12 - Assignment, Discussion
ISOL 634 Physical Security
Lesson 12 - Physical Security Recap
Copyright © 2013, Elsevier Inc. All rights reserved.
Definition of Physical Security
• Security risks and problems in many forms
– Elimination and/or mitigation require planning and understanding of:
• Security needs
• Conditions
• Threats
• Vulnerabilities
Definition of Physical Security
• Risk management—basic first step of assessing security and planning appropriate levels of assets protection
• Physical security—use of physical controls to protect premises, site, and other physical assets
Definition of Physical Security
• Application of physical security:
– Process of using layers of physical protective measures to prevent:
• Unauthorized access
• Harm
• Destruction of property
Definition of Physical Security
• Contributes to protection of people and information
• Number 1 goal is safety of personnel
– Non-physical protection methods also used
– Physical security is the baseline security measure on which all other security measures and functions are built
Definition of Physical Security
• Used to ensure that only authorized persons have access
– Must be appropriate for operating environment
• Manufacturing facility measures should be different than sales offices
• Different areas of a country or different countries may need different types of physical security
Perimeter Protection – Defense-in-Depth
• Defense-in-depth is the practice of combining multiple mitigating security controls to protect resources and data
• In this concept, people, procedures, and equipment integrate to form systems of controls
• When you layer these controls upon each other, you require an attacker to expend resources in attempting to get through each layer
• Procedures within one layer need to dovetail with other processes in adjoining layers in order to minimize process gaps
• No single physical control will fulfill all security needs
Notifications
• Have procedures to notify management, incident response teams, or public safety officials (police, ambulance, fire) in case of an incident
• In case of environmental problems, have a way to notify appropriate government agency
Outer Layers of Protection
• Depend on type of facility and location
– Examples:
• Walls of an office building in a city may be the only perimeter
• Manufacturing facility in an industrial district may have parking lots, storage areas, and grounds surrounding the building(s)
Outer Layers of Protection
• Perimeter is layer of first control and may take many forms:
– Building walls
– Fence line or wall at property edge
– Outermost layer could be:
• Highway
• Natural physical barrier
• Other human-made barriers
Grounds
• Many purposes:
– Purely decorative
– Functional—storage and warehouses
– Buffer or barrier between perimeter and building
– Clear zone—unobstructed observation
– If used for storage, should be organized and maintained
Roads
• Both necessary and problematic
– Allow easy access to facility
– Allow unauthorized personnel easy access too
– Degree of control needed varies
• Depends on type of road and its uses
Roads
• Public or private:
– Public—no allowance for additional controls
• Exist to facilitate movement of vehicles and people in municipality, city, or state
• If facility adjacent, controls can only begin where property begins
• Private:
– Much greater control
– Can install controls that restrict passage
– Can determine who has access and under what conditions
– Should begin as close to outer perimeter as possible
Fences, Walls, Gates, Other Barriers
• Two barrier types for perimeter protection
– Natural barriers
• Rivers, lakes, other bodies of water
• Cliffs
• Dense and/or thorny plant life
– Structural barriers
• Highways
• Fences
• Walls
• Gates
• Other types of construction prohibiting or inhibiting access
Fences, Walls, Gates, Other Barriers
• Fences
– Most common barrier
– Erected quickly for low cost (basic chain-link)
– More effective by adding:
• Barbed wire or concertina wire
• Alarm systems
• Doubled fencing with alarmed clear zones between
– Type selected determined by specific need
Fences
• Typical fence:
– 7 feet high with 9-gauge wire
– Rests no more than 2 inches above ground
– Concrete trough/border at base
– Three strands of barbed wire on top, placed at 45° overhang facing away from property
– Structures and trees far enough away
Walls
• Same purpose as fences
– Generally more expensive
– May be—brick, block, masonry, stone
– Greater aesthetic value
– Most effective
• At least 7 feet high, three strands of barbed wire
Walls
• Disadvantage
– Obstruct view of area
• Overcome by keeping clear zones for several feet on each side
• Video cameras for observation
• Use of roving patrols
– Controlling access to other openings critical when walls are only outer barrier
Gates
• Both facilitate and control access
– Must be controlled to ensure only authorized personnel
– Controls include:
• Guards
• Electronic interactive access control systems
• Remote control access with video camera
Gates
• Number should be kept at a minimum
– The more gates, the more resources used
– More potential problems—a potential vulnerability
• Closed, locked, eliminated when not used
– Additional gate useful for periodic need
– Monitor when not in use
– Physical inspection to ensure security
Natural Barriers
• Effectiveness depends on:
– Barrier itself
– How it is used
• May need to augment with human-made barrier.
• Need to be monitored as much as man-made barriers
Other Openings
• Openings not designed for personnel:
– Sewage pipes and drains
– Utility tunnels
– Heating, ventilation, and AC ducts (HVAC)
• Lock or monitor
– Any opening larger than 96 square inches:
• Doors, bars, or grillwork
• Not practical for openings requiring access
– Assess all openings and implement protective measures
Buildings and Doors
• Often where outer security ends and inner security begins
– Keep areas close to building exteriors clear
• Clear zone of 10–15 feet
• Gives unobstructed observation by cameras and guards
– First line of defense for inner perimeter
Parking
• Necessary for employees, customers
– Should not be allowed within outer perimeter
• Place to conceal stolen items
• Contraband or weapons
– If necessary to park within outer perimeter
• Additional fencing should be erected to separate parking area from rest of facility
Parking
• Parking spaces linked to company status
– City and state laws on parking for disabled
– Difficult to manage and police
– Establish parking rules
– Company-owned vehicles only exception to parking within perimeter
• Park in secure, well-lighted area
• Should not be parked in same area as privately owned vehicles
Lighting
• Several purposes:
– Reduces accidents/injury possibility
– Deterrent to intruders
– Clear observation of grounds, fences, wall, building
Lighting
• Guidance for levels of illumination from:
– Federal sources
– Sellers/installers of exterior and parking lot lighting
• Best to conduct an actual test
Lighting
• Adequate lighting a deterrent
– Intruders less likely to enter
• Should be protected from tampering
– Kept within perimeter
– High enough to make tampering difficult
– Backup power
Lighting
• Can be:
– Programmed to turn on/off at specific times
– Light-, movement-, heat-sensitive
– Linked to alarm systems and support CCTV
• Requires frequent inspection
Lighting
• Needs vary with site or facility
– Should be considered as part of security
– For areas requiring direct protection, lighting:
• Should illuminate area
• Should not interfere with ability to monitor area
– Too much lighting causes spots on camera and sight
• Should illuminate doors, gates, other entrances
• Should illuminate areas with heavy traffic
Lighting
• Issues about lowering utility costs
– Security lights on in daytime / photocell or timers not working properly
– How to reduce costs
• Possible answers
– Solar-powered lighting
– LED lighting
Surveillance
• Accomplished by:
– Security guards
– Cameras
– Combination of both—maximum observation and effectiveness
• Assess need against existing practice and capability
Surveillance
• Plan considerations for surveillance:
– Purpose—deterrence or observation
– Identify critical/high-risk areas
– Camera and guard mix
– Camera location and need for hidden camera
– Recording capability needed
– Type of camera needed
Surveillance
• Check for alternatives if no budget for cameras
– For example: Fake cameras with LED powered by batteries to indicate camera is working
• Appears surveillance cameras being used
• May deter some intruders
• Does not see area activities
• If not done correctly, gives itself away
Alarms
• One of many layers of protection
– Use/extent determined in planning process
– Site physical security survey should identify:
• Vulnerabilities (current and potential)
• Layers of protection in use
– When assessed against threats, alarm need will become apparent
Alarms
• Augment barriers and guards
– Enhance detection process
• Serve as a deterrent
– Used to call attention to immediate problem
– Audible alarm systems serve as obstacle more than silent alarms
Alarms
• Types of alarm systems, most often:
– Intrusion detection—as part of outer barrier, used to indicate penetrations
• Different types available for fences, gates, walls
– Fire detection
Alarms
• Used for both inner and outer layers of physical security
– Outer layer—advanced warning notice that outer layer is compromised
• Indicator that intruder is in area of property being protected
Alarms
• Only effective if there is a response
– Response is essential
– Intruders may test alarm system by activating, then waiting for response
– Periodically test/time responses
Alarms
• Balance in protection capabilities/costs
– Reduce need for large, stationary guard force
– Allow for configuration of:
• Alarm monitors
• Respondents
• Patrol
– Save money by replacing some guards
Alarms
• Cost more to install than maintain
– Once installed, maintenance/monitoring costs less than personnel costs
– Over years, usually more cost-effective
• Decisions on:
– Audible alarm or silent alarm?
– Connected to security command center?
– Duress alarms
– Monitoring contract
Inner Layers
• Outer layer—outside the building
– Sometimes outer perimeter security begins at building walls—single outer layer of security
• First layer—walls, doors, windows
– Single layer of outer physical security
– Penetration of single layer allows access to inner layers
Buildings, Doors, Windows, Glass
• In urban areas, walls, doors, windows may be outermost perimeter or first layer of inner perimeter
– Depends on facility configuration
– Control all openings
• Doors
• Windows
• Ducting passageways
• Conduits
• Power, communication, HVAC system entry points
– Any openings serving no function should be permanently closed.
Buildings, Doors, Windows, Glass
• Modify openings larger than 96 square inches to prevent human access
– Windows—locked and alarmed
• Alarms to detect entry or tampering
• May need man bars, screening
• Type of glass to vary depending on location
• Windows (cont'd)
– Ground level—stronger glass, may be bulletproof
– Risk assessment including personnel safety to make cost-effective decision
Buildings, Doors, Windows, Glass
• Doors:
– Locked when not in use
– Controlled when in use
• Guards at door
• Mechanical or electronic access control systems
• Exterior doors stronger than interior doors unless interior doors used to provide specific protection to assets
• Door accessories same strength as doors
– Locks
– Hinges (on inside)
Locks, Keys, Combinations
• Locks an essential part of physical security
– Cost effective—largest expenses:
• Initial purchase
• Installation
• Control of use
– Simple means of denying access
• Usually little maintenance required
Locks, Keys, Combinations
• Higher quality of lock, longer it takes to break it.
– Simple locks easily picked, damaged
– Vary in quality and type
– Choosing appropriate lock based on:
• Planned usage
• Specific needs
• Assets requiring protection
Locks, Keys, Combinations
• Control of locks, keys, combination essential
– Severely limit issuance of master keys
– Account for all locks, keys, combinations
• Keys, combinations issued in accordance with need to perform a job
• Permanent record of personnel issued keys
• Rekey locks when keys lost or stolen
Locks, Keys, Combinations
• Never issue keys on permanent basis
– Annual assessment of needs/requirements
• Identify lost/stolen keys not reported to security
– Issue locks, keys, combinations to individuals
• Not to groups
• If individual accountability is a requirement
• Sharing risks theft or misappropriation (like sharing computer passwords)
Roofs
• Part of outer or inner perimeter
– Openings for:
• Maintenance
• Power
• HVAC
• Other conduits
Roofs
• Same principles as barriers and walls
– Control openings
– Locking devices and barriers
• Screens
• Bars
– Control ladders/stairs leading to roofs
– Make access difficult to unauthorized personnel, but follow fire regulations
Areas, Rooms, Containers, and Safes
• Inside buildings:
– Open work areas
– Individual offices
– Storage containers
– Safes
• Protection dependent on their use and asset value
Areas, Rooms, Containers, and Safes
• Open work areas
– May not require additional controls
– Employees, visitors need to move freely here
– Access authorization verified at outer or inner perimeter
– Based on risk management
– Other areas—conference rooms, cafeterias—may not need more controls.
Areas, Rooms, Containers, and Safes
• Requiring additional controls:
– Areas/rooms where more sensitive work done
– More sensitive material located
• Simplest controls on entryways:
– Locking devices
– Access control
• Physical controls dependent on cost-risk philosophy
Areas, Rooms, Containers, and Safes
• Most sensitive information/materials:
– Safes
• Various sizes and strengths
• Simple combination or key lock safes for less sensitive material
• Most sensitive information/material—high-security safes and vaults
Access Controls
• A critical component of security in layers
– Ensures only authorized personnel and vehicles enter and exit
– Reduces risk of loss/damage to assets
– Require integration of security functions
Access Controls
• Useful access control tools:
– Security officers
– Locks—combination, code, or key
– Card reader systems—magnetic stripe, optical bar code, proximity cards, and biometric systems
Access Controls
• Physical security survey:
– Focus on identifying access control vulnerabilities, existing practices
– Compared with what is needed
– Develop/implement access control profile best fitting site
• Profile must address:
– Who has authorized access
– Under what conditions
– Individual security processes
– Tools needed to design/implement controls
Access and Visitor Logs
• Access and visitor logs are in common use in most corporate environments
• Logs are often kept at a guard location at the entrance to a secure area
• They should be stored in a safe location for review at a later date, should that prove necessary
Data Center Facilities
• Security starts with entry into the facility, which requires passing a receptionist or guard, then a proximity card
• As you progress to the innermost area, you require the same proximity card, along with a PIN, plus a biometric device
• Internal mantrap or portal at data centers can enhance access control methods even further
• No windows
• Walls from floors to ceiling (no drop ceiling)
• Separate HVAC
Communications Equipment
• WAPs (Wireless Access Points) - Exposed throughout - Should be hard to remove/open and monitored
• NAC (Network Access Control) - Access and validity control to network devices - Can monitor WAPs - Validate software and release (VPN)
• Cabling
• Conduit - can be pressurized/anti-tamper – prevent moisture
• Utility and power rooms - Power over Ethernet (PoE) / UPS / Generators
• Controls and countermeasures to the same level as server room
Work Area Security
• What are some best practices for work area security?
• Usually less secure than network
• Two Man Rule (One person not left alone)
• Restricted / Common Work Areas
Environmental Controls
• Key threats to support systems:
– Power loss
– HVAC failure (not sq ft, but load)
• Temp should be between 70-74 F / 40-45% humidity
– Water (flooding / dripping / leaking)
– Gas leaks
– Fire (greatest risk)
– Sewage backup/breakage
What Should Be Controlled—Vehicles
• All vehicles entering and exiting
– Only those authorized on site
– Need procedures on traffic flow and parking
– Violations enforced
– At the least, consider random inbound and outbound searches.
What Should Be Controlled—Employees
• Procedures to allow easy access to work areas
– Prompt and efficient movement in/out of facility
– Same for all employees
– Identification for authorized access a standard practice
What Should Be Controlled—Employees
• If more than 50 employees:
– Do not rely on personal recognition
– Personnel changes and turnover better accomplished with automated systems
– Employees should be subject to random entry/exit searches
• NO exceptions
Vendors, Suppliers, Customers, and Visitors
• Few non-employees should be allowed free and complete facility access
– Vendors/suppliers assigned to a site on a full-time basis, requiring unrestricted site access
• Provide non-employee identification
• Scheduled periodic review of need
• Have an established expiration date
• Random entry/exit searches
• Might require escort
How Do You Control Them?
• Vehicle and Personnel Gates
– First line of protection for facility access
• Employees and visitors enter here
• Process in place to:
– Allow employees through
– Properly process visitors according to procedures
• Employee ID badges with electronic card ID system most common tool
Building Lobbies and Doors
• Same controls for gates effective for lobbies and doors
– Guards/receptionists
• Priority is access control, not receptionist
• If conflict in role, should have separate personnel for both jobs
Interior Areas and Rooms
• Access control mechanisms:
– Lock and key devices—discussed above
– Card key access systems and badges—discussed above
– Other employees:
• Important role in access control
• Should be trained to challenge unauthorized personnel or to report it to security
Badges
• Primary use—employee identification
– Can be coupled with access control systems
• Magnetic or bar codes, proximity cards linked to ID badge
• Can contain specific employee characteristics to make badge a reliable authentication device
Badges
• To ensure effectiveness, process of using the badge must be controlled.
– Establish and maintain specific parameters and rules:
• Who is authorized?
• Data needed on badge
• Security controls issuance and accountability
• Badges recovered from those leaving
• Reported lost or stolen badges; remove from system
• Worn or damaged, exchange for new
• Tracking system
• Periodic review
• Badges not in use—controlled or destroyed
• Tamper-resistant features
Badges
• At small facilities, personal recognition best form of ID
– Ensure ability to ID those who have left
– Larger facilities—personal ID not practical
• Need badge system
Badges
• Need to control access and movement of visitors, suppliers, customers
– Badge process for nonemployees
– Clearly IDs person as nonemployee, with appropriate restrictions
• Escort requirements
• Badge expiration dates
• Specific areas authorized
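The layered entry on the Data Center Facilities slide (proximity card at the facility entry; card, PIN and biometric at the innermost area) and the badge rules on the Badges slides (lost or stolen badges removed from the system, expiration dates, specific areas authorized, escort requirements) can be combined into one access decision. This is an added example, not part of the original slides; the zone names, the Badge fields and the decide function are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Factors each zone demands, outermost to innermost. Zone names are assumed;
# the factor sets follow the Data Center Facilities slide.
ZONE_FACTORS = {
    "facility_entry": {"card"},
    "innermost_area": {"card", "pin", "biometric"},
}


@dataclass(frozen=True)
class Badge:
    badge_id: str
    employee: bool
    active: bool = True               # False once lost, stolen or recovered
    expires: Optional[date] = None    # required on non-employee badges
    areas: frozenset = frozenset()    # specific areas authorized
    escort_required: bool = False


def _usable(badge, zone, today):
    """Return None if the badge itself is valid for the zone, else a reason."""
    if not badge.active:
        return "badge removed from system"
    if not badge.employee and badge.expires is None:
        return "non-employee badge has no expiration date"
    if badge.expires is not None and today > badge.expires:
        return "badge expired"
    if zone not in badge.areas:
        return "area not authorized"
    return None


def decide(badge, zone, verified_factors, today, escort=None):
    """Return (allowed, reason) for one entry attempt.

    verified_factors: factors the readers at the door confirmed (assumed
    to be reported by the door hardware as plain strings).
    """
    if zone not in ZONE_FACTORS:
        return False, "unknown zone"
    problem = _usable(badge, zone, today)
    if problem:
        return False, problem
    missing = ZONE_FACTORS[zone] - set(verified_factors)
    if missing:
        return False, "missing factor(s): " + ", ".join(sorted(missing))
    if badge.escort_required:
        # The escort must be an employee whose own badge is valid here.
        ok = (escort is not None and escort.employee
              and not escort.escort_required
              and _usable(escort, zone, today) is None)
        if not ok:
            return False, "escort required"
    return True, "granted"


if __name__ == "__main__":
    # Constructed sample badges and dates, for illustration only.
    zones = frozenset(ZONE_FACTORS)
    staff = Badge("E-0001", employee=True, areas=zones)
    vendor = Badge("V-0001", employee=False, expires=date(2024, 1, 31),
                   areas=zones, escort_required=True)
    all_factors = {"card", "pin", "biometric"}
    day = date(2024, 1, 10)
    for args in [
        (staff, "innermost_area", {"card"}, day),
        (staff, "innermost_area", all_factors, day),
        (vendor, "innermost_area", all_factors, day),
        (vendor, "innermost_area", all_factors, day, staff),
        (vendor, "facility_entry", {"card"}, date(2024, 2, 1)),
    ]:
        print(args[0].badge_id, args[1], decide(*args))
```

Each denial reason doubles as the entry to record in the access log, so a later review can tell an expired visitor badge from a missing factor at the inner door.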
Badges
• Educate employees on badge process
– Guidance and training
– Able to recognize authorized badges and how to react to unauthorized badges
– Need employee buy-in to make badge process work
Guards
• Integral part of physical security profile
– Add human element, used in situations requiring:
• Observation
• Training
• Judgment
– Example: Vehicle access control functions (checking ID of vehicle and driver, flexibility for vehicle inspection)
Guards
• Capability of patrolling site/facility
– Making observation and noting changes to be investigated
– Mobility makes them valuable
• One of most common security functions outsourced and/or replaced with high-technology devices
Guards
• Factor to consider—armed guards:
– Some laws may prohibit use
– Executive management may not want it
– Creates presence of security
– May be at some locations but not others (according to where assets are located)
– More highly trained, may cost more
Alarms and Surveillance in Inner Layer
• Requires same considerations as outer layer:
– Extent to which they are used or not depends on:
• Threats
• Vulnerabilities
• Risks
• Criticality of assets
Physical Security Costs
• Must find an appropriate balance between:
– Adequate protection levels
– Cost of physical protection
• Too little security leads to vulnerability
• Too much reduces risks, but is an unnecessary expenditure
– Difficult to objectively demonstrate need for expenses
Physical Security Costs
• Common security axiom:
– The more doors and openings, the more difficult to control access
• Tradeoff—cost of security against employee convenience
• Comes down to what is acceptable risk after risk mitigation / value of loss
Physical Risk Assessments
• Understanding of threats to assets and likelihood of an occurrence is fundamental to developing a profile
– Recognizing threats helps plan effective security measures without implementing redundant measures
Physical Risk Assessments
• Assessing physical threats after vulnerabilities—not easy
– Need to understand business environment
– Benchmarking:
• Identify similar business and their perceived threats
• Determine their protective measures
Physical Risk Assessments
• Other means of threat assessment:
– Consult experts
– Seek guidance of security professionals in similar situations
– Consult with insurance provider
– Talk to risk managers
– Talk to local police about local crime
Physical Risk Assessments
• Risk assessment—product of determining threats and their consequences
– If significant, implement protective measures
– If not significant may be inefficient use of resources that do not add value
Assignment
• Read Chapter 21
• Review of Article Where Physical Security Failed
o Submit a review of an article where physical security failed
o Propose a possible change in that organization’s physical security that could have prevented the breach for that scenario
o Submit at least 2 but no more than 4 pages double spaced. No photos or graphs.
o Reference all sources used
o You may submit a second review if you change your mind after submitting the first review, but only the last attempt will be graded
o Assignment is worth 50 points