Chapter 3: Physical Security

At the end of the unit, the students should be able to:

 Discuss the relationship between information security and physical security
 Describe key physical security considerations, including fire control and surveillance systems
 Identify critical physical environment considerations for computing facilities, including
uninterruptible power supplies
INTRODUCTION

Physical security encompasses the design, implementation, and maintenance of countermeasures

that protect the physical resources of an organization, including the people, hardware, and supporting
system elements and resources that control information in all its states (transmission, storage, and
processing). Most technology-based controls can be circumvented if an attacker gains physical access
to the devices being controlled. In other words, if it is easy to steal the hard drives from a computer
system, then the information on those hard drives is not secure. Therefore, physical security is just as
important as logical security to an information security program.

Physical Access Control

 An organization’s general management oversees its physical security.
 Commonly a building’s access controls are operated by a group called facilities management.
 A secure facility is a physical location that has in place controls to minimize the risk of attacks
from physical threats.
 Larger organizations may have an entire staff dedicated to facilities management, while smaller
organizations often outsource these duties.

Physical Security
There are a number of physical security controls that an organization’s communities of interest should
consider when implementing physical security inside and outside the facility. Some of the major
controls are:

1. Walls, fencing, and gates

 Some of the oldest and most reliable elements of physical security are walls, fencing,
and gates.
 Each exterior perimeter control requires expert planning to ensure that it fulfills the
security goals and that it presents an image appropriate to the organization.
2. Guards
 Guards, on the other hand, can evaluate each situation as it arises and make reasoned
responses.
 Most guards have clear standard operating procedures (SOPs) that help them to act
decisively in unfamiliar situations.
3. Dogs
 Dogs can be a valuable part of physical security if they are integrated into the plan and
managed properly.
 Guard dogs are useful because their keen sense of smell and hearing can detect
intrusions that human guards cannot, and they can be placed in harm’s way when
necessary to avoid risking the life of a person.

4. ID cards and badges

 An identification (ID) card is typically concealed, whereas a name badge is visible.
 Both devices can serve a number of purposes.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
29
Chapter 3: Physical Security
i. They serve as simple forms of biometrics in that they use the cardholder’s
picture to authenticate his or her access to the facility
i. ID cards that have a magnetic strip or radio chip that can be read by
automated control devices allow an organization to restrict access to sensitive
areas within the facility.
5. Locks and keys
 There are two types of lock mechanisms: mechanical and electromechanical.
i. The mechanical lock may rely on a key that is a carefully shaped piece of
metal, which is rotated to turn tumblers that release secured loops of steel,
aluminum, or brass
ii. Electromechanical locks can
accept a variety of inputs as
keys, including magnetic strips
on ID cards, radio signals from
name badges, personal
identification numbers (PINs)
typed into a keypad, or some
combination of these to activate
an electrically powered locking
mechanism.
 Electronic locks can be integrated into
alarm systems and combined with other
building management systems.
 The most sophisticated locks are
biometric locks. Finger, palm, and
hand readers, iris and retina scanners,
and voice and signature readers fall into
this category.
Figure 4.1 Locks

6. Mantraps
 A common enhancement for locks in high security areas is the mantrap.
 A mantrap is a small enclosure that has separate entry and exit points.
7. Electronic monitoring
 Electronic monitoring includes closed-circuit television (CCT) systems.
 CCT systems collect constant video feeds, while others rotate input from a number of
cameras, sampling each area in turn.
8. Alarms and alarm systems
 Closely related to monitoring are the alarm systems that notify people or systems when
a predetermined event or activity occurs.
 Alarms can detect a physical intrusion or other untoward event.
 Motion detectors detect movement within a confined space and are either active or
passive.
 Thermal detectors measure rates of change in the ambient temperature in the room.
 Contact and weight sensors work when two contacts are connected as, for example,
when a foot steps on a pressure sensitive pad under a rug, or a window is opened,
triggering a pin-and-spring sensor.
 Vibration sensors also fall into this category, except that they detect movement of the
sensor rather than movement in the environment.
9. Computer rooms and wiring closets
 Computer rooms and wiring and communications closets require special attention to
ensure the confidentiality, integrity, and availability of information.
 Custodians are given the greatest degree of unsupervised access.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
30
Chapter 3: Physical Security
 They are often handed the master keys to the entire building and then ignored, even
though they collect paper from every office, dust many desks, and move large
containers from every area.
 Thus, custodial staffs should be carefully managed not only by the organization’s
general management, but also by IT management.
10. Interior walls and doors
 The walls in a facility are typically of two types: standard interior and firewall.
 Building codes require that each floor have a number of firewalls, or walls that limit the
spread of damage should a fire break out in an office.
 Interior walls reach only part way to the next floor, which leaves a space above the
ceiling but below the floor of the next level up and this space is called a plenum.
 The doors that allow access into high-security rooms should also be evaluated.
 Standard office-grade doors provide little or no security.
 To secure doors, install push or crash bars on computer rooms and closets.

FIRE SECURITY AND SAFETY

The most important security concern is the safety of the people present in an organization’s
physical space—workers, customers, clients, and others. The most serious threat to that safety is fire.
Fires account for more property damage, personal injury, and death than any other threat to physical
security. As a result, it is imperative that physical security plans examine and implement strong
measures to detect and respond to fires and fire hazards.
FIRE DETECTION
Fire detection systems fall into two general categories: manual and automatic.
1. Manual fire detection systems include human responses, such as calling the fire department,
as well as manually activated alarms, such as sprinklers and gaseous systems.
2. The automatic fire-detection system, like any other asset, has a lifespan of 10 to 15 years.
After 15 years, it is no longer considered reliable, and there may not be parts available for its
repair.

Three basic types of fire detection systems:

1. Thermal detection systems contain a sophisticated heat sensor that operates in one of two
ways.
a. Fixed temperature sensors detect when the ambient temperature in an area reaches a
predetermined level, usually between 135 degrees Fahrenheit and 165 degrees
Fahrenheit, or 57 degrees Centigrade to 74 degrees Centigrade.
a. Rate-of-rise sensors detect an unusually rapid increase in the area temperature within
a relatively short period of time.
2. Smoke detection systems are perhaps the most common means of detecting a potentially
dangerous fire, and they are required by building codes in most residential dwellings and
commercial buildings.
a. Photoelectric sensors project and detect an infrared beam across an area.
a. Ionization sensors contain a small amount of a harmless radioactive material within a
detection chamber
a. Air-aspirating detectors are sophisticated systems and are used in high sensitivity
areas.

3. The flame detector is a sensor that detects the infrared or ultraviolet light produced by an open
flame.

How Fire-Detection Systems Work:

“The field of fire detection has advanced to where smoke detectors and alarm devices have combined
to become life-safety systems”

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
31
Chapter 3: Physical Security
 Fire is one of the most dangerous events possible; somewhere in the world, one occurs every
minute of every day. While fire can be our friend in some instances, it can be our worst
enemy when it’s uncontrolled and allowed to continue through a building.
 The field of fire detection has advanced to where smoke detectors and alarm devices have
combined to become life-safety systems. The purpose of an automatic fire-alarm system is to
detect an occurrence, alert the control panel and proper authorities, and notify the occupants to
take action.
Current Fire-Detection Systems
 The fire-detection system today consists of an FACP (fire alarm control panel) – this is the
system’s brain, and it’s capable of making rapid decisions. Detection devices run the gamut,
from smoke detectors and heat detectors to multi-capability detectors, which contain a number
of functions in one detector.

Extra Functions

Your fire-detection system can also:

 Discharge clean agent fire-suppression systems in computer rooms or clean rooms.
 Activate deluge fire systems in aircraft hangers or similarly dangerous areas.
 Open a dry pipe sprinkler system for a pre-action suppression system.
 Be used for notification of other events, such as severe weather, terrorism, bomb threats,
hazardous chemical incidents, evacuation, etc.
 Monitor carbon-monoxide detectors.

*Keep in mind that there are a number of specialized detection devices designed to increase life safety
and reduce the potential for unwanted or nuisance alarms. There are also qualified professionals who
can provide valuable assistance in reviewing the circumstances of your operation and provide
guidance and recommendations for your needs.

FIRE SUPPRESSION
 Fire Suppression are used to extinguish or prevent the spread of fire in a building.
Suppression systems use a combination of dry chemicals and/or wet agents to suppress
equipment fires.
 Fire suppression systems work by releasing a gas or mixture of gasses into the air, generally
with the aim of reducing the amount of oxygen in the air that feeds the flames. The clean
agent, such as CO2, is often stored a distance away from the area it will be protecting.

Types of Fire Suppression:

• Fire Sprinkler System (Wet ,Dry ,Pre-action and deluge) - is an active fire protection method,
consisting of a water supply system, providing adequate pressure and flow rate to a water
distribution piping system, onto which fire sprinklers are connected.
• Gaseous fire suppression - also called clean agent fire suppression, is a term to describe the
use of inert gases and chemical agents to extinguish a fire. The system typically consists of the
agent, agent storage containers, agent release valves, fire detectors, fire detection system
(wiring control panel, actuation signaling), agent delivery piping, and agent dispersion nozzles.
• Wet chemicals fire suppression - Wet Chemical Systems use wet agents to suppress
commercial cooking fires. This method of fire protection helps prevent major fire damage from
happening in your commercial cooking area. The wet chemical fire suppression systems
effectively work because the liquid spray hits a burning surface and quickly reacts with fats and
oils to produce foam that cools the surface to prevent the re-igniting of a fire.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
32
Chapter 3: Physical Security
• Dry chemical fire suppression - Dry Chemical Fire Suppression Systems consist of dry
chemical compounds that suppress fire effectively because they are easy to install in any
industrial setting. The Dry Chemical Fire Suppression Systems provide excellent fire coverage.
The Dry Chemical agents come in ABC or BC. You must recharge them after every operation.
These fire suppression systems are affordable and great to use when a water supply is not
available to help extinguish fires.
• Fully Automatic Vehicle Fire Suppression Systems - Automatic fire suppression
systems control and extinguish fires without human intervention. Examples of automatic
systems include fire sprinkler system, gaseous fire suppression, and condensed
aerosol fire suppression.
• Manual Vehicle Fire Suppression Systems - using FORAY dry chemical agent for Class A,
B, and C fires. The system is designed for use on large, off-road type construction and mining
equipment, underground mining equipment and specialty vehicles.

Which Gas is used for Fire Suppression?

• This system uses Inert gases - such as nitrogen, argon, and carbon dioxide—to reduce the
oxygen level around the fire and suppress it in the process. The concentration of gasses
used in Inergen systems is safe to use around people.
How much is the Fire Suppression?
• The average costs for a fire sprinkler system are as follows: A
complete fire sprinkler system integrated into a new construction project costs about $1 – 2 per
square foot. This includes equipment and installation. Retrofitting an existing building
usually costs between $2 – 7 per square foot.
What is the differences between Fire Extinguisher and Fire Suppression?
The main differences between a fire sprinkler and fire suppression systems are how they
extinguish fires and when each system would be ideal to use. Fire sprinklers use water to extinguish
and control fires, while fire suppression systems can use a number of different agents.
The Main types of Fire suppression:
 Gas System
 Kitchen Fire Suppression
 Water Mist System
 Foam Deluge System
 Pneumatic Heat Detection Tube
FAILURE OF SUPPORTING UTILITIES AND STRUCTURAL COLLAPSE
HEATING VENTILATION AND AIR CONDITIONING
 Heating, ventilation, and air conditioning (HVAC) is the technology of indoor and vehicular
environmental comfort. Its goal is to provide thermal comfort and acceptable indoor air quality.
HVAC system design is a sub discipline of mechanical engineering, based on the principles
of thermodynamics, fluid mechanics and heat transfer. "Refrigeration" is sometimes added to
the field's abbreviation, as HVAC&R or HVACR or "ventilation" is dropped, as in HACR (as in
the designation of HACR-rated circuit breakers).
1. Temperature and Filtration
 Computer systems are electronic, and as such are subject to damage from extreme
temperature and particulate contamination.
 Rapid changes in temperature, from hot to cold or from cold to hot, can produce
condensation, which can create short circuits or otherwise damage systems and
components.
 The optimal temperature for a computing environment (and for people) is between 70
and 74 degrees Fahrenheit.
2. Humidity and Static Electricity
IASEC 2-Information Assurance and Security 2
Leary John H. Tambagahan, LPT
Instructor
33
Chapter 3: Physical Security
 Humidity is an important thing to understand because it affects both weather and climate
as well as global climate change. Humidity also affects indoor environments, so
understanding it can help you determine the best place to store your books, clothing and
other important items in your house.
Relative Humidity
 You've probably heard about relative humidity in weather reports. This is the amount of
water vapor in the air relative to what the air can hold. Think about it this way: if you
have a cup that is half-full of water, the cup contains 50% of what it can hold. Air works
the same way.
Dew Point
 Dew is when water condenses at ground level because the air is saturated. Just like the
water spills over the side of the full cup, when air is saturated, the excess water 'spills
over' and builds up on leaves, cars, buildings or anything else that is surrounded by the
saturated air. Therefore, the temperature at which saturation occurs is called the dew
point.

3. Ventilation shafts
 In fact, with moderate security precautions, these shafts can be completely eliminated as a
security vulnerability. In most new buildings, the ducts to the individual rooms are no larger
than 12 inches in diameter and are flexible, insulated tubes.
 In most new buildings, the ducts to the individual rooms are no larger than 12 inches in
diameter and are flexible, insulated tubes. The size and nature of the ducts precludes most
people from using them, but access may be possible via the plenum. If the ducts are much
larger, the security team can install wire mesh grids at various points to compartmentalize the
runs.

POWER MANAGEMENT AND CONDITIONING

1. Grounding and Amperage
 Grounding ensures that the returning flow of current is properly discharged to the
ground.
 Power should also be provided in sufficient amperage to support needed operations.
 Nothing is more frustrating than plugging in a series of computers, only to have the
circuit breaker trip.
2. Uninterruptible Power Supply (UPS)
 An uninterruptible power supply or uninterruptible power source (UPS) is an
electrical apparatus that provides emergency power to a load when the input power
source or main power fails
 A standby or offline UPS is an offline battery backup that detects the interruption of
power to the equipment and activates a transfer switch that provides power from
batteries, through a DC to AC converter, until the power is restored or the computer is
shut down.
 A ferroresonant standby UPS improves upon the standby UPS design. It is still an
offline UPS, with the electrical service providing the primary source of power and the
UPS serving as a battery backup.
 The line-interactive UPS has a substantially different design than the previously
mentioned UPS models. In line-interactive UPSs, the internal components of the
standby models are replaced with a pair of inverters and converters.
 In a true online UPS, the primary power source is the battery, and the power feed from
the utility is constantly recharging this battery. This model allows constant use of the
system, while completely eliminating power fluctuation.
3. Emergency Shutoff

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
34
Chapter 3: Physical Security
 One important aspect of power management in any environment is the ability to stop
power immediately should the current represent a risk to human or machine safety.
 Most computer rooms and wiring closets are equipped with an emergency power
shutoff, which is usually a large red button that is prominently placed to facilitate
access, and has a cover to prevent unintentional use.
4. Water Problems
 Another critical utility infrastructure element is water service.
 Flooding, leaks, and the presence of water in areas where it should not be is
catastrophic to paper and electronic storage of information.
5. Structural Collapse
 Unavoidable environmental factors or forces of nature can cause failures in the
structures that house the organization.
 Structures are designed and constructed with specific load limits, and overloading these
design limits inevitably results in structural failure.
6. Maintenance of Facility System
 Ongoing maintenance of systems is required as part of the systems’ operations.
 Testing provides information necessary to improve the physical security in the facility
and identifies weak points.

INTERCEPTION OF DATA
Three methods of data interception
1. Direct observation, requires that an individual be close enough to the information to breach
confidentiality.
2. Interception of data transmissions, has become easier in the age of the internet. If attackers
can access the media transmitting the data, they needn’t be anywhere near the source of the
information
3. Electromagnetic interception, sounds like it could be from a Star Trek episode. For decades,
scientists have known that electricity moving through cables emits electromagnetic signals
(EM).

MOBILE AND PORTABLE SYSTEM

Remote Computing System
 Remote site computing, which is becoming increasingly popular, involves a wide variety of
computing sites that are distant from the base organizational facility and includes all forms of
telecommuting.
 Telecommuting is off site computing that uses Internet connections, dialup connections,
connections over leased point-to-point links between offices, and other connection
mechanisms.
 A virtual organization is a group of individuals brought together for a specific task, usually
from different organizations, divisions, or departments.

Special Considerations for Physical Security

 There are a number of special considerations to take into account when developing a physical
security program. The first of these is the question of whether to handle physical security in-
house or to outsource it.
 The benefits of outsourcing physical security include gaining the experience and knowledge of
these agencies, many of which have been in the field for decades.
Five considerations for physical Security
 Identify your physical weak points and determine your need
 The first thing you need to do is figure out where your vulnerabilities are. For example,
it is never a good idea to build a data centre against outside walls, similarly pay
attention to what is housed above and below your data storage facility.
IASEC 2-Information Assurance and Security 2
Leary John H. Tambagahan, LPT
Instructor
35
Chapter 3: Physical Security
 Keep track of all your workflow processes
 It is critical that you keep track of your operations and compliance-related activities. You
want to limit access to your data storage centre to IT staff and organizational
stakeholders. As such, you should regularly monitor your access logs and perform audit
checks.
 Keep track of peripherals, servers and data center management software, looking for
any suspicious activity. If your data center is in a colocation facility, and you have a
trusted provider, most likely your assets are safe and well-maintained.
 Watch out for human error
 The most common form of data breach is that committed by insiders. It is now
recognized that danger comes in the form of poor engineering, carelessness, or
corporate espionage, but in all cases, people working in your facility pose the biggest
risk. Accordingly, it is necessary that you implement strong security policies that hold
personnel accountable for their access permissions.
4. Educate your people on security policies
 A big part of having a strong security system is staff member training e.g. explaining to
staff why they should not lend each other access cards and instructing them to report
any suspicious activity.
 Let them understand that for compliance purposes, workflow processes are strictly
segregated and monitored. Eliminating duplication of means that you are able to adhere
to compliance standards with greater ease.
5. Ask your business stakeholders for their feedback
 Once you have a security system fully in place, the next thing for you to do is discuss
your policies with staff members.
 Inventory management
1. The management of computer inventory is an important part of physical security.
2. The formality of having to sign for a document cements its worth in the mind of the
recipient.

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
36
Chapter 3: Physical Security

ACTIVITIES

Activity 1. Review Questions

1. What is physical security? What are the primary threats to physical security? How are they
made manifest in attacks against the organization?
2. What are the roles of IT, security, and general management with regard to physical security?
3. How does physical access control differ from the logical access control described in earlier
chapters? How is it similar?

Activity 2.
Assume that you have converted part of an area of general office space into a server room.
Describe the factors you would consider when planning for each of the following:
a. Walls and doors
b. Physical access control
c. Fire detection
d. Fire suppression
e. Heating, ventilating, and air-conditioning
f. Power quality and distribution

Case Exercises
Amy walked into her office cubicle and sat down. The entire episode with the blond man had
taken well over two hours of her day. Plus, the police officers had told her the district attorney would
also be calling to make an appointment to speak to her, which meant she would have to spend even
more time dealing with this incident. She hoped her manager would understand.

Questions:
1. Based on this case study, what security awareness and training documents and posters had
an impact in this event?
2. Do you think that Amy should have done anything differently? What would you have done in
the situation in which she found herself?

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
37
Chapter 3: Physical Security

Activity 1
1. What is physical security? What are the primary threats to physical security? How are they
made manifest in attacks against the organization?

2. What are the roles of IT, security, and general management with regard to physical security?

3. How does physical access control differ from the logical access control described in earlier
chapters? How is it similar?

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
38
Chapter 3: Physical Security

Activity 2.
Assume that you have converted part of an area of general office space into a server room. Describe
the factors you would consider when planning for each of the following:
a. Walls and doors

b. Physical access control

c. Fire detection

d. Fire suppression

e. Heating, ventilating, and air-conditioning

f. Power quality and distribution

1. There are several online passphrase generators available. Locate at least two of them on the
Internet, and try them out. What did you observe?

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
39
Chapter 3: Physical Security

Case Exercises
Questions:

1. Based on this case study, what security awareness and training documents and posters had
an impact in this event?

2. Do you think that Amy should have done anything differently? What would you have done in
the situation in which she found herself?

IASEC 2-Information Assurance and Security 2

Leary John H. Tambagahan, LPT
Instructor
40