1 / 54

Physical Site Security

Physical Site Security. (slides from Isabel Summe and Daniel Castro). Site Policy. What is a site policy? “Sets out rules and principles which affect the way an organization approaches problems”

jshelton
Download Presentation

Physical Site Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Physical Site Security (slides from Isabel Summe and Daniel Castro)

  2. Site Policy • What is a site policy? • “Sets out rules and principles which affect the way an organization approaches problems” • “Leads to the specification of the agreed conditions of use of an organization's resources for users and other clients” • “Exists to prevent the loss of an asset or its value” Source: McMillan, Rob. “Site Security Policy Development”. from Australian CERT

  3. Site Policy • Site policy should: • State mission/purpose of the facility • Compliment… • Facility use policy, facility safety policy, IT policy, business plan and any other policy related to the facility • Have buy in from management • Must be consistent and enforceable • Point to responsible parties (including facilities manager). Who should do what? • Empower people to execute their responsibilities

  4. Site Policy • A site policy should: • Describe how visitors are handled • Describe how buildings or facilities are accessed by employees, contractors & visitors • Review physical access points to the network and who and how people can get on the network • Review what hardware and media can enter or exit the facility and who has permission to do that • Describe how communication will occur (staff, managers, incident reporting, etc.)

  5. Site Policy • Determine what you are protecting • Document the assets you are protecting • Assign a value (convert all values to $ for easy comparison) • This is hard as it is easy to overlook many functions and tools that are taken for granted • For example information doesn't solely exist in computers or CDs, DVDs…it can exists on paper, on walls, in people’s brain. It can be transferred not only via the computer network, but verbally, sign language, etc. • Assign a risk for each asset under the current conditions

  6. Site Policy • Regulatory requirements • There may be Sarbanes-Oxley requirements that affect site policy if the site contains a computer room: • Access control • Ensuring protection of critical systems • OSHA requirements

  7. Physical Security • Reasons for physical security • Theft • Console-based attacks • Network sniffing, key logging, remote access • Who has physical access? Should they? How do we prevent tampering? Etc.

  8. Control Volume of Facility By drawing a control volume around the facility, a flow of items that go in and out of facility can be more easily identified • Visitors • Shipments • Employees • Animals • Malicious people • Information (CD, network, memory sticks) • Vehicles IN • Visitors • Shipments • Employees • Animals • Snow, Sleet, Ice • Malicious people • Information (CD, network, memory sticks) • Vehicles Trees, Satellite, Equipment, People, Buildings, Hardware, Information- on paper, Network, Server, Client, Brains OUT

  9. Physical Security Countermeasures

  10. Layers of physical security • Wired / wireless • Border • Campus • Building • Secure floor • Computer room • Secure system, file cabinet, etc.

  11. Wired / Wireless • Physical access to wireless / wired outlets • Patrol perimeter • Wireless perimeter security (Newbury) • Faraday cage / TEMPEST shield

  12. Border - Countermeasures • Goal: Provide security to campus and buildings • Fencing, gates, guards, access control, airspace control

  13. Campus - Entering the facility • Employees • Photo ID badges, w/RFID, biometrics, uniforms • Turn styles • Metal detectors • Drop off points • Automobiles • Tags • Items allowed on site • Weapons (or potential weapons) • PCs from home • Computer media

  14. Campus - Entering the facility • Visitors • Allow laptops in building / on network • Require visitors to sign in • Escort visitors while on facility • Only permit expected visitors • Limit access

  15. Campus - Exiting the facility • Sign out/badge swipe/biometric • Declaration of items carried out (audit) • Designated exits

  16. Campus - Conduct • Possible requirements • Badge visible at all times • Parking tags • Visitors’ conduct • Make visitors wear neon hats • Who is responsible for visitors’ conduct? • Employee & contractor conduct and acceptable access while on site

  17. Campus - Countermeasures • Area – remote, industrial, crime-level, etc. • Barriers – fencing, walls, water, etc. • Lighting – low level floodlights & alarms • CCTV – supplement to guards & patrols • Intruder & fire alarms

  18. Building - Countermeasures • Audio / visual monitoring • Time-lapse recording logs who accessed resources • Store offsite & retain tapes for sufficient time period • Facility locks – key locks, keypads, keycards, smartcards, biometrics • Doors & door frame • Shut automatically • Sound alarm when propped open • Educate employees

  19. Building - Communication systems • Regularly inspect communication systems to preventing tapping • Use encryption when possible • Difficult to restrict access to communication systems from those who “need” it • Search for transmitting “bugs” • Papers should be shredded, whiteboard erased, etc. • Monitors directed away from windows • Prevent access to fax machines & similar devices by unauthorized users

  20. Secure Floor • Receptionist • First line of defense • Force sign-in, sign-out • Reception area always attended • Work areas are neat and clutter free • Power cords and cables do not cross walkways • Older, unsafe furniture/fixtures are replaced • Obsolete computer equipment is not stored in the computer room on a regular basis • Combustible material not currently in use is not stored on the secure floor • Walkways and fire exits are kept clear • Exits are well marked

  21. Computer Room - Location • Do’s • Inside overall complex • Intruder must pass numerous people • Far from hazards (other buildings, combustible storage tanks, railway lines, aircraft flight plans, etc.) • One route in & out • Have secure/controlled/monitored entrance • In high security environments, prevent signal leakage

  22. Computer Room - Location • Don’ts • Not on perimeter • Not on outside ground floor wall • Underground • Allow windows into computer room • Allow external windows to open • Permit people inside computer room without need

  23. Computer Room - UPS • Uninterruptible Power Supply • Large scale UPS for important infrastructure • Do not run equipment directly from generator without checking power quality • If available, UPS software on the equipment can provide a controlled shutdown • Test the UPS, either in response to a power disruption, or as part of a planned test

  24. Computer Room - Environment • Goal: Minimize the risks of heat, fire, and water damage to computing assets and facilities • Install smoke, heat and water sensors • Fire suppression • Manually activated / automatically activated fire suppression equipment • Fire extinguisher conveniently located and well marked. • Inspect and test fire suppression equipment routinely or as required by local fire regulations       • Visually inspect self-contained, portable fire extinguishers & service by qualified servicing personnel • Employees with access to the computer room are trained in the use of fire extinguishers • Employees expected to use the fire extinguishers must be trained on a yearly basis according to OSHA regulations

  25. Computer Room - Environment • Fire suppression • Fireproof walls for computer room • Do not use water – water damage • Dry chemical or gas fire suppression system • Floods • Protect computing assets from standing water • Raised floors – 18 inches off ground • But protect from intruders • Do not put computers in basement • Heat • A/C units are installed that are sufficient to support the equipment in the room

  26. Computer Room - Access control • Unauthorized people kept out because: • Accidental or malicious damage • Confidential information • Interfere with operations & operators • Introduce contamination • Do not know policies of computer room

  27. Compute Room - Access Control • Physical access to the computer room is restricted and logged • Ceilings - Drop ceilings commons, but can allow intruders access into computer room • Logs should contain at a minimum: • Date, Time, Reason, User Identification • If combination locks are used, the combinations are changed when turnover occurs or at least once a year • If key locks are used, the locks are changed when a key cannot be accounted for • Procedures exist to grant access to room • Access requests are approved by IT management • Review access to secure areas to ensure that access is still appropriate

  28. Computer Room - Other • Visitors/service personnel must sign in & be escorted • Utility systems secured (A/C, power supplies, network connections, emergency power) • Logs of all equipment including configuration & serial numbers • All incoming/outgoing documents/products are logged • All incoming packages are inspected • Printed & electronic media are disposed of properly

  29. Wiring / Cabling • Access to wiring areas secured & monitored • Steel doors and locks • Service providers are monitored when they need access to wiring/cabling areas • Maintenance & access logs are kept to wiring/cabling areas

  30. Desktops • Secure placement within offices • Protect for cabling & wires • Automatically log off users when not in use • Environmental & structural protection • Property tags & ID • Secure computer cases • Protect from electrical surges • Proper disposal • Steel cables tie system to solid objects

  31. Hardware & Software • Theft common • Prevention • Mark with permanent ID • Physical restraints • Lock away when not in use • Verify that access not granted to unauthorized users

  32. Tips to reduce costs • Centralize & minimize number of secure areas • Reduce risks by changing site, layout or structure

  33. Backups • Computer media with backups must be secure, but accessible in case of emergency • Ideally, stored off-site in fire-proof & intruder-proof storage • Ensure environmental conditions do not damage media (humidity, temperature) • Ensure safe during transit • Ensure copies of disaster plan kept offsite

  34. Working hours • Only access granted to those with need, but not restrictive enough to interfere with work • Access to computer room also dependent on access to building • Use of access cards & identification badges • Locks still necessary during working hours

  35. Non-working hours • Alarms • Door & window alarms • Glass break detectors • Passive infra-red devices • Alarm faults caused by human errors • Use silent & audible alarms • Have contacts who can respond quickly to alarms

  36. People • High risk • Screen employees, check references, monitor change of behavior & circumstance • Do not allow smoking, eating & drinking in computer room • Do not allow staff to bring visitors or other non-work related access

  37. Guards and patrols • Deny access to secure areas to guards • Use CCTV or other viewing for guards to monitor secure areas • Must generate evidence that they completed checks • Have system of controlled & accountable access to keys in case of emergency

  38. Guards and patrols • Background checks & references for guards • Evaluate training standards • If armed, review weapons policy & applicable laws • Understand any legal limitations or ramifications of using armed guards

  39. Cleaning crews • Cleaners (interior & window cleaners) • Often entrusted to lock-up & engage alarm • Preferable to clean during office hours, although less convenient • Provide company supervision & escort • Vet cleaning staff & deny substitute staff • Ensure terminals locked, manuals & documents put away

  40. Disgruntled Employee • Threat • Familiarity with layout, design, security weaknesses, open doors, sensitive information & equipment • Duplicate keys • Friends who still work there • Countermeasures • Security notified / managers notified • Access limited • Train staff • Update access controls • e.g. change locks, key codes, remove access, escort from building, get any keys that were issued returned

  41. Activists • Threat • Motivated & intelligent (sometimes) • Plan & organize for attacks • Have financial support • Do extensive research • Have skills for B&E • Are not too concerned with law enforcement as deterrent

  42. Activists • Countermeasures • Update security staff of any known threats • Contact law enforcement for any specific threats • Circulation of information regarding activities minimized • Critical information secured inside facility • Profile of facility is minimized; use decoy • Develop contingency plans

  43. Vandals, saboteurs & spies • Threat • May be well-trained & experienced • May perform extensive research • May have financial resources • Skilled at eluding security & law enforcement

  44. Vandals, saboteurs & spies • Countermeasures • Update security staff of any known threats • Contact law enforcement for any specific threats • Do not label internal layout of facility • Access control measures • Surveillance cameras • Train to resist social engineering • Paper & media destroyed before disposal • Night lighting, CCTV, alarms • Post signs with “no trespassing” and awards for info leading to arrests • Work with community (watch) programs

  45. Terrorists • Countermeasures • Minimize ability to conceal packages • Shrubs, plants, outdoor furniture, trash receptacles, mailboxes, etc. • Design roads to keep unauthorized vehicles at least 100 feet from building • Eliminate potential access to building • utility tunnels, personholes, corridors, etc. • Develop suspicious package screening

  46. Disaster Preparedness

  47. Disaster Preparedness • Types of disasters • Natural Disasters • Power outages, volcanoes erupting, floods, snow, etc. • Attacks • Bombs, human error, malicious attack, etc.

  48. Natural Disasters • Two goals: • Secure against natural disaster damaging resources • Resources are securable if evacuation of facility or community is necessary

  49. Disaster - Countermeasures • Protected from leaking / flooding • Removal plan for IT assets in event building is damaged so that it cannot be used • Alternative facility (hot site / cold site) – staff (?) • Procedures in place to shut down equipment & secure facility if personnel must be evacuated • Offsite backup location of duplicate media, documentation & data

  50. Bombs & Bomb Threats • Bomb threats • Real • Scare tactic • Prepare • To prevent panic • To harden against attacks • To limit search space for bomb

More Related