BLM5102

Computer Systems and

Network Security
Prof. Dr. Hasan Hüseyin BALIK

(4th Week)
 Outline
• 4. Management ıssues
—4.1. IT Security Management and Risk
Assessment
—4.2. IT Security Controls, Plans and Procedures
—4.3. Physical and Infrastructure Security
—4.4. Human Resources Security
—4.5. Security Auditing
4.3. Physical and Infrastructure Security
 4.3. Outline
• Overview
• Physical Security Threats
• Physical Security Prevention and Mitigation
Measures
• Recovery from Physical Security Breaches
• Example: A Corporate Physical Security
Policy
• Integration of Physical and Logical Security
Physical and Infrastructure
Security
Logical security
•Protects computer-based data from software-based and communication-based threats

Physical security
•Also called infrastructure security
•Protects the information systems that contain data and the people who use, operate,
and maintain the systems
•Must prevent any type of physical access or intrusion that can compromise logical
security

Premises security
•Also known as corporate or facilities security
•Protects the people and property within an entire area, facility, or building(s), and is
usually required by laws, regulations, and fiduciary obligations
•Provides perimeter security, access control, smoke and fire detection, fire suppression,
some environmental protection, and usually surveillance systems, alarms, and guards
 Physical Security
Overview
• Protect physical assets that support the storage and
processing of information

Concerns include
information system
Prevent damage to
hardware, physical
physical infrastructure
facility, support facilities,
Involves two and personnel
complementary
requirements: Prevent physical Includes vandalism, theft
infrastructure misuse that of equipment, theft by
leads to the misuse or copying, theft of
damage of protected services, and
information unauthorized entry
Physical Security Threats
Physical situations and occurrences
that threaten information systems:

•Environmental threats
•Technical threats
•Human-caused threats
Characteristics of Natural Disasters

Source: ComputerSite Engineering, Inc.

 Fujita
Tornado
Intensity
Scale
Saffir/Simpson Hurricane Scale
Temperature Thresholds for Damage to
Computing Resources
Com pon e n t or M e diu m Sust a ine d Am bie nt
Te m pe r a t u r e a t w h ich
D a m a ge M a y Be gin
Flexible disks, magnetic tapes, 38 ºC (100 ºF)
etc.

Optical media 49 ºC (120 ºF)

Hard disk media 66 ºC (150 ºF)
Computer equipment 79 ºC (175 ºF)
Thermoplastic insulation on 125 ºC (257 ºF)
wires carrying hazardous
voltage
Paper products 177 ºC (350 ºF)
Source: Data taken from National Fire Protection Association.
 1300
2300

1200 2200

2100

1100
2000

1900
1000
Fire Temperature, ºC

Fire Temperature, ºF
1800

900 1700

1600

800 1500

1400

700 1300

1200

600 1100

1000
500
900

800
400
1 2 3 4 5 6 7 8

Duration, hours

Figure 16.1 Standard Fire Temperature-Time Relations Used for Testing of

Building Elements
 Temperature Effect
260 Cº/ 500 ºF Wood ignites
326 Cº/ 618 ºF Lead melts
415 Cº/ 770 ºF Zinc melts
480 Cº/ 896 ºF An uninsulated steel file
tends to buckle and expose
its contents
Temperature
Effects
Temperature Effect
625 Cº/ 1157 ºF Aluminum melts

1220 Cº/ 2228 ºF Cast iron melts

1410 Cº/ 2570 ºF Hard steel melts
 Water Damage

A pipe may burst

Primary danger is an Sprinkler systems set
from a fault in the
electrical short off accidentally
line or from freezing

Due diligence should

Floodwater leaving a
be performed to ensure
muddy residue and
that water from as far as
suspended material in
two floors above will
the water
not create a hazard
 Chemical, Radiological,
and Biological Hazards
• Pose a threat from intentional attack and from accidental
discharge
• Discharges can be introduced through the ventilation
system or open windows, and in the case of radiation,
through perimeter walls
• Flooding can also introduce biological
or chemical contaminants
 Dust and Infestation
Dust Infestation
• Often overlooked • Covers a broad range of
• Rotating storage media living organisms:
and computer fans are the • High-humidity conditions
most vulnerable to damage can cause mold and mildew
• Can also block ventilation • Insects, particularly those
• Influxes can result from a that attack wood and paper
number of things:
• Controlled explosion of a
nearby building
• Windstorm carrying debris
• Construction or maintenance
work in the building
 Technical Threats
• Electrical power is essential to run equipment
• Power utility problems:
• Under-voltage - dips/brownouts/outages, interrupts service
• Over-voltage - surges/faults/lightening, can destroy chips
• Noise - on power lines, may interfere with device operation
Electromagnetic interference (EMI)
• Noise along a power supply line, motors, fans, heavy
equipment, other computers, cell phones, microwave relay
antennas, nearby radio stations
• Noise can be transmitted through space as well as through
power lines
• Can cause intermittent problems with computers
 Human-Caused Threats
• Less predictable, designed to overcome
prevention measures, harder to deal with
• Include:
• Unauthorized physical access
• Information assets are generally located in restricted areas
• Can lead to other threats such as theft, vandalism or misuse
• Theft of equipment/data
• Eavesdropping and wiretapping fall into this category
• Insider or an outsider who has gained unauthorized access
• Vandalism of equipment/data
• Misuse of resources
Physical Security Prevention
and Mitigation Measures
• One prevention measure is the use of cloud computing
• Inappropriate temperature and humidity
• Environmental control equipment, power supply
• Fire and smoke
• Alarms, preventative measures, fire mitigation
• Smoke detectors, no smoking
• Water
• Manage lines, equipment location, cutoff sensors
• Other threats
• Appropriate technical counter-measures, limit dust entry, pest
control
 Uninterruptible
power supply
(UPS) for each
piece of critical
Mitigation
equipment
Measures

Critical
equipment
should be
Technical
connected to an
emergency
power source
Threats
(like a generator)

To deal with
electromagnetic
interference (EMI) a
combination of filters
and shielding can be
used
 Mitigation Measures
Human-Caused Physical
Threats
Physical access control
• Restrict building access
• Controlled areas patrolled or guarded
• Locks or screening measures at entry points
• Equip movable resources with a tracking device
• Power switch controlled by a security device
• Intruder sensors and alarms
• Surveillance systems that provide recording and real-time remote viewing
 Recovery from
Physical Security Breaches
Physical equipment
damage recovery
• Depends on nature of damage
Most essential element of and cleanup
recovery is redundancy • May need disaster recovery
• Provides for recovery from loss of specialists
data
• Ideally all important data should
be available off-site and updated as
often as feasible
• Can use batch encrypted remote
backup
• For critical situations a remote hot-
site that is ready to take over
operation instantly can be created
Physical and Logical Security
Integration
• Numerous detection and prevention devices
• More effective if there is a central control
• Integrate automated physical and logical
security functions
• Use a single ID card
• Single-step card enrollment and termination
• Central ID-management system
• Unified event monitoring and correlation

• Need standards in this area

• FIPS 201-1 “Personal Identity Verification (PIV) of Federal Employees and
Contractors”
PIV Card Issuance Access Control
and Management Authorization
PKI directory &
data
certificate status
responder Physical Access Control
Physical
I&A Authorization resource
Identity profiling

& maintenance
& registration

Card issuance

management
Key
Logical Access Control
Logical
I&A Authorization resource

Authorization
data
I&A = Identification and Authentication
Card reader
/writer LEGEND
Shapes
Direction of information flow
PIV card Processes

PIN input Components

device

Biometric Shading
reader PIV system subsystem

PIV Front end Related subsystem

Figure 16.2 FIPS 201 PIV System Model

 Contactless Physical access control Smartcard
smartcard reader system (PACS) server reader

Optional
biometric Certificate Vending, e-purse and
reader authority other applications

card enrollment PI V Optional

Smartcard and biometric
station system biometric middleware reader

Access
Camera control Smartcard
system reader
Card
printer

Optional
Smartcard biometric
programmer reader Human resources
database
Active directory

Other user directories

Figure 16.3 Convergence Example

Degrees of Security and Control
for Protected Areas (FM 3-19.30)
 Unr e st r ict e d
Cont r olle d
Lim it e d

Ex clusion
PKI CAK+ BI O– A

C
BI O
B
CH UI D + VI S CAK

( a ) Acce ss Cont r ol M ode l

CON TROLLED LI M I TED

AREA EXCLUSI ON
AREA AREA

Room housing
C
Fe nce d- in t r a de se cr e t s
a r e a cont a ining Building housing
a num be r of la b spa ce a nd ot he r
buildings B se nsit ive a r e a s

Fa cilit y se r vice s
HQ Adm in
Buildings
Visit or A
Re gist r a t ion

( b) Ex a m ple Use

Figur e 1 6 .4 Use of Aut he nt ica t ion

M e cha nism s for Physica l Acce ss Cont r ol