Physical Area Controls
We’ve already introduced the idea of physically stealing a laptop or mobile device, but there are many other attacks that depend on physical access. For example, protected information can be extracted from a computer by simply booting the computer from a DVD or USB thumb drive. To do that, you need physical access to the computer. Simply having a few minutes of physical access can allow many attacks that may be very difficult to prevent or detect. To avoid these types of attacks, it is important to protect the physical access to your computers and devices as well as remote access to them.
When looking at the overall security stance of an organization, you have numerous controls to use, each for a different reason. In the physical world, the first controls that someone wishing to cause harm is likely to encounter are those that line the perimeter of an organization. This perimeter is much like the moat or walls around a castle, designed to provide both a deterrent and a formidable obstacle in the event of an attack. When assessing an organization, pay attention to those structures and controls that extend in and around the organization’s assets or facilities. Every control or structure observed should provide protection either to delay or deter an attack, with the ultimate goal of stopping unauthorized access. Although it is possible that, in some cases, a determined attacker will make every effort to bypass the countermeasures in the first layer, additional layers working with and supporting the perimeter defenses should provide valuable detection and deterrent functions.
During the construction of new facilities, the security professional should get involved early to give advice on what measures can be implemented. It is more than likely, however, that the security professional will arrive on scene long after the construction of facilities has been completed. In these cases, a thorough site survey should be conducted with the goal of assessing the current protection offered. If tasked with performing a site survey, do not overlook the fact that natural geographic features can and do provide protection as well as the potential to hide individuals with malicious intent from detection. When surveying an existing facility, consider items such as natural boundaries at the location and fences or walls around the site. Common controls placed at the perimeter of the facility can include many types of barriers that will physically and psychologically deter intruders:
Fences
Perimeter intrusion detection and assessment systems (PIDASs)
Gates
Bollards
Fences
Fences are one of the physical boundaries that provide the most visible and imposing deterrent. Depending on the construction, placement, and type of fence in place, it may deter only the casual intruder or a more determined individual. As fences change in construction, height, and even color, they also can provide a psychological deterrent. For example, consider an 8-foot iron fence with thick bars painted flat black; such a barrier can definitely be a psychological deterrent. Ideally, a fence should limit an intruder’s access to a facility as well as provide a psychological barrier.
Depending on an organization’s needs, the purpose of erecting a fence may vary from stopping casual intruders to providing a formidable barrier to entry. Fences work well at preventing unauthorized individuals from gaining access to specific areas, but they also force individuals who have or want access to move to specific chokepoints to enter the facility. When determining the type of fence to use, it is important to get an idea of what the organization may need to satisfy the goals of the security plan. Take a look at TABLE 4-1, which contains a sampling of fence types and the construction and design of each. Fences should be 8 feet high or greater to deter determined intruders.
TABLE 4-1 Fence types. |
|||
|---|---|---|---|
|
|||
Perimeter Intrusion Detection and Assessment Systems (PIDASs)
In situations where a single fence fails to provide sufficient security, it is possible to layer other protective systems. For example, a perimeter intrusion and detection assessment system (PIDAS) can be used. This special fencing system works as an intrusion detection system (IDS) in that it has sensors that can detect intruders. Although these systems are expensive, they offer an enhanced level of protection over standard fences. In addition to cost, the downside of these systems is that it is possible that they may produce false positives from environmental factors, such as stray wildlife, high winds, or other natural events.
Gates
Fences are an effective barrier, but they must work in concert with other security measures and structures. A gate is a chokepoint, or a point where all traffic must enter or exit the facility. All gates are not created equal, however, and if you select the incorrect one, you won’t get proper security. In fact, choosing the incorrect gate can even detract from an otherwise effective security measure. A correctly chosen gate provides an effective deterrent and a barrier that will slow down an intruder, whereas an incorrectly chosen gate may not deter anyone but the casual intruder. UL (Underwriters Laboratories) Standard number 325 describes gate requirements. Gates are divided into the following four classifications:
Residential, or Class I—These gates are ornamental in design and offer little protection from intrusion.
Commercial, or Class II—These gates are of somewhat heavier construction and fall in the range of 3 to 4 feet in height.
Industrial, or Class III—These gates are in the range of 6 to 7 feet in height and are of heavier construction, including chain-link construction.
Restricted Access, or Class IV—These gates meet or exceed a height of 8 feet and are of heavier construction—iron bars, concrete, or similar materials. Gates in this category can include enhanced protective measures, including barbed wire.
Bollards
Bollards are devices that can take many forms, but the goal is the same: to prevent entry into designated areas by vehicles. To get an idea of a location where bollards would be ideal and how they function, consider an electronics superstore such as Best Buy. In this case, lots of valuable merchandise is present. Someone could very easily back a truck through the front doors after hours, load up on merchandise, and drive away quickly before law enforcement arrives. In the same situation, the placement of heavy steel posts or concrete barriers would stop a vehicle from even reaching the doors. Many companies use bollards to prevent vehicles from going into areas in which they are not permitted. Bollards, which can be concrete or steel, block vehicular traffic or protect areas where pedestrians may be entering or leaving buildings. Although fences act as a first line of defense, bollards are a close second because they can deter individuals from ramming a facility with a vehicle.
Bollards can come in many shapes, sizes, and types. Some are permanent, whereas others pop up as needed to block a speeding car from ramming a building, or ram-raiding. Ram-raiding is a type of smash-and-grab physical attack in which a heavy vehicle is driven through the windows or doors of a closed shop, usually one selling electronics or jewelry, to quickly rob it.