COMP4690, HKBU 1 Chapter 6 Physical Security
Dec 21, 2015
COMP4690, HKBU 1
Chapter 6
Physical Security
COMP4690, HKBU 2
Introduction The goal of physical security is to provide a safe
environment for all assets and interests of the organization.
Physical security provides protection for the building, other building structures, or a vehicle housing the system, and/or other network components. Static systems: installed in structures at fixed location Mobile systems: installed in vehicles or vessels Portable systems: can be operated in buildings, vehicles,
or in the open A very basic component of an organization’s total
security plan.
COMP4690, HKBU 3
Threats to Physical Environment Natural/environmental
Earthquakes, floods, storms, tornadoes, hurricanes, volcanic eruptions, natural fires, extreme temperatures, high humidity, building collapse
Supply systems Communication outage, power distribution, burst pipes
Man-made Explosions, disgruntled employees, unauthorized access,
employee errors, sabotage, hazardous spills, chemical contamination, malicious code, vandalism and theft, intruders, unintentional acts
Political events Bombings, terrorist attacks, espionage, civil disturbances, strikes
COMP4690, HKBU 4
Information Protection Environment
A layered defense model
Perimeter
Building Grounds
Building Entrance
Building Floors/Office Suites
Offices/Data Centers Equipment/Supplies, Media
COMP4690, HKBU 5
Crime Prevention through Environmental Design (CPTED)
CPTED as a concept began during the 1960s. It states that the physical environment of a building
can be changed or managed to produce behavioral effects that will reduce the incidence and fear of crime.
It contains elements that make legitimate users of a space feel safe and make illegal users feel unsafe in pursuing undesirable behavior.
It is a psychological and sociological method of looking at security.
COMP4690, HKBU 6
CPTED strategies Territoriality
People protect territory that they feel is their own and people have a certain respect for the territory of others.
CPTED encourages the use of physical attributes that express ownership, such as fences, pavement treatments, art, signs, good maintenance, and landscaping.
Surveillance Surveillance is a principal tool in the protection of a space. Landscaping and lighting can be planned to promote natural surveillance
from inside and from the outside. Closed-circuit television (CCTV) is often used as an additional deterrent.
Access control Properly located entrances, exits, fencing, and landscaping can control the
flow or limit access to both foot and automobile traffic in ways that discourage crime.
COMP4690, HKBU 7
Site Location Physical security should begin with a detailed site
selection process. Where and how a building should be built?
Does our business have specific physical security concerns regarding the facility location?
Is it vulnerable to crime, riots, or terrorism attacks? Is it vulnerable to natural disasters? Where is it located in relationship to adjacent buildings
and/or other businesses? How far away is it to other types of threats? What are neighborhood crime rates and types? What type of emergency support response is provided to
the area?
COMP4690, HKBU 8
Construction Impacts
Construction controls involve designing walls, windows, doors, and infrastructure support elements, such as water or gas lines, in a secure fashion. Constructing walls that are fire-rated Penetration resistant Windowless or have non-opening windows
Questions to consider Could the structure withstand relevant natural threats? Is it earthquake resistant? Does the business require specific building enhancements?
COMP4690, HKBU 9
Facility Impacts
Entry points Infrastructure support systems Electrical power Heating, ventilation, air conditioning (and
refrigeration) Internal sensitive or compartmentalized areas Portable computing
COMP4690, HKBU 10
Entry points
External entry points Doors, windows, roof access, service or delivery
doors, fire-escape entries, other secondary entrances
Internal entry points Elevators, stairs, door to internal offices
COMP4690, HKBU 11
Infrastructure support systems
Include power, water/plumbing, heating, ventilation, and air conditioning
The failure or substandard performance of the support systems may interrupt operation of the system and may cause physical damage to system hardware or stored data.
Physical security for the infrastructure support systems involves not only the area, but also locations of wiring used to connect elements of the system, such as cabling, plugs, sockets, loose wires, exposed cabling.
COMP4690, HKBU 12
Electrical power A disruption in the electrical power supply can have a serious business
impact. Complete power loss
Blackout: complete loss of commercial power Fault: momentary power outage
Power degradation Brownout: an intentional reduction of voltage by a utility company Sag/dip: a short period of low voltage Surge: a sudden rise in voltage in the power supply Transient: line noise or disturbance is superimposed on the supply circuit
and can cause fluctuations in electrical power In-rush current: the initial surge of current required by a load before it
reaches normal operation Electrostatic discharge: another type of electrical surge can occur when two
non-conducting materials rub together, causing electrons to transfer from one material to another
COMP4690, HKBU 13
Interference Interference is a random disturbance interfering with
device operation. Electromagnetic interference (EMI)
The interference in a circuit. Common-mode noise occurs between hot and ground wires; traverse-mode noise occurs between hot and neutral wires.
Radio frequency interference (RFI) The reception of radio signals. Small electrical discharges generate RFI, and can be
generated by components of electrical systems, transmitting devices, or lightning.
Other sources of interference: radio stations, cellular phones, fluorescent lights, defective power plugs
COMP4690, HKBU 14
Water/Plumbing
Common sources of water problems Broken pipes, fire-suppression systems, improper
installation of air conditioners, evaporative coolers Water damage can lead to problems with
mold and mildew that may affect the proper functioning of the computer resources
COMP4690, HKBU 15
HVAC
Heating, ventilation, and air conditioning A system that provides the processes of comfort heating,
ventilation, and/or air conditioning within a space HVAC&R: include refrigeration
Questions: Where and how the system is installed? Whether the location of these areas could allow for
unauthorized access or some type of sabotage? How to remote control, monitor and maintain the system? Risk of chemical and biological agents entering a building
through the system
COMP4690, HKBU 16
Internal sensitive or compartmentalized area
Several areas need additional physical protection Data center Server room Communication center Switching center End-user areas where highly sensitive information
is processed and stored
COMP4690, HKBU 17
Portable computing
Because the organization’s data is being accessed and processed outside the normal physical protections of the office, the risk of loss, theft, data exposure, and data destruction can be significantly greater.
COMP4690, HKBU 18
Security technology and Tools
Layered defense A fence protects the perimeter The building entry points are protected with a card access
control system Inside the building, a card access control system protects
the elevators and door locks secure the stairwells. The office doors are also secured with locks. Inside the office, the employee has locked all sensitive
information in an office safe.
Using multiple types of security controls within each of the layers.
COMP4690, HKBU 19
Perimeter and building grounds boundary protection
Protective barriers: Landscaping: can be designed to provide a
measure of security, e.g., shrubs or trees Fences: to designate a property boundary Gates: portion of a wall or fence system that
controls entrance and/or egress Bollards: vehicle barriers Lighting: an essential element in an integrated
physical security system, be used with other controls
COMP4690, HKBU 20
Perimeter Intrusion Detection Systems
Closed-Circuit television (CCTV) A television transmission system that uses video cameras
to transmit pictures by a transmission medium (wired or wireless) to connected monitors.
CCTV levels Detection: the ability to detect the presence of an object Recognition: the ability to determine the type of object Identification: the ability to determine object details
Three main components: Camera, transmission media, and monitor
COMP4690, HKBU 21
CCTV
Camera and lens To capture an optical image and convert the image into a
video signal that is then transmitted to a remote monitor display
Tube cameras: use a cathode ray tube (CRT) CCD cameras: use charge-coupled discharge (CCD) Infrared cameras: provide night-vision capability Fixed lens vs. zoom lens Depth-of-field: the area between the nearest and farthest
points that appear to be in focus Field-of-view: the entire area that can be captured by the
lens
COMP4690, HKBU 22
CCTV (Cont.) Transmission media
Coaxial cable Fiber-optic cables Wireless transmission
Display monitors NTSC, PAL HDTV
Other equipments Pan and tilt units: designed for remote control positioning of
cameras in both the horizontal (pan) and vertical (tilt) planes. Multiplexers or switches: combine several cameras onto a single
line or allow selected viewing of multiple cameras Videotape recorders Digital recorders
COMP4690, HKBU 23
Building Entry Points Doors
Hollow-core versus solid-core Windows
Shatter-resistant, installed in fixed frames, can be locked from the inside
Locks Key locks, combination locks, smart locks
Guard Stations To monitor the security of the facility through TV monitors,
alarm systems, intercoms, etc Card Access Control or Biometric Systems
card & card reader
COMP4690, HKBU 24
Inside the Buildings
Supply system controls Electric power controls Surge suppressors Controlling interference Uninterruptible power supply (UPS) HVAC controls Water controls Gas lines
COMP4690, HKBU 25
Fire Protection Fire prevention
Materials used in construction should be as fireproof as possible Backup tapes and software should be stored in fireproof containers (they will
produce poisonous gases when they burn) File-prevention training, includes fire drills
Fire detection Smoke detectors Photoelectric detectors Heat detectors
Fire suppression Fire-extinguishing systems For computer equipment, type ABC extinguishers are appropriate Automatic sprinkler systems: unpure water may compound the problem
instead of help! If possible, equipment should be shut off before discharging the sprinkler
system. Once a computer is wet, it should not be turned on until it is thoroughly dry.
COMP4690, HKBU 26
Fire Classes
Class Type Suppression
A Common combustibles (i.e., wood products)
Water, soda acid
B Liquid (i.e., petroleum products, coolants)
Gas, CO2, soda acid
C Electrical (i.e., electrical equipment, wires)
Gas, CO2
D Combustible metals Dry powder
COMP4690, HKBU 27
Penetration Detection Systems
Basic types of physical intrusion detection systems include: Breaking or making an electrical circuit Interrupting a light beam Detecting sound or changes in sound levels Detecting vibration Detecting changes in heat level through passive
infrared detectors Detecting a disturbance in an electrostatic,
microwave, ultrasonic, or other type field
COMP4690, HKBU 28
Good Security Practices for Data Center Security Access control
Electronic access control: badge/smart cards/biometric devices
Post an access control list on the outside of the door, indicating who is allowed unescorted access
Have access control policies for daytime use, after-hour use, or during an emergency
CCTV to view visitors Site location
Location within the building should not be easily accessible to visitors or to the general public
Away from external windows or walls Away from water pipes or other support system facilities
COMP4690, HKBU 29
Good Security Practices for Data Center Security Walls
Construct the room as a single unit Walls should not form part of an external wall of the
building If using glass as an external wall barrier, use shatter-
resistant glass to limit damage from breakage Doors
Should be solid core Should not open out Door frame should be permanently fixed to the adjoining
wall studs Door hinges should be fixed to the frames with a minimum
of three hinges per door
COMP4690, HKBU 30
Good Security Practices for Data Center Security HVAC
Should be on a separate system from the rest of the building The size of the ducts and vents should ensure that they cannot be breached
by an intruder Positive pressures should be maintained
Power supply A backup power supply (UPS or generator) should exist for a minimum
amount of time as required by the organization’s needs Backup power supply needs to be tested on a regular basis Electrical facilities that support the data center should be separate from the
main building Electrical closets, cables, and wiring should be properly secured
Fire Deploy portable extinguishers at exits and near equipments Install fire sensors/detection equipment Have documented and tested emergency plans Install water sensors under the raised floor