Add to collection(s) Add to saved
  1. Business
  2. Management

Lecture07: PGP and S/MIME

advertisement 
Lecture 08
Physical Security
Asst.Prof.Supakorn Kungpisdan, Ph.D.
supakorn@mut.ac.th
NETE0519-ITEC4614
1
Reference
 M. E. Whitman and H. J. Mattord, Principles of
Information Security, 3rd Edition, Thomson Course
Technology, ISBN 1-4239-0177-0
NETE0519-ITEC4614
2
Learning Objectives
 Discuss the relationship between threats to
information security and physical security
 Describe the key physical security considerations
including fire control and surveillance systems
 Identify critical physical environment considerations
for computing facilities, including uninterruptible
power supplies
NETE0519-ITEC4614
3
Introduction
 Discuss CIA in Physical Security
NETE0519-ITEC4614
4
Introduction (cont.)
 Physical security addresses design,
implementation, and maintenance of
countermeasures that protect physical resources of
an organization
 Most controls can be circumvented if an attacker
gains physical access
 Physical security is as important as logical security
NETE0519-ITEC4614
5
Major Sources of Physical Loss
Sources
Descriptions
Extreme temperature
Heat, cold
Gases
War gases, commercial vapors, humid or dry air,
suspended particles
Liquids
Water, chemicals
Living organisms
Viruses, bacteria, people, animals, insects
Projectiles
Tangible object in motion, powered objects
Movement
Collapse, shearing, shaking, vibration, liquefaction, flow
waves, separation, slide
Energy anomalies
Electrical surge or failure, magnetism, static electricity,
aging circuitry, radiation
NETE0519-ITEC4614
6
Community Roles in Physical
Security
 General management
 responsible for facility security, draft security policy
 IT management and professionals
 responsible for environmental and access security
 Information security management and
professionals:
 perform risk assessments and implementation reviews
for security controls implemented by general
management and IT management
NETE0519-ITEC4614
7
Physical Access Controls
 Access controls for a building are operated by a group
called Facility management
 Secure facility: physical location engineered with controls
designed to minimize risk of attacks from physical threats
 Secure facility can take advantage of natural terrain, traffic
flow, and degree of urban development; can complement
these with protection mechanisms (fences, gates, walls,
guards, alarms)
NETE0519-ITEC4614
8
Physical Access Controls
Physical Security Controls





Walls, fencing, and gates
Guards
Dogs
ID cards and badges
Locks and keys
NETE0519-ITEC4614
Mantraps
Electronic monitoring
Alarms and alarm systems
Computer rooms and
wiring closets
 Interior walls and doors




9
Perimeter Security
 What to examine:
 Natural boundaries at the
location
 Fences or walls around the
site
 The design of the outer
walls of a building
 Divisions and choke points
within a building
NETE0519-ITEC4614
 A series of mechanisms
includes:
 Fences
 Perimeter Intrusion
Detection and Assessment
Systems (PIDAS)
 Security lighting
 Closed-circuit television
(CCTV)
 Security guards and guard
dogs
 Warning signs and notices
10
PIDAS
 Perimeter Intrusion
Detection and Assessment
Systems
 PIDAS has sensors that
detect intruders and feel
vibrations along the fence
 The system may produce
false positives due to stray
deer, high winds, or other
natural events
NETE0519-ITEC4614
11
Physical Security Controls
Walls, Fencing, and Gates
 Some of the oldest and most reliable methods of
physical security
NETE0519-ITEC4614
12
Fencing
 A fence with proper design and height can delay an
intruder and work as a psychological barrier
 A risk analysis should be performed to evaluate types of
physical assets to be protected
 4-foot fence will deter a casual trespasser
 8-foot fence will keep a determined intruder out
 Need to consider gauge and mesh size of the wire
 The smaller the mesh, the more difficult it is to climb
 The heavier the gauge, the more difficult it is to cut
NETE0519-ITEC4614
13
Gauge and Mesh
16G with 50mm vs 25 mm mesh
NETE0519-ITEC4614
14
Fencing (cont.)
NETE0519-ITEC4614
15
Gates
 UL Standard 325 details
requirements for gates with 4
classifications:




Residential Class 1
Commercial Class 2
Industrial Class 3
Restricted Access Class 4
 Bollards are made of concrete
or steel and used to block
vehicle traffic or to protect
areas where pedestrians are
entering or leaving buildings
NETE0519-ITEC4614
16
Guards
 Guards have the ability to
apply human reasoning
 Most guards have clear
Standard Operating
Procedure (SOPs)
 Need to have job
references and be
subjected to a background
check
NETE0519-ITEC4614
17
Dogs
 Guard dogs are keen to
smell and hearing. They
can detect intrusions that
human guards cannot.
 They can be placed in
harm’s way when
necessary to avoid risking
the human life
NETE0519-ITEC4614
18
ID Cards and Badges
 Ties physical security with
information access control
 ID card is typically concealed
whereas name badge is visible
 Serve as simple form of biometrics
(facial recognition)
 Should not be only means of control
as cards can be easily duplicated,
stolen, and modified
 Tailgating (Piggybacking) occurs
when unauthorized individual follows
authorized user through the control
NETE0519-ITEC4614
19
Locks and Keys
 Two types of locks: mechanical
and electromechanical
 Locks can also be divided into
four categories: manual,
programmable, electronic,
biometric
 Locks fail and alternative
procedures for controlling
access must be put in place
 Locks fail in one of two
ways:
 Fail-safe lock: the lock fails
and the door unlocks
 Fail-secure lock: the lock
fails and the door locks
Where to apply fail-safe or fail-secure locks?
NETE0519-ITEC4614
20
Locks and Keys (cont.)
NETE0519-ITEC4614
21
Mantrap
 Small enclosure that has entry point and different
exit point
 Individual enters mantrap, requests access, and if
verified, is allowed to exit mantrap into facility
 Individual denied entry is not allowed to exit until
security official overrides automatic locks of the
enclosure
NETE0519-ITEC4614
22
Mantraps (cont.)
NETE0519-ITEC4614
23
Electronic Monitoring
 Records events where other types of physical
controls are impractical or incomplete
 May use cameras with video recorders; includes
closed-circuit television (CCTV) systems
 Drawbacks
 Reactive; does not prevent access or prohibited activity
 Recordings often are not monitored in real time; must
be reviewed to have any value
NETE0519-ITEC4614
24
Alarms and Alarm Systems
 Alarm systems notify when an event occurs
 Detect fire, intrusion, environmental disturbance, or
an interruption in services
 Rely on sensors that detect event; e.g., motion
detectors, smoke detectors, thermal detectors,
glass breakage detectors, weight sensors, contact
sensors, vibration sensors
NETE0519-ITEC4614
25
Alarm Sensor
Photoelectric sensor
Motion detection sensor
(photoelectric infrared)
Glass break sensor
NETE0519-ITEC4614
26
Computer Rooms and Wiring
Closets
 Require special attention to ensure confidentiality,
integrity, and availability of information
 Logical controls easily defeated if attacker gains
physical access to computing equipment
NETE0519-ITEC4614
27
Interior Walls and Doors
 Information asset security sometimes compromised by
construction of facility walls and doors
 Facility walls typically either standard interior or firewall
 High-security areas must have firewall-grade walls to
provide physical security from potential intruders and
improve resistance to fires
 Doors allowing access to high security rooms should be
evaluated
 Recommended that push or crash bars be installed on
computer rooms and closets
NETE0519-ITEC4614
28
Fire Security and Safety
 Most serious threat to safety of people who work in
an organization is possibility of fire
 Fires account for more property damage, personal
injury, and death than any other threat
 Imperative that physical security plans examine
and implement strong measures to detect and
respond to fires
NETE0519-ITEC4614
29
Fire Detection and Response
 Fire suppression systems: devices installed and
maintained to detect and respond to a fire
 Deny an environment of heat, fuel, or oxygen




Water and water mist systems
Carbon dioxide systems
Soda acid systems
Gas-based systems
NETE0519-ITEC4614
30
Fire Detection
 Fire detection systems fall into two general
categories: manual and automatic
 Part of a complete fire safety program includes
individuals that monitor chaos of fire evacuation to
prevent an attacker accessing offices
 There are three basic types of fire detection
systems: thermal detection, smoke detection, flame
detection
NETE0519-ITEC4614
31
Fire Suppression
 Systems consist of
portable, manual, or
automatic apparatus
 Portable extinguishers are
rated by the type of fire:
Class A, Class B, Class C,
Class D
 Installed systems apply
suppressive agents;
usually either sprinkler or
gaseous systems
NETE0519-ITEC4614
32
Fire Suppression Classes
 Class A: Fires of ordinary combustible fuels. Use water and
multipurpose, dry chemical fire extinguishers.
 Class B: Fires fueled by combustible liquids or gases, such as
solvents, gasoline, paint, lacquer, and oil. Use carbon dioxide,
multipurpose dry chemical, and halon fire extinguishers.
 Class C: Fires with energized electrical equipment or appliances.
Use carbon dioxide, multi-purpose dry chemical, and halon fire
extinguishers.
 Class D: Fires fueled by combustible metals, such as magnesium,
lithium, and sodium. Use special extinguishing agents and
techniques.
NETE0519-ITEC4614
33
Gaseous Emission Systems
 Until recently, two types of systems:
carbon dioxide
and Halon
 Carbon dioxide robs a fire of oxygen
supply
 Halon is clean but has been
classified as an ozone-depleting
substance; new installations are
prohibited
 Alternative clean agents include FM200, Inergen, carbon dioxide, FE-13
(trifluromethane)
NETE0519-ITEC4614
34
Failure of Supporting Utilities and
Structural Collapse
 Supporting utilities (heating, ventilation, and air
conditioning; power; water; and others) have
significant impact on continued safe operation of a
facility
 Each utility must be properly managed to prevent
potential damage to information and information
systems
NETE0519-ITEC4614
35
Heating, Ventilation, and Air
Conditioning
 Areas within heating, ventilation, and air
conditioning (HVAC) systems that can cause
damage to information systems include:
 Temperature
 Humidity
 Static electricity
NETE0519-ITEC4614
36
Ventilation Shafts
 While ductwork is small in
residential buildings, in
large commercial buildings
it can be large enough for
an individual to climb
though
 If vents are large, security
can install wire mesh grids
at various points to
compartmentalize the runs
NETE0519-ITEC4614
37
Uninterruptible Power Supply (UPS)
 In case of power outage, UPS is backup power
source for major computer systems
NETE0519-ITEC4614
38
Emergency Shutoff
 Important aspect of power management is the need
to be able to stop power immediately should a
current represent a risk to human or machine
safety
 Most computer rooms and wiring closets are
equipped with an emergency power shutoff
NETE0519-ITEC4614
39
Water Problems
 Lack of water poses problem to systems, including
functionality of fire suppression systems and ability
of water chillers to provide air-conditioning
 Surplus of water, or water pressure, poses a real
threat (flooding, leaks)
 Very important to integrate water detection systems
into alarm systems that regulate overall facilities
operations
NETE0519-ITEC4614
40
Structural Collapse
 Unavoidable forces can cause failures of structures
that house organization
 Structures designed and constructed with specific
load limits; overloading these limits results in
structural failure and potential injury or loss of life
 Periodic inspections by qualified civil engineers
assist in identifying potentially dangerous structural
conditions
NETE0519-ITEC4614
41
Maintenance of Facility Systems
 Physical security must be constantly documented,
evaluated, and tested
 Documentation of facility’s configuration,
operation, and function should be integrated into
disaster recovery plans and operating procedures
 Testing helps improve the facility’s physical
security and identify weak points
NETE0519-ITEC4614
42
Interception of Data
 Three methods of data interception:
 Direct observation
 Interception of data transmission
 Electromagnetic interception
 U.S. government developed TEMPEST program to
reduce risk of electromagnetic radiation (EMR)
monitoring
NETE0519-ITEC4614
43
Mobile and Portable Systems
 With the increased threat to information security for
laptops, handhelds, and PDAs, mobile computing
requires more security than average in-house
system
 Many mobile computing systems have corporate
information stored within them; some are
configured to facilitate user’s access into
organization’s secure computing facilities
NETE0519-ITEC4614
44
Mobile and Portable Systems
(cont.)
 Controls support security and retrieval of lost or stolen
laptops
 CompuTrace software, stored on laptop; reports to a central
monitoring center
 Burglar alarms made up of a PC card that contains a motion
detector
NETE0519-ITEC4614
45
Special Considerations for Physical
Security Threats
 Develop physical security in-house or outsource?
 Many qualified and professional agencies
 Benefit of outsourcing includes gaining experience and
knowledge of agencies
 Downside includes high expense, loss of control over
individual components, and level of trust that must be
placed in another company
 Social engineering: use of people skills to obtain
information from employees that should not be
released
NETE0519-ITEC4614
46
Inventory Management
 Computing equipment should be inventoried and
inspected on a regular basis
 Classified information should also be inventoried
and managed
 Physical security of computing equipment, data
storage media, and classified documents varies for
each organization
NETE0519-ITEC4614
47
Physical Security in ISO27001
A.9 Physical and Environmental Security
 A9.1 Secure areas
A9.1.1 Physical security perimeter
A9.1.2 Physical entry control
A9.1.3 Securing offices, rooms, and facilities
A9.1.4 Protecting against external and environmental
threats
 A9.1.5 Working in secure areas
 A9.1.6 Public access, delivery and loading areas




NETE0519-ITEC4614
48
Physical Security in ISO27001
A.9 Physical and Environmental Security (cont.)
 A9.2 Equipment security







A9.2.1 Equipment siting and protection
A9.2.2 Supporting utilities
A9.2.3 Cabling security
A9.2.4 Equipment maintenance
A9.2.5 Security of equipment off-promises
A9.2.6 Secure disposal of re-use of equipment
A9.2.7 Removal of property
NETE0519-ITEC4614
49
Summary
 Threats to information security that are unique to
physical security
 Key physical security considerations in a facility site
 Physical security monitoring components
 Essential elements of access control
 Fire safety, fire detection, and response
 Importance of supporting utilities, especially use of uninterruptible
power supplies
 Countermeasures to physical theft of computing devices
NETE0519-ITEC4614
50
Questions?
NETE0519-ITEC4614
51
Related documents
Chapter 9 - Department of Accounting and Information Systems
Chapter 9 - Department of Accounting and Information Systems
Document15632755 15632755
Document15632755 15632755
Common Structural Forms
Common Structural Forms
Castles – card sort
Castles – card sort
Let the walls fall down (E)
Let the walls fall down (E)
A GUIDE TO GREAT WALLS
A GUIDE TO GREAT WALLS
TOWNSVIEW SCHOOL Grade 7 English Prime Supply List 2015-16
TOWNSVIEW SCHOOL Grade 7 English Prime Supply List 2015-16
Multicore and parallel programming Contact information: Håkan
Multicore and parallel programming Contact information: Håkan
Download
advertisement