Protecting the physical assets of a company is just as important as protecting the digital information. Physical security refers to protecting buildings and the assets and people in it. The same methods that apply to information security apply to physical security. First, the assets and their vulnerabilities, threats, and risks must be identified, and then the appropriate access controls and other safeguards can be implemented. Common threats concerning physical security measures are unauthorized intruders and employees, theft and damage to equipment, fire and water, severe weather, cold and heat, and electromagnetic interference (EMI). The corresponding risks – the likeliness of one of these threats actually becoming an incident – usually cannot be eliminated entirely. The main goal is to reduce the risks and make your facility a less attractive target.
Physical access controls are the first line of defense. Why would a hacker try to penetrate a firewall and crack authentication systems when he can just walk into the company’s building and steal an entire server instead? Physical access controls should be in place to control access to office buildings and other facilities, the rooms in it, as well hardware, network media, and data storage media. The exact type of and need for access controls differs a lot per organization. A military base or government agency obviously requires a more advanced multi-layered security system then the average dot com organization.
Thieves are opportunist. Unless someone is targeting your company in particular, they are most likely to go for the easier targets, those that lack proper physical security. Visible physical security measures can be both a physical and a psychological barrier. Proper lighting inside and outside the building, cameras, security guards, or a sign that says: “Trespassers will be shot” makes a potential intruder at least think twice before entering the premises. The most common example of a physical barrier is of course a wall. Walls, as well as floors, ceilings, and roofs, are used to create interior and exterior perimeters. They provide protection against the forces of nature and intruders, and allow different security zones to be established within a building. Some organizations take it a step further, and establish a secure perimeter around the building. The most common form of perimeter security is fencing, often combined with several rows of barbed wire. Fences are often used merely to deter a potential attacker, but there are several enhancements that can turn a fence into a serious means of protection. For example, vibration sensors can be attached to the fence and sound an alarm when someone tries to climb over or cut through it. The ground below the fence can be replaced by concrete blocks to prevent an intruder from digging under the fence.
Another deterrent physical barrier, that is easy and inexpensive to implement, is lighting. Thieves often strike in the darkness of the night, hence a well-lit building and perimeter will discourage many of them. Cameras and security guards will easier detect an intruder who does intrude the premises when the proper lighting is present. Cameras, such as the commonly used Closed Circuit TV (CCTV) systems, and security guards add an additional layer of security. Cameras do not directly prevent an intrusion, but can detect it. Intrusion detection, by a camera or security guard for example, allows a response to keep the damage of the intrusion to a minimum and possibly apprehend the perpetrator.
In addition to providing the obvious protection against intruders, fences, walls and other physical barriers force people to use an entrance, such as a door or gate. Locks, guards and other security systems can control access thru these entrances. Locks come in many shapes and sizes and knowing the different types is beyond the scope of CompTIA’s Security+ exam. Something mentionable about locks in general is the difference between fail-safe and fail-secure. A digital lock that requires an access code as a ‘key’ requires a power source. Fail-secure means that if the lock fails, i.e. by cutting off the power, it should lock and still be secure. Fail-safe locks unlock when the power fails. Someone in the organization should be responsible for issuing and managing keys and keeping a log with legitimate key holders. Keys should not be shared with others and only the person who issues the keys should be allowed to order duplicates. Extra security measures should be implemented for server rooms and other restrictive areas. Only authorized IT personnel should be allowed to enter the server room and have physical access to servers, routers, and other networking and storage equipment. By using electronic keys, authorized personnel can be granted access to different facilities and areas and identify themselves with the personalized key.
In smaller and medium-sized building, the receptionist or door attendant usually knows and can identify all of the employees by face. In a large facility or office complex with many employees and possible different companies, as well as in high secure facilities in general, other types of identification and authentication can be necessary. A very common type of identification is the use of ID badges that employees must show to a security guard or scan at an electronic key reader. The latter can be used at the main entrance, but also to provide access to different areas and rooms in the facility. Military and other facilities that must be highly secure can use biometrics to authenticate personnel before allowing access. Biometrics are covered in more detail in chapter 3. Authentication. In addition to employees, a facility often receives visitors such as clients, business partners, and other guests. Visits must be announced and authorized in advance. Ideally, the visitor should wait at the entrance or in a waiting room until the host can personally identify the visitor and escort him or her to the destination inside the facility.
As I mentioned in the Attacks chapter, social engineering attacks are common in the world of physical security as well. The two most common attacks, which we have all seen in the movies, are diversion and impersonation attacks. Diversions can be anything from a highly attractive individual to a senior in a wheelchair faking a heart attack. The goal is to draw away the guards’ attention from the actual intruder. Impersonation attacks involve an intruder who is pretending to be someone with a legitimate reason for visiting. For example, a repairman, pizza delivery guy, or even a security guard. This usually involves using a fake ID in addition to wearing the right outfit.
A common trick to gain unauthorized access to a facility is piggybacking. This refers to pretending to be accompanying another person or group entering the building. A mantrap can prevent such an intrusion by ensuring that when a single person is authenticated, only a single person actually enters the building. A mantrap is basically a small room with two doors. When the employee or visitor passed the first door and is inside the mantrap, a security guard or other authentication method can be used to determine whether the second door should be opened and access granted.
Instead of avoiding intrusion detection systems and alarms, an attacker may try to have the systems turned off by the owner by causing false alarms. For example, by throwing stones from a distance towards motion detection systems causing an alarm to sound every 10 minutes for an hour, the owner or a security guard may end up turning off the system and assume the system needs repairing. This is also known as a “cry wolf” attack.
Just as people prefer to live in a safe neighborhood, organizations often take the quality of the neighborhood and the neighbors into consideration when choosing a location for an office or other facility. Statistics about population, crime rate, and proximity of competitors can play an important role. As with anything in the realm of security, choosing the location with security in mind is often a trade off between safety and accessibility. You can go a couple of miles underground and do the Area 51-thing in the middle of a desert, but that’s often not within the budget and your employees probably want to get home in time for dinner. In many cases, a company looking for a new office will worry more about the price vs. office and parking space when choosing a location, rather than considering security a serious factor in every aspect. In other cases, it is more obvious; a military base or secret research facility deserves an entirely different approach.
Some organizations want to make sure they are visible others don’t. But for most office buildings, it is important to be visible and to be in a populated area, preferably in or near a big city. In addition to considering the threats in a certain environment, the environment itself can provide some degree of security. An attempt to intrude a building in a highly populated area is more likely to be noticed by someone and therefore a less attractive target. Highly secure facilities that are located in areas that are more rural can benefit from the landscape. For example, hills and mountains can reduce visibility and rivers deserts can be used as a natural physical barrier.
Another aspect of the environment is the interior of the building. Temperature and humidity levels must be at a convenient level for the people inside the building, but also for the electronic equipment. The latter requires different temperature and humidity levels to operate properly and extend their lifespan. Heating is usually not required in server rooms and data centers. As the equipment itself produces a lot of heat already, proper ventilation and air conditioning systems need to be installed to keep the areas cool and keep the humidity level at an acceptable level. If the humidity level is too high, it can lead to corrosion and rust. When the humidity level is relatively low, chances of static electricity damaging electronic equipment increase. Heat redraws moisture from the air, resulting in lower humidity. Proper airflow, fans, and air conditioning is essential to prevent damage by the environment itself. Servers and other vital equipment in data centers often contain environmental sensors that monitor chips and the interior. In an ideal situation, these sensors are connected to a central monitoring station and are combined with additional environmental sensors in the room itself. The central station should be able to notify administrators by pager, email or other means of communication.
Physical security also pertains to the network media. An attacker may be able to compromise confidentiality, integrity, and availability of information by tapping into network media, or eavesdropping on signals that leak from the network media. This is obviously an extra challenge when using wireless networks. To plug-in to a wired network, the attacker would have to get inside the building a plug-in a network cable in a wall socket or directly into a hub or switch. A wireless network however, may be accessible from outside the building if it is not designed properly. Carefully considering the locations of wireless access points by conducting a thorough site survey can reduce the risk of an attacker gaining unauthorized access to a wireless network from outside the building. Additionally, shielding on windows and in walls can aid in restricting emission of signals to a certain area.
Smoke and fire alarms can be stand-alone battery-operated devices that are useful primarily when there are people around that need to be evacuated and can call the Fire Department. More advanced smoke alarms can be wired to a central system that controls a sprinkler system and can notify the Fire Department automatically. Fire and heat can be devastating to electronic equipment and storage media, but a water sprinkler can do a lot of damage too. Electrical fires, such as in a server room or data center, require a special suppression method. Instead of using water, a substance such as Carbon Dioxide (CO2) or Halocarbon should be used for suppression of electrical fires, also referred to as Class C fires. The C classification means the suppression substance is non-conductive. In addition to notification and fire suppression, some systems provide other active responses such as automatic shutdown of electrical systems and extraction of smoke and/or oxygen from the room.
Regular inspection of the fire alarms and suppression systems is just as important as using the right tools in case of a fire. Also ensure employees are prepared for emergencies by practicing fire evacuation drills regularly. Evacuation plans should be available to all employees and visitors of a building and clearly describe how to get to the nearest exit point in case of a fire.