CSS 111 - Introduction to Information System Security
Chapter 9, Physical Security
This lesson discusses physical security of IT assets.
important to this lesson:
- What is physical security
- Physical security considerations
- Maintaining the physical environment
author sets what seems to be a new record. His definition of physical
security on page 399 spans four lines. That's too long to be memorable.
Let's try again:
- physical assets -
people, hardware, and supporting systems, which includes buildings and
their various parts
- physical security -
protecting the organization's physical assets, which includes designing
and maintaining methods of protection
The author makes a good point, that a thief who can steal your
hardware can afford to take as much time as he needs to harvest
information from it, which makes physical security as important as
The text begins a list on page 400 that lists major physical
controls, which are full or partial solutions to making a location a
- walls, fences, and gates
- obvious barriers make it
clear to people that they are not allowed to walk beyond a certain
point; gates are obvious points of access, but they are also filter
points if you require staff to show permission to pass through them;
these apply to external and internal environments
- guards - putting a
guard on a gate, a door, or an asset
allows you to set rules for passage and usage that can be interpreted
by a human being or referred to an authorizing level of management
- dogs - guard dogs
should probably appear as a subset of
guards, whether they are working with handlers or left to patrol a
sealed environment; the text explains that a dog can sense things
(noises, aromas) that a human guard cannot
- ID cards (badges) -
can be just a token or a photo ID, and
may have a magnetic stripe, a computer chip, or an RFID; ID cards are
both a proof of authorization and a problem: they need to be collected
when an employee leaves their job, regardless of who decided they were
leaving; the text describes tailgating,
the practice of passing through a door that senses an authorization
code by following someone who actually has authorization when you a)
forgot yours, b)
decided to be lazy, or c) are not authorized; it is
the last variation we worry about, so some secure centers require that
everyone passing a control point show their badge to the sensor to
count heads; the text mentions the use of ID operated turnstiles, which are effective in
- locks - as
indicated above, some locks are opened with
locks require a key, and
others require the
intervention of an
operator (e.g. guard, receptionist); the text
mentions biometric locks and
calls them the most sophisticated locks:
that means that unless they are sophisticated they won't work well
The text mentions two confusing terms on page 404 that have to do with
electronic lock failure. A door that stays
locked if the electronic lock fails has a fail-secure lock. A door that becomes unlocked if the electronic
lock fails has a fail-safe lock.
Since safe and secure are usually synonyms, this
makes no sense. You just have to know which is which.
- mantrap - a
vestibule or air-lock with two doors that both
lock if someone tries to pass through the second door to a secure area
the idea is to alert security to a possible intrusion while containing
- video monitoring -
allows recording of events, also allows
fewer guards to watch over more areas by watching several screens at
once; this typically adds a delay to response time, and may only be
useful for collecting data after an event
- alarm systems -
commonly associated with the opening of a door, may be triggered by
sensors (motion, infrared, touch plates)
The text combines two ideas on page 406, discussing wiring closets/telecommunications rooms
as particular targets for spies and attackers. The second idea in this
section is about custodial staff,
who often have no restrictions on their access to various rooms in a
data center. An attacker who masquerades as a janitor, or a janitor who
decides to become a thief may have a high level of success. They are
most likely to be caught when they continue to conduct their activities
long enough to be noticed.
The text defines the word plenum on page
406 as the space that is above
a physical firewall and below
the floor of the next story of a building. For it to exist, the fire
resistant material must stop below this space, which it often does but
this may not be true of some fire resistant rooms, making them more
Having turned to issues related to fire safety, the text expands on the
topic for several pages. Page 409 discusses several methods of fire
- manual fire detection - depends on a human being to set off
an alarm, which may also set off fire suppression systems
- thermal fire detection - can be triggered by the ambient
temperature reaching a set level (such as 135 degrees F) or by a rapid
rise in temperature
- smoke detection - sensors may be photoelectric, ionization
(ions react with a radioactive element), or air-aspirating (an air
sample is passed by a laser)
- flame detection - a light signature (think of a a spectroscope)
of an area is taken, then compared to signatures of various types of
On page 410, we see some material about fire suppression, beginning with
fire extinguishers. Note that this list is about American standards.
Fire extinguishers are classed by the kind of fire they are able to
put out. The links below will take you to sites with more information
about fire classes and extinguishers. In surveying several sites, I
found that there are currently at least four classes of fires,
and that the symbols for them have been updated to use pictures
instead of letters. Some sites list a Class K for cooking oils (Kitchen
fires), but this does not seem to be universal. The chart below
contains American symbols:
The table below is from a Wikipedia article
on fire classes. It shows that the same kind of fire is called by a
different name in different places:
Comparison of fire classes
||Cooking oil or fat
In most cases, a multiclass extinguisher is preferred. On
extinguishers I examined at my workplace, multiple picture symbols were
used, showing the pictures for classes A, B, and C.
The text also discusses sprinkler systems, foam systems, and gas
- Sprinklers typically spray streams of water or water mist. The test in this video seems to point out a limitation of automatic mist.
dispersant systems used to use Halon,
can, but they are restricted to existing Halon supplies. Carbon dioxide
is an alternative, but both solutions tend to be dangerous to
air-breathing life forms in the immediate area.
- Another system uses foam as a suppressant, and the
this system seem to be enjoying it greatly.
The text begins a new topic on page 415. Environmental and structural failures can affect equipment, staff, or both.
- I have had the pleasure of being in daata
centers that were (on different occasions) so hot and so cold that
staff were sent home. Cold is less important to computer equipment than
to human staff, but extreme heat will shut down computers and people.
Most data centers have HVAC systems that keep the area comfortable for
- Static electricity - ESD, or Electrostatic Discharge, can be a serious cause of problems. Some numbers from a previous text may help you understand the situation:
- A human can't feel a static discharge until it is 3,000 volts or more.
- Normal motion, like moving a chair or a foot can generate 1,000 volts.
- Simply walking across a carpeted area can generate 1,500 to 35,000 volts.
- Picking up a plastic bag can generate 1,200 to 20,000 volts.
- Damage can be done to computer parts with 20 to 30 volts.
The text recommends setting humidity between 40 and 60 percent in rooms holding computer equipment. If you do this, you may minimize another problem: in cold low humidity rooms, avoid letting a rush of hot, humid air into the room, or you may get condensation inside cold devices.
- Several other concerns are listed that are the responsibility of facilities staff.
On page 421, the author turns back to IT concerns. Three types of data interception are mentioned:
- direct observation - someone reads a screen or a report
that is supposed to be secure; typically done in public areas or by
- interception of data transmission - joining a LAN and using a sniffer is effective; wireless LANs are particularly vulnerable
- electromagnetic interception - most cable media radiate
their signals to some degree; sensors that could pick up and record
these emanations would have to be very close to the media
The text discusses the unique risks associated with portable
equipment: laptops and smart devices are meant to be easy to carry,
which makes them tempting to steal. Some observations are offered:
- password protect and encrypt devices that support it
- don't leave a device unattended or in plain sight
- don't leave a device in a car where it will overheat and be ruined
- watch over devices when in airports and restaurants, but be aware that most portable devices are stolen at work, not on the road
On page 424, the text discusses telecommuting, working at
your regular job from a remote location and avoiding travel. The
concerns expressed in the text will not apply to all telecommuters.
Security concerns depend on how telecommuting is performed by
- use a secure workstation, preferably one supplied by your employer
- use a VPN connection to your work network; open connections over the Internet are an invitation to problems
- do not use free Wi-Fi at a restaurant to make your
connection: there is no law against eavesdropping on signals sent
through an unencrypted public access point