Information Security 365/765, Fall Semester, 2016 Course Instructor, Nicholas Davis, CISA, CISSP Lecture 9, Physical Security
Information Security 365/765, Fall Semester, 2016
Course Instructor, Nicholas Davis, CISA, CISSPLecture 9, Physical Security
Today’s CandyToday’s CandyTwizzlersTwizzlers
Twizzlers is a brand of candy in the United States and Canada. Twizzlers is the product of Y&S Candies, Inc., of Lancaster, Pennsylvania, now a subsidiary of The Hershey Company. In 1908 a plant was opened in Montreal and in 1929 the Twizzler brand was established
05/02/23 UNIVERSITY OF WISCONSIN 2
Physical SecurityPhysical Security
It used to be easy, way back in the 1960sToday, with IT assets on every desk, we have:•Theft•Fraud•Vandalism•Sabotage•Accidents
05/02/23 UNIVERSITY OF WISCONSIN 3
Let’s Watch an InterestingLet’s Watch an InterestingVideo About the History of Video About the History of
Physical SecurityPhysical Securityhttps://www.youtube.com/watch?v=-
eVSR9tder0
20 Minutes
05/02/23 UNIVERSITY OF WISCONSIN 4
Funny Cartoon VideoFunny Cartoon VideoBut, it Makes a Good PointBut, it Makes a Good Point
https://www.youtube.com/watch?v=tmOGJVDvJaQ
2 minutes
05/02/23 UNIVERSITY OF WISCONSIN 5
Four Major PhysicalFour Major PhysicalSecurity ThreatsSecurity Threats
• Natural environmental• Supply system• Human made• Politically motivated
Good security program protects against all of these, in layers
05/02/23 UNIVERSITY OF WISCONSIN 6
Physical ThreatsPhysical ThreatsNatural / EnvironmentalNatural / Environmental
Floods, earthquakes, storms, volcanoes
05/02/23 UNIVERSITY OF WISCONSIN 7
Physical ThreatsPhysical ThreatsSupply SystemSupply System
Power, communications, supply of water, etc.
05/02/23 UNIVERSITY OF WISCONSIN 8
Physical ThreatsPhysical ThreatsHuman MadeHuman Made
Unauthorized access, damage by angry employees, employee errors and accidents, vandalism, fraud, theft
05/02/23 UNIVERSITY OF WISCONSIN 9
Physical ThreatsPhysical ThreatsPolitically Motivated Politically Motivated
ThreatsThreatsStrikes, riots, civil disobedience, terrorist attacks, bombings
05/02/23 UNIVERSITY OF WISCONSIN 10
What Constitutes a GoodWhat Constitutes a GoodSecurity PlanSecurity Plan
Crime and disruption through deterrence
Fences, security guards, warning signs, etc.
05/02/23 UNIVERSITY OF WISCONSIN 11
What Constitutes a GoodWhat Constitutes a GoodSecurity PlanSecurity Plan
Reduction of damage through use of delaying mechanisms
Layers of defenses that slow down the adversary, such as locks, security personnel, barriers
05/02/23 UNIVERSITY OF WISCONSIN 12
What Constitutes a GoodWhat Constitutes a GoodSecurity PlanSecurity Plan
Crime or disruption detection
Smoke detectors, motion detectors, surveillance cameras, etc
05/02/23 UNIVERSITY OF WISCONSIN 13
What Constitutes a GoodWhat Constitutes a GoodSecurity PlanSecurity Plan
Incident assessment
Response of personnel to quickly evaluate situation and damage level
05/02/23 UNIVERSITY OF WISCONSIN 14
What Constitutes a GoodWhat Constitutes a GoodSecurity PlanSecurity Plan
Rapid response procedures
Fire suppression systems, emergency response systems, law enforcement notification
05/02/23 UNIVERSITY OF WISCONSIN 15
5 Core Steps in a Physical5 Core Steps in a PhysicalSecurity SystemSecurity System
• Deter• Delay• Detect• Assess• Respond
05/02/23 UNIVERSITY OF WISCONSIN 16
Sidewalk, Lights andSidewalk, Lights andLandscaping For ProtectionLandscaping For Protection
05/02/23 UNIVERSITY OF WISCONSIN 17
Physical Access ControlPhysical Access ControlFor VisitorsFor Visitors
• Limit the number of entry points• Force all guests to sign-in at a
common location• Reduce entry points even more,
after hours and on weekends• Validate a government issued
picture ID before allowing entry• Require all guests to be escorted
by a full time employee• Encourage employees to question
strangers
05/02/23 UNIVERSITY OF WISCONSIN 18
Natural SurveillanceNatural Surveillance
Natural Surveillance is the intentional and visible surveillance, to make potential criminals aware that they are being watch and make all others feel safe
05/02/23 UNIVERSITY OF WISCONSIN 19
Territorial ReinforcementTerritorial Reinforcement
Building facilities in such a way as you make people feel secure, open, visible, strong, etc.
05/02/23 UNIVERSITY OF WISCONSIN 20
Selecting a Facility SiteSelecting a Facility Site
• Visibility – Terrain, neighbors, population
• Surrounding area – Crime, riots, police, medical, fire, other hazzards
• Accessibility – Road access, traffic, airport access, etc
• Natural Disasters – floods, tornadoes, earthquakes, rain, etc
05/02/23 UNIVERSITY OF WISCONSIN 21
Entry PointsEntry Points
Windows and doors are the standard access points. They should be secure, strong, foolproof
Walls should be at least as strong as the doors and windows
05/02/23 UNIVERSITY OF WISCONSIN 22
A Human TrapA Human Trap
• Only allows one person into a secure area at a time
• Open first door, enter
• Wait for first door to close
• Enter second door to secure area
• Only enough space for one person at a time
05/02/23 UNIVERSITY OF WISCONSIN 23
Don’t Forget AboutDon’t Forget Aboutthe Ceilingthe Ceiling
05/02/23 UNIVERSITY OF WISCONSIN 24
In Computer FacilitiesIn Computer FacilitiesWater Detectors Are Water Detectors Are
ImportantImportantWater detectors should be placed under raised floors and on ceilings
05/02/23 UNIVERSITY OF WISCONSIN 25
Laptops Are One of theLaptops Are One of theMost Frequently Stolen Most Frequently Stolen
Physical AssetsPhysical Assets• Inventory the laptops• Harden the Operating system• Password protect BIOS• Register laptops with vendor• Don’t check laptop as baggage!• Don’t leave laptop unattended• Engrave the laptop visibly• Use a physical cable and lock• Backup data• Encrypt hard disk• Store in secure place when not in use
05/02/23 UNIVERSITY OF WISCONSIN 26
Electric PowerElectric PowerElectricity is the lifeline of the companyUse multiple supply circuits coming into the facilityFilter power for a clean electrical signal, important for computersHave a backup generator, test it regularlyHave an appropriately sized battery backup power supply (UPS)Test EVERYTHING, test OFTEN
05/02/23 UNIVERSITY OF WISCONSIN 27
Keep All Wiring OrganizedKeep All Wiring OrganizedOn Computer EquipmentOn Computer Equipment• Reduces confusion• Makes troubleshooting easier• Lower risk of fire hazard• Lower risk of electrical
interference• Looks professional and
trustworthy, in case visitors come through
• Use shielded cabling to stop electrical interference
• Don’t run electrical wiring close to fluorescent lighting05/02/23 UNIVERSITY OF WISCONSIN 28
An Example of WhatAn Example of WhatNot to DoNot to Do
05/02/23 UNIVERSITY OF WISCONSIN 29
Make Sure All Utility LinesMake Sure All Utility LinesHave Emergency Shutoff Have Emergency Shutoff
ValvesValves
05/02/23 UNIVERSITY OF WISCONSIN 30
Static Electricity, theStatic Electricity, theInvisible EnemyInvisible Enemy
• Protect against static electricity, which can destroy computer equipment:
• Antistatic flooring• Humidity levels should be kept
moderate• Use proper electrical grounding• No carpeting, ever!!!• Use anti-static bands on wrist
when working on a computer server
05/02/23 UNIVERSITY OF WISCONSIN 31
HVAC – Heating, HVAC – Heating, Ventilation,Ventilation,
Air ConditioningAir Conditioning• Important to have commercial grade systems to keep temperature are proper level, and keep air filtered and circulating
05/02/23 UNIVERSITY OF WISCONSIN 32
Every Good CompanyEvery Good CompanyIs Full of LiebertIs Full of Liebert
05/02/23 UNIVERSITY OF WISCONSIN 33
Water Sprinkler SystemsWater Sprinkler Systems
• There are two types:• Wet Pipe – always contains water• Advantage – always ready for use• Disadvantage – most costly,
possibility of accidental release of water
• Dry Pipe – has to be connected to a tank
• Advantage – no risk of accidental water release
• Disadvantage – not ready immediately
05/02/23 UNIVERSITY OF WISCONSIN 34
Other Security ControlsOther Security Controls
• Fences – different heights, strengths
• Bollards – those odd looking posts in front of Best Buy
• Lighting – one of the best deterrents around, cheap and effective
• Locks – usually easy to defeat, but good as once layer of security for defense in depth strategy
• CCTV – Efficient for monitoring05/02/23 UNIVERSITY OF WISCONSIN 35
Auditing Physical AccessAuditing Physical AccessCritical Pieces of Critical Pieces of
InformationInformation• The date and time of the access attempt
• The entry point at which access was attempted
• The user ID associated with the access attempt
• Any unsuccessful attempts, especially if done during unauthorized hours
05/02/23 UNIVERSITY OF WISCONSIN 36
Tests and DrillsTests and Drills
Need to be developedMust be put into action, at least once per year, generally speakingMust be documentedMust be put in easily accessible placesPeople must be assigned specific tasksPeople should be taught and informed on how to fulfill specific tasksDetermine in advance what will determine success
05/02/23 UNIVERSITY OF WISCONSIN 37
A Note About Credit CardA Note About Credit CardReader Physical SecurityReader Physical Security
https://www.youtube.com/watch?v=XipjYIbBj7k
•Physical access to credit card transaction equipment is one of the greatest physical security threats facing most small businesses in the United States, but most people never give it a second thought05/02/23 UNIVERSITY OF WISCONSIN 38
05/02/23 UNIVERSITY OF WISCONSIN 39