UW-Madison Information Systems 365 -- Physical Security -- Lecture 9
Information Security 365/765, Fall Semester, 2016
Course Instructor, Nicholas Davis, CISA, CISSP
Lecture 9, Physical Security

Today’s Candy: Twizzlers
Twizzlers is a brand of candy in the United States and Canada. Twizzlers is the product of Y&S Candies, Inc., of Lancaster, Pennsylvania, now a subsidiary of The Hershey Company. In 1908 a plant was opened in Montreal, and in 1929 the Twizzler brand was established.
05/02/23 UNIVERSITY OF WISCONSIN 2

Physical Security
It used to be easy, way back in the 1960s. Today, with IT assets on every desk, we have:
• Theft
• Fraud
• Vandalism
• Sabotage
• Accidents

Let’s Watch an Interesting Video About the History of Physical Security
https://www.youtube.com/watch?v=-eVSR9tder0
20 Minutes

Funny Cartoon Video, But it Makes a Good Point
https://www.youtube.com/watch?v=tmOGJVDvJaQ
2 minutes

Four Major Physical Security Threats
• Natural environmental
• Supply system
• Human made
• Politically motivated
A good security program protects against all of these, in layers.

Physical Threats: Natural / Environmental
Floods, earthquakes, storms, volcanoes

Physical Threats: Supply System
Power, communications, supply of water, etc.

Physical Threats: Human Made
Unauthorized access, damage by angry employees, employee errors and accidents, vandalism, fraud, theft

Physical Threats: Politically Motivated Threats
Strikes, riots, civil disobedience, terrorist attacks, bombings

What Constitutes a Good Security Plan
Crime and disruption prevention through deterrence
Fences, security guards, warning signs, etc.

What Constitutes a Good Security Plan
Reduction of damage through use of delaying mechanisms
Layers of defenses that slow down the adversary, such as locks, security personnel, barriers

What Constitutes a Good Security Plan
Crime or disruption detection
Smoke detectors, motion detectors, surveillance cameras, etc.

What Constitutes a Good Security Plan
Incident assessment
Response of personnel to quickly evaluate situation and damage level

What Constitutes a Good Security Plan
Rapid response procedures
Fire suppression systems, emergency response systems, law enforcement notification

5 Core Steps in a Physical Security System
• Deter
• Delay
• Detect
• Assess
• Respond

Sidewalk, Lights and Landscaping For Protection

Physical Access Control For Visitors
• Limit the number of entry points
• Force all guests to sign in at a common location
• Reduce entry points even more, after hours and on weekends
• Validate a government issued picture ID before allowing entry
• Require all guests to be escorted by a full time employee
• Encourage employees to question strangers

Natural Surveillance
Natural surveillance is intentional and visible surveillance, meant to make potential criminals aware that they are being watched and to make all others feel safe.

Territorial Reinforcement
Building facilities in such a way that you make people feel secure, open, visible, strong, etc.

Selecting a Facility Site
• Visibility – Terrain, neighbors, population
• Surrounding area – Crime, riots, police, medical, fire, other hazards
• Accessibility – Road access, traffic, airport access, etc.
• Natural Disasters – floods, tornadoes, earthquakes, rain, etc.

Entry Points
Windows and doors are the standard access points. They should be secure, strong, foolproof.
Walls should be at least as strong as the doors and windows.

A Human Trap
• Only allows one person into a secure area at a time
• Open first door, enter
• Wait for first door to close
• Enter second door to secure area
• Only enough space for one person at a time

Don’t Forget About the Ceiling

In Computer Facilities Water Detectors Are Important
Water detectors should be placed under raised floors and on ceilings.

Laptops Are One of the Most Frequently Stolen Physical Assets
• Inventory the laptops
• Harden the operating system
• Password protect BIOS
• Register laptops with vendor
• Don’t check laptop as baggage!
• Don’t leave laptop unattended
• Engrave the laptop visibly
• Use a physical cable and lock
• Back up data
• Encrypt hard disk
• Store in secure place when not in use

Electric Power
Electricity is the lifeline of the company
Use multiple supply circuits coming into the facility
Filter power for a clean electrical signal, important for computers
Have a backup generator, test it regularly
Have an appropriately sized battery backup power supply (UPS)
Test EVERYTHING, test OFTEN

Keep All Wiring Organized On Computer Equipment
• Reduces confusion
• Makes troubleshooting easier
• Lower risk of fire hazard
• Lower risk of electrical interference
• Looks professional and trustworthy, in case visitors come through
• Use shielded cabling to stop electrical interference
• Don’t run electrical wiring close to fluorescent lighting

An Example of What Not to Do

Make Sure All Utility Lines Have Emergency Shutoff Valves

Static Electricity, the Invisible Enemy
• Protect against static electricity, which can destroy computer equipment:
• Antistatic flooring
• Humidity levels should be kept moderate
• Use proper electrical grounding
• No carpeting, ever!!!
• Use anti-static bands on wrist when working on a computer server

HVAC – Heating, Ventilation, Air Conditioning
• Important to have commercial grade systems to keep temperature at the proper level, and keep air filtered and circulating

Every Good Company Is Full of Liebert

Water Sprinkler Systems
• There are two types:
• Wet Pipe – always contains water
• Advantage – always ready for use
• Disadvantage – most costly, possibility of accidental release of water
• Dry Pipe – has to be connected to a tank
• Advantage – no risk of accidental water release
• Disadvantage – not ready immediately

Other Security Controls
• Fences – different heights, strengths
• Bollards – those odd looking posts in front of Best Buy
• Lighting – one of the best deterrents around, cheap and effective
• Locks – usually easy to defeat, but good as one layer of security in a defense in depth strategy
• CCTV – Efficient for monitoring

Auditing Physical Access: Critical Pieces of Information
• The date and time of the access attempt
• The entry point at which access was attempted
• The user ID associated with the access attempt
• Any unsuccessful attempts, especially if done during unauthorized hours
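
Added example, not part of the original lecture: a review script that reads the four audit fields listed above from a badge log and flags unsuccessful attempts, escalating those made outside authorized hours. The log format, entry-point names, user IDs, authorized-hours window and repeat threshold are all constructed assumptions.

```python
import csv
from collections import Counter
from datetime import datetime, time
from io import StringIO

# Constructed sample log: timestamp, entry point, user ID, result.
SAMPLE_LOG = """\
2016-11-01T08:02:11,LOBBY-MAIN,jsmith,GRANTED
2016-11-01T08:15:40,SERVER-ROOM,jsmith,DENIED
2016-11-01T23:47:05,SERVER-ROOM,mlee,DENIED
2016-11-01T23:47:31,SERVER-ROOM,mlee,DENIED
2016-11-01T23:48:02,SERVER-ROOM,mlee,DENIED
2016-11-02T02:10:19,LOADING-DOCK,,DENIED
2016-11-02T09:30:00,LOBBY-MAIN,mlee,GRANTED
"""

AUTHORIZED_HOURS = (time(7, 0), time(19, 0))  # assumed site policy


def parse_events(log_text):
    """Yield one dict per access attempt with the four audit fields."""
    for ts, entry_point, user_id, result in csv.reader(StringIO(log_text)):
        yield {
            "when": datetime.fromisoformat(ts),
            "entry_point": entry_point,
            "user_id": user_id or "<unknown badge>",  # unreadable or unenrolled badge
            "granted": result == "GRANTED",
        }


def review(log_text, hours=AUTHORIZED_HOURS, repeat_threshold=3):
    """Return findings for denied attempts, escalating off-hours and repeats."""
    denied = [e for e in parse_events(log_text) if not e["granted"]]
    repeats = Counter((e["user_id"], e["entry_point"]) for e in denied)
    findings = []
    for e in denied:
        off_hours = not (hours[0] <= e["when"].time() < hours[1])
        repeated = repeats[(e["user_id"], e["entry_point"])] >= repeat_threshold
        severity = "high" if off_hours else "medium" if repeated else "low"
        findings.append({**e, "off_hours": off_hours, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["severity"], f["when"].isoformat(), f["entry_point"], f["user_id"])
```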

Tests and Drills
Need to be developed
Must be put into action, at least once per year, generally speaking
Must be documented
Must be put in easily accessible places
People must be assigned specific tasks
People should be taught and informed on how to fulfill specific tasks
Determine in advance what will determine success

A Note About Credit Card Reader Physical Security
https://www.youtube.com/watch?v=XipjYIbBj7k
• Physical access to credit card transaction equipment is one of the greatest physical security threats facing most small businesses in the United States, but most people never give it a second thought.