What physical security risks are created by an organization’s implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
Shubham Patil says
According to the referenced article, PHYSBITS is “a vendor-neutral approach for enabling collaboration between physical and IT security to support overall enterprise risk management needs.”
There are several consequences:
· Incompatibilities between building access hardware tokens and IT access tokens
· Trend analysis and specific forensic investigation struggle to relate physical access logs to IT logs
· Lack of consistent standards for journal and IT log management, indicating that logs may not be of evidentiary quality
· Monitoring systems do not provide situational awareness of coordinated physical and IT attacks
· Costly, manual processes for new hires and contractors to get building access set up, and changed when their access needs change
· Lack of integration of building access and business processes for new hires and for deprovisioning terminated staff, potentially causing security exposures
I would also add the employee-related risks, which are more dangerous. For example, former employees can use their credentials to enter a company’s facilities. This is possible if their access rights were not terminated right after they left the organization. Such an intrusion may go undetected at the time it takes place.
Physical thefts are not limited to material assets. These days, data leakage may have even more serious consequences, including loss of sensitive information, credit card details or intellectual property, or identity theft. In some cases, former employees are responsible for data theft. However, cybercriminals can also jeopardize valuable information if it is not properly protected.
To mitigate this risk, it is important to identify your vulnerabilities and mitigate them. Consider all the possible access points and make sure that you can detect an intruder and intercept him or her before they reach the intended target. Implement access control at various levels, from parking lots to server rooms, to make an intrusion harder to organize. Keep track of security events to analyze minor vulnerabilities. Conduct a risk assessment on an annual basis. Deny access rights to employees who were fired, right after they leave the company. Make sure that information security best practices are adopted within your organization. Implementing role-based access control is essential to information security. Do not leave valuable assets and sensitive information in a place that can be easily reached. Also, it is crucial that employees are given security training on a timely basis.
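The second consequence listed in the post above, that physical access logs cannot easily be related to IT logs, is the kind of gap a practitioner closes by joining the two log sources on a common user identifier. The script below is an added example written for this page, not code from the thread or from Open Security Exchange. The badge-reader (PACS) rows and the logon rows are constructed sample data; the column names, the site labels and the function name Find-PhysicalItMismatch are assumptions for the example, and real exports (a PACS CSV, Windows 4624 events, VPN syslog) will need their own parsing.

```powershell
# Added example (not from the thread): join badge-reader events to IT logon
# events so that a physical/IT mismatch becomes a detectable finding.
# Both log formats below are constructed for this example.

# Constructed PACS export: one row per badge presentation.
$badgeCsv = @'
time,user,door,site,result
2023-05-01T08:02:11,jdoe,MainLobby,HQ,granted
2023-05-01T08:05:40,asmith,MainLobby,HQ,granted
2023-05-01T09:15:02,bjones,ServerRoom,HQ,denied
'@

# Constructed IT logon export: interactive = console logon on a machine
# inside a building; vpn = remote-access session.
$logonCsv = @'
time,user,type,host,site
2023-05-01T08:10:05,jdoe,interactive,HQ-WS-014,HQ
2023-05-01T08:12:30,bjones,interactive,HQ-WS-022,HQ
2023-05-01T10:40:00,asmith,vpn,vpn-gw-1,remote
2023-05-01T22:30:00,cwong,interactive,HQ-WS-031,HQ
'@

function Find-PhysicalItMismatch {
    param(
        [Parameter(Mandatory)] [object[]] $BadgeEvents,
        [Parameter(Mandatory)] [object[]] $LogonEvents
    )
    # Index granted badge entries by "user|site" so each logon needs one lookup.
    $present = @{}
    foreach ($b in ($BadgeEvents | Where-Object { $_.result -eq 'granted' })) {
        $key = "$($b.user)|$($b.site)"
        if (-not $present.ContainsKey($key)) { $present[$key] = @() }
        $present[$key] += [datetime]$b.time
    }

    foreach ($l in $LogonEvents) {
        $t = [datetime]$l.time
        if ($l.type -eq 'interactive') {
            # A console logon inside a building needs a granted badge-in at that
            # site earlier the same day; a denied swipe does not count.
            $badgedIn = $present["$($l.user)|$($l.site)"] |
                Where-Object { $_.Date -eq $t.Date -and $_ -le $t }
            if (-not $badgedIn) {
                [pscustomobject]@{
                    user = $l.user; time = $l.time
                    finding = "interactive logon on $($l.host) at $($l.site) with no badge entry that day"
                }
            }
        }
        elseif ($l.type -eq 'vpn') {
            # A VPN session while the badge log says the user is on site is a
            # lead, not proof: many PACS deployments never record exits.
            $onSite = $present.Keys | Where-Object { $_ -like "$($l.user)|*" } |
                ForEach-Object { $present[$_] } |
                Where-Object { $_.Date -eq $t.Date -and $_ -le $t }
            if ($onSite) {
                [pscustomobject]@{
                    user = $l.user; time = $l.time
                    finding = "VPN session from $($l.host) while badge shows user on site"
                }
            }
        }
    }
}

$findings = Find-PhysicalItMismatch -BadgeEvents ($badgeCsv | ConvertFrom-Csv) `
                                    -LogonEvents ($logonCsv | ConvertFrom-Csv)
$findings | Format-Table -AutoSize
```

On the constructed data this flags bjones (console logon after only a denied swipe), asmith (VPN session while badged in) and cwong (a 22:30 logon with no badge event at all), and leaves jdoe clean. The join only works if both systems use the same user identifier and are time-synchronized (NTP on the badge controller as well as the domain), which is exactly the token and log-standard incompatibility the post lists; without that, every row is a false positive.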
Elizabeth Gutierrez says
Hi Shubham,
You made a lot of great points regarding the consequences of this approach, and we both mentioned employee-related risks that are typically overlooked. Your response gave me a better understanding of how the vendor-neutral approach could be problematic when working with third parties. A company is only as secure as its weakest link, so if vendors are not following safety guidelines, that is a huge vulnerability to consider. It could be useful to implement a class or lessons related to physical security risks so that they are aware of these dangers and make use of better security practices.
Oluwaseun Soyomokun says
Hi Shubham,
Your answer explains the cogent and important areas where a company’s sensitive (leaked) information can make it a target for unforeseen threats and vulnerabilities, perhaps if exposed to a user with malicious intent. Companies are already implementing the PHYSBITS framework for effective security solutions.
Elizabeth Gutierrez says
Two physical security risks that should be considered after an organization’s implementation of a PHYSBITS solution are tailgating or piggybacking, and an estranged employee getting access to physical equipment by using a current employee’s badge or through other means. Tailgating is when an unauthorized person follows an authorized person into a secure or restricted area without the consent of the authorized person. On the other hand, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area; this happens more often than we think because it is human nature to be polite and hold the door for someone without considering whether they actually belong in that place. Unfortunately, people do not always have the best intentions, and this can be problematic. Organizations should at least require PINs or IDs to be scanned when entering a restricted area, but a greater security measure may be investing in mantrap security doors or having security verify someone’s identity by camera before unlocking the door. With reference to estranged employees that attempt to regain access to the facility, there is a great possibility that they could attempt to compromise the integrity of the system. If companies plan on using PINs to gain entry, they should consider updating them annually; it is the same idea as changing your lock once you move into a new place so that the previous owner does not have access to your home. With that being said, multi-level authentication should be implemented in order to better secure an organization.
Oluwaseun Soyomokun says
Hi Elizabeth, your answer to this question points out and explains tailgating, and it is important that employees and other staff of any organization be vigilant and try as much as possible to know who isn’t part of the employee stack. Also, as companies plan to use PINs and other biometrics for access, the Biometric Information Privacy Act should be a guide for implementing these security procedures.
Yangyuan Lin says
Hi Elizabeth,
I like your detailed explanation. Also, I very much agree with what you said: “our human nature is to be polite and hold the door for someone without considering if they actually belong in that given place”. This is a very common problem, including in our school; I once saw students who did not belong to Temple enter the Pearson Hall basketball hall by trailing. I think organizations can use a revolving door that lets only one person through per ID card swipe.
Oluwaseun Soyomokun says
Open Security Exchange – PHYSBITS is a framework that intends to support organizations with a data model, security control measures, auditing, use cases and best practices for access card selection, revocation and log management in service of their business objectives and goals. This framework supports the integration of physical security and IT security to leverage authentication for the protection of assets, managing the flow of individuals on infrastructure and network access, and also managing areas pertinent to vulnerabilities and perimeter intrusion. It helps to improve business continuity by limiting employees’ access, and also business users’ privileged access, to their designated functions with ID identification, digital captures and other means to mitigate the risks to the overall enterprise security implementation. Converging these security environments addresses security gaps that fall between two different security disciplines and helps protect organizations against multifaceted security threats by using authentication systems and management tools.
It identifies the areas susceptible to security challenges, risks, threats and vulnerabilities, such as an ex-employee of the organization using their existing credentials to gain access to the company’s infrastructure and network system. This framework remedies all possible security breaches that may arise by using digital captures for authenticating a user and verifying the data in the database.
Shubham Patil says
Oluwaseun,
As you mentioned in your response, ex-employees gaining access to the system is a very common security challenge that cannot be ignored. In my past work experience, I was an infrastructure admin for my project and we had to manage over 200 users in our account. It was always a challenge to keep up with the inactive users, so we came up with the solution of creating a PowerShell script which disabled user accounts if they were inactive for 30 days or more. This way we were able to automate the process and avoid human error.
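The inactive-account sweep described in the post above, as an added example written for this page rather than Shubham’s actual script. It assumes the accounts live in Windows Active Directory and that the RSAT ActiveDirectory module is available to a caller with rights to disable accounts; the exclusion group name svc-no-autodisable, the function names and the sample accounts are made up for the example. The selection logic is kept in a pure function so it can be checked on constructed data before it ever touches the directory.

```powershell
# Added example (not the script from the post): disable AD user accounts that
# have been inactive for 30 days or more. Assumes the ActiveDirectory module
# and a (hypothetical) exclusion group 'svc-no-autodisable' for service accounts.

function Get-StaleAccount {
    param(
        # Objects exposing SamAccountName, Enabled, LastLogonDate and WhenCreated,
        # i.e. what Get-ADUser -Properties LastLogonDate, WhenCreated returns.
        [Parameter(Mandatory)] [object[]] $Users,
        [int]      $InactiveDays = 30,
        [string[]] $Exclude = @(),
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    foreach ($u in $Users) {
        if (-not $u.Enabled) { continue }                     # already disabled
        if ($Exclude -contains $u.SamAccountName) { continue }  # service / break-glass accounts
        # Accounts that never logged on have no LastLogonDate; judge them by
        # creation date so a forgotten new-hire account is caught, not ignored forever.
        $lastActivity = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.WhenCreated }
        if ($lastActivity -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                LastActivity   = $lastActivity
                DaysInactive   = [int](($Now - $lastActivity).TotalDays)
            }
        }
    }
}

# Constructed sample accounts (not real users) to exercise the selection rules.
$now = [datetime]'2023-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName='jdoe';    Enabled=$true;  LastLogonDate=[datetime]'2023-05-30'; WhenCreated=[datetime]'2021-01-10' }
    [pscustomobject]@{ SamAccountName='asmith';  Enabled=$true;  LastLogonDate=[datetime]'2023-04-01'; WhenCreated=[datetime]'2021-01-10' }
    [pscustomobject]@{ SamAccountName='newhire'; Enabled=$true;  LastLogonDate=$null;                  WhenCreated=[datetime]'2023-03-15' }
    [pscustomobject]@{ SamAccountName='svc-bkp'; Enabled=$true;  LastLogonDate=[datetime]'2022-01-01'; WhenCreated=[datetime]'2020-01-01' }
    [pscustomobject]@{ SamAccountName='old';     Enabled=$false; LastLogonDate=[datetime]'2022-01-01'; WhenCreated=[datetime]'2020-01-01' }
)
Get-StaleAccount -Users $sample -Exclude 'svc-bkp' -Now $now | Format-Table -AutoSize

# Live run against the directory. Supports -WhatIf so the first run is a dry run,
# and records the reason on the account so the disable is explainable later.
function Disable-StaleAdAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param([int] $InactiveDays = 30, [string] $ExclusionGroup = 'svc-no-autodisable')
    Import-Module ActiveDirectory
    $excluded = @(Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
                  Select-Object -ExpandProperty SamAccountName)
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated
    foreach ($stale in Get-StaleAccount -Users $users -InactiveDays $InactiveDays -Exclude $excluded) {
        if ($PSCmdlet.ShouldProcess($stale.SamAccountName, "Disable after $($stale.DaysInactive) days inactive")) {
            Disable-ADAccount -Identity $stale.SamAccountName
            Set-ADUser -Identity $stale.SamAccountName `
                -Description "Auto-disabled $(Get-Date -Format s): inactive $($stale.DaysInactive) days"
        }
    }
}
# Disable-StaleAdAccount -WhatIf
```

On the constructed data the sweep selects asmith and newhire, leaves jdoe alone as recently active, skips svc-bkp through the exclusion list and ignores old because it is already disabled. Two caveats matter in production: LastLogonDate is derived from lastLogonTimestamp, which AD only replicates when it is more than about two weeks stale, so a 30-day threshold really means 30 to 44 days; and, in PHYSBITS terms, the same trigger should revoke the user’s badge in the physical access system, otherwise the leaver keeps walking into the building after losing the account.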
Oluwaseun Soyomokun says
Shubham, I agree with your views about the difficulty of managing inactive users, as a matter of security compliance, among over 200 users in a company’s facilities. As the infrastructure administrator, putting functional scripts in place to check the inactive state of user accounts is also a quick and swift measure to keep the security arm updated and secure.
Great man…
Yangyuan Lin says
According to the PHYSBITS framework, I think organizations can divide mitigation measures into internal and external.
The focus of internal physical security management measures is to protect physical security, including the functional integrity of tangible assets, personnel, and infrastructure. Enterprises should pay attention to area management, perimeter intrusion, occupancy, and access methods. Both the internal and external monitoring facilities of the building should be comprehensive, such as iron fences, infrared intrusion detection, cameras, guards, automatic doors, alarms, and access cards. Physical security management should retain data so that the IT security management department can review historical records to ensure that the information on personnel entering and exiting is correct, and so that whether there are threats in the surrounding environment can be queried and recorded through those historical records.
External physical management measures are aimed at external suppliers. Suppliers’ employees responsible for the company should have their own physical access tokens, and each access should be registered (on paper or electronically). Employees should be equipped with badges to confirm their identity at any time.
When an employee leaves, the company should ensure that the employee’s access rights will be cancelled or blocked.
Oluwaseun Soyomokun says
Lin,
I quite agree that the mitigation techniques could be segregated into internal and external measures, spreading the security functionality to privileged players in the PHYSBITS framework so that both internal and external players monitor their facilities and the perimeter security of the building. My conclusion about both internal and external measures would be that both have to use the PHYSBITS approach for their security infrastructures.