Physical (Environmental) Security Controls

Physical (environmental) security controls include a combination of physical access controls, technical controls, environmental and life safety controls, fire detection and suppression, and administrative controls.

Physical access controls

Physical access controls consist of the systems and techniques used to restrict access to a security perimeter and provide boundary protection, including fencing, security guards, dogs, locks, storage areas, security badges, and biometric access controls.

Fencing

Fencing is the primary means for securing an outside perimeter or external boundary and an important element of physical security that the CISSP candidate must know for the exam. Fencing provides physical access control and includes fences, gates, turnstiles, and mantraps. The main disadvantages of fencing are cost and appearance. General height requirements for fencing are listed in Table 13-3.

Table 13-3 General Fencing Height Requirements

Height                                    General Effect
3–4 ft (1m)                               Deters casual trespassers
6–7 ft (2m)                               Too high to climb easily
8 ft (2.4m) + three-strand barbed wire    Deters more determined intruders

Mantraps

A mantrap is a method of physical access control that consists of a double set of locked doors or turnstiles. The mantrap may be guarded or monitored, and it may require a different level of access to pass through each door or to pass in a different direction (for example, exit may be permitted at all times, but entry after normal business hours is restricted to only certain people). In more advanced systems, the mantrap may have a weight-sensing floor to prevent more than one person from passing through at the same time.

Security guards

Throughout history, guards have provided physical security for many different situations and environments. You might think that modern surveillance equipment, biometric access controls, and intrusion detection systems (IDSs) would have diminished the role of security guards, but these tools have actually increased the need for skilled physical-security personnel who are capable of operating advanced technology and applying discerning judgment. The major advantages of security guards include

- Discernment: Guards can apply human judgment to different situations.

- Visibility: Guards provide a visible deterrent, response, and control capability.

- Multiple functions: Guards can also perform reception and visitor escort functions.

Some disadvantages include

- Unpredictability: Pre-employment screening and bonding don’t necessarily assure reliability or integrity.

- Imperfections: Along with human judgment comes the element of human error.

- Cost: Maintaining a full-time security force (including training) or outsourcing these functions can be very expensive.

Instant answer: The main advantage of security guards is their ability to use human judgment when responding to different situations.

Guard dogs

Like human guards, dogs also provide a highly visible deterrent, response, and control capability. Additionally, guard dogs are typically more loyal and reliable than humans, with more acute sensory abilities (smell and hearing). However, the use of guard dogs is typically restricted to an outside security perimeter. Other considerations include

- Limited judgment capability

- Cost and maintenance

- Potential liability issues

Locks

Doors, windows, and other access points into secure or sensitive areas need to be protected. One of the simplest ways to accomplish this protection is by using a lock. The three basic types of locks are

- Preset: Basic mechanical locks that consist of latches, cylinders, and deadbolts; each requires a particular key to open it.

- Programmable: Mechanical (such as dial combination or five-key pushbutton) or electronic (cipher lock or keypad). Shoulder surfing, a social-engineering technique commonly used against these types of locks, involves casually observing an authorized individual entering an access code.

- Electronic: These locks utilize an electronic key (similar to the fancy keys found on expensive cars) that functions like both a hybrid smart card (covered in the section “Security badges,” later in this chapter) and a physical key.

Storage areas

Storage areas that contain spare equipment and parts, consumables, and deliveries should be locked and controlled to help prevent theft. Additionally, you should be aware of any hazardous materials being stored in such areas, as well as any environmental factors or restrictions that may affect the contents of the storage area.

Security badges

Security badges (or access cards) are used for identification and authentication of authorized personnel entering a secure facility or area.

A photo identification card (also referred to as a dumb card) is a simple ID card that has a facial photograph of the bearer. Typically, no technology is embedded in these cards for authentication purposes, so a security guard determines whether to allow the bearer to enter.

Smart cards are digitally encoded cards that contain an integrated chip (IC) or magnetic stripe (possibly in addition to a photo). Various types of smart cards include

- Magnetic stripe: The most basic type of smart card. Information is encoded in a magnetic stripe. Common examples include credit cards and automatic teller machine (ATM) cards.

- Optical-coded: Similar to, but more reliable than, a magnetic stripe card. Information is encoded in a laser-burned lattice of digital dots. These types of smart cards are becoming more common on U.S. state driver’s licenses.

- Smart card: Contains printed electrical contacts on the card surface. Electric circuit smart cards are true smart cards in that they do more than just identify the user and carry limited personal information; they actually contain information that permits the user to perform a job function and are commonly used for logical access control to computer systems.

- Proximity card: Doesn’t require the bearer to physically insert the card into the reader. Instead, the reader senses the card in the general area and takes the appropriate action. The three common types of system-sensing proximity cards are

  - Passive: These cards don’t contain any sort of electrical power supply (such as a battery). They use the electromagnetic field transmitted by the reader to transmit access information (identification).

  - Field-powered: These devices contain active electronics, an RF transmitter, and power supply on the card.

  - Transponders: Both the card and reader contain a transceiver, control logic, and battery. The reader transmits an interrogating signal (challenge), causing the card to transmit an access code (response).

Although more common in technical access controls, smart cards can also provide two-factor authentication in physical access control systems by requiring the user to enter a personal identification number (PIN) or password, or by incorporating an authentication token or other challenge-response mechanism.

Cross-reference: See Chapter 4 for a complete description of the different types of access controls. Smart cards, and their associated access control systems, can be programmed to permit multilevel access, restrict access to certain periods (days and times), and log access information.

Warning: Smart card is used as a general term to describe any security badge or access card that has built-in identification and authentication features, such as embedded technology. This may be as simple as a magnetic stripe on an ID card that’s swiped through a card reader. However, in the Access Control domain, a smart card refers to a very specific, highly specialized type of access card: A magnetic stripe doesn’t qualify.

Biometric access controls

Biometrics provide the only absolute method for positively identifying an individual based on some unique physiological or behavioral characteristic of that individual (something you are). We discuss biometrics extensively in Chapter 4. Although biometrics in the Physical (Environmental) Security domain refers to physical access control devices (rather than logical access control devices, as in the Access Control domain), the underlying concepts and technologies are the same. The major biometric systems in use today include

- Finger scan

- Hand geometry

- Retina pattern

- Iris pattern

- Voice recognition

- Signature dynamics

The accuracy of a biometric system is normally stated as a percentage, in the following terms:

- False Reject Rate (FRR) or Type I error: Authorized users who are incorrectly denied access

- False Accept Rate (FAR) or Type II error: Unauthorized users who are incorrectly granted access

- Crossover Error Rate (CER): The point at which the FRR equals the FAR
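The three accuracy terms above, worked through as an added example (not from the book): the script sweeps a match-score threshold over constructed sample scores, computes FRR and FAR at each setting, and reports the threshold where they cross. The score values and the 0-100 scale are assumptions made for illustration.

```python
"""Added example: FRR, FAR and the crossover error rate for a biometric matcher."""

# Constructed match scores (0-100, higher = closer match); not real device data.
GENUINE_SCORES = [62, 71, 74, 78, 80, 83, 85, 88, 91, 95]   # authorized users
IMPOSTOR_SCORES = [20, 28, 33, 41, 45, 52, 58, 64, 70, 76]  # unauthorized users


def frr(threshold, genuine=GENUINE_SCORES):
    """False Reject Rate (Type I): authorized attempts scoring below the threshold."""
    return sum(score < threshold for score in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Accept Rate (Type II): unauthorized attempts at or above the threshold."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES,
              thresholds=range(0, 101)):
    """Return (threshold, frr, far) at the first point where |FRR - FAR| is smallest.

    With finite samples the two rates may never be exactly equal, so the
    closest point is reported instead of requiring strict equality.
    """
    best = None
    for t in thresholds:
        reject, accept = frr(t, genuine), far(t, impostor)
        gap = abs(reject - accept)
        if best is None or gap < best[0]:
            best = (gap, t, reject, accept)
    _, t, reject, accept = best
    return t, reject, accept


if __name__ == "__main__":
    # A low threshold favors convenience (low FRR, high FAR);
    # a high threshold favors security (high FRR, low FAR).
    for t in (60, 65, 71, 75, 80):
        print(f"threshold={t:3d}  FRR={frr(t):.0%}  FAR={far(t):.0%}")
    t, reject, accept = crossover()
    print(f"crossover at threshold {t}: FRR={reject:.0%}, FAR={accept:.0%}")
```

A lower CER indicates a more accurate system overall; the operating threshold is then moved off the crossover toward lower FAR or lower FRR depending on what the protected area can tolerate.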

Technical controls

Technical controls include monitoring and surveillance, intrusion detection systems (IDSs), and alarms that alert personnel to physical security threats and allow them to respond appropriately.

Surveillance

Visual surveillance systems include photographic and electronic equipment that provides detective and deterrent controls. When used to monitor or record live events, they’re a detective control. The visible use of these systems also provides a deterrent control.

Electronic systems such as closed-circuit television (CCTV) can extend and improve the monitoring and surveillance capability of security guards. Photographic systems, including recording equipment, record events for later analysis or as evidence for disciplinary action and prosecution.

Intrusion detection

Intrusion detection in the physical security domain refers to systems that detect attempts to gain unauthorized physical access to a building or area. Modern intrusion detection systems (IDSs) commonly use the following types of sensors:

- Photoelectric sensors: A grid of visible or infrared light is projected over the protected area. If a beam of light within the grid is disturbed, an alarm sounds.

- Dry contact switches and metallic tape: These systems are inexpensive and commonly used along a perimeter or boundary on door and window frames. For example, if the circuit switch is opened or the metallic tape broken, an alarm sounds.

- Motion detectors: Three categories of motion detectors are

  - Wave pattern: Generates a low-frequency, ultrasonic, or microwave field over a protected area up to 10,000 square feet (3,000 square meters). Any motion changes the frequency of the reflected wave pattern, causing an alarm to sound.

  - Capacitance: Monitors an electrical field for changes in electrical capacitance caused by motion. This type of motion detector is typically used for spot protection within a few inches of a protected object.

  - Audio: A passive system (meaning it doesn’t generate a wave pattern or electrical field) triggered by any abnormal sound. This type of device generates a lot of false alarms and should be used only in areas that have low ambient noise.

Warning: Don’t confuse intrusion detection systems (IDSs) used to detect physical intruders in the Physical (Environmental) Security domain with network-based and host-based intrusion detection systems (IDSs) (discussed in Chapters 5 and 10) used to detect cyber-intruders.

Alarms

Alarms are activated when a certain condition is detected. Examples of systems employing alarms include fire and smoke detectors, motion sensors and intrusion detection systems (IDSs), metal and explosives detectors, access control systems (physical and logical), detectors geared towards certain environmental conditions (standing water, for instance), and climate-control monitoring systems.

Alarm systems should have separate circuitry and a backup power source. Line supervision, comprising technology and processes used to detect attempts to tamper with or disable an alarm system, should also be implemented.

The five general types of alarm systems are

- Local systems: An audible alarm sounds on the local premises. These systems require a local response capability, meaning someone must call the police/fire department and/or respond directly.

- Central station systems: Operated and monitored by private security organizations connected directly to the protected site via leased or dial-up lines.

- Proprietary systems: Similar to central station systems, but operated and monitored directly on the premises.

- Auxiliary station systems: These systems — which require prior authorization — use local municipal police or fire circuits to transmit an alarm to the appropriate police or fire headquarters. These systems are typically used in conjunction with one of the systems discussed in the preceding bullets (particularly central station systems) to improve response capabilities.

- Remote station systems: These systems are similar to auxiliary station systems, except they don’t use police and fire circuits, and also don’t necessarily send the alarm to a police or fire department. An automatic dial-up fire alarm that dials a local police or fire department and plays a prerecorded message is an example of a remote station system.

Environmental and life safety controls

These controls are necessary for maintaining a safe and acceptable operating environment for computers and personnel. These controls include electrical power, HVAC, smoke detection, and fire detection and suppression.

Electrical power

General considerations for electrical power include having one or more dedicated feeders from one or more utility substations or power grids, as well as ensuring that adequate physical access controls are implemented for electrical distribution panels and circuit breakers. An Emergency Power Off (EPO) switch should be installed near major systems and exit doors to shut down power in case of fire or electrical shock. Additionally, a backup power source should be established, such as a diesel or natural-gas power generator. Backup power should only be provided for critical facilities and systems, including emergency lighting, fire detection and suppression, mainframes and servers (and certain workstations), HVAC, physical access control systems, and telecommunications equipment.

Warning: Although natural gas can be a cleaner alternative than diesel for backup power, in terms of air and noise pollution, it’s generally not acceptable for emergency life systems (such as emergency lighting and fire protection systems) because the fuel source (natural gas) can’t be locally stored, so the system relies instead on an external fuel source that must be supplied by pipelines.

Protective controls for electrostatic discharge (ESD), discussed in the earlier section “Physical Security Threats,” include

- Maintain proper humidity levels (40 to 60 percent).

- Ensure proper grounding.

- Use anti-static flooring, anti-static carpeting, and floor mats.

Protective controls for electrical noise include

- Install power line conditioners.

- Ensure proper grounding.

- Use shielded cabling.

Using an Uninterruptible Power Supply (UPS) is perhaps the most important protection against electrical anomalies. A UPS provides clean power to sensitive systems and a temporary power source during electrical outages (blackouts, brownouts, and sags); this power supply must be sufficient to properly shut down the protected systems. Note: A UPS shouldn’t be used as a backup power source. A UPS — even a building UPS — is designed to provide temporary power, typically for 5 to 30 minutes, in order to give a backup generator time to start up or to allow a controlled and proper shutdown of protected systems.

Warning: Surge protectors and surge suppressors provide only minimal protection for sensitive computer systems, and they’re more commonly (and dangerously) used to overload an electrical outlet or as a daisy-chained extension cord. The protective circuitry in most of these units costs less than one dollar (compare the cost of a low-end surge protector with that of a 6-foot extension cord), and you get what you pay for — these glorified extension cords provide only minimal spike protection. True, a surge protector does provide more protection than nothing at all, but don’t be lured into complacency by these units — check them regularly for proper use and operation, and don’t accept them as a viable alternative to a UPS.

HVAC

Heating, ventilation, and air conditioning (HVAC) systems maintain the proper environment for computers and personnel. HVAC-requirements planning involves complex calculations based on numerous factors, including the average BTUs (British Thermal Units) produced by the estimated computers and personnel occupying a given area, the size of the room, insulation characteristics, and ventilation systems.

The ideal temperature range for computer equipment is between 50 and 80°F (10 and 26°C). At temperatures as low as 100°F (38°C), magnetic storage media can be damaged.

Instant answer: The ideal temperature range for computer equipment is between 50 and 80°F (10 and 26°C).

The ideal humidity range for computer equipment is between 40 and 60 percent. Higher humidity causes condensation and corrosion. Lower humidity increases the potential for ESD (static electricity).

Doors and side panels on computer equipment racks should be kept closed (and locked, as a form of physical access control) to ensure proper airflow for cooling and ventilation. When possible, empty spaces in equipment racks (such as a half-filled rack or gaps between installed equipment) should be covered with blanking panels to reduce hot and cold air mixing between the hot side (typically the power-supply side of the equipment) and the cold side (typically the front of the equipment); such mixing of hot and cold air can reduce the efficiency of cooling systems.

Heating and cooling systems should be properly maintained, and air filters should be cleaned regularly to reduce dust contamination and fire hazards.

Most gas-discharge fire suppression systems automatically shut down HVAC systems prior to discharging, but a separate Emergency Power Off (EPO) switch should be installed near exits to facilitate a manual shutdown in an emergency.

Ideally, HVAC equipment should be dedicated, controlled, and monitored. If the systems aren’t dedicated or independently controlled, proper liaison with the building manager is necessary to ensure that everyone knows who to call when there are problems. Monitoring systems should alert the appropriate personnel when operating thresholds are exceeded.

Fire detection and suppression

Fire detection and suppression systems are some of the most essential life safety controls for protecting facilities, equipment, and (most important) human lives.

Detection systems

The three main types of fire detection systems are

- Heat-sensing: These devices sense either temperatures exceeding a predetermined level (fixed-temperature detectors) or rapidly rising temperatures (rate-of-rise detectors). Fixed-temperature detectors are more common and exhibit a lower false-alarm rate than rate-of-rise detectors.

- Flame-sensing: These devices sense either the flicker (or pulsing) of flames or the infrared energy of a flame. These systems are relatively expensive but provide an extremely rapid response time.

- Smoke-sensing: These devices detect smoke, one of the by-products of fire. The four types of smoke detectors are

  - Photoelectric: Sense variations in light intensity

  - Beam: Similar to photoelectric; sense when smoke interrupts beams of light

  - Ionization: Detect disturbances in the normal ionization current of radioactive materials

  - Aspirating: Draw air into a sampling chamber to detect minute amounts of smoke

Instant answer: The three main types of fire detection systems are heat-sensing, flame-sensing, and smoke-sensing.

Suppression systems

The two primary types of fire suppression systems are

- Water sprinkler systems: Water extinguishes fire by removing the heat element from the fire triangle, and it’s most effective against Class A fires. Water is the primary fire-extinguishing agent for all business environments. Although water can potentially damage equipment, it’s one of the most effective, inexpensive, readily available, and least harmful (to humans) extinguishing agents available. The four variations of water sprinkler systems are

  - Wet-pipe (or closed-head): Most commonly used and considered the most reliable. Pipes are always charged with water and ready for activation. Typically, a fusible link in the nozzle melts or ruptures, opening a gate valve that releases the water flow. Disadvantages include flooding because of nozzle or pipe failure and because of frozen pipes in cold weather.

  - Dry-pipe: No standing water in the pipes. At activation, a clapper valve opens, air is blown out of the pipe, and water flows. This type of system is less efficient than the wet pipe system but reduces the risk of accidental flooding; the time delay provides an opportunity to shut down computer systems (or remove power), if conditions permit.

  - Deluge: Operates similarly to a dry-pipe system but is designed to deliver large volumes of water quickly. Deluge systems are typically not used for computer-equipment areas.

  - Preaction: Combines wet- and dry-pipe systems. Pipes are initially dry. When a heat sensor is triggered, the pipes are charged with water, and an alarm is activated. Water isn’t actually discharged until a fusible link melts (as in wet-pipe systems). This system is recommended for computer-equipment areas because it reduces the risk of accidental discharge by permitting manual intervention.

Instant answer: The four main types of water sprinkler systems are wet-pipe, dry-pipe, deluge, and preaction.

- Gas discharge systems: Gas discharge systems may be portable (such as a CO2 extinguisher) or fixed (beneath a raised floor). These systems are typically classified according to the extinguishing agent that’s employed. These agents include

  - Carbon dioxide (CO2): CO2 is a commonly used colorless, odorless gas that extinguishes fire by removing the oxygen element from the fire triangle. (Refer to Figure 13-1.) CO2 is most effective against Class B and C fires. Because it removes oxygen, its use is potentially lethal and therefore best suited for unmanned areas or with a delay action (that includes manual override) in manned areas.

    CO2 is also used in portable fire extinguishers, which should be located near all exits and within 50 feet (15 meters) of any electrical equipment. All portable fire extinguishers (CO2, water, and soda acid) should be clearly marked (listing the extinguisher type and the fire classes it can be used for) and periodically inspected. Additionally, all personnel should receive training in the proper use of fire extinguishers.

  - Soda acid: Includes a variety of chemical compounds that extinguish fires by removing the fuel element (suppressing the flammable components of the fuel) of the fire triangle. (Refer to Figure 13-1.) Soda acid is most effective against Class A and B fires. It is not used for Class C fires because of the highly corrosive nature of many of the chemicals used.

  - Gas-discharge: Gas-discharge systems suppress fire by separating the elements of the fire triangle (a chemical reaction); they are most effective against Class B and C fires. (Refer to Figure 13-1.) Inert gases don’t damage computer equipment, don’t leave liquid or solid residue, mix thoroughly with the air, and spread extremely quickly. However, these gases in concentrations higher than 10 percent are harmful if inhaled, and some types degrade into toxic chemicals (hydrogen fluoride, hydrogen bromide, and bromine) when used on fires that burn at temperatures above 900°F (482°C).

Halon used to be the gas of choice in gas-discharge fire suppression systems. However, because of Halon’s ozone-depleting characteristics, the Montreal Protocol of 1987 prohibited the further production and installation of Halon systems (beginning in 1994) and encouraged the replacement of existing systems. Acceptable replacements for Halon include FM-200 (most effective), CEA-410 or CEA-308, NAF-S-III, FE-13, Argon or Argonite, and Inergen.

Instant answer: Halon is an ozone-depleting substance. Acceptable replacements include FM-200, CEA-410 or CEA-308, NAF-S-III, FE-13, Argon or Argonite, and Inergen.

Administrative controls

These controls include the policies and procedures necessary to ensure that physical access controls, technical controls, and environmental and life safety controls are properly implemented and achieve an overall physical security strategy.

Restricted areas

Areas in which sensitive information is handled or processed should be formally designated as restricted areas, with additional security controls implemented. Restricted areas should be clearly marked, and all employees should know the difference between authorized and unauthorized personnel — specifically, how to detect whether someone on the premises is authorized.

Visitors

Visitor policies and escort requirements should be clearly defined in the organizational security policy. Any visitor should be required to present proper identification to a security guard or receptionist, sign a visitor log, complete a nondisclosure agreement (when appropriate), and wear a conspicuous badge that both identifies him or her as a visitor and clearly indicates whether an escort is required (often done with color-coded badges). If an escort is required, the assigned escort should be identified by name and held responsible for the visitor at all times while that visitor is on the premises.

Personnel Privacy

Organizations need to clearly define their privacy policy for employees. Work and personal lives have become increasingly commingled in our “always-connected” world, and individual expectations of privacy on the job may not be consistent with the security needs of the organization. Organizations that actively monitor their networks and connected devices — including personal devices used in the workplace — must ensure that employees are aware of and consent to workplace monitoring and that their privacy rights are understood.

Safety

Organizations need to implement appropriate safeguards to create a safe working environment for all employees. Additionally, organizations need to ensure that employees are aware of increased risks when traveling, such as crime, duress, terrorism, and accidents, and that they know the appropriate safeguards to ensure their personal safety and to protect both personal and company property.

Audit trails and access logs

Audit trails and access logs are detective controls that provide a record of events. These records can be analyzed for unauthorized access attempts and patterns of abuse; they can also potentially be used as evidence. We cover audit trails in Chapter 10.
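An added example (not from the book) that ties together the smart-card capabilities described under “Security badges” (multilevel access, restriction to certain days and times, and logging) with the log analysis described here: each badge presentation is evaluated against a door policy, every decision is written to an audit log, and the log is then scanned for repeated denials. The door names, badge IDs, clearance levels, events, and the three-denials-in-five-minutes rule are all hypothetical.

```python
"""Added example: badge access decisions, audit logging, and denial analysis."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: minimum clearance level, permitted weekdays (0 = Monday)
# and permitted hours [start, end) for each door.
DOORS = {
    "lobby":       {"level": 1, "days": range(0, 7), "hours": (0, 24)},
    "server-room": {"level": 3, "days": range(0, 5), "hours": (7, 19)},
}
# Hypothetical badge holders and their clearance levels.
BADGES = {"B100": 3, "B200": 1}

# Constructed badge-reader events: (ISO timestamp, badge id, door).
EVENTS = [
    ("2024-03-04T08:15:00", "B100", "server-room"),  # Monday, in hours
    ("2024-03-04T08:20:00", "B200", "lobby"),
    ("2024-03-04T22:05:00", "B100", "server-room"),  # after hours
    ("2024-03-05T09:00:00", "B200", "server-room"),  # level too low
    ("2024-03-05T09:01:00", "B200", "server-room"),
    ("2024-03-05T09:03:00", "B200", "server-room"),
    ("2024-03-05T09:30:00", "B999", "lobby"),        # badge not enrolled
]


def decide(ts, badge, door):
    """Return (granted, reason) for one badge presentation at time `ts`."""
    rule, level = DOORS.get(door), BADGES.get(badge)
    if rule is None:
        return False, "unknown-door"
    if level is None:
        return False, "unknown-badge"
    if level < rule["level"]:
        return False, "insufficient-level"
    start, end = rule["hours"]
    if ts.weekday() not in rule["days"] or not (start <= ts.hour < end):
        return False, "outside-permitted-period"
    return True, "ok"


def build_audit_log(events=EVENTS):
    """Evaluate every event and record the decision, whether granted or denied."""
    log = []
    for stamp, badge, door in events:
        ts = datetime.fromisoformat(stamp)
        granted, reason = decide(ts, badge, door)
        log.append({"ts": ts, "badge": badge, "door": door,
                    "granted": granted, "reason": reason})
    return log


def repeated_denials(log, limit=3, window=timedelta(minutes=5)):
    """Return (badge, door) pairs with `limit` or more denials inside `window`."""
    denied = defaultdict(list)
    for rec in log:
        if not rec["granted"]:
            denied[(rec["badge"], rec["door"])].append(rec["ts"])
    flagged = []
    for key, stamps in denied.items():
        stamps.sort()
        # Slide over each run of `limit` consecutive denials for this pair.
        for i in range(len(stamps) - limit + 1):
            if stamps[i + limit - 1] - stamps[i] <= window:
                flagged.append(key)
                break
    return sorted(flagged)


if __name__ == "__main__":
    audit = build_audit_log()
    for rec in audit:
        print(rec["ts"].isoformat(), rec["badge"], rec["door"], rec["reason"])
    print("repeated denials:", repeated_denials(audit))
```

Logging denied attempts as well as granted ones is what makes the later analysis possible; a log that records only successful entries cannot show the pattern flagged here.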

Asset classification and control

Asset classification and control, particularly physical inventories, are an important detective control. The proliferation of desktop PCs, notebooks, smartphones, tablets, and wireless devices has made theft a very common and difficult physical security threat to counter. An accurate inventory helps identify missing equipment and may potentially be used as evidence.

Emergency procedures

Emergency procedures must be clearly documented, readily accessible (often posted in appropriate areas), periodically updated, and routinely practiced (in training and drills). Additional copies may also be kept at secure off-site facilities. Emergency procedures should include emergency system shutdown procedures, evacuation plans and routes, and a Business Continuity Plan/Disaster Recovery Plan (BCP/DRP). (We cover BCP/DRP in Chapter 11.)

General housekeeping

Good housekeeping practices are an important aspect of physical security controls. Implementing and enforcing a no-smoking policy helps reduce not only potential fire hazards, but also contamination of sensitive systems. Cleaning dust and ventilation systems helps maintain a cleaner computing environment and also reduces static electricity and fire hazards. Keeping work areas clean and trash emptied reduces potential fire hazards (by removing combustibles) and also helps identify and locate sensitive information that may have been improperly or carelessly handled.

Pre-employment and post-employment procedures

These procedures include background and reference checks, obtaining security clearances, granting access, and termination procedures. These procedures are covered extensively in Chapters 6 and 10.
