
Chapter 7

Chapter 7 discusses the importance of physical security in protecting logical systems, emphasizing the need for secure hardware and access control to prevent unauthorized physical contact. It outlines various physical security threats, including natural disasters and human actions, and details five key areas for implementing physical security measures: education for personnel, administrative access controls, physical security controls, technical controls, and environmental/life safety controls. The chapter also highlights the significance of site selection and various security mechanisms such as badging, locks, intrusion detection systems, and biometrics in ensuring comprehensive physical security.

Chapter 7.

Physical Security Control

Introduction
An often-overlooked connection between physical systems (computer hardware) and logical systems (the software that runs on it) is that, to protect logical systems, the hardware running them must be physically secure. If you can’t physically protect your Physical security deals with who has access to buildings, computer rooms, and the devices within them. Controlling physical security involves protecting sites from natural and man-made physical threats through proper location and by developing and implementing plans that secure devices from unauthorized physical contact.

Physical Security Threats

You need to understand the threats that physical security control systems address before you learn about design and implementation. As you learn later in this chapter, site selection depends heavily upon a list of potential physical security threats for a given location.

The CBK defines these major categories of physical security threats:

• Weather: Tornadoes, hurricanes, floods, fire, snow, ice, heat, cold, humidity, and so forth
• Fire/chemical: Explosions, toxic waste/gases, smoke, and fire
• Earth movement: Earthquakes and mudslides
• Structural failure: Building collapse because of snow/ice or moving objects (cars, trucks, airplanes, and so forth)
• Energy: Loss of power, radiation, magnetic wave interference, and so forth
• Biological: Virus, bacteria, and infestations of animals or insects
• Human: Strikes, sabotage, terrorism, and war

Factors such as geographic locale determine the likelihood of specific physical security threats.

Providing Physical Security

The rest of this chapter discusses in some detail the five areas of physical security that address the aforementioned types of physical security threats:

• Education for personnel
• Administrative access controls, such as work area restrictions, visitor control, and site selection
• Physical security controls, such as perimeter security controls, badging, keys and combination locks, security dogs, lighting, fencing, and guards
• Technical controls, such as smart cards, audit trails, intrusion detection systems, and biometrics
• Environmental/life safety controls

Education for Personnel

An educated staff that knows about the potential for theft and misuse of facilities and equipment is the best weapon a company can have against illegitimate and accidental acts by others. Just as the staff should be prepared for the potential of unforeseen acts of nature, employees should be reminded periodically of the importance of helping to secure their surroundings:

• Being mindful of physical and environmental considerations required to protect the computer systems
• Adhering to emergency and disaster plans
• Monitoring the unauthorized use of equipment and services, and reporting suspicious or unusual activity to security personnel
• Recognizing the security objectives of the organization
• Accepting individual responsibilities associated with their own security and that of their coworkers, as well as the equipment they use and how they use it

Administrative Access Controls

The second category of physical access controls, administrative access controls, addresses the procedural and codified application of physical controls. For example, you will learn about several different physical control devices that make a site more secure. One of the administrative access controls in this section, site selection, involves planning for and designing the site before it is constructed.

Restricting Work Areas

A physical security plan, developed by executive management, department managers, and physical security site personnel as one of the many policy and standards documents that all effective security programmes require (see Chapter 4, “Governance and Risk Management”), should first identify the access rights to the site (campus) in general and then identify the various access rights each location (building) within the site requires. Within a manufacturing plant, individuals might need different access privileges, based on the department or area they are attempting to enter, even though they have gained general admittance to the plant. A single mechanism can control various levels of security access. This can be a badge reader encoded to allow the individual into specific areas of the facility based on function or business need. The important point to remember is that, just as security experts assign data to specific security classes, varying degrees of physical access can be based on security requirements within the facility.

Visitor Control

Controlling visitor access to a building is not a new concern. Most companies have long had some kind of procedure for requiring visitors to sign in and specify a purpose for their visit, and then wait for an escort who authorizes their presence before granting access to the visitor. However, with heightened post-September 11, 2001, security and the formation of the U.S. Department of Homeland Security, visitor control has taken on increased importance because of concern over foreign

Site Selection

Site designers and planners must make at least the following considerations when deciding on the location for a facility. This example considers the location of a data operations center for a major corporation:

• Visibility: How conspicuous will the facility be at a particular site? Most data centers look nondescript for a reason: They don’t want to advertise what they are and attract undue attention. You will never find signs along the highway stating, “Highly Secure but Anonymous-Looking Data Operations Facility, Exit Here!” Low-key is the byword.
• Locale considerations: A wise prospective homeowner should always inspect the neighborhood before purchasing a new house. The same rule applies to site-selection committees. What are the local ordinances and variances? What is the crime rate of the surrounding neighborhood? Are potentially hazardous sites nearby, such as landfills, hazardous waste dumps, or nuclear reactors?
• Natural disasters: Several major corporations (including Charles Schwab) have moved their computer operations centers from the West Coast, particularly the San Francisco Bay area, to more geologically stable locations because of the risk of earthquakes. Other obvious natural threats to consider are tornadoes, hurricanes, floods, wildfires, chemical fires, vermin, pest damage, and snow and ice. Mother Nature’s hand is far reaching, but site planners can minimize risk by examining local weather patterns, checking the history of weather-related disasters, and determining their risk tolerance.
• Transportation: Are transportation routes such as airports, highways, and railroads nearby? If so, are they navigable? A good transportation system is important not only for the delivery of goods and services, but also for emergency evacuation procedures as part of a disaster recovery plan (DRP).

Physical Security Controls

Spectrums of physical controls are needed to support the principle of defense in depth. These include controls for the perimeter of the data center, employee and visitor badging, guard dogs when deemed appropriate, and building lighting.

Perimeter Security Controls

Controls on the perimeter of the data center are designed to prevent unauthorized access to the facility. These types of controls might have different “states” or behaviors based on the time of day or the day of the month. For example, a gate might allow controlled access during the day but be locked or closed at night.

Mantraps, as the name implies, are enclosed areas with a secure door on either end that literally “trap” an individual between doors. They address the problem of “piggybacking,” in which an individual without proper authorization enters a secure area behind an authorized person. To pass through the second door of the mantrap, the individual must pass a second level of validation—perhaps the authorization of a security guard, the entering of a password, or some other mechanism (see Figure 8.1 for an example of a mantrap).

Badging

Issued by a site security office, the photo identification badge is a perimeter security control mechanism that not only authenticates an individual, but also continues to identify the individual while inside the facility. Most sites issuing photo identification require that the individual display the badge where it is most visible, usually on the upper torso. The badge alone is no guarantee that unauthorized individuals are denied access—badges can be stolen and photos replaced—but combined with other perimeter controls, the badge offers a familiar and comfortable sense of security in most organizations.

Keys and Combination Locks

Keys and combination locks are how most people know physical security, mainly because they are the least complicated and expensive devices. Beyond the mechanical door lock opened with a key, locks can be programmed and opened with a combination of keys (such as the five-key pushbutton lock once popular in IT operations), a security badge with a magnetic strip, or some other mechanism. Locks are typically unguarded and are meant to delay intruders, not to deny them access. For that reason, you rarely find these devices in areas that require a high level of access authorization.

Security Dogs

Dogs are not just man’s best friend—they also make great security guards. Dogs can be unflinchingly loyal and rely on all their senses to detect intruders. They can also be trained to perform specialized services, such as sniffing out drugs or explosives at airports or alerting the blind to fire. The picture of the German shepherd tethered to a door behind an auto junkyard might be the first image that comes to mind when thinking about security dogs, but dogs are a highly effective form of perimeter security control when handled properly and humanely.

Lighting

Lighting is another form of perimeter protection that discourages intruders or other unauthorized individuals from entering restricted areas. You are likely familiar with how shopping malls use streetlights to discourage parking lot break-ins, and many homeowners have motion-detector lights installed on garages and back porches. Critical buildings and installations should use some form of lighting as a deterrent, whether floodlights, streetlights, or searchlights. According to the National Institute of Standards and Technology, critical areas (fire escapes, emergency exits, and so forth) require safety lighting to be mounted 8 feet high and burn with a candlepower of 2 candelas (the equivalent of a strong spotlight).

Technical Controls

The next group of physical security controls involves using computer hardware and software to protect facilities. The following are prominent technical controls:

• Smart/dumb cards
• Audit trails/access logs
• Intrusion detection
• Biometric access controls

Smart Cards

A smart card resembles a regular payment (credit) card, but it carries a semiconductor chip with logic and nonvolatile memory (see Figure 8.2). Unlike a security access card (badge with magnetic strip), the smart card has many purposes, including value for consumer purchases, medical identification, travel ticketing and identification, and building access control.

FYI: A Taxonomy of Smart Cards

Smart cards are essentially working computers with an infinite possibility of uses. On the physical level, smart cards are classified as contact, contactless, or combinations of the two. Contact smart cards require a reader (and/or writer) in which the card is inserted when it’s needed. Contactless cards contain an antenna read by remote receivers. Combination cards can be used both ways, depending on the applications intended.

Logically, you’ll find smart cards classified three different ways. Memory cards (the simplest form) are used to store values for future uses. The most common example of a memory card is a prepaid phone card redeemable through the bright-yellow reader slot found on modern pay phones. Protected memory cards require entry of a secret code or PIN before a stream of data can be sent to or received from the chip. Microprocessor cards contain a semiconductor chip to hold microcode that defines command structures, data file structures, and security structures. They are present when more intelligence or information storage is needed, and they often show up in multi-application products and services, such as combined access and stored-value cards.

Audit Trails and Access Logs

In financial settings such as banks, audit trails enable examiners to trace or follow the history of a transaction through the institution. For example, bank auditors or examiners can determine when information was added, changed, or deleted within a system, to understand how an irregularity occurred and hopefully correct it. The immediate goal is to detect the problem in order to prevent similar problems in the future. The audit trail should contain the following information:

• The user ID or name of the individual who performed the transaction
• Where the transaction was performed (hopefully using a fixed terminal ID)
• The time and date of the transaction
• A description of the transaction—that is, what function the user performed and on what device

Creating an audit log is not enough to protect a site, however. The retention period of the audit logs, recovery time (how long it takes to recall an archived log file), and, perhaps most important, the integrity of the data must also be considered, and the logging system must be designed appropriately.
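
As an added example (not from the chapter), the sketch below records the four audit-trail fields listed above for badge-reader events and protects their integrity by chaining a keyed MAC from entry to entry. The field names, reader IDs, key handling and chaining scheme are assumptions chosen for illustration, and the sample rows are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value that precedes the first entry

def _mac(key: bytes, prev_mac: str, record: dict) -> str:
    # Canonical JSON so the same record always produces the same MAC.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode("utf-8"), hashlib.sha256).hexdigest()

def append_entry(log, key, user_id, terminal_id, timestamp, description):
    """Append a record with the four audit-trail fields, chained to the previous entry."""
    record = {"user_id": user_id, "terminal_id": terminal_id,
              "timestamp": timestamp, "description": description}
    prev_mac = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "mac": _mac(key, prev_mac, record)})
    return log[-1]["mac"]  # head value: keep a copy away from the log itself

def first_bad_entry(log, key, expected_head=None):
    """Return the index of the first entry that fails verification, or -1 if intact.

    If every entry verifies but the final MAC differs from expected_head,
    entries were removed from the end; that is reported as len(log).
    """
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["mac"], _mac(key, prev_mac, entry["record"])):
            return i
        prev_mac = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev_mac, expected_head):
        return len(log)
    return -1

# --- Constructed sample data (hypothetical users, readers and key) ---
KEY = b"example-key-held-off-the-logging-host"
SAMPLE_ROWS = [
    ("jdoe", "READER-LOBBY-01", "2024-03-04T08:02:11Z", "badge accepted, lobby door"),
    ("jdoe", "READER-DC-03", "2024-03-04T08:05:40Z", "badge accepted, data center door"),
    ("asmith", "READER-DC-03", "2024-03-04T23:41:09Z", "badge rejected, data center door"),
]

def build_sample_log():
    """Build the sample log and return it with the head MAC of its last entry."""
    log, head = [], None
    for row in SAMPLE_ROWS:
        head = append_entry(log, KEY, *row)
    return log, head

if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", first_bad_entry(log, KEY, head))
    log[1]["record"]["user_id"] = "mallory"   # simulate an edited record
    print("after edit, first bad entry:", first_bad_entry(log, KEY, head))
```

Without the separately stored head value, removing entries from the end of the log goes unnoticed, which is why the retention and archival design has to cover the head as well as the log file.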

Intrusion Detection

Intrusion detection is another type of technical control. In this case, intrusion detectors and alarms alert security personnel when an unauthorized person attempts to access a system or building. Unlike the security guards, guard dogs, and security fencing discussed in the section on facility access control, this type of physical security control distinguishes itself by using technology. The burglar alarm is the most commonly known intrusion detection device, but as you can imagine, the technology has become much more sophisticated since the first devices were used. Consider the two categories of devices:

• Perimeter intrusion detectors: These devices are based on dry contact switches or photoelectric sensors. The former consists of metallic foil tape placed on windows or doorframes using contact switches. Disturbing the switches sets off an alarm. Dry contact switches are used in residential homes and shop fronts, where cost is important. Photoelectric sensors receive light beams, typically infrared, from a light-emitting device. When an intruder breaks the beams of light, he or she trips an alarm. This type of intrusion detection device is more expensive and usually found in larger facilities.
• Motion detectors: These devices detect unusual movements within a well-defined interior space. Included in this category of intrusion detection devices are wave pattern detectors that detect changes to light-wave patterns and audio detectors that passively receive unusual sound waves and set off an alarm.

Alarm Systems

The implementation of a series of the aforementioned intrusion detectors is referred to as an alarm system. A local alarm system sets off an alarm on the premises, alerting guards. Private security firms manage central-station systems, such as home alarms from ADT and other well-known home security companies. They monitor a system 24 hours a day and respond to alerts from a central location.

Biometrics

The use of biometrics (the Greek word for “life measurements”) in conjunction with more standard forms of authentication such as fixed passwords and PINs is beginning to attract attention as the cost of the technology decreases and its sophistication increases. In fact, the traditional scheme of password-based computer security could lose stature as the use of smart card–based cryptographic credentials and biometrics authentication becomes commercially viable. Companies such as the American Biometrics Corporation claim that using an individual’s unique physical characteristics along with other identification and authentication (I&A) techniques can almost unequivocally authenticate a user. Biometrics authentication uses characteristics of the human face, eyes, voice, fingerprints, hands, signature, and even body temperature; naturally, each technique has its strengths and weaknesses.

How Best Can Authentication Be Achieved?

Today, the use of fingerprints appears to be the cheapest and most reliable form of biometrics authentication, although techniques such as retina scanning and thermal patterns are currently being developed. Apple’s iPhone has the capability to register the user’s fingerprint with the device to unlock its functionality instead of using a PIN. The tip of the finger has characteristics called friction ridges, enclosures, and bifurcation points that uniquely differentiate one print from the print of any other individual. Because the fingerprint can vary in appearance throughout the day due to changes in temperature, skin moisture, dryness, oiliness, or cuts and abrasions, a direct comparison of digital images of the fingerprint cannot guarantee true authentication. Doing so would also require storing a complete image of the fingerprint in a database, which would attract the attention of civil liberties groups and government agencies.

Instead, fingerprints are compared based on their previously described characteristics and are thus characterized. How does this process work? The following steps generally describe how an individual is authenticated using a fingerprint:

1. Multiple images of the individual’s fingerprint are taken, using the center of the image as the reference point for the orientation and placement of other features.
2. The minutia features (ridges and other points) of importance surrounding the center of the image are computed as coordinate (XY) points and are catalogued in a database.
3. Each sample is scored based on the number and quality of coordinate values. The image with the highest (best sample) score becomes the “template” for the individual. This template is stored on a database and becomes the user’s baseline or foundational template. Because it contains only a subset of the fingerprint detail, the template cannot be used to reconstruct the fingerprint or impersonate a sample fingerprint.
4. When a user wants to authenticate, an algorithm is used to process the template stored in the database against the minutiae of the sample fingerprint. The level of security required determines the number of coordinate values that must match.
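
The four steps above can be sketched in code as follows. This is an added example, not from the chapter: the scoring rule, the distance tolerance, the per-level match counts and all coordinates are assumptions, and the samples are taken to be already aligned on the image center as in step 1.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Minutia:
    x: float        # offset from the image center (the reference point in step 1)
    y: float
    quality: float  # extractor confidence in 0..1 (assumed scale)

# Assumed policy: matching points required per security level (step 4).
REQUIRED_MATCHES = {"low": 4, "medium": 6, "high": 8}

def sample_score(sample):
    """Step 3: score a sample by the number and quality of its points."""
    return sum(m.quality for m in sample)

def enroll(samples, min_quality=0.5):
    """Keep only the coordinates of the best-scoring sample as the template."""
    best = max(samples, key=sample_score)
    return tuple((m.x, m.y) for m in best if m.quality >= min_quality)

def count_matches(template, sample, tolerance=3.0):
    """Pair each template point with its nearest unused sample point within tolerance."""
    unused = list(sample)
    matched = 0
    for tx, ty in template:
        best_i, best_d = None, tolerance
        for i, m in enumerate(unused):
            d = math.hypot(m.x - tx, m.y - ty)
            if d <= best_d:
                best_i, best_d = i, d
        if best_i is not None:
            unused.pop(best_i)  # a sample point may satisfy only one template point
            matched += 1
    return matched

def authenticate(template, sample, level):
    """Step 4: accept when enough coordinate values match for the required level."""
    return count_matches(template, sample) >= REQUIRED_MATCHES[level]

# --- Constructed data, not real biometric measurements ---
BASE = [(10, 12), (-15, 20), (22, -8), (-30, -25), (5, -40),
        (35, 30), (-42, 6), (18, 44), (-8, -14), (27, -33)]

def reading(points, dx=0.0, dy=0.0, quality=0.8):
    """Simulate one sensor reading: the given points, displaced, at one quality."""
    return [Minutia(x + dx, y + dy, quality) for x, y in points]

ENROLL_SAMPLES = [reading(BASE[:7], quality=0.9),  # partial print, sharp
                  reading(BASE, quality=0.8),      # full print, good
                  reading(BASE, quality=0.4)]      # full print, smudged
TEMPLATE = enroll(ENROLL_SAMPLES)
GENUINE = reading(BASE[:9], dx=1, dy=-1)     # same finger, slight displacement
DEGRADED = reading(BASE[:5], dx=1, dy=-1)    # same finger, half the points lost
IMPOSTOR = reading(BASE, dx=20, dy=20)       # unrelated point pattern

if __name__ == "__main__":
    for name, probe in [("genuine", GENUINE), ("degraded", DEGRADED),
                        ("impostor", IMPOSTOR)]:
        print(name, count_matches(TEMPLATE, probe),
              {lvl: authenticate(TEMPLATE, probe, lvl) for lvl in REQUIRED_MATCHES})
```

The degraded reading passes at the low level and fails at medium and high, which is the trade-off step 4 describes: raising the required match count rejects more impostors but also more legitimate users with cut or dry fingers.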

Environmental/Life Safety Controls

Think of the infrastructure required to maintain the optimal operating environment for man and machine, and you have environmental and life safety controls. The three most critical areas follow:

• Power (electrical, diesel)
• Fire detection and suppression
• Heating, ventilation, and air conditioning (HVAC)

Each of these areas is discussed briefly next. For a more complete discussion, see the CISSP Common Body of Knowledge description (www.isc2.org/).

Power

Whereas human beings can light candles when the power goes out, computers depend on an uninterrupted and regulated supply of power for constant voltage and current—computer equipment is highly sensitive to fluctuations in either voltage or current. We hardly need to mention the importance of electricity in our working and private lives, but whereas the consumer patiently waits for the lights to come back on, businesses count the minutes in terms of lost revenue and productivity.

Fire Detection and Suppression

It is outside the scope of this book to discuss at length the details surrounding this extremely important technical control. If you plan to study more about physical security, you will need to understand these particulars. We briefly touch on the main areas of this control here, but you should consult one of the websites or CISSP exam prep books recommended throughout this text for further information.

• Fire types: Fires are classified according to the type of combustibles and recommended methods of suppression. The four types of fires include common combustibles (wood, paper, and so forth), liquids (petroleum products, coolants, and so forth), electrical, and combustible metal (such as magnesium).
• Fire detectors: Fire detectors can be one of several types. Heat-sensing systems respond to either a predetermined threshold or a rapid rise in temperature. Flame detectors sense infrared energy or the pulsation of the flame. Smoke detectors use photoelectric sensors to respond to variations in the light hitting the photoelectric cells.
• Fire-extinguishing systems: When a fire occurs, the heating, ventilation, and air conditioning system (HVAC) must be stopped immediately to prevent the flow of oxygen. To extinguish the fire, either a water-sprinkler system or a gas discharge system is used.

Water-sprinkler systems have four classifications: wet pipe, dry pipe, deluge, and pre-action. Wet pipe systems hold water in the pipes that is released when heat opens a valve. Dry pipe systems do not have standing water in the pipes, so they eliminate the potential damage of a flood from a burst pipe in a wet pipe system. When water is needed, a central valve outside the data center is opened (automatically when a fire is sensed), and water flows into the plumbing only when it’s required to extinguish a fire. The deluge system is a dry pipe system with a substantially higher volume of water. The pre-action system combines elements of both wet and dry pipe systems and is the recommended fire-extinguishing system for computer rooms.

Heating, Ventilation, and Air Conditioning (HVAC)

The classifieds always seem to have ads for HVAC repairmen. That’s because reliable and uninterrupted heating, ventilation, and air conditioning systems are critical environmental controls. Computers are particularly sensitive to the smallest fluctuations in temperature and humidity. We frequently take HVAC environmental controls for granted, but the IT manager or the person(s) responsible for these systems should know exactly what to do and whom to contact in the event of failure. Routine maintenance of critical infrastructure systems should prevent any significant failure of HVAC systems.
