1 / 20

Computer Security: Principles and Practice

Computer Security: Principles and Practice. Chapter 13 – Physical and Infrastructure Security. First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown. Physical and Infrastructure Security. now consider physical / premises security

candie
Download Presentation

Computer Security: Principles and Practice

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Security: Principles and Practice Chapter 13 – Physical and Infrastructure Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown

  2. Physical and Infrastructure Security • now consider physical / premises security • three elements of info system security: • logical security - protect computer data • physical security - protect systems & access • premises security - protect people / property

  3. Physical Security • protect physical assets that support the storage and processing of information • involves two complementary requirements: • prevent damage to physical infrastructure • information system hardware • physical facility • supporting facilities • personnel • prevent physical infrastructure misuse leading to misuse / damage of protected information

  4. Physical Security Context

  5. Physical Security Threats • look at physical situations / occurrences that threaten information systems: • environmental threats (incl. natural disasters) • technical threats • human-caused threats • first consider natural disasters

  6. Natural Disasters • tornado • hurricane • earthquake • ice storm / blizzard • lightning • flood

  7. Environmental Threats • inappropriate temperature and humidity • fire and smoke • water • chemical, radiological, biological hazards • dust • infestation

  8. Technical Threats • electrical power is essential to run equipment • power utility problems: • under-voltage - dips/brownouts/outages, interrupt service • over-voltage - surges/faults/lightening, can destroy chips • noise - on power lines, may interfere with device operation • electromagnetic interference (EMI) • from line noise, motors, fans, heavy equipment, other computers, nearby radio stations & microwave relays • can cause intermittent problems with computers

  9. Human-Caused Threats • less predictable, may be targeted, harder to deal with • include: • unauthorized physical access • leading to other threats • theft of equipment / data • vandalism of equipment / data • misuse of resources

  10. Mitigation MeasuresEnvironmental Threats • inappropriate temperature and humidity • environmental control equipment, power • fire and smoke • alarms, preventative measures, fire mitigation • smoke detectors, no smoking • water • manage lines, equipment location, cutoff sensors • other threats • appropriate technical counter-measures, limit dust entry, pest control

  11. Mitigation MeasuresTechnical Threats • electrical power for critical equipment use • use uninterruptible power supply (UPS) • emergency power generator • electromagnetic interference (EMI) • filters and shielding

  12. Mitigation MeasuresHuman-Caused Threats • physical access control • IT equipment, wiring, power, comms, media • have a spectrum of approaches • restrict building access, locked area, secured, power switch secured, tracking device • also need intruder sensors / alarms

  13. Recovery from Physical Security Breaches • redundancy • to provide recovery from loss of data • ideally off-site, updated as often as feasible • can use batch encrypted remote backup • extreme is remote hot-site with live data • physical equipment damage recovery • depends on nature of damage and cleanup • may need disaster recovery specialists

  14. Threat Assessment • set up a steering committee • obtain information and assistance • identify all possible threats • determine the likelihood of each threat • approximate the direct costs • consider cascading costs • prioritize the threats • complete the threat assessment report

  15. Planning and Implementation • after assessment then develop a plan for threat prevention, mitigation, recovery • typical steps: • assess internal and external resources • identify challenges and prioritize activities • develop a plan • implement the plan

  16. Example Policy

  17. Physical / Logical Security Integration • have many detection / prevention devices • more effective if have central control • hence desire to integrate physical and logical security, esp access control • need standards in this area • FIPS 201-1 “Personal Identity Verification (PIV) of Federal Employees and Contractors”

  18. Personal Identity Verification

  19. PIV Convergence

  20. Summary • introduced physical security issues • threats: environmental,technical, human • mitigation measures and recovery • assessment, planning, implementation • physical / logical security integration

More Related