ch04 PhysicalSecurity

(1)

Computer Security:

Principles and Practice

First Edition First Edition

by William Stallings and Lawrie Brown by William Stallings and Lawrie Brown

Chapter 13 – Physical and

(2)

Physical and Infrastructure

Security

 now consider physical / premises security_{now consider physical / premises security}

 three elements of info system security:_{three elements of info system security:}

 logical security - protect computer datalogical security - protect computer data

(3)

Physical Security

 protect physical assets that support the _{protect physical assets that support the} storage and processing of information

storage and processing of information

 involves two complementary requirements:_{involves two complementary requirements:}

 prevent damage to physical infrastructureprevent damage to physical infrastructure

• information system hardware_{information system hardware}

• physical facility_{physical facility}

• supporting facilities_{supporting facilities}

• personnel_personnel

(4)

(5)

Physical Security Threats

 look at physical situations / occurrences _{look at physical situations / occurrences} that threaten information systems:

that threaten information systems:

 environmental threats (incl. natural disasters)environmental threats (incl. natural disasters)  technical threatstechnical threats

 human-caused threatshuman-caused threats

(6)

Natural Disasters

 tornado_tornado

 hurricane_hurricane  earthquake_earthquake

 ice storm / blizzard_{ice storm / blizzard}

(7)

Environmental Threats

 inappropriate temperature and humidity_{inappropriate temperature and humidity}

 fire and smoke_{fire and smoke}  water_water

 chemical, radiological, biological hazards_{chemical, radiological, biological hazards}

 dust_dust

(8)

Technical Threats

 electrical power is essential to run equipment_{electrical power is essential to run equipment}

 power utility problems: power utility problems:

• under-voltage - dips/brownouts/outages, interrupt service_{under-voltage - dips/brownouts/outages, interrupt service}

• over-voltage - surges/faults/lightening, can destroy chips_{over-voltage - surges/faults/lightening, can destroy chips}

• noise - on power lines, may interfere with device operation_{noise - on power lines, may interfere with device operation}

 _{electromagnetic interference (EMI)}_{electromagnetic interference (EMI)}

 from line noise, motors, fans, heavy equipment, other from line noise, motors, fans, heavy equipment, other

computers, nearby radio stations & microwave relays

(9)

Human-Caused Threats

 less predictable, may be targeted, harder _{less predictable, may be targeted, harder} to deal with

to deal with

 include:_include:

 unauthorized physical accessunauthorized physical access

• leading to other threats_{leading to other threats}

 theft of equipment / datatheft of equipment / data

(10)

Mitigation Measures

Environmental Threats

 inappropriate temperature and humidity_{inappropriate temperature and humidity}

 environmental control equipment, powerenvironmental control equipment, power

 fire and smoke_{fire and smoke}

 alarms, preventative measures, fire mitigationalarms, preventative measures, fire mitigation

 smoke detectors, no smokingsmoke detectors, no smoking

 water_water

 manage lines, equipment location, cutoff sensorsmanage lines, equipment location, cutoff sensors

 other threats_{other threats}

 appropriate technical counter-measures, limit dust appropriate technical counter-measures, limit dust

entry, pest control

(11)

Mitigation Measures

Technical Threats

 electrical power for critical equipment use_{electrical power for critical equipment use}

 use uninterruptible power supply (UPS) use uninterruptible power supply (UPS)  emergency power generator emergency power generator

 electromagnetic interference (EMI)_{electromagnetic interference (EMI)}

(12)

Mitigation Measures

Human-Caused Threats

 physical access control_{physical access control}

 IT equipment, wiring, power, comms, mediaIT equipment, wiring, power, comms, media

 have a spectrum of approaches_{have a spectrum of approaches}

 restrict building access, locked area, secured, restrict building access, locked area, secured,

power switch secured, tracking device power switch secured, tracking device

(13)

Recovery from Physical

Security Breaches

 redundancy_redundancy

 to provide recovery from loss of datato provide recovery from loss of data

 ideally off-site, updated as often as feasibleideally off-site, updated as often as feasible  can use batch encrypted remote backupcan use batch encrypted remote backup

 extreme is remote hot-site with live dataextreme is remote hot-site with live data

 physical equipment damage recovery_{physical equipment damage recovery}

(14)

Threat Assessment

1.

1. set up a steering committee set up a steering committee

2.

2. obtain information and assistance obtain information and assistance

3.

3. identify all possible threats identify all possible threats

4.

4. determine the likelihood of each threat determine the likelihood of each threat

5.

5. approximate the direct costs approximate the direct costs

6.

6. consider cascading costs consider cascading costs

7.

7. prioritize the threatsprioritize the threats

8.

(15)

Planning and Implementation

 after assessment then develop a plan for _{after assessment then develop a plan for} threat prevention, mitigation, recovery

threat prevention, mitigation, recovery

 typical steps:_{typical steps:}

1.

1. assess internal and external resourcesassess internal and external resources

2.

2. identify challenges and prioritize activitiesidentify challenges and prioritize activities

3.

3. develop a plandevelop a plan

4.

(16)

(17)

Physical / Logical Security

Integration

 have many detection / prevention devices_{have many detection / prevention devices}

 more effective if have central control_{more effective if have central control}  hence desire to integrate physical and _{hence desire to integrate physical and}

logical security, esp access control

 need standards in this area_{need standards in this area}

 FIPS 201-1 “FIPS 201-1 “Personal Identity Verification Personal Identity Verification

(PIV) of Federal Employees and Contractors

(18)

(19)

(20)

Summary

 introduced physical security issues_{introduced physical security issues}

 threats: environmental,technical, human_{threats: environmental,technical, human}  mitigation measures and recovery_{mitigation measures and recovery}

 assessment, planning, implementation_{assessment, planning, implementation}