CISSP For Dummies

Physical (Environmental) security controls include a combination of physical access controls, technical controls, environmental and life safety controls, fire detection and suppression, and administrative controls.

Physical access controls

Physical access controls consist of the systems and techniques used to restrict access to a security perimeter and provide boundary protection. These include fencing, security guards, dogs, locks, storage areas, security badges, and biometric access controls.

Fencing

Fencing is the primary means for securing an outside perimeter or external boundary and an important element of physical security that the CISSP candidate must know for the exam. Fencing provides physical access control and includes fences, gates, turnstiles, and mantraps. The main disadvantages of fencing are cost and appearance. General fencing height requirements are listed in Table 13-3.

Mantraps

A mantrap is a physical access control method consisting of a double set of locked doors or turnstiles. The mantrap may be guarded or monitored, may require different levels of access to pass through both doors or in a different direction and, in more advanced systems, may have a weight-sensing floor to prevent more than one person from passing through at once.

Security guards

Throughout history, guards have been used to provide physical security for many different situations and environments. Although modern surveillance equipment, biometric access controls, and intrusion detection systems (IDS) may seem to diminish the role of security guards; on the contrary, these tools have increased the need for skilled physical security personnel capable of operating advanced technology and applying discerning judgment. The major advantages of security guards include

• Discernment: Guards can apply human judgment to different situations.

• Visibility: Guards provide a visible deterrent, response, and control capability.

• Dual functions: Guards can also perform reception and visitor escort functions.

Some disadvantages include

• Unpredictability: Preemployment screening and bonding doesn’t necessarily assure reliability or integrity.

• Imperfections: Along with human judgment comes the element of human error.

• Cost: Maintaining a full-time security force (including training) or out-sourcing these functions can be very expensive.

 Instant Answer   The main advantage of security guards is their ability to use human judgment when responding to different situations.

Dogs

Like human guards, dogs also provide a highly visible deterrent, response, and control capability. Additionally, dogs are typically more loyal and reliable than humans, with more acute sensory abilities (smell and hearing). However, the use of guard dogs is typically restricted to an outside security perimeter. Other considerations include

• Limited judgment capability

• Cost and maintenance

• Potential liability issues

Locks

Doors, windows, and other access points into secure or sensitive areas need to be protected. One of the simplest ways to accomplish this is with a lock. The three basic types of locks are

• Preset: These are basic mechanical locks that consist of latches, cylinders, and deadbolts; all require a key to open them.

• Programmable: These can be mechanical (such as dial combination or five-key pushbutton) or electronic (cipher lock or keypad). Shoulder surfing, a social engineering technique commonly used against these types of locks, involves casually observing an authorized individual entering an access code.

• Electronic: These locks utilize an electronic key (similar to the fancy keys found on expensive cars) that functions like a hybrid smart card (covered later in this section) and physical key.

Storage areas

Storage areas containing spare equipment and parts, consumables, and deliveries should be locked and controlled to help prevent theft. Additionally, you should be aware of any hazardous materials being stored in such areas and any environmental factors or restrictions that may affect the contents of the storage area.

Security badges

Security badges (or access cards) are used for identification and authentication of authorized personnel entering a secure facility or area.

A photo identification card (also referred to as a dumb card) is a simple ID card with a facial photograph of the bearer. Typically, no technology is embedded in these cards for authentication purposes, requiring that a security guard determines whether entry is permitted by the bearer.

Smart cards are digitally encoded cards that contain an integrated chip (IC) or magnetic stripe (possibly in addition to a photo). Various types of smart cards include

• Magnetic stripe: The most basic type of smart card. Information is encoded in a magnetic stripe. Common examples include credit cards and automatic teller machine (ATM) cards.

• Optical-coded: Similar to, but more reliable than, a magnetic stripe card.

  Information is encoded in a laser-burned lattice of digital dots. These are becoming more common on U.S. state driver’s licenses.

• Electric circuit: Contains printed electrical contacts on the card surface.

  These are true smart cards, commonly used for logical access control to computer systems.

• Proximity card: Doesn’t require the bearer to physically insert the card into the reader. Instead, the reader senses the card in the general area and takes the appropriate action. The three common types of system-sensing proximity cards are

  • Passive: These devices contain no battery or power on the card. They use the electromagnetic field transmitted by the reader to transmit access information (identification) at different frequency levels.

  • Field-powered: These devices contain active electronics, an RF transmitter, and power supply on the card.

  • Transponders: Both the card and reader contain a transceiver, control logic, and battery. The reader transmits an interrogating signal (challenge) causing the card to transmit an access code (response).

Although more common in logical access controls, smart cards can also provide two-factor authentication in physical access control systems by requiring the user to enter a personal identification number (PIN) or password, or by incorporating an authentication token or other challenge-response mechanism.

Smart cards, and their associated access control systems, can be programmed to permit multilevel access, restrict access to certain periods (day and time), and log access information.

 Warning   In the Physical (Environmental) Security domain, smart card is used as a general term to describe any security badge or access card with built-in identification and authentication features, such as embedded technology. This may be as simple as a magnetic stripe on an ID card that’s swiped through a card reader. However, in the Access Control domain, a smart card refers to a very specific, highly specialized type of access card: A magnetic stripe doesn’t qualify.

Biometric access controls

Biometrics provides the only absolute method for positively identifying an individual based on some unique physiological or behavioral characteristic of that individual (something you are). We discuss biometrics extensively in Chapter 4. Although biometrics in the Physical (Environmental) Security domain refers to physical access control devices (rather than logical access control devices, as in the Access Control domain), the underlying concepts and technologies are the same. To review, the major biometric systems in use today include

• Finger scan systems

• Hand geometry systems

• Retina pattern

• Iris pattern

• Voice recognition

• Signature dynamics

The accuracy of a biometric system is normally stated as a percentage, in the following terms:

• False Reject Rate (FRR) or Type I error: Authorized users who are incorrectly denied access, stated as a percentage.

• False Accept Rate (FAR) or Type II error: Unauthorized users who are incorrectly granted access, stated as a percentage.

• Crossover Error Rate (CER): The point at which the FRR equals the FAR, stated as a percentage.

Technical controls

Technical controls include monitoring and surveillance, intrusion detection systems (IDS), and alarms that alert personnel to physical security threats and allow them to respond appropriately.

Surveillance

Visual surveillance systems include photographic and electronic equipment that provide detective and deterrent controls. When used to monitor or record live events, they’re a detective control. The visible use of these systems also provides a deterrent control.

Electronic systems such as closed-circuit television (CCTV) are used to extend and improve the monitoring and surveillance capability of security guards. Photographic systems, including recording equipment, are used to record events for later analysis or as evidence for disciplinary action and prosecution.

Intrusion detection

Intrusion detection in the physical security domain refers to systems that detect attempts to gain unauthorized physical access to a building or area. Modern intrusion detection systems (IDS) commonly use the following types of sensors:

• Photoelectric sensors: A grid of visible or infrared light is projected over the protected area. If a beam of light within the grid is disturbed, an alarm is sounded.

• Dry contact switches and metallic tape: These systems are inexpensive and commonly used along a perimeter or boundary on door and window frames. For example, if the circuit switch is opened or the metallic tape broken, an alarm is sounded.

• Motion detectors: Three categories of motion detectors are

  • Wave pattern: Generates a low frequency, ultrasonic, or microwave field over a protected area up to 10,000 square feet (3,000 square meters). Any motion changes the frequency of the reflected wave pattern, causing an alarm to be sounded.

  • Capacitance: Monitors an electrical field for changes in electrical capacitance caused by motion. This type of motion detector is typically used for spot protection within a few inches of a protected object.

  • Audio: Passive system (doesn’t generate a wave pattern or electrical field) triggered by any abnormal sound. This type of device generates more false alarms and should only be used in areas with low ambient noise.

 Warning   Don’t confuse intrusion detection systems (IDS) used to detect physical intruders in the Physical (Environmental) Security domain with network-based and host-based intrusion detection systems (IDS) used to detect cyber-intruders.

Alarms

Alarms are activated when a certain condition is detected. Examples of systems employing alarms include fire and smoke detectors, motion sensors and intrusion detection systems (IDS), metal and explosives detectors, access control systems (physical and logical), environmental (for instance, standing water), and climate control monitoring systems.

Alarm systems should have separate circuitry and a backup power source. Line supervision, comprising technology and processes used to detect attempts to tamper with or disable an alarm system, should also be implemented.

The five general types of alarm systems are

• Local systems: An audible alarm is sounded on the local premises. These systems require a local response capability; that is, someone must call the police/fire department and/or respond directly.

• Central station systems: These systems are operated and monitored by private security organizations connected directly to the protected site via leased lines.

• Proprietary systems: These are similar to central station systems but are operated and monitored directly on the premises.

• Auxiliary station systems: These systems - which require prior authorization - use local municipal police or fire circuits to transmit an alarm to the appropriate police or fire headquarters. These systems are typically used in conjunction with one of the above systems (particularly central station systems) to improve response capabilities.

• Remote station systems: These systems are similar to auxiliary station systems but don’t use police and fire circuits and also don’t necessarily send the alarm to a police or fire department. An automatic dial-up fire alarm that dials a local police or fire department and plays a prerecorded message is an example of a remote station system.

Environmental and life safety controls

These are the controls necessary for maintaining a safe and acceptable operating environment for computers and personnel. These include electrical power, HVAC, smoke detection, and fire detection and suppression.

Electrical power

General considerations for electrical power include having a dedicated feeder(s) from one or more utility substations or power grids and also ensuring that adequate physical access controls are implemented for electrical distribution panels and circuit breakers. An Emergency Power Off (EPO) switch should be installed near major systems and exit doors to shut down power in case of fire or electrical shock. Additionally, a backup power source should be established, such as a diesel power generator. Backup power should only be provided for critical facilities and systems including emergency lighting, fire detection and suppression, mainframes and servers (and certain workstations), HVAC, physical access control systems, and telecommunications equipment.

Protective controls for ESD include

• Maintain proper humidity levels (40–60 percent)

• Ensure proper grounding

• Use anti-static flooring, anti-static carpeting, and floor mats

Protective controls for electrical noise include

• Install power line conditioners

• Ensure proper grounding

• Use shielded cabling

Using an Uninterruptible Power Supply (UPS) is perhaps the most important protection against electrical anomalies. A UPS provides clean power to sensitive systems and a temporary power source during electrical outages (black-outs, brownouts, and sags); it’s important that this power supply is sufficient to properly shut down the protected systems. Note: A UPS should not be used as a backup power source. A UPS - even a building UPS - is designed to provide temporary power, typically for 5–30 minutes, in order to give a diesel generator time to start up or to allow a controlled and proper shutdown of protected systems.

Surge protectors and surge suppressors provide only minimal protection for sensitive computer systems and are more commonly (and dangerously) used to overload an electrical outlet or as a daisy-chained extension cord. The protective circuitry in most of these units cost less than one dollar (compare the cost of a low-end surge protector with that of a 6-foot extension cord), and you get what you pay for - these glorified extension cords provide only minimal spike protection. True, a surge protector does provide more protection than nothing at all, but don’t be lured into complacency by these units - check them regularly for proper use and operation and don’t accept them as a viable alternative to a UPS.

HVAC

Heating, ventilation, and air conditioning (HVAC) systems maintain the proper environment for computers and personnel. HVAC requirements planning involves complex calculations based on numerous factors including the average BTUs (British Thermal Units) produced by the estimated computers and personnel occupying a given area, the size of the room, insulation characteristics, and ventilation systems.

The ideal temperature range for computer equipment is between 50–80° F (10–26° C). At temperatures as low as 100° F (38° C), magnetic storage media can be damaged.

 Instant Answer   The ideal temperature range for computer equipment is between 50–80° F (10–26° C).

The ideal humidity range for computer equipment is between 40–60 percent. Higher humidity causes condensation and corrosion. Lower humidity increases the potential for ESD or static electricity.

Doors and side panels on computer equipment racks should be kept closed (and locked, for physical access control) to ensure proper airflow for cooling and ventilation.

Heating and cooling systems should be properly maintained and air filters cleaned regularly to reduce dust contamination and fire hazards.

Most gas discharge fire suppression systems will automatically shut down HVAC systems prior to discharging, but a separate EPO should be installed near exits to facilitate a manual emergency shutdown.

Ideally, HVAC equipment should be dedicated, controlled, and monitored. If the systems aren’t dedicated or independently controlled, proper liaison with the building manager is necessary to ensure that escalation procedures are effective and understood. Monitoring systems should alert the appropriate personnel when operating thresholds are exceeded.

Fire detection and suppression

Fire detection and suppression systems are some of the most essential life safety controls for protecting facilities, equipment, and most important, human lives.

Detection systems

The three main types of fire detection systems are

• Heat-sensing: These devices either sense temperatures exceeding a predetermined level (fixed-temperature detectors) or rapidly rising temperatures (rate-of-rise detectors). The former are more common and exhibit a lower false alarm rate.

• Flame-sensing: These devices either sense the flicker (or pulsing) of flames or the infrared energy of a flame. These systems are relatively expensive but provide an extremely rapid response time.

• Smoke-sensing: These devices detect smoke, one of the by-products of fire. There are four types of smoke detectors:

  • Photoelectric: These sense variations in light intensity.

  • Beam: Similar to photoelectric by sensing when smoke interrupts beams of light.

  • Ionization: These detect disturbances in the normal ionization current of radioactive materials.

  • Aspirating: These draw air into a sampling chamber to detect minute amounts of smoke.

 Instant Answer   The three main types of fire detection systems are heat-sensing, flame-sensing, and smoke-sensing.

Suppression systems

The two primary types of fire suppression systems are

• Water sprinkler systems: Water extinguishes fire by removing the heat element from the fire triangle and is most effective against Class A fires. Water is the primary fire-extinguishing agent for all business environments. Although water can potentially damage equipment, it’s one of the most effective, inexpensive, readily available, and least harmful (to humans) extinguishing agents available. The four variations of water sprinkler systems are

  • Wet pipe (or closed head system): Most commonly used and considered the most reliable. Pipes are always charged with water and ready for activation. Typically a fusible link in the nozzle melts or ruptures, opening a gate valve that releases the water flow. Disadvantages include flooding because of nozzle or pipe failure and because of frozen pipes in cold weather.

  • Dry pipe: No standing water in the pipes. Upon activation, a clapper valve opens, air is blown out of the pipe, and water flows. This type of system is less efficient than the wet pipe system but reduces the risk of accidental flooding; the time delay provides an opportunity to shut down computer systems (or remove power), if conditions permit.

  • Deluge: Operates similarly to a dry pipe system but is designed to quickly deliver large volumes of water. Deluge systems are typically not used for computer equipment areas.

  • Preaction: Combines wet and dry pipe systems. Pipes are initially dry. When a heat-sensor is triggered, the pipes are charged with water, and an alarm is activated. Water isn’t actually discharged until a fusible link melts (like in wet pipe systems). This system is recommended for computer equipment areas because it reduces the risk of accidental discharge by permitting manual intervention.

   Instant Answer   The four main types of water sprinkler systems are wet pipe, dry pipe, deluge, and preaction.

• Gas discharge systems: Gas discharge systems may be portable (such as a CO2 extinguisher) or fixed (beneath a raised floor). These systems are typically classified according to the extinguishing agent that’s employed. These include

  • Carbon dioxide (CO2): CO2 is a commonly used colorless, odorless gas that extinguishes fire by removing the oxygen element from the fire triangle. (Refer to Figure 13-1.) CO2 is most effective against Class B and C fires. Because it removes oxygen, its use is potentially lethal and best suited for unmanned areas or with a delay action (with manual override) in manned areas.

  CO2 is also used in portable fire extinguishers, which should be located near all exits and within 50 feet (15 meters) of any electrical equipment. All portable fire extinguishers (CO2, water, and soda acid) should be clearly marked (listing the extinguisher type and the fire classes to be used for) and periodically inspected. Additionally, all personnel should receive training on proper fire extinguisher use.

  • Soda acid: This includes a variety of chemical compounds that extinguish fires by removing the fuel element (suppressing the flammable components of the fuel) of the fire triangle. (Refer to Figure 13-1.) Soda acid is most effective against Class A and B fires. It is not used for Class C fires because of the highly corrosive nature of many of the chemicals used.

  • Gas discharge: Gas discharge systems suppress fire by separating the elements of the fire triangle (a chemical reaction) and are most effective against Class B and C fires. (Refer to Figure 13-1.) Inert gases don’t damage computer equipment, leave no liquid or solid residue, mix thoroughly with the air, and spread extremely fast. However, these gases in concentrations above 10 percent are harmful if inhaled, and some types degrade into toxic chemicals (hydrogen fluoride, hydrogen bromide, and bromine) when used on fires with temperatures above 900°F (482°C).

  Halon used to be the gas of choice in gas-discharge fire suppression systems. However, because of Halon’s ozone-depleting characteristics, the Montreal Protocol of 1987 prohibited the further production and installation of Halon systems beginning in 1994, instead encouraging replacement of existing systems. Acceptable replacements for Halon include FM-200 (most effective), CEA-410 or CEA-308, NAF-S-III, FE-13, Argon or Argonite, and Inergen.

 Instant Answer   Halon is an ozone-depleting substance. Acceptable replacements include FM-200, CEA-410 or CEA-308, NAF-S-III, FE-13, Argon or Argonite, and Inergen.

Administrative controls

These include the policies and procedures necessary to ensure that physical access, technical controls, and environmental and life safety controls are properly implemented and achieve an overall physical security strategy.

Restricted areas

Areas in which sensitive information is handled or processed should be formally designated as restricted areas with additional security controls implemented. Restricted areas should be clearly marked, and all employees should know the difference between authorized and unauthorized personnel: specifically, how to detect whether someone on the premises is authorized or not.

Visitors

Visitor policies and escort requirements should be clearly defined in the organizational security policy. All visitors should be required to present proper identification to a security guard or receptionist, sign a visitor log, complete a nondisclosure agreement (when appropriate), and wear a conspicuous badge that both identifies them as a visitor and clearly indicates whether an escort is required (often done with color-coded badges). If an escort is required, the assigned escort should be identified by name and held responsible for the visitor at all times while on the premises.

Audit trails and access logs

Audit trails and access logs are detective controls that provide a record of events. These records can be analyzed for unauthorized access attempts and patterns of abuse; they can also potentially be used as evidence. We cover audit trails in Chapter 12.

Asset classification and control

Asset classification and control, particularly physical inventories, are an important detective control. The proliferation of desktop PCs, notebooks, personal digital assistants (PDAs), and wireless devices has made theft a very common and difficult physical security threat to counter. An accurate inventory helps identify missing equipment and may potentially be used as evidence.

Emergency procedures

Emergency procedures must be clearly documented, readily accessible (often posted in appropriate areas), periodically updated, and routinely practiced (in training and drills). Additional copies may also be kept at secure off-site facilities. Emergency procedures should include emergency system shutdown procedures, evacuation plans and routes, and business continuity plan/disaster recovery plan (BCP/DRP), which we cover in Chapter 11.

General housekeeping

Good housekeeping practices are an important aspect of physical security controls. Implementing and enforcing a no-smoking policy helps to reduce not only potential fire hazards but also contamination of sensitive systems. Cleaning dust and ventilation systems helps maintain a cleaner computing environment and also reduces static electricity and fire hazards. Keeping work areas clean and trash emptied reduces potential fire hazards (combustibles) and also helps identify and locate sensitive information that may have been improperly or carelessly handled.

Pre-employment and post-employment procedures

These include procedures for background and reference checks, obtaining security clearances, granting access, and termination procedures. These procedures are covered extensively in Chapters 6 and 10.