Physical Security for IT Security Professionals

Ted Wade, MA
President,
All Hazards Security, LLC.
Copyright All Hazards Security, LLC 2017
Biography
MA Homeland Security, American Military University
BS Administration of Justice, Penn State University
South Central Task Force
Vice‐Chairperson, Business, Industry, and Infrastructure Subcommittee,
Incident Management Team, Risk and Vulnerability Assessment Team
18 Years in Security Management
Security Geek
Chairperson, ASIS International Central Pennsylvania Chapter
Former Paratrooper
What is the purpose of security?
What is the purpose of brakes on a car?
The function of brakes or security is the opposite of their purpose.
Physical Security can also act as a guardrail to prevent risks intruding into your path or exiting the safe path.
Security allows you to operate more safely in a dangerous environment, without crashing into obstacles.
What is the difference between IT Security and Physical Security?
The difference is the accent mark!
IT Security
Physical Security
Leadership often assumes IT Security is complex because they don’t get it
Due to a history of low quality Physical Security practitioners, they assume anyone can understand the subject
Physical Security Basics
Must be guided by ESRM
Include CPTED principles
Physical Protection Systems
Layered Approach with Barriers and Control Devices
Access Control and Intrusion Detection
CCTV and Sensors
Integrating the Human Element
Physical Security requires careful implementation to avoid the illusion of security
Enterprise Security Risk Management
Holistic approach to security and risk that incorporates IT Security and Physical Security as integral partners.
Based on using four principles:
Identify and Prioritize Assets
Identify and Prioritize Risks
Mitigate Prioritized Risks
Improve and Advance
ESRM provides a strategic framework for security that supports the organization's goals!
Security has to be tuned to the environment
How do you protect a monument to Freedom?
Crime Prevention Through Environmental Design‐ CPTED
Pronounced Sep‐Ted
Based on using three principles:
Territoriality
Natural Surveillance
Defensible Space
Design should make normal users feel safe, and unwanted users feel vulnerable
Objectives of Physical Security
Deter
Detect and Assess
Delay
Deny/Respond
Must Detect before you can Assess or Delay
Must Delay until you can Deny or Respond
Physical Security that only accomplishes part of these objectives accomplishes none of them.
Physical Protection System (PPS)
NOT just a Security System!
Integrate systems, procedures, and personnel between an adversary and protected assets.
Provide layers of defense
Protect people, equipment, products, and information
All avenues of attack should be equally protected but may use different means!
Goals of Physical Protection System (PPS)
Based on Risk Assessment and Risk Tolerance
Protect Assets including reputation
Built around specific threats and vulnerabilities
Cost effective use of countermeasures (systems, tools, people, and procedures)
Allow detection, assessment and response to incidents
Delay attackers until response force can defeat attack
PPS must be tested routinely to verify it is functioning as expected!
What should a PPS do?
Prevent unauthorized entry based on the assets
Deter by making the effort to defeat the PPS unprofitable
Detect unauthorized entry
Assess alarms and incidents
Delay intruders until a response force can arrive, before they can damage or remove the assets.
A PPS is not a security system; it requires procedures and personnel to enable it to protect assets.
Physical Security Planning and Implementation
Identify assets and their value
Assess threats to the assets
Assess vulnerabilities
Analyze the risks your organization faces
Develop cost‐effective countermeasures to protect assets
No two organizations have the same assets, threats, and vulnerabilities; every PPS is unique.
Identifying Assets
People
Infrastructure, Equipment, & Operations
Services, Suppliers, & Partnerships
Reputation
Information
An organization’s reputation is its most valuable asset and damage is usually self‐inflicted.
Assessing Risk
Risk Assessment is strongly dependent upon organizational leadership perception
Key is to reverse the typical equation:
It is not how much to spend on security
It is how much risk the organization wants to assume
There are no 100% risk free solutions
The Board and Executives should decide what level of risk is acceptable: what probability of this loss is acceptable?
Layered Approach
Layers of security are more cost effective in providing a level of security
Two 80% effective layers give you 96% effectiveness
More layers also provide greater delay and require multiple techniques to defeat
Visible defenses can be defeated; they allow the adversary to plan their attack
Unexpected layers of security are most likely to trip up a determined threat
Defense in Depth
Perimeter Fence
Exterior of Building
Building Interior
People and Procedures
Assets
Barriers
Natural
Perimeter Barriers: fencing and walls
Exterior Barriers: walls, floor, roof
Interior Barriers: internal walls, floors
Active Structural Barriers: activated to stop intrusion
Adversaries defeating a barrier make their intentions clear and allow response/prosecution
Barriers have portals that allow entry and all portals must be controlled!
Fencing
Fencing can vary greatly in effectiveness and aesthetics
Acceptable Standards:
7 feet high, plus 1 foot high Top Guard of barbed or razor wire
Securely fastened to Rigid Metal or Reinforced Concrete Posts
Top Guard set at a 45 degree angle, outward
Posts 6 feet apart maximum and set in Concrete
9‐Gauge or heavier wire
Within 2 inches of the ground at all locations
In soft ground, fence should extend below surface
Galvanized Mesh with opening 2 inches per side
Twisted and Barbed Selvages at top and bottom
Masonry walls have same height and top guard requirements
Fences can be defeated in seconds, but make the adversaries’ intentions clear
Portals and Locking Mechanisms
All portals should be secured when not being used
During use must be monitored for Access Control
Windows are a neglected entryway and exit
Safes are a means of creating a small locked portal
Locks have an operating mechanism, a key device, and a bolt or latch
Electric Locks: Do they Fail Safe or Fail Secure?
Locks and readers provide security only if the key, card and cypher control maintains accountability
Portals
All portals should be secured when not being used
During use must be monitored for Access Control
Doors
Hinges and hardware on inside of door
Gates
Windows
All portals must be accounted for in a security plan and allow effective access control or detection
Locks
Portals require secure locking devices
Locks have an operating mechanism, a key device, and a bolt or latch.
Mechanical Locks
Electric Locks: Fail Safe or Fail Secure?
Awareness of your locks' weaknesses
Locks provide security only if key, card, and cypher control maintains accountability
Window Protection
Protect windows below 18’ high or within 14’ of trees
Windows or utility gaps larger than 96 square inches
Frames should be securely fastened
Bars and Mesh depending upon the environment
Glazing available to prevent breakage and spalling
May require alarms to detect intrusion
Normal users don’t come through windows; often forget unwanted users may do so!
Security Lighting
Lighting is one of the most essential security tools
4 Categories of Security Lighting: Continuous, Standby, Movable, Emergency
Each category serves different purposes.
Visibility makes normal users feel comfortable and unwanted users feel vulnerable to detection
Deploy lights pointed at intruders and allow security and critical systems to hide in the dark
Lighting Sources
Incandescent
Quartz, Quartz‐Halogen
Fluorescent
Mercury Vapor
Metal Halide
Low Pressure Sodium
High Pressure Sodium
All have strengths and weaknesses and must be matched to their purpose
What do you want to illuminate?
Fences and Portals
Pathways, Entrances, Emergency Exits
Parking Areas
What do you want to keep in the dark?
Critical Infrastructure (standby lighting)
Neighbors
Some Security Features
Safes and Vaults
Safes are a primary means of delaying an intruder
Alarms have to trigger before access to the safe
UL Safe Ratings: Burglary and Fire Resistance
Rated on type of attack and delay: TL=Tools, TR=Torch, TX=Torch & Explosives
15, 30, or 60 minutes of delay for tool attacks
Fire rated for temperature and 1, 2, or 4 hour duration
Paper 350‐# of hours
Electronic Media 150‐# of hours
Alarms and Sensors
Fire alarms: detect smoke or heat
Security Alarms: detect a specific condition that MAY indicate an intrusion
Different sensors detect different conditions
Categories: Passive or Active, Hidden or Visible, Line of Sight or Terrain Following, Volumetric or Line Detection
ALL alarms must be assessed to determine validity!
Alarms are only as good as their deployed performance and the response they bring
Alarms and Sensors
Fire alarms: detect smoke or heat
Security Alarms: detect a specific condition that MAY indicate an intrusion
Different sensors detect different conditions
Rated on their performance characteristics
Without assessment alarms are ineffective
Alarms are only as good as the response they bring
System Performance Characteristics
Probability of Detection‐ Likelihood of detecting an adversary within a protection zone. Measured as 0.0‐1.0
Nuisance Alarm Rate‐ Rate of alarms from a sensor that are anticipated to be false alarms. The lower the NAR, the more confidence in the alarm.
Vulnerability to Defeat‐ Bypass or Spoof the Sensor. Measured as 0.0‐1.0
Unassessed alarm systems have a POD of 0.0
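
The deck's layering and detection figures can be worked through as a small model. This Python sketch is an added example, not part of the original presentation; it assumes layers detect independently and that each layer's sensor trips before its barrier is attacked, and the site values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Layer:
    name: str
    pod: float       # sensor Probability of Detection, 0.0-1.0
    assessed: bool   # are alarms from this layer assessed?
    delay_s: float   # delay the barrier imposes, in seconds

def effective_pod(layer):
    """An unassessed alarm contributes a POD of 0.0."""
    return layer.pod if layer.assessed else 0.0

def cumulative_detection(layers):
    """Chance that at least one layer detects (independence assumed)."""
    miss = 1.0
    for layer in layers:
        miss *= 1.0 - effective_pod(layer)
    return 1.0 - miss

def timely_detection(layers, response_s):
    """Chance of detection while the delay still ahead of the adversary
    is at least the response time. Layers are ordered outermost first."""
    usable = []
    for i, layer in enumerate(layers):
        remaining = sum(l.delay_s for l in layers[i:])
        if remaining >= response_s:
            usable.append(layer)
    return cumulative_detection(usable)

# Constructed sample site (values are illustrative, not measurements).
SITE = [
    Layer("perimeter fence", 0.8, True, 10),
    Layer("building exterior", 0.8, True, 120),
    Layer("TL-15 safe", 0.5, True, 15 * 60),
]

if __name__ == "__main__":
    print(f"two 80% layers: {cumulative_detection(SITE[:2]):.2f}")
    for response in (600, 1000, 1025, 2000):
        p = timely_detection(SITE, response)
        print(f"response {response:>4}s -> timely detection {p:.2f}")
```

In this constructed site a 1025-second response leaves only the fence alarm timely, so detections at inner layers no longer help: delay only counts from the point of detection onward.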
Categories of Sensors
Passive or Active
Hidden or Visible
Line of Sight or Terrain Following
Volumetric or Line Detection
Application
All alarm sensors are dependent upon their environment and maintenance.
Applications of Sensors
Outer Perimeter‐Fence line intrusion detection
Building Perimeter‐Door Contacts, Glass Break Sensors, Line Detection, Weighted Switch
Interior Detection‐Space Protection or Interior Perimeters
PPS must be able to identify when activity is expected and when it is an intrusion!
How Do We Identify Non‐Intruders?
Access Control: Allow authorized users to do their jobs
Identifies an unidentified individual and assesses
Identification Attributes:
What a person is (biometrics, retinas, fingerprints)
What a person does (typing rhythm, movements)
What a person has (key, card, fob, smart card)
What a person knows (password or PIN)
Each has strengths and weaknesses; using multiple factors improves identification
Access Control
Getting people access to what they need
Keeping them from accessing what they do not need
Requires accurate database of identities and access levels
Requires collecting credentials when no longer needed
Card readers preferably with anti‐piggybacking measures
More secure methods for more secure areas
Violations of access control must be assessed
Visitor Management
Visitors, including Contractors and Service Personnel, must be positively identified
All Visitor Activity must be documented, preferably in a Visitor Management System
Escort Policy for Visitors
Audit trail required for many certifications and standards
Poorly implemented Visitor Management can defeat any security program
CCTV‐ Closed Circuit Television
Must be designed for their security role in PPS
Detection, Assessment or Evidentiary Purposes
May also serve Risk Mitigation and Business Function Enhancement
Cameras: Fixed, PTZ, B&W, Color, Low‐Light, IR, Thermal
Analytics: Identify behavior to alert, record, or alarm
Monitoring and Recording
CCTV Systems that provide less security than perceived are a major liability!
CCTV‐ Closed Circuit Television
Must be designed for their purpose in PPS
Monitored for Detection Purposes. How well?
Assessment of Alarms and Conditions
Risk Mitigation
Evidentiary Purpose
Business Function Enhancement
CCTV Systems that provide less security than perceived are a liability.
CCTV‐ Cameras
Fixed: for surveillance, areas that require observation
Pan, Tilt, Zoom (PTZ) for Assessment
PTZ Tours & Autotracking can allow usage for surveillance
Needs and lighting dictate type of cameras and resolution
B&W, Color, Low‐Light, IR, Thermal
Cameras: Digital or Analog (can be retrofitted)
Analytics: Identify behavior to alert, record, or alarm
System must be maintained; a non‐functioning camera is a major risk
CCTV‐ Monitoring and Recording
Monitored: How effectively?
Perception of monitoring effectiveness exceeds reality
Monitors can be replaced by PCs and Mobile Devices
CCTV Footage should be recorded:
VCR, DVR, NVR, Server, Cloud
Compression for storage reduces quality
PPS should determine storage needs
Easy access to stored footage increases the value and utility of a camera system
The Human Element
Physical Security can only function with the intervention and participation of the Human Element
Security can always be defeated by the Human Element
Adversaries include Outside Threats, Insider Threats, Inadvertent Insider Threats, or a Combination
Employee Role: Awareness, compliance, coaching compliance & reporting suspicious activity
Security Personnel: Assessing incidents, response & documentation/reporting of routine and non‐routine
Awareness training is the patch for human naivety!
The Human Element
Physical Security can only function with the intervention and participation of the Human Element
Physical Security can always be defeated by the Human Element
Adversaries include Outside Threats, Insider Threats, Inadvertent Insider Threats, or a Combination
The Human Element includes everyone, not just Security Personnel
Security awareness training is the patch for human naivety!
The Human Element
Non‐Security personnel must perform their role and responsibility in the PPS:
Maintaining awareness of security policy
Following security policy
Coaching others to follow policy
Reporting suspicious activity
This is especially critical for supervisory, management and executive personnel!
The Human Element
Security personnel have the same responsibilities and a duty to perform their role in the PPS:
Assessing all alarms or conditions
Responding or requesting responders
Documentation of routine and non‐routine activities
Reporting suspicious activity
Never underestimate the challenges security personnel face!
Roles for Security Personnel
Access Control
Visitor Management and Escort
Alarm Monitoring
CCTV Monitoring
Dispatch Operations
Patrols: Interior and Exterior
Safety Inspections
PPS System Inspection
Assessment of Activity
Alarm Response
Surveillance Detection
Emergency Communications
Emergency Response
Medical Response
Asset Protection
Use of Force and De‐escalation
Traffic and Crowd Control
Incident Documentation
Incident Investigation
Customer Service
Operational Enhancements
Etc., Etc., Etc.
The knowledge, skills, and abilities of your security personnel must match the expectations!
Emerging Trends
Integration with Operations
Camera Analytics
Facial Recognition Advances
Identity Management
IP and Cloud based security infrastructure
Physical Security Information Management (PSIM)
App & Wearable access control and security devices
Standards Adoption & Compliance
Integration with Emergency Response
Situational Awareness and Social Media
Two‐way Audio Systems (Beware of Wiretapping Statutes!)
Remote Guarding
Automated Guarding (droids & drones)
Accreditation
The lines between IT and Physical Security will continue to cross, blend and fade.
Questions?
Ted Wade
President
All Hazards Security, LLC.
[email protected]
Twitter @TedatAHS