vulnerability is low or nonexistent (a tsunami in Ohio, for example), all possi- ble threats must be compiled and examined. Many assessment methods (SSE-CMM or IAM) have the practitioner compile these complete lists before making a determination as to their likelihood. The triad of Confidentiality, Availability, and Integrity is at risk in the phys- ical environment and must be protected. Examples of risks to C.I.A. include the following: ■■ Interruptions in providing computer services—availability ■■ Physical damage—Availability ■■ Unauthorized disclosure of information—Confidentiality ■■ Loss of control over system—Integrity ■■ Physical theft—Confidentiality, Integrity, and Availability Examples of threats to physical security are as follows: ■■ Emergencies ■■ Fire and smoke contaminants ■■ Building collapse or explosion ■■ Utility loss (electrical power, air conditioning, heating) ■■ Water damage (pipe breakage) ■■ Toxic materials release ■■ Natural disasters ■■ Earth movement (such as earthquakes and mudslides) ■■ Storm damage (such as snow, ice, and floods) ■■ Human intervention ■■ Sabotage ■■ Vandalism ■■ War ■■ Strikes Donn B. Parker, in his book, Fighting Computer Crime (Wiley, 1998), has com- piled a very comprehensive list that he calls the seven major sources of physi- cal loss with examples provided for each: 1. Temperature. Extreme variations of heat or cold, such as sunlight, fire, freezing, and heat 2. Gases. War gases, commercial vapors, humidity, dry air, and suspended particles are included. Examples of these would be Sarin nerve gas, PCP from exploding transformers, air conditioning failures, smoke, smog, cleaning fluid, fuel vapors, and paper particles from printers. Physical Security 461 3. Liquids. Water and chemicals are included. Examples of these are floods, plumbing failures, precipitation, fuel leaks, spilled drinks, acid and base chemicals used for cleaning, and computer printer fluids. 4. Organisms. Viruses, bacteria, people, animals, and insects are included. Examples of these are sickness of key workers, molds, contamination from skin oils and hair, contamination and electrical shorting from defecation and release of body fluids, consumption of information media such as paper or cable insulation, and shorting of microcircuits from cobwebs. 5. Projectiles. Tangible objects in motion and powered objects are included. Examples of these are meteorites, falling objects, cars and trucks, bullets and rockets, explosions, and wind. 6. Movement. Collapse, shearing, shaking, vibration, liquefaction, flows, waves, separation, and slides are included. Examples of these are dropping or shaking of fragile equipment, earthquakes, Earth slides, lava flows, sea waves, and adhesive failures. 7. Energy anomalies. Types of electric anomalies are electric surges or failure, magnetism, static electricity, aging circuitry, radiation, sound, light, and radio, microwave, electromagnetic, and atomic waves. Examples of these include electric utility failures, proximity of magnets and electromagnets, carpet static, decomposition of circuit materials, decomposition of paper and magnetic disks, Electro-Magnetic Pulse (EMP) from nuclear explosions, lasers, loudspeakers, high-energy radio frequency (HERF) guns, radar systems, cosmic radiation, and explosions. Controls for Physical Security Under the heading of Physical Security Controls, there are several areas. In general, these controls should match up with the listed threats. In this chapter, we have grouped the controls into two areas: Administrative Controls, and Physical and Technical Controls. Administrative Controls Administrative controls, as opposed to physical or technical controls, can be thought of as the area of physical security protection that benefits from the proper administrative steps. These steps encompass proper emergency proce- dures, personnel control (in the area of Human Resources), proper planning, and policy implementation. 462 The CISSP Prep Guide: Gold Edition We will look at the following various elements of Administrative Controls: ■■ Facility Requirements Planning ■■ Facility Security Management ■■ Administrative Personnel Controls Facility Requirements Planning Facility Requirements Planning describes the concept of the need for planning for physical security controls in the early stages of the construction of a data facility. There might be an occasion when security professionals are able to provide input at the construction phase of a building or data center. Some of the physical security elements involved at the construction stage include choosing and designing a secure site. Choosing a Secure Site The environmental placement of the facility is also a concern during initial planning. Security professionals need to consider such questions as: Visibility. What kind of neighbors will the proposed site have? Will the site have any external markings that will identify it as a sensitive processing area? Low visibility is the rule here. Local considerations. Is the proposed site near possible hazards (for example, a waste dump)? What is the local rate of crime (such as forced entry and burglary)? Natural disasters. Is it likely this location will have more natural disasters than other locations? Natural disasters can include weather-related problems (wind, snow, flooding, and so forth) and the existence of an earthquake fault. Transportation. Does the site have a problem due to excessive air, highway, or road traffic? Joint tenancy. Are access to environmental and HVAC controls complicated by a shared responsibility? A data center might not have full access to the systems when an emergency occurs. External services. Do you know the relative proximity of the local emergency services, such as police, fire, and hospitals or medical facilities? Designing a Secure Site Information Security processing areas are the main focus of physical control. Examples of areas that require attention during the construction planning stage are: Physical Security 463 Walls. Entire walls, from the floor to the ceiling, must have an acceptable fire rating. Closets or rooms that store media must have a high fire rating. Ceilings. Issues of concern regarding ceilings are the weight-bearing rating and the fire rating. Floors. The following are the concerns about flooring: ■■ Slab. If the floor is a concrete slab, the concerns are the physical weight it can bear (known as loading, which is commonly 150 pounds per square foot) and its fire rating. ■■ Raised. The fire rating, its electrical conductivity (grounding against sta- tic buildup), and that it employs a non-conducting surface material are concerns of raised flooring in the data center. Windows. Windows are normally not acceptable in the data center. If they do exist, however, they must be translucent and shatterproof. Doors. Doors in the data center must resist forcible entry and have a fire rating equal to the walls. Emergency exits must be clearly marked and monitored or alarmed. Electric door locks on emergency exits should revert to a disabled state if power outages occur to enable safe evacua- tion. While this may be considered a security issue, personnel safety always takes precedence, and these doors should be manned in an emergency. Sprinkler system. The location and type of fire suppression system must also be known. Liquid or gas lines. Security professionals should know where the shut- off valves are to water, steam, or gas pipes entering the building. Also, water drains should be “positive,” that is, they should flow outward, away from the building, so they do not carry contaminants into the facility. Air conditioning. AC units should have dedicated power circuits. Secu- rity professionals should know where the Emergency Power Off (EPO) switch is. As with water drains, the AC system should provide outward, positive air pressure and have protected intake vents to pre- vent air-carried toxins from entering the facility. Electrical requirements. The facility should have established backup and alternate power sources. Dedicated feeders and circuits are required in the data center. Security professionals should check for access controls to the electrical distribution panels and circuit breakers. 464 The CISSP Prep Guide: Gold Edition Facility Security Management Under the grouping of Facility Security Management, we list audit trails and emergency procedures. These are elements of the Administrative Security Controls that are not related to the initial planning of the secure site, but are required to be implemented on an ongoing basis. Audit Trails An audit trail (or access log) is a record of events. A computer system might have several audit trails, each focused on a particular type of activity—such as detecting security violations, performance problems, and design and programming flaws in applications. In the domain of physical security, audit trails and access control logs are vital because management needs to know where access attempts existed and who attempted them. The audit trails or access logs must record the following: ■■ The date and time of the access attempt ■■ Whether the attempt was successful or not ■■ Where the access was granted (which door, for example) ■■ Who attempted the access ■■ Who modified the access privileges at the supervisor level Some audit trail systems can also send alarms or alerts to personnel if mul- tiple access failure attempts have been made. Remember that audit trails and access logs are detective, rather than pre- ventative. They do not stop an intrusion—although knowing that an audit trail of the entry attempt is being compiled may influence the intruder to not attempt entry. Audit trails do help an administrator reconstruct the details of an intrusion post-event, however. Emergency Procedures The implementation of emergency procedures and the employee training and knowledge of these procedures is an important part of administrative physical controls. These procedures should be clearly documented, readily accessible (including copies stored off-site in the event of a disaster), and updated peri- odically. Elements of emergency procedure administration should include the fol- lowing: ■■ Emergency system shutdown procedures ■■ Evacuation procedures Physical Security 465 ■■ Employee training, awareness programs, and periodic drills ■■ Periodic equipment and systems tests Administrative Personnel Controls Administrative Personnel Controls encompass those administrative processes that are implemented commonly by the Human Resources department during employee hiring and firing. Examples of personnel controls implemented by HR often include the following: ■■ Pre-employment screening: ■■ Employment, references, or educational history checks ■■ Background investigation or credit rating checks for sensitive posi- tions ■■ On-going employee checks: ■■ Security clearances—generated only if the employee is to have access to classified documents ■■ Ongoing employee ratings or reviews by their supervisor ■■ Post-employment procedures: ■■ Exit interview ■■ Removal of network access and change of passwords ■■ Return of computer inventory or laptops Environmental and Life Safety Controls Environmental and Life Safety Controls are considered to be those elements of physical security controls that are required to sustain either the computer’s operating environment or the personnel’s operating environment. The follow- ing are the three main areas of environmental control: 1. Electrical power 2. Fire detection and suppression 3. Heating, Ventilation, and Air Conditioning (HVAC) Electrical Power Electrical systems are the lifeblood of computer operations. The continued supply of clean, steady power is required to maintain the proper personnel 466 The CISSP Prep Guide: Gold Edition environment as well as to sustain data operations. Many elements can threaten power systems, the most common being noise, brownouts, and humidity. Noise Noise in power systems refers to the presence of electrical radiation in the sys- tem that is unintentional and interferes with the transmission of clean power. Some power issues have been covered in Chapter 3, “Telecommunications and Network Security,” such as Uninterruptible Power Supplies (UPS) and backup power. In this section, we will go into more detail about these types of power problems and their recommended solutions. There are several types of noise, the most common being Electromagnetic Interference (EMI ) and Radio Frequency Interference (RFI). EMI is noise that is caused by the generation of radiation due to the charge difference between the three electrical wires—the hot, neutral, and ground wires. Two common types of EMI generated by electrical systems are: Common-mode noise. Noise from the radiation generated by the difference between the hot and ground wires Traverse-mode noise. Noise from the radiation generated by the difference between the hot and neutral wires RFI is generated by the components of an electrical system, such as radiat- ing electrical cables, fluorescent lighting, and electric space heaters. RFI can be so serious that it not only interferes with computer operations, but it also can permanently damage sensitive components. Several protective measures for noise exist. Some of the ones that need to be noted are: ■■ Power line conditioning ■■ Proper grounding of the system to the earth ■■ Cable shielding ■■ Limiting exposure to magnets, fluorescent lights, electric motors, and space heaters Table 10.1 lists various electrical power terms and descriptions. Brownouts Unlike a sag, a brownout is a prolonged drop in supplied usable voltage that can do serious physical damage to delicate electronic components. The Ameri- can National Standards Institute (ANSI) standards permit an 8 percent drop between the power source and the building’s meter, and permit a 3.5 percent drop between the meter and the wall. In New York City, 15 percent fluctuations Physical Security 467 are common, and a prolonged brownout can lower the supplied voltage more than 10 percent. In addition, surges and spikes occurring when the power comes back up from either a brownout or an outage can also be damaging to the components. All computer equipment should be protected by surge suppressors, and criti- cal equipment will need an Uninterruptible Power Supply (UPS). Humidity The ideal operating humidity range is defined as 40 percent to 60 percent. High humidity, which is defined as greater than 60 percent, can produce a problem by creating condensation on computer parts. High humidity also cre- ates problems with the corrosion of electrical connections. A process similar to electroplating occurs, causing the silver particles to migrate from the connec- tors onto the copper circuits, thus impeding the electrical efficiency of the components. Low humidity of less than 40 percent increases the static electricity damage potential. A static charge of 4000 volts is possible under normal humidity con- ditions on a hardwood or vinyl floor, and charges up to 20,000 volts or more are possible under conditions of very low humidity with non-static-free car- peting. Although you cannot control the weather, you certainly can control your relative humidity level in the computer room through your HVAC sys- tems. Table 10.2 lists the damage various static electricity charges can do to computer hardware. 468 The CISSP Prep Guide: Gold Edition Table 10.1 Electrical Power Definitions ELEMENT DESCRIPTION Fault Momentary power loss Blackout Complete loss of power Sag Momentary low voltage Brownout Prolonged low voltage Spike Momentary high voltage Surge Prolonged high voltage Inrush Initial surge of power at the beginning Noise Steady interfering disturbance Transient Short duration of line noise disturbances Clean Non-fluctuating pure power Ground One wire in an electrical circuit must be grounded Physical Security 469 Table 10.2 Static Charge Damage STATIC CHARGE IN VOLTS WILL DAMAGE 40 Sensitive circuits and transistors 1,000 Scramble monitor display 1,500 Disk drive data loss 2,000 System shutdown 4,000 Printer jam 17,000 Permanent chip damage CHECK YOUR CARPETS! A major New York City legal client once brought me into an emergency situation. They were scheduled for a cut over to a major new computer system the next weekend and were having problems keeping their system online. They had been operating it successfully in parallel for a few weeks in the lab, but once the system was moved to the operations center, it would frequently abort and reset for no apparent reason. After examining every conceivable parameter of the configuration and scratching my head for a bit, I noticed that I could cause a very small static discharge when I touched the case, thereby resetting the unit. Evidently the building contractor had run out of static-free carpet in the operations center and had finished the job with regular carpeting. Once we relocated the system, everything ran fine. Some precautions you can take to reduce static electricity damage are: ■■ Use anti-static sprays where possible. ■■ Operations or computer centers should have anti-static flooring. ■■ Building and computer rooms should be grounded properly. ■■ Anti-static table or floor mats can be used. ■■ HVAC should maintain the proper level of relative humidity in com- puter rooms. Fire Detection and Suppression The successful detection and suppression of fire is an absolute necessity for the safe, continued operation of information systems. A CISSP candidate will need to know the classes, combustibles, detectors, and suppression methods of fire safety. Fire Classes and Combustibles Table 10.3 lists the three main types of fires, what type of combustible gives the fire its class rating, and the recommended extinguishing agent. For rapid oxidation to occur (a fire), three elements must be present: oxy- gen, heat, and fuel. Each suppression medium affects a different element and is therefore better suited for different types of fires. Water. Suppresses the temperature required to sustain the fire. Soda Acid. Suppresses the fuel supply of the fire. CO 2 . Suppresses the oxygen supply required to sustain the fire. Halon. A little different, it suppresses combustion through a chemical reaction that kills the fire. Anyone who has had the misfortune to throw water on a grease fire in a skillet and has suffered the resultant explosion will never need to be reminded that certain combustibles require very specific suppression methods. Fire Detectors Fire detectors respond to heat, flame, or smoke to detect thermal combustion or its by-products. Different types of detectors have various properties and use the different properties of a fire to raise an alarm. Heat-sensing. Heat-actuated sensing devices usually detect one of the two conditions: 1) the temperature reaches a predetermined level, or 2) the temperature rises quickly regardless of the initial temperature. The first type, the fixed temperature device, has a much lower rate of false positives (false alarms) than the second, the rate-of-rise detector. Flame-actuated. Flame-actuated sensing devices are fairly expensive, as they sense either the infrared energy of a flame or the pulsation of the flame, and have a very fast response time. They are usually used in specialized applications for the protection of valuable equipment. 470 The CISSP Prep Guide: Gold Edition Table 10.3 Fire Classes and Suppression Mediums CLASS DESCRIPTION SUPPRESSION MEDIUMS A Common combustibles Water or soda acid B Liquid CO 2 , soda acid, or Halon C Electrical CO 2 or Halon [...]... however, due to the time required to get back on-line after an incident Preaction This is currently the most recommended water system for a computer room It combines both the dry and wet pipe systems, by first releasing the water into the pipes when heat is detected (dry pipe), then releasing the water flow when the link in the nozzle melts (wet pipe) 471 472 The CISSP Prep Guide: Gold Edition This feature... a standard part of the Basic Input Output System (BIOS ) of many off -the- shelf PCs They might also be called cryptographic locks 481 482 The CISSP Prep Guide: Gold Edition Laptop Control The proliferation of laptops and portables is the next evolution of distributed computing and constitutes a challenge to security practitioners Now the computing resources can be strewn all over the globe, and physical... devices 479 480 The CISSP Prep Guide: Gold Edition Wave Pattern Wave pattern motion detectors generate a frequency wave pattern and send an alarm if the pattern is disturbed as it is reflected back to its receiver These frequencies can either be in the low, ultrasonic, or microwave range Capacitance Capacitance detectors monitor an electrical field surrounding the object being monitored They are used... keypad on the reader contains either a fixed preset code or a programmable unique key pattern A system-sensing proximity card recognizes the presence of the coded device in the reader’s general area The following are the three common types of system-sensing cards, which are based upon the way the power is generated for these devices: 1 Passive devices These cards contain no battery or power on the card,... other magnetic media) from damage or loss, such as 1 Keep the disks in locked cases 2 Don’t bend the diskettes 3 Maintain the proper temperature and humidity 4 Avoid external magnetic fields (such as TVs or radios) 5 Don’t write directly on the jacket or sleeve 483 484 The CISSP Prep Guide: Gold Edition THE JOY OF DUMPSTER DIVING New York is the capital of ticker-tape parades New Yorkers never seem... more 485 4 86 The CISSP Prep Guide: Gold Edition Sample Questions You can find answers to the following questions in Appendix H 1 The recommended optimal relative humidity range for computer operations is: a 10%–30% b 30%–40% c 40% 60 % d 60 %–80% 2 How many times should a diskette be formatted to comply with TCSEC Orange Book object reuse recommendations? a Three b Five c Seven d Nine 3 Which of the following... Environmental contamination resulting from the fire (or its suppression) can cause damage to the computer systems by depositing conductive particles on the components The following are some examples of fire contaminants: I I Smoke I I Heat I I Water I I Suppression medium contamination (Halon or CO2) 473 474 The CISSP Prep Guide: Gold Edition Table 10.4 lists the temperatures required to damage various... 494 The CISSP Prep Guide: Gold Edition c IG-01 d HCFC-22 12 Which choice below is NOT permitted under computer room raised flooring? a Interconnecting DP cables enclosed in a raceway b Underfloor ventilation for the computer room only c Nonabrasive openings for cables d Underfloor ventilation to the rest of the offices’ ventilation system 13 Which choice below represents the BEST reason to control the. .. destroying the media, and therefore the residual data Paper reports, diskettes, and optical media (CD-ROMs) need to be physically destroyed before disposal The following are the common problems with magnetic media erasure that may cause data remanence: 1 Erasing the data through an operating system does not remove the data, it just changes the File Allocation Table and renames the first character of the file... manual intervention before a full discharge of water on the equipment occurs Gas discharge systems employ a pressurized inert gas and are usually installed under the computer room raised floor The fire detection system typically activates the gas discharge system to quickly smother the fire either under the floor in the cable areas or throughout the room Typical agents of a gas discharge system are carbon . Power Electrical systems are the lifeblood of computer operations. The continued supply of clean, steady power is required to maintain the proper personnel 466 The CISSP Prep Guide: Gold Edition environment. to evacuate immediately when deployed, whether Halon is released under the flooring or overhead in the raised ceiling. 472 The CISSP Prep Guide: Gold Edition At the Montreal Protocol of 1987, Halon. check for access controls to the electrical distribution panels and circuit breakers. 464 The CISSP Prep Guide: Gold Edition Facility Security Management Under the grouping of Facility Security