CISSP Study Notes

 


Physical Security Domain

 

Chris Hare (chare@nortelnetworks.com)

Nortel Networks

 

March 1999

 

This simple study booklet is based directly on the ISC2 CBK document. 

 

This guide does not replace in any way the outstanding value of the CISSP Seminar and the fact that you must have been involved in the security field for at least a few years if you intend to take the CISSP exam.  This booklet simply intends to make your life easier and to provide you with a centralized resource for this particular domain of expertise.

 

 

WARNING:

As with any security related topic, this is a living document that will and must evolve as other people read it and technology evolves.  Please feel free to send me comments or input to be added to this document.  Any comments, typo corrections, etc. are most welcome and can be sent directly to:  chare@nortelnetworks.com

 

This is NOT a Nortel Networks sponsored document, nor is it to be intended as a representation of Nortel Networks operating practices.

 


DISTRIBUTION AGREEMENT:

This document may be freely read, stored, reproduced, disseminated, translated or quoted by any means and on any medium provided the following conditions are met:

 

·        Every reader or user of this document acknowledges that he is aware that no guarantee is given regarding its contents, on any account, and specifically concerning veracity, accuracy and fitness for any purpose.  Do not blame me if some of the exam questions are not covered or the correct answer is different from the content of this document.  Remember: look for the most correct answer; this document is based on the seminar content, standards, books, and wherever possible the source of information will be mentioned.

 

·        No modification is made other than cosmetic, change of representation format, translation, correction of obvious syntactic errors.

 

·        Comments and other additions may be inserted, provided they clearly appear as such.  Comments and additions must be dated and their author(s) identifiable.  Please forward your comments for insertion into the original document.

 

·        Redistributing this document to a third party requires simultaneous redistribution of this licence, without modification, and in particular without any further condition or restriction, expressed or implied, related or not to this redistribution. In particular, in case of inclusion in a database or collection, the owner or the manager of the database or the collection renounces any right related to this inclusion and concerning the possible uses of the document after extraction from the database or the collection, whether alone or in relation with other documents.

 

 


 

CBK  - Physical Security

Description

The Physical Security domain addresses the threats, vulnerabilities, and countermeasures which can be utilized to physically protect an enterprise's resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize.

 

Expected Knowledge

 

The professional should fully understand:

 

·        Threats, Vulnerabilities, and Countermeasures related to physically protecting the enterprise's sensitive information assets

 

·        The risk to people, facilities, data, media, equipment, support systems, and supplies as the risk applies to Computer Physical Security

 

The CISSP can meet the expectations defined above by understanding such Physical Security topics and Methodologies as:

 

·        Facility Requirements

·        Restricted Areas/Work Areas

·        Escort Requirements/Visitor Control

·        Fences, Gates, Turnstiles, Mantraps

·        Security Guards/Dogs

·        Badging

·        Keys and Combination Locks

·        Lighting

·        Site Selection, Facility Design, and Configuration

·        Motion Detectors, Sensors, and Alarms

·        CCTV

·        Technical Controls

·        Smart/Dumb Cards

·        Audit Trails/Access Logs

·        Intrusion Detection

·        Biometric Access Controls

·        Environment/Life Safety

·        Power and HVAC Considerations

·        Water Leakage and Flooding

·        Fire Detection and Suppression

·        Natural Disasters

 

Examples of Knowledgeability

 

Define Physical Security Threats

Define and describe the Elements of Physical Security

Define and Describe Elements of IS Processing Center Security

Identify Facility Management & Planning Requirements for IT/IS

Identify and Define Pertinent Personnel Access Controls

 

References

[ISC991] (ISC)2 CISSP Week 1 Review Material


 

Knowledge Areas

Define Physical Security Threats

From [ISC991], Section 3 page 2, the physical security threats are:

·        Fire

·        Water (Rising/Falling)

·        Earth Movement (earthquakes, slides, volcanoes)

·        Storms (wind, rain, snow, sleet, ice)

·        Sabotage/Vandalism

·        Explosion

·        Building Collapse

·        Toxic Materials

·        Utility loss (Power, heating, cooling, air, water)

·        Communications Loss (voice, data)

·        Equipment Failure

·        Personnel Loss (strikes, illness, access, transport)

Define and describe the Elements of Physical Security

From [ISC991], Section 3 page 2, the physical security elements are:

·        Threat prevention, detection and suppression

·        Fire (Sprinklers, halon, extinguishers)

·        Water (Leakage and flooding)

·        Detection control

·        Electrical (UPS and generators)

·        Public, Private and Restricted Areas (Perimeter Security, Prevention, Detection)

·        Environmental (Location, HVAC)

Define and Describe Elements of IS Processing Center Security

I think this one and the next are the same.

Identify Facility Management & Planning Requirements for IT/IS

From [ISC991], Section 3 page 6:

·        Floor Slab

The floor must be capable of a live load of 150 lbs/sq.foot with a good fire rating (flame spread rating <= 25).

·        Raised Flooring

The construction of the raised flooring must be grounded in order to reduce the likelihood of static discharges, and also in the event of an electrical failure, any current sent through the floor frame will be appropriately grounded.  The surface of the floor must be of a nonconductive type to prevent electrical injuries.

·        Walls

The walls must be a floor to ceiling slab (i.e. deck to deck) with a 1 hour minimum fire rating.  Any adjacent walls where records such as paper, media etc. are stored must have a two-hour minimum fire rating.

·        Ceiling

The ceiling must have the same fire rating as the walls and be waterproof to prevent water leakage from above. Since it is part of the floor above, it must have an appropriate live load rate for the materials being stored above.

·        Windows

When installing either exterior or interior windows, the glass must be fixed in place, e.g. the window cannot open.  It must be shatterproof (Lexan is good for this) and translucent.

·        Doors

The doors should be designed appropriately.  Since most doorways open out to facilitate easy escape in an emergency, this places the door hinges outside the door frame.  Appropriate care must be taken to protect the door hardware.  The door frame must be constructed to prevent the frame from being forced to open the door.

The fire rating must be equal to the walls where the door is placed, and have emergency egress hardware (panic bars, etc.) as appropriate.  The lock mechanism on the door should fail open in the event of an emergency in order to facilitate escape.  If the lock must fail closed, then a firefighter’s key or some other emergency access must be available.

·        Other

Water, steam, and gas lines that run through the facility must have appropriate shut off valves.  The EPO for the electrical system must be located near the exit doors to facilitate power shutoff when exiting during an emergency.

·        Air Conditioning

The AC units for the area must be dedicated to it, and controllable from within the area.  It must be on an independent power source from the rest of the room, and have its own EPO.  The AC unit must keep positive pressure in the room, in order to force smoke and other gases out of the room.  The air intakes must be protected to prevent tampering.  Finally, the area must be monitored for environmental conditions to maintain the correct environment.

 

 

Identify and Define Pertinent Personnel Access Controls

From [ISC991], Section 3 page 4:

The candidate should have several items determined about him or her prior to their acceptance into the company.  These items include:

·        Pre-employment

·        An employment history (provided by applicant)

·        An education history (provided by applicant)

·        Reference Checks

·        Post-Employment

·        (as a condition of employment, promotion or transfer )

·        Background investigation

·        Credit checks

·        Security clearances

·        Ratings/supervision

In addition to the administrative controls identified above, the following physical controls should be implemented within the organization: (I have stuck in relevant info that we wouldn’t normally know.)

·        Access Control Categories

·        Universal Code/Card

·        May exist as a magnetic card stripe, magnetic dot, embedded wire or proximity access.

·        Group Coding

·        Personal Identification Systems

·        User Activated Proximity Systems

·        Wireless keypad

The user identifies themselves by depressing a series of keys on the keypad.  The coded representation of the keys is then transmitted to a remote control device.  (This type of device is prone to shoulder surfing, allowing someone else to see the code that is entered.)

·        Preset Code

The code is present in the device itself.  A single button system, like a garage door opener would be capable of transmitting a single representation.  Multiple button units store multiple codes.

·        System Sensing

Using this technology, the bearer has no action to take except to walk by a card reader.  The card reader senses the card and takes the appropriate action.  Some systems require a battery, while the RF field of the reader energizes other systems.

·        Passive devices

These systems contain no battery.  They sense the electromagnetic field of the reader, and retransmit using different frequencies through tuned circuits in the portable device.

·        Field Powered Devices

These units contain active electronic circuits, code storage electronics, a digital sequencer, RF transmitter and a power supply.  The power supply extracts power from the electromagnetic field supplied by the reader.

·        Transponders

These are fully portable two-way radio sets combining a radio transceiver, code storage, control logic and a battery.  The reader transmits and the portable unit receives the interrogating signal.  When received, the portable unit responds by transmitting the coded data to the reader.

·        Facility

·        Fences and Gates

·        Turnstiles

·        Mantraps

·        Guards

·        Identification

·        Photo Identification

Clearly identifies what the wearer looks like.  However, people often do change their appearances.

·        Magnetic ID cards

·        Biometric Systems

There are varieties of measurements available to distinguish between people.  These include

·        Voice prints

·        Finger prints

·        Hand geometry

·        Blood vein patterns (wrist/hand/eye)

·        Retina scan

·        Iris scan

·        Keystroke recorders

·        Signature readers

All of these systems have issues with accuracy.  Accuracy is measured through two metrics:

·        false reject rate – percentage of authorized persons rejected as unidentified/unauthorized;

·        failure to acquire – meaning that the biometric unit couldn’t get enough information to decide;

·        false accept rate – percentage of imposters who are permitted entry.

·        The Crossover error rate, or CER, is that point where the percentage of false acceptances and false rejects is equal.

Biometric systems are measured through speed and throughput.  The standard is 5 seconds from authentication request by the user to the decision from the biometric system.  This translates into a throughput speed of 6-10 per minute.  Biometrics have not gained wide acceptance by users and organizations except in high security areas.  This has mainly to do with the cost associated with implementation.

Biometrics have gained acceptance as they are resistant to counterfeiting and generally reliable.  However, there can be significant storage requirements to store the physical characteristics. Often people don’t want to have elements of their physical being stored electronically due to the nature of the information and that some of the available metrics are viewed as generally intrusive.

System Type          Enrollment Time   Response Time   Accuracy (CER)

Fingerprints         < 2 min.          5-7 sec.        5%

Hand Geometry        < 2 min.          3-5 sec.        2%

Voice Pattern        < 2 min.          10-14 sec.      10%

Retina Scan          < 2 min.          4-7 sec.        1.5%

Iris Scan            < 2 min.          2.5-4 sec.      0.5%

Signature Dynamics   < 2 min.          5-10 sec.       Unknown

 

From looking at the table above, the biometric with the lowest CER is the most accurate.  This is the Iris scan.  Notice that palm scanning is not on the list, as it is not assertive enough in its recognition.
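
Added example (not part of the original notes or of [ISC991]): how the false reject rate, false accept rate and CER described above come out of a single decision threshold on match scores.  The score lists, the "accept if score >= threshold" convention and the function names are assumptions made for illustration.

```python
# Constructed match scores, not measurements from any real biometric device.
# Higher score = closer match to the enrolled template.
GENUINE = [0.91, 0.84, 0.77, 0.69, 0.88, 0.58, 0.95, 0.73, 0.81, 0.64]   # authorized persons
IMPOSTOR = [0.22, 0.35, 0.48, 0.61, 0.30, 0.71, 0.15, 0.43, 0.55, 0.27]  # imposters


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) in percent; a sample is accepted if score >= threshold."""
    frr = 100.0 * sum(s < threshold for s in genuine) / len(genuine)
    far = 100.0 * sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep thresholds 0.00..1.00 and return (threshold, CER) where FRR and FAR meet.

    With finite samples the two curves may never be exactly equal, so the
    threshold with the smallest |FRR - FAR| is used and CER is their mean.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.50, 0.62, 0.75):
        frr, far = rates(t)
        print(f"threshold {t:.2f}: FRR {frr:4.1f}%  FAR {far:4.1f}%")
    t, cer = crossover()
    print(f"crossover at threshold {t:.2f}, CER {cer:.1f}%")
```

Moving the threshold away from the crossover trades one error for the other: a stricter setting admits fewer imposters but rejects more authorized persons, which is why CER is used to compare systems rather than either rate alone.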

·        CCTV

Other Access control issues that need to be remembered are:

·        Access control points

All entryways must be protected and able to handle visitors, delivery services and other unusual situations.  In addition, internal entryways into sensitive areas should also be protected.

·        Procedures

The access control procedures need to be able to address employees, employees from other company sites, employees who forget their ID, contractors, visitors (including logs and temporary ID), service and maintenance personnel.