cissp-chapter06

Uploaded by: guoc****ang  Document ID: 242873546  Upload date: 2024-09-10  Format: PPTX  Pages: 101  Size: 2.09MB
Chapter 6 Physical and Environmental Security
Brian E. Brzezicki

Physical and Environmental Security
- Physical security is extremely important. There is no point in technical and administrative security controls if someone can simply bypass them by physically accessing systems.
- Physical security is harder today as systems are more distributed and complex.
- Not just about protecting data, but more importantly PEOPLE! (remember safety is always issue #1*)
- Often physical security is an afterthought when building new facilities.
- Lawsuits against companies CAN be filed if a company does not take adequate physical security measures.

Some examples of physical problems
- Banks with bushes too close or too high near an ATM, which allows criminals to hide or blocks the view of crimes
- Portion of an underground garage has improper lighting
- Convenience store has too many signs, which robbers target because the view is obstructed from the outside.

Threats to physical security
- Natural hazards (floods, tornadoes, fires, temperatures)
- Supply system threats (power outage, water, gas, WAN connection etc.)
- Manmade threats (unauthorized access, explosives, damage by disgruntled people, accidents, theft)
- Politically motivated threats (strikes, riots, civil disobedience)

Physical security fundamentals
- Life safety goals* should always be the #1 priority
- Like in technical security, defense should be layered, which means that different physical controls should work together to accomplish the goal of security.
- Physical security can address all of the CIA fundamental principles*.

Planning Process
- Threats should be classified as internal or external.
- Risk analysis should be undertaken on the physical aspect.
  - Assets should be identified
  - Threats should be identified (probabilities calculated)
  - Countermeasures put in place that are COST EFFECTIVE and appropriate to the level of security needed.
- Physical security will ultimately be a combination of people, processes, procedures and equipment to protect resources.
(more)

Planning Process
- The planning and security program should include the following goals.
  - Deterrence: fences, guards, signs
  - Reducing/avoiding damage by delaying attackers: slow down the attackers (locks, guards, barriers)
  - Detection: motion sensors, smoke detectors
  - Incident assessment: response of guards, and determination of damage level
  - Response procedures: fire suppression, law enforcement notification etc.

Planning process
- Idea is to avoid having a physical security violation in the first place!
- If you cannot stop a violation then countermeasures should mitigate damage problems.
- This can be best accomplished by layering.
- If a crime happens you must be able to detect it, and a response should be implemented.
- Remember this is the same process that we cover in Risk Analysis! All the same processes and concepts apply.

Target Hardening ()
- Focuses on denying access through physical and artificial barriers (alarms, locks, fences). Target hardening can lead to restrictions on the use, enjoyment and aesthetics of an environment.

Target Hardening

CPTED
- Crime Prevention Through Environmental Design: the idea is that proper design of a physical environment can reduce crime by directly affecting human behavior.*
- CPTED provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures.

CPTED
- CPTED concepts have been used since the 1960s and have advanced as environments and crime have advanced.
- CPTED looks at the components that make up the relationship between humans and their environment and tries to influence behavior by creating an environment that naturally discourages crime.
- CPTED is not just used for corporate security but also for building neighborhoods etc.
- (some example CPTED guidelines are next)

CPTED guidelines
Examples
- Hedges and planters should not be more than 2.5 feet tall.
- Data center should be at the center of a facility.
- Street furniture should encourage people to sit and watch what is going on around them.
- Landscaping should not provide places to hide.
- Put CCTV cameras in plain view so criminals are aware they are being watched and recorded.
- Be able to determine what types of physical countermeasures are influenced by CPTED

CPTED
- CPTED provides three main strategies to bring together physical environment and social behavior to increase overall protection:
  - Natural Access Control*
  - Natural Surveillance*
  - Territorial reinforcement*
- We will talk about these strategies on the upcoming slides.

CPTED (Natural Access Control)
- Natural Access Control tries to control the flow of people entering and leaving a space by the placement of doors, fences, lighting and landscaping.
- Clear lines of sight and transparency are used to discourage potential offenders.
- Natural barriers can be used to create physical security zones
- Methods are natural or organic, not target hardening

CPTED (Natural Surveillance)
- Natural Surveillance attempts to discourage criminals by providing many ways for others to observe potential criminal behavior.
- Examples:
  - Benches
  - Parks and other public areas

CPTED (Territorial Reinforcement)
- Creating a space that emphasizes an organization's sphere of influence* so employees feel ownership of that space. The idea is that they will “protect” the environment (report suspicious activities, never directly intervene). It can also make criminals feel vulnerable or feel that they do not belong there.
- Some examples are listed on the next page

CPTED (Territorial Reinforcement)
- Decorated walls
- Fences
- Landscaping
- Lights
- Flags
- Company signs
- Decorative sidewalks
- Company “activities” (i.e. barbecues)

Good approach to Physical Security
- A good approach is to design generically using CPTED first and then apply target hardening concepts where appropriate.

Security Zones
- Zones are used to physically separate areas into different security areas.
- Each inner level becomes more restricted and more secure
- Stronger access control and monitoring at the entry point to each zone

Designing a Physical Security Program
When designing a physical security program you must consider the following:
- HVAC systems
- Construction materials
- Power distribution systems
- Communications lines
- Hazardous materials
- Proximity to airports, highways, roads
- Proximity to emergency services
- etc.

Facilities
When building a new facility there are several considerations:
- Visibility
- Surrounding area and external entities
  - Crime rate
  - Proximity to police, medical and fire stations
- Accessibility
  - Roads/access
  - Traffic
  - Proximity to airports etc.
- Natural disasters
  - Probability of floods, hurricanes
  - Hazardous terrain (mudslides, falling rocks (really?!?), excessive snow or rain)

Construction
- Different considerations need to be considered when building a facility depending on what the facility is trying to protect and. For example (if documents are stored, fire-resistant materials should be used)
- (read the bullet points on 418/419) you should memorize these.

Entry Points
- Entry points into a building or control zone must be secured.
  - Including windows
  - Including ventilation ducts etc.
- All components of a door should be equally strong (hinges, door construction), as security is only as good as the weakest link

Doors
- Fire codes dictate that exit bars be on doors.
- Doors can be hollow core or solid core; hollow core doors should only be used internally*.
- Doors with automatic locks can be
  - Fail safe* - what does this mean?
  - Fail secure* - what does this mean?
- Man Trap*

Windows
There are different types of windows that you should know about*
- Standard glass: residential home/easily broken
- Tempered glass: glass that is heated and then suddenly cooled. 5-7x stronger than regular glass
- Acrylic glass (plexiglass/lexan): stronger than regular glass, but gives off toxic fumes if burnt.
(more)

Windows
- Glass with embedded wires: avoids glass shattering
- Laminated glass: two sheets of glass with a plastic film in between. Harder to break.
- Glass can be treated with films to tint for security.

Computer Room
- Computer rooms are where important servers and network equipment are stored.
- Equipment should be placed in locked racks*.
- Computer rooms should be near the center of the building, and should be above ground, but not so high that it would be difficult to access by emergency crews*
- Strict access control should be enabled*.
- They should only have 1 access door, though they might have to have multiple fire doors*
(more)

Computer Room
- Computer room should have positive air pressure*
- There should be an easy to access emergency off switch*
- Portable fire extinguishers
- Smoke/fire sensors should be under raised floors*.
- Water sensors should be under raised floors and on ceilings*
(more)

Computer Room
- Temperature and humidity levels should be properly maintained*
  - Humidity too low: static electricity*
  - Humidity too high: corrosion of metal parts*
- CR should be on separate electrical systems from the rest of the building
- Should have redundant power systems and UPS

Protecting Assets (429)
- Organizations must protect from theft. Theft of laptops is a big deal, especially if private information is on the laptop (Confidentiality, Legal).
- You should understand best practices in regards to physically protecting things from being stolen.
  - Inventory all laptops including serial number
  - Use disk encryption on laptops
  - Do not check luggage when flying
  - Never leave a laptop unattended
  - Install tracking software on laptops (LoJack type software)
  - Password protect the BIOS (see next slide)
(more)

BIOS

BIOS

Protecting Assets
You should also be aware of the types of safes that exist:
- Wall safe
- Floor safe
- Chest (stand alone)
- Depositories (safes with slots)
- Vaults (walk in safes)

Internal Support Systems
- Power is critically important for data processing. We will talk about some different power issues and concerns to be aware of.

Electrical Power Issues
- Electromagnetic Interference: electromagnetic that can create noise (motors can generate fields)
- Radio Frequency Interference: fluorescent lights
- (see next slide for visualization)

Electric power issues
- Power interference that stops you from getting “clean power”; this is called line noise.

Electrical Power Issues
There are times where the voltage delivered falls outside normal thresholds:
- Excess
  - Spike: momentary high voltage*
  - Surge: prolonged*
- Shortage
  - Sag/dip: momentary low voltage*
  - Brownout: prolonged low voltage*
- Loss
  - Fault: momentary outage*
  - Black out*

Electrical power issues
- Inrush current: when a bunch of things are turned on, power demands are usually higher and may stress power supplies, causing a sag/dip or tripping breakers.
- Try to have computer equipment on different electrical supplies than other office equipment
- DO NOT install microwaves or vacuums on computer power circuits.

Power
- UPS (need visualization)
  - Online
  - Standby
- Power line conditioners
- Backup generators
- Know what each power countermeasure is used for or when they are appropriate.

Power best practices
- Use surge protectors on desktops
- Do not daisy chain surge protectors (see next slide)
- Employ a power monitor to detect current and voltage changes
- Use regulators or line conditioners in computer rooms
- Use UPS systems in computer rooms
- If possible shield power cables in conduit
- Do not run power over or under fluorescent lights

Daisy Chained Power Strips

Environmental Issues
Improper environments can cause damage to equipment or services
- Water and Gas
  - Make sure there are shutoff valves and that they have positive drains (flow out instead of in, why?)
- Humidity*
  - Humidity must not be too high or too low
  - Low: static
  - High: rust/corrosion
  - Hygrometer measures humidity
(more)

Environmental Issues
- Static electricity: besides ensuring proper humidity
  - Use anti-static flooring in data processing areas
  - Don't use carpeting in data centers
  - Wear anti-static bands when working inside computers.

Environmental Issues
- Temperature: should not be too high or equipment failure will occur. Room temps should be in the 60s ideally.
- Ventilation should be
  - Closed loop (re-circulating)
  - Positive pressure
- If a fire is detected HVAC should be immediately turned off.

Fire prevention
- It's obvious that you should have fire prevention, detection and suppression systems. Which types you use depends on the environment.
- Fire detection systems
  - Smoke activated (using a photoelectrical device)
  - Heat activated
    - Rate of rise sensors
    - Fixed temperature sensors

Fire prevention systems
Detectors need to be properly placed
- On and above suspended ceilings*
- Below raised floors*
- Enclosures and air ducts*
- Uniformly spread through normal areas*

Fire suppression ()
A fire needs fuel, oxygen and high temperatures to burn*. There are many different ways to stop combustion:
- Fuel: soda acid (removes fuel)*
- Oxygen: carbon dioxide (removes oxygen)*
- Temperature: water (reduces temperature)*
- Chemical combustion: gas (interferes with the chemical reactions)*

Fire Suppression
Different fire suppression types based on class of fire
- A
- B
- C
- D
(we'll talk about each of these)

Fire Suppression
- A: Common Combustibles*
  - Use for: wood, paper, laminates
  - Uses water or foam as suppression agent
- B: Liquid*
  - Use for: gas or oil fires
  - Use: gas (CO2), foam, dry powders

Fire Suppression
- C: Electrical*
  - Use on: electrical equipment and wires
  - Uses: gas, CO2, dry powder
- D: Combustible metals
  - Use on: combustible metals (sodium, potassium)
  - Uses: dry powder

Fire Suppression (Gases)
- Before any type of dangerous gas (CO2) is released there should be some type of warning emitted. (CO2 will suffocate people)
- Halon is a type of gas that used to be commonly used; it is no longer used due to CFCs. It was banned by the “Montreal protocol”* in 1987*. Effective replacement is FM-200 or others on top of pg 444*

Fire Suppression Note
- HVAC system should be set to shut down when an automatic suppression system activates.

Fire Suppression Systems
- Now we need to understand automatic fire suppression systems

Sprinkler Heads
- The thermal linkage is often a small glass tube with colored liquid that is designed to shatter at a fixed temperature.
- The fire will heat the thermal linkage to its break point, at which point the water in the pipe will flow freely through the opening at a high pressure. The pressure of the water causes it to spread over a wide area when it hits the deflector

Automatic fire suppression
- Sprinklers
  - Wet Pipe: high pressure water in pipe directly above sprinkler heads
  - Deluge: type of wet pipe with a high volume of water dispersal, not used for data centers.

Automatic fire suppression
- Dry Pipe: air in pipe overhead, water in reservoir. Used where freezing temperatures may occur*.

Automatic fire suppression
- Pre action: like dry pipe but water is released / primed by an independent sensor

Fire random tidbit
- Plenum: the crawlspace above a ceiling.
- Know the term
- Cables run in the plenum area MUST be plenum cable, which gives off less toxic fumes when burning.

Plenum

Perimeter security
- Perimeter security is concerned with protecting the outside of your facility, ensuring that there is no unauthorized physical access. Perimeter security can implement multiple controls to keep the facility secure
- Some controls that are used that we will look at are
  - Locks
  - Personnel access controls
  - Fencing
  - Lighting
  - Bollards
  - Surveillance devices
  - Intrusion detection systems
  - Guard dogs

Perimeter Security
- Locks: the purpose of locks is to DELAY* intruders until they can be detected and apprehended. There are multiple types of locks that we will talk about
  - Mechanical
  - Combination locks
  - Cipher locks

Locks
- Mechanical: use a physical key (warded lock or tumbler)
  - Warded lock: basic padlock, cheap (image)
  - Tumbler lock: more pieces than a warded lock; key fits into a cylinder which moves the metal pieces such that the bolt can slide into the locked and unlocked position.
    - Pin tumbler: uses pins
    - Wafer: uses wafer (not very secure)

Warded Lock

Tumbler Lock

Locks types (453)
- There are different lock grades*
  - Grade 1: commercial
  - Grade 2: heavy duty residential, light commercial
  - Grade 3: residential throw away locks
- There are also 3 cylinder categories
  - Low: no pick or drill resistance provided
  - Medium: a little pick resistance
  - High: higher degree of pick resistance

Attacks against key type locks
- Tension wrench: shaped like an L and is used to apply tension to the cylinder, then use a pick to manipulate the individual pins*.
- Pick: used in conjunction with a tension wrench to manipulate the pins into place so you can turn the cylinder*
- Visualization next slide

Lock Picking

Locks
- Combination locks: rather than use a key, turn
- Cipher Lock*

Cipher Lock

- Cipher locks: electronic locks*
- Advantages*:
  - Combination can be changed
  - Combination can be different for different people
  - Can work during different times of day
  - Can have override codes
    - Subtype of override code is an emergency code*

Device Locks
- Device Locks: computer equipment sometimes must be locked (laptops, or physically blocking out slots). Some types of device locks are
  - Switch lock
  - Port / laptop lock
  - Slot locks: physically lock into the expansion slots to physically secure systems.

Device Locks
- Port controls: block access to floppy or USB ports
- Cable traps: lock down cables from being unplugged and removed.

Personnel access controls
There are different technologies to grant access to a building.
- User activated: a user does something (swipe cards, biometrics)
- Proximity devices/transponders: a system recognizes the presence of an object. (Electronic access control tokens is a generic term for proximity authentication systems)

Fencing
- Can deter and delay intruders
  - Fences 3-4 feet high only deter casual trespassers*
  - Fences 6-7 feet high are considered too high to climb easily*
  - Fences 8 feet high are considered serious.*
(more)

Fencing
- Memorize the gauges and mesh size chart on pg 457

Fencing best practices
- Fences should be a first line of defense.*
- Critical areas should have fences of 8 feet*.

Bollards*

Bollards
- Bollards are small concrete pillars, sometimes containing lights or flowers.
- They are used to stop people from driving through a wall, often put between a building and parking lot.
- They can be arranged to form a natural path for walking.*

Lighting
- Lighting is obviously important in perimeter security. It decreases the probability of criminal activity*.
- Each light should cover its own zone and there should not be gaps in the coverage.*
- Coverage in fact should overlap.*
- Lighting should be directed AWAY from the security guards etc.*

Surveillance
- Surveillance systems are a detective control. Generally these are CCTV systems.
- CCTV systems consist of
  - Cameras
  - Transmitters
  - Receivers
  - Recording systems

Surveillance
- Most cameras are charge-coupled devices that take light from a lens and turn it into an electrical signal.
- There are two types of lenses in CCTV cameras
  - Fixed focal length
  - Variable focal length (zoom lens)
- We will define focal length next slide
(more)

Focal Length
- Focal length = the distance from the surface of a lens or mirror to its focal point.
  - Short focal length = wide angle*
  - Long focal length = narrow, but higher magnification*

Depth of Field
- Depth of field = the range of distance within the subject that is acceptably sharp
  - Large depth of field = everything is generally sharp
  - Short depth of field = something is specifically focused on where everything else is fuzzy.
- (see next slide)

Depth of Field

Depth of Field
- Depth of field increases as the lens opening DECREASES*
- Depth of field increases as the focal length DECREASES*
- Best combination to cover a large area is a wide angle lens with a small lens opening* (short focal length and large depth of field)

Surveillance
- Focal Length: if you don't have a CCTV camera that can change, you must pick an appropriate focal length for your applicati