2. Domain overview
• The domain addresses...
– Threats
– Vulnerabilities
– Countermeasures
• Focuses on protecting enterprise resources…
– People
– Data
– Facility
– Equipment
3. CISSP expectations
• A candidate must know elements involved in…
– Choosing a secure site
– Design and configuration of a site
– Securing the facility against
• Unauthorized access
• Theft of equipment and information
– Environmental and safety measures needed to protect
• People
• Facility
• Equipment
11. CIA triad
• Risks to CIA (which leg of the triad does each one threaten?)
– Interruptions in providing computer services: Availability
– Physical damage: Availability
– Unauthorized disclosure of information: Confidentiality
– Loss of control over information: Integrity
– Physical theft: Confidentiality and Availability
14. Physical controls
• Implement physical security
• Where are they needed?
– At perimeter and building grounds
– At building entry points
– Inside the building
• Offices / Rooms
– For data centers or server room security
– Computer equipment protection
28. Floors
• Slab
– 150 pounds per square foot weight bearing
• Raised
– Concerns
• Fire rating
• Electrical conductivity
– Employ non-conducting surface material in the data center!
29. Doors
• Must resist forced entry
• Solid core or hollow? (Solid core resists forced entry; hollow doors do not)
• Hinges hidden, internal or fixed so the pins cannot be removed from outside
• Fire rating equivalent to that of the adjacent wall
• Emergency exits must be...
– Clearly marked
– Monitored
– Alarmed
• Electric doors
– Fail-safe or fail-secure? Fail-safe unlocks on power loss (life safety first); fail-secure stays locked on power loss (protects the asset, so it needs a separate emergency exit path)
37. Keep an eye on…
• Sprinkler systems
– Location and type must be known
• Water and gas pipelines
– Location of the shut-off valves must be known
– Water, steam and gas lines should have positive drains
• Flow outward and away from the building!
• Air conditioning
– Dedicated power for data centers
– Location of the EPO (emergency power off) switch should be known
– Provide outward positive air pressure
– Prevents intake of potential toxins into the facility
39. Audit logs
• Identify entry attempts and who attempted them
• Preventive or detective controls? Detective: they record what happened after the fact and do not stop it
• Should record…
– Date and time of the access attempt
– Whether the attempt was successful or not
– Where the access was attempted or granted (i.e. which door)
– Who attempted the access
– Who modified the access privileges at the supervisor level
• Can raise alarms or alerts if required
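The slide lists what a physical access log should capture but not how to review it. The script below is an added example, not part of the original slides: it parses a constructed badge-system export (the column layout, door names, badge IDs and the supervisor "PRIV-CHANGE" record are all invented for illustration) and applies a few detective rules a reviewer would run: repeated denials against one door, after-hours entry to a compartmentalized area, and a supervisor-level privilege change followed almost immediately by use of the new access. The business-hours window and the denial threshold are assumed policy values.

```python
"""Detective review of physical access (badge) logs.

Added example, not from the original slides. Log format, door names,
badge IDs and thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export: timestamp, subject badge, door, result, detail.
# For PRIV-CHANGE rows the subject is the supervisor badge and the detail
# says which badge gained (ADD) or lost (REMOVE) access to which door.
SAMPLE_LOG = """\
2024-03-04T08:02:11 B1001 LOBBY-MAIN GRANTED -
2024-03-04T08:02:15 B1002 LOBBY-MAIN GRANTED -
2024-03-04T08:03:40 B1002 SERVER-ROOM DENIED -
2024-03-04T08:03:52 B1002 SERVER-ROOM DENIED -
2024-03-04T08:04:05 B1002 SERVER-ROOM DENIED -
2024-03-04T08:05:00 B1002 SERVER-ROOM DENIED -
2024-03-04T12:15:30 B1003 SERVER-ROOM GRANTED -
2024-03-04T23:41:07 B1004 SERVER-ROOM GRANTED -
2024-03-05T02:10:00 S0007 PRIV-CHANGE GRANTED B1002:SERVER-ROOM:ADD
2024-03-05T02:12:19 B1002 SERVER-ROOM GRANTED -
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed policy window
FAILED_THRESHOLD = 3                          # assumed: 3+ denials per badge/door/day
SENSITIVE_DOORS = {"SERVER-ROOM"}             # assumed compartmentalized areas
GRANT_USE_WINDOW = timedelta(hours=1)         # assumed "used right after grant" window


def parse_log(text):
    """Turn the whitespace-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, door, result, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "subject": subject,
                       "door": door, "result": result, "detail": detail})
    return events


def in_business_hours(ts):
    return BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]


def review(events):
    """Return (rule, detail) findings in the order the triggering events occur."""
    findings = []
    denials = defaultdict(int)   # (badge, door, date) -> count of DENIED
    recent_grants = {}           # (badge, door) -> time access was added
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["door"] == "PRIV-CHANGE":
            badge, door, action = e["detail"].split(":")
            findings.append(("privilege_change",
                             f"{e['subject']} {action} {door} for {badge} at {e['ts'].isoformat()}"))
            if action == "ADD":
                recent_grants[(badge, door)] = e["ts"]
            continue
        if e["result"] == "DENIED":
            key = (e["subject"], e["door"], e["ts"].date())
            denials[key] += 1
            if denials[key] == FAILED_THRESHOLD:   # report once per badge/door/day
                findings.append(("repeated_denials",
                                 f"{e['subject']} at {e['door']} on {e['ts'].date()}"))
            continue
        # Successful entry from here on.
        if e["door"] in SENSITIVE_DOORS and not in_business_hours(e["ts"]):
            findings.append(("after_hours_sensitive",
                             f"{e['subject']} at {e['door']} at {e['ts'].isoformat()}"))
        granted_at = recent_grants.get((e["subject"], e["door"]))
        if granted_at is not None and e["ts"] - granted_at <= GRANT_USE_WINDOW:
            findings.append(("use_soon_after_grant",
                             f"{e['subject']} used {e['door']} {e['ts'] - granted_at} after grant"))
    return findings


def rule_counts(findings):
    """Summarize findings as {rule: count}."""
    counts = defaultdict(int)
    for rule, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:24s} {detail}")
```

The "use_soon_after_grant" rule is the one worth keeping even if the others are tuned down: a supervisor adding access at 02:10 and the new badge opening the server room at 02:12 is exactly the sequence that a log of privilege changes (the last bullet above) exists to expose.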
40. Emergency procedures
• Should be clearly documented and readily accessible
• Copies should be stored offsite in the event of a disaster
• Should be updated periodically
• Should include the following…
– Emergency system shutdown procedures
– Evacuation procedures
– Employee training, awareness programs, and periodic drills
• Fire drills
– Periodic equipment and systems tests
46. Environmental control areas
• Electrical Power
• Fire Detection and Suppression
• Heating, Ventilation and Air Conditioning (HVAC)
47. Electrical power
• Disruptions in electrical power can have a serious
business impact
• Goals…
– Clean and steady power
– Excellent power quality
• Design considerations…
– Dedicated feeders
– Alternate power source
– Access controls
• Secure breaker and transformer rooms
49. Electrical noise
• Random disturbance interfering with devices
– EMI and RFI
• Caused by…
– Components of electrical system
– Fluorescent lighting, Truck ignitions
• Can cause permanent damage to sensitive
components in a system!
50. Types of EMI noise
• Common mode noise
– Noise from radiation generated by the difference between
the “Hot” and “Ground” wires
• Transverse mode noise
– Noise from radiation generated by the difference between
the “Hot” and “Neutral” wires
51. Protective measures for noise
• Proper line conditioning
• Proper grounding of the system to earth
• Cable shielding
• Limited exposure to magnets, electrical motors, and
fluorescent lights
52. Electrical anomalies
• Power excess
– Spike – Momentary high voltage
– Surge – Prolonged high voltage
• Power loss
– Fault – Momentary power outage
– Blackout – Complete loss of power
• Power degradation
– Sag/dip – Momentary low voltage condition lasting a few seconds
– Brownout – Prolonged low voltage power supply
53. Electrical anomalies
• Transients
– Line noise that is superimposed on the supply circuit can
cause fluctuation in power
• Inrush current
– Initial surge of current required to start a load
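The six terms on the previous slide differ on two axes only: the direction of the deviation (excess, loss, degradation) and whether it is momentary or prolonged. The classifier below is an added example, not from the original slides; it groups a constructed series of one-second mains voltage samples into runs and names each run with the slide's vocabulary. The 10% bands, the 5 V "outage" floor and the 3-second momentary/prolonged boundary are assumptions chosen for illustration; power-quality meters and UPS firmware use their own settings.

```python
"""Classify mains-voltage samples into spike/surge, fault/blackout, sag/brownout.

Added example, not from the original slides. All thresholds are assumptions.
"""
NOMINAL_V = 120.0
HIGH_V = 1.10 * NOMINAL_V   # assumed: more than 10% over nominal is "excess"
LOW_V = 0.90 * NOMINAL_V    # assumed: more than 10% under nominal is "degradation"
OUTAGE_V = 5.0              # assumed: below this the supply has effectively failed
MOMENTARY_S = 3.0           # assumed: shorter than this counts as momentary

# (direction, momentary?) -> the term used on the slide
NAMES = {
    ("excess", True): "spike", ("excess", False): "surge",
    ("loss", True): "fault", ("loss", False): "blackout",
    ("degradation", True): "sag", ("degradation", False): "brownout",
}

# Constructed one-second samples (seconds, volts) containing one event of each kind.
SAMPLES = [
    (0, 120), (1, 121), (2, 119),
    (3, 140),                                    # single high sample
    (4, 120), (5, 120),
    (6, 100), (7, 98), (8, 101), (9, 99), (10, 100),   # low for 4 s
    (11, 120),
    (12, 0),                                     # single dropout
    (13, 120),
    (14, 135), (15, 136), (16, 134), (17, 133),  # high for 3 s
    (18, 120),
]


def band(volts):
    """Direction of deviation for one sample."""
    if volts < OUTAGE_V:
        return "loss"
    if volts > HIGH_V:
        return "excess"
    if volts < LOW_V:
        return "degradation"
    return "normal"


def finish(run):
    duration = run["end"] - run["start"]
    momentary = duration < MOMENTARY_S
    return (NAMES[(run["kind"], momentary)], run["start"], run["end"], run["extreme"])


def classify(samples):
    """Return (name, start_s, end_s, extreme_volts) for each abnormal run."""
    events = []
    run = None
    for t, v in samples:
        kind = band(v)
        if run is not None and run["kind"] == kind:
            run["end"] = t
            run["extreme"] = max(run["extreme"], v) if kind == "excess" else min(run["extreme"], v)
            continue
        if run is not None and run["kind"] != "normal":
            events.append(finish(run))
        run = {"kind": kind, "start": t, "end": t, "extreme": v}
    if run is not None and run["kind"] != "normal":
        events.append(finish(run))
    return events


if __name__ == "__main__":
    for name, start, end, extreme in classify(SAMPLES):
        print(f"{name:9s} t={start}-{end}s extreme={extreme}V")
```

Note that the same 135 V reading is a spike if it lasts one sample and a surge if it persists; the classification is about duration as much as magnitude, which is why the slide pairs each term with "momentary" or "prolonged".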
54. Electrical support systems
• Surge suppressors
• Uninterruptible power supplies
– Bridges power only for the time needed to shut systems down safely (or to bring an alternate source online)
• Emergency shutoff switch (EPO switch)
– Should be monitored by camera
• Alternate Power Supply
– Generator, Fuel Cell, etc.
55. Electrostatic discharge
• A sudden discharge of static electricity when a charged person or object touches a device, delivering a high-voltage shock to it!
• Made worse by low humidity!
56. Static charge and damage
• At 40 Volts
– Sensitive circuits and transistors
• At 1000 Volts
– Scramble monitor display
• At 1500 Volts
– Disk drive data loss
• At 2000 Volts
– System shutdown
• At 4000 Volts
– Printer jam
57. Static charge and damage (2)
• At 17000 Volts
– Permanent chip damage
58. Acceptable humidity
• Ideal humidity range = 40% to 60%
– High humidity > 60%
• Causes problems with condensation on computer equipment
• Causes corrosion of electrical connections, sort of like "electroplating", and impedes electrical efficiency
– Low humidity < 40%
• Increases electrostatic discharge
• Up to 4,000 Volts under normal humidity
• Up to 25,000 Volts under very low humidity
59. Precautions for static electricity
• Use anti-static sprays where possible
• Operations or computer centers should have anti-
static flooring
• Building and computer rooms should be grounded
properly
• Anti-static table or floor mats
• HVAC should maintain proper level of humidity in
computer rooms
60. Fire protection
• Three ways to tackle fire…
– Fire Prevention
– Fire Detection
– Fire Suppression
• Three elements that keep the fire going…
– Heat
– Oxygen
– Fuel
– Remove any one of the three and the fire goes out!
61. Types of fires
Class Description (Fuel)
A Common combustibles such as paper, wood, furniture,
clothing
B Burnable fuels such as gasoline or oil
C Electrical fires such as computers and electronics
D Special fires such as chemical, metal
K Commercial kitchen fire
62. Fire prevention
• Use fire resistant materials for walls, doors,
furnishings, etc.
• Reduce the amount of combustible papers around
electrical equipment
• Provide fire prevention training to employees
– REMEMBER: Life safety is the most important issue!
• Conduct fire drills on all shifts so that personnel
know how to exit a building!
63. Fire detection
• Ionization-type Smoke Detectors
– Detect charged particles in smoke
• Optical (Photoelectric) Detectors
– React to light blockage caused by smoke
• Fixed or Rate-of-Rise Temperature Sensors
– Heat detectors that react to the heat of a fire
– Fixed-temperature sensors have fewer false positives than rate-of-rise sensors
• Flame Actuated
– Senses the infrared energy or the flicker (pulsation) of a flame
– Very FAST response time but expensive!
64. Fire extinguishing methods
Class  Description (Fuel)                                    Extinguishing Method
A      Common combustibles such as paper, wood,              Water, Foam
       furniture, clothing
B      Burnable fuels such as gasoline or oil                Inert Gas, CO2
C      Electrical fires such as computers and electronics    Inert Gas, CO2 (Note: most important step:
                                                             turn off the electricity first!)
D      Special fires such as chemical, metal                 Dry Powder (may require total immersion
                                                             or other special techniques)
K      Commercial kitchen fire                               Wet Chemicals
65. Fire suppression
• Carbon Dioxide, Inert Gas, Foam and Dry Powder extinguishers suppress a fire by DISPLACING or excluding oxygen (foam and powder mainly smother the fuel)
• CO2 is a risk to humans because of oxygen displacement, so people must be out of a confined space before it discharges
• Water suppresses a fire by removing heat, taking the temperature below what is required to sustain it
66. Fire suppression - Halon
• Halon banned for new systems under 1987 Montreal
Protocol on substances that deplete the Ozone Layer
– Began implementation of ban in 1992
– Any new installations of fire suppression systems must use
alternate options
– EU requires removal of Halon from most applications
• Halon replacements:
– FM-200
– Water
67. Fire suppression - Water
• Wet Pipe
– Pipes always contain water
– Most popular
– The fuse in the sprinkler head melts at about 165°F and releases the water
– Water in the pipes can freeze in winter
– Pipe breaks can cause floods
• Dry Pipe
– No water in the pipes; they hold pressurized air instead
– Water is held back by a clapper valve
– When a head opens, the air escapes, the clapper opens and water flows
– Preferred over wet pipe for computer installations
68. Fire Suppression – Water (2)
• Deluge
– Type of dry pipe system with open sprinkler heads
– Discharges a large volume of water at once
– Not recommended for computer installations
• Preaction
– Most recommended for computer rooms
– Combines dry and wet pipe operation
– Pipes stay dry until a detector (heat or smoke) trips and fills the pipes with water (first stage)
– Water is only discharged when the fuse in a sprinkler head melts (second stage), so a false detector alarm alone does not wet the equipment
69. HVAC
• Heating, Ventilation, and Air Conditioning
• Usually the focal point for Environmental Controls
• You need to know who is responsible for HVAC in
your building
• Clear escalation steps need to be defined well in
advance of an environmental threatening incident
70. HVAC issues
• Are computerized components involved?
• Does it maintain appropriate temperature and
humidity levels and air quality?
– Ideal Temperature = 70° to 74° F (about 21° to 23° C)
– Ideal Humidity = 40% to 60%
• Maintenance procedures should be documented
74. Perimeter protection
• Perimeter security controls are the first line of
defense
• Protective barriers – Natural or structural
– Natural barriers
• Terrains that are difficult to cross
• Landscaping (Shrubs, Trees, Spiny shrubs)
– Structural barriers
• Fences, Gates, Bollards, Facility Walls
75. Fences
• Know These Fencing Heights:
– 3 ft – 4 ft high: Deters casual trespassers
– 6 ft – 8 ft high: Too hard to climb easily
– 8 ft high with 3 strands of barbed wire: Deters determined intruders
• Types of fencing
– Chain link
– Barbed wire
– Barbed tape or Concertina wire
76. Fences (2)
• Chain link…
– 6 feet tall (excluding top guard)
– 8 feet tall (with top guard)
– 2 inch openings or less
– Should reach within 2 inches of the ground; on soft ground it should extend below the surface
– Be sure vegetation or adjacent structures do not bridge over the fence
(Figure: chain-link fence with top guard; total height is at least 8 feet)
80. Intrusion detection & surveillance
• Perimeter Intrusion Detection Systems
– Sensors that detect access into the area
• Photoelectric
• Ultrasonic
• Microwave
• Passive infrared (PIR)
• Pressure sensitive (Dry contact switch)
– Surveillance Devices
• Closed-Circuit Television (CCTV)
81. Motion detectors
• Wave Pattern
– Generates a frequency wave pattern
• Capacitance
– Monitors an electrical field around an object
• Audio Detectors
– Monitors any abnormal sound wave generation
– Lots of false alarms
82. CCTV
• A television transmission system that uses cameras
to transmit pictures to connected monitors
• CCTV levels:
– Detection: The ability to detect the presence of an object
– Recognition: The ability to determine the type of object
(animal, blowing debris, crawling human)
– Identification: The ability to determine the object details
(person, large rabbit, small deer, tumbleweed)
84. CCTV deployment features
• Cameras mounted high enough to avoid physical attack
• Cameras distributed to cover blind areas
• Appropriate lenses
• Pan, Tilt, Zoom (PTZ) as required
• Ability to record
• Camera system tied to the alarm system
• Number and quality of video frames increased during an alarm event
• Regular service of moving parts
• Cleaning of lenses
85. CCTV application guidelines
• Understand the facility’s total surveillance
requirements
• Determine the size of the area to be monitored
– Depth, Height, and Width
– Ensures proper camera lens specifications
• Lighting is important – Different lamps and lighting
provide various levels of effectiveness
– ‘Contrast’ between the object and background
– For outdoor use, the US Army specifies the automatically adjusted iris feature
86. CCTV legal & practical implications
• Storage implications of recorded data
• Video tapes must be stored to prevent deterioration
• Digital records must be maintained to assert integrity
• Human rights and privacy implications in recording
people
• Requirements to blur/pixelate individuals other than
accused!
87. Lighting
• Provides a deterrent to intruders
• Makes detection likely if entry attempted
• Should be used with other controls such as fences,
patrols, alarm systems, CCTV
• Critical protected buildings should be illuminated up
to 8 feet high, with 2 foot-candle power!
89. Locks
• Locks are considered delay devices only
• Defeated by force and/or the proper tools
• Never be considered stand-alone method of security
• Types of locks…
96. Lock security measures
• Key control procedures
– Restrict issue of keys on a long-term basis to outside
maintenance or janitorial personnel
– Keep a record of all issued keys
– Investigate the loss of all keys
• When in doubt, rekey the affected locks
– Use as few master keys as possible
– Issue keys on a need-to-go basis
– Remember – Keys are a single-factor authentication
mechanism that can be lost, stolen, or copied!
• (Use 2-factor methods for more secure areas)
97. Compartmentalized area
• Location where sensitive equipment is stored and
where sensitive information is processed
– Must have a higher level of security controls!
98. Portable device security
• Laptops, PDAs, Etc.
– Protect the device
– Protect the data in the device
• Examples:
– Locking the cables
– Tracing software
– Encryption software
– PIN Protection for PDAs
– Inventory system
99. Alarm systems
• Local alarm systems
– Alarm sounds locally and must be protected from
tampering and audible for at least 400 feet
• Central station units
– Monitored 24x7 and signaled over leased lines; the station is usually within 10 minutes travel time
– Typically operated by private security firms
• Proprietary systems
– Similar to central but owned and operated by customer
100. Alarm systems (2)
• Auxiliary station systems
– Systems that ring at local fire or police stations
• Line supervision
– Alarm sounds when alarm transmission medium detects
tampering
104. Maintenance
• Monitor the maintenance
• Contractually bind the contractors
– Audit services provided
• Proper change and configuration management
105. Data destruction
• Data Destruction and Reuse…
– Degaussing or overwriting usually destroys most data; degaussing only works on magnetic media and normally leaves a hard drive unusable
– Normal formatting does not destroy the data; it only rewrites the file system structures
– Overwrite 7 times (Mil-Spec)
– Consider shredding hard drives and other portable media
– Paper records = Confetti (cross-cut) shred or burn!
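The slide says "overwrite 7 times" without showing what a verifiable overwrite looks like. The script below is an added example, not from the original slides: it overwrites a file in place with seven passes, forces each pass to the device with fsync, verifies that the final pass actually landed, and only then unlinks the file. The pass pattern is an assumption modelled on the 7-pass idea; no particular standard's exact sequence is claimed. The caveat that matters in practice: in-place overwriting only helps where the write hits the same physical location. Journaling and copy-on-write file systems, snapshots, and SSD wear levelling can all leave old copies behind, so on flash media use the device's own secure-erase or crypto-erase command, and for anything truly sensitive fall back to the physical destruction the slide recommends.

```python
"""Multi-pass in-place overwrite of a file before disposal, with verification.

Added example, not from the original slides. The pass schedule is an assumption.
"""
import os
import tempfile

# Assumed 7-pass schedule: fixed patterns, two random passes, and zeros last so the
# final state can be verified. None means a pass of random bytes.
PASSES = [b"\xff", b"\x00", b"\xff", None, b"\xaa", None, b"\x00"]
BLOCK = 64 * 1024


def overwrite_file(path, passes=PASSES, block=BLOCK):
    """Overwrite every byte of the file once per pass; return the size overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(block, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push this pass to the device, not just the page cache
    return size


def verify_final_pass(path, pattern=PASSES[-1], block=BLOCK):
    """True if every byte on disk equals the last pass's pattern."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                return True
            if chunk != pattern * len(chunk):
                return False


def shred(path):
    """Overwrite, verify, then unlink. Refuses to delete if verification fails."""
    size = overwrite_file(path)
    if not verify_final_pass(path):
        raise RuntimeError(f"final overwrite pass did not verify on {path}; do not trust this medium")
    os.remove(path)
    return size


def demo():
    """Create a throwaway file with constructed content, shred it, report the outcome."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "constructed-secret.txt")
    with open(path, "wb") as f:
        f.write(b"account=1234 pin=9876\n" * 500)   # constructed sample data
    size = overwrite_file(path)
    verified = verify_final_pass(path)
    with open(path, "rb") as f:
        zeroed = f.read() == b"\x00" * size
    os.remove(path)
    os.rmdir(d)
    return {"size": size, "verified": verified, "zeroed": zeroed,
            "exists_after": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

Run it against a file on a journaling file system and then search the raw block device for the original string; finding it there is the quickest way to convince a team that "overwrite in place" and "the data is gone" are not the same statement.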
107. Question 1
• Under what conditions would the use of a "Class C"
hand-held fire extinguisher be preferable to the use
of a "Class A" hand-held fire extinguisher?
A. When the fire is in its incipient stage.
B. When the fire involves electrical equipment.
C. When the fire is located in an enclosed area.
D. When the fire is caused by flammable products.
108. Question 1 (answer)
• B. When the fire involves electrical equipment. A Class C extinguisher is rated for energized electrical equipment; a Class A (water-based) extinguisher conducts electricity.
109. Question 2
• Which of the following is the most costly
countermeasure to reducing physical security risks?
A. Procedural controls
B. Hardware devices
C. Electronic systems
D. Personnel
110. Question 2 (answer)
• D. Personnel. Guards are the most expensive physical countermeasure because of ongoing salary, training and supervision costs.
111. Question 3
• Which type of fire extinguisher is most appropriate
for an information processing facility?
A. Type A
B. Type B
C. Type C
D. Type D
112. Question 3 (answer)
• C. Type C, rated for electrical fires such as computers and electronics.
113. Question 4
• Which of the following floors would be most
appropriate to locate information processing
facilities in a 6-stories building?
A. Basement
B. Ground floor
C. Third floor
D. Sixth floor
114. Question 4 (answer)
• C. Third floor. The basement is exposed to flooding, the ground floor to direct outside access, and the top floor to roof leaks; a middle floor avoids all three.