55

I'm taking a course which is designed with the CISSP certification in mind. Though the class is categorized as software engineering, we talked a lot about physical security and, in particular, floods, fires, earthquakes and cars running into things. How is this security? For example we were told that data centres are safest in the middle of a building because if the roof was leaking the top wouldn't be safe, and water tends to go down so the lower floors would be the first to flood.

Is this really a security issue? For example, if the roof leaks the engineer would be at fault, not the security analyst. You wouldn't hire a security analyst to make sure the roof is solid.

UPDATE: Also, things like having bollards around a building to protect pedestrians from cars, how's this security? No one's really explained this yet. I was told the company's most valuable assets are its employees, but with this line of reasoning, what isn't security?

If the availability is so encompassing, what isn't part of security?

Celeritas
  • Personal opinion, I think it's a way for them to get you to think outside of the box, so to speak. Which is what you would need to do in real-life scenarios. Information security is not constrained to digital protection but also physical protection of data. – Jonathan Gray Jan 10 '16 at 06:00
  • 3
    You quickly apply the physical security question to an "analyst". The CISSP is for higher level security folks than those at the analyst level. Do you want to know why the CISSP includes natural disasters or why an analyst should care? – schroeder Jan 10 '16 at 16:35
  • 8
    If the course is designed towards CISSP, then it is not a software engineering course. Information security includes paper records, personal security, availability of services etc – Rory Alsop Jan 10 '16 at 16:58
  • 4
    Do you really care what is attacking your data? Does it make a difference to you (and more importantly, to how you protect it) if someone is intentionally destroying your data center or if a natural weather phenomenon is? – corsiKa Jan 11 '16 at 07:13
  • 9
    "if the roof leaks the engineer would be at fault" but if this results in any security problem, the security analyst is at fault. The goal is not to find someone to blame but to keep the resources available and secure. Your goal should be to have *every* possibility considered. If the roof leaks you should either have written somewhere that this is a risk the company is willing to accept or have mitigations. But in any case, it is your job to have considered it! – Josef Jan 11 '16 at 08:25
  • @Josef 1) I wouldn't call it blame I'd call it reasonable 2) It wasn't a security measure in the first place to have a non-leaking roof so it wouldn't be the security analyst's fault 3) in that sense what wouldn't be security? – Celeritas Jan 11 '16 at 08:50
  • I guess my point is, in a practical scenario, which would a company more likely do: make sure they have a good quality roof, or pay for water proof computers? With the security perspective we seem to be talking about the latter, which isn't cost effective. – Celeritas Jan 11 '16 at 08:55
  • 2
    Of course they will make sure to have a good quality roof. But it is **your responsibility as a security analyst** to make sure the roof is good. With CISSP you are **not** a _computer guy_. You are responsible for **security** and the roof, doors, walls... are part of that! – Josef Jan 11 '16 at 09:00
  • @Josef wouldn't that require a background in carpentry or structural engineering, and be best left to those types of professionals? Plus feel free to stop using exclamation marks and bold letters. – Celeritas Jan 11 '16 at 11:25
  • 1
    @Celeritas No. That's not how management works! You have to decide how the roof has to be, get feedback from specialists if needed, and then task a specialist to make it this way! If you need a new internet connection you also don't get your shovel, do you? You decide how it has to be (bandwidth, technology, two cables in different directions for redundancy...) and then pay someone to dig and put in the cable! But you also don't just call some random guy and tell him "get me the internet with your digger". – Josef Jan 11 '16 at 11:44
  • @Celeritas to make that clear: With "make sure the roof is good" I don't mean you should go up on the roof and hammer on it or pour water and see if it leaks. Usually you would hire a professional who would guarantee you (in a written contract) that the roof adheres to certain standards and can sustain given amounts of rain and what not. But it is your task to bring up the issue and management will decide with your input what standards the roof has to adhere to. Or they tell you they don't care. Then you **write that down**. – Josef Jan 11 '16 at 11:48
  • @Celeritas the bollards ARE to protect the building, pedestrian safety is a happy by-product. There is a type of crime called "ram raiding". – Burgi Jan 11 '16 at 13:19
  • **Security isn't just about "guarding" in the "security guard" sense** – Jon Story Jan 11 '16 at 15:53
  • @Burgi that's what I thought but when I said that in class everyone laughed and said it's for pedestrian safety. – Celeritas Jan 11 '16 at 23:09
  • This might help your argument: http://www.marshalls.co.uk/commercial/street-furniture/products/anti-ram-supermarket-bollard-webfa100039 – Burgi Jan 12 '16 at 00:55
  • You might try to look at things from an employer's point of view. If you refuse to do things that the employer thinks are your responsibility, then you will soon be an ex-employee. – gnasher729 Jan 12 '16 at 08:51
  • @gnasher729 you misunderstood: I said an employer is less likely to hire a security consultant rather than some sort of construction worker for things like the roof or fire proofing. – Celeritas Jan 12 '16 at 09:46
  • 1
    @Celeritas Of course it is best to hire a construction worker for building safety, a shrink for psychological profiling of employees and a hundred more professionals. But who hires these people? Higher management doesn't want to think about a hundred scenarios and find out what people they need. They don't have 100 problems, they have a single requirement "99,9% uptime" and they will hire a single guy who will guarantee this. It is the job of this guy to find all the possible things which could go wrong and hire specialists. And that guy is the security-manager ;-) – Falco Jan 12 '16 at 12:48
  • 1
    Let's say a meteorite hits the building and totally destroys it. Your client would have expected you to prepare for such an eventuality (eg with remote backups). If you say "Ah yes, your data is gone forever, but technically it's not a security issue", what do you think their reaction will be? Mine would be "Well, it doesn't seem like you kept in secure if it's now gone forever". – Max Williams Jan 12 '16 at 14:19
  • Categories do not exist in nature, they are created by people for people. Disaster planning goes with security because the actions required to mitigate them go well with the actions required to do security (and in some cases are the same actions). – Ben Jan 12 '16 at 14:57

9 Answers

60

All other answers are fine. I'm going to offer you a classic security perspective.

  • Starting a fire/flood is a textbook scenario for physical penetration/exfiltration. People under stress are less likely to challenge strangers.

  • A fire can be used to destroy forensic evidence, in particular when there's insider involvement.

  • An earthquake or, indeed, any natural disaster (like bush fires) is a potential complication for security because law and order break down and looting rears its ugly head.

  • Perimeter security against SVBIEDs is a necessary consideration in certain countries and threat environments. If a suicide car bomber can drive close to the walls of your data center, it is your failure as a security consultant. Hence bollards, flowerbeds, and concrete barriers.

  • Security is a holistic discipline. Every specialist cares about bits and pieces of the enterprise, and by necessity of life loses sight of the whole. There should be at least one person out there who thinks in terms of adversary's behavior and not his/her own pigeonhole. Which, incidentally, is a security consultant's job description.

Deer Hunter
  • 17
    Especially strangers wearing yellow trench coats who came in with legitimate firefighters. – corsiKa Jan 11 '16 at 07:14
  • I'm pretty sure that's such a common use case that it's even a tvtrope. But I don't want to get sucked into that hole so I'm not going to look for a link ;) – Wayne Werner Jan 13 '16 at 00:57
50

It comes down to the classic security triad; Integrity, Confidentiality and Availability. The last of which could certainly suffer from any type of natural disaster, which is why you must include it in your continuity plan.

Scruffy
Jingo
  • 3
    Isn't that an overly pedantic view of availability? If there's someone using a computer that you need to be on, you wouldn't say that's a security problem. – Celeritas Jan 10 '16 at 01:22
  • 16
    @Celeritas: Sharing a computer with someone has a pretty low bar for security; availability isn't that critical in that situation. But if you're a company where your integrity and availability really are important, natural disasters could ruin you. Imagine if your bank flooded and they lost all your money (or you lost access to your money for a very extended period of time). Or imagine you're an email provider and a car crashes into your building: your users are going to be in trouble if that caused you to lose their data (or prevented access for a prolonged period). – Cornstalks Jan 10 '16 at 03:54
  • 1
    @Celeritas I'd say that it comes out of business goals. There is a huge overlap between ensuring confidentiality, integrity and availability and "pure security" tasks, but, as you say, there are also differences. However, in the end it's the *total* CIA that matters, it is never sufficient to handle only software security, so business needs to plan and do all of them anyway, and because of the large overlap it is often efficient to have it handled by the same processes and people instead of having software security separate from physical security and disaster response. – Peteris Jan 10 '16 at 11:02
  • Wouldn't integrity also be affected by a natural disaster, potentially? – Todd Wilcox Jan 10 '16 at 17:19
  • @ToddWilcox I think integrity violations are cases where you can still access the data, but it's been changed (or could have been changed) _without you realizing it_. I doubt a natural disaster would have that kind of effect. I guess you could count something like a stray cosmic ray striking some RAM and altering the result of a critical computation, but it's a bit of a stretch to consider that a disaster! (Though still worth protecting against, to some extent.) – David Z Jan 10 '16 at 17:54
  • 4
    @ToddWilcox risks to integrity and confidentiality are very likely to be affected by *your response* to a natural disaster. For example, if some office or data center is physically unavailable due to a natural disaster, most companies will still continue working with confidential data and make sensitive financial decisions no matter what, even if the ordinary secure environment is unavailable, or some usually mandatory verifications are simply skipped because the needed data or systems are unavailable. You need to secure also your 'failover' process/procedures, not only business as usual. – Peteris Jan 10 '16 at 21:13
  • 1
    This. The subject is not the security of your computer(s), it's the security of your data. If you can't get to the data (temporarily or worse permanently) that's a problem. – dmckee --- ex-moderator kitten Jan 11 '16 at 00:39
  • So anything that would hamper availability is a security problem? Some things seem to be more a usability issue, like if the user does not know how to turn on the computer or insert the media. – Celeritas Jan 11 '16 at 08:53
  • 4
    @Celeritas: The denial of service attack is a common example of an availability issue in security. – Venge Jan 11 '16 at 10:55
  • 8
    @Celeritas: It's not "*anything* that hampers availability is a security issue". Amazon being a few seconds slower at Christmas is an acceptable degradation of service and therefore not a security issue; taking 600 seconds to serve a page is undoubtedly a denial of service for Amazon. Somewhere on the spectrum between 1 and 600 there comes a point where you stop thinking of it as slightly inconveniencing your customers and start thinking of it as losing your customers. – Eric Lippert Jan 11 '16 at 14:09
  • 2
    You always have to see things from the perspective of the company. If a user can turn on a computer or not is not important. Important is that the employee can fulfill the tasks the company needs from her! If the task of the person is to guard the gate and check incoming persons, it certainly is a huge security problem if she can't turn on the computer to get the list of allowed employees and doesn't know how to scan a badge. If the job is to write confidential information and it ends up on paper instead of the secure computer, it is a security problem... – Josef Jan 12 '16 at 09:28
  • 1
    Natural disasters can also affect I, not just A. Do you have enough UPS time to ensure that all transactions are written to disk and things properly spun down, or are you going to have to deal with recovering a crashed database? And if that was your DBA that got hit by the car, do you have someone else on-site that can perform a recovery, or will you need to bring in someone from another site, or someone who hasn't been vetted by your company? – Joe Jan 12 '16 at 20:55
50

CISSP is an information security certification not a computer security certification.

Information security is about protecting the confidentiality, integrity, and availability of information in general. Information is not only stored on computers. It is printed out and stored in filing cabinets; it is memorized and stored in your employees' brains. Therefore, apart from ensuring that your computer networks are secure, you need to ensure physical security of your premises. If those confidential documents are stolen or destroyed in a disaster, it is also a loss of availability. If your employees sell the information to a competitor, then it is considered a loss of confidentiality. That is why policies and physical security measures are important.

limbenjamin
  • 1
    this makes more sense for me :) – Cerlin Jan 12 '16 at 05:18
  • 2
    Exactly! A CISSP's job is to guarantee the security of the information. And if it leaks you can't dance around and play the blame game. It is your responsibility to guarantee the safety and if it fails it is your fault. That is why you get a nice compensation. – Falco Jan 12 '16 at 12:54
17

Even if you take a narrow view of computer security as being limited to dealing with intentional malicious attacks, any way in which your system is vulnerable to a natural disaster also represents a way in which a well-equipped (or clever) attacker could disrupt your service. For example, if a data center is vulnerable to flooding, someone who wants to take it offline could cut a sprinkler pipe in the building. So it makes sense to protect against natural disaster scenarios as part of an overall security plan.

David Z
14

Disasters are as much a security issue as mitigating denial of service attacks. In the ISC2 (CISSP) docs, security is often represented by the CIA triad: Confidentiality, Integrity and Availability. Disaster recovery strategies and DDOS mitigation both pertain to establishing and maintaining availability.

Whome
7

I'll toss in my 2c and mention something that others have not specifically mentioned: Business Continuity Plans

BCP is an important function of a security analyst's job, and as such, the CISSP provides a broad overview of the issues that can impact disasters and outages. Knowing these high-level details helps the CISSP build a foundation for knowledge and the mindsets required to do BCP.

Please note that what is covered in the CISSP material is a broad, high-level overview of the topics. There is much, much more a Security pro needs to know and consider to properly create and manage a BCP program.

schroeder
4

If we look in a dictionary one of the secondary meanings of "security" is:

the fact that something is not likely to fail or be lost

While we often think of Information Security as guards, guns, and hackers in dark glasses, what it is really about is protection of information from threats. These threats could be:

  • External attackers - hackers
  • Malicious insiders
  • Natural disasters
  • Technical problems - leaks, power outages
  • Honest mistakes - like losing a CD full of data
  • A lot more!

The reason CISSP covers all these is that an organisation needs someone to look after these issues. Turns out the sort of things you do to defend against the threats are pretty similar, so it makes sense to have one department take care of them.

paj28
3

I'm going to turn it around:

Disaster planning is not part of security, because security is part of disaster planning.

Disaster Planning, which is made up of Disaster Prevention and Disaster Recovery, covers a range of topics (e.g. redundancy, backups) including security.

2

Information security is about protecting the integrity, confidentiality, and availability of information. Not being able to protect the information and make it available to those who require it, even during a natural disaster, could mean the end of a business.

I helped to develop Business Continuity Plans where one of the critical requirements was that certain information had to be (by law) available 24 hours a day, 7 days a week, 365 days a year. There was no allowed down time, even during a natural disaster such as a horrific earthquake.

There was no simple solution - business impact analysis had to be conducted. Information is not only being stored on computers. It is often scattered about and not just found in one centralized location. Identifying the critical information which is necessary to keep the business functioning is very tricky. Once the identification of critical systems and components is completed and reviewed, there is additional risk assessment which needs to take place.

During large natural disasters, such as earthquakes or large tornados, there is a high probability that the physical premises will be out of commission for some time. There were even examples where there was no building left or the team had limited access (15 to 20 minutes) to gather what was needed before no one would ever be allowed back into the building. Also, you could plan on some delays, because it had to be determined the buildings were sound enough for anyone to access them.

If it is a large disaster, where do you go or how is the continuity of operations accomplished? Local employees are certainly going to be affected by the disaster as well. It could be weeks before they are in any position to come back to work. In the case of one BCP I worked on, the employees were also faced with their homes being totally destroyed or they only had a few minutes to enter their homes and gather up belongings. Many told me they grabbed clothes and toothbrushes, and identification documents and had to leave other personal items behind.

So part of the technical strategy can be developing a multitude of options depending on the Risk Assessment. There can be plans for cold sites, warm sites, and hot sites depending on the budget. Strategies for protecting identified critical servers and hardware with RAID, clustering, and load balancing, focusing on fault tolerance. Of course, there is protection of data through backups and plans for restoring critical data and having it available to be utilized by the cold sites, warm sites, and hot sites, ensuring confidential documents are protected and available to those who require the information at all times.

Once in place, all of these strategies, plans, and policies need to be reviewed, maintained, and verified. It requires a lot of personnel to be involved and to be aware. The one constant thing is change. New hardware and software solutions are being implemented. Business requirements and laws are being modified. I can certainly understand why it is mentioned. Information security is about protecting the integrity, confidentiality, and availability of information.

EBM