ISSAPSession5 - Silver Bullet Solutions, Inc.

ISSAP Session 5
Physical Security
14 September 2011
Physical Security
• Questions from Session 4?
• Session 1, 2, 3, & 4 handouts are posted
on www.silverbulletinc.com/DM2
• Contact Shelton Lee for credentials
– [email protected]
Physical Security
• Schedule – Ten Sessions
08/24/2011 Organization
08/29/2011 Access Control pg 3-62
08/31/2011 Access Control pg 62-117
09/07/2011 Cryptography pg 125-172
09/12/2011 Cryptography pg 173-212
09/14/2011 Physical Security pg 222-285
09/19/2011 Requirements pg 293-351
09/21/2011 BCP & DRP pg 357-371
Telecom pt 1 pg 379-399
09/26/2011 Telecomm pt 2 pg 399-440
09/28/2011 Review
Physical Security
• Identification and Protection of restricted
work areas including traffic controls,
access controls, and monitoring
• Selection of locations and design of
secure facilities
• Addressing facility infrastructure
• Remediation of Risks
Physical Security
• Physical Security Risks
– Risk: “Chance of encountering harm or loss;
hazard; danger”
– Risk can be reduced or mitigated
– Logical controls can control electronics; physical
controls can prevent theft
Physical Security
• Unauthorized Access
– Traffic Monitoring
• CCTV, entry control point
• Roadway design
– Minimise speed
– Barriers, berms, high curbs, trees, earthworks
– Existing: add speed bumps, barriers
• Parking
– Keep threat away from building
– Perimeter buffer zones
– Barriers
– Structural hardening
– Clear zone area
Physical Security
• FEMA – things to keep away from entrances,
vehicles, parking, maintenance.
• Emergency generator, fuel system, day tank, fire sprinklers,
water supply
• Large fuel storage
• Telephone distribution
• Fire pumps
• Building control centers
• UPS
• Elevator Machinery
• Shafts for stairs, elevators, & utilities
• Feeders for emergency power
Physical Security
• Parking garage
– Two main threats: crime and vehicles hitting
pedestrians
– Control access
• Gate
– Transponders
– Badge reader
• Visitors and all deliveries kept outside
Physical Security
• Open Area Parking
• Initial access control
– Automatic gate
– Controlled perimeter
– Entry only/exit only design
– View of buildings but past stand-off zone
• Loading Docks
– Designed to be invisible
– Specific guard
» Log records
– Secure Overhead doors
– Implement personnel screening
– Detailed logging, preferably remote
– Security Awareness Training
– No direct access from loading area to offices
Physical Security
• Signage
• Designed to be discreet from outside yet deter
intruders
• No more than 100 feet apart. Not on fences, posts,
or light poles
• Direct employees
• Prevent accidental entry
• At entry point warn of procedures
• Caution drivers and pedestrians
• May need to be multi-lingual
Physical Security
• Surveillance Devices
– Three characteristics
• Detection
• Nuisance alarm rate
• Vulnerability to defeat
– Open terrain for flat cleared areas
• Infrared, microwave, combination, new emerging
video content analysis and motion path analysis
Physical Security
• Infrared
– Passive is heat based
– Active uses transmitted beam, detects interruption
• Microwave
– Bistatic
• Detects motion
• Goes through steel and concrete
• Volumetric detection field
• Sender and receiver
– Monostatic
• Single device
• May have cut off circuit to limit range
– Fewer nuisance alarms
Physical Security
• Coaxial Strain Sensitive Cable
– Microswitches and turnbuckles
– Small animals may trigger
– Some susceptible to electromagnetic triggering & RFI,
which may cause false alarms
– Defeat Measures
• Tunnelling, jumping, bridging
• Taut wire system
– Microswitches and turnbuckles
– Internal magnetic contact
– Ignores small animals
– Most costly
Physical Security
• Time Domain Reflectometry
• Induced RF signals through a cable
• Climbing or flexing causes change
• Can tell by delay where alarm triggered
• Closed loop – can detect cut
• Large area and depth detection
• Requires training – high false rate
Physical Security
• Closed Circuit TV (CCTV)
• Visual confirmation
• Not first line
• Effective at evaluating threat
• Combination of CCTV, DVR, keyboard, monitors
• Highly flexible for monitoring, surveillance,
deterrence
• Immediate
– Surveillance, Assessment, Deterrence,
Evidentiary Archives
Physical Security
• Digital Video Recorder
• Replaced tape
• 8-port or 16-port (8-16 cameras)
• 80 GB to 1 TB
• CD burners
• Most specs require 45 days of recordings
– Dependent on frame rate, resolution, compression ratio
– Record on motion – optional feature
Physical Security
• Video Content Analysis & Motion Path
Analysis
• Newest technology for Intrusion Detection
• Complex algorithms on video images
• Detect/filter normal video events
• Tell difference between rabbit and person
• Gap closing between software and an alert human
– Do not get tired
– Monitor more cameras with fewer operators at lower
cost
Physical Security
• Guard Force
• Physical presence and deterrent
• Patrol and inspect property to protect against fire,
theft, vandalism, and illegal activity
• Conduct foot patrols
• Fixed or stationary posts to prevent access
• Render assistance
• Escort visitors
• Respond to events
Physical Security
• Access Control System (ACS)
– Limit access to controlled areas to authorized persons
– Regulation of flow of materials
– Access control must be tailored to need
– May begin at property line
– Goal is to limit the opportunity for improper access
– ACS compares credentials to Access Control List
(ACL)
– Can log and archive activity
– Can require multi-factors for access
• Limit effect of lost or stolen credential
Physical Security
• Card Types
– Magnetic Stripe (tape)
• Old and limited technology
• Easy to program
– Proximity
• Passive RF
• Limited range
• Limited storage (~10,000
– Smart Cards
• Memory or processor
• ISO 7816 & 14443: contact or contactless
• Size of credit card
• May have multiple factors
• Defined for PIV
• Can be impossible to duplicate
Physical Security
• Badge Equipment
• Camera
• Software
• Badge Printer
• Computer
• Can be purchased in bulk (prox needs
preprogramming)
Physical Security
• Biometrics
– Fingerprint, facial image, retinal scan, iris
scan, hand geometry
– In addition to PIN
– More Likely in SCIFs
– Future trend
– Downside: some easy to forge
• Gummi bears
• Cost vs accuracy.
• More layers better
Physical Security
• Access Control Head End
• Hierarchical computing
• Access control systems (Lenel OnGuard, Software
House CCure) – each panel has limited storage
• Failure may allow only common users access
• Event tracking and event logs
Physical Security
• Facility Risk
• Facility risk assessment similar to logical
• Identify hazards and provide mitigations
• DiD
• If physical access to computer is possible, logical access will
follow
– May need encryption
• Need to be aware of all types of risk and apply mitigations
– Threat
– Vulnerability
– Countermeasure
Physical Security
• Low Profile (SBO)
• Plain building without identification
• Facility screened by landscaping or terrain
• Personnel operational security
– Concealing badges when off property
– Loose lips
– Annual briefing
– Nondescript parking stickers
– Will not stop targeted attacks
Physical Security
• Location Hazards
– Target Identification
• Identify threats
• Identify assets
• Identify hazards
– Walk through facility to gain static picture
• Layout
• Access and choke points
• Personnel
Physical Security
• What to protect
• What to protect against
• What is asset valuation
• What is the effect of loss
• What level of protection is needed
• What protection is appropriate
• What are protection constraints
• What are design requirements
• How do we respond
• 9 items
Physical Security
• Threat assessment
• Very High – major weakness
• High – significant weakness
• Medium High – important weakness
• Medium – likely weakness
• Medium Low – minor weakness
• Low – no weakness
Physical Security
• Site Planning
– Primary goal of a physical program is to
control access
– DiD can reduce likelihood of a successful
attack
• Can at least slow and provide time to respond
– Position for response and capability
– Buy in from employees essential
– Easiest in new design, design for excess
loads
• Cheap in beginning
Physical Security
• Restricted Work Areas
– Sensitive Compartmented Information
Facilities (SCIF)
• Not just classified
• Walls three layers of 5/8 drywall
• One door with x-09 combination lock
• Doors must be plumbed in frame and open in with
closer
– Strong enough to avoid distortion
• Any duct over 96 sq in must have manbars
• White noise or sound masking to prevent
eavesdropping
• Response to perimeter within 15 minutes
Physical Security
• Data Centers
– Greatest risk is from ordinary activity
– Segregation where no “need to know”
– Do not allow wandering
– DC – “restricted area”
– No food, drink, or smoking
– Mandatory authentication at entrance
– Network Operations Center (NOC)
• Central security control point (SOC ?)
• Fire, power, weather, temperature, humidity monitoring
• Redundant means of communication
• 24/7
Physical Security
• NOC
– Access to computer room through NOC
– Cleaning in pairs and escorted
– DiD
• Building access
• Lobby
• NOC (prox card)
• DC card + PIN or biometric
• Mantrap or portal
Physical Security
• DC: ten common mistakes
• Weak or missing policies
• Poor Physical Access Controls
• Specific Security Concerns – access points, loose media
• Location and Layout
– First vs second floor DRP
• Unsecured Computers
• Utility Weakness – backup generators
• Rogue Employees – control access, HR training
• Separation of Physical and Logical Security – should be
merged
• Outsourcing <- never outsource 100%
• No third party security assessments or audits – evolving risk
Physical Security
• Entrances and Exits
– Designate specific entry points by use
– Lobby Entrances
• Vital component of access
• Requires greeting
• Control area
• Visitors require escort
– Common courtesy
– Control access
– Temporary badges are distinctive
» Dated
– Visitor management system - log
Physical Security
• Turnstiles and Mantraps
• Piggybacking/tailgating
• AntiPassback – one badge/multiple people
• Two man rule – requires two to enter security area
• Doors
– Hollow steel or steel clad
– Strength of latch and frame match door
– Hinges in secure area, security hinges if out
– Glass must be laminate
– Sensitive areas need automatic closers
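The anti-passback and two-man-rule controls on this slide, and the audit-trail review called for later in the deck, can be checked against a door controller's badge log. The following is an added example, not part of the original slides; the log format, badge IDs, finding names and the 30-second grace period are assumptions.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log for one restricted area: (timestamp, badge, direction).
SAMPLE_LOG = [
    ("2011-09-14 08:00:05", "B100", "IN"),
    ("2011-09-14 08:00:09", "B200", "IN"),
    ("2011-09-14 08:01:30", "B100", "IN"),   # already inside: badge passed back
    ("2011-09-14 09:15:00", "B300", "OUT"),  # never badged in: tailgated in
    ("2011-09-14 09:20:00", "B200", "OUT"),  # leaves B100 alone in the area
    ("2011-09-14 09:25:00", "B100", "OUT"),
]


def audit_badge_log(events, grace_seconds=30):
    """Return (timestamp, badge, finding) tuples for one area's badge events."""
    inside = set()   # badges the system believes are inside
    alone = None     # (time, badge) at which occupancy became exactly one
    findings = []
    parsed = sorted((datetime.strptime(ts, FMT), b, d) for ts, b, d in events)
    for when, badge, direction in parsed:
        if direction == "IN":
            if badge in inside:          # second entry without an exit
                findings.append((when.strftime(FMT), badge, "PASSBACK"))
            inside.add(badge)
        elif direction == "OUT":
            if badge not in inside:      # exit with no recorded entry
                findings.append((when.strftime(FMT), badge, "EXIT_WITHOUT_ENTRY"))
            inside.discard(badge)
        else:
            raise ValueError(f"unknown direction: {direction!r}")
        # Two-man rule: nobody may be alone longer than the grace period
        # (the grace period covers a pair badging in or out one after another).
        if len(inside) == 1:
            if alone is None:
                alone = (when, next(iter(inside)))
        elif alone is not None:
            if (when - alone[0]).total_seconds() > grace_seconds:
                findings.append((alone[0].strftime(FMT), alone[1], "TWO_MAN_RULE"))
            alone = None
    return findings


if __name__ == "__main__":
    for finding in audit_badge_log(SAMPLE_LOG):
        print(*finding)
```

A badge still alone in the area when the log ends is not reported, because the length of that period is unknown from the log alone.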
Physical Security
• Door Locks
– Electric lock
• Code
• Bolt moves
• Expensive
• Special hinge
• Retrofit requires new door
– Electric Strikes
• Bolt stationary
• Fail safe or fail secure?
• Manual exit
• Retrofit on existing door
Physical Security
• Door Locks
– Magnetic Lock
• Easy retrofit
• Surface mount on door and frame
• Normally fail safe
• Life safety manual override
• Passive Infrared Sensor (PIR) on approach
Physical Security
• Door Lock Issues
– Codes
– Extra devices may compromise security
– PIR passive InfraRed
– REX request to open
– May allow deactivation
Physical Security
• Exit Technologies
– Normal vs emergency
– Simplest – crash bar
– Electric/Magnetic – REX button
– PIR has a loophole in that anyone passing
may trigger it
– Alarm fail safe vs fail secure
• Who has choice
Physical Security
• Mobile Devices
– Laptops: any information device must be
secured from physical loss
• Use cable lock
• Do not leave unattended
• Use strong passwords
• Encrypt data – only real protection
• Remove drive (one screw for Dells)
Physical Security
• Laptop Loss Prevention
• Conduct audit: how many, where, and for what
• Determine who needs
• Classify data on laptop: must be understood
• Determine if laptop is necessary to job
• Conduct a risk assessment: determine loss
scenarios
• Implement protection strategies
• Create loss response team
Physical Security
• LoJack for Laptop
– Inserted in BIOS
– Reports when connected to network
– Must be able to boot
Physical Security
• Cellular Telephones
– Directory, storage, e-mail capability
– Android and iPhone are computers
– GSM A5/1 encryption has been broken
• Few adopt A5/3
– Bluetooth
• Headset
• Keyboard
• Short range
• Can be tapped
• When using must be changed from defaults, use a long PIN,
set nondiscoverable mode
• Most can’t
Physical Security
• Personal Digital Assistants
– Started with Newton
– Being replaced by smart phones and tablets
– Physical loss or theft just as important
– Protect data with encryption
• Limit access if cannot
• AES-256 is recommended
• Firewall and antivirus
Physical Security
• Security Awareness Programs
– Awareness is not training
– Intended to allow employees to recognise
situations and respond accordingly
– Can help with viruses, spyware, hacking,
physical access, emergency procedures
– Recognize social engineering
– (book jumps subjects)
Physical Security
• Fire
– One fire equals three moves
– 43% of businesses suffering fire damage
never recover enough to reopen.
• 29% still in business in 2 years
• 93% of those losing IT for 9 days file for bankruptcy within a
year
– 50% filed immediately
Physical Security
• Fire Control
– Water system must be protected
• 50 feet from high risk areas
• Interior mains looped or sectionalized
• Can be main suppression but will cause electrical
damage
– Detectors that alarm
• Warn people of smoke
• Non-toxic fire suppressant
• Limited Combustible Cabling (LCC)
Physical Security
• Fire Detection and Alerting
– Panel is hub
• Ground floor near entrance
• Smoke and heat detectors
• Smoke detectors
– Early warning
– Photoelectric Detectors
» Beam or refraction
» Beam is solid, absence triggers
» Refraction works on reflection
– Ionization detects change in air
Physical Security
• Fire detection
– Flame detectors
• IR and UV
• IR looks for heat, UV for opacity
• UV has higher falsing but faster
• Rate of Rise detectors
– Must be close
– 10-15 degrees per minute
• Heat detectors should not replace smoke detectors
– Combination of detection methods is best
Physical Security
• Fire Suppression
• Class A – ordinary combustible
• Class B – flammable liquids
• Class C – electrical equipment
• Class D – combustible metals, e.g. magnesium
• Class K – wet chemical – kitchen
– All buildings should have fire suppression
– All facilities should have portable
extinguishers
– Pull, Aim, Squeeze, Sweep
Physical Security
• Fire Suppression
• Wet: constant supply of water, all heads
• Dry: electric, activated by heat
• Preaction: detection system, valves closed,
selective
• Deluge: preaction – heads open
– Gas Suppression
• Aero-K: non corrosive, non toxic, does not bother
electronics
• FM-200: no residue and does not displace oxygen
– expensive
Physical Security
• Defense in Depth
– Primary goal is to prevent entry
– Multiple layers delay and deter attack
– Hardware rather than software
• Automatic doors
• Silent alarms
Physical Security
• DiD
– Deter
– Detect
– Delay
– Respond
Physical Security
• Protection Plans
– Integrate people, procedures, and equipment
into design
• Easier before than after
– People are an asset and a layer of security
• Need to know how to respond
– Consider sequencing
• Most important services have least impact
– GPS and High Resolution surveillance
Physical Security
• Evacuation Drills
– Who has authority to order
– Who will shut down operations
– Locate and copy site and building drawings
• Evacuation routes and exits
• Appropriate for location
• Staff training
• Copies for responders
• Plan two (min) ways out of building
Physical Security
– Away from traffic, safe for pedestrians
– Account for all personnel
• Head count
• Roster
• Notify if leaving
– Who may designate “all clear”
• What are requirements
– Multiple locations or buildings, each needs plan
– High rise or public location requires coordination with
other tenants
– Rent or lease – involve owner
Physical Security
• High Rise Buildings
• Know where emergency exit is
• Know a second way out
• Cover against (under ?) table or desk if items
falling
• Away from filing cabinets, bookcases or pianos
• Away from exterior wall
• Listen for and follow instructions
• Emergency supply kit near
• Do not use elevators
• Stay to side in stairwells
Physical Security
• Shelter in place
– Storm cellar or basement
– Interior room or hallway on lowest floor
– Away from windows or glass doors or exterior
walls
– Remain until danger is past
Physical Security
• Contaminated air
• Predesignate conference room or interior location
– Few windows or doors
• Presupply with sealing material – 2mil plastic, tape
• May need one per floor
– To Seal
• Close business, everyone in room
• Lock doors, close windows, turn off a/c
• Take emergency supply kit
• Seal doors, windows and air ducts
– Measure and cut in advance
Physical Security
• Incident Response
• Plan is essential
• May not survive but is start & helps focus
• Best time to respond is before it happens
– No time for decisions
– Identify what can happen
– Put together team
– Communication Plan
– Identify who does what
– Test the plan
Physical Security
• Design Validation
– Penetration tests
• May be best if third party
– Do security controls work
• Particularly those relying on people
Physical Security
• Access control violation monitoring
– Do monitors work
– What happens when triggered
– DiD
• Single point failure if not detected
– Audit trail
• Find out what happened
Physical Security
• End of Physical Security session
• Will continue with Requirements on 19
September
• Questions ?