Physical (and

Environmental)
Security

Physical and Environmental

Security
Physical security is extremely important.
There is no point in technical and
administrative security controls if someone
can simply bypass them from physically
accessing systems.
Physical security is harder today as systems
are more distributed and complex.
Not just about protecting data, but more
importantly PEOPLE! (remember safety is
always issues #1*)

Some examples of physical

problems
Banks

with bushes to close or to high

near an ATM. Which allows criminals to
hide or blocks view of crimes
Portion of an underground parking
garage has improper lighting
Dairy or shop has too many signs which
robbers target because the view is
obstructed from the outside.

Threats to physical
security
Natural

hazards (floods, tornadoes,

fires, temperatures)
Supply system threats (power outage,
water, gas, WAN connection etc)
Man-made threats (unauthorised
access, explosives, damage by
disgruntled people, accidents, theft)
Politically motivated threats (strikes,
riots, civil disobedience)

Physical security
fundamentals
Life

safety goals should always be #1

priority
Like in technical security, defence
should be layered which means that
different physical controls should work
together to accomplish the goal of
security.
Physical security can address all of the
CIA fundamental principals.

Planning Process
Threats should be classified as internal or
external.
Risk analysis should be taken on a physical
aspect.

1. Assets should be identified,

2. threats should be identified (probabilities calculated)
3. countermeasures put in place that are COST EFFECTIVE

and appropriate to the level of security needed.

Physical security will ultimately be a combination of people,
processes, procedures and equipment to protect
resources.
(more)

Planning Process
The planning and security program should
include the following goals.
Deterrence fences, guards, signs
Reducing/Avoiding damage by Delaying
attackers slow down the attackers (locks,
guards, barriers)
Detection motion sensors, smoke detectors
Incident assessment response of guards,
and determination of damage level
Response procedures fire suppression, law
enforcement notification etc

Planning process
Idea is to avoid having a physical security
violation in the first place!
If

you cannot stop a violation then

countermeasures should mitigate damage
problems.
This can be best accomplished by layering.

If

a crime happens you must be able to detect

it, and response should be implemented.

Remember this is the same process that we

cover in Rink Analysis! All the same processes
and concepts apply.

Target Hardening ()
Focuses on denying access through
physical and artificial barriers. (alarms,
locks, fences). Target hardening can
lead to restrictions on the use,
enjoyment and aesthetics of an
environment.

Target
Hardening

CPTED
Crime Prevention Through Environmental
Design The idea is that proper design
of a physical environment can reduce
crime by directly affecting human
behaviour.
CPTED provides guidance in loss and crime

prevention through properly facility

construction and environmental
components and procedures.

CPTED
CPTED

concepts have been used since the

1960s and have advanced as environments
and crime has advanced.
CPTED looks at the components that make
up the relationship between humans and
their environment and tries to influence
behaviour by creating a environment that
naturally discourages crime.
CPTED is not just used for corporate security
but also for building residential areas etc.

CPTED NZ National
Guidelines
.
http://www.justice.govt.nz/publications/publication

s-archived/2005/national-guidelines-for-crime-preve
ntion-through-environmental-design-in-nz/part-1-sev
en-qualities-of-safer-places/documents/cpted-part-1
.pdf

CPTED NZ National
Guidelines

CPTED NZ National
Guidelines

CPTED guidelines
Examples
Hedges and planters should not be more than
76 cm tall.
Data centre should be at the centre of a facility.
Street furniture should encourage people to sit
and watch what is going around them.
Landscaping should not provide places to hide.
Put CCTV camera in plain view so criminals are
aware they are being watched and recorded.
Be able to determined what type of physical
countermeasure are influenced by CPTED

CPTED (Natural Access

Control)
Natural Access Control tries to control
flow of people entering and leaving a
space by the placement of doors,
fences, lighting and landscaping.
Clear lines of sight and transparency are

used to discourage potential offenders.

Natural barriers can be used to create
physical security zones
Methods are natural or organic, not target
hardening

CPTED (Natural
Surveillance)
Natural Surveillance attempts to
discourage criminals by providing
many ways for others to observe
potential criminal behaviour.
Examples:
Benches
Parks and other public areas

CPTED (Territorial
Reinforcement)
Creating a space that emphasises an
organisations sphere of influence so
employees feel ownership of that
space. The idea is that they will
protect the environment (report
suspicious activities, never directly
intervene). It can also make
criminals feel vulnerable or feel that
they do not belong there.

Good approach to Physical

Security
A good approach is to design generically
using CPTED first and then apply target
hardening concepts where appropriate.

Security Zones
Zones

are used to physically separate areas

into different security areas.

Each inner level

becomes more
restricted and more
secure
Stronger Access Control
and Monitoring at the
entry point to each zone

Designing a Physical Security

Program
When designing a physical security
program you must consider the following
HVAC systems
Construction materials
Power distribution systems
Communications lines
Hazardous materials
Proximity to airports, highways, roads
Proximity to emergency service
etc

Facilities
When building a new facility there are several
considerations
Visibility
Surrounding area and external entities
Crime rate
Proximity to police, medical and fire stations

Accessibility
Roads/access
Traffic
Proximity to airports etc.

Natural

disasters

Probability of floods, hurricanes

Hazardous terrain (mudslides/slips, falling rocks, excessive snow

or rain)

Construction
Different considerations need to be
considered when building a facility
depending on what the facility is
trying to protect and. For example (if
documents are stored, fire-resistant
materials should be used)

Entry Points
Entry

points into a building or control

zone must be secured.
including windows
Including ventilation ducts etc.

All

components of a door should be

equally as strong (hinges, door
construction) as security is only as
good as the weakest link

Doors
Fire

codes dictate that exit bars be

on doors.
Doors can be hollow core or solid
core, hollow core doors should only
be user internally*.
Doors with automatic locks can be
Fail safe* - what does this mean?
Fail secure* - what does this mean?

Man Trap

Windows
There are different type of windows that you
should know about
Standard glass residential home/easily
broken
Tempered glass glass that is heated and
then suddenly cooled. 5-7x stronger than
regular glass
Acrylic glass (plexiglass/lexan) stronger
than regular glass, but gives off toxic fumes
if burnt.
(more)

Windows
Glass

with embedded wires avoids

glass shattering
Laminated glass two sheet of glass
with a plastic film in between. Harder
to break.
Glass can be treated with films to
tint for security.

Computer Room
Computer rooms are where important servers
and network equipment is stored.
Equipment should be placed in locked racks.
Computer rooms should be near the centre of
the building, and should be above ground,
but not too high that it would be difficult to
access by emergency crews
Strict access control should be enabled.
They should only have 1 access door, though
they might have to have multiple fire doors
(more)

Computer Room
Computer

Room should have positive air

pressure
There should be an easy to access
emergency off switch
Portable fire extinguishers
Smoke/fire sensors should be under
raised floors.
Water sensors should be under raised
floors and on ceilings
(more)

Computer Room
Temperature

and Humidity levels should

be properly maintained
Humidity too low, static electricity
Humidity too high, corrosion of metal parts

CR

should be on separate electrical

systems than the rest of the building
Should have redundant power systems
and UPS

Protecting Assets
Organisations must protect from theft. Theft of laptops is a
big deal especially if private information is on the laptop
(Confidentiality, Legal).
You should understand best practices in regards to physically
protecting things from being stolen.
Inventory all laptops including serial number
Use disk encryption on laptops
Do not check luggage when flying
Never leave a laptop unattended
Install tracking software on laptops (low jack type software)
Password protect the BIOS (See next slide)
(more)

BIOS

BIOS

Protecting Assets
You should also be aware of the types of
safes that exist
Wall safe
Floor safe
Chest (stand alone)
Depositories (safes with slots)
Vaults (walk in safes)

Internal Support
Systems
Power is critically important for data
processing we will talk about some
different power issues and concerns to
be aware off.

Electrical Power Issues

Electromagnetic

Interference
electromagnetic that can create noise.
(motors can generate fields)
Radio Frequency Interference
fluorescent lights
(see next slide for visualisation)

Electric power issues

Power interference that stops you
from getting clean power this is
called line noise.

Electrical Power Issues

There are times where the voltage delivered
falls outside normal thresholds
Excess
Spike momentary high voltage
Surge prolonged

Shortage
Sag/dip momentary low voltage
Brownout prolonged low voltage

Loss
Fault momentary outage
Black out

Electrical power issues

In

rush current when a bunch of

things are turned on, power demands
are usually higher, and may stress
power supplies, causing a sag/dip or a
trip breakers.
Try to have computer equipment on
different electrical supplies than other
office equipment
DO NOT install microwaves or vacuums on

computer power circuits.

Power
UPS

(need visualisation)

Online
Standby

Power line conditioners

Backups generators

Know what each power

countermeasure is used for or when
they are appropriate.

Power best practices

Use

surge protectors on desktops

Do not daisy change surge protectors (see
next slide)
Employ power monitor to detect current and
voltage changes
Use regulators or line conditioners in
computer rooms
Use UPS systems in computer rooms
If possible shield power cables in conduit
Do not run power over or under fluorescent
lights

Daisy Chained Power

Strips

Environmental Issues
Improper environments can cause damage to
equipment or services
Water and Gas
Make sure there are shutoff valves and that they
have positive drains (flow out instead of in,
why?)
Humidity
Humidity must not be too high or too low
Low static
High rust/corrosion
Hygrometer measures humidity
(more)

Environmental Issues
Static

electricity besides ensuring

proper humidity
use anti-static flooring in data

processing areas
Dont use carpeting in data centres
Wear anti-static straps when working
inside computers.

Environmental Issues
Temperature

Should not be too high or equipment failure

will occur. General recommendations suggest that you
should not go below 10C (50F) or above 28C (82F).
These are extremes
Suggested range 20-23 C
Google has stated it keeps its data centre temps as high as 26C (80F) to save
electricity costs

Once best temp has been identified, temp should be monitored to

maintain optimal cooling and energy consumption

Ventilation
should be closed loop (re-circulating)
Positive pressure
If a fire is detected HVAC should be immediately turned off.

Fire prevention
Its obvious that you should have fire
prevention, detection and suppression
systems. Which types you use depends on
the environment.
Fire detection systems
Smoke activated (using a photoelectrical
device)
Heat activated
Rate of rise sensors
Fixed temperature sensors

Fire prevention systems

Detectors need to be properly placed
On and above suspended ceilings
Below raised floors
Enclosures and air ducts
Uniformly spread through normal areas

Fire suppression ()
A fire needs fuel, oxygen and high
temperatures to burn. There are
many different ways to stop
combustion
fuel soda acid (remove fuel)
oxygen carbon dioxide (removes

oxygen)
Temperature water (reduces
temperature)
Chemical combustion gas (interferes

Fire Suppression
Different fire suppression types based
on class of fire
A
B
C
D
(well

talk about each of these)

Fire Suppression
A Common Combustibles
Use for: Wood, paper, laminates
Uses water or foam as suppression
agent
B Liquid
Use for: gas or oil fires
Use: Gas (CO2), foam, dry powders

Fire Suppression
C Electrical
Use on: electrical equipment and
wires
Uses: Gas, CO2, dry powder
D Combustible metals
Use on: combustible metals (sodium,
potassium)
Uses: dry powder

Fire Suppression (Gases)

Before any type of dangerous gas
(CO2) is released there should be
some type of warning emitted. (CO2
will suffocate people)
Halon

is a type of gas that used to

be commonly used, it is no longer
used do to CFCs. It was banned by
the Montreal protocol in 1987.
effective replacement is FM-200 or

Fire Suppression Note

HVAC

system should be set to

shutdown when an automatic
suppression system activates.

Fire Supression Systems

Now we need to understand automatic

fire suppression systems

Sprinkler Heads
The thermal linkage is
often a small glass tube
with colored liquid that is
designed to shatter at a
fixed temperature.
The fire will heat the
Thermal Linkage to its
break point, at which
point the water in the
pipe will flow freely
through the opening at a
high pressure. The
pressure of the water

Automatic fire
suppression
Sprinklers
Wet Pipe high pressure water in pipe directly
above sprinkler heads

Deluge Type of wet pipe with a high volume of water

dispersal, not used for data centers.

Automatic fire
suppression

Dry Pipe Air in pipe overhead, water in

reservoir. Used where freezing
temperatures may occur*.

Automatic fire
suppression

Pre action like dry pipe but water is

released / primed by an independent
sensor

Fire random tidbit

Plenum

The crawlspace above a

ceiling.
Know the term
Cables run in the Plenum area MUST be

plenum cable which gives off less toxic

fumes when burning.

Plenum

Perimeter security
Perimeter security is concerned with protecting the outside
of your facility. Ensuring that there is no un-authorised
physical access. Perimeter security can implement
multiple controls to keep the facility secure
Some controls that are used that we will look at are
Locks
Personnel access controls
Fencing
Lighting
Bollards
Surveillance devices
Intrusion detection systems
Guard dogs

Perimeter Security
Locks purpose of locks is to DELAY
intruders, until they can be detected
and apprehended. There are multiple
types of locks that we will talk about
Mechanical
Combination locks
Cipher locks

Locks
Mechanical

use a physical key

(Warded lock or tumbler)
Warded lock basic padlock, cheap

(image)
Tumbler

lock more pieces that a

warded lock, key fits into a cylinder
which moved the metal pieces such
that the bolt can slide into the locked
and unlocked position.
Pin tumbler uses pins

Warded Lock

Tumbler Lock

Locks types (453)

There are different lock grades
Grade 1 commercial
Grade 2 heavy duty residential, light
commercial
Grade 3 residential throw away locks
There are also 3 cylinder categories
Low no pick or drill resistance provided
Medium a little pick resistance
High higher degree of pick resistance

Attacks against key type

locks
Tension

wrench shaped like an L

and is used to apply tension to the
cylinder, then use a pick to
manipulate the individual pins.

Pick

used in conjunction with a

tension wrench to manipulate the
pins into place so you can turn the
cylinder

Lock Picking

Locks
Combination

key, turn

locks rather than use a

Cipher Lock*

Cipher Lock
Cipher locks electronic locks
Advantages:
Combination can be changed
Combination can be different for

different people
Can work during different times of day
Can have override codes
Subtype of Override Code is an emergency
code

Device Locks
Device

Locks - Computer equipment

sometimes must be locked (laptops,
or physically blocking out slots).
Some type of device locks are

Switch Lock

Port / Laptop Lock

Slot

locks
physically lock into
the expansion
slots to physically
secure systems.

Device Locks
Port

controls block
access to floppy or
USB ports

Cable

traps lock
down cables from
being unplugged and
removed.

Personnel access
controls
There are different technologies to
grant access to a building.
User activated a user does
something (swipe cards, biometrics)
Proximity devices/transponders a
system recognizes the presence of
an object. (Electronic access control
tokens) is a generic term for
proximity authentication systems)

Fencing
Can deter and delay intruders
Fences 1 metre high only deter casual
trespassers
Fences 1.8-2.1 m high are considered
too high to climb easily
Fences 2.4 m high should are
considered serious.
(more)

Fencing
Fencing best practices
Fences should be a first line of defence.
Critical areas should have fences of 2,4
metres .

Bollards

Bollards
Bollards are small concrete pillars,
sometimes containing lights or flowers.
They are used to stop people from
driving through a wall, often put
between a building and parking lot.
They can be arranged to form a natural
path for walking.

Lighting
Lighting is obviously important in
perimeter security. It decreases the
probability of criminal activity.
Each light should cover its own zone

and there should not be gaps in the

coverage.
Coverage in fact should overlap.
Lighting should be directed AWAY from
the security guards etc.

Surveillance
Surveillance systems are a detective
control. Generally these are CCTV
systems.
CCTV systems consist of
Cameras
Transmitters
Receivers
Recording systems

Surveillance
Most camera are charged coupled
devices that takes light from a lens
and turns it into an electrical signal.
There are two types of lenses in CCTV
camera
Fixed focal length
Variable focus length (zoom lens)
We will define focal length next slide
(more)

Focal Length
Focal Length = The distance from the
surface of a lens or mirror to its focal
point.
short

focal length = wide angle

long focal length = narrow, but
higher magnification

Depth of Field
Depth of field = Depth of field is the range of
distance within the subject that is
acceptably sharp
large

depth of field = everything is generally

sharp
short depth of field = something is
specifically "focused" on where everything
else is fuzzy.
(see next slide)

Depth of Field

Surveillance
Focal Length - If you dont have a CCTV
camera that can change, you must pick an
appropriate focal length for your application.
Generally you should have cameras with
auto-irises that can adjust to how bright the
outside conditions are
Zoom lenses allow you to change
PTZ cameras (pan, tilt, zoon)

Intrusion Detection
Systems
IDS (physical IDS, NOT network IDS)
help detect the physical presence of
an intruder.
Can be multiple types.

Electromechanical IDS
Electromechanical

traditional types,
determine a opening
of a window by a
break in connectivity.
Vibration sensors are
also
electromechanical
Pressure pads are
also
electromechanical

Photoelectric IDS
Photoelectri

c uses
light beams
to detect
when
something
crosses the
beam.

IDS
Acoustical

Detection uses sound

(like sonar)
Proximity detector/capacitance
detectors emits a measurable
magnetic field. If field is disrupted it
sets off the alarm. (usually this field
is a very small area, as magnetic
fields disperse quickly as the area
increases)

Passive Infrared IDS

Passive Infrared
(PIR) monitors
heat signatures in
a room. (a lot of
home automatic
light systems are
of this type)

Patrols and Guards

Guards

provide a
dynamic response,
guards can make
decisions based on
the situation, which
most other IDS
cannot.
Dogs highly
useful in detecting
intruders and