Physical Security Threats

Threats to physical security come in many forms, including natural disasters, emergency situations, and man-made threats. All possible threats must be identified in order to perform a complete and thorough risk analysis and develop an appropriate and effective control strategy. Some of the more common threats to physical security include

Fire: Threats from fire can be potentially devastating and lethal. Proper precautions, preparation, and training not only help limit the spread of fire and damage, but more important, can also save lives. Saving human lives is the first priority in any life-threatening situation. Other hazards associated with fires include smoke, explosions, building collapse, release of toxic materials or vapors, and water damage.

For a fire to burn, it requires three elements: heat, oxygen, and fuel. These three elements are sometimes referred to as the fire triangle. (See Figure 13-1.) Fire suppression and extinguishing systems fight fires by removing one of these three elements or by temporarily breaking up the chemical reaction between these three elements (separating the fire triangle). Fires are classified according to the fuel type, as listed in Table 13-1.

Table 13-1 Fire Classes and Suppression/Extinguishing Methods

Class	Description (Fuel)	Extinguishing Method
A	Common combustibles, such as paper, wood, furniture, and clothing	Water or soda acid
B	Burnable fuels, such as gasoline or oil	CO2, soda acid, or Halon (We discuss these methods in the section “Suppression systems,” later in this chapter.)
C	Electrical fires, such as computers or electronics	CO2 or Halon (Note: The most important step to fight a fire in this class: Turn off electricity first!)
D	Special fires, such as chemical or grease fires	May require total immersion or other special techniques

Saving human lives is the first priority in any life-threatening situation.

You must be able to describe Class A, B, and C fires and their primary extinguishing methods. Class D is less common, and the CISSP exam doesn’t ask about it.

Water: Water damage (and damage from liquids, in general) can occur from many different sources, including pipe breakage, firefighting efforts, leaking roofs, spilled drinks, flooding, and tsunamis. Wet computers and other electrical equipment pose a potentially lethal hazard.

Vibration and movement: Causes may include earthquakes, landslides, and explosions. Equipment may also be damaged by sudden or severe vibrations, falling objects, or equipment racks tipping over. More seriously, vibrations or movement may weaken structural integrity, causing a building to collapse.

Severe weather: Includes hurricanes, tornadoes, high winds, severe thunderstorms and lightning, rain, snow, sleet, and ice. Such forces of nature may cause fires, water damage and flooding, structural damage, loss of communications and utilities, and personnel hazards.

Electricity: Sensitive equipment can be damaged or affected by various electrical hazards and anomalies, including

• Electrostatic discharge (ESD): The ideal humidity range for computer equipment is 40 to 60 percent. Higher humidity causes condensation and corrosion. Lower humidity increases the potential for ESD (static electricity). A static charge of as little as 40V (volts) can damage sensitive circuits, and 2,000V can cause a system shutdown. The minimum discharge that can be felt by humans is 3,000V, and electrostatic discharges of over 25,000V are possible — so if you can feel it, it’s a problem for your equipment!

The ideal humidity range for computer equipment is 40 to 60 percent.

• Electrical noise: Includes Electromagnetic Interference (EMI) and Radio Frequency Interference (RFI). EMI is generated by the different charges between the three electrical wires (hot, neutral, and ground) and can be common-mode noise (caused by hot and ground) or traverse-mode noise (caused by a difference in power between the hot and neutral wires). RFI is caused by electrical components, such as fluorescent lighting and electric cables. A transient is a momentary line-noise disturbance.

• Electrical anomalies: These anomalies include the ones listed in Table 13-2.

Table 13-2 Electrical Anomalies

Electrical Event	Definition
Blackout	Total loss of power
Fault	Momentary loss of power
Brownout	Prolonged drop in voltage
Sag	Short drop in voltage
Inrush	Initial power rush
Spike	Momentary rush of power
Surge	Prolonged rush of power

You may want to come up with some meaningless mnemonic for the list in Table 13-2, such as “Bob Frequently Buys Shoes In Shoe Stores,” because you need to know these terms for the CISSP exam.

• Lightning strikes: Approximately 10,000 fires are started every year by lightning strikes in the United States alone, despite the fact that only 20 percent of all lightning ever reaches the ground. Lightning can heat the air in immediate contact with the stroke to 54,000° Fahrenheit (F), which translates to 30,000° Celsius (C), and lightning can discharge 100,000 amperes of electrical current. Now that’s an inrush!

It’s not the volts that kill — it’s the amps!

• Magnetic fields: Monitors and storage media can be permanently damaged or erased by magnetic fields.

Sabotage/terrorism/war/theft/vandalism: Both internal and external threats must be considered. A heightened security posture is also prudent during certain other disruptive situations — including labor disputes, corporate downsizing, hostile terminations, bad publicity, demonstrations/protests, and civil unrest.

Equipment failure: Equipment failures are inevitable. Maintenance and support agreements, ready spare parts, and redundant systems can mitigate the effects.

Loss of communications and utilities: Including voice and data; electricity; and heating, ventilation, and air conditioning (HVAC). Loss of communications and utilities may happen because of any of the factors discussed in the preceding bullets, as well as human errors and mistakes.

Personnel loss: Can happen because of illness, injury, death, transfer, labor disputes, resignations, and terminations. The negative effects of a personnel loss can be mitigated through good security practices, such as documented procedures, job rotations, cross-training, and redundant functions. (See Chapters 6 and 10 for complete discussions of these practices.)