Physical Security

“Least sexy of the 10 domains but the best firewall in the world will not stand up to a well placed brick.”

Physical Security
  • Addresses threats, vulnerabilities, countermeasures to physically protect org’s resources & sensitive info
  • Natural disasters
  • Unauthorized entry and/or theft

Threats
  • Risk analysis or business impact assessment identify threats
  • Seven major sources of physical loss:
      1. Temperature
      2. Gases
      3. Liquids
      4. Organisms
      5. Projectiles
      6. Movement
      7. Energy Anomalies

Controls for Physical Security
  • Administrative Controls
      • Emergency procedures, personnel control, & planning and policy implementation
  • Physical & Technical Controls

Facility Requirements
  • Planning done in early stages of construction of data facility
  • Choosing a Secure Site
  • Designing a Secure Site

Choosing a Secure Site
  • Visibility: neighbors, external markings
  • Local Considerations: near possible threats, local crime rate
  • Natural Disasters: weather related, earthquake fault
  • Transportation: excessive air, highway or road traffic
  • Joint Tenancy: HVAC controls, electricity
  • External Services: local emergency, hospitals

Designing a Secure Site
  • Walls: fire ratings rooms & storage
  • Ceilings: weight-bearing, fire rating
  • Floors: weight bearing, static, electrical cables
  • Windows: none or translucent & shatterproof
  • Doors: resist forcible entry, fire rating, personnel safety is first
  • Sprinkler systems: fire resistant rating of not less than 1 hour
  • Liquid or gas lines: positive (outward) flow
  • Air Conditioning: dedicated power circuits, positive air flow
  • Electrical Requirements: dedicated circuits, alternative

Facility Security Management
  • Audit Trails
      • Detecting security violations
      • Performance problems
      • Design & programming flaws
      • Include: date & time, successful or not, where access granted, who tried, data modified?
      • Detective rather than preventative
  • Emergency Procedures
      • Include: emergency shutdown procedures, evacuation, employee training, periodic tests
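An added example (not part of the original slides) of using an audit trail detectively: it reads door-access records carrying the fields listed above (when, where, who, successful or not) and flags repeated denials for one badge at one door. The CSV layout, badge and door names, and the 3-denials-in-5-minutes threshold are assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data): when, where, who, outcome.
SAMPLE_LOG = """timestamp,door,badge,granted
2024-03-04T08:01:10,lobby,B1001,yes
2024-03-04T22:14:02,server-room,B2044,no
2024-03-04T22:14:40,server-room,B2044,no
2024-03-04T22:15:31,server-room,B2044,no
2024-03-04T22:16:05,server-room,B2044,yes
2024-03-04T22:30:00,loading-dock,B3307,no
2024-03-05T09:12:00,loading-dock,B3307,no
"""

def parse_records(text):
    """Parse the CSV audit trail into typed records, sorted by time."""
    rows = [{
        "when": datetime.fromisoformat(row["timestamp"]),
        "door": row["door"],
        "badge": row["badge"],
        "granted": row["granted"] == "yes",
    } for row in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["when"])

def find_violations(records, max_denials=3, window=timedelta(minutes=5)):
    """Flag repeated denials for one badge at one door inside the window,
    and note whether a grant followed (the entry may have succeeded)."""
    recent = defaultdict(deque)   # (badge, door) -> times of recent denials
    alerts = {}                   # (badge, door) -> alert details
    for rec in records:
        key = (rec["badge"], rec["door"])
        if rec["granted"]:
            if key in alerts and rec["when"] - alerts[key]["last_denial"] <= window:
                alerts[key]["granted_after"] = True
            recent[key].clear()
            continue
        q = recent[key]
        q.append(rec["when"])
        while q and rec["when"] - q[0] > window:
            q.popleft()               # drop denials that fell out of the window
        if len(q) >= max_denials:
            alerts[key] = {"badge": key[0], "door": key[1], "denials": len(q),
                           "last_denial": rec["when"], "granted_after": False}
    return list(alerts.values())
```

The check reports after the fact; it does not stop the entry, which is why the slide calls audit trails detective rather than preventative.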

Administrative Personnel Controls
  • Human resources department
  • Pre-employment screening
  • Ongoing employee checks
  • Post-employment procedures

Environmental & Life Safety Controls
  • “Physical controls necessary to sustain either computer’s operating environment (OE) or personnel’s OE”
  • Main Areas:
      • Electrical Power
      • Fire detection & suppression
      • Heating, Ventilation, & Air Conditioning (HVAC)

Electrical Power
  • Noise
  • Brownouts & sag (NYC 15% common)
  • Radio frequency interference, EMI
  • Cell phones, laptops, other electrical equipment
  • EMI eavesdropping
  • Power line conditioning, proper shielding, grounding, magnets, fluorescent lights, electric motors, space heaters
  • Surges & spikes when come back up
  • Humidity: low == static (20,000 volts possible)

Fire Detection & Suppression
  • Fire classes, combustibles, detectors, & suppression methods
  • Factors in priority order:
      1. Life safety aspects
      2. Fire threat of installation to occupants & property
      3. Economic loss from computing function
      4. Economic loss from loss of equipment

Fire Classes & Combustibles
  • Classes:
      A. Common combustibles – water or soda acid
      B. Liquid – CO2, soda acid, or halon
      C. Electrical – CO2 or halon
  • Fire requires: oxygen, heat, & fuel
  • Water: temperature; soda acid: fuel supply; CO2: oxygen; halon: chemical reaction

Fire Detectors
  • Heat sensing
      • Predetermined temp or fast change
  • Flame-actuated
      • Infrared or pulsation of flame
  • Smoke-actuated
      • In ventilation systems
  • Automatic dial-up fire alarm

Fire Extinguishing Systems
  • Water Sprinkler
      • Wet Pipe, Dry Pipe, Deluge, or Pre-action (combination of wet & dry pipe)
  • Gas Discharge
      • Pressurized inert gas
      • CO2, halon, argonite, inergen

After the Fire
  • Contamination
      • Smoke: little damage at first, residue
      • Heat
      • Water
      • Suppression medium
  • Water damage
      • Shutoff power
      • Move equipment
      • Drain
      • Wipe parts & spray

Physical & Technical Controls
  • Facility Control Requirements
  • Facility Access Control Devices
  • Intrusion Detection & Alarms
  • Computer Inventory Control
  • Media Storage Requirements

Facility Control Requirements
  • Guards
  • Dogs
  • Fencing
  • Mantrap
  • Lighting
  • Locks (bump key)
  • Closed Circuit TV

Facility Access Control Devices
  • Security Access Cards
      • Dumb: photo id
      • Smart: digital coded smart card
      • Smarter: processor on card
  • Wireless Proximity Readers
      • Passive, field powered, transponders
  • Biometric

Intrusion Detection & Alarms
  • Perimeter Intrusion Detectors
      • Photoelectric & dry contact switches
  • Motion Detectors
      • Wave pattern (reflection), capacitance (electrical field), audio detectors
  • Alarm Systems
      • Local, central station, proprietary
      • Line supervision

Computer Inventory Control
  • Physical PC Control
      • Cable locks
      • Port controls
      • Switch controls
      • Peripheral switch controls
      • Electronic security boards
  • Laptops

Media Storage Requirements
  • Ongoing Storage
      • Access & environment
  • Disposal
      • Clearing – overwriting (7 times min)
      • Purging – degaussing or overwriting
      • Destruction
      • Erasing only changes the FAT; damaged sectors are not changed; an overwrite may not change everything because the new file is shorter
  • Encryption of sensitive data
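An added example (not part of the original slides) that models the disposal points above on a toy in-memory volume: erasing removes only the table entry, a shorter overwrite leaves the tail of the old file, and clearing overwrites every allocated cluster 7 times. The `ToyVolume` class, cluster size and overwrite patterns are hypothetical; damaged or remapped sectors are not modelled.

```python
CLUSTER = 16  # bytes per cluster in this toy volume (assumption)

class ToyVolume:
    """Hypothetical FAT-like volume: raw clusters plus a file table."""
    def __init__(self, clusters=8):
        self.raw = bytearray(CLUSTER * clusters)
        self.table = {}          # name -> (first cluster, cluster count, length)
        self.next_free = 0

    def write(self, name, data):
        """Write a file; reuse the file's clusters if it already fits there."""
        count = -(-len(data) // CLUSTER)  # ceiling division
        if name in self.table and self.table[name][1] >= count:
            start, count = self.table[name][0], self.table[name][1]
        else:
            start, self.next_free = self.next_free, self.next_free + count
        self.raw[start * CLUSTER:start * CLUSTER + len(data)] = data
        self.table[name] = (start, count, len(data))

    def erase(self, name):
        """Ordinary delete: only the table entry goes, the data stays."""
        del self.table[name]

    def clear(self, name, passes=7):
        """Overwrite every allocated cluster in full, then drop the entry."""
        start, count, _ = self.table.pop(name)
        lo, hi = start * CLUSTER, (start + count) * CLUSTER
        for i in range(passes):
            pattern = (0x00, 0xFF)[i % 2]   # alternating patterns (assumption)
            self.raw[lo:hi] = bytes([pattern]) * (hi - lo)

    def recoverable(self, needle):
        """True if the bytes can still be found by reading the raw medium."""
        return needle in self.raw

def demo():
    """Compare erase, shorter overwrite and clearing on constructed data."""
    secret = b"PIN=4921;ACCT=constructed-sample"   # constructed, 32 bytes
    erased, shortened, cleared = ToyVolume(), ToyVolume(), ToyVolume()
    for vol in (erased, shortened, cleared):
        vol.write("f", secret)
    erased.erase("f")
    shortened.write("f", b"junk")
    cleared.clear("f")
    marker = b"constructed-sample"
    return {"erase": erased.recoverable(marker),
            "short_overwrite": shortened.recoverable(marker),
            "clear": cleared.recoverable(marker)}
```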

Simplest Way to Check Physical Security
  • “Walk-about”