Donald Hester, March 29, 2011
For audio call Toll Free 1-888-886-3951
and use PIN/code 661899
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Housekeeping
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
Donald Hester
Introduction
Topics Covered
• Physical security of information systems
• Environmental protection of information system (Not the green type)
• Some life safety issues
• Heat (internal and external)
• Water (leak, flood, weather)
• Theft
• Power (loss or spike)
• Fire (smoke)
• Natural disaster (earthquake, tornado, etc.)
• Man-made disaster (chemical spill)
• Loss of life
Start at the top:
• The organization understands the importance and will commit the needed resources
Policy should:
• Address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
Designate sensitive versus publicly accessible areas
List of authorized personnel
• To access sensitive areas
Review the list regularly
• To make sure you remove anyone who no longer needs access
Selecting Internal areas that need more control
Determine what assets require extra security
Control access of customers (students)
Restrict computer access or LAN access from lobbies
• Enforce access authorizations
• Verify access authorization before granting access
• Control entry
• Control publicly accessible areas in accordance with risk
• Secure keys, combinations, passwords, PINs, and other physical devices
Secure keys, combinations, passwords, PINs, and other physical devices
• Key log (who has the keys)
• Rekey (when a key is lost)
• Recovery (get keys back)
• Change combination (like a password)
Important events
• Someone is terminated or leaves
• Lost or compromised
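The authorized-personnel review and the key log above are the same reconciliation in practice. The routine below is an added example, not code from the presentation: it walks a key log against the authorized list for each area and the active staff roster (all names, key ids and areas are constructed) and reports which keys need recovery or a rekey.

```python
# Added example (not from the presentation): reconcile a key/combination log
# against the per-area authorized-personnel list and the active staff roster so
# that departed holders, unauthorized holders and lost keys surface for
# recovery or rekeying.
from dataclasses import dataclass

@dataclass
class KeyRecord:
    key_id: str   # identifier of the key, badge or combination
    area: str     # sensitive area it opens
    holder: str   # person it was issued to
    status: str   # "issued", "returned" or "lost"

def review_key_log(key_log, authorized, active_staff):
    """Return {key_id: action} for every outstanding key that needs attention.

    authorized:   {area: set of people allowed into that area}
    active_staff: set of people still employed or under contract
    """
    actions = {}
    for rec in key_log:
        if rec.status == "returned":
            continue  # nothing outstanding for this key
        if rec.status == "lost":
            actions[rec.key_id] = f"rekey {rec.area}: key reported lost"
        elif rec.holder not in active_staff:
            actions[rec.key_id] = f"recover from {rec.holder}: no longer with the organization"
        elif rec.holder not in authorized.get(rec.area, set()):
            actions[rec.key_id] = f"recover from {rec.holder}: not authorized for {rec.area}"
    return actions

# Constructed sample data (hypothetical people, keys and areas)
SAMPLE_LOG = [
    KeyRecord("K-001", "server room", "alice", "issued"),
    KeyRecord("K-002", "server room", "bob", "issued"),     # bob has left
    KeyRecord("K-003", "wiring closet", "carol", "lost"),
    KeyRecord("K-004", "wiring closet", "dave", "issued"),  # dave not on the list
    KeyRecord("K-005", "server room", "erin", "returned"),
]
SAMPLE_AUTHORIZED = {"server room": {"alice", "bob"}, "wiring closet": {"carol"}}
SAMPLE_ACTIVE = {"alice", "carol", "dave"}

if __name__ == "__main__":
    for key_id, action in review_key_log(SAMPLE_LOG, SAMPLE_AUTHORIZED, SAMPLE_ACTIVE).items():
        print(key_id, action)
```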
Doors
• No more than two doors
• Locks, or electronic door locks
• Strike-plates on doors
• Tamper-resistant hinges on doors
• Resistant to forcible entry
• Fire rated doors and walls
• Internal windows should be small and shatter-proof or bullet-proof
Control access to the cables used for communication
• Ethernet
• Telecom
• Wiring closets
• Spare jacks
• Conduit or cable trays
What output devices need control?
• Printers
• Monitors
• Audio devices
For example, HR prints to a printer in a restricted area so that no one can simply walk by and pick up the printout. The same applies to finance and transcripts.
Protect from theft
Monitor physical access
• CCTV, especially in cash collection sites
Log access
• Access control devices can log who gained access
• Netbotz (example, not an endorsement)
Detect and respond to incidents
Closed-circuit TV
• Wired or wireless
• Simplest: a camera connected to a TV monitor
• More complex systems can detect, recognize, or identify
• Smart CCTV – facial recognition technology
Purpose is to detect and deter; also used in investigations
• Security applications
• Safety applications
• Management tool
• Investigation tool
Contractors' and employees' access to restricted areas
Monitor visitor activity
• Sign in
• Check ID
• Did you know they were coming?
• Appointment only
Keep records
Review records
Records should include:
• Name/organization of the person visiting
• Signature of the visitor
• Form(s) of identification
• Date of access, time of entry and departure
• Purpose of visit
• Name/organization of person visited
Concern is loss of power resulting in downtime
Protect power equipment
• Access control to sub-panels
• Fire code issues
Protect power cables
• Redundant or parallel power cables
Power switch to turn off all systems
• Life safety issue
Server rooms can be equipped with a switch that will turn off all equipment, including equipment on battery backup
Place the switch in an accessible location
Protect the switch from accidental activation
Provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss
• UPS for short time periods
• What is your current UPS rated for?
• Is that enough time for an orderly shutdown?
• Have you checked the battery life lately?
Provide a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source
• Power generator
• How important is uptime?
• How reliable is the power grid?
Employ and maintain automatic emergency lighting
• Life safety issue again
• Typically lights are in common areas and not always in a server room
• Typically handled by facilities personnel
Fire suppression and detection devices/systems
• Fire Prevention
• Fire Detection
• Fire Alarm
• Fire Suppression
• Fire Drills
Fire suppression devices/systems
• Should have an independent power source
• Properly rated fire extinguisher
• Sprinklers, dry pipe best
• Should have automatic shutdown of servers
• Halon
• FM-200 (or FE-227), FE-13, FE-25, Novec-1230, inert gas systems like Argonite, Inergen or CO2
• Toxic fumes from burning plastic
Maintains temperature and humidity levels
Monitors temperature and humidity levels
• Maintain a constant temperature between 70-74F (21-23C)
• Maintain a constant humidity between 45-60%
High humidity causes corrosion and low humidity causes static electricity.
Positive air pressure
• Air flow out of the room
• Limits dust getting in
Protected air vents
• Possible entry point
Filtered air
• Dust reduces heat transfer and can cause heat damage to circuits
Redundant HVAC systems
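The temperature and humidity ranges above are only useful if something checks the readings against them. The code below is an added example, not from the presentation: it parses constructed sensor log lines (the line format, sensor names and values are assumed), normalizes Celsius readings to Fahrenheit, flags readings outside 70-74F and 45-60% RH with the risk the slides name for each, and reports a malformed line instead of crashing on it.

```python
# Added example (not from the presentation): check constructed environmental
# sensor readings against the slide's ranges (70-74F / 21-23C, 45-60% RH).
import re

TEMP_RANGE_F = (70.0, 74.0)
HUMIDITY_RANGE = (45.0, 60.0)

# Assumed line format: "<timestamp> <sensor> temp=<value><F|C> rh=<percent>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+temp=(?P<temp>-?\d+(?:\.\d+)?)"
                     r"(?P<unit>[FC])\s+rh=(?P<rh>\d+(?:\.\d+)?)$")

def parse_reading(line):
    """Return (timestamp, sensor, temp_f, rh) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    temp = float(m.group("temp"))
    if m.group("unit") == "C":
        temp = temp * 9 / 5 + 32  # normalize Celsius readings to Fahrenheit
    return m.group("ts"), m.group("sensor"), temp, float(m.group("rh"))

def check_environment(lines):
    """Return one alert string per reading outside the recommended ranges."""
    alerts = []
    for line in lines:
        reading = parse_reading(line)
        if reading is None:  # flaky sensor output must not stop the review
            alerts.append(f"unparseable reading: {line!r}")
            continue
        ts, sensor, temp_f, rh = reading
        if not TEMP_RANGE_F[0] <= temp_f <= TEMP_RANGE_F[1]:
            alerts.append(f"{ts} {sensor}: temperature {temp_f:.1f}F outside 70-74F")
        if rh > HUMIDITY_RANGE[1]:
            alerts.append(f"{ts} {sensor}: humidity {rh:.0f}% too high (corrosion risk)")
        elif rh < HUMIDITY_RANGE[0]:
            alerts.append(f"{ts} {sensor}: humidity {rh:.0f}% too low (static electricity risk)")
    return alerts

# Constructed sample log lines
SAMPLE_LINES = [
    "2011-03-29T10:00:00 rack1 temp=72.0F rh=52",
    "2011-03-29T10:05:00 rack1 temp=77.5F rh=52",
    "2011-03-29T10:05:00 rack2 temp=22.0C rh=38",
    "2011-03-29T10:10:00 rack2 temp=22.0C rh=66",
    "garbage line from a flaky sensor",
]

if __name__ == "__main__":
    for alert in check_environment(SAMPLE_LINES):
        print(alert)
```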
Protects the information system from damage resulting from water leakage
Master shutoff valves
• Accessible
• Working
• Known by key personnel
Not just for the server room; wiring closets too
Positive flow water drains
• Protect from the risk of flooding
Authorizes, monitors, and controls computer equipment entering or exiting the facility
Keep a record of those items
Theft is the big issue here
Part of Business Continuity Planning
Consider physical and environmental controls at the alternate work site
Position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access
• Where is the best place in your facility for a server room?
• External issues?
• Proximity of emergency services
• Offsite hazards
• Avoid the basement
• Avoid the top floor
• Avoid the first floor
• Avoid locating it near stairs, bathrooms, water pipes, elevators or EMI emissions
• Avoid locating it on an external wall
• Avoid external windows and doors
Plenum space
• Requires plenum cabling
Raised false floors
• Access to & protect cabling
Drop ceilings can give access to server rooms
• Walls should extend beyond any false or drop ceilings
Security Mesh to help stop break-ins through gypsum walls
Site Location (Site Survey)
• Proximity to emergency services
• Flood zones, types of natural events, e.g. earthquake, hurricane, tornado
• Proximity to hazardous materials, e.g. next to an oil refinery or train tracks
• Redundant roads or ways in to the area
• Crime rates for the area
Crime Prevention Through Environmental Design (CPTED)
• The building and facilities (campus) are designed in such a way as to limit or deter crime.
• Parking lots & lighting
• Perimeter lighting
• Perimeter security
• Landscaping
• Barriers (bollards)
TEMPEST
Protect the information system from information leakage due to electromagnetic signal emanations
Shielding from:
• Electromagnetic interference (EMI)
• Radio frequency interference (RFI)
• Shielded cabling, room
Electrostatic discharge (ESD)
• Anti-static flooring
• Anti-static wrist strap
For life safety
• Clearly mark exits for life safety
• Clearly mark locations of fire extinguishers
• Clearly mark shutoff switches and valves
For theft
• Signs create a psychological barrier
• Asset tag equipment for possible recovery
A communication system designed to alert, warn or notify a receiver of an event or danger.
Made up of three parts: a sensor (detector) that detects the condition, an alarm system circuit that transmits the information, and an annunciator (signal, alarm).
Standards: UL, ISO and IEEE
Consider security before returning a failed hard drive
Data remanence
• Software data removers
• Degauss
• Shredding
• Incinerators
• Not illegal
• Industrial espionage
• Some consider it a hobby
• Can find private, confidential information on paper, media or computers
http://www.youtube.com/watch?v=iC38D5am7go
Netbotz (now owned by APC)
IT WatchDogs: www.itwatchdogs.com
APC: www.apc.com
SynapSense: www.synapsense.com
Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org | www.linkedin.com/in/donaldehester | www.facebook.com/LearnSec | www.twitter.com/sobca
Q&A
Evaluation Survey Link
Help us improve our seminars by filling out a short online evaluation survey at:
http://www.surveymonkey.com/s/PhysSecurity
Thanks for attending
For upcoming events and links to recently archived seminars, check the @ONE Web site at:
http://onefortraining.org/