Lesson 21 Explaining Physical Security Flashcards
Physical access
Physical access controls are security measures that restrict and monitor access to specific physical areas or assets.
industrial camouflage
Industrial camouflage makes buildings and gateways protecting high-value assets inconspicuous, or creates high-visibility decoy areas to draw out potential threat actors.
proximity reader
A proximity reader detects the presence of a physical token, such as a wireless key fob or smart card.
turnstile
A turnstile is a type of gateway that only allows one person through at a time.
mantrap
A mantrap is where one gateway leads to an enclosed space protected by another barrier.
Card cloning
Card cloning—this refers to making one or more copies of an existing card.
A lost or stolen card with no cryptographic protections can be physically duplicated.
Skimming
Skimming—this refers to using a counterfeit card reader to capture card details, which are then used to program a duplicate.
e.g., skimmers installed on ATMs.
Malicious USB charging cables and plugs
Malicious USB charging cables and plugs—a device may be placed over a public charging port at airports and other transit locations.
A USB data blocker can provide mitigation against these juice-jacking attacks by preventing any sort of data transfer when the smartphone or laptop is connected to a charge point.
Alarm Systems and Sensors
Circuit
Circuit—a circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm.
This could be caused by a door or window opening or by a fence being cut. A closed-circuit alarm is more secure because an open circuit alarm can be defeated by cutting the circuit.
Motion detection
Motion detection—a motion-based alarm is linked to a detector triggered by any movement within an area (defined by the sensitivity and range of the detector), such as a room.
The sensors in these detectors are either microwave radio reflection (similar to radar) or passive infrared (PIR), which detect moving heat sources.
Noise detection
Noise detection—an alarm triggered by sounds picked up by a microphone.
Modern AI-backed analysis and identification of specific types of sound can render this type of system much less prone to false positives.
Proximity
Proximity—RFID tags and readers can be used to track the movement of tagged objects within an area.
This can form the basis of an alarm system to detect whether someone is trying to remove equipment.
Duress
Duress—this type of alarm is triggered manually by staff if they come under threat.
AI and machine learning smart physical security:
Motion recognition
Motion recognition—the camera system might be configured with gait identification technology.
This means that the system can generate an alert when anyone moves within sight of the camera and the pattern of their movement does not match a known and authorized individual.
Object detection
Object detection—the camera system can detect changes to the environment, such as a missing server, or an unknown device connected to a wall port.
Robot sentries
Robot sentries—surveillance systems (and in some cases weapon systems) can be mounted on a wholly or partially autonomous robot.
Drones/UAV
Drones/UAV—cameras mounted on drones can cover wider areas than ground-based patrols.
air gapped
An air-gapped host is one that is not physically connected to any network.
Such a host would also normally have stringent physical access controls, such as housing it within a secure enclosure, validating any media devices connected to it, and so on.
An air gap within a secure area serves the same function as a demilitarized zone. It is an empty area surrounding a high-value asset that is closely monitored for intrusions. As well as being disconnected from any network, the physical space around the host makes it easier to detect unauthorized attempts to approach the asset.
vault
A vault is a room that is hardened against unauthorized entry by physical means, such as drilling or explosives.
protected distribution system (PDS)
A protected distribution system (PDS) is a physically secure cabled network. There are two principal risks:
- An intruder could attach eavesdropping equipment to the cable (a tap).
- An intruder could cut the cable (Denial of Service).
A hardened PDS is one where all cabling is routed through sealed metal conduit and subject to periodic visual inspection.
Faraday Cage
A Faraday cage is a shielded enclosure within which communications equipment is installed. The cage is a charged conductive mesh that blocks signals from entering or leaving the area.
hot aisle/cold aisle arrangement
In a hot aisle/cold aisle arrangement, servers are placed back-to-back rather than front-to-back, so that the warm exhaust from one bank of servers does not form the air intake for another bank.
Fire suppression systems
Fire suppression systems work on the basis of the fire triangle.
The fire triangle works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn.
Removing any one of those elements provides fire suppression (and prevention).
Wet-pipe sprinklers
Wet-pipe sprinklers work automatically, are triggered by heat, and discharge water.
Wet-pipe systems constantly hold water at high pressure.
There are several alternatives to wet-pipe systems that can minimize the damage that may be caused by water flooding the room.
- Dry-pipe—these are used in areas where freezing is possible; water only enters this part of the system if sprinklers elsewhere are triggered.
- Pre-action—a pre-action system only fills with water when an alarm is triggered; it will then spray when the heat rises. This gives protection against accidental discharges and burst pipes and gives some time to contain the fire manually before the sprinkler operates.
- Halon—gas-based systems have the advantage of not short circuiting electrical systems and leaving no residue. The use of Halon has been banned.
- Clean agent—alternatives to Halon are referred to as “clean agent.” As well as not being environmentally damaging, these gases are considered nontoxic to humans. The gases both deplete the concentration of oxygen in the area and have a cooling effect. CO2 can be used too, but it is not safe for use in occupied areas.
Media sanitization and remnant removal
Media sanitization and remnant removal means erasing data from hard drives, flash drives/SSDs, tape media, CD and DVD ROMs before they are disposed of or put to a different use. Paper documents must also be disposed of securely.
Data remnants
Data remnants can be dealt with either by destroying the media or by purging it (removing the confidential information but leaving the media intact for reuse).
One approach to sanitization is to destroy the media, rendering it unusable. There are several physical destruction options:
- Burning—incineration is an effective method for all media types, so long as it is performed in a furnace designed for media sanitization. Municipal incinerators may leave remnants.
- Shredding and pulping—most media can be shredded. Pulping the shredded remains with water or incinerating them provides an extra measure of protection.
- Pulverizing—hitting a hard drive with a hammer can leave a surprising amount of recoverable data, so this type of destruction should be performed with industrial machinery.
- Degaussing—exposing a hard disk to a powerful electromagnet disrupts the magnetic pattern that stores the data on the disk surface. Note that SSDs, flash media, and optical media cannot be degaussed, only hard disk drives.
Files deleted from a magnetic-type hard disk
Files deleted from a magnetic-type hard disk are not erased. Rather, the sectors are marked as available for writing and the data they contain will only be removed as new files are added.
standard method of sanitizing an HDD
The standard method of sanitizing an HDD is called overwriting.
This can be performed using the drive’s firmware tools or a utility program. The most basic type of overwriting is called zero filling, which just sets each bit to zero.
Single pass zero filling
Single pass zero filling can leave patterns that can be read with specialist tools.
A more secure method is to overwrite the content with one pass of all zeros, then a pass of all ones, and then a third pass in a pseudorandom pattern.
Secure Erase (SE) command
The Secure Erase (SE) command can be invoked using a drive/array utility or the hdparm Linux utility.
On HDDs, this performs a single pass of zero filling.
On SSDs, the SE command marks all blocks as empty. A block is the smallest unit on flash media that can be given an erase command.
Instant Secure Erase (ISE)
Instant Secure Erase (ISE)—HDDs and SSDs that are self-encrypting drives (SEDs) support another option, invoking a SANITIZE command to perform a cryptoerase.
With an SED, all data on the drive is encrypted using a media encryption key.