ITNS and CERIAS

CISSP Luncheon Series:

Physical (Environmental)
Security

Presented by Scott L. Ksander

Physical Security
From (ISC)2 Candidate Information
Bulletin:

The Physical (Environmental) Security

domain addresses the threats,
vulnerabilities, and countermeasures that
can be utilized to physically protect an
enterprises resources and sensitive
information. These resources include
people, the facility in which they work, and
the data, equipment, support systems,
media, and supplies they utilize.

Physical Security
From (ISC)2 Candidate Information
Bulletin:

The candidate will be expected to know the

elements involved in choosing a secure site,
its design and configuration, and the
methods for securing the facility against
unauthorized access, theft of equipment
and information, and the environmental and
safety measures needed to protect people,
the facility, and its resources.

Introduction

Threats to physical security include:

Interruption of services
Theft
Physical damage
Unauthorized disclosure
Loss of system integrity

Introduction
Threats fall into many categories:
Natural environmental threats (e.g., floods,
fire)
Supply system threats (e.g., power outages,
communication interruptions)
Manmade threats (e.g., explosions,
disgruntled employees, fraud)
Politically motivated threats (e.g., strikes,
riots, civil disobedience)

Introduction
Primary consideration in physical
security is that nothing should impede
life safety goals.

Ex.: Dont lock the only fire exit door from

the outside.

Safety: Deals with the protection of

life and assets against fire, natural
disasters, and devastating accidents.
Security: Addresses vandalism, theft,
and attacks by individuals.
6

Physical Security Planning

Physical security, like general
information security, should be based
on a layered defense model.
Layers are implemented at the
perimeter and moving toward an asset.
Layers include: Deterrence, Delaying,
Detection, Assessment, Response

Physical Security Planning

A physical security program must address:
Crime and disruption protection through
deterrence (fences, security guards, warning signs,
etc.).
Reduction of damages through the use of delaying
mechanisms (e.g., locks, security personnel, etc.).
Crime or disruption detection (e.g., smoke
detectors, motion detectors, CCTV, etc.).
Incident assessment through response to incidents
and determination of damage levels.
Response procedures (fire suppression
mechanisms, emergency response processes, etc.).

Physical Security Planning

Crime Prevention Through

Environmental Design (CPTED)
Is a discipline that outlines how the
proper design of a physical
environment can reduce crime by
directly affecting human behavior.
Concepts developed in 1960s.
Think: Social Engineering
9

Physical Security Planning

CPTED has three main strategies:

Natural Access Control
Natural Surveillance
Territorial Reinforcement

10

Physical Security Planning

Natural Access Control

The guidance of people entering and
leaving a space by the placement of
doors, fences, lighting, and
landscaping
Be familiar with: bollards, use of
security zones, access barriers, use of
natural access controls

11

Physical Security Planning

Natural Surveillance
Is the use and placement of physical
environmental features, personnel
walkways, and activity areas in ways that
maximize visibility.
The goal is to make criminals feel
uncomfortable and make all other people
feel safe and comfortable, through the use
of observation.

12

Physical Security Planning

Territorial Reinforcement
Creates physical designs that
highlight the companys area of
influence to give legitimate owners a
sense of ownership.
Accomplished through the use of
walls, lighting, landscaping, etc.

13

Physical Security Planning

CPTED is not the same as target

hardening
Target hardening focuses on
denying access through physical
and artificial barriers (can lead to
restrictions on use, enjoyment, and
aesthetics of the environment).

14

Physical Security Planning

Issues with selecting a facility site:

Visibility (terrain, neighbors, population of

area, building markings)
Surrounding area and external factors
(crime rate, riots, terrorism, first responder
locations)
Accessibility (road access, traffic, proximity
to transportation services)
Natural Disasters (floods, tornados,
earthquakes)

15

Physical Security Planning

Other facility considerations:

Physical construction materials and
structure composition
Be familiar with: load, light frame
construction material, heavy timber
construction material, incombustible
material, dire resistant material
(know the fire ratings and
construction properties).
16

Physical Security Planning

Mantrap: A small room with two doors. The
first door is locked; a person is identified and
authenticated. Once the person is
authenticated and access is authorized, the
first door opens and allows the person into
the mantrap. The person has to be
authenticated again in order to open the
second door and access a critical area. The
mantrap area could have a weight sensing
floor as an additional control to prevent literal
piggybacking.

17

Physical Security Planning

Automatic door lock configuration:

Fail safe: If a power disruption
occurs, the door defaults to being
unlocked.
Fail secure: If a power disruption
occurs, the door defaults to being
locked.
18

Physical Security Planning

Windows can also be used to promote
physical security.
Know the different types of glass:

Standard
Tempered
Acrylic
Wired
Laminated
Solar Window Film
Security Film

19

Physical Security Planning

Consider use of internal partitions

carefully:
True floor to true ceiling to counter
security issues
Should never be used in areas that
house sensitive systems and devices

20

Internal Support Systems

Power issues:
A continuous supply of electricity assures
the availability of company resources.
Data centers should be on a different power
supply from the rest of the building
Redundant power supplies: two or more
feeds coming from two or more electrical
substations

21

Internal Support Systems

Power protection:
UPS Systems
Online UPS systems
Standby UPS System

Power line conditioners

Backup Sources

22

Internal Support Systems

Other power terms to know:

Ground
Noise
Transient Noise
Inrush Current
Clean Power
EMI
RFI

23

Internal Support Systems

Types of Voltage Fluctuations
Power Excess
Spike
Surge

Power Loss
Fault
Blackout

Power Degradation
Sag/dip
Brownout
Inrush Current

24

Internal Support Systems

Environmental Issues
Positive Drains
Static Electricity
Temperature

25

Internal Support Systems

Environmental Issues: Positive

Drains
Contents flow out instead of in
Important for water, steam, gas lines

26

Internal Support Systems

Environmental Issues: Static Electricity
To prevent:
Use antistatic flooring in data processing
areas
Ensure proper humidity
Proper grounding
No carpeting in data centers
Antistatic bands

27

Internal Support Systems

Environmental Issues:
Temperature

Computing components can be

affected by temperature:
Magnetic Storage devices: 100 Deg.
F.
Computer systems and peripherals:
175 Deg. F.
Paper products: 350 Deg. F.
28

Internal Support Systems

Ventilation
Airborne materials and particle
concentration must be monitored for
inappropriate levels.
Closed Loop
Positive Pressurization

29

Internal Support Systems

Fire prevention, detection, suppression
Fire Prevention: Includes training employees
on how to react, supplying the right
equipment, enabling fire suppression supply,
proper storage of combustible elements
Fire Detection: Includes alarms, manual
detection pull boxes, automatic detection
response systems with sensors, etc.
Fire Suppression: Is the use of a
suppression agent to put out a fire.
30

Internal Support Systems

American Society for Testing and

Materials (ASTM) is the organization
that creates the standards that
dictate how fire resistant ratings
tests should be carried out and how
to properly interpret results.

31

Internal Support Systems

Fire needs oxygen and fuel to continue to

grow.

Ignition sources can include the failure of an

electrical device, improper storage of
materials, malfunctioning heating devices,
arson, etc.

Special note on plenum areas: The space

above drop down ceilings, wall cavities, and
under raised floors. Plenum areas should
have fire detectors and should only use
plenum area rated cabling.
32

Internal Support Systems

Types of Fire:

A: Common Combustibles

Elements: Wood products, paper, laminates

Suppression: Water, foam

B: Liquid

Elements: Petroleum products and coolants

Suppression: Gas, CO2, foam, dry powders

C: Electrical

Elements: Electrical equipment and wires

Suppression: Gas, CO2, dry powders

D: Combustible Metals

Elements: magnesium, sodium, potassium

Suppression: Dry powder

K: Commercial Kitchens

Elements: Cooking oil fires

Suppression: Wet chemicals such as potassium acetate.
33

Internal Support Systems

Types of Fire Detectors

Smoke Activated
Heat Activated
Know the types and properties of each
general category.

34

Internal Support Systems

Different types of suppression agents:

Water
Halon and halon substitutes
Foams
Dry Powders
CO2
Soda Acid

Know suppression agent properties and the types

of fires that each suppression agent combats
Know the types of fire extinguishers (A,B,C, D) that
combat different types of fires
35

Internal Support Systems

Types of Sprinklers
Wet Pipe Systems (aka Closed Head
System)
Dry Pipe Systems
Preaction Systems
Deluge Systems

36

Perimeter Security

The first line of defense is

perimeter control at the site
location, to prevent unauthorized
access to the facility.
Perimeter security has two modes:
Normal facility operation
Facility closed operation

37

Perimeter Security

Proximity protection components

put in place to provide the following
services:
Control of pedestrian and vehicle
traffic
Various levels of protection for
different security zones
Buffers and delaying mechanisms to
protect against forced entry
Limit and control entry points
38

Perimeter Security
Protection services can be provided by:

Access Control Mechanisms

Physical Barriers
Intrusion Detection
Assessment
Response
Deterrents

39

Perimeter Security
Fences are first line of defence
mechanisms. (Small Joke!)
Varying heights, gauge, and mesh
provides security features (know them).
Barbed wire direction makes a
difference.

40

Perimeter Security

Perimeter Intrusion Detection and

Assessment System (PIDAS):
A type of fencing that has sensors on
the wire mesh and base of the fence.
A passive cable vibration sensor sets
off an alarm if an intrusion is
detected.

41

Perimeter Security
Gates have 4 distinct types:

Class I: Residential usage

Class II: Commercial usage, where general
public access is expected (e.g., public parking
lot, gated community, self storage facility)
Class III: Industrial usage, where limited access
is expected (e.g., warehouse property entrance
not intended to serve public)
Class IV: Restricted access (e.g., a prison
entrance that is monitored either in person or via
CCTV)

42

Perimeter Security

Locks are inexpensive access

control mechanisms that are widely
accepted and used.
Locks are considered delaying
devices.
Know your locks!

43

Perimeter Security
Types of Locks

Mechanical Locks

Warded & Tumbler

Combination Locks
Cipher Locks (aka programmable locks)
Smart locks

Device Locks

Cable locks, switch controls, slot locks, port

controls, peripheral switch controls, cable
traps

44

Perimeter Security
Lock Strengths:
Grade 1 (commercial and industrial use)
Grade 2 (heavy duty residential/light duty
commercial)
Grade 3 (residential and consumer expendable)

Cylinder Categories
Low Security (no pick or drill resistance)
Medium Security (some pick resistance)
High Security (pick resistance through many
different mechanismsused only in Grade 1 & 2
locks)

45

Perimeter Security
Lighting
Know lighting terms and types of lighting to
use in different situations (inside v. outside,
security posts, access doors, zones of
illumination)
It is important to have the correct lighting
when using various types of surveillance
equipment.
Lighting controls and switches should be in
protected, locked, and centralized areas.
46

Perimeter Security
Continuous lighting: An array of lights that provide an even
amount of illumination across an area.
Controlled lighting: An organization should erect lights and
use illumination in such a way that does not blind its neighbors
or any passing cars, trains, or planes.
Standby Lighting: Lighting that can be configured to turn on
and off at different times so that potential intruders think that
different areas of the facility are populated.
Redundant or backup lighting: Should be available in case
of power failures or emergencies.
Response Area Illumination: Takes place when an IDS detects
suspicious activities and turns on the lights within the specified
area.

47

Perimeter Security

Surveillance Devices
These devices usually work in
conjunction with guards or other
monitoring mechanisms to extend
their capacity.
Know the factors in choosing CCTV,
focal length, lens types (fixed v.
zoom), iris, depth of field, illumination
requirements
48

Perimeter Security
Focal length: The focal length of a
lens defines its effectiveness in viewing
objects from a horizontal and vertical
view.
The sizes of images that will be shown
on a monitor along with the area that
can be covered by one camera are
defined by focal length.
Short focal length = wider angle views
Long focal length = narrower views

49

Perimeter Security
Depth of field: Refers to the portion of
the environment that is in focus
Shallow depth of focus: Provides a
softer backdrop and leads viewers to
the foreground object
Greater depth of focus: Not much
distinction between objects in the
foreground and background.
50

Perimeter Security

Intrusion Detection systems are

used to detect unauthorized entries
and to alert a responsible entity to
respond.
Know the different types of IDS
systems (electro-mechanical v.
volumetric) and changes that can
be detected by an IDS system.
51

Perimeter Security

Patrol Force and Guards

Use in areas where critical reasoning
skills are required

Auditing Physical Access

Need to log and review:

Date & time of access attempt

Entry point
User ID
Unsuccessful access attempts
52

Physical Security

Final Concept to Guide in Assessing

Physical Security Issues on Exam:

Deterrence
Delay
Detection
Assessment
Response

53

Physical Security

Resources
All in One Book (Shon Harris, 2005)
Official (ISC) Guide to the CISSP CBK
((ISC), 2006)

54