2.7 Physical Security Controls Flashcards

1
Q
protect vulnerable building areas. Security [this] act as both a physical and visual barrier. They are varied in their shapes, sizes, and designs. [this] and security [this] protect lives and property by creating a controlled traffic setting.
• Prevent access
– There are limits to the prevention
• Channel people through a specific access point
– And keep out other things
– Allow people, prevent cars and trucks
• Identify safety concerns
– And prevent injuries
• Can be used to an extreme
– Concrete barriers / bollards
– Moats
A

Barricades / bollards

2
Q

a defined space that provides security by using two or more doors, with each door able to operate independently, and that permits an officer to observe those who pass through the space.
• All doors normally unlocked
– Opening one door causes others to lock
• All doors normally locked
– Unlocking one door prevents others from being unlocked
• One door open / other locked
– When one is open, the other cannot be unlocked
• One at a time, controlled groups
– Managed control through an area

A

Access control vestibules

3
Q
a system designed to detect intrusion, such as unauthorized entry, into a building or other areas such as a home or school.
• Circuit-based
– Circuit is opened or closed
– Door, window, fence
– Useful on the perimeter
• Motion detection
– Radio reflection or passive infrared
– Useful in areas not often in use
• Duress
– Triggered by a person - The big red button
A

Alarms

4
Q
• Clear and specific instructions
– Keep people away from restricted areas
– Consider visitors
• Consider personal safety
– Fire exits
– Warning signs
– Chemicals
– Construction
– Medical resources
• Informational
– In case of emergency, call this number
A

Signs

5
Q

the act of observing a scene or scenes and looking for specific behaviors that are improper or that may indicate the emergence or existence of improper behavior.
• CCTV (Closed circuit television)
– Can replace physical guards
• Camera features are important
– Motion recognition can alarm and alert when something moves
– Object detection can identify a license plate or person’s face
• Often many different cameras
– Networked together and recorded over time

A

Video surveillance

6
Q
concealing what would be an important facility behind what is normally seen in a particular area. In an industrial area, the building could pass for a warehouse, a small workplace, or possibly a data center. You wouldn’t put up signs telling people that the data center is here, and there are no visual cues indicating that a data center is inside the building.
• Conceal an important facility in plain sight
– Blends in to the local environment
• Protect a data center
– No business signs
– No visual clues
– Surround it with a water feature
– Install a guard gate
– Planters out front are bollards
A

Industrial camouflage

7
Q
Guards and access lists:
• Security guard
– Physical protection at the reception area of a facility
– Validates identification of existing employees
– Provides guest access
• ID badge
– Picture, name, other details
– Must be worn at all times
• Access list
– Physical list of names
– Enforced by security guard
• Maintains a visitor log
A

Guards and access lists

8
Q
a person employed to protect a building against intruders or damage. They patrol and inspect property against fire, theft, vandalism, terrorism, and illegal activity. Their job is to monitor people and buildings in an effort to prevent crime.
• Two-person integrity/control
– Minimize exposure to an attack
– No single person has access to a physical asset
• Robot sentries
– Monitoring
– Rounds / Periodic checks
– An emerging technology
A

Guards

9
Q

the measurement and statistical analysis of people’s unique physical and behavioral characteristics. The technology is mainly used for identification and access control or for identifying individuals who are under surveillance.
• Biometric authentication
– Fingerprint, retina, voiceprint
• Usually stores a mathematical representation of your biometric
– Your actual fingerprint isn’t usually saved
• Difficult to change
– You can change your password
– You can’t change your fingerprint
• Used in very specific situations
– Not foolproof

A

Biometrics

10
Q
digital security systems that ensure authorized access to your building. They ensure only authorized personnel are entering your building while keeping unauthorized personnel out.
• Conventional - Lock and key
• Deadbolt - Physical bolt
• Electronic - Keyless, PIN
• Token-based
– RFID badge, magnetic swipe card, or key fob
• Biometric - Hand, fingers or retina
• Multi-factor - Smart card and PIN
A

Door access controls

11
Q
a security cable with a lock which is used to attach portable IT equipment to a fixture. Locks that can secure laptops, desktop computers, weapons, audio equipment, sporting equipment and much more.
• Temporary security
– Connect your hardware to something solid
• Cable works almost anywhere
– Useful when mobile
• Most devices have a standard connector
– Reinforced notch
• Not designed for long-term protection
– Those cables are pretty thin
A

Cable locks

12
Q
also known as USB condoms, restrict hackers from accessing your phone's data. With [these], the physical data lines that run through the cords in public charging kiosks, which hackers use to install malicious code on your phone or steal your data, are taken out of the equation.
• Don’t connect to unknown USB interfaces
– Even if you need a quick charge
– Prevent “juice jacking”
• Use a USB data blocker
– Allow the voltage, reject the data
• Use your power adapter
– Avoid the issue entirely
A

USB data blocker

13
Q
[this] that is intended to deter or detect intrusions or other criminal activity occurring on a property or site. It can also be used to increase a feeling of safety. [this] is integral to crime prevention through environmental design.
• More [this] means more security
– Attackers avoid [this]
– Easier to see when lit
– Non-IR cameras can see better
• Specialized design
– Consider overall light levels
– [this] angles may be important
– Facial recognition
– Avoid shadows and glare
A

Proper lighting

14
Q
the process of isolating a node of a computer cluster or protecting shared resources when a node appears to be malfunctioning.
• Build a perimeter
– Usually very obvious
– May not be what you’re looking for
• Transparent or opaque
– See through the fence (or not)
• Robust
– Difficult to cut the fence
• Prevent climbing
– Razor wire
– Build it high
A

Fencing

15
Q

designed specifically for protecting sensitive electronic equipment from a fire. With fast-acting suppression technology, these systems minimize the damage, clean-up, and downtime.
• Electronics require unique responses to fire
– Water is generally a bad thing
• Detection
– Smoke detector, flame detector, heat detector
• Suppress with water
– Where appropriate
• Suppress with chemicals
– Halon - No longer manufactured
– Destroys ozone
– Commonly replaced with Dupont FM-200

A

Fire suppression

16
Q

input devices that record data about the physical environment around them. [this] sends data to a microprocessor (computer). They do not make judgements, decisions or control any output devices. There are many types of [these] used in a variety of household, commercial and industrial applications.
• Motion detection
– Identify movement in an area

• Noise detection
– Recognize an increase in sound

• Proximity reader
– Commonly used with electronic door locks
– Combined with an access card

• Moisture detection
– Useful to identify water leaks

• Temperature
– Monitor changes over time

• Cards
– Contactless credential whose dimensions are credit-card size. Its embedded integrated circuits can store (and sometimes process) data and communicate with a terminal via NFC. Commonplace uses include transit tickets, bank cards and passports.

A

Sensors

17
Q
also known as a UAV (unmanned aerial vehicle), a [this] is a flying device that is controlled remotely by a user.
• Quickly cover large areas
– More than just one building
• More than physical security
– Site surveys, damage assessments
• On-board sensors
– Motion detection
– Thermal sensors
• Video evidence
– High resolution video capture
A

Drones

18
Q

grounded cages made of electrically conductive material that can completely block electromagnetic fields and signals. Air-gapped computers are those completely isolated from outside networks and signals. Air-gap setups commonly include [this].
• Blocks electromagnetic fields
– Discovered by Michael Faraday in 1836
• A mesh of conductive material
– The cage cancels the electromagnetic field’s effect on the interior
– The window of a microwave oven
• Not a comprehensive solution
– Not all signal types are blocked
– Some signal types are not blocked at all
• Can restrict access to mobile networks
– Some very specific contingencies would need to be in place for emergency calls

A

Faraday cage

19
Q

or triple-homed firewall, refers to a network architecture where a single firewall is used with three network interfaces. It provides additional protection from outside cyber attacks by adding a perimeter network to isolate or separate the internal network from the public-facing internet.
• Formerly known as a demilitarized zone (DMZ)
– An additional layer of security between the Internet and you
– Public access to public resources

A

Screened subnet

20
Q

Wire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.
• [this]
– A physically secure cabled network
• Protect your cables and fibers
– All of the data flows through these conduits
• Prevent cable and fiber taps
– Direct taps and inductive taps
• Prevent cable and fiber cuts
– A physical denial of service (DoS)
• Hardened protected distribution system
– Sealed metal conduit, periodic visual inspection

A

Protected Distribution System (PDS)

21
Q
the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures, and spilled coffee).
• Physically secure the data
– As important as the digital security
• An important part of a security policy
– Not a question to leave unanswered
• Secure active operations
– Prevent physical access to the systems
• Secure offline data
– Backups are an important security concern
A

Secure areas

22
Q
a security measure that involves isolating a computer or network and preventing it from establishing an external connection. For example, an [this] computer is one that is physically segregated and incapable of connecting wirelessly or physically with other computers or network devices.
• Physical separation between networks
– Secure network and insecure network
– Separate customer infrastructures
• Most environments are shared
– Shared routers, switches, firewalls
– Some of these are virtualized
• Specialized networks require air gaps
– Stock market networks
– Power systems/SCADA
– Airplanes
– Nuclear power plant operations
A

Air gap

23
Q
• [this(a)] - designed to protect your confidential data against unauthorized access. A data [this(a)] is a data storage on your computer that you can lock or unlock using the password that only you know. You have to enter the password to modify the files stored in a locked data [this(a)].
– A secure reinforced room
– Store backup media
– Protect from disaster or theft
– Often onsite

• [this(b)] - similar to [this(a)], but can be completely freestanding and moveable.
– Similar to a vault, but smaller
– Less expensive to implement
– Space is limited - Install at more locations

A

Vaults and safes

24
Q

a layout design especially for data warehouses where huge servers and computing equipment are kept and data is stored. The purpose of [this] scheme is to manage air flow in data centers, consequently lowering the energy, cooling and management cost inside data centers.
• Data centers
– Lots and lots of equipment
– This equipment generates heat
• Optimize cooling
– Keep components at optimal temperatures
• Conserve energy
– Data centers are usually very large rooms
– Focus the cooling
– Lower energy costs

A

Hot and cold aisles

25
Q

[this(a)] - the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.
[this(b)] - the erasure, overwriting, or destruction of storage media to the extent that data cannot be recovered using normal system functions or software data recovery utilities.

• Disposal becomes a legal issue
– Some information must not be destroyed
– Consider offsite storage
• You don’t want critical information in the trash
– People really do dumpster dive
– Recycling can be a security concern
– Physically destroy the media
• Reuse the storage media
– Sanitize the media for reuse
– Ensure nothing is left behind
A

Data destruction and media sanitization

26
Q
• Secure your garbage - Fence and a lock
• Shred your documents
– This will only go so far
– Governments burn the good stuff
• Burn documents - No going back
• Pulp the paper
– Large tank washing to remove ink
– Paper broken down into pulp
– Creates recycled paper
A

Protect your rubbish

27
Q

the process of rendering a device completely unusable.
• Shredder / pulverizer
– Heavy machinery, complete destruction
• Drill / Hammer
– Quick and easy - Platters, all the way through
• Electromagnetic (degaussing)
– Remove the magnetic field
– Destroys the drive data and renders the drive unusable
• Incineration - Fire hot.

A

Physical destruction

28
Q

a document that states receipt and destruction of confidential data. [these] are issued by service providers as a statement of the completion of the destruction of electronics, documents, hard drives, and other data-containing media.
• Destruction is often done by a 3rd party
– How many drills and degaussers do you have?
• Need confirmation that your data is destroyed
– Service should include a certificate
• A paper trail of broken data
– You know exactly what happened

A

Certificate of destruction

29
Q

the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
• Purge data
– Remove it from an existing data store
– Delete some of the data from a database
• Wipe data
– Unrecoverable removal of data on a storage device
– Usually overwrites the data storage locations
– Useful when you need to reuse or continue using the media

A

Sanitizing media

30
Q

the process of safeguarding digital information throughout its entire life cycle to protect it from corruption, theft, or unauthorized access. It covers everything—hardware, software, storage devices, and user devices; access and administrative controls; and organizations’ policies and procedures.
• July 2013 - UK National Health Service Surrey
– Provided hard drives to a 3rd-party to be destroyed
– Contained 3,000 patient records
– Received a destruction certificate, but not actually destroyed.
– Sold on eBay. Buyer contacted authorities, fined £200,000
• File level overwriting
– Sdelete – Windows Sysinternals
• Whole drive wipe secure data removal
– DBAN - Darik’s Boot and Nuke
– Physical drive destruction - One-off or industrial removal and destroy

A

Data security