General security

Physical access control

Adrian Stolarski
August 11, 2020 by
Adrian Stolarski

How many managers think that it makes no sense to spend money protecting information that can be reconstructed? What can really happen?

Theoretically, anything and everything from the abuse of workers (through natural disasters and industrial espionage) to terrorist attacks. Is our company is prepared for this? 
Imagine the scenario, 2am, nobody is around to hear the sound of breaking glass and quick steps. The next day, the first employee appears at work and calls the police after spotting the mess. According to police, it was a random act of vandalism.
 Two weeks later the president convenes a meeting; it turns out that the local newspaper is running a story about your product, and has just revealed that the project has gone millions of dollars over budget. It turned out that a random act of vandalism was really an act of industrial espionage. The intruder had attacked a bootable distribution of Linux operating system and copied the files that belong to the victim company.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Of course, this situation could have been prevented if there were appropriate procedures in place. In practice, anyone who has physical access to a computer can take over your system in seconds. Therefore we will discuss some physical security procedures to try and minimize the risk of attack by introducing appropriate access controls. Each access control has three aspects: physical, administrative, and technological development.

Physical security schema

Work on physical security mainly focuses on the physical protection of information, buildings, personnel, installations, and other material resources. Additionally, physical security covers issues related to processes prior criminal activities, espionage, and terrorism. What factors can develop into the biggest direct threats?

  • Staff - dismissal, strikes, illness.
  • Sabotage and vandalism.
  • Hardware failures.
  • Natural disasters - tornadoes, earthquakes, floods, and tsunamis.
  • Man-made disaster - terrorism, arson, bombings.
  • Loss of access to electricity, air, and water.

Once we know what threatens us personally, we can begin to consider the best methods of protection. For example, in the case of a power outage, you should have a backup generator to maintain the critical elements of the system, and lighting for employees as well as a backup phone system. If there is a hardware failure, having certain spare parts on hand can be incredibly useful, as can having a well-designed service contract. In addition, it is a good idea to familiarize yourself with the industrial-safety laws of the country in which you're operating.

Physical access controls are mechanisms that are designed to minimize the risk of injury. A simple example is a good fit on the door lock, which will discourage many potential thieves. The installation of biometric sensors, such as iris scanning or fingerprint recognition, can make even the most determined intruder falter while trying to gain access to a guarded place. Sometimes all that is needed to resolve the issue is a mechanism to provide enough time to contact the appropriate authorities. But the door is not the only object that should be closed.

We should consider closing off access to laptops, desktops, and servers. Like many employees, I just do not know when an intruder enters the building, and then runs away unrecognized with a laptop under his arm. Such situations happen very often.

 More and more companies are taking the precaution of removing all drives from individual computers to prevent the use of USB, COM, LPT theft, and instituting additional BIOS password protection just to prevent employees from installing personal software, gaining unauthorized access, and ultimately, participating in theft. One possible scenario to tighten security is to use the terminal server and a bootable Linux distribution. Also excluded are DHCP, preventing problems with spyware, malware, or viruses usual.

Another security challenge is to protect sensitive data from systems interceptors using electromagnetic waves that allow hackers to decode data and recreate it in a safe place. You can protect yourself by using special construction materials and absorbing materials for shielded computer enclosures. 

Another important element is to protect the building itself. The ideal solution is to create a front desk staffed by individuals who have had appropriate training in security and protection. After the September 11 attacks, I think everyone is concerned about the appropriate level of training for his or her own staff security guards. I will not elaborate here any further on building construction, but it is important to mount biometric sensors, motion detectors, and alarms that will active when walls are breached. In addition, it seems like a good option, to install high-powered moving lighting systems that will respond to any attempt to breach the walls. If a thief tries to break through a fence or wall, a sharp beam of light will target the intruder's eyes and create a perfect silhouette of the person,.

Unfortunately, in every company there are people whom we trust, that might one day endanger other employees. Employees' safety should always be a priority. At the same time, we must remember that the human factor is able to break down almost anything, even the most intelligently designed security system. In addition, research shows that the most common types of attack are internal attacks, caused by disgruntled, or even angry employees.

 That is why we also need to make an effort to properly train staff to be able to react in any emergency—not only in the case of natural disasters, but also when technology is attacked through a mechanism that was socially engineered. Training of this type should never be a one-time event, but should be repeated at regular intervals, i.e. every quarter.

Apart from purely theoretical knowledge, training should also include practical knowledge. Role-playing scenarios that illustrate a specific situation can be a good idea.

 Personnel inspections should be treated as a preventive measure in every company. Before hiring a person, it is a good idea to check references and other important information—such as whether a person has a police records or is wanted by the government for any reason. Surely this will allow you to determine whether a worker can become a potential threat in the future.

In addition, from time to time, individual interviews with staff may occur, and during these talks, we can be informed of planned changes or job rotations. Most certainly regular interviews will prevent unethical actions from both sides and any accidental damage.

If an employee leaves the company, he or she should be literally escorted out of the company, shortly after returning the any and all company equipment. This will prevent the sabotage attempt made by a former employee.

Above all else, it is critical to have alternate power sources and access to television security systems. If unauthorized individuals try to access the company, television systems will certainly allow individual intruders to be recognized and to have his or her actions recorded. Some systems also have built-in motion sensors and heat detectors. Once activated, an alarm signal is sent from these detectors. Installing a good CCTV system also provides many other benefits. I met with companies in the insurance industry and leaned that premiums could be reduced if a similar system monitoring was installed.

Another factor to consider is equipment failure. This is an inevitable scenario. Therefore, do not ask if a component will go down, ask when it will go down.

Many component manufacturers only consider an estimated time of repair and an estimated time between failures.

 However, another crucial element is the system backup. It is a necessity—any backup data should be stored in at least two different places to offer protection in the event of a disaster or failure.

Most companies currently use a method called data vaulting, which consists consisting of data compression, encryption, and storage of a remote, secure location. This technique is required in all safety planning, as well as in many forms of insurance. Companies also use RAID technology, which increases fault tolerance and limits downtime.

Now for the power. In addition to the electrical wires hidden from prying human eyes, we should also ensure access to a stabilized energy source. In this way we prevent the risks associated with excess energy (breakdown, voltage spikes) or deficient (low voltage or current, no power). This can be done using the UPS devices. Unregulated energy sources can also cause damage to electronic components, data loss, and faulty network connections.

Of course, we do not focus only on the energy supplied from the power plant. In addition to the standard cable from the power plant, you can also install windmills, solar panels, backup generators to collect excess energy, and additional power generators such as diesel generators. 

Nor should we forget that the computer network also operates on the basis of power law: 0 means that there is no pulse, and 1 that the pulse is generated. Thus, a combination of interconnected computers results in an electric circuit.

The number 0 represents the voltage to 0 volts, and a voltage of 3 to 5 volts, so the information in the format 111 001, means the following tension - 3,3,3,0,0,3. Under ideal conditions, the signal flow should proceed without interruption.

 Hence the importance of proper grounding, which allows the dissipation of excess energy. Without proper grounding voltage spikes will occur, resulting in frequent failures. Thus, properly installed ground wire provides a sufficiently low resistance and a sufficient capacity to protect the system before the emergence of a dangerously high voltage level. Sometimes even a single outlet with a damaged cord or bulb screwed in badly can cause the grounding wires not to work.

Sometimes it is the entire buildings that need multiple grounds, which often is a huge problem, because the potential of the various electrical circuits will never be equal.

 There is another important issue: If you have a separate computer system with a grounded network, you will witness the rise of an electric circuit. And remember that the current always runs from the negative charge of the positively charged system. This situation could, of course, effectively disrupt the digital signal and cause network failure, damage to the transmitted data, and even damage computer components.

The EMP weapon—Total cost: 50 Euro

Another cause of interference is radio frequency interference and electromagnetic interference. These disturbances are associated with the work of high-frequency devices that use a third phase. They act almost like a bomb capable of generating electromagnetic pulses, which are used to destroy all kinds of electronics.

 In the network cables always cause interference. This is due to the fact that when someone creates the electrical wiring of buildings, future computer networks are never taken into account. Therefore, when planning network infrastructure and maintenance, it is best to hire an engineer or a professional networking company which designs computer networks.

 Once we have an idea of the dangers, we can begin to design protection.

On the regulatory side, placing items in the right places is called adequate care, and implementation of policies, procedures, and controls is called proper accuracy. If both of these factors are properly adhered to, it certainly will help reduce consequences in the case that a real threat is detected.

But the main purpose of a security plan is not to hamper the company, but to provide adequate levels of security. Behind every action and policy is the dictate that the company should remain safe for users.

In addition, the management company should endorse a safety plan at some point. Here are the elements that should be considered:

- Accurate definition of objectives and their impact on the existing security policy.

- List of known hazards and risk analysis.

- Education of board of directors on issues of technology.

- Implementation of overt and covert methods of control.

- The introduction of training in information security.

- Control of all the weak points in order to maintain compliance with security policy introduced.

Once everything is ready, we must create the most accurate list of threats. The reason for this is not only to classify and code any and all threats, but also to help create a budget for our security policy. Presenting a security policy using both codes and detailed descriptions of inventory costs will help convince the board of the validity of the idea. Once we get acceptance of our idea, we should begin to educate upper management in the techniques used in our safety plan

. After this operation, we should proceed to further steps and start educating all employees.

Each person in the company should know how the security policy will affect his or her work. If for example, in the case of fingerprint readers, employees should know what to do in the event of failure. You should also inform people about the zones, and properly guard them. If you catch an employee deliberately crossing through a guarded area, you should of course, punish that employee.

Suppose that our staff is trained. What do we have left to do? Well, fitness tests should be performed on each system as a whole and each subsystem. The ideal solution would be to carry out fire drills, partial power failures (or complete power failures), and to hire a person to specifically try to break into the premises.

This is the slow end of this article—we already discussed a few basic techniques that will allow a little more security in your organization. But you should remember to craft effective solutions that encourage use. This guarantees that the decision makers in the organization will support your work and then you will not have any problems with the implementation of all your arrangements. Remember that all employees must be aware that they are responsible for complying with the security plan. The rules governing all elements described in the article:

• http://www.hhs.gov/ocr/hipaa/ - HIPAA.

• http://www.sec.gov/rules/pcaob.shtml - SOX.

• http://www.ftc.gov/privacy/glbact/ - GLBA.

Here's a sample safety plan:

This document really proves to be very useful when planning a security strategy especially during one of the most difficult steps—the costs of protection should be evaluated when considering the amount of capital to be invested.

Here is a quick Cheat Sheet which includes the elements of a proposed policy:

  • Access control:
    • Security staff
    • The quality of lighting inside and outside the building
    • The quality of the fence
    • The massive doors at the entrances
    • Locks on the doors
    • Biometric solutions
    • CCTV
  • Power Problems:
    • Alternative energy sources
    • Replacement telephone network
    • The availability of spare parts
    • Support for producers and service
    • Ground
  • Security infrastructure:
    • BIOS password for all machines
    • No external access to terminals employees
    • Protection equipment such as TEMPEST
    • Equipment for backup of digital data
    • Physical security of computer network
  • The human factor:
    • Emergency procedures
    • Separation of duties and privileges

In addition, this Cheat Sheet should include all current control mechanisms, including burglar and fire alarm systems. It should give us a solid foundation in the design of security system.

An example of physical security policy:

First Introduction
—The implementation of security policies through an unprotected company should not disrupt the existing culture of openness, trust and unity of the company. The purpose is to protect the unprotected businesses, employees, and partners against illegal or harmful activities. 
Effective security is a collective effort that consists of the participation and support of every employee and any unsecured partner companies. Each of the employees is responsible for understanding the guidelines and acting in harmony with them.

Second Target
—The purpose of this policy is to ensure the physical security of the unsecured company. These rules are intended to protect workers and the company itself.

Third Object—
This policy applies to employees (temporary and permanent), subcontractors, consultants, and guests in unsecured business Sp. Ltd., including the staff of other entities.

Fourth Policy—The general rules for gaining access to the buildings of the company makes up the first level of physical security. Staff will be authorized using an identification card. Guests and visitors must register at reception and receive a temporary badge or card, and remain under the care of the employee while on company premises.
 When considering access to sensitive areas: badges, cards or other electronic forms of identification must be worn by employees can be scanned repeatedly. Additional access control will be introduced in server rooms,
 warehouses, laboratories, testing and other areas where data is kept.

Being in a guarded area and inappropriately using the authorization of another person is strictly prohibited. It is forbidden to stay in the guarded area when refusing to show identification documents. 
Physical security also includes detailed planning of the facilities in such a way that closed or isolated areas do not interfere with fire protection systems and emergency exits.
 Businesses fencing consists of fence type PIDAS and will also be monitored by the external tracking systems (due to poor lighting).

Cameras and other electronic monitoring systems (or multi-authentication systems) are the basic means of controlling access to guarded areas. Data from the authentication systems and monitoring equipment should be archived for at least 7 years, according to local regulations. 
Information systems will have an external backup of your data in the case of both man-made and natural disasters .

Fifth Violations—Any employee that violates the rules of this document may be held liable to disciplinary action, including immediate termination of service.

Sixth Definitions— Tracking - the collection, analysis and data archiving. End - end of the process

Seventh History of Changes.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

And that is the end of the article. I promise the next discuss the phenomenon known as social engineering, and several other issues related to the building of reasonable security policies in our organizations. Greetings!

Adrian Stolarski
Adrian Stolarski

Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.