Page 1
All-In-One Edition Chapter 7 – Physical Security
Brian E Brzezicki
Page 2
Note: A LOT of this chapter is “missing” from the book. That is, the book is only 12 pages. I have put over 70 slides in this chapter (one of the longest). These things you should expect to see on the exam. So pay extra attention to these slides!
Page 3
Physical Security
Page 4
There is NO security without Physical Security
We spend A LOT of money on logical (technical) security. However, without physical security there is NO security. Physical security is usually a weak link!
• Attackers can walk off with machines
• If I can get physical access to your machine I will be able to get whatever info I want or load “bad” software on it, or even just change the root/administrator account password!
• Plug into a network and attack it from within!
Page 5
Some Physical Security Attacks (187)
• LiveCDs (Knoppix, BackTrack)
• USB/CDs and “auto play” – talk about this LATER
• No BIOS/Default BIOS passwords
• Disk Imaging (how?)
• Copying off sensitive data
Page 6
Physical Security Layers (n/b)
• Deterrence – fences, guards, signs
• Reducing/Avoiding damage by Delaying attackers – slow down the attackers (locks, guards, barriers)
• Detection – motion sensors, smoke detectors
• Incident assessment – response of guards, and determination of damage level
• Response procedures – fire suppression, law enforcement notification, etc.
Page 7
Physical Security Terms and Concepts
Page 8
Bollards
Page 9
Bollards (n/b)
Bollards are small concrete pillars, sometimes containing lights or flowers.
They are used to stop people from driving through a wall, and are often put between a building and a parking lot.
They can be arranged to form a natural path for walking.
Page 10
Fencing (n/b)
Can deter and delay intruders; first line of defense
• Fences 3-4 feet high only deter casual trespassers
• Fences 6-7 feet high are considered too high to climb easily
• Fences 8 feet high are considered serious. Use for critical areas
Page 11
Walls (n/b)
You know what they are
• Choose a wall with the strength to support the security application. This might also include fire rating!
Page 12
Zones (n/b)
Fences, walls, bollards, etc., along with access control mechanisms, can be brought together to create “security” zones. Each zone has some different security level or work type.
• Example
– Lobby – low security, public access
– Offices – medium security, restricted access
– R&D – high security, extremely restricted access
(see next slide)
Page 13
Security Zones (n/b)
• Zones are used to physically separate areas into different security areas
• Each inner level becomes more restricted and more secure
• Stronger Access Control and Monitoring at the entry point to each zone
Page 14
Lighting (n/b)
Lighting is obviously important in perimeter security. It decreases the probability of criminal activity.
• Each light should cover its own zone and there should not be gaps in the coverage
• Coverage in fact should overlap
• Lighting should be directed AWAY from the security guards, etc.
Page 15
locked and unlocked position.
• Pin tumbler – uses pins
• Wafer – uses wafer (not very secure)
Page 16
Warded Lock (n/b)
Page 17
Tumbler Lock (n/b)
Page 18
• Grade 3 – residential throw away locks
There are also 3 cylinder categories
Low – no pick or drill resistance provided
Medium – a little pick resistance
High – higher degree of pick resistance
Page 19
Attacks against key type locks (n/b)
Tension wrench – shaped like an L and is used to apply tension to the cylinder, then use a pick to manipulate the individual pins
Pick – used in conjunction with a tension wrench to manipulate the pins into place so you can turn the cylinder
Visualization next slide
Page 20
Lock Picking
Page 21
• Combination locks – rather than use a key, turn
Page 22
Locks (n/b)
• Cipher locks – electronic locks
– Combination can be changed
– Combination can be different for different people
– Can work during different times of day
– Can have emergency codes
– Can have “override codes”
Page 23
Cipher Lock
Page 24
Man Trap (n/b)
Page 25
• Avoids piggybacking
• Can trap intruder
Page 26
Surveillance (n/b)
CCTVs and recording devices to record video of site
• It deters criminal activity
• Can be used later as evidence or to determine what happened
• CCTVs should generally have PTZ capability, and auto-irises
Page 27
Intrusion Detection Systems (n/b)
IDS (physical IDS, NOT network IDS) – help detect the physical presence of an intruder
Can be multiple types
Electromechanical – traditional types, determine the opening of a window by a break in connectivity.
– Vibration sensors are also electromechanical
– Pressure pads are also electromechanical
Page 28
IDS (n/b)
Photoelectric – uses light beams to detect when something crosses the beam (slide image)
Passive Infrared (PIR) – monitors heat signatures in a room (a lot of home automatic light systems are of this type) (slide image)
Acoustical Detection – uses sound
Proximity detector/capacitance detectors – emits a measurable magnetic field. If the field is disrupted it sets off the alarm (usually this field is a very small area, as magnetic fields disperse quickly as the area increases)
Page 29
Passive Infrared IDS
Passive Infrared (PIR) – monitors heat signatures in a room (a lot of home automatic light systems are of this type)
Page 30
Photoelectric IDS
Photoelectric – uses light beams to detect when something crosses the beam
Page 31
Personnel Access Controls
Page 32
Personnel access controls
There are different technologies to grant access to a building, generally called an “access token”
• User activated – a user does something (swipe cards, biometrics)
• Proximity devices/transponders – a system recognizes the presence of an object (“Electronic access control tokens” is a generic term for proximity authentication systems)
Page 33
Smart Cards Vs Memory cards
What is a memory card? (see slide)
What is a smart card? (see slide)
How are they different?
Which is more secure?
Page 34
Memory Cards
Page 35
Smart Card
Page 36
Biometrics (195)
• Bio – life, metrics – measure
• Biometrics verifies (authenticates) an individual's identity by analyzing a unique personal attribute (something they ARE)
• Require enrollment before being used* (what is enrollment? Any ideas?)
• EXPENSIVE
• COMPLEX
Page 37
Biometrics (195)
• Can be based on
– Behavior (signature dynamics) – might change over time
– Physical attribute (fingerprints, iris, retina scans)
– We will talk about the different types of biometrics later
• Can give incorrect results
• False negative – Type 1 error* (annoying)
• False positive – Type 2 error* (very bad)
Page 38
CER (n/b)
• Crossover Error Rate (CER)* is an important metric, stated as a percentage, that represents the point at which the false rejection rate equals the false positive rate
• A lower CER is better/more accurate* (a 3 is better than a 4)
• Also called Equal Error Rate
• Use CER to compare vendors' products objectively
Page 39
Biometrics (n/b)
• Systems can be calibrated. For example, if you adjust the sensitivity to decrease false positives, you will probably INCREASE false negatives; this is where the CER comes in (see next slide)
• Some areas (like military) are more concerned with one error than the other (e.g. would rather deny a valid user than accept an invalid user)
• Can you think of any situations for each case?
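The calibration trade-off and the CER from the two slides above, as an added worked example that is not part of the original slides: it sweeps an accept threshold over match scores, computes the false rejection (Type 1) and false positive (Type 2) rates at each setting, and finds the crossover for two products. The score lists, the 0-100 score scale and the names VENDOR_A, VENDOR_B, error_rates and crossover are assumptions constructed for illustration.

```python
# Added example: FRR/FAR sweep and crossover error rate (CER) on constructed data.
# Scores are hypothetical match scores (0-100, higher = closer match to the
# enrolled template); they are constructed for illustration, not measured.
VENDOR_A = {
    "genuine":  [91, 88, 84, 79, 77, 73, 70, 66, 62, 55],   # valid users
    "impostor": [68, 61, 58, 52, 47, 44, 39, 33, 28, 20],   # invalid users
}
VENDOR_B = {
    "genuine":  [90, 85, 80, 72, 65, 60, 57, 51, 46, 40],
    "impostor": [75, 70, 64, 59, 53, 45, 38, 30, 25, 15],
}


def error_rates(scores, threshold):
    """Return (FRR, FAR) in percent when a score >= threshold is accepted.

    FRR = valid users rejected (false negative, Type 1 error).
    FAR = invalid users accepted (false positive, Type 2 error).
    """
    genuine, impostor = scores["genuine"], scores["impostor"]
    frr = 100.0 * sum(s < threshold for s in genuine) / len(genuine)
    far = 100.0 * sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(scores):
    """Sweep every threshold; return (threshold, FRR, FAR) where the rates meet.

    With finite samples the two rates may never be exactly equal, so the
    threshold with the smallest |FRR - FAR| is reported.
    """
    best = None
    for threshold in range(0, 101):
        frr, far = error_rates(scores, threshold)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (threshold, frr, far)
    return best


if __name__ == "__main__":
    for name, scores in (("A", VENDOR_A), ("B", VENDOR_B)):
        t, frr, far = crossover(scores)
        print(f"vendor {name}: crossover at threshold {t}, FRR={frr}% FAR={far}%")
    # Calibration trade-off on vendor A: looser, crossover and stricter settings.
    for t in (50, 62, 70):
        frr, far = error_rates(VENDOR_A, t)
        print(f"threshold {t}: FRR={frr}% (Type 1)  FAR={far}% (Type 2)")
```

On this constructed data vendor A crosses over at 10% and vendor B at 40%, so A is the more accurate product. Raising vendor A's threshold from 62 to 70 removes all false positives but rejects 30% of valid users, which is the setting a high-security site would lean toward.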
Page 40
CER (n/b)
Page 42
Biometric Types Overview (n/b)
We will talk in more depth of each in the next
Page 43
Finger Print
Page 44
Fingerprint (n/b)
• Measures ridge endings and bifurcations (changes in the qualitative or topological structure) and other details called “minutiae”
• Full fingerprint is stored; the scanners just compute specific features and values and send those for verification against the real fingerprint
Page 45
Hand Geometry (n/b)
• Overall shape of hand
• Length and width of fingers
• This is significantly different between individuals
Page 46
Retina Scan
Page 48
Iris Scan
Page 49
Iris Scan (n/b)
• Measures colors
• Measures rifts
• Measures rings
• Measures furrow (wrinkle, rut or groove)
• Provides most assurance of all biometric systems
• Iris remains constant through adulthood
• Place scanner so sun does NOT shine through aperture*
Page 50
• Type I (what is type I again?) error high
• Type II (what is type II again?) error low
Page 51
Keyboard dynamics (n/b)
• Measure the speeds and motions as you type, including the timed difference between characters typed, for a given phrase
• This is more effective than a password, believe it or not, as it is hard to repeat someone's typing style, whereas it’s easy to get someone's password
Page 52
Voice Print (n/b)
• Enrollment: you say several different phrases
• Measures speech patterns, inflection and intonation (i.e. pitch and tone)
• For authentication, words are jumbled
Page 53
Facial Scan
Page 55
• Camera on the side at an angle snaps a picture
• Not unique enough to stand on its own, but can be used with hand geometry to add assurance
Page 56
Biometrics wrap up
We covered a bunch of different biometrics
• Understand some are behavioral* based
– Voice print
– Keyboard dynamics
– Can change over time
• Some are physically based
– Fingerprint
– Iris scan
Page 57
Biometrics wrap up
• Fingerprints are probably the most commonly used and cheapest
• Iris scanning provides the most “assurance”
• Some methods are intrusive
• Understand Type I and Type II errors
• Be able to define CER; is a lower CER value better or worse?
• Privacy Issues
Page 58
Device Security
Page 59
Device Security
Devices can be stolen
• Use a drive encryption technology such as BitLocker or Encrypting File System
• Use device or port locks to secure items
• Laptops
– Should be inventoried
– “Lojack” type devices should be installed
– Encrypt the disks
(more)
Page 60
• Disable Auto Play
• Use a privacy screen
• Securely dispose of devices
Page 61
Environmental Security
Page 63
Fire Suppression
A – Common Combustibles
• Use for: Wood, paper, laminates
• Uses water or foam as suppression agent
B – Liquid
• Use for: gas or oil fires
• Use: Gas (CO2), foam, dry powders
Page 64
Fire Suppression
C – Electrical
• Use on: electrical equipment and wires
• Uses: Gas, CO2, dry powder
Page 65
Fire Suppression (Halon)
Before any type of dangerous gas (Halon, CO2) is released there should be some type of warning emitted (CO2 will suffocate people).
Halon is a type of gas that used to be commonly used; it is no longer used due to CFCs (it is also dangerous to people). It was banned by the “Montreal Protocol”* in 1987. An effective replacement is FM-200, or others on top of pg 444*.
Page 66
Fire Suppression Note
HVAC system should be set to shut down when an automatic suppression system activates.
Now we need to understand automatic fire suppression systems.
Page 67
Sprinkler Heads
The “Thermal Linkage” is often a small glass tube with colored liquid that is designed to shatter at a fixed temperature.
The fire will heat the Thermal Linkage to its break point, at which point the water in the pipe will flow freely through the opening at a high pressure. The pressure of the water causes it to spread in a wide area when it hits the deflector.
Page 68
Automatic fire suppression (n/b)
Sprinklers –
• Wet Pipe – high pressure water in pipe directly above sprinkler heads
• Deluge – type of wet pipe with a high volume of water dispersal, not used for data centers.
Page 69
Automatic fire suppression (n/b)
• Dry Pipe – air in pipe overhead, water in reservoir, released on fire detection
Page 70
Automatic fire suppression (n/b)
• Pre action – like dry pipe, but a delay exists before release. Best for computer rooms if a water based system is used
Page 71
Fire random tidbit (n/b)
The space between the “ceiling” and the actual floor above is called the “plenum”. You should know this term. You should understand that when running network cables and other plastic-insulated wiring, you need to use a certain type of wire called “plenum” wire. This is because burning plastic gives off toxic gases, and small fires in plenum areas could distribute toxic gases throughout the building air systems.
Page 72
Environmental Issues (n/b)
Improper environments can cause damage to equipment or services
Water and Gas
• Make sure there are shutoff valves and that they have positive drains (flow out instead of in, why?)
Page 73
Environmental Issues (n/b)
• Static electricity – besides ensuring proper humidity
– Use anti-static flooring in data processing areas
– Don’t use carpeting in data centers
– Wear anti-static bands when working inside computers
Page 74
Electric power issues (n/b)
There is power interference that stops you from getting “clean power”; this is called “line noise”.
Page 75
Electric power issues (n/b)
Line noise can be caused by the following
• Electromagnetic Interference – electromagnetic fields that can create noise (motors can generate fields)
• Radio Frequency Interference – fluorescent lights
Page 76
Electrical Power Issues (n/b)
There are times where the voltage delivered falls outside normal thresholds
Excess
• Spike – momentary high voltage
• Surge – prolonged
Shortage
• Sag/dip – momentary low voltage
• Brownout – prolonged low voltage
Loss
• Fault – momentary outage
• Black out
Page 77
Electrical power issues (n/b)
• “In rush current” – when a bunch of things are turned on, power demands are usually higher, and may stress power supplies, causing a sag/dip
• Try to have computer equipment on different electrical supplies. Do not use microwaves or vacuums on computer power lines
Page 78
Power best practices (n/b)
• Use surge protectors on desktops
• Do not daisy chain surge protectors (see next
• Use UPS systems in computer rooms
• If possible shield power cables
• Do not run power over or under fluorescent lights
Page 80
Computer Room (n/b)
• Temperature and humidity levels should be properly maintained
– Humidity too low, static electricity*
– Humidity too high, corrosion of metal parts*
• CR should be on separate electrical systems from the rest of the building
• Should have redundant power systems and UPS
Page 81
Review Questions
Q. What feature can allow a Windows computer to automatically run a Trojan program on an inserted CD or USB drive?
Q. Which of the following water based automatic fire suppression systems would be best used for a data center?
Q. Why is access to a network jack a risk?
Q. What is the CER in terms of biometrics?
Q. What is a type 1 and type 2 error?
Page 82
Review Questions
Q. If providing access to a bank vault, would I prefer higher false positives or higher false negatives?
Q. What type of fire rating are electrical fires?
Q. What is the difference between smart cards and memory cards?
Q. What type of motion sensor detects a human through emanated heat?