© 2000 by CRC Press LLC

people; hardware for carrying out (or peripheral to) computing and communications; people involved in operating the facility; utility connections (e.g., power); and interconnection paths to outside terminals and users, including hard-wired connections, modems for computer (and FAX) communication over telephone lines, and electromagnetic links (e.g., to satellite links, to ground antenna links, and to aircraft, spacecraft, and missiles). Each of these points of termination is also likely to incorporate computer (or controller) processing. Other factors implied include the threats of fire, water damage, loss of climate control, electrical disturbances (e.g., due to lightning or power loss), line taps or TEMPEST emanations interception, probes through known or unknown dial-up connections, unauthorized physical entry, unauthorized actions by authorized personnel, and delivery through ordinary channels (e.g., mail) of information (possibly misinformation) and software (possibly containing embedded threat programs). Also indicated is guidance for personnel about acceptable and unacceptable actions through policy and regulations. The subject breadth can be surveyed by categorizing into physical security, cryptology techniques, software security, hardware security, network security, and personnel security (including legal and ethical issues).
Because of the wide variety of threats, vulnerabilities, and assets, selections of controls and performance assessment typically are guided by security-specific decision-support analyses, including risk analysis and probabilistic risk assessment (PRA).

Physical Security

Physical access security ranges from facility access control (usually through personal identification or authentication) to access (or antitheft) control for individual items (e.g., diskettes and personal computers). Techniques used generally center around intrusion prevention (or invoking a significant time delay for an adversary) and intrusion detection, which allows a response through security guard, legal or administrative action, or automatic devaluation of the penetration goal (e.g., through information destruction) [Cooper, 1989].

Physical environmental security protects against natural threats, such as power anomalies or failures, water damage, fire, earthquake, and lightning damage, among others. An example suited to computer requirements

FIGURE 97.1 An overview of the computer and communications security environment