Sec+ preparation #10 (physical security)

Intro

Let’s jump into the next day of preparing for Sec+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Resilience and Physical Security

If a hacker can physically access the site, it is game over. This part is really important.

Physical security controls:

  • Hardware locks

    • Conventional Locks

      • Locks are easily picked and keys are easily duplicated

      • Control and distribution of keys can be a problem

    • Pick-resistant locks

      • Higher cost

      • Harder to pick and keys not as easily duplicated

      • Distribution and control still a problem

    • Electronic Combination Lock

      • A keypad for a combination

      • Also called a cipher lock (may appear on the exam)

    • Electronic key systems

      • Cards encoded with access code

      • Magnetic cards can be duplicated or compromised

      • Smart Card would be a better choice

        • RFID cards
  • Video Surveillance

    • Analyze your requirements

    • Estimate width of area to be monitored

    • Is there a need for zooming?

    • What are the weather conditions if used outside?

    • How do you maintain capability?

      • Many buildings shut all lights off at the end of the day, so you may need night vision.
    • Protect the cameras so that they cannot be easily hacked. Intruders who compromise a camera may be able to see passwords entered on keypads.

  • Fencing and walls

    • Bollard - prevents attacks with a moving object, such as a vehicle loaded with explosives

    • Fences must be a proper height

      • A 1.5 meter high fence will deter a casual trespasser

      • Secure areas use fences 2.5+ meters high

      • Perimeter Intrusion Detection and Assessment System (known as PIDAS fencing)

      • Fences must be regularly inspected

  • Proximity Readers

  • Access List

  • Security guard

    • Most efficient physical security control, but also the most expensive

    • Guard can enforce security policy

    • Can prevent Piggybacking or Tailgating attacks

    • Guard must be well trained

    • Can do patrols at random intervals

  • Passive monitoring

Physical access logs

  • Fortress mentality

    • Check to see everybody who comes and leaves

    • A good method is to have only one door through which people can enter and leave

  • Use logging features (check when people come and go)

  • Ensure guards are well trained

ID Badges

  • Great for authenticating users

  • Sometimes combined with smart cards

  • They are very cheap and very efficient

Door Access Systems

Physical Tokens

  • Type II authentication factor

Could be:

  • Metal Keys

  • Smart Card

  • Magnetic Card

  • Photo ID

  • Synchronous or Asynchronous tokens

  • Biometrics

Site selection

  • Select your data center location carefully

  • Get familiar with the building code

  • Investigate who your neighbors are

  • What is the crime rate in the area?

  • Talk to your insurance company

  • What about logistics for ambulances, firefighters and the like?

Written by

Jonas Satkauskas