Add to collection(s) Add to saved
  1. Science
  2. Earth Science
  3. Biogeography

Presentation Slides

advertisement 
IT Series:
Physical and Environment Security for IT
Donald Hester
March 29, 2011
For audio call Toll Free 1-888-886-3951
and use PIN/code 661899
Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using
the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
IT Series:
Physical and Environment Security for IT
Donald Hester
Introduction
Topics Covered
• Physical security of information systems
• Environmental protection of information
•
system (Not the green type)
Some life safety issues
Threats






Heat (internal and external)
Water (leak, flood, weather)
Theft
Power (loss or spike)
Fire (smoke)
Natural disaster (earthquake, tornado
etc..)
 Man made disaster (chemical spill)
 Loss of life
8
Policy
 Start at the top:
• The organization understand the importance
and will to commit need resources
 Policy should:
• Addresses purpose, scope, roles,
responsibilities, management commitment,
coordination among organizational entities,
and compliance
9
Granting Physical Access
 Designate sensitive verses publicly
accessible areas
 List of authorized personnel
• To access sensitive areas
 Review the list regularly
• To make sure you remove anyone who no
longer needs access
10
Restricted/Sensitive/Secure Areas
 Selecting Internal
areas that need more
control
 Determine what
assets require extra
security
 Control access of
customers (students)
 Restrict computer
access or LAN
access from lobbies
Physical Access Control
 Enforce access authorizations
 Verify access authorization before
granting access
 Control entry
 Control publicly accessible areas in
accordance with risk
 Secure keys, combinations, passwords,
PINs, and other physical devices
12
Exterior Security
Physical Access Control
 Secure keys, combinations, passwords,
PINs, and other physical devices
• Key log (who has the keys)
• Rekey (when a key is lost)
• Recovery (get keys back)
• Change combination (like password)
 Important events
• Someone is terminated or leaves
• Lost or compromised
14
Physical Access Control
 Doors
• No more than two doors
• Locks, or electronic door locks
• Strike-plates on doors
• Tamper-resistant hinges on doors
• Resistant to forcible entry
• Fire rated doors and walls
• Internal windows should be small and
shatter or bullet proof
15
Control Access to Cables
 Control access to the cables used for
communication
• Ethernet
• Telecom
• Wiring closets
• Spare jacks
• Conduit or cable trays
16
Output Device Access Control
 What output devices need control?
• Printers
• Monitors
• Audio devices
For example HR prints to a printer no one
can simple walk by and pick up the print out
(restricted area)
 Same with finance and transcripts

 Protect from theft
17
Monitoring
 Monitor physical access
• CCTV especially in cash collection sites
 Log access
• Access control devices can log who gained
access
Netbotz (example not an endorsement)
•
 Detect and respond to incidents
18
CCTV
 Closed-circuit TV
• Wired or wireless
 Simplest camera connected to TV
monitor
 More complex can detect, recognize, or
identify
• Smart CCTV – facial recognition technology
 Purpose to detect & deter also used in
investigations
CCTV uses




Security Applications
Safety Applications
Management Tool
Investigation Tool
Visitor control
 Contractors and employees access to
restricted areas
 Monitor visitor activity
 Sign in
 Check ID
 Did you know they were coming?
• Appointment only
21
Access Records
 Keep records
 Review records
 Records should include:
• Name/organization of the person visiting
• Signature of the visitor
• Form(s) of identification
• Date of access, time of entry and departure
• Purpose of visit
• name/organization of person visited
22
Power
 Concern is loss of power resulting
in down time
 Protect power equipment
• Access control to sub panels
• Fire code issues
 Protect power cables
• Redundant or parallel power cables
23
Emergency Shutoff
 Power switch to turn off all system
• Life safety issue
 Server rooms can be equipped with
a switch that will turn off all
equipment included those on battery
backup
 Place switch in a accessible location
 Protect switch from accidental
activation
24
Emergency Power
 Provide a short-term uninterruptible
power supply to facilitate an orderly
shutdown of the information system in
the event of a primary power source loss
• UPS for short time periods
• What is your current UPS rated for?
• Is that enough time for a orderly shutdown?
• Have you check the battery life lately?
25
Emergency Power
 Provide a long-term alternate power
supply for the information system that is
capable of maintaining minimally
required operational capability in the
event of an extended loss of the primary
power source
• Power generator
• How important is uptime?
• How reliable is the power grid?
26
Emergency Lighting
 Employ and maintains automatic
emergency lighting
• Life safety issue again
• Typically lights are in common areas and
•
27
not always in a server room
Typically handled by facilities personnel
Fire Hazard
 Fire suppression and detection
devices/systems
• Fire Prevention
• Fire Detection
• Fire Alarm
• Fire Suppression
• Fire Drills
28
Fire Suppression
 Fire suppression devices/systems
Should have an independent power source
 Properly rated fire extinguisher
 Sprinklers, dry pipe best
 Should have automatic shut down of servers
 Halon FM-200 (or FE-227), FE-13, FE-25,
Novec-1230, inert gas systems like Argonite,
Inergen or CO2
 Toxic fumes from burning plastic

29
Fire Protection
30
Temperature and Humidity Controls
 Maintains temperature and
humidity levels
 Monitors temperature and
humidity levels
• Maintain a constant temperature be
•
between 70-74F (21-23C)
Maintain a constant humidity
between 45-60%

31
High humidity causes corrosion and
low humidity causes static electricity.
HVAC
 Positive air pressure
• Air flow out of the room
• Limits dust getting in
 Protected air vents
• Possible entry point
 Filtered air
• Dust reduces heat transfer and can cause
heat damage to circuits
 Redundant HVAC systems
32
Water Damage Protection
 Protects the information system from
damage resulting from water leakage
 Master shutoff valves
• Accessible
• Working
• Known by key personnel
 Not just for the server room, wire closets
 Positive flow water drains
• Protect from the risk of flooding
33
Delivery and Removal
 Authorizes, monitors, and controls
computer equipment entering or exiting
the facility
 Record of those items
 Theft is the big issues here
34
Alternate Work Site
 Part of Business Continuity Planning
 Consider physical and environment
controls in alternate work site
35
Locate Systems
 Position information system components
within the facility to minimize potential
damage from physical and environmental
hazards and to minimize the opportunity
for unauthorized access
• Where is the best place in your facility for a
•
server room?
External issues?
Proximity of emergency services
 Offsite hazards

36
Location, Location, Location




Avoid the basement
Avoid the top floor
Avoid the first floor
Avoid be located near stairs, bathrooms,
water pipes, elevators or EMI emissions
 Avoid locating it on an external wall
 Avoid external windows and doors
37
Areas
 Plenum space
• Requires plenum cabling
 Raised false floors
• Access to & protect cabling
 Drop ceilings can give access to
server rooms
• Walls should extend beyond any
false or drop ceilings
 Security Mesh to help stop
break-ins through gypsum walls
38
Site Security
 Site Location (Site Survey)
• Proximity to emergency services
• Flood zones, types of natural
•
•
•
events, e.g. earthquake,
hurricane, tornado
Proximity to hazardous materials,
e.g. next to a oil refinery, train
tracks
Redundant roads or ways in to the
area
Crime rates for the area
Site Location
Site Examples
Other Site Issues
 Crime Prevention Through
Environmental Design (CPTED)
• The building and facilities (campus) are
•
•
•
•
•
42
designed in such a way as to limit or deter
crime.
Parking lots & lighting
Perimeter lighting
Perimeter security
Landscaping
Barriers (bollards)
Information Leakage
 Tempest
 Protect the information
system from information
leakage due to
electromagnetic signals
emanations
43
Interference
 Shielding from:
• Electromagnetic interference (EMI)
• Radio frequency interference (RFI)
• Shielded cabling, room
 Electrostatic discharge (ESD)
• Anti-static flooring
• Anti-static wrist strap
44
Signage
 For life safety
• Clearly mark exits for life safety
• Clearly mark locations of fire extinguishers
• Clearly mark shutoff switches and valves
 For theft
• Signs create a psychological barrier
• Asset tag equipment for possible recovery
45
Alarm Systems
 A Communication systems
design to alert, warn or notify a
receiver of an event or danger.
 Made up of 3 parts, sensor
(detector) that detects the
condition, and alarm system
circuit to transmit the information
to an annunciator (signal, alarm)
 Standards UL, ISO and IEEE
Secure Disposal (End of Life Cycle)
 Consider security
before returning a
failed hard drive
 Data remanence
 Software Data
removers
 Degauss
 Shredding
 Incinerators
Dumpster Diving
 Not illegal
 Industrial espionage
 Some consider it a
hobby
 Can find private,
confidential
information on paper
or media or
computers
Copiers
49
http://www.youtube.com/watch?v=iC38D5am7go
Monitoring Tools
 Netbotz
• (now owned by APC)
 IT WatchDogs
• www.itwatchdogs.com
 APC
• www.apc.com
 SynapSense
• www.synapsense.com
50
Q&A
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec | www.twitter.com/sobca
DonaldH@MazeAssociates.com
Evaluation Survey Link
Help us improve our seminars by filing
out a short online evaluation survey at:
http://www.surveymonkey.com/s/PhysSecurity
IT Series:
Physical and Environment Security for IT
Thanks for attending
For upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/
Related documents
To reduce crime and protect people, their
To reduce crime and protect people, their
Materials Unit 4c
Materials Unit 4c
Radiation
Radiation
Wind and Weather lesson 2014
Wind and Weather lesson 2014
Misperception of Random Data
Misperception of Random Data
Mike Tondra - RI Homeless.
Mike Tondra - RI Homeless.
Product sheet as PDF
Product sheet as PDF
Paul Walker
Paul Walker
Compliance Checklist - Data Protection in Schools
Compliance Checklist - Data Protection in Schools
Download
advertisement