2.7 - Importance of Physical Security Controls Flashcards

1
Q

Barricades

A
  • Prevents access (limits to the prevention)
  • Channel people through a specific access point
  • keep other things out
  • identify safety concerns and prevent injury
  • Ex: a construction zone could set up a barricade to protect pedestrians
2
Q

Bollards

A
  • concrete cones
  • specific type of barricade
  • designed to stop large items from passing through an area
  • allows people, prevents cars and trucks
3
Q

Moat

A
  • Water feature that creates a natural barricade
4
Q

Access Control Vestibule

A
  • All doors normally unlocked
  • Opening one door causes the others to lock
  • The behavior of the doors depends on the configuration
  • (ex: one door unlocks then all other immediately lock)
  • (ex: all doors are locked so if you unlock one no others can be unlocked)
  • allows person controlling access to data center to manage persons in and out
5
Q

Alarms

A
  • usually circuit based
  • circuit is opened or closed
  • useful on the perimeter
  • a type of physical security
  • ex: door or window alarm
6
Q

Motion detection

A
  • Radio reflection or passive infrared
  • useful in areas not often in use
7
Q

Duress

A
  • Duress button is triggered by a person
  • Ex: a big red button
  • panic button calls for reinforcements
8
Q

Signs

A
  • Need signs so people know what to expect from an area
  • Clear and specific instructions
  • Keep people away from restricted areas
  • Consider visitors who don’t know the area at all
  • Ex: Fire exits, chemical / construction or medical resources (might be useful to add contact details in case of emergency)
9
Q

CCTV

A
  • Closed-circuit television
  • especially if it’s an environment only accessible from that single facility
  • Can replace physical guards
  • Camera features are important (ex: motion recognition tied to an alarm or object detection can identify a license plate or a face)
  • often many cameras are tied to a single recording device
10
Q

Industrial camouflage

A
  • Conceal an important facility in plain sight
  • blends into the local environment
  • usually no signage, or visual cues
  • often have a guard gate and water features or planters that are bollards
11
Q

Guards and Access lists

A
  • People are one of the best security features
  • physical protection at reception area
  • validates ID of existing employees
  • Provides guest access
12
Q

ID Badge

A
  • Picture, name, details
  • must be worn at all times
  • enforced by security guard
  • can swipe and adds to visitor log
13
Q

Guards

A
  • 2 person integrity / control
  • minimizes exposure to an attack
  • No single person has access to a physical asset
14
Q

Robot sentry

A
  • Emerging technology
  • Replace humans with automated tasks and have the humans perform more important tasks
15
Q

Biometrics

A
  • Biometric authentication
  • usually stores a mathematical representation of something you are (not the actual picture of your fingerprint)
  • fingerprint difficult to change or replicate
  • powerful physical controls but not foolproof, should be combined with something like a code for authentication
  • Ex: fingerprint, retina, voice print
16
Q

Door access controls

A
  • Conventional - Lock and Key
  • Deadbolt - physical bolt
  • Electronic - keyless, PIN
  • token-based: RFID badge, key fob, magnetic swipe card (like a hotel)
  • biometric
  • multifactor (smart card / pin)
17
Q

Cable locks

A
  • Temporary security
  • can connect to almost anything (ex: locking laptop to desk)
  • most devices like laptops have a standard connector that reinforces the notch
  • not designed for long-term protection (cables are pretty thin)
18
Q

USB Data blocker

A
  • A USB connector that only connects to the power line component of a USB to get around the issue of juice jacking
  • prevents the data portion from connecting via the USB
  • Normally, don’t want to connect to unknown USB interfaces, even if you need a quick charge
  • Prevent “juice jacking” - could be transferring data
  • probably just want to bring your own power adaptor
19
Q

Proper lighting

A
  • More lighting = more security
  • Non-infrared cameras see better in light
  • Many kinds and types of lighting, make sure you consider overall light levels, angles (avoiding shadows / glare is important for face recognition)
20
Q

Fencing

A
  • Good way to protect perimeter, but also might be an advertisement that there is valuable stuff
  • transparent or opaque (see through fence or not) depending on your needs
  • robust fences / tall / can add razor wire
21
Q

Fire suppression

A
  • Electronics require unique response to fire (not water)
  • Detection (smoke, flame, heat detector)
  • Suppress with water, where appropriate (not with electronics)
  • Electronics - used to use Halon (not manufactured anymore b/c it destroys the ozone). Commonly replaced with DuPont FM-200
22
Q

Sensors

A
  • Motion Detection
  • needed for areas not commonly monitored by people
  • Noise detection
  • proximity reader (commonly used for electronic doors plus access card)
  • Water detection (leaks)
  • Data centers (common to have a heat sensor)
23
Q

Drones

A
  • some security teams use drones (quickly cover large areas)
  • may not be used for constant security, but for specific purposes (like site surveys, or damage assessment)
  • many include motion / heat sensor
  • high resolution video capture
24
Q

Faraday cage

A
  • method of signal suppression
  • Blocks electromagnetic fields
  • Discovered by Michael Faraday in 1836
  • mesh of conductive materials, so that radio signals don’t get out (Ex: microwave door)
  • not a comprehensive solution
  • not all signal types are blocked, some aren’t blocked at all
  • also remember if you’re blocking radio signals, you could be blocking people’s ability to call for help in an emergency
25
Q

Screened subnet

A
  • If you’re working on an internal network and realize you need to provide something to the internet, you might use a screened subnet
  • might not want people getting into internal network
  • a network with controlled access, usually through a firewall, where people can access resources in the screened subnet
  • Formerly known as a DMZ (Demilitarized Zone)
  • An additional layer of security between the internet and you
  • Public access to public resources
26
Q

PDS

A
  • Protected Distribution System
  • Physically securing your cabled network (protect your cables and fibers) since all the data flows through these
  • would prevent an attacker from installing a tap in the middle of your cables
  • could prevent a DoS
  • Common to have periodic audits to ensure no one can gain access to your networking infrastructure
27
Q

Secure areas

A
  • Should be part of your security policy
  • Goal: prevent people from getting physical access to your systems
  • Secure offline data (backups are an important security concern)
28
Q

Air gap

A
  • Provides physical separation between networks
  • Ex: between different customer networks or between secure and unsecure networks
  • Specialized networks require airgaps (ex: stock market networks, power systems/ SCADA, Airplanes, Nuclear power plant operations)
29
Q

Vaults

A
  • A secure reinforced ROOM
  • Store backup media
  • Protect from disaster or theft
  • Often onsite
30
Q

Safe

A
  • Similar to a vault, but smaller
  • less expensive to implement
  • Space is limited inside
  • But you could install in many different locations
31
Q

Hot Aisles / Cold Aisles

A
  • Data centers, the racks generate a lot of heat
  • Optimize Cooling in data centers to keep components at optimal temperatures
  • Cooling is really energy intensive (therefore it’s separated into cold and hot aisles as a way to try to keep down energy costs)
  • Cold aisle blows air in one direction, sent through equipment (where it heats up); ventilation sends it back into the cold aisle
32
Q

Data Destruction

A
  • Disposal can become a legal issue (some information cannot be destroyed), consider offsite storage
  • Physically destroying drives usually a better idea
33
Q

Data Sanitization

A
  • Sometimes you want to reuse storage media (but need to be properly sanitized) to make sure nobody can recover any information
  • Purging vs Wiping (partial vs full)
34
Q

Protect your rubbish

A
  • Make sure your garbage facility is secure
  • behind a fence with a lock
  • Shred documents (governments will burn the good stuff)
  • If you really want to make sure, pulp the paper, remove the ink and recycle the paper back to pulp
35
Q

Physical destruction of hard drives

A
  • Might want to use a shredder/ pulverizer on a hard drive (involves heavy machinery)
  • Or you can use a drill/ hammer to poke a hole in the hard drive (quick and easy)
  • You can also incinerate your hard drives (companies do this; it needs to be very hot)
36
Q

Degausser

A
  • Electromagnetically destroying data by removing the magnetic field
  • renders the drive unusable (removes configuration information)
37
Q

Certificate of Destruction

A
  • Provides evidence by 3rd party that they were able to destroy everything and they include serial numbers in the documentation
  • Usually if you’re pulverizing or burning your hardware you have to send it to a third party
38
Q

Purging Media

A
  • Removing only a PORTION of the data
  • Ex: remove it from an existing data store or remove some data from the database
39
Q

Wiping Data

A
  • UNRECOVERABLE (can never be restored) removal of data on a storage device
  • Usually overwrites the data storage locations
  • Useful when you need to reuse or continue using the media
40
Q

SDelete

A
  • File level overwriting
  • Available in Windows Sysinternals
  • option for removing files
41
Q

DBAN

A
  • Darik’s Boot and Nuke
  • Whole-drive wipe; secure data removal
  • popular utility to remove data