Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
.
CIS 3500 1
Physical Security Controls
Chapter #17:
Architecture and Design
Chapter Objectives
n Explore the importance of physical security controls
n Learn about important environment controls
Physical Security Controls2
Physical Security Controls
n Physical security is an important for businesses dealing with
the security of networks and information systems
n Locking doors, installing alarm systems, using safes,
posting security guards, setting access controls
n Environmental controls protect systems used to process
information
Physical Security Controls3
Lighting
n Proper lighting is essential for physical security
n Unlit or dimly lit areas allow intruders to lurk and conduct
unauthorized activities
n External and internal
n Have sensitive areas well lit and open to observation
n Unauthorized parties in server rooms are more likely to be
detected if the servers are centrally located, surrounded in
windows, and well lit
Physical Security Controls4
.
CIS 3500 2
Signs
n Signs act as informational devices and can be used in a
variety of ways to assist in physical security
n Restricted areas, specific precautions, keeping doors
locked, delineate where visitors are allowed versus where
escorts are required
n Visual clues can take the form of different-color name
badges that indicate the level of access, visual lanyards
that indicate visitors, colored folders
Physical Security Controls5
Fencing/Gate/Cage
Physical Security Controls6
Security Guards
n Security guards are a visible presence with direct
responsibility for security
n They typically monitor entrances and exits and can
maintain access logs
n Security guards typically are not computer security experts,
so they need to be trained
n Strangers parked in the parking lot with laptops or other
mobile computing devices are all indicators of an attack
Physical Security Controls7
Alarms
n A la r m s s e r v e t o a le r t o p e r a t o r s t o a b n o r m a l c o n d i t io n s
n P h y s ic a l s e c u r i t y c a n in v o lv e s e n s o r s , in t r u s io n a la r m s , m o t io n d e t e c t o r s ,
s w i t c h e s t h a t a le r t t o d o o r s b e in g o p e n e d , v id e o a n d a u d io s u r v e i l la n c e
n W h e n t h e s e s y s t e m s h a v e in f o r m a t io n a n a la r m is t h e e a s ie s t m e t h o d o f
a le r t in g p e r s o n n e l t o t h e c o n d i t io n
n A la r m s a r e n o t s im p le : i f a c o m p a n y h a s t o o m a n y a la r m c o n d i t io n s ,
e s p e c ia l ly f a ls e a la r m s , t h e n t h e o p e r a t o r s w i l l n o t r e a c t t o t h e c o n d i t io n s
a s d e s i r e d
n T u n in g a la r m s s o t h a t t h e y p r o v id e u s e f u l , a c c u r a t e , a n d a c t io n a b le
in f o r m a t io n i s im p o r t a n t f o r t h e m t o b e e f f e c t iv e
Physical Security Controls8
.
CIS 3500 3
Safe
n Safes are physical storage devices
n They come in a wide variety of shapes, sizes, and cost
n Safes are not perfect; they are rated in terms of how long
they can be expected to protect the contents from theft or
fire
n The better the rating, the more expensive the safe
Physical Security Controls9
Secure Cabinets/Enclosures
n There are times when a safe is overkill
n A simpler solution is secure cabinets and enclosures
n They do not offer all of the levels of protection like a safe
Physical Security Controls10
Protected Distribution/Protected Cabling
n Cable runs between systems need to be protected by
protected distribution/ protected cabling
n The objective is to prevent any physical damage to the
physical layer portion of the system
Physical Security Controls11
Airgap
n An airgap: physical and logical separation of a network
from all other networks
n Prevent unauthorized data transfers
n Users will move data by other means, such as a USB drive -
- called “sneaker net”
n Unauthorized bypassing of the airgap increases system risk
because it also bypasses checks, logging, and other
processes important in development and deployment
Physical Security Controls12
.
CIS 3500 4
Mantrap
n A mantrap comprises two doors closely spaced that require
the user to card through one and then the other
sequentially
n Mantraps make it nearly impossible to trail through a
doorway undetected
n The implementation of a mantrap is one way to combat
tailgating
Physical Security Controls13
Faraday Cages
n Electromagnetic interference (EMI) is an electrical disturbance
that affects an electrical circuit
n Magnetic radiation enters the circuit by induction, where
magnetic waves create a charge on the circuit
n Modern circuitry is designed to resist EMI
n Cabling: the twists in unshielded twisted pair (UTP), or
Category 5e, 6, 6a, or 7, cable are there to prevent EMI
n Bigger shielding: Faraday cage or Faraday shield, which is an
enclosure of conductive material that is groundedPhysical Security Controls14
Locks
n Many different lock types are used in and around the computer
security arena e.g. computer lockdown cables
n Lock design has not changed much: a metal “token” is used to
align pins in a mechanical device
n High-security locks have been designed to defeat attacks
n Common feature of high-security locks is key control:
restrictions placed on making a copy of the key - patented
keyways that can only be copied by a locksmith, who will keep
recordsPhysical Security Controls15
Biometrics
n Biometrics is the measurement of biological attributes
n Fingerprint readers in laptops and stand-alone USB devices
n Two-part process: enrollment and then authentication
n Biometrics are not foolproof – some biometric measures
can be duplicated to fool a sensor
n Safeguards exist for most biometric bypass mechanisms,
making them a usable security technology
Physical Security Controls16
.
CIS 3500 5
Barricades/Bollards
n The primary defense against a majority of physical attacks
are the barricades between the assets and a potential
attacker — walls, fences, gates, and doors
n Security must be designed carefully, as an attacker has to
find only a single gap to gain access
n Barricades can also be used to control vehicular access
n The simple post-type barricade that prevents a vehicle from
passing but allows people to walk past is called a bollard
Physical Security Controls17
Tokens/Cards
n Badging systems use either tokens or cards that can be tied
to automated ID checks and logging of entry/exit
n They can embed a serialized ID for each user, enabling
user-specific logging
n They offer the same function as keys, but the system can
be remotely updated to manage access in real time
n Users can have privilege revoked without having to recover
the token or card
Physical Security Controls18
Environmental Controls
n Environmental controls are needed for current data centers
n Heating and cooling is important for computer systems as
well as users
n Server rooms require very specific cooling, usually provided
by a series of hot and cold aisles
n Fire suppression is an important consideration when dealing
with information systems
n They contribute to the availability aspect of security
Physical Security Controls19
HVAC
n C o n t r o l l in g a d a t a c e n t e r ’s t e m p e r a t u r e a n d h u m id i t y i s im p o r t a n t t o
k e e p in g s e r v e r s r u n n in g
n H e a t in g , v e n t i la t in g , a n d a i r c o n d i t io n in g ( H V A C ) s y s t e m s a r e c r i t i c a l f o r
k e e p in g d a t a c e n t e r s c o o l
n T y p ic a l s e r v e r s p u t o u t b e t w e e n 1 0 0 0 a n d 2 0 0 0 B T U s o f h e a t ( 1 B T U e q u a ls
t h e a m o u n t o f e n e r g y r e q u i r e d t o r a is e t h e t e m p e r a t u r e o f o n e p o u n d o f
l iq u id w a t e r b y o n e d e g r e e F a h r e n h e i t )
n M u lt ip le s e r v e r s c a n c r e a t e c o n d i t io n s t o o h o t f o r t h e m a c h in e s t o c o n t in u e
t o o p e r a t e
n H u m id i t y n e e d s t o b e c o n t r o l le d t o p r e v e n t s t a t i c i s s u e s ( t o o lo w h u m id i t y )
o r c o n d e n s a t io n i s s u e s ( t o o h ig h h u m id i t y ) Physical Security Controls20
.
CIS 3500 6
Hot and Cold Aisles
n A data center arranged into hot and cold aisles where all the intake
fans on all equipment face the cold aisle, and the exhaust fans all face
the opposite aisle
n The HVAC system is designed to push cool air underneath the raised
floor and up through perforated tiles on the cold aisle
n Hot air from the hot aisle is captured by return air ducts for the HVAC
system
n Never to mix the hot and cold air –cold air is not cheap
n The benefits of this arrangement are that cooling is more efficient and
can handle higher densityPhysical Security Controls21
Fire Suppression
n The ability to respond to a fire quickly and effectively is
thus critical to the long-term success of any organization
n Addressing potential fire hazards and vulnerabilities has
been a concern of organizations in their risk analysis
n Fire suppression systems are designed to provide protection
n They don’t prevent the fire from occurring but they do stop
it once it begins
Physical Security Controls22
Fire Suppression
Physical Security Controls23
Fire Suppression
n Water-based fire suppression systems are today the primary tool
to address and control structural fires
n Electrical equipment does not react well to large applications of
water
n Water is destructive to electronic equipment because of the
immediate electronic shorts but also because of corrosive damage
n Alternative fire suppression methods have been sought.
n Halon systems have been phased out because of environmental
concerns as it is a potent greenhouse gas
Physical Security Controls24
.
CIS 3500 7
Fire Suppression
n Clean-agent fire suppression systems: carbon dioxide (CO2) attacks
all three necessary elements for a fire: displaces oxygen; provides
some cooling and reduces the concentration of “gasified” fuel
n Argon lowers the oxygen concentration below the 15 % level required
for combustible items to burn
n Inergen is composed of three gases: 52% nitrogen, 40 % argon, and
8 % carbon dioxide - reduce oxygen to 12.5 %
n ChemicalSused to phase out halon areFE-13 and FM-200
(heptafluoropropane)
Physical Security Controls25
Fire Detection
n Smoke detector: ionization and photoelectric
n Heat activated: fixed-temperature or fixed-point devices
and ate-of-rise or rate-of-increase temperature devices
n Flame activated: change in the infrared energy that can be
detected – more expensive
Physical Security Controls26
Cable Locks
n Portable equipment—laptops, projectors, and the like—can
be easily removed or stolen
n Cable locks provide a simple means of securing equipment
n They can be used by road warriors to secure laptops from
casual theft, or in open areas such as conference centers or
rooms where portable equipment is exposed to a wide
range of visitors
Physical Security Controls27
Screen Filters
n Shoulder surfing: an attacker directly observing an
individual entering information
n Screen filters are optical filters that limit the angle of
viewability to a very narrow range
n They have a wide range of uses, from road warrior laptops,
to kiosks, to receptionists’ computers, or places where
sensitive data is displayed (medical data in medical
environments)
Physical Security Controls28
.
CIS 3500 8
Cameras
n CCTV (closed-circuit television ) cameras are used to monitor a
workplace for security purposes
n Traditional cameras are analog based and require a video
multiplexer to combine all the signals and make multiple views
appear on a monitor
n IP-based systems add useful functionality but also makes the
cameras subject to normal IP-based network attacks
n Different iris types, focal lengths, and color or infrared
capabilities are all optionsPhysical Security Controls29
Motion Detection
n Motion detector is for areas where there is little or no
expected traffic
n Most are based on infrared (heat) radiation and can be
tuned for size
n They can be useful during off-hours, when traffic is minimal
n They can trigger video systems
Physical Security Controls30
Logs
n Physical security logs provide the same utility as computer logs
n They act as a record of what was observed – e.g. visitors arriving
and departing, equipment received and shipped out
n Remote sensing of badges and RFID tags can create equipment
move logs that include when, where, what, and who—all
automatically
n Capabilities such as this make inventory of movable equipment
easier as its location is tracked and it can be scanned remotely
Physical Security Controls31
Infrared Detection
n Infrared (IR) radiation is not visible to the human eye
n Infrared detection: looking for things that otherwise may
not be noticed
n Infrared detectors can sense differences in temperature,
which can be from a person entering a room, even if not
visible due to darkness
n IR alarms are used extensively to monitor people
movement in areas where there should be none
Physical Security Controls32
.
CIS 3500 9
Key Management
n Physical locks have physical keys, and keeping track of who
has what keys can be a chore – especially with master keys
n Key management is the process of keeping track of where
the keys are and who has access to what
n Environment that does not have a means of key
management is not verifiably secure
Physical Security Controls33
Stay Alert!
There is no 100 percent secure system, and
there is nothing that is foolproof!