CSS 111 - Introduction to Information System Security

Chapter 9, Physical Security


This lesson discusses physical security of IT assets. Objectives important to this lesson:

  1. What is physical security
  2. Physical security considerations
  3. Maintaining the physical environment
Chapter 9

The author sets what seems to be a new record. His definition of physical security on page 399 spans four lines. That's too long to be memorable. Let's try again:

  • physical assets - people, hardware, and supporting systems, which includes buildings and their various parts
  • physical security - protecting the organization's physical assets, which includes designing and maintaining methods of protection

The author makes a good point, that a thief who can steal your hardware can afford to take as much time as he needs to harvest information from it, which makes physical security as important as logical security.

The text begins a list on page 400 that lists major physical controls, which are full or partial solutions to making a location a secure facility.

  • walls, fences, and gates - obvious barriers make it clear to people that they are not allowed to walk beyond a certain point; gates are obvious points of access, but they are also filter points if you require staff to show permission to pass through them; these apply to external and internal environments
  • guards - putting a guard on a gate, a door, or an asset allows you to set rules for passage and usage that can be interpreted by a human being or referred to an authorizing level of management
  • dogs - guard dogs should probably appear as a subset of guards, whether they are working with handlers or left to patrol a sealed environment; the text explains that a dog can sense things (noises, aromas) that a human guard cannot
  • ID cards (badges) - can be just a token or a photo ID, and may have a magnetic stripe, a computer chip, or an RFID; ID cards are both a proof of authorization and a problem: they need to be collected when an employee leaves their job, regardless of who decided they were leaving; the text describes tailgating, the practice of passing through a door that senses an authorization code by following someone who actually has authorization when you a) forgot yours, b) decided to be lazy, or c) are not authorized; it is the last variation we worry about, so some secure centers require that everyone passing a control point show their badge to the sensor to count heads; the text mentions the use of ID operated turnstiles, which are effective in metering traffic
  • locks - as indicated above, some locks are opened with credentials; some locks require a key, and others require the intervention of an operator (e.g. guard, receptionist); the text mentions biometric locks and calls them the most sophisticated locks: that means that unless they are sophisticated they won't work well
    The text mentions two confusing terms on page 404 that have to do with electronic lock failure. A door that stays locked if the electronic lock fails has a fail-secure lock. A door that becomes unlocked if the electronic lock fails has a fail-safe lock. Since safe and secure are usually synonyms, this makes no sense. You just have to know which is which.
  • mantrap - a vestibule or air-lock with two doors that both lock if someone tries to pass through the second door to a secure area and fails; the idea is to alert security to a possible intrusion while containing the intruder
  • video monitoring - allows recording of events, also allows fewer guards to watch over more areas by watching several screens at once; this typically adds a delay to response time, and may only be useful for collecting data after an event
  • alarm systems - commonly associated with the opening of a door, may be triggered by sensors (motion, infrared, touch plates)

The text combines two ideas on page 406, discussing wiring closets/telecommunications rooms as particular targets for spies and attackers. The second idea in this section is about custodial staff, who often have no restrictions on their access to various rooms in a data center. An attacker who masquerades as a janitor, or a janitor who decides to become a thief may have a high level of success. They are most likely to be caught when they continue to conduct their activities long enough to be noticed.

The text defines the word plenum on page 406 as the space that is above a physical firewall and below the floor of the next story of a building. For it to exist, the fire resistant material must stop below this space, which it often does but this may not be true of some fire resistant rooms, making them more secure.

Having turned to issues related to fire safety, the text expands on the topic for several pages. Page 409 discusses several methods of fire detection:

  • manual fire detection - depends on a human being to set off an alarm, which may also set off fire suppression systems
  • thermal fire detection - can be triggered by the ambient temperature reaching a set level (such as 135 degrees F) or by a rapid rise in temperature
  • smoke detection - sensors may be photoelectric, ionization (ions react with a radioactive element), or air-aspirating (an air sample is passed by a laser)
  • flame detection - a light signature (think of a a spectroscope) of an area is taken, then compared to signatures of various types of flames

On page 410, we see some material about fire suppression, beginning with fire extinguishers. Note that this list is about American standards. Fire extinguishers are classed by the kind of fire they are able to put out. The links below will take you to sites with more information about fire classes and extinguishers. In surveying several sites, I found that there are currently at least four classes of fires, and that the symbols for them have been updated to use pictures instead of letters. Some sites list a Class K for cooking oils (Kitchen fires), but this does not seem to be universal. The chart below contains American symbols:

Description of Extinguisher Class
Letter and Shape Symbol for Class
Picture for Class
Class A: paper, cloth, wood.
A in a triangle symbol
Icon for class A fires
Class B: oil, gasoline, kerosene, propane.
B in a square
Icon for class B fires
Class C: electrical
C in a circle
Icon for class C fires
Class D: combustible metals, such as magnesium, potassium, sodium
D in a sta
Icon for class D fires
Class K: combustible cooking oils
K symbol for kitchen fires
Icon for class K fires

The table below is from a Wikipedia article on fire classes. It shows that the same kind of fire is called by a different name in different places:
Comparison of fire classes
American European Australian/Asian Fuel/Heat source
Class A Class A Class A Ordinary combustibles
Class B Class B Class B Flammable liquids
Class C Class C Flammable gases
Class C UNCLASSIFIED Class E Electrical equipment
Class D Class D Class D Combustible metals
Class K Class F Class F Cooking oil or fat

In most cases, a multiclass extinguisher is preferred. On extinguishers I examined at my workplace, multiple picture symbols were used, showing the pictures for classes A, B, and C.

The text also discusses sprinkler systems, foam systems, and gas dispersant systems.

  • Sprinklers typically spray streams of water or water mist. The test in this video seems to point out a limitation of automatic mist.
  • Gas dispersant systems used to use Halon, and still can, but they are restricted to existing Halon supplies. Carbon dioxide is an alternative, but both solutions tend to be dangerous to air-breathing life forms in the immediate area.
  • Another system uses foam as a suppressant, and the people testing this system seem to be enjoying it greatly.

The text begins a new topic on page 415. Environmental and structural failures can affect equipment, staff, or both.

  • Temperature - I have had the pleasure of being in daata centers that were (on different occasions) so hot and so cold that staff were sent home. Cold is less important to computer equipment than to human staff, but extreme heat will shut down computers and people. Most data centers have HVAC systems that keep the area comfortable for both.
  • Static electricity - ESD, or Electrostatic Discharge, can be a serious cause of problems. Some numbers from a previous text may help you understand the situation:
    • A human can't feel a static discharge until it is 3,000 volts or more.
    • Normal motion, like moving a chair or a foot can generate 1,000 volts.
    • Simply walking across a carpeted area can generate 1,500 to 35,000 volts.
    • Picking up a plastic bag can generate 1,200 to 20,000 volts.
    • Damage can be done to computer parts with 20 to 30 volts.
      The text recommends setting humidity between 40 and 60 percent in rooms holding computer equipment. If you do this, you may minimize another problem: in cold low humidity rooms, avoid letting a rush of hot, humid air into the room, or you may get condensation inside cold devices.
  • Several other concerns are listed that are the responsibility of facilities staff.

On page 421, the author turns back to IT concerns. Three types of data interception are mentioned:

  • direct observation - someone reads a screen or a report that is supposed to be secure; typically done in public areas or by social engineers
  • interception of data transmission - joining a LAN and using a sniffer is effective; wireless LANs are particularly vulnerable
  • electromagnetic interception - most cable media radiate their signals to some degree; sensors that could pick up and record these emanations would have to be very close to the media

The text discusses the unique risks associated with portable equipment: laptops and smart devices are meant to be easy to carry, which makes them tempting to steal. Some observations are offered:

  • password protect and encrypt devices that support it
  • don't leave a device unattended or in plain sight
  • don't leave a device in a car where it will overheat and be ruined
  • watch over devices when in airports and restaurants, but be aware that most portable devices are stolen at work, not on the road

On page 424, the text discusses telecommuting, working at your regular job from a remote location and avoiding travel. The concerns expressed in the text will not apply to all telecommuters. Security concerns depend on how telecommuting is performed by particular employees.

  • use a secure workstation, preferably one supplied by your employer
  • use a VPN connection to your work network; open connections over the Internet are an invitation to problems
  • do not use free Wi-Fi at a restaurant to make your connection: there is no law against eavesdropping on signals sent through an unencrypted public access point

Assignment 1: Chapter 9 review questions

  1. Review Questions for chapter 9 start on page 428. Answer numbers 3, 7, 10, 12, 14, and 20.

Assignment 2: Physical Security

  1. Read the handout assignment on Physical Security.
  2. Work in a group of at least 3 people. People must be named on your submission.
  3. Make at least four recommendations for the office depicted in the handout. Justify your recommendations with references to the facts supplied in the handout and your observations about the picture.
  4. Submit your recommendations, along with your justifications.