4.5 Explain the importance of physical security

  • Detection Methods
    • Camera
    • Motion Detection
    • Asset Tags
    • Tamper Detection
  • Prevention Methods
    • Employee Training
    • Access Control Hardware
      • Badge Readers
      • Biometrics
    • Locking Racks
    • Locking Cabinets
    • Access Control Vestibule (mantrap)
    • Smart Lockers
  • Asset Disposal
    • Factory Reset / Wipe Configuration
    • Sanitize Devices for Disposal


All our security measures are pointless if we don’t have good physical security.  A hacker with physical access to our network infrastructure can cause significant damage or disruption.  Just like the software configuration, we must also ensure that our physical security comes in layers.

Proper lighting is important for

  • Physical safety of people walking.  Hazards can be illuminated.  It is important to provide bright lights on all entrances and walkways

  • Making things visible.  Intruders and criminals are more tempted to access buildings at night.

  • Emergencies.  Emergency lighting is necessary and may be required under various building codes.  Emergency lighting is battery-operated and activates in the event of a power outage.

Bad people can hide in dark corners and then sneak into the building or mug people walking by.

A Camera System is important for physical security.  Cameras in sensitive places can be hijacked.  It is important that

  • Each camera is physically secure so that it cannot be removed or manipulated

  • The connection between the camera and its monitoring station is encrypted

  • The camera software is secured.  Cameras connected to the internet can be exploited by botnets.

A Fence or Gate or Cage keeps people out or keeps people in.  For example, a tool storage area inside a building/warehouse might be fenced in.

Consider

  • Who you are trying to stop.  A chain-link fence can be cut with wire cutters easily.  Even a barbed wire fence can be cut.  Fences are good for slowing down random people who are trying to climb over but are not so good for vehicles or sneaky people.  In those cases, a concrete wall may be required.

    • An electric fence is more effective at keeping people out but may introduce unwanted legal liability.  An electric fence must have clear signage that identifies it as such.  It should also be separated from the public by a normal fence so that people cannot inadvertently contact it.

  • Whether the fence is opaque or transparent (chain link).  The fence may need to be opaque so that people can’t see inside.

  • The height of the fence.  A tall fence may stop people from climbing or seeing over it, but it is irrelevant if people can cut through the fence or fly drones into the facility.

  • Fences can be used in combination with other security measures.  The fence provides a buffer zone.  It slows people down.  By the time a person has penetrated the fence, security will have been able to intercept them.  The fence can be monitored with cameras, security patrols, and sensors.

Inside a building, chain link fencing can be used to set up cages for controlled physical access. It is cheaper to build a cage than a physical room.

A security guard is a human who provides security.  The security guards may be stationed in key areas, may walk around, or may drive patrol vehicles.

Proper training is important.  A security guard who is not vigilant will not be effective.  Security guards who use excessive force, are disrespectful, or are perceived to be incompetent, will cost the company money, introduce legal liability, and damage its reputation.

Security guards may be outsourced from a company like G4S or Garda.  There is no good reason to outsource, except for cost.  When renting security guards, it is important to ensure that the security company sends the same people each time, so that they become familiar with the premises.  Many companies outsource security so that they do not have to risk legal liability in the event that a security guard acts inappropriately.

A larger organization may be able to better train an internal security force, even with as few as 50 security guards.

The security guard’s most important tool is his brain.  Security guards also have other tools like guns, handcuffs, batons, and pepper spray, depending on the state/province that they are in.  The organization must decide if it should risk the liability and cost of training to supply security guards with weapons.

Artificial intelligence is no substitute for a human brain.  It is important to ensure that the security guard is aware of his surroundings.  A security guard who is complacent may be worse than no security guard at all.  Security guards are human and can be manipulated through social engineering techniques.

In general, a security guard is not a law enforcement officer.  A security guard is entitled to

  • Enforce the law when seeing an actual commission of a crime on the organization’s property

  • Use reasonable force to protect himself or another human being from physical harm or death

  • Use reasonable force to protect the physical property of his organization

  • Detain an individual who the security guard knows has committed a felony (an indictable offense in Canada), and promptly turn him over to a law enforcement agent

  • Use reasonable force to prevent a trespasser from entering a secured facility

Security guards may also have dogs that can detect food, drugs, or explosives.  Like a weapon, the use of a dog can also subject the organization to serious legal liability.

A security guard also keeps track of visitors

  • Signs visitors in and out

  • Verifies that the visitors are legitimate

  • Ensures that visitors have been briefed on the organization’s security and safety policies and that they are wearing appropriate personal protective equipment (PPE), if required

  • Escorts visitors to the appropriate locations

An alarm is necessary to protect critical assets.  The two main types of alarms are

  • Intruder alarm – detects intrusions

  • Environmental alarm – detects a fire, flood, high temperatures, etc.

The alarm will have multiple components

  • Sensor.  The sensor detects an event

    • Motion Sensor detects motion, which could indicate the presence of an unauthorized person

    • Glass Break Sensor detects if glass has been broken based on the specific sound frequency that broken glass makes

    • Door/Window Contact detects if a door/window is closed or if it has been opened.  The sensor consists of a magnet that sits on the door/window and a contact that sits on the door/window frame.  This creates a closed circuit.  When opened, the door/window breaks the circuit, and an alarm activates

    • Smoke Detector detects the presence of smoke but can also sound a false alarm; it can be triggered by dusty conditions.

    • Flood Detector detects moisture content.  This may be installed in a server room.

    • Thermostat detects temperatures that are too high or too low.  High temperatures can lead to equipment damage.  Cold temperatures can cause water pipes to burst.

  • Controls.  The controls allow the alarm to be programmed.  The controls collect data from the sensors and decide if an abnormal event has occurred, in which case the alarm is triggered.  The controls send an alert to another device.

  • Alerts.  The alarm must make an alert, or else it will have no purpose.  It must notify somebody that an abnormal condition is present.  Some forms of alerts are

    • Siren/Flashing Lights can scare intruders but are by themselves just a nuisance.  Some intruders will ignore the alarms, especially when there are many false alarms.  A police department will probably not respond to an audible alarm unless they are specifically notified that a crime is in progress.

    • Alert on a control panel.  The alarm can notify a monitoring station so that the responsible people can verify that the alarm is real and take additional action such as calling the police, calling for emergency services, or dispatching a security guard to investigate.

    • Automated phone call/email/SMS alert to an on-call person, who may or may not respond.

When an alarm is triggered, a security guard might first review the surveillance cameras in the relevant areas to determine if there is a problem.  The security guard would then physically investigate the areas and act as appropriate.  If nothing out of the ordinary is present, the security guard may turn off the alarm and record his findings.

An alarm system can be divided into multiple zones.  Each zone is subject to its own rules.  For example, a zone can be always armed, or it can be armed at night.  A server room might always be armed unless somebody needs to access it.  An office might only be armed at night when nobody is present.

When an alarm is in an armed state, any sensor activity will trigger an alarm.  When an alarm is disarmed, then sensor activity will not trigger an alarm.

The control system for an alarm must be in a physically secure room.  The control system must itself be alarmed (connected to a tamper-detecting sensor), so that any attempt to disable it is detected.
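As an added illustration (not part of the original text and not any vendor's firmware), a small Python model of the alarm controller described above: zones with their own arming rules, a temporary bypass for the always-armed server room, environmental sensors that are never disarmed, and a tamper sensor on the control panel itself.  Zone names, sensor ids and the 19:00 to 07:00 night window are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
# Constructed example: a simplified alarm controller. Zone names, sensor ids
# and the 19:00-07:00 night window are assumptions, not values from a product.
NIGHT_START, NIGHT_END = time(19, 0), time(7, 0)

def is_night(at: datetime) -> bool:
    return at.time() >= NIGHT_START or at.time() < NIGHT_END

@dataclass
class Zone:
    policy: str                    # "always", "night" or "manual"
    armed: bool = False            # used only by "manual" zones
    bypass_until: datetime = None  # temporary access to an "always" zone

    def is_armed(self, at: datetime) -> bool:
        if self.bypass_until is not None and at < self.bypass_until:
            return False
        if self.policy == "always":
            return True
        if self.policy == "night":
            return is_night(at)
        return self.armed

@dataclass
class AlarmController:
    zones: dict                    # zone name -> Zone
    sensor_zone: dict              # sensor id -> zone name
    alerts: list = field(default_factory=list)

    def arm(self, zone: str, armed: bool = True) -> None:
        self.zones[zone].armed = armed
    def bypass(self, zone: str, until: datetime) -> None:
        self.zones[zone].bypass_until = until

    def handle(self, sensor: str, kind: str, at: datetime) -> str:
        """Return the alert category for one sensor event, or "ignored"."""
        # The panel's own tamper sensor alarms in every state, so an attempt
        # to disable the system is detected even while it is disarmed.
        if kind == "tamper":
            return self._alert("TAMPER", sensor, at)
        # Environmental sensors (smoke, flood, thermostat) are never disarmed.
        if kind in ("smoke", "flood", "temperature"):
            return self._alert("ENVIRONMENTAL", sensor, at)
        # Intrusion sensors only count while their zone is armed.
        if self.zones[self.sensor_zone[sensor]].is_armed(at):
            return self._alert("INTRUDER", sensor, at)
        return "ignored"

    def _alert(self, category: str, sensor: str, at: datetime) -> str:
        # A real panel would forward this to the monitoring station / on-call.
        self.alerts.append(f"{at:%Y-%m-%d %H:%M} {category} {sensor}")
        return category

def demo_alarm() -> AlarmController:
    zones = {"server_room": Zone("always"), "office": Zone("night"),
             "lobby": Zone("manual")}
    sensors = {"pir-1": "server_room", "panel-tamper": "server_room",
               "door-2": "office", "smoke-4": "office", "glass-3": "lobby"}
    return AlarmController(zones, sensors)
```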

Protected distribution ensures that the cables are physically secure.  An intruder could physically penetrate a data cable and hijack a connection to a device such as a camera or a printer.  This is an unlikely scenario, but still possible and has been demonstrated.

Cables should be protected against damage.  They should be installed inside conduit and cable trays.

It is important to physically secure devices such as cameras and wireless access points (which can be hidden inside the ceiling space). 

Biometrics are used in combination with other devices to provide an additional layer of authentication.  These include

  • Facial recognition

  • Fingerprint reader

  • Voice recognition

  • Palm reader

  • Retinal scan

The biometric devices take a photograph of a human body part and then convert it into a mathematical model.  For example, a fingerprint reader understands the bumps and ridges on a fingerprint and compares their relative sizes.  There are many different algorithms, and each one works differently.

Not every scan is perfect.  Most biometrics have a false positive because of the algorithm.  The false positive rate is approximately 1 in 50,000.

A biometric reader does not (and cannot) create a pixel-by-pixel comparison of a person.  Imagine taking a photograph of your face 100 times.  Each photo will be slightly different.  The lighting, the reflection, the angle of your head, and the position of your hair will be slightly different each time.  The computer needs a way to understand that it is still you despite the changes.  It does so by, for example, measuring the distance between your eyes or the width of your lips.

A biometric reader is part of an access control system.  An access control system is used to track and restrict access to different buildings or rooms.  It typically has four parts

  • A card reader and/or biometric reader – this device is installed next to each doorway and scans user proximity cards or biometrics

  • A door lock – an electronic door lock that allows the door to be unlocked automatically.  This might be known as a door strike.

  • A controller – the controller connects to both the card reader and the electronic door lock.  When a user scans a card at a card reader, the card reader reports the user’s information to the controller.  The controller checks the time and decides whether the user is permitted to access that door at that particular time.  If the user is permitted, then the card reader sends a signal to the lock to unlock the door.

  • The wiring between the controller and the card reader.

The access control system can be wired as follows (depending on the make and model of the system)

  • The controller is connected directly to the network and power.  The controller powers the card reader and door lock.  The controller connects to each card reader and door lock via a proprietary cable.  The door lock and card reader communicate with the controller via the proprietary cable.  The controller may have a software program or web-based interface where it can be programmed.

  • The controller is connected directly to the network.  Each card reader and door lock are also connected to the network and receive power via PoE.  The card reader and door lock use the network to communicate with the controller.  They might be on a separate VLAN or on a separate physical network.
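As an added example (not the original text's and not any vendor's controller software), a Python model of the decision the controller makes when a reader reports a card: is the card known and not revoked, does the holder have a grant for this door, is the current time inside the permitted window, and does the door also require a matching biometric before the lock is signalled.  Card numbers, holders, door names and schedules are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
# Constructed example of an access controller's decision logic. Card numbers,
# holders, door names and schedules are assumptions made for this example.

@dataclass(frozen=True)
class Grant:
    door: str
    start: time                # permitted window start (inclusive)
    end: time                  # permitted window end (exclusive)
    biometric: bool = False    # door also needs a matching biometric scan

    def covers(self, t: time) -> bool:
        if self.start == self.end:                 # all day
            return True
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end     # window spans midnight

@dataclass
class AccessController:
    holders: dict                      # card id -> holder name
    grants: dict                       # card id -> list of Grant
    revoked: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def revoke(self, card: str) -> None:
        # A lost or stolen badge is revoked centrally; every door honours it.
        self.revoked.add(card)

    def decide(self, card, door, at, biometric_ok=False):
        """Return (unlock, reason) for one card presented at one reader."""
        reason = self._check(card, door, at, biometric_ok)
        unlock = reason == "unlock"
        # Every attempt, granted or denied, is recorded for later review.
        self.log.append((at, card, self.holders.get(card, "?"), door, reason))
        return unlock, reason

    def _check(self, card, door, at, biometric_ok):
        if card not in self.holders:
            return "unknown card"
        if card in self.revoked:
            return "card revoked"
        grant = next((g for g in self.grants.get(card, []) if g.door == door), None)
        if grant is None:
            return "no grant for door"
        if not grant.covers(at.time()):
            return "outside schedule"
        if grant.biometric and not biometric_ok:
            return "biometric required"
        return "unlock"

def demo_access() -> AccessController:
    holders = {"1001": "A. Clerk", "1002": "B. Admin"}
    grants = {"1001": [Grant("front_door", time(7, 0), time(19, 0))],
              "1002": [Grant("front_door", time(0, 0), time(0, 0)),
                       Grant("server_room", time(0, 0), time(0, 0), biometric=True)]}
    return AccessController(holders, grants)
```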

We might label each device with an asset tag.  The asset tag tells people that this device belongs to our company.  We would record this number in a central database.  If the device is lost or stolen, the thief will probably just remove the asset tag.

But more advanced devices such as Cisco Meraki Switches and Routers, computers, Android phones, Apple iPhones, etc. only work after they are activated through an internet server.  If the device is registered to a specific organization and then is lost or stolen, the organization can deactivate it.  When the device is reconnected to the internet, the thief will not be able to use it.

LoJack is a legitimate rootkit that comes preinstalled in the BIOS of some laptops.  If the laptop is lost or stolen and later connected to the internet, LoJack will report the location of the laptop to a server.  LoJack is designed to remain on the laptop even if its hard disk drive is erased or replaced.

There are physical devices that can connect to the system board of a router or switch and intercept the traffic on a binary level without detection.  These are complicated devices that are generally available only to nation-state actors, but it is important to protect the infrastructure anyway.  We can also use tamper detection methods to determine whether a device has been physically opened.  A tamper detection method might be as simple as a sticker that is damaged when peeled off.

Proper physical security can only be achieved through proper employee training

  • Employees should be trained to recognize and report unusual activity

  • Employees should be trained to challenge any individual they do not recognize, any individual attempting to tailgate through the mantrap or secure entry, and any individual who is not wearing an ID badge.

We might also have Locking Racks and Locking Cabinets.  When we have a small MDF or IDF and must share the space with other members of the organization then we should have all of our equipment stored in a locking cabinet.  For example, if our IDF is also a storage room, then we must have a locking cabinet so that unauthorized users do not accidentally or deliberately unplug or tamper with the equipment.

If the MDF or IDF is a separate room with separate keys or an access control system, then it is not always necessary to use locking racks.  Using open racks may be more cost effective.  If the organization is large, and many different departments have equipment in the MDF, and only specific people have access to each set of equipment, then we might use locking racks to enforce access.

In general, server racks come with cheap locks that are easily picked or broken.  You might consider purchasing racks or cabinets with combination locks or racks that accommodate external padlocks.   

Smart Lockers are becoming more popular.  A smart locker is a set of lockers that is connected to a computer system.  Each locker has an electronic lock that can be unlocked remotely.  Smart Lockers are being used for the following

  • Mail delivery and package delivery.  A user lives in an apartment building.  FedEx attempts to deliver a package but the user is not home.  FedEx leaves the package in a locker and provides the occupant with a code.  The occupant returns home and enters the code into the locker’s computer.   The locker’s computer unlocks the locker containing the user’s package.

  • Online purchase pick up.  A user places an order online at Home Depot.  Home Depot gathers the product and places it inside the locker, which is located outside the store.  The store provides the user with a combination that he can use to pick up his purchase.  The user visits the locker and enters a combination into the locker’s computer.  The locker’s computer unlocks the locker containing the user’s purchase.

  • Spare parts.  We might install a set of lockers in our office and fill them with spare parts such as RAM, ethernet cables, etc.  When a user requires a spare part, he visits the locker, and enters his credentials into the computer.  The computer opens a locker containing the spare parts that he requested.  The computer can keep track of which user took which item.

  • Key retrieval.  When our organization has many physical keys, we must identify a reliable way to keep track of all of them. 

    • Assign each key or set of keys to a different person.  This is a bad idea because if only one person has keys to a resource, and he is away, then nobody else will be able to gain access.

    • Leave keys with security.  Security keeps track of the keys.  When a user needs keys, the security guard verifies that the user is permitted to take them.  The security guard keeps track of the request in a log.

    • Use a key locker.  A smart key locker can contain locking compartments or hooks.  When a user needs keys to a specific resource, he logs in to the locker with a username/password combination or with an access control card.  The user can request a specific set of keys from the locker.  The locker verifies that the user is permitted access and either unlocks the correct set of keys or denies access.  The locker keeps track of each access attempt.  The locker also verifies when the user has returned the keys.

      A locker might be better than a security guard because it is automated and can keep track of hundreds of different keys.

Finally, it is important to destroy sensitive data.  The best method depends on the medium in which the data is stored, and whether the organization needs to reuse the media.  When it is time to recycle or sell a device that has reached the end of its life, we must make sure that all sensitive data has been removed.

Some people might be tempted to “factory reset” a device and call it a day.  The problem is that many modern devices are closed systems and so it is not always possible to determine how they operate or whether a factory reset procedure truly removes user data. 

For example, an iPhone encrypts all user data.  When the iPhone is reset, the iPhone does not actually wipe the user data; it just deletes the encryption key.  If something went wrong with this process or if an exploit is discovered later, it may be possible for a hacker to retrieve this key, and thus some of the user data.

When we know that a device stores user data on a hard disk drive or SSD, the best way to reset the device is to physically remove the hard disk drive and shred it.  We must be careful to ensure that the device only stored user data on that specific drive.

If the system is a closed system, such as an iPhone, then the only reliable way to erase the device is to physically destroy it.

Let’s look at how the government does it

  • Shred all paper documents to a size of less than 5 mm x 5 mm or burn them at a temperature of at least 233 °C.  We might pulp the paper (convert it to paper fiber with a detergent) after shredding.

  • Smash all computer monitors to a size of less than 5 cm x 5 cm.  This applies to computer monitors that have images burned into them.

  • Degauss any hard disk drive or magnetic tapes.  If degaussing is not available, then you can burn them at a temperature of at least 600 °C.

  • Many hard disk drives are now hybrid (that is, they contain a magnetic portion and a solid-state portion).  The solid-state portion must be shredded to a size of less than 2 mm x 2 mm and the hard disk drive must be degaussed or burned.

  • After degaussing a hard disk drive, the physical platters must also be physically damaged.

  • CDs, DVDs, and Solid State Drives must be burned at a temperature of at least 500 °C, or shredded to a size less than 2 mm x 2 mm.