Hey, I'm Rob Witcher, and I'm here to help you pass the CISSP exam. We're going to go through a review of all the major topics related to physical security in Domain 3, to understand how they interrelate and to guide your studies. This is the final, ninth of nine videos for Domain 3. I've included links to the other mind map videos in the description below.

Physical security is critical in achieving confidentiality, integrity, and availability. There's an expression I like: if you can touch the box, you own the box. In other words, if an attacker can gain
physical access to a device like a firewall or a server, they can easily gain control of the device. This is because our equipment has all sorts of bypass controls built into it, like factory reset buttons. We need to carefully control who can gain physical access to our facilities, specific rooms, and even certain equipment. Physical security is also critical in achieving integrity and availability, as physical security controls like UPSs and generators provide a good, clean supply of power (electricity), HVAC systems provide cooling air at the right temperature and humidity, and fire detection and suppression systems help
to ensure our facilities don't burn to the ground. All very important things in achieving confidentiality, integrity, and availability.

There is one overarching primary goal of physical security, and it is safety of people. People are the most valuable asset, the most important asset, of any organization, and physical security controls must prioritize the safety of people above all else.

There are five categories of controls used in physical security: deter, delay, detect, assess, and respond. Deterrent controls discourage things like trespassing, property damage, theft, and intrusion through signage and other environmental design of a building and the land around
it. Delay controls delay a risk from occurring; for example, locks delay an attacker from gaining unauthorized access. Detective controls detect if a risk has occurred; CCTV cameras are a perfect example of a detective control. Assess controls are used to determine the method of attack and the target. And finally, respond controls take appropriate action to remediate the risk.

When we are implementing the aforementioned controls, we never want to implement a control in isolation. If there is only one control protecting an asset and that control fails, then bad stuff will happen. This is why we want to
have multiple layers of controls, and at each layer have a combination of preventive, detective, and corrective controls or, in physical security terms, deterrent, detective, and assess and respond controls. This is the concept of defense in depth, or layered security.

The first layer of defense protecting a facility is often an outside perimeter, like a fence. Another perimeter will be the exterior walls of the building. What is the best way to secure the perimeter? Minimize the number of entrances and exits, the number of doors.

Landscaping refers to the foliage around a building: the trees and plants. You want
to ensure that foliage is maintained to provide clear sight lines for cameras, and that a would-be attacker can't just climb up a tree and into the building. Grading refers to how the land is sloped around a building. You want the ground to slope down and away from the building, so in the event of a flood you're nice and dry on an island and not at the bottom of a lake.

CCTV (closed-circuit television) camera systems are an important part of physical security as a deterrent, detective control, and can also be used for monitoring and auditing.
Cameras are primarily detective controls.

Passive infrared, or infrared, devices are motion sensors. They are essentially really low-resolution cameras that detect infrared light: the heat that is emitted by objects in its field of view. You, as a homeothermic mammal, when you walk into a room, then the amount of infrared light in the room is going to increase, and thus your movement will be detected. These devices must automatically recalibrate themselves if the ambient air temperature changes.

Lighting is an important physical security control. A well-lit building helps to deter crime, and good lighting is important for the
safety of people.

Card readers are electronic systems used to control who is authorized to pass through a door and into a building, or into different rooms within the building. There are two major types of card reader systems: contact and contactless. In contact systems, an employee must swipe their card through the reader, for older magnetic readers. In newer contactless systems, an employee only needs to hold their card near the RFID (radio frequency identification) systems reader. Badges are simply an employee name and photo on a card.

Doors are the primary way we control who can gain
access to a building and specific parts of the building. A social engineering attack on doors is tailgating, or piggybacking: an intruder follows an authorized person through a door after they've unlocked it. This is a super common and successful attack that can be prevented by using specialized doors: mantraps or turnstiles. Mantraps are two doors, one after another. You must unlock the first door, enter a small space, close the first door behind you, and only then can you unlock the second door. Mantraps prevent someone from tailgating or piggybacking.

Locks are a perfect example of
a delay control in physical security. It is just a matter of time before an attacker picks, forces, or breaks a lock and gains entry. Check out the LockPickingLawyer if you don't believe me. Because locks are delay controls, they should never be implemented in isolation. Remember layered security, or defense in depth. There are loads of different types of locks out there. A couple of broad categories are mechanical locks (for example, key locks, mechanical combination locks, and magnetic locks), and a second broad category are electronic or digital locks: proximity or RFID locks, electronic combination locks,
and biometric locks. One of the most important factors that determines the security of a combination lock is the complexity of the combination.

We all love natural light that streams in through windows, but windows are often a weak link in the perimeter of a building. There are various types of glass that a window can be made out of (plate, tempered, laminated, wired, polycarbonate, to name just a few), but I don't suggest you memorize the different types of glass. Instead, understand a couple of types of sensors that can be used to detect if the glass has been
broken. Shock sensors are attached directly to a pane of glass, and they are designed to detect the small shock wave that is generated when a window breaks. Glass break sensors, on the other hand, are essentially microphones that are constantly listening for the specific frequencies of sound that are generated when glass breaks. Which would be better in a loud, occupied room: shock sensors or glass break sensors? Shock sensors.

Walls are obviously rather critical to physical security. It's tough to secure a building that doesn't have exterior and interior walls.

I've thrown skimming in here for lack of
a better place to put it. Skimming is where an attacker uses an electronic device to steal card information from a valid transaction. So, for instance, install a little electronic device on a bank machine which records your debit card number, or on a point-of-sale machine to skim your credit card details when you pay for something, or an attacker stands near a secure door and wirelessly records the RFID communications from your employee card. These are all examples of skimming.

Let's now talk about the three major infrastructure services that are critical to the operation of
a facility: network, power, and HVAC. Network means a reliable connection to the largest distributed network in the world, the internet, and/or other locations of the organization.

It's tough to find equipment nowadays that doesn't require electricity, and harder yet to imagine a business that could continue to function without electronic systems of some sort. Accordingly, security is very concerned with providing a consistent supply of clean power. And by clean power I don't mean renewable sources like wind or solar, which are awesome sources of power, but rather, by clean power I mean alternating current power that oscillates
at a perfect 60 hertz with no noise or distortion in the line. It's a perfect sine wave. A couple of important devices that are used to provide a consistent supply of clean power: UPS and generators. UPS, uninterruptible power supplies, are basically giant batteries that provide instantaneous but short-term power until the generator has time to start up and come online. Generators are typically large diesel engines connected to an alternator, and generators can provide long-term backup power for hours or even days, depending on how much fuel is on site.

There are various types of power outages that
physical security is concerned with. A blackout is no power for a long period of time, and faults are momentary losses of power. Power degradation means there is too little or too much power. Brownouts are an intentional reduction of voltage by the utility company, sags and dips are short periods of low voltage, and surges are a momentary spike of too much power. Think lightning strike: that's a surge.

HVAC stands for heating, ventilation, and air conditioning. These are the systems that provide air to a data center or to a building at the correct temperature and humidity, and
filter the air. The primary reason we bring cool air into a data center is to cool the equipment and ensure the equipment is operating within a desired temperature range. Thankfully, for the CISSP exam you don't need to memorize the optimal temperature ranges. HVAC systems also provide air at the right humidity: too dry and you get static electricity, too humid and you get condensation. Both are bad, and again, you don't need to memorize the optimal humidity ranges. The final major function of HVAC systems is to filter the air to remove dust and other contaminants. In a
data center, the air is being sucked into and through servers and other equipment, and if there were contaminants in the air they could clog up the equipment, causing shorts or for the equipment to overheat and fail. Related to air quality, you should know a term: positive pressurization. The idea is this nice, clean, filtered air will be blown into the data center at slightly above ambient pressure, thus positively pressurizing the data center. Why would you want to do this? If there are any cracks in the walls, or someone opens a door, the nice clean air is
being forced out, preventing any dirty air or contaminants from infiltrating.

Okay, now a favorite topic of mine: fire. Fire is a significant risk, and like any other risk, we need to put controls in place to mitigate the risk of fire. Whenever we implement controls, we want a combination of preventive, detective, and corrective controls. What's the best way to prevent a fire? Limit or eliminate any combustible materials. You can never entirely prevent the risk of fire, though, so if a fire does occur you want to detect it as quickly as possible, so we'll talk about
different fire detection methods in a moment. And as soon as you detect a fire you want to correct it as quickly as possible, so we'll finish this mind map by talking about different fire suppression systems.

All right, fire detection systems. There are three major types: flame detectors, smoke detectors, and heat detectors. Flame detectors detect the infrared and ultraviolet light created by flames. Flame detectors are essentially video cameras that you point at something you are concerned might start on fire. There's always smoke before a fire, and one of the best ways of detecting a fire as
early as possible is using a smoke detector. There are two major types of smoke detectors: ionization and photoelectric. Ionization detectors respond more quickly to what are known as flaming or fast fires, whereas photoelectric sensors, often referred to as optical detectors, respond more quickly to smoldering fires. Most good quality detectors these days are known as dual detectors: they combine ionization and photoelectric detectors into one device. And finally, heat detectors, often referred to as thermal detectors, are essentially temperature sensors, and they are monitoring for a rapid rise in temperature. If the temperature rapidly spikes, you probably have
a fire. Which of these systems will detect a fire as early as possible? Remember, there is always smoke before a fire, and the type of fire we are most concerned with is flaming or fast fires, so pick ionization detectors.

Let's now talk about how we suppress a fire. There are two major types of systems: water-based and gas-based. Water-based systems are cheaper than gas-based systems, but water and expensive electrical equipment in a data center is a terrible combination, so gas-based fire suppression systems are cost-justified in data centers. Water-based systems are common in office buildings, hotels,
and other spaces where some water is not going to destroy millions of dollars' worth of equipment. There are four major types of water-based systems that you should know about. Wet pipe systems always have pressurized water in the pipes, just waiting to be released. Wet pipe systems are the cheapest but have significant downsides: you can't use them anywhere where the pipes might freeze, and because there is pressurized water in the pipes at all times, you are inevitably going to get leaks. Dry pipe systems look identical to wet pipe systems, but the key difference is the pipes
are dry: they're filled with pressurized gas, and water only comes flooding into the dry pipes when needed. There's also pre-action and deluge systems, and both of those, of course, use water to put out the fire.

Gas-based systems use various types of gas to put out the fire. Some gas-based systems displace the oxygen from a room. No oxygen equals no fire, but also no oxygen equals no human life, so it is critical to have safety systems in place to allow people to exit the data center before the gas is released. Another method some gas-based systems use
to suppress a fire is to interrupt the chemical exothermic process that is fire. There are four major types of gases that you need to know about: Inergen, Argonite, FM-200, and Aero-K. All of them are gas-based fire suppression agents. There's one I'll highlight: Aero-K. It is supposedly safe for equipment, it won't damage the precious servers, and is apparently also safe for people, but I'm not keen to test that one on myself.

The final tool in your fire suppression arsenal is fire extinguishers. These are the little red things you see all over the place,
hanging on a wall. There are five different types of fire extinguishers: A, B, C, D, and K. Each class is meant to put out a different type of fire and will use different suppression agents. There's only one class that I'll highlight, and that is Class C. Class C fire extinguishers are designed to put out electrical fires, the type you might have in a data center, and Class C extinguishers will often use CO2, good old carbon dioxide, as the suppression agent. CO2 is an excellent fire suppression agent to use in data centers because CO2 is non-corrosive, it
won't damage the expensive equipment, it doesn't leave a residue, doesn't conduct electricity, and provided you don't use too much, it's safe for humans.

And there you go: that is an overview of physical security within Domain 3, covering the most critical concepts to know for the exam. If you found this video helpful, you can hit the thumbs up button, and if you want to be notified when we release additional videos in this mind map series, then please subscribe and hit the bell icon to get notifications. I will provide links to the other mind map videos in
the description below. Thanks very much for watching, and all the best in your studies.