Oscar Calle

How would you determine if an organization’s network capacity is adequate or inadequate? What impacts could be expected if a portion of an organization’s network capacity is inadequate?

Network capacity planning is an effective way to determine the organization’s network capacity adequate or not. A key feature of network planning is determining how much bandwidth the network actually needs . QoS is a vital feature in network capacity planning. All links have congestion points and have periodic spikes in traffic. QoS polices are essential to ensure traffic spikes/congestion points are smoothed out, and more bandwidth is allocated to critical network traffic. Without proper QoS policies in place, all traffic has equal priority, and it is impossible to ensure your business-critical applications are getting sufficient bandwidth. For instance, without detailed knowledge of the type of traffic passing through a network, it is not possible to predict if QoS parameters for services like VoIP are meeting target levels. Â Network traffic monitoring will give you the visibility that you need to properly plan network capacity and ensure QoS. Ipswich Flow Monitor network traffic monitoring is invaluable to help you understand bandwidth requirements and for network capacity planning.

Inadequate capacity planning can lead to the loss of the customer and business. Excess capacity can drain the company’s resources and prevent investments into more lucrative ventures. The question of when capacity should be increased and by how much are the critical decisions. Failure to make these decisions correctly can be especially damaging to the overall performance when time delays are present in the system.

https://en.wikipedia.org/wiki/Capacity_planning

Question 1: How would you determine if an organization’s network capacity is adequate or inadequate?

What impacts could be expected if a portion of an organization’s network capacity is inadequate?
The capacity are the available resources for the network. To determine if the capacity of the network is adequate, you would conduct a Performance test and compare it to the capacity of the network. For example: If the machine has 8 GB of RAM installed, the capacity of RAM for the system is < 8GB (Actually it would be even less than 8GB because the system will shut down if it hits a certain threshold, which is set closer to 7GB).

The impact of a system that reached its max capacity would be system shutdown. To make this system functional, you would have to increase the capacity of the resource. In my example, you would add more RAM, if the board / system was able to utilize the added resources (The mother board may not be able to support the additional capacity for the resource).
This is what happens during a DDoS (Denial of Services) attack.

Question 2: Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out from the intranet to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction which one you would you concentrate on and why?

I would block all incoming traffic because it would be better for the 3 information system security objectives, and still allow for business to operate, it would just operate the way businesses operated in the 1980’s. No email, only phone calls and face-to-face meetings. No website visiting, only getting in your car and visiting the store, or website at another location, but no incoming traffic.
This would only allow a security breach from inside the organization

How would you determine if an organization’s network capacity is adequate or inadequate? What impacts could be expected if a portion of an organization’s network capacity is inadequate?

Network capacity is the maximum capacity of a link or network path to convey data from one location in the network to another. Network capacity planning is a method to determine whether the organization’s network capacity is adequate or not. As a key feature of network planning is determining how much bandwidth the network actually needs.
The common approaches to Network Capacity Planning as following below:
1. Long-range views of average utilization: this will show a long-term trend of utilization, but the long-term view will average out those spikes of high utilization, thus hiding the problem.
2. Peak utilization, e.g. showing the busiest minute for each day in a month: This shows what days had a busy minute, but doesn’t give insight into the amount of time during which time a link is congested.
4. Traffic totals: easy to show all links on a single view, showing the links with most traffic and even periodic trends to show month-by-month usage. However, it does not give any indication of congestion except in extreme cases.

Inadequate network capacity could make the organization network unstable, unresponsive – or worse – unavailable. The bad network performance would result in ineffective service to the business and unfulfilled customers. It would lost possible customers by low level service, so network connectivity is important to an organization’s effectiveness and efficiency.

source; http://enterprise.netscout.com/capacityplanning

How would you determine if an organization’s network capacity is adequate or inadequate? What impacts could be expected if a portion of an organization’s network capacity is inadequate?

Network capacity must be able meet service-level agreement (SLA) targets of delay, jitter, loss, and availability. SLA requirements for a traffic class can be translated into bandwidth requirements. The ability to meet SLAs is dependent on ensuring that core network bandwidth is adequately provisioned, which depends on network capacity planning.
1. Measure the traffic (aggregate) and forecast the use by the traffic. The bandwidth must be able to handle traffic easily.
2. Test if the bandwidth is always significantly over provisioned to meet committed SLAs
3. Perform simulation testing to overlay the forecast demands
4. Test should be stimulated taking failure cases into consideration.
5. Forecast the usage with the provisioned bandwidth. IF the results vary then capacity is inadequate
6. Possibility and investigation of congestion – The distribution of bandwidth must be such that network availability is good even during high traffic.
7. Costs – It is important to consider overload on network and no situation should be under provisioned, but the costs will increase if the network is too much over provisioned and not utilized
Companies can perform futuristic situation based customized testing to test the capacity is adequate or not.
– What will the response time to if traffic doubles?
– How will applications perform after addition of new application, how many users would it have?
– How will service levels be affected if VMs are active to their full capacity?
– How will changes to I/O devices, network bandwidth, and the size and number of CPUs affect daily operations?
Companies can also perform automotive calculation to determine network capacity adequacy
– Which of my applications have failed to meet SLA in last 6 months?
– Where will the future bottlenecks be?
– How long will it be before my current configurations will fail to meet service levels?
– What will response time will applications need during next month?
In case the capacity is inadequate then many things could go wrong mainly the unavailability of network. Network performance will be slow which will affect daily business tasks and total time not utilized would be a lost especially during peak hours. This will leave systems and resources inefficient incurring costs.

http://www-07.ibm.com/services/pdf/nametka.pdf
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_10_0_1/Design/design_guide/UCCE_BK_UEA1023D_00_unified-cce-design-guide/UCCE_BK_UEA1023D_00_unified-cce-design-guide_chapter_01101.html

To know if the organization’s network capacity is adequate, the organization must partake in Capacity planning and Performance Management. Capacity planning is the processes for determining the network resources that is required to prevent a performance or availability impact on business-critical applications. Performance management is the practice of managing and monitoring network response time, consistency and quality. Some of the tools within this process is what-if analysis, base-lining, trending, exception management and QoS management.

The first part of capacity planning and performance management is to gather configuration and traffic information. This allows the organization to observe statistics, collect capacity data, and analyze traffic to create a baseline for the organization’s network capacity. The baseline consists of inventorying resource (software, applications, network communication, VOIP, etc,), users, and the bandwidth that is required to enable the organization to run it’s day-to-day and critical business applications.

Once a baseline is established then a trend analysis can help the organization identify network and capacity issues to understand future upgrade requirements. For example, a new internal portal allows the organization’s employees to share videos of community service events. As more users are aware of the new portal, it receives more traffic and the performance of other web-application is reduced.

Once the problem is identified, the organization will plan for the changes and do a what-if analysis to determine the affect of a network change. After it is evaluated then the changes are implemented.

Inadequate capacity can lead to employee not being able to get the resources they need to do their job. For example, if a Supply Chain application was experiencing performance issues, due to inadequate capacity, and the employee was unable to order production materials; then time and money is loss with idle production capacity and resources.

Good Summary Jianhui,

I think that the “Long range view of average utilization” is probably not the best indication of required network capacity. As we know, average is just a faux number and will not absolute. What I mean by this is; 1) it doesn’t account for capacity utilization during peak hours, 2) it overstates capacity requirements for idle network capacity. If you build your network based on average, then you will experience latency or performance issues during peak hours of usage. I guess, the hardest part is tradeoff between how much capacity the organization wants to have available at all times and how much they are willing to spend to maintain it.

Fred, good post, I believe the performance test is the most common way to help an organization determine whether or not its network capacity is adequate. Then they can compare the result with the previous results or the capacity to check the network capacity. It is critical for the network to have excessive/more capacity to avoid DDoS attack.

How would you determine if an organization’s network capacity is adequate or inadequate? What impacts could be expected if a portion of an organization’s network capacity is inadequate?

Network capacity is the maximum capacity of a link or network path to convey data from one location in the network to another. (From IT Law Wiki)

One way to effectively identify the parameters that can affect the network’s performance or availability of an organization in a predictable time is network capacity planning. Through conducting performance simulation and capacity analysis based on traffic information, infrastructure capacity and network utilization, the results provide indications of the expected loading in the network. then planners can compare it against the provisioned network capacity, to determine maximum capability of current resources and the amount of new resources needed to cater to future requirements.

Inadequate network capacity may lead to overload, or crash of network.

Priya,

This is a very good explanation to this question. You mentioned all important points which should be considered to determine if an organization’s network capacity is adequate or inadequate. One point I like the most is to test should be stimulated taking failure cases into consideration. It is very important to manage the network downtime and failures to prevent loss of business. BCP DR should always be considered of prime importance while answering the adequacy of the network.
Let’s take an example of banking industry. A network downtime for a bank can make it’s customers unable to lead to unavailability of online banking to it’s customers and can also stop the daily activities of a bank. This can lead to financial loss to it’s customers as well as to the bank too. Hence this should be taken care of while designing the network and testing it’s adequacy to meet any kind of unwanted event.

How would you determine if an organization’s network capacity is adequate or inadequate? What impacts could be expected if a portion of an organization’s network capacity is inadequate?

Network Capacity Planning would be an ideal way to identify if the current infrastructure can support the the amount of resources necessary for the applications to operate sufficiently during peak hours of the business. Depending on the network in question and the service provider for the network, most provide online tools to enable the client to monitor their traffic in real time as well as set utilization reports to run automatically at certain times of day/month. Also, there are a number of techniques that can be used such as traffic shaping and quality of service/class of service to prioritize traffic and to ensure that the mission critical applications get the necessary bandwidth needed during peak hours.

If a new application was rolled out that was a resource “hog” and was tying up all of the necessary bandwidth that had negative performance consequences for other applications using the same bandwidth. This can be very costly to a business, specifically in the financial sector, where the need for real-time information in order to effectively make money. Any type of lag or jitter in these instances can be devastating in the financial markets. All service providers will back specific type of lines with SLAs surrouding availability, mean time to repair, jitter, latency, etc. It would be good practice to also compare

Inorder to determine network capacity is adequate or inadequate we need to have a network capacity planning which includes finding out

1) Traffic Characteristics-Type and amount of traffic
• Traffic volumes and rates
• Prime versus non-prime traffic rates
• Traffic volumes by technology

2) Present Operational Capacity
• WAN percent capacity used
• LAN percent capacity used

3) Evidence of Congestion
• Packet discards which can be checked with ping operation
• Top error interfaces

4)Network growth over a period of time.
Requires detailed view into current bandwidth usage, combined with historical accounts of capacity usage

5)QoS
To check if Business-critical applications are getting sufficient bandwidth.

If the network capacity is inadequate it will lead to slow network performance which will disrupt the company critical operations.
Delay in deliverable which can tarnish company image
During the peak office hours of morning the slowdown in network will also waste important time of employees if critical applications are running slow

http://www-07.ibm.com/services/pdf/nametka.pdf
https://www.ipswitch.com/resources/best-practices/network-capacity-planning

How would you determine if an organization’s network capacity is adequate or inadequate? What impacts could be expected if a portion of an organization’s network capacity is inadequate?

Capacity planning is the process of determining the production capacity is adequate or inadequate needed by an organization to meet changing demands for its products.
There are three steps for capacity planning:
1. Determine service level requirements
2. Analyze current capacity
3. Plan for the future
To manage capacity effectively and to provide adequate bandwidth for critical services, these are some questions people should keep in mind: How much bandwidth does your business need? How close towards maximum utilization are your servers? Which network interfaces will be most utilized 30 days from now?
If portion of network capacity is not adequate it will lead to loss of customers and business because network may be interrupted and therefore unable to perform the service for clients. In addition, there are negative impact expected on business operations flow and possibly data corruption.

Source: https://www.sevone.com/supported-technologies/capacity-planning-and-bandwidth-management

Network capacity is the measurement of the maximum amount of data that may be transferred between network locations over a link or network path. The network capacity measurement is complex and there are many different variables (network engineering, subscriber services, rate at which handsets enter and leave a covered cell site area) and scenarios that make actual network capacity rarely accurate. With that said, a key indicator of inadequate network capacity would be too much network traffic causing bottlenecks in your process and a slow network which could be caused by an overload of network errors and network congestion

source: https://www.techopedia.com/definition/18179/capacity-network

Great answer, Wenlin. You’ve correctly pointed out that “QoS policies are essential to ensure traffic spikes/congestion points are smoothed out, and more bandwidth is allocated to critical network traffic”. I’d like to add that to quantitatively measure quality of service, various aspects of the network service are often considered, such as error rates, bit rate, throughput, transmission delay, availability, jitter, etc. If a portion of a network’s capacity is inadequate one can expect problems such as dropped packets, latency, out of order delivery and errors due to interference and low throughput.

Well put, Vaibhav. You’ve covered the important points for check network capacity adequacy very well. I especially liked that you’ve mentioned that network growth over time is also an important area to look into. It is easy to overlook slowly but gradually degrading network performance till a major incident occurs. To ensure that such a scenario doesn’t take place, it is important to look at trends for network performance parameters so that any capacity related issue can be identified at the earliest and dealt with appropriately.

I want to add the some approaches of how to evaluate the network capacity to your comments. .
1. Long-range views of average utilization: this will show a long-term trend of utilization, but the long-term view will average out those spikes of high utilization, thus hiding the problem.
2. Peak utilization, e.g. showing the busiest minute for each day in a month: This shows what days had a busy minute, but doesn’t give insight into the amount of time during which time a link is congested.
4. Traffic totals: easy to show all links on a single view, showing the links with most traffic and even periodic trends to show month-by-month usage. However, it does not give any indication of congestion except in extreme cases.

Question 2: Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out from the intranet to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction which one you would you concentrate on and why?

I would block all incoming traffic because it would be better for the 3 information system security objectives, and still allow for business to operate, it would just operate the way businesses operated in the 1980’s. No email, only phone calls and face-to-face meetings. No website visiting, only getting in your car and visiting the store, or website at another location, but no incoming traffic.
This would only allow a security breach from inside the organization

Although this decision would greatly be dependent on the type of business and the situation which calls for such a choice to be made, I personally, would choose to block outbound traffic. My decision is based on the below reasons, keeping in mind the objectives of CIA ( confidentiality, integrity, availability) and assuming that this is only for a short duration (may be due to an upgrade activity or other infrastructural change taking place)

1) Since most resources and tools that the employees use will be on the intranet, employees would be able to perform their duties either way
2) A considerable portion of incoming traffic would be incoming emails from clients and customers. Receiving these emails is very critical. Emails which require immediate action or response need to reach the employees so appropriate action can be taken. For outbound communication, Employees can always contact customers via phone and inform them to expect delay. Non-urgent emails can be responded to later.
3) Blocking outbound traffic would also mean the confidentiality and integrity of company information is maintained. Availability of company resources to internal employees is not hampered in any case so from CIA objective perspective too, this decision would be the right one.
4) Allowing inbound traffic could be opening doors to cyber-attacks, phishing, viruses etc however, having the network secured by firewall and antivirus would greatly reduce the probability of such an attack being successful.

Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction which one you would you concentrate on and why?

I would say “b” because blocking the traffic going out to the internet is like cutting the organization from the outside world. The internet will only work between the company network. Blocking the traffic going out will definitely reduce the risk of an attack. Plus, employee would be focus on what they are supposed to do since they can’t access other sites such as Facebook, shopping sites, illegal sites…
It would be counterproductive to block the incoming network because it would block communication inside the company. How would people use share drive in the network?

If I had to choose whether to allow inbound traffic or outbound traffic I would go for outbound traffic (intranet to internet) for security reasons alone and block inbound traffic (internet to intranet). In most cases that we hear of data breach, we find that attackers come in on inbound connections rather than outbound.
Though there are cases wherein there are attacks from within the organization due to human error or negligence I find inbound traffic to be less secure for the following reasons:
-Confidentiality: In case of inbound traffic we will not be sure of the source from where data is coming. Controls like filters, firewalls, anti-virus and routers may not be enough to monitor the inflow.
-Integrity: Multiple type of encryptions may be used. As we cannot control the environment outside the organization, more chances of the data to be altered. This opens the system to malicious mails, virus, worms, social engineering attacks, DOS attacks.
-Availability: If there is a non-availability of data due to server issue or broken route, it is not very easy to get it fixed. It would need third party involvement and will completely depend on the source to rectify the issue.
Outbound traffic is more secure as it is flowing out of the organization and it is in the control of the network administrator. It becomes easier to predict and provide preventive and corrective controls if needed.
-Confidentially: The access is given only to the authorized user to be able to send the information
-Integrity: The encryption used to send the data is decided by the network team and so it can be more secure as per the design. Alteration to data can be done by user with malicious intent but this is rare and can be prevented with proper authorization permissions and segregation of duties
-Availability: Availability is directly related to the datacenter or the network within the organization. So DRP defined can help restore the information within the timeline identified by the company.

Absolutely, I agree.

There is a huge security risk associated with out bound traffic. For instance, DDoS attacks. But if you don’t have an open port to move traffic out, the probability of your network to be a participant (botnet) of such an attack decreases.

There are other risks as well, like, uncontrolled email and file transfers from your network to outside network can compromise the confidentiality aspect.

Question 2: Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out from the intranet to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and availability), if you could only filter and selectively block one network traffic direction which one you would you concentrate on and why?

The answer to this question comes from another question: For what reason there is a need to block the network. CIA is highest level of objective which an organization wants to achieve with respect to data and security rules and regulations revolves around how to maintain the CIA.

So if there is a case an employee is working suspiciously on some important data and is making efforts to leak the data from the organization to the outside world, we would need to block network traffic going out from the intranet to the internet(Outbound). The other case where we would want to block outbound traffic is if there is a malware attack and due to which outside attackers are able to access data. A similar case occurred recently in Wells Fargo where employees had an unauthorized access to the customer data. In such case employee who have access to customer’s personnel data can easily be leaked to the outside world therefore blocking the outbound traffic is the step which would be needed in such incident.

Blocking the network traffic coming into its intranet from the internet would be necessary in case there is a cyber-attack on the network. The attacks can be a virus attack, denial of service attack (DDOS), Man in the middle attack and so on. In becomes very difficult to control such kind of attack from outside. Hence blocking the inbound network is the only option to prevent data breach and internal network.

Fred,

I think it might be depends on nature of business, if the organization doesn’t want to communicate in industry so blocking all income network is good practice, However, I think in terms of confidentiality we should block or be sensitive about outbound information.

I strongly agree with you Deepali, that the decision to choose between allowing inbound traffic or outbound traffic is very much dependent on the scenario that calls for such a choice to be made in the first place. You gave excellent examples of both such scenarios – one where the need of the hour is to contain data within the company and one where the need of the hour to keep external threat agents out. I think it is safe to say that there cannot be a fixed right decision purely because the decision is one which needs to be made considering different factors.

Mansi,

Good point, I agree with you it totally depends on nature of business, However outbound traffic is more important in my view, I remember in advisory session we had couple weeks ago, we analyze the case that the problem was in outbound traffic wasn’t protected so there was a main problem on that case.

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by bombarding it with traffic from multiple sources
Spear-phishing attack is carefully crafted and customized to look as if it comes from a trusted sender on a connected subject. Spear-phishing scams often take advantage of a variety of methods to deliver malware .

Spam-phishing attack is targeted on by sending mass amount of junk emails and unwanted codes to the recipient through different methods
As mentioned the DDoS is a collective effort so it is launched by a large number of computers or bots together to attack a particular website and server by overwhelming it with huge traffic .In this case the spam phishing is a bigger threat in launching DDoS
Every network service has its bandwidth and if it is flooded by spam email and code it actually causes a DDoS..

I wanna take an example of how the large amount spam emails can disable the work completely.
In my previous organization while working on setting up an SMTP server for client website,I had given up my organization email to test the content of email being received.I had mistakenly put up the code inside a unending while loop and tested the code.It was in minutes my entire mailbox was filled with test mails and I could not receive any further emails .Every single mail deleted will bring another numerous test email.My outlook went completely down

Question 3: In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?

In the contexts of being attacked by a DDoS, a bigger threat to an organization is Spear phishing because it is often an email from a familiar source, or so it looks.

Spear phishing is a form of email, instant message, text, ect attack. The attacker poses as a familiar contact and persuades the user into performing a certain action. Since this is coming from a reputable source, the user will unknowingly infect the system by performing the action requested by the reputable source. This would be a bigger threat to me because SPAM is common these days and everyone deletes things they don’t recognize. Spear phishing is something you will recognize.

In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?

Fraudsters use phishing emails to steal personal information. Although, the email may look harmless but they can convince employees to follow links or download attachments that can be dangerous and compromise PII (name, address, SSN, credit card number, etc.).

Spear-phishing is fundamentally based on the same idea except regular employees are not the target for the attackers; they want the access to the organization’s valuable resources.

Spear-fishers typically gather information from social media sites and other sources to craft highly targeted messages. During an attack, they will send emails to a few employees and not everyone onto the organization’s network (like they do in phishing email attack) to avoid getting filtered out by anti-phishing software. Malwares used by spear-fishers are not like the typical malware that will flood the screen with pop-ups, these malwares are difficult to spot. There have been cases where these malware have improved computer performances. Critical information like customer information, confidential files, organization proprietary information, trade secrets, etc. can be compromised.

In a scenario, where top executives of an organization were spear-fished and their system was compromised, request sent from their botnets will probably not be ignored and is a bigger threat, I believe.

Source: https://www.sans.org/reading-room/whitepapers/analyst/protect-advanced-email-borne-malware-phishing-social-media-fraud-guide-36467

Spam phishing: Phishing attacks use spam (electronic equivalent of junk mail) or malicious websites (clicking on a link) to collect personal and financial information or infect your machine with malware and viruses.

Spear phishing: Spear phishing is highly specialized attacks against a specific target or small group of targets to collect information or gain access to systems.

A distributed denial-of-service (DDoS) attack is when a malicious user gets a network of zombie computers to sabotage a specific website or server. The attack happens when the malicious user tells all the zombie computers to contact a specific website or server over and over again. That increase in the volume of traffic overloads the website or server causing it to be slow for legitimate users, sometimes to the point that the website or server shuts down completely.

As for DDoS attack, Spear phishing should be a bigger threat because spam phishing is easier to control than spear phishing. First the email has its own ability to identify spams. Second, spams are easier to tell if people have awareness of protecting themselves to click links or download files in unwanted emails. On the other hand, spear phishing is more targeting to collect specific information. For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. Since they have gained access to the network, the email they send may look even more authentic and because the recipient is already customer of the business, the email may more easily make it through filters and the recipient maybe more likely to open the email.

https://staysafeonline.org/stay-safe-online/keep-a-clean-machine/spam-and-phishing
https://www.getcybersafe.gc.ca/cnt/rsks/cmmn-thrts-en.aspx

Vaibhav,

I think your example makes clear the ways in which spam can take down a network and computer systems. I think the question being asked this week is “double-dipping” in a way.

For spam phishing the example you gave makes it clear that overloading a network or system can bring it down.

However, spear phishing could also bring networks/systems down if the target that was compromised had privileged access, or something to that effect.

Question 3: In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?

For DDos attack, I think spear phishing is a more targeted form of phishing whereas spam phishing involves malicious emails sent to any random email account. Spear phishing emails are designed to appear to come from someone the recipient knows and trusts, such as a colleague, business manager or human resources department. For attackers, they may study victims’ social networking, like Facebook, LinkedIn, WhatsApp, etc., to gain intelligence about a victim and choose the names of trusted people in their circle to impersonate or a topic of interest to lure the victim and gain their trust.
Nowadays, organization’s computers have already installed spam stopper software or tools to prevent these kind of spam phishing emails to their accounts. So spear phishing becomes more popular than spam phishing for attackers because people have already had consciousness for spams, but people still lack consciousness for spear phishing because of emails sent by “familiar” people.

Question 3: In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?

In the contexts of being attacked by a resource for distributed denial of service (DDoS), I would say that spear phishing a bigger threat to an organization’s network and computer resources. A Distributed Denial of Service (DDoS) attack is an attempt to make the target unavailable by overwhelming it with traffic from multiple sources. A typical spear phishing emails is extremely deceptive as they attempt to represent an identity that is trusted or related to the business itself or user’s interest. It is more likely for the users to open the email and download the malicious file. For spam phishing, I believe this kind of phishing emails would be detected by the email security system. Users are less likely to open the emails if they don’t recognize the contents.

One of the most recent example was the Dyn suffering from a DDoS attack, resulting in network and system downtime for many hours. Social network users could not access to their social media account or commercial transactions could not go through.

Definition of Spear phishing:
Spear phishing is highly specialized attacks against a specific target or small group of targets to collect information or gain access to systems.

Definition of Spam phishing:
Spam phishing is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages, many of which contain hoaxes or other undesirable contents such as links to phishing sites.

Hi Mengxue, Great post, I like how you stated that Spear phishing should be a bigger threat to an organization because targets the specific organization with collecting specific contents. And you outstanding example shows how the spear phishing hacker will ask for the customer list. Spear phishing does not have to be carrying malicious software or botnet, it can also ask for your financial information/client’s data/personal private information.

Question 3: In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?
Spam phishing is a bigger threat to an organization becoming a resource for distributed denial of service (DDoS) attack. Spam phishing typically utilizes mass email to target as many people as possible. In a way, similar to the “shotgun approach,” in that more is better. Conversely spear phishing uses a different strategy by target a small number of victims. Spear phishing will often use social engineering to lure employees into clicking a link on an infected email. While both will often use email, the goals are not generally the same. Because spear phishing targets a much smaller number of people than Spam, it usually is trying to steal sensitive data, financial information, and other valuable information. Spam phishing uses a much larger scale because it often recruits the victims computer in to a “zombie” computer, collectively known as a botnet. These computers are then used for DDoS attacks.

In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?

Generally, the spam phishing attack is a form of electronic junk mail sent to users, and it’s a very dangerous phishing scam since the attackers may use it to obtain sensitive personal information from victims like their credit card information or the password of online banking. Different from traditional spam phishing attack, the spear phishing is focusing on specific targets like employees or management of the organizations. Besides the email phishing attacks, pear phishing attackers also usually built fake websites with virus or malware, if the specific targets open the fake websites, the virus may copy the highly sensitive information from inside of the organization, and cause significantly data leak and damage the information assets of the company.

Comparing these two phishing, the spear phishing is a bigger threat to an organization’s network. Indeed, the spam phishing is more widely affected, but from the perspective of organization’s network, the spear phishing may cause more serious damage. Because the spear phishing is targeting the specific victims like management who have access authority to login to the company’s systems. If the attackers use spear phishing successfully obtain the accessibility of the information systems of the company, all confidential information are under the monitoring of the attackers, even worse, they can steal this sensitive information.

I think that in the context of being attacked by a DDoS that spear phishing is the bigger threat. A DDoS to take down an organization’s resources would need to know how to access servers via IP or by figuring out how to get past firewalls. Network administrators may be targeted to reveal this sensitive information. A spear phisher may request permission to audit and the administrator may reveal these resources’ locations against normal protocol. Neither spam phishing or spear phishing would change a DDoS on the organization’s public website as that IP is already known.
Conversely, I think in the context of the organization’s network becoming a botnet for a DDoS that spam phishing is the bigger threat. The botnet’s goal is to become as large as possible with as many connected computer resources at its disposal. The most effective botnets barely change normal computer operation making them difficult to know if you’re even infected. Targeting singularly important users in a company is not a strategy aligned with this goal.

Spear phishing is highly specialized attacks against a specific target or group of targets to collect information or gain access to systems through personalized e-mail messages and social engineering. This is not random kind of attack, attacker knows target name, target email address, and at least a little about target. It’s a more in depth version of phishing that requires special knowledge about target.
spear phishing is an effective method for targeting several industries, appear to come from a trusted source.
Spam is the electronic equivalent of junk mail. It’s annoying and can potentially be very dangerous if part of a larger phishing scam.
I believe that spear phishing is the bigger threat to an organization’s network. attacks have potential consequences such as identity theft, financial fraud or stealing intellectual property. spear phishing is a real threat and it can bypass normal technical anti-threat barriers and exploits users to infiltrate systems.
Here are solutions to mitigate the Spear phishing attack:
– Consider extra level of authorization such as 2 step of verification.
– Frequently change password.
– Employees training
– Deploy a SPAM filter that detects viruses, blank senders.

Noah,

Its interesting, I didn’t think the way you explained! True its based on reason for attacks or what is the goal of attackers.

If attacker aims botnet, spam phishing as it sent out in mass quantities can be a bigger treat, and if attacker aims specific information spear phishing as its target specific group of organization is a bigger treat.

In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?

Spear phishing would be a bigger threat to an organization’s network because it is more targeted towards the victim and is more likely to be effective.

Spam phishing is a smaller threat and less effective because spam emails are usually easily detected. Users who receive spam emails can usually tell that it’s a spam because they tend to be random and unrelated to anything. Spam emails can also be filtered by spam filtering programs in the email service so they rarely even appear in employee emails.

Spear phishing emails on the other hand target specific employee. The emails are uniquely crafted specific to that employee such as appearing as sent by someone the employee knows or is related to something the employee done recently. The email may also be social engineered to get the employee to divulge information. Humans are susceptible to these kinds of emails because we tend to be more positive. When we receive an email that appears to be from someone we know, our initial instinct is to accept it and not be suspicious of it.

Good example of Dyn suffering from the DDoS attack. In this case, the cyberattacks cause the network and system down for couple hours, which damaged the information assets of the company and also the reputation. Just curiosity, in the Dyn’s case, is that the spear phishing attacks allowed the attacker got the accessibility by stealing the PII from the administrator?

Hey everyone,

I see your point that and agree that spear phishing is the more dangerous of the two. However, I interpreted the question to be that if you were being attacked by a botnet or an attack is attempting to make your computer a part of a botnet, what is more of a concern; Spam Phishing or Spear Phishing? In that case, I believe it will most likely be a spam phishing attack and not a spear phishing attack. I suppose which phishing attempt one should focus on depends on the exact risk.

If I am worried about a DDoS, then my concern would be over a spam phishing attack or just spam attack in general. A DDoS is caused by many computer requests coming in from multiple computer locations. If I were to get millions of spam emails in a matter of seconds, then my email system would go offline. Therefore, for the DDoS risk, I would be more concern with spam phishing or just enough spam to knock off my services.

If I am worried about my computer or computer resources becoming part of a botnet, I would be more concerned still with spam phishing. The reason for this, is because those looking to increase their botnet aren’t to particularly keen on whose computer resources it is. My grandma’s laptop works just as well as a botnet as the laptop of a Fortune 500 CEO, so therefore to increase their numbers it is more quantity over quality. Therefore, botnet owners will likely use spam phishing as a method for increasing their botnet and therefore to address this risk, I would focus on spam phishing. However, Abhay brought up a good point that spear phishing shouldn’t be 100% ruled out as a method for acquiring computer resources for a botnet.

If I am worried about social engineering, then I would be more concerned with spear phishing. Since spear phishing is targeted to only a couple of individuals, the cause behind such attempts isn’t so much to get access to computer resources for a botnet, but more to get access to an organization’s data such as PII or sensitive business information like patents. Since spear phishing is so particular and targets a small group of individuals, as opposed to a spam phishing attempt which can targets millions, the chance of success is greater.

Hi Fangzhou,

Great post, I agree with you that spam phishing is widely affected because it targets a massive amount of email users. It is inexpensive, quite and convenient but the success rate is lower compared to spear phishing. Compared to spam, spear phishing may take long time to modify the email for specific targets!

Hi, Yuming

You made great points. One thing I want to point out is that spam messages often contain images that the sender can track. When you open the email, the images will load and the spammer will be able to tell if your email works, which could result in even more spam. What we can do as email users to avoid this is by turning off email images.

With phishing scams, people should use their best judgement.
– never send someone money just because you’ve received an email request.
– never download email attachments you weren’t expecting because they might contain malware that could damage your computer and steal your personal information.

Hi, Fangzhou

You are absolutely right that spam phishing is widely affected. I found some statistics online that was very interesting. There was a campaign, it sent 1000000 messages through spam phishing attack, the open rate was 3%, and click through rate was 5%. However, only 1000 message sent through spear phishing, the open rate was 70%, and click through rate was 50%. You can tell there is a huge difference! There are more people opening their email when it was sent through spear phishing.

Source: https://ilookbothways.com/tag/spam/

Dyn definitely was the victim of a DDoS attack, but were they also the victim of spear or spam phishing? No question that others were certainly victims because so many connected devices were infected and turned to bots. But Dyn simply suffered from an inundation of traffic from this botnet, which may only be indirectly related to the phishing. It’s definitely very relevant to the attack, but not sure that either directly affected Dyn from what I’ve seen in the news.

For the “health” of the business, it is very practical to do testing of the Business Continuity Plan (BCP). However, testing (by nature) can be disruptive and intrusive. In the “Disaster Recovery and Business Continuity Planning” article by Yusufali Musaji that we read this week, he gives four methods for testing.

They are:

– Hypothetical
– Component
– Module
– Full

In descending order, they become more burdensome to implement. However, something that Mr. Musaji writes about in his “Setting Objectives” section stood out to me. He mentions documentation testing and “third-party” evaluations of offsite locations (a backup data center, for example). Documentation seems to be the bane of most company’s/employee’s existence, but their is certainly a need for it in BCP. This documentation can serve as the foundation of what to do in the event of outages or changes, as long as it is high quality and people are trained in how to use it. Furthermore, reaching out to a third-party to conduct BCP evaluations frees up your own in-house resources, so the company can be more productive while evaluations are conducted.

BCP is a plan that allows a business to plan in advance what it needs to do to ensure that its key products and services continue to be delivered in case of a disaster,.A business continuity plan enables critical services or products to be continually delivered to clients. Instead of focusing on resuming to a complete strength after a disaster, a business continuity plan endeavors to ensure that critical operations continue to be available.

It is very difficult and less practical to conduct BCP test in an organization.But testing can be a major challenge to many organizations because it requires
1) Management support,
2) Time for preparation and execution,
3) Funding
4) Structured process from pre-test through test and post-test evaluation
5)Clients do not cooperate to test as post test the results suggests some solution which will be very costly to implement

The full BCP test verifies that each component under each module is workable and the complete strategy and objectives are satisfied.So in most cases you wouldn’t be able to perform the full testing but you will be able to test all the parts of business continuity separately
Component and module testing can be a good option as an alternative.It helps verify details and procedures of individual processes .The emphasis can be laid on more critical components.

2. Is it practical to conduct a thorough test of a Business Continuity Plan? Why might it not be practical? If it is not practical, what alternative ways can you recommend for testing a BCP?

It isn’t practical to conduct a thorough test because the plan would affect everyone who is utilizing the environment. This would be a huge project that wouldn’t make business or financial sense. An alternative way to test the BCP plan is to conduct it on a pre-defined environment. Conduct a beta-test on “dummy” users. All companies will perform beta-testing before pushing things down to the end users.

A thorough test of a BCP is not practical. There would be great expense and it can cause disruption to employees. Also, the organization may be outsourcing some of IT and cannot view inside their operations.
We can do a lot of disaster recover testing in general though insted of a thorough test. There are four main categories of testing; hypothetical, component, module, and full. Hypothetical tests are there to prove that there is a plan in case something breaks. This is the fastest method of testing.
Component testing is a chunk of instructions from the BCP to be performed, usually for one feature. This can be for verifying compatibility for things such as tape storage, recovery, or security packages.
Module testing is testing that multiple components will work together after being recovered.
Full testing is to check that all the components can be up and running in a certain acceptable amount of time.

source; disaster recovery and BCP

Fred, Thanks for you post. I don’t agree that thorough testing for the BCP/DRP is impractical or that it doesn’t make business or financial sense. Like you said, testing is required before anything is set in to production. Some products may even go through hundreds of tests before being approved. So why shouldn’t a BCP/DRP be put through the same rigor? You don’t know if it will work as intended unless you test it. Yes, some aspects may be expensive, like flipping the switch on the cold-site, but I think it’ll be more expensive to find out that the switch doesn’t work when an disastrous event have already occurred.

Nice post Vaibhav. Sometimes it is not possible to have a full operational BCP test as it can be expensive and also result in a loss of productive time.To conduct a full operational test , the organization should have tested the plan well on paper and locally before completely shutting down operations.
Other alternate methods are
1. Desk-based evaluation/paper test: A paper walkthrough of the plan where what happens if a particular service disruption occurs is studied.
2. Preparedness test: It is a localized version of the full test wherein actual resources are used in the simulation of system crash. It is cost effective way to know if the BC plan is good.
Usually before conducting a full operational test both paper test and preparedness test is done to ensure that the operations do not come to a standstill.
Methods to test BCP:
1. Checklist test
A checklist test determines if the plan is current, if the backup site has adequate, correct telephone numbers and contact information are available, emergency forms, copies of the plan and any supplemental documentation are available.
2. Structured walk-through test
This test done team-wise or department wise where in a detailed walk-through of the various components of the plan is conducted. The type of disaster and parts of the plan that needs to be tested is decided by the team leader.
3. Emergency evacuation drill.
A facility evacuation should be conducted at least once a year with all employees to be sure that the employee understands how the evacuation should proceed, where to go, whom to reach out to, how to handle personnel with physical limitations in case of emergency etc.
4. Recovery simulation
In this testing, the team uses equipment, facilities and supplies as they would in a disaster situation provided in the plan. It checks if the team is able to carry out critical functions using the recovery and restoration procedures.

Loi,

I do think the test should be conducted, but not a thorough test. It is impractical and too expensive. I say this because I use the Merrian Websters definition of Thorough as, “Including every possible part or detail”.

Using this definition, I believe a thorough test shouldn’t be performed.

With that being said, I do believe tests should be conducted and for those processes that require more cumbersome testing, should be conducted on a smaller scale, and on a replicated environment vs. the actual, until the replicated environment test is successful, then you would move to the actual on a much smaller scale..

This conversation was intreging and decided to ask Bob Deliosi, the tour guide from Sungard this question. Here was his response and some stuff on Sungard. He is going to send me a link to the Mobile truck they use for clients’ BCP’s.

Fred, It was my pleasure, all were very interested.
Here is a link to some Sungard AS Youtube stuff. Looking for the Truck video.
Companies typically do not shut down production services for a BCP test.
Typically, they isolate a DR network and that small team works in that arena testing for a number of hours/days.

Here is the link to show how companies responded to Hurricane Sandy, a few short years ago.

Check out the end when they talk about mobile trucks and how companies worked out of the trucks.

So, I was a little confused in answering this question, because I’m not sure if you’re looking for a “X amount of hours” answer or a more general “this is what RTO” is answer. In either case, the FEMA document you mentioned as a hint has the following in Annex H, Subsection 7:

“Organizations must ensure that the communications capabilities required by this Directive are maintained, are operational as soon as possible following a continuity activation, and in all cases within 12 hours of continuity activation, and are readily available for a period of sustained usage for up to 30 days or until normal operations can be reestablished. Organizations must plan accordingly for essential functions that require uninterrupted communications and IT support, if applicable.”

If I’m reading it correctly, my understanding is that if you work for the Federal Government, you have no more than 12 hours to meet the required communications continuity plan.

Another portion of the Directive discusses teleworking options to support continuity, and that made me think of my own experience. As a contractor for the Federal Government, if there is inclement weather that prevents me from working on-site, I do have permission to work from home for the period of time required. The readings made me wonder what the plan would be if my organization had to move buildings. We’re small enough to likely be able to work temporarily at another on-site building, and our enterprise IT systems are designed to work across all the government buildings at the Navy Yard.

Andres,

Good post. I came to the same conclusion. Communication can not be interrupted for more than 12 hours and the back-up communication system needs to support up to 30 days of operations.

From experience in the Army, they told us our communication system required 100% up-time, at all times. Or, lives are lost. We had several systems on stand-by in case of an outage. We would also have equipment on call in case of a bare-metal restore for severs and workstation.

Nice post Andres.

RTO- ‘Recovery Time Objective is the targeted duration of time, a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.’

As per the ‘Homeland Security (2012) Federal Continuity Directive 1 – available from FEMA.gov’- US federal Government requires that the PMEFs(Primary Mission Essential Functions) must be operational within 12 (RTO) hours after an event has occurred under all threat conditions. The capabilities include operability of the essential functions, access and usage of essential records/information, physical security and protection against all threats identified in the facility.

Reference: https://en.wikipedia.org/wiki/Recovery_time_objective

PHYSBITS is Physical Security Bridge to Information Security. It is the collaboration between physical security and information security, where as links information system are used to control physical access to facilities, information infrastructure and resources. PHYSBITS focuses on the human aspect of physical security by integrating information security to provide authorized access to facilities and activities monitoring of personnel.

An organization implementing an PHYSBITS solution may experience physical security risks associated with loss of credentials/badges or other identifiable information. Depending on what types of authentication the organization uses, for instance a badge that provides access to restricted areas, if stolen or else compromised can give attackers access to the area to steal, vandalize, or destroy information system hardware or facilities. Another threat is to cause harm to personnel within the facility, like in the Fort Knox shooting.

To mitigate risks of unauthorized access may be to add additional security controls such as biometrics at restricted site or keypads that requires the person to provide a pin along with the badge. To prevent intentional or unintentional harm to personnel mitigation could be to establish strict policies weapons or a screening process like the TSA.

The main motive of physbits is to enable collaboration between physical and IT security to support overall enterprise risk management needs.Converging these security environments addresses security gaps that fall between these two different security disciplines and helps protect organizations against multifaceted
security threats.The Physbits include some common solutions

1) Employee Provisioning and Access Management — Setting up new hires with:
system and facility access; self-serve password management; access card management; and
employee de-provisioning

2)Card Management — issuance and life cycle management of access cards

3)Directory Management — infrastructure that enables distributed, scalable access to user
information and attributes.

There are some risk associated with Physbits
1) In case the access card or pin get stolen it can be misused by some miscreant to gain unauthorized access
2)Verification of card or pin access occurs through the directory which has list of credible users and directory can be hacked by the hackers to input the desired credentials
3) The failure of IT infrastructure providing the access could disrupt any form of authorized access like swipe machines

In order to mitigate such risks
The integration of biometric access along with card or pin access will reduce any form of unauthorized access which can happen in case the card or credentials get lost or stolen
The central directory or employee database server should have proper firewall,IDS in place to prevent any hacks
Backup of IT infrastructure in case any failures occurs an and alternate method which may involve human approach to check the physical security during the given failure time

https://www.oasis-open.org/committees/download.php/7778/OSE_white_paper.pdf

To add

1. Tailgating can pose a risk.

Control: It can be mitigated by having a security person in place to just watch who comes and who goes out

2. Sometimes vendors or contractors are allowed inside the building without a badge accompanied by an employee.

Control: By having a physical registry keeping track of the people coming inside the building.

Physical Security Bridge to IT Security is a standard approach for enabling integration of physical and IT security. PHYSBITS provides a architecture for managing and monitoring physical and IT security systems by bridging both securities. There could be risks in using Physbits,
1. Implementation will be complex and time consuming. IT would be difficult to establish the complex structure again at the merged or acquired companies.
2. It will be difficult to maintain single authentication factor for a person who needs to have different physical accesses s and move between locations.
3. If one system fails the other will be impacted. If there is a restriction like, a person who is physically inside the company premises only is allowed to logically enter the database.If the access card reader is not working even if the person has entered the facility with a visitor, he will not be able to login to the database server.
4. Attackers will be able to target one and attack both the systems. When IT and physical security are integrated, a person who manages to disable access by attacking the database can get physical access to the organization.
5. Dependency of systems – Lets consider that HR software module needs to be updated and will be closed for maintenance for 1 day, it would be impossible to issue access cards that day. In this case the access management would be done manually by paper registry but the system will not be able to record any transaction. This is a major risk considering there would be no monitoring on how access is granted.
6. Complexities in the system will rise in case of tasks like patchwork management, installation of new software.
7. In certain cases it could be challenging to prevent authentication in local setup when global policies have authorized. ex. Is it possible to stop the user from entering via the workstation in Chicago when we know that he “badged” into the Los Angeles office?
8. IT security and Physical security have different reporting system. To track performance and tasks of a security guard and a software developer will be difficult to maintain same level of reporting. e.g Security guards may come in shifts and will be responsible to secure the same area.

Adding mitigation for risks in PHYSBITS:
-Dependencies for maintenance activities of both the systems must be minimum.
-As far as possible the reporting structures of physical and IT securities must be considered to resolve the dependencies that can be avoided.
-Segregate authorization levels depending on locations, the assigned rights must also consider the location criteria. And there should be 1:M relation between person and location.
-Ensure vulnerability assessment must be done for applications handling both physical and IT security. A vulnerability in one interface of physical security system must also be verified in IT security system.
-A good visitor management system and escort system must be maintained.
In case of system failure hard copies can be maintained. Proper authorization and monitoring must be done while in such case. The paper entries must be added to the system once it is up and running.

The main purpose of physical bits is to allow collaboration between physical and IT security to ensure support to the enterprise risk management. By conjoining these two security environments bridges the security gaps within the two security realms by establishing and strengthening the organization against security threats.
However, some risk may occur such as authentication, accessibility and hacking. The bases of these risk are the intermingling of the systems.
-Systems failure (natural disaster, power outage, etc.)
– The access between the physical bits may not be integrated correct and could arise some risk and weaknesses.
– If the system is hacked, they are able to get physical access to the company as well as the databases
I’d mitigate these risk by enabling bio-metrics, escort security throughout the facility, encryption of data and firewalls.

The Physical Security Bridge to IT Security (PHYSBITS) focusing on integration of physical and IT security technologies. It is a vendor-neutral approach for enabling collaboration between physical and IT security to support overall enterprise risk management needs. The technical portion of the document presents a data model for exchanging information between physical security and IT security systems.
Risks associated with the implementing PHYSBITS are:

– Very complicated to implement
– Creating a central data base that ensures integrity should include all identification record which is usually stored in HR database. Here is a biggest risk because IT active directory should be separated of HR data base.
– Because of the integration another risk is; if one system fails the other system would be fail

This system has 3 main goal; Data Auditing, Strong Authentication and user right management.
In order to mitigate this risks:
– Consider additional security level such as biometrical authentication.
– Considering business continuity plan.
– Consider good monitoring services including camera or a physical person to check visitors.

Great post Vaibhav. I strongly agree with the 3rd risk you mentioned. In case of failure of IT systems what can be done? Do you think a temporary manual system can work? You mentioned about access being blocked due to not functioning of card readers. In this case should the company be prepared to open the doors without the access readers? Is it another risk to have a back up plan like this. I think companies might have to proactively think about failure of infrastructure to support mainly 2 things, one, in case of IT failure how will the process work and two in case of natural disaster, a BCP like situation how will the physical access systems work?

What physical security risks are created by an organization’s implementation of a PHYSBITS solution? What mitigations would recommend to lesson them?

The two biggest risks I see in implementing a PHYSBITS solution are:

1. An ex-employee taking a current employees badge
This could cause several physical security risks. The ex-employee may be able to access the physical equipment and compromise the integrity of the system. One example is accessing an electrical grid site. Imagine if an ex-employee had access to the electrical grid, secretly accessed an electrical storage area, and shutting down the electricity for the city of Philadelphia. Yikes!
The mitigations you could put into place would be to update badges on a quarterly basis for employees with “admin” type access to the sites. You could also assign a “pin” number to enter after you swipe your card. This will provide multi-level authentication.

2. An authorized person allowing a non-authorized person in the restricted area

As you mentioned in class, some people will think they are being nice by holding the door open for someone else. Unfortunately, that “someone else” may not have access to the room on other side of the door. I have seen this happen at my children’s daycare. I did bring it up to the director.

The mitigation she put in place was an email specific to security measures. The facility also includes real-time camera’s throughout the entire facility. Parents can access the camera’s through the website at any time.

For a larger organization, you could put in man-trap doors. This means one door closes before the other door opens. This allows a more secure look to the environment and may make the authorized person think twice about being nice.

Binu,

Great point about sub-contractors allowed inside buildings. One of my clients has a high level of security measures in place. It is a pharmaceutical company in the surrounding suburbs. All vendors and contractors must attend a securities class on the physical grounds and authorized areas. We are only allowed to use the entrance and exit assigned to vendors, and only had access to certain areas, but the biggest thing I noticed is that security was second nature. Tailgating didn’t happen because the employees knew not to do it. We would simply wait for the other person to swipe their card. It was frustrating but it was the culture. Security is a top priority and the entire company culture practices security like a daily habit.

The best way to get a secure environment is to have the employees participate in the policies and understand why they are in place.

Fred,

As you mentioned , PHYSBITS focuses on the human aspect of physical security by integrating information security. I agree with Ex- employee risk and the controls you considered for it is smart , adding additional level of access control.

From a physical security perspective, I’d say Tulsa, OK or Denver, CO.

Why Tulsa?

First, the access to the city excellent. It is conveniently located in the direct path of the central fiber corridor that connects Houston to Chicago.The risk of seismic activity is also low. Second, for data centers that rely on water for chilling, the state has many aquifers, including the Great Plaines Aquifer and numerous rivers that crosscut the state.

Why Denver?
It is located in a state with low-risk climate and geographical features. CO offers an optimal area for disaster recovery. As Tulsa it is also a low seismic zone.

Why not:
Miami? Too close to the water and vulnerable to hurricane. Hurricane cane quickly destroy data center in a matter of seconds and put companies in trouble.
Redlands? High seismic risk. Prone to earthquakes.

When considering the natural disasters in physical security, the organization should choose Denver, Co.

According to the Disaster Hot Zones of the World (http://io9.gizmodo.com/5698758/a-map-of-the-world-that-shows-natural-disaster-hot-zones), the other choices seems more riskier than Denver.

Miami, FL: Is located in a hurricane path which could cause flooding, destruction of property, and residual effects of debris left by the hurricane. It can cause disruption of business during hurricane seasons for business closures for inclement weather and extended recovery times. It is also in an chemical accident zone, such as the oil spills can affect the health of its employees. Utilities and power may also disrupted and roadways maybe inaccessible in an event of a hurricane.

Redlands, CA: Prone to seismic activities that can have long-lasting effects on the data center. It can damage computer hardware and equipment and worst damage facilities structural integrity. It can also affect utilities and road networks that will prevent movements of critical supplies, like fuel for generators, if utilities network (pipes and power lines) are also down.

Tulsa, OK: Located in Tornado valley (https://www.ncdc.noaa.gov/file/1536) that can cause structural damage to facilities and loss outside equipment. It is also located near the New Madrid fault line, which according to USGS is as likely as CA to experience seismic activities (http://www.dailymail.co.uk/news/article-1366603/Earthquake-map-America-make-think-again.html)

Denver, CO: The risks from natural disasters effecting physical security is lower in Denver, than the other choices. It has low seismic activities and away from storms.

For an organization choosing among Denver Colorado, Miami Florida, Redlands California and Tulsa Oklahoma, from a physical security perspective – where would be the best place to locate their data center? Why is this place better and the other places worse?

From a physical security perspective, it would be best for an organization to locate their data center in Denver, Colorado. In fact, among the proposed 4 cities, Denver less risky.

According to Bankrate, Florida, Oklahoma, and California are among the 10 states most at risk for major disasters:

“Florida has been roughed up by dozens of tropical storm systems since the 1950s, none worse than Hurricane Andrew in 1992. The Category 5 hurricane with gusts over 200 mph held the title as the most expensive natural disaster in U.S. history until Hurricane Katrina in 2005. Severe freezes have been disastrous for Florida farmers on multiple occasions.”

“The monster tornado that blasted through the Oklahoma City suburbs in May 2013 is only the latest devastating storm to hit a state that has recorded an average of more than 55 twisters per year since 1950. The worst in recent history struck near Oklahoma City in May 1999 with winds over 300 mph and killed 36 people. Other disaster declarations have involved severe winter storms, wildfires, floods…”

“California has weathered wildfires, landslides, flooding, winter storms, severe freezes and tsunami waves. But earthquakes are the disaster perhaps most closely associated with the nation’s most populous state. The worst quakes in recent years have included a magnitude 6.9 quake near San Francisco in 1989 that killed 63 and a magnitude 6.7 quake in Southern California in 1994 that killed 61”

The worse place to locate a data center would be Redlands California.

Source: http://www.bankrate.com/finance/weather/natural-disasters/states-most-at-risk-for-major-disasters-10.aspx

The spots not ideally for data centers would be Miami, FL – Tulsa, OK – Redlands, CA.

Miami, FL – Hurricane season can wreck havoc in the area and cause damage many parts of the city. Also, the heat can play a factor because it will mess with the network signal and cause lag. I remember during my time at Comcast doing tech support, Florida would have outrage or weak signal issues because of either the heat caused signal interference, the rain would also cause interference and when the lines are wet, businesses experienced downtime in internet connection or outages.

Tulsa, OK – Tulsa has problems with Tornadoes, which is their major climate concern. Now tornadoes have their seasons and the prime season for it is between March-August (source: http://okc.about.com/od/forthehome/ht/oktornadotips.htm) but it can hit anytime. A data center there wouldn’t be a wise choice seeing as it get knocked offline.

Redlands, CA – Redlands are a prime spot for earthquakes, making it possible for data centers, utility facilities and other sites to get severely damaged. The downtimes can make it hard for businesses to run effectively because if some important data is unavailable, then certain functions can’t do their jobs slowing the overall process. Another threat would be wildfires, as California is sometimes affected by it due to droughts and very high temperatures. They can last for days and if a data center gets hit by a wildfire, recovery time is very high while an organization tries to plan on how to get back on their feet.

Spot for data center would be Denver, CO. Denver’s climate makes it an ideal choice because the seasons are well spread out and it gets more sunshine. The issues with Denver is the snow, as March is the month where snowfall is heaviest but it does get better. (source: http://www.denver.com/weather). But Denver isn’t near any major fault lines to get hit by earthquakes as much as California nor will it encounter tornadoes and hurricanes. The heavy snowfall is of concern but with Denver being used to it, the city is well-equipped to handle it. This allows for organizations to quickly get back to work, sometimes without skipping a beat.

Hi Brou,

I agree that Denver can be a good choice. As far as Tulsa is concerned, the reason why I think it’s risky as it falls in the Tornado Alley, which basically means that tornadoes more than 15 can be expected on an average in that alley.

This should help: https://en.wikipedia.org/wiki/Tornado_Alley#/media/File:Tornado_Alley.gif

I agree with you Alexandra that Miami should not be considered as an option.
Miami is the second most humid city in the US. The servers need the relative humidity in the air to be around 45-55%. If humidity levels rise, water condensation occurs which results in hardware corrosion and component failure. In Miami, additional cost would be required to control humidity and maintain it at expected levels.

Well explained Niel. I agree with you that Denver could be the best choice. To add to your points I would say that Denver has good temperature balance to host a data center. Experts say that cooling management is the most difficult and costly to handle. Average yearly temperatures in Denver ranges from 64 F highest to 36 F lowest.

For an organization choosing among Denver Colorado, Miami Florida, Redlands California and Tulsa Oklahoma, from a physical security perspective – where would be the best place to locate their data center? Why is this place better and the other places worse?

From the geographical perspective, both Miami Florida and Redlands California are very close to the coastline. As for Denver Colorado and Tulsa Oklahoma, these two cities locate away from the coastline. Since the place to locate the data center should consider the physical security and ensure the location has less affected by the natural disasters like flood, hurricane or earthquake.

Both of the Denver and Tulsa are reasonable places to locate the data center, because they both located in the low geographical risk areas. The worse place to locate the data center I think is the Miami Florida, because the city is near the ocean, which higher the risk that the core servers physically damaged by the natural disasters like hurricane and tsunami.

Good post Loi, and I totally agree with you that Miami is the not a good choice to locate the data center. Actually, to mitigate the risk of natural disasters may damage the data center, I think to transfer the risk to the third party might also work like purchasing an insurance.

I totally agree with you, Brou. Miami is near the coastline, and the risk that natural disasters occurred is higher than other three cities. I also agree with you that Tulsa and Denver may be the better choice to locate the data center, but I was thinking which one of them is the best choice?

For an organization choosing among Denver Colorado, Miami Florida, Redlands California and Tulsa Oklahoma, from a physical security perspective – where would be the best place to locate their data center? Why is this place better and the other places worse?

As others have said, Denver, CO would be the best location for the data center to be located.

The other locations listed in this question all have significant physical/environment security risks. For example, with rising seas, Miami is at real risk of losing significant amounts of land; Redlands’ proximity to major faults means that strong earthquakes are a risk and Tulsa is located in tornado alley.

Denver, on the other hand, is exposed to considerably less environmental risks and has the added benefit of having a cooler climate, which should reduce cooling costs.

For an organization having to choose between Denver- Colorado, Miami – Florida, Redlands – California and Tulsa Oklahoma, from a physical security perspective, In my view, the best place to have the data center set up would be at Denver, Colorado. The pros and cons for each of the places are as below :

Miami, Florida – is located in the Hurricane zone thereby increasing the probability of disruption and destruction during and due to the annual tropical storm activities. Almost every year, the area has witnessed severe storms, rain and resulting flooding. This makes it a poor choice for setting up data centers.

Redlands, California – is close to the Pacific ring of Fire and in an area of high seismic activity. This too would be a high risk area. Apart from the seismic activity, California is also undergoing drought for the 6th year and is susceptible to wildfires. Areas close to these forest fires which often last for days and weeks are in danger of buildings and systems being destroyed due to fire. Because of this, Redlands would not be a good choice to set up a data centre.

Tulsa, Oklahoma – Tulsa, Oklahoma is situated in an area that is prone to Tornadoes and Flooding. In 1999, a total of 74 tornadoes swept across Oklahoma and nearby states in less than 21 hours. In 2015, many areas of Oklahoma suffered their worst floods. In 2013, a 1-2 mile wide tornado swept the ground for 39 minutes and caused damages estimated at over 2 billion dollars. Due to this, even Tulsa would not be a good fit for setting up a data centre.

Denver, Colorado – The City and its surrounding areas have a very low probability of natural disasters occurring. The climate being much cooler, also is favorable such that organizations can utilize free and cheaper cooling in the data centers. Infact, companies like IBM have their data-centers located in Boulder, Colorado which is close to Denver.

For an organization choosing among Denver Colorado, Miami Florida, Redlands California and Tulsa Oklahoma, from a physical security perspective – where would be the best place to locate their data center? Why is this place better and the other places worse?

Out of the options provided, I think Denver, Colorado will be the best choice to locate their data center.
Denver, CO:

According to the For-Trust-Data-Center, Colorado has a low-risk position for natural disasters due to low incidences such as earthquakes, floods, hurricanes and tornadoes. According to FOR-TRUST, Colorado is located in seismic zone 1, which is the lowest risk areas for earthquakes.

As far as flood is concerned, according to FEMA, flooding can occur anywhere in the United States. In Colorado, flooding occurs due to spring snowmelt when rivers swell and flow from Colorado’s mountain ranges. Colorado has a sophisticated infrastructure to prevent snowmelt and rain from flooding the areas.

For Tornadoes, The National Oceanic and Atmosphere Administration has ranked Colorado 9th in the nation in the context of the number of tornadoes occurred in a year. Colorado also falls outside the “tornado alley.”

Colorado also escapes from the major effects of hurricane as it is mostly experienced by the areas that have low proximity to coast. According to the NOAA, the wild hurricanes have always struck the Gulf Coast and the East Coast.

Snowfall is something that can is commonly associated with Colorado but the snow accumulation is typically on the west of Denver, which has semi-arid climate. It is also located on the foot of Rocky Mountains; thus the climate is mild.

As far as wildfires are concerned, there haven’t been wildfires of a major magnitude that have impacted Denver. Out of 60 devastating wildfires that have listed by National Interagency Fire Center, only three have occurred in Colorado and hence it presents a very low risk.

As far as other resources, Denver is also located on the western and eastern halve of the country and has access to major communication networks.

Why not Miami?

According to the NOAA, Southeast United States are significantly susceptible to yearly hurricane activies.

Why not Tulsa?

Falls under the Tornado Alley, more than 15 tornado activities a year on average.

Why not Redlands?

Falls under the Seismic Zone 3, probability of earthquakes is more.

When deciding a location in the country, it is important to consider the environmental factors that could affect the data center. The danger of each hazard fluctuates throughout the country. This includes earthquakes, floods, hurricanes, tornadoes, and even volcanoes. To determine the safest location we can consider if any location is at high risk of a disaster.

Miami, Florida is a poor location since there is a risk of hurricanes and the floods they can cause. Miami is also listed as one of the most vulnerable cities to hurricanes.

Redlands, California is at risk of earthquakes. It is very difficult to protect a datacenter from an earthquake.

Tulsa, Oklahoma is prone to tornadoes. There is a vertical strip in the middle of the country referred to as tornado alley because that is where most tornadoes occur in the US.

Denver, Colorado besides being snowy is not known for being prone to natural disasters. A blizzard can disrupt service but will leave a lot less damage than the previously mentioned potential disasters. Denver is also very capable of dealing with heavy snow conditions. I would choose Denver as the city to build the datacenter.

I think that you rule out Miami Florida and Redlands, California due to the risk of natural disasters and forest fires. The backbone of the data center is power and network connectivity so I would choose a place with a geographic area that has access to a reliable power grid. I bet that Tulsa and Denver would both have access to a power grid so it then comes down to your company’s current location. If building from scratch wasn’t an issue than I would look for a location with room for expansion and an area accessible by multiple roadways and/or near an airport. I believe Denver is a bigger city than Tulsa and I bet Tulsa has much more room for expansion, yet still has an airport and multiple roads that would allow the location to be easily accessible. So although I know being close to customers provides advantages and my customers will probably not be in JUST Tulsa, I think the growth of the virtual world and virtual customers will cause me to pick Tulsa.

Source: https://www.expedient.com/blog/the-where-and-why-of-choosing-data-center-location/

Hi, Ian

You had a very good analysis! I like how you take the location into consideration.
However, I think Tulsa, OK has higher environmental risk than Denver, CO. Homefacts recorded Tulsa, OK is a Very High Risk area for tornados. According to records, the largest tornado in the Tulsa area was an F5 in 1960 that caused 81 injuries and 5 deaths. In addition, the yearly average for tornados is three. Therefore, I believe Denver, NC is a better option to locate the data center at .

Source: http://www.homefacts.com/tornadoes/Oklahoma/Tulsa-County/Tulsa.html

Ian,

I don’t think Tulsa is a good idea because due to tornadoes and seismic activities. Truth that you want to have a data center with easy access. however, I do not think that it is wise to locate it in a place where the risk of natural disaster is high.

Abhay,

You did a great analysis of why Denver is the best place for a data center. The only thing I would mention to everyone is…

Two is better than one, three is better than two, and so on…

Redundancy is the key. Denver is the best place but finding another location in the world that matches Denver might be a good idea too

Abhay – that is good insight. I did not think about Tulsa being a tornado valley but you are definitely right. With that said, I may change my choice from Tulsa to Denver. Denver has the mountains to block if from tornados and it is not near the coast so you do not have to worry about hurricanes. Denver also has a major airport and is not an overly huge/crowded city. Plenty of land right outside the city to build the data center, yet still has major roads keeping it easy to get to.

The sources of EMP are typical chemical-based explosions but most likely large nuclear detonations. An EMP occurs when a nuclear device is detonated high in the atmosphere.

An EMP is a physical security threat because of its nature. In fact, it is a super-energetic radio wave that can destroy, damage, or cause the malfunction of electronic systems by overloading their circuits. An EMP attack on the U.S. would leave the country with no electricity, no communications, no transportation, no fuel, no food, and no running water. That’s huge.
Also, today’s world depends on advanced electronics systems which makes it even more vulnerable to EMP.

In order to defend itself against EMP an organization needs to have an integrated catastrophic planning including equipment protection like installing surge protectors installed or store important electronics in a faraday cage or electromagnetic shield.

An electromagnetic pulse (EMP), also sometimes called a transient electromagnetic disturbance, is a short burst of electromagnetic energy. Such a pulse’s origination may be a natural occurrence or man-made and can occur as a radiated, electric or magnetic field or a conducted electric current, depending on the source. Caused by the high-altitude detonation of a nuclear weapon, electromagnetic pulse can cause widespread damage to electric systems across a wide area.

All electronic equipment and apparatus could be destroyed. Every device that relies on integrated circuits for operation could be immediately disabled or destroyed.
Unlike a cyber-attack where “fingerprints” can often be found for forensic analysis, an IEMI attacker will not leave any information behind.
An EMP shutdown of electronics is so rapid that the log files in computers will not record the event

Pursue Intelligence, Interdiction, and Deterrence to Discourage
EMP Attack, highest priority is to prevent attack, shaped global environment to reduce incentives to create EMP weapons, and make it difficult and dangerous to try
What’s more, Protect Critical Components of Key Infrastructures, especially “long lead” replacement components

Resource: http://www.heritage.org/research/reports/2010/11/emp-attacks-what-the-us-must-do-now

EMP stands for Electromagnetic pulse, which is essentially a short burst of electromagnetic energy. This pulse if strong enough, can cause damage or destruction to electronic computers posing as a significant threat to businesses. The article I found in the New York Times on EMPs (see below) is revolved around how an EMP can be used as a weapon of mass destruction and is a threat against the United States. However, not all EMPs are that drastic. Thunders storms are a common form of EMP, which if the storm is strong enough and lightning strikes are close, the lightning can fry your electronic devices. Not only that, but the sun can create solar flares that emit an EMP which can reach the earth and cause damage. Therefore, from a risk analysis standpoint, it is more likely that a thunder storm or solar flare takes out one’s equipment than a full-fledged EMP attack on the United States.

Since EMPs can cause damage or destruction to computer electronics, businesses would consider it a physical threat since it can be considered as a natural disaster. In order for business to protect itself, it can follow what the government has done which the Wall Street Journal identifies as using surge arrestors, faraday cages, micro-grids, and using underground data centers. Therefore, businesses if wanting to address the risk of an EMP, will likely need to set up a datacenter that specifically implements these protections against EMPs. Likewise, businesses need to include in their Business Continuity Plans the ability to resume their businesses in the event of a loss of technology and electricity. While a large scale EMP such as a weapon of mass destruction or solar flare is a threat that could destroy a business, businesses’ need to decide if it is a risk worth addressing or not.

Articles: http://www.wsj.com/articles/james-woolsey-and-peter-vincent-pry-the-growing-threat-from-an-emp-attack-1407885281
http://www.computerworld.com/article/2606378/new-data-center-protects-against-solar-storms-and-nuclear-emps.html

What are the sources of Electromagnet Pulse (EMP)? Why is it a physical security threat? How can an organization defend itself against EMP?

EMP, electro magnetic pulse is a short burst of electromagnetic energy. It can be due to natural occurrence like lightening or manmade.
EMP radiation can be caused by detonation of a nuclear bomb, a solar flare, a device indented to cause EMP, a close lightening stroke, a massive power-line short circuit. EMP source is a device that intentionally produces electromagnetic pulse. And it can be a small device used by the police to disable a fleeing vehicle, a source used to test equipment for EMP resistance or a weapon intended to disable the enemy equipment.

Computer equipments, appliances containing microprocessor, semiconductor electronics, cellular phones, power grids, generators, transmission lines, computer disks, UPS are all susceptible to EMP. The EMP interference can damage an electronic equipment or disrupt its performance. The EMP induces large current in the conductors that are connected to the equipment damaging the equipment. At higher energy levels like lightening EMP can damage the entire building.

An organization can protect itself from EMP threats by:
.
• By enclosing the wiring with metal conduits and shield wiring connected to sensitive equipment. Make sure to ground the shields
• By making sure any person entering the organization are not carrying any EMP devices that can damage the equipment
• Ensure that the equipment bought are not faulty and do not produce EMP
• Fuse long wires and cables and use large ferrite beads on power wiring.
• Increase the current carrying capacity of the building ground.
• Avoiding or minimizing the use of semiconductors where possible. and if used, make sure they are rated at maximum voltages and currents at least 10 times the values actually in use.
• Bypass suitable electronics to ground with capacitors rated for several thousand volts and heavy currents.
• Design circuitry to be resistant to high voltages and currents.
• Provide battery backup power for essential equipment.
• Provide the above protections to essential equipment, such as emergency communications and traffic signals.
Corrective measurements to be taken to restore operations after an EMP has occurred
• Stock replacement equipment and parts in metal containers or rooms.
• Wrap replacement parts in aluminum foil.
• Keep a stock of batteries. And rotate the stock, so the newest ones are not taken out and used first.
• Stock up on light bulbs that are not CFL or LED.

It is always better to take necessary steps to prevent the risk and also have some corrective measures in place. EMP can cause extensive damage to the organization. Though the probability is too low the organization needs to be prepared and cannot neglect it.

Source: http://midimagic.sgc-hosting.com/emp.htm

What are the sources of Electromagnet Pulse (EMP)? Why is it a physical security threat? How can an organization defend itself against EMP?

An EMP is a high-intensity burst of electromagnetic energy caused by the rapid acceleration of charged parties. The causes could be: detonation of a nuclear bomb, a solar flare, a device intended to cause an EMP, a close lightning stroke, a massive powerline short circuit. The sources of EMP can be: a small device used by police to disable a fleeing vehicle, a source used to test equipment for resistance to EMP and a weapon intended to disable enemy equipment. It is a physical security threat because its power to destroy computers and computer equipment and all electrical and technological infrastructure, effectively sending the U.S. back to the 19th Century. Organizations defend itself against EMP by storing equipment inside metal cases with no openings, using old-style electric telephone equipment, shield wiring connected to sensitive equipment, or enclose wiring in metal conduits, or using large ferrite beads on power wiring.
Sources: http://midimagic.sgc-hosting.com/emp.htm
http://www.heritage.org/issues/missile-defense/electromagnetic-pulse-attack

An electromagnetic pulse is an extremely powerful burst of electromagnetic energy capable of causing damage and/or disruption to electrical and electronic equipment.
What can cause and EMP? 1. Detonation of a nuclear bomb 2. A solar flare 3. A device intended to cause and EMP 4. A close lighting stroke 5. A massive powerline short circuit.
What is an EMP source? An EMP source is a device that intentionally produces a small EMP. There are three kinds:1. A small device used by police to disable a fleeing vehicle (the source shown in the table) 2. A source used to test equipment for resistance to EMP (classified strength) 3. A weapon intended to disable enemy equipment (classified strength)
Why is it a physical security threat? For example, if a lightning stroke is close enough to occur and EMP to your data center. If there were no protections set up before, then there is a high chance that your data center is ruined. All the servers, monitors will be destroyed as well.
How can an organization defend itself against EMP? 1.) Shield wiring connected to sensitive equipment, or enclose wiring in metal conduits. Ground the shields 2.) Fuse long wires and cables 3.) Increase the current carrying capacity of the building ground 4.) Avoid the use of semiconductors where possible 5.) If semiconductors are used, make sure they are rated at maximum voltages and currents at least 10 times the values actually in use 6.) Use large ferrite beads on power wiring 7.) Bypass suitable electronics to ground with capacitors rated for several thousand volts and heavy currents 8.) Design circuitry to be resistant to high voltages and currents. 9.) Provide battery backup power for essential equipment 10.) Provide the above protections to essential equipment, such as emergency communications and traffic signals.

link: http://midimagic.sgc-hosting.com/emp.htm

Although EMP is not as common as cyber threats posed on a organizations information infrastructure, it should not be a threat that is taken lightly. A massive EMP, either naturally or man-made, can have devastating consequences to any organization. When deciding how a company should protect itself from this risk, I believe it should also come down the criticality of each system that it used. What if they can’t protect all of their computers and datacenter? The organization needs to decide which systems are critical (backups, critical servers, or generators) for the business to continue and recover after an event.

In this case a massive EMP would likely take out power grids, utilities services, generators and pretty much any electronic equipment. It is also important to consider the protection of physical assets required to keep the information systems running like generators, UPS, water pumps for cooling, etc.

What are the sources of Electromagnet Pulse (EMP)? Why is it a physical security threat? How can an organization defend itself against EMP?

An electromagnetic pulse (EMP) is a short burst of electromagnetic energy caused by an abrupt, rapid acceleration of charged particles, usually electrons. The sources of EMP can be a natural occurrence or man-made and can occur as a radiated, electric or magnetic field or a conducted electric current, depending on the source.
Natural EMP events can be:
• Lightning
• Electrostatic discharge
Man made EMP events can be:
• Electric motors
• Gasoline engine ignition systems
• Nuclear Electromagnetic pulse due to nuclear explosion

It can be a physical security threat as:

For example, a high voltage level an EMP can induce a spark, such as an electrostatic discharge when fueling a gasoline-engine vehicle can cause fuel-air explosions. Such a large and energetic EMP can induce high currents and voltages.
A very large EMP event such as a lightning strike can damage objects such as data centers, IT infrastructure set up, electricity grids (failure of which can lead to nonfunctioning of a country’s economy including IT Sector), destroy electronic network, buildings and aircraft directly, either through heating effects or the disruptive effects of the very large magnetic field generated by the current. An indirect effect can be electrical fires caused by heating.

Organizations can defend themselves from against EMP in the following ways:

Building their own Power sources as a part of Business continuity planning such as solar panels, Hydroelectric power systems which can help them to continue their functioning during an EMP event.

Also organizations need protection from EMP weapons and should have proper controls to restrain any outsider or the employees to bring or to use any such products within the premises.

What are the sources of Electromagnet Pulse (EMP)?

EMP is a short burst of electromagnetic energy. The sources EMP could be manmade such as directed energy weapons or nuclear blasts and naturally, and natural such as solar flares.

Why is it a physical security threat?
The role of physical security is to protect the physical assets that support the storage and processing of information. The EMP damages the physical assets directly such as solar flare’s damage to bulk power system assets (e.g., transformers. ) by exploiting the vulnerabilities of it.

How can an organization defend itself against EMP?
1,Grounding
Proper grounding and a proper relationship between the neutral and the ground is not only
essential to meet National Electric Code (NEC) requirements, but is imperative to achieve
optimum performance of microprocessor based equipment such as computers, programmable
logic controllers, communications systems and telemetry systems.
2,Shielding
Surge events cause a magnetic field to be induced in conductors within a given radius,
depending on the magnitude.
3.Filtering
Passive filter networks block out induced surge currents and voltages on data and power
circuits for hardening electronics against lightning and EMP surge energy.
4.Surge Protection
A voltage induced between conductors can drive a surge current into an electronic circuit,
or conversely, a current induced onto a conductor can create a voltage across a series
impedance as the current propagates into a circuit.

Source: http://www.eei.org/issuesandpolicy/cybersecurity/Documents/Electromagnetic%20Pulses%20(EMPs)%20-%20Myths%20vs.%20Facts.pdf

http://thehill.com/blogs/floor-action/house/225640-house-passes-bill-to-mitigate-threat-of-emp-attacks

Vacca, Physical Security Essentials, Chapter 54

http://www.afcea.org/signal/documents/lea.pdf

What are the sources of Electromagnet Pulse (EMP)? Why is it a physical security threat? How can an organization defend itself against EMP?

An electromagnetic pulse (EMP) is a high-frequency burst of electromagnetic energy caused by the rapid acceleration of changed particles. A catastrophic EMP would cause the collapse of critical civilian infrastructures such as the power grid, telecommunications, transportation, banking, finance, food and water systems across the entire continental United States—infrastructures that are vital to the sustenance of our modern society and the survival of its citizens. EMP can be used as a weapon of mass destruction and Boeing has announced that it successfully tested an electromagnetic pulse.

The sources of EMP are:

1) A deliberate electromagnetic weapon attack
Without causing any harm to humans, the effects from an IEMI weapon could disable regional electronic devices.
2) A nuclear device detonated in space, high above the U.S.
A High-Altitude Electromagnetic Pulse (HEMP) detonated 30 miles or higher above the Earth’s surface would destroy electronic devices within a targeted area without creating blast damage, radiation damage, or injuring anyone.

The EMP can cause damage to electronic equipment within an organization or it can affect its performance. An EMP could permanently destroy all electronic equipment including hardware, software, and data.

An organization can protect and defend itself against EMP by:
1. Having a business recovery plan to resume their business loss
2. Provide battery backup power for essential equipment.
3. Provide the above protections to essential equipment, such as emergency communications and traffic signals.

Sources:
http://empactamerica.org/our-work/what-is-electromagnetic-pulse-emp/

What Is EMP?

http://midimagic.sgc-hosting.com/emp.htm

An electromagnetic pulse (EMP) is a short burst of electromagnetic energy. It may originate from natural or man-made occurrence. It occurs as a radiated, electric, magnetic field or a conducted electric current, depending on the source.

Natural occurrence that cause EMP include:
-Lightning
-Electrostatic Discharge (two charged objects coming into close proximity with each other)
-Coronal Mass Ejection (A massive burst of gas and magnetic field arising from the solar corona and being released into the solar wind sometimes referred to as a Solar EMP)

Man-made occurrence that cause EMP include:
-Switching action of electrical circuitry, whether isolated or repetitive (as a pulse train).
-Electric motors can create a train of pulses as the internal electrical contacts make and break connections as the armature rotates.
-Gasoline engine ignition systems can create a train of pulses as the spark plugs are energized or fired.
-Continual switching actions of digital electronic circuitry.
-Power line surges. These can be up to several kilovolts, enough to damage electronic equipment that is insufficiently protected.
-Nuclear electromagnetic pulse (NEMP), as a result of a nuclear explosion.

EMP is a physical threat because it is generally disruptive or damaging to electronic equipment, and at higher energy levels a powerful EMP event such as a lightning strike can damage physical objects such as buildings.

In order to protect itself against EMP, the organization can utilize:

– Faraday Cage – Surround important electronic equipment completely within metal as it conducts electromagnetic radiation.
– Electrical Grid – Acts as a huge antenna which captures electromagnetic radiation and conducting it into the earth.
-Surge protectors

In addition, business should always have backup and data recovery plan in the event that the above protection fail.

What are the sources of Electromagnet Pulse (EMP)? Why is it a physical security threat? How can an organization defend itself against EMP?

An electromagnetic pulse is a sudden burst of electromagnetic radiation that large enough to cause wide-scale disruption (Wikipedia), the sources of EMP could be but not limited to detonation of a nuclear bomb, a solar flare, a device intended to cause an EMP, a close lightning stroke, a massive powerline short circuit.

EMP is capable of causing damage and/or disruption to electrical and electronic equipment, so it is a physical security threat to most organizations.

Firstly, one company can transfer the risk to an assurance company. Then, in order to defend against EMP, one organization can do as follow:

Shielding: First, the equipment or rooms that require protection (e.g. communications console, utility room, electrical service room, entertainment room, or even the entire shelter), are covered with an overall shield. This is the first line of defense and provides excellent, although not perfect, protection. The shield must be very carefully designed and constructed; e.g., improper materials selection may not achieve enough shielding, incompatible materials may result in corrosion, and incorrect seams or bonding may greatly reduce or even destroy the shield’s effectiveness.

Alternative power source: Even if the devices could survive from EMP, they will need to have a usable and sustainable source of power. This can be done by setting up alternative energy sources in advance.

Source: http://www.csmonitor.com/2005/1219/p25s02-stct.html

Loved the detailed explanation, Binu. In addition to the causes you mentioned, EMP could also be caused by geo-magnetic storms. To elaborate further on why Electro Magnetic Pulses are a physical threat,
I’d like to explain the Compton Effect, which is an intense release of electromagnetic energy that causes photons to knock loose electrons in the atmosphere. The electrons, guided by the Earth’s magnetic field, essentially become a giant and powerful circuit. The current flowing in this circuit, generates intense electromagnetic fields that propagate to the surface of the earth. When these fields cross conductive materials they release energy into the material. As we know, electronic devices are full of conductive material so given a sufficient density, the energy absorbed can fry the device.

Source : Robert Frost, NASA

Great explanation Paul. As you mentioned companies should consider the Business Continuity aspect especially when protection against EMP can done only with a little additional cost. The concept of underground data centers and using shields or cabinets made out of EMP resistant special materials is great.
Experts also mention he risk is not high as expectancy of event is low currently. However, with the increasing face of terrorism protection against EMP terrorist-sponsored nuclear blast has become topic of much discussion for data center professionals. Even if consider the risk as low right now, the impact is high.
Iron Mountain’s National Data Center in Western Pennsylvania has been built to EMP resistant. It is located 220 feet below ground in a more than 450 acre area in an underground facility. The data center facility naturally absorbs 90 percent of the EMP pulses. This greatly reduces the cost and impact of any minimal residual shielding required in a customer’s individual space to ensure electrical, mechanical, power infrastructure and subsystems are thoroughly shielded and tested to be EMP-resistant.

What would the cost be for an underground data center. Seems like it would be more expensive than building one above ground. Would the risk/impact justify the expense? Without considering the cost, it would be an effective strategy.

I definitely agree to all of your risk strategies. Although I was thinking that if an organization is affected by an EMP, than most likely others will be as well. So even if that data center is protected and survives the EMP, how will the surrounding damage affect its ongoing operation? If it is severe and infrastructure and businesses are affected, it might have a long term affect. For example, how long can the back up generator last? How does it recharge? Fuel or electricity?

I first learned about the EMP from the movie, Ocean’s Eleven. They used the device to take out all the electronic devies in Las Vegas to break into a casino. While this is fiction as the device they used is probably too small to take out an area that large, I don’t doubt that the EMP can be shrunk to do damage to key technology inside a company. Here is a video of someone who claims to have built a small EMP that can damage a cellphone.