OPEN ACCESS
Protecting physical data, networks, and systems has become more difficult, more costly, and harder to manage as technology and operating environments grow more complex and dynamic. This paper presents a theoretical foundation for physical information technology (IT) security by developing a logical description based on a flow-based model. Within this model, a security machine is defined as a sequence of stages in which flow is identified and blocked in a multilevel blockage machine. The paper focuses on two points: the importance of having appropriate physical security in place, discussed in terms of the so-called onion and garlic models, and the notion of physical containment. The proposed representation is applied to an actual security plan for the IT department of a government ministry. The results suggest a viable approach to designing physical security strategies.
Keywords: conceptual model, diagrammatic representation, physical access control, physical security, systems modeling language.
[1] Ferraiolo, K., The systems security engineering capability maturity model (SSECMM). Proceedings of the International Systems Security Engineering Association, 2000. http://csrc.nist.gov/nissc/2000/proceedings/papers/916slide.pdf (accessed 15 February 2017).
[2] Shirey, R., Internet Security Glossary, Version 2. Internet Engineering Task Force (IETF), RFC 4949, 2007.

Figure 20: Attack graph of the second stage of analysis in the example (partial and modified, redrawn from Pieters [30]).

S. Al-Fedaghi & O. Alsumait, Int. J. of Safety and Security Eng., Vol. 9, No. 2 (2019), p. 154
[3] Krutz, R.L. & Vines, R.D., The CISM Prep Guide: Mastering the Five Domains of Information Security Management, John Wiley & Sons, 2003.
[4] Gregg, M., Layer 1: The Physical Layer. Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network, Syngress Publishing, 2006.
[5] National Computer Security Center (NCSC), Glossary of Computer Security Terms, NCSC-TG-004, Version 1. NIST Computer Security Resource Center. http://csrc.nist.gov/publications/secpubs/rainbow/tg004.txt (accessed 14 September 2017).
[6] Niles, S., Physical Security In Mission Critical Facilities, Schneider Electric White Paper 82, Revision 2, American Power Conversion, 2004. http://apcmedia.com/salestools/SADE-5TNRPL/SADE-5TNRPL_R2_EN.pdf
[7] St Sauver, J., Physical Security of Advanced Network and Systems Infrastructure. Presented at the Spring 2011 Internet2 Member Meeting, Arlington, Virginia, 19 April 2011.
[8] St Sauver, J., Physical Security: A Crucial (But Often Neglected) Part of Cybersecurity. SlidePlayer.com, 2017 (accessed 11 April 2017).
[9] Hutter, D., Physical Security and Why It Is Important. SANS Institute. https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120 (accessed 5 March 2017).
[10] Harris, S., Physical and environmental security. CISSP Exam Guide, 6th ed., McGraw-Hill: USA, pp. 427–502, 2013.
[11] Oriyano, S., Physical security. CEH v8: Certified Ethical Hacker Version 8 Study Guide, Wiley: Indianapolis, pp. 393–409, 2014.
[12] Scott, M., Coca-Cola data breach highlights importance of laptop security. ACFE website, 1 December 2014. http://acfe.com/fraud-examiner.aspx?id=4294986501 (accessed 8 April 2017).
[13] Hunker, J. & Probst, C.W., Insiders and insider threats: an overview of definitions and mitigation techniques. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), 2(1), pp. 4–27, March 2011.
[14] Homeland Security Research Corporation, China, UAE, Kuwait and Saudi Arabia are fastest growing homeland security markets. Homeland Security Research Corporation website, 30 January 2014. http://homelandsecurityresearch.com/blog/category/cctv/ (accessed 21 March 2017).
[15] National Institute of Standards and Technology, Physical and Environmental Protection controls PE-1 to PE-19, Appendix F, NIST Special Publication 800-53 Rev. 3 (Recommended Security Controls for Federal Information Systems and Organizations, issued under the Federal Information Security Management Act, FISMA), n.d.
[16] Huang, J., Brief Tour about Android Security, December 7, 2012 [slides].
[17] Schiavone, S., Garg, L. & Summers, K., Ontology of information security in enterprises. Electronic Journal of Information Systems Evaluation, 17(1), pp. 71–87, 2014.
[18] Senstar Cyber, Threats in physical security: understanding and mitigating the risk. senstarcyber.com (accessed 11 February 2017).
[19] Dictionary.com, process. http://dictionary.com/browse/process?s=t (accessed 11 February 2017).
[20] Franklin-Witter, If security is a process, why don't we manage it like one? Symantec Connect, Thought Leadership blog. https://symantec.com/connect/blogs/if-security-process-whydont-we-manage-it-one (accessed 10 March 2017).
[21] Al-Fedaghi, S. & Moein, S., Modeling attacks. International Journal of Safety and Security Engineering, 4(2), 2014.
[22] Al-Fedaghi, S., New conceptual representation of collision attack in wireless sensor networks. International Journal of Safety and Security Engineering, 3(4), 2013.
[23] Al-Fedaghi, S. & AlMeshari, H., Social networks in which users are not small circles. Informing Science, 18, pp. 205–224, 2015.
[24] Al-Fedaghi, S., Conceptualization of various and conflicting notions of information. Informing Science, 17, pp. 295–308, 2014.
[25] Al-Fedaghi, S., Alsaqa, A. & Fadel, Z., Conceptual model for communication. International Journal of Computer Science and Information Security, 6(2), 2009.
[26] Al-Fedaghi, S., Software requirements as narratives. Third International Conference on Information, Process, and Knowledge Management, Gosier, Guadeloupe, February 2011.
[27] Al-Fedaghi S. & Mahdi, F., Events classification in log audit. International Journal of Network Security & Its Applications, 2(2), 2010.
[28] Al-Fedaghi, S., Flow-based description of conceptual and design levels. IEEE International Conference on Computer Engineering and Technology 2009, Singapore, January 2009.
[29] Simon, H. A., The Sciences of the Artificial, MIT Press: Cambridge, 1996.
[30] Pieters, W., Representing humans in system security models: an actor-network approach. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), 2(1), pp. 75–92, 2011.
[31] Bishop, M., Coles-Kemp, L., Gollmann, D., Hunker, J. & Probst, C., 10341 report – Insider threats: strategies for prevention, mitigation, and response. Dagstuhl Seminar Proceedings, no. 10341, 2010.
[32] Mobbs, P., Introducing information security. A series of briefings on information security and on-line safety for civil society organisations, http://fraw.org.uk/mei/archive/handouts/apc-pws/pws-01.html, 2002 (accessed 10 March 2017).
[33] Forcht, K.A. & Kruck, S.E., Physical security models, philosophies, and context. Journal of Information Management, 10(2), article 9, 2001.
[34] Robbins, P., CISSP & physical and environmental security & information security. Presentation at ISA 400 Management, Information Security & Assurance Program University of Hawai’i West Oahu, 2015, January 17.
[35] Philpott, D. & Einstein, S., The Integrated Physical Security Handbook. The Counter Terrorist Magazine website. http://thecounterterroristmag.com/pdf/IntegratedPhysicalSecurityHandbook.pdf (accessed 2 April 2017).
[36] Woodbury, C., Security blueprint [online]. IBM Systems Magazine website. http://ibmsystemsmag.com/aix/administrator/security/Security-Blueprint/ (accessed 1 April 2017).
[37] Edraw M., Warehouse Security and Access Plan Template [software], 2004–2017.
[38] Lincke, S.J., Physical & Personnel Security, CISA Review Manual 2009, PhD thesis, Univ. of Wisconsin, USA.
[39] Marrone, S., Rodríguez, R.J., Nardone, R., Flammini, F. & Vittorini, V., On synergies of cyber and physical security modelling in vulnerability assessment of railway systems. Computers and Electrical Engineering, 47, pp. 275–285, October 2015. https://doi.org/10.1016/j.compeleceng.2015.07.011
[40] Vuorinen, J. & Tetri, P., Security as a machine: struggling between order and chaos. Pacific Asia Conference on Information Systems (PACIS) 2009 Proceedings, paper 113, 2009. http://aisel.aisnet.org/pacis2009/113
[41] Vuorinen, J. & Tetri, P., The order machine: the ontology of information security, Journal of the Association for Information Systems, 13(9), pp. 695–713, 2012.
[42] Deleuze, G. & Guattari, F., Anti-Oedipus, Capitalism and Schizophrenia vol. 1, Continuum: London, 2004.
[43] Imbusch, O., Langhammer, F. & von Walter, G., Ercatons: thing-oriented programming. Presented at the 5th Annual International Conference on Object-Oriented and Internet-Based Technologies, Concepts, and Applications for a Networked World (Net.ObjectDays 2004), Erfurt, Germany, 27–30 September 2004. DOI: 10.1007/978-3-540-30196-7_16
[44] Osgood, R., Hard drive rootkit is frighteningly persistent. Hackaday blog. http://hackaday.com/2015/06/08/hard-drive-rootkit-is-frighteningly-persistent/ (accessed 14 March 2017).