Physical Security: Skimping On The Puppy Dog Tails
The first 13 years of my career in the RAF Police had a strong focus on providing the physical security element of the RAF's protective security strategy:
Airfield Security Dog Patrols.
Deputy Security Shift Commander.
Security Shift Commander.
Aviation Security Operative.
However, it was not until I commenced the Physical Security component of the Counter Intelligence course that I really started to appreciate the importance of being able to assess the appropriateness of Physical Security measures.
The Physical Security element was delivered by an instructor who displayed a true passion for Physical Security and its importance. Now, this RAF Police instructor bore an uncanny resemblance to 'Ned Flanders'.
Consequently, prior to the commencement of our very first lesson, the resident joker of the class had the awesome idea of changing all our name plates to characters from the Simpsons. You may find it hard to appreciate how difficult it was not to laugh when your instructor (looking like Ned Flanders) asks you a question like this:
So, BART what do you think of........
It turns out that the instructor had never seen a single episode of the Simpsons!
Anyhow, once we had got past this hurdle, it turned out that this instructor was like 'Blackpool Rock': if you had sliced him in two, he would have had the words Physical Security running right through his very being. He lived, slept and breathed the subject!
Physical Security Explained
What is Physical Security?
What is the purpose of Physical Security?
What is appropriate Physical Security?
Given that Physical Security is a requirement in both ISO/IEC 27001:2013 (Annex A.11 controls) and PCI DSS v3.2.1 (Requirement 9), it is useful to understand what can be deemed appropriate:
The CPNI describes effective Physical Security as follows:
Effective physical security of an asset is achieved by multi-layering the different measures, what is commonly referred to as ‘defence-in-depth’. The concept is based on the principle that the security of an asset is not significantly reduced with the loss of any single layer. Each layer of security may be comprised of different elements.
Whilst SANS describes it like this:
Physical security is often a second thought when it comes to information security. Since physical security has technical and administrative elements, it is often overlooked because most organizations focus on “technology-oriented security countermeasures” (Harris, 2013) to prevent hacking attacks. Hacking into network systems is not the only way that sensitive information can be stolen or used against an organization. Physical security must be implemented correctly to prevent attackers from gaining physical access and take what they want. All the firewalls, cryptography and other security measures would be useless if that were to occur. The challenges of implementing physical security are much more problematic now than in previous decades. Laptops, USB drives, tablets, flash drives and smartphones all have the ability to store sensitive data that can be lost or stolen. Organizations have the daunting task of trying to safeguard data, equipment, people, facilities, systems, and company assets. The company could face civil or criminal penalties for negligence for not using proper security controls. The objective of physical security is to safeguard personnel, information, equipment, IT infrastructure, facilities and all other company assets. The strategies used to protect the organization’s assets need to have a layered approach. It is harder for an attacker to reach their objective when multiple layers have to be bypassed to access a resource.
The commonality between these two descriptions is the application of sequential, multi-layered defences, with each layer getting progressively more robust the closer it sits to the valued asset being protected.
Think of it like the structure of an 'Onion':
The heart of an onion is protected by multiple layers; each layer is independent of the others, and the outermost layer provides only a very superficial, thin layer of defence (virtually just the wrapping).
To meet the requirements for ISO/IEC 27001:2013 and PCI DSS, an organisation needs to ensure that these defensive layers provide appropriate protection:
PCI DSS Requirement 9 - Restrict physical access to cardholder data:
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.
ISO 27001 Annex A.11 - Physical and Environmental Security:
Annex A.11.1 is about ensuring secure physical and environmental areas. The objective in this Annex A control is to prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities. It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification.
Consequently, the physical layers of defence must be commensurate with the perceived value of the assets (remembering to factor in the classification and aggregation principle).
Something my instructor was extremely passionate about was never taking anything at face value and always looking at the physical security measures from different angles.
It is rare that an intruder/attacker will try to gain unauthorised entry through the normal channels. Just because you think you have a robust and appropriate defensive layer does not mean this will always be the case. Looking at your defensive layers in much the same way as your attacker might may help you identify a vulnerability before an attacker gains the opportunity to exploit it.
Starting at the heart
Before you do anything else, you need to ensure that you have identified all the assets that you deem to be valuable to your organisation (the assets whose compromise of Confidentiality, Integrity or Availability would have the greatest impact on the business).
Having achieved this, you can then start to score your defensive layers:
Containers and Security Locks. What security grade of lock and container have you directly wrapped around your valuable assets? Containers and the locking mechanism should be classified according to the level of security they offer (remembering that the integrity of the container can be undermined by the way the locking mechanism is fixed to it).
Rooms. The level of protection offered by a room will depend on the strength and structure of the walls, floor and ceiling/roof, the strength and quality of the door and its lock and the quality and protection given to any windows.
Buildings. Buildings should be rated according to their resistance to both forced and surreptitious attack. The method of construction, material used and the security of doors and windows should contribute to the overall assessment.
Control of Entry to Building, Area or Site. Control of entry should be exercised over a site, a building or buildings on a site, or areas or rooms within a building. The control may be electronic, electro-mechanical, guard or receptionist control, or physical barriers.
Guards and Alarm Systems. The employment of guards to protect buildings or sites provides a valuable deterrent to criminals and to those who might plan a covert attack. The guards' duties and the need for and frequency of patrols will be decided by considering the level of threat and any security systems or equipment that might be in place. Additionally, an Intrusion Detection System (IDS) can be used inside buildings in place of, or to assist, site guards. To be effective, an IDS must have a response force that will react in the event of an alarm condition. Alarm systems should be graded according to the level of security they offer.
Outer Perimeter. A perimeter fence forms a useful barrier and identifies the boundary of a protected or restricted area. The level of protection offered by a fence depends on its height, construction, the material used and any additional security features used to increase its performance or effectiveness, such as fence-topping, Perimeter IDS (PIDS), lighting or CCTV. The type of fence used on the perimeter of a site should reflect the type of threat (i.e. terrorist, criminal, saboteur, vandal). Fences should be graded according to the level of protection they offer.
Try creating a scoring matrix to measure the effectiveness of your layers of defence and assign yourself a minimum score that must be achieved for each layer.
Inner Core Layers (Mandatory - Sections 1 and/or 2, plus 3):
1. Container score: Container security (Grade 3) X Security lock (Grade 3) = Score of 9.
2. Room Score: Room security (Grade 2) X Security lock (Grade 2) = Score of 4.
3. Building Score: Building security (Grade 1) = Score of 1.
Minimum acceptable score = 8
Actual assessed score = 14 (9 + 4 + 1)
Outer Core Layers (Mandatory - Sections 4 plus 5):
4. Access Control Score: Control of entry (Grade 2) + Visitor Control (Grade 2) = Score of 4.
5. Guards & IDS Score: Guards (Grade 1) + IDS (Grade 0 (None)) = Score of 1.
Minimum acceptable score = 5
Actual assessed score = 5 (4 + 1)
Additional - Any Sections
6. Immediate dispersal/parking/storage area: Inner Fence (Grade 1) X Inner Entry Control (Grade 1) + Random Inner Entry/Exit searches (Grade 0 (None)) + PIDS (Grade 0 (None)) + CCTV (Grade 1) + Lighting (Grade 0) = Score of 2.
7. Outer Perimeter: Outer Fence (Grade 1 (demarcation)) X Outer Entry Control (Grade 0 (None)) + Random Outer Entry/Exit searches (Grade 0 (None)) + PIDS (Grade 0 (None)) + CCTV (Grade 0 (None)) + Lighting (Grade 0) = Score of 0.
Minimum acceptable score = 4
Actual assessed score = 2 (2 + 0)
Minimum acceptable scores:
Mandatory - Sections 1 and/or 2, plus 3 = 8
Mandatory - Sections 4 plus 5* = 5
Additional - Any Sections (6 and/or 7) = 4
* Each section must achieve at least 1 point
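The matrix above is easy to keep in a spreadsheet, but encoding it as code makes the scoring rules explicit and repeatable across sites. The following is an added example, not part of the original post: it reproduces the page's formulas (container and room grades multiplied by their lock grade; fence grade multiplied by entry-control grade, with searches, PIDS, CCTV and lighting added on), applies the three minimum scores and the "each mandatory section must achieve at least 1 point" rule, and reports which layer falls short. The grade values are the ones from the worked example; the field and function names are my own.

```python
from dataclasses import dataclass, replace

# Grades are small integers as in the matrix on the page (0 = none/absent).
# Field names are assumptions for this example, not terms from any standard.
@dataclass
class SiteGrades:
    container: int = 0          # section 1
    container_lock: int = 0
    room: int = 0               # section 2
    room_lock: int = 0
    building: int = 0           # section 3
    entry_control: int = 0      # section 4
    visitor_control: int = 0
    guards: int = 0             # section 5
    ids: int = 0
    inner_fence: int = 0        # section 6: dispersal/parking/storage area
    inner_entry: int = 0
    inner_searches: int = 0
    inner_pids: int = 0
    inner_cctv: int = 0
    inner_lighting: int = 0
    outer_fence: int = 0        # section 7: outer perimeter
    outer_entry: int = 0
    outer_searches: int = 0
    outer_pids: int = 0
    outer_cctv: int = 0
    outer_lighting: int = 0


# Minimum acceptable scores per layer, as stated in the page's matrix.
MINIMUMS = {"inner_core": 8, "outer_core": 5, "additional": 4}
# Layers whose member sections must each score at least 1 point (the "*" rule).
MANDATORY_SECTIONS = {"outer_core": (4, 5)}


def perimeter_score(fence, entry, searches, pids, cctv, lighting):
    # Fence X entry control: a fence with no controlled entry point scores 0,
    # which is exactly why the page's outer perimeter collapses to 0.
    return fence * entry + searches + pids + cctv + lighting


def section_scores(g: SiteGrades) -> dict:
    """Score sections 1-7 using the page's formulas."""
    return {
        1: g.container * g.container_lock,
        2: g.room * g.room_lock,
        3: g.building,
        4: g.entry_control + g.visitor_control,
        5: g.guards + g.ids,
        6: perimeter_score(g.inner_fence, g.inner_entry, g.inner_searches,
                           g.inner_pids, g.inner_cctv, g.inner_lighting),
        7: perimeter_score(g.outer_fence, g.outer_entry, g.outer_searches,
                           g.outer_pids, g.outer_cctv, g.outer_lighting),
    }


def assess(g: SiteGrades):
    """Return (layer totals, list of findings). An empty list means all layers pass."""
    s = section_scores(g)
    layers = {
        "inner_core": s[1] + s[2] + s[3],   # sections 1 and/or 2, plus 3
        "outer_core": s[4] + s[5],          # sections 4 plus 5
        "additional": s[6] + s[7],          # sections 6 and/or 7
    }
    findings = []
    for layer, total in layers.items():
        if total < MINIMUMS[layer]:
            findings.append(f"{layer}: scored {total}, minimum is {MINIMUMS[layer]}")
    # Structural rule: the building (3) plus at least one of container/room (1, 2).
    if s[3] == 0 or (s[1] == 0 and s[2] == 0):
        findings.append("inner_core: section 3 plus section 1 and/or 2 is mandatory")
    for layer, sections in MANDATORY_SECTIONS.items():
        for sec in sections:
            if s[sec] < 1:
                findings.append(f"{layer}: section {sec} must achieve at least 1 point")
    return layers, findings


# The grades from the page's worked example (constructed from the matrix text).
PAGE_EXAMPLE = SiteGrades(
    container=3, container_lock=3, room=2, room_lock=2, building=1,
    entry_control=2, visitor_control=2, guards=1, ids=0,
    inner_fence=1, inner_entry=1, inner_cctv=1, outer_fence=1,
)

# A hypothetical remediation: add controlled entry and CCTV on the outer perimeter.
REMEDIATED = replace(PAGE_EXAMPLE, outer_entry=1, outer_cctv=1)

if __name__ == "__main__":
    for label, site in (("as assessed", PAGE_EXAMPLE), ("remediated", REMEDIATED)):
        totals, problems = assess(site)
        print(label, totals, problems or "all layers meet the minimum")
```

Running the block reproduces the page's result (inner core 14, outer core 5, additional 2, with the additional layer flagged at 2 against a minimum of 4) and then shows that grading the outer entry control and outer CCTV at 1 each lifts the outer perimeter to 2 and the additional layer to the minimum of 4. The multiplication in `perimeter_score` is the point to notice: it encodes the author's observation that a fence without any control of entry contributes nothing, however good the fence itself is.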
As you can see, by using a simple scoring matrix you can assign values to the various physical security components and facilitate a uniform assessment of the effectiveness of your physical security layers.
In the example above, you can clearly see that the perimeter control layer did not meet the minimum acceptable level: the outer perimeter fence score was reduced to zero by the lack of any control of entry, and neither the inner control of entry nor the CCTV provided an effective audit capability.
Remembering that the effectiveness of the access control system makes an integral contribution to the overall grading of a secure room (as do the structure of the door frame, the door, the ceiling and the floor), it is important that you assess the effectiveness of each contributing component.
Imagine a Mantrap/Airlock system that looks the part but has been incorrectly configured, so that it does not prevent two or more people passing through at the same time (e.g. the weight sensor is not correctly calibrated).
Do you ever test that this component is providing appropriate access control?
Is the integrity of your ceilings/floors/windows/window frames equal to that of the walls, doors, door frames and locks?
Could an attacker circumvent the secure room defences, by crawling through the ceiling/floor space to gain unauthorised access from above or below?
Hey, Diddly, Diddly there, fellow protective security specialists and business leaders/owners. I hope that you have found this investigation into the potential failings of Physical Security defences interesting.
Physical security is an integral part of protecting those assets that you deem to be most valuable to your organisation (whether for compliance reasons or to provide business resilience).
By understanding how your physical security measures need to provide integrated layers of defence, where no control measure is undermined by a weaker subsequent layer (the onion ring effect), you can help to ensure that your physical security strengthens your 5 Ds of Defence:
Deter; Detect; Delay; Disrupt; Divert
For this and further insights into the value of integration, why not get yourself a copy of my book to read?
More than 30 years Protective Security experience and knowledge compiled into a single resource - Extremely good value for money: