1 / 98

Domain 4: Physical (Environmental) Security

Domain 4: Physical (Environmental) Security. CISSP Study Group April 15, 2007. References. Official (ISC) Guide to the CISSP CBK US Army Field Manual 3-19.30, Physical Security CISSP Prep Guide – Krutz & Vines Fighting Computer Crime – Parker CISSP Certification – Shon Harris

adamdaniel
Download Presentation

Domain 4: Physical (Environmental) Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Domain 4:Physical (Environmental) Security CISSP Study Group April 15, 2007

  2. References • Official (ISC) Guide to the CISSP CBK • US Army Field Manual 3-19.30, Physical Security • CISSP Prep Guide – Krutz & Vines • Fighting Computer Crime – Parker • CISSP Certification – Shon Harris • CISSP for Dummies (Rev 0) – Miller & Gregory • “Physical Security for Mission-Critical Facilities and Data Centers,” by Gerald Bowman, Information Security Management Handbook, 5th Edition, Vol 3 • Mike Meyer’s Passport: Security+ • Uptime Institute www.uptimeinstitute.com • “Status Of Industry Efforts To Replace Halon Fire Extinguishing Agents,” Robert T. Wickham, http://www.periphman.com/fire/statusofindustry.pdf

  3. IMPORTANT TIP! • “Many CISSP candidates underestimate the physical security domain. As a result, exam scores are often the lowest in this domain.” CISSP For Dummies Page 301

  4. Objectives • Upon completion of this discussion, you should be able to: • Describe the threats, vulnerabilities, and countermeasures related to physically protecting the enterprise’s sensitive information assets • Identify the risk to facilities, data, media, equipment, support systems, and supplies as they relate to physical security.

  5. 5 Functional Areas • Information Protection Requirements • Information Protection Environment • Security Technology and Tools • Assurance, Trust and Confidence Mechanisms • Information Protection and Management Services

  6. Risks to CIA • Interruptions in providing computer services – Availability • Physical Damage – Availability • Unauthorized Disclosure of Information – Confidentiality • Loss of Control Over Information – Integrity • Physical Theft – Confidentiality, Integrity, and Availability

  7. Definition: Physical Security • The physical measures and their associated procedures to safeguard and protect against: • Damage • Loss • Theft

  8. Required Physical Controls • Perimeter and Building Grounds • Building Entry Points • Inside the Building – Building Floors / Offices • Data Centers or Server Room Security • Computer Equipment Protection • Object Protection

  9. 5 Functional Areas • Information Protection Requirements • Information Protection Environment • Security Technology and Tools • Assurance, Trust and Confidence Mechanisms • Information Protection and Management Services

  10. Definition: Threat • Any indication, circumstance or event with the potential to cause: • Loss of or Damage to an Asset • Personal Injury • Loss of Live

  11. Threat Types • Natural / Environmental • Earthquakes, floods, storms, hurricanes, fires, smoke, snow, ice • Consequence of Natural Phenomenon • Pandemic Flu • Normally not preventable • Human – Made / Political Events • Explosions, vandalism, theft, terrorist attacks, riots • Result of a state of mind, attitude, weakness or character trait • Acts of commission or omission • Overt or covert • Disrupt or destroy

  12. Examples of Threats • Emergencies • Fire and Smoke Contaminants • Building Collapse or Explosion • Utility Loss (Power, AC, Heat) • Water Damage (Broken Pipes) • Toxic Materials Release

  13. Examples of Threats (2) • Natural Disasters • Earth Movement (Earthquakes or Mudslides) • Storm Damage (Snow, Ice, Floods, Hurricanes) • Human Intervention • Sabotage • Vandalism • War • Strikes

  14. Examples of Physical Loss • Seven Major Sources of Physical Loss • Temperature – Extreme Variations in Heat and Cold • Gasses – Sarin, Nerve Gas, PCP from Transformers, Cleaning Fluids, Smog, Fuel Vapors, Paper Particles from Printers • Liquids – Water and Chemicals (flood, plumbing failures, spilled drinks, fuel leaks, computer printer fluids) • Organisms – Viruses, Bacteria, People, Animals and Insects, Molds, Mildews, Cobwebs Ref: Fighting Computer Crime – Donn B. Parker – Wiley 1998

  15. Examples of Physical Loss • Seven Major Sources of Physical Loss (2) • Projectiles – Tangible Objects in Motion (Cars, Trucks, Falling Objects, Meteorites, Bullets, Rockets) • Movement – Collapse, Shearing, Shaking, Vibration, Liquefaction, Flows, Waves, Separations and Slides (Lava Flows, Earthquakes, Adhesive Failures, Dropping or Shaking Equipment) • Energy Anomalies – Electrical Surges or Failures, Magnetism, Static Electricity, Radiation, Sound, Light, Radio and Magnetic Waves

  16. Site Location • Security Should include WHERE the building is and HOW it should be built: • Choosing a Secure Site – • Visibility – Usually low visibility is the rule to follow. What types of neighbors and markings on the building? • Local Considerations – Near hazardous waste dump? In flood control plain? Local crime rate, riots, strike-prone area? • Natural Disasters – Weather-related problems, tornados, flooding, heavy snow, earthquake zone

  17. Site Location (2) • Choosing a Secure Site – • Transportation – Excessive highway, air or road traffic in area, failed bridges will cause building access problems? • Joint Tenancy – Are access to HVAC and environmental controls shared in building? • Adjacent Buildings • External Services – Proximity to local Fire, Police, Hospital/Medical Facilities?

  18. Key Concept: Layered Defense Model

  19. Key Concept: Layered Defense Model Ref: http://rphrm.curtin.edu.au

  20. Designing a Secure Site • WALLS • All walls MUST have an acceptable Fire Rating. • Be Floor to Ceiling • Any Closets or Rooms that Store Media must also have Fire Rating • CEILINGS • Be aware if they are WEIGHT BEARING and their Fire Rating

  21. Designing a Secure Site (2) • FLOORS • Slab or Raised? • SLAB – • If concrete then concerns are Weight Bearing (aka Loading) – Usually 150 pounds per square foot. • RAISED • Concerned with Fire Rating, Electrical Conductivity (Grounding against static electricity) • Must employ non-conducting surface material in data center

  22. Designing a Secure Site (3) • DOORS • Must resist Forced Entry • Solid or Hollow • Hinges Hidden, Internal or “Fixed” • Fire Rating Equal to Walls • Emergency Exits Must Be Clearly Marked, Monitored, or Alarmed • Electrical Doors on Emergency Exits Should Revert to Disabled State if Power Outage Occurs For Safe Evacuation • TIP!! Personnel Safety ALWAYS Takes Precedence! Doors Can Be Guarded During an Emergency

  23. Designing a Secure Site (4) • SPRINKLER SYSTEM • Location and Type of Suppression System Must Always Be Known • LIQUID or GAS LINES • Know Where the Shut Off Valves Are • Water, Steam and Gas Lines Should Have “POSITIVE” Drains • i.e., Flow Outward and Away from Building

  24. Designing a Secure Site (5) • AIR CONDITIONING • AC Units Should Have Dedicated Power Circuits • Know Where the Emergency Power Off (EPO) Switch is Located • Provide Outward, Positive Air Pressure to Building • Protected Intake Vents to Prevent Inflow of Potential Toxins Into a Facility

  25. Designing a Secure Site (6) • WINDOWS • Located to Prevent Viewing Monitors or Desks • Standard Plate Glass (Brittle, Breaks Easily) • Tempered Glass (Stronger, Breaks into Small Shards) • Acrylic Materials • Polycarbonate Windows • Glass and Polycarbonate Combinations Combine Best of Glass and Acrylics • Wire Mesh Layers • Lexan® (General Electric) • Bomb Blast Film (Prevent Viewing In and Reinforce Window) • Bullet Resistant Windows • Glass Breakage Sensors • Usually Not Accepted in Data Center • If Installed, Should Be Translucent and Shatterproof • Frames Secured to Walls, Windows Can Be Locked, Glass Can’t be Removed

  26. Procedural Controls • Guard Post / Dogs • Checking and Escorting Visitors on Site • Managing Deliveries to the Site • Building-Specific

  27. Facility Security Management • Administrative Security Controls NOT Related to Initial Planning Process • Audit Trails – or Access Logs • Vital to Know Where Attempts to Enter Existed and Who Attempted Them • Emergency Procedures • Should be Clearly Documented and Readily Accessible • Copies Stored Offsite in the Event of a Disaster • Updated Periodically

  28. Audit Trails • These are known as DETECTIVE rather than PREVENTIVE • Date and Time of Access Attempt • Whether the Attempt was Successful or Not • Where the Access was Granted (i.e., which door) • Who Attempted the Access • Who Modified the Access Privileges at the Supervisor Level • Can Send Alarms or Alerts if Required

  29. Emergency Procedures • Should Include the Following: • Emergency System Shutdown Procedures • Evacuation Procedures • Employee Training, Awareness Programs, and Periodic Drills • Periodic Equipment and Systems Tests

  30. Administrative Personnel Controls • Pre-Employment Screening • Employment, References and Educational History Checks • Background Investigation and/or Credit Rating Checks for Sensitive Positions • On-Going Employee Checks • Security Clearances • Ongoing Employee Ratings or Reviews by Supervisors • Post-Employment Procedures • Exit Interview, Removal of Network Access, Return of Computers, etc.

  31. Environmental and Life Safety Controls Three Areas of Environmental Control • Electrical Power • Fire Detection and Suppression • Heating, Ventilation and Air Conditioning (HVAC)

  32. Electrical Power • Disruptions in Electrical Power Can Have a Serious Business Impact • Goals: • “Clean and Steady Power” • Excellent “Power Quality” • Design Considerations: • Dedicated Feeders • Alternate Power Source • Access Controls • Secure Breaker and Transformer Rooms

  33. Electrical Power Threat Elements • NOISE • Electromagnetic Interference (EMI) • Radio Frequency Interference (RFI) • ANOMOLIES • Brownout, Blackout, Fault, etc. • ELECTROSTATIC DISCHARGE (ESD) • Affected by Low Humidity

  34. Electrical “Noise” • Def: Random Disturbance Interfering With Devices • Electromagnetic Interference (EMI) • Caused by Motors, Lightning, etc. • “Spark” Noise • Radio Frequency Interference (RFI) • Caused by Components of Electrical System • Caused by Electrical Cables, Fluorescent Lighting, Truck Ignitions, etc. • Can Cause Permanent Damage to Sensitive Components in a System

  35. Electrical “Noise” (2) • Common Types of EMI • “Common Mode Noise” – Noise from Radiation Generated by the Difference Between the “Hot” and “Ground” Wires • “Traverse Mode Noise” – Noise from Radiation Generated by the Difference Between the “Hot” and “Neutral” Wires

  36. Protective Measures for “NOISE” • Proper Line Conditioning • Proper Grounding of the System to Earth • Cable Shielding • Limited Exposure to Magnets, Electrical Motors, Space Heaters and Fluorescent Lights

  37. Electrical Anomalies Mnemonic: “Bob Frequently Buys Shoes in Shoe Stores”

  38. Electrical Anomalies (2) • Transients • Line Noise that is Superimposed On the Supply Circuit Can Cause Fluctuation in Power • Inrush Current • The Initial Surge of Current Required When There is an Increase in Power Demand (e.g., starting a large motor)

  39. Electrostatic Discharge (ESD) • Power Surge Generated by a Person or Device Contacting Another Device and Transferring a High Voltage Shock • Affected by Low Humidity

  40. Now, About Humidity… • Ideal Humidity Range = 40% to 60% • High Humidity > 60% • Causes Problems with Condensation on Computer Equipment • Cause Corrosion of Electrical Connections – sort of like “Electroplating” and Impedes Electrical Efficiency • Low Humidity < 40% • Can Cause Increase in Electrostatic Discharge • Up to 4000 Volts Under Normal Humidity • Up to 25,000 Volts Under Very Low Humidity

  41. Static Charge and Damage

  42. Precautions for Static Electricity • Use Anti-Static Sprays Where Possible • Operations or Computer Centers Should Have Anti-Static Flooring • “Zinc Whiskers” Problem • Building and Computer Rooms Should be Grounded Properly • Anti-Static Table or Floor Mats • HVAC Should Maintain Proper Level of Humidity in Computer Rooms

  43. Electrical Support Systems • Surge Suppressors • Uninterruptible Power Supplies • Only for Duration Needed to Safely Shutdown Systems • Emergency Shutoff (EPO Switch) • Have Monitored by Camera • Alternate Power Supply • Generator, Fuel Cell, etc.

  44. FIRE PROTECTION • Fire Prevention • Fire Detection • Fire Suppression

  45. Fire Triangle Heat Oxygen A FIRE Needs These Three Elements to Burn Fire Fighting Removes One of These Three Elements OR By Temporarily Breaking Up the Chemical Reaction Fuel

  46. Types of Fires

  47. Fire Prevention • Use Fire Resistant Materials for Walls, Doors, Furnishings, etc. • Reduce the Amount of Combustible Papers Around Electrical Equipment • Provide Fire Prevention Training to Employees • REMEMBER: Life Safety is the Most Important Issue! • Conduct Fire Drills on All Shifts So that Personnel Know How to Exit A Building

  48. Fire Detection • Ionization-type Smoke Detectors • Detect Charged Particles in Smoke • Optical (Photoelectric) Detectors • React to Light Blockage Caused by Smoke • Fixed or Rate-of-Rise Temperature Sensors • Heat Detectors That React to the Heat of a Fire • Fixed Sensors Have Lower False Positives • Flame Actuated • Senses Infrared Energy of Flame or Pulsating of the Flame • Very FAST Response Time, Expensive

  49. Fire Detection (2) • Automatic Dial-Up Fire Alarm • System Dials the Local Fire or Police Department and Plays a Prerecorded Message When a Fire is Detected • Usually Used in Conjunction with One of the Other Type of Fire Detectors • This Type of System Can Be Easily/Intentionally Subverted • Combinations are Usually Used for The Best Effectiveness in Detecting a Fire

  50. Fire Classes and Suppression/Extinguishing Methods

More Related