Physical Security


Physical security has to do with the implementation of countermeasures and actions taken in order to protect resources and assets such as people, buildings, and information from theft and environmental destruction.

This is the Age of the Internet. It seems that most security discussions, or “security hoopla,” focus on the protection of resources from cyber thieves and damaging programs on the Internet. All that is fine and dandy. However, direct internal access to a system or resource provides a major opportunity for someone with malicious intent to corrupt, steal, or damage your information easily. Physical security focuses on using physical barriers and devices to limit access to important resources to authorized personnel only.

Physical security also places emphasis on the protection of resources from damage that can be caused by such things as fire, electricity, water, earthquakes, and storms. Next, we will discuss the specific topics that CompTIA expects you to know regarding physical security.

Access Control

Throughout the first five chapters of this book, we have discussed controlling access to information such as files, folders, and system information. Physical security primarily places an emphasis on controlling access to sensitive physical areas.

One of the first things you need to consider when addressing access control is the development and implementation of a documented access control policy. Most businesses have employees who support external clients who visit the business. They also have maintenance and service personnel who periodically visit the main site and remote locations, and they receive deliveries. It is imperative that you have a procedure that identifies who has access to certain locations within a secured local or remote site. The procedure should contain instructions for such things as ID changes and verification if you use electronic pass systems.

The important need for an access control policy can be seen in the following example.

An electrical maintenance worker calls your building’s security guard or you and requests access to one of your remote locations for “routine maintenance.” You happen to have important server systems connected to your internal network at that location. What do you do? Does the security guard know what to do? The answer to this question, both in real life and on the real exam, is based on what’s in that little access control policy that you and your company have developed. In other words, you might have a digital pass system and ACL (Access Control List), a remote surveillance device, or biometric device that can be used to determine remotely whether the worker should be allowed or denied entry to the remote site.

Note 

It is likely that the exam will target the need for in-place procedures and controls regarding the physical accessibility to remote locations.
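
The call-in scenario above, as an added example that is not from the book: a default-deny check of a badge request against a site ACL, with every decision written to an audit log that can be reviewed afterwards. The badge IDs, site name, dates, and the rule that contractors need an approved work order are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class AclEntry:
    badge_id: str
    site: str
    days: frozenset          # allowed weekdays, Monday=0
    start: time
    end: time
    needs_work_order: bool   # assumption: contractors need an approved work order

# Constructed sample policy data (hypothetical badges, site and dates).
ACL = [
    AclEntry("EMP-1001", "remote-site-a", frozenset(range(7)), time(0, 0), time(23, 59), False),
    AclEntry("CTR-2040", "remote-site-a", frozenset(range(5)), time(8, 0), time(17, 0), True),
]
WORK_ORDERS = {("CTR-2040", "remote-site-a", "2003-06-12")}
AUDIT_LOG = []

def decide(badge_id, site, when, log=AUDIT_LOG, acl=ACL, work_orders=WORK_ORDERS):
    """Default-deny entry decision; every decision is appended to the audit log."""
    allowed, reason = False, "no ACL entry for this badge at this site"
    for entry in acl:
        if (entry.badge_id, entry.site) != (badge_id, site):
            continue
        in_window = when.weekday() in entry.days and entry.start <= when.time() <= entry.end
        has_order = (badge_id, site, when.date().isoformat()) in work_orders
        if not in_window:
            reason = "outside approved access window"
        elif entry.needs_work_order and not has_order:
            reason = "no approved work order for this date"
        else:
            allowed, reason = True, "matches ACL entry"
        break
    log.append({"time": when.isoformat(), "badge": badge_id, "site": site,
                "allowed": allowed, "reason": reason})
    return allowed, reason

def repeated_denials(log, threshold=2):
    """Detective review: (badge, site) pairs denied at least `threshold` times."""
    counts = {}
    for rec in log:
        if not rec["allowed"]:
            key = (rec["badge"], rec["site"])
            counts[key] = counts.get(key, 0) + 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ts in (datetime(2003, 6, 12, 10), datetime(2003, 6, 12, 22), datetime(2003, 6, 13, 10)):
        print(ts, decide("CTR-2040", "remote-site-a", ts))
    print(repeated_denials(AUDIT_LOG))
```

The guard's answer comes from the policy data rather than from the caller's story: a request with no matching entry, outside its window, or without a work order is denied and still leaves a log record.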

Next, we will discuss the physical barriers that are implemented typically to control access; we will also revisit biometric access controls.

Physical Barriers

A collective system of physical separators (barriers), exit and entry controls, alarms, and physical intrusion detection devices should be implemented to truly detect, deter, and delay unauthorized access or malicious intrusion to a secured area. In today’s world the combination of this type of separation and protection is not always feasible. Budget restraints, lack of personnel, and the idea that “nothing bad has ever happened to us before, so let’s spend the money on something else,” are usually the causes for weak physical security restraints.

The following are physical controls that are commonly implemented in order to place a barrier or form of protection between unauthorized personnel and sensitive locations or data:

  • Guards

  • Dogs

  • Gates and fences

  • Turnstiles

  • Mantraps

  • Biometric devices

  • Magnetic identification cards

  • Photo ID cards

Biometrics Revisited

As you might recall, biometrics were described in Chapter 2. For physical security study purposes and the fact that you will most likely encounter several questions relating to this topic on the real exam, here is a refresher.

Biometrics are human- or character-based authentication methods that allow or disallow real-time access to systems, resources, or physical locations based on physical characteristics or behaviors.

Biometric authentication devices usually require the person who desires access to a specific physical location or resource to be present at the time of authentication or identification. These devices also eliminate the need for remembering passwords or PINs. Biometric devices also eliminate the need for a physical pass, card, or token that can be lost easily or stolen.

Environment

The security threats from physical and environmental conditions can be limited by following proper standards, codes, and guidelines. It is important, when planning for a new site as well as an existing site, that the location be as secure as possible and that the proper measures are taken to protect an environment from fire, water, and electricity as well as forms of possible sabotage. There are many precautions that can be taken to reduce possible damage that can occur as a result of unfavorable environmental conditions. CompTIA expects you to know the following subtopics and the precautions associated with them.

Location

Determining a new site location for your company can play a major role in the overall success and security of a business. It is of utmost importance that you choose a site located in an area with favorable conditions. Some conditions that you should look for are as follows:

  • A site located in an area with a low crime rate.

  • Multiple access paths into and out of the site location.

  • A geographically stable site. For example, no fault lines, a low flood area, and no trash dumps.

  • Away from airline, railway, and major construction paths.

Ultimately, the amount of money your company budgets will determine your overall success rate for a new site location project. Sometimes, it is more cost effective to build a new site from the ground up than to move into a previously occupied site. If you are given the opportunity to construct a new site, here are some internal physical building and room specifications you will need to consider:

  • Secured doors should be resistant to forcible entry and should unlock automatically in the case of an emergency.

  • Ceilings should meet building fire codes. Avoid drop ceilings, if possible.

  • Walls should meet building fire codes. Rooms containing highly sensitive machinery and data should have their own power circuits, air conditioning support, and have a higher fire rating than rooms with general access.

  • Raised floors that meet fire ratings should be used for data and computer centers.

  • Fluorescent lighting is less expensive than traditional lighting and conserves energy. Use fluorescent lighting if possible.

  • All building air conditioning should be on separate dedicated power circuits.

  • A backup generator with the capability of supporting building power should be located in a secure area away from general access.

  • Certified professionals should install an internal sprinkler system.

Once all these physical characteristics are in place, responsibilities and procedures must be implemented in order to facilitate prompt and proper response to any emergency situation regarding these factors.

Shielding

Shielding important systems, media, electrical components, wiring, and secured areas from external and internal environmental threats should be a top priority in your security planning. It is very important that all critical media be stored in a secure, safe location. Magnetic tapes, disks, CDs, tokens, and important documents should be stored in a fireproof vault or safe if possible.

Electrical power panels, generators, and larger redundant power systems such as UPS backup units should be in sealed areas located away from general access.

All doors providing access to secured areas should have the ability to close airtight. The doors should be fireproof and include a fire sensor that automatically unlocks the doors if fire is detected or a power failure occurs.

Note 

For the exam, know that the doors, which have electronic auto-locking mechanisms, should be tested frequently for their ability to automatically unlock in case of fire or power failure.

Electrical and network cabling should not be exposed. If cables or wires are exposed currently, consider using a conduit or covering that meets wiring and building fire codes. Only allow certified electrical technicians to work with electric wires and circuitry in your building.

In Chapter 4, it was mentioned that fiber-optic cable is more secure than many other types of cabling media and is less susceptible to interference or crosstalk. If you can afford fiber-optic cabling, you should implement it for better network performance as well as its security benefits. Other types of cabling, such as CAT5, are not as secure and can be wiretapped easily. As far as coaxial cable, replace it if possible. It is highly susceptible to interference, it can be easily tapped, and its protective covering produces a poisonous gas if burned.

Fire Suppression

It is critical that you have the proper equipment and procedures in place to detect, prevent, suppress, and react to the physical security threat of fire. Fire and smoke detection alarm devices, sprinkler systems, and accessible handheld fire extinguishers are the best resources for fire detection and suppression.

There are various types and specifications associated with the devices just mentioned. The most important devices you need to be concerned with for the exam will be mentioned next. Keep in mind: the exam is likely to confront you with the proper suppression method that should be implemented in case of a fire. Only one of the choices will be valid; all others will contain inaccurate information. In simple terms, the exam will try to trick you here.

Fire Extinguishers

Handheld fire extinguishers should be placed in easy-to-reach locations throughout a facility. For the exam, be sure to know which type of fire extinguisher should be used for various types of fires.

You should be familiar with the four following types of handheld fire extinguishers:

  • APW (Air Pressurized Water): An APW fire extinguisher is a large, silver handheld extinguisher that is filled with a combination of air and water. It should never be used to put out a chemical or electrical fire. This is an older type of extinguisher that is used primarily to take the heat element away from a fire.

  • Dry Chemical (ABC and BC): These types of handheld extinguishers are very effective at putting out various types of fire. Dry Chemical extinguishers smother a fire with a phosphorous chemical that separates the oxygen and fuel within a fire. ABC type extinguishers can be used to put out chemical, electrical, or normal wood burning or paper fires. You can identify whether the extinguisher is an ABC or a BC extinguisher by the pictures and labels on the extinguisher itself. A word of caution: never use a BC extinguisher on a fire classified as A. Class BC fires are electrical and chemical only. Class A fires are normal paper/wood burning fires. Simply put, educate yourself on the types of extinguishers available at your facility. Chances are you have ABC type fire extinguishers proliferated around your building.

  • Carbon Dioxide (CO2): These types of extinguishers use carbon dioxide gas to remove or displace the oxygen in a burning fire. They can easily be identified by a hard black horn or spout used to spray the chemical. Carbon Dioxide handheld fire extinguishers are designed to put out BC type fires.

  • Halon: Halon extinguishers are filled with a gas instead of a chemical powder. This gas is more effective at putting out ABC type fires than an ABC type extinguisher. Besides providing better fire suppression than the previously mentioned extinguisher types, a Halon extinguisher will not ruin whatever you have just saved from fire destruction. The chemicals in an ABC type extinguisher will ruin electrical wires, computers, or anything else you use them on. Although Halon works well at putting out fires, Halon extinguishers are banned in many places. It has been scientifically proven that Halon gas depletes the ozone and is considered very dangerous to humans. A good substitute for Halon is FM-200. FM-200 is a widely accepted, chemically based, fire suppressor that extinguishes fire by cooling or removing the heat from the flames.

Sprinkler Systems

As stated earlier, your best weapons to combat fire within a building are fire extinguishers and sprinkler systems. As with the various types of handheld fire extinguishers, you should be familiar with the basic types of sprinklers and systems used to distribute water or Halon. This is an important issue because some types of systems will offer you the ability to turn a sprinkler system off if a fire is contained. Others will destroy your computers and other electronic devices as well as surrounding material. Sprinkler systems or pipe systems are classified into the following categories:

  • Wet pipes: Water always remains in the pipes that lead to the sprinkler head or nozzle in this type of system. This can be a great system to have in the event of a fire that you personally are not able to contain. If the system detects fire, water is quickly sprayed over the area. However, there is little you can do to shut off this type of system if the fire has been sensed but you happen to personally contain it. You will have put out the fire and the system will spray everything anyway.

  • Dry pipes: Water is held far back from the nozzle by a clapper valve with this closed sprinkler-head system. If the system detects fire, there remains significant time to shut down the system if you happen to put the fire out before water is needed.

  • Deluge: A deluge system also uses a valve to hold back water in the pipe. However, it uses an open sprinkler nozzle or head to rapidly distribute water.

  • Preaction: This is a closed-head system and is a combination of wet-pipe/dry-pipe technology. It uses a built-in alarm mechanism to warn before it distributes water. This type of sprinkler system is often found in and recommended for electronic data centers and computer rooms.

  • Gas Discharge system: This is a system that does not use water. Instead, it uses halon, carbon dioxide, or FM-200.

Physical Security Best Practices

In conclusion to our discussion on physical security, you should be aware of the following best practices:

  • Create a physical security policy: You need to implement and document security practices and procedures that are designed to meet the needs of your specific location and business. For example, if your business is located in a hurricane zone, you need proper instructions that educate employees on what to do in case of a hurricane. Your policy should also include rules for “who is allowed where” and proper instructions for handling disaster prevention devices. Your policy should also include federal, state, and local regulations as they pertain to the use of specific emergency related equipment and rules.

  • Control access to all important areas containing valuable assets: This includes server rooms, electronic rooms, and access to places where security devices, such as recording mechanisms and controls, are located or stored.

Also be aware of these best practices:

  • Use human guards to monitor and review access to secured areas.

  • Use combination keypads, magnetic proximity badges, and biometric devices to control access to secure locations.

  • Audit and log all access controls.

  • Test all security controls periodically to ensure they are in working order.

  • Educate all valid and authorized employees on the need-to-know physical security practices, policies, and procedures.

  • Use common sense.

Other Security Controls

There are several other types of operational security controls that you should be made aware of just in case the CompTIA exam decides to spring them on you. They are as follows:

  • Corrective controls: These types of controls are typically implemented after a weakness has been discovered or a problem occurs. For example, hardening or patching a Web server after a breach has occurred or a new threat has been discovered. Another example: implementing more restrictive file level permissions after a breach has occurred.

  • Detective controls: These controls are used to track or identify security breaches. Examples of detective controls are implementing, auditing, and reviewing log files, and monitoring suspicious activity.

  • Preventive controls: These types of controls are implemented as a means of preventing a security breach. Using NTFS file level permissions before confidential files have been viewed and implementing such things as antivirus protection and strong passwords are examples of preventive controls.

  • Recovery controls: These controls include having the ability to restore or rebuild a system and/or network environment after a disaster or security related incident has occurred. Example: a good backup system.






The Security+ Exam Guide (TestTaker's Guide Series)
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
EAN: 2147483647
Year: 2003
Pages: 136
