CISSP Physical Security – Bk2D3T7

Module Objectives
  1. Apply security principals to site and facility design.
  2. Implement and manage physical security controls.
  3. Implement and manage physical controls in wiring closets and intermediate distribution facilities.
  4. Implement and manage physical controls in server rooms and data centers.
  5. Implement and manage physical controls in media storage facilities.
  6. Implement and manage physical controls for evidence storage.
  7. Implement and manage physical controls in restricted area.
  8. Implement and manage physical controls in work area.
  9. Implement and manage environmental controls for utilities and power.
  10. Implement and manage controls for heating, ventilation, and air conditioning (HVAC).
  11. Implement and manage environmental control.
  12. Implement and manage environmental controls for fire prevention, detection, and suppression.

Physical Security

Physical security plans and infrastructure are often designed, implemented, and operated by physical security specialists in larger organizations. Physical security infrastructure is typically controlled outside of IT or IT security control in larger organizations. However, the CISSP MUST understand physical security fundamentals in order to do the following:

  • Assess the risk reduction value of physical security controls
  • Communicate physical security needs to physical security managers
  • Identify risks to Information Security due to physical security weaknesses

While the CISSP may never actually design or implement physical security in a larger organization, they may very well be required to implement physical security elements in smaller organizations. It is also vital for the CISSP to understand the impact of either good or bad physical security as it impacts information system security, regardless of organization size.

A role of the CISSP in some cases may be to translate information security needs or requirements in such a way that the physical security or facilities operators can understand those needs in their terms.

Apply Security Principals to Site and Facility Design

Physical design should support confidentiality, integrity, and availability of information systems and must consider human safety and external factors as well. Physical security at the facility level does support confidentiality, integrity, and availability at the information system level. Facility design absolutely supports system availability and can have a particularly high impact on continuity of operations and disaster recovery.

Physical Design that Supports Confidentiality, Integrity, and Availability (CIA)

Physical design elements can protect information systems from unauthorized access. It can enable auditing or observation of sensitive physical access areas, such as server rooms or wiring infrastructure, and either complement or simplify the information system controls   that must be applied to achieve adequate overall security. Facilities management ensures robust services (e.g., power, cooling) to information systems and provides backup or redundant capabilities.

Physical Design that Supports Human Safety

Some physical design elements directly support human safety. It is important to ensure the controls remain in place as security controls are applied. In some cases, physical security restrictions could imperil human safety and that must be avoided. For example, physical access restrictions could impede building evacuation during an emergency and must be designed to allow rapid exit while still protecting against improper entry. In other cases, facility modifications done to support information systems could necessitate additional human safety controls to be installed. This might include additional emergency alarms (audible, visible), new or updated egress routes, or additional safety equipment.

Information systems and their support elements (e.g., UPS, HVAC) consume large amounts of power and the power terminals that are often located with the equipment. This may necessitate emergency power shutoff switches (big red button on the wall) or equipment shutoffs to ensure electrical accidents are minimized. Additionally, equipment lockouts for power may be advisable. These are manual or physical lock latches that physically lock circuit breakers or switches in the off position while staff are exposed to power cabling.

Site and Facility Design Considerations

The following list includes top level design considerations for physical security and facilities:

  • Personnel policy and procedure
  • Personnel screening
  • Workplace violence prevention
  • Response protocols and training
  • Mail screening
  • Shipping and receiving
  • Property ID and tracking
  • Parking and site security
  • Site and building access control
  • Video surveillance
  • Internal access control
  • Infrastructure protection
  • Onsite redundancy
  • Structural protections
Implement and Manage Physical Security

To implement effective physical security, a physical risk assessment consistent with the Risk Assessment described in Domain 1 should be conducted. It should consider potential human action, natural disaster, industrial accident, equipment failure, and so forth. As in information security, a set of layered physical protections and countermeasures for identified physical risks must be developed so that the protections are commensurate with the risk assessment. For example, the physical and facility controls associated with a foreign embassy level of protection would be very different from those needed to mitigate the physical risks associated with a small remote office of a commercial business.

One important consideration is that physical risk controls will impact information system design. For example, weak physical controls may necessitate more complex information system protections to compensate, while strong physical protections may lower the overall risk of an information system and allow for less costly or complicated controls to be applied at the information system level.

Just as information system controls must be monitored for effectiveness, physical controls must also be monitored and tested for effectiveness. This is especially true for controls associated with human safety, continuity of operations, disaster recovery, and emergency backups.

Related Product : Certified Information System Security Professional | CISSP

Perimeter Security Controls

Figure 3.11 shows the layers of perimeter controls that may exist. This model is based on a campus or multi-structure type site, but it can be applied to a single building or facility. In cases where an organization is located on a single floor or office space within a larger facility, there may be limited control over the perimeter security controls, but they should still be evaluated for effectiveness and any positive or negative impacts.

Physical Security

Surrounding areas concerns include the following:

  • Roadways: Roads close to or adjacent to the site.
  • Waterways: Adjacent or crossing the This may include navigable waterways or small drainage features if they impact the site security.
  • Geography: Terrain of the site in terms of potential visibility limits, concealment opportunities, or natural barriers to entry.
  • Lines of sight: Areas where visibility is limited by features or structures is a concern.

Associated considerations include the following:

  • Is the facility visible from roads?
  • Is there a potential for vehicle borne threats?
  • Where are the vehicular and pedestrian access points?
  • Is there adequate fencing, or impassible perimeter landscaping (natural fence)?

Areas to assess for site entry and exit points include the following:

  • Vehicular: Are vehicular access points protected against credible vehicular threats?
  • Public/customer/visitor: Are there separate entry controls for public, customer, or visitor access?
  • Staff/employee: Do staff or employees have dedicated controlled access points?
  • Delivery/truck: Is there a delivery or truck entrance, and how is it controlled?
  • Pedestrian: Are there controlled pedestrian entry points to the site?

Considerations for site entry and exit:

  • Access controls: What are the access controls to enter or leave the site—badge, proximity card, guard monitored?
  • Surveillance: Is there sufficient surveillance capability to cover site entry and exit points?
  • Lighting: Is lighting sufficient to allow humans or video systems to adequately make subject identification in all light conditions?
  • Intrusion detection: Are sensors or intrusion detection devices installed on unattended or unmonitored access points?
  • Barriers/traffic control: Are barriers in place or available for traffic control at any or all of the vehicular access points?

At larger sites, there may be external facilities that include the following:

  • Parking structures/lots
  • Utilities components
  • Electric transformers/lines
  • Telecommunications
  • Landscaping

For these consider the following:

  • Lighting: Does the lighting provide sufficient lighting under all conditions for human and/or video identification of subjects? Does the lighting limit shadow areas or areas of no visibly during darkness?
  • Surveillance: Does surveillance cover areas where security or human safety is a concern?
  • Intrusion detection: Are alarms or sensors installed in unattended external buildings or facilities?
  • Lines of sight: Are lines of site sufficient and dead space eliminated?

Operational Facilities are the following:

  • Where employees work
  • Where IT operates

For these consider the following:

  • Exterior lighting and surveillance: Appropriate to expected Lighting is of sufficient brightness and coverage to limit shadows and make human or video identification of subjects possible.
  • Building materials: Appropriate for the level of security required.
  • Doors, windows, walls: Are of the appropriate type and security level to mitigate expected risk.
  • Entry/exit points and access controls: Unattended access conditions, guard monitoring, video monitoring.
  • Staff/employee entrance: Is there a staff only entrance, and how is it controlled? Attended, unattended?
  • Public/customer entrance: Is there a public or customer entrance with different security needs from the staff entrance?
  • Delivery entrance: Is there a loading dock or delivery facility?
  • Sensors/intrusion detection: Have sensors or alarms been installed on doors and windows?

Typical perimeter control types:

  • Lighting
    • Bright enough to cover target areas
    • Limits shadow areas
    • Sufficient for operation of cameras, must be coordinated with camera plan
  • Surveillance/Camera
    • Narrow focus for critical areas
    • Wide focus for large areas
    • IR/low light in unlit areas
    • Monitored and/or recorded
    • Dummy cameras
  • Intrusion Detection
    • Cut/break sensors
    • Sound/audio sensors
    • Motion sensors
  • Barriers
    • Fixed barriers to prevent ramming
    • Fixed barriers to slow speeds
    • Deployable barriers to block access ways
    • Fencing/Security landscaping
    • Slows and deters
    • Should not impede monitoring
  • Building Material security examples: o High-security glass
    • Steel/composite doors
    • Steel telecommunications conduit
    • Secure walls
    • True floor to ceiling walls (wall continues above drop ceiling)
    • Anchored framing material
    • Solid walls/in wall barriers
  • Lock security examples: 
    Available in varying grades
    Physical key locks
    Mechanical combination locks
    Electronic combination locks
    Biometric locks
    Magnetic locks
    Magnetic strip card locks
    Proximity card locks
    Multi-factor locks (e.g., card + pin)
Internal Security Controls
  • Controls for human safety
    • Visible and audible alarms, fire suppression, response plans/training, emergency shutoffs
  • Controls to manage access
    • Door locks (e.g., magnetic, card key, mechanical key, combination lock)
    • Access point security (e.g., mantraps, limited ingress, alarmed emergency egress)
    • Multifactor access (e.g., key card + pin for room entry)
  • Internal monitoring
    • Physical access control system/monitor (e.g., records key card use)
    • Video surveillance/cameras
    • Radio Frequency (RF) monitoring
Implement Site and Facility Security Controls

The following sections will provide recommended controls or considerations for special areas of the facility. These areas may require special or enhanced physical controls both from the security perspective as well as for maintaining information systems and protection of human life.

The special areas considered are the following:

  • Wiring closets/intermediate distribution facilities
  • Server rooms/data centers
  • Media storage facilities
  • Evidence storage
  • Restricted area security
  • Utilities
  • Heating, ventilation, and air conditioning (HVAC)
  • Fire prevention, detection, and suppression
Wiring Closets/Intermediate Distribution Facilities

The facility wiring infrastructure or “cable plant” is integral to overall information system security and reliability.

Entrance facility

  • External communications enter facility
  • Phone, network, special connections
  • May house internet service provider (ISP) or telecommunications provider equipment

Equipment room

  • Primary communication hub for facility
  • Houses wiring/switch components
  • May be combined with entrance facility
  • Backbone distribution
  • Connects entrance facility, equipment room and telecommunication room(s)

Telecommunications room (wiring closet)

  • Serves a particular area of a facility
  • Floor, section, wing,
  • Terminates local wiring into patch panels

Backbone distribution is broken out to individual connections (e.g., switch)

  • Horizontal Distribution System
  • Cables, patch panels, jumpers, cable

Security protections for the overall cable plant:

  • Rooms must be secured against unauthorized access
  • Access to rooms should be monitored/recorded
  • Secondary locks on equipment/racks
    • Rooms may share space with non-IT equipment and require access by non-IT staff
  • Conduit or tamper protections for wiring

Environmental protections for the cable plant:

  • Protection from lightning/surge
  • Backup power/uninterruptible power supply (UPS)
  • Heating/cooling/air flow
    • Critical in enclosed spaces
  • Appropriate fire detection/suppression
  • Emergency shutoffs for high power connections
  • May not be necessary in all closets
Server Rooms/Data Centers

Rooms in the facility where multiple computer assets are installed and operate. Server rooms have similar security and environmental protections to wiring closets. However, they may have higher human traffic, and it is critical that access point security and access monitoring is in place. When server room space is shared with other organizational units or even other businesses, it can be critical to employ rack or equipment level locking.

Power, surge protection, and uninterruptible power supplies (UPS) must tailored to the operating equipment and of sufficient capacity. As equipment is modified or replaced, power concerns must be readdressed to ensure capacities are not exceeded.

Human safety becomes an issue with power levels in most server rooms and emergency shutoffs, and non-conductive hooks/gloves become important for human safety. Non-conductive personal protective equipment or hooks can be used to disengage equipment from a power source or safely disengage a human from a live power source without endangering another human.

Appropriate training may also be necessary to ensure staff respond appropriately to electrical emergencies by cutting power and/or safely resolving the emergency.

For server rooms, appropriate fire detection/suppression must be considered (e.g., sprinkler is inappropriate for electrical fires) based on the size of the room, typical human occupation, egress routes, and risk of damage to equipment.

Server rooms are typically maintained at a higher level of physical security than the rest of the facility.

Media Storage Facilities

Media storage facilities may be onsite and offsite from the main facility. If onsite with the main facility, backup copies should ideally be stored offsite and fireproof/waterproof containers should be employed. Offsite storage should duplicate critical media stored onsite and retain the ability to recover critical information. Media typically contains sensitive historical data that likely still requires protection. Some media types may support encryption while others do not. If sensitive data is stored on unencrypted media access, control must be strictly limited and monitored. Some organizations may limit access to dedicated archivists.

Temperature and humidity should be consistent with media storage requirements of the particular media in the facility. As media types evolve, this must be continually reassessed but must be maintained consistently with the needs of all stored media. Fire protection should be in place at both room and container levels.

Evidence Storage

Evidence storage facilities or rooms are special-access areas with strictly limited access and may be aggressively monitored. They will typically contain individual lockers or secure containers for each investigation or investigator assigned to the facility. This is to ensure evidence accountability and chain of custody is maintained at all times to prove evidence has not been modified or tampering has not occurred. Evidence is protected against damage or theft, and appropriate environmental protections should be commensurate with evidence types stored (e.g., paper, digital, media).

Restricted Area Security

Restricted area security applies to any spaces or rooms within the facility where highly sensitive work occurs or information is stored. This includes secure facilities and classified workspaces. These spaces typically have extremely high access control protections and logging of all access, and they may include audio protections against eavesdropping such as white noise machines. They may also include enhanced visual screening from exterior spaces or have no windows at all. In the most extreme cases, they may include protection against the detection of electromagnetic emissions from equipment.

Utilities

Power

  • Redundant power input from utilities
  • Redundant transformers/power deliver
  • Backup generators
  • Battery backups
  • Dual power infrastructure within data centers
  • Backup sources must be tested/exercised
  • Backup sources must be sized appropriately and upgraded when load increases

Telecommunications

  • Multiple service provider inputs
  • Redundant communication channels/mechanisms
  • Redundancy on key equipment (eliminate single points of failure)

Water/Sewer

  • Cooling/Human habitation
  • Risk of leaks/damage to equipment
  • Supports most building-wide fire suppression plans

Safety concerns with utilities are critical as generators, battery backups, and data center power feeds may carry very high electrical loads that are inherently dangerous.

Emergency power shutoffs in high-load areas:

  • Safeguard human life in case of electrocution (big red button)
  • Safeguard equipment in case of overload (automated shutoff)
  • Safeguard humans and equipment in emergencies

High-load areas should provide access to non-conductive gloves/ equipment and push/pull rods in case of emergency.

Heating, Ventilation, and Air Conditioning (HVAC)

All computer equipment has a range of acceptable operating temperatures. High density equipment and equipment within enclosed spaces requires adequate cooling and airflow. Cooling must be designed match the equipment and space to be cooled.

High-capacity rooms (e.g., operations center) must have sufficient airflow for the number of human occupants (CO2 danger), and air for all uses should be filtered for contaminants (natural or intentionally introduced).

Fire Prevention and Detection

Human training and awareness is critical to fire prevention. Sensors (infrared temperature, smoke) can detect conditions leading  up  to  a fire as well as fire initiation and may assist with prevention, but they are primarily valuable for detection. Smoke detectors include optical (photoelectric) and physical process (ionization). Flame detectors include infrared and ultraviolet detectors

Fire Suppression

Buildings should be equipped with one or more types of fire suppression systems. There are two main types of suppression systems: water-based and gas-based:

Water-based

  • Effective for common material fires (e.g., wood, paper, building materials)
  • Safe for human spaces
  • Damages equipment
  • Ineffective for electrical or petroleum fires
  • Typically cheaper than gas-based

Gas-based

  • Effective for any fire type
  • Typically safe for equipment
  • May be dangerous to humans in enclosed spaces (depending on type)
  • Costly to install and maintain compared to water-based

Gas-based systems may be safe for humans under certain conditions but not others. System design must take into account the size and ventilation of protected rooms and volume calculations for the gas. If well implemented, most modern gas systems can be safe for human occupied spaces, but some risk of suffocation may still exist if not implemented correctly of if unusual conditions apply.

Water-based system types:

  • Wet pipe: Most common, water in pipes, heat activated sprinkler heads that typically operate independently
  • Dry pipe: Pressurized gas in pipes, water released after the first sprinkler head is activated, slight delay in operation. Sprinkler heads operate independently. Beneficial due to less danger of pipe leaks or freezing, often used in open facilities (e.g., parking garage).
  • Pre-action: Combines elements of wet and dry pipe actions. Fire sensors initiate pre-action charging of the water pipes that can then activate independently as in a wet pipe system. In other instances, the system may require both an independent fire sensor and one or more sprinklers to activate prior to water entering the system.
  • Deluge: Similar to pre-action operation but with open sprinkler heads. Once the overall system is activated by a heat or fire sensor, all sprinkler heads will be active simultaneously when the central valve is opened.

Gas system examples:

  • Hydrofluorocarbon
    • Halon (older type-mostly gone) o FM-200
  • Inert gas (e.g., Argon/Nitrogen) o Argonite
    • Inergen
  • Aerosol
    • Aero-K

Note: Aerosol-based systems typically inject an inert gas with some type of aerosol liquid into the protected area. They are typically  safe for human occupied areas

Environmental Issues

The following is a limited list of environmental hazards that may be encountered that could affect the facility. These hazards should be considered based on expected frequency and potential impact for the geographic area in which the facility is located.

  • Hurricane
  • Tornado
  • Forest/wildfire
  • Earthquake
  • Flooding
  • Mudslide
Case: WannaCry Ransomware

In May of 2017, a ransomware attack known as WannaCry was initiated and affected over 230,000 computers in 150 companies. The attack encrypted user files and requested a ransom be paid to an anonymous address using Bitcoins. Ransomware maliciously using encryption was not new at this point, but this incident raised public awareness of these types of attacks.

The attack used vulnerabilities largely existing in older computer systems and had the greatest impact within industries that historically use embedded or long lifespan systems.

Attack anatomy:

The exploit used vulnerabilities in a Microsoft Server Message Block v1 (SMBv1) protocol to transfer itself across the network. SMBv1 is an older protocol, having been replaced in more modern systems with v2 and later since 2006. However, it was maintained for backwards compatibility through Windows Server 2012. The malware used flaws in SMBv1 to execute arbitrary code on the affected systems and install itself. It then encrypted user files and attempted to spread itself using the same SMB vulnerability.

FAILURES THAT MADE IT POSSIBLE

Architecture:

The malware spread using an older network protocol (SMBv1). This protocol is used by Microsoft systems for file and print sharing. There is no reason for this protocol to be accessible from external sources, yet some infections occurred via external computers exploiting a vulnerability in an internal protocol. Had SMB port blocks been better implemented on organizational external defenses (e.g., firewalls), OR had internal blocks that limited traversal of internal networks been in place, the impact and spread would have been significantly reduced.

Many affected systems were older type systems using outdated operating systems. The medical community was hit particularly hard in Great Britain with many pieces of medical equipment being impacted. For older or embedded systems, tight network segmentation and limitation of ports, protocols, and services allowed to access those systems would have significantly reduced the impact.

System updates:

As noted on the architecture, many of the affected systems were older type systems and embedded type systems. However, patches for the cores vulnerabilities were available from Microsoft prior to the initial malware release. Had older systems been fully updated, the impact would have been significantly reduced.

FAILURES THAT CONTRIBUTED TO THE MALWARE DEMISE:

Malware authors make mistakes as well. In the case of WannaCry, the developer made some interesting implementation mistakes that allowed counteractions against the malware to reduce its effects. In particular, two malware flaws included the following:

  1. Kills switch: Security researchers determined the malware attempted to contact a specific URL prior to encrypting data. This was easily determined by observing the malware operating in a sandbox, and there was no secure verification process. It simply attempted to locate the URL and if successful shut down. By registering the domain name, impact of the malware was significantly reduced. (https:// csoonline.com/article/3227906/ransomware/what-is- wannacry-ransomware-how-does-it-infect-and-who-was- responsible.html )
  2. Ransomware/Cryptolocker type malware has some practical limitations for use. In some cases, it is feasible to recover the cryptographic keys from the system memory. Since the encryption key has to be onboard the system to encrypt and decrypt files, it can be recovered. Boston University, MITRE, and University College London researchers had previously developed a mechanism that can recover some malicious crypto keys. (http://cs-people.bu.edu/wfkoch/my-data/pubs/ paybreak.pdf)

Summary

The Security Architecture and Engineering Domain introduces several concepts for applying security architecture and engineering principles. We have covered basic security models and security control frameworks. This included applying control frameworks and developing assessable evaluation criteria. The domain introduced several common security capabilities inherent in modern information systems and introduced common vulnerabilities and mitigations that exist in different types of information systems. The history of cryptography is very long, but over the last 50 years or so, cryptography has become an integral and necessary part of security implementations.

Cryptography can be very effective in providing some key security services such as confidentiality, integrity, authenticity (proof of origin), non-repudiation, and access control. There are basic fundamental ways to do cryptography, stream and block ciphers. Symmetric key cryptography is very fast but has problems related to key distribution and scalability.

Asymmetric key cryptography is very slow but solves the problems related to key distribution and scalability. Hashing, which is defined as one-way encryption, can be very useful in addressing integrity of stored and transmitted information. Digital signatures can achieve non- repudiation of origin and non-repudiation of delivery. Key management and key management techniques are the most important aspects of secure cryptography implementations. There are many cryptanalysis attacks that try and break cryptography systems. Finally, we applied security concepts to the physical environment and facilities.

Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/