Chapter 7. Physical and Environmental Security

In the beginning of the computer age, it was easy to protect the systems; they were locked away in a lab, weighed thousands of pounds, and only a select few were granted access. Today, computing devices are ubiquitous. We are tasked with protecting devices that range from massive cloud-based multiplex systems to tiny handheld devices. The explosion of both distributed and mobile computing means that computing devices can be located anywhere in the world and are subject to local law and custom. Possession requires that each individual user take responsibility for mobile device security.

Security professionals are often so focused on technical controls that they overlook the importance of physical controls. The simple reality is that physical access is the most direct path to malicious activity, including unauthorized access, theft, damage, and destruction. Protection mechanisms include controlling the physical security perimeter and physical entry, creating secure offices, rooms, and facilities, and implementing barriers to access, such as encryption, monitoring, and alerting. Section 11 of ISO 27002:2013 encompasses both physical and environmental security. Environmental security refers to the workplace environment, which includes the design and construction of the facilities, how and where people move, where equipment is stored, how the equipment is secured, and protection from natural and man-made disasters.

In previous chapters, you learned that to properly protect organizational information we must first know where it is and how critical it is to the organization. Just as we shouldn’t spend as much money or resources to protect noncritical information as we would to protect critical information, so it goes that we shouldn’t spend the same amount to protect a broom closet as we should to protect information-processing facilities such as data centers, server rooms, or even offices containing client information.

Information security professionals rarely have the expertise to address this security domain on their own. It is critical to involve facilities and physical security personnel in strategic and tactical decisions, policies, and procedures. For example, the information security expert designs a server room with a double steel door, card-reading lock, and a camera outside the door. A facilities expert may question the construction of the walls, floor, vents, and ceilings, the capability of the HVAC and fire suppression systems, as well as the potential for a natural disaster, such as an earthquake, fire, or flood. A physical security expert may question the location, the topography, and even the traffic patterns of pedestrians, automobiles, and airplanes. Creating and maintaining physical and environmental security is a team effort.

In this chapter, we will be focusing on design, obstacles, monitoring, and response as they relate to secure areas, equipment security, and environmental controls. We will examine the security issues, related best practices, and of course physical and environmental security policies.

Secure design controls for spaces within a building include (but are not limited to) the following:

Structural protection such as full height walls, fireproof ceilings, and restricted vent access

Alarmed solid, fireproof, lockable, and observable doors

Alarmed locking, unbreakable windows

Monitored and recorded entry controls (keypad, biometric, card swipe)

Monitored and recorded activity

Protected or confidential documents should never be viewable by unauthorized personnel. When not in use, documents should be locked in file rooms, cabinets, or desk drawers. Copiers, scanners, and fax machines should be located in non-public areas and require use codes. Printers should be assigned to users with similar access rights and permissions and located close to the designated users. Users should be trained to retrieve printed documents immediately. Monitors and device screens should be situated to ensure privacy. Password-protected screen savers should be automated to engage automatically. Users should be trained to lock their screens when leaving devices unattended. Physical security expectations and requirements should be included in organizational acceptable use agreements.

Power flucuations are catagorized by changes in voltage and power loss:

Power surges are prolonged increases in the voltage. A power spike is a momentary increase in voltage.

Brownouts are prolonged periods of low voltage. A sag is a momentary low voltage.

Blackouts are prolonged periods of power loss. A fault is a momentary loss of power.

Companies can install protective devices to help guard their premises and assets, such as installing surge protection equipment, line filters, isolation transformers, voltage regulators, power conditioners, uninterruptible power supplies (UPSs), and back-up power supplies. These power protection devices can condition the feed for consistency, provide continuous power for critical systems, and manage a controlled shutdown in the event of total loss of power.

Fire protection is composed of three elements. Active and passive fire prevention controls are the first line of defense. Fire prevention controls include hazard assessments and inspections, adhering to building and construction codes, using flame-retardant materials, and proper handling and storage procedures for flammable/combustible materials. Fire detection is recognizing that there is a fire. Fire detection devices can be smoke activated, heat activated, or flame activated. Fire containment and suppression involve actually responding to the fire. Containment and suppression equipment is specific to fire classification. Data center environments are typically at risk to Class A, B, or C fires:

Class A—Fire with combustible materials as its fuel source, such as wood, cloth, paper, rubber, and many plastics

Class B—Fire in flammable liquids, oils, greases, tars, oil-base paints, lacquers, and flammable gases

Class C—Fire that involves electrical equipment

Class D—Combustibles that involve metals

Facilities must comply with standards to test fire-extinguishing methods annually to validate full functionality.

The best-case scenario is that data centers and other critical locations are protected by an automatic fire-fighting system that spans multiple classes. Like all other major investments, it’s prudent to do a cost/benefit analysis before making a decision. In any emergency situation, human life always takes precedence. All personnel should know how to quickly and safely evacuate an area.

The data can be apparent, hidden, temporary, cached, browser based, or metadata:

Apparent data files are files that authorized users can view and access.

Hidden files are files that the operating system by design does not display.

Temporary files are created to hold information temporarily while a file is being created.

A web cache is the temporary storage of web documents, such as HTML pages, images, and downloads.

A data cache is the temporary storage of data that has recently been read and, in some cases, adjacent data areas that are likely to be accessed next.

Browser-based data includes the following items:

Browsing history, which is the list of sites visted

Download history, which is the list of files downloaded

Form history, which includes the items entered into web page forms

Search bar history, which includes items entered into the search engines

Cookies, which store information about websites visited, such as site preferences and login status

Metadata is details about a file that describes or identifies it, such as title, author name, subject, and keywords that identify the document’s topic or contents.

NIST Special Publication 800-88 defines data destruction as “the result of actions taken to ensure that media cannot be reused as originally intended and that information is virtually impossible to recover or prohibitively expensive.” There are two methods of permanently removing data from a drive—disk wiping (also known as scrubbing) and degaussing. The disk wiping process will overwrite the master boot record (MBR), partition table, and every sector of the hard drive with the numerals 0 and 1 several times. Then the drive is formatted. The more times the disk is overwritten and formatted, the more secure the disk wipe is. The government medium security standard (DoD 5220.22-M) specifies three iterations to completely overwrite a hard drive six times. Each iteration makes two write-passes over the entire drive; the first pass inscribes ones (1) over the drive surface and the second inscribes zeros (0) onto the surface. After the third iteration, a government-designated code of 246 is written across the drive, then it is verified by a final pass that uses a read-verify process. There are several commercially available applications that follow this standard. Disk wiping does not work reliability on solid-state drives; USB thumb drives, compact flash, and MMC/SD cards. Degaussing is the process wherein a magnetic object, such as a computer tape, hard disk drive, or CRT monitor, is exposed to a magnetic field of greater, fluctuating intensity. As applied to magnetic media, such as video, audio, computer tape, or hard drives, the movement of magnetic media through the degaussing field realigns the particles, resetting the magnetic field of the media to a near-zero state, in effect erasing all of the data previously written to the tape or hard drive. In many instances, degaussing resets the media to a like-new state so that it can be reused and recycled. In some instances, this simply wipes the media in preparation for safe and secure disposal. The National Security Agency (NSA) approves powerful degaussers that meet their specific standards and that in many cases utilize the latest technology for top-secret erasure levels.

Cross-cut shredding technology, which reduces material to fine, confetti-like pieces, can be used on all media, ranging from paper to hard drives.

It is common for organizations to outsource the destruction process. Companies that offer destruction services often have specialized equipment and are cognizant of environmental and regulatory requirements. The downside is that the organization is transferring responsibility for protecting information. The media may be transported to off-site locations. The data is being handled by non-employees over whom the originating organization has no control. Selecting a destruction service is serious business, and thorough due diligence is in order.

Both in-house and out-sourced destruction procedures should require that an unbroken pre-destruction chain of custody be maintained and documented and that an itemized post-destruction certificate of destruction be issued that serves as evidence of destruction in the event of a privacy violation, complaint, or audit.

The cost of lost and stolen devices is significant. The most obvious loss is the device itself. The cost of the device pales in comparison to the cost of detection, investigation, notification, after-the-fact response, and economic impact of lost customer trust and confidence, especially if the device contained legally protected information. The Ponemon Institute “2013 Cost of Data Breach Study: Global Analysis” calculated the average business cost of a breach in the United States to be $188 per record across all industries, $215 per record for financial institutions, and $233 per record for healthcare organizations.

Consider this scenario: A laptop valued at $1,500 is stolen. A file on the laptop has information about 2,000 patients. Using the Ponemon conclusion of $215 per record, the cost of the compromise would be $430,000! That cost doesn’t include potential litigation or fines.

We explored the often-overlooked risks of device and media disposal and how important it is to permanently remove data before handing down, recycling, or discarding devices. Even the most innocuous devices or media may contain business or personal data in metadata, hidden or temporary files, web or data caches, or the browser history. Deleting files or formatting drives is not sufficient. DoD-approved disk-wiping software or a degaussing process can be used to permanently remove data. The most secure method of disposal is destruction, which renders the device and/or the media unreadable and unusable.

Mobile devices that store, process, or transmit company data are the newest challenge to physical security. These devices travel the world and in some cases are not even company owned. Threats range the gamut from nosy friends and colleagues to targeted theft. The detection, investigation, notification, and after-the-fact response cost of a lost or stolen mobile device is astronomical. The economic impact of lost customer trust and confidence is long lasting. Encryption and antitheft technology solutions that enable remote locate, remote lock, and remote delete/wipe functionality must be added to the protection arsenal.

Physical and environmental security policies include perimeter security, entry controls, workspace classification, working in secure areas, clean desk and clean screen, power consumption, data center and communications facilities environmental safeguards, secure disposal, and mobile device and media security.

A. Facilities management

B. Information security management

C. Building security

D. A team of experts including facilities, information security, and building security

2. Physical and environmental security control decisions should be driven by a(n) ___________.

A. educated guess

B. industry survey

C. risk assessment

D. risk management

3. Which of the following terms best describes CPTED?

A. Crime prevention through environmental design

B. Crime prevention through environmental designation

C. Criminal prevention through energy distribution

D. Criminal prosecution through environmental design

4. Which of the following is a CPTED strategy?

A. Natural surveillance.

B. Territorial reinforcement.

C. Natural access control.

D. All of the above are CPTED strategies.

5. Which of the following models is known as the construct that if an intruder can bypass one layer of controls, the next layer of controls should provide additional deterrence or detection capabilities?

A. Layered defense model

B. Perimeter defense model

C. Physical defense model

D. Security defense model

6. Which of the following is a location-based threat?

A. Flight path

B. Volcano

C. Political stability

D. All of the above

7. Best practices dictate that data centers should be ______________.

A. well marked

B. located in urban areas

C. inconspicuous and unremarkable

D. built on one level

8. Which of the following would be considered a “detection” control?

A. Lighting

B. Berms

C. Motion sensors

D. Bollards

9. Badging or an equivalent system at a secure facility should be used to identify ____________.

A. everyone who enters the building

B. employees

C. vendors

D. visitors

10. Which of the following statements best describes the concept of shoulder surfing?

A. Shoulder surfing is the use of a keylogger to capture data entry.

B. Shoulder surfing is the act of looking over someone’s shoulder to see what is on a computer screen.

C. Shoulder surfing is the act of positioning one’s shoulders to prevent fatigue.

D. None of the above.

11. The term BYOD is used to refer to devices owned by ____________.

12. Which of the following statements is not true about reducing power consumption?

A. Reducing power consumption saves energy.

B. Reducing power consumption saves money.

C. Reducing power consumption creates less pollution.

D. Reducing power consumption increases CO2 emissions.

13. The United States government Energy Star certification indicates which of the following?

A. The product is a good value.

B. The product was made in the United States.

C. The product has met energy efficiency standards.

D. The product is used by the government.

14. Which of the following actions contribute to reducing daily power consumption?

A. Turning off computers when not in use

B. Turning off monitors when not in use

C. Turning off printers when not in use

D. All of the above

15. Which of the following terms best describes a prolonged increase in voltage?

A. Power spike

B. Power surge

C. Power hit

D. Power fault

16. Common causes of voltage variations include ______________.

A. lightning, storm damage, and electric demand

B. using a power conditioner

C. turning on and off computers

D. using an uninterruptable power supply

17. Adhering to building and construction codes, using flame-retardant materials, and properly grounding equipment are examples of which of the following controls?

A. Fire detection controls

B. Fire containment controls

C. Fire prevention controls

D. Fire suppression controls

18. A Class C fire indicates the presence of which of the following items?

A. Electrical equipment

B. Flammable liquids

C. Combustible materials

D. Fire extinguishers

19. Classified data can reside on which of the following items?

A. Smartphones

B. Cameras

C. Scanners

D. All of the above

20. Which of the following data types includes details about a file or document?

A. Apparent data

B. Hidden data

C. Metadata

D. Cache data

21. URL history, search history, form history, and download history are stored by the device ___________.

A. operating system

B. browser

C. BIOS

D. None of the above

22. Which of the following statements about formatting a drive is not true?

A. Formatting a drive creates a bootable partition.

B. Formatting a drive overwrites data.

C. Formatting a drive fixes bad sectors.

D. Formatting a drive permanently deletes files.

23. Disk wiping works reliably on which of the following media?

A. USB thumb drives

B. Conventional hard drives

C. SD cards

D. Solid-state hard drives

24. The United States Department of Defense (DoD) medium security disk-wiping standard specifies which of the following actions?

A. Three iterations to completely overwrite a hard drive six times

B. Three iterations to completely overwrite a hard drive six times, plus 246 written across the drive

C. Three iterations to completely overwrite a hard drive six times, plus 246 written across the drive, plus a read-verify process

D. Three iterations to completely overwrite a hard drive six times, plus 246 written across the drive, plus a magnetic swipe

25. Which of the following terms best describes the process of using a realigning and resetting particle to erase data?

A. Deleting

B. Degaussing

C. Destroying

D. Debunking

26. Which of the following terms best describes the shredding technique that reduces material to fine, confetti-like pieces?

A. Cross-cut

B. Strip-cut

C. Security-cut

D. Camel-cut

27. A certificate of destruction is evidence that __________________.

A. the media has be destroyed by a third party

B. the media has been destroyed internally

C. the media has been destroyed by its owner

D. the media has been destroyed

28. Which of the following amounts represents the average per-record cost of a data breach in the United States?

A. $1

B. $18

C. $188

D. $1,188

29. Which of the following controls includes remote lock, remote wipe, and remote location?

A. Work-at-home controls

B. Mobile device antitheft controls

C. GPS controls

D. Find-my-car controls

30. In an environmental disaster, priority should be given to _______________.

A. protecting human life

B. saving key documents

C. data center continuity

D. first responder safety

1. Research companies in your area that offer data destruction services.

2. Document the services they offer.

3. Make a list of questions you would ask them if you were tasked with selecting a vendor for data destruction services.

Exercise 7.2: Assessing Data Center Visibility

1. Locate the data center at your school or workplace.

2. Is the facility or area marked with signage? How easy was it to find? What controls are in place to prevent unauthorized access? Document your findings.

Exercise 7.3: Reviewing Fire Containment

1. Find at least three on-campus fire extinguishers (do not touch them). Document their location, what class fire they can be used for, and when they were last inspected.

2. Find at least one fire extinguisher (do not touch it) in your dorm, off-campus apartment, or home. Document the location, what class fire it can be used for, and when it was last inspected.

Exercise 7.4: Assessing Identification Types

1. Document what type of identification is issued to students, faculty, staff, and visitors at your school. If possible, include pictures of these types of documentation.

2. Describe the process for obtaining student identification.

3. Describe the procedure for reporting lost or stolen identification.

Exercise 7.5: Finding Data

1. Access a public computer in either the library, computer lab, or classroom.

2. Find examples of files or data that other users have left behind. The files can be apparent, temporary, browser based, cached, or document metadata. Document your findings.

3. What should you do if you discover “personal” information?

1. You are going to conduct a physical assessment of a computing device you own. This could be a desktop computer, a laptop, a tablet, or a smartphone. Use the following table as a template to document your findings. You can add additional fields.

2. Determine the physical and environmental dangers (threats); for example, losing or forgetting your laptop at school. Document your findings.

3. For each danger (threat), identify the controls that you have implemented; for example, your case is pink (recognizable) and the case and laptop are labeled with your contact information. It is expected that not all threats will have corresponding safeguards. Document your findings.

4. For threats that do not have a corresponding safeguard or ones for which you feel the current safeguards are inadequate, research the options you have for mitigating the danger. Based on your research, make recommendations. Your recommendation should include initial and ongoing costs. Compare the costs of the safeguard to the cost impact of the danger. Document your findings.

Project 7.2: Assessing Data Center Design

1. You have been tasked with recommending environmental and physical controls for a new data center to be built at your school. You are expected to present a report to the Chief Information Officer. The first part of your report should be a synopsis of the importance of data center physical and environmental security.

2. The second part of your report should address three areas: location, perimeter security, and power.

a. Location recommendations should include where the data center should be built and a description of the security of the surrounding area (for example, location-based threats include political stability, susceptibility to terrorism, the crime rate, adjacent buildings, roadways, pedestrian traffic, flight paths, utility stability, and vulnerability to natural disasters).

b. Access control recommendations should address who will be allowed in the building and how they will be identified and monitored.

c. Power recommendations should take into account power consumption as well as normal and emergency operating conditions

Project 7.3: Securing the Perimeter

1. The security perimeter is a barrier of protection from theft, malicious activity, accidental damage, and natural disaster. Almost all buildings have multiple perimeter controls. We have become so accustomed to perimeter controls that they often go unnoticed (that is, security guards). Begin this project with developing a comprehensive list of perimeter controls.

2. Conduct a site survey by walking around your city or town. You are looking for perimeter controls. Include in your survey results the address of the building, a summary of building occupants, type(s) of perimeter controls, and your opinion as to the effectiveness of the controls. In order to make your survey valid, you must include at least ten properties.

3. Choose one property to focus on. Taking into consideration the location, the depth security required by the occupants, and the geography, comment in detail on the perimeter controls. Based on your analysis, recommend additional physical controls to enhance perimeter security.

“Computer Energy Usage Facts,” Cornell University, accessed on 06/28/2013, http://computing.fs.cornell.edu/Sustainable/fsit_facts.cfm.

Bray, Megan, “Review of Computer Energy Consumption and Potential Savings,” December 2006, accessed on 06/2013, www.dssw.co.uk/research/computer_energy_consumption.html.

“Efficiency: How we do it,” Google, accessed on 6/28/2013, www.google.com/about/datacenters/efficiency/internal/index.html#temperature.

“Facilities Services Sustainable Computing Guide,” Cornell University, accessed on 06/2013, http://computing.fs.cornell.edu/Sustainable/FSSustainableComputingGuide.pdf.

“Foundations Recovery Network notifying patients after a laptop with PHI was stolen from an employee’s car,” PHIprivacy.net, June 24, 2013, accessed on 06/2013, www.phiprivacy.net/?p=12980.

Glanz, James, “The Cloud Factories: Data Barns in a Farm Town, Gobbling Power and Flexing Muscle,” The New York Times, September 23, 2012, accessed on 06/2013, www.nytimes.com/2012/09/24/technology/data-centers-in-rural-washington-state-gobble-power.html?pagewanted=all&_r=2&.

“Tripplite Glossary,” accessed on 06/2013, www.tripplite.com/support/glossary.cfm.

“Google Data Centers,” Google.com, accessed on 06/2013, www.google.com/about/datacenters/.

“Insider Threat and Physical Security of Organizations,” CERT Insider Threat Center, May 20, 2011, accessed on 06/2013, www.cert.org/blogs/insider_threat/2011/05/insider_threat_and_physical_security_of_organizations.html.

Jeffery, C. Ray, Crime Prevention Through Environmental Design, Second Edition, Beverly Hills: Sage Publications, 1977.

“Laptop Theft Recovery,” Winthrop University, accessed on 06/2013, www.winthrop.edu/police.

“Latest Incidents,” DataLossDB, accessed on 06/2013, http://datalossdb.org/.

Marshall-Genzar, Nancy, “Cell phone theft is on the rise, but the industry isn’t helping much (Infographic),” Marketplace Morning Report for Tuesday May 14, 2013, accessed on 06/2013, www.marketplace.org/topics/business/cell-phone-theft-rise-industry-isnt-helping-much-infographic.

Miller, Rich “Major Outage at Seattle Data Center,” Data Center Knowledge, July 3, 2009, accessed on 06/2013, www.datacenterknowledge.com/archives/2009/07/03/major-outage-at-seattle-data-center.

Ponemon Institute, “The Billion Dollar Lost Laptop Problem: Benchmark Study of U.S. Organization.” October 31, 2010.

Ponemon Institute, “2013 Cost of Data Breach Study.” May, 2013.

“Stolen Laptop May Have Compromised Students Personal Info,” ABC Columbia, June 27, 2013, accessed on 06/2013, www.abccolumbia.com/news/local/Stolen-Laptop-May-Have-Compromised-Students-Personal-Info-213435101.html.

“Unscrubbed Hard Drives Report,” Information Commissioner’s Office, April 25, 2012, accessed on 06/2013, http://www.ico.org.uk/news/latest_news/2012/~/media/documents/library/Data_Protection/Research_and_reports/unscrubbed_hard_drives_report.pdf.

Vanhorn, Chris, “Cornell University Facilities Services Computing Energy Conservation Recommendations,” September 8, 2005, accessed on 06/28/2013, http://computing.fs.cornell.edu/Sustainable/ComputingEnergyConservation.pdf.

Vedder, Tracy, “Detective’s stolen laptop puts thousands at risk of identity theft,” KOMONEWS, June 24, 2013, accessed on 06/2013, www.komonews.com/news/local/Stolen-sheriffs-office-laptop-puts-thousand-at-risk-of-identity-theft-212860341.html.

“Voltage Variations,” United Energy and Multinet Gas, accessed on 6/28/2013, www.unitedenergy.com.au/customers/your-electricity/electricity-outages/voltage-variations.aspx.

“Your Guide To Degaussers,” Degausser.com, accessed on 06/2013, http://degausser.com/.