Domain 4: Physical (Environmental) Security CISSP Study Group April 15, 2007 Prepared by Ernie Hayden, CISSP CEH 1 References • • • • • • • Official (ISC) Guide to the CISSP CBK US Army Field Manual 3-19.30, Physical Security CISSP Prep Guide – Krutz & Vines Fighting Computer Crime – Parker CISSP Certification – Shon Harris CISSP for Dummies (Rev 0) – Miller & Gregory “Physical Security for Mission-Critical Facilities and Data Centers,” by Gerald Bowman, Information Security Management Handbook, 5th Edition, Vol 3 • Mike Meyer’s Passport: Security+ • Uptime Institute www.uptimeinstitute.com • “Status Of Industry Efforts To Replace Halon Fire Extinguishing Agents,” Robert T. Wickham, http://www.periphman.com/fire/statusofindustry.pdf Prepared by Ernie Hayden, CISSP CEH 2 IMPORTANT TIP! • “Many CISSP candidates underestimate the physical security domain. As a result, exam scores are often the lowest in this domain.” CISSP For Dummies Page 301 Prepared by Ernie Hayden, CISSP CEH 3 Objectives • Upon completion of this discussion, you should be able to: – Describe the threats, vulnerabilities, and countermeasures related to physically protecting the enterprise’s sensitive information assets – Identify the risk to facilities, data, media, equipment, support systems, and supplies as they relate to physical security. Prepared by Ernie Hayden, CISSP CEH 4 5 Functional Areas 1. 2. 3. 4. Information Protection Requirements Information Protection Environment Security Technology and Tools Assurance, Trust and Confidence Mechanisms 5. Information Protection and Management Services Prepared by Ernie Hayden, CISSP CEH 5 Risks to CIA • Interruptions in providing computer services – Availability • Physical Damage – Availability • Unauthorized Disclosure of Information – Confidentiality • Loss of Control Over Information – Integrity • Physical Theft – Confidentiality, Integrity, and Availability Prepared by Ernie Hayden, CISSP CEH 6 Definition: Physical Security • The physical measures and their associated procedures to safeguard and protect against: – Damage – Loss – Theft Prepared by Ernie Hayden, CISSP CEH 7 Required Physical Controls • Perimeter and Building Grounds • Building Entry Points • Inside the Building – Building Floors / Offices • Data Centers or Server Room Security • Computer Equipment Protection • Object Protection Prepared by Ernie Hayden, CISSP CEH 8 5 Functional Areas 1. 2. 3. 4. Information Protection Requirements Information Protection Environment Security Technology and Tools Assurance, Trust and Confidence Mechanisms 5. Information Protection and Management Services Prepared by Ernie Hayden, CISSP CEH 9 Definition: Threat • Any indication, circumstance or event with the potential to cause: – Loss of or Damage to an Asset – Personal Injury – Loss of Live Prepared by Ernie Hayden, CISSP CEH 10 Threat Types • Natural / Environmental – – – – Earthquakes, floods, storms, hurricanes, fires, smoke, snow, ice Consequence of Natural Phenomenon Pandemic Flu Normally not preventable • Human – Made / Political Events – – – – – Explosions, vandalism, theft, terrorist attacks, riots Result of a state of mind, attitude, weakness or character trait Acts of commission or omission Overt or covert Disrupt or destroy Prepared by Ernie Hayden, CISSP CEH 11 Examples of Threats • Emergencies – Fire and Smoke Contaminants – Building Collapse or Explosion – Utility Loss (Power, AC, Heat) – Water Damage (Broken Pipes) – Toxic Materials Release Prepared by Ernie Hayden, CISSP CEH 12 Examples of Threats (2) • Natural Disasters – Earth Movement (Earthquakes or Mudslides) – Storm Damage (Snow, Ice, Floods, Hurricanes) • Human Intervention – Sabotage – Vandalism – War – Strikes Prepared by Ernie Hayden, CISSP CEH 13 Examples of Physical Loss • Seven Major Sources of Physical Loss – Temperature – Extreme Variations in Heat and Cold – Gasses – Sarin, Nerve Gas, PCP from Transformers, Cleaning Fluids, Smog, Fuel Vapors, Paper Particles from Printers – Liquids – Water and Chemicals (flood, plumbing failures, spilled drinks, fuel leaks, computer printer fluids) – Organisms – Viruses, Bacteria, People, Animals and Insects, Molds, Mildews, Cobwebs Prepared by Ernie Hayden, CISSP CEH Ref: Fighting Computer Crime – Donn B. Parker – Wiley 1998 14 Examples of Physical Loss • Seven Major Sources of Physical Loss (2) – Projectiles – Tangible Objects in Motion (Cars, Trucks, Falling Objects, Meteorites, Bullets, Rockets) – Movement – Collapse, Shearing, Shaking, Vibration, Liquefaction, Flows, Waves, Separations and Slides (Lava Flows, Earthquakes, Adhesive Failures, Dropping or Shaking Equipment) – Energy Anomalies – Electrical Surges or Failures, Magnetism, Static Electricity, Radiation, Sound, Light, Radio and Magnetic Waves Prepared by Ernie Hayden, CISSP CEH 15 Site Location • Security Should include WHERE the building is and HOW it should be built: • Choosing a Secure Site – – Visibility – Usually low visibility is the rule to follow. What types of neighbors and markings on the building? – Local Considerations – Near hazardous waste dump? In flood control plain? Local crime rate, riots, strike-prone area? – Natural Disasters – Weather-related problems, tornados, flooding, heavy snow, earthquake zone Prepared by Ernie Hayden, CISSP CEH 16 Site Location (2) • Choosing a Secure Site – – Transportation – Excessive highway, air or road traffic in area, failed bridges will cause building access problems? – Joint Tenancy – Are access to HVAC and environmental controls shared in building? – Adjacent Buildings – External Services – Proximity to local Fire, Police, Hospital/Medical Facilities? Prepared by Ernie Hayden, CISSP CEH 17 Key Concept: Layered Defense Model Prepared by Ernie Hayden, CISSP CEH 18 Key Concept: Layered Defense Model Ref: http://rphrm.curtin.edu.au Prepared by Ernie Hayden, CISSP CEH 19 Designing a Secure Site • WALLS – All walls MUST have an acceptable Fire Rating. – Be Floor to Ceiling – Any Closets or Rooms that Store Media must also have Fire Rating • CEILINGS – Be aware if they are WEIGHT BEARING and their Fire Rating Prepared by Ernie Hayden, CISSP CEH 20 Designing a Secure Site (2) • FLOORS – Slab or Raised? – SLAB – • If concrete then concerns are Weight Bearing (aka Loading) – Usually 150 pounds per square foot. – RAISED • Concerned with Fire Rating, Electrical Conductivity (Grounding against static electricity) • Must employ non-conducting surface material in data center Prepared by Ernie Hayden, CISSP CEH 21 Designing a Secure Site (3) • DOORS – Must resist Forced Entry • Solid or Hollow • Hinges Hidden, Internal or “Fixed” – Fire Rating Equal to Walls – Emergency Exits Must Be Clearly Marked, Monitored, or Alarmed – Electrical Doors on Emergency Exits Should Revert to Disabled State if Power Outage Occurs For Safe Evacuation – TIP!! Personnel Safety ALWAYS Takes Precedence! Doors Can Be Guarded During an Emergency Prepared by Ernie Hayden, CISSP CEH 22 Designing a Secure Site (4) • SPRINKLER SYSTEM – Location and Type of Suppression System Must Always Be Known • LIQUID or GAS LINES – Know Where the Shut Off Valves Are – Water, Steam and Gas Lines Should Have “POSITIVE” Drains • i.e., Flow Outward and Away from Building Prepared by Ernie Hayden, CISSP CEH 23 Designing a Secure Site (5) • AIR CONDITIONING – AC Units Should Have Dedicated Power Circuits – Know Where the Emergency Power Off (EPO) Switch is Located – Provide Outward, Positive Air Pressure to Building – Protected Intake Vents to Prevent Inflow of Potential Toxins Into a Facility Prepared by Ernie Hayden, CISSP CEH 24 Designing a Secure Site (6) • WINDOWS – – – – – Located to Prevent Viewing Monitors or Desks Standard Plate Glass (Brittle, Breaks Easily) Tempered Glass (Stronger, Breaks into Small Shards) Acrylic Materials Polycarbonate Windows – – – – – – Wire Mesh Layers Lexan® (General Electric) Bomb Blast Film (Prevent Viewing In and Reinforce Window) Bullet Resistant Windows Glass Breakage Sensors Usually Not Accepted in Data Center • Glass and Polycarbonate Combinations Combine Best of Glass and Acrylics • If Installed, Should Be Translucent and Shatterproof – Frames Secured to Walls, Windows Can Be Locked, Glass Can’t be Removed Prepared by Ernie Hayden, CISSP CEH 25 Procedural Controls • Guard Post / Dogs • Checking and Escorting Visitors on Site • Managing Deliveries to the Site – Building-Specific Prepared by Ernie Hayden, CISSP CEH 26 Facility Security Management • Administrative Security Controls NOT Related to Initial Planning Process – Audit Trails – or Access Logs • Vital to Know Where Attempts to Enter Existed and Who Attempted Them – Emergency Procedures • Should be Clearly Documented and Readily Accessible • Copies Stored Offsite in the Event of a Disaster • Updated Periodically Prepared by Ernie Hayden, CISSP CEH 27 Audit Trails • These are known as DETECTIVE rather than PREVENTIVE – – – – – Date and Time of Access Attempt Whether the Attempt was Successful or Not Where the Access was Granted (i.e., which door) Who Attempted the Access Who Modified the Access Privileges at the Supervisor Level – Can Send Alarms or Alerts if Required Prepared by Ernie Hayden, CISSP CEH 28 Emergency Procedures • Should Include the Following: – Emergency System Shutdown Procedures – Evacuation Procedures – Employee Training, Awareness Programs, and Periodic Drills – Periodic Equipment and Systems Tests Prepared by Ernie Hayden, CISSP CEH 29 Administrative Personnel Controls • Pre-Employment Screening – Employment, References and Educational History Checks – Background Investigation and/or Credit Rating Checks for Sensitive Positions • On-Going Employee Checks – Security Clearances – Ongoing Employee Ratings or Reviews by Supervisors • Post-Employment Procedures – Exit Interview, Removal of Network Access, Return of Computers, etc. Prepared by Ernie Hayden, CISSP CEH 30 Environmental and Life Safety Controls Three Areas of Environmental Control 1. Electrical Power 2. Fire Detection and Suppression 3. Heating, Ventilation and Air Conditioning (HVAC) Prepared by Ernie Hayden, CISSP CEH 31 Electrical Power • Disruptions in Electrical Power Can Have a Serious Business Impact • Goals: • • “Clean and Steady Power” Excellent “Power Quality” • Design Considerations: – – – – Dedicated Feeders Alternate Power Source Access Controls Secure Breaker and Transformer Rooms Prepared by Ernie Hayden, CISSP CEH 32 Electrical Power Threat Elements • NOISE – Electromagnetic Interference (EMI) – Radio Frequency Interference (RFI) • ANOMOLIES – Brownout, Blackout, Fault, etc. • ELECTROSTATIC DISCHARGE (ESD) – Affected by Low Humidity Prepared by Ernie Hayden, CISSP CEH 33 Electrical “Noise” • Def: Random Disturbance Interfering With Devices – Electromagnetic Interference (EMI) • Caused by Motors, Lightning, etc. • “Spark” Noise – Radio Frequency Interference (RFI) • Caused by Components of Electrical System • Caused by Electrical Cables, Fluorescent Lighting, Truck Ignitions, etc. • Can Cause Permanent Damage to Sensitive Components in a System Prepared by Ernie Hayden, CISSP CEH 34 Electrical “Noise” (2) • Common Types of EMI – “Common Mode Noise” – Noise from Radiation Generated by the Difference Between the “Hot” and “Ground” Wires – “Traverse Mode Noise” – Noise from Radiation Generated by the Difference Between the “Hot” and “Neutral” Wires Prepared by Ernie Hayden, CISSP CEH 35 Protective Measures for “NOISE” • • • • Proper Line Conditioning Proper Grounding of the System to Earth Cable Shielding Limited Exposure to Magnets, Electrical Motors, Space Heaters and Fluorescent Lights Prepared by Ernie Hayden, CISSP CEH 36 Electrical Anomalies Electrical Event* Blackout Fault Brownout Sag Definition Total loss of power Momentary loss of power Prolonged drop in voltage (up to 10%) Short drop in voltage Inrush Initial power rush Spike Momentary rush of power, Momentary high voltage Surge Prolonged rush of power, prolonged high voltage Prepared by Ernie Hayden, CISSP CEH Mnemonic: “Bob Frequently Buys Shoes in Shoe Stores” 37 Electrical Anomalies (2) • Transients – Line Noise that is Superimposed On the Supply Circuit Can Cause Fluctuation in Power • Inrush Current – The Initial Surge of Current Required When There is an Increase in Power Demand (e.g., starting a large motor) Prepared by Ernie Hayden, CISSP CEH 38 Electrostatic Discharge (ESD) • Power Surge Generated by a Person or Device Contacting Another Device and Transferring a High Voltage Shock • Affected by Low Humidity Prepared by Ernie Hayden, CISSP CEH 39 Now, About Humidity… • Ideal Humidity Range = 40% to 60% – High Humidity > 60% • Causes Problems with Condensation on Computer Equipment • Cause Corrosion of Electrical Connections – sort of like “Electroplating” and Impedes Electrical Efficiency – Low Humidity < 40% • Can Cause Increase in Electrostatic Discharge • Up to 4000 Volts Under Normal Humidity • Up to 25,000 Volts Under Very Low Humidity Prepared by Ernie Hayden, CISSP CEH 40 Static Charge and Damage Static Charge in Volts 40 Will Damage 1,000 Sensitive Circuits and Transistors Scramble Monitor Display 1,500 Disk Drive Data Loss 2,000 System Shutdown 4,000 Printer Jam 17,000 Permanent Chip Damage Prepared by Ernie Hayden, CISSP CEH 41 Precautions for Static Electricity • Use Anti-Static Sprays Where Possible • Operations or Computer Centers Should Have Anti-Static Flooring – “Zinc Whiskers” Problem • Building and Computer Rooms Should be Grounded Properly • Anti-Static Table or Floor Mats • HVAC Should Maintain Proper Level of Humidity in Computer Rooms Prepared by Ernie Hayden, CISSP CEH 42 Electrical Support Systems • Surge Suppressors • Uninterruptible Power Supplies – Only for Duration Needed to Safely Shutdown Systems • Emergency Shutoff (EPO Switch) – Have Monitored by Camera • Alternate Power Supply – Generator, Fuel Cell, etc. Prepared by Ernie Hayden, CISSP CEH 43 FIRE PROTECTION 1. Fire Prevention 2. Fire Detection 3. Fire Suppression Prepared by Ernie Hayden, CISSP CEH 44 Fire Triangle A FIRE Needs These Three Elements to Burn Prepared by Ernie Hayden, CISSP CEH Fire Fighting Removes One of These Three Elements OR By Temporarily Breaking Up the Chemical Reaction 45 Types of Fires Class Description (Fuel) A Common combustibles such as paper, wood, furniture, clothing B Burnable fuels such as gasoline or oil C Electrical fires such as computers and electronics D Special fires, such as chemical, metal K Commercial Kitchens Prepared by Ernie Hayden, CISSP CEH 46 Fire Prevention • Use Fire Resistant Materials for Walls, Doors, Furnishings, etc. • Reduce the Amount of Combustible Papers Around Electrical Equipment • Provide Fire Prevention Training to Employees – REMEMBER: Life Safety is the Most Important Issue! • Conduct Fire Drills on All Shifts So that Personnel Know How to Exit A Building Prepared by Ernie Hayden, CISSP CEH 47 Fire Detection • Ionization-type Smoke Detectors – Detect Charged Particles in Smoke • Optical (Photoelectric) Detectors – React to Light Blockage Caused by Smoke • Fixed or Rate-of-Rise Temperature Sensors – Heat Detectors That React to the Heat of a Fire – Fixed Sensors Have Lower False Positives • Flame Actuated – Senses Infrared Energy of Flame or Pulsating of the Flame – Very FAST Response Time, Expensive Prepared by Ernie Hayden, CISSP CEH 48 Fire Detection (2) • Automatic Dial-Up Fire Alarm – System Dials the Local Fire or Police Department and Plays a Prerecorded Message When a Fire is Detected – Usually Used in Conjunction with One of the Other Type of Fire Detectors – This Type of System Can Be Easily/Intentionally Subverted • Combinations are Usually Used for The Best Effectiveness in Detecting a Fire Prepared by Ernie Hayden, CISSP CEH 49 Fire Classes and Suppression/Extinguishing Methods Class Description (Fuel) Extinguishing Method A Common combustibles such as paper, wood, furniture, clothing Water, Foam B Burnable fuels such as gasoline or oil C Electrical fires such as computers and electronics Inert Gas, CO2(Note: Most important step: Turn off electricity first!) D Special fires, such as chemical, metal Dry Powder (May require total immersion or other special techniques) K Commercial Kitchens Wet Chemicals Prepared by Ernie Hayden, CISSP CEH Inert Gas, CO2 50 Fire Suppression • Carbon Dioxide (CO2), Foam, Inert Gas and Dry Power Extinguishers DISPLACE Oxygen to Suppress a Fire • CO2 Is a Risk to Humans (Because of Oxygen Displacement) • Water Suppresses the Temperature Required to Sustain a Fire Prepared by Ernie Hayden, CISSP CEH 51 Fire Suppression - Halon • Halon Banned for New Systems Under 1987 Montreal Protocol on Substances that Deplete the Ozone Layer – Began Implementation of Ban in 1992 – Any New Installations of Fire Suppression systems Must Use Alternate Options – EU Requires Removal of Halon for Most Applications • Halon Replacements: – FM200, Prepared by Ernie Hayden, CISSP CEH 52 Halon Replacements Prepared by Ernie Hayden, CISSP CEH Ref: http://www.periphman.com/fire/statusofindustry.pdf 53 Fire Suppression - Water • Wet Pipe – – – – – Always Contains Water Most Popular and Reliable 165° Fuse Melts Can Freeze in Winter Pipe Breaks Can Cause Floods – – – – No Water in Pipe Preferred for Computer Installations Water Held Back by Clapper Air Blows Out of Pipe, Water Flows Wet Pipe Dry Pipe • Dry Pipe Prepared by Ernie Hayden, CISSP CEH 54 Fire Suppression – Water (2) • Deluge – Type of Dry Pipe – Water Discharge is Large – Not Recommended for Computer Installations • Preaction – Most Recommended for Computer Room – Combines Both Dry and Wet Pipes – Water Released into Pipe First Then After Fuse Melts in Nozzle the Water is Dispersed Prepared by Ernie Hayden, CISSP CEH 55 Fire: Contamination & Damage • • • • Smoke Heat Water Suppression Medium Contamination Prepared by Ernie Hayden, CISSP CEH 56 Heating Ventilation & Air Conditioning (HVAC) • Usually the Focal Point for Environmental Controls • You Need to Know Who is Responsible for HVAC in Your Building • Clear Escalation Steps Need to Be Defined Well in Advance of an EnvironmentalThreatening Incident Prepared by Ernie Hayden, CISSP CEH 57 HVAC Issues • Are Computerized Components Involved? • Does It Maintain Appropriate Temperature and Humidity Levels? Air Quality? – Ideal Temperature = 70° to 74° F – Ideal Humidity = 40% to 60% • Maintenance Procedures Should Be Documented • Preventive Maintenance Performed and Documented Prepared by Ernie Hayden, CISSP CEH 58 5 Functional Areas 1. 2. 3. 4. Information Protection Requirements Information Protection Environment Security Technology and Tools Assurance, Trust and Confidence Mechanisms 5. Information Protection and Management Services Prepared by Ernie Hayden, CISSP CEH 59 Elements of Physical Security • Badges • Restricted Areas • Lights • Dogs • CCTV • Locks Prepared by Ernie Hayden, CISSP CEH • Access Control • Barriers • Security Forces • Fences • Intrusion Detection Systems 60 Functions of Physical Security 1. 2. 3. 4. 5. Deter Delay Detect Assess Respond Prepared by Ernie Hayden, CISSP CEH 61 Layered Defense • • • • • • • • • • Security Breach Alarms On-Premises Security Officers Server Ops Monitoring Early Warning Smoke Detectors Redundant HVAC Equipment UPS and Backup Generators Seismically Braced Server Racks Biometric Access & Exit Sensors Continuous Video Surveillance Electronic Motion Sensors Prepared by Ernie Hayden, CISSP CEH 62 Perimeter Protection • Perimeter Security Controls are the First Line of Defense • Protective Barriers – Natural or Structural – Natural Barriers • Terrains That are Difficult to Cross • Landscaping (Shrubs, Trees, Spiny Shrubs) – Structural Barriers • Fences, Gates, Bollards, Facility Walls Prepared by Ernie Hayden, CISSP CEH 63 Fences • Know These Fencing Heights: – 3 ft – 4 ft High – 6 ft – 8 ft High – 8 ft High with 3 Strands of Barbed Wire Deters Casual Trespassers Too Hard to Climb Easily Deters Intruders • 3 Types of Fencing – Chain Link – Barbed Wire – Barbed Tape or Concertina Wire Prepared by Ernie Hayden, CISSP CEH 64 Fences (2) This is at least 8 Feet • Chain Link – 6 Feet Tall (Excluding Top Guard) – 8 Feet Tall (with Top Guard) – 2 inch Openings or Less – Reach within 2 Inches of Ground or On Soft Ground It Is Below the Surface – Be Sure Vegetation or Adjacent Structures Do Not Bridge Over the Fence Prepared by Ernie Hayden, CISSP CEH 65 Gates, Bollards, Barriers Prepared by Ernie Hayden, CISSP CEH 66 Intrusion Detection & Surveillance • Perimeter Intrusion Detection Systems – Sensors That Detect Access Into the Area • Photoelectric (Usu. Infrared Light) • Ultrasonic • Microwave* • Passive Infrared (PIR) • Pressure Sensitive (Dry Contact Switch) • Surveillance Devices – Closed-Circuit Television (CCTV) Prepared by Ernie Hayden, CISSP CEH 67 Motion Detectors • 3 Categories – Wave Pattern – Generates a Frequency Wave Pattern. If Pattern is Disturbed as it is Reflected Back to its Receiver (low, ultrasonic or microwave range) – Capacitance – Monitor an Electrical Field Around an Object. If Field is Disturbed the Alarm is Triggered. Used for Spot Protection. – Audio Detectors – Monitor for any Abnormal Sound Wave Generation. (Lots of False Alarms) Prepared by Ernie Hayden, CISSP CEH 68 Intrusion Detection Systems • Can Be Installed On: – Windows, Doors, Ceilings, Walls – Any Other Entry Points Such as HVAC, Roof Access Openings, Ducts, etc. • They Detect Change In: – Electrical Circuits, Light Beams – Sounds, Vibrations, Motion – Capacitance Due to Penetration of An Electrostatic Field – Biometrics Prepared by Ernie Hayden, CISSP CEH 69 CCTV • Def: A Television Transmission System That Uses Cameras to Transmit Pictures To Connected Monitors • CCTV Levels: – Detection: The Ability to Detect the Presence of an Object – Recognition: The Ability to Determine the Type of Object (animal, blowing debris, crawling human) – Identification: The Ability to Determine the Object Details (person, large rabbit, small deer, tumbleweed) • Remember: Monitoring Live Events is Preventive and Recording of Events is Detective Prepared by Ernie Hayden, CISSP CEH 70 CCTV Components • Camera – Fixed, Zoom – Pan & Tilt • Transmission Media – Coax Cable – Fiber Cable – Wireless • Monitor Prepared by Ernie Hayden, CISSP CEH 71 CCTV Added Components • • • • • • Camera Tube Pan and Tilt Units Panning Device Mountings Switchers/Multiplexers Remote Camera Controls Prepared by Ernie Hayden, CISSP CEH • Infrared Illuminators • Time/Date Generators • Videotape or Digital Recorders • Motion Detectors • Computer Controls • Video Loss Detectors 72 CCTV Deployment Features • Cameras High Enough to Avoid Physical Attack • Cameras Distributed to Exclude Blind Areas • Appropriate Lenses • Pan, Tilt, Zoom (PTZ) as Required • Ability to be Recorded Prepared by Ernie Hayden, CISSP CEH • Camera System Tied to Alarm System • Number and Quality of Video Frames Increased During Alarm Event • Regular Service of Moving Parts • Cleaning Lenses • Human Intervention 73 CCTV Application Guidelines • Understand the Facility’s Total Surveillance Requirements • Determine the Size of the Area to be Monitored – Depth, Height, and Width – Ensures Proper Camera Lens Specifications • Lighting is Important – Different Lamps and Lighting Provide Various Levels of Effectiveness – ‘Contrast’ Between the Object and Background – For Outdoor Use, the US Army Specifies the Automatically Adjusted Iris Feature Prepared by Ernie Hayden, CISSP CEH 74 CCTV Design Guidelines • System Familiarity is Important – Understand Camera Placement and Detection Field “Shape” • Exterior Camera Concerns – – – – – – Weather Illumination Range Field of View Alignment Balanced Lighting Environmental Housings Mounting Heights • In All Cases, Place Camera High Enough to Avoid Tampering or Collision Prepared by Ernie Hayden, CISSP CEH 75 CCTV Legal and Practical Implications • Storage Implications of Recorded Data • Video Tapes Must Be Stored to Prevent Deterioration • Digital Records Must Be Maintained to Assert Integrity • Human Rights and Privacy Implications in Recording People • Requirements to Blurr/Pixelate Individuals Other than Accused Prepared by Ernie Hayden, CISSP CEH 76 Lighting • Provides a Deterrent to Intruders • Makes Detection Likely if Entry Attempted • Should be Used With Other Controls Such as Fences, Patrols, Alarm Systems, CCTV • Critical Protected Buildings Should Be Illuminated Up to 8 Feet High, with 2 Foot-Candle Power Prepared by Ernie Hayden, CISSP CEH 77 Types of Lighting • Continuous Lighting (Most Common) – Glare Projection – Flood Lighting • • • • Trip Lighting Standby Lighting Movable (Portable) Emergency Lighting Prepared by Ernie Hayden, CISSP CEH 78 Access Control • Card Access Advisory: Magnetic Access Cards Should Have No Company ID On Them – Smart Cards – Mag Stripe Cards – Proximity Cards • Biometrics – Fingerprint – Retina or Iris Scans – Hand Geometry – Signature Dynamics Prepared by Ernie Hayden, CISSP CEH 79 Locks • Tip: Locks are Considered DELAY Devices Only • All Locks Can Be Defeated By Force and/or the Proper Tools • Locks Must Never Be Considered a Stand-Alone Method of Security Prepared by Ernie Hayden, CISSP CEH 80 Locks (2) • Types of Locks – Key Locks – Combination Locks • Key Locks – Key-in-Knob or Key-in-Lever (Cylindrical Lockset) – Only for Low Security Apps – Dead Bolt Locks or Tubular Dead Bolts – Good for Storerooms, Houses (Bolt is “Thrown”) – Mortise Locks (Lock Case is Recessed or Mortised into the Edge of Door) – Low Security Apps – Padlocks • Combination Locks – Combinations Must Be Changed at Specific Times and Under Specific Circumstances Prepared by Ernie Hayden, CISSP CEH 81 Keyless and Smart Locks • Keyless (Cipher) Locks – Push-button locks • Smart Locks – Permit Only Authorized People Into Certain Doors at Certain Times • E.g., Magnetic Stripe Card that is Time Sensitive Prepared by Ernie Hayden, CISSP CEH 82 Lock Security Measures • Key Control Procedures – Restrict Issue of Keys on a Long-Term Basis to Outside Maintenance or Janitorial Personnel – Keep a Record of All Issued Keys – Investigate the Loss of All Keys • When in Doubt, Rekey the Affected Locks – Use as Few Master Keys as Possible – Issue Keys on a Need-to-Go Basis – Remember – Keys are a Single-Factor Authentication Mechanism That Can Be Lost, Stolen, or Copied. • (Use 2-Factor Methods for More Secure Spaces) Prepared by Ernie Hayden, CISSP CEH 83 Compartmentalized Area • Def: Location Where Sensitive Equipment is Stored and Where Sensitive Information is Processed • Must Have a Higher Level of Security Controls Prepared by Ernie Hayden, CISSP CEH 84 Data Center • Walls – Extend from True Floor to True Ceiling • Access Controls – Depending Upon Sensitivity of the Information and Value of Equipment, Electronic Access Controls May Need to be Installed Prepared by Ernie Hayden, CISSP CEH Ref: CISSP Certification, Shon Harris 85 Portable Device Security • Laptops, PDAs, Etc. – Protect the Device – Protect the Data in the Device • Examples: – – – – – – Locking Cables for Docking Stations Tracing Software Audible Motion Alarm Encryption Software PIN Protection for PDAs Inventory System Prepared by Ernie Hayden, CISSP CEH 86 Alarm Systems 1. Local Alarm Systems – Alarm Sounds Locally and Must be Protected from Tampering and Audible for at Least 400 Feet 2. Central Station Units – Monitored 7x24 and Signaled Over Leased Lines – Usually within <10 Minutes Travel Time (Private Security Firms) 3. Proprietary Systems – Similar to Central but Owned and Operated by Customer 4. Auxiliary Station Systems – Systems that Ring at Local Fire or Police Stations Prepared by Ernie Hayden, CISSP CEH 87 Additional Alarm Systems • Line Supervision – Alarm Sounds When Alarm Transmission Medium Detects Tampering. – Secure Detection and Alarm Systems Require Line Supervision • Power Supplies – Require Separate Circuitry and Backup Power with 24 Hour Minimum Discharge Time Prepared by Ernie Hayden, CISSP CEH 88 5 Functional Areas 1. 2. 3. 4. Information Protection Requirements Information Protection Environment Security Technology and Tools Assurance, Trust and Confidence Mechanisms 5. Information Protection and Management Services Prepared by Ernie Hayden, CISSP CEH 89 Drills & Testing • Drills/Exercises/Testing – Keeps Everyone Aware of Their Responsibilities – Building Evacuation Drills Are Important • Physical Vulnerability/Penetration Tests – Should Identify Weak Entry Points – Findings Should Be Documented – Ref: Ira Winkler Stories Prepared by Ernie Hayden, CISSP CEH 90 Checklist, Maintenance & Service • Checklist – Identifies Those Elements of Physical Security That Need to be Checked on a Regular Basis • Maintenance and Service – Needs to be Done – Need to Monitor Who Performs the Maintenance, Especially if it is an Outside Contractor Prepared by Ernie Hayden, CISSP CEH 91 5 Functional Areas 1. 2. 3. 4. Information Protection Requirements Information Protection Environment Security Technology and Tools Assurance, Trust and Confidence Mechanisms 5. Information Protection and Management Services Prepared by Ernie Hayden, CISSP CEH 92 Managed Services • Be Sure To Address: – Contractor Understands and is Contractually Bound to Meet the Organization’s Physical and Procedural Security Requirements – The Contracting Organization Has Ability to Audit or Test the Security Services Provided – There is a Channel of Communications Between the Contracting Authority and the Contractor to Affect Changes As Needed Prepared by Ernie Hayden, CISSP CEH 93 Media Storage Requirements • Common Storage Areas for Media – On Site – safes, desks, storage cabinets – Off Site – data backup vaults (Transportation can be a security concern) • Elements and Resources in Control to Protect the Media – – – – Physical Access Control at Storage Area Environmental Controls (fire, water protection) Inventory Controls and Monitoring Audits Prepared by Ernie Hayden, CISSP CEH 94 Media Storage Requirements (2) • Data Destruction and Reuse – Degaussing or Overwriting Usually Typically Destroys Most Data – Normal Formatting Does Not Destroy the Data – Format or Overwrite 7 Times (Mil-Spec) – Consider Shredding Hard Drives, Other Portable Media – Paper Records = Confetti Shred or Burn Prepared by Ernie Hayden, CISSP CEH 95 Physical Summary • Physical and Procedural Countermeasures: – – – – Provide Identification and Authentication Authorization (Access Control) Accountability Provide Physical Contingency Resources and Alternate Procedures • Organized in a DEFENSE IN DEPTH Strategy • Effectiveness Relies on Knowledge, Skills and Awareness of Staff Prepared by Ernie Hayden, CISSP CEH 96 Ernie Hayden CISSP, CEH enhayden@centurytel.net Cell: 425-765-1400 Prepared by Ernie Hayden, CISSP CEH 97 Uptime Institute • www.uptimeinstitute.com • Zinc Whiskers – “Conductivity Contamination” • Data Center Energy Issues Prepared by Ernie Hayden, CISSP CEH 98