Physical and Environmental Security
NETWORK SECURITY-ITIE533
Planning Process
Threats should be classified as internal or external. Risk analysis should also be carried out for the physical aspect. Assets should be identified, threats should be identified (probabilities calculated) and countermeasures put in place that are COST EFFECTIVE and appropriate to the level of security needed. Physical security will ultimately be a combination of people, processes, procedures and equipment to protect resources.
Planning Process
The planning and security program should include the following goals:
- Deterrence: fences, guards, signs
- Reducing/avoiding damage by delaying attackers: slow down the attackers (locks, guards, barriers)
- Detection: motion sensors, smoke detectors
- Incident assessment: response of guards, and determination of damage level
- Response procedures: fire suppression, law enforcement notification, etc.
Planning Process
The idea is to avoid problems if at all possible, otherwise mitigate problems. This can be best accomplished by layering (which we already talked about). If a crime happens you must be able to detect it, and a response should be implemented. Remember this is the same process that we cover in Risk Analysis! All the same processes and concepts apply.
Target Hardening
Focuses on denying access through physical and artificial barriers (alarms, locks, fences). Target hardening can lead to restrictions on the use, enjoyment and aesthetics of an environment.
CPTED
An important security concept organizations use is Crime Prevention Through Environmental Design (CPTED). The idea is that proper design of a physical environment can reduce crime by directly affecting human behavior.* It provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures.
CPTED
CPTED concepts have been used since the 1960s and have advanced as environments and crime have advanced. CPTED is not just used for corporate security but also for building neighborhoods etc. CPTED looks at the components that make up the relationship between humans and their environment.
CPTED guidelines
Examples:
- Hedges and planters should not be more than 2.5 feet tall.
- Data center should be at the center of a facility.
- Street furniture should encourage people to sit and watch what is going on around them.
- Landscaping should not provide places to hide.
- Put CCTV cameras in plain view so criminals are aware they are being watched and recorded.
CPTED
CPTED provides three main strategies to bring together physical environment and social behavior to increase overall protection:
- Natural Access Control
- Natural Surveillance
- Territorial reinforcement
We will talk about these next.
Security Zones
Zones are used to physically separate areas into different security areas.
- Each inner level becomes more restricted and more secure
- Stronger Access Control and Monitoring at the entry point to each zone
Facilities
When building a new facility there are several considerations:
- Visibility
- Surrounding area and external entities
  - Crime rate
  - Proximity to police, medical and fire stations
- Accessibility
  - Roads/access
  - Traffic
  - Proximity to airports etc.
- Natural disasters
  - Probability of floods, hurricanes
  - Hazardous terrain (mudslides, falling rocks (really?!?), excessive snow or rain)
Construction
Different considerations need to be considered when building a facility depending on what the facility is trying to protect and. For example, if documents are stored, fire-resistant materials should be used.
Entry Points
Entry points into a building or control zone must be secured.
- Including windows
- Including ventilation ducts etc.
All components of a door should be equally as strong (no use to have a strong steel door, but weak hinges) (weakest link).
Doors
Fire codes dictate that exit bars be on doors. Doors can be hollow core or solid core; hollow core doors should only be used internally. Doors with automatic locks can be:
- Fail safe* - what does this mean?
- Fail secure* - what does this mean?
Windows
There are different types of windows that you should know about:
- Standard glass: residential home/easily broken
- Tempered glass: glass that is heated and then suddenly cooled. 5-7x stronger than regular glass
- Acrylic glass (plexiglass/lexan): stronger than regular glass, but gives off toxic fumes if burnt.
Windows
- Glass with embedded wires: avoids glass shattering
- Laminated glass: two sheets of glass with a plastic film in between. Harder to break.
- Glass can be treated with films to tint for security.
Computer Room
Computer rooms are where important servers and network equipment are stored.
- Equipment should be placed in locked racks.
- Computer rooms should be near the center of the building, and should be above ground, but not so high that it would be difficult to access by emergency crews.
- Strict access control should be enabled.
- They should only have 1 access door, though they might have to have multiple fire doors.
Computer Room
- Computer Room should have positive air pressure*
- There should be an easy to access emergency off switch
- Portable fire extinguishers
- Smoke/fire sensors should be under raised floors.
- Water sensors should be under raised floors and on ceilings
Computer Room
- Temperature and Humidity levels should be properly maintained
  - Humidity too low: static electricity*
  - Humidity too high: corrosion of metal parts*
- CR should be on separate electrical systems from the rest of the building
- Should have redundant power systems and UPS
Protecting Assets
Companies must protect from theft. Theft of laptops is a big deal, especially if private information is on the laptop. You should understand best practices in regards to physically protecting things from being stolen.
- Inventory all laptops including serial number
- Harden the OS
- Use disk encryption on laptops
- Do not check luggage when flying
- Never leave a laptop unattended
- Install tracking software on laptops (LoJack type software)
- Password protect the BIOS (See next slide)
Protecting Assets
You should also be aware of the types of safes that exist:
- Wall safe
- Floor safe
- Chest (stand alone)
- Depositories (safes with slots)
- Vaults (walk in safes)
Power
UPS (need visualization)
- Online
- Standby
Environmental Issues
Improper environments can cause damage to equipment or services.
- Water and Gas
  - Make sure there are shutoff valves and that they have positive drains (flow out instead of in, why?)
- Humidity
  - Humidity must not be too high or too low
    - Low: static
    - High: rust/corrosion
Environmental Issues
Static electricity: besides ensuring proper humidity,
- Use anti-static flooring in data processing areas
- Don't use carpeting in data centers
- Wear anti-static bands when working inside computers.
Environmental Issues
Temperature should not be too high. Room temps should be in the 60s ideally.
- Ventilation should be closed loop (re-circulating)
- Positive pressure (air flows out, e.g. smoke and contaminants will be pushed out rather than flow in)
- If a fire is detected HVAC should be immediately turned off. WHY?
Fire prevention
It's obvious that you should have fire prevention, detection and suppression systems. Which types you use depends on the environment.
Fire detection systems:
- Smoke activated (using a photoelectrical device)
- Heat activated
  - Rate of rise sensors
  - Fixed temperature sensors
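The two heat-activated detector types above, run over constructed temperature traces (an added example, not part of the original slides). The 57 °C fixed threshold, the 8 °C rise within 60 seconds and all sample readings are assumed values chosen for illustration.

```python
# Constructed traces: (seconds since start, degrees C). Not real sensor data.
FAST_FIRE = [(0, 21.0), (15, 22.0), (30, 26.0), (45, 31.0),
             (60, 37.0), (75, 45.0), (90, 55.0), (105, 66.0)]
SLOW_HEAT = [(0, 21.0), (300, 30.0), (600, 40.0), (900, 50.0), (1200, 58.0)]
NORMAL = [(0, 21.0), (60, 21.5), (120, 22.0), (180, 21.8)]


def fixed_temperature_alarm(samples, threshold_c=57.0):
    """Time of the first reading at or above the threshold, else None."""
    for t, temp in samples:
        if temp >= threshold_c:
            return t
    return None


def rate_of_rise_alarm(samples, rise_c=8.0, window_s=60):
    """Time at which temperature has climbed rise_c within window_s, else None."""
    for i, (t, temp) in enumerate(samples):
        # Earlier readings that still fall inside the look-back window.
        recent = [v for u, v in samples[:i] if t - u <= window_s]
        if recent and temp - min(recent) >= rise_c:
            return t
    return None


def assess(samples):
    """Run both detectors and list the response the slides call for."""
    fixed = fixed_temperature_alarm(samples)
    rise = rate_of_rise_alarm(samples)
    fired = [t for t in (fixed, rise) if t is not None]
    return {
        "fixed_s": fixed,
        "rate_of_rise_s": rise,
        "first_alarm_s": min(fired) if fired else None,
        # HVAC is shut off on detection, per the Environmental Issues slide.
        "actions": ["hvac_off"] if fired else [],
    }


if __name__ == "__main__":
    for name, trace in [("fast fire", FAST_FIRE), ("slow heat", SLOW_HEAT),
                        ("normal", NORMAL)]:
        print(name, assess(trace))
```

On the fast trace the rate of rise sensor fires a full minute before the fixed temperature sensor; on the slow trace only the fixed temperature sensor fires, which is why the two are used together.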
Fire suppression
A fire needs fuel, oxygen and high temperatures to burn. There are many different ways to stop combustion:
- Fuel: soda acid (remove fuel)*
- Oxygen: carbon dioxide (removes oxygen)*
- Temperature: water (reduces temperature)*
- Chemical combustion: gas (interferes with the chemical reactions)*
Fire Suppression
Different fire suppression types based on class of fire:
- A
- B
- C
- D
Fire Suppression
- A: Common Combustibles
  - Use for: wood, paper, laminates
  - Uses water or foam as suppression agent
- B: Liquid
  - Use for: gas or oil fires
  - Use: gas (CO2), foam, dry powders
Fire Suppression
- C: Electrical
  - Use on: electrical equipment and wires
  - Uses: gas, CO2, dry powder
- D: Combustible materials
  - Use on: combustible chemicals (sodium, potassium)
  - Uses: dry powder
Sprinkler Heads
The Thermal Linkage is often a small glass tube with colored liquid that is designed to shatter at a fixed temperature.
The fire will heat the Thermal Linkage to its break point, at which point the water in the pipe will flow freely through the opening at a high pressure. The pressure of the water causes it to spread in a wide area when it hits the deflector.
Perimeter security
Perimeter security is concerned with protecting the outside of your facility, that is, ensuring that nobody unauthorized gets inside to cause any security violations. Perimeter security can implement multiple controls to keep the facility secure. Some controls that are used that we will look at are:
- Locks
- Personnel access controls
- Fencing
- Lighting
- Bollards
- Surveillance devices
- Intrusion detection systems
- Guard dogs
Perimeter Security
Locks: the purpose of locks is to DELAY intruders until they can be detected and apprehended. There are multiple types of locks that we will talk about:
- Mechanical
- Combination locks
- Cipher locks
Locks
Mechanical: use a physical key (warded lock or tumbler)
- Warded lock: basic padlock, cheap
- Tumbler lock: more pieces than a warded lock; the key fits into a cylinder which moves the metal pieces such that the bolt can slide into the locked and unlocked position.
  - Pin tumbler: uses pins
  - Wafer: uses wafers (not very secure)
Locks types
There are different lock grades:
- Grade 1: commercial
- Grade 2: heavy duty residential, light commercial
- Grade 3: residential throw away locks
There are also 3 cylinder categories:
- Low: no pick or drill resistance provided
- Medium: a little pick resistance
- High: higher degree of pick resistance
Cipher Lock
Cipher locks: electronic locks
- Combination can be changed
- Combination can be different for different people
- Can work during different times of day
- Can have override codes
  - Subtype of Override Code is an emergency code*
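The cipher lock features listed above, together with the fail safe and fail secure door behaviour raised on the Doors slide, as a small access-decision model (an added example, not part of the original slides). The class, user names and codes are constructed, and the emergency code alerting a guard station is an assumption.

```python
import hmac
from dataclasses import dataclass, field
from datetime import time


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not leak code digits.
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class CipherLock:
    fail_safe: bool = False                      # False = fail secure
    users: dict = field(default_factory=dict)    # name -> (code, start, end)
    override_codes: set = field(default_factory=set)
    emergency_codes: set = field(default_factory=set)

    def set_code(self, name, code, start=time(0, 0), end=time(23, 59)):
        # Combinations can be changed, and differ per person and time window.
        self.users[name] = (code, start, end)

    def decide(self, entered, now, powered=True):
        """Return (unlocked, event) for one keypad entry."""
        if not powered:
            # Fail safe releases the door on power loss; fail secure keeps it locked.
            return self.fail_safe, "power_loss"
        if any(_same(entered, c) for c in self.emergency_codes):
            return True, "emergency_override"    # assumed: also alerts the guard station
        if any(_same(entered, c) for c in self.override_codes):
            return True, "override"
        for name, (code, start, end) in self.users.items():
            if _same(entered, code):
                ok = start <= now <= end
                return ok, f"{'granted' if ok else 'outside_hours'}:{name}"
        return False, "bad_code"


def demo_lock(fail_safe=False):
    # Constructed sample data: names and codes are made up for this example.
    lock = CipherLock(fail_safe=fail_safe, override_codes={"9000"},
                      emergency_codes={"9111"})
    lock.set_code("day_shift", "4821", time(8, 0), time(18, 0))
    lock.set_code("night_guard", "7713")
    return lock
```

Every decision returns an event string so that override and emergency entries can be logged and reviewed separately from ordinary grants.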
Device Locks
Device Locks - Computer equipment sometimes must be locked (laptops, or physically blocking out slots). Some types of device locks are:
Device Locks
- Port controls: block access to floppy or USB ports
- Cable traps: lock down cables from being unplugged and removed.
Fencing
Can deter and delay intruders.
- Fences 3-4 feet high only deter casual trespassers
- Fences 6-7 feet high are considered too high to climb easily
- Fences 8 feet high are considered serious.
Fencing
Memorize the gauges and mesh size chart on pg 457.
Fencing best practices:
- Fences should be a first line of defense
- Critical areas should have fences of 8 feet.
Bollards
Bollards are small concrete pillars, sometimes containing lights or flowers. They are used to stop people from driving through a wall, often put between a building and parking lot. They can be arranged to form a natural path for walking.*
Lighting
Lighting is obviously important in perimeter security. It decreases the probability of criminal activity.
- Each light should cover its own zone and there should not be gaps in the coverage
- Coverage in fact should overlap.
- Lighting should be directed AWAY from the security guards etc.
Surveillance
Surveillance systems are a detective control. Generally these are CCTV systems. CCTV systems consist of:
- Cameras
- Transmitters
- Receivers
- Recording systems
Surveillance
Most cameras are charge-coupled devices that take light from a lens and turn it into an electrical signal. There are two types of lenses in CCTV cameras:
- Fixed focal length
- Variable focal length (zoom lens)
We will define focal length on the next slide.
Focal Length
Focal Length = the distance from the surface of a lens or mirror to its focal point.
- short focal length = wide angle
- long focal length = narrow, but higher magnification
Depth of Field
Depth of field = the range of distance within the subject that is acceptably sharp
- large depth of field = everything is generally sharp
- short depth of field = something is specifically "focused" on where everything else is fuzzy.
Depth of Field
- depth of field increases as the lens opening DECREASES
- depth of field increases as the focal length DECREASES
- best to cover a large area is a wide angle lens with a small lens opening*
Surveillance
Focal Length relates to the amount of area that can be seen.
- Wide angle lenses use small focal lengths*.
- Narrow angles use long focal lengths*.
- If you don't have a CCTV camera that can change, you must pick an appropriate focal length for your application.
- Generally you should have cameras with auto-irises that can adjust to how bright the outside conditions are
- Zoom lenses allow you to change PTZ cameras (pan, tilt, zoom)
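The focal length and depth of field rules from the slides above, worked through with the standard thin-lens formulas (an added example, not part of the original slides). The 4.8 mm sensor width, the 0.005 mm circle of confusion and the lens values compared are assumptions.

```python
import math

SENSOR_WIDTH_MM = 4.8   # assumed: 1/3-inch CCTV sensor
COC_MM = 0.005          # assumed circle of confusion ("acceptably sharp" limit)


def field_of_view_deg(focal_mm, sensor_width_mm=SENSOR_WIDTH_MM):
    """Horizontal angle of view; a shorter focal length gives a wider angle."""
    return math.degrees(2 * math.atan(sensor_width_mm / (2 * focal_mm)))


def sharp_range_mm(focal_mm, f_number, subject_mm, coc_mm=COC_MM):
    """Nearest and farthest distances that are acceptably sharp."""
    # A larger f-number means a smaller lens opening.
    hyperfocal = focal_mm ** 2 / (f_number * coc_mm) + focal_mm
    scale = subject_mm * (hyperfocal - focal_mm)
    near = scale / (hyperfocal + subject_mm - 2 * focal_mm)
    # Focused at or beyond the hyperfocal distance: sharp out to infinity.
    far = math.inf if subject_mm >= hyperfocal else scale / (hyperfocal - subject_mm)
    return near, far


def depth_of_field_mm(focal_mm, f_number, subject_mm):
    near, far = sharp_range_mm(focal_mm, f_number, subject_mm)
    return far - near


def compare(subject_mm=1000):
    """Rows of (focal mm, f-number, view angle deg, depth of field mm)."""
    rows = []
    for focal, n in [(12, 2), (12, 8), (4, 2), (4, 8)]:
        rows.append((focal, n, field_of_view_deg(focal),
                     depth_of_field_mm(focal, n, subject_mm)))
    return rows


if __name__ == "__main__":
    for focal, n, fov, dof in compare():
        print(f"{focal} mm f/{n}: view {fov:.1f} deg, depth of field {dof:.0f} mm")
```

The 4 mm lens at f/8 is the wide angle, small opening case the slides recommend for covering a large area: it has the widest view and is sharp from well under a metre out to infinity.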
Electromechanical IDS
Electromechanical: traditional types, detect the opening of a window by a break in connectivity.
- Vibration sensors are also electromechanical
- Pressure pads are also electromechanical
Photoelectric IDS
Photoelectric uses light beams to detect when something crosses the beam.
IDS
- Acoustical Detection: uses sound (like sonar)
- Proximity detector/capacitance detectors: emits a measurable magnetic field. If the field is disrupted it sets off the alarm. (Usually this field is a very small area, as magnetic fields disperse quickly as the area increases.)
Summary
In this lesson, you have learned:
- Physical and Environmental security
- Physical problems
- Threats in Physical security
- Planning Process
- CPTED guidelines
- Designing Physical Security Program
- Security Zones
- Protecting Assets
Summary
In this lesson, you have learned: (continued)
- Fire prevention system
- Intrusion Detection system
- Environmental issues
- Power best practices
- Perimeter security
- Personnel access controls