.

CIS 3500 1

Physical Security Controls

Chapter #17:

Architecture and Design

Chapter Objectives

n Explore the importance of physical security controls

n Learn about important environment controls

Physical Security Controls2

Physical Security Controls

n Physical security is an important for businesses dealing with

the security of networks and information systems

n Locking doors, installing alarm systems, using safes,

posting security guards, setting access controls

n Environmental controls protect systems used to process

information

Physical Security Controls3

Lighting

n Proper lighting is essential for physical security

n Unlit or dimly lit areas allow intruders to lurk and conduct

unauthorized activities

n External and internal

n Have sensitive areas well lit and open to observation

n Unauthorized parties in server rooms are more likely to be

detected if the servers are centrally located, surrounded in

windows, and well lit

Physical Security Controls4

.

CIS 3500 2

Signs

n Signs act as informational devices and can be used in a

variety of ways to assist in physical security

n Restricted areas, specific precautions, keeping doors

locked, delineate where visitors are allowed versus where

escorts are required

n Visual clues can take the form of different-color name

badges that indicate the level of access, visual lanyards

that indicate visitors, colored folders

Physical Security Controls5

Fencing/Gate/Cage

Physical Security Controls6

Security Guards

n Security guards are a visible presence with direct

responsibility for security

n They typically monitor entrances and exits and can

maintain access logs

n Security guards typically are not computer security experts,

so they need to be trained

n Strangers parked in the parking lot with laptops or other

mobile computing devices are all indicators of an attack

Physical Security Controls7

Alarms

n A la r m s s e r v e t o a le r t o p e r a t o r s t o a b n o r m a l c o n d i t io n s

n P h y s ic a l s e c u r i t y c a n in v o lv e s e n s o r s , in t r u s io n a la r m s , m o t io n d e t e c t o r s ,

s w i t c h e s t h a t a le r t t o d o o r s b e in g o p e n e d , v id e o a n d a u d io s u r v e i l la n c e

n W h e n t h e s e s y s t e m s h a v e in f o r m a t io n a n a la r m is t h e e a s ie s t m e t h o d o f

a le r t in g p e r s o n n e l t o t h e c o n d i t io n

n A la r m s a r e n o t s im p le : i f a c o m p a n y h a s t o o m a n y a la r m c o n d i t io n s ,

e s p e c ia l ly f a ls e a la r m s , t h e n t h e o p e r a t o r s w i l l n o t r e a c t t o t h e c o n d i t io n s

a s d e s i r e d

n T u n in g a la r m s s o t h a t t h e y p r o v id e u s e f u l , a c c u r a t e , a n d a c t io n a b le

in f o r m a t io n i s im p o r t a n t f o r t h e m t o b e e f f e c t iv e

Physical Security Controls8

.

CIS 3500 3

Safe

n Safes are physical storage devices

n They come in a wide variety of shapes, sizes, and cost

n Safes are not perfect; they are rated in terms of how long

they can be expected to protect the contents from theft or

fire

n The better the rating, the more expensive the safe

Physical Security Controls9

Secure Cabinets/Enclosures

n There are times when a safe is overkill

n A simpler solution is secure cabinets and enclosures

n They do not offer all of the levels of protection like a safe

Physical Security Controls10

Protected Distribution/Protected Cabling

n Cable runs between systems need to be protected by

protected distribution/ protected cabling

n The objective is to prevent any physical damage to the

physical layer portion of the system

Physical Security Controls11

Airgap

n An airgap: physical and logical separation of a network

from all other networks

n Prevent unauthorized data transfers

n Users will move data by other means, such as a USB drive -

- called “sneaker net”

n Unauthorized bypassing of the airgap increases system risk

because it also bypasses checks, logging, and other

processes important in development and deployment

Physical Security Controls12

.

CIS 3500 4

Mantrap

n A mantrap comprises two doors closely spaced that require

the user to card through one and then the other

sequentially

n Mantraps make it nearly impossible to trail through a

doorway undetected

n The implementation of a mantrap is one way to combat

tailgating

Physical Security Controls13

Faraday Cages

n Electromagnetic interference (EMI) is an electrical disturbance

that affects an electrical circuit

n Magnetic radiation enters the circuit by induction, where

magnetic waves create a charge on the circuit

n Modern circuitry is designed to resist EMI

n Cabling: the twists in unshielded twisted pair (UTP), or

Category 5e, 6, 6a, or 7, cable are there to prevent EMI

n Bigger shielding: Faraday cage or Faraday shield, which is an

enclosure of conductive material that is groundedPhysical Security Controls14

Locks

n Many different lock types are used in and around the computer

security arena e.g. computer lockdown cables

n Lock design has not changed much: a metal “token” is used to

align pins in a mechanical device

n High-security locks have been designed to defeat attacks

n Common feature of high-security locks is key control:

restrictions placed on making a copy of the key - patented

keyways that can only be copied by a locksmith, who will keep

recordsPhysical Security Controls15

Biometrics

n Biometrics is the measurement of biological attributes

n Fingerprint readers in laptops and stand-alone USB devices

n Two-part process: enrollment and then authentication

n Biometrics are not foolproof – some biometric measures

can be duplicated to fool a sensor

n Safeguards exist for most biometric bypass mechanisms,

making them a usable security technology

Physical Security Controls16

.

CIS 3500 5

Barricades/Bollards

n The primary defense against a majority of physical attacks

are the barricades between the assets and a potential

attacker — walls, fences, gates, and doors

n Security must be designed carefully, as an attacker has to

find only a single gap to gain access

n Barricades can also be used to control vehicular access

n The simple post-type barricade that prevents a vehicle from

passing but allows people to walk past is called a bollard

Physical Security Controls17

Tokens/Cards

n Badging systems use either tokens or cards that can be tied

to automated ID checks and logging of entry/exit

n They can embed a serialized ID for each user, enabling

user-specific logging

n They offer the same function as keys, but the system can

be remotely updated to manage access in real time

n Users can have privilege revoked without having to recover

the token or card

Physical Security Controls18

Environmental Controls

n Environmental controls are needed for current data centers

n Heating and cooling is important for computer systems as

well as users

n Server rooms require very specific cooling, usually provided

by a series of hot and cold aisles

n Fire suppression is an important consideration when dealing

with information systems

n They contribute to the availability aspect of security

Physical Security Controls19

HVAC

n C o n t r o l l in g a d a t a c e n t e r ’s t e m p e r a t u r e a n d h u m id i t y i s im p o r t a n t t o

k e e p in g s e r v e r s r u n n in g

n H e a t in g , v e n t i la t in g , a n d a i r c o n d i t io n in g ( H V A C ) s y s t e m s a r e c r i t i c a l f o r

k e e p in g d a t a c e n t e r s c o o l

n T y p ic a l s e r v e r s p u t o u t b e t w e e n 1 0 0 0 a n d 2 0 0 0 B T U s o f h e a t ( 1 B T U e q u a ls

t h e a m o u n t o f e n e r g y r e q u i r e d t o r a is e t h e t e m p e r a t u r e o f o n e p o u n d o f

l iq u id w a t e r b y o n e d e g r e e F a h r e n h e i t )

n M u lt ip le s e r v e r s c a n c r e a t e c o n d i t io n s t o o h o t f o r t h e m a c h in e s t o c o n t in u e

t o o p e r a t e

n H u m id i t y n e e d s t o b e c o n t r o l le d t o p r e v e n t s t a t i c i s s u e s ( t o o lo w h u m id i t y )

o r c o n d e n s a t io n i s s u e s ( t o o h ig h h u m id i t y ) Physical Security Controls20

.

CIS 3500 6

Hot and Cold Aisles

n A data center arranged into hot and cold aisles where all the intake

fans on all equipment face the cold aisle, and the exhaust fans all face

the opposite aisle

n The HVAC system is designed to push cool air underneath the raised

floor and up through perforated tiles on the cold aisle

n Hot air from the hot aisle is captured by return air ducts for the HVAC

system

n Never to mix the hot and cold air –cold air is not cheap

n The benefits of this arrangement are that cooling is more efficient and

can handle higher densityPhysical Security Controls21

Fire Suppression

n The ability to respond to a fire quickly and effectively is

thus critical to the long-term success of any organization

n Addressing potential fire hazards and vulnerabilities has

been a concern of organizations in their risk analysis

n Fire suppression systems are designed to provide protection

n They don’t prevent the fire from occurring but they do stop

it once it begins

Physical Security Controls22

Fire Suppression

Physical Security Controls23

Fire Suppression

n Water-based fire suppression systems are today the primary tool

to address and control structural fires

n Electrical equipment does not react well to large applications of

water

n Water is destructive to electronic equipment because of the

immediate electronic shorts but also because of corrosive damage

n Alternative fire suppression methods have been sought.

n Halon systems have been phased out because of environmental

concerns as it is a potent greenhouse gas

Physical Security Controls24

.

CIS 3500 7

Fire Suppression

n Clean-agent fire suppression systems: carbon dioxide (CO2) attacks

all three necessary elements for a fire: displaces oxygen; provides

some cooling and reduces the concentration of “gasified” fuel

n Argon lowers the oxygen concentration below the 15 % level required

for combustible items to burn

n Inergen is composed of three gases: 52% nitrogen, 40 % argon, and

8 % carbon dioxide - reduce oxygen to 12.5 %

n ChemicalSused to phase out halon areFE-13 and FM-200

(heptafluoropropane)

Physical Security Controls25

Fire Detection

n Smoke detector: ionization and photoelectric

n Heat activated: fixed-temperature or fixed-point devices

and ate-of-rise or rate-of-increase temperature devices

n Flame activated: change in the infrared energy that can be

detected – more expensive

Physical Security Controls26

Cable Locks

n Portable equipment—laptops, projectors, and the like—can

be easily removed or stolen

n Cable locks provide a simple means of securing equipment

n They can be used by road warriors to secure laptops from

casual theft, or in open areas such as conference centers or

rooms where portable equipment is exposed to a wide

range of visitors

Physical Security Controls27

Screen Filters

n Shoulder surfing: an attacker directly observing an

individual entering information

n Screen filters are optical filters that limit the angle of

viewability to a very narrow range

n They have a wide range of uses, from road warrior laptops,

to kiosks, to receptionists’ computers, or places where

sensitive data is displayed (medical data in medical

environments)

Physical Security Controls28

.

CIS 3500 8

Cameras

n CCTV (closed-circuit television ) cameras are used to monitor a

workplace for security purposes

n Traditional cameras are analog based and require a video

multiplexer to combine all the signals and make multiple views

appear on a monitor

n IP-based systems add useful functionality but also makes the

cameras subject to normal IP-based network attacks

n Different iris types, focal lengths, and color or infrared

capabilities are all optionsPhysical Security Controls29

Motion Detection

n Motion detector is for areas where there is little or no

expected traffic

n Most are based on infrared (heat) radiation and can be

tuned for size

n They can be useful during off-hours, when traffic is minimal

n They can trigger video systems

Physical Security Controls30

Logs

n Physical security logs provide the same utility as computer logs

n They act as a record of what was observed – e.g. visitors arriving

and departing, equipment received and shipped out

n Remote sensing of badges and RFID tags can create equipment

move logs that include when, where, what, and who—all

automatically

n Capabilities such as this make inventory of movable equipment

easier as its location is tracked and it can be scanned remotely

Physical Security Controls31

Infrared Detection

n Infrared (IR) radiation is not visible to the human eye

n Infrared detection: looking for things that otherwise may

not be noticed

n Infrared detectors can sense differences in temperature,

which can be from a person entering a room, even if not

visible due to darkness

n IR alarms are used extensively to monitor people

movement in areas where there should be none

Physical Security Controls32

.

CIS 3500 9

Key Management

n Physical locks have physical keys, and keeping track of who

has what keys can be a chore – especially with master keys

n Key management is the process of keeping track of where

the keys are and who has access to what

n Environment that does not have a means of key

management is not verifiably secure

Physical Security Controls33

Stay Alert!

There is no 100 percent secure system, and

there is nothing that is foolproof!