1 / 63

ISSAP Session 5 Physical Security

Learn how to identify and protect restricted work areas, select secure facility locations, and address facility infrastructure to mitigate physical security risks. Topics include unauthorized access, traffic monitoring, barriers, parking, and surveillance devices.

kcarney
Télécharger la présentation

ISSAP Session 5 Physical Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ISSAP Session 5Physical Security 14 September 2011

  2. Physical Security • Questions from Session 4 ? • Session 1, 2, 3, &4 handouts are posted on www.silverbulletinc.com/DM2 • Contact Shelton Lee for credentials • Shelton.lee@lmco.com

  3. Physical Security • Schedule – Ten Sessions 08/24/2011 Organization08/29/2011 Access Control pg 3-6208/31/2011 Access Control pg 62-117 09/07/2011 Cryptography pg 125-17209/12/2011 Cryptography pg 173-21209/14/2011 Physical Security pg 222-28509/19/2011 Requirements pg 293-35109/21/2011 BCP & DRP pg 357-371 Telecom pt 1 pg 379-399 09/26/2011 Telecomm pt 2 pg 399-44009/28/2011 Review

  4. Physical Security • Identification and Protection of restricted work areas including traffic controls, access controls, and monitoring • Selection of locations and design of secure facilities • Addressing facility infrastructure • Remediation of Risks

  5. Physical Security • Physical Security Risks • Risk: Chance of encountering harm or loss; hazard; danger” • Risk can be reduced or mitigated • Logical can control electronics, physical control can prevent theft

  6. Physical Security • Unauthorized Access • Traffic Monitoring • CCTV, entry control point • Roadway design • Minimise speed • Barriers, berms, high curbs, trees, earthworks • Existing: add speed bumps barriers • Parking • Keep threat away from building • Perimeter buffer zones • Barriers • Structural hardening • Clear zone area

  7. Physical Security • FEMA – things to keep away from entrances, vehicles, parking, maintenance. • Emergency generator, fuel system, day tank, fire sprinklers, water supply • Large fuel storage • Telephone distribution • Fire pumps • Building control centers • UPS • Elevator Machinery • Shafts for stairs, elevators, & utilities • Feeders for emergency power

  8. Physical Security • Parking garage • Two main threats: crime and vehicles hitting pedestrians • Control access Gate • Transponders • Badge reader • Visitors and all deliveries kept outside

  9. Physical Security • Open Area Parking • Initial access control • Automatic gate • Controlled perimeter • Entry only/exit only design • View of buildings but past stand-off zone • Loading Docks • Designed to be invisible • Specific guard • Log records • Secure Overhead doors • Implement personnel screening • Detailed logging, preferably remote • Security Awareness Training • No direct access from loading area to offices

  10. Physical Security • Signage • Designed to be discrete from outside yet deter intruders • No more than 100 feet apart. Not on fences, posts, or light poles • Direct employees • Prevent accidental entry • At entry point warn of procedures • Caution drivers and pedestrians • May need to be multi-lingual

  11. Physical Security • Surveillance Devices • Three characteristics • Detection • Nuisance alarm rate • Vulnerability to defeat • Open terrain for flat cleared areas • Infrared, microwave, combination, new emerging video content analysis and motion path analysis

  12. Physical Security • Infrared • Passive are heat based • Active uses transmitted beam, detects interruption • Microwave • Bistatic • Detects motion • Goes through steel and concrete • Volumetric detection field • Sender and receiver • Monostatic • Single device • May have cut off circuit to limit range • Less nuisance alarms.

  13. Physical Security • Coaxial Strain Sensitive Cable • Microswitches and turnbuckles • Small animals may trigger • Some suceptible to electromagnetic triggering & RFI which may false. • Defeat Measures • Tunnelling, jumping, bridging • Taut wire system • Microswitches and turnbuckles • Internal Magnetic contact • Ignores small animals • Most costly

  14. Physical Security • Time Domain Reflectometry • Induced RF signals through a cable • Climbing or flexing causes change • Can tell by delay where alarm triggered • Closed loop – can detect cut • Large area and depth detection • Requires training – high false rate

  15. Physical Security • Closed Circuit TV (CCTV) • Visual confirmation • Not first line • Effective at evaluating threat • Combination of CCTV, DVR, keyboard, monitors • Highly flexible for monitoring, survellance, deterrance • Immediate • Survellance. Assessment, Deterrance, Evidentiary Archives

  16. Physical Security • Digital Video Recorder • Replaced tape • 8port or 16 port (8-16 cameras) • 80GB to 1 TB • CD burners • Most specs require 45 days or recordings • Dependant on frame rate, resolution, compression ratio • Record on motion – optional feature

  17. Physical Security • Video Content Analysis & Motion Path Analysis • Newest technology for Intrusion Detection • Complex algorithms on video images • Detect/filter normal video events • Tell difference between rabitt and person • Gap closing between software and an alert human • Do not get tired • Monitor more cameras with fewer opearators at lower cost

  18. Physical Security • Guard Force • Physical precense and deterrant • Patrol and inspect property to protect against fire, theft, vandalism, and illegal activity • Conduct foot patrols • Fixed or stationary posts to prevent access • Render assistance • Escort visitors • Respond to events

  19. Physical Security • Access Control System (ACS) • Limit access to controlled areas to authorized persons • Regulation of flow of materials • Access control must be tailored to need • May begin at property line • Goal is to limit the opportunity for improper access • ACS compares credentials to Access Control List (ACL) • Can log and archive activity • Can require multi-factors for access • Limit effect of lost or stolen credential

  20. Physical Security • Card Types • Magnetic Stripe (tape) • Old and limited technology • Easy to program • Proximity • Passive RF • Limited range • Limited storage (~10,000 • Smart Cards • Memory or processor • ISO 7816 & 14443 Contact or Contacless • Size of credit card • May have multiple factors • Defined for PIV • Can be impossible to duplicate

  21. Physical Security • Badge Equipment • Camera • Software • Badge Printer • Computer • Can be purchased in bulk (prox needs preprogramming)

  22. Physical Security • Biometrics • Fingerprint, facial image, retinal scan, Iris scan. hand geometry • In addition to PIN • More Likely in SCIFs • Future trend • Downside: some easy to forge • Gummi bears • Cost vs accuracy. • More layers better

  23. Physical Security • Access Control Head End • Hierarchial computing • Access control systems (Lenel OnGuard, Software House CCure) – each panel has limited storage • Failure may allow only common users access • Event tracking and event logs

  24. Physical Security • Facility Risk • Facility risk assessment similar to logical • Identify hazards and provide mitigations • DiD • If physical access to computer is possible, logical access will follow • May need encryption • Need to be aware of all types of risk and apply mitigations • Threat • Vulnerability • Countermeasure

  25. Physical Security • Low Profile (SBO) • Plain building without identification • Facility screened by landscaping or terrain • Personnel operational security • Concealing badges when off property • Loose lips • Annual briefing • Nondescript parking stickers • Not stop targetted attacks

  26. Physical Security • Location Hazards • Target Identification • Identify threats • Identify assets • Identify hazards • Walk through facility to gain static picture • Layout • Access and choke points • Personnel

  27. Physical Security • What to protect • What to protect against • What is asset valuation • What is the effect of loss • What level of protection is needed • What protection is appropriate • What are protection constraints • What Are Design requirements • How do we respnd • 9 items

  28. Physical Security • Threat assessment • Very High – major weakness • High – Significant Weakness • Medium High – Important weakness • Medium – likely weakness • Medium Low – minor weakness • Low – no weakness

  29. Physical Security • Site Planning • Primary goal of a physical program is to control access • DiD can reduce likelihood of a sucessful attack • Can at least slow and provide time to respond • Position for response and capability • Buy in from employees essential • Easiest in new design, design for excess loads • Cheap in beginning

  30. Physical Security • Restricted Work Areas • Sensitive Compartmented Information Facilities (SCIF • Not just classified • Walls three layers of 5/8 drywall • One door with x-09 combination lock • Doors must be plumbed in frame and open in with closer • Strong enough to avoid distortion • Any duct over 96 sq in must have manbars • White noise or sound masking to prevent eavesdropping • Response to perimeter within 15 minutes

  31. Physical Security • Data Centers • Greatest risk is from ordinary activity • Segregation where no “need to know” • Do not allow wandering • DC – “restricted area” • No food, drink, or smoking • Mandatory authentication at entrance • Network Operations Center NOC • Central security control point (SOC ?) • Fire, power, weather, temperature, humidity monitoring • Redundant means of communication • 24/7

  32. Physical Security • NOC • Access to compuer room through NOC • Cleaning in pairs and escorted • DiD • Building access • Lobby • NOC (prox card) • DC card +PIN or biometric • Mantrap or portal

  33. Physical Security • DC: ten common mistakes • Weak or missing policies • Poor Physical Access Controls • Specific Security Concerns – access points, loose media. • Location and Layout • First vs second floor DRP • Unsecured Computers • Utility Weakness – back up generators • Rogue Employees – control access, HR training • Separation of Physical and Logical Security – should be merged • Outsourcing <- never outsource 100% • No third party security assessments or audits – evolving risk

  34. Physical Security • Entrances and Exits • Designate specific entry points by use • Lobby Entrances • Vital component of access • Requires greeting • Control area • Visitors require escort • Common courtesy • Control access • Temporary badges are distinctive • Dated • Visitor management system - log

  35. Physical Security • Turnstyles and Mantraps • Piggybacking/tailgating • AntiPassback – one badge/multiple people • Two man rule – requires two to enter security area • Doors • Hollow steel or steel clad • Strength of latch and frame match door • Hinges in secure area, security hinges if out • Glass must be laminate • Sensitive areas need automatic closers

  36. Physical Security • Door Locks • Electric lock • Code • Bolt moves • Expensive • Special hinge • Retrofit requires new door • Electric Strikes • Bolt stationary • Fail Safe or fail secure ? • Manual exit • Retrofit on existing door

  37. Physical Security • Door Locks • Magnetic Lock • Easy retrofit • Surface mount on door and frame • Normally fail safe • Life safety manual override • Passive Infrared Sensor (PIR) on approach

  38. Physical Security • Door Lock Issues • Codes • Extra devices may compromise security • PIR passive InfraRed • REX request to open • May allow deactivation

  39. Physical Security • Exit Technologies • Normal vs emergency • Simplest – crash bar • Electric/Magnetic – REX button • PIR have loophole in that anyone passing may trigger • Alarm fail safe vs fail secure • Who has choice

  40. Physical Security • Mobile Devices • Laptops: any information device must be secured from physical loss • Use cable lock • Do not leave unattended • Use strong Passwords • Encrypt data – only real protection • Remove Drive (one screw for Dells)

  41. Physical Security • Laptop Loss Prevention • Conduct audit: how many, where, and for what • Determine who needs • Classify data on laptop: must be understood • Determine if laptop is necessary to job • Conduct a risk assessment: determine loss scenarios • Implement protection strategies • Create loss response team

  42. Physical Security • LoJack for Laptop • Inserted in BIOS • Reports when connected to network • Must be able to boot

  43. Physical Security • Cellular Telephones • Directory, storage, e-mail capability • Android and iPhone are computers • GSM A5/1 encryption has been broken • Few adopt A5/3 • Bluetooth • Headset • Keyboard • Short range • Can be tapped • When using must be changed from defaults, use a long PIN, set nondiscoverable mode • Most can’t

  44. Physical Security • Personal Digital Assistants • Started with Newton • Being replaced by smart phones and tablets • Physical loss or theft just as important • Protect data with encryption • Limit access if cannot • AES-256 is recommended • Firewall and antivirus

  45. Physical Security • Security Awareness Programs • Awareness is not training • Intended to allow employees to recognise situations and respond accordingly • Can help with viruses, spyware, hacking, physical access, emergency procedures • Recognize social engineering • (book jumps subjects)

  46. Physical Security • Fire • One fire equals three moves • 43% of businesses suffering fire damage never recover enough to reopen. • 29% still in business in 2 years • 93% loss of IT for 9 days file bankruptcy within a year • 50% filed immediately

  47. Physical Security • Fire Control • Water system must be protected • 50 feet from high risk areas • Interior mains looped or sectionalized • Can be main suppression but will cause electrical damage • Detectors that alarm • Warn people of smoke • Non-toxic fire suppressant • Limited Combustible Cabling (LCC)

  48. Physical Security • Fire Detection and Alerting • Panel is hub • Ground floor near entrance • Smoke and heat detectors • Smoke detectors • Early warning • Photoelectric Detectors • Beam or refraction • Beam is solid, absence triggers • Refraction works on reflection • Ionization detects change in air

  49. Physical Security • Fire detection • Flame detectors • IR and UV • IR looks for heat, UV for opacity • UV has higher falsing but faster • Rate of Rise detectors • Must be close • 10-15 degrees per minute • Heat detectors should not replace smoke detectors • Combination of detection methods is best

  50. Physical Security • Fire Suppression • Class A – ordinary combustible • Class B – flammable liquids • Class C – electrical equipment • Class D – combustable metals e.g. Magnesium • Class K – wet chemical – kitchen • All buildings should have fire suppression • All facilities should have portable extinguishers • Pull, Aim, Squeeze, Sweep

More Related