Presentation is loading. Please wait.

Presentation is loading. Please wait.

McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information.

Published byBarnard Jefferson Modified over 9 years ago

Similar presentations

Presentation on theme: "McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information."— Presentation transcript:

1 McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker Chapter 8 Physical Security

2 8-2 Objectives Manage the problems of dispersion and diversity Factor the concept of secure space into a physical security scheme Construct a security process using a security plan Mitigate physical security threats

3 8-3 Physical Security Physical security safeguards assets from non- digital threats Protects information processing facilities and equipment from deliberate or accidental harm More involved and complex Essential to protecting information asset base Uncontrolled physical space makes it easy for an attacker to subvert most security measures Proximity to the equipment allows attackers to mount attacks more easily

4 8-4 Problems of Dispersion and Diversity Physical security accounting and controlling processes have become more difficult with the advent of distributed systems Difficult to secure effectively because network resources are diverse and widely distributed External parts of a network Telephone, cable lines, broadband interface Protection of less obvious non-computerized information repositories

5 8-5 Problems of Dispersion and Diversity Collections of assets have different protection requirements Establishing safeguards: Physical asset accounting framework that itemizes the physical records and resources This framework requires maintaining a perpetual inventory of tangible assets as well as rules for controlling each asset Combination of a defined set of assets and the associated controls is called secure space

6 8-6 The Joy of Secure Space Safeguarding a facility requires deliberately creating a secure space Define physical perimeter or boundary Deploy countermeasures to assure the security, confidentiality, and integrity of the items Delineate the boundary of all controlled locations Factors to be considered in establishing a secure space: Location Access Control

7 8-7 The Joy of Secure Space Factor 1: Ensuring the location Secure physical assets proportionate to the risks resulting from unauthorized access to that facility Factor 2: Ensuring controlled access Access is a privilege, which is individually assigned and enforced, rather than a right Factor 3: Ensuring control of secure space Based on the specification and enforcement of a set of behaviors that can be objectively monitored

8 8-8 Physical Security Process and Plan Physical security process Guarantees that the effective safeguards are in place Effectiveness is ensured by making certain that: Threats have been identified Associated vulnerabilities have been accurately characterized, prioritized, and addressed Implemented through planning Supervised and enforced by consistent and ongoing management

9 8-9 Physical Security Process Identify the items to be protected Three classes of items requiring assurance: Equipment – includes tangible things such as hardware and network connections People – involves human resources and is part of the personnel security process Environment – includes hazards associated with the environment as well as the safety requirements of the physical space

10 8-10 Physical Security Plan Should be developed once an understanding of the threat environment has been developed Establishes a response to events that represent potential harm and that have a reasonable probability of occurrence Responds to a threat by recommending the deployment of a set of countermeasures Effective planning for all contingencies ensures efficient disaster recovery

11 8-11 Physical Security Plan Ensuring effective planning Implemented through a formal, organization-wide plan aligned with both business and information assurance goals Should specify the threats associated with the protected items in the secure space and specify countermeasures Should be able to respond to all credible threats in advance Establish controls to ensure that the secure space is not susceptible to intrusion and that sensitive materials are stored in secure containers Should ensure that the organization responds effectively to natural disasters Implementation plan is overseen by the audit function that monitors and enforces accountability

12 8-12 Physical Security Plan Defense in-depth countermeasures Built around measures to extend the time it takes for a threat to cause harm Involves design of the steps to detect, assess, and report probable physical threats or intrusions In the threat assessment process, a decision has to be made about the probabilities of occurrence and harm The outcome of that assessment should produce a manageable set of threats, which are likely to occur for that particular space

13 8-13 Physical Security Targets and Threats It is important to factor four threat types into a comprehensive physical security plan: Facilities Equipment People Environment

14 8-14 Threats to the Facility Ensuring clean and steady power Power problems affect computers in three ways: Damage the hardware, causing downtime Affect network availability – lost productivity Result in a loss of data Potential infrastructure hazards to look for are: Voltage swings Drains Hazardous wiring Eliminating fluctuations Surge suppressors, Uninterruptible Power Supplies Ensure that access to physical controls is enforced

15 8-15 Threats to the Facility Ensuring other building systems Ensure that other critical building systems are reliable such as: Heating Ventilation Air conditioning Plumbing Water supply systems

16 8-16 Safeguarding Equipment Physical security process safeguards tangible items, they include: Communication, processing, storage, and input or output devices Countermeasures assure safety and security Conventional physical access control measures establish the integrity of controlled spaces Measures include locks, passcards, RFID, swipecard readers, video cameras, and safes May also include human-based monitoring and control methods

17 8-17 Safeguarding Equipment Protecting networks: ensuring integrity over a wide area Prevent unauthorized access Technical countermeasures for security include: Interruption sensors Line monitors Emanations security Security failures on networks: Unauthorized users intercept information by physically accessing network equipment If the network is unable to carry out its transmission functions

18 8-18 Safeguarding Equipment Protecting portable devices Problem of ubiquitous portability requires adherence to the following principles: Ensure that the device itself is always controlled Assign individual responsibility and enforce accountability for all portable devices Ensure that the data on the device is secure Ensure that sensitive data cannot be transported nor displayed without authorization and accountability Ensure controls that are provided to ensure security of a portable item are easy for end-users to follow

19 8-19 Controlling Access by People Effective access control requires: Designing a layered defense in the physical environment Continuous monitoring and access control built in Heart of access control systems is the ability to: Grant convenient physical access to authorized people Completely deny access to unauthorized ones

20 8-20 Controlling Access by People Mechanisms for restricting physical access include: Perimeter controls Controls include restriction devices such as: Natural barriers Fence systems Walls Supplemented with mechanical barriers Secure windows, doors, and locks

21 8-21 Controlling Access by People Perimeter controls: barriers Natural barriers Structural barriers Fences define the secure areas and enforce entry only at designated points Gates and bollards are part of the restriction system Closed circuit television (CCTV) Monitors which provide three levels of control: Detection – detects the presence of an object Recognition – determines the type of object Identification – determines the object details

22 8-22 Controlling Access by People Perimeter controls: intrusion detection Ensures the integrity of a physical space Monitors suspicious traffic, tracks intruders, and subsequently marks security holes discovered Based on monitoring sensors and observing actions along the perimeter Retrospective monitoring uses security logs or audit data to detect unauthorized accesses Sensors installed at each access point establish perimeter protection

23 8-23 Controlling Access by People Perimeter controls: guards and patrols Low-tech, labor-intensive approach to access control Provide an effective deterrent to unauthorized entry Less expensive and no less reliable than automated systems Not passive and cannot be disconnected or sabotaged as with high-tech solutions They are subject to error

24 8-24 Controlling Access by People Perimeter controls: structural and mechanical barriers Doors and windows have to be strictly controlled since they are the most likely point of access Considerations in determining which type of structure to be used: Whether to employ a hollow-core versus solid-core technology How to identify and address hinge and doorframe vulnerabilities Whether to monitor use through contact devices such as switches and pressure plates

25 8-25 Controlling Access by People Mechanical barrier devices: locks Most widely accepted and employed barrier device Types of locks include: Cipher locks Combination locks Deadbolt locks Smart locks Keys are the authentication tokens for locks: Security element rests with the control of keys Most effective when used in a two-factor authentication system Example: with a door PIN

26 8-26 Controlling Access by People Biometric systems An emerging authentication tool in physical access control Based on exclusive physical attributes, which can be read and digitized Can be used in conjunction with smart cards Problem: scanning errors occur leading to false positives and false negatives

27 8-27 Controlling Access by People Doubling the assurance: multiple factor authentication Uses of more than one form of authentication to control access; based on three broad categories: What you are (for example, biometrics) What you have (for example, tokens) What you know (for example, passwords) Simple multiple-factor authentication requires confirmation of at least two factors Three-factor authentication combines three types

28 8-28 Controlling Access by People Ensuring against the well-intentioned human being Accidents and non-intentional acts are the most frequent cause of human-based harm Proactive way to address human error is through training and drills Keeps people continuously aware of their security responsibilities It has to be continuous to be effective Basic rule of thumb is a corollary to Murphy’s Law: A disaster plan is an appropriate countermeasure

29 8-29 Mitigating the Effects of Natural Disasters and Fires Response or disaster planning is the primary means of assuring against the broad category of natural disasters Disaster response countermeasures center on: Awareness Anticipation Preparation

30 8-30 Mitigating the Effects of Natural Disasters and Fires Planning for fire prevention Computers and their components are extremely flammable devices Three primary issues associated with fire protection: Prevention – reduction in the causes and sources Detection – receiving a warning of fire Suppression – extinguishing and containing a fire

31 8-31 Mitigating the Effects of Natural Disasters and Fires Preventing fires Good building design improves the chances of prevention The use of fire-resistant materials in walls, doors, and furnishings Reduce the number of combustible materials in the surrounding environment Proactive approach to fire protection is fire- prevention awareness for employees Response drills such as a fire drill

32 8-32 Mitigating the Effects of Natural Disasters and Fires Fire detection Provides warning as close to the fire event as possible Most common are the ionization-type smoke detectors, which detect charged particles in smoke

33 8-33 Mitigating the Effects of Natural Disasters and Fires Fire detection (cont’d) Some kinds of non-equipment-related fires do not produce smoke Two related types of detectors are: Photoelectric or optical detectors – react to light blockage caused by smoke particles Heat sensing – react to the heat of a fire Downside in both methods – the fire has to be advanced enough to detect

34 8-34 Mitigating the Effects of Natural Disasters and Fires Fire suppression The first line of defense is the fire suppression system Having the right type of fire extinguisher Know that fire extinguishers have limited use Halon is effective and it was the fire suppression agent of choice FM200 (FM-200/heptafluoropropane) Extinguishes a fire by both robbing it of oxygen and by its physical suppression effect Water sprinkler system

Download ppt "McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information."

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
Chapter 7: Physical & Environmental Security

Chapter 7: Physical & Environmental Security
Computer Security Computer Security is defined as:

Computer Security Computer Security is defined as:
Control and Accounting Information Systems

Control and Accounting Information Systems
Access Control Methodologies

Access Control Methodologies
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.

Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Information Security Principles and Practices

Information Security Principles and Practices
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 16: Physical and Infrastructure Security.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 16: Physical and Infrastructure Security.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Physical Security Chapter 9.

Physical Security Chapter 9.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Chapter 3.  Security Framework  Operational Security Lifecycle  Security Perimeter  Access Control  Social Engineering  Environmental Issues.

Chapter 3.  Security Framework  Operational Security Lifecycle  Security Perimeter  Access Control  Social Engineering  Environmental Issues.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google