Physical security how to secure physically
- 1. © 2006 Carnegie Mellon University 95752-2:1 Physical Security
- 2. © 2006 Carnegie Mellon University 95752-2:2 Three Security Disciplines • Physical – Most common security discipline – Protect facilities and contents • Plants, labs, stores, parking areas, loading areas, warehouses, offices, equipment, machines, tools, vehicles, products, materials • Personnel – Protect employees, customers, guests • Information – The rest of this course
- 3. © 2006 Carnegie Mellon University 95752-2:3 Information Revolution • Information Revolution as pervasive at the Industrial Revolution • Impact is Political, Economic, and Social as well as Technical • Information has an increasing intrinsic value • Protection of critical information now a critical concern in Government, Business, Academia
- 4. © 2006 Carnegie Mellon University 95752-2:4 Politics and Technology • The end of the Cold War resulted in a greater political complexity • Information critical to all aspects of government • Military • Commerce • Politics – Information is Power – Protection of information more important than ever
- 5. © 2006 Carnegie Mellon University 95752-2:5 Business and Technology • Information has become a product on its own • Information technologies critical • Protection of information essential • Business now dependent on the Net • Who controls the ON/OFF Switch?
- 6. © 2006 Carnegie Mellon University 95752-2:6 The New World • The Internet allows global connectivity • Cyber-space has no borders • Anonymity easy to accomplish • New breed of threat • Technically smart • Determined, knowledgeable • Physical Security often overlooked in the new threat environment
- 7. © 2006 Carnegie Mellon University 95752-2:7 Nature of the Threat • Threat environment changes • Nation-state threat – Countries see computers as equalizers – New balance of power through information control • Non-state actors – New levels of potential threat – “Strategic Guns for Hire” – Terrorism remains physical act • Physical attacks against information sources requires minimal effort for maximum effect - Gums up the Gears!!!!
- 8. © 2006 Carnegie Mellon University 95752-2:8 How Has It Changed? • Physical Events Have Cyber Consequences •Cyber Events Have Physical Consequences
- 9. © 2006 Carnegie Mellon University 95752-2:9 • Physical Attacks require little resources • Insider threat very real • Disgruntled employee • Agent for hire • Tactics well known and hard to stop • World Trade Center • Aldrich Aimes • Financial network facilities viable target • Target information readily available Threat and Physical Security
- 10. © 2006 Carnegie Mellon University 95752-2:10 Why Physical Security? • Not all threats are “cyber threats” • Information one commodity that can be stolen without being “taken” • Physically barring access is first line of defense • Forces those concerned to prioritize! • Physical Security can be a deterrent • Security reviews force insights into value of what is being protected
- 11. © 2006 Carnegie Mellon University 95752-2:11 Layered Security • Physical Barriers • Fences • Alarms • Restricted Access Technology • Physical Restrictions • Air Gapping • Removable Media • Remote Storage • Personnel Security Practices • Limited Access • Training • Consequences/Deterrence
- 12. © 2006 Carnegie Mellon University 95752-2:12 Physical Barriers • Hardened Facilities • Fences • Guards • Alarms • Locks • Restricted Access Technologies – Biometrics – Coded Entry – Badging • Signal Blocking (Faraday Cages)
- 13. © 2006 Carnegie Mellon University 95752-2:13 Outer Protective Layers • Structure – Fencing, gates, other barriers • Environment – Lighting, signs, alarms • Purpose – Define property line and discourage trespassing – Provide distance from threats
- 14. © 2006 Carnegie Mellon University 95752-2:14 Middle Protective Layers • Structure – Door controls, window controls – Ceiling penetration – Ventilation ducts – Elevator Penthouses • Environment – Within defined perimeter, positive controls • Purpose – Alert threat, segment protection zones
- 15. © 2006 Carnegie Mellon University 95752-2:15 Inner Protective Layers • Several layers • Structure – Door controls, biometrics – Signs, alarms, cctv – Safes, vaults • Environment – Authorized personnel only • Purpose – Establish controlled areas and rooms
- 16. © 2006 Carnegie Mellon University 95752-2:16 Example System: SEI • Building Structure: – 6 exterior doors – Windows secured – Exterior Lit • Middle Layers: – Guard desk – Proximity card system – CCTV • Inner Layers: Intellectual Property Protection
- 17. © 2006 Carnegie Mellon University 95752-2:17 Other Barrier Issues • Handling of trash or scrap • Fire: – Temperature – Smoke • Pollution: – CO – Radon • Flood • Earthquake
- 18. © 2006 Carnegie Mellon University 95752-2:18 Physical Restrictions • Air Gapping Data • Limits access to various security levels • Requires conscious effort to violate • Protects against inadvertent transmission • Removable Media • Removable Hard Drives • Floppy Disks/CDs/ZIP Disks • Remote Storage of Data • Physically separate storage facility • Use of Storage Media or Stand Alone computers • Updating of Stored Data and regular inventory
- 19. © 2006 Carnegie Mellon University 95752-2:19 Personnel Security Practices • Insider Threat the most serious • Disgruntled employee • Former employee • Agent for hire • Personnel Training • Critical Element • Most often overlooked • Background checks • Critical when access to information required • Must be updated • CIA/FBI embarrassed
- 20. © 2006 Carnegie Mellon University 95752-2:20 People • Disgruntled employee / former employee • Moonlighter • Marketing, sales representatives, etc. • Purchasing agents, buyers, subcontract administrators • Consultants • Vendor/Subcontractor • Clerical • Applicants, Visitors, Customers
- 21. © 2006 Carnegie Mellon University 95752-2:21 Activities or Events • Publications, public releases, etc. • Seminars, conventions or trade shows • Survey or questionnaire • Plant tours, “open house”, family visits • Governmental actions: certification, investigation • Construction and Repair
- 22. © 2006 Carnegie Mellon University 95752-2:22 Technical Security • Alarms • Loud and Noisy • Silent • Integrated into barrier methods • Video/Audio • Deterrent factor • Difficult to archive • Bio-Metrics • Identification • Reliability questions
- 23. © 2006 Carnegie Mellon University 95752-2:23 NISPOM National Industrial Security Operating Manual • Prescribes requirements, restrictions and other safeguards that are necessary to prevent unauthorized disclosure of information • Protections for special classes of information: Restricted Information, Special Access Program Information, Sensitive Compartmented Information • National Security Council provides overall policy direction • Governs oversight and compliance for 20 government agencies
- 24. © 2006 Carnegie Mellon University 95752-2:24 The Place of Physical Security • Physical Security is part of integrated security plan • Often overlooked when considering Information Security • No information security plan is complete without it!