what are some of the things that you need to consider when physically infiltrating a facility?

What is Physical Security?

Source: GAO

According to the security expert S. Harris, "physical security protects people, data, equipment, systems, facilities and company assets." She also enumerates various means through which this protection is managed: "site design and layout, environmental components, emergency response readiness, training, access control, intrusion detection, and power and fire protection." The emphasis of this writing is on physical security through training of personnel based on a proper security awareness training program.

Justin Bonnema, a writer at the Security Awareness Company (SAC), points out that there are 3 domains of security:

  1. Cyber (e.g., computer, network and information security; important tasks: encryption, data backups).
  2. Human (e.g., employees, consultants, suppliers, partners and anyone in contact with your company; important tasks: prevention of social engineering scams).
  3. Physical (e.g., the wires, silicon, glass, and structures; important tasks: locked doors, clean desks, situational awareness, shredding).

These domains are so intertwined that one small event in one domain may tip the balance in the other two.

Without physical security controls in place, most digital defenses could be rendered useless. Some workable solutions for most physical security threats are alarm systems, mantraps, and physical intrusion detection systems. People, not walls, however, are the first line of defense in the physical security paradigm. One insider alone can take the thickest walls and every cutting-edge technology out of the equation. Moreover, an IBM study established that human error is at the root of 95% of all security incidents.

Because nowadays the emphasis is on technical controls, many workers tend to neglect purely physical concerns in their own department. Not practicing due diligence regarding all mandatory physical security requirements can be a justa causa for companies to be held criminally or monetarily liable. Leaving devices unattended is the easiest way to have them stolen. Such devices that happen to contain personally identifiable information (PII) are an excellent illustration of a reason for initiating litigation against an organization on the grounds of negligence.

A scenario like this should not seem implausible: about 74,000 workers were included in data breach statistics due to laptop theft with unencrypted personal data. The phenomenon called the Internet of Things (IoT) is widening the spectrum of physical security. Today so many mobile devices exist that it comes as no surprise that they are an easy mark for experienced thieves.

Physical access to a company's IT systems will make hacking them much easier by all means. While hacking into access control smart cards, for example, is a potential way in for any intruder, the primary focus of this writing is non-technical means to defeat physical security.


II. Common Physical Security Threats

Social Engineering

Social engineering attacks prey on human nature and good will. A con artist tries to gain the trust of an inside person using deception techniques (e.g., impersonation or manipulative behavior such as false flattery). Additional human traits that social engineering attackers strive to exploit are: desire to provide help, a propensity to trust, and general lack of vigilance. In other words, social engineering attacks attempt to bypass IT and physical security controls by targeting humans.

With respect to physical security, the goal of the attacker is to employ the social engineering attack as a stepping-stone to the organization's IT infrastructure or physical facility. By way of illustration, a malicious actor could attempt to infiltrate a particular building under the guise of a repair technician. Once he achieves this goal, he can then choose to install a sniffer to capture all kinds of sensitive data.

Piggybacking and Tailgating

Piggybacking and tailgating happen when someone who does not have access takes advantage of another person who has, in order to infiltrate a secure area.

Tailgating occurs when an intruder creeps into a protected zone with a person or a group of persons without their knowledge. An example of this act is when an intruder follows an unsuspecting employee. The employee unlocks a door to a secure area, but he is not observant of everything around him, and the intruder manages to put his foot in the closing door and eventually to enter the restricted zone.

Piggybacking, on the other hand, happens when an intruder ("being given a piggyback ride") goes inside a security perimeter accompanied by a person who has access and who is fully aware of the fact that he lets in another person. However, he usually does not recognize the intruder as such. Common examples of piggybacking are:

  • When a security guard or employee gives access to an attacker who claims to have forgotten his key
  • When an attacker disguises himself as a technician and then convinces a security guard/employee to allow him to come in through a door that leads to a secure area
  • When an attacker approaches a door that leads to a secure area, carrying a large, heavy-looking object, such as a big cardboard box, and politely asks a security guard/employee to open and hold the door for him
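Tailgating and piggybacking leave traces in the badge-reader logs that the article's "physical intrusion detection systems" can pick up: a badge that appears at an interior door without ever having badged in at the perimeter (an anti-passback violation, meaning the holder or someone with their badge got past the outer door on somebody else's credential), and a door that stays open well beyond a single person's transit after one badge swipe. The script below is an added example written for this page, not code from the article or from any access-control vendor; the log format, the door names, the badge numbers and the 20-second threshold are all constructed assumptions, and a real deployment would need the vendor's actual export format and the site's own list of perimeter doors.

```python
from datetime import datetime

# Constructed sample badge-reader log (not from any real access-control system).
# Each line: ISO timestamp followed by key=value fields. Badge events carry
# badge/door/dir/result; door-held-open alarms carry door/event/seconds.
SAMPLE_LOG = """\
2024-03-04T08:01:10 badge=1001 door=lobby-entry dir=in result=granted
2024-03-04T08:01:25 badge=1001 door=server-room dir=in result=granted
2024-03-04T08:01:40 badge=1002 door=server-room dir=in result=granted
2024-03-04T08:02:05 badge=1003 door=lobby-entry dir=in result=granted
2024-03-04T08:02:05 door=lobby-entry event=held_open seconds=42
2024-03-04T08:09:30 badge=1001 door=lobby-entry dir=out result=granted
2024-03-04T08:10:00 badge=1001 door=server-room dir=in result=granted
"""

# Assumed set of doors on the building perimeter; everything else is interior.
PERIMETER_DOORS = {"lobby-entry"}


def parse_log(text):
    """Turn the constructed log text into a chronologically sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_antipassback_violations(events):
    """Flag granted entries at interior doors by badges that have not badged in
    at a perimeter door since their last perimeter exit. Such a badge holder
    was let in by someone else (tailgating/piggybacking) or the badge was used
    by a person who never passed the outer control."""
    inside = set()          # badges currently believed to be inside the perimeter
    violations = []
    for ev in events:
        if "badge" not in ev or ev.get("result") != "granted":
            continue        # alarms and denied swipes do not change occupancy
        badge, door, direction = ev["badge"], ev["door"], ev["dir"]
        if door in PERIMETER_DOORS:
            if direction == "in":
                inside.add(badge)
            else:
                inside.discard(badge)
        elif direction == "in" and badge not in inside:
            violations.append((badge, door, ev["ts"].isoformat()))
    return violations


def find_held_open(events, max_seconds=20):
    """Return door-held-open alarms whose duration exceeds a single-person
    transit; a long hold after one swipe is the classic tailgating signature."""
    return [
        (ev["door"], int(ev["seconds"]), ev["ts"].isoformat())
        for ev in events
        if ev.get("event") == "held_open" and int(ev["seconds"]) > max_seconds
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for badge, door, when in find_antipassback_violations(evts):
        print(f"anti-passback: badge {badge} entered {door} at {when} without a perimeter entry")
    for door, secs, when in find_held_open(evts):
        print(f"held open: {door} stayed open {secs}s at {when}")
```

On the constructed log this reports badge 1002 at the server room (it never badged in at the lobby) and badge 1001 re-entering the server room after badging out (someone held the lobby door for it), plus the 42-second lobby hold right after badge 1003's swipe. Anti-passback only works if every perimeter door is a reader in both directions; a site with a free-exit door will produce false positives for everyone who left through it, which is one reason the article pairs the technical control with awareness training rather than relying on either alone.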

Dumpster Diving

The act of going through the trash of a given entity in search of data that might be helpful for refining strategies for a potential attack. Often what is found in the dumpsters is combined with other information. Kevin Mitnick, for instance, once used company newsletters to inquire about the new hires, who would be more inclined to give out sensitive information to the "top floor" out of a desire to make a good first impression.

What are the most common types of intelligence the attackers are looking for when they ransack someone's garbage? By and large things like network configurations, access documents, discarded storage media, information on employees; all sensitive information that might be used in a social engineering scenario.

So many companies are careless about their litter and the garbage disposal procedure as a whole. Moreover, even nowadays, a great deal of valuable information in organizations is being printed out, whether we consider it in the context of proprietary or seemingly benign data. Workers still choose to ignore the risks and dispose of important business or employee documents by throwing them straight into the bin. This security lapse leads to a very basic but easily exploited vulnerability. Carelessness usually comes at a great cost. CVS Caremark, the retail pharmacy, was subjected to a $2.25 million fine for poor physical security controls after a thorough investigation by the Department of Health and Human Services Office for Civil Rights (HHS-OCR) and the Federal Trade Commission (FTC). The two institutions determined that CVS dumped sensitive objects, such as medication instruction sheets and prescription drug bottle labels, into public dumpsters.

Dumpster diving as a nefarious activity is directly connected to the physical security of a given corporation. It tests the ability of that corporation to restrict access of unauthorized persons to its trash repository. Many organizations resort to special locked receptacles dispersed within the confines of the organization for their workers to safely discard sensitive or proprietary information. The receptacles work on the principle of post office mailboxes – you can place an item inside them, but you cannot take it back once it is in there.

Every measure that effectively blocks access to a company's dumpsters will do – shredders, locks, and encouraging employees to follow all disposal procedures, to name but a few. A cross-cut shredder is probably the most effective type of shredder since it will turn the entire paper into miniature confetti-like scraps.

However, these measures would be futile if a stringent awareness campaign does not accompany them to teach employees how to use and apply the measures.

Shoulder Surfing (example: peering over somebody else's shoulder to look at a visible password)

Sometimes con artists prefer to take the gamble of getting closer to a targeted person to look over his shoulder and read what is written on the screen or observe the keyboard as this person types. Screen filters placed over a monitor can deter prying eyes. Also, password masking – i.e., displaying asterisks instead of the actual password characters – is always a good idea. As to typing safely, only type important things such as passwords while you cover your typing arm with the palm of your free hand. Other tips that may impede shoulder surfing: do not use corporate computers in public areas, sit with your back against the wall, angle your device or keyboard, and lean a bit toward the device or keyboard when you type something sensitive.

Physical Security Awareness Program

Importance

Most awareness programs tend to overlook physical security teaching for some reason or another. Physical security awareness, however, is essential in cases of some social engineering attacks as well as for educating employees about best security practices, such as upholding company policies, workstation locking, encryption of (mobile) devices & USB flash drives, and maintenance of a clear desk (see the image below).

"Oh, security is not my responsibility, I'm not technical." Well, this excuse could not be more wrong, because security is everyone's responsibility, and, by extension, physical security is everyone's responsibility. The duty of physical security should not be imposed only on the security personnel since physical security encompasses every person who inhabits certain corporate facilities. Hence, all employees should participate in such security awareness sessions.

One of the main objectives of every security awareness program is to educate employees on reporting suspicious activities and behavior to the security staff, not to be security professionals themselves. The majority of workers have more than enough duties, and nobody should expect them to become versed security professionals, but it is realistic to expect them to understand the threat when they are taught about it and to report it.

Tips

"Poor security awareness is the single biggest obstacle to defending against cyber-attacks. Moreover, poor security awareness training is rife," writes lexi, the author of .

Below are some best practices with respect to physical security awareness that may be useful to you:

  • Explain the intersection with cyber security – After all, we are discussing physical security in the context of information technology. For that reason, the meaning of the word 'physical' may transcend the traditional boundaries. Consider, for instance, a worker walking away from his desk. Locking or turning off his computer is a physical security concern since it has already been emphasized that one should "keep everything valuable under lock and key."


  • Make the content interesting, entertaining, and relevant to your staff. (Example: "Keep your mobile phone with you at all times!" vs. "Someone stole a mobile phone from a colleague of ours while he was refilling his Diet Dr. Pepper at Wendy's! He said he had left it on the table for only about 30 seconds.") It is appropriate to create your training plan in a more interactive way so that it will be engaging to the employees as well as educational. The security awareness training in many organizations comes down to merely going through a series of outdated slides sent via email. Served in such a manner, the security awareness training becomes simply a mundane box-ticking exercise.
  • Do not generalize. Bring things back to the individual level. Evoke trainees' emotional side – People tend to remember those things that may affect them personally, so make what is included in the physical security awareness program more about them.
  • Repeat the basics every now and then – Rehearse the core principles through numerous means: emails, phone calls, stickers, posters, ongoing training, etc.
  • Perform penetration testing of your organization's physical security – This is as practical as it can get. Have your organization tested by a real would-be invader. He can choose to test your employees on things mentioned in your physical security awareness plan and add even more security-related challenges.
  • To be effective, a security awareness program should go beyond compliance requirements.
  • Again, stress the importance of physical security. Convince the people you will train that physical security is a very important matter. If they view the training as a waste of their time, it will be a waste of time, your time, money, and effort.

Reference List

Abernathy, R. and McMillan, T. (2013). CISSP Cert Guide. Available at https://books.google.bg/books?id=TGYlDAAAQBAJ&pg=PT268&lpg=PT268&dq=information+memory+cissp&source=bl&ots=70xzZI3KMG&sig=fOqRJkXQvTjBiMrezfwVypJc8yw&hl=en&sa=X&ved=0ahUKEwi30qCau5HQAhVF0hoKHd7wAQEQ6AEIPzAH#v=onepage&q=data%20retention%20cissp&f=false (31/01/2017)

Bonnema, J. (2016). Nontechnical and Physical Security. Available at http://www.thesecurityawarenesscompany.com/2016/07/07/nontechnical-and-physical-security/ (31/01/2017)

Carthy, M. (2016). 7 Essential Security Awareness Training Topics. Available at https://www.linkedin.com/pulse/7-essential-security-awareness-training-topics-mike-carthy (31/01/2017)

Cobb, M. (2016). Physical security. Available at http://searchsecurity.techtarget.com/definition/physical-security (31/01/2017)

Emory University. Information Security Awareness Message – Physical security. Available at http://it.emory.edu/security/security_awareness/physical_security.html (31/01/2017)

Gardner, B. & Thomas, V. (2014). Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats. Available at http://www.sciencedirect.com/science/book/9780124199675 (31/01/2017)

Gregg, M. CISSP Exam Cram. Available at https://books.google.bg/books?id=2UzODAAAQBAJ&pg=PT74&lpg=PT74&dq=scoping+and+tailoring+privacy&source=bl&ots=Se48Y2tn1w&sig=RCtlfF8gBupaZgr08uj1OkSV-M0&hl=bg&sa=X&ved=0ahUKEwjrtcHDlu_PAhWGXRQKHTEBCFkQ6AEIPzAD#v=onepage&q=scoping%20and%20tailoring%20privacy&f=false (31/01/2017)

Hutter, D. (2016). Physical Security and Why It Is Important. Available at https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120 (31/01/2017)

InfoSec Institute (2014). Managing Physical Security: Part 1. Available at http://www.business2community.com/travel-leisure/managing-physical-security-part-1-2-0926723 (31/01/2017)

InfoSight, Inc. Social Engineering & Physical Security. Available at http://www.infosightinc.com/solutions/informational-services/social-engineering.php (31/01/2017)

kellyk (2016). Designing Physical Security Awareness Training (That Won't Be Forgotten in 5 Minutes). Available at https://www.tracesecurity.com/blog/designing-physical-security-awareness-training-that-wont-be-forgotten-in-five-minutes (31/01/2017)

LBMC Family of Companies (2014). Developing an Effective Security Awareness Program: Physical Security, Password Security, and Phishing. Available at http://www.lbmcinformationsecurity.com/blog/developing-an-effective-security-awareness-program-physical-security-password-security-and-phishing (31/01/2017)

lexi (2015). How to Develop Security Awareness Training That Works. Available at https://www.tracesecurity.com/blog/how-to-develop-security-awareness-training-that-works#.V9GQB_krJhF (31/01/2017)

Piran, G. Managing Physical Security Systems & Data In A Multi-Building Campus. Available at https://us.sourcesecurity.com/news/articles/co-2784-ga.9150.html (31/01/2017)

Stewart, J., Chapple, M., Gibson, D. (2015). Certified Information Systems Security Professional Study Guide (7th Edition)


Source: https://resources.infosecinstitute.com/topic/tips-managing-physical-security/
