chapter13_physical_security.pdf

Computer Security:

Computer Security:

Principles and Practice

Principles and Practice

First Edition First Edition

by William Stallings and Lawrie Brown by William Stallings and Lawrie Brown

Chapter 13 – Physical and

Chapter 13 – Physical and

Agenda

Agenda

 Announcements_{Announcements}

 Mr. Vaislay – April 25Mr. Vaislay – April 25thth 10 AM 10 AM

 _{Discuss management aspect of securityDiscuss management aspect of security}

 Physical securityPhysical security  BreakBreak

Physical and Infrastructure

Physical and Infrastructure

Security

Security

 now consider physical / premises security_{now consider physical / premises security}

 three elements of info system security:_{three elements of info system security:}

 logical security - protect computer datalogical security - protect computer data

Physical Security

Physical Security

 protect physical assets that support the _{protect physical assets that support the} storage and processing of information

storage and processing of information

 involves two complementary requirements:_{involves two complementary requirements:}

 prevent damage to physical infrastructureprevent damage to physical infrastructure

• _{information system hardwareinformation system hardware} • physical facility_{physical facility}

• supporting facilities_{supporting facilities}

• personnel_personnel

Physical Security Threats

Physical Security Threats

 look at physical situations / occurrences _{look at physical situations / occurrences} that threaten information systems:

that threaten information systems:

 environmental threats (incl. natural disasters)environmental threats (incl. natural disasters)  technical threatstechnical threats

 human-caused threatshuman-caused threats

Natural Disasters

Natural Disasters

 tornado_tornado

 hurricane_hurricane  earthquake_earthquake

 ice storm / blizzard_{ice storm / blizzard}  lightning_lightning

Environmental Threats

Environmental Threats

 inappropriate temperature and humidity_{inappropriate temperature and humidity}

 fire and smoke_{fire and smoke}  water_water

 chemical, radiological, biological hazards_{chemical, radiological, biological hazards}  dust_dust

Technical Threats

Technical Threats

 electrical power is essential to run equipment_{electrical power is essential to run equipment}

 power utility problems: power utility problems:

• under-voltage - dips/brownouts/outages, interrupt service_{under-voltage - dips/brownouts/outages, interrupt service}

• over-voltage - surges/faults/lightening, can destroy chips_{over-voltage - surges/faults/lightening, can destroy chips}

• noise - on power lines, may interfere with device operation_{noise - on power lines, may interfere with device operation}

 _{electromagnetic interference (EMI)electromagnetic interference (EMI)}

 from line noise, motors, fans, heavy equipment, other from line noise, motors, fans, heavy equipment, other

computers, nearby radio stations & microwave relays

computers, nearby radio stations & microwave relays

Human-Caused Threats

Human-Caused Threats

 less predictable, may be targeted, harder _{less predictable, may be targeted, harder} to deal with

to deal with

 include:_include:

 unauthorized physical accessunauthorized physical access

• _{leading to other threatsleading to other threats}

 theft of equipment / datatheft of equipment / data

Mitigation Measures

Mitigation Measures

Environmental Threats

Environmental Threats

 inappropriate temperature and humidity_{inappropriate temperature and humidity}

 environmental control equipment, powerenvironmental control equipment, power

 fire and smoke_{fire and smoke}

 alarms, preventative measures, fire mitigationalarms, preventative measures, fire mitigation

 smoke detectors, no smokingsmoke detectors, no smoking

 _waterwater

 manage lines, equipment location, cutoff sensorsmanage lines, equipment location, cutoff sensors

Mitigation Measures

Mitigation Measures

Technical Threats

Technical Threats

 electrical power for critical equipment use_{electrical power for critical equipment use}

 use uninterruptible power supply (UPS) use uninterruptible power supply (UPS)  emergency power generator emergency power generator

 electromagnetic interference (EMI)_{electromagnetic interference (EMI)}

Mitigation Measures

Mitigation Measures

Human-Caused Threats

Human-Caused Threats

 physical access control_{physical access control}

 IT equipment, wiring, power, comms, mediaIT equipment, wiring, power, comms, media

 have a spectrum of approaches_{have a spectrum of approaches}

 restrict building access, locked area, secured, restrict building access, locked area, secured,

power switch secured, tracking device power switch secured, tracking device

Recovery from Physical

Recovery from Physical

Security Breaches

Security Breaches

 redundancy_redundancy

 to provide recovery from loss of datato provide recovery from loss of data

 ideally off-site, updated as often as feasibleideally off-site, updated as often as feasible  can use batch encrypted remote backupcan use batch encrypted remote backup

 extreme is remote hot-site with live dataextreme is remote hot-site with live data

 physical equipment damage recovery_{physical equipment damage recovery}

Threat Assessment

Threat Assessment

1.

1. set up a steering committee set up a steering committee

2.

2. obtain information and assistance obtain information and assistance

3.

3. identify all possible threats identify all possible threats

4.

4. determine the likelihood of each threat determine the likelihood of each threat

5.

5. approximate the direct costs approximate the direct costs

6.

6. consider cascading costs consider cascading costs

7.

Planning and Implementation

Planning and Implementation

 after assessment then develop a plan for _{after assessment then develop a plan for} threat prevention, mitigation, recovery

threat prevention, mitigation, recovery

 typical steps:_{typical steps:}

1.

1. assess internal and external resourcesassess internal and external resources

2.

2. identify challenges and prioritize activitiesidentify challenges and prioritize activities

3.

3. develop a plandevelop a plan

4.

Physical / Logical Security

Physical / Logical Security

Integration

Integration

 have many detection / prevention devices_{have many detection / prevention devices}

 more effective if have central control_{more effective if have central control}

 hence desire to integrate physical and _{hence desire to integrate physical and} logical security, esp access control

logical security, esp access control

 need standards in this area_{need standards in this area}

 FIPS 201-1 “FIPS 201-1 “Personal Identity Verification Personal Identity Verification

(PIV) of Federal Employees and Contractors

Summary

Summary

 introduced physical security issues_{introduced physical security issues}

 threats: environmental,technical, human_{threats: environmental,technical, human}  mitigation measures and recovery_{mitigation measures and recovery}