COMP4690, HKBU1 Chapter 6 Physical Security. COMP4690, HKBU2 Introduction The goal of physical security is to provide a safe environment for all assets.

COMP4690, HKBU 1

Chapter 6

Physical Security

COMP4690, HKBU 2

Introduction The goal of physical security is to provide a safe

environment for all assets and interests of the organization.

Physical security provides protection for the building, other building structures, or a vehicle housing the system, and/or other network components. Static systems: installed in structures at fixed location Mobile systems: installed in vehicles or vessels Portable systems: can be operated in buildings, vehicles,

or in the open A very basic component of an organization’s total

security plan.

COMP4690, HKBU 3

Threats to Physical Environment Natural/environmental

Earthquakes, floods, storms, tornadoes, hurricanes, volcanic eruptions, natural fires, extreme temperatures, high humidity, building collapse

Supply systems Communication outage, power distribution, burst pipes

Man-made Explosions, disgruntled employees, unauthorized access,

employee errors, sabotage, hazardous spills, chemical contamination, malicious code, vandalism and theft, intruders, unintentional acts

Political events Bombings, terrorist attacks, espionage, civil disturbances, strikes

COMP4690, HKBU 4

Information Protection Environment

A layered defense model

Perimeter

Building Grounds

Building Entrance

Building Floors/Office Suites

Offices/Data Centers Equipment/Supplies, Media

COMP4690, HKBU 5

Crime Prevention through Environmental Design (CPTED)

CPTED as a concept began during the 1960s. It states that the physical environment of a building

can be changed or managed to produce behavioral effects that will reduce the incidence and fear of crime.

It contains elements that make legitimate users of a space feel safe and make illegal users feel unsafe in pursuing undesirable behavior.

It is a psychological and sociological method of looking at security.

COMP4690, HKBU 6

CPTED strategies Territoriality

People protect territory that they feel is their own and people have a certain respect for the territory of others.

CPTED encourages the use of physical attributes that express ownership, such as fences, pavement treatments, art, signs, good maintenance, and landscaping.

Surveillance Surveillance is a principal tool in the protection of a space. Landscaping and lighting can be planned to promote natural surveillance

from inside and from the outside. Closed-circuit television (CCTV) is often used as an additional deterrent.

Access control Properly located entrances, exits, fencing, and landscaping can control the

flow or limit access to both foot and automobile traffic in ways that discourage crime.

COMP4690, HKBU 7

Site Location Physical security should begin with a detailed site

selection process. Where and how a building should be built?

Does our business have specific physical security concerns regarding the facility location?

Is it vulnerable to crime, riots, or terrorism attacks? Is it vulnerable to natural disasters? Where is it located in relationship to adjacent buildings

and/or other businesses? How far away is it to other types of threats? What are neighborhood crime rates and types? What type of emergency support response is provided to

the area?

COMP4690, HKBU 8

Construction Impacts

Construction controls involve designing walls, windows, doors, and infrastructure support elements, such as water or gas lines, in a secure fashion. Constructing walls that are fire-rated Penetration resistant Windowless or have non-opening windows

Questions to consider Could the structure withstand relevant natural threats? Is it earthquake resistant? Does the business require specific building enhancements?

COMP4690, HKBU 9

Facility Impacts

Entry points Infrastructure support systems Electrical power Heating, ventilation, air conditioning (and

refrigeration) Internal sensitive or compartmentalized areas Portable computing

COMP4690, HKBU 10

Entry points

External entry points Doors, windows, roof access, service or delivery

doors, fire-escape entries, other secondary entrances

Internal entry points Elevators, stairs, door to internal offices

COMP4690, HKBU 11

Infrastructure support systems

Include power, water/plumbing, heating, ventilation, and air conditioning

The failure or substandard performance of the support systems may interrupt operation of the system and may cause physical damage to system hardware or stored data.

Physical security for the infrastructure support systems involves not only the area, but also locations of wiring used to connect elements of the system, such as cabling, plugs, sockets, loose wires, exposed cabling.

COMP4690, HKBU 12

Electrical power A disruption in the electrical power supply can have a serious business

impact. Complete power loss

Blackout: complete loss of commercial power Fault: momentary power outage

Power degradation Brownout: an intentional reduction of voltage by a utility company Sag/dip: a short period of low voltage Surge: a sudden rise in voltage in the power supply Transient: line noise or disturbance is superimposed on the supply circuit

and can cause fluctuations in electrical power In-rush current: the initial surge of current required by a load before it

reaches normal operation Electrostatic discharge: another type of electrical surge can occur when two

non-conducting materials rub together, causing electrons to transfer from one material to another

COMP4690, HKBU 13

Interference Interference is a random disturbance interfering with

device operation. Electromagnetic interference (EMI)

The interference in a circuit. Common-mode noise occurs between hot and ground wires; traverse-mode noise occurs between hot and neutral wires.

Radio frequency interference (RFI) The reception of radio signals. Small electrical discharges generate RFI, and can be

generated by components of electrical systems, transmitting devices, or lightning.

Other sources of interference: radio stations, cellular phones, fluorescent lights, defective power plugs

COMP4690, HKBU 14

Water/Plumbing

Common sources of water problems Broken pipes, fire-suppression systems, improper

installation of air conditioners, evaporative coolers Water damage can lead to problems with

mold and mildew that may affect the proper functioning of the computer resources

COMP4690, HKBU 15

HVAC

Heating, ventilation, and air conditioning A system that provides the processes of comfort heating,

ventilation, and/or air conditioning within a space HVAC&R: include refrigeration

Questions: Where and how the system is installed? Whether the location of these areas could allow for

unauthorized access or some type of sabotage? How to remote control, monitor and maintain the system? Risk of chemical and biological agents entering a building

through the system

COMP4690, HKBU 16

Internal sensitive or compartmentalized area

Several areas need additional physical protection Data center Server room Communication center Switching center End-user areas where highly sensitive information

is processed and stored

COMP4690, HKBU 17

Portable computing

Because the organization’s data is being accessed and processed outside the normal physical protections of the office, the risk of loss, theft, data exposure, and data destruction can be significantly greater.

COMP4690, HKBU 18

Security technology and Tools

Layered defense A fence protects the perimeter The building entry points are protected with a card access

control system Inside the building, a card access control system protects

the elevators and door locks secure the stairwells. The office doors are also secured with locks. Inside the office, the employee has locked all sensitive

information in an office safe.

Using multiple types of security controls within each of the layers.

COMP4690, HKBU 19

Perimeter and building grounds boundary protection

Protective barriers: Landscaping: can be designed to provide a

measure of security, e.g., shrubs or trees Fences: to designate a property boundary Gates: portion of a wall or fence system that

controls entrance and/or egress Bollards: vehicle barriers Lighting: an essential element in an integrated

physical security system, be used with other controls

COMP4690, HKBU 20

Perimeter Intrusion Detection Systems

Closed-Circuit television (CCTV) A television transmission system that uses video cameras

to transmit pictures by a transmission medium (wired or wireless) to connected monitors.

CCTV levels Detection: the ability to detect the presence of an object Recognition: the ability to determine the type of object Identification: the ability to determine object details

Three main components: Camera, transmission media, and monitor

COMP4690, HKBU 21

CCTV

Camera and lens To capture an optical image and convert the image into a

video signal that is then transmitted to a remote monitor display

Tube cameras: use a cathode ray tube (CRT) CCD cameras: use charge-coupled discharge (CCD) Infrared cameras: provide night-vision capability Fixed lens vs. zoom lens Depth-of-field: the area between the nearest and farthest

points that appear to be in focus Field-of-view: the entire area that can be captured by the

lens

COMP4690, HKBU 22

CCTV (Cont.) Transmission media

Coaxial cable Fiber-optic cables Wireless transmission

Display monitors NTSC, PAL HDTV

Other equipments Pan and tilt units: designed for remote control positioning of

cameras in both the horizontal (pan) and vertical (tilt) planes. Multiplexers or switches: combine several cameras onto a single

line or allow selected viewing of multiple cameras Videotape recorders Digital recorders

COMP4690, HKBU 23

Building Entry Points Doors

Hollow-core versus solid-core Windows

Shatter-resistant, installed in fixed frames, can be locked from the inside

Locks Key locks, combination locks, smart locks

Guard Stations To monitor the security of the facility through TV monitors,

alarm systems, intercoms, etc Card Access Control or Biometric Systems

card & card reader

COMP4690, HKBU 24

Inside the Buildings

Supply system controls Electric power controls Surge suppressors Controlling interference Uninterruptible power supply (UPS) HVAC controls Water controls Gas lines

COMP4690, HKBU 25

Fire Protection Fire prevention

Materials used in construction should be as fireproof as possible Backup tapes and software should be stored in fireproof containers (they will

produce poisonous gases when they burn) File-prevention training, includes fire drills

Fire detection Smoke detectors Photoelectric detectors Heat detectors

Fire suppression Fire-extinguishing systems For computer equipment, type ABC extinguishers are appropriate Automatic sprinkler systems: unpure water may compound the problem

instead of help! If possible, equipment should be shut off before discharging the sprinkler

system. Once a computer is wet, it should not be turned on until it is thoroughly dry.

COMP4690, HKBU 26

Fire Classes

Class Type Suppression

A Common combustibles (i.e., wood products)

Water, soda acid

B Liquid (i.e., petroleum products, coolants)

Gas, CO2, soda acid

C Electrical (i.e., electrical equipment, wires)

Gas, CO2

D Combustible metals Dry powder

COMP4690, HKBU 27

Penetration Detection Systems

Basic types of physical intrusion detection systems include: Breaking or making an electrical circuit Interrupting a light beam Detecting sound or changes in sound levels Detecting vibration Detecting changes in heat level through passive

infrared detectors Detecting a disturbance in an electrostatic,

microwave, ultrasonic, or other type field

COMP4690, HKBU 28

Good Security Practices for Data Center Security Access control

Electronic access control: badge/smart cards/biometric devices

Post an access control list on the outside of the door, indicating who is allowed unescorted access

Have access control policies for daytime use, after-hour use, or during an emergency

CCTV to view visitors Site location

Location within the building should not be easily accessible to visitors or to the general public

Away from external windows or walls Away from water pipes or other support system facilities

COMP4690, HKBU 29

Good Security Practices for Data Center Security Walls

Construct the room as a single unit Walls should not form part of an external wall of the

building If using glass as an external wall barrier, use shatter-

resistant glass to limit damage from breakage Doors

Should be solid core Should not open out Door frame should be permanently fixed to the adjoining

wall studs Door hinges should be fixed to the frames with a minimum

of three hinges per door

COMP4690, HKBU 30

Good Security Practices for Data Center Security HVAC

Should be on a separate system from the rest of the building The size of the ducts and vents should ensure that they cannot be breached

by an intruder Positive pressures should be maintained

Power supply A backup power supply (UPS or generator) should exist for a minimum

amount of time as required by the organization’s needs Backup power supply needs to be tested on a regular basis Electrical facilities that support the data center should be separate from the

main building Electrical closets, cables, and wiring should be properly secured

Fire Deploy portable extinguishers at exits and near equipments Install fire sensors/detection equipment Have documented and tested emergency plans Install water sensors under the raised floor