Version: 1.0.2
Physical security
- The protection of all assets of an organization from all sorts of threats and attacks.
- Helps in
  - Preventing unauthorized access to the system
  - Preventing any kind of data manipulation and theft
  - Protecting the system against malicious activities such as espionage, damage and theft
  - Protecting employees and preventing social engineering attacks
- Categories
  - Natural or environmental threats
    - E.g. flood, fire, earthquake, dust
  - Man-made threats
- See also Physical security | Social engineering
Types of physical security controls
Preventive controls
- Implemented before a threat event to reduce or avoid its impact.
- Includes access control mechanisms to prevent access
- Can be technical e.g.
  - Firewalls
  - Authentication systems.
- Can be administrative e.g.
- 📝 Can be physical e.g.
  - Fire extinguishers
  - Doors e.g.
    - Mantrap
      - Also known as air lock, sally port or access control vestibule
      - Has two doors, each door requiring a separate form of authentication to open
    - Turnstile
      - Also known as a turnpike, baffle gate, automated gate
      - Allows one person to pass at a time, can enforce one-way direction
      - Can require a coin, a ticket, a pass, or similar
      - E.g. in train stations
  - Bollard
    - Sturdy, short, vertical post
    - Used to control road traffic
    - Helps prevent ram-raiding and vehicle-ramming attacks.
    - 🤗 Used initially for mooring boats
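The mantrap described above, sketched as door-controller logic. This is an added example, not part of the original notes. It assumes a badge on the outer door and a PIN on the inner door as the two separate forms of authentication, plus an interlock (never both doors open) and single occupancy; all names and sample data are constructed.

```python
import hmac
from enum import Enum

class Door(Enum):
    OUTER = "outer"
    INNER = "inner"

class Mantrap:
    """Assumed policy: badge on the outer door, PIN on the inner door,
    one occupant at a time, and never both doors open together."""

    def __init__(self, badges, pins):
        self.badges = badges    # constructed data: badge id -> person
        self.pins = pins        # constructed data: person -> PIN
        self.open_door = None   # door currently open, if any
        self.occupant = None    # person inside the vestibule
        self.log = []           # audit trail: (door, decision, detail)

    def _decide(self, door, granted, detail):
        # Every decision is logged, so denials can be investigated later.
        self.log.append((door.value, "GRANT" if granted else "DENY", detail))
        return granted

    def close_door(self):
        self.open_door = None

    def request_outer(self, badge_id):
        if self.open_door is not None:
            return self._decide(Door.OUTER, False, "interlock: a door is open")
        if self.occupant is not None:
            return self._decide(Door.OUTER, False, "vestibule occupied")
        person = self.badges.get(badge_id)
        if person is None:
            return self._decide(Door.OUTER, False, "unknown badge")
        self.open_door, self.occupant = Door.OUTER, person
        return self._decide(Door.OUTER, True, person)

    def request_inner(self, pin):
        if self.open_door is not None:
            return self._decide(Door.INNER, False, "interlock: a door is open")
        if self.occupant is None:
            return self._decide(Door.INNER, False, "no badge holder inside")
        expected = self.pins.get(self.occupant, "")
        # Constant-time comparison of the second factor.
        if not expected or not hmac.compare_digest(expected.encode(), pin.encode()):
            return self._decide(Door.INNER, False, "wrong PIN for " + self.occupant)
        person, self.occupant, self.open_door = self.occupant, None, Door.INNER
        return self._decide(Door.INNER, True, person)
```

A person who fails the second factor stays inside the vestibule with both doors closed, and the log records the denial for follow-up.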
Static electricity
- Low humidity can cause a buildup of static electricity.
- Could lead to corrosion of the components.
- 💡 Keep humidity level between 45% and 55%.
- Grounding systems help
  - E.g. antistatic wrist straps are designed to ground people appropriately
  - Provides somewhere for any latent static electricity generated to flow.
Detective controls
- In place to let you know when something has happened or is happening.
- Detects violations and intrusion attempts for investigation.
- E.g. • audit trails and logging • alarm systems • sensors • video surveillance • motion detectors.
Deterrent controls
- Also known as deterrence controls
- Warns intruders to stay away
- E.g. signs showing • "Beware of the dog" • "Under surveillance" • "Authorized personnel only"
Recovery controls
- Used after a violation has happened to restore the system to its persistent state
- E.g. backup systems and disaster recovery
Compensation controls
- Do not prevent attacks, used when everything else fails
- Goal is to restore everything back to normal
- E.g. when there's a power shortage you need a grid alternative, i.e. backup energy: generators, batteries.
Physical security measures
- Secure premises and company surroundings
- Secure the reception area
- Lock servers and workstations when not in use
- Lock devices such as modems, removable media, and fax machines when not in use
- Implement access control
- Regularly maintain computer equipment
- Prevent wiretapping
- Monitor the environment by checking the humidity and temperature
- Positive pressure is great at keeping contaminants (e.g. dust, dirt) out of the data center