Chapter 15

Understanding the Importance of Physical Security Controls

This chapter covers the following topics related to Objective 2.7 (Explain the importance of physical security controls) of the CompTIA Security+ SY0-601 certification exam:

  • Bollards/barricades

  • Access control vestibules

  • Badges

  • Alarms

  • Signage

  • Cameras

    • Motion recognition

    • Object detection

  • Closed-circuit television (CCTV)

  • Industrial camouflage

  • Personnel

    • Guards

    • Robot sentries

    • Reception

    • Two-person integrity/control

  • Locks

    • Biometrics

    • Electronic locks

    • Physical locks

    • Cable locks

  • USB data blocker

  • Lighting

  • Fencing

  • Fire suppression

  • Sensors

    • Motion detection

    • Noise detection

    • Proximity reader

    • Moisture detection

    • Cards

    • Temperature

  • Drones

  • Visitor logs

  • Faraday cages

  • Air gap

  • Screened subnet (previously known as demilitarized zone)

  • Protected cable distribution

  • Secure areas

    • Air gap

    • Vault

    • Safe

    • Hot aisle

    • Cold aisle

  • Secure data destruction

    • Burning

    • Shredding

    • Pulping

    • Pulverizing

    • Degaussing

    • Third-party solutions

In a facility, nothing is more important than keeping your workforce safe from any and all potential injuries. When heavy machinery operates in close proximity to your employees, damage prevention products should always be leveraged to offer total warehouse protection.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Chapter Review Activities” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 15-1 lists some of the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 15-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section

Questions

Access Control Vestibules

1–2

Cameras

3

Personnel

4–5

Locks

6–7

Sensors

8

Secure Areas

9

Secure Data Destruction

10

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following access controls allows security guards to view visitors prior to access engagement and entry?

  1. Access control vestibule

  2. Bollard

  3. Barricade

  4. Guard station

2. Which of the following helps control access in and out of a facility?

  1. Fencing and guard gates

  2. Bollards and barricades

  3. Access control vestibules

  4. Signage and dogs

3. Which motion detection method uses infrared or laser technology as its primary method?

  1. Radar detection

  2. Optical detection

  3. Object detection

  4. Proximity detection

4. What sort of guard can patrol an area 24/7/365 with very little downtime?

  1. Patrol cars

  2. Reception desk

  3. Armed guards

  4. Robot sentries

5. The reception desk plays a critical role in physical security controls of most companies. How do receptionists accomplish such a critical role?

  1. They greet visitors with a smile and ask their names.

  2. They place visitors in a vestibule until they provide ID.

  3. They provide visitors with a tracking beacon.

  4. They verify the identity of visitors, contact the employees being visited, and hold guests until they are picked up.

6. Which type of lock uses a fingerprint to unlock a device?

  1. Cable lock

  2. Key lock

  3. Multifunction lock

  4. Biometric lock

7. Which lock type requires a skeleton key?

  1. Warded/lever lock

  2. Skeleton door

  3. Master lock

  4. Cyclone dutch

8. Which type of sensor can read when something is nearby?

  1. Moisture

  2. Noise

  3. Proximity

  4. Temperature

9. Which place can you safely and securely have people working inside?

  1. Safe

  2. Crate

  3. Vault

  4. None of these answers are correct.

10. Which secure data destruction method is best for hard drives and other forms of magnetic media?

  1. Burning

  2. Degaussing

  3. Rivets

  4. Pulverizing

Foundation Topics

Bollards/Barricades

A bollard is a standalone post, typically steel, short, and sturdy and anchored in a hard surface such as concrete (see Figure 15-1). This low-profile, post-shaped deterrent is built with the purpose of blocking vehicle movement from certain directions, while allowing for full pedestrian movement. Bollards are designed to withstand high impacts and deflect potential blows away from the object or area they are in place to protect.

A photograph shows a concrete platform area with several bollards placed along the edge.

FIGURE 15-1 Bollards

Various bollard types offer different levels of protections. There is a rating system for the standards by which these bollards and barriers are judged. The standards are based on perpendicular impact at a certain speed (K), with the highest rating indicating the strongest protection, such as a vehicle ramming this bollard/barrier at a higher speed.

Antiram bollards are security bollards that prevent vehicles from crashing through them. There are different levels of antiram bollards. K4, K8, and K12 ratings offer various levels of protections against different size vehicles.

Safety bollards give a warehouse or distribution center a path/road definition, diverting traffic and intrusions. If traffic flow matters in your warehouse, these bollard types matter; they also are used inside warehouses to protect people, goods, and equipment.

Architectural and landscaping bollards offer a similar function. They may differ in that they are more focused on aesthetics than function, though function is still achieved.

Barricades or barriers are just like guardrails (see Figure 15-2). Typically used as a material-handling solution, they offer more linear protection than bollards. Barriers prevent both people and vehicle movement across a large area. They are typically constructed of steel or concrete and are designed with the goal of protection.

A photograph shows several barricades placed across a road, with no gap between them.

FIGURE 15-2 Barricade

Barriers are used to protect wide stretches of racking and walls in a facility. They are mounted to the floor, with a small amount of space between the barriers and protected assets in case of impact. They also are used at the ends of racks and to protect utilities, around machines and conveyors, and anywhere you want to designate and segregate a space. Guardrail barriers are typically painted a highly visible yellow color and can be used to define the working areas in a facility.

Access Control Vestibules

Security vestibules are an excellent access control addition to any facility protection plan. These are purpose-built entries with panels built from prefabricated composite or metal and are used as a way for companies to control the traffic flow in their facilities, providing security with a clear view of those entering. The vestibule is configured to ensure one of the doors to the entrance is always closed, which also reduces the hot/cold air that escaping from the building. These vestibules are especially useful for companies or buildings with high traffic if a door is opened frequently. In much the same way, vestibules can boost a facility’s security, as illustrated in Figure 15-3.

A simulation of glass vestibule is shown.

FIGURE 15-3 Access Control Vestibule

Access control vestibules provide a buffer zone to the entrance of a facility, as well as an additional layer of physical security and access control. Because they use interlocking doors, a trap is created; both sets of doors cannot be opened at a single time. With the vestibule/trap entry being monitored and controlled at all times, your security team can ensure the person attempting to enter the building has the clearance to do so. Security vestibules can also incorporate additional security measures into the design, such as PIN pads or badge scanners, depending on your facility’s needs.

Badges

An access badge is a credential used to gain entry to an area having automated access control entry points. Entry points may be doors, turnstiles, parking gates, or other barriers. Access badges use various technologies to identify the holder of the badge to an access control system. The most common technologies are proximity readers, barcodes, smart cards, and various biometric devices. Magnetic strip cards are fading from use. The access badge contains a number that is read by a card reader. This number is usually called the facility code, and it is sent to an access control system—a computer system that makes access control decisions based on information about the credential. If the credential is included in an access control list, the access control system unlocks the controlled access point. The transaction is stored in the system for later retrieval; reports can be generated showing the date/time the card was used to enter the controlled access point.

A reader radiates a one- to five-inch electrical field around itself. Cards use a simple LC circuit. When a card is presented to the reader, the reader’s electrical field excites a coil in the card. The coil charges a capacitor and in turn powers an integrated circuit. The integrated circuit outputs the card number to the coil, which transmits it to the reader. The transmission of the card number happens in the clear; it is not encrypted. With basic understanding of radio technology and of card formats, proximity cards can be hacked.

A smart card or integrated circuit (IC) card is a physical electronic authorization device that is used to control access to a resource. It is typically a credit card–sized plastic card with an embedded IC chip, as illustrated in Figure 15-4. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, finances, mobile phones (SIM), public transit, computer security, schools, and health care. Modern credit cards have this IC built in for stronger protection. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations.

A photograph of a Simcard revealing the side with the chip.

FIGURE 15-4 Smart Card

Alarms

Alarms are the most basic definition of any security system. They are literally a means or method by which something is secured through a system of interworking components and devices. In this instance, we’re talking about facility security systems, which are networks of integrated electronic devices working together with a central control panel to protect against burglars and other potential intruders.

A typical security alarm system includes

  • A control panel, which is the primary controller of a security system

  • Door and window sensors

  • Motion sensors, both interior and exterior

  • Wired or wireless security cameras

  • A high-decibel siren to draw attention

  • A premises sign and window stickers

Alarms provide greater protection when they are tied into the badge and control systems. If unauthorized cards or users try to gain access to a room or facility that they are not authorized to be in, the alarm can be silent and warn the security desk or can be audible and warn these persons that their presence has been noticed.

Signage

Security sign placement provides an extra layer of security in addition to an active security system. When it comes to deciding what type of security measures you want to take, the first step is assessing your property type and risk of loss. If you are protecting a private property, even a vague sign referencing a security system is usually enough to deter break-ins and burglaries. After all, thieves are looking to get in and out as quickly as possible. Having signs around a facility indicating surveillance can be an effective way to deter impulsive burglars. Strategically placing signs near back entrances and easy-access windows helps improve overall safety. Thieves will check for unlocked doors and windows first, trying to avoid breaking glass or making too much noise. Seeing a sticker that indicates an alarm will sound off once opened instills fear and is likely to send the perpetrators away. Even a “beware of dog” sign has been proven to deter potential threats, regardless of whether a dog is actually present. Beyond security signage at a facility, other signage provides direction and guidance for staff and visitors, ensuring expectations are clear and identifying the repercussions for failure to abide by those signs, as illustrated in Figure 15-5.

A trespassing signage is shown.

FIGURE 15-5 Signage

Cameras

As mentioned in Chapter 13, “Implementing Cybersecurity Resilience,” security cameras can triple your monitoring area from a single point to many. In the physical security world, access control is used to restrict access by unauthorized personnel to a property, building, or room. IP video cameras are a type of digital video camera used for surveillance; they differ from analog closed-circuit television (CCTV) cameras by being able to send and receive data over a computer network or via the Internet.

There are two types of IP cameras: centralized and decentralized. Centralized cameras require a central network video recorder (NVR), whereas decentralized cameras have built-in recording functionality and store video locally on flash memory, network attached storage (NAS), or hard disk drives.

Other components that are features of security cameras include

  • Motion recognition: Newer cameras and software can recognize that something moved or changed position relative to its surroundings or the surroundings of the object. The two principal methods by which motion can be electronically identified are optical detection and acoustic detection. Infrared or laser technology is primarily used for optical detection. Optical detectors convert incoming optical energy into electrical signals. The two main types of optical detectors are photon detectors and thermal detectors. Photon detectors produce one electron for each incoming photon of optical energy. The electron is then detected by the electronic circuitry. Motion detection devices, such as passive infrared (PIR) motion detectors, have a sensor that detects a disturbance in the infrared spectrum. Once detected, a signal can activate an alarm or a camera that can capture an image or video of the motion and start recording the event.

  • Object detection: Certain cameras and their systems can evaluate and detect objects and the world around them. By constantly scanning and evaluating a specific area, a system can be trained to classify objects and detect when a change has taken place. A lot of newer facial recognition systems now have this capability, and although this newer field is still being developed, there are a lot of applications. When evaluating an area, You Only Look Once (YOLO) is the fastest method and therefore most-used real-time object detection system. Basically, it applies a single process to the full image, dividing it into regions. Then the network predicts bounding boxes and probabilities for each region; this allows the system to make comparisons with previous items (trained) on the system.

Closed-Circuit Television (CCTV)

Closed-circuit television (CCTV) is mainly an older analog technology, where you build out a coaxial cable network and connect cameras to the cable. All cables lead back to a distribution system and then to a DVR and security monitors. One of the issues with CCTV is that it requires you to build a completely separate network, one that may be alongside your IP (data) network. In industrial plants, CCTV equipment may be used to observe parts of a process from a central control room—for example, when the environment is not suitable for humans. CCTV systems may operate continuously or only as required to monitor a particular event.

Newer CCTV can use digital video recorders (DVRs), which provide recording for hours to many years, with a variety of quality and performance options and extra features like motion detection. Most CCTV systems are being replaced by IP camera networks although they are still being called CCTV; the concept behind CCTV is that it is a surveillance tool. Cameras, whether they are real or dummy, provide a deterrent from attackers because they are fearful of being recorded and later prosecuted. Placing cameras at egress and ingress spots around facilities ensures security guards are able to attend to issues that may be missed by the cameras, and they provide backup and evidence for solving crimes.

Industrial Camouflage

The goal of industrial camouflage is to deceive the view of the viewers, in an attempt to provide them with either a blended image where the surrounding scenery and the camouflaged structure appear as one, or to have them believe the structure is something else entirely. For example, roofs are planted with grass or even with small shrubs that match their surroundings; placing trees strategically provides even better concealment and natural irregularity of light and shadows.

During World War II, after the attack on Pearl Harbor, the Lockheed plant put in place an extremely elaborate visual deception to convince planes at 5,000 feet or greater to see fields and houses, by painting parking lots various colors of green and by scattering fake house roofs around the top of the plant, along with camouflage chicken wire and painted feathers. In modern times, military forces wear clothing and machinery with camouflage patterns. Likewise, data centers surround their premises with trees, bushes, and other vegetation and implement low-profile security measures around the perimeter to blend in with the surroundings.

Personnel

The people a company hires are its number one asset; they are also included among the company’s other lines of defense. Hiring the right people goes beyond assessing their capabilities, expertise, and ingenuity. Being loyal to a company may be a thing of the past, but companies must build programs to educate employees about protecting their jobs by protecting the company’s intellectual property. Hiring guards, sentries, and reception desk personnel who put security first is a must; they all act together to offer the following security benefits:

  • Guards: Among a company’s first lines of defense/offense are security guards. Guards who are deployed at ingress/egress points can reduce tailgating, verify the identity of scanned ID cards, and ensure that property does not leave the premises. Guards patrol the internal and external building space and ensure unauthorized persons are apprehended or removed.

  • Robot sentries: Robot sentries act as 24/7/365 guards, continuously monitoring and alerting on differentials. They report anything out of the ordinary to the security desk/office, where the security team can deploy additional personnel to address any potential breach or other issues. Robots help extend the monitoring capabilities of security guards by having an always-watchful eye.

  • Reception: The reception desk places a friendly face in front of visitors, essentially a buffer zone keeping strangers from accessing anyone in the company. Receptionists vet the people attempting to gain access to the facility or particular employees. They do this in a number of ways—first by checking IDs, next by verifying with the employees, and also by providing visitor badges. These visitor badges alert employees as to where these persons are or are not supposed to be. Receptionists contact the appropriate person to verify visitors are indeed in the facility for a meeting, for example, and keep the visitors at the registration desk until they are picked up by the employee meeting with them. This line of defense prevents unknown people, including potential attackers, from roaming the halls and accessing employees’ desks, equipment, and other critical parts of the building.

  • Two-person integrity control: Integrity controls usually include an escort who is assigned to a particular person doing work in a high-risk area, such as a data center, where a single person can cause massive amounts of damage in a few minutes. One of the two people is there as an observer (or escort); this person monitors the one performing the work and ensures that person is performing work exactly as described in the change request. The monitor can also question any variance and can stop the implementer if he or she feels that person is not following guidelines and will report any variance or unusual or suspicious activity immediately to supervisors.

Locks

Locking all doors, windows, and ingress/egress points of a facility is not only good advice for business but also for homes. Open doors, windows, and gates are an invitation for mischief. Security computer cables can lock laptops, projectors, and other assets so that they cannot be removed from the facility. By locking portable and expensive assets, you make them unmovable, thereby protecting them from being taken and protecting the data on those devices. The following options are available for locks:

  • Biometrics: Covered in earlier chapters in greater detail, biometrics provide a unique way of making sure people are who they say they are by monitoring/matching human characteristics such as a fingerprint, retina, or voice. Biometric controls and locks add to the security-layered approach to physical security controls.

  • Electronic locks: These locks usually have a magnetic strike plate and are energized to keep the magnet engaged until authorization is given to disengage, thereby releasing the magnetic hold. Most newer electronic locks—even those for homes—now require a PIN code, a fingerprint, a retina scan, or an ID badge. Electronic locks can be configured to report when opened or closed and who accessed them and when. They can also be controlled by a security desk so that access is denied until the appropriate identity is confirmed.

  • Physical locks: These locks have been around for hundreds of years; they can have digital codes, tumblers, keys, or sliding dials with numbers. Locks have levers and interior notches to correspond with the ward (notch); these are called lever or warded locks. They protect the front door of many businesses; they even protect your home. These locks vary in style, type, and capability. Many of them are trivial to pick, so anyone with basic lock-picking skills can easily pick most of them. Newer, anti-lock-picking locks with complex tumblers and drop-down pins ensure these locks are nearly invincible.

  • Cable locks: These locks are typically deployed to attach secure items to stable, heavy equipment in a room; that is, something that is not easily removed. You could use a computer cable lock that connects a laptop computer to a desk or a projector to its cart or stand. Cable locks have been used to lock bikes to bike stands or fences for a very long time. Although these devices don’t stop determined thieves, they do slow them down and could allow enough time for another monitoring/deterrent system to kick in.

USB Data Blockers

Anywhere there is intellectual property or data classified at a high level, you will find that computers have their USB ports disabled, or they are enabled to support only a keyboard and mouse. In the past we have seen where newer attack tools can mimic a mouse or keyboard; fortunately, many companies and government agencies are utilizing security device lockdown software called data blockers that can detect the emulation USB device that has been placed in the device and can promptly disable usage, as well as report the exploit to the security operations center (SOC). USB data blockers ensure people, employees, visitors, and attackers are unable to steal data with a USB thumb drive from a corporate computer by disabling the USB function.

Another type of USB data blocker is a USB charge-only device. These are not the same as the other blockers. USB charge-only cables and devices are typically used to protect a user’s phone or personal items from being attacked by a back-end system that is capable of reading the device input and running an attack to exploit the device to steal data. These USB data blockers or charge-only cable/devices have several pins removed so that data is unable to traverse the USB cable. You may see these free charging stations at airports, hotels, and office lobbies. If you have the appropriate cable or device (charge only), then you can feel safe to use it; otherwise, it is always best to use a normal power plug. These USB data blockers have also been called USB condoms.

In a typical attack that has been successfully executed many times, an attacker drops backdoored USB drives in a common area, parking lot, or break room. When someone picks up the USB drive and inserts it into a system, it automatically launches and installs malware.

Lighting

Lighting inside and outside a building can provide various levels of protection and safety for employees and the facility. Knowing there is lighting everywhere can also serve as a deterrent for potential attackers because it’s possible for cameras to pick up any movement. Planning is required to design and deploy lighting appropriately to ensure there are no dark spots and to provide safety for employees and the facility.

Building lighting and autosensing light switches can provide safety and visibility as well as reduce power requirements. Newer lighting is direct current (DC) based; because lights are now mostly LED based and do not require 110V, they can operate on 5V. As a result, entire DC power distribution systems have been developed.

Employee and visitor parking lot lighting is vital to the safety of your employees and guests. You must ensure that lights in these areas overlap sufficiently to avoid dark spots or shadows. Having higher-power lighting at ingress and egress spots that are on separate controls and can be used during attacks or emergencies provides highly visible paths to certain spaces.

Fencing

Physical access controls consist of the systems and techniques used to restrict access to a security perimeter and provide boundary protection. One of the major defenses includes fencing and fence-monitoring systems. Fencing is usually the first line of defense at the perimeter of a property. Therefore, deploying the right fence for the right level of protection is important. Today’s fences include crash barrier bollards and control lines to ensure that a rushing vehicle cannot pass. Fence-line trembler devices can alert the security desk to motion on the fence. When this approach is combined with other visible methods, such as CCTV, the threat is visible immediately and the impact of the threat is reduced.

Pedestrian barriers should include controlled entry and exit points, locked gates, turnstiles, and electronic access control systems. Fencing can be as simple as wood or chain link or even brick, steel, or wrought iron. Remember, the stronger the fence material, the less likely it will be broken or traversed by criminals. Some safety fences are even made of vinyl and plastics to dissuade people from entering areas that are dangerous or under construction, but you need to ensure signage is appropriate.

Fire Suppression

A fire suppression system is an engineered group of units that are built to extinguish fires through the application of a substance. Most commonly, a fire suppression system has built-in components that detect fires at the beginning stages through heat, smoke, and other warning signals. These are attached to an alarm system that will alert you when the fire has been detected and initiate steps for action to further suppress the fire. Most fire suppression systems automatically release a substance to extinguish the fire after the detection and/or alert. The most common clean agents used to suppress fires are FM200 and Novec 1230; these chemicals do not destroy components like water does.

Most fire suppression systems have a manual application release. It is important to secure this button behind an easy-to-reach-and-activate plastic flip-up wall-mounted box. This setup ensures that the person pressing the button is doing so consciously and not by accidently bumping into it.

When fire suppression systems are triggered, they are usually tied to power cut-off processes, which turn down power at the same time. This reduces chances of the fire continuing to burn while sourced by a device with power, and of someone inadvertently getting electrocuted. Class C fires (energized electrical equipment, electrical fires, and burning wires) are put out using extinguishers based on carbon dioxide. For Class A fires (trash, wood, and paper), water decreases the fire’s temperature and extinguishes flames. For Class B fires (flammable liquids, gases, and greases), foam extinguishes flames. Class D fires involve combustible metals such as magnesium, titanium, and sodium. The two types of extinguishing agents for Class D fires are sodium chloride and a copper-based dry powder.

Sensors

The deployment of sensors is a cost-effective way to enhance and extend monitored areas. They are capable of sensing and monitoring for everything from window and door openings by attackers, to water and gas leaks, to motion detection and much more. Every organization deploys them in some manner. When used in conjunction with other deployed security measures, they can add an extra level of security in a reasonable manner. Many sensors enhance protections by providing notification/alerting for components; they include

  • Motion detection: Motion detection sensors are a linchpin of any security system because they detect when someone is in a location that is not expecting to see motion. These detectors use passive infrared to detect motion and then send an alert to the alarm system or security desk.

  • Noise detection: Noise detection or sound sensors can be anything from glass break sensors to room monitor sensors. If sound is detected where it is not expected, that sound is converted into an electronic signal and then sent to an alarm or alerting system to notify the appropriate security person.

  • Proximity reader: A proximity reader or prox card reader, typically an RFID reader, reads a prox card by placing it near (within proximity of) the reader. The reader sends energy in the form of a field to the card, which powers up the card, allowing the proximity reader to read the information stored on the prox card. Prox cards are used as part of an access control system, and when tied to other verification systems like video, proximity readers can help provide a layered approach to providing physical access to facilities.

  • Moisture detection: Moisture detection systems look at water and humidity under the floor in data centers or in other critical spaces to provide early warning of a leak, flood, or some other release that could cause substantial damage to life and property.

  • Cards: As previously mentioned, badges, ID cards, and access cards are all part of access control systems, making sure that the appropriate person has access to the right place, and unauthorized persons are immediately identified and removed.

  • Temperature: Temperature sensors are placed in data centers, racks, and throughout buildings. In data centers and racks, they ensure equipment doesn’t overheat and cause catastrophic failure of critical assets. In some parts of the building, they work with the HVAC system to ensure it is not too cold or too hot for employees.

Drones

Drone security starts with physical security controls, controlling access to the Drone control systems with protected door access. Authentication methods need to ensure proper access to not only the systems that control the drones but also to the campus, building, and room where the controls are housed. Organizations can put into place drone detection, monitoring, flight restrictions, and jamming to ensure only authorized drones are allowed on or near the facility. You can also set up geofencing on company drones to ensure that they don’t drift outside restricted space. To operate a drone, you are required to register with the Federal Aviation Administration (FAA) and abide by all laws and public safety rules. Drones can be programmed, automated, and configured to patrol the perimeter of your facility, freeing up security guards and giving you a much wider, broader, and higher field of view than a single security guard could ever cover.

Visitor Logs

A visitor logbook has many benefits that your organization can use to its advantage. Although some might consider a log “just another inconvenience,” when used properly, a visitor log can help protect both your organization and your guests and provide other valuable information. Whether they are paper or digital visitor logs is a matter of preference, although one has obvious advantages over the other. Numerous visitors pass through the average workplace on any given day. Customers, clients, delivery personnel, family, job candidates, and more—they all stop in for various reasons and may stay for only a few minutes or for most of a day. The primary benefits include the following:

  • Security: These logs provide access control and heightened overall security that maybe perceived or real.

  • Emergency preparedness: The logs enable you to know who is onsite and ensure they are counted in assembly areas.

  • Analytics: Data of comings and goings can be valuable for a number of reasons.

Visitor logs are part of an effective visitor management system, and visitor management often starts with access control. To be truly effective, organizations should control the visitor registration process by requiring all visitors to enter through one specific entrance. This restriction further prevents unauthorized access to the building by visitors who have not been vetted in any way. One entrance is also more user friendly; guests know exactly where they are supposed to be and so do security guards and employees.

Faraday Cages

A Faraday cage is an enclosure used to block electromagnetic fields. A cage or shield can be formed by a continuous covering of conductive material, or in the case of a Faraday cage, by a mesh of such materials.

A Faraday cage operates because an external electrical field causes the electric charges within the cage’s conducting material to be distributed so that they cancel the field’s effect in the cage’s interior. The Faraday phenomenon is used to protect sensitive electronic equipment such as RF receivers from external radio frequency interference (RFI) during testing or alignment of the device. They are also used to protect people and equipment against actual electric currents such as electrostatic discharges and lightning strikes, since the enclosing cage conducts current around the outside of the enclosed space and none passes through the interior. Faraday cages can shield the interior from external electromagnetic radiation if the conductor is thick enough and any holes are significantly smaller than the wavelength of the radiation. Companies have found placing expensive critical equipment in racks that are Faraday purposed provide an extra layer of protection from free-range electromagnetic discharge or radiation. Faraday cages/rooms are spaces that are completely enclosed by one or more layers of a metal mesh, perforated sheet metal, or fence-like material. The metal layers are grounded to dissipate any electric currents generated from external or internal electromagnetic fields, and thus they block a large amount of the electromagnetic interference.

Air Gap

Air gap, or “gapping,” refers to the concept that there is a gap of air or no connection between the computer and other networks. Because the computer isn’t directly connected to the network, it can’t be attacked through the network. So, to compromise this type of computer, hackers have to “cross the air gap,” which means they need to be physically sitting down in front of the computer. An air-gapped computer system has no physical connection to other computers, networks, or unsecured systems. As security administrator, you should consider disabling ports and enforce a policy of not using USB thumb drives. This way, you can reduce the likelihood of a virus or data theft.

Screened Subnet (Previously Known as Demilitarized Zone [DMZ])

In computer security, a screened subnet or demilitarized zone (DMZ), often referred to as a perimeter network, is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a screened subnet is to add an additional layer of security to an organization’s local area network (LAN). An external network node can access only what is exposed in the screened subnet, while the rest of the organization’s network is protected by firewalls. The screened subnet functions as a small, isolated network positioned between the Internet and the private network.

Protected Cable Distribution

The purpose of a protected cable distribution system, also called a protective distribution system (PDS), is to deter, detect, and/or make difficult physical access to the communication lines carrying data and/or voice communications. In data centers, this can mean specifically hardened rooms that are separate and apart from other rooms, and access control measures are in place to ensure appropriate monitoring and access.

In a hardened protected cable distribution, the data cables are installed in a carrier constructed of electrical metallic tubing (EMT), ferrous conduit or pipe, or rigid sheet steel ducting. All connections in a hardened system are permanently sealed around all surfaces with welds, epoxy, or other such sealants. If the hardened carrier is buried underground, to secure cables running between buildings, for example, the carrier containing the cables is encased in concrete.

Secure Areas

Secure areas are sites or spaces where you handle sensitive information or shelter/store valuable IT equipment and personnel to achieve business objectives. In the context of physical security, the term site means buildings, rooms, or offices that host all the services and facilities (electricity, heating, air conditioning). This falls under ISO 27001, which involves physical security and keeping secure areas secure. The following components of secure areas help enhance the capabilities of these areas:

  • Air gap: As previously mentioned, air-gapped computer systems have no physical connection to other computers, networks, or unsecured systems. Why would you need an air-gapped computer? Say you want to work on sensitive business documents or financials without the risk of malware, ransomware, or keyloggers (any attacks done over Internet networks). In this case, you can simply set up an offline computer that is not connected to the Internet.

  • Vault: A bank vault is a secure space to store money, valuables, records, and documents. In a secure space, a vault is intended to protect contents from theft, unauthorized use, fire, natural disasters, and other threats, much like a safe. Vaults are typically much larger than safes and can even house entire data centers.

  • Safe: A safe is a device or type of housing that is capable of storing valuable information, such as files, tapes, money, and the like. It is intended for short-term storage of company assets. A fireproof safe is recommended for business because it is capable of withstanding small fires.

  • Hot aisle: A hot aisle/cold aisle is a layout design for server racks and other computing equipment in a data center. The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing air flow. In its simplest form, hot aisle/cold aisle data center design involves lining up server racks in alternating rows with cold air intakes facing one way and hot air exhausts facing the other. The rows that the heated exhausts pour into are called hot aisles. Typically, hot aisles face air conditioner return ducts.

  • Cold aisle: The rows composed of rack fronts are called cold aisles. Typically, cold aisles face air conditioner output ducts. A containment system can be used to isolate hot aisles and cold aisles from each other and prevent hot and cold air from mixing. Containment systems started out as physical barriers that simply separated the hot and cold aisles with vinyl plastic sheeting or Plexiglas covers; now they are almost like complete rooms enclosing the hot aisle and cold aisle.

Secure Data Destruction

An organization’s security starts at the purchasing of equipment, systems, and services and ends with the removal and destruction of those items. You may have heard of someone purchasing a server off the Internet only to find the original owner didn’t erase the data. Companies must create and put into practice a data destruction policy. It is not enough to erase data from hard drives of servers or workstations; recovery programs can still get at that data. A “shred-all” policy is one of the most critical steps you can take toward total information security; it means a companywide commitment to shredding all data and documents on a regular basis. Standardizing data and document destruction procedures enables your organization to align its governance policy and regulations with its information security goals and needs:

  • Burning: One of the best methods in documentation destruction is fire. Without taking very extreme measures, recovering data from ashes is nearly impossible.

  • Shredding: One of the most cost-effective methods for bulk paper destruction is shredding. Shredders are able to malform paper into multiple strips with jagged edges. Similarly, hard drives and other magnetic media can be shredded via large industrial shredders.

  • Pulping: Paper also can be shredded and then reduced to pulp. After the paper has been broken down into pulp, the fibers are separated, washed, and screened to remove fiber bundles. Then the water is pressed out. After the pulp is dried, it can be made into recycled paper. Because all the ink letters from the paper have been removed, documents cannot be recovered.

  • Pulverizing: Pulverizing grinds and/or reshreds paper to make it impossible to recover. Documents and storage media are fed into a pulverizer that uses hydraulic or pneumatic action to reduce the materials to loose fibers and shards. One disadvantage to this service is that it is very costly, and only a few commercial disposers use this method; however, it does guarantee complete data destruction.

  • Degaussing: Degaussing is the process of reducing or eliminating a magnetic field (or data) stored on tape and disk media such as computer and laptop hard drives, disks, reels, cassettes, and cartridge tapes. By using the right degausser, you can guarantee that your information will no longer be retrievable. A degausser creates a magnetic field of an intensity that erases and corrupts the layout/form of the data on magnetic media.

  • Third-party solutions: There are a number of third-party secure document and electronic media destruction and disposal services. They typically have large facilities and commercial machinery to manage large volumes of documents and media. These organizations securely transport your documents to their facilities, where they can shred, pulp, or pulverize. Depending on your contract, you may receive large trash receptacles where people can drop their documents. These containers are locked and are picked up and exchanged on a regular basis.

Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.

Review Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 15-2 lists a reference of these key topics and the page number on which each is found.

Table 15-2 Key Topics for Chapter 15

Key Topic Element

Description

Page Number

Section

Bollards/Barricades

370

Section

Access Control Vestibules

372

Section

Badges

373

Section

Alarms

374

Section

Signage

374

Section

Cameras

375

Section

Closed-Circuit Television (CCTV)

376

Section

Industrial Camouflage

377

List

Personnel

377

List

Locks

378

Section

USB Data Blockers

379

Section

Lighting

380

Section

Fencing

380

Section

Fire Suppression

381

List

Sensors

382

Section

Drones

382

Section

Visitor Logs

383

Section

Faraday Cages

383

Section

Air Gap

384

Section

Screened Subnet (Previously Known as Demilitarized Zone [DMZ])

384

Section

Protected Cable Distribution

385

List

Secure areas

385

List

Secure data destruction

386

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

bollard

barricade

access control vestibules

motion recognition

object detection

closed-circuit television (CCTV)

industrial camouflage

guards

robot sentries

reception

two-person integrity/control

biometrics:

electronic locks

physical locks

cable locks

USB data blocker

fire suppression

Faraday cage

air gap

screened subnet

protected cable distribution system (PDS)

hot aisle

cold aisle

pulping

pulverizing

degaussing

Review Questions

Answer the following review questions. Check your answers with the answer key in Appendix A.

1. What are badges used for in physical security controls?

2. What purpose does signage serve in controlling security in a building or factory?

3. What does industrial camouflage accomplish in today’s business and industrial environment?

4. How does two-person integrity/control ensure systems and corporate data integrity are accomplished?

5. What sensors provide access to an area?

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
44.220.62.183