Physical Security “Least sexy of the 10 domains but the best firewall in the world will not stand up to a well placed brick.”

Physical Security  Addresses threats, vulnerabilities, countermeasures to physically protect org’s resources & sensitive info  Natural disasters  Unauthorized entry and/or theft

Threats  Risk analysis or business impact assessment identify threats  Seven major sources of physical loss 1.Temperature 2.Gases 3.Liquids 4.Organisms 5.Projectiles 6.Movement 7.Energy Anomalies

Controls for Physical Security  Administrative Controls Emergency Procedures, Personnel control, & planning and policy implementation  Physical & Technical Controls

Facility Requirements Planning  Planning done in early stages of construction of data facility  Choosing a Secure Site  Designing a Secure Site

Choosing a Secure Site  Visibility: neighbors, external markings  Local Considerations: near possible threats, local crime rate  Natural Disasters: weather related, earthquake fault  Transportation: excessive air, highway or road traffic  Joint Tenancy: HVAC controls, elecriticity  External Services: local emergency, hospitals

Designing a secure site  Walls: fire ratings rooms & storage  Ceilings: weight-bearing, fire rating  Floors: weight bearing, static, electrical cables  Windows: none or translucent & shatterproof  Doors: resist forcible entry, fire rating, personnel safety is first  Sprinkler systems: fire resistant rating of not less than 1 hour  Liquid or gas lines: positive (outward) flow  Air Conditioning: dedicated power circuits, positive air flow  Electrical Requirements: dedicated circuits, alternative

Facility Security Management  Audit Trails Detecting security violations Performance Problems Design & programming flaws Include: date & time, successful or not, Where access granted, Who tried, data modified? Detective rather than preventative  Emergency Procedures Include: emergency shutdown procedures, Evacuation, Employee training, periodic tests

Administrative Personnel Controls  Human resources department  Pre-employment screening  Ongoing employee checks  Post-employment procedures

Environmental & Life Safety Controls  “Physical controls necessary to sustain either computer’s operating environment (OE) or personnel’s OE”  Main Areas: Electrical Power Fire detection & suppression Heating, Ventilation, & Air Conditioning (HVAC)

Electrical Power  Noise Radio frequency interference, EMI Cell phones, laptops, other ele. Equip. EMI eavesdropping Power line conditioning, proper shielding, grounding, magnets, fluorescent lights, electric motors, space heaters  Brownouts & Sag (NYC 15% common) Surges & spikes when come back up  Humidity Low == static (20,000 volts possible)

Fire Detection & Suppression  Fire classes, combustibles, detectors, & suppression methods  Factors in priority order: 1.Life safety aspects 2.Fire threat of installation to occupants & property 3.Economic loss from computing function 4.Economic loss from loss of equipment

Fire Classes & Combustibles  Classes A.Common combustibles – water or soda acid B.Liquid – CO 2, soda acid, or halon C.Electrical – CO 2 or halon  Fire requires: oxygen, heat, & fuel  Water: temperature, soda acid: fuel supply, CO 2 oxygen, halon: chemical reaction

Fire Detectors  Heat sensing Predetermined temp or fast change  Flame-actuated Infrared or pulsation of flame  Smoke-actuated In ventilation systems  Automatic dialup fire alarm

Fire Extinguishing Systems  Water Sprinkler Wet Pipe, Dry Pipe, Deluge, or Preaction (combination of wet & dry pipe)  Gas Discharge Pressurized inert gas CO 2, halon, argon, argonite, inergen

After the fire  Contamination Smoke: little damage at first, residue Heat Water Suppression medium  Water damage Shutoff power Move equipment Drain Wipe parts & spray

Physical & Technical Controls  Facility Control Requirements  Facility Access Control Devices  Intrusion Detection & Alarms  Computer Inventory Control  Media Storage Requirements

Facility Control Requirements  Guards  Dogs  Fencing  Mantrap  Lighting  Locks  Closed Circuit TV

Facility Access Control Devices  Security Access Cards Dumb: photo id Smart: digital coded smart card Smarter: processor on card  Wireless Proximity Readers Passive, field powered, transponders  Biometric

Intrusion Detection & Alarms  Perimeter Intrusion Detectors Photoelectric & dry contact switches  Motion Detectors Wave pattern (reflection), capacitance (electrical field), audio detectors  Alarm Systems Local, central station, proprietary Line supervision

Computer Inventory Control  Physical PC Control Cable locks Port controls Switch Controls Peripheral Switch Controls Electronic Security Boards  Laptops

Media Storage Requirements  Ongoing Storage Access & Environment  Disposal Clearing – overwriting (7 times min), Purging – Degaussing or overwriting, Destruction Erasing only changes FAT, Damaged sectors not changed, overwrite may not change cause new file shorter,  Encryption of sensitive data

Simplest Way to check physical Security  “walk-about”