PHYSICAL SECURITY

At the end of the lesson, the students should be able to:

 Identify the physical assets of an organization
 Implement physical security.

In this lesson, we're going to discuss physical security.

The more secure your facility is, the harder it will be for an individual to gain access to your network systems. In
some instances, your efforts may even be enough to discourage individuals from attempting an attack.

There are three general concepts to consider when determining physical security: prevention, detection, and
recovery. It's much easier to prevent an attack than it is to try to recover from one. Your primary goal is to prevent
attacks by making your network and computer systems difficult to access. Most attackers look for easy targets, so if
your systems are properly secured, most will move on.

Detection is the method used to identify a breach when it happens. You need to be able to identify the breach
almost immediately. This means knowing when the breach occurred, where the entry point was, what systems
were accessed, and whether anything was damaged or stolen as a result.

In the event that you're attacked, you need to recover as quickly as possible. You need to fix damage that occurred,
replace stolen components, and plan security measures needed to prevent your system from being compromised
again.

Let's look at some ways you can physically protect your organization and systems. To do this, we're going to use
what's known as the defense in depth strategy.

Defense in depth is the concept of layering defense after defense so that even if an attacker breaches one layer,
they're faced with yet another obstacle. And if they're able to overcome that obstacle, they're faced with another
and another.

For example, let's say we have a priceless family heirloom that needs to be protected from thieves. So, to protect
it, we put it in a safe. But we know these thieves are master safe crackers, so we decide to put that safe in a locked
cage, which is in a locked room that only has one entrance. That room is inside a building that's patrolled by guards
and monitored by video cameras. Around that building is a ten-foot-high fence covered in barbed wire, and for
good measure, we electrify the fence.

With this example, you can see that even if the thieves are able to make it through the fence, say, by digging under
it, they still have to get through the guards and cameras. If they sneak past those, they still have to get inside the
house and then the room and then they have to crack the safe. This is the idea behind defense in depth. By
layering our defenses, we increase the overall security of our organization.

In this example, we have three levels of physical access security:

Perimeter Security

Perimeter security is designed to keep unauthorized persons from even getting to the building. Fencing is one
example of perimeter security. Video surveillance can also be used to track anyone entering or exiting the
perimeter. Access can also be managed from one gate, either by a security guard or a keypad. It's also important to
be sure that the building's perimeter has plenty of lighting. Security guards can only be effective if they can see.

Information Assurance and Security 2

Facility Access Security

Once someone has passed through the perimeter " whether authorized or unauthorized" they should encounter
some type of building access security. The most basic type of access security is a locked door. A locked door does a
lot to discourage would-be intruders. These doors could be accessed by employees using a proximity card,
biometric scanner, or smart card. For an extra layer of security, you could have a security guard or a receptionist,
either in person or via a camera, to verify anyone entering the facility.

Piggybacking and Tailgating

Another risk is piggybacking and tailgating. Piggybacking is when a person with credentials gains access but then
allows others to follow without requiring them to authenticate. Tailgating is when the authorized person is
unaware that they let someone else in.

Employee Education

There are several ways you can prevent this type of attack. The first, and probably most important, is employee
education. Train employees never to allow people to follow them into the building and to never provide building
access to people who don't have their own access card.

Attackers trying to use piggybacking may appeal to empathy by having a large stack of items in their arms or saying
they forgot their card at home. Some may even try to tell you that they were just hired and don't have their access
card yet. Again, educating your employees about all these types of attacks and what to do in these situations is
crucial.

Mantrap

A more sophisticated way of preventing tailgating and piggybacking is to use a mantrap, sometimes referred to as
an airlock. A mantrap creates a security buffer zone between two areas by using a small space between two sets of
interlocking doors.

For someone to get through the first door, they must gain authorization, either from a security guard or an
automated access pad. Before the second door can open, the first door must close. At that point, authorization can
be provided to open the second door. Since both doors cannot be open at the same time, another person must
wait before they can enter the first door. In addition to providing two points of authentication, a mantrap can also
be used to safely trap an intruder should they fail to provide proper authentication, allowing ample time for
authorities to arrive and detain the individual.

Inner-Facility Access

Once an individual has cleared the perimeter and building security, they should be faced with a third level of
security called inner-facility access. The goal of inner-facility access is to regulate access to areas within the facility
itself.

The most basic forms of inner-facility security are locked doors and signage indicating that only authorized
personnel should enter an area. Other examples include keyfobs, swipe cards, or ID badges to control who can go
where within the facility.

Information Assurance and Security 2

 Physical Security

Physical security is the protection of corporate assets from threats, such as theft or damage. There are three
factors to keep in mind with physical security: prevention, detection, and recovery.

 Prevention is making the location less tempting to break into.

 Detection is identifying what was broken into, what is missing, and the extent of the damage.
 Recovery is the review of the physical security procedures, repairing any damage, and hardening the
physical security of the company against future problems.

Important aspects of physical security include:

 Restricting physical access to facilities and computer systems.

 Preventing interruptions of computer services caused by problems such as loss of power or fire.
 Preventing unauthorized disclosure of information.
 Disposing of sensitive material.
 Protecting the interior and exterior of your facility.

Control Measures

Physical security should implement the following measures.

Control Measure Description

Perimeter barriers The first measure in physically securing a building is to secure the perimeter and restrict
access to secure entry points. Methods for securing the perimeter are explained in the
following list.

 Fences provide an environmental barrier that prevents easy access to the facility.
A low fence (3-4 feet) acts as a deterrent to casual intrusion. A higher fence (6-7
feet) acts as a deterrent unless the trespasser has a specific intent to violate
security. A fence 8 feet or higher topped with barbed wire is an effective
deterrent.
 Barricades can be erected to prevent vehicles from approaching the facility.
 Bollards are short, sturdy posts used to prevent a car from crashing into a secure
area.
 Signs should be posted to inform individuals that they are entering a secured area.
 Guard dogs are generally highly reliable, but are appropriate only for physical
perimeter security. They can be expensive to keep and maintain. Their use might
raise issues of liability and insurance.
 Lighting deters casual intruders, helps guards see intruders, and is necessary for
most cameras to monitor the area. To be effective, lights should be placed to
eliminate shadows or dark spots.
 Security guards offer the best protection for perimeter security because they can
actively respond to a variety of threat situations. Security guards can also
reference an access list that explicitly lists who can enter a secure facility.
However, guards are expensive, require training, and can be unreliable or
inconsistent.

Closed-Circuit Closed-circuit television can be used as both a preventative tool (when monitoring live
Television (CCTV) events) or as an investigative tool (when events are recorded for later playback). Camera

Information Assurance and Security 2

 types include:

 A bullet camera, which has a built-in lens. It is long and round in shape. Most
bullet cameras can be used indoors or outdoors.
 A c-mount camera, which has interchangeable lenses. It is typically rectangle in
shape with the lens on the end. Most c-mount cameras require a special housing
to be used outdoors.
 A dome camera, which is a camera protected with a plastic or glass dome. These
cameras are more vandal-resistant than other cameras.
 A pan tilt zoom (PTZ) camera, which lets you dynamically move the camera and
zoom in on specific areas. Cameras without PTZ capabilities are manually set
looking toward a specific direction. Automatic PTZ mode automatically moves the
camera between several preset locations. A manual PTZ lets an operator remotely
control the position of the camera.

When selecting cameras, be aware of the following characteristics:

 The focal length measures the magnification power of a lens. The focal length
controls the distance that the camera can see, as well as how much detail can be
seen at a specific range. The focal length is expressed in millimeters (mm). A
higher focal length lets you see more detail at a greater distance. Most cameras
have a 4 mm lens with a range of 30-35 feet. This allows you to see facial features
at that distance. A fixed lens camera has a set focal length. A varifocal camera lens
lets you adjust the focus (zoom).
 A 70-degree view angle is the largest view angle possible without distorting the
image.
 The resolution is rated in the number of lines (such as 400) included in the image.
In general, the higher the resolution, the sharper the image.
 LUX is a measure of the sensitivity to light. The lower the number, the less light is
necessary for a clear image.
 Infrared cameras can record images in little or no light. Infrared cameras have a
range of about 25 feet in no light and further in dimly-lit areas.

When CCTV is used in a preventative way, you must have a guard or other person who
monitors one or more cameras in real time. The cameras effectively expand the area that
can be monitored by the guard. Cameras can only detect security breaches. Guards can
prevent and react to security breaches.
Doors A mantrap is a specialized entrance with two doors that create a security buffer zone
between two areas.

 Once a person enters into the space between the doors, both doors are locked.
 To enter the facility, authentication must be provided. Authentication may include
visual identification and identification credentials.
 Mantraps should permit only a single person to enter. The person must provide
authentication.
 If authentication is not provided, the intruder is kept in the mantrap until
authorities arrive.

A turnstile is a barrier that permits entry in only one direction.

 Physical turnstiles are often used to control entry for large events such as concerts

Information Assurance and Security 2

 and sporting events.
 Optical turnstiles use sensors and alarms to control entry.
 Turnstiles are often used to permit easy exit from a secure area. Entry is controlled
through a mantrap or other system that requires authentication for entry.

A double-entry door has two doors that are locked from the outside but have crash bars on
the inside that allow easy exit. Double-entry doors are typically used only for emergency
exits and alarms sound when the doors are opened.
Door locks Door locks allow access only to people with the proper key. Lock types include:

 Pick-resistant locks with restricted key duplication are the most secure key lock. It
is important to note that all traditional key locks are vulnerable to lock-picking
(shimming).
 Keypad locks require knowledge of a code and reduce the threat from lost keys
and cards. Clean keypads frequently to remove indications of buttons used.
 Smart cards have the ability to encrypt access information. Smart cards can be
contact or contactless. Contactless smart cards use the 13.56 MHz frequency to
communicate with proximity readers. A smart card can communicate a great deal
of information.
 Proximity cards, also known as radio frequency identification (RFID) cards, are a
subset of smart cards that use the 125 kHz frequency to communicate with
proximity readers. Proximity cards differ from smart cards because they are
designed to communicate only the card's identity.
 Biometric locks increase security by using fingerprints or iris scans. They reduce
the threat from lost keys or cards.

Physical access logs Physical access logs are implemented by the guards of a facility and require everyone
gaining access to the facility to sign in.
Physical access controls Physical access controls can be implemented inside the facility.

 Physical controls can include key fobs, swipe cards, or badges.

 To control access to sensitive areas within the facility, require a card swipe or
reader.
 Some systems can track personnel movement within a facility and proactively lock
or unlock doors based on the access token device.
 An anti-passback system prevents a card holder from passing their card back to
someone else.
 Physical controls are often implemented along with sensors and alarms to detect
unauthorized access. Photoelectric sensors detect motion and are best suited to
detect a perimeter breach rather than interior motion detection. Wave pattern,
heat sensing, and ultrasonic sensors are better suited for interior motion detection
than perimeter breach detection.

As you implement physical security, be sure to keep the safety of employees and visitors in mind. Consider the
importance of the following actions:

 Implement adequate lighting in parking lots and around employee entrances.

Information Assurance and Security 2

  Implement emergency lighting that runs on protected power and automatically switches on when the
main power goes off.
 Implement fail-open locking systems that allow employees to exit your facility quickly in the event of an
emergency.
 Devise escape plans that utilize the best escape routes for each area in your organization. Post these
escape plans in prominent locations.
 Conduct emergency drills to verify that the physical safety and security measures you have implemented
function correctly.

Defense in Depth

Physical security should deploy in the following sequence. If a step in the sequence fails, the next step should
implement itself automatically.

 Deter initial access attempts

 Deny direct physical access
 Detect the intrusion
 Delay the violator to allow for response

When designing physical security, implement a layered defense system. Defense in depth is a process in which
controls are implemented in layers to ensure that defeating one level of security does not allow an attacker
subsequent access. Using multiple types of security controls within the same layer further enhances security. Tips
for implementing a multi-layered defense system include:

 Protect entry points with a card access system, or some other type of control, as well as a security
camera.
 Use a reception area to prevent the public, visitors, or contractors from entering secure areas of the
building without an escort.
 Use the card access or other system to block access to elevators and stairwells. This prevents someone
who successfully tailgates from gaining further access.
 Use a variety of access systems such as key locks, keypad locks, or biometric controls to secure offices or
other sensitive areas.
 Implement security within offices and data centers using locking storage areas and computer passwords.

Perform physical security inspections quarterly. Violations should be addressed in a formal manner, with warnings
and penalties imposed.

Information Assurance and Security 2

Learning Assessment:

Based on a review of physical security at your office, you have recommended several improvements. Your
plan includes installing smart card readers, IP cameras, signs, and an access log book.

In this lab, your task is to:

Implement your physical security plan by dragging the correct items from the shelf onto the various locations in
the building. As you drag the items from the shelf, the picture of the items should be seen in the area where you
install them. To implement your plan, you must: (Drag the picture to the area). The number indicated in the picture
means the quantity that you can install per item. Meaning there are 2 IP Security Camera available to install etc….
each item correctly installed is equivalent to 2 points.

 Install two IP security cameras in the appropriate location to record which employees access the key
infrastructure. The security cameras should operate over the TCP/IP network.
 Install the smart card key readers in the appropriate location to control access to key infrastructure.
The key card readers should be contactless and record more information than the card's ID.
 Install a Restricted Access sign on the networking closet door to control access to the infrastructure.
 Install the visitor log on the lobby desk.

Information Assurance and Security 2

Information Assurance and Security 2