Physical Security Issues

Information Protection
Requirements & Environment

Lecture Week-2
 Introduction
• Physical Security deals with
– Preventing things that can be prevented
– Recovering from things that cannot be prevented
 Recap
• What is PHYSICAL SECURITY?
– Goal: to provide safe environment for all
assets & interests of the organization
– … is the protection of personnel,
hardware, programs, networks, and data
from physical circumstances and events
that could cause serious losses or
damage to an enterprise, agency, or
institution. This includes protection from
fire, natural disasters, burglary, theft,
vandalism, and terrorism
 (cont.)
Physical security is often overlooked (and its
importance underestimated) in favor of more
technical and dramatic issues such as hacking,
viruses Trojans, and Spyware. However,
breaches of physical security can be carried
out with little or no technical knowledge on
the part of an attacker. Moreover, accidents
and natural disasters are a part of everyday
life, and in the long term, are inevitable.
 Why Physical Security is important?
• Discussion:
– Central (in the past) vs distributed (nowadays)
– Central : focusing in one area, access restriction is
easy to be implemented i.e locks, alarms.
– What are the concerns when assets are
distributed (i.e server, mobile devices)
• Threats
• Preventive actions
– Logical controls vs Physical control
Among the threats to Physical Security

The Preventing Physical Vandalism Defending

Environment Accidents Access (Network against
(Fire, smoke, (Food and (Raised floor, cables, Terrorism
dust, drinks) dropped network (Acts of war)
humidity, ceilings) connector)
temperature
extreme,
earthquake
etc.)
 Data Protection
• Protecting data
– Eavesdropping (through wiretapping ~ a simple induction loop coiled
around a terminal wire can pick up most voice and RS-232
communications. To prevent wiretapping ~ shield cable, put cable in
steel conduit)
• Protecting backups
– When information is stored on a computer, the operating system's
mechanisms of checks and protections prevents unauthorized people
from viewing the data (and can possibly log failed attempts). After
information is written onto a backup tape, anybody who has physical
possession of the tape can read its contents.
– Verify the backups
– Protect the backups
– Sanitize the media before disposal
– Encrypt the backups
 Role of Physical Security
• Physical security still plays critical role in
protecting the resources of an organization. It
requires :
– Solidly constructed buildings
– Emergency preparedness,
– Adequate environmental protection,
– Reliable power supplies,
– Appropriate climate control
– External & internal protection from
intruders
 (cont.)
• 3 main components to physical security:
1. Obstacles can be placed in the way of potential attackers
and sites can be hardened against accidents and
environmental disasters. Such measures can include
multiple locks, fencing, walls, fireproof safes, and water
sprinklers.
2. Surveillance and Notification Systems can be put in
place, such as lighting, heat sensors, smoke detectors,
intrusion detectors, alarms, and cameras.
3. Methods can be implemented to apprehend attackers
(preferably before any damage has been
done) and to recover quickly from
accidents, fires, or natural disasters.
 Information Protection Requirements

• Outlines the requirements

for physical security protection
• C-I-A Triad :
• Objective of Physical Security is to ensure the system
and its resources are available when needed, the
integrity of the data & system resources is ensured and
the confidentiality of the data is protected
• Combination of all countermeasures + physical controls
 provides a level of assurance that these 3 objectives
will be met
 computers
printers

ATTACKS Storage
personnel
devices

Support
Printed systems
materials
 Threats
Natural/ Earthquakes, floods, storms, hurricanes, volcanic
Environment eruption, extreme temperature, tsunami, building
collapse
Supply Threats to physical
Communication environment
outages. Power distribution (surges,
Systems blackouts), burst pipes
Man-made Explosions, disgruntled employees, unauthorized
access (hackers, crackers), employees errors,
arson/fires, sabotage, hazardous/toxic spills,
chemical contamination, malicious code, vandalism
and theft, unintentional acts (spilled drinks,
overloaded electrical outlets)
Political Bombings, terrorist attacks, riots or civil disturbance,
Events strikes

Can compromise the integrity and confidentiality of resources &

can also make them unavailable to authorized users
• While planning, perform a risk analysis
focusing on existing threats & determine
where countermeasure is most cost-effective
• Do not cause conflict with life safety goals (ie
safe exit). Life safety overrides other security
issues.
 Information Protection Environment

Outlines the elements of the physical

environment of concern to information system
security professionals
• Physical Security requires building/site to be
protected in such a manner that minimizes the
risk of theft, destruction and unauthorized
access.
Layered Approach of Defense Model
Perimeter
Building Grounds

Building Entrance
Building Floors/Office Suites
Offices, Data centers,
Equipment, Media etc
 Approaches to Physical Security
• Deterrence
– Provides countermeasures such as policies, procedures & technical devices &
controls to defend against attacks on the assets being protected
• Detection
– Monitors for potential breakdowns in protective mechanisms that could result
in security breaches
• Delay
– Requires human involvement, covers procedures & actions for assessing the
situation & responding to a breach.
• Response
– Requires human involvement, covers procedures & actions for assessing the
situation & responding to a breach.
• Recovery
– It is a plan to continue business and operations as usual possible after an
incident
• Re-evaluation
– Regularly review your Physical Security plan (assessment & objectives)
especially when situation has changed ~ new threats emerged.
Subtopic areas for Information Protection
Environment

• Crime Prevention through Environmental

Design (CPTED)
• Site Location
• Construction Impacts
• Facility Impacts
Crime Prevention through Environmental Design (CPTED)

CPTED - is a concept that, a basic premise, states that the

physical environment of a building can be changed or
managed to produce behavioral effects that will reduce the
incidence and fear of crime
• Aimed at reducing opportunity for specific crimes/incidents to
occur.
• Combination of security h/ware + psychology + site design =
physical environment discourages crime
• R/ship between Social behavior of people & their
environment, essence to CPTED concept (legitimate feels safe
& illegal feels unsafe to pursue undesirable behavior (i.e
outside lighting)
 (cont.)
• CPTED builds on several key strategies (affect
the designing an external physical security
environment) :
– Territoriality : people protect their own territory &
respect the territory of others, express ownership
such as fences, signs, good
maintenance(deterioration indicates lack of
concern & tolerance for disorder) & landscaping
 (cont.)
– Surveillance: principal tool in the protection of a
space. Maximize the ability to see what is going on
discourages crime i.e landscaping, lighting to
promote natural surveillance and CCTV or
organized security patrol
– Access Control : Properly located entrances, exits,
fencing and landscaping can control the flow or
limit access that discourage crime.
 Site Location
• PS should begin with a detailed site selection process. Several
questions to ask:
– Does the business have specific physical security concerns regarding
the facility location
– Is it vulnerable to crime, riots, demonstrations or terrorism attacks?
– Is it vulnerable to natural disasters? In a high flood plane? Earthquake
zone?
– Location in relation to adjacent buildings/other businesses? Near
chemical factory?
– How far away is it to other types of threats? Nearest airport? Military
base?
– What are neighborhood crime rates & types?
– What type of emergency support response is provided to the area?
 Construction Impacts
• Construction controls involve designing wall,
windows, doors, water/gas lines in secure
fashion
Fire-rated walls, penetration resistant,
windowless etc.
• Question to consider: Could the structure
withstand relevant natural threats, such as
hurricane-force wind? Is it earthquake
resistant?
 Facility Impacts
• Some examples that can affect the level of physical security
– Entry points
– Infrastructure support systems (power, water, plumbing, cables ~
failure/substandard may interrupt operation & cause physical damage to
system etc)
– Electrical power (failure may cost serious business impact, i.e hospitals)
– Heating, ventilation, air conditioning (and refrigeration) ~ location to
these areas could allow unauthorized access or some type of sabotage –
i.e too hot or too cold might harm the system
– Internal sensitive or compartmentalized areas – areas that need
additional physical protection i.e server room, communication center etc.
– Portable computing – remote access introduces vulnerabilities to physical
equipment (i.e non-employees accessing the system, inappropriate
disposals, laptops stolen/lost)
Class Discussion on Physical security :
a paranoid view
• Home
– House & Apartments/flats
•  Transportation
– Mobility
• Workplace
–  Office & Data centre
–  Research lab (science, technology, material etc)
–  Manufacturing
•  Sports arena
•  Shopping complex
 Next week discussion (in a group of 3)
Security risks resulting from convergence between
physical security and other systems with IT
environments is, however, just beginning to occur …
Schultz E. (2007). Risks due to convergence of physical security systems
and information technology environments. Information Security Technical
Report, vol 12, 8 0 – 8 4

Find 2 more related papers. Originality & quality of

discussion carries some merits.