Physical Security.


Things to Protect
- Personnel
- Equipment
- Data
- Communication devices
- Communication paths
- Power supply
- Wiring

Critical-Path Analysis
- Lists all devices needed to maintain a particular asset
- Lists all communication paths needed for minimal operation
- Should include detailed diagrams (commonly done in Visio)
- For high availability, all devices and communication paths should be redundant
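The redundancy requirement above can be checked mechanically once the device and path list exists. The following is an added example, not part of the original slides: it fails each device and each communication path in turn and reports the ones whose loss cuts the asset off. The topology and all device names are constructed for illustration.

```python
from collections import deque

def reachable(links, src, dst, dead_device=None, dead_link=None):
    """Breadth-first search that skips one failed device or one failed link (by index)."""
    adj = {}
    for i, (a, b) in enumerate(links):
        if i == dead_link or dead_device in (a, b):
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def single_points_of_failure(links, asset, consumer):
    """Return (devices, links) whose individual loss cuts the asset off from its consumer."""
    devices = {d for link in links for d in link} - {asset, consumer}
    bad_devices = sorted(d for d in devices
                         if not reachable(links, asset, consumer, dead_device=d))
    bad_links = [link for i, link in enumerate(links)
                 if not reachable(links, asset, consumer, dead_link=i)]
    return bad_devices, bad_links

# Constructed topology: the access switches are redundant, the core router
# and firewall are not.
SAMPLE_LINKS = [
    ("db-server", "switch-a"), ("db-server", "switch-b"),
    ("switch-a", "core-router"), ("switch-b", "core-router"),
    ("core-router", "firewall"), ("firewall", "user-lan"),
]

if __name__ == "__main__":
    devices, links = single_points_of_failure(SAMPLE_LINKS, "db-server", "user-lan")
    print("Non-redundant devices:", devices)
    print("Non-redundant paths:  ", links)
```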

Physical Security Controls
- Administrative
  - Facility management
  - Training
  - Personnel guidelines
  - Emergency response procedures
- Physical
  - Fencing
  - Locks
  - Lighting
  - Construction material
- Technical
  - Access controls
  - Intrusion detection
  - Alarms
  - Video monitoring
  - Heating, ventilation, AC
  - Fire detection & suppression

Facility Physical Attributes
- Visibility
  - Terrain
  - Signs
  - Neighbors
  - Population
- Surrounding area
  - Crime rate
  - Distance to police, fire, medical
  - Possible hazards
- Accessibility
  - Road access
  - Excessive traffic
  - Proximity to trains, highways, airports
- Natural threats
  - Likelihood of floods, earthquakes, tornadoes, hurricanes
  - Hazardous train

Construction Issues
- Fire protection and combustibility
  - Type of fire suppression (sprinklers?)
  - Door fire rating
  - Placement of smoke, flame, and heat sensors
- Floors
  - Load estimates
  - Nonconducting surfaces
  - Raised flooring
- Windows and doors
  - Alarm sensor placement
  - Placement
  - Type of glass
  - What is on the other side?

- Power
  - Backup sources
    - Generators
    - Alternate sources
  - Cutover switch location
  - Clean feed (no noise, sags, or surges)
  - Aerial or buried service
  - Placement and access to distribution panels
- Water and gas lines
  - Routes
  - Shutoff valve placement
- Heating and cooling
  - Positive air pressure
  - Protected air intake
  - Dedicated and redundant power supplies
  - Backup?

Walls
- Partition construction material
- Extension in ceiling space
- Considerations with suspended ceilings
- Sound proofing
- Fire proofing
- Access to wiring spaces

Server Room Considerations
- Non water fire suppression system
- No water lines in proximity
- Located toward center of structure
- Only one entrance, no through access
- Away from high traffic areas
- Independent A/C

Facility Access Controls
- Magnetic swipe cards
  - May use issued card or credit card/DL
  - May also require a PIN
- Proximity readers
  - Fob or card need to be near reader
  - Transponder type
  - Passive type
  - Field-powered type
- Fences
  - 3' – 4' only casual deterrent
  - 6' – 7' considered difficult to climb
  - 8' with barbed wire used for critical areas
- Lighting
  - Used as deterrent
  - Often considered part of due diligence

Facility Access Controls
- Locks and keys
  - Cheap
  - Easily duplicated or lost
  - Hard to maintain
- Mechanical programmable (cipher) locks
  - Less expensive
  - Easily changed
  - Only one access code
- Electronic cipher locks
  - Expensive
  - Can have multiple locks tied together
  - Can have audit trails
  - Individual codes for each employee
  - Time based access
  - One time use codes
  - Centralized control available

Cipher Lock Options
- Electronic strike
- Magnetic lock
- Door delay alarm
- Key override
- Hostage (duress) alarm

- Closed Circuit TV (CCTV)
  - May be monitored, recorded, or both
  - Often take only 1 frame every second
- Security guards
  - May be armed or unarmed
  - May be fixed post or patrolling
  - Flexible - may be required to monitor environment, check doors, etc.
  - Costly
- Dogs
  - Generally requires a handler (guard)
  - Costly
  - Somewhat unpredictable
- Intrusion detection
  - Magnetic proximity detector
  - Photoelectric or photometric detector
  - Wave pattern motion detector
  - Passive infrared detector
  - Acoustical-seismic detector

Power
- Uninterruptible Power Supply (UPS)
  - Online (common small UPS's)
  - Standby (large facility-wide UPS's)
  - Measured in VA (Volt-Amp)
  - Maximum computer power supply wattage around 60% of the VA rating (power factor)
  - Use manufacturer run time chart or selector to determine run time

- Backup power generator
  - Gasoline
  - Diesel
  - Propane
  - Natural Gas
  - Fuel source must be protected
  - Must be tested regularly
  - May have an auto cutover switch or manual
  - Should feed through a UPS or power conditioner
  - Sometimes an alternate electrical utility feed may be available

Power Problems
- Line noise
  - Electromagnetic interference (EMI)
  - Radio frequency interference (RFI)
- Spike – momentary high voltage
- Surge – prolonged high voltage
- Fault – momentary power loss
- Blackout – prolonged power loss
- Sag – momentary low voltage
- Brownout – Prolonged low voltage
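The six voltage terms above differ only in direction (high, low, lost) and duration (momentary, prolonged), so a voltage log can be labelled automatically. The following is an added example, not part of the original slides; the 120 V nominal, the 10% tolerance band, the loss threshold, the one-second "momentary" cutoff and the sample log are all assumptions chosen for illustration.

```python
NOMINAL_V = 120.0     # assumed nominal line voltage
TOLERANCE = 0.10      # assumed: within +/-10% of nominal counts as normal
LOSS_V = 12.0         # assumed: below this the feed counts as lost
MOMENTARY_MS = 1000   # assumed cutoff between "momentary" and "prolonged"

# (condition, is_momentary) -> term used on the slide
NAMES = {("high", True): "spike", ("high", False): "surge",
         ("loss", True): "fault", ("loss", False): "blackout",
         ("low", True): "sag",    ("low", False): "brownout"}

def state(volts):
    """Map one voltage reading to normal / high / low / loss."""
    if volts < LOSS_V:
        return "loss"
    if volts < NOMINAL_V * (1 - TOLERANCE):
        return "low"
    if volts > NOMINAL_V * (1 + TOLERANCE):
        return "high"
    return "normal"

def classify(samples):
    """samples: time-ordered (milliseconds, volts). Returns [(start_ms, duration_ms, term)]."""
    events, run_state, run_start = [], "normal", None

    def close(end_ms):
        if run_state != "normal":
            dur = end_ms - run_start
            events.append((run_start, dur, NAMES[(run_state, dur <= MOMENTARY_MS)]))

    for t, v in samples:
        s = state(v)
        if s != run_state:          # condition changed: close the previous run
            close(t)
            run_state, run_start = s, t
    if samples:
        close(samples[-1][0])       # log ended mid-event: duration is a lower bound
    return events

# Constructed sample log: (milliseconds since start, measured volts)
SAMPLE_LOG = [(0, 120), (100, 121), (200, 170), (300, 119), (400, 120),
              (500, 100), (600, 101), (2500, 100), (3000, 120),
              (3100, 0), (3200, 0), (3300, 118),
              (4000, 135), (6000, 136), (7000, 120)]

if __name__ == "__main__":
    for start, dur, term in classify(SAMPLE_LOG):
        print(f"t={start}ms  {dur}ms  {term}")
```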

Environmental Issues
- Water, gas, and steam leaks – shutoff valves
- Heat and cold
  - Computer equipment damage – 175°F
  - Magnetic media damage – 100°F
  - Cold – condensation and frozen pipes
- Static electricity
  - Anti-static flooring and/or sprays
  - Anti-static wrist bands when working inside equipment
  - Proper humidity
- High humidity can cause corrosion

Fire Suppression
- Type A Fire – Common Combustibles
  - Suppress with water or soda acid
- Type B Fire – Flammable liquids
  - Suppress with O2 replacing gas (Halon replacement), CO2, soda acid
- Type C Fire – Electrical
  - Suppress with O2 replacing gas (Halon replacement) or CO2
- Halon is commonly replaced with FM-200 or Inergen

Sprinkler Systems
- Wet pipe system
  - Pipes contain water
  - Heads triggered by temperature
- Dry pipe system
  - Pipes empty
  - Result in time delay before water release
  - Triggered by electronic alarm
- Preaction system
  - Combination of wet and dry system
- Deluge
  - Dry pipe with flood heads

Device Protection
- Switch controls
  - Covers on/off switches
- Slot locks
  - Installs in spare computer slot – used to lock computer to immovable object
- Port controls
  - Lockable covers for unused peripheral ports or floppies/CD-ROMs
- Peripheral switch control
  - Lockable on/off switch between keyboard and computer
- Cable trap
  - Prevents removal of device by passing cord through lockable box
- Cable lock
  - Fixes laptops and devices to immovable object

Administrative Controls
- Evacuation procedures
- System shutdown procedures
- Fire and evacuation drills
- Accessible procedures for various emergencies/threats
  - Bomb threat
  - Tornado
  - Hurricane

Component Selection
- Always evaluate cost vs. benefit
- Musts
  - Items required by code and for safety
  - Fire alarm and smoke detectors
  - Stairs to augment elevators
  - Emergency illumination
  - Fire exit doors
  - Locks must not prevent emergency exit (magnetic locks)

- Shoulds
  - Data backups and control of media
  - Redundancy and spares
  - UPS's on critical systems
  - Monitored security alarm
  - Strict control of keys and alarm codes
  - Locks on computer rooms
  - Any low cost, high impact security measures
    - Fake cameras
    - Signs
    - Padlocks on gates

Hardware Reliability
- Mean Time Between Failure (MTBF)
  - Estimated lifetime of the device
- Mean Time To Repair (MTTR)
  - Estimate of the time between needed repairs
- Service Level Agreements (SLA)
  - Guaranteed response times by service providers for repairs & replacement

Homework Assignment
- Read Chapter 7