Domain 5: Physical And Environmental Security Flashcards
List some controls that have been implemented for physical security.
Security guards, CCTV, surveillance, intrusion detction, system, requirement for employees to hqv a higher level of security awareness.
CCTV =
Closed circuit TV
Layered defense model
physical security controls should work together with tiered archicture. `if one fails, the other will protect it.
Thecompany’s most sensitive assets would be placed in the innermost contolled zone of the environment.
How does the AIC triad apply to physical security?
- Availability of company resources
- Integrity of the assets and environment
- Confidentiality of the data and business processes.
Examples of natural enivornmental threas
Flods, earthquakes, storms and tornadoes, fires, extreme termperature conditions
Examples of Supply system threats
power distributions outages, communications interruptions, interruption of other resources such as water, gas, air filtration, etc.
Examples of manmade threats
Unauthorized access, both external and internal, explosions, damage by disgruntled employees, employee errors and accidents, vandalism, fraud, themft and others
Examples of politically motivated threats
strikes, riots, civil disobedience, terrorist attacks, bombings and so forth
What is the priority in physical security
Life safety goals. Protecting human life.
Physical security is a combination of:
people, processes, procedures, technology, and equipment, all to protect resources.
First thing an organization must do in the planning process is
define the vulnerabilities, threats, threat agents, and targets
What is collusion? Is it an internal or external threat?
An internal and external threat, where two or more people work together to carry ut fraudulent activity. Many criminal cases have uncovered insiders working with outsiders to defraud or damage a company.
What are some controls for collusion?
procedural protection mechanisms, access contrl, like separation of duties, preemployment background checks, rotations of duties, supervision
Physical security goals: drime and disruption prevention through deterrence. Provide examples
fences
security guards
warning signs
Physical security program goals - reduction of damage through the use of delaying mechanisms. Provide examples
layers of defense that slow down the adversary
•locks
•security personnel
barriers
physical security program goals address: creme or disruption detection. Provide examples
- smoke detectors
- motion detectors
- CCTV
Physical security program goals should address: incident assessment
- Response of security guards to detected incidents
* Determination of damage level
Physical Security Program goals should address: Response Procedures. Provide examples:
- Fire suppression mechanisms
- Emergency response processes
- Law enforcement notification
- Consultation with outside security professionals
What is a performance based approach for physical security.
A method tto determine how beneficial and affective your physical security program is.
Devise measurements and metrics to gauge the effectiveness of your countermeasures.
Management can make informed decisions
Name some performance metrics that could be used in performance based approache
- # of successful crimes
- # of successful disruptions
- # of unsuccessful crimes
- time between detection, assessment, and recovery steps
- # false positive detection alerts
- financial loss of successful disruption or crime
Physical security design will contorporate controls required for these five categories:
1- deterrence 2 - delaying 3 - detection 4 - assessment 5 - response
CPTED
Crime Prevention through Environmental Design
A discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. Provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures.
Physical security target hardening focuses on
denying access through physical and artificial barriers likes alarms, locks, fences
You want to protect a side door. Describe the target hardening approach and the CPTED approach.
Target hardening: locks, alarms, cameras on the door; access control mechanism like proximity reader; security guards to monitor
CPTED: no sidewalk leading to the door, no tall trees or bushes to offer seclusion.
What are the 3 main strategies that CPTED brings together the physical environment with social behavior to increase overall protection?
1 - Natural Access Control
2 - Natural Surveillance
3 - Natural Territorial Reinforcement
What is natural access control?
Guidance of people entering and leaving a space by the placement of doors, fences, lighting, landscaping.
Principles of natural surveillance
Natural surveillance strategies include straight lines of sight, low landscaping, raised entrances.
Goal: make criminals feel uncomfortable by providing many ways observers could potentially see them and to make other people feel safe and comfortable by providing an open and well-designed enviornment.
Natural Territorial Reinforcement
Creates physical designs that emphaiszeor extend the company’s physical sphere of influence so that leginitimate users feel a sense ovf ownership of that space.
Every organization should have a facility safety officer. What is their main job?
- Understand all the components that make up the facility and what the company needs to do to protect its assets and stay within compliance.
- Oversee facility management duties day in and day out
- Be heavily involved with the team that has been organized to evaluate the organizations physical security program
What is a physical security program?
- A collection of controls that are implemented and maintained to provide the protection levels necessary to be in compliance with the physical security policy.
- Should embody all regulations and laws
- Should sett the risk level the company is willing ot accept.
What are some issues with selecting a facility site? (4)
- Visibility (surrounding terrain, building markings and signs, types of neighbors, population of the area)
- Surrounding area and external entities (crime rate, riots, terrorism attacks. Proximity to police, medical, and fire stations. Possible hazards from surrounding area)
- Accessibility (road acces. Traffic. Proximity to airports, train stations, highways).
- Natural disaster (likelihood of floods, tornadoes, earthquakes, or hurricanes. Hazardous terrain like mudlides, falling rock, excessive snow/rain).
When designing and buliding a facility, what needs to be addressed from a physical security point of view with the walls?
- combustibility of material (wood, steel, concrete)
- fire rating
- reinforcements for secured areas
When desigining and builidng a fcility, what needs to be addressed from a physical security point of view with the doors?
- combustibility of material (wood, pressed board, aluminum)
- fire rating
- resistance to forcibile entry
- emergency marking
- placement
- locked or controlled entrance
- alarms
- secure hinges
- directional openings
- electic door locks that revert to an unlocked state for safe evacuation in power outages
- type of glass - shatterproof or bulletproof glass requirements
When desigining and building a facility, what needs to be addressed from a physical security point of view for the ceilings?
- combustibility of material (wood, steel, concrete)
- fire rating
- weight-bearing rating
- drop ceiling considerations
When designing and bulidng a facility, what needs to be addressed from a physical sec POV for the windows?
- translucent or opaque requirements
- shatterproof
- alarms
- placement
- accessibility to intruders
When desiging/building a facility, waht needs to be considered about the flooring?
-weight-bearing rating
- combustibiity of material (wood, steel, concrete)
- fire rating
raised flooring
nonconducting surface and material
When designing and building a facility, what needs to e addressed with the HVAC?
Heating, ventilation, and air conditioning:
- positive aire pressure
- protected intake vents
- emergency shutoff valves and switches
- placement
When desiging/building a facility, wha tneeds to be addressed for the elctric power supplies:
- backup and alternate power supplies
- clean and steady power source
- dedicated feeders to required areas
- placement and access to distribution panels and circuit breakers
When desigining/building a faciility, what needss to be considered with the water and gas lines?
- shutoff valves (labeled and brightly painted for visibility)
- positive flow (material flows out of builidng, not in)
- placement (properly located and labeled)
When desigining/building a faiclity, what needs to be considered with fire detection and suppression?
- placement of sensors and detectors
- placement of suppressin system
- types of detectors and suppression agents
Light frame construciton material provides the ____ amount of protection against fire adn forcible entry attempts.
least
Which type of construction material is commonly used for office buildings?
heavy timber
There are requirements on ____ and ____ of the heavy timber construciton material to provide more protection from fire.
Thickness & Composition
Requiremnts for heavy timber construction material include;
- be at least 4” in thickness
- denser woods, fastened with metal bolts and plates
- fire rate of one hour
Example of incombustible material and what does it provide? What’s a negative side of this?
- Steel.
- Provides a higher level of fire protection.
- Loses strength under extreme temperatures which could cause the building to collapse.
Fire-resistant material: what is it, how it made, what does it do?
- Construction material is fire-retardant.
- Could have steel rods encased inside of concrete walls and support beams
- Provides most protectioin against fire and forced entry attempts.
Examples of entry points
Doors, windows, roof access, fire escapes, chimneys, service delivery access points.
Why are mantraps used and how to they work?
Used so unauthorized individuals entering a facility cannot get in or out if it is activated.
It is a small roomw ith two doors; first is locked. Person is identified and authenticated by a security guard/biometric system/smart card reader/swipe card reader. Once aaccess is authorized first door opens and person enters mantrap and is locked in. Person must be authenticated againbefore the 2nd door ulocks and allows him into the facility.
Also possibility to weigh a person to control piggybacking.
Describe doorways with automatic locks with teh fail-safe setting.
if a power disruption occurs that affects the automatic locking system, the doors default to being unlocked. Deals with portecting people.
Describe doorways with a fail-secure configuration.
Default to being locked if there are any problems with the power.\
Best for doors that people do not need to use for escape.
Entry Point: Windows
This type of window is commonly used in residential homes and easily broken.
Standard Glass
Entry points: windows.
This type of glass is made by heating the glass and then suddenly cooling it which increases the mechanical strenght meaning it can handle more stress and is harder to break. It’s also five to sevent imes stronger than standard glass.
Tempered glass.
Acrylic glass can be made out of ______ which is ____ than standard glass but produces ______ if burned. These might be prohibilted by fire codes. The strongest window material is ___________, resistent to a wide rangte of threats, but much more expensive.
Polycarbonate acrylic.
stronger
Toxic fumes
glass-glad polycarbonate
Glass with embedded wires helps…
reduce the likelhood of the window being broken or shattering
This kind of glass has two sheets of glass with a plastic film in between. It makes it more difficult to break, and can come in different depths (the greater the depth, harder to break).
Laminated glass.
- vertically to save space
- mounted on racks or placed inside equipment cabinets
- wiring close to equipment to save on cable costs and reduce tripping hazards
How should you store smaller systems?
UPS
Uninterrupted Power Supply
What are the main threats that physical security components combat?
Theft, interruptions to services, physical damage, compromised system and environment integrity, and unauthorized access.
Protection mechanisms against stolen laptops:
nventory, with serial #
○ Hardent the OS
○ Password-protect the BIOS
○ Register with the vendor and file report when stolen. If sent in for repairs, it will be flagged.
○ Do not check a laptop as luggage
○ Never leave unattended. Carry in a nondescript carrying case.
○ Engrave with a symbol or # fo rID.
○ Use a slot lock with a cable to connect to a stationary object
○ Backup data
○ Use specialized safes for laptops
Encrypt sensitive data.
Name some of the goals of smart grids (5)
1 - self-healing
2 - resistent to physical and cyber-attacks
3 - bidirectional communicaiton capabilities
4 - increased efficiency
5 - better integration of renewable energy sources
Name some of the computerized components of the Smart Grid
Smart meters, smarth thermostats, amutomated control software, automated feedback loops, digital scheduling and load shifting
What are the three ways protecting power can be done?
1 - UPSs
2 - Power Line Conditioners
3 - backup sources
How does a UPS work? Online and standby.
uses battery packs (range in size and capacity).
Online: Use AC line voltage to charge a bank of batteries. While in use, the UPS has an inverter that changes the DC output from the batteries when required AC form and that regulates the voltage as it powers computer devices.
Because Online UPS systems have the _______ passing through them,t they can easily detect ____.
normal primary power
when a power failure takes place
Standby UPS devices stay ______ until a power line fails. The system has ______ that detect a power failure and the load is switched to the battery pack
Inactive
sensors
+/- to online v. standby UPS
Online picks up the power failure more quickly
standby costs less.
Whena re backup power supplies necessary?
when an outage will last longer than a UPS can last.
Backup supplies can be a _______ from another electrical substation fo rfrom a motor generator, and can be used to _______ or to _______.
redundant line
supply main power
charge batters of a UPS system
When clean power is being provided, power supply contains no_____ or _____
interference (line noise)
- electromagentic interference (EMI)
- radio frequency interference (RFI) - can cause disrubance in the flow of electic power when it travels across a power line.
What causes RFI (radio frequency interference)
anything that creates radio waves.
flourescent lighting (mitigate by shielded cabling)
Why is interference damaging to people and devices?
interrupts the flow of an electrical current and can deliver a different level of voltage than what was expected.
Electric power voltage fluctaitons: Power Execess (2)
- Spike: momentary high voltage
2. Surge: prolonged high voltage. One of th emsot common power publesm, controlled with surge protectors.
Electric power voltage fluctuations: Power loss (2)
1 - Fault: Momentary power outage
2 - Blackout: Prolonged, complete loss of electric power
Electric power voltage fluctuations: Power degredation (3)
1 - Sag/dip: momentary low-voltage condition, from one cycle tpo a few seconds
2 - brownout: prolonged power supply that is below normal voltage
3 - In-rush current: initial surge of current required to a load
Ground
Pathway to the eart that enable excessive voltage to disspate
Noise
Electromagnetic or frequency interference that disrupts the power flo and can cause fluctations
Transient Noise
Short duration of power line disruption
Clean Power
Electrical current that does not flucturate
EMI
Electromagnetic interference
RFI
Radio frequency interference
What can cause a surge and how are the protected?
Caused by: strong lightning strike, power plant going onlien or offline, shift in commercial utility power grid, electrical equipment within a business starting and stopping.
Protected by surge protecture which moves the excess voltage to-ground (absorbs extra current before passed onto electrical devices).
A blackout is when _____. This can be caused by ____. A _____ is required for business continuity.
voltage drops to zero
lighning, a car taking out a power line, storms, or failure to pay the bill
backup power source
A brownout is when the voltage in a electrical grid is _____ because of _____. ______ can be used to regulate this fluctuation of power. They can use ______ of voltage and only release the expected _____ volts of alternating current to devices.
reduced
high demand
constant voltage transformers
120
What can be used to ensure a clean and smooth distribution of power? (2)
How do they work?
What’s the goal?
1 - voltage regulators
2 - line conditioners
The primary power runs through a regulator or conditioner, they have the cability to absorb the extra current if there is a spike and to store energey to add current to the line if there is a sag.
Goal: keep the current flowing at a nice, steady level.
Surges, sags, brownouts, blackouts, and voltage spikes frequently cause ____ _____, so data centers are built to provide a high level of protection.
data corruption
What are some preventitive measures and good practices when protecting devices when dealing with electric power issues? (10)
1 - surge protectors to protect from excessive current
2 - shut down devices in an orderly fashion - help avoid data loss or damage
3 - power line monitors (detect frequency and voltage amplitude changes)
4 - use regulaators (keep voltage steady and power clean)
5 - protect distriubtion panels, master circuit breakers, transformer cables with access controls
6 - protection from magnetic induction t hrough shielded ines
7 - shielded cabling: long cable runs)
8 - do not run data or power lines directly over flourescent lights
9 - 3-pronged connections or adapters if using 2-pronged connections
10 - don’t plug outlets and extensions into eachother.
During facility construction, physical security team must make certain that water, steam, and gas lines have proper ____ and ______, which means ______.
shutoff valves
positive drains
their contents flow out instead of in
Physical security is usually the first line of defense against ______ risks and _______.
environmental
unpredictable human behavior
