Thursday, December 20, 2012

Defense in Depth Layer 2: Physical Security


“Security is always excessive until it's not enough.”
— Robbie Sinclair, Head of Security, Country Energy, NSW Australia


The next layer of Defense in Depth (DID), working inward or upward, is physical security.  Preventing access to items that should remain secure may seem like a no-brainer, but physical security is often taken for granted, and complacency can lead to lax security efforts.  The purpose of physical security is to make it extremely difficult, if not impossible, for intruders to gain access to tangible assets such as personnel, servers, network equipment and cabling, computers, data storage devices, and other valuable resources.

This image, retrieved from http://technet.microsoft.com/library/dd365117.aspx, refreshes our memory of the DID layers.



The Facilities Physical Security Measures Guideline by ASIS (http://www.abdi-secure-ecommerce.com/asis/ps-920-30-1854.aspx) suggests that there are eight main categories of physical security.  We will use these categories to address the layers of security within the physical layer:

1. Crime Prevention Through Environmental Design (CPTED)
-Uses architectural design and the physical environment as protection against opportunities for crime
-Relies on an awareness of how people use space for legitimate and illegitimate purposes
-Designed to support and control desired and acceptable behaviors
-Uses mechanical measures (locks, gates, etc.), organizational measures (teaching employees how to protect themselves and the spaces they occupy, routine activity theory/capable guardians), and natural/architectural measures (spaces are designed to be effective for users while at the same time deterring crime)

2. Physical Barriers and Site Hardening (keeping unwanted parties out)
-A physical barrier may be natural (fields, rivers, mountains) or structural (landscaping, ditches, walls, doors, roofs).
-Meant to physically and psychologically discourage unauthorized access
-Keeps people and property within a given area, e.g. keeps property from being thrown out the window to be retrieved later
-Directs pedestrian or vehicle traffic in predictable patterns
-Demonstrates a concern for security, e.g. indicates there are further security measures in store
-May delay access by determined attackers
-Includes protection for practical openings (doors and windows) and other openings (ducts, vents, utility channels, tunnels)
-Examples:  Fences (chain-link, barbed wire, ornamental, wooden, concrete, etc.), planters, bollards, concrete barriers, steel barricades, gates, turnstiles, fortification with steel bars and wire mesh, etc.
-Site hardening includes protecting structural integrity against attacks and natural disasters and provides for redundancy of operating systems and utilities.

3. Physical Entry and Access Controls (allowing some people in and keeping others out)
Access control systems may be manual (use personnel to control access), machine-aided manual (e.g. metal detectors), or automated (use technology alone to control access).
-Access control barriers – doors, gates, turnstiles, elevators, etc.
-Electronic access control systems – require credentials, i.e. something you know, something inherent to you, and something you carry
-Personnel access control – tokens or other items in an employee’s possession, e.g. metal key, swipe card, photo ID card, password, PIN, biometric features (fingerprint, iris/retinal patterns, speech)
-Locks – mechanical, electrified, electromagnetic, card-operated, biometric, key system, etc.
-Contraband detection – physical searches by security officers or trained canines, metal detectors, x-ray machines, explosive detectors, etc.
-Vehicle access control – placards, stickers, RFID tags, bar codes, etc.
-Procedures and controls – should address such issues as wearing of badges, number of access attempts allowed, list of prohibited materials, access hours and levels of access, authorized visitor access, etc.
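
The procedures and controls listed above (number of access attempts allowed, access hours, levels of access) are the rules an automated access control system enforces at each door. The sketch below is an added example, not code from ASIS or from any access control product: the class and function names, the badge and door data, and the three-attempt limit are all assumptions, and the PIN check is reduced to a true/false input.

```python
from dataclasses import dataclass
from datetime import datetime, time

MAX_FAILED_ATTEMPTS = 3  # assumed policy value, not from the ASIS guideline

@dataclass
class Badge:
    holder: str
    level: int        # highest access level this badge may enter
    start: time       # access hours (inclusive, same-day window)
    end: time
    active: bool = True

class AccessController:
    """Fail-closed door controller: anything not explicitly allowed is denied."""
    def __init__(self, badges, doors):
        self.badges = badges      # badge_id -> Badge
        self.doors = doors        # door name -> required access level
        self.failures = {}        # badge_id -> consecutive denials
        self.audit = []           # every decision is logged, grants included

    def request(self, badge_id, door, pin_ok, when: datetime):
        reason = self._evaluate(badge_id, door, pin_ok, when)
        if reason == "granted":
            self.failures[badge_id] = 0
        else:
            self.failures[badge_id] = self.failures.get(badge_id, 0) + 1
        self.audit.append((when.isoformat(), badge_id, door, reason))
        return reason

    def _evaluate(self, badge_id, door, pin_ok, when):
        badge = self.badges.get(badge_id)
        if badge is None or not badge.active or door not in self.doors:
            return "denied: unknown badge or door"
        if self.failures.get(badge_id, 0) >= MAX_FAILED_ATTEMPTS:
            return "denied: locked out"   # stays locked until staff reset it
        if not pin_ok:                    # "something you know"
            return "denied: bad PIN"
        if not (badge.start <= when.time() <= badge.end):
            return "denied: outside access hours"
        if badge.level < self.doors[door]:
            return "denied: insufficient access level"
        return "granted"

def sample_controller():
    """Constructed sample data: two badges, two doors."""
    badges = {"B100": Badge("day-shift tech", 1, time(7), time(18)),
              "B200": Badge("datacenter admin", 3, time(0), time(23, 59, 59))}
    return AccessController(badges, {"lobby": 1, "server-room": 3})
```

The lockout check runs before the PIN check, so once a badge is locked out even a correct PIN is refused until security staff clear the counter, and each refusal still lands in the audit trail.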


Image retrieved from http://gcn.com/articles/2012/10/30/free-suite-tests-for-biometric-compliance.aspx.


4. Security Lighting
-May deter adversaries and suspicious activities
-Improved surveillance and security response
-Reduced liability
-Witness potential
-Useful both outdoors and indoors
-Intensity is a factor
-Many different lighting types and applications, e.g. continuous, standby, emergency, floodlight, LED, etc.
-Requires adequate power, mounting, and maintenance

5. Intrusion Detection Systems (Alarm Systems)
-Deter intruders when warning signs are posted
-Detect an impending or actual security breach
-Delay intruders by activating other physical barriers
-Respond by pinpointing location of intrusion and where the intruder has moved
-Examples:  position detection devices, motion detectors, sound detectors, vibration sensors, heat sensors, impact sensors
-Include alarm transmission, monitoring, and notification

6. Video Surveillance
-Systems are usually closed-circuit television (CCTV) systems.
-Detects activities that call for a security response
-Collects images of an incident for later review and evidence if needed
-Assists in alarm analysis
-There are a variety of considerations for camera types, requirements, and features, e.g. motion detection, transport medium, length of storage, resolution, lighting, lens selection, etc.
-Requires adequate power, mounting, and maintenance

7. Security Personnel
-Implements, monitors, and maintains physical security measures
-May include Chief Security Officer (CSO), security manager, security officer, guard, etc.
             
8. Security Policies and Procedures
Although we discussed policies and procedures in last week’s post, it is important to note that special consideration should be given to physical security measures.
-Establish strategic security objectives and priorities
-Set forth responsibilities and expectations for all people in the organization
-Must be communicated effectively

At this point, it would be a good idea to briefly mention the concept of security convergence.  Security convergence is the integration of physical security and logical security (cybersecurity).  The theory is that a holistic approach to security will yield more benefits than either one alone will.  It provides a more streamlined approach to management that maximizes efficiencies.  We will revisit this topic at another time.  

Whew!  There was a lot of information to cover here.  Next time we will discuss perimeter security as we begin our move to the creamy nougat center of our DID layer model. (Blogging makes me hungry!)

Thanks for reading!

Jen
