ITNS and CERIAS
CISSP Luncheon Series:
Physical (Environmental) Security
Presented by Scott L. Ksander
1
Physical Security
 From (ISC)2 Candidate Information
Bulletin:
• The Physical (Environmental) Security domain
addresses the threats, vulnerabilities, and
countermeasures that can be utilized to
physically protect an enterprise’s resources
and sensitive information. These resources
include people, the facility in which they
work, and the data, equipment, support
systems, media, and supplies they utilize.
2
Physical Security
 From (ISC)2 Candidate Information
Bulletin:
• The candidate will be expected to know the
elements involved in choosing a secure site,
its design and configuration, and the
methods for securing the facility against
unauthorized access, theft of equipment and
information, and the environmental and
safety measures needed to protect people,
the facility, and its resources.
3
Introduction
 Threats to physical security include:
•
•
•
•
•
Interruption of services
Theft
Physical damage
Unauthorized disclosure
Loss of system integrity
4
Introduction
 Threats fall into many categories:
• Natural environmental threats (e.g., floods,
fire)
• Supply system threats (e.g., power outages,
communication interruptions)
• Manmade threats (e.g., explosions,
disgruntled employees, fraud)
• Politically motivated threats (e.g., strikes,
riots, civil disobedience)
5
Introduction
 Primary consideration in physical security
is that nothing should impede “life safety
goals.”
• Ex.: Don’t lock the only fire exit door from
the outside.
 “Safety:” Deals with the protection of life
and assets against fire, natural disasters,
and devastating accidents.
 “Security:” Addresses vandalism, theft,
and attacks by individuals.
6
Physical Security Planning
 Physical security, like general information
security, should be based on a layered
defense model.
 Layers are implemented at the perimeter
and moving toward an asset.
 Layers include: Deterrence, Delaying,
Detection, Assessment, Response
7
Physical Security Planning
 A physical security program must address:
• Crime and disruption protection through deterrence
(fences, security guards, warning signs, etc.).
• Reduction of damages through the use of delaying
mechanisms (e.g., locks, security personnel, etc.).
• Crime or disruption detection (e.g., smoke detectors,
motion detectors, CCTV, etc.).
• Incident assessment through response to incidents
and determination of damage levels.
• Response procedures (fire suppression mechanisms,
emergency response processes, etc.).
8
Physical Security Planning
 Crime Prevention Through
Environmental Design (CPTED)
• Is a discipline that outlines how the
proper design of a physical
environment can reduce crime by
directly affecting human behavior.
• Concepts developed in 1960’s.
• Think: Social Engineering
9
Physical Security Planning
 CPTED has three main strategies:
• Natural Access Control
• Natural Surveillance
• Territorial Reinforcement
10
Physical Security Planning
 Natural Access Control
• The guidance of people entering and
leaving a space by the placement of
doors, fences, lighting, and
landscaping
• Be familiar with: bollards, use of
security zones, access barriers, use of
natural access controls
11
Physical Security Planning
 Natural Surveillance
• Is the use and placement of physical
environmental features, personnel walkways,
and activity areas in ways that maximize
visibility.
• The goal is to make criminals feel
uncomfortable and make all other people feel
safe and comfortable, through the use of
observation.
12
Physical Security Planning
 Territorial Reinforcement
• Creates physical designs that highlight
the company’s area of influence to give
legitimate owners a sense of
ownership.
• Accomplished through the use of walls,
lighting, landscaping, etc.
13
Physical Security Planning
 CPTED is not the same as “target
hardening”
 Target hardening focuses on denying
access through physical and artificial
barriers (can lead to restrictions on
use, enjoyment, and aesthetics of
the environment).
14
Physical Security Planning
 Issues with selecting a facility site:
• Visibility (terrain, neighbors, population of
area, building markings)
• Surrounding area and external factors (crime
rate, riots, terrorism, first responder
locations)
• Accessibility (road access, traffic, proximity
to transportation services)
• Natural Disasters (floods, tornados,
earthquakes)
15
Physical Security Planning
 Other facility considerations:
• Physical construction materials and
structure composition
» Be familiar with: load, light frame
construction material, heavy timber
construction material, incombustible
material, dire resistant material (know
the fire ratings and construction
properties).
16
Physical Security Planning
 “Mantrap:” A small room with two doors. The
first door is locked; a person is identified and
authenticated. Once the person is
authenticated and access is authorized, the first
door opens and allows the person into the
mantrap. The person has to be authenticated
again in order to open the second door and
access a critical area. The mantrap area could
have a weight sensing floor as an additional
control to prevent literal piggybacking.
17
Physical Security Planning
 Automatic door lock configuration:
 “Fail safe:” If a power disruption
occurs, the door defaults to being
unlocked.
 “Fail secure:” If a power disruption
occurs, the door defaults to being
locked.
18
Physical Security Planning
 Windows can also be used to promote
physical security.
 Know the different types of glass:
•
•
•
•
•
•
•
Standard
Tempered
Acrylic
Wired
Laminated
Solar Window Film
Security Film
19
Physical Security Planning
 Consider use of internal partitions
carefully:
• True floor to true ceiling to counter
security issues
• Should never be used in areas that
house sensitive systems and devices
20
Internal Support Systems
 Power issues:
• A continuous supply of electricity assures the
availability of company resources.
• Data centers should be on a different power
supply from the rest of the building
• Redundant power supplies: two or more
feeds coming from two or more electrical
substations
21
Internal Support Systems
 Power protection:
• UPS Systems
» Online UPS systems
» Standby UPS System
• Power line conditioners
• Backup Sources
22
Internal Support Systems
 Other power terms to know:
•
•
•
•
•
•
•
Ground
Noise
Transient Noise
Inrush Current
Clean Power
EMI
RFI
23
Internal Support Systems
 Types of Voltage Fluctuations
• Power Excess
» Spike
» Surge
• Power Loss
» Fault
» Blackout
• Power Degradation
» Sag/dip
» Brownout
» Inrush Current
24
Internal Support Systems
 Environmental Issues
• Positive Drains
• Static Electricity
• Temperature
25
Internal Support Systems
 Environmental Issues: Positive Drains
• Contents flow out instead of in
• Important for water, steam, gas lines
26
Internal Support Systems
 Environmental Issues: Static Electricity
• To prevent:
» Use antistatic flooring in data processing
areas
» Ensure proper humidity
» Proper grounding
» No carpeting in data centers
» Antistatic bands
27
Internal Support Systems
Environmental Issues: Temperature

•
Computing components can be
affected by temperature:
» Magnetic Storage devices: 100 Deg. F.
» Computer systems and peripherals:
175 Deg. F.
» Paper products: 350 Deg. F.
28
Internal Support Systems
 Ventilation
• Airborne materials and particle
concentration must be monitored for
inappropriate levels.
• “Closed Loop”
• “Positive Pressurization”
29
Internal Support Systems
 Fire prevention, detection, suppression
 “Fire Prevention:” Includes training employees
on how to react, supplying the right equipment,
enabling fire suppression supply, proper
storage of combustible elements
 “Fire Detection:” Includes alarms, manual
detection pull boxes, automatic detection
response systems with sensors, etc.
 “Fire Suppression:” Is the use of a suppression
agent to put out a fire.
30
Internal Support Systems
 American Society for Testing and
Materials (ASTM) is the organization
that creates the standards that
dictate how fire resistant ratings
tests should be carried out and how
to properly interpret results.
31
Internal Support Systems

Fire needs oxygen and fuel to continue to
grow.

Ignition sources can include the failure of an
electrical device, improper storage of
materials, malfunctioning heating devices,
arson, etc.

Special note on “plenum areas:” The space
above drop down ceilings, wall cavities, and
under raised floors. Plenum areas should
have fire detectors and should only use
plenum area rated cabling.
32
Internal Support Systems
Types of Fire:

A: Common Combustibles
•
»
»
Elements: Wood products, paper, laminates
Suppression: Water, foam
B: Liquid
•
»
»
Elements: Petroleum products and coolants
Suppression: Gas, CO2, foam, dry powders
C: Electrical
•
»
»
Elements: Electrical equipment and wires
Suppression: Gas, CO2, dry powders
D: Combustible Metals
•
»
»
Elements: magnesium, sodium, potassium
Suppression: Dry powder
K: Commercial Kitchens
•
»
»
Elements: Cooking oil fires
Suppression: Wet chemicals such as potassium acetate.
33
Internal Support Systems
 Types of Fire Detectors
• Smoke Activated
• Heat Activated
• Know the types and properties of each
general category.
34
Internal Support Systems
 Different types of suppression agents:
•
•
•
•
•
•
Water
Halon and halon substitutes
Foams
Dry Powders
CO2
Soda Acid
• Know suppression agent properties and the types of
fires that each suppression agent combats
• Know the types of fire extinguishers (A,B,C, D) that
combat different types of fires
35
Internal Support Systems
 Types of Sprinklers
• Wet Pipe Systems (aka Closed Head
System)
• Dry Pipe Systems
• Preaction Systems
• Deluge Systems
36
Perimeter Security
 The first line of defense is perimeter
control at the site location, to
prevent unauthorized access to the
facility.
 Perimeter security has two modes:
• Normal facility operation
• Facility closed operation
37
Perimeter Security
 Proximity protection components put
in place to provide the following
services:
• Control of pedestrian and vehicle traffic
• Various levels of protection for
different security zones
• Buffers and delaying mechanisms to
protect against forced entry
• Limit and control entry points
38
Perimeter Security
 Protection services can be provided by:
•
•
•
•
•
•
Access Control Mechanisms
Physical Barriers
Intrusion Detection
Assessment
Response
Deterrents
39
Perimeter Security
 Fences are “first line of de’fence’”
mechanisms. (Small Joke!)
 Varying heights, gauge, and mesh
provides security features (know them).
 Barbed wire direction makes a difference.
40
Perimeter Security
 Perimeter Intrusion Detection and
Assessment System (PIDAS):
• A type of fencing that has sensors on
the wire mesh and base of the fence.
• A passive cable vibration sensor sets
off an alarm if an intrusion is
detected.
41
Perimeter Security
Gates have 4 distinct types:

•
•
•
•
Class I: Residential usage
Class II: Commercial usage, where general public
access is expected (e.g., public parking lot, gated
community, self storage facility)
Class III: Industrial usage, where limited access is
expected (e.g., warehouse property entrance not
intended to serve public)
Class IV: Restricted access (e.g., a prison entrance
that is monitored either in person or via CCTV)
42
Perimeter Security
 Locks are inexpensive access control
mechanisms that are widely accepted
and used.
 Locks are considered delaying
devices.
 Know your locks!
43
Perimeter Security
 Types of Locks
• Mechanical Locks
» Warded & Tumbler
• Combination Locks
• Cipher Locks (aka programmable locks)
» Smart locks
• Device Locks
» Cable locks, switch controls, slot locks, port
controls, peripheral switch controls, cable
traps
44
Perimeter Security
 Lock Strengths:
• Grade 1 (commercial and industrial use)
• Grade 2 (heavy duty residential/light duty
commercial)
• Grade 3 (residential and consumer expendable)
 Cylinder Categories
• Low Security (no pick or drill resistance)
• Medium Security (some pick resistance)
• High Security (pick resistance through many different
mechanisms—used only in Grade 1 & 2 locks)
45
Perimeter Security
 Lighting
• Know lighting terms and types of lighting to
use in different situations (inside v. outside,
security posts, access doors, zones of
illumination)
• It is important to have the correct lighting
when using various types of surveillance
equipment.
• Lighting controls and switches should be in
protected, locked, and centralized areas.
46
Perimeter Security
 “Continuous lighting:” An array of lights that provide an even
amount of illumination across an area.
 “Controlled lighting:” An organization should erect lights and use
illumination in such a way that does not blind its neighbors or any
passing cars, trains, or planes.
 “Standby Lighting:” Lighting that can be configured to turn on and
off at different times so that potential intruders think that different
areas of the facility are populated.
 “Redundant” or “backup lighting:” Should be available in case of
power failures or emergencies.
 “Response Area Illumination:” Takes place when an IDS detects
suspicious activities and turns on the lights within the specified
area.
47
Perimeter Security
 Surveillance Devices
• These devices usually work in
conjunction with guards or other
monitoring mechanisms to extend their
capacity.
• Know the factors in choosing CCTV,
focal length, lens types (fixed v. zoom),
iris, depth of field, illumination
requirements
48
Perimeter Security
 “Focal length:” The focal length of a lens
defines its effectiveness in viewing
objects from a horizontal and vertical
view.
 The sizes of images that will be shown on
a monitor along with the area that can be
covered by one camera are defined by
focal length.
• Short focal length = wider angle views
• Long focal length = narrower views
49
Perimeter Security
 “Depth of field:” Refers to the portion of
the environment that is in focus
 “Shallow depth of focus:” Provides a
softer backdrop and leads viewers to the
foreground object
 “Greater depth of focus:” Not much
distinction between objects in the
foreground and background.
50
Perimeter Security
 Intrusion Detection systems are used
to detect unauthorized entries and to
alert a responsible entity to respond.
 Know the different types of IDS
systems (electro-mechanical v.
volumetric) and changes that can be
detected by an IDS system.
51
Perimeter Security
 Patrol Force and Guards
• Use in areas where critical reasoning
skills are required
 Auditing Physical Access
• Need to log and review:
»
»
»
»
Date & time of access attempt
Entry point
User ID
Unsuccessful access attempts
52
Physical Security
 Final Concept to Guide in Assessing
Physical Security Issues on Exam:
•
•
•
•
•
Deterrence
Delay
Detection
Assessment
Response
53
Physical Security
 Resources
• All in One Book (Shon Harris, 2005)
• Official (ISC)² Guide to the CISSP CBK
((ISC)², 2006)
54