Transcript Domain 4: Physical (Environmental) Security

Domain 4:
Physical (Environmental)
Security
CISSP Study Group
April 15, 2007
Prepared by Ernie Hayden, CISSP CEH
1
References
•
•
•
•
•
•
•
Official (ISC) Guide to the CISSP CBK
US Army Field Manual 3-19.30, Physical Security
CISSP Prep Guide – Krutz & Vines
Fighting Computer Crime – Parker
CISSP Certification – Shon Harris
CISSP for Dummies (Rev 0) – Miller & Gregory
“Physical Security for Mission-Critical Facilities and Data Centers,” by
Gerald Bowman, Information Security Management Handbook, 5th
Edition, Vol 3
• Mike Meyer’s Passport: Security+
• Uptime Institute www.uptimeinstitute.com
• “Status Of Industry Efforts To Replace Halon Fire Extinguishing
Agents,” Robert T. Wickham,
http://www.periphman.com/fire/statusofindustry.pdf
Prepared by Ernie Hayden, CISSP CEH
2
IMPORTANT TIP!
• “Many CISSP candidates underestimate
the physical security domain. As a result,
exam scores are often the lowest in this
domain.”
CISSP For Dummies
Page 301
Prepared by Ernie Hayden, CISSP CEH
3
Objectives
• Upon completion of this discussion, you
should be able to:
– Describe the threats, vulnerabilities, and
countermeasures related to physically
protecting the enterprise’s sensitive
information assets
– Identify the risk to facilities, data, media,
equipment, support systems, and supplies as
they relate to physical security.
Prepared by Ernie Hayden, CISSP CEH
4
5 Functional Areas
1.
2.
3.
4.
Information Protection Requirements
Information Protection Environment
Security Technology and Tools
Assurance, Trust and Confidence
Mechanisms
5. Information Protection and Management
Services
Prepared by Ernie Hayden, CISSP CEH
5
Risks to CIA
• Interruptions in providing computer
services – Availability
• Physical Damage – Availability
• Unauthorized Disclosure of Information –
Confidentiality
• Loss of Control Over Information –
Integrity
• Physical Theft – Confidentiality, Integrity,
and Availability
Prepared by Ernie Hayden, CISSP CEH
6
Definition: Physical Security
• The physical measures and their
associated procedures to safeguard and
protect against:
– Damage
– Loss
– Theft
Prepared by Ernie Hayden, CISSP CEH
7
Required Physical Controls
• Perimeter and Building Grounds
• Building Entry Points
• Inside the Building – Building Floors /
Offices
• Data Centers or Server Room Security
• Computer Equipment Protection
• Object Protection
Prepared by Ernie Hayden, CISSP CEH
8
5 Functional Areas
1.
2.
3.
4.
Information Protection Requirements
Information Protection Environment
Security Technology and Tools
Assurance, Trust and Confidence
Mechanisms
5. Information Protection and Management
Services
Prepared by Ernie Hayden, CISSP CEH
9
Definition: Threat
• Any indication, circumstance or event with
the potential to cause:
– Loss of or Damage to an Asset
– Personal Injury
– Loss of Live
Prepared by Ernie Hayden, CISSP CEH
10
Threat Types
• Natural / Environmental
–
–
–
–
Earthquakes, floods, storms, hurricanes, fires, smoke, snow, ice
Consequence of Natural Phenomenon
Pandemic Flu
Normally not preventable
• Human – Made / Political Events
–
–
–
–
–
Explosions, vandalism, theft, terrorist attacks, riots
Result of a state of mind, attitude, weakness or character trait
Acts of commission or omission
Overt or covert
Disrupt or destroy
Prepared by Ernie Hayden, CISSP CEH
11
Examples of Threats
• Emergencies
– Fire and Smoke Contaminants
– Building Collapse or Explosion
– Utility Loss (Power, AC, Heat)
– Water Damage (Broken Pipes)
– Toxic Materials Release
Prepared by Ernie Hayden, CISSP CEH
12
Examples of Threats (2)
• Natural Disasters
– Earth Movement (Earthquakes or Mudslides)
– Storm Damage (Snow, Ice, Floods,
Hurricanes)
• Human Intervention
– Sabotage
– Vandalism
– War
– Strikes
Prepared by Ernie Hayden, CISSP CEH
13
Examples of Physical Loss
• Seven Major Sources of Physical Loss
– Temperature – Extreme Variations in Heat and Cold
– Gasses – Sarin, Nerve Gas, PCP from Transformers,
Cleaning Fluids, Smog, Fuel Vapors, Paper Particles
from Printers
– Liquids – Water and Chemicals (flood, plumbing
failures, spilled drinks, fuel leaks, computer printer
fluids)
– Organisms – Viruses, Bacteria, People, Animals and
Insects, Molds, Mildews, Cobwebs
Prepared by Ernie Hayden, CISSP CEH
Ref: Fighting Computer Crime – Donn
B. Parker – Wiley 1998
14
Examples of Physical Loss
• Seven Major Sources of Physical Loss (2)
– Projectiles – Tangible Objects in Motion (Cars,
Trucks, Falling Objects, Meteorites, Bullets, Rockets)
– Movement – Collapse, Shearing, Shaking, Vibration,
Liquefaction, Flows, Waves, Separations and Slides
(Lava Flows, Earthquakes, Adhesive Failures,
Dropping or Shaking Equipment)
– Energy Anomalies – Electrical Surges or Failures,
Magnetism, Static Electricity, Radiation, Sound, Light,
Radio and Magnetic Waves
Prepared by Ernie Hayden, CISSP CEH
15
Site Location
• Security Should include WHERE the building is
and HOW it should be built:
• Choosing a Secure Site –
– Visibility – Usually low visibility is the rule to follow.
What types of neighbors and markings on the
building?
– Local Considerations – Near hazardous waste
dump? In flood control plain? Local crime rate, riots,
strike-prone area?
– Natural Disasters – Weather-related problems,
tornados, flooding, heavy snow, earthquake zone
Prepared by Ernie Hayden, CISSP CEH
16
Site Location (2)
• Choosing a Secure Site –
– Transportation – Excessive highway, air or
road traffic in area, failed bridges will cause
building access problems?
– Joint Tenancy – Are access to HVAC and
environmental controls shared in building?
– Adjacent Buildings
– External Services – Proximity to local Fire,
Police, Hospital/Medical Facilities?
Prepared by Ernie Hayden, CISSP CEH
17
Key Concept: Layered Defense
Model
Prepared by Ernie Hayden, CISSP CEH
18
Key Concept: Layered Defense
Model
Ref: http://rphrm.curtin.edu.au
Prepared by Ernie Hayden, CISSP CEH
19
Designing a Secure Site
• WALLS
– All walls MUST have an acceptable Fire
Rating.
– Be Floor to Ceiling
– Any Closets or Rooms that Store Media must
also have Fire Rating
• CEILINGS
– Be aware if they are WEIGHT BEARING and
their Fire Rating
Prepared by Ernie Hayden, CISSP CEH
20
Designing a Secure Site (2)
• FLOORS
– Slab or Raised?
– SLAB –
• If concrete then concerns are Weight Bearing (aka
Loading) – Usually 150 pounds per square foot.
– RAISED
• Concerned with Fire Rating, Electrical Conductivity
(Grounding against static electricity)
• Must employ non-conducting surface material in
data center
Prepared by Ernie Hayden, CISSP CEH
21
Designing a Secure Site (3)
• DOORS
– Must resist Forced Entry
• Solid or Hollow
• Hinges Hidden, Internal or “Fixed”
– Fire Rating Equal to Walls
– Emergency Exits Must Be Clearly Marked, Monitored,
or Alarmed
– Electrical Doors on Emergency Exits Should Revert to
Disabled State if Power Outage Occurs For Safe
Evacuation
– TIP!! Personnel Safety ALWAYS Takes Precedence!
Doors Can Be Guarded During an Emergency
Prepared by Ernie Hayden, CISSP CEH
22
Designing a Secure Site (4)
• SPRINKLER SYSTEM
– Location and Type of Suppression System
Must Always Be Known
• LIQUID or GAS LINES
– Know Where the Shut Off Valves Are
– Water, Steam and Gas Lines Should Have
“POSITIVE” Drains
• i.e., Flow Outward and Away from Building
Prepared by Ernie Hayden, CISSP CEH
23
Designing a Secure Site (5)
• AIR CONDITIONING
– AC Units Should Have Dedicated Power
Circuits
– Know Where the Emergency Power Off (EPO)
Switch is Located
– Provide Outward, Positive Air Pressure to
Building
– Protected Intake Vents to Prevent Inflow of
Potential Toxins Into a Facility
Prepared by Ernie Hayden, CISSP CEH
24
Designing a Secure Site (6)
• WINDOWS
–
–
–
–
–
Located to Prevent Viewing Monitors or Desks
Standard Plate Glass (Brittle, Breaks Easily)
Tempered Glass (Stronger, Breaks into Small Shards)
Acrylic Materials
Polycarbonate Windows
–
–
–
–
–
–
Wire Mesh Layers
Lexan® (General Electric)
Bomb Blast Film (Prevent Viewing In and Reinforce Window)
Bullet Resistant Windows
Glass Breakage Sensors
Usually Not Accepted in Data Center
• Glass and Polycarbonate Combinations Combine Best of Glass and Acrylics
• If Installed, Should Be Translucent and Shatterproof
– Frames Secured to Walls, Windows Can Be Locked, Glass Can’t be
Removed
Prepared by Ernie Hayden, CISSP CEH
25
Procedural Controls
• Guard Post / Dogs
• Checking and Escorting Visitors on Site
• Managing Deliveries to the Site
– Building-Specific
Prepared by Ernie Hayden, CISSP CEH
26
Facility Security Management
• Administrative Security Controls NOT
Related to Initial Planning Process
– Audit Trails – or Access Logs
• Vital to Know Where Attempts to Enter Existed and
Who Attempted Them
– Emergency Procedures
• Should be Clearly Documented and Readily
Accessible
• Copies Stored Offsite in the Event of a Disaster
• Updated Periodically
Prepared by Ernie Hayden, CISSP CEH
27
Audit Trails
• These are known as DETECTIVE rather than
PREVENTIVE
–
–
–
–
–
Date and Time of Access Attempt
Whether the Attempt was Successful or Not
Where the Access was Granted (i.e., which door)
Who Attempted the Access
Who Modified the Access Privileges at the Supervisor
Level
– Can Send Alarms or Alerts if Required
Prepared by Ernie Hayden, CISSP CEH
28
Emergency Procedures
• Should Include the Following:
– Emergency System Shutdown Procedures
– Evacuation Procedures
– Employee Training, Awareness Programs, and
Periodic Drills
– Periodic Equipment and Systems Tests
Prepared by Ernie Hayden, CISSP CEH
29
Administrative Personnel
Controls
• Pre-Employment Screening
– Employment, References and Educational History
Checks
– Background Investigation and/or Credit Rating Checks
for Sensitive Positions
• On-Going Employee Checks
– Security Clearances
– Ongoing Employee Ratings or Reviews by Supervisors
• Post-Employment Procedures
– Exit Interview, Removal of Network Access, Return of
Computers, etc.
Prepared by Ernie Hayden, CISSP CEH
30
Environmental and Life Safety
Controls
Three Areas of Environmental Control
1. Electrical Power
2. Fire Detection and Suppression
3. Heating, Ventilation and Air
Conditioning (HVAC)
Prepared by Ernie Hayden, CISSP CEH
31
Electrical Power
• Disruptions in Electrical Power Can Have a
Serious Business Impact
• Goals:
•
•
“Clean and Steady Power”
Excellent “Power Quality”
• Design Considerations:
–
–
–
–
Dedicated Feeders
Alternate Power Source
Access Controls
Secure Breaker and Transformer Rooms
Prepared by Ernie Hayden, CISSP CEH
32
Electrical Power Threat
Elements
• NOISE
– Electromagnetic Interference (EMI)
– Radio Frequency Interference (RFI)
• ANOMOLIES
– Brownout, Blackout, Fault, etc.
• ELECTROSTATIC DISCHARGE (ESD)
– Affected by Low Humidity
Prepared by Ernie Hayden, CISSP CEH
33
Electrical “Noise”
• Def: Random Disturbance Interfering With
Devices
– Electromagnetic Interference (EMI)
• Caused by Motors, Lightning, etc.
• “Spark” Noise
– Radio Frequency Interference (RFI)
• Caused by Components of Electrical System
• Caused by Electrical Cables, Fluorescent Lighting, Truck
Ignitions, etc.
• Can Cause Permanent Damage to Sensitive Components in a
System
Prepared by Ernie Hayden, CISSP CEH
34
Electrical “Noise” (2)
• Common Types of EMI
– “Common Mode Noise” – Noise from
Radiation Generated by the Difference
Between the “Hot” and “Ground” Wires
– “Traverse Mode Noise” – Noise from
Radiation Generated by the Difference
Between the “Hot” and “Neutral” Wires
Prepared by Ernie Hayden, CISSP CEH
35
Protective Measures for
“NOISE”
•
•
•
•
Proper Line Conditioning
Proper Grounding of the System to Earth
Cable Shielding
Limited Exposure to Magnets, Electrical
Motors, Space Heaters and Fluorescent
Lights
Prepared by Ernie Hayden, CISSP CEH
36
Electrical Anomalies
Electrical Event*
Blackout
Fault
Brownout
Sag
Definition
Total loss of power
Momentary loss of power
Prolonged drop in voltage (up to 10%)
Short drop in voltage
Inrush
Initial power rush
Spike
Momentary rush of power, Momentary
high voltage
Surge
Prolonged rush of power, prolonged
high voltage
Prepared by Ernie Hayden, CISSP CEH
Mnemonic: “Bob Frequently Buys Shoes in
Shoe Stores”
37
Electrical Anomalies (2)
• Transients
– Line Noise that is Superimposed On the
Supply Circuit Can Cause Fluctuation in Power
• Inrush Current
– The Initial Surge of Current Required When
There is an Increase in Power Demand (e.g.,
starting a large motor)
Prepared by Ernie Hayden, CISSP CEH
38
Electrostatic Discharge (ESD)
• Power Surge Generated by a Person or
Device Contacting Another Device and
Transferring a High Voltage Shock
• Affected by Low Humidity
Prepared by Ernie Hayden, CISSP CEH
39
Now, About Humidity…
• Ideal Humidity Range = 40% to 60%
– High Humidity > 60%
• Causes Problems with Condensation on Computer
Equipment
• Cause Corrosion of Electrical Connections – sort of
like “Electroplating” and Impedes Electrical
Efficiency
– Low Humidity < 40%
• Can Cause Increase in Electrostatic Discharge
• Up to 4000 Volts Under Normal Humidity
• Up to 25,000 Volts Under Very Low Humidity
Prepared by Ernie Hayden, CISSP CEH
40
Static Charge and Damage
Static Charge in Volts
40
Will Damage
1,000
Sensitive Circuits and
Transistors
Scramble Monitor Display
1,500
Disk Drive Data Loss
2,000
System Shutdown
4,000
Printer Jam
17,000
Permanent Chip Damage
Prepared by Ernie Hayden, CISSP CEH
41
Precautions for Static
Electricity
• Use Anti-Static Sprays Where Possible
• Operations or Computer Centers Should
Have Anti-Static Flooring
– “Zinc Whiskers” Problem
• Building and Computer Rooms Should be
Grounded Properly
• Anti-Static Table or Floor Mats
• HVAC Should Maintain Proper Level of
Humidity in Computer Rooms
Prepared by Ernie Hayden, CISSP CEH
42
Electrical Support Systems
• Surge Suppressors
• Uninterruptible Power Supplies
– Only for Duration Needed to Safely Shutdown
Systems
• Emergency Shutoff (EPO Switch)
– Have Monitored by Camera
• Alternate Power Supply
– Generator, Fuel Cell, etc.
Prepared by Ernie Hayden, CISSP CEH
43
FIRE PROTECTION
1. Fire Prevention
2. Fire Detection
3. Fire Suppression
Prepared by Ernie Hayden, CISSP CEH
44
Fire Triangle
A FIRE Needs
These Three
Elements to
Burn
Prepared by Ernie Hayden, CISSP CEH
Fire Fighting Removes
One of These Three
Elements OR By
Temporarily Breaking
Up the Chemical
Reaction
45
Types of Fires
Class
Description (Fuel)
A
Common combustibles such
as paper, wood, furniture,
clothing
B
Burnable fuels such as
gasoline or oil
C
Electrical fires such as
computers and electronics
D
Special fires, such as
chemical, metal
K
Commercial Kitchens
Prepared by Ernie Hayden, CISSP CEH
46
Fire Prevention
• Use Fire Resistant Materials for Walls,
Doors, Furnishings, etc.
• Reduce the Amount of Combustible Papers
Around Electrical Equipment
• Provide Fire Prevention Training to
Employees
– REMEMBER: Life Safety is the Most Important
Issue!
• Conduct Fire Drills on All Shifts So that
Personnel Know How to Exit A Building
Prepared by Ernie Hayden, CISSP CEH
47
Fire Detection
• Ionization-type Smoke Detectors
– Detect Charged Particles in Smoke
• Optical (Photoelectric) Detectors
– React to Light Blockage Caused by Smoke
• Fixed or Rate-of-Rise Temperature Sensors
– Heat Detectors That React to the Heat of a Fire
– Fixed Sensors Have Lower False Positives
• Flame Actuated
– Senses Infrared Energy of Flame or Pulsating of the
Flame
– Very FAST Response Time, Expensive
Prepared by Ernie Hayden, CISSP CEH
48
Fire Detection (2)
• Automatic Dial-Up Fire Alarm
– System Dials the Local Fire or Police Department and
Plays a Prerecorded Message When a Fire is Detected
– Usually Used in Conjunction with One of the Other
Type of Fire Detectors
– This Type of System Can Be Easily/Intentionally
Subverted
• Combinations are Usually Used for The Best
Effectiveness in Detecting a Fire
Prepared by Ernie Hayden, CISSP CEH
49
Fire Classes and
Suppression/Extinguishing Methods
Class
Description (Fuel)
Extinguishing Method
A
Common combustibles such
as paper, wood, furniture,
clothing
Water, Foam
B
Burnable fuels such as
gasoline or oil
C
Electrical fires such as
computers and electronics
Inert Gas, CO2(Note: Most
important step: Turn off
electricity first!)
D
Special fires, such as
chemical, metal
Dry Powder (May require
total immersion or other
special techniques)
K
Commercial Kitchens
Wet Chemicals
Prepared by Ernie Hayden, CISSP CEH
Inert Gas, CO2
50
Fire Suppression
• Carbon Dioxide (CO2), Foam, Inert Gas
and Dry Power Extinguishers DISPLACE
Oxygen to Suppress a Fire
• CO2 Is a Risk to Humans (Because of
Oxygen Displacement)
• Water Suppresses the Temperature
Required to Sustain a Fire
Prepared by Ernie Hayden, CISSP CEH
51
Fire Suppression - Halon
• Halon Banned for New Systems Under 1987
Montreal Protocol on Substances that Deplete
the Ozone Layer
– Began Implementation of Ban in 1992
– Any New Installations of Fire Suppression systems
Must Use Alternate Options
– EU Requires Removal of Halon for Most Applications
• Halon Replacements:
– FM200,
Prepared by Ernie Hayden, CISSP CEH
52
Halon Replacements
Prepared by Ernie Hayden, CISSP CEH
Ref:
http://www.periphman.com/fire/statusofindustry.pdf
53
Fire Suppression - Water
• Wet Pipe
–
–
–
–
–
Always Contains Water
Most Popular and Reliable
165° Fuse Melts
Can Freeze in Winter
Pipe Breaks Can Cause Floods
–
–
–
–
No Water in Pipe
Preferred for Computer Installations
Water Held Back by Clapper
Air Blows Out of Pipe, Water Flows
Wet Pipe
Dry Pipe
• Dry Pipe
Prepared by Ernie Hayden, CISSP CEH
54
Fire Suppression – Water (2)
• Deluge
– Type of Dry Pipe
– Water Discharge is Large
– Not Recommended for Computer Installations
• Preaction
– Most Recommended for Computer Room
– Combines Both Dry and Wet Pipes
– Water Released into Pipe First Then After
Fuse Melts in Nozzle the Water is Dispersed
Prepared by Ernie Hayden, CISSP CEH
55
Fire: Contamination & Damage
•
•
•
•
Smoke
Heat
Water
Suppression Medium Contamination
Prepared by Ernie Hayden, CISSP CEH
56
Heating Ventilation & Air
Conditioning (HVAC)
• Usually the Focal Point for Environmental
Controls
• You Need to Know Who is Responsible for
HVAC in Your Building
• Clear Escalation Steps Need to Be Defined
Well in Advance of an EnvironmentalThreatening Incident
Prepared by Ernie Hayden, CISSP CEH
57
HVAC Issues
• Are Computerized Components Involved?
• Does It Maintain Appropriate Temperature
and Humidity Levels? Air Quality?
– Ideal Temperature = 70° to 74° F
– Ideal Humidity = 40% to 60%
• Maintenance Procedures Should Be
Documented
• Preventive Maintenance Performed and
Documented
Prepared by Ernie Hayden, CISSP CEH
58
5 Functional Areas
1.
2.
3.
4.
Information Protection Requirements
Information Protection Environment
Security Technology and Tools
Assurance, Trust and Confidence
Mechanisms
5. Information Protection and Management
Services
Prepared by Ernie Hayden, CISSP CEH
59
Elements of Physical Security
• Badges
• Restricted Areas
• Lights
• Dogs
• CCTV
• Locks
Prepared by Ernie Hayden, CISSP CEH
• Access Control
• Barriers
• Security Forces
• Fences
• Intrusion
Detection
Systems
60
Functions of Physical Security
1.
2.
3.
4.
5.
Deter
Delay
Detect
Assess
Respond
Prepared by Ernie Hayden, CISSP CEH
61
Layered Defense
•
•
•
•
•
•
•
•
•
•
Security Breach Alarms
On-Premises Security Officers
Server Ops Monitoring
Early Warning Smoke Detectors
Redundant HVAC Equipment
UPS and Backup Generators
Seismically Braced Server Racks
Biometric Access & Exit Sensors
Continuous Video Surveillance
Electronic Motion Sensors
Prepared by Ernie Hayden, CISSP CEH
62
Perimeter Protection
• Perimeter Security Controls are the First
Line of Defense
• Protective Barriers – Natural or
Structural
– Natural Barriers
• Terrains That are Difficult to Cross
• Landscaping (Shrubs, Trees, Spiny Shrubs)
– Structural Barriers
• Fences, Gates, Bollards, Facility Walls
Prepared by Ernie Hayden, CISSP CEH
63
Fences
• Know These Fencing Heights:
– 3 ft – 4 ft High
– 6 ft – 8 ft High
– 8 ft High with
3 Strands of
Barbed Wire
Deters Casual Trespassers
Too Hard to Climb Easily
Deters Intruders
• 3 Types of Fencing
– Chain Link
– Barbed Wire
– Barbed Tape or Concertina Wire
Prepared by Ernie Hayden, CISSP CEH
64
Fences (2)
This is at
least 8 Feet
• Chain Link
– 6 Feet Tall (Excluding Top
Guard)
– 8 Feet Tall (with Top Guard)
– 2 inch Openings or Less
– Reach within 2 Inches of
Ground or On Soft Ground It
Is Below the Surface
– Be Sure Vegetation or
Adjacent Structures Do Not
Bridge Over the Fence
Prepared by Ernie Hayden, CISSP CEH
65
Gates, Bollards, Barriers
Prepared by Ernie Hayden, CISSP CEH
66
Intrusion Detection &
Surveillance
• Perimeter Intrusion Detection Systems
– Sensors That Detect Access Into the Area
• Photoelectric (Usu. Infrared Light)
• Ultrasonic
• Microwave*
• Passive Infrared (PIR)
• Pressure Sensitive (Dry Contact Switch)
• Surveillance Devices
– Closed-Circuit Television (CCTV)
Prepared by Ernie Hayden, CISSP CEH
67
Motion Detectors
• 3 Categories
– Wave Pattern – Generates a Frequency
Wave Pattern. If Pattern is Disturbed as it is
Reflected Back to its Receiver (low, ultrasonic
or microwave range)
– Capacitance – Monitor an Electrical Field
Around an Object. If Field is Disturbed the
Alarm is Triggered. Used for Spot Protection.
– Audio Detectors – Monitor for any Abnormal
Sound Wave Generation. (Lots of False
Alarms)
Prepared by Ernie Hayden, CISSP CEH
68
Intrusion Detection Systems
• Can Be Installed On:
– Windows, Doors, Ceilings, Walls
– Any Other Entry Points Such as
HVAC, Roof Access Openings,
Ducts, etc.
• They Detect Change In:
– Electrical Circuits, Light Beams
– Sounds, Vibrations, Motion
– Capacitance Due to Penetration
of An Electrostatic Field
– Biometrics
Prepared by Ernie Hayden, CISSP CEH
69
CCTV
• Def: A Television Transmission System That
Uses Cameras to Transmit Pictures To Connected
Monitors
• CCTV Levels:
– Detection: The Ability to Detect the Presence of an
Object
– Recognition: The Ability to Determine the Type of
Object (animal, blowing debris, crawling human)
– Identification: The Ability to Determine the Object
Details (person, large rabbit, small deer, tumbleweed)
• Remember: Monitoring Live Events is
Preventive and Recording of Events is
Detective
Prepared by Ernie Hayden, CISSP CEH
70
CCTV Components
• Camera
– Fixed, Zoom
– Pan & Tilt
• Transmission Media
– Coax Cable
– Fiber Cable
– Wireless
• Monitor
Prepared by Ernie Hayden, CISSP CEH
71
CCTV Added Components
•
•
•
•
•
•
Camera Tube
Pan and Tilt Units
Panning Device
Mountings
Switchers/Multiplexers
Remote Camera
Controls
Prepared by Ernie Hayden, CISSP CEH
• Infrared Illuminators
• Time/Date Generators
• Videotape or Digital
Recorders
• Motion Detectors
• Computer Controls
• Video Loss Detectors
72
CCTV Deployment Features
• Cameras High Enough
to Avoid Physical
Attack
• Cameras Distributed
to Exclude Blind Areas
• Appropriate Lenses
• Pan, Tilt, Zoom (PTZ)
as Required
• Ability to be Recorded
Prepared by Ernie Hayden, CISSP CEH
• Camera System Tied
to Alarm System
• Number and Quality
of Video Frames
Increased During
Alarm Event
• Regular Service of
Moving Parts
• Cleaning Lenses
• Human Intervention
73
CCTV Application Guidelines
• Understand the Facility’s Total Surveillance
Requirements
• Determine the Size of the Area to be Monitored
– Depth, Height, and Width
– Ensures Proper Camera Lens Specifications
• Lighting is Important – Different Lamps and
Lighting Provide Various Levels of Effectiveness
– ‘Contrast’ Between the Object and Background
– For Outdoor Use, the US Army Specifies the
Automatically Adjusted Iris Feature
Prepared by Ernie Hayden, CISSP CEH
74
CCTV Design Guidelines
• System Familiarity is Important – Understand
Camera Placement and Detection Field “Shape”
• Exterior Camera Concerns
–
–
–
–
–
–
Weather
Illumination Range
Field of View Alignment
Balanced Lighting
Environmental Housings
Mounting Heights
• In All Cases, Place Camera High Enough to Avoid
Tampering or Collision
Prepared by Ernie Hayden, CISSP CEH
75
CCTV Legal and Practical
Implications
• Storage Implications of Recorded Data
• Video Tapes Must Be Stored to Prevent
Deterioration
• Digital Records Must Be Maintained to
Assert Integrity
• Human Rights and Privacy Implications in
Recording People
• Requirements to Blurr/Pixelate Individuals
Other than Accused
Prepared by Ernie Hayden, CISSP CEH
76
Lighting
• Provides a Deterrent to Intruders
• Makes Detection Likely if Entry Attempted
• Should be Used With Other Controls Such
as Fences, Patrols, Alarm Systems, CCTV
• Critical Protected Buildings Should
Be Illuminated Up to 8 Feet High,
with 2 Foot-Candle Power
Prepared by Ernie Hayden, CISSP CEH
77
Types of Lighting
• Continuous Lighting (Most Common)
– Glare Projection
– Flood Lighting
•
•
•
•
Trip Lighting
Standby Lighting
Movable (Portable)
Emergency Lighting
Prepared by Ernie Hayden, CISSP CEH
78
Access Control
• Card Access
Advisory:
Magnetic
Access Cards
Should Have No
Company ID
On Them
– Smart Cards
– Mag Stripe Cards
– Proximity Cards
• Biometrics
– Fingerprint
– Retina or Iris Scans
– Hand Geometry
– Signature Dynamics
Prepared by Ernie Hayden, CISSP CEH
79
Locks
• Tip: Locks are Considered DELAY
Devices Only
• All Locks Can Be Defeated By Force and/or
the Proper Tools
• Locks Must Never Be Considered a
Stand-Alone Method of Security
Prepared by Ernie Hayden, CISSP CEH
80
Locks (2)
• Types of Locks
– Key Locks
– Combination Locks
• Key Locks
– Key-in-Knob or Key-in-Lever (Cylindrical Lockset) – Only for Low
Security Apps
– Dead Bolt Locks or Tubular Dead Bolts – Good for Storerooms,
Houses (Bolt is “Thrown”)
– Mortise Locks (Lock Case is Recessed or Mortised into the Edge
of Door) – Low Security Apps
– Padlocks
• Combination Locks
– Combinations Must Be Changed at Specific Times and Under
Specific Circumstances
Prepared by Ernie Hayden, CISSP CEH
81
Keyless and Smart Locks
• Keyless (Cipher) Locks
– Push-button locks
• Smart Locks
– Permit Only Authorized People Into Certain
Doors at Certain Times
• E.g., Magnetic Stripe Card that is Time Sensitive
Prepared by Ernie Hayden, CISSP CEH
82
Lock Security Measures
• Key Control Procedures
– Restrict Issue of Keys on a Long-Term Basis to
Outside Maintenance or Janitorial Personnel
– Keep a Record of All Issued Keys
– Investigate the Loss of All Keys
• When in Doubt, Rekey the Affected Locks
– Use as Few Master Keys as Possible
– Issue Keys on a Need-to-Go Basis
– Remember – Keys are a Single-Factor Authentication
Mechanism That Can Be Lost, Stolen, or Copied.
• (Use 2-Factor Methods for More Secure Spaces)
Prepared by Ernie Hayden, CISSP CEH
83
Compartmentalized Area
• Def: Location Where Sensitive
Equipment is Stored and Where Sensitive
Information is Processed
• Must Have a Higher Level of Security
Controls
Prepared by Ernie Hayden, CISSP CEH
84
Data Center
• Walls
– Extend from True Floor to
True Ceiling
• Access Controls
– Depending Upon Sensitivity
of the Information and
Value of Equipment,
Electronic Access Controls
May Need to be Installed
Prepared by Ernie Hayden, CISSP CEH
Ref: CISSP Certification, Shon
Harris
85
Portable Device Security
• Laptops, PDAs, Etc.
– Protect the Device
– Protect the Data in the Device
• Examples:
–
–
–
–
–
–
Locking Cables for Docking Stations
Tracing Software
Audible Motion Alarm
Encryption Software
PIN Protection for PDAs
Inventory System
Prepared by Ernie Hayden, CISSP CEH
86
Alarm Systems
1. Local Alarm Systems – Alarm Sounds
Locally and Must be Protected from Tampering
and Audible for at Least 400 Feet
2. Central Station Units – Monitored 7x24 and
Signaled Over Leased Lines – Usually within
<10 Minutes Travel Time (Private Security
Firms)
3. Proprietary Systems – Similar to Central but
Owned and Operated by Customer
4. Auxiliary Station Systems – Systems that
Ring at Local Fire or Police Stations
Prepared by Ernie Hayden, CISSP CEH
87
Additional Alarm Systems
• Line Supervision
– Alarm Sounds When Alarm Transmission
Medium Detects Tampering.
– Secure Detection and Alarm Systems Require
Line Supervision
• Power Supplies
– Require Separate Circuitry and Backup Power
with 24 Hour Minimum Discharge Time
Prepared by Ernie Hayden, CISSP CEH
88
5 Functional Areas
1.
2.
3.
4.
Information Protection Requirements
Information Protection Environment
Security Technology and Tools
Assurance, Trust and Confidence
Mechanisms
5. Information Protection and Management
Services
Prepared by Ernie Hayden, CISSP CEH
89
Drills & Testing
• Drills/Exercises/Testing
– Keeps Everyone Aware of Their
Responsibilities
– Building Evacuation Drills Are Important
• Physical Vulnerability/Penetration Tests
– Should Identify Weak Entry Points
– Findings Should Be Documented
– Ref: Ira Winkler Stories
Prepared by Ernie Hayden, CISSP CEH
90
Checklist, Maintenance &
Service
• Checklist
– Identifies Those Elements of Physical Security
That Need to be Checked on a Regular Basis
• Maintenance and Service
– Needs to be Done
– Need to Monitor Who Performs the
Maintenance, Especially if it is an Outside
Contractor
Prepared by Ernie Hayden, CISSP CEH
91
5 Functional Areas
1.
2.
3.
4.
Information Protection Requirements
Information Protection Environment
Security Technology and Tools
Assurance, Trust and Confidence
Mechanisms
5. Information Protection and Management
Services
Prepared by Ernie Hayden, CISSP CEH
92
Managed Services
• Be Sure To Address:
– Contractor Understands and is Contractually
Bound to Meet the Organization’s Physical and
Procedural Security Requirements
– The Contracting Organization Has Ability to
Audit or Test the Security Services Provided
– There is a Channel of Communications
Between the Contracting Authority and the
Contractor to Affect Changes As Needed
Prepared by Ernie Hayden, CISSP CEH
93
Media Storage Requirements
• Common Storage Areas for Media
– On Site – safes, desks, storage cabinets
– Off Site – data backup vaults (Transportation can be a
security concern)
• Elements and Resources in Control to
Protect the Media
–
–
–
–
Physical Access Control at Storage Area
Environmental Controls (fire, water protection)
Inventory Controls and Monitoring
Audits
Prepared by Ernie Hayden, CISSP CEH
94
Media Storage Requirements (2)
• Data Destruction and Reuse
– Degaussing or Overwriting Usually Typically
Destroys Most Data
– Normal Formatting Does Not Destroy the
Data
– Format or Overwrite 7 Times (Mil-Spec)
– Consider Shredding Hard Drives, Other
Portable Media
– Paper Records = Confetti Shred or Burn
Prepared by Ernie Hayden, CISSP CEH
95
Physical Summary
• Physical and Procedural Countermeasures:
–
–
–
–
Provide Identification and Authentication
Authorization (Access Control)
Accountability
Provide Physical Contingency Resources and Alternate
Procedures
• Organized in a DEFENSE IN DEPTH
Strategy
• Effectiveness Relies on Knowledge, Skills
and Awareness of Staff
Prepared by Ernie Hayden, CISSP CEH
96
Ernie Hayden CISSP, CEH
[email protected]
Cell: 425-765-1400
Prepared by Ernie Hayden, CISSP CEH
97
Uptime Institute
• www.uptimeinstitute.com
• Zinc Whiskers
– “Conductivity Contamination”
• Data Center Energy Issues
Prepared by Ernie Hayden, CISSP CEH
98