SecurityArena

Guide to Practical Info Security!

Written by Administrator   
Tuesday, 09 June 2009 10:14

CBK Physical Security

“Many CISSP candidates underestimate the physical security domain. As a result exam scores are often the lowest in this domain.”

CISSP for Dummies, Page 301

This domain examines threats, risks, and countermeasures to protect facilities, hardware, data, media, and personnel. This involves facility selection, authorized entry methods, and environmental and safety procedures. 

Exam Tip. Life safety goals should always take precedence over all other types of goals.


Definitions

SLAs (Service level agreements). Ensure that vendors provide the necessary level of protection.

MTBF (Mean Time Between Failure). It is used to determine the expected lifetime of a device or when an element within that device is expected to give out.

MTTR (Mean Time To Repair). It is used to estimate the amount of time between repairs.

Security Musts. Safety requirements that the company is obliged by law to obey.

Security Shoulds. Protection procedures that should be put into place to help protect the company from devastating activities and their results.

Categories of Threats

  • Natural environmental threats. These include floods, earthquakes, storms and tornadoes, fires, extreme temperature conditions etc.
  • Supply system threats. These include power distribution outages, communications interruptions, and interruption to other natural energy resources such as water, steam, and gas etc.
  • Manmade threats. These include unauthorized access (both internal and external), explosions, damage by angry employees, employee errors and accidents, vandalism, fraud, theft etc.
  • Politically motivated threats. These include strikes, riots, civil disobedience, terrorist attacks and bombings etc.

Goals for Organizational physical security program

  • Crime and disruption prevention through deterrence. These include fences, security guards, warning signs etc.
  • Reduction of damage. Achieved through the use of delaying mechanisms: layers of defenses that slow down the adversary, such as locks, security personnel, and barriers.
  • Crime or disruption detection. These include smoke detectors, motion detectors, CCTV etc.
  • Incident assessment. Response of security guards to detected incidents and determination of damage level.
  • Response procedures. These include fire suppression mechanisms, emergency response processes, law enforcement notification, and consultation with outside security professionals.

Designing an Effective Physical Security Plan

Steps
  • Identify a team of internal employees and/or external consultants who will build the physical security program through the following steps.
  • Carry out a risk analysis to identify the vulnerabilities and threats and calculate the business impact of each threat.
  • Work with management to define an acceptable risk level of the physical security program.
  • Derive the required performance baselines from the acceptable risk level.
  • Create countermeasure performance metrics.
  • Develop criteria from the results of the analysis, outlining the level of protection and performance required for deterrence, delaying, detection, assessment and response sub categories.
  • Identify and implement countermeasures for each program category.
  • Continuously evaluate countermeasures against the set baselines to ensure that the acceptable risk level is not exceeded.

 


Crime Prevention through Environmental Design (CPTED)

It is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance in loss and crime prevention through proper facility construction and environmental components and procedures. CPTED and target hardening are two different approaches.

Target hardening

It focuses on denying access through physical and artificial barriers (alarms, locks, fences, and so on). Traditional target hardening can lead to restrictions on the use, enjoyment, and aesthetics of an environment.

CPTED Approaches

  • Natural access control is the guidance of people entering and leaving a space by the placement of doors, fences, lighting, and even landscaping. For example, an office building may have external bollards with lights in them. These bollards actually carry out different safety and security services.
  • Natural Surveillance can also take place through organized means (security guards), mechanical means (CCTV), and natural strategies (straight lines of sight, low landscaping, raised entrances). The goal of natural surveillance is to make criminals feel uncomfortable, by providing many ways that observers could potentially see them, and make all other people feel safe and comfortable, by providing an open and well-designed environment.
  • Territorial Reinforcement creates physical designs that emphasize or extend the company’s physical sphere of influence so that legitimate users feel a sense of ownership of that space. Territorial reinforcement can be implemented through the use of walls, fences, landscaping, light fixtures, flags, clearly marked addresses, and decorative sidewalks. The goal of territorial reinforcement is to create a sense of a dedicated community.

 


Facility Management

Issues with Selecting a Site Location

  • Visibility
    • Usually a low visibility is desired.
    • Surrounding terrain
    • Building markings and signs
    • Types of neighbors
    • Population of the area
  • Surrounding area and external entities
    • Crime rate, riots, terrorism attacks
    • Proximity to police, medical, and fire stations
    • Possible hazards from surrounding area
  • Accessibility
    • Road access
    • Traffic
    • Proximity to airports, train stations, and highways
  • Natural disasters
    • Likelihood of floods, tornadoes, earthquakes, or hurricanes
    • Hazardous terrain (mudslides, falling rock from mountains, or excessive snow or rain)
  • Services
    • Joint Tenancy. Is access to HVAC and environmental controls shared within the building?
    • External Services. Proximity to local Fire, Police and medical facilities

Concerns during Facility Design

  • The load / Weight. How much weight the building’s walls, floors and ceilings can hold needs to be estimated and projected to ensure that the building will not collapse in different situations.
  • Positive flow (water and gas lines). Material should flow out of building, not in.
  • Internal partitions. Many buildings have hung ceilings, meaning the interior partitions may not extend above the ceiling; therefore an intruder can lift a ceiling panel and climb over the partition.

Guidelines when designing and building a facility

  • Walls
    • Acceptable fire and load rating
    • Floor to ceiling
    • Reinforcements for secured areas
  • Doors
    • Fire rating
    • Resistant to forcible entry
    • Emergency marking
    • Appropriate placement
    • Secure hinges
    • Directional opening
    • Electric door locks should revert to fail safe settings rather than fail secure to allow safe evacuation of personnel in case of power outages
    • If glass is used then it should be shatterproof or bulletproof
  • Ceilings
    • Fire rating
    • Weight-bearing rating
    • Drop-ceiling considerations
  • Windows
    • Translucent or opaque requirements
    • Shatterproof
    • Alarms
    • Placement
    • Accessibility to intruders
  • Flooring
    • Raised flooring (electrical grounding)
    • Non conducting surface and material
  • Heating, ventilation, and air conditioning
    • Positive air pressure
    • Protected intake vents
    • Dedicated power lines
    • Emergency shutoff valves and switches
  • Electric power supplies
    • Dedicated feeders to required areas
    • Backup and alternate power supplies
    • Clean and steady power source
    • Placement and access to distribution panels and circuit breakers
  • Water and gas lines
    • Shutoff valves—labeled and brightly painted for visibility
    • Positive flow (material flows out of building, not in)
    • Placement—properly located and labeled
  • Fire detection and suppression
    • Placement of sensors and detectors
    • Placement of suppression systems
    • Type of detectors and suppression agents

Window Types

  • Standard. No extra protection. Cheapest and the lowest level of protection.
  • Tempered. Glass is heated and then cooled suddenly to increase its integrity and strength.
  • Acrylic. Type of plastic instead of glass. Polycarbonate acrylics are stronger than regular acrylics.
  • Wired. Mesh of wire is embedded between two sheets of glass. This wire helps to prevent the glass from shattering.
  • Laminated. Plastic layer between two outer glass layers. Plastic layer helps to increase the strength against breakage.
  • Solar window film. Provides extra security by being tinted and extra strength through the film’s material.
  • Security film. Transparent film is applied to the glass to increase its strength.

 

Power Supply

Electrical Power Definitions

  • Ground. The pathway to the earth to enable excessive voltage to dissipate.
  • Noise. Electromagnetic or frequency interference that disrupts the power flow and can cause fluctuations.
  • Transient noise. Short duration of power line disruption.
  • Inrush current. The initial surge of current required when there is an increase in power demand.
  • Clean power. Electrical current that does not fluctuate.
  • Fault. Momentary power loss/outage.
  • Blackout. Complete / prolonged loss of power.
  • Sag. Momentary low voltage.
  • Brownout. Prolonged low voltage.
  • Spike. Momentary high voltage.
  • Surge. Prolonged high voltage.
  • EMI. Electromagnetic interference.
  • RFI. Radio frequency interference.

UPS. An uninterruptible power supply (UPS), also known as a battery back-up, provides emergency power and, depending on the topology, line regulation as well. It differs from an auxiliary or emergency power system or standby generator, which does not provide instant protection from a momentary power interruption.

  • Offline / Standby UPS. With this type of UPS, a user's equipment is normally connected directly to incoming utility power, and the UPS is activated when the main power fails. It is more cost effective and least secure, and battery life is increased.
  • Line-interactive. The Line-Interactive UPS is similar in operation to a Standby UPS, but with some additional features. This type of UPS is able to tolerate continuous under voltage brownouts and over voltage surges without consuming the limited reserve battery power.
  • Online systems. Power is drawn by the system through a bank of batteries all the time. The Online UPS is ideal for environments where electrical isolation is necessary or for equipment that is very sensitive to power fluctuations. It is more costly and battery life is shorter.
  • DC power / Rectifier. These normally have a typical protection time of several hours. A UPS designed for powering DC equipment is very similar to an online UPS, except that it does not need an output inverter, and often the powered device does not need a power supply. Many systems used in telecommunications use 48 volt DC power, because it is not considered a high voltage by most electrical codes and is exempt from many safety regulations, such as being installed in conduit and junction boxes.

Backup power Supply. Backup power supplies are necessary when there is a power failure and the outage will last longer than a UPS can last. Backup supplies can be a redundant line from another electrical substation or from a motor generator and can be used to supply main power or charge the batteries in a UPS system.

Voltage regulators and line conditioners. These can be used to ensure a clean and smooth distribution of power by tolerating continuous under voltage brownouts and over voltage surges.

Things to Remember for Electrical Power

  • Plug in every device to a surge protector to protect from excessive current.
  • Shut down devices in an orderly fashion to help avoid data loss or damage to devices due to voltage changes.
  • Employ power line monitors to detect frequency and voltage amplitude changes.
  • Use regulators to keep voltage steady and power clean.
  • Protect distribution panels, master circuit breakers, and transformer cables with access controls.
  • Provide protection from magnetic induction through shielded lines.
  • Use shielded cabling for long cable runs.
  • Do not run data or power lines directly over fluorescent lights.
  • Use three-prong connections and adapters if using two-prong cables.
  • Do not plug outlet strips and extension cords into each other.
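The six voltage terms defined above (fault, blackout, sag, brownout, spike, surge) differ on two axes only: the direction of the deviation and how long it lasts. The following added example, which is not part of the original guide, shows how a power line monitor's readings could be sorted into those terms. The nominal voltage, tolerance band, loss cutoff and momentary/prolonged boundary are assumptions chosen for illustration; the guide gives no numeric thresholds.

```python
# Assumed thresholds (not from the guide): tune to the site's electrical standard.
NOMINAL_V = 120.0        # assumed nominal line voltage
TOLERANCE = 0.10         # assumed: within +/-10% of nominal is normal
LOSS_V = 10.0            # assumed: below this the line is treated as lost
MOMENTARY_MAX_S = 1.0    # assumed: anything longer counts as prolonged

# The guide's taxonomy: (condition, prolonged?) -> term
TERMS = {
    ("loss", False): "fault",  ("loss", True): "blackout",
    ("low", False): "sag",     ("low", True): "brownout",
    ("high", False): "spike",  ("high", True): "surge",
}

# Constructed sample: one reading every 0.1 s, not a real capture.
SAMPLE_READINGS = (
    [120.0] * 5 + [100.0] * 2 +    # 0.2 s low
    [120.0] * 5 + [100.0] * 20 +   # 2.0 s low
    [120.0] * 3 + [150.0] * 1 +    # 0.1 s high
    [120.0] * 3 + [0.0] * 15 +     # 1.5 s loss
    [120.0] * 2 + [0.0] * 3 +      # 0.3 s loss
    [120.0] * 2 + [135.0] * 12     # 1.2 s high, still ongoing at end of capture
)


def condition(volts):
    """Map one reading to loss / low / high / normal."""
    if volts < LOSS_V:
        return "loss"
    if volts < NOMINAL_V * (1 - TOLERANCE):
        return "low"
    if volts > NOMINAL_V * (1 + TOLERANCE):
        return "high"
    return "normal"


def classify(readings, interval_s):
    """Group consecutive abnormal readings into events and name each one."""
    events = []
    run_state, run_start = "normal", 0
    # A trailing nominal reading acts as a sentinel that closes a run
    # still in progress when the capture ends.
    for i, volts in enumerate(list(readings) + [NOMINAL_V]):
        state = condition(volts)
        if state == run_state:
            continue
        if run_state != "normal":
            samples = i - run_start
            duration = samples * interval_s
            events.append({
                "event": TERMS[(run_state, duration > MOMENTARY_MAX_S)],
                "start_index": run_start,
                "samples": samples,
                "duration_s": duration,
            })
        run_state, run_start = state, i
    return events


if __name__ == "__main__":
    for e in classify(SAMPLE_READINGS, 0.1):
        print(f'{e["event"]:9s} start={e["start_index"]:3d} duration={e["duration_s"]:.1f}s')
```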

 


Environmental issues

Positive drains. Contents flow out of the building instead of into the building.

Positive pressurization. Positive pressure is a pressure within a system that is greater than the environment that surrounds that system. If someone opens the door, air will flow out of the room instead of in.

Relative humidity. 40 to 60% is the acceptable level of humidity. Higher humidity can cause corrosion, while low humidity can cause excessive static electricity. A hygrometer is usually used to monitor humidity.

Preventive Steps against Static Electricity

  • Use antistatic flooring in data processing areas.
  • Ensure proper humidity.
  • Have proper grounding for wiring and outlets.
  • Don’t have carpeting in data centers, or have static-free carpets if necessary.
  • Wear antistatic bands when working inside computer systems.

Components Affected by Specific Temperatures

  • Computer systems and peripheral devices: 175°F
  • Magnetic storage devices: 100°F
  • Paper products: 350°F

Fire

Fire detectors

  • Smoke activated. Normally a photoelectric device. These are good early-warning devices, as they can be used to sound a warning alarm before the suppression system activates.
  • Heat activated. Rate-of-rise temperature sensors and fixed-temperature sensors. Rate-of-rise temperature sensors usually provide a quicker warning than fixed-temperature sensors because they are more sensitive, but they can also cause more false alarms.
  • Flame activated. Senses the infrared energy.
  • Automatic Dial-up Alarm. Calls the local fire station to report a detected fire.

Fire suppression

Portable extinguishers should be located within 50 feet of any electrical equipment and located near exits.

Fire Components

Heat, Fuel, Oxygen and chemical reaction are four fire components. A fire suppressant tries to suppress one or more of these components to control the fire.

  • Water suppresses the temperature required to sustain the fire.
  • Soda Acid suppresses the fuel supply of the fire.
  • CO2 suppresses the oxygen supply required to sustain the fire.
  • Halon  suppresses the combustion through a chemical reaction.

Type of Fires and Suppressant


Note: Halon as a fire extinguisher has been banned in most countries due to the Montreal Protocol. Approved replacements for Halon include FM-200, NAF-S-III, CEA-410, FE-13, Water, Inergen, Argon and Argonite.

Water Sprinklers

These are simpler and less expensive than halon and FM-200 systems but can cause water damage. In an electrical fire, the water can increase the intensity of the fire, because it can work as conductor for electricity. Electricity must be turned off before the water is released.

  • Wet Pipe (Close head Systems). Always contain water in the pipes and are usually discharged by temperature control level sensors.  Water may freeze in colder climates.
  • Dry Pipe. The water is in a “holding tank” and held by a valve until a specific temperature is reached. There is a time delay between the predefined temperature being met and the release of water.
  • Preaction. Combines the use of wet and dry pipe systems. Water is not held in the pipes and is only released into the pipes once a predefined temperature is met. Once this temperature is met, the pipes are filled with water, but it is not released right away. A link has to melt before the water is released from the sprinkler head itself. This allows reaction time to respond to false alarms.
  • Deluge. The same as a dry pipe system except the sprinkler head is wide open to release a large amount of water. It is not usually used in data centers.

 

Perimeter Security

Important: You must have a diversity of controls. For example, if one key works on four different door locks, the intruder has to obtain only one key. Each entry should have its own individual key or authentication combination.

Access control points should be identified, marked, and monitored properly.

Facility Access Control

Enforced through physical and technical components

  • Locks. Locks are inexpensive access control mechanisms that are considered delaying devices to intruders. To the curious mind or a determined thief, a lock is considered a little puzzle to solve, not a deterrent.
    • Mechanical Locks. There are two main types of mechanical locks, the warded lock and the tumbler lock.
    • Combination locks. These require the correct combination of numbers to unlock them.
    • Cipher locks. Also known as programmable locks, these are keyless and use keypads to control access into an area or facility. The lock requires a specific combination to be entered into the keypad and possibly a swipe card. Compared to traditional locks, cipher locks can provide a much higher level of security and control of who can access a facility. Options available on many cipher locks:
      • Door delay: If the door is held open for a long period of time, an alarm will trigger to alert personnel of suspicious activity.
      • Key-override: A specific combination can be programmed to be used in emergency situations to override usual procedures or for supervisory overrides.
      • Master-keying: Enables supervisory personnel to change access codes and other features of the cipher lock.
      • Hostage alarm: If an individual is under duress and/or held hostage, there can be a combination he or she enters to communicate this situation to the guard station and/or police station.
  • Device Locks. These are used to protect devices, attached peripherals or unused physical ports by using switch controls, slot locks, port controls, peripheral switch control and cable traps.
  • Keys.  It is important for an organization to have proper documented key management and maintenance procedures. Most organizations have master keys and submaster keys for the facility management staff. A master key opens all the locks within the facility, and the submaster keys open one or more locks. Each lock has its own individual, unique keys as well.

 

Personnel Access Controls

Piggybacking. When an individual gains unauthorized access by using someone else’s legitimate credentials or access rights. One way to control piggybacking is through the use of a mantrap: the entrance is routed through a set of double doors that may be monitored by a guard.

Electronic access control (EAC) tokens. It is a generic term that is used to describe proximity authentication devices, which can be proximity readers, programmable locks, or biometric systems, which identify and authenticate users before allowing them entrance into physically controlled areas.

Wireless Proximity Readers

  • User activated. The user actually has to do something, e.g. swipe the card or enter a PIN.
  • System sensing. Will recognize the presence of the coded device within a specific area.
    • Transponders: A transponder device contains a radio receiver and transmitter, a storage place for the access code, control logic, and a battery.
    • Passive devices: The card does not have any power source of its own. A passive device only uses the power from the reader to detect the presence of the card.
    • Field-powered devices. The card and reader contain a transmitter and active electronics.

External Boundary Protection Mechanism

Fencing. Fences work as “first line of defense” mechanisms.

  • 3-4 feet. Deter casual trespassers
  • 6-7 feet. Considered too high to climb easily.
  • 8 feet with 3 strands of barbed wire. Deter intruders.
  • PIDAS Fencing. Perimeter Intrusion Detection and Assessment System (PIDAS) is a type of fencing that has sensors on the wire mesh and at the base of the fence. It is used to detect if someone attempts to cut or climb the fence. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected. PIDAS is very sensitive and can cause many false alarms.

Gates. There are basically four distinct types of classification when it comes to gates:

  • Class I. Residential usage.
  • Class II. Commercial usage, where general public access is expected; examples include a public parking lot entrance, a gated community, or a self storage facility.
  • Class III. Industrial usage, where limited access is expected; an example is a warehouse property entrance that is not intended to serve the general public.
  • Class IV. Restricted access; this includes a prison entrance that is monitored either in person or via closed circuitry.

Lighting

Should be used to discourage intruders and provide safety for personnel, entrances, parking areas and critical sections. All critical areas should be illuminated 8 feet high and 2 feet out. Be mindful of glare protection for the security guards.

  • Redundant or backup lights should be available in case of power failures or emergencies. Special care must be given to understand what type of lighting is needed in different parts of the facility in these types of situations. This lighting may run on generators or battery packs.
  • Responsive area illumination takes place when an IDS detects suspicious activities and turns on the lights within a specific area.

Surveillance Devices

Three main categories:

  • Patrol Force and Guards. They have the ability to assess the situation and make determinations.
  • Dogs. These are loyal, reliable and have a sense of smell and hearing.
  • Visual Recording Devices. These include cameras and CCTV etc. These may be remotely monitored in a control room and may be used as recorded evidence.

IDS Types

  • Proximity Detection System / Capacitance detector. These emit a measurable magnetic field while in use. The detector monitors the emitted electrical field, and an alarm sounds if the field is disrupted.
  • Photoelectric or Photometric System. Detects the change in the level of light within an area.
  • Wave Patterns. Generates a wave pattern that is sent over an area and reflected back to the receiver.
  • Passive Infrared System. Detects changes in heat waves within the area it is configured to protect.
  • Acoustical-Seismic Detection System. It is sensitive to sounds and vibrations. It detects the changes in the noise level of an area it is placed in.

IDS Characteristics

  • Expensive and requires human intervention to respond to the alarms
  • Redundant power supply and emergency backup power are necessary
  • Can be linked to a centralized security system
  • Should have a fail-safe configuration, which means to default to “activated”
  • Should detect, and be resistant to any tampering

Alarms

  • Auxiliary station alarms automatically cause an alarm originating in a data center to be transmitted over the local municipal fire or police alarm circuits for relaying to both the local police/fire station and the appropriate headquarters.
  • Central station alarms are operated by private security organizations.
  • Proprietary alarms are similar to central stations alarms except that monitoring is performed directly on the protected property.
  • Remote station alarm is a direct connection between the signal-initiating device at the protected property and the signal-receiving device located at a remote station, such as the firehouse. A remote system differs from an auxiliary system in that it does not use the municipal fire or police alarm circuits.

Considerations for CCTV Selection

  • Purpose of CCTV. Detect, assess, and/or identify intruders.
  • Type of environment the CCTV camera will work in. Internal or external areas.
  • Field of view that is required. Large or small area that needs to be monitored. If the field of view needs to be changed (wide to narrow), the lens must be changed.
  • Amount of illumination of the environment. Lit areas, unlit areas, areas affected by sunlight.
  • Integration with other security controls. Guards, IDSs, alarm systems.

 

Media Storage Requirements

Data that is no longer needed or used must be destroyed.

Object reuse. The concept of reusing data storage media after its initial use.

Data remanence. It is the problem of residual information remaining on the media after erasure.

Stages of data erasure:

  • Clearing. Overwriting of data media intended to be reused in the same organization or monitored environment.
  • Purging. Degaussing or overwriting media intended to be removed from a monitored environment.
  • Destruction. Completely destroying the media and therefore residual data.

Physical Access Logs

Logs should include:

  • Date and time of access attempt
  • Entry point in which access was attempted
  • User ID used when access was attempted
  • Unsuccessful access attempts, especially if during unauthorized hours

Reviewing the Logs. As with audit logs produced by computers, access logs are useless unless someone actually reviews them. A security guard may be required to review these logs, but a security professional or a facility manager should also review these logs periodically.
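To make the log review above concrete, here is an added example (not part of the original guide) that parses access records carrying the listed fields and surfaces what a reviewer should look at first: attempts outside authorized hours and repeated failures at one entry point. The record layout, the 07:00 to 19:00 authorized window and the repeat threshold are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample records (not real data), one per access attempt:
# date and time, entry point, user ID, result.
SAMPLE_LOG = """\
2009-06-08 08:55:12,LOBBY-1,jsmith,GRANTED
2009-06-08 13:15:03,SERVER-RM,akhan,DENIED
2009-06-08 23:41:17,SERVER-RM,mlee,DENIED
2009-06-08 23:41:49,SERVER-RM,mlee,DENIED
2009-06-08 23:42:30,SERVER-RM,mlee,DENIED
this line is damaged
2009-06-09 02:10:05,LOADING-DOCK,jsmith,GRANTED
2009-06-09 09:00:00,LOBBY-1,akhan,GRANTED
"""

AUTHORIZED_START = time(7, 0)   # assumed site policy
AUTHORIZED_END = time(19, 0)    # assumed site policy
REPEAT_THRESHOLD = 3            # assumed: failures per user, door and day


def parse_log(text):
    """Return (records, unparsed). Unparsed lines are kept, not dropped,
    so the reviewer can see that the log had gaps or damage."""
    records, unparsed = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            ts, entry_point, user_id, result = (f.strip() for f in row)
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        except ValueError:  # wrong field count or bad timestamp
            unparsed.append(",".join(row))
            continue
        records.append({
            "when": when,
            "entry_point": entry_point,
            "user_id": user_id,
            # Any result other than GRANTED is treated as an unsuccessful attempt.
            "granted": result.upper() == "GRANTED",
        })
    return records, unparsed


def review(records):
    """Return (findings, repeated_failures) for a human reviewer."""
    findings = []
    failures = Counter()
    for r in records:
        off_hours = not (AUTHORIZED_START <= r["when"].time() < AUTHORIZED_END)
        if not r["granted"]:
            key = (r["user_id"], r["entry_point"], r["when"].date().isoformat())
            failures[key] += 1
        if off_hours:
            kind = "GRANTED_OFF_HOURS" if r["granted"] else "DENIED_OFF_HOURS"
            findings.append((kind, r["when"].isoformat(sep=" "),
                             r["entry_point"], r["user_id"]))
    repeated = {k: n for k, n in failures.items() if n >= REPEAT_THRESHOLD}
    return findings, repeated


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    found, rep = review(recs)
    for item in found:
        print(*item)
    for (user, door, day), n in rep.items():
        print(f"REPEATED_FAILURES {day} {door} {user} x{n}")
    print(f"{len(bad)} unparsed line(s)")
```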

Last Updated on Friday, 28 August 2009 05:08
 