1.2 - Physical Security
Understand the common forms of physical security controls that can protect an organisation's assets.
Learning Objectives
Understand fundamental security concepts:
- Physical security
- Bollards
- Access control vestibule
- Fencing
- Video surveillance
- Security guard
- Access badge
- Lighting
- Sensors
- Infrared
- Pressure
- Microwave
- Ultrasonic
What is Physical Security?
As discussed in our post about Types of Security Controls, Physical Security is a category of security controls that aim to limit physical access and risk to our assets.
Why is Physical Security Important?
Organisations often place the majority of their Cybersecurity focus on the fancy technical controls, however, physical security is just as important if not more so due to the fact that if attackers can gain physical access to your systems it will be much easier for them bypass any of your technical controls. Therefore physical security is one of the most important lines of defence against these attackers.
Types of Physical Security Controls
There are many different types of physical security controls that you could implement but we shall be taking a look at the most common types that are also a part of exam specification for Comptia Security+.
Bollards
Bollards are short and sturdy vertical posts that stick out of the ground like those shown in Figure 1 below. They are dug deep into the ground and are often made out of steel or reinforced concrete to act as a form of protection against accidents or intentional attacks involving large vehicles. However they do not prevent all physical access as they are spaced apart to allow smaller vehicles such as bicycles or pedestrians to pass.
Some bollard installations are mechanically controlled and can be raised and lowered into and out of the ground as needed. They are usually placed at secure access points or at road junctions to control traffic and access into an area.
There has also been a recent rise in civilian installation of bollards at their home addresses to prevent thieves stealing their vehicles out of their garages and driveways.
Access Control Vestibule
Access Control Vestibules(ACV's), also known as a Mantrap, is an enclosed area consisting of a set of doors to access the ACV and a second set of doors leading to a highly secure area which cannot be opened until the first set of doors are locked. This is designed to only allow authorised personnel to access the secure area without allowing attackers to try and "piggyback" their way in behind them.
ACVs are commonly implemented at high security facilities such as Banks or Government buildings. An example diagram of an Access Control Vestibule can be seen in Figure 2 below.
As seen in the image, the second door is locked and cannot be opened until the first door is locked and closes off the entrance from an insecure area. A window with a guard booth can also be seen. This would be an implementation of a Manual ACV in which a guard must manually unlock the second door once the subject enters the first door and the door is closed behind them. There will also often be metal detectors and other guards within the ACV room to search the subject before the control guard unlocks the second door.
For extra security, cameras and microphones can be installed to remotely instruct the subject on what to do while the guards can be safely off-site so that they cannot be targeted in an attack and be forced to grant access to unauthorised individuals.
There are also Automatic versions of Access Control Vestibules in which no guards are involved but often different unlocking mechanisms are required for each door. For example a physical key or key code may be required for the first door but the second door may require biometric keys such as fingerprints or iris scans.
Lesser secure versions are also commonplace at locations like corporate offices. These are much smaller and usually an automatic cylindrical glass pod. All you usually need is to scan your employee badge to open the first half of the mantrap pod which is only big enough for one person and then once you are inside and the first door automatically closes and the second door will open allowing you to enter the facility.
Fencing
Fences are a barrier, railing, or other upright structure that enclose an area of ground to prevent or control access.
Fencing is the most common way to protect and secure a physical site. They act as an extra set of walls surrounding the perimeter of the site grounds instead of allowing direct access to the walls of the building.
Fences can be made out of different materials such as wood, metal and wire but they can also have different accessory features. Fences can be spiked or have barbed wire to prevent climbing in or out of the site. Some fences can be transparent or be opaque and completely block all sight for privacy. Some are also electrified with a high voltage, as seen in Figure 3 below, to deter and stop anyone who may attempt to touch or climb it.
Fences deter attackers by making it physically harder to pass or scout the premises. Highly secure facilities will often have multiple layers of fences that are taller than usual and have all the extra features such as Barbed or Razor wire and High Voltage applied for maximum security.
Video surveillance
Video Surveillance is another common form of a physical security control with Closed Circuit Television(CCTV) being the most well known. CCTV is the use of video cameras to transmit a video signal privately to a specific place such as a security room as opposed to broadcast television in which the signal is transmitted openly.
This allows a small team of security guards to be able to monitor multiple locations at once, therefore reducing the number of security staff an organisation would need to cover a large facility. These video surveillance cameras often record footage to be able to investigate any criminal activities after they have occured. An organisation would have their own policy to define how long they retain CCTV footage while also following local data laws and regulations.
Security Guards
While other physical controls may decrease the amount of security guards needed to secure a building, trained security guards can never be fully replaced. On top of being needed to monitor those other controls such as the CCTV, they are also needed where human interaction is required such as at reception to confirm the identity and grant access to employees and visitors.
They are also needed to take action and make decisions where other controls cannot. Such as to respond to and investigate any alerts raised by the technical controls, many of which will be false positives, which cannot be done by other non human controls.
The presence of security guards alone can also act as a better deterrent than any other physical control. However guards are also human and therefore can be prone to human error or to becoming an insider threat.
Access badges
As mentioned earlier, access badges can be used as a key for Mantraps to enter secure facilities. This is usually done by either a Magnetic stripe or a Radio Frequency ID(RFID) card that stores unique data that can be read when swiped or scanned to the relevant card reader.
However they often also have Pictures, Names and other details on them which would help security guards to identify someone using a stolen access badge. Organisations often have policies in place where these access badges must be worn at all times which would further help those with stolen badges get spotted or those who have infiltrated the building by other means get caught as they would not be wearing a badge.
These badges also allow for logging of employee movement whenever the cards are scanned to access parts of the building. This allows for the logs to be reviewed for suspicious activity or during investigations to find out who was where in the building and at what time.
Lighting
Lighting is often overlooked as a physical security control but it is just as much of a deterrent to an attacker as any other control. Attackers will avoid well lit areas as it will be much easier to be seen by security and also by any cameras that don't have infrared capabilities.
Motion based lighting also helps identify where people are active and can alert security to a presence that is not where it's supposed to be. They can also help save on an organisation's energy bills and environmental impact.
Choosing the correct lighting for different parts of the facility is important. Some areas may need constant lighting while others may only need lighting while staff are present. The placement, angle and bulb of the lights are also important to consider as to not leave shadowed or dark areas and to not have a too low or high intensity at the wrong angle which may cause visual discomfort to staff, passerbys or others in the area.
Lighting also help staff and others feel safe while in and around the building which is an additional bonus.
Sensors
There are multiple types of sensors that can be implemented to detect different physical qualities and raise alarms.
Infrared
These sensors detect infrared radiation which is emitted by all objects and living beings with a temperature above absolute zero(-273.15 °C).
These sensors are commonly used in motion detection systems and automatic lights as they can detect movement in a defined area by sensing changes in infrared radiation caused by the movement of people or objects. They are also used in night vision cameras as infrared can be captured in the dark unlike visible light.
Pressure
Pressure sensors detect changes in pressure or force applied to their surface. These can be used to detect unauthorised access or tampering with doors, windows, or other entry points. For example, pressure-sensitive mats can be placed under carpets or doormats to detect footsteps or weight changes when someone steps on them. Pressure sensors can also be integrated into electronic locks or safes to detect attempts to force them open. Additionally, they can be used in perimeter security systems to detect when someone climbs over a fence or attempts to breach a barrier.
Microwave
Microwave sensors emit microwave signals and detect the time taken for the signals to be reflected off the surroundings and back to the sensor. This is known as echo time and can be used to calculate the distance of the surrounding stationary objects and establish a baseline. When any motion in the sensors' detection zone occurs it will lead to a change in this baseline echo time and therefore movement has been detected.
These microwave motion detection systems are similar to those that use infrared sensors, however microwave sensors have some advantages such as a longer detection range, higher sensitivity, not needing a direct line of sight and the ability to penetrate certain materials like glass or thin walls.
Ultrasonic
Ultrasonic sensors work by transmitting sound waves that are above the audible range for humans to hear and measuring the time it takes for the signals to reflect back. Using this time measurement and the speed of sound(343 m/s) it is possible to calculate the distance of the object that the wave reflected off. Therefore similar to microwave sensors, these sensors can also detect motion by detecting changes in the time of reflected waves caused by moving objects but are more commonly used specifically for proximity detection.