3.9 Explain the importance of physical security controls. Flashcards

1
Q

Lighting

A

Ensure that the facility has proper lighting and that entrances and exits are properly marked, well lit, and accessible. Be sure that the parking area, as well as the pathways to and from it, have adequate lighting to help keep employees and visitors safe when arriving or leaving the facility.

2
Q

Signs

A

Ensure that the facility has proper signage labeling all exits so that employees can locate the exits quickly during an emergency.

Signs are also posted to mark restricted areas so that people know they are to stay out.

3
Q

Fencing/Gate/Cage

A

In highly secure environments, look at putting a fence around the perimeter of the property to deter intruders from trespassing. With a fence around the perimeter, you are forcing anyone who wants access to the facility to go through the main gates, where you implement security checks on everyone entering or leaving the facility.

The height of the fence you put in depends on what your goal is. If you are looking to deter a casual intruder, then you typically go with a fence that is 3 to 4 feet high. Keep in mind that a 4-foot fence is easy to climb, so if you are looking to deter a casual climber, then the recommended fence height is 5 to 7 feet. A determined intruder would have no problem figuring out how to climb a 7-foot fence, so to deter such an intruder, the recommended fence height is 8 feet plus three lines of barbed wire on top tilted at a 45-degree angle toward the intruder.

4
Q

Security Guards

A

When you implement the fence around the perimeter of the property, you will need to have a security gate with guards checking anyone entering or leaving the premises. The guards at the gate will verify that a visitor is expected at the facility and then typically give them a “visitor” ID badge to be worn at all times. Employees entering the facility will need to display their employee ID badge to get access to the facility. The ID badge will have the employee name and a photo of the employee.

The guard at the gate will monitor persons leaving the facility and try to ensure that equipment is not being stolen from the facility. Adding a security guard to your physical security plan has the added bonus that **the guard can identify abnormal activity.** I talked to one customer who said that if employees are leaving with a laptop or other computer equipment, the equipment is verified at the gate on the way out. The guard verifies the employee is allowed to leave with the equipment and makes them sign out the equipment. This is done to prevent internal theft of company assets.

Depending on the level of security required by your organization, you may have guards positioned throughout the facility ensuring that no security incidents occur. The guards should be trained to watch for ID badges on all persons walking through the facility and to question anyone who does not have an ID badge. At one customer’s facility where I was given a visitor badge and put it on, the gentleman who authorized me to be there said, “No, you have to attach it on your left side.” The organization strictly enforces that all personnel wear the badge in the same place so that security can easily see the badge.

5
Q

Alarms

A

Many security devices today, such as locking systems, proximity readers, and video surveillance equipment, can trigger alarms. These alarms can also be sent to a mobile device as a notification alert.

6
Q

Safe

A

Each facility should have a safe where the organization secures important documents and assets to protect them from theft and from disasters such as a fire.

7
Q

Secure Cabinets/Enclosures

A

Many highly secure organizations have locked cabinets where they store sensitive material during off-hours. For example, in highly secure environments, removable drives are taken out of workstations and locked in a cabinet at night to control who has access to the contents of the drives.

8
Q

Protected Distribution/Protected Cabling

A

It is important to control access to cabling with a protected distribution system (PDS). A PDS controls and monitors physical access to cabling by running the cabling through a secure conduit. If a hacker can gain physical access to the cabling system, they can tap into the communication, so you want to ensure you control access to the cabling.

9
Q

Airgap

A

An airgap (or air gap) is an area that separates two different networks. For example, highly secure environments typically have a secret network that has no connections to the corporate network or LAN. This means an airgap exists between the secret network and other networks.

10
Q

Mantrap

A

No physical security discussion would be complete without discussing a mantrap. Earlier in the book, you learned that a mantrap is an area between two doors with the second door not opening until the first door is closed. This helps prevent piggybacking or tailgating, which is when someone tries to slip in behind you after you have unlocked a door. The concept here is that you would not open the second door if someone you didn’t know entered the mantrap area.

11
Q

Faraday Cage

A

A Faraday cage is typically a room that prevents signals from emanating beyond the room. It includes electrical features that cause RF signals that reach the boundary of the room to be reflected back, preventing signal emanation outside the Faraday cage. A Faraday cage can also be a small enclosure.

In addition to preventing signals from emanating outside the room, a Faraday cage also provides shielding to prevent outside interference such as EMI and RFI from entering the room. At a very basic level, some elevators act as a Faraday cage (though I seriously doubt the designers were striving to do so). You might have stepped into an elevator and found that your cell phone stopped receiving and transmitting signals. The metal shielding around the elevator prevents signals from emanating out or signals such as the cell phone tower signal from entering the elevator.

On a smaller scale, electrical devices such as computers include shielding to prevent signals from emanating out and block interference from getting in.

Using a Faraday cage has become a popular practice in computer forensics to shield a component from sending or receiving a signal.

12
Q

Lock Types

A

One of the most popular methods of controlling access to a facility or room is to implement a locking system on the doors. Conventional locks are easy to pick and susceptible to a bump key attack. A bump key is a normal key that has been filed down to fit into a lock—the key is inserted into the lock and pulled out one notch. When the key is tapped, it causes the pins in the lock to align and then unlock the door. You can purchase pick-resistant locks (for a higher cost), which give you the added security that the lock will not be easily compromised, but most companies use electronic locking systems in today’s high-security environments.

The two common types of electronic locking systems are an electronic key system and an electronic combination lock.

With an electronic key system, employees are given a token device that has their access code encoded in it. When the employee swipes the token past the electronic sensor, the door unlocks.

With an electronic combination lock, employees type a PIN into the lock to gain access. I have seen electronic keypads that do not have numbers on the buttons until you press the Start button. Once you press the Start button, the system randomly generates the placement of the numbers so that if someone watches your finger position, it will not help them guess the access code. The electronic combination locks are also known as cipher locks.

With either of the electronic locking systems, the organization can control which areas an employee has access to based on the access code. These systems can also log access, including the date and time that the employee accessed the facility or different areas of the facility.

13
Q

Biometrics

A

A common control used to control access to different areas of the building is biometrics. Highly secure environments may require a retina scan or fingerprint scan to enter a secure area of the building.

14
Q

Barricades/Bollards

A

An organization can use barricades or bollards to control access to different areas of the facility. For example, the front of the building could be protected from vehicles by a concrete barricade.

15
Q

Tokens/Cards

A

Some access systems use a physical token, or key fob, that employees carry with them and use to gain access to the facility or to a specific area of the facility. The access token is typically placed on the employee’s keychain and carried at all times.

16
Q

Environmental Controls

A

It is important to ensure that you have mechanisms in place to monitor environmental systems and that you include methods of detecting issues related to heat, humidity, and air quality. Monitoring temperature and humidity levels within the data center can allow you to detect failures in the HVAC system before your equipment starts overheating and failing.

17
Q

Environmental Controls - HVAC

A

Heating, Ventilation, and Air Conditioning (HVAC) is a system to provide or reduce heat, humidity, and outdoor air. The goal of the HVAC system is to provide climate control to help maintain quality conditions in the workplace.

The HVAC controls the temperature and the humidity within the building. This helps computer systems run optimally. The temperature in the building should be around 70 to 74 degrees Fahrenheit. If the temperature gets too warm, it could cause the systems to overheat and shut down. The humidity levels should be between 40 and 60 percent. If you have humidity levels less than 40 percent, then you could experience a lot of electrostatic discharge (ESD). ESD can destroy computer components and computer chips. Humidity levels above 60 percent can corrode computer components.

18
Q

Environmental Controls - Hot and Cold Aisles

A

To keep the systems cool in a data center, the racks are arranged in a hot/cold aisle configuration. This configuration involves breaking the racks into rows with the fronts of the racks facing each other to create cold aisles, and the backs creating the hot aisles (hot air goes out the back of the racks). The HVAC airflow would be designed to take the warm air from the hot aisle and exhaust it outside, away from the data center, while bringing in new cool air in the cold aisle from the front of the racks.

19
Q

Environmental Controls - Fire Suppression

A

Here are some key points to think about when designing a fire detection solution:

You can configure the detection device to make the call to the fire department with a prerecorded message.

You should also have your fire detection solution shut down the HVAC because it could carry smoke through the ventilation system.

For the Security+ exam, you need to be familiar with the different classes of fires and what suppression method is used to extinguish each type of fire. The following is a quick rundown on the different classes of fires:

Class A
Class A fires are known as common combustible fires and include the burning of wood, paper, cloth, or plastic. To put out these fires, you should have a suppression method that uses water or soda-acid (Class A fire extinguisher).

Class B
Class B fires are considered liquid fires and include the burning of gas, oils, tars, solvents, and alcohol. With these types of fires, you cannot use water; instead, you must take the oxygen away by using CO2 or FM-200 extinguishers.

Class C
Class C fires include the burning of electrical components and equipment. In the past, these fires were extinguished with Halon gas, CO2, or a nonconductive extinguishing agent such as FM-200. Using Halon is no longer recommended because it is ozone depleting, but CO2 and FM-200 extinguishers are still used and can be used on Class B or Class C fires.

Class D
Class D fires include the burning of combustible metals such as magnesium and sodium and require a suppression method that uses dry chemicals.

20
Q

Cable Locks

A

Be sure to include cable locks, also known as lockdown cables, on any hardware that can be easily stolen, such as monitors, projectors, and laptops.

21
Q

Screen Filters

A

Organizations that work with sensitive data, such as medical information, should put screen filters (aka privacy filters) on their computer monitors to help keep the information displayed on them private by limiting the view from persons walking past the screens.

22
Q

Cameras (Video Surveillance)

A

A big part of physical security today deals with implementing closed-circuit television (CCTV) or other video-monitoring technologies. CCTV involves having video cameras set up to monitor areas of the facility and having that information sent to computer screens in a central security area where security personnel are monitoring for suspicious activity. CCTV monitoring systems are used to monitor and record activity within the facility and keep that video feed private to the organization.

Today’s monitoring systems are a little more advanced because the owner of the equipment can now connect to the camera from across the Internet to view the captured video live. Most monitoring systems today can also record the captured video to remote locations across the network, such as to a central server.

23
Q

Motion Detection

A

Today’s video-monitoring solutions have built-in motion detectors that allow the camera to record only after the system detects movement. This gives you the added benefit of saving disk space and not having to review hours of video that shows no activity.

24
Q

Logs

A

To control access to the facility, an organization should have a central person managing keys and logging when keys are given out and when they are returned. More modern key management solutions require people to enter their user credentials to gain access to a subset of keys found within a safe. The system logs the time at which the keys are removed from the safe and the time at which they are placed back into the safe.

25
Q

Infrared Detection

A

A more advanced method is infrared detection. Infrared detectors sense infrared radiation, sometimes called infrared light, which effectively sees a difference between objects of different temperatures. As an example, a person is much warmer than objects in a room and easily stands out using an infrared detector. This can help eliminate false alarms by sensing not just motion, but motion from objects of different temperatures.

26
Q

Key Management

A

To control access to the facility, an organization should have a central person managing keys and logging when keys are given out and when they are returned. More modern key management solutions require people to enter their user credentials to gain access to a subset of keys found within a safe. The system logs the time at which the keys are removed from the safe and the time at which they are placed back into the safe.

27
Q

Bonus - Access Systems

A

An organization can control access to the facility with a number of methods known as access systems. Components that are part of an access system can be considered fail-safe or fail-secure. The following outlines their differences:

Fail-safe
A fail-safe device responds by not doing anything to cause harm when the failure occurs. For example, if a lock fails, it defaults to being unlocked so that people can enter or exit. This is also known as fail-open because the door will default to being open.

Fail-secure
A fail-secure device responds by making sure that the device is using a secure state when a failure occurs. For example, if a lock fails and it is a fail-secure lock, it will default to a locked state. This is also known as fail-close because the door will default to being locked and cannot be opened.