Physical (environmental) Security

Question 1

Fire, what is the heat triangle.

Answer 1

For a fire to burn, it requires three elements (heat Triangle):
heat
oxygen
fuel.

Fire suppression and extinguishing systems fight fires by removing one of these three elements or by temporarily breaking up the chemical reaction between these three element

Question 2

What is a Class A Fire:

Answer 2

Common Combustibles (Wood, Paper, furniture)
Extinguish: Water / Soda Acid

Question 3

What is a Class B Fire:

Answer 3

Burnable fuels, such as gasoline or oil

Extinguish: CO2 , soda acid, or Halon

Question 4

What is a Class C Fire:

Answer 4

Electrical Fire:

Extinguish: CO2 or Halon

Question 5

What is a Class D Fire:

Answer 5

Special (Chemical, Grease)
Extinguish: Total Immersion or Others.
* CISSP doesn’t really cover this :)

Question 6

Water Damage:

Answer 6

Water: Water damage (and damage from liquids, in general) can occur from many different sources, including pipe breakage, firefighting efforts, leaking roofs, spilled drinks, flooding, and tsunamis. Wet computers and other electrical equipment pose a potentially lethal hazard.

Question 7

Vibration / Movement:

Answer 7

Vibration and movement: Causes may include earthquakes, landslides, and explosions. Equipment may also be damaged by sudden or severe vibrations, falling objects, or equipment racks tipping over. More seriously, vibrations or movement may weaken structural integrity, causing a building to collapse.

Question 8

Severe Weather:

Answer 8

Includes hurricanes, tornadoes, high winds, severe thunderstorms and lightning, rain, snow, sleet, and ice. Such forces of nature may cause fires, water damage and flooding, structural damage, loss of communications and utilities, and personnel hazards.

Question 9

Electricity:

Answer 9

Electrostatic discharge (ESD): The ideal humidity range for computer equipment is 40 to 60 percent. Higher humidity causes condensation and corrosion. Lower humidity increases the potential for ESD (static electricity). A static charge of as little as 40V (volts) can damage sensitive circuits, and 2,000V can cause a system shutdown. The minimum discharge that can be felt by humans is 3,000V, and electrostatic discharges of over 25,000V are possible — so if you can feel it, it’s a problem for your equipment! The ideal humidity range for computer equipment is 40 to 60 percent.

• Electrical noise: Includes Electromagnetic Interference (EMI) and Radio Frequency Interference (RFI). EMI is generated by the different charges between the three electrical wires (hot, neutral, and ground) and can be common-mode noise (caused by hot and ground) or traverse-mode noise (caused by a difference in power between the hot and neutral wires). RFI is caused by electrical components, such as fluorescent lighting and electric cables. A transient is a momentary line-noise disturbance.

Question 10

Electrical Anomalies:

Mneuonic:
Bob Frequently Buys Shoes In Shoe
Stores

Answer 10

Blackout - loss of all power
Fault - Momentary loss of power
Brownout - prolonged power outage
Sag - Short drop in voltage
Inrush - initial power rush
Spike - Momentary rush of power
Surge - prolonged rush of power

Question 11

Lightning Strikes (electricity):

Answer 11

Approximately 10,000 fires are started every year by lightning strikes in the United States alone, despite the fact that only 20 percent of all lightning ever reaches the ground. Lightning can heat the air in immediate contact with the stroke to 54,000° Fahrenheit (F), which translates to 30,000° Celsius (C), and lightning can discharge 100,000 amperes of electrical current. Now that’s an inrush!

It’s not the volts that kill — it’s the amps!

Question 12

Magnetic Fields (electricity):

Answer 12

• Magnetic fields: Monitors and storage media can be permanently damaged or erased by magnetic fields.

Question 13

Sabbotage / terrorism / war / theft / vandalism

Answer 13

Sabotage/terrorism/war/theft/vandalism: Both internal and external threats must be considered. A heightened security posture is also prudent during certain other disruptive situations — including labor disputes, corporate downsizing, hostile terminations, bad publicity, demonstrations/protests, and civil unrest.

Question 14

Equipment Failure:

Answer 14

Equipment failure: Equipment failures are inevitable. Maintenance and support agreements, ready spare parts, and redundant systems can mitigate the effects

Question 15

Loss of Communication:

Answer 15

Loss of communications and utilities: Including voice and data; electricity; and heating, ventilation, and air conditioning (HVAC). Loss of communications and utilities may happen because of any of the factors
discussed in the preceding bullets, as well as human errors and mistakes.

Question 16

Personal Loss:

Answer 16

Can happen because of illness, injury, death, transfer, labor disputes, resignations, and terminations. The negative effects of a personnel loss can be mitigated through good security practices, such as documented procedures, job rotations, cross-training, and redundant functions.

Question 17

Crime Prevention Through Environmental Design (CPTED)

Answer 17

Adopted by security practitioners in the design of public
and private buildings, offices, communities, and campuses since CPTED was first published in 1971.

CPTED focuses on designing facilities by using techniques such as unobstructed areas, creative lighting, and functional landscaping, which help to naturally deter crime through positive psychological effects.

Question 18

Natural access control ? (CPTED)

Answer 18

• Use security zones to to limit / restrict movement.
• Zones help differentiate between public, semi-private, and private areas that might require differing levels of protection

Question 19

Target Hardening ? (CPTED)

Answer 19

Target hardening complements natural access controls by using mechanical and/or operational controls, such as window and door locks, alarms, picture identification requirements, and visitor sign-in/out procedures.

Question 20

Natural Surveillance ? (CPTED)

Answer 20

• Reduces criminal threats by making intruder activity more observable and easily detected.
• maximizing visibility - windows over streets.
• landscaping to eliminate hidden areas and create clear lines of sight.
• installing open railings on stairways to improve visibility.
• Using low-intensity lighting fixtures to eliminate shadows and reduce security-camera glare or blind spots

Question 21

Territorial Reinforcement (CPTED)

Answer 21

• instills pride in the property, and has a greater chance of making intruders stand out.
• Pick Up Litter, Clean up Graffiti, placing amenities.

Question 22

Choosing a Secure Location:

Answer 22

• Climatology / Natural Disasters - Flood plains, hurricane alley, evacuation routes.
• Local Considerations: HIgh Crime Area, Flight Path.
• Visibility - Is the site near another high visibility location ? Power Plant, government / military establishment.
• Accessibility - local traffic patterns, convenience to airports, proximity to emergency services, housing costs
• Utilities - Power, Fibre,
• Joint Tenants - Will you have full access to environmental controls ?

Question 23

Secure Facility - Other Considerations:

Answer 23

• Exterior Walls - hurricane resistent, electrical dampner
• Windows - Opague, fixed (none openable)
• Interior Walls - be wary of security around secure areas
• Floors - Load bearing (150lb), none conductive (raised)
• Ceilings - Weight bearing, Fire Rated,
• Doors - designed to resist force able entry, locks failopen, fire rated = adjacent wall.
• Lighting - provide safety and discourage invaders
• Wiring - comply with building and fire codes.
• Electricity - load planning in certain areas.
• HVAC - Humidity & env. levels must be controlled.

Question 24

Physical (Environmental) Security Controls

Answer 24

Physical (environmental) security controls include a combination of:

• physical access controls
• technical controls
• environmental and life safety controls
• fire detection and suppression
• administrative controls

Question 25

Physical access controls:

Answer 25

• fencing
• security guards
• dogs
• locks
• storage areas
• security badges
• biometrics

Question 26

Physical Access - Fencing:

3-6-8 = Minimum Hate

Answer 26

Height General Effect
3–4 ft (1m) Deters casual trespassers
6–7 ft (2m) Too high to climb easily
8 ft (2.4m) + three-strand barbed wire Deters more determined intruders

Question 27

Physical Access - Man Trap:

Answer 27

A mantrap is a method of physical access control that consists of a double set of locked doors or turnstiles. The mantrap may be guarded or monitored, may require a different level of access to pass through each door or in a different direction

Question 28

Physical Access Security Guards (PRO):

Answer 28

• Discernment: Guards can apply human judgment to different situations.
• Visibility: Guards provide a visible deterrent, response, and control capability.
• Multiple functions: Guards can also perform reception and visitor escort functions.

Question 29

Physical Access Security Guards (CON):

Answer 29

• Unpredictability: Pre-employment screening and bonding doesn’t necessarily assure reliability or integrity.
• Imperfections: Along with human judgment comes the element of human error.
• Cost: Maintaining a full-time security force (including training) or outsourcing these functions can be very expensive.

Question 30

Physical Security - Guard Dogs:

Answer 30

Like human guards, dogs also provide a highly visible deterrent, response, and control capability. Additionally, guard dogs are typically more loyal and reliable than humans, with more acute sensory abilities.

Other considerations include

• Limited judgment capability
• Cost and maintenance
• Potential liability issues

Question 31

Physical Security - Locks

Answer 31

Simplest way to restrict access to windows and doors is through a lock:

• Preset -Basic mechanical lock, tumblers etc.
• Programmable -Mechanical (use a keypad)
• Electronic - Use a swipe card

Question 32

Storage Areas:

Answer 32

Storage areas that contain spare equipment and parts, consumables, and deliveries should be locked and controlled to help prevent theft.

Additionally, you should be aware of any hazardous materials being stored in such areas, as well as any environmental factors or restrictions that may affect the contents of the storage area.

Question 33

Security Badges:

Answer 33

Security badges (or access cards) are used for identification and authentication of authorized personnel entering a secure facility or area.

Question 34

A Photo Identification Card:

Answer 34

A photo identification card (also referred to as a dumb card) is a simple ID card that has a facial photograph of the bearer.

Question 35

Smart Cards:

Answer 35

Smart cards are digitally encoded cards that contain an integrated chip (IC) or magnetic stripe (possibly in addition to a photo).

• Magnetic Strip - info encoded on the strip (credit card)
• Optical-Coded - info encoded by laser onto digital dots
• Smart Card - electrical contacts, user info, logical access
• Proximity (passive) - electromagnetic from reader
• Proximity (Field-powered) - RF transmitter
• Proximity (Transponder) - Card & Reader contain a transceiver, control logic, and battery.

Can be used in 2 factor authentication.

Question 36

Biometric access controls

Answer 36

Biometrics provide the only absolute method for positively identifying an individual based on some unique physiological or behavioral characteristic
of that individual.

• Finger scan
• Hand geometry
• Retina pattern
• Iris pattern
• Voice recognition
• Signature dynamics

Question 37

Technical controls

Answer 37

Technical controls include monitoring and surveillance, intrusion detection systems (IDSs), and alarms that alert personnel to physical security threats and allow them to respond appropriately.`

Question 38

Surveillance:

Answer 38

Visual surveillance systems include:
photographic and electronic equipment
that provides detective and deterrent controls. When used to monitor or record live events, they’re a detective control. The visible use of these systems also provides a deterrent control.

Electronic systems such as closed-circuit television (CCTV) can extend and improve the monitoring and surveillance capability of security guards.
Photographic systems, including recording equipment, record events for later analysis or as evidence for disciplinary action and prosecution.

Question 39

Intrusion Detection (Physical Domain)

Answer 39

• Systems that detect attempts to gain unauthourised physical access to a building or area.
• Photoelectric sensors - Infrared Red beams
• Dry Contact / metallic tape - alerts on a connection break
• Motion (Wave) - motion changes frequency and alerts
• Motion (Capacitance) - monitors a field for a change in capacitance, which is caused by movement.
• Motion (audio) - triggered by abnormal sound.

Question 40

Alarms (Physical Domain)

Answer 40

Alarms are activated when a certain condition is detected. Examples of systems employing alarms include fire and smoke detectors, motion sensors and
intrusion detection systems (IDSs)

Alarms should have separate circuity and a backup power source.

Question 41

The Five types of Alarm System (physical Domain):

Answer 41

• Local audible alarm, local to building, local response
• Central- alerts are monitored by a central managed sys.
• Proprietary: Same as Central just managed on premise.
• Auxiliary : use local municipal fire and police circuits.
• Remote: Same as auxiliary, save that it is not connected to local municipal curcuits, a remote system calls the police and plays a pre-recorded message.

Question 42

Environmental and life safety controls

Answer 42

These controls are necessary for maintaining a safe and acceptable operating environment for computers and personnel. These controls include electrical
power, HVAC, smoke detection, and fire detection and suppression.

Question 43

Environmental Safety - Electrical Power

Answer 43

• Maintain proper humidity (40 - 60)
• Ensure proper grounding
• Use anti-static flooring, carpeting and floor mats.
• Use a UPS

Question 44

Protective Controls - Electrical Power

Answer 44

• Install powerline conditioners.
• Ensure proper grounding.
• Use shielded Cabling.

Question 45

Protective Controls - HVAC

Answer 45

• ideal temp range for computers 50 - 80 degrees F.

* HVAC equipment should be dedicated, controlled, and monitored

Question 46

Fire Detection

Answer 46

There are 3 main systems:
* Heat-Sensing - rapid temp changes or a fixed value
* Flame-Sensing - flicker/ pulsing/ infrared light of flames
Smoke-Sensing - photoelectric - change in light intensity
Smoke-Sensing - Beam - smoke interrupts Beam
Smoke-Sensing - ioniation - disturbance in the force
Smoke-Sensing - Aspiration - Air sampling.

Question 47

Fire Suppression - Water

Answer 47

Used for a Class A Fire.

• Wet Pipe - nozzle melts / ruptures releasing the water
• Dry Pipe - On activation clapper value releases water
• Deluge - Drown everything (Noah stylie)
• Preaction - combination of wet and dry pipes.

Question 48

Fire Suppression - Gas

Answer 48

• CO2 - (B,C) Must be within 50ft of electrical gear. removes the oxygen from the triangle.
• Soda Acid - (A,B) removes the fuel from the triangle.
• Gas-dischange - (B,C) seperate the triangle.
• Halon - has been banned since 1987 because of ozone depletion.

Question 49

Administrative Controls

Answer 49

These controls include the policies and procedures necessary to ensure that physical access controls, technical controls, and environmental and life safety controls are properly implemented and achieve an overall physical security strategy.

Question 50

Restricted Areas

Answer 50

• areas in which sensitive information is handled.
• should be clearly marked as restricted.
• authourised vs not personnel should be marked.

Question 51

Visitors

Answer 51

• visitor policies should be clearly defined.
• logs books and ID usage for validation are a must.
• colour coded badges and escorts are also options.

Question 52

Personal Privacy

Answer 52

• privacy rules must be clearly defined.

* employees must be aware and consent to to workplace monitoring.

Question 53

Safety

Answer 53

• employee awareness to risks when traveling is recommended.
• Safeguards within the workplace should be continuously reviewed.

Question 54

Audit trails and access logs

Answer 54

Audit trails and access logs are detective controls that provide a record of events.

Question 55

Asset classification and control

Answer 55

Asset classification and control, particularly physical inventories, are an important detective control.

Question 56

Emergency Procedures

Answer 56

• These should be clearly documented and accessible to all employees.
• Regular practice runs should be scheduled
• The document should be regularly audited

Question 57

General HouseKeeping

Answer 57

• None Smoking,

* removal of waste

Question 58

Pre-employment and post-employment procedures

Answer 58

These procedures include background and reference checks, obtaining security clearances, granting access, and termination procedures.