Tweet
An important topic to consider when building an overview of an organization is the facility itself. A determined attacker may be able to breach the physical barrier and gain access to the facility and allow him to steal equipment or data and possibly even perform vandalism or sabotage. The first type of controls that an attacker is likely to encounter are those that line the perimeter of an organization. It is important to assess to those structures and controls that extend in and around assets or facilities of the organization. All controls and structures in place should provide protection in the form of either delaying or deterring an attacker. There is always a possibility that a determined attacker may successfully bypass the countermeasures in the first layer of defense so additional layers of defense should provide valuable detection and deterrent functions. High resolution cameras and light also makes it harder for an intruder to gain access without being discovered.
When constructing new buildings or facilities, the physical security must be taken into account in the early stages. If this is not possible an thorough site survey should be executed to assess the current defenses in place. Consider natural geographic features that may assist an attacker in staying covert, items such as natural boundaries and fences or walls around the site. Common physical controls placed at the perimeter can include many types of physical barriers that physically and mentally deter the attacker. If there is a risk that the facility may be breached by a truck driving through the defenses such as a door or window, bollards may be an important control to implement. Bollards are metal or rock barriers designed to prevent a vehicle-based attack. This may seem drastic but it happens quite often that a robber uses a stolen car to ram a window or door of a jewelry store to gain access. This kind of attack is not very subtle but it is not meant to be.
These include but are not limited to the following
A popular term is Defense In Depth which uses the concept of layering more than one control and it is a way to delay an attack rather than stop an attack. These controls can be physical, administrative or technical in nature. Administrative controls include policies and procedures and how you recruit, manage and fire employees. This includes least privilege, separation of duties, rotation of duties. Technical controls include methods such as encryption, firewalls, IDS devices. When doing a site survey to verify or improve physical controls, the organization should strive for a minimum of three layers of defense.
The first layer is the building perimeter and are in place to delay and deter an attack and include fences, gates, bollards but it is important that these controls does not reduce visibility of CCTV equipment or guards. Shrubs should be 18-24 inches away from all entry points and hedges should be cut to be at least 6 inches below the level of all windows.
The second layer of defense is the building exterior and includes the roof, walls, floor, doors and ceiling of the building. Any opening 18 feet or less above the ground should be considered a potential point of entry and should be secured if greater than 96 square inches.
The third layer of defense is the interior controls including locks, safes, containers, cabinets, interior lighting and even policies and procedures that cover what controls are placed on computers, laptops, equipment and storage media. In a facility hosting a datacenter, equipment should not be above second floor because a fire might make them inaccessible. Also, equipment such as servers, storage systems should not be placed in a basement as they may be subject to flooding. Defense in depth is also known as Concentric Circles of Protection with the protected asset in the center.
When constructing new buildings or facilities, the physical security must be taken into account in the early stages. If this is not possible an thorough site survey should be executed to assess the current defenses in place. Consider natural geographic features that may assist an attacker in staying covert, items such as natural boundaries and fences or walls around the site. Common physical controls placed at the perimeter can include many types of physical barriers that physically and mentally deter the attacker. If there is a risk that the facility may be breached by a truck driving through the defenses such as a door or window, bollards may be an important control to implement. Bollards are metal or rock barriers designed to prevent a vehicle-based attack. This may seem drastic but it happens quite often that a robber uses a stolen car to ram a window or door of a jewelry store to gain access. This kind of attack is not very subtle but it is not meant to be.
These include but are not limited to the following
- Fences
- Gates
- Doors and mantraps
- Locks
- Walls, ceilings and floors
- Windows
A popular term is Defense In Depth which uses the concept of layering more than one control and it is a way to delay an attack rather than stop an attack. These controls can be physical, administrative or technical in nature. Administrative controls include policies and procedures and how you recruit, manage and fire employees. This includes least privilege, separation of duties, rotation of duties. Technical controls include methods such as encryption, firewalls, IDS devices. When doing a site survey to verify or improve physical controls, the organization should strive for a minimum of three layers of defense.
The first layer is the building perimeter and are in place to delay and deter an attack and include fences, gates, bollards but it is important that these controls does not reduce visibility of CCTV equipment or guards. Shrubs should be 18-24 inches away from all entry points and hedges should be cut to be at least 6 inches below the level of all windows.
The second layer of defense is the building exterior and includes the roof, walls, floor, doors and ceiling of the building. Any opening 18 feet or less above the ground should be considered a potential point of entry and should be secured if greater than 96 square inches.
The third layer of defense is the interior controls including locks, safes, containers, cabinets, interior lighting and even policies and procedures that cover what controls are placed on computers, laptops, equipment and storage media. In a facility hosting a datacenter, equipment should not be above second floor because a fire might make them inaccessible. Also, equipment such as servers, storage systems should not be placed in a basement as they may be subject to flooding. Defense in depth is also known as Concentric Circles of Protection with the protected asset in the center.