
    response systems with sensors, etc.
  • Fire Suppression: Is the use of a suppression
    agent to put out a fire.

31
Internal Support Systems
  • American Society for Testing and Materials (ASTM)
    is the organization that creates the standards
    that dictate how fire resistant ratings tests
    should be carried out and how to properly
    interpret results.

32
Internal Support Systems
  • Fire needs oxygen and fuel to continue to grow.
  • Ignition sources can include the failure of an
    electrical device, improper storage of materials,
    malfunctioning heating devices, arson, etc.
  • Special note on plenum areas: The space above
    drop down ceilings, wall cavities, and under
    raised floors. Plenum areas should have fire
    detectors and should only use plenum area rated
    cabling.

33
Internal Support Systems
  • Types of Fire
  • A: Common Combustibles
  • Elements: Wood products, paper, laminates
  • Suppression: Water, foam
  • B: Liquid
  • Elements: Petroleum products and coolants
  • Suppression: Gas, CO2, foam, dry powders
  • C: Electrical
  • Elements: Electrical equipment and wires
  • Suppression: Gas, CO2, dry powders
  • D: Combustible Metals
  • Elements: Magnesium, sodium, potassium
  • Suppression: Dry powder
  • K: Commercial Kitchens
  • Elements: Cooking oil fires
  • Suppression: Wet chemicals such as potassium
    acetate.

34
Internal Support Systems
  • Types of Fire Detectors
  • Smoke Activated
  • Heat Activated
  • Know the types and properties of each general
    category.

35
Internal Support Systems
  • Different types of suppression agents
  • Water
  • Halon and halon substitutes
  • Foams
  • Dry Powders
  • CO2
  • Soda Acid
  • Know suppression agent properties and the types
    of fires that each suppression agent combats
  • Know the types of fire extinguishers (A, B, C, D)
    that combat different types of fires

36
Internal Support Systems
  • Types of Sprinklers
  • Wet Pipe Systems (aka Closed Head System)
  • Dry Pipe Systems
  • Preaction Systems
  • Deluge Systems

37
Perimeter Security
  • The first line of defense is perimeter control at
    the site location, to prevent unauthorized access
    to the facility.
  • Perimeter security has two modes
  • Normal facility operation
  • Facility closed operation

38
Perimeter Security
  • Proximity protection components put in place to
    provide the following services
  • Control of pedestrian and vehicle traffic
  • Various levels of protection for different
    security zones
  • Buffers and delaying mechanisms to protect
    against forced entry
  • Limit and control entry points

39
Perimeter Security
  • Protection services can be provided by
  • Access Control Mechanisms
  • Physical Barriers
  • Intrusion Detection
  • Assessment
  • Response
  • Deterrents

40
Perimeter Security
  • Fences are first line of defence mechanisms.
    (Small Joke!)
  • Varying heights, gauge, and mesh provide
    security features (know them).
  • Barbed wire direction makes a difference.

41
Perimeter Security
  • Perimeter Intrusion Detection and Assessment
    System (PIDAS)
  • A type of fencing that has sensors on the wire
    mesh and base of the fence.
  • A passive cable vibration sensor sets off an
    alarm if an intrusion is detected.

42
Perimeter Security
  • Gates have 4 distinct types
  • Class I: Residential usage
  • Class II: Commercial usage, where general public
    access is expected (e.g., public parking lot,
    gated community, self storage facility)
  • Class III: Industrial usage, where limited
    access is expected (e.g., warehouse property
    entrance not intended to serve public)
  • Class IV: Restricted access (e.g., a prison
    entrance that is monitored either in person or
    via CCTV)

43
Perimeter Security
  • Locks are inexpensive access control mechanisms
    that are widely accepted and used.
  • Locks are considered delaying devices.
  • Know your locks!

44
Perimeter Security
  • Types of Locks
  • Mechanical Locks
  • Warded Tumbler
  • Combination Locks
  • Cipher Locks (aka programmable locks)
  • Smart locks
  • Device Locks
  • Cable locks, switch controls, slot locks, port
    controls, peripheral switch controls, cable traps

45
Perimeter Security
  • Lock Strengths
  • Grade 1 (commercial and industrial use)
  • Grade 2 (heavy duty residential/light duty
    commercial)
  • Grade 3 (residential and consumer expendable)
  • Cylinder Categories
  • Low Security (no pick or drill resistance)
  • Medium Security (some pick resistance)
  • High Security (pick resistance through many
    different mechanisms; used only in Grade 1 and 2
    locks)

46
Perimeter Security
  • Lighting
  • Know lighting terms and types of lighting to use
    in different situations (inside v. outside,
    security posts, access doors, zones of
    illumination)
  • It is important to have the correct lighting when
    using various types of surveillance equipment.
  • Lighting controls and switches should be in
    protected, locked, and centralized areas.

47
Perimeter Security
  • Continuous lighting: An array of lights that
    provide an even amount of illumination across an
    area.
  • Controlled lighting: An organization should
    erect lights and use illumination in such a way
    that does not blind its neighbors or any passing
    cars, trains, or planes.
  • Standby lighting: Lighting that can be
    configured to turn on and off at different times
    so that potential intruders think that different
    areas of the facility are populated.
  • Redundant or backup lighting: Should be
    available in case of power failures or
    emergencies.
  • Response area illumination: Takes place when
    an IDS detects suspicious activities and turns on
    the lights within the specified area.

48
Perimeter Security
  • Surveillance Devices
  • These devices usually work in conjunction with
    guards or other monitoring mechanisms to extend
    their capacity.
  • Know the factors in choosing CCTV, focal length,
    lens types (fixed v. zoom), iris, depth of field,
    illumination requirements

49
Perimeter Security
  • Focal length: The focal length of a lens
    defines its effectiveness in viewing objects from
    a horizontal and vertical view.
  • The sizes of images that will be shown on a
    monitor along with the area that can be covered
    by one camera are defined by focal length.
  • Short focal length: wider angle views
  • Long focal length: narrower views

50
Perimeter Security
  • Depth of field: Refers to the portion of the
    environment that is in focus
  • Shallow depth of focus: Provides a softer
    backdrop and leads viewers to the foreground
    object
  • Greater depth of focus: Not much distinction
    between objects in the foreground and background.

51
Perimeter Security
  • Intrusion Detection systems are used to detect
    unauthorized entries and to alert a responsible
    entity to respond.
  • Know the different types of IDS systems
    (electro-mechanical v. volumetric) and changes
    that can be detected by an IDS system.

52
Perimeter Security
  • Patrol Force and Guards
  • Use in areas where critical reasoning skills are
    required
  • Auditing Physical Access
  • Need to log and review
  • Date and time of access attempt
  • Entry point
  • User ID
  • Unsuccessful access attempts
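
A review pass over the four audit fields listed on this slide, flagging entry points that see repeated unsuccessful attempts in a short window. This is an added example, not part of the original presentation; the log line layout, the sample records and the threshold of 3 denials in 5 minutes are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from a real system); the layout is an assumption.
SAMPLE_LOG = """\
2024-03-04T08:01:12 entry=LOBBY user=asmith result=GRANTED
2024-03-04T22:40:03 entry=DC-EAST user=jdoe result=DENIED
2024-03-04T22:40:41 entry=DC-EAST user=jdoe result=DENIED
2024-03-04T22:41:15 entry=DC-EAST user=mlee result=DENIED
2024-03-04T22:55:00 entry=LOBBY user=jdoe result=DENIED
2024-03-05T09:12:30 entry=DC-EAST user=jdoe result=GRANTED
malformed line that the reviewer should count, not drop silently
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) entry=(\S+) user=(\S+) result=(GRANTED|DENIED)$"
)

def parse(log_text):
    """Return (records, rejected_lines); a record is (time, entry, user, result)."""
    records, rejected = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            rejected.append(line)  # keep unparseable lines visible to the reviewer
            continue
        ts, entry, user, result = m.groups()
        records.append((datetime.fromisoformat(ts), entry, user, result))
    return records, rejected

def repeated_denials(records, threshold=3, window=timedelta(minutes=5)):
    """Flag entry points with `threshold` unsuccessful attempts inside `window`."""
    recent = defaultdict(deque)  # entry point -> recent denied (time, user ID)
    alerts = []
    for ts, entry, user, result in sorted(records):
        if result != "DENIED":
            continue
        q = recent[entry]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop denials older than the window
            q.popleft()
        if len(q) >= threshold:
            # Report the door, the time span, and every user ID that was tried.
            alerts.append((entry, q[0][0], ts, sorted({u for _, u in q})))
            q.clear()
    return alerts
```

Grouping by entry point rather than by user ID also surfaces the case where several different IDs are tried at one door.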

53
Physical Security
  • Final Concept to Guide in Assessing Physical
    Security Issues on Exam
  • Deterrence
  • Delay
  • Detection
  • Assessment
  • Response

54
Physical Security
  • Resources
  • All in One Book (Shon Harris, 2005)
  • Official (ISC)² Guide to the CISSP CBK ((ISC)²,
    2006)