Lecture 4: Physical Security: Succeed We Must

Faculty of Computing and Informatics
Succeed We Must
Lecture 4: Physical Security
 Physical Security Concern
Computer Security Research Group
 Introduction
 Physical Security Controls
 Controls for protecting the secure facility
 Maintenance of Facility Systems
 Interception of Data
 Mobile and Portable Systems
 Remote Computing Security
 Special Considerations for Physical
Security Threats
 Inventory Management
 Practical Exercise
07/12/22 Fred Kaggwa 1
Is Physical Security An IT Concern?
Succeed We Must
 You have been working hard to secure your network

from cyber attacks
 But what if an attacker gains access to the server

room or network wiring closet or your room ...
 Is your network, computer etc still safe?
 Attackers could use ‘side-channel attack’ to

facilitate cyber-attack:
 Use keyboard sound to know key strokes
 Use computer screen light change to detect

information
 Attach USB key to spy/record
 Good to read about these three

Succeed We Must
Introduction
 Physical security addresses design,
implementation, and maintenance of

countermeasures that protect physical
resources of an organization.
 Most controls can be circumvented if
attacker gains physical access
 Physical security is as important as logical
security

Succeed We Must
Introduction cont’d
Seven major sources of physical Loss
•Extreme temperature: heat, cold

•Gases: war gases, commercial vapors, humid or dry air,
suspended particles
•Liquids: water, chemicals
•Living organisms: viruses, bacteria, people, animals, insects
•Projectiles: tangible objects in motion, powered objects
•Movement: collapse, shearing, shaking, vibration, liquefaction,
flows waves, separation, slide

•Energy anomalies: electrical surge or failure, magnetism, static
electricity, aging circuitry; radiation: sound, light, radio,

microwave, electromagnetic, atomic. Donn B. Parker: author

Succeed We Must
Introduction cont’d
 Community roles
 General management: responsible for

facility security
 IT management and professionals:
responsible for environmental and access
security
 Information security management and
professionals: perform risk assessments
and implementation reviews
Succeed We Must
Physical Security Controls
 Secure facility: physical location
engineered with controls designed to

minimize risk of attacks from physical
threats
 Secure facility can take advantage of

natural terrain, traffic flow, and degree of
urban development; can complement these
with protection mechanisms (fences, gates,
walls, guards, alarms)
Controls for protecting the secure facility
Succeed We Must
 Walls, fencing, and gates
 Guards
 Dogs
 ID Cards and badges
 Locks and keys
 Mantraps
 Electronic monitoring
 Alarms and alarm systems
 Computer rooms and wiring closets
 Interior walls and doors

ID Cards and Badges
Succeed We Must
 Ties physical security with information access

control
 ID card is typically concealed
 Name badge is visible
 Serve as simple form of biometrics (facial

recognition)
 Should not be only means of control as cards
can be easily duplicated, stolen, and modified
 Tailgating occurs when unauthorized individual
follows authorized user through the control

Locks and Keys
Succeed We Must
 Two types of locks: mechanical and

electromechanical
 Locks can also be divided into four categories:
manual, programmable, electronic, biometric
 Locks fail and alternative procedures for controlling
access must be put in place
 Locks fail in one of two ways
 Fail-safe lock-lock fails, door becomes unlocked
 Fail-secure lock-lock fails, door remains locked
 More on locks and keys (next 5 slides)
Compromising Locks
Succeed We Must
 For centuries, the lock has been one of the

cornerstones of physical security

 We rely on dozens of them every day to protect
people and assets

 The trust most people place in locks is
unwarranted
 Most locks can be easily compromised with
nondestructive methods
 Sometimes within seconds and with readily
available tools
 “Locks keep honest people honest”
1860: Yale Pin Tumbler Lock
Succeed We Must
• Modern version of
the Egyptian single-

pin design
• Utilizes two pins for
Public domain image of Linus Yale, Jr.
locking
• Modern version of
the Egyptian single-
pin design
• Utilizes two pins for
locking

How Does a Pin Tumbler Lock Work?
Succeed We Must
1. When a key is not present, the

pin stacks are pushed down by
the springs so that the driver

(top) pins span the plug and
the outer casing, preventing
the plug from rotating.
2. When the correct key is
inserted, the ridges of the key
push up the pin stacks so that
the cuts of the pin stacks are
aligned with the shear line.
3. The alignment of the cuts with
the shear line allows the plug
to be rotated.
Images from http://en.wikipedia.org/wiki/File:Pin_tumbler_with_key.svg used with permission under Gnu Free Documentation License 1.2

How Does a Pin Tumbler Lock Work?
Succeed We Must
 If an inappropriate
key is inserted, then
the pins do not align
along the shear line
and the lock does
not turn.
Image from http://en.wikipedia.org/wiki/File:Pin_tumbler_with_key.svg used with permission under Gnu Free Documentation License 1.2

Succeed We Must
Tubular lock
 Usually on car alarms or
vending machines
 6-8 pins
 Easy to pick with special tool
 The tool could become a new
key
Images from http://en.wikipedia.org/wiki/File:Tubular_locked.png used with permission under Gnu Free Documentation License 1.2

Succeed We Must
Mantraps
 Small enclosure that has entry point and different
exit point
 Individual enters mantrap, requests access, and if

verified, is allowed to exit mantrap into facility
 Individual denied entry is not allowed to exit until

security official overrides automatic locks of the
enclosure

Succeed We Must
Mantraps

Succeed We Must
Electronic Monitoring
 Records events where other types of physical
controls are impractical or incomplete

 May use cameras with video recorders; includes
closed-circuit television (CCT) systems
 Drawbacks
 Reactive; do not prevent access or prohibited
activity
 Recordings often not monitored in real time;
must be reviewed to have any value

Succeed We Must
Alarms and Alarm Systems
 Alarm systems notify when an event occurs
 Detect fire, intrusion, environmental

disturbance, or an interruption in services
 Rely on sensors that detect event; e.g.,
motion detectors, smoke detectors, thermal
detectors, glass breakage detectors, weight
sensors, contact sensors, vibration sensors

Succeed We Must
Computer Rooms and Wiring Closets
 Require special attention to ensure
confidentiality, integrity, and availability of

information
 Logical controls easily defeated if attacker
gains physical access to computing equipment
 Custodial staff often the least scrutinized
persons who have access to offices; are given
greatest degree of unsupervised access

Succeed We Must
Interior Walls and Doors
 Information asset security sometimes compromised
by construction of facility walls and doors

 Facility walls typically either standard interior or
firewall
 High-security areas must have firewall-grade walls to
provide physical security from potential intruders and
improve resistance to fires
 Doors allowing access to high security rooms should
be evaluated
 Recommended that push or crash bars be installed
on computer rooms and closets

Succeed We Must
Fire Security and Safety
 Most serious threat to safety of people who
work in an organization is possibility of fire
 Fires account for more property damage,

personal injury, and death than any other
threat
 Imperative that physical security plans
examine and implement strong measures to
detect and respond to fires

Succeed We Must
Fire Detection and Response
 Fire suppression systems: devices installed
and maintained to detect and respond to a

fire
 Deny an environment of heat, fuel, or oxygen
 Water and water mist systems
 Carbon dioxide systems
 Soda acid systems
 Gas-based systems
Succeed We Must
Fire Detection
 Fire detection systems fall into two general
categories: manual and automatic
 Part of a complete fire safety program includes

individuals that monitor chaos of fire evacuation to
prevent an attacker accessing offices
 There are three basic types of fire detection

systems: thermal detection, smoke detection, flame
detection

Succeed We Must
Fire Suppression
 Systems consist of portable, manual, or
automatic apparatus
 Portable extinguishers are rated by the type

of fire: Class A, Class B, Class C, Class D
 Installed systems apply suppressive

agents; usually either sprinkler or gaseous
systems

Gaseous Emission Systems
Succeed We Must
 Until recently, two types of systems: carbon

dioxide and Halon

 Carbon dioxide robs a fire of oxygen supply
 Halon is clean but has been classified as
ozone-depleting substance; new installations
are prohibited
 Alternative clean agents include FM-200,
Inergen, carbon dioxide, FE-13
(trifluromethane)

Failure Of Supporting Utilities and Structural Collapse
Succeed We Must
 Supporting utilities (heating, ventilation and

air conditioning; power; water; and others)

have significant impact on continued safe
operation of a facility
 Each utility must be properly managed to

prevent potential damage to information
and information systems

Heating, Ventilation, and Air
Succeed We Must
Conditioning
 Areas within heating, ventilation, and air
conditioning (HVAC) system that can cause

damage to information systems include:
 Temperature
 Filtration
 Humidity
 Static electricity

Succeed We Must
Ventilation Shafts
 While ductwork is small in residential
buildings, in large commercial buildings it

can be large enough for individual to climb
though
 If vents are large, security can install wire

mesh grids at various points to
compartmentalize the runs

Power Management and Conditioning
Succeed We Must
 Electrical quantity (voltage level; amperage rating)

is a concern, as is quality of power (cleanliness;

proper installation)
 Noise that interferes with the normal 60 Hertz cycle
can result in inaccurate time clocks or unreliable
internal clocks inside CPU
 Grounding ensures that returning flow of current is
properly discharged to ground
 Overloading a circuit causes problems with circuit
tripping and can overload electrical cable,
increasing risk of fire

Uninterruptible Power Supply (UPS)
Succeed We Must
 In case of power outage, UPS is backup

power source for major computer systems

 Four basic UPS configurations
 Standby
 Ferroresonant standby
 Line-interactive
 True online (double conversion online)

Succeed We Must
Emergency Shutoff
 Important aspect of power management is
the need to be able to stop power

immediately should current represent a risk
to human or machine safety
 Most computer rooms and wiring closets

equipped with an emergency power shutoff

Succeed We Must
Water Problems
 Lack of water poses problem to systems, including
functionality of fire suppression systems and ability

of water chillers to provide air-conditioning
 Surplus of water, or water pressure, poses a real
threat (flooding; leaks)
 Very important to integrate water detection
systems into alarm systems that regulate overall
facilities operations

Structural Collapse
Succeed We Must
 Unavoidable forces can cause failures of

structures that house organization

 Structures designed and constructed with
specific load limits; overloading these limits
results in structural failure and potential
injury or loss of life
 Periodic inspections by qualified civil
engineers assists in identifying potentially
dangerous structural conditions
Maintenance of Facility Systems
Succeed We Must
 Physical security must be constantly

documented, evaluated, and tested

 Documentation of facility’s configuration,
operation, and function should be
integrated into disaster recovery plans and
operating procedures
 Testing helps improve the facility’s physical
security and identify weak points

Succeed We Must
Interception of Data
 Three methods of data interception
 Direct observation
 Interception of data transmission
 Electromagnetic interception
 E.g. The U.S. government developed
TEMPEST program to reduce risk of
electromagnetic radiation (EMR) monitoring
 How about in Uganda? Find out!

Succeed We Must
Mobile and Portable Systems
 With the increased threat to information
security for laptops, handhelds, and PDAs,

mobile computing requires more security
than average in-house system
 Many mobile computing systems have

corporate information stored within them;
some are configured to facilitate user’s
access into organization’s secure
computing facilities
Mobile and Portable Systems cont’d
Succeed We Must
 Controls support security and retrieval

of lost or stolen laptops

 CompuTrace software, stored on laptop;
reports to a central monitoring center
 Burglar alarms made up of a PC card
that contains a motion detector

Succeed We Must
Remote Computing Security
 Remote site computing: away from organizational
facility
 Telecommuting: computing using
telecommunications including Internet, dial-up, or
leased point-to-point links
 Employees may need to access networks on
business trips; telecommuters need access from
home systems or satellite offices
 To provide secure extension of organization’s
internal networks, all external connections and
systems must be secured
Special Considerations for Physical Security Threats
Succeed We Must
 Develop physical security in-house or outsource?

 Many qualified and professional agencies

 Benefit of outsourcing includes gaining
experience and knowledge of agencies
 Downside includes high expense, loss of control
over individual components, and level of trust
that must be placed in another company
 Social engineering: use of people skills to obtain
information from employees that should not be
released

Succeed We Must
Inventory Management
 Computing equipment should be
inventoried and inspected on a regular

basis
 Classified information should also be
inventoried and managed
 Physical security of computing equipment,
data storage media and classified
documents varies for each organization

Succeed We Must
Summary
 Threats to information security that are unique to
physical security
 Key physical security considerations in a facility site
 Physical security monitoring components
 Essential elements of access control
 Fire safety, fire detection, and response
 Importance of supporting utilities, especially use of
uninterruptible power supplies
 Countermeasures to physical theft of computing
devices

Succeed We Must
Individual Exercise
 You are required to move around the MUST Upper or Lower
(Choose one but not both) campus and make a summarized
report concerning the physical security of the upper campus.

In your Report,
 Identify the weaknesses in the physical security of the
different facilities (networks, buildings etc.) at the campus.
 Propose the appropriate physical security mechanisms that
can be put in place to counter those weaknesses.
 Mention the Status (see table next slide) for attention
 Use a sample table below(next slide) for your summarized
report
 Hand in your report by 4:30pm sharp (Hand written)

MUST Lower/Upper Campus Physical Security Report
Succeed We Must
FACILITY WEAKNESS PROPOSED STATUS (Urgent, Not

(Item) SOLUTION Urgent, Can Wait)

Lecture 4: Physical Security: Succeed We Must

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lecture 4: Physical Security: Succeed We Must

Uploaded by

Copyright:

Available Formats

Faculty of Computing and Informatics

 You have been working hard to secure your network

 But what if an attacker gains access to the server

 Attackers could use ‘side-channel attack’ to

 Use computer screen light change to detect

 Good to read about these three

07/12/22 Fred Kaggwa 2

implementation, and maintenance of

07/12/22 Fred Kaggwa 3

•Extreme temperature: heat, cold

•Living organisms: viruses, bacteria, people, animals, insects

•Projectiles: tangible objects in motion, powered objects

•Movement: collapse, shearing, shaking, vibration, liquefaction,

flows waves, separation, slide

electricity, aging circuitry; radiation: sound, light, radio,

07/12/22 Fred Kaggwa 4

 General management: responsible for

engineered with controls designed to

 Secure facility can take advantage of

 ID Cards and badges

 Locks and keys

 Alarms and alarm systems

 Computer rooms and wiring closets

 Interior walls and doors

07/12/22 Fred Kaggwa 7

 Ties physical security with information access

 ID card is typically concealed

 Name badge is visible

 Serve as simple form of biometrics (facial

07/12/22 Fred Kaggwa 8

 Two types of locks: mechanical and

 For centuries, the lock has been one of the

cornerstones of physical security

people and assets

the Egyptian single-

07/12/22 Fred Kaggwa 11

1. When a key is not present, the

the springs so that the driver

07/12/22 Fred Kaggwa 12

07/12/22 Fred Kaggwa 13

07/12/22 Fred Kaggwa 14

 Individual enters mantrap, requests access, and if

 Individual denied entry is not allowed to exit until

07/12/22 Fred Kaggwa 15

07/12/22 Fred Kaggwa 16

controls are impractical or incomplete

07/12/22 Fred Kaggwa 17

 Detect fire, intrusion, environmental

07/12/22 Fred Kaggwa 18

confidentiality, integrity, and availability of

07/12/22 Fred Kaggwa 19

by construction of facility walls and doors

07/12/22 Fred Kaggwa 20

 Fires account for more property damage,

07/12/22 Fred Kaggwa 21

and maintained to detect and respond to a

categories: manual and automatic

 Part of a complete fire safety program includes

 There are three basic types of fire detection

07/12/22 Fred Kaggwa 23

 Portable extinguishers are rated by the type

 Installed systems apply suppressive