Physical and operations security controls

Security controls that pertain to physical and operations security are predominantly found in the authentication and authorization processes. Unauthorized intrusions are a common threat in this domain. The following sections describe some of the common security threats, vulnerabilities, and countermeasures in this domain.

Threats, vulnerabilities, and countermeasures for physical and operations security

We have seen the concept of threats and vulnerabilities in various security domains in the earlier chapters. Though the threats are predominantly common across most of the security domains, the vulnerabilities they could exploit will vary, and the countermeasures are generally unique. Some of the threats and vulnerabilities that could exploit the infrastructure (infrastructure includes IT infrastructure as well) and its associated components are listed here.

Common threats

Some of the common threats to the physical environment are as follows:

  • Theft
  • Heat and temperature
  • Humidity
  • Organic materials and chemicals that are in gaseous or liquid form
  • Organisms such as microbes
  • Missiles or bombs that are used as projectiles
  • Natural calamities such as earthquakes, floods, and so on
  • Electrical power disruptions, including electromagnetic interference

Common vulnerabilities

Vulnerabilities that the preceding threats could exploit include, but are not limited to, the following:

  • Lack of physical entry controls and accountability
  • Lack of fire extinguishers or improper maintenance
  • Improper or poor cabling
  • Inappropriate chemicals used in the fire extinguishers for the protection of a particular type of asset
  • Inappropriate storage of magnetic media
  • Weak access controls and intrusion detection systems
  • No backup or business continuity plans
  • Lack of power control systems

A deeper understanding of these threats and vulnerabilities is essential to do a thorough risk assessment. It is also important to understand the relevant specifications pertaining to equipment, as well as physical security standards, while designing countermeasures.

Designing physical and operations security controls

Security controls and monitoring processes for physical and operations areas can be subdivided into two main sections. One is related to a perimeter that is external to boundaries, and the other pertains to an interior or operational area. In both these sections, the following core controls need to be considered:

  • Preventative controls: These are designed to prevent a security event. For example, having a high-rise wall will be a control to prevent intrusion.

    Note

    A security event is an undesirable activity that could affect the Confidentiality, Integrity, or Availability of an information asset.

    The following are some of the examples that are preventive physical controls:

    • A high-rise wall
    • Fences
    • Locks
  • Detective controls: These controls are designed to detect an event before it could damage the facilities. The following are some of the examples that are detective physical controls:
    • Fire alarm
    • Intrusion detection systems such as motion and heat sensors
    • Surveillance monitors such as CCTV
  • Reactive controls: These controls are designed to react in a timely manner to a security event, for example, armed response to an intrusion. The following are some of the examples that are reactive physical controls:
    • Armed responses
    • Mantrap systems
  • Deterrent controls: These controls are designed to act as a deterrent against an attempt to breach the security; for example, guards and dogs. The following are some of the examples that are deterrent physical controls:
    • Guards
    • Dogs
    • Lighting

Perimeter security

Perimeter security relates to the security considerations pertaining to the boundaries. In other words, securing the entry and exit points of the facility, networks, and so on, will fall under perimeter security.

In the physical and operations security domain, the following controls are applicable to perimeter security:

  • Guards are a form of security control used to prevent, detect, deter, and react to an intrusion event. They also act as a physical access control to the facility. Their ability to adapt to situations is a major plus to this type of security. The disadvantages are related to their availability in hostile environments that do not support human intervention, reliability, and cost.
  • Dogs are a type of security control used to prevent, detect, deter, and react to an intrusion event. Their ability to act where judgment is necessary is, however, limited.
  • Fencing is an access control for perimeter security. High-rise walls, gates, mantraps, and turnstiles are some examples of fencing. The following are some of the height requirements pertaining to fencing:
    • 3' to 4' high deters casual trespassers
    • 6' to 7' high is too hard to climb easily
    • 8' high with 3 strands of barbed wire deters most of the intruders

Note

A turnstile is a type of fencing that will allow only one person to pass through it at a time and is also called a baffle gate. Similarly, a type of vertical post called a bollard is used as a control to protect the facility from vehicle intrusions.

  • Locks are a preventative access control for perimeter security. Preset locks have preset internal mechanisms, whereas programmable locks have dials that can be programmed to contain digits, letters, or a combination of both.
  • Lighting is a deterrent control. The purpose of lighting is to discourage intruders as well as detect suspicious movements. NIST standards specify an illumination of 2 feet wide and 8 feet high for critical areas.
  • Closed circuit televisions (CCTV) are used to monitor live movements as well as provide an audit trail during incident review. Heat sensors are also used to monitor the facilities for detecting live movements.
  • Access control devices such as access cards control physical access to the facility.

Note

Access cards can be categorized as photo cards, digitally encoded cards, and wireless cards. When an access card combines physical and logical access control and contains embedded integrated circuits that can process information, it is called a smart card.

  • Biometric devices use physical characteristics of a person to identify them and provide access to the facility. Examples include fingerprint scanners, retina scanners, and more.

Interior security

Interior security refers to the security considerations pertaining to the facilities that are inside the perimeter. This will include equipment inside the data center and personnel working in such facilities.

Among the most important aspects of interior security are the threats posed by unauthorized intrusions, fire, electrical power, and Heating, Ventilation, and Air-conditioning (HVAC).

Unauthorized intrusions

Intrusions to the interior are controlled by motion detectors, mantraps, and more. Motion detectors are used in interior security to detect suspicious movements. They raise an alarm based on the type of motion detection technique used.

Mantrap systems are designed to stop and trap an intruder in between two entrances. Based on the physical access control mechanisms, a mantrap gets activated on detection of suspicious movement either automatically or manually.

Motion detectors

A wave pattern motion detector generates an alarm when the wave pattern is disturbed. There are three types of sensors used in wave pattern motion detectors: passive infrared, ultrasonic, and microwave sensors.

When an electric field is used around an object being monitored and the field gets charged to raise an alarm, then it is called a capacitance-based motion detector.

Audio detectors are a type of motion detector that passively listens for abnormal sounds to detect motion.

Fire

Fire is a threat that could damage physical assets such as computers, networks, and the data center.

Fire spreads through combustible materials. While fire extinguishers or suppression agents are used to contain the rapid spread of fire, a professional has to be cautious about the type of extinguishing material used.

Fire classes

For fire to catch and spread, a combustible material is required. Based on the type of combustible material, fire is classified into four classes.

The National Fire Protection Association (NFPA) provides the following specifications pertaining to the fire classes based on the type of the combustible material; it also classifies them based on suppression mediums:

  • Class A combustible materials are wood, paper, cloth, and rubber. Most plastics also fall into this class.
  • Class B combustible materials are oils, greases, oil-based paints, lacquers, and flammable liquids and gases.
  • Class C is predominantly electrical equipment that is energized.
  • Class D refers to flammable chemicals, such as magnesium and sodium.

Fire detectors

Fire detectors are controls for detecting and responding to heat, flames, or smoke. Depending upon the type of detection, they can be classified as heat, flame, or smoke sensors.

Fire suppression mediums

Fire suppression is critical to protect lives, operational systems, and the data center. Using a suitable or applicable fire suppression medium is important if you want to have effective protection:

  • Water, soda acid, CO2, and Halon are some of the fire suppression mediums
  • Portable fire extinguishers predominantly use Carbon Dioxide (CO2) or soda acid
  • Halon is a suppressing medium that is no longer allowed to be used, as it is designated as an ozone depleting substance

Water sprinklers

Fire extinguishers use either water sprinklers or gas dischargers to suppress fire.

Water sprinklers are of four types. They are Wet pipe, Dry pipe, Deluge, and Preaction:

  • Wet pipe sprinkling systems always contain water and the valve opens when the heat rises above 165°F
  • In Dry pipe sprinkling systems, water flows from the outer valve when the heat rises above the threshold level
  • Deluge sprinkler systems are used to discharge large volumes of water
  • Preaction combines wet as well as dry pipe systems such that the water flow is controlled

Gas dischargers

Gas discharge systems use CO2 or Halon instead of water and are usually used under the raised floor of the data centers. However, CO2 can be used only in an unattended data center as it will have a harmful effect on humans.

Electrical power

Clean electrical power is a requirement for proper equipment functioning. If the power is not clean, then it will result in spoiling or damaging the equipment. This may lead to the malfunctioning of devices, leading to unavailability and the corruption of data.

The following are some of the most important terms that are related to electrical power that could affect equipment:

  • When the power fluctuates due to interference, the effect is called noise.
  • When there is a charge difference between neutral, hot, and ground electrical wires, it results in Electromagnetic Interference (EMI). This interference is caused by electromagnetic waves.
  • Radio Frequency Interference (RFI) is caused by radio waves generated by electrical system components such as cables, fluorescent lights, and so on.

The following definitions related to electrical power are ones that a candidate should be thoroughly familiar with:

  • When there is a momentary power loss, it is called a Fault
  • If the power loss is complete, then it is called a Blackout
  • When there is a momentary low voltage, it is called a Sag
  • When the voltage is low for a prolonged period of time, it is called a Brownout
  • When the voltage is temporarily high, then it is called a Spike
  • If the voltage is high for a prolonged period of time, then it is called a Surge
  • When the incoming power at the beginning is high, then it is called an Inrush
  • When there is a steady interference, it is called Noise
  • When the interference is of short duration, it is called a Transient
  • When the power is non-fluctuating, then it is called Clean
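
The duration-based terms above can be applied to a voltage log, as in this added example (not from the book): it splits a series of readings into runs and names each abnormal run as a Fault, Blackout, Sag, Brownout, Spike, or Surge. The nominal voltage, the tolerance band, the one-second boundary between momentary and prolonged, the reading of a Blackout as a loss that outlasts that boundary, and the sample readings are all assumptions made for illustration.

```python
from itertools import groupby

# Assumptions for illustration; the text gives no numeric thresholds.
NOMINAL_V = 120.0    # nominal supply voltage
TOLERANCE = 0.10     # readings within +/-10% of nominal count as normal
MOMENTARY_S = 1.0    # runs no longer than this count as "momentary"
LOSS_V = 1.0         # readings below this count as power loss

# state -> (momentary term, prolonged term), using the terms defined above
TERMS = {
    "loss": ("Fault", "Blackout"),
    "low": ("Sag", "Brownout"),
    "high": ("Spike", "Surge"),
}

def state(volts):
    """Map one reading to loss, low, high, or ok."""
    if volts < LOSS_V:
        return "loss"
    if volts < NOMINAL_V * (1 - TOLERANCE):
        return "low"
    if volts > NOMINAL_V * (1 + TOLERANCE):
        return "high"
    return "ok"

def classify_events(samples, interval_s):
    """Return (start_s, duration_s, term) for each abnormal run of readings
    taken every interval_s seconds."""
    events, index = [], 0
    for st, run in groupby(samples, key=state):
        length = len(list(run))
        if st != "ok":
            duration = length * interval_s
            momentary, prolonged = TERMS[st]
            term = momentary if duration <= MOMENTARY_S else prolonged
            events.append((index * interval_s, duration, term))
        index += length
    return events

# Constructed sample: one reading every 0.5 s.
SAMPLE = [120, 121, 95, 95, 119, 0, 120, 150, 120, 140, 140, 140, 140, 120,
          100, 100, 100, 100, 100, 100, 120, 0, 0, 0, 0, 120]

if __name__ == "__main__":
    for start, duration, term in classify_events(SAMPLE, 0.5):
        print(f"t={start:5.1f}s  {duration:4.1f}s  {term}")
```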

Humidity is the percentage of water vapor present in the air. For proper functioning of the computer systems, the humidity levels should be between 40 and 60 percent. If the humidity is low, then due to dryness, static electricity would set in. If the humidity is high, then due to wetness, some of the components would rust.
