Saudi Electronic University
College of Computing and Informatics
IT Security and Policies
26/12/2021
Security Program and Policies: Principles and Practices
by Sari Stern Greene
Updated 02/2018
Chapter 7: Physical & Environmental Security

Objectives
1. Define the concept of physical security and how it relates to information security.
2. Evaluate the security requirements of facilities, offices, and equipment.
3. Understand the environmental risks posed to physical structures, areas within those structures, and equipment.
4. Enumerate the vulnerabilities related to reusing and disposing of equipment.
5. Recognize the risk posed by the loss or theft of mobile devices and media.
6. Develop policies designed to ensure the physical and environmental security of information, information systems, and information processing and storage facilities.

Introduction
ISO 27002:2013 encompasses both physical and environmental security. Environmental security refers to the workplace environment: the design and construction of the facilities, how and where people move, where equipment is stored, how the equipment is secured, and protection from natural and man-made disasters. A physical security expert may question the location, the topography, and even the traffic patterns of pedestrians, automobiles, and airplanes.

Creating and maintaining physical and environmental security is a team effort. Security professionals often focus on technical controls and can overlook the importance of physical controls.
- Early computer age (system protection was easy): locked labs, heavy computers, and only a few people granted access to information.
- Today: transportable computers, cloud environments, many employees and contractors, and limited privacy.

Understanding the Secure Facility: Layered Defense Model
In a layered defense model, if an intruder bypasses one layer of controls, the next layer should provide additional defense and detection capabilities. The layers are both physical and psychological: the appearance of security is itself a deterrent. Example: medieval castles were built of stone, on a high hill, with guards and a single entry way, all designed to ward off intruders.
How to Secure the Site
Physical protection is required for information-processing facilities, which range from:
1. A closet holding one server, to
2. A complex of buildings with thousands of computers.
In addressing site physical security, we must consider:
1. Theft
2. Malicious activity
3. Accidental damage
4. Damage that results from natural disasters
The design of a secure site starts with the location. Location-based threats to evaluate:
1. Political stability
2. Susceptibility to terrorism
3. Crime rate in the area
4. Roadways and flight paths
5. Utility stability
6. Vulnerability to natural disasters

How to Secure the Site (Cont…)
Critical information-processing facilities should be inconspicuous and unremarkable. They should not have signage relating to their purpose, nor should their outward appearance hint at what may be inside. The physical perimeter can be protected using:
1. Obstacles: berms, fences, gates, and bollards; illuminated entrances, exits, pathways, and parking areas
2. Detection systems: cameras, closed-circuit TV, alarms, motion sensors, and security guards
3. Response systems: locking gates and doors, personnel notification, and direct communication with police

How Is Physical Access Controlled?
The next area to consider is physical entry and exit controls. They fall into four groups:
1. Authorizing entry (building access)
2. Securing offices, rooms, and facilities (within the building)
3. Working in secure areas
4. Ensuring clear desks and screens
Access control rules should be designed for employees, third parties (contractors, partners, vendors), and visitors. Physical entry/access control rules:
- Users should be authorized before gaining access to a protected area.
- Visitors should be identified, labeled, and authorized before gaining access to a protected area.
- Visitors should be required to wear identification that can be evaluated from a distance, such as a badge.
- Identification should start as soon as a person attempts to gain entry.

Physical Entry Controls Policy Example

Securing Offices, Rooms, and Facilities
Workspaces should be classified based on the level of protection required. Some internal rooms and offices, as well as parts of individual rooms (cabinets and closets), may also require different levels of protection. The classification system should address:
1. Personnel security
2. Information system security
3. Document security
Secure design controls for spaces within a building include (but are not limited to):
1. Structural protection such as full-height walls, fireproof ceilings, and restricted vent access
2. Alarmed, solid, fireproof, lockable, and observable doors
3. Alarmed, locking, unbreakable windows
4. Monitored and recorded entry controls (keypad, biometric, card swipe)
5. Monitored and recorded activity

Working in Secure Areas
It is not enough to physically secure an area; close attention should also be paid to who is allowed to access the area and what they are allowed to do. The area should be continually monitored, and access control lists should be reviewed frequently. Depending on the circumstances, devices such as cameras, smartphones, tablets, and USB drives are restricted from entering certain areas.

Ensuring Clear Desks and Screens
Companies have a responsibility to protect physical and digital information, both during the workday and during non-business hours. Protected or confidential documents should never be viewable by unauthorized personnel:
1. Documents should be locked in file rooms, desk drawers, and cabinets when not in use.
2. Copiers, scanners, and fax machines should be located in nonpublic areas and require the use of access codes.
Unauthorized access can be the result of viewing a document left unattended. Documents and screens must also be protected from shoulder surfing, the act of looking over someone's shoulder to see what is displayed on a monitor or device. Password-protected screen savers should engage automatically after a period of inactivity, and users should be trained to lock their screens when leaving devices unattended. Physical security expectations and requirements should be included in organizational acceptable use agreements.

Clear Desk and Clear Screen Policy Example

Protecting Equipment (Energy Consumption)
No power, no processing; it's that simple. All information systems rely on clean, consistent, and abundant supplies of electrical power. Portable devices that run on battery power require electricity for recharging. Power is not free; it can be very expensive, and excessive use has an environmental and geopolitical impact. After lighting, computers and monitors have the highest energy consumption in office environments. As power consumption and costs rise, saving energy is becoming a significant issue. Universities and Fortune 500 organizations have been leaders in the sustainable ("green") computing movement. The goals of sustainable computing are to:
1. Reduce the use of hazardous materials,
2. Maximize energy efficiency during the product's lifetime, and
3. Promote the recyclability or biodegradability of defunct products and factory waste.

Protecting Equipment
Both company-owned and employee-owned equipment should be protected. To function properly, systems need consistent power delivered at the correct voltage level. Systems need to be protected from power loss, power degradation, and even from too much power, all of which can damage equipment. Common causes of voltage variation include:
1. Lightning; damage to overhead lines from storms, trees, birds, or animals
2. Vehicles striking poles or equipment
3. Load changes or equipment failure on the network
4. Heat waves, which contribute to power interruptions as the demand for electricity rises

Protecting Equipment (Cont…)
Hardware assets must be protected from:
1. Power surges: prolonged increase in voltage
2. Power spikes: momentary increase in voltage
3. Brownouts: prolonged periods of low voltage
4. Sags: momentary periods of low voltage
5. Blackouts: prolonged periods of power loss
6. Faults: momentary loss of power
Protective devices can be installed to help protect the area and its assets, such as:
1. Voltage regulators
2. Isolation transformers
3. Line filters
Note that these devices condition the voltage but do not bridge a blackout or fault; that requires an uninterruptible power supply (UPS) and, for longer outages, a generator. No power, no processing. Reduce power consumption, for example by purchasing Energy Star certified devices.

How Dangerous Is Fire?
Three elements of fire protection:
1. Fire prevention controls. These are the first line of defense and include hazard assessments and inspections, adherence to building and construction codes, use of flame-retardant or nonflammable materials, and proper handling and storage procedures for flammable and combustible materials.
2. Fire detection: recognizing that there is a fire. Fire detection devices can be smoke activated, heat activated, or flame activated.
3. Fire containment and suppression: actually responding to the fire. Containment and suppression equipment is specific to the fire classification.
How Dangerous Is Fire? (Fire Classification)
The response to a fire depends on its classification:
- Class A: fire with ordinary combustible materials as its fuel source, such as wood, cloth, paper, rubber, and many plastics
- Class B: fire in flammable liquids, oils, greases, tars, oil-based paints, lacquers, and flammable gases
- Class C: fire that involves energized electrical equipment
- Class D: fire involving combustible metals
Facilities must comply with standards that require fire-extinguishing methods to be tested annually to validate full functionality. The best-case scenario is that data centers and other critical locations are protected by an automatic fire-fighting system that spans multiple classes. Because water conducts electricity, equipment rooms are usually protected with non-conductive clean-agent (gaseous) or pre-action systems rather than ordinary wet-pipe sprinklers. In any emergency, human life always takes precedence. All personnel should know how to quickly and safely evacuate an area.

What About Disposal?
What do servers, workstations, laptops, tablets, smartphones, firewalls, routers, copiers, scanners, printers, memory cards, cameras, and flash drives have in common? They all store data that should be permanently removed before handing down, recycling, or discarding the device.

What About Disposal? (Data Files)
The data can be apparent, hidden, temporary, cached, browser based, or metadata.
1. Apparent data files are files that authorized users can view and access.
2. Hidden files are files that the operating system by design does not display.
3. Temporary files are created to hold information temporarily while a file is being created.
4. A web cache is the temporary storage of web documents, such as HTML pages, images, and downloads.
5. A data cache is the temporary storage of data that has recently been read and, in some cases, adjacent data areas that are likely to be accessed next.
6. Browser-based data includes:
   1. Browsing history, the list of sites visited
   2. Download history, the list of files downloaded
   3. Form history, the items entered into web page forms
   4. Search bar history, the items entered into search engines
   5. Cookies, which store information about websites visited, such as site preferences and login status
7. Metadata is details about a file that describe or identify it, such as title, date, author name, subject, and keywords that identify the document's topic or contents.

Data Destruction Standard
NIST Special Publication 800-88 defines data destruction as "the result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible to recover or prohibitively expensive."

What About Disposal? (Removing data from drives)
Formatting a hard drive or deleting files does not mean that the data on that drive cannot be retrieved. Two methods for permanently removing data from drives before disposal:
- Disk wiping: overwriting the hard drive with 0s and 1s
- Degaussing: exposing the hard drive to a strong magnetic field

Disk wiping
The process overwrites the master boot record (MBR), partition table, and every sector of the hard drive with 0s and 1s, traditionally several times; the drive is then formatted. The older rule of thumb was that more overwrite passes meant a more secure wipe; NIST SP 800-88 Rev. 1 states that a single overwrite pass is adequate for modern magnetic drives, so verifying that the pass actually covered the whole device matters more than the pass count. Disk wiping does not work reliably on solid-state and flash media (SSDs, USB thumb drives, CompactFlash, and MMC/SD cards) because the controller remaps writes and spare (over-provisioned) cells are never reached by host writes; for these, use the device's built-in sanitize or secure-erase command, or physically destroy the media.

Degaussing
The process wherein a magnetic object, such as computer tape, a hard disk drive, or a CRT monitor, is exposed to a magnetic field of greater, fluctuating intensity. As applied to magnetic media such as video, audio, computer tape, or hard drives, the movement of the media through the degaussing field realigns the magnetic particles, resetting the magnetic field of the media to a near-zero state and erasing all the data written to the tape or hard drive.
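As an added example (not from the slides or the book), the following POSIX shell routine performs the overwrite-and-verify sequence the disk wiping slide describes, on a single file rather than a whole device, so that it can be run safely against a constructed test file. It assumes Linux coreutils (dd, head, od, wc, sync) and the /dev/urandom and /dev/zero devices; the function names are made up for this example. It is a file-level illustration only: on SSDs, flash cards, and copy-on-write or journaling filesystems the blocks you overwrite may not be the blocks that held the data, which is exactly the caveat above. For whole devices the same pattern applies with the device node as the target, and for SSDs the vendor command is the right tool (hdparm --security-erase for ATA, nvme format --ses=1 for NVMe), again followed by reading the device back to verify.

```shell
#!/bin/sh
# Added example (not from the slides): overwrite a file in place with random data
# for N passes, then one zero pass, and verify the zero pass really covered it.
# Assumes Linux coreutils (dd, head, od, wc, sync), /dev/urandom and /dev/zero.
# File-level only; on SSD/flash or copy-on-write filesystems use the device's
# sanitize command or physical destruction instead (see the caveat in the text).

# overwrite_pass FILE SOURCE: write exactly size(FILE) bytes taken from SOURCE over
# FILE without truncating it, then flush so the bytes reach the disk, not just cache.
overwrite_pass() {
    size=$(wc -c < "$1") || return 1
    head -c "$size" "$2" | dd of="$1" bs=4096 conv=notrunc 2>/dev/null || return 1
    sync
}

# is_zeroed FILE: succeed only if FILE is non-empty and every byte is 0x00.
# This is the verification step: a wipe that was not read back was not verified.
is_zeroed() {
    [ -s "$1" ] || return 1        # an empty file is empty, not wiped
    od -An -v -tx1 "$1" | tr -d ' \n' | grep -q '[^0]' && return 1
    return 0
}

# wipe_file FILE [PASSES]: PASSES random overwrites (default 1, which NIST SP 800-88
# Rev. 1 considers adequate for magnetic media) followed by a zero pass, then verify.
# Returns non-zero if FILE is missing, a pass failed, or verification failed.
# The caller unlinks FILE afterwards; the function leaves it so it can be inspected.
wipe_file() {
    f=$1
    passes=${2:-1}
    [ -f "$f" ] || return 1
    i=0
    while [ "$i" -lt "$passes" ]; do
        overwrite_pass "$f" /dev/urandom || return 1
        i=$((i + 1))
    done
    overwrite_pass "$f" /dev/zero || return 1
    is_zeroed "$f"
}

# Demonstration on a constructed file (never on a live drive):
#   tmp=$(mktemp); printf 'acct 4111-1111-1111-1111' > "$tmp"
#   wipe_file "$tmp" 3 && rm -f "$tmp"
```

The two things worth copying from this into a real disposal procedure are the flush (sync, or conv=fdatasync on GNU dd) before declaring a pass done, and the read-back check; a wipe tool that only reports "done" without either of them gives no evidence for the certificate of destruction.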
Degaussing (Cont…)
In many instances, degaussing resets the media to a like-new state so that it can be reused and recycled. Two caveats: a degaussed hard disk drive is normally not reusable, because the degausser also erases the factory-written servo tracks the drive needs to operate; and degaussing has no effect on solid-state or flash media, which store data electrically rather than magnetically.

What About Disposal? (Destroying materials)
The objective of physical destruction is to render the device and/or the media unreadable and unusable. Devices and media can be crushed, shredded, or, in the case of hard drives, drilled in several locations perpendicular to the platters and penetrating clear through from top to bottom. Cross-cut shredding technology, which reduces material to fine, confetti-like pieces, can be used on all media, from paper to hard drives.

What About Disposal? (Outsourcing the destruction process)
Companies that offer destruction services often have specialized equipment and are aware of environmental and regulatory requirements. The downside is that the organization is transferring responsibility for protecting the information: the media may be transported to off-site locations, and the data is handled by non-employees over whom the originating organization has no control. Selecting a destruction service is serious business, and thorough due diligence is in order; in practice this means chain-of-custody records for the media in transit and a certificate of destruction that lists the serial numbers destroyed.

Stop, Thief! (Statistics)
According to the Federal Bureau of Investigation (FBI), on average:
- 1 in 10 individuals will have a laptop stolen at some point.
- 97% of stolen laptops are never returned to their rightful owners.
The cost of lost and stolen devices is significant. The most obvious loss is the device itself, but the larger cost is detection, investigation, notification, after-the-fact response, and the economic impact of lost customer trust and confidence, especially if the device contained legally protected information.

Summary
- The physical perimeter of the company must be secured.
- Some internal rooms and offices must be identified as needing more security controls than others, and those controls must be deployed.
- Environmental threats such as power loss or fire must be taken into account and the proper hardware put in place.
- A clear desk and clear screen policy is important to protect the confidentiality of company-owned data.
- It is important to permanently remove data before recycling or disposing of a device.

Thank You