CHAPTER 5_Physical and Environmental Security Flashcards
1
Q
Emphasis: Cross-sectional
A
A photoelectric system, or photometric system, detects the change in a light beam and thus can be used only in windowless rooms. These systems work like photoelectric smoke detectors, which emit a beam that hits the receiver. If this beam of light is interrupted, an alarm sounds. The beams emitted by the photoelectric cell can be cross-sectional and can be invisible or visible beams. Cross-sectional means that one area can have several different light beams extending across it, which is usually carried out by using hidden mirrors to bounce the beam from one place to another until it hits the light receiver. These are the most commonly used systems in the movies. You have probably seen James Bond and other noteworthy movie spies or criminals use night-vision goggles to see the invisible beams and then step over them.
2
Q
Emphasis: Similarities in Approaches
A
Similarities in ApproachesThe risk analysis steps that need to take place for the development of a physical security program are similar to the steps outlined in Chapter 2 for the development of an organizational security program and the steps outlined in Chapter 8 for a business impact analysis, because each of these processes (development of an information security program, a physical security program, or a business continuity plan) accomplishes goals that are similar to the goals of the other two processes, but with different focuses. Each process requires a team to carry out a risk analysis to determine the company’s threats and risks. An information security program looks at the internal and external threats to resources and data through business processes and technological means. Business continuity looks at how natural disasters and disruptions could damage the organization, while physical security looks at internal and external physical threats to the company resources.
3
Q
Explanation Bullets: If a team is organized to assess the protection level of an existing facility, it needs to investigate the following:
A
- Construction materials of walls and ceilings
- Power distribution systems
- Communication paths and types (copper, telephone, fiber)
- Surrounding hazardous materials
- Exterior components:
- Topography
- Proximity to airports, highways, railroads
- Potential electromagnetic interference from surrounding devices
- Climate
- Soil
- Existing fences, detection sensors, cameras, barriers
- Operational activities that depend upon physical resources
- Vehicle activity
- Neighbors
4
Q
Emphasis: Standby UPS
A
Standby UPS devices stay inactive until a power line fails. The system has sensors that detect a power failure, and the load is switched to the battery pack. The switch to the battery pack is what causes the small delay in electricity being provided. So an online UPS picks up the load much more quickly than a standby UPS, but costs more, of course.
5
Q
Explanations: Intrusion Detection Systems Characteristics
A
IDSs are very valuable controls to use in every physical security program, but several issues need to be understood before implementing them:
6
Q
Bullets: Class II
A
Commercial usage, where general public access is expected; examples include a public parking lot entrance, a gated community, or a self-storage facility
7
Q
Bullets: Class III
A
Industrial usage, where limited access is expected; an example is a warehouse property entrance not intended to serve the general public
8
Q
Bullets: Depositories
A
Safes with slots, which allow the valuables to be easily slipped in
9
Q
Explanations: Types of Fire Detection
A
Fires present a dangerous security threat because they can damage hardware and data and risk human life. Smoke, high temperatures, and corrosive gases from a fire can cause devastating results. It is important to evaluate the fire safety measurements of a building and the different sections within it.
10
Q
Bullets: In-rush current
A
Initial surge of current required to start a load
11
Q
Explanations: Gauges and Mesh Sizes
A
The gauge of fence wiring is the thickness of the wires used within the fence mesh. The lower the gauge number, the larger the wire diameter:
12
Q
Bullets: Supply system threats
A
Power distribution outages, communications interruptions, and interruption of other resources such as water, gas, air filtration, and so on
13
Q
Bullets: Tempered
A
Glass is heated and then cooled suddenly to increase its integrity and strength.
14
Q
Emphasis: fire-resistant material
A
A building could be made up of incombustible material, such as steel, which provides a higher level of fire protection than the previously mentioned materials, but loses its strength under extreme temperatures, something that may cause the building to collapse. So, although the steel will not burn, it may melt and weaken. If a building consists of fire-resistant material, the construction material is fire-retardant and may have steel rods encased inside of concrete walls and support beams. This provides the most protection against fire and forced entry attempts.
15
Q
Emphasis: Vibration sensors
A
An acoustical detection system uses microphones installed on floors, walls, or ceilings. The goal is to detect any sound made during a forced entry. Although these systems are easily installed, they are very sensitive and cannot be used in areas open to sounds of storms or traffic. Vibration sensors are similar and are also implemented to detect forced entry. Financial institutions may choose to implement these types of sensors on exterior walls, where bank robbers may attempt to drive a vehicle through. They are also commonly used around the ceiling and flooring of vaults to detect someone trying to make an unauthorized bank withdrawal.
16
Q
Emphasis: Wafer tumbler
A
Wafer tumbler locks (also called disc tumbler locks) are the small, round locks you usually see on file cabinets. They use flat discs (wafers) instead of pins inside the locks. They often are used as car and desk locks. This type of lock does not provide much protection because it can be easily circumvented.
17
Q
Explanation Bullets: IDSs can be used to detect changes in the following:
A
- Beams of light
- Sounds and vibrations
- Motion
- Different types of fields (microwave, ultrasonic, electrostatic)
- Electrical circuit
18
Q
Emphasis: Testing and Drills
A
Testing and DrillsHaving fire detectors, portable extinguishers, and suppressions agents is great, but people also need to be properly trained on what to do when a fire (or other type of emergency) takes place. An evacuation and emergency response plan must be developed and actually put into action. The plan needs to be documented and to be easily accessible in times of crisis. People who are assigned specific tasks must be taught and informed how to fulfill those tasks, and dry runs must be done to walk people through different emergency situations. The drills should take place at least once a year, and the entire program should be continually updated and improved.
19
Q
Explanation Bullets: The following are some of the EPA-approved replacements for halon:
A
- FM-200
- NAF-S-III
- CEA-410
- FE-13
- Inergen
- Argon
- Argonite
20
Q
Explanations: Personnel Access Controls
A
Proper identification needs to verify whether the person attempting to access a facility or area should actually be allowed in. Identification and authentication can be verified by matching an anatomical attribute (biometric system), using smart or memory cards (swipe cards), presenting a photo ID to a security guard, using a key, or providing a card and entering a password or PIN.
21
Q
Emphasis: auto iris lens
A
CCTV lenses have irises, which control the amount of light that enters the lens. Manual iris lenses have a ring around the CCTV lens that can be manually turned and controlled. A lens with a manual iris would be used in areas that have fixed lighting, since the iris cannot self-adjust to changes of light. An auto iris lens should be used in environments where the light changes, as in an outdoor setting. As the environment brightens, this is sensed by the iris, which automatically adjusts itself. Security personnel will configure the CCTV to have a specific fixed exposure value, which the iris is responsible for maintaining. On a sunny day, the iris lens closes to reduce the amount of light entering the camera, while at night, the iris opens to capture more light—just like our eyes.
22
Q
Bullets: Vaults
A
Safes that are large enough to provide walk-in access
23
Q
Emphasis: passive infrared system (PIR)
A
A passive infrared system (PIR) identifies the changes of heat waves in an area it is configured to monitor. If the particles’ temperature within the air rises, it could be an indication of the presence of an intruder, so an alarm is sounded.
24
Q
Bullets: Incident assessment
A
Response of security guards to detected incidents and determination of damage level
25
Explanations: Natural Surveillance
Please sit on this bench and just watch people walking by. You are cheaper than hiring a security guard.
26
Explanations: Natural Access Control
I want to go into the building from the side, but I would have to step on these flowers. I better go around to the front.
27
Bullets: Master keying
Enables supervisory personnel to change access codes and other features of the cipher lock.
28
Explanation Bullets: When dealing with electric power issues, the following items can help protect devices and the environment:
* Employ surge protectors to protect from excessive current.
* Shut down devices in an orderly fashion to help avoid data loss or damage to devices due to voltage changes.
* Employ power line monitors to detect frequency and voltage amplitude changes.
* Use regulators to keep voltage steady and the power clean.
* Protect distribution panels, master circuit breakers, and transformer cables with access controls.
* Provide protection from magnetic induction through shielded lines.
* Use shielded cabling for long cable runs.
* Do not run data or power lines directly over fluorescent lights.
* Use three-prong connections or adapters if using two-prong connections.
* Do not plug outlet strips and extension cords into each other.
29
Bullets: Amount of illumination of the environment
Lit areas, unlit areas, areas affected by sunlight
30
Emphasis: Fire detection
Fire detection response systems come in many different forms. Manual detection response systems are the red pull boxes you see on many building walls. Automatic detection response systems have sensors that react when they detect the presence of fire or smoke. We will review different types of detection systems in the next section.
31
Emphasis: Laminated glass
Laminated glass has two sheets of glass with a plastic film in between. This added plastic makes it much more difficult to break the window. As with other types of glass, laminated glass can come in different depths. The greater the depth (more glass and plastic), the more difficult it is to break.
32
Emphasis: Responsive area illumination
Responsive area illumination takes place when an IDS detects suspicious activities and turns on the lights within a specific area. When this type of technology is plugged into automated IDS products, there is a high likelihood of false alarms. Instead of continuously having to dispatch a security guard to check out these issues, a CCTV camera can be installed to scan the area for intruders.
33
Explanations: Internal Support Systems
Having a fortified facility with secure compartmentalized areas and protected assets is nice, but also having lights, air conditioning, and water within this facility is even better. Physical security needs to address these support services, because their malfunction or disruption could negatively affect the organization in many ways.
34
Intrusion Detection Systems Characteristics : IDSs are very valuable controls to use in every physical security program, but several issues need to be understood before implementing them:
* They are expensive and require human intervention to respond to the alarms.
* A redundant power supply and emergency backup power are necessary.
* They can be linked to a centralized security system.
* They should have a fail-safe configuration, which defaults to “activated.”
* They should detect, and be resistant to, tampering.
35
Bullets: Wet pipe
Wet pipe systems always contain water in the pipes and are usually discharged by temperature control-level sensors. One disadvantage of wet pipe systems is that the water in the pipes may freeze in colder climates. Also, if there is a nozzle or pipe break, it can cause extensive water damage. These types of systems are also called closed head systems.
36
Explanations: The Planning Process
Okay, so what are we doing and why?Response: We have no idea.
37
Bullets: Class IV
Restricted access; this includes a prison entrance that is monitored either in person or via closed circuitry
38
Explanations: Heat Activated
Heat-activated detectors can be configured to sound an alarm either when a predefined temperature (fixed temperature) is reached or when the temperature increases over a period of time (rate-of-rise). Rate-of-rise temperature sensors usually provide a quicker warning than fixed-temperature sensors because they are more sensitive, but they can also cause more false alarms. The sensors can either be spaced uniformly throughout a facility, or implemented in a line type of installation, which is operated by a heat-sensitive cable.
39
Explanations: Ventilation
Can I smoke in the server room?Response: Security!
40
Explanations: Electric Power
We don’t need no stinkin’ power supply. Just rub these two sticks together.
41
Emphasis: PIDAS Fencing
PIDAS FencingPerimeter Intrusion Detection and Assessment System (PIDAS) is a type of fencing that has sensors located on the wire mesh and at the base of the fence. It is used to detect if someone attempts to cut or climb the fence. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected. PIDAS is very sensitive and can cause many false alarms.
42
Emphasis: capacitance detector
A proximity detector, or capacitance detector, emits a measurable magnetic field. The detector monitors this magnetic field, and an alarm sounds if the field is disrupted. These devices are usually used to protect specific objects (artwork, cabinets, or a safe) versus protecting a whole room or area. Capacitance change in an electrostatic field can be used to catch a bad guy, but first you need to understand what capacitance change means. An electrostatic IDS creates an electrostatic magnetic field, which is just an electric field associated with static electric charges. All objects have a static electric charge. They are all made up of many subatomic particles, and when everything is stable and static, these particles constitute one holistic electric charge. This means there is a balance between the electric capacitance and inductance. Now, if an intruder enters the area, his subatomic particles will mess up this lovely balance in the electrostatic field, causing a capacitance change, and an alarm will sound. So if you want to rob a company that uses these types of detectors, leave the subatomic particles that make up your body at home.
43
Emphasis: blackout
Blackout A blackout is when the voltage drops to zero. This can be caused by lightning, a car taking out a power line, storms, or failure to pay the power bill. It can last for seconds or days. This is when a backup power source is required for business continuity.
44
Bullets: Access control mechanisms
Locks and keys, an electronic card access system, personnel awareness
45
Bullets: Reduction of damage through the use of delaying mechanisms
Layers of defenses that slow down the adversary, such as locks, security personnel, and barriers
46
Emphasis: Patrol Force and Guards
Patrol Force and GuardsOne of the best security mechanisms is a security guard and/or a patrol force to monitor a facility’s grounds. This type of security control is more flexible than other security mechanisms, provides good response to suspicious activities, and works as a great deterrent. However, it can be a costly endeavor, because it requires a salary, benefits, and time off. People sometimes are unreliable. Screening and bonding is an important part of selecting a security guard, but this only provides a certain level of assurance. One issue is if the security guard decides to make exceptions for people who do not follow the organization’s approved policies. Because basic human nature is to trust and help people, a seemingly innocent favor can put an organization at risk.
47
Emphasis: facility safety officer
Every organization should have a facility safety officer, whose main job is to understand all the components that make up the facility and what the company needs to do to protect its assets and stay within compliance. This person should oversee facility management duties day in and day out, but should also be heavily involved with the team that has been organized to evaluate the organization’s physical security program.
48
Emphasis: Heavy timber construction material
Heavy timber construction material is commonly used for office buildings. Combustible lumber is still used in this type of construction, but there are requirements on the thickness and composition of the materials to provide more protection from fire. The construction materials must be at least four inches in thickness. Denser woods are used and are fastened with metal bolts and plates. Whereas light frame construction material has a fire survival rate of 30 minutes, the heavy timber construction material has a fire rate of one hour.
49
Emphasis: Star Trek
These access cards can be used with user-activated readers, which just means the user actually has to do something—swipe the card or enter a PIN. System sensing access control readers, also called transponders, recognize the presence of an approaching object within a specific area. This type of system does not require the user to swipe the card through the reader. The reader sends out interrogating signals and obtains the access code from the card without the user having to do anything. Spooky Star Trek magic.
50
Bullets: Manmade threats
Unauthorized access (both internal and external), explosions, damage by disgruntled employees, employee errors and accidents, vandalism, fraud, theft, and others
51
Explanation Bullets: So, before an effective physical security program can be rolled out, the following steps must be taken:
* Identify a team of internal employees and/or external consultants who will build the physical security program through the following steps.
* Carry out a risk analysis to identify the vulnerabilities and threats and to calculate the business impact of each threat.
* Identify regulatory and legal requirements that the organization must meet and maintain.
* Work with management to define an acceptable risk level for the physical security program.
* Derive the required performance baselines from the acceptable risk level.
* Create countermeasure performance metrics.
* Develop criteria from the results of the analysis, outlining the level of protection and performance required for the following categories of the security program:
* Deterrence
* Delaying
* Detection
* Assessment
* Response
* Identify and implement countermeasures for each program category.
* Continuously evaluate countermeasures against the set baselines to ensure the acceptable risk level is not exceeded.
52
Explanations: Protecting Assets
The main threats that physical security components combat are theft, interruptions to services, physical damage, compromised system and environment integrity, and unauthorized access.
53
Emphasis: Electromechanical systems
Electromechanical systems work by detecting a change or break in a circuit. The electrical circuits can be strips of foil embedded in or connected to windows. If the window breaks, the foil strip breaks, which sounds an alarm. Vibration detectors can detect movement on walls, screens, ceilings, and floors when the fine wires embedded within the structure are broken. Magnetic contact switches can be installed on windows and doors. If the contacts are separated because the window or door is opened, an alarm will sound.
54
Explanations: Preventive Measures and Good Practices
Don’t stand in a pool of water with a live electrical wire.Response: Hold on, I need to write that one down.
55
Preventive Steps Against Static Electricity : The following are some simple measures to prevent static electricity:
* Use antistatic flooring in data processing areas.
* Ensure proper humidity.
* Have proper grounding for wiring and outlets.
* Don’t have carpeting in data centers, or have static-free carpets if necessary.
* Wear antistatic bands when working inside computer systems.
56
Bullets: Security film
Transparent film is applied to the glass to increase its strength.
57
Bullets: Preaction
Preaction systems are similar to dry pipe systems in that the water is not held in the pipes, but is released when the pressurized air within the pipes is reduced. Once this happens, the pipes are filled with water, but it is not released right away. A thermal-fusible link on the sprinkler head has to melt before the water is released. The purpose of combining these two techniques is to give people more time to respond to false alarms or to small fires that can be handled by other means. Putting out a small fire with a handheld extinguisher is better than losing a lot of electrical equipment to water damage. These systems are usually used only in data processing environments rather than the whole building, because of the higher cost of these types of systems.
58
Emphasis: Introduction to Physical Security
Introduction to Physical SecurityThe physical security of computers and their resources in the 1960s and 1970s was not as challenging as it is today because computers were mostly mainframes that were locked away in server rooms, and only a handful of people knew what to do with them anyway. Today, a computer sits on almost every desk in every company, and access to devices and resources is spread throughout the environment. Companies have several wiring closets and server rooms, and remote and mobile users take computers and resources out of the facility. Properly protecting these computer systems, networks, facilities, and employees has become an overwhelming task to many companies.
59
Explanations: Window Types
A security professional may be involved with the planning phase of building a facility, and each of these items comes into play when constructing a secure building and environment. The following sums up the types of windows that can be used:
60
Explanation Bullets: Access control should be in place to control and restrict individuals from going from one security zone to the next. Access control should also be in place for all facility entrances and exits. The security program development team needs to consider other ways in which intruders can gain access to buildings, such as by climbing adjacent trees to access skylights, upper-story windows, and balconies. The following controls are commonly used for access controls within different organizations:
* Limit the number of entry points.
* Force all guests to go to a front desk and sign in before entering the environment.
* Reduce the number of entry points even further after hours or during the weekend, when not as many employees are around.
* Implement sidewalks and landscaping to guide the public to a main entrance.
* Implement a back driveway for suppliers and deliveries, which is not easily accessible to the public.
* Provide lighting for the pathways the public should follow to enter a building to help encourage that only one entry is used for access.
* Implement sidewalks and grassy areas to guide vehicle traffic to only enter and exit through specific locations.
* Provide parking in the front of the building (not the back or sides) so people will be directed to enter the intended entrance.
61
Emphasis: Electronic access control (EAC) tokens
NOTE Electronic access control (EAC) tokens is a generic term used to describe proximity authentication devices, such as proximity readers, programmable locks, or biometric systems, which identify and authenticate users before allowing them entrance into physically controlled areas.
62
Explanation Bullets: Preventive Steps Against Static Electricity
The following are some simple measures to prevent static electricity:
* Use antistatic flooring in data processing areas.
* Ensure proper humidity.
* Have proper grounding for wiring and outlets.
* Don’t have carpeting in data centers, or have static-free carpets if necessary.
* Wear antistatic bands when working inside computer systems.
63
Explanations: Designing a Physical Security Program
Our security guards should wear pink uniforms and throw water balloons at intruders.
64
Emphasis: Perimeter Intrusion Detection and Assessment System (PIDAS)
Perimeter Intrusion Detection and Assessment System (PIDAS) is a type of fencing that has sensors located on the wire mesh and at the base of the fence. It is used to detect if someone attempts to cut or climb the fence. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected. PIDAS is very sensitive and can cause many false alarms.
65
Emphasis: Computer and Equipment Rooms
Computer and Equipment RoomsIt used to be necessary to have personnel within the computer rooms for proper maintenance and operations. Today, most servers, routers, switches, mainframes, and other equipment housed in computer rooms can be controlled remotely. This enables computers to live in rooms that have fewer people milling around and spilling coffee. Because the computer rooms no longer have personnel sitting and working in them for long periods, the rooms can be constructed in a manner that is efficient for equipment instead of people.
66
Explanations: Automatic Dial-Up Alarm
Fire detection systems can be configured to call the local fire station, and possibly the police station, to report a detected fire. The system plays a prerecorded message that gives the necessary information so officials can properly prepare for the stated emergency and arrive at the right location. A recording of someone screaming “We are all melting” would not be helpful to fire officials.
67
Emphasis: Fire Resistant Ratings
Fire Resistant RatingsFire resistant ratings are the result of tests carried out in laboratories using specific configurations of environmental settings. The American Society for Testing and Materials (ASTM) is the organization that creates the standards that dictate how these tests should be performed and how to properly interpret the test results. ASTM accredited testing centers carry out the evaluations in accordance with these standards and assign fire resistant ratings that are then used in federal and state fire codes. The tests evaluate the fire resistance of different types of materials in various environmental configurations. Fire resistance represents the ability of a laboratory-constructed assembly to contain a fire for a specific period of time. For example, a 5/8-inch-thick drywall sheet installed on each side of a wood stud provides a one-hour rating. If the thickness of this drywall is doubled, then this would be given a two-hour rating. The rating system is used to classify different building components.
68
Bullets: Response procedures
Fire suppression mechanisms, emergency response processes, law enforcement notification, and consultation with outside security professionals
69
Explanations: Plenum Area
Wiring and cables are strung through plenum areas, such as the space above dropped ceilings, the space in wall cavities, and the space under raised floors. Plenum areas should have fire detectors. Also, only plenum-rated cabling should be used in plenum areas, which is cabling that is made out of material that does not let off hazardous gases if it burns.
70
Explanations: External Boundary Protection Mechanisms
Proximity protection components are usually put into place to provide one or more of the following services:
71
Bullets: Port controls
Block access to disk drives or unused serial or parallel ports
72
Bullets: Noise
Electromagnetic or frequency interference that disrupts the power flow and can cause fluctuations
73
Bullets: Acrylic
A type of plastic instead of glass. Polycarbonate acrylics are stronger than regular acrylics.
74
Emphasis: Surveillance Devices
Surveillance DevicesUsually, installing fences and lights does not provide the necessary level of protection a company needs to protect its facility, equipment, and employees. Areas need to be under surveillance so improper actions are noticed and taken care of before damage occurs. Surveillance can happen through visual detection or through devices that use sophisticated means of detecting abnormal behavior or unwanted conditions. It is important that every organization have a proper mix of lighting, security personnel, IDSs, and surveillance technologies and techniques.
75
Explanations: Administrative Responsibilities
It is important for a company not only to choose the right type of lock for the right purpose, but also to follow proper maintenance and procedures. Keys should be assigned by facility management, and this assignment should be documented. Procedures should be written out detailing how keys are to be assigned, inventoried, and destroyed when necessary, and what should happen if and when keys are lost. Someone on the company’s facility management team should be assigned the responsibility of overseeing key and combination maintenance.
76
Explanation Bullets: Water detectors can help prevent damage to
* Equipment
* Flooring
* Walls
* Computers
* Facility foundations
77
Bullets: High security
Pick resistance protection through many different mechanisms (only used in grade 1 and 2 locks)
78
Emphasis: Acrylic glass
Acrylic glass can be made out of polycarbonate acrylic, which is stronger than standard glass but produces toxic fumes if burned. Polycarbonate acrylics are stronger than regular acrylics, but both are made out of a type of transparent plastic. Because of their combustibility, their use may be prohibited by fire codes. The strongest window material is glass-clad polycarbonate. It is resistant to a wide range of threats (fire, chemical, breakage), but, of course, is much more expensive. These types of windows would be used in areas that are under the greatest threat.
79
Bullets: Crime and disruption prevention through deterrence
Fences, security guards, warning signs, and so forth
80
Explanations: Fire Suppression
How about if I just spit on the fire?Response: I’m sure that will work just fine.
81
Explanations: Auditing Physical Access
Physical access control systems can use software and auditing features to produce audit trails or access logs pertaining to access attempts. The following information should be logged and reviewed:
82
Emphasis: Wave-pattern motion detectors
Wave-pattern motion detectors differ in the frequency of the waves they monitor. The different frequencies are microwave, ultrasonic, and low frequency. All of these devices generate a wave pattern that is sent over a sensitive area and reflected back to a receiver. If the pattern is returned undisturbed, the device does nothing. If the pattern returns altered because something in the room is moving, an alarm sounds.
83
Emphasis: eight feet high
• Fences eight feet high (possibly with strands of barbed or razor wire at the top) means you are serious about protecting your property. They often deter the more determined intruder.
84
Explanations: Electric Power Issues
Electric power enables us to be productive and functional in many different ways, but if it is not installed, monitored, and respected properly, it can do us great harm.
85
Bullets: Sag/dip
Momentary low-voltage condition, from one cycle to a few seconds
86
Explanations: Crime Prevention Through Environmental Design
This place is so nice and pretty and welcoming. No one would want to carry out crimes here.
87
Bullets: Hostage alarm
If an individual is under duress and/or held hostage, a combination he enters can communicate this situation to the guard station and/or police station.
88
Explanations: Facility
I can’t see the building.Response: That’s the whole idea.
89
Emphasis: Facility Access Control
Facility Access ControlAccess control needs to be enforced through physical and technical components when it comes to physical security. Physical access controls use mechanisms to identify individuals who are attempting to enter a facility or area. They make sure the right individuals get in and the wrong individuals stay out, and provide an audit trail of these actions. Having personnel within sensitive areas is one of the best security controls because they can personally detect suspicious behavior. However, they need to be trained on what activity is considered suspicious and how to report such activity.
90
Auditing Physical Access : Physical access control systems can use software and auditing features to produce audit trails or access logs pertaining to access attempts. The following information should be logged and reviewed:
* The date and time of the access attempt
* The entry point at which access was attempted
* The user ID employed when access was attempted
* Any unsuccessful access attempts, especially if during unauthorized hours
91
Explanation Bullets: Doors Different door types for various functionalities include the following:
* Vault doors
* Personnel doors
* Industrial doors
* Vehicle access doors
* Bullet-resistant doors
92
Emphasis: Entry Points
Entry PointsUnderstanding the company needs and types of entry points for a specific building is critical. The various types of entry points may include doors, windows, roof access, fire escapes, chimneys, and service delivery access points. Second and third entry points must also be considered, such as internal doors that lead into other portions of the building and to exterior doors, elevators, and stairwells. Windows at the ground level should be fortified, because they could be easily broken. Fire escapes, stairwells to the roof, and chimneys are many times overlooked as potential entry points.
93
Bullets: Wired
A mesh of wire is embedded between two sheets of glass. This wire helps prevent the glass from shattering.
94
Emphasis: territorial
The third CPTED strategy is natural territorial reinforcement, which creates physical designs that emphasize or extend the company’s physical sphere of influence so legitimate users feel a sense of ownership of that space. Territorial reinforcement can be implemented through the use of walls, fences, landscaping, light fixtures, flags, clearly marked addresses, and decorative sidewalks. The goal of territorial reinforcement is to create a sense of a dedicated community. Companies implement these elements so employees feel proud of their environment and have a sense of belonging, which they will defend if required to do so. These elements are also implemented to give potential offenders the impression that they do not belong there, that their activities are at risk of being observed, and that their illegal activities will not be tolerated or ignored.
95
Emphasis: surge
Surge A surge is a prolonged rise in voltage from a power source. Surges can cause a lot of damage very quickly. A surge is one of the most common power problems and is controlled with surge protectors. These protectors use a device called a metal oxide varistor, which moves the excess voltage to ground when a surge occurs. Its source can be from a strong lightning strike, a power plant going online or offline, a shift in the commercial utility power grid, and electrical equipment within a business starting and stopping. Most computers have a built-in surge protector in their power supplies, but these are baby surge protectors and cannot provide protection against the damage that larger surges (say, from storms) can cause. So, you need to ensure all devices are properly plugged into larger surge protectors, whose only job is to absorb any extra current before it is passed to electrical devices.
96
Explanation Bullets: Just as most software is built with functionality as the number-one goal, with security somewhere farther down the priority list, many facilities and physical environments are built with functionality and aesthetics in mind, with not as much concern for providing levels of protection. Many thefts and deaths could be prevented if all organizations were to implement physical security in an organized, mature, and holistic manner. Most people are not aware of many of the crimes that happen every day. Many people also are not aware of all the civil lawsuits that stem from organizations not practicing due diligence and due care pertaining to physical security. The following is a short list of some examples of things companies are sued for pertaining to improper physical security implementation and maintenance:
* An apartment complex does not respond to a report of a broken lock on a sliding glass door, and subsequently a woman who lives in that apartment is raped by an intruder.
* Bushes are growing too close to an ATM, allowing criminals to hide behind them and attack individuals as they withdraw money from their accounts.
* A portion of an underground garage is unlit, which allows an attacker to sit and wait for an employee who works late.
* A gas station’s outside restroom has a broken lock, which allows an attacker to enter after a female customer and kill her.
* A convenience store hangs too many advertising signs and posters on the exterior windows, prompting thieves to choose this store because the signs hide any crimes taking place inside the store from people driving or walking by.
* Backup tapes containing sensitive information are lost during the process of moving from an on-site to an off-site facility.
* A laptop containing Social Security numbers and individuals’ financial information is stolen from an employee’s car.
* A malicious camera is installed at an ATM station, which allows a hacker to view and capture people’s ATM PIN values.
* Bollards are not implemented in high foot traffic areas outside of a retail store and someone driving a car accidently swerves his car and injures some pedestrians.
* A company builds an office building that does not follow fire codes. A fire takes place and some people are trapped and cannot escape the fire.
97
Bullets: Deluge
A deluge system has its sprinkler heads wide open to allow a larger volume of water to be released in a shorter period. Because the water being released is in such large volumes, these systems are usually not used in data processing environments.
98
Bullets: Door delay
If a door is held open for a given time, an alarm will trigger to alert personnel of suspicious activity.
99
Bullets: Low security
No pick or drill resistance provided (can fall within any of the three grades of locks)
100
Explanation Bullets: Proximity protection components are usually put into place to provide one or more of the following services:
* Control pedestrian and vehicle traffic flows
* Various levels of protection for different security zones
* Buffers and delaying mechanisms to protect against forced entry attempts
* Limit and control entry points
101
Emphasis: Lock bumping
Lock bumping is a tactic that intruders can use to force the pins in a tumbler lock to their open position by using a special key called a bump key. The stronger the material that makes up the lock, the smaller the chance that this type of lock attack would be successful.
102
Emphasis: Fire suppression
Fire suppression is the use of a suppression agent to put out a fire. Fire suppression can take place manually through handheld portable extinguishers, or through automated systems such as water sprinkler systems, or halon or CO2 discharge systems. The upcoming “Fire Suppression” section reviews the different types of suppression agents and where they are best used. Automatic sprinkler systems are widely used and highly effective in protecting buildings and their contents. When deciding upon the type of fire suppression systems to install, a company needs to evaluate many factors, including an estimate of the occurrence rate of a possible fire, the amount of damage that could result, the types of fires that would most likely take place, and the types of suppression systems to choose from.
103
Bullets: Ground
The pathway to the earth to enable excessive voltage to dissipate
104
Bullets: Solar window film
Provides extra security by being tinted and offers extra strength due to the film’s material.
105
Bullets: The purpose of CCTV
To detect, assess, and/or identify intruders
106
Bullets: Key override
A specific combination can be programmed for use in emergency situations to override normal procedures or for supervisory overrides.
107
Bullets: Laminated
The plastic layer between two outer glass layers. The plastic layer helps increase its strength against breakage.
108
Emphasis: activity support
CPTED also encourages activity support, which is planned activities for the areas to be protected. These activities are designed to get people to work together to increase the overall awareness of acceptable and unacceptable activities in the area. The activities could be neighborhood watch groups, company barbeques, block parties, or civic meetings. This strategy is sometimes the reason for particular placement of basketball courts, soccer fields, or baseball fields in open parks. The increased activity will hopefully keep the bad guys from milling around doing things the community does not welcome.
109
Bullets: Crime or disruption detection
Smoke detectors, motion detectors, CCTV, and so forth
110
Bullets: Medium security
A degree of pick resistance protection provided (uses tighter and more complex keyways [notch combination]; can fall within any of the three grades of locks)
111
Emphasis: load
The load (how much weight can be held) of a building’s walls, floors, and ceilings needs to be estimated and projected to ensure the building will not collapse in different situations. In most cases, this is dictated by local building codes. The walls, ceilings, and floors must contain the necessary materials to meet the required fire rating and to protect against water damage. The windows (interior and exterior) may need to provide ultraviolet (UV) protection, may need to be shatterproof, or may need to be translucent or opaque, depending on the placement of the window and the contents of the building. The doors (exterior and interior) may need to have directional openings, have the same fire rating as the surrounding walls, prohibit forcible entries, display emergency egress markings, and—depending on placement—have monitoring and attached alarms. In most buildings, raised floors are used to hide and protect wires and pipes, and it is important to ensure any raised outlets are properly grounded.
112
Bullets: Natural environmental threats
Floods, earthquakes, storms and tornadoes, fires, extreme temperature conditions, and so forth
113
Bullets: Brownout
Prolonged power supply that is below normal voltage
114
Explanation Bullets: Laptop theft is increasing at incredible rates each year. They have been stolen for years, but in the past they were stolen mainly to sell the hardware. Now laptops are also being stolen to gain sensitive data for identity theft crimes. What is important to understand is that this is a rampant, and potentially very dangerous, crime. Many people claim, “My whole life is on my laptop” or possibly their smartphone. Since employees use laptops as they travel, they may have extremely sensitive company or customer data on their systems that can easily fall into the wrong hands. The following list provides many of the protection mechanisms that can be used to protect laptops and the data they hold:
* Inventory all laptops, including serial numbers, so they can be properly identified if recovered.
* Harden the operating system.
* Password-protect the BIOS.
* Register all laptops with the vendor, and file a report when one is stolen. If a stolen laptop is sent in for repairs, after it is stolen it will be flagged by the vendor.
* Do not check a laptop as luggage when flying.
* Never leave a laptop unattended, and carry it in a nondescript carrying case.
* Engrave the laptop with a symbol or number for proper identification.
* Use a slot lock with a cable to connect a laptop to a stationary object.
* Back up the data from the laptop and store it on a stationary PC or backup media.
* Use specialized safes if storing laptops in vehicles.
* Encrypt all sensitive data.
115
Explanations: Issues with Selecting a Facility Site
When selecting a location for a facility, some of the following items are critical to the decision-making process:
116
Explanations: Environmental Issues
Improper environmental controls can cause damage to services, hardware, and lives. Interruption of some services can cause unpredicted and unfortunate results. Power, heating, ventilation, air-conditioning, and air-quality controls can be complex and contain many variables. They all need to be operating properly and to be monitored regularly.
117
Emphasis: plenum areas
Wiring and cables are strung through plenum areas, such as the space above dropped ceilings, the space in wall cavities, and the space under raised floors. Plenum areas should have fire detectors. Also, only plenum-rated cabling should be used in plenum areas, which is cabling that is made out of material that does not let off hazardous gases if it burns.
118
Bullets: Physical barriers
Fences, gates, walls, doors, windows, protected vents, vehicular barriers
119
Emphasis: Crime Prevention Through Environmental Design (CPTED)
Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures.
120
Bullets: Slot locks
Secure the system to a stationary component by the use of steel cable that is connected to a bracket mounted in a spare expansion slot
121
Emphasis: Cipher locks
Cipher locks, also known as programmable locks, are keyless and use keypads to control access into an area or facility. The lock requires a specific combination to be entered into the keypad and possibly a swipe card. They cost more than traditional locks, but their combinations can be changed, specific combination sequence values can be locked out, and personnel who are in trouble or under duress can enter a specific code that will open the door and initiate a remote alarm at the same time. Thus, compared to traditional locks, cipher locks can provide a much higher level of security and control over who can access a facility.
122
Bullets: Grade 2
Heavy-duty residential/light-duty commercial
123
Bullets: Politically motivated threats
Strikes, riots, civil disobedience, terrorist attacks, bombings, and so forth
124
Emphasis: security zones
The CPTED model shows how security zones can be created. An environment’s space should be divided into zones with different security levels, depending upon who needs to be in that zone and the associated risk. The zones can be labeled as controlled, restricted, public, or sensitive. This is conceptually similar to information classification, as described in Chapter 2. In a data classification program, different classifications are created, along with data handling procedures and the level of protection that each classification requires. The same is true of physical zones. Each zone should have a specific protection level required of it, which will help dictate the types of controls that should be put into place.
125
Bullets: Cable traps
Prevent the removal of input/output devices by passing their cables through a lockable unit
126
Emphasis: Visual Recording Devices
Visual Recording DevicesBecause surveillance is based on sensory perception, surveillance devices usually work in conjunction with guards and other monitoring mechanisms to extend their capabilities and range of perception. A closed-circuit TV (CCTV) system is a commonly used monitoring device in most organizations, but before purchasing and implementing a CCTV, you need to consider several items:
127
Bullets: Peripheral switch controls
Secure a keyboard by inserting an on/off switch between the system unit and the keyboard input slot
128
Emphasis: Bollards
Bollards usually look like small concrete pillars outside a building. Sometimes companies try to dress them up by putting flowers or lights in them to soften the look of a protected environment. They are placed by the sides of buildings that have the most immediate threat of someone driving a vehicle through the exterior wall. They are usually placed between the facility and a parking lot and/or between the facility and a road that runs close to an exterior wall. Within the United States after September 11, 2001, many military and government institutions, which did not have bollards, hauled in huge boulders to surround and protect sensitive buildings. They provided the same type of protection that bollards would provide. These were not overly attractive, but provided the sense that the government was serious about protecting those facilities.
129
Explanation Bullets: Location of water detectors should be
* Under raised floors
| * On dropped ceilings
