lecture 08 physical security asst.prof.supakorn kungpisdan, ph.d. [email protected] 1...
TRANSCRIPT
Reference
M. E. Whitman and H. J. Mattord, Principles of Information Security, 3rd Edition, Thomson Course Technology, ISBN 1-4239-0177-0
NETE0519-ITEC4614 2
Learning Objectives
Discuss the relationship between threats to information security and physical security
Describe the key physical security considerations including fire control and surveillance systems
Identify critical physical environment considerations for computing facilities, including uninterruptible power supplies
NETE0519-ITEC4614 3
Introduction
Discuss CIA in Physical Security
NETE0519-ITEC4614 4
Introduction (cont.)
Physical security addresses design, implementation, and maintenance of countermeasures that protect physical resources of an organization
Most controls can be circumvented if an attacker gains physical access
Physical security is as important as logical security
NETE0519-ITEC4614 5
Major Sources of Physical Loss
Sources Descriptions
Extreme temperature Heat, cold
Gases War gases, commercial vapors, humid or dry air, suspended particles
Liquids Water, chemicals
Living organisms Viruses, bacteria, people, animals, insects
Projectiles Tangible object in motion, powered objects
Movement Collapse, shearing, shaking, vibration, liquefaction, flow waves, separation, slide
Energy anomalies Electrical surge or failure, magnetism, static electricity, aging circuitry, radiation
NETE0519-ITEC4614 6
Community Roles in Physical Security
General management responsible for facility security, draft security policy
IT management and professionals responsible for environmental and access security
Information security management and professionals: perform risk assessments and implementation reviews for
security controls implemented by general management and IT management
NETE0519-ITEC4614 7
Physical Access Controls
Access controls for a building are operated by a group called Facility management
Secure facility: physical location engineered with controls designed to minimize risk of attacks from physical threats
Secure facility can take advantage of natural terrain, traffic flow, and degree of urban development; can complement these with protection mechanisms (fences, gates, walls, guards, alarms)
NETE0519-ITEC4614 8
Physical Access ControlsPhysical Security Controls
Walls, fencing, and gates Guards Dogs ID cards and badges Locks and keys
Mantraps Electronic monitoring Alarms and alarm systems Computer rooms and
wiring closets Interior walls and doors
NETE0519-ITEC4614 9
Perimeter Security
What to examine: Natural boundaries at the
location Fences or walls around the
site The design of the outer
walls of a building Divisions and choke points
within a building
A series of mechanisms includes: Fences Perimeter Intrusion
Detection and Assessment Systems (PIDAS)
Security lighting Closed-circuit television
(CCTV) Security guards and guard
dogs Warning signs and notices
NETE0519-ITEC4614 10
PIDAS
Perimeter Intrusion Detection and Assessment Systems
PIDAS has sensors that detect intruders and feel vibrations along the fence
The system may produce false positives due to stray deer, high winds, or other natural events
NETE0519-ITEC4614 11
Physical Security ControlsWalls, Fencing, and Gates
Some of the oldest and most reliable methods of physical security
NETE0519-ITEC4614 12
Fencing
A fence with proper design and height can delay an intruder and work as a psychological barrier
A risk analysis should be performed to evaluate types of physical assets to be protected 4-foot fence will deter a casual trespasser 8-foot fence will keep a determined intruder out
Need to consider gauge and mesh size of the wire The smaller the mesh, the more difficult it is to climb The heavier the gauge, the more difficult it is to cut
NETE0519-ITEC4614 13
Gauge and Mesh
NETE0519-ITEC4614 14
16G with 50mm vs 25 mm mesh
Fencing (cont.)
NETE0519-ITEC4614 15
Gates
UL Standard 325 details requirements for gates with 4 classifications: Residential Class 1 Commercial Class 2 Industrial Class 3 Restricted Access Class 4
Bollards are made of concrete or steel and used to block vehicle traffic or to protect areas where pedestrians are entering or leaving buildings
NETE0519-ITEC4614 16
Guards
Guards have the ability to apply human reasoning
Most guards have clear Standard Operating Procedure (SOPs)
Need to have job references and be subjected to a background check
NETE0519-ITEC4614 17
Dogs
Guard dogs are keen to smell and hearing. They can detect intrusions that human guards cannot.
They can be placed in harm’s way when necessary to avoid risking the human life
NETE0519-ITEC4614 18
ID Cards and Badges
Ties physical security with information access control ID card is typically concealed
whereas name badge is visible Serve as simple form of biometrics
(facial recognition) Should not be only means of control
as cards can be easily duplicated, stolen, and modified
Tailgating (Piggybacking) occurs when unauthorized individual follows authorized user through the control
NETE0519-ITEC4614 19
Locks and Keys
Two types of locks: mechanical and electromechanical
Locks can also be divided into four categories: manual, programmable, electronic, biometric
Locks fail and alternative procedures for controlling access must be put in place
Locks fail in one of two ways: Fail-safe lock: the lock fails
and the door unlocks Fail-secure lock: the lock
fails and the door locks
NETE0519-ITEC4614 20
Where to apply fail-safe or fail-secure locks?
Locks and Keys (cont.)
NETE0519-ITEC4614 21
NETE0519-ITEC4614 22
Warded Locks
NETE0519-ITEC4614 23
Access Control: Locks (cont.)
NETE0519-ITEC4614 24
Tumbler Locks
Tabular lock
Mantrap
Small enclosure that has entry point and different exit point Individual enters mantrap, requests access, and if verified,
is allowed to exit mantrap into facility Individual denied entry is not allowed to exit until security
official overrides automatic locks of the enclosure
NETE0519-ITEC4614 25
NETE0519-ITEC4614 26
Mantrap
Mantraps (cont.)
27NETE0519-ITEC4614
Electronic Monitoring
Records events where other types of physical controls are impractical or incomplete
May use cameras with video recorders; includes closed-circuit television (CCTV) systems
Drawbacks Reactive; does not prevent access or prohibited activity Recordings often are not monitored in real time; must be
reviewed to have any value
NETE0519-ITEC4614 28
Alarms and Alarm Systems
Alarm systems notify when an event occurs Detect fire, intrusion, environmental disturbance, or an
interruption in services Rely on sensors that detect event; e.g., motion detectors,
smoke detectors, thermal detectors, glass breakage detectors, weight sensors, contact sensors, vibration sensors
NETE0519-ITEC4614 29
Alarm Sensor
NETE0519-ITEC4614 30
Glass break sensor
Photoelectric sensor
Motion detection sensor(photoelectric infrared)
Computer Rooms and Wiring Closets
Require special attention to ensure confidentiality, integrity, and availability of information
Logical controls easily defeated if attacker gains physical access to computing equipment
NETE0519-ITEC4614 31
Interior Walls and Doors
Information asset security sometimes compromised by construction of facility walls and doors
Facility walls typically either standard interior or firewall High-security areas must have firewall-grade walls to
provide physical security from potential intruders and improve resistance to fires
Doors allowing access to high security rooms should be evaluated
Recommended that push or crash bars be installed on computer rooms and closets
NETE0519-ITEC4614 32
Fire Security and Safety
Most serious threat to safety of people who work in an organization is possibility of fire
Fires account for more property damage, personal injury, and death than any other threat
Imperative that physical security plans examine and implement strong measures to detect and respond to fires
NETE0519-ITEC4614 33
Fire Detection and Response
Fire suppression systems: devices installed and maintained to detect and respond to a fire
Deny an environment of heat, fuel, or oxygen Water and water mist systems Carbon dioxide systems Soda acid systems Gas-based systems
NETE0519-ITEC4614 34
Fire Detection
Fire detection systems fall into two general categories: manual and automatic
Part of a complete fire safety program includes individuals that monitor chaos of fire evacuation to prevent an attacker accessing offices
There are three basic types of fire detection systems: thermal detection, smoke detection, flame detection
NETE0519-ITEC4614 35
Fire Suppression
Systems consist of portable, manual, or automatic apparatus
Portable extinguishers are rated by the type of fire: Class A, Class B, Class C, Class D
Installed systems apply suppressive agents; usually either sprinkler or gaseous systems
NETE0519-ITEC4614 36
Fire Suppression Classes
Class A: Fires of ordinary combustible fuels. Use water and multipurpose, dry chemical fire extinguishers.
Class B: Fires fueled by combustible liquids or gases, such as solvents, gasoline, paint, lacquer, and oil. Use carbon dioxide, multipurpose dry chemical, and halon fire extinguishers.
Class C: Fires with energized electrical equipment or appliances. Use carbon dioxide, multi-purpose dry chemical, and halon fire extinguishers.
Class D: Fires fueled by combustible metals, such as magnesium, lithium, and sodium. Use special extinguishing agents and techniques.
NETE0519-ITEC4614 37
Gaseous Emission Systems
Until recently, two types of systems: carbon dioxide and Halon
Carbon dioxide robs a fire of oxygen supply
Halon is clean but has been classified as an ozone-depleting substance; new installations are prohibited
Alternative clean agents include FM-200, Inergen, carbon dioxide, FE-13 (trifluromethane)
NETE0519-ITEC4614 38
Failure of Supporting Utilities and Structural Collapse
Supporting utilities (heating, ventilation, and air conditioning; power; water; and others) have significant impact on continued safe operation of a facility
Each utility must be properly managed to prevent potential damage to information and information systems
NETE0519-ITEC4614 39
HVAC
Areas within heating, ventilation, and air conditioning (HVAC) systems that can cause damage to information systems include: Temperature Humidity Static electricity
NETE0519-ITEC4614 40
Ventilation Shafts
While ductwork is small in residential buildings, in large commercial buildings it can be large enough for an individual to climb though
If vents are large, security can install wire mesh grids at various points to compartmentalize the runs
NETE0519-ITEC4614 41
Uninterruptible Power Supply (UPS)
In case of power outage, UPS is backup power source for major computer systems
NETE0519-ITEC4614 42
Emergency Shutoff
Important aspect of power management is the need to be able to stop power immediately should a current represent a risk to human or machine safety
Most computer rooms and wiring closets are equipped with an emergency power shutoff
NETE0519-ITEC4614 43
Water Problems
Lack of water poses problem to systems, including functionality of fire suppression systems and ability of water chillers to provide air-conditioning
Surplus of water, or water pressure, poses a real threat (flooding, leaks)
Very important to integrate water detection systems into alarm systems that regulate overall facilities operations
NETE0519-ITEC4614 44
Structural Collapse
Unavoidable forces can cause failures of structures that house organization
Structures designed and constructed with specific load limits; overloading these limits results in structural failure and potential injury or loss of life
Periodic inspections by qualified civil engineers assist in identifying potentially dangerous structural conditions
NETE0519-ITEC4614 45
Maintenance of Facility Systems
Physical security must be constantly documented, evaluated, and tested
Documentation of facility’s configuration, operation, and function should be integrated into disaster recovery plans and operating procedures
Testing helps improve the facility’s physical security and identify weak points
NETE0519-ITEC4614 46
Interception of Data
Three methods of data interception: Direct observation Interception of data transmission Electromagnetic interception
U.S. government developed TEMPEST program to reduce risk of electromagnetic radiation (EMR) monitoring
NETE0519-ITEC4614 47
Mobile and Portable Systems
With the increased threat to information security for laptops, handhelds, and PDAs, mobile computing requires more security than average in-house system
Many mobile computing systems have corporate information stored within them; some are configured to facilitate user’s access into organization’s secure computing facilities
NETE0519-ITEC4614 48
Mobile and Portable Systems (cont.)
Controls support security and retrieval of lost or stolen laptops CompuTrace software, stored on laptop; reports to a central
monitoring center Burglar alarms made up of a PC card that contains a motion
detector
NETE0519-ITEC4614 49
Special Considerations for Physical Security Threats
Develop physical security in-house or outsource? Many qualified and professional agencies Benefit of outsourcing includes gaining experience and
knowledge of agencies Downside includes high expense, loss of control over
individual components, and level of trust that must be placed in another company
Social engineering: use of people skills to obtain information from employees that should not be released
NETE0519-ITEC4614 50
Inventory Management
Computing equipment should be inventoried and inspected on a regular basis
Classified information should also be inventoried and managed
Physical security of computing equipment, data storage media, and classified documents varies for each organization
NETE0519-ITEC4614 51
Physical Security in ISO27001A.9 Physical and Environmental Security
A9.1 Secure areas A9.1.1 Physical security perimeter A9.1.2 Physical entry control A9.1.3 Securing offices, rooms, and facilities A9.1.4 Protecting against external and environmental threats A9.1.5 Working in secure areas A9.1.6 Public access, delivery and loading areas
NETE0519-ITEC4614 52
Physical Security in ISO27001A.9 Physical and Environmental Security (cont.)
A9.2 Equipment security A9.2.1 Equipment siting and protection A9.2.2 Supporting utilities A9.2.3 Cabling security A9.2.4 Equipment maintenance A9.2.5 Security of equipment off-promises A9.2.6 Secure disposal of re-use of equipment A9.2.7 Removal of property
NETE0519-ITEC4614 53
Summary
Threats to information security that are unique to physical security
Key physical security considerations in a facility site Physical security monitoring components Essential elements of access control Fire safety, fire detection, and response Importance of supporting utilities, especially use of uninterruptible
power supplies Countermeasures to physical theft of computing devices
NETE0519-ITEC4614 54
NETE0519-ITEC4614 55
Questions?