UW-Madison Information Systems 365 -- Physical Security -- Lecture 9

Information Security 365/765, Fall Semester, 2016

Course Instructor, Nicholas Davis, CISA, CISSPLecture 9, Physical Security

Today’s CandyToday’s CandyTwizzlersTwizzlers

Twizzlers is a brand of candy in the United States and Canada. Twizzlers is the product of Y&S Candies, Inc., of Lancaster, Pennsylvania, now a subsidiary of The Hershey Company. In 1908 a plant was opened in Montreal and in 1929 the Twizzler brand was established

05/02/23 UNIVERSITY OF WISCONSIN 2

Physical SecurityPhysical Security

It used to be easy, way back in the 1960sToday, with IT assets on every desk, we have:•Theft•Fraud•Vandalism•Sabotage•Accidents


Let’s Watch an InterestingLet’s Watch an InterestingVideo About the History of Video About the History of

Physical SecurityPhysical Securityhttps://www.youtube.com/watch?v=-

eVSR9tder0

20 Minutes


https://www.youtube.com/watch?v=-eVSR9tder0



Funny Cartoon VideoFunny Cartoon VideoBut, it Makes a Good PointBut, it Makes a Good Point

https://www.youtube.com/watch?v=tmOGJVDvJaQ

2 minutes





Four Major PhysicalFour Major PhysicalSecurity ThreatsSecurity Threats

• Natural environmental• Supply system• Human made• Politically motivated

Good security program protects against all of these, in layers


Physical ThreatsPhysical ThreatsNatural / EnvironmentalNatural / Environmental

Floods, earthquakes, storms, volcanoes


Physical ThreatsPhysical ThreatsSupply SystemSupply System

Power, communications, supply of water, etc.


Physical ThreatsPhysical ThreatsHuman MadeHuman Made

Unauthorized access, damage by angry employees, employee errors and accidents, vandalism, fraud, theft


Physical ThreatsPhysical ThreatsPolitically Motivated Politically Motivated

ThreatsThreatsStrikes, riots, civil disobedience, terrorist attacks, bombings


What Constitutes a GoodWhat Constitutes a GoodSecurity PlanSecurity Plan

Crime and disruption through deterrence

Fences, security guards, warning signs, etc.



Reduction of damage through use of delaying mechanisms

Layers of defenses that slow down the adversary, such as locks, security personnel, barriers



Crime or disruption detection

Smoke detectors, motion detectors, surveillance cameras, etc



Incident assessment

Response of personnel to quickly evaluate situation and damage level



Rapid response procedures

Fire suppression systems, emergency response systems, law enforcement notification


5 Core Steps in a Physical5 Core Steps in a PhysicalSecurity SystemSecurity System

• Deter• Delay• Detect• Assess• Respond


Sidewalk, Lights andSidewalk, Lights andLandscaping For ProtectionLandscaping For Protection


Physical Access ControlPhysical Access ControlFor VisitorsFor Visitors

• Limit the number of entry points• Force all guests to sign-in at a

common location• Reduce entry points even more,

after hours and on weekends• Validate a government issued

picture ID before allowing entry• Require all guests to be escorted

by a full time employee• Encourage employees to question

strangers


Natural SurveillanceNatural Surveillance

Natural Surveillance is the intentional and visible surveillance, to make potential criminals aware that they are being watch and make all others feel safe


Territorial ReinforcementTerritorial Reinforcement

Building facilities in such a way as you make people feel secure, open, visible, strong, etc.


Selecting a Facility SiteSelecting a Facility Site

• Visibility – Terrain, neighbors, population

• Surrounding area – Crime, riots, police, medical, fire, other hazzards

• Accessibility – Road access, traffic, airport access, etc

• Natural Disasters – floods, tornadoes, earthquakes, rain, etc


Entry PointsEntry Points

Windows and doors are the standard access points. They should be secure, strong, foolproof

Walls should be at least as strong as the doors and windows


A Human TrapA Human Trap

• Only allows one person into a secure area at a time

• Open first door, enter

• Wait for first door to close

• Enter second door to secure area

• Only enough space for one person at a time


Don’t Forget AboutDon’t Forget Aboutthe Ceilingthe Ceiling


In Computer FacilitiesIn Computer FacilitiesWater Detectors Are Water Detectors Are

ImportantImportantWater detectors should be placed under raised floors and on ceilings


Laptops Are One of theLaptops Are One of theMost Frequently Stolen Most Frequently Stolen

Physical AssetsPhysical Assets• Inventory the laptops• Harden the Operating system• Password protect BIOS• Register laptops with vendor• Don’t check laptop as baggage!• Don’t leave laptop unattended• Engrave the laptop visibly• Use a physical cable and lock• Backup data• Encrypt hard disk• Store in secure place when not in use


Electric PowerElectric PowerElectricity is the lifeline of the companyUse multiple supply circuits coming into the facilityFilter power for a clean electrical signal, important for computersHave a backup generator, test it regularlyHave an appropriately sized battery backup power supply (UPS)Test EVERYTHING, test OFTEN


Keep All Wiring OrganizedKeep All Wiring OrganizedOn Computer EquipmentOn Computer Equipment• Reduces confusion• Makes troubleshooting easier• Lower risk of fire hazard• Lower risk of electrical

interference• Looks professional and

trustworthy, in case visitors come through

• Use shielded cabling to stop electrical interference

• Don’t run electrical wiring close to fluorescent lighting05/02/23 UNIVERSITY OF WISCONSIN 28

An Example of WhatAn Example of WhatNot to DoNot to Do


Make Sure All Utility LinesMake Sure All Utility LinesHave Emergency Shutoff Have Emergency Shutoff

ValvesValves


Static Electricity, theStatic Electricity, theInvisible EnemyInvisible Enemy

• Protect against static electricity, which can destroy computer equipment:

• Antistatic flooring• Humidity levels should be kept

moderate• Use proper electrical grounding• No carpeting, ever!!!• Use anti-static bands on wrist

when working on a computer server


HVAC – Heating, HVAC – Heating, Ventilation,Ventilation,

Air ConditioningAir Conditioning• Important to have commercial grade systems to keep temperature are proper level, and keep air filtered and circulating


Every Good CompanyEvery Good CompanyIs Full of LiebertIs Full of Liebert


Water Sprinkler SystemsWater Sprinkler Systems

• There are two types:• Wet Pipe – always contains water• Advantage – always ready for use• Disadvantage – most costly,

possibility of accidental release of water

• Dry Pipe – has to be connected to a tank

• Advantage – no risk of accidental water release

• Disadvantage – not ready immediately


Other Security ControlsOther Security Controls

• Fences – different heights, strengths

• Bollards – those odd looking posts in front of Best Buy

• Lighting – one of the best deterrents around, cheap and effective

• Locks – usually easy to defeat, but good as once layer of security for defense in depth strategy

• CCTV – Efficient for monitoring05/02/23 UNIVERSITY OF WISCONSIN 35

Auditing Physical AccessAuditing Physical AccessCritical Pieces of Critical Pieces of

InformationInformation• The date and time of the access attempt

• The entry point at which access was attempted

• The user ID associated with the access attempt

• Any unsuccessful attempts, especially if done during unauthorized hours


Tests and DrillsTests and Drills

Need to be developedMust be put into action, at least once per year, generally speakingMust be documentedMust be put in easily accessible placesPeople must be assigned specific tasksPeople should be taught and informed on how to fulfill specific tasksDetermine in advance what will determine success


A Note About Credit CardA Note About Credit CardReader Physical SecurityReader Physical Security

https://www.youtube.com/watch?v=XipjYIbBj7k

•Physical access to credit card transaction equipment is one of the greatest physical security threats facing most small businesses in the United States, but most people never give it a second thought05/02/23 UNIVERSITY OF WISCONSIN 38




UW-Madison Information Systems 365 -- Physical Security -- Lecture 9

Education

Transcript of UW-Madison Information Systems 365 -- Physical Security -- Lecture 9