I was very fortunate to be offered an opportunity to teach a semester long undergraduate and graduate student class, at the University of Wisconsin-Madison. The class has 50 students and every one of them is so friendly, outgoing and kind. The UW should be proud of the quality of the students it admits. I am lucky to be an employee of this massive and fantastic university. Here is the lecture I gave today. This module of the course is entitled Physical Security, which is an integral part of Information Security. It isn't all about hackers and spies. A lot of Information Security is derived from having solid documented and tested business processes.
Information Security 365/765, Fall Semester, 2014
Course Instructor, Nicholas Davis
Lecture 7, Physical Security

Today's Candy: Twizzlers
Twizzlers is a brand of candy in the United States and Canada. Twizzlers is the product of Y&S Candies, Inc., of Lancaster, Pennsylvania, now a subsidiary of The Hershey Company. In 1908 a plant was opened in Montreal and in 1929 the Twizzler brand was established.
04/13/23 UNIVERSITY OF WISCONSIN 2

Physical Security
It used to be easy, way back in the 1960s.
Today, with IT assets on every desk, we have:
Theft
Fraud
Vandalism
Sabotage
Accidents

Let's Watch an Interesting Video About the History of Physical Security
https://www.youtube.com/watch?v=-eVSR9tder0
20 Minutes

Funny Cartoon Video, But It Makes a Good Point
https://www.youtube.com/watch?v=tmOGJVDvJaQ
2 minutes

Four Major Physical Security Threats
Natural environmental
Supply system
Human made
Politically motivated
A good security program protects against all of these, in layers.

Physical Threats: Natural / Environmental
Floods, earthquakes, storms, volcanoes

Physical Threats: Supply System
Power, communications, supply of water, etc.

Physical Threats: Human Made
Unauthorized access, damage by angry employees, employee errors and accidents, vandalism, fraud, theft

Physical Threats: Politically Motivated Threats
Strikes, riots, civil disobedience, terrorist attacks, bombings

What Constitutes a Good Security Plan
Crime and disruption prevention through deterrence
Fences, security guards, warning signs, etc.

What Constitutes a Good Security Plan
Reduction of damage through use of delaying mechanisms
Layers of defenses that slow down the adversary, such as locks, security personnel, barriers

What Constitutes a Good Security Plan
Crime or disruption detection
Smoke detectors, motion detectors, surveillance cameras, etc.

What Constitutes a Good Security Plan
Incident assessment
Response of personnel to quickly evaluate the situation and damage level

What Constitutes a Good Security Plan
Rapid response procedures
Fire suppression systems, emergency response systems, law enforcement notification

5 Core Steps in a Physical Security System
Deter
Delay
Detect
Assess
Respond

Sidewalk, Lights and Landscaping For Protection

Physical Access Control For Visitors
Limit the number of entry points
Force all guests to sign in at a common location
Reduce entry points even more after hours and on weekends
Validate a government-issued picture ID before allowing entry
Require all guests to be escorted by a full-time employee
Encourage employees to question strangers

Natural Surveillance
Natural surveillance is intentional and visible surveillance that makes potential criminals aware that they are being watched and makes all others feel safe.

Territorial Reinforcement
Building facilities in such a way that people feel secure: open, visible, strong, etc.

Selecting a Facility Site
Visibility – Terrain, neighbors, population
Surrounding area – Crime, riots, police, medical, fire, other hazards
Accessibility – Road access, traffic, airport access, etc.
Natural Disasters – Floods, tornadoes, earthquakes, rain, etc.

Entry Points
Windows and doors are the standard access points. They should be secure, strong, and foolproof.
Walls should be at least as strong as the doors and windows.

A Human Trap
Only allows one person into a secure area at a time
Open first door, enter
Wait for first door to close
Enter second door to secure area
Only enough space for one person at a time

Don't Forget About the Ceiling

In Computer Facilities Water Detectors Are Important
Water detectors should be placed under raised floors and on ceilings.

Laptops Are One of the Most Frequently Stolen Physical Assets
Inventory the laptops
Harden the operating system
Password protect BIOS
Register laptops with vendor
Don't check laptop as baggage!
Don't leave laptop unattended
Engrave the laptop visibly
Use a physical cable and lock
Back up data
Encrypt hard disk
Store in secure place when not in use

Electric Power
Electricity is the lifeline of the company
Use multiple supply circuits coming into the facility
Filter power for a clean electrical signal, important for computers
Have a backup generator, test it regularly
Have an appropriately sized battery backup power supply (UPS)
Test EVERYTHING, test OFTEN

Keep All Wiring Organized On Computer Equipment
Reduces confusion
Makes troubleshooting easier
Lower risk of fire hazard
Lower risk of electrical interference
Looks professional and trustworthy, in case visitors come through
Use shielded cabling to stop electrical interference
Don't run electrical wiring close to fluorescent lighting

An Example of What Not to Do

Make Sure All Utility Lines Have Emergency Shutoff Valves

Static Electricity, the Invisible Enemy
Protect against static electricity, which can destroy computer equipment:
Antistatic flooring
Humidity levels should be kept moderate
Use proper electrical grounding
No carpeting, ever!!!
Use anti-static bands on wrist when working on a computer server

HVAC – Heating, Ventilation, Air Conditioning
Important to have commercial grade systems to keep temperature at the proper level, and keep air filtered and circulating

Every Good Company Is Full of Liebert

Water Sprinkler Systems
There are two types:
Wet Pipe – always contains water
Advantage – always ready for use
Disadvantage – most costly, possibility of accidental release of water
Dry Pipe – has to be connected to a tank
Advantage – no risk of accidental water release
Disadvantage – not ready immediately

Other Security Controls
Fences – different heights, strengths
Bollards – those odd-looking posts in front of Best Buy
Lighting – one of the best deterrents around, cheap and effective
Locks – usually easy to defeat, but good as one layer of security in a defense in depth strategy
CCTV – efficient for monitoring

Auditing Physical Access: Critical Pieces of Information
The date and time of the access attempt
The entry point at which access was attempted
The user ID associated with the access attempt
Any unsuccessful attempts, especially if done during unauthorized hours
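
The four audit fields above, applied to a badge-reader log, as an added example that is not part of the original lecture. The CSV layout, the GRANTED/DENIED result values, the door and user names, and the Monday-Friday 07:00-19:00 authorized window are all assumptions made for illustration.

```python
import csv
from collections import Counter
from datetime import datetime, time
from io import StringIO

# Constructed sample log (not from the lecture).
# Columns: date/time, entry point, user ID, result.
SAMPLE_LOG = """\
2014-10-13T08:02:11,LOBBY-1,jsmith,GRANTED
2014-10-13T23:41:07,SERVER-ROOM,mlee,DENIED
2014-10-13T23:41:19,SERVER-ROOM,mlee,DENIED
2014-10-14T10:15:40,LOADING-DOCK,akhan,DENIED
2014-10-18T14:05:02,LOBBY-1,jsmith,GRANTED
2014-10-18T14:30:55,SERVER-ROOM,jsmith,DENIED
"""

# Assumed policy: authorized hours are Monday-Friday, 07:00-19:00.
OPEN, CLOSE = time(7, 0), time(19, 0)

def in_authorized_hours(ts):
    """True when the timestamp falls inside the assumed authorized window."""
    return ts.weekday() < 5 and OPEN <= ts.time() < CLOSE

def audit(log_text):
    """Return (findings, repeats) covering every unsuccessful attempt."""
    findings = []
    failures = Counter()
    for stamp, door, user, result in csv.reader(StringIO(log_text)):
        if result == "GRANTED":
            continue
        ts = datetime.fromisoformat(stamp)
        failures[(user, door)] += 1
        # A failure outside authorized hours is the case the slide singles out.
        severity = "LOW" if in_authorized_hours(ts) else "HIGH"
        findings.append({"time": ts, "entry_point": door,
                         "user": user, "severity": severity})
    # Two or more failures by one user at one door deserve a second look.
    repeats = {key: n for key, n in failures.items() if n >= 2}
    return findings, repeats

if __name__ == "__main__":
    findings, repeats = audit(SAMPLE_LOG)
    for f in findings:
        print(f["severity"], f["time"].isoformat(), f["entry_point"], f["user"])
    for (user, door), n in repeats.items():
        print(f"repeated failures: {user} at {door} x{n}")
```

Successful entries are skipped here only to keep the report short; the full log should still be retained, since the slide lists the date, entry point and user ID as critical for every access attempt.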

Tests and Drills
Need to be developed
Must be put into action, at least once per year, generally speaking
Must be documented
Must be put in easily accessible places
People must be assigned specific tasks
People should be taught and informed on how to fulfill specific tasks
Determine in advance what will determine success

A Note About Credit Card Reader Physical Security
https://www.youtube.com/watch?v=XipjYIbBj7k
Physical access to credit card transaction equipment is one of the greatest physical security threats facing most small businesses in the United States, but most people never give it a second thought.