NETW4005 COMPUTER SECURITY A LECTURE – 4 PHYSICAL SECURITY

CONTENT 4.1 INTRODUCTION 4.2 PHYSICAL SECURITY 4.3 PHYSICAL SECURITY THREATS 4.4 MITIGATION MEASURES 4.5 RECOVERY FROM PHYSICAL SECURITY BREACHES 4.6 THREAT ASSESSMENT 4.7 PHYSICAL / LOGICAL SECURITY INTEGRATION

4.1 INTRODUCTION Three elements of Information System (IS) security: 1. Logical security : Protects computer-based data from software-based and communications-based threats. 2. Physical security : Also called infrastructure security. Protects the IS that house data and the people who use, operate, and maintain the systems. Physical security also must prevent any type of physical access or intrusion that can compromise logical security.

3. Premises security: Also known as corporate or facilities security. Protects the people and property within an entire area, facility, or building(s), and is usually required by laws, and regulations. Premises security provides perimeter security, access control, smoke and fire detection, fire suppression, some environmental protection, and usually surveillance systems, alarms, and guards.

4.2 PHYSICAL SECURITY Protect physical assets that support the storage and processing of information. Involves two complementary requirements: 1) Prevent damage to physical infrastructure 2) Prevent physical infrastructure misuse a) Information system hardware: Data processing and storage equipment, transmission & networking facilities, offline storage media, supporting documentation. b) Physical facility: Buildings and other structures housing system and network components.

c) Supporting facilities: Underpin the operation of the information system, & include electrical power, communication services, environmental controls: heat, humidity, etc. d) Personnel: Humans in control, maintenance, and use of the information systems. 2) Prevent physical infrastructure misuse Leading to misuse / damage of protected information Must prevent misuse of the physical infrastructure that leads to the misuse or damage of the protected information. The misuse of the physical infrastructure can be accidental or malicious. It includes vandalism, theft of equipment, theft by copying, theft of services, and unauthorized entry.

4.3 PHYSICAL SECURITY THREATS The types of physical situations and occurrences that can constitute a threat to information systems. There are a number of ways in which such threats can be categorized. The threats are categorized as follows: 4.3.1 Natural Disasters 4.3.2 Environmental threats 4.3.3 Technical threats 4.3.4 Human-caused threats Let us discuss all the threats

4.3.1 Natural Disasters Natural disasters are the source of a wide range of environmental threats. Lists of six categories of natural disasters are 1) Tornado Can generate winds that exceed hurricane strength. May cause a temporary loss of local utility and communications. 2) Hurricane May cause significant structural damage and damage to outside equipment. Wide damage to public infrastructure, utilities, and communications. 3) Earthquake Greatest damage and occurs without warning. Significant damage to data centers and other IS.

4) Ice storm or blizzard Can cause some disruption / damage to IS facilities if outside equipment. 5) Lightning Can disturb electrical power and have potential for fires. 6) Flood Damage can be severe, with long-lasting effects and the need for a major clean up operation

4.3.2 Environmental Threats Inappropriate temperature and humidity (Produce undesirable results) Fire and smoke (Physical damage) Water (Electrical Short) Chemical, radiological, biological hazards (Intentional / Accidental) Dust (concern that is often overlooked) Infestation (mold ,insects and rodents)

4.3.3 Technical Threats Electrical power is essential to run equipment. Power utility problems: 1. Under-voltage - dips/brownouts/outages, interrupt service 2. Over-voltage - surges/faults/lightening, can destroy chips 3. Noise - on power lines, may interfere with device operation Electromagnetic interference (EMI) From line noise, motors, fans, heavy equipment, other computers, nearby radio stations & microwave relays. Can cause intermittent problems with computers

4.3.4 Human-Caused Threats More difficult to deal with than other types of threats. Less predictable than other types of physical threats. May be targeted from inside or outside entity. Human-caused threats includes 1) Unauthorized physical access: Unauthorized user should not be in the building. Major resources (Servers, network equipments, storage devices) should placed in restricted areas. Unauthorized physical access can lead to other threats, such as theft, vandalism, or misuse.

2) Theft: Theft of equipment and theft of data by copying. Eavesdropping and wiretapping. 3) Vandalism: Destruction of equipment and destruction of data. 4) Misuse: Improper use of resources by unauthorized users.

4.4 MITIGATION MEASURES Technique for preventing physical attacks 5.4.1 Environmental Threats 1. Inappropriate temperature and humidity Environmental control equipment, Maintenance of power supply 2. Fire and smoke Alarms, preventative measures, fire mitigation Smoke detectors, no smoking 3. Water Manage lines, equipment location, cutoff sensors 4. Other threats Appropriate technical counter-measures, limit dust entry, pest control

4.4.2 Technical Threats - Mitigation Measures Electrical power for critical equipment use Use uninterruptible power supply (UPS) Emergency power generator Electromagnetic Interference (EMI) To deal with electromagnetic interference, a combination of filters and shielding can be used. The specific technical details will depend on the infrastructure design and the anticipated sources and nature of the interference.

4.4.3 Human-Caused Threats - Mitigation Measures The general approach to human-caused physical threats is physical access control. Physical access control should cover locations of wiring, electrical power, HVAC equipment and distribution system, telephone and communications lines, backup media, and documents. A spectrum of approaches that can be used to restrict access to equipment. They are 1. Restrict building access (patrolled or guarded by personnel) 2. Locked cabinet, safe, or room 3. A security device controls the power switch. 4. Tracking device to alert security personnel. 5. Intruder sensors / alarms

4.5 RECOVERY FROM PHYSICAL SECURITY BREACHES The most essential element of recovery from physical security breaches is redundancy. Redundancy: To provide recovery from loss of data. All important data should be available off-site and updated as often as feasible. Can use batch encrypted remote backup Physical equipment damage recovery Depends on nature of damage and cleanup May need disaster recovery specialists

4.6 THREAT ASSESSMENT To implement a physical security program, an organization needs to do a threat assessment. To determine the amount of resources to devote to physical security and the allocation of those resources against the various threats. This process also applies to logical security, and typically includes steps such as: 1. Set up a steering committee 2. Obtain information and assistance 3. Identify all possible threats 4. Determine the likelihood of each threat 5. Approximate the direct costs 6. Consider cascading costs 7. Prioritize the threats 8. Complete the threat assessment report

4.7 PHYSICAL / LOGICAL SECURITY INTEGRATION Have many detection (Sensors, alarms) / prevention (locks, doors) devices. Physical security can be more effective if have a central control. Central control collects all alerts and alarms of all automated access control mechanisms, such as smart card entry sites. Hence desire to integrate physical and logical security, especially access control Need a common standard in this area 2006, FIPS 201-1 “Personal Identity Verification (PIV) of Federal Employees and Contractors” provides a reliable, government-wide PIV system. For the integration of physical and logical access control to be practical, a wide range of vendors need to conform to standards that cover smart card protocols, authentication and access control formats and protocols, database entries, message formats and so on. An important step in this direction is FIPS 201-1 “Personal Identity Verification (PIV) of Federal Employees and Contractors”, issued in 2006. The standard defines a reliable, government-wide PIV system for use in applications such as access to Federally controlled facilities and information systems. The standard specifies a PIV system within which common identification credentials can be created and later used to verify a claimed identity. The standard also identifies Federal government-wide requirements for security levels that are dependent on risks to the facility or information being protected.