Physical Security

CHAPTER 5
Agenda

 Facility Considerations
 Perimeter Security
 Internal Security
 Intrusion Detection
 HVAC/Power Concerns
 Fire Safety
Facility Considerations

 Site and Facility Design

 Vulnerability Assessment
 Site Planning
 CPTED (Crime Prevention Through
Environmental Design)
 Location Threats
 Utility Issues
Facility Considerations:
Site and Facility Design

 Ensuring that the building is designed in such a way as to:

 Promote the safe use of the facility (first and foremost)
 Harden the physical structure so as to provide greater security
 Considerations:
 Access zones
 Entry Controls
 Vehicular access
 Standoff Distance (Distance required to preventi unscreened vehicles from
approaching within a certain distance of a building)
 Signage
 Parking
 Loading Docks/Service Access
 Lighting
 Sight Utilities
Facility Considerations:
Risk analysis

 Risk Analysis
 The American Institute of Architects have established
these essential questions in relation to security:
 What do we want to protect?
 What are we protecting against?
 What are our vulnerabilities?
 What are consequences of loss?
 What level of protection is necessary?
 What controls are appropriate?
 What are our constraints?
 What are the specific security design requirements?
Facility Considerations:
Site Planning

 Most important goal is to protect life, property and

operations
 Often convenience, aesthetics are at cross-
purposes with security.
 Holistic approach considers both function and
security
 Layered Defense (Defense in Depth)
 Outer Perimeter
 Building Grounds and Construction
 Ingress/Egress
 Interior
 Facility Considerations:
Target Hardening

 The Four D’s

 Deter
 Delay
 Detect
 Deny
Facility Considerations:
CPTED

 CPTED (Crime Prevention Through

Environmental Design
 Provides instruction on direction of the use
of:
 Organizational (People)
 Mechanical (Technology, hardware)
 Natural Design (landscaping, natural
environment)
Facility Considerations:
CPTED
 Improve Surveillance:
 Improve visibility and eliminate concealment opportunities
 Access Control:
 Actively control traffic, direct visitors, limit access
 Territoriality:
 Providing the impression of a well-tended building provides a
deterrent
 Activity Support:
 Ensure all areas of the facility are occupied at least
occasionally. Use activities like meetings, luncheons to
populate these area
Facility Considerations:
Physical Threats
 Natural
 Fire—proper fire detection and suppression equipment must be in place
 Floods: Buildings should have positive flow where water runs out of the building
 Hurricanes: Backup power supplies are often essential. Other issues such as flooding,
tornadoes, etc can be results
 Tornadoes: Quality of building materials, the presence of a basement or other “safe
place” can mitigate the risks
 Earthquakes: As with all above disasters, Emergency Planning can help in assuring
employees know what to do in the event of a disaster
 Man-made
 Theft
 Vandalism
 Fire
 Terrorist Attack
 Technical
 Failure of HVAC system
Facility Considerations:
Utilities
 Should be designed to ensure necessary power for normal, daily
operational functionality
 If possible, utilities should be concealed, underground, protected
 Minimize signs identifying critical utilities and use fencing to prevent
unauthorized access
 Locate storage tanks for oil, propane and similar substances downhill
from building and at least 100 feet away.
 Utility systems should be at least 50 feet from entrance areas, loading
docks and other high traffic areas
 Protect Drinking water supplies from waterborne contaminants by
securing access points
 Perimeter Security:
Fences
Fencing
 Controls entrance access
 Can be costly and unsightly
 Heights provide degrees of protection
 3-4 feet – deters casual trespassers
 5-7 feet – too high to climb easily (preventive)
 8 feet with 3 strands of barbed wire – (preventive) Will discourage all
but the most determined intruder
 Critical areas should have
 at least 8-foot fences
 Posts should be buried in the ground and secured with cement, 6 feet apart
 Barbed wire directed out from the fence at a 45 degree angle or in a “V”
 The most critical areas should be protected with two sets of fencing and rolls of
concertina wire (razor wire)
 Perimeter Security:
Fences

PIDAS Fencing
 Perimeter Intrusion Detection and Assessment
System
 Detects if someone tries to climb a fence or
damage the fence
 Mesh-wire fence with a passive cable vibration
sensor that sets off an alarm if detected
Can have barbed wire or spikes on top
 Can be Detective as well as preventive
Perimeter Security:
Walls

 Pros
 Hard to scale
 Hard to bypass
 Cons
 More expensive
 Obstruct line of site
 7 feet high with 3-4 strands of barbed wire
 A common alternative to barbed wire is concertina
wire or broken glass in the mortar
Perimeter Security:
Gates

 Gates should provide the same degree of

security as fences/walls
 UL 325 provides the following specifications for
gates:
 Class I: Ornamental/Residential
 Class II: Commercial usage where general public
access is expected: Gated community, self-storage
facility
 Class III: Industrial Usage where limited access is
expected. Example: A Warehouse
 Class IV: Restricted access: Prisons, military
 Perimeter Security:
CCTV

 Detective Control
 Used to correlate facts after a security event
 Short lens offers wider angle view
 Long lens offers close up of an asset
 PTZ (pan, tilt, zoom)
 Automatic Iris (detects and adjusts to
changes in light)
Doors
 Hinges should be protected
 Hinges internal to the door provide protection for the hinges while still allowing
door to open outwardly
 Panic bar allows for quick evacuation
 Kick plate provides cosmetic protection for door
 Strike plate—T-shaped component of lock which provides reinforcement
 In the event of power failure, electronic doors can:
 Fail secure: Fails locked. No evacuation. Only in facilities where value of what
is being protected exceeds human life
 Fail Soft: Opens outward, but door is locked to bar return
 Fail Safe: Door fails open (easiest to evacuate)
 On the CISSP exam never choose fail secure . Fail soft/safe is the best choice
Doors/Windows/Walls

 Secure windows made of polycarbonate (Lexan)

 Windows should be positioned to reduce likelihood of
shoulder surfing
 Walls should provide a 2 hour burn rating (as should doors)
 Walls should go to the true ceiling instead of drop ceiling
HVAC Controls

 Positive Airflow (Contaminants/smoke should

flow out, not in)
 Temperature should be around 70 degrees for
server room
 Humidity should be around 50%
 Too high causes condensation/rust
 Too low causes ESD (Electro static discharge aka
static electricity
Location of Datacenter

 Not in basement because of floods

 Not on first floor because of traffic
 Not on top floor because of fire
 Ideally on 2nd or 3rd floor
 Should be located in center of the building to
avoid data emanation
Security Guards

 Offer Deterrence primarily

 Human element/judgement
 Best defense against piggy-backing
 Most expensive
 Liability
Security Dogs

 Deterrence
 Sense of smell
 Can cover great distance
 Work in the event of power failure
 Can present a liability
Burglar Alarms/Intrusion Detection

 Electro-mechanical
 Most common
 Rely on a connection being broken
 magnet on door and frame. Alarm sounds if the
connection is broken
 Weight based systems based on the same concept
 Volumetric
 More expensive (used for higher value assets
 Photo-electric: Changes in light—no windows
 Acoustic systems: detect certain frequencies of sounds
Power

 Good, clean power is the goal

 EMI (electromagnetic interference) can be
caused by improper grounding
 RFI (radio frequency interference) fluorescent
lighting
 UPS helps provide constant source of power
and most UPS today provide line filtering
Problems with Power

 Power Excess
 Spike: Momentary high voltage
 Surge: Prolonged high voltage
 Power Degradation
 Sag: Momentary degradation
 Brownout: Prolonged degradation
 Power Loss
 Fault: Temporary outage
 Blackout: Prolonged outage
Fire Safety

 Prevention is best!
 Protect flammables
 Limit use/placement of space heaters
 Electrical safety, for instance don’t daisy chain
extension cords
 Class C fire extinguishers should be properly labeled
and within 50 feet of electronic equipment. They
should be tested quarterly
 Halon-based systems were outlawed in the 90s
because of their effect on the ozone layer.
Sprinkler Systems
Sprinkler Systems Continued
Remember…

 Senior management is responsible for the

physical safety of their employee
 Focus on prevention, not correction
 Human life should always supersede other
assets
 Physical security is the first line of defense in
protecting a company’s assets