4 Dimensional Physical Security
Requirement 9 of PCI DSS mandates that the Physical Security control measures must be appropriate, but what is appropriate?
Essential to this is understanding the intricacies of Physical Security surveys, to ensure that you are able to accurately evaluate appropriateness.
Therefore, when carrying out physical security reviews, it is important to ensure that you look for the weakest points and to never take things at face value.
Not everything may be as it appears!
Most secure areas contain high value or aggregated value assets and become the target of opportunist attackers or thieves and as a business, you need to ensure that the physical defences are adequate, before an attacker discovers that they are NOT!
Consequently, it is extremely important to regard a secure area (e.g. Secure Room, Data Centre, Contact Centre, etc.) as a 'Cube' and to assess each face separately, and to assess the appropriateness of the physical security measures based upon the point of least resistance. For example, the walls may be re-enforced yet if you were to take a look into the roof space (above the secure area), you discover that the robust walls only go upto the ceiling panels. This allows an attacker to bypass the overt physical security measures (Thick walls, Secure Door, Secure Lock, etc.) by entering the area through the ceiling space. The same applies for allowing the attacker to evade the CCTV surveillance and Perimeter Intrusion Detection Systems (PIDS).
Do you have Electronic Automated Access Control Systems (EAACS)? Did your installer understand the implications of siting the electronic magnetic locking mechanism correctly? If you can see the screws to the mounting plate, there's no need to gain access through the authentication access control part of the system. Instead, the attacker needs only to be armed with a suitable screwdriver to remove the mounting plate. The same applies to the use of clasp and hasp:
What about your door access?
Remember to check the integrity of the door frame and the accessibility of the door hinges. If you can exploit the integrity of the door frame or the hinges, your secure door is no longer secure and becomes an expensive piece of infrastructure that only provides lip service for security enhancement.
The same applies to push button locks, if you've not changed the manufacturer's default access code, or you're not periodically changing the combination, it won't be long before it is compromised:
If you're involved in PCI DSS compliance, these, do you think that these examples would be deemed to be appropriate under requirement 9.1?
Have you ever wondered why some physical security assurance reviews are carried out by assessors, carrying the 'Old School' clipboard (rather than a tablet device)?
This is a little known trick of the trade. When testing for acceptable apertures, how big is too big to be deemed as secure. As alluded to earlier, the integrity of the secure area is associated with the weakest point.
What about gaps around the internal cages, windows or ventilation ducts?
Could these gaps allow an intruder to gain unauthorised access?
The Physical Security element of the RAF Police Counter Intelligence course taught me that a A4 clipboard is not only helpful for securing A4 paper, when taking notes during the physical assessment, but also an extremely handy measure for identifying 'Person Passable' gaps. Many years ago the Department of Defense MILITARY HANDBOOK: DESIGN GUIDELINES FOR PHYSICAL SECURITY OF FACILITIES (MIL-HDBK-1013/1A), provided clear dimensions as to what is, and what is not, acceptable, for a person-passable opening. This just happens to be 96 square inches, so an A4 clipboard being a little larger than an A4 piece of paper (93 square inches), make this a far more convenient measuring tool. Saving the need for carrying a clipboard and measuring tape.
"An oldie, but goody!"
Consequently, if you are tasked to assess the physical layers of defence either at your organisation, or as part of your due diligence of your 3rd party suppliers, remember to evaluate each defensive layer, starting at the core working outwards to the perimeter. For example, if the intent is to slow ingress ensure that the anti-climb protection makes it more difficult to get in, rather than making it more difficult to get out (as applied to a prison).
Should the anti-climb protection point outwards or inwards? Or are you wanting to slow ingress and egress, through anti-climb protection that points inwards and outwards?
All of these are important considerations when designing or evaluating a secure facility to ensure that the physical security measures provide appropriate threat mitigation.