Information Systems Security 365/765 UW-Madison

Information Security 365/765, Fall Semester, 2014

Course Instructor, Nicholas DavisLecture 7, Physical Security

Today’s CandyToday’s CandyTwizzlersTwizzlers

Twizzlers is a brand of candy in the United States and Canada. Twizzlers is the product of Y&S Candies, Inc., of Lancaster, Pennsylvania, now a subsidiary of The Hershey Company. In 1908 a plant was opened in Montreal and in 1929 the Twizzler brand was established

04/13/23 UNIVERSITY OF WISCONSIN 2

Physical SecurityPhysical Security

It used to be easy, way back in the 1960sToday, with IT assets on every desk, we have:TheftFraudVandalismSabotageAccidents


Let’s Watch an InterestingLet’s Watch an InterestingVideo About the History of Video About the History of

Physical SecurityPhysical Securityhttps://www.youtube.com/watch?v=-

eVSR9tder0

20 Minutes


Funny Cartoon VideoFunny Cartoon VideoBut, it Makes a Good PointBut, it Makes a Good Point

https://www.youtube.com/watch?v=tmOGJVDvJaQ

2 minutes


Four Major PhysicalFour Major PhysicalSecurity ThreatsSecurity Threats

Natural environmentalSupply systemHuman madePolitically motivated

Good security program protects against all of these, in layers


Physical ThreatsPhysical ThreatsNatural / EnvironmentalNatural / Environmental

Floods, earthquakes, storms, volcanoes


Physical ThreatsPhysical ThreatsSupply SystemSupply System

Power, communications, supply of water, etc.


Physical ThreatsPhysical ThreatsHuman MadeHuman Made

Unauthorized access, damage by angry employees, employee errors and accidents, vandalism, fraud, theft


Physical ThreatsPhysical ThreatsPolitically Motivated Politically Motivated

ThreatsThreatsStrikes, riots, civil disobedience, terrorist attacks, bombings


What Constitutes a GoodWhat Constitutes a GoodSecurity PlanSecurity Plan

Crime and disruption through deterrence

Fences, security guards, warning signs, etc.



Reduction of damage through use of delaying mechanisms

Layers of defenses that slow down the adversary, such as locks, security personnel, barriers



Crime or disruption detection

Smoke detectors, motion detectors, surveillance cameras, etc



Incident assessment

Response of personnel to quickly evaluate situation and damage level



Rapid response procedures

Fire suppression systems, emergency response systems, law enforcement notification


5 Core Steps in a Physical5 Core Steps in a PhysicalSecurity SystemSecurity System

DeterDelayDetectAssessRespond


Sidewalk, Lights andSidewalk, Lights andLandscaping For ProtectionLandscaping For Protection


Physical Access ControlPhysical Access ControlFor VisitorsFor Visitors

Limit the number of entry pointsForce all guests to sign-in at a common locationReduce entry points even more, after hours and on weekendsValidate a government issued picture ID before allowing entryRequire all guests to be escorted by a full time employeeEncourage employees to question strangers


Natural SurveillanceNatural Surveillance

Natural Surveillance is the intentional and visible surveillance, to make potential criminals aware that they are being watch and make all others feel safe


Territorial ReinforcementTerritorial Reinforcement

Building facilities in such a way as you make people feel secure, open, visible, strong, etc.


Selecting a Facility SiteSelecting a Facility Site

Visibility – Terrain, neighbors, populationSurrounding area – Crime, riots, police, medical, fire, other hazzardsAccessibility – Road access, traffic, airport access, etcNatural Disasters – floods, tornadoes, earthquakes, rain, etc


Entry PointsEntry Points

Windows and doors are the standard access points. They should be secure, strong, foolproof

Walls should be at least as strong as the doors and windows


A Human TrapA Human Trap

Only allows one person into a secure area at a timeOpen first door, enterWait for first door to closeEnter second door to secure areaOnly enough space for one person at a time


Don’t Forget AboutDon’t Forget Aboutthe Ceilingthe Ceiling


In Computer FacilitiesIn Computer FacilitiesWater Detectors Are Water Detectors Are

ImportantImportantWater detectors should be placed under raised floors and on ceilings


Laptops Are One of theLaptops Are One of theMost Frequently Stolen Most Frequently Stolen

Physical AssetsPhysical AssetsInventory the laptopsHarden the Operating systemPassword protect BIOSRegister laptops with vendorDon’t check laptop as baggage!Don’t leave laptop unattendedEngrave the laptop visiblyUse a physical cable and lockBackup dataEncrypt hard diskStore in secure place when not in use


Electric PowerElectric Power

Electricity is the lifeline of the companyUse multiple supply circuits coming into the facilityFilter power for a clean electrical signal, important for computersHave a backup generator, test it regularlyHave an appropriately sized battery backup power supply (UPS)Test EVERYTHING, test OFTEN


Keep All Wiring OrganizedKeep All Wiring OrganizedOn Computer EquipmentOn Computer Equipment

Reduces confusionMakes troubleshooting easierLower risk of fire hazardLower risk of electrical interferenceLooks professional and trustworthy, in case visitors come throughUse shielded cabling to stop electrical interferenceDon’t run electrical wiring close to fluorescent lighting


An Example of WhatAn Example of WhatNot to DoNot to Do


Make Sure All Utility LinesMake Sure All Utility LinesHave Emergency Shutoff Have Emergency Shutoff

ValvesValves


Static Electricity, theStatic Electricity, theInvisible EnemyInvisible Enemy

Protect against static electricity, which can destroy computer equipment:Antistatic flooringHumidity levels should be kept moderateUse proper electrical groundingNo carpeting, ever!!!Use anti-static bands on wrist when working on a computer server04/13/23 UNIVERSITY OF WISCONSIN 31

HVAC – Heating, HVAC – Heating, Ventilation,Ventilation,

Air ConditioningAir ConditioningImportant to have commercial grade systems to keep temperature are proper level, and keep air filtered and circulating


Every Good CompanyEvery Good CompanyIs Full of LiebertIs Full of Liebert


Water Sprinkler SystemsWater Sprinkler Systems

There are two types:Wet Pipe – always contains waterAdvantage – always ready for useDisadvantage – most costly, possibility of accidental release of waterDry Pipe – has to be connected to a tankAdvantage – no risk of accidental water releaseDisadvantage – not ready immediately


Other Security ControlsOther Security Controls

Fences – different heights, strengthsBollards – those odd looking posts in front of Best BuyLighting – one of the best deterrents around, cheap and effectiveLocks – usually easy to defeat, but good as once layer of security for defense in depth strategyCCTV – Efficient for monitoring04/13/23 UNIVERSITY OF WISCONSIN 35

Auditing Physical AccessAuditing Physical AccessCritical Pieces of Critical Pieces of

InformationInformationThe date and time of the access attemptThe entry point at which access was attemptedThe user ID associated with the access attemptAny unsuccessful attempts, especially if done during unauthorized hours


Tests and DrillsTests and Drills

Need to be developedMust be put into action, at least once per year, generally speakingMust be documentedMust be put in easily accessible placesPeople must be assigned specific tasksPeople should be taught and informed on how to fulfill specific tasksDetermine in advance what will determine success


A Note About Credit CardA Note About Credit CardReader Physical SecurityReader Physical Security

https://www.youtube.com/watch?v=XipjYIbBj7k

Physical access to credit card transaction equipment is one of the greatest physical security threats facing most small businesses in the United States, but most people never give it a second thought



























Documents

Information Systems Security 365/765 UW-Madison