Physical / Environmental Security Flashcards
Threat Mitigation Technique
Internal
Addresses insider threats, from those who already have access
e.g., a door lock on the server room is designed to keep out those already in the building
Threat Mitigation Technique
External
Addresses perimeter security, or access to building or room from outsiders
e.g., an electric fence surrounding the facility designed to keep out those who don’t have access
Geographical Threats
Hurricane / Tropical Storm
Location of facility should dictate how much is spent in mitigating possible damages
Tornadoes
Rate and severity of tornadoes in an area from historical perspective help determine protective measures
Earthquakes
Treated same way as hurricanes
Floods
Can occur anywhere. Keep computing systems off the floor. Build server rooms and wiring closets on raised floors
Electrical threats
all mission critical systems should be on a UPS
use onsite generators for longer term
maintain 40-60% relative humidity around equipment
use line conditioners to maintain clean, steady power
Communications
Maintain fault-tolerant connections to internet
know contact phone numbers for employee notifications
Establish radio communications over entire campus with repeater antennas to provide comms during emergencies
Man-made threats
explosions
fire
vandalism
Explosions
prevent access to areas where explosions could cause serious damage
Fire
all walls should have 2 hour minimum fire rating
deploy auxiliary station alarm
use proper extinguisher / suppression system
Vandalism
ensure critical components are inaccessible
Man-made threats
Fraud
Theft
Collusion
Fraud
prevent physical access to critical systems
Theft
Prevent physical access to facility
Collusion
can be caused by separation of duties. Consider the tradeoff
Politically Motivated Threats
Strikes
Riots
Civil disobedience
Terrorist acts
Bombing
Strikes
can cost productivity and hurt image of company
Riots
Enterprise is seen as willing participant in some perceived slight
Civil Disobedience
physical security of facility becomes important in case action is taken against facility
Terrorist acts
includes emergency planning to address terrorism
reactions should be rehearsed
Bombing
evacuation plans should address terrorist threats and bombings
Site and Facility Design
Layered Defense Model
Reliance should not be based on any single physical security concept but on the use of multiple approaches that support one another
Perimeter-Network-Host-Application-Data
CPTED
Crime Prevention Through Environmental Design
3 main strategies
Design facility from ground up to support security
Natural Access Control
place doors, lights, fences, landscaping to satisfy security goals in the least obtrusive and most appealing way possible
Natural Surveillance
Promotes visibility of all areas to discourage crime
Natural Territorial Reinforcement
Promotes feeling of community, tries to extend sense of ownership to employees
Physical Security Plan Goals
Deter criminal activity
delay intruders
detect intruders
assess situation - identify specific personnel and actions to take when event occurs
respond to intrusions and disruptions - anticipate and develop responses to intruders and disruptions
Facility Selection Issues
Visibility - amount depends on organization and processes being done by facility
surrounding areas and external entities - consider nature and operations of surrounding businesses, and people they attract
accessibility - how easily can employees access facility
construction - what are support systems built into the building
internal compartments - are there drop ceilings in rooms that need to be secured?
Computer and Equipment rooms
should be locked and secured
should be in center of building
have single point of entry
avoid top floors of buildings and the basement
install and test fire detection and suppression systems
install raised flooring
install separate power supplies
use only solid doors
Perimeter Security
Concentric Circle Approach
Perimeter fence
Exterior door
Office door
Locked cabinet
Perimeter Security
Protection from vehicles
Bollards in front of doorways
Perimeter Security
Fences and Gates
Fences
3-4 foot tall fences - casual intruders
6-7 foot fences - too tall to climb easily
8 foot and taller - deter more determined people
Gates
Class 1 - Residential
Class 2 - Commercial
Class 3 - Industrial
Class 4 - Restricted
Perimeter Security
Intrusion Detection Systems
Infrared - changes in heat waves
Electromechanical - detect break in electrical circuit
Photometric or Photoelectric - detect changes in light, used in windowless areas
Acoustical - microphones detect sounds
Wave Motion - generate wave pattern and detect any motion that disturbs it
Capacitance Detector - emits magnetic field and monitors it
CCTV - cameras for real time view and/or recording
Perimeter Security
Lighting Systems
Continuous Lighting - array of lights producing even amount of illumination across an area
Standby Lighting - illuminates only at certain times or on a schedule
Movable Lighting - can be repositioned as needed
Emergency Lighting - have own power source for use when general power is out
Perimeter Security
Types of Lighting
Fluorescent - low pressure mercury vapor gas-discharge lamp
Mercury Vapor - gas discharge, electric arc through vaporized mercury
Sodium Vapor - gas discharge, uses excited sodium to produce light
Quartz lamps - UV light source like mercury vapor contained in fused silica bulb that transmits UV light with little absorption
Perimeter Security
Patrol Force
Access Control
Guards can use discriminating judgement which automated systems cannot do
Every successful and unsuccessful attempt to enter facility should record:
date and time
specific entry point
user ID employed during attempt
Building and Internal Security
Doors
Vault Doors - lead into walk-in safes or security rooms
Personnel Doors - used by people to enter facility
Industrial Doors - large doors for vehicles
Vehicle access doors - doors to parking building or lots
Bullet resistant doors - for withstanding firearms
Building and Internal Security
Electronic Locks
Electric locks or cipher locks use a keypad
Proximity Authentication device uses programmable card to deliver access code
These devices typically have these EAC (Electronic Access Control) components
Electromagnetic lock
Credential reader
Closed door sensor
Building and Internal Security
Mantraps
2 doors that hold a person in small room until they’re verified before opening the second door
Building and Internal Security
Warded locks
Key must pass through the wards to unlock
Building and Internal Security
Tumbler locks
If the key is the right pattern, tumblers fall into right place and open the door
Building and Internal Security
Combination locks
Turn the dial left and right to align studs and pins
Building and Internal Security
Glass entries
Standard - used for residential, easily broken
Tempered glass - heated for extra strength
Acrylic - made of polycarbonate acrylic. Much stronger than regular glass. Toxic when burned
Laminated - sheets of glass with plastic film between, making it harder to break
Building and Internal Security
Interior considerations
Visitor control - ways to accompany visitor/contractor to destination
Equipment rooms - lock and keep inventory so theft can be discovered
Work areas - prohibiting some employees from certain areas can be beneficial
Secure Data Center
Data center shouldn’t be on top floor or basement
off switch should be located near door for easy access
separate HVAC for these is recommended
environmental monitoring should be deployed with alerting enabled for temp and humidity issues
Use raised floors to help prevent water damage
All systems should have a UPS and the room should be on a generator
Fire detectors
smoke activated - uses photoelectric device to detect variations in light caused by smoke particles
Heat activated - detects heat changes. Can alert at a predefined temperature or when the rate of rise reaches a certain value
Flame actuated - optical devices that “look at” an area. Typically react faster to a fire than non-optical devices
Fire Suppression Systems
Wet Pipe
water is contained in pipes to extinguish fire
water could freeze and burst in some areas
not recommended for rooms where equipment can be damaged by water (like computer rooms)
Dry Pipe
water held in a holding tank, not in pipes
only pushed to pipes if actual fire
Fire Suppression
Preaction and Deluge
Preaction
Operates like dry pipe except sprinkler head holds a thermal-fusible link that must be melted before water is released. Currently the recommended system for computer rooms
Deluge
Allows large amounts of water to be released. Not a good choice for computer rooms
Fire Suppression / Environmental Security
EPA approved replacements for Halon
Water
Argon
NAF-S-III
FM-200
Types of Power Issues
Surge - prolonged high voltage
Brownout - prolonged voltage decrease below normal
Fault - momentary power outage
Blackout - prolonged power outage
Sags - momentary reduction in power level
How to prevent static electricity
antistatic sprays
maintain proper humidity levels
use antistatic mats, wristbands
To protect against dirty power
power conditioners
sits between wall outlet and device to smooth power fluctuations
UPS
between wall outlet and device and has a battery to provide power if source is lost
both can be in same device
HVAC Issues
Heat
High humidity
Low humidity
excess heat causes crashes and reboots
too much humidity causes corrosion
too little humidity causes static, which can cause damage
HVAC Issues
Heat temperature guidelines
at 100 degrees damage starts occurring to magnetic media, primarily floppy disks
at 175 degrees damage starts occurring to computers and peripherals
at 350 degrees damage starts occurring to paper products
Equipment Security
Corporate Procedures should address:
tamper protection
encryption
inventory
physical protection of security devices
tracking devices
portable media procedures
Personnel Privacy and Safety
Human resources are the most important assets
OEP - Occupant Emergency Plan provides coordinated procedures for minimizing loss of life or injury