Presentation is loading. Please wait.

Presentation is loading. Please wait.

NETW4005 COMPUTER SECURITY A

Published byStuart Haynes Modified over 6 years ago

Similar presentations

Presentation on theme: "NETW4005 COMPUTER SECURITY A"— Presentation transcript:

1 NETW4005 COMPUTER SECURITY A
LECTURE – 4 PHYSICAL SECURITY

2 CONTENT 4.1 INTRODUCTION 4.2 PHYSICAL SECURITY
4.3 PHYSICAL SECURITY THREATS 4.4 MITIGATION MEASURES 4.5 RECOVERY FROM PHYSICAL SECURITY BREACHES 4.6 THREAT ASSESSMENT 4.7 PHYSICAL / LOGICAL SECURITY INTEGRATION

3 4.1 INTRODUCTION Three elements of Information System (IS) security: 1. Logical security : Protects computer-based data from software-based and communications-based threats. 2. Physical security : Also called infrastructure security. Protects the IS that house data and the people who use, operate, and maintain the systems. Physical security also must prevent any type of physical access or intrusion that can compromise logical security.

4 3. Premises security: Also known as corporate or facilities security. Protects the people and property within an entire area, facility, or building(s), and is usually required by laws, and regulations. Premises security provides perimeter security, access control, smoke and fire detection, fire suppression, some environmental protection, and usually surveillance systems, alarms, and guards.

5 4.2 PHYSICAL SECURITY Protect physical assets that support the storage and processing of information. Involves two complementary requirements: 1) Prevent damage to physical infrastructure 2) Prevent physical infrastructure misuse a) Information system hardware: Data processing and storage equipment, transmission & networking facilities, offline storage media, supporting documentation. b) Physical facility: Buildings and other structures housing system and network components.

6 c) Supporting facilities:
Underpin the operation of the information system, & include electrical power, communication services, environmental controls: heat, humidity, etc. d) Personnel: Humans in control, maintenance, and use of the information systems. 2) Prevent physical infrastructure misuse Leading to misuse / damage of protected information Must prevent misuse of the physical infrastructure that leads to the misuse or damage of the protected information. The misuse of the physical infrastructure can be accidental or malicious. It includes vandalism, theft of equipment, theft by copying, theft of services, and unauthorized entry.

7 4.3 PHYSICAL SECURITY THREATS
The types of physical situations and occurrences that can constitute a threat to information systems. There are a number of ways in which such threats can be categorized. The threats are categorized as follows: 4.3.1 Natural Disasters 4.3.2 Environmental threats 4.3.3 Technical threats 4.3.4 Human-caused threats Let us discuss all the threats

8 Natural Disasters Natural disasters are the source of a wide range of environmental threats. Lists of six categories of natural disasters are 1) Tornado Can generate winds that exceed hurricane strength. May cause a temporary loss of local utility and communications. 2) Hurricane May cause significant structural damage and damage to outside equipment. Wide damage to public infrastructure, utilities, and communications. 3) Earthquake Greatest damage and occurs without warning. Significant damage to data centers and other IS.

9 4) Ice storm or blizzard Can cause some disruption / damage to IS facilities if outside equipment. 5) Lightning Can disturb electrical power and have potential for fires. 6) Flood Damage can be severe, with long-lasting effects and the need for a major clean up operation

10 4.3.2 Environmental Threats
Inappropriate temperature and humidity (Produce undesirable results) Fire and smoke (Physical damage) Water (Electrical Short) Chemical, radiological, biological hazards (Intentional / Accidental) Dust (concern that is often overlooked) Infestation (mold ,insects and rodents)

11 4.3.3 Technical Threats Electrical power is essential to run equipment. Power utility problems: 1. Under-voltage - dips/brownouts/outages, interrupt service 2. Over-voltage - surges/faults/lightening, can destroy chips 3. Noise - on power lines, may interfere with device operation Electromagnetic interference (EMI) From line noise, motors, fans, heavy equipment, other computers, nearby radio stations & microwave relays. Can cause intermittent problems with computers

12 4.3.4 Human-Caused Threats More difficult to deal with than other types of threats. Less predictable than other types of physical threats. May be targeted from inside or outside entity. Human-caused threats includes 1) Unauthorized physical access: Unauthorized user should not be in the building. Major resources (Servers, network equipments, storage devices) should placed in restricted areas. Unauthorized physical access can lead to other threats, such as theft, vandalism, or misuse.

13 2) Theft: Theft of equipment and theft of data by copying. Eavesdropping and wiretapping. 3) Vandalism: Destruction of equipment and destruction of data. 4) Misuse: Improper use of resources by unauthorized users.

14 4.4 MITIGATION MEASURES Technique for preventing physical attacks
5.4.1 Environmental Threats 1. Inappropriate temperature and humidity Environmental control equipment, Maintenance of power supply 2. Fire and smoke Alarms, preventative measures, fire mitigation Smoke detectors, no smoking 3. Water Manage lines, equipment location, cutoff sensors 4. Other threats Appropriate technical counter-measures, limit dust entry, pest control

15 4.4.2 Technical Threats - Mitigation Measures
Electrical power for critical equipment use Use uninterruptible power supply (UPS) Emergency power generator Electromagnetic Interference (EMI) To deal with electromagnetic interference, a combination of filters and shielding can be used. The specific technical details will depend on the infrastructure design and the anticipated sources and nature of the interference.

16 4.4.3 Human-Caused Threats - Mitigation Measures
The general approach to human-caused physical threats is physical access control. Physical access control should cover locations of wiring, electrical power, HVAC equipment and distribution system, telephone and communications lines, backup media, and documents. A spectrum of approaches that can be used to restrict access to equipment. They are 1. Restrict building access (patrolled or guarded by personnel) 2. Locked cabinet, safe, or room 3. A security device controls the power switch. 4. Tracking device to alert security personnel. 5. Intruder sensors / alarms

17 4.5 RECOVERY FROM PHYSICAL SECURITY BREACHES
The most essential element of recovery from physical security breaches is redundancy. Redundancy: To provide recovery from loss of data. All important data should be available off-site and updated as often as feasible. Can use batch encrypted remote backup Physical equipment damage recovery Depends on nature of damage and cleanup May need disaster recovery specialists

18 4.6 THREAT ASSESSMENT To implement a physical security program, an organization needs to do a threat assessment. To determine the amount of resources to devote to physical security and the allocation of those resources against the various threats. This process also applies to logical security, and typically includes steps such as: 1. Set up a steering committee 2. Obtain information and assistance 3. Identify all possible threats 4. Determine the likelihood of each threat 5. Approximate the direct costs 6. Consider cascading costs 7. Prioritize the threats 8. Complete the threat assessment report

19 4.7 PHYSICAL / LOGICAL SECURITY INTEGRATION
Have many detection (Sensors, alarms) / prevention (locks, doors) devices. Physical security can be more effective if have a central control. Central control collects all alerts and alarms of all automated access control mechanisms, such as smart card entry sites. Hence desire to integrate physical and logical security, especially access control Need a common standard in this area 2006, FIPS “Personal Identity Verification (PIV) of Federal Employees and Contractors” provides a reliable, government-wide PIV system. For the integration of physical and logical access control to be practical, a wide range of vendors need to conform to standards that cover smart card protocols, authentication and access control formats and protocols, database entries, message formats and so on. An important step in this direction is FIPS “Personal Identity Verification (PIV) of Federal Employees and Contractors”, issued in The standard defines a reliable, government-wide PIV system for use in applications such as access to Federally controlled facilities and information systems. The standard specifies a PIV system within which common identification credentials can be created and later used to verify a claimed identity. The standard also identifies Federal government-wide requirements for security levels that are dependent on risks to the facility or information being protected.

Download ppt "NETW4005 COMPUTER SECURITY A"

Similar presentations

YOUR HOST!YOUR HOST!YOUR HOST!YOUR HOST! HOSTSHOSTSHOSTSHOSTS NAMENAMENAMENAME.

YOUR HOST!YOUR HOST!YOUR HOST!YOUR HOST! HOSTSHOSTSHOSTSHOSTS NAMENAMENAMENAME.
1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
GCSE ICT Networks & Security..

GCSE ICT Networks & Security..
Chapter 7: Physical & Environmental Security

Chapter 7: Physical & Environmental Security
Computer Security Computer Security is defined as:

Computer Security Computer Security is defined as:
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.
Database Administration and Security Transparencies 1.

Database Administration and Security Transparencies 1.
Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.

Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.
Security Controls – What Works

Security Controls – What Works
Stephen S. Yau CSE 465 & CSE591, Fall 2006 1 Physical Security for Information Systems.

Stephen S. Yau CSE 465 & CSE591, Fall Physical Security for Information Systems.
Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.

Introduction Security is a major networking concern. 90% of the respondents to the 2004 Computer Security Institute/FBI Computer Crime and Security Survey.
Information Security Principles and Practices

Information Security Principles and Practices
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 16: Physical and Infrastructure Security.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 16: Physical and Infrastructure Security.
Physical and Cyber Attacks1. 2 Inspirational Quote Country in which there are precipitous cliffs with torrents running between, deep natural hollows,

Physical and Cyber Attacks1. 2 Inspirational Quote Country in which there are precipitous cliffs with torrents running between, deep natural hollows,
Physical Security Chapter 9.

Physical Security Chapter 9.
Chapter 3.  Security Framework  Operational Security Lifecycle  Security Perimeter  Access Control  Social Engineering  Environmental Issues.

Chapter 3.  Security Framework  Operational Security Lifecycle  Security Perimeter  Access Control  Social Engineering  Environmental Issues.

Similar presentations

Ads by Google