
physical-security.md


Physical security

  • The protection of all assets of an organization from all sorts of threats and attacks.
  • Helps in
    • Preventing unauthorized access to the system
    • Preventing any kind of data manipulation and theft
    • Protecting the system against malicious activities such as espionage, damage and theft
    • Protecting employees and preventing social engineering attacks
  • Categories
    • Natural or environmental threats
      • E.g. flood, fire, earthquake, dust
    • Man-made threats
  • See also Physical security | Social engineering

Types of physical security controls

Preventive controls

  • Implemented before a threat event to reduce or avoid its impact.
  • Includes access control mechanisms to prevent access
  • Can be technical e.g.
    • Firewalls
    • Authentication systems.
  • Can be administrative e.g.
    • Security policies
  • 📝 Can be physical e.g.
    • Fire extinguishers
    • Doors e.g.
      • Mantrap
        • Also known as air lock, sally port or access control vestibule
        • Has two doors, each door requiring a separate form of authentication to open
      • Turnstile
        • Also known as a turnpike, baffle gate, automated gate
        • Allows one person to pass at a time, can enforce one-way direction
        • Can require a coin, a ticket, a pass, or similar
        • E.g. in train stations
    • Bollard
      • Sturdy, short, vertical post
      • Used to control road traffic
      • Helps prevent ram-raiding and vehicle-ramming attacks.
      • 🤗 Used initially for mooring boats

Static electricity

  • Low humidity can cause a buildup of static electricity.
    • Could lead to corrosion of the components.
    • 💡 Keep humidity level between 45% and 55%.
  • Grounding systems help
    • E.g. antistatic wrist straps are designed to ground people appropriately
    • Provides somewhere for any latent static electricity generated to flow.

Detective controls

  • In place to let you know when something has happened or is happening.
  • Detects violations and intrusion attempts for investigation.
  • E.g.
    • Audit trails and logging
    • Alarm systems
    • Sensors
    • Video surveillance
    • Motion detectors

Deterrent controls

  • Also known as deterrence controls
  • Warns intruders to stay away
  • E.g. signs showing
    • "Beware of the dog"
    • "Under surveillance"
    • "Authorized personnel only"

Recovery controls

  • Used after a violation has happened to restore the system to its persistent state
  • E.g. backup systems and disaster recovery

Compensation controls

  • Do not prevent attacks, used when everything else fails
  • Goal is to restore everything back to normal
  • E.g. when there's a power shortage you need a grid, alternative energy backup: generators, batteries.

Physical security measures

  • Secure premises and company surroundings
  • Secure the reception area
  • Lock servers and workstations when not in use
  • Lock devices such as modems, removable media, and fax machines when not in use
  • Implement access control
  • Regularly maintain computer equipment
  • Prevent wiretapping
  • Monitor the environment by checking the humidity and temperature
  • Positive pressure is great at keeping contaminants (e.g. dust, dirt) out of the data center