Physical Security Presentation

Physical Security Muhammad Wajahat Rajab


Transcript of Physical Security Presentation

Page 1: Physical Security Presentation

Physical Security

Muhammad Wajahat Rajab

Page 2: Physical Security Presentation

Domain overview

• The domain addresses...

– Threats,

– Vulnerabilities

– Countermeasures

• Focuses on protecting enterprise resources…

– People

– Data

– Facility

– Equipment

Page 3: Physical Security Presentation

CISSP expectations

• A candidate must know elements involved in…

– Choosing a secure site

– Design and configuration of a site

– Securing the facility against

• Unauthorized access

• Theft of equipment and information

– Environmental and safety measures needed to protect

• People

• Facility

• Equipment

Page 4: Physical Security Presentation

Point to ponder

• Does compliance ensure security?

Page 5: Physical Security Presentation

Basics

Page 6: Physical Security Presentation

What is vulnerability?

Page 7: Physical Security Presentation

What is threat?

Page 8: Physical Security Presentation

What is risk?

Page 9: Physical Security Presentation

Err… Security

• What is Security?

Page 10: Physical Security Presentation

Physical security

• Measures to safeguard and protect against:

– Damage

– Loss

– Theft

Page 11: Physical Security Presentation

CIA triad

• Risks to CIA

– Interruptions in providing computer services?

– Physical damage?

– Unauthorized disclosure of information?

– Loss of control over information?

– Physical theft?

Page 12: Physical Security Presentation

Categories of threats

Page 13: Physical Security Presentation

Important

• In any case nothing should impede life safety goals!

Page 14: Physical Security Presentation

Physical controls

• Implement physical security

• Where are they needed?

– At perimeter and building grounds

– At building entry points

– Inside the building

• Offices / Rooms

– For data centers or server room security

– Computer equipment protection

Page 15: Physical Security Presentation

Choosing a Secure Site

Page 16: Physical Security Presentation

Visibility

• Low or high visibility?

• Types of neighbors

• Markings on the building

Page 17: Physical Security Presentation

Local considerations

• Near hazardous waste dump area

• In flood control plain area

• Local crime rate

• Riots

• Strike prone area

Page 18: Physical Security Presentation

Natural disasters

• Weather related problems

• Tornadoes

• Heavy snow

• Earthquake zone

Page 19: Physical Security Presentation

Transportation

• Excessive highway, air, or road traffic in area

• How many bridges?

Page 20: Physical Security Presentation

Joint tenancy

• Shared HVAC and environmental controls

Page 21: Physical Security Presentation

External services

• Proximity to…

– Local fire facilities

– Police

– Hospital/Medical Facilities

Page 22: Physical Security Presentation

Layered defense model

Page 23: Physical Security Presentation

Implementation

• Security breach alarms

• On-premises security officers

• Server operations monitoring

• Early warning smoke detectors

• Redundant HVAC equipment

• UPS and backup generators

• Seismically braced server racks

• Biometric access and exit sensors

• Continuous video surveillance

• Electronic motion sensors

Page 24: Physical Security Presentation

Implementation (2)

Page 25: Physical Security Presentation

Designing a secure site

Page 26: Physical Security Presentation

Walls

• All walls must have acceptable fire rating

– Floor to ceiling

• Any closets storing media must also have acceptable fire rating

Page 27: Physical Security Presentation

Ceiling

• Can they bear the right weight?

• Acceptable fire rating

Page 28: Physical Security Presentation

Floors

• Slab

– 150 pounds per square foot weight bearing

• Raised

– Concerned with

• Fire rating

• Electrical conductivity

– Employ non conducting surface material in data center!

Page 29: Physical Security Presentation

Doors

• Must resist forced entry

• Solid or hollow?

• Hinges hidden, internal or fixed

• Fire rating equivalent to that of adjacent wall

• Emergency exits must be...

– Clearly marked

– Monitored

– Alarmed

• Electrical doors

– Fail safe or fail secure?

Page 30: Physical Security Presentation

Windows

• Should prevent any viewing…

• Windows in data center?

• Windows types…

Page 31: Physical Security Presentation

Standard glass

Page 32: Physical Security Presentation

Tempered glass

Page 33: Physical Security Presentation

Acrylic glass

Page 34: Physical Security Presentation

Wired mesh glass

Page 35: Physical Security Presentation

Solar window film

Page 36: Physical Security Presentation

Security film

Page 37: Physical Security Presentation

Keep an eye on…

• Sprinkler systems

– Location and type must be known

• Water and gas pipelines

– Location of the shut off valves must be known

– Water, steam and gas lines should have positive drains

• Flow outward and away from the building!

• Air conditioning

– Dedicated power for data centers

– EPO switch should be known

– Provide outward positive air pressure

– Prevent intake of potential toxins into the facility

Page 38: Physical Security Presentation

Facility security management

Page 39: Physical Security Presentation

Audit logs

• Identify entry attempts and who attempted them

• Preventive or detective controls?

– Date and time of access attempt

– Whether the attempt was successful or not

– Where the access was granted (i.e. which door)

– Who attempted the access

– Who modified the access privileges at the supervisor level

– Can send alarms or alerts if required
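Added example (not part of the original slides): one way to review a door access log that records the fields listed above and raise alerts from it. The log layout, door and badge names, and the threshold values are assumptions made for this illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from a real system). Columns follow the
# fields listed on the slide: when, which door, who, what happened, outcome.
SAMPLE_LOG = """\
timestamp,door,actor,event,result
2024-03-04T08:58:10,lobby,e1001,access,granted
2024-03-04T22:14:02,server-room,e2040,access,denied
2024-03-04T22:14:31,server-room,e2040,access,denied
2024-03-04T22:15:05,server-room,e2040,access,denied
2024-03-04T22:40:00,server-room,sup07,privilege_change:e2040,granted
2024-03-04T22:43:12,server-room,e2040,access,granted
2024-03-05T09:02:44,lobby,e1001,access,denied
"""

FAIL_THRESHOLD = 3                      # assumed policy value
FAIL_WINDOW = timedelta(minutes=5)      # assumed policy value
CHANGE_WINDOW = timedelta(minutes=30)   # assumed policy value


def review_access_log(text):
    """Return a list of (timestamp, rule, actor, door) alerts."""
    alerts = []
    denied = defaultdict(deque)   # (actor, door) -> denial times since last entry
    recent_change = {}            # (actor, door) -> (time, supervisor)
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"])
        door, actor, event = row["door"], row["actor"], row["event"]
        if event.startswith("privilege_change:"):
            # Supervisor-level change: remember who changed whose access.
            target = event.split(":", 1)[1]
            recent_change[(target, door)] = (ts, actor)
            continue
        key = (actor, door)
        if row["result"] == "denied":
            q = denied[key]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()       # keep only denials inside the window
            if len(q) == FAIL_THRESHOLD:
                alerts.append((ts, "repeated_denied", actor, door))
        else:
            # A grant that follows denials and a fresh privilege change at
            # the same door is worth a second look by a reviewer.
            change = recent_change.get(key)
            if change and denied[key] and ts - change[0] <= CHANGE_WINDOW:
                rule = f"granted_after_change_by_{change[1]}"
                alerts.append((ts, rule, actor, door))
            denied[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in review_access_log(SAMPLE_LOG):
        print(*alert)
```
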

Page 40: Physical Security Presentation

Emergency procedures

• Should be clearly documented and readily accessible

• Copies should be stored offsite in the event of a disaster

• Should be updated periodically

• Should include the following…

– Emergency system shutdown procedures

– Evacuation procedures

– Employee training, awareness programs, and periodic drills

• Fire drills

– Periodic equipment and systems tests

Page 41: Physical Security Presentation

Administrative personnel controls

Page 42: Physical Security Presentation

Pre-employment screening

• Employment, references and educational history checks

• Background investigation and/or credit rating checks for sensitive positions

Page 43: Physical Security Presentation

On-going employee checks

• Security clearances

• Ongoing employee ratings or reviews by supervisors

Page 44: Physical Security Presentation

Post-employment procedures

• Exit interview, removal of network access, return of computers, etc.

Page 45: Physical Security Presentation

Environmental and life safety controls

Page 46: Physical Security Presentation

Environmental control areas

• Electrical Power

• Fire Detection and Suppression

• Heating, Ventilation and Air Conditioning (HVAC)

Page 47: Physical Security Presentation

Electrical power

• Disruptions in electrical power can have a serious business impact

• Goals…

– Clean and steady power

– Excellent power quality

• Design considerations…

– Dedicated feeders

– Alternate power source

– Access controls

• Secure breaker and transformer rooms

Page 48: Physical Security Presentation

Electrical power threats

• Electrical noise

• Anomalies

• Electrostatic discharge

Page 49: Physical Security Presentation

Electrical noise

• Random disturbance interfering with devices

– EMI and RFI

• Caused by…

– Components of electrical system

– Fluorescent lighting, Truck ignitions

• Can cause permanent damage to sensitive components in a system!

Page 50: Physical Security Presentation

Types of EMI noise

• Common mode noise

– Noise from radiation generated by the difference between the “Hot” and “Ground” wires

• Transverse mode noise

– Noise from radiation generated by the difference between the “Hot” and “Neutral” wires

Page 51: Physical Security Presentation

Protective measures for noise

• Proper line conditioning

• Proper grounding of the system to earth

• Cable shielding

• Limited exposure to magnets, electrical motors, and fluorescent lights

Page 52: Physical Security Presentation

Electrical anomalies

• Power excess

– Spike – Momentary high voltage

– Surge – Prolonged high voltage

• Power loss

– Fault – Momentary power outage

– Blackout – Complete loss of power

• Power degradation

– Sag/dip – Momentary low voltage condition for few seconds

– Brownout – Prolonged low voltage power supply

Page 53: Physical Security Presentation

Electrical anomalies

• Transients

– Line noise that is superimposed on the supply circuit can cause fluctuation in power

• Inrush current

– Initial surge of current required to start a load

Page 54: Physical Security Presentation

Electrical support systems

• Surge suppressors

• Uninterruptible power supplies

– Only for duration needed to safely shutdown systems

• Emergency shutoff switch (EPO switch)

– Should be monitored by camera

• Alternate Power Supply

– Generator, Fuel Cell, etc.

Page 55: Physical Security Presentation

Electrostatic discharge

• Power surge generated by a person or device contacting another device and transferring a high voltage shock!

• Affected by low humidity!

Page 56: Physical Security Presentation

Static charge and damage

• At 40 Volts

– Sensitive circuits and transistors

• At 1000 Volts

– Scramble monitor display

• At 1500 Volts

– Disk drive data loss

• At 2000 Volts

– System shutdown

• At 4000 Volts

– Printer jam

Page 57: Physical Security Presentation

Static charge and damage (2)

• At 17000 Volts

– Permanent chip damage

Page 58: Physical Security Presentation

Acceptable humidity

• Ideal humidity range = 40% to 60%

– High humidity > 60%

• Causes problems with condensation on computer equipment

• Causes corrosion of electrical connections – sort of like “Electroplating” – and impedes electrical efficiency

– Low humidity < 40%

• Can cause increase in electrostatic discharge

• Up to 4000 Volts under normal humidity

• Up to 25,000 Volts under very low humidity

Page 59: Physical Security Presentation

Precautions for static electricity

• Use anti-static sprays where possible

• Operations or computer centers should have anti-static flooring

• Building and computer rooms should be grounded properly

• Anti-static table or floor mats

• HVAC should maintain proper level of humidity in computer rooms

Page 60: Physical Security Presentation

Fire protection

• Three ways to tackle fire…

– Fire Prevention

– Fire Detection

– Fire Suppression

• Three elements that keep the fire going…

– Heat

– Oxygen

– Fuel

– We just need to kill one element to kill the fire!

Page 61: Physical Security Presentation

Types of fires

Class | Description (Fuel)

A | Common combustibles such as paper, wood, furniture, clothing

B | Burnable fuels such as gasoline or oil

C | Electrical fires such as computers and electronics

D | Special fires such as chemical, metal

K | Commercial kitchen fire

Page 62: Physical Security Presentation

Fire prevention

• Use fire resistant materials for walls, doors, furnishings, etc.

• Reduce the amount of combustible papers around electrical equipment

• Provide fire prevention training to employees

– REMEMBER: Life safety is the most important issue!

• Conduct fire drills on all shifts so that personnel know how to exit a building!

Page 63: Physical Security Presentation

Fire detection

• Ionization-type Smoke Detectors

– Detect charged particles in smoke

• Optical (Photoelectric) Detectors

– React to light blockage caused by smoke

• Fixed or Rate-of-Rise Temperature Sensors

– Heat detectors that react to the heat of a fire

– Fixed sensors have lower false positives

• Flame Actuated

– Senses infrared energy of flame or pulsating of the flame

– Very FAST response time but expensive!

Page 64: Physical Security Presentation

Fire extinguishing methods

Class | Description (Fuel) | Extinguishing Method

A | Common combustibles such as paper, wood, furniture, clothing | Water, Foam

B | Burnable fuels such as gasoline or oil | Inert Gas, CO2

C | Electrical fires such as computers and electronics | Inert Gas, CO2 (Note: Most important step: Turn off electricity first!)

D | Special fires, such as chemical, metal | Dry Powder (May require total immersion or other special techniques)

K | Commercial kitchen fire | Wet Chemicals

Page 65: Physical Security Presentation

Fire suppression

• Carbon Dioxide, Foam, Inert Gas and Dry Powder Extinguishers DISPLACE Oxygen to suppress a fire

• CO2 is a risk to humans (Because of oxygen displacement)

• Water suppresses the temperature required to sustain a fire

Page 66: Physical Security Presentation

Fire suppression - Halon

• Halon banned for new systems under 1987 Montreal Protocol on substances that deplete the Ozone Layer

– Began implementation of ban in 1992

– Any new installations of fire suppression systems must use alternate options

– EU requires removal of Halon from most applications

• Halon replacements:

– FM200

– Water

Page 67: Physical Security Presentation

Fire suppression - Water

• Wet Pipe

– Always contains water

– Most popular

– 165°F Fuse Melts

– Can freeze in winter

– Pipe breaks can cause floods

• Dry Pipe

– No water in pipe

– Preferred for computer installations

– Water held back by clapper

– Air blows out of pipe, water flows

Page 68: Physical Security Presentation

Fire Suppression – Water (2)

• Deluge

– Type of dry pipe

– Water discharge is large

– Not recommended for computer installations

• Preaction

– Most recommended for computer room

– Combines both dry and wet Pipes

– Water is released into the pipe first; then, after the fuse melts in the nozzle, the water is dispersed

Page 69: Physical Security Presentation

HVAC

• Heating, Ventilation, and Air Conditioning

• Usually the focal point for Environmental Controls

• You need to know who is responsible for HVAC in your building

• Clear escalation steps need to be defined well in advance of an environmentally threatening incident

Page 70: Physical Security Presentation

HVAC issues

• Are computerized components involved?

• Does it maintain appropriate temperature and humidity levels and air quality?

– Ideal Temperature = 70° to 74° F

– Ideal Humidity = 40% to 60%

• Maintenance procedures should be documented

Page 71: Physical Security Presentation

More physical controls

Page 72: Physical Security Presentation

Elements of physical security

• Badges

• Restricted Areas

• Lights

• Dogs

• CCTV

• Locks

• Access Control

• Barriers

• Security Forces

• Fences

• Intrusion Detection Systems

Page 73: Physical Security Presentation

Functions of physical security

• Deter

• Detect

• Delay

• Respond

Page 74: Physical Security Presentation

Perimeter protection

• Perimeter security controls are the first line of defense

• Protective barriers – Natural or structural

– Natural barriers

• Terrains that are difficult to cross

• Landscaping (Shrubs, Trees, Spiny shrubs)

– Structural barriers

• Fences, Gates, Bollards, Facility Walls

Page 75: Physical Security Presentation

Fences

• Know These Fencing Heights:

– 3 ft – 4 ft high: Deters casual trespassers

– 6 ft – 8 ft high: Too hard to climb easily

– 8 ft high with 3 strands of barbed wire: Deters intruders

• Types of fencing

– Chain link

– Barbed wire

– Barbed tape or Concertina wire

Page 76: Physical Security Presentation

Fences (2)

• Chain link…

– 6 feet tall (Excluding top guard)

– 8 feet tall (With top guard)

– 2 inch openings or less

– Should reach within 2 inches of the ground; on soft ground, should extend below the surface

– Be sure vegetation or adjacent structures do not bridge over the fence

This is at least 8 Feet

Page 77: Physical Security Presentation

Fences (3)

• Barbed wire

Page 78: Physical Security Presentation

Fences (4)

• Concertina wire

Page 80: Physical Security Presentation

Intrusion detection & surveillance

• Perimeter Intrusion Detection Systems

– Sensors that detect access into the area

• Photoelectric

• Ultrasonic

• Microwave

• Passive infrared (PIR)

• Pressure sensitive (Dry contact switch)

– Surveillance Devices

• Closed-Circuit Television (CCTV)

Page 81: Physical Security Presentation

Motion detectors

• Wave Pattern – Generates a frequency wave pattern

• Capacitance – Monitors an electrical field around an object

• Audio Detectors – Monitors any abnormal sound wave generation

– Lots of false alarms

Page 82: Physical Security Presentation

CCTV

• A television transmission system that uses cameras to transmit pictures to connected monitors

• CCTV levels:

– Detection: The ability to detect the presence of an object

– Recognition: The ability to determine the type of object (animal, blowing debris, crawling human)

– Identification: The ability to determine the object details (person, large rabbit, small deer, tumbleweed)

Page 83: Physical Security Presentation

CCTV components

• Camera

– Fixed, Zoom

– Pan, Tilt

• Transmission Media

– Coax Cable

– Fiber Cable

– Wireless

• Monitor

Page 84: Physical Security Presentation

CCTV deployment features

• Cameras high enough to avoid physical attack

• Cameras distributed to include blind areas

• Appropriate Lenses

• Pan, Tilt, Zoom (PTZ) as required

• Ability to be recorded

• Camera system tied to alarm system

• Number and quality of video frames increased during alarm event

• Regular service of moving parts

• Cleaning lenses

Page 85: Physical Security Presentation

CCTV application guidelines

• Understand the facility’s total surveillance requirements

• Determine the size of the area to be monitored

– Depth, Height, and Width

– Ensures proper camera lens specifications

• Lighting is important

– Different lamps and lighting provide various levels of effectiveness

– ‘Contrast’ between the object and background

– For outdoor use, the US army specifies the automatically adjusted Iris feature

Page 86: Physical Security Presentation

CCTV legal & practical implications

• Storage implications of recorded data

• Video tapes must be stored to prevent deterioration

• Digital records must be maintained to assert integrity

• Human rights and privacy implications in recording people

• Requirements to blur/pixelate individuals other than accused!

Page 87: Physical Security Presentation

Lighting

• Provides a deterrent to intruders

• Makes detection likely if entry attempted

• Should be used with other controls such as fences, patrols, alarm systems, CCTV

• Critical protected buildings should be illuminated up to 8 feet high, with 2 foot-candle power!

Page 88: Physical Security Presentation

Types of lighting

• Continuous Lighting (Most Common)

– Glare Projection

– Flood Lighting

• Trip Lighting

• Standby Lighting

• Movable (Portable)

• Emergency Lighting

Page 89: Physical Security Presentation

Locks

• Locks are considered delay devices only

• Defeated by force and/or the proper tools

• Should never be considered a stand-alone method of security

• Types of locks…

Page 90: Physical Security Presentation

Key in knob-locks

Page 91: Physical Security Presentation

Dead bolt locks

Page 92: Physical Security Presentation

Mortise locks

Page 93: Physical Security Presentation

Padlocks

Page 94: Physical Security Presentation

Combination locks

Page 95: Physical Security Presentation

Keyless and smart locks

Page 96: Physical Security Presentation

Lock security measures

• Key control procedures

– Restrict issue of keys on a long-term basis to outside maintenance or janitorial personnel

– Keep a record of all issued keys

– Investigate the loss of all keys

• When in doubt, rekey the affected locks

– Use as few master keys as possible

– Issue keys on a need-to-go basis

– Remember – Keys are a single-factor authentication mechanism that can be lost, stolen, or copied!

• (Use 2-factor methods for more secure areas)

Page 97: Physical Security Presentation

Compartmentalized area

• Location where sensitive equipment is stored and where sensitive information is processed

– Must have a higher level of security controls!

Page 98: Physical Security Presentation

Portable device security

• Laptops, PDAs, Etc.

– Protect the device

– Protect the data in the device

• Examples:

– Locking the cables

– Tracing software

– Encryption software

– PIN Protection for PDAs

– Inventory system

Page 99: Physical Security Presentation

Alarm systems

• Local alarm systems

– Alarm sounds locally and must be protected from tampering and audible for at least 400 feet

• Central station units

– Monitored 7x24 and signaled over leased lines

– Usually within < 10 minutes travel time

– Private security firms

• Proprietary systems

– Similar to central but owned and operated by customer

Page 100: Physical Security Presentation

Alarm systems (2)

• Auxiliary station systems

– Systems that ring at local fire or police stations

• Line supervision

– Alarm sounds when alarm transmission medium detects tampering

Page 101: Physical Security Presentation

Drills, testing and maintenance

Page 102: Physical Security Presentation

Drills

• Keep everyone aware of their responsibilities

• Focus on building evacuation exercises

Page 103: Physical Security Presentation

Testing

• Employ physical penetration testing

• Identify weak entry points

• Keep findings documented

• Keep checklists to ensure consistency

Page 104: Physical Security Presentation

Maintenance

• Monitor the maintenance

• Contractually bind the contractors

– Audit services provided

• Proper change and configuration management

Page 105: Physical Security Presentation

Data destruction

• Data Destruction and Reuse…

– Degaussing or overwriting usually destroys most data

– Normal formatting does not destroy the data

– Format or overwrite 7 times (Mil-Spec)

– Consider shredding hard drives, other portable media

– Paper records = Confetti shred or burn!

Page 106: Physical Security Presentation

Questions

Page 107: Physical Security Presentation

Question 1

• Under what conditions would the use of a "Class C" hand-held fire extinguisher be preferable to the use of a "Class A" hand-held fire extinguisher?

A. When the fire is in its incipient stage.

B. When the fire involves electrical equipment.

C. When the fire is located in an enclosed area.

D. When the fire is caused by flammable products.


Page 109: Physical Security Presentation

Question 2

• Which of the following is the most costly countermeasure to reducing physical security risks?

A. Procedural controls

B. Hardware devices

C. Electronic systems

D. Personnel


Page 111: Physical Security Presentation

Question 3

• Which type of fire extinguisher is most appropriate for an information processing facility?

A. Type A

B. Type B

C. Type C

D. Type D


Page 113: Physical Security Presentation

Question 4

• Which of the following floors would be most appropriate to locate information processing facilities in a 6-story building?

A. Basement

B. Ground floor

C. Third floor

D. Sixth floor


Page 115: Physical Security Presentation

Thank you!