The last chapter of the architecture and design section covers physical security. Probably the most interesting chapter of the bunch (aside from embedded systems) but… don’t get your hopes up too much.
There’s a lot to be said for software-based security. The reason that physical security is important is because if someone has physical access to your systems, many of your digital controls no longer matter.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Like I said, don’t get your hopes up. A lot of this chapter covers building-level designs. Important, but probably not what most of us got into CS for.
Proper lighting is important (external and internal to the building). Lighting allows activities, particularly unauthorized ones, to be observed and responded to more easily.
Signs provide information and visual security clues. For example, signs can alert employees to the fact that an area is restricted, or that doors should remain closed.
Fencing isn’t a new concept to any of us. It’s a physical barrier around property. This can exist outside (fences around the organization’s property, barbed wire, anti-scale fencing). It can also exist inside to provide a means of restricting entry into an area where different security policies apply. An example is putting servers in a cage with a controlled gate.
Fences also fall under the category of barricades. Barricades include walls, fences, gates, doors and bollards. Bollards are posts that stop vehicle traffic but allow foot traffic. Consider having windows into server rooms or other areas so that people’s activities aren’t hidden. Still, these windows should not allow shoulder surfing.
Security guards are a great security measure, because they’re both visible to potential attackers, and are directly responsible for security. Make sure that your guards receive some network training, too. They should be familiar with social engineering attacks, and also be able to discern weird behavior, like computers rebooting all at once, or people in the parking lot with electronic equipment.
Alarms alert people to abnormal conditions. You want to make sure that alarms are tuned to provide only accurate and useful alerts.
Safes are another security measure. Contrary to popular belief, they are designed to impede authorized access, not necessarily stop it entirely.
One step down from safes are secure cabinets and enclosures. This is a solution where the contents don’t need the security level of a safe, or if you have too much volume to store in a safe.
Cables running between systems also need to be protected. Protected cabling helps prevent physical damage and the resulting communication failures that come with it.
Air gap has been covered in previous chapters. It’s a physical and logical separation of a network from all other networks (make sure USB drives don’t break this rule!)
Also mentioned in a previous chapter are mantraps. It’s a way of preventing tailgating by having two doors into a space that you can’t hold open at the same time. Both doors require an access card or token, so if someone does not have one, they will get stuck in between the doors.
Another social engineering attack is shoulder surfing. You can use screen filters to narrow the angle of viewability to a screen.
Faraday cages are a means of protecting against electromagnetic interference (EMI). EMI is electrical disturbance to a circuit due to the circuit’s reception of electromagnetic radiation. This can become an issue in server rooms, where there’s lots of equipment and cabling. There are standards to reduce EMI through board design and shielding. You can also use Faraday cage, which is an enclosure made of conductive material that is grounded. This prevent outside signals from getting in, and vice versa. The book briefly mentions TEMPEST. 👀
Locks are a well-known security measure. If you’ve been to an infosec conference, you’ve likely tried a “lock-picking village.” Engineering tolerances in most locks make them vulnerable to picking. High-security locks are made to be resistant to picking, drilling, bumping, and so on. They also have mitigations against duplicating keys (this is known as key control).
Laptops and other valuable devices should be locked inside a desk when not in use, or secured with lockdown cables. These cable locks are a simple way of securing portable equipment to furniture or other fixtures.
Organizations likely want to limit building entry to authorized people only.
They can do this through biometrics, which is “the measurement of biological attributes or processes with the goal of identification of a party possessing the features.” This includes fingerprints, retina or iris scans, face geometry, hand geometry, and so on. Biometrics aren’t foolproof, and will likely need updates to people’s information as they age and change.
You can also use access tokens or cards. Physical keys can be difficult to manage. Tokens and cards can be provisioned quickly, and revoked remotely if needed.
Keeping track of what keys exist, who they belong to, and what they have access to is known as key management.
There are a number of environmental controls to consider. You want information to be confidential, but you also want it to be available.
This means, among other things, controlling the temperature and humidity of server rooms through HVAC systems. This is often done with a system of hot and cold aisles, where exhaust fans all face one aisle and intake fans face another aisle.
Fire suppression is also very important. This doesn’t necessarily stop the fire to begin with, but provides some mitigation against the fire spreading throughout a facility. Commonly, water is used, but of course, electronics don’t like water. There are other systems that use CO2, argon, inergen, and FE-13. The book goes into a lot of detail about fire extinguishers. The TL;DR is “don’t use the common ABC fire extinguisher on fires involving flammable metals.”
Along with fire suppression, you should also have fire detection. Fire detection works via ionization, photoelectric (detection of smoke), heat detection and flame (infrared) detection.
If an intruder has made it into your building, how would you know? You can detect intruders using cameras, motion detection and infrared.
CCTV, or closed-circuit television, is fairly standard, but require a multiplexer and other video processing. IP-based cameras are easier to use as standalone units. However, since they’re network connected, they are prone to network-based attacks. They should be kept on a separate network so that attacks to cameras do not take down the rest of a system.
You can also use motion detectors to monitor low-traffic areas for signs of activity. This is often done through infrared (heat) detection. Because you’re looking at differences in temperature, you can see people via infrared detection, even if it’s dark outside.