Introduction
Threat | Description |
---|---|
Physical damage | Availability |
Theft | Confidentiality and Availability |
Unauthorized entry to the facility | Confidentiality and Integrity |
Natural Disasters (Fire, Flood, Earthquakes, and so on.) | Availability |
Human Intervention (Sabotage, Vandalism, Strikes) | Availability, Confidentiality |
Emergencies (Fire, Smoke, Building collapse, Explosion, Water leak, Toxic material release) | Availability |
-
Temperature: Extreme variation of temperature
-
Gases: War gases, commercial vapors, humidity, dry air, and so on. Examples would be transformer explosion gas, air-conditioning failures, smoke or smog, printer’s liquids and toners, and cleaning liquids
-
Liquids: Water and chemicals. Example would be water pipe leakages, sanitary leakages, fuel leaks, spilled drinks, acids, and chemicals used for cleaning
-
Organisms: Viruses, bacteria, people, animals, and insects
-
Projectiles: Tangible objects in motion such as moving vehicles, cars, trucks, and explosions
-
Movements: Collapse, shearing, shaking, vibrations, and so on.
-
Energy Anomalies: Electric surges, failures, magnetism, static electricity, radiation, sound, light, radio and microwaves. Examples include static electricity or carpets, cosmic radiation, explosion, and decomposition of magnetic tapes
-
General management policies and procedures to secure the facility. Includes security guards, allowing visitors inside the facility after proper vetting, escorting visitors, building access, and surveillance cameras at each and every important location, both outside and inside of the facility.
-
IT security policies and procedures to guard against unauthorized access to restricted areas such as server rooms, control and privileges of administrators, password policies, remote access policies, and access card privileges. Also, environmental controls required for the server/data farms/centers such as temperature, humidity, static, and dust controls.
-
Physical damage of hardware/software as an act of sabotage, theft, unauthorized access to the server/computer rooms, or labs with the intention to damage physical assets
-
Unauthorized access to server rooms/data center/labs
-
Physical theft of equipment, systems, and other accessories
-
Bringing personal storage devices and injecting viruses, worms, and other malicious software into the trusted networks
Physical and Technical Controls
-
Security Guards at each of the entry and exit points
-
ID cards and badges to all employees, and contractors
-
Electronic Access cards for all the major doors
-
Electronic monitoring and Surveillance cameras
-
Metal Detectors
-
Electric Fencing
-
Alarms and Alarm systems
-
Specialized access to computer labs, data centers, server rooms, and R&D labs
-
Biometrics
-
Automatic Locks and keys
ID Cards and Badges
Photo ID cards
Magnetic Access Cards
Other Access Mechanisms
-
Wireless proximity readers do not require users to physically swipe the card. The card reader senses the card automatically and allows the user who is in possession of the card to enter the door, which opens automatically. Radio Frequency Identification (RFID) technology is the one typically used by wireless proximity readers. Figure 14-1 shows one example of a RFID reader that is used for access control.
Locks and Keys
-
These are normal locks used in the houses and door locks. They are preset and the keys are fixed, you cannot change the keys.
-
Programmable locks: These are either mechanical or electronic. A mechanical lock is generally an electromagnetic lock where a combination of numbers has to be entered to unlock. Common mechanical type programmable locks can be found in earlier labs and office doors. These are the common five-key pushbutton lock that requires users to enter a combination of numbers. This is a very popular lock for IT operations, server rooms, and so on. Nowadays, the mechanical locks have been replaced by electronic combinations, where the user is required to punch in a code on a number pad to get the access. This type of lock is known as a cipher lock or keypad access control.
Electronic Monitoring and Surveillance Cameras
Alarms and Alarm Systems
Biometrics
-
Acquiring data
-
Extraction of features
-
Encryption of template so that it is not tampered with
-
Capture of data and matching
-
Access is allowed or denied based on the match or no-match.
Some of the important biometric mechanisms
-
Voice Recognition: Voicepatterns differ from person to person. The pitch value and frequency value are unique to each person and hence voice patterns are easily used for identity / authentication / verification purposes. Input voice is captured and the features are extracted from this using suitable training methods and the voice sample is stored as a template in the database. Training the voice samples is an important step. When the actual voice has to be tested, it is processed, the features out of the same are extracted and compared with the templates saved in the database. When there is a match the person is verified. Cleaning up the voice sample for noise is an important step and is carried out during preprocessing.2
-
Signature Patterns:Keystrokes, the style of writing, orientation of writing, and the pressure applied while writing are the features of writing which differ from one person to the other. Hence, for a long time, banks and financial systems are relying upon the signature verification against the lodged signatures for authenticating a person or the documents signed by a person. Various government agencies also use this method effectively and extensively.
-
Fingerprint Biometrics: It is well known that fingerprints are most used in criminal investigations. In many countries fingerprints were taken as additional authentication to the signatures during the registration of properties, deeds, and so on. Fingerprint biometrics has almost percolated to most of the fields including companies to passport authorities to immigration authorities to many other fields. This is one of the comparatively cost effective, easy to use, and easy to implement systems available for identification and authentication or verification. The fingerprint biometrics uses the minutiae like arches, whorls, loops, ridges, valleys, and furrows which allow one fingerprint to be differentiated from the other.2 Figure 14-2 shows an example of a fingerprint reader device.
-
Facial Biometrics: Facialfeatures like distance between two eyes; geometry of eyes, nose, lips, ears, and so on are the features used to differentiate one face from the other. Faces are captured and the facial features are extracted and used as a template. When the face is to be matched, again the same process is used to extract the features, the features so extracted are matched with the stored templates and when there is a match that means that the person is authenticated or verified. Some people have privacy reservations about this method.
-
Hand Biometrics: Here the handfeatures such as size, length, width of the hand; lengths and angles of the fingers, bones, muscles, and ligaments of the hand are used to identify a person. Even the pressure applied by the hand on the scanner is one of the features that may be used.2,3
-
Iris Biometrics: The use of Iris biometrics is picking up in critical and sensitive areas which require better entry controls. Iris differs from person to person significantly. Even iris may differ from left eye to right eye of the same person. Iris is the area surrounding the pupil in the eye of a human being. This is the area of the eye that determines eye color such as blue eyed, black eyed, and so on. The ring structures, furrows, and freckles pertaining to the iris are used as the features. This is easy to implement but requires specific readers and the eye has to be positioned appropriately for effective reading and is relatively costly to implement. Some people still express it as a privacy invasion.
-
Retina Biometrics: Retina is the area within the human eye that reflects the image. This has different blood vessels flowing through it. These are captured as features as these differ from person to person significantly. This is difficult to capture as it requires appropriate lighting and exposure for a sufficiently long time span.
-
Vascular Pattern Biometrics: Here the thickness and location of veins in a person’s hand are used as features. These differ from person to person. Scanning the hand is easy and also does not involve privacy issues.2
How the biometric system works
-
Enrollment stage
-
Recognition stage
Enrollment
Recognition
Performance of the Biometrics System
The test of a good biometric system
-
Unique: The feature being captured for matching purposes should be unique to each person.
-
Repeatable: If again, after time lapse, the same characteristics are captured, the features extracted should be the same as that of earlier time, that is, it should be repeatable over a period of time. It should not change from one period of time to the next period of time.
-
Accessible: The characteristics should be easy to be captured, such as through a simple scanner.
-
Universal: Any biometrics system is not useful if it can be applied to only a portion of the target group. It should be easy to apply to all the target personnel. It should not require having some other alternative system for certain people as the system in question is not possible to be used by them.
-
Acceptable: The method of biometrics should be acceptable to all. People should not have any objections about the same, like privacy related objections.
-
False Acceptance Rate (FAR): A person’s biometric characteristics match with somebody else’s from the template database. This should not be the case as this can allow access to somebody else in the place of the genuine person. This is also known as False Match Rate.
-
False Rejection Rate (FRR): A person’s biometric characteristics do not match even though his feature template is already captured in the corresponding template database. This should not be the case as the person who requires genuine access may be denied access. This is also known as False Non-Match Rate.
-
True Acceptance Rate (TAR): This is rate of correct match, that is, the person’s identity is established correctly.
-
True Rejection Rate (TRR): This is the rate of non-match correctly established, that is, if the person is falsifying the identity, that is correctly found by the biometrics system and the match is rejected correctly.
Possible information security issues with the Biometric Systems
-
Possibility of forging the fingerprint by molding or fabricating it
-
Possibility of false acceptance match
-
Leakage of biometrics data may raise privacy and misuse concerns
-
If not stored in encrypted mode, it may be possible for hackers to substitute the template and hence get unauthorized entry into an organization
-
Possibility of the registration of a wrong person instead of a genuine person during the enrolment process without verifying the identity of the person being enrolled
Multimodal biometric system
Advantages of Biometric systems
-
Users do not need to remember passwords
-
Users need not have to carry an ID card
-
Unless the person is physically present, access is denied. No impersonation of identity is possible
-
Biometric traits cannot be stolen or duplicated
-
Biometric systems are hard to break
-
Biometric systems have good accuracy
-
With the advent of the computers, the declining cost of computers, the cost of the biometric systems have significantly reduced
Administrative Controls
Fire Safety Factors
-
Do not stock any inflammables like oil, old papers, and chemicals within the office premises. If you need to store them, store them separately in a secluded area and ensure that the area does not have any fire threats.
-
Have smoke detectors installed at all the important places and high risk fire prone places within the organization.
-
Have a good fire alarm system installed which has the capability to identify the zone in which the fire has originated and provide sufficiently audible strong alarm across the place impacted by fire.
-
Have appropriate fire extinguishers installed at all the strategic and important locations within the organization, in sufficient numbers.
-
Train your security guards, Emergency Response Team members, other staff members on effectively using the fire extinguishers.
-
Maintain, test, and understand continued effective working of the smoke detectors.
-
Ensure that the fire extinguishers have the requisite pressure maintained, the contents have not expired.
-
Ensure that the electrical wiring and the switches used are of high quality and adhere to the product specifications.
-
If there is an in-house canteen, ensure safe fire handling precautions. Also, have the fire extinguishers installed in sufficient numbers in that area.
-
Get water sprinklers installed across the organization so that in case of huge fires the water sprinklers are activated and can control the fire.
-
Train all the Emergency Response Team members in effectively handling emergency responses, effective evacuation of the employees. Carry out periodical fire-drills and ensure that the staff members understand the do’s and don’ts to be followed during any fire emergency. Record the learnings of the fire drill and ensure that the Emergency Response Plans (in most of the organizations part of Disaster Recovery & Business Continuity Plans) are updated to reflect the applicable learnings.
-
Ensure that the electrical earth points are well maintained.
-
Emergency exits to be clearly marked and the path to the nearest emergency exit clearly specified.
-
Security guards and others did not know how to handle the fire extinguishers.
-
Security guards did not know the priority of evacuation. When the security guards were asked, they mentioned that the computers which are costly have to be evacuated first as they are costly and surprisingly not human beings!!
-
Fire Alarm Panels were not working.
-
Smoke detectors were not working.
-
Fire extinguishers had expired / did not have the requisite pressure.
-
Fire exits were physically locked and they had a difficult time locating the key.
-
Fire drills were carried out for the sake of complying with certain certifications. The learnings were not recorded and acted upon.
-
Earth pits were not maintained.
-
Electrical wiring was substantially old and was patched up at many places. Electrical panels were not well maintained.
-
Old papers and inflammables were stored very near to the canteen area.
-
Sufficient care was not exercised during the fire drills and some of the laptops were stolen by somebody when all the doors were opened automatically!!
Interception of Data
Mobile and Portable Devices
-
When not in use and needs to be left unattended, lock it to the desk using the locking cable
-
While travelling, ensure that the laptop is held securely by you. Do not leave the laptop unattended at airports. Do not leave your laptop in your car when you are away from the car. Data on a laptop should be always held in encrypted form.
-
Do not leave your mobile phones unattended anywhere. Ensure again that the organization has the policy to encrypt the data on the mobile. In case of loss of mobile, the organization should have the capability to wipe out the data on the mobile remotely.
-
Always keep as little data as required on the mobile devices. If you are storing some content on these while not being connected to the office servers, ensure that the data is appropriately transferred back to the office servers once you are back at office or able to connect to the office servers; and delete the data from your mobile device.
Visitor Control
Chapter Summary
-
We looked at the importance of physical security and at some of the threats and how they impact the information security aspects like confidentiality, integrity, and availability. We also briefly looked into the necessity of having physical security in the context of cloud infrastructure. We also looked into the need for IT physical security.
-
We looked into the physical and technical controls. We described ID Cards and Badges, Locks and Keys, Electronic Monitoring and Surveillance Cameras, and Alarms and Alarm Systems.
-
We explored what Biometrics is, and the different types of biometric systems in use such as behavior trait based and physical trait based systems. We looked into various behavior trait based and various physical trait based biometric system details. We explained how the biometric systems work through enrollment and recognition phases. We explored the performance of biometric systems and the characteristics of a good biometric system in detail. We looked into the security issues related to biometric systems. We then explored the value of multimodal biometric systems over unimodal biometric systems.
-
We elaborated upon the administrative controls like fire safety controls, protection against interception of data, controls required over mobile and portables devices, and visitor control.