Physical Security and IT Resources

Brian Hunt
Physical Security Specialist
State of Nevada
Department of Information Technology
Office of Information Security

Introduction

Physical security is defined as: physical measures, policies, and procedures to protect an organization's electronic information systems, facilities/buildings and equipment from unauthorized access and from natural and environmental hazards.

How is this accomplished: physical security is accomplished by performing an assessment of the facility/building and the surrounding premises.

- Physical security enhancements should be considered during the budget process
- Consideration of alternative funding sources should be taken into account, such as Homeland Security Grant Funding, One Shot Appropriations from governing bodies and Capital Improvement Projects (CIP)
- During new construction, physical security should be taken into account during the budgeting process
- Physical security designs should be performed by a qualified professional regarding the topology and architecture of the systems and how they will integrate
- Physical security installations should be performed by a manufacturer certified/authorized dealer

Physical Security Assessments

Examples of questions to ask when performing a Physical Security Assessment:
- What are you protecting? Determining what you are protecting will determine the amount of security you will place on the information and/or facility
- Is the facility located in a high crime area?
- Do you own or lease/rent the facility?
- Is the facility a multiunit or multiple tenant facility?
- Is the facility designed for the type of environment in which the work will be performed? (i.e., power, structure, communications, HVAC and fire suppression)

Evaluation of Assets and Data

- What is the net worth of the assets to be guarded?
- How much would it cost your organization to overcome a catastrophic loss of data or property?
- Is implementing physical security measures worth the cost of the data or property?
- Perform an impact statement to determine if the cost of implementing physical security measures is cost effective or prohibitive

Physical Security Domains

There are a number of ways to subdivide physical security; to simplify, we have divided physical security into five parts.
- Part I: Perimeter protection and outer structure
- Part II: Access Control & Closed Circuit Television (CCTV)
- Part III: Power
- Part IV: Heating, Ventilation and Air Conditioning (HVAC)
- Part V: Life safety

Part I: Perimeter protection and outer structure

Facility may require perimeter fencing:
- Chain link fence should be at least 11 gauge steel. Common installation, easy to climb or cut for entry
- Concrete masonry unit (CMU): one of the strongest installations, offers privacy, very expensive
- Wrought iron fencing: offers great protection, very expensive
- Box steel welded fence construction: architecturally acceptable, offers great protection, offers very little privacy and expensive

[Image: Nevada National Guard]

Perimeter protection

Are barriers located onsite of the facility:
- Physical barriers such as fences and walls deter intruders and restrict visibility into the premises
- Inspect barriers for deterioration

[Images: Nevada National Guard; Nevada Highway Patrol Southern Command]

Outer Structure

Windows are conducive to forced entry:
- Windows have the highest vulnerability to forced entry
- The location and characteristics of windows need to be inspected
- On doors that have windows, the window should not be within 40" of the door lock
- Windows that are less than 18 feet from the ground are the most vulnerable since they are easily accessible from the building exterior

Outer Structure

Facility doors should be constructed of material that will discourage breakage:
- Steel or solid wood doors, not hollow core doors
- Doors that are constructed of glass should be inspected for glass type, such as tempered glass, wire mesh or safety glass

Outer Structure

Ensure door strikes and strike plates are adequate and properly installed:
- Door strikes should be secured and properly fastened
- Door strike protectors should be installed on doors that require protectors or exterior doors

Inspect doors with exterior hinges that may be in a sensitive area of exposure:
- Normally doors that open out are the issue
- Doors that open out are easier to compromise

Outer Structure

Door frames should be strong and tight to prevent forcing/spreading:
- Inspect door frame to ensure the frame is plumb and level
- Ensure fasteners are tight and properly installed

Door locks should be in good repair:
- Inspect for rust or deterioration
- Inspect for proper operation

Outer Structure

Door locks should include a dead bolt with 1-inch throw:
- Measure the depth of the deadbolts
- Inspect door frames to ensure frame can support deadbolt force

Exterior areas should be free from concealing structures or landscaping:
- Inspect for "pony walls"
- Inspect for overgrown landscaping next to external windows

Outer Structure

Visitors should be required to sign in:
- Require a visitors log
- Require visitors identification badges
- Have an attendant oversee the visitors log
- Review the visitors log periodically

Outer Structure

Escort facility visitors:
- Create a policy on escorted and unescorted visitors
- Provide different color identification badges for escorted and unescorted visitors
- Require visitors to turn in identification badges after visit

Part II: Security Access Control and Closed Circuit Television

Access control systems are typically a scalable management solution encompassing complete access control, advanced event monitoring and administration auditing. Access control systems typically involve a central server or host for control and monitoring.

Basic Access Control:
- Remote capability to lock and unlock doors
- Audit log of who utilized a door and when
- Audit log of when a door has been forced or held open
- Capability to restrict or remove access for a specific person or group
- Monitoring of room occupancy by intrusion-detection systems

Access Control Selection Criteria:
- What manufacturer of system to purchase
- How many facilities will be attached to the access control system
- How do you communicate with the access control system
- How many card holders will you have
- Who will administrate the system
- What type of card technology to use (FIPS 201 compliance)

Access Control and the Nevada Access System (NAS)

Security Access Control System for the State of Nevada:
- Software House CCURE 800
- Infinite facilities as required worldwide
- TCP/IP preferred and main communication utilized; RS232/485, modem and cellular
- 250,000 cardholders (Expandable to 5000,000)
- Facility based administration or global administration
- Card technology is proximity (FIPS 201 compliance migration)

Nevada Access System (NAS)

- NAS is a scalable security management solution encompassing advanced access control and high scale event monitoring
- The Nevada Access System's main hub or server is a Software House CCURE 800, which provides users with a scalable access control solution that allows added functionality and increased capacity as the system needs grow
- CCURE 800 is a complete integration solution with unlimited application

Nevada Access System (NAS)

CCURE 800 is a complete integration solution that reaches beyond traditional security. It provides integration with critical business applications including Closed Circuit Television (CCTV) and Digital Video Management Systems (DVMS). Other integration applications include:
- Fire alarms
- Intercoms
- Burglar alarms
- Environmental building controls
- Crystal reporting
- Time management or time tracking software

Nevada Access System (NAS)

- Network capabilities: the CCURE 800 client workstations and iSTAR controllers can be placed directly on existing networks and transmitted across SilverNet and multiple WANs statewide
- Open architecture support: the CCURE 800 ensures universal support and enormous flexibility. As such, CCURE 800 interacts with industry-standard databases, video recorders and cameras, and networks
- CCURE 800 is a complete integration solution with unlimited application

Nevada Access System (NAS)

CCURE 800 Foundation Security Features:
- Event and alarm monitoring
- Database partitioning
- Windows 2000 Professional, Windows Server 2003, Windows XP Professional for servers
- Open journal data format for enhanced reporting
- Automated personnel import
- Wireless reader support

Nevada Access System (NAS)

CCURE 800 Advanced Security Features:
- CCTV integration
- Enhanced monitoring with split screen views
- Escort management
- Card holder access events
- Single subscriber Email and paging
- Open journal data format for enhanced reporting
- ODBC support

Benefits of the Nevada Access System (NAS)

Benefits of the Nevada Access System:
- Access control, audit, and convenience through the use of one access control card
- Computer workstations, technical systems and door locks will have access control with audit capabilities, and convenience with a single access control card or state issued identification card. This approach eliminates the need for quantities of mechanical keys and reduces the number of passwords an individual has to carry or memorize

Benefits of the Nevada Access System (NAS)

- Standardizing of employee identification, recognition and verification statewide
- NAS will provide a mainstay for access control support and technical assistance throughout career and life cycles of systems
- CCURE 800 based user groups statewide to provide support among Departments, Agencies, Counties and other Municipalities

Closed Circuit Television and Digital Video Management Systems

Closed Circuit Television (CCTV) and Digital Video Management Systems (DVMS) have made many advances over the years. The evolution of CCTV is an interesting history that combines the entertainment industry, consumer electronics and CCTV. These three are not a combination we would usually put together, but there is a strong parallel that has moved the industry to where it is today.

History of Closed Circuit Television Systems

The original CCTV systems were built using equipment intended for the use of the broadcast industry and industrial television:
- Cameras were large
- Expensive
- Required high energy consumption
- Required frequent maintenance

History of Closed Circuit Television Systems

- As a result of the high expense and the need to change tubes in the equipment, coupled with the heat generated by the equipment, service calls and service technicians made for a lucrative business. The high expense of CCTV installation and the cost of servicing the equipment made it possible for only the wealthy to afford such systems, since for most the cost of installation and maintenance outweighed the cost of the assets to be protected
- In the mid-60s, CCTV started to evolve as an industry. Two inventions facilitated this change and allowed the cost of installation and the maintenance of CCTV systems to become an affordable option. The Pan, Tilt and Zoom (PTZ) was invented along with the motorized lens. The PTZ function allowed the camera to move up, down and side to side. The motorized lens allowed remote control of zoom, focus and iris adjustment. These inventions reduced the number of cameras required to cover an area

History of Closed Circuit Television Systems

- In the consumer electronics market, with amateur videotaping, movie rentals and mass production and use, the video cassette recorder (VCR) became less expensive and lightweight. Soon the two technologies merged, creating the camera and recorder, or what we know today as the camcorder
- In the late 80s a mass market of products began to dramatically reduce prices and improve quality and availability. What was once enjoyed by the wealthy was now made affordable and available to the general public and industry

Designing a Closed Circuit Television System

It does not take an expert to design a usable Closed Circuit Television (CCTV) system. Some of the most usable CCTV systems have been designed by individuals who said time and time again, "I do not know anything about this, but shouldn't we...". If you take a common sense approach based on the specific applications and needs of your organization, the basic placement of cameras can be accomplished, keeping in mind that cameras are like people: they can only see what people can see.

Designing a Closed Circuit Television System

System use, security or surveillance:
- Security is defined as watching objects or items
- Surveillance is defined as watching people

Will operators manage the system:
- Operators will be required for surveillance
- Large storage may be required for security, or the watching of objects or items (recommended seven days of storage)

Designing a Closed Circuit Television System

Camera selection and locations, indoors or outdoors:
- PTZ or fixed cameras
- If indoor cameras are used, are they covert or in plain sight
- If outdoor cameras are used, what is your outdoor climate

Storage of video:
- Hard drive storage or network storage
- Video cassette recorder

Closed Circuit Television Systems Designs

Common shortcomings of many CCTV systems:
- Not enough cameras
- Cameras installed incorrectly or incorrect cameras installed for the application
- No operator
- Not enough storage or improper media for storage
- Improperly trained personnel
- Neglected or improperly maintained systems, to include cameras, power supplies, VCRs, DVRs, software applications and network connections

IT concerns for Closed Circuit Television Systems

- Network traffic for IP cameras
- Network traffic with the integration of CCTV and access control
- Improperly trained personnel
- Storage of video on site with specific hard drives or network storage
- Transfer of video files via email
- The downloading of updates for Windows based DVRs
- The potential of viruses on Windows based DVRs

Part III: Power

Does the facility have multiple services from the power company:
- Primary and secondary service in case of power loss
- Secondary services (if available) require a device called a tie-breaker in the electrical service main

Power Conditioning

- One to one transformer for power conditioning
- Main service(s) over-current protection: is it fused or a manual/auto reset breaker
- Main service should be protected by adequate ground fault protection
- For electrical systems dedicated to computer systems, the main electrical service and distribution panels should have an isolated ground (i.e., orange receptacles)
- Is the use of K-rated transformers for harmonics instituted within your facilities

Back Up Power

Generators:
- What is the intended use of the generator (emergency lighting, computers or back up of the facility)
- Generator should be sized for the load
- Back up generators should be tested weekly, monthly or annually
- All generators should have strict maintenance schedules, with work performed by generator mechanics/specialists

Back Up Power

Uninterrupted Power Supply (UPS):
- What is the intended use of the UPS
- Is the UPS sized for the load
- For UPSs of 5 KVA or greater, are they standby or in-use type (standby UPSs usually do not have power conditioners)
- What is the maintenance schedule for the UPS
- Is the UPS surge factor greater than 1.15
- UPS should include a feature to alarm when a low battery condition exists
- UPS should have remote alarm panels located in server rooms and the security/maintenance office

Part IV: Heating, Ventilation and Air Conditioning (HVAC)

Is the facility equipped with the proper HVAC system:
- Is the HVAC system sized for the current occupancy and heat/cooling load
- Was the HVAC system designed with electronic equipment in mind (heat load and humidity)
- Does the HVAC system connect to an environmental control system or direct digital control (DDC)
- Who provides programming and support for the HVAC application if the system is controlled by DDC
- Is the HVAC application on the network, and is it network dependent to operate

Heating, Ventilation and Air Conditioning in server rooms

Server rooms and remote communication closets should have proper and separate HVAC systems:
- Inspect HVAC system to ensure separate heating and cooling controls are within server rooms and telecommunications closets
- Are high and low temperature warning mechanisms present within server rooms and telecommunications closets
- Are HVAC filters changed on a regular basis
- Is the HVAC system serviced on a periodic basis
- Is the HVAC system for server rooms and telecommunications closets on a back up generator

Part V: Life Safety

Fire Alarms:
- Does the facility have a fire alarm system
- Fire alarm systems are required by law to be periodically tested (annually)
- Manual pull stations and horn/strobes must be located near the exits
- Fire alarm system should be attached to a UL approved monitoring service
- A representative from your organization should be responsible for the administration of the fire alarm system

Fire Suppression:
- Does the facility have a fire sprinkler system
- Fire sprinkler systems are required by law to be periodically tested (annually, inspection tag looped on main valve)
- Fire sprinkler system spray heads shall not have any object within eighteen inches (18") from the spray head vertically and two (2) feet horizontally
- Server rooms should have an emergency power shut off switch at the exit doors to shut down power in the event a water fire suppression system is activated within the room

Fire Extinguishers:
- Does the facility have fire extinguishers
- Fire extinguishers should be periodically tested (annually, by licensed and certified personnel)
- Where are the fire extinguishers located, and are they depicted on an emergency evacuation plan
- Personnel should receive training on fire extinguisher use. A quick reference is the word PASS:
  - Pull
  - Aim
  - Squeeze
  - Sweep

Integrator Challenges and IT Resources

The challenges that face many security integrators are the lack of administrative authority on a network (for good reason) and the lack of understanding of a network or the dynamics of an organization's network.

Key questions to ask an integrator when a system is to be installed:
- Will the system and application require administrative rights on a machine or the network
- How does the system communicate (TCP/IP, RS232/485, modem etc.)
- Does the system require a software application? If so, how many clients/nodes are allowed
- Who will retain the software and software license

Integrator Challenges and IT Resources

- How much bandwidth will be consumed by the system or application
- How much data storage will be required for the system
- Is the system capable of running if the application loses communication
- Will the integrator retain an administrative account on the system
- Will the integrator have a remote connection to the system, during and after the project
- What are the recommended specifications of the host or server machine

Management and Planning of IT Based Physical Security

Discussing the challenges ahead:

The challenge that currently faces many organizations is finding a balance between physical security personnel with knowledge of IT systems and physical security solutions that are IT dependent. The relationship of physical security IT systems requiring IT knowledge and background versus physical security is eighty/twenty (80/20): eighty percent physical security and twenty percent IT system based background knowledge. Many IT organizations assume the responsibility of an IT based physical security system while understanding approximately twenty percent of the system.

Access Control and the State of Nevada

Challenges for the State:

Through shared resources such as the Nevada Access System, IT organizations on a statewide level can assume the responsibility of an IT based physical security system with greater understanding and support. With challenges ahead such as Federal Identification Process Standard 201 (FIPS 201) and the Real ID Act, shared resources will become invaluable to the success of our statewide programs. Currently no one person or organization has the answers; with constantly changing standards and never-ending technology it is nearly impossible to keep up. I invite each of you to join together to assist in the progress of physical IT security, allowing for consistency statewide.

Physical Security and IT Resources

Brian Hunt
Physical Security Specialist
State of Nevada
Department of Information Technology
Office of Information Security
(775) 684-7349 Office
(775) 687-1155 Fax
[email protected]