CISSP

EXAM
CRAM PHYSICAL SECURITY
PRINCIPLES & CONTROLS
 I N T R O D U C T I O N : CISSP EXAM DOMAINS

1. Security and Risk Management 15%

2. Asset Security 10%

3. Security Architecture and Engineering 13%

4. Communication and Network Security 14%

5. Identity and Access Management 13%

6. Security Assessment and Testing 12%

7. Security Operations 13%

8. Software Development Security 10%

D O M A I N 3 : SECURITY ARCHITECTURE & ENGINEERING

3.8 Apply security principles to site and facility design

3.9 Design site and facility security controls
➢ Wiring closets/intermediate ➢ Utilities and Heating, Ventilation,
distribution facilities and Air Conditioning (HVAC)
➢ Server rooms/data centers ➢ Environmental issues
➢ Media storage facilities ➢ Fire prevention, detection, and
suppression
➢ Evidence storage
➢ Restricted and work area ➢ Power (e.g., redundant, backup)
security
functional order of security controls

Deterrence Denial Detection Delay

physical security controls
Physical security controls can be divided into three groups:
Administrative
also known as management controls and include policies and procedures, like site
management, personnel controls, awareness training, and emergency response
and procedures.
Logical
also known as technical controls and are implemented through technology like
access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power
supplies, and fire detection and suppression.
Physical
use physical means to protect objects and includes fencing, lighting, locks,
construction materials, mantraps, dogs, and guards.
physical security requirements
Know the logical controls for physical security
Technical controls for physical security include:
- access controls
- intrusion detection
- alarms
- CCTV and monitoring
- HVAC
- power supplies
- fire detection and suppression
physical security requirements
Know administrative controls for physical security
Administrative controls for physical security include:
- facility construction
- facility selection
- site management
- personnel controls
- awareness training
- emergency response
- emergency procedure
physical security requirements
Know the physical controls for physical security
Physical controls for physical security include:
- fencing
- lighting
- locks
- construction materials
- mantraps
- dogs
- guards
physical security requirements

There is no security without physical security

Without control over the physical environment, no
amount of administrative or technical/logical access
controls can provide adequate security.
If a malicious person can gain physical access to your
facility or equipment, they can do just about anything they
want, from destruction to disclosure and alteration.
FENCES

3-4 feet
deters the casual trespasser Fence is a DETERRENT control
PIDAS is a DETECTIVE control
6-7 feet
too difficult to climb easily
may block vision (providing additional security)

8-feet (topped with barbed wire) EXPENSIVE and may

will deter determined intruders generate false positives

PIDAS (perimeter intrusion detection and assessment system)

will detect someone attempting to climb a fence.
ELECTRICAL IMPACTS
Blackout Surge
prolonged loss of power prolonged high voltage
Brownout Spike
prolonged low voltage temporary high voltage
Fault Sag
short loss of power temporary low voltage
Surge Brownout
prolonged high voltage prolonged low voltage
Spike Fault
temporary high voltage short loss of power
Sag Blackout
temporary low voltage prolonged loss of power

power loss inside the power meter is your responsibility !

lighting

should not illuminate the positions of guards, dogs, patrol

posts, or other similar security elements.
lighting used for perimeter protection should illuminate critical
areas with 2 feet of candle power from a height of 8 feet
light poles should be placed the same distance apart as the
diameter of the illuminated area
20 feet of coverage means poles 20 feet apart
TEMPERATURE AND HUMIDITY

Know ideal levels as well as effects of temperature and humidity

Humidity
40% – 60% ideal

Temperature
for computers ideal is 60-75F (15-23C), damage at 175F.
Managed storage devices damaged at 100F
humidity and static electricity

“
Too much humidity can cause corrosion. Too
little humidity causes static electricity. Even on
nonstatic carpet, low humidity can generate
20,000-volt static discharge!
 fire and suppression agents
Class A (ASH) fires are common combustibles such as wood, paper, etc. This
type of fire is the most common and should be extinguished with water or soda acid.

Class B (BOIL) – fires are burning alcohol, oil, and other petroleum products
such as gasoline. They are extinguished with gas or soda acid. You should never use
water to extinguish a class B fire.

Class C (CONDUCTIVE) – fires are electrical fires which are fed by electricity
and may occur in equipment or wiring. Electrical fires are conductive fires, and the
extinguishing agent must be non-conductive, such as any type of gas.

Class D (DILYTHIUM) – fires are burning metals and are extinguished with dry
powder.

Class K (KITCHEN) – fires are kitchen fires, such as burning oil or grease. Wet
chemicals are used to extinguish class K fires.

The three categories of fire detection systems include smoke sensing, flame sensing, and heat sensing.
fire extinguisher classes
Fire extinguishers and suppression agents

Class Type Suppression material

Common Water, soda acid (a dry

A
combustibles powder or liquid chemical)
B Liquids CO2, halon, soda acid
C Electrical CO2, halon
D Metal Dry powder
K Kitchen Wet chemicals
fire extinguisher classes
Fire extinguishers and suppression agents

Class Type Suppression material

Common Water, soda acid (a dry

use water A
combustibles powder or liquid chemical)
B Liquids CO2, halon, soda acid
don’t use C Electrical CO2, halon
water ! D Metal Dry powder
K Kitchen Wet chemicals
damage from fire and fire supression
The destructive elements of a fire include smoke and heat but
also the suppression medium, such as water or soda acid.
Smoke is damaging to most storage devices.
Heat can damage any electronic or computer component.
Suppression mediums can cause short circuits, initiate
corrosion, or otherwise render equipment useless.

All of these issues must be addressed when designing a fire

response system. #1 concern is ALWAYS human safety!
water suppression systems
good for areas with people + computers
Preaction systems use closed sprinkler heads, and the pipe is charged with
compressed air instead of water. The water is held in check by an electrically-
operated sprinkler valve and the compressed air.

Wet pipe systems are filled with water. Dry pipe systems contain compressed
air until fire suppression systems are triggered, and then the pipe is filled with water;
and flame activated sprinklers trigger when a predefined temperature is reached.

Dry pipe systems also have closed sprinkler heads: the difference is the pipes
are filled with compressed air. The water is held back by a valve that remains
closed as long as sufficient air pressure remains in the pipes. Often used in areas
where water may freeze, such as parking garages.

Deluge systems are similar to dry pipes, except the sprinkler heads are open
and larger than dry pipe heads. The pipes are empty at normal air pressure; the
water is held back by a deluge valve.
water and electricity do not mix!
gas discharge systems
Usually more effective than water discharge systems, but
should not be used in environments where people are located,
because they work by removing oxygen from the air.

Halon is effective, but bad for environment (ozone-depleting),

turns to toxic gas at 900F. Suitable replacements include:
• FM-200 (HFC-227ea) • Argon (IG55) or Argonite (IG01)
• CEA-410 or CEA-308 • Inergen (IG541)
• NAF-S-III (HCFC Blend A) • Aero-K
• FE-13 (HCFC-23)
voltage and noise
Electromagnetic interference
• Common mode noise. Generated by the
difference in power between the hot and Static
Possible Damage
ground wires of a power source operating Voltage
electrical equipment 40 Destruction of sensitive circuits
and other components
• Traverse mode noise. Generated by a
difference in power in the hot and neutral wires 1,000 Scrambling of monitor displays
of a power source operating electrical 1,500 Destruction of hard drive data
equipment 2,000 Abrupt system shutdown

Radio frequency interference (RFI) 4,000 Printer jam or component

damage
is the source of interference that is generated by Permanent circuit damage
17,000
electrical appliances, light sources, electrical cables
and circuits, and so on.
lock types
Electronic Combination Locks
(aka Cipher lock) Something you know

Key Card Systems

Something you have
Pin-tumbler locks are the
Biometric Systems world's most popular lock
Something you are
bumping requires no skill
Conventional Locks
Easily picked / bumped & keys easily duplicated

Pick-and-Bump Resistant Locks

Expensive, harder to pick & keys not easily duplicated.
site design design elements that affect physical security

Site Selection
Should be based on the security needs of the organization.
Security requirements take precedence over cost and location.

Location what types of natural disasters occur here?

Proximity to other buildings and businesses?
What kind of traffic do they draw?
Is it on a hill or in a valley? Is there sufficient drainage?
Visibility be wary of elements that obscure visibility
What is the surrounding terrain?
Easy to approach by vehicle or on foot without being seen?
facility design specifications

Remember what types of locks can be

picked or bumped
Remember how high lights and fences
need to be
Know the different physical controls
related to entry
mantrap
facility design specifications

Remember what types of locks can be

picked or bumped
Remember how high lights and fences
need to be
Know the different physical controls
bollard related to entry
secure work area design and configuration
Know how to design and configure secure work areas.

There should not be equal access to all locations within a

facility. Areas with high-value assets require restricted access.
Valuable and confidential assets should be located in the
heart or center of protection provided by a facility.
Centralized server or computer rooms need not be human
compatible.
threats to physical access controls
No matter which physical access control is used, a security
guard or other monitoring system must be deployed to prevent:

Abuses of physical access control include propping open

secured doors and bypassing locks or access controls.
Masquerading is using someone else’s security ID to gain
entry to a facility.
Piggybacking is following someone through a secured
gate or doorway without being identified or authorized
personally.
securing a wiring closet
Know the security concerns of a wiring closet

This is where the networking cables for a floor or even a whole

building are connected to essential equipment, such as patch
panels, switches, routers, and backbone channels.
Most security focuses on preventing physical unauthorized
access. If an unauthorized intruder gains access, they may
steal equipment, pull/cut cables, or plant a listening device.
physical security requirements
Understand how to handle visitors in a secure facility.

If a facility employs restricted areas to control physical

security, then a mechanism to handle visitors is required.
Often an escort is assigned to visitors, and their access
and activities are monitored closely.
Tracking actions of outsiders when they are granted
access to prevent malicious activity against the most
protected assets.
physical security requirements
Understand the needs for media storage
Media storage facilities should be designed to securely store
blank, reusable, and installation media.
Concerns include, theft, corruption, data remnant recovery
Media storage facility protections include
- locked cabinets or safes
- using a librarian/custodian
- implementing a check-in/check-out process
- using media sanitization
evidence storage
Understand the concerns for evidence storage
Used to retain logs, drive images, virtual machine snapshots,
and other datasets for recovery, internal investigations, and
forensic investigations.
Protections for evidence storage include:
- locked cabinets or safes
- dedicated/isolated storage facilities
- offline storage
- access restrictions and activity tracking
- hash management and encryption
Audit trails and access logs
Audit trails and access logs are useful tools for managing
for physical access control.
Creation May need to be created manually by security guards or
may generated automatically with the right equipment (smartcards
and certain proximity readers).
Monitoring You should also consider monitoring entry points with
CCTV. Through CCTV, you can compare the audit trails and access
logs with a visually recorded history of the events.

Why are these important? Such information is critical to

reconstructing the events of an intrusion, breach, or attack.
the need for clean power
Power supplied by electric companies is not always
consistent and clean.
Most electronic equipment requires clean power in order to
function properly and avoid damage.

A UPS is a type of self-charging battery that can be used to

- supply consistent, clean power to sensitive equipment.
- supply power for minutes or hours (depending on it’s size)
in the event of power failure
INSIDE AZURE
M A N A G E M E N T

THANKS
F O R W A T C H I N G!