A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
Elizabeth Gutierrez says
Typically, many physical security vulnerabilities depend on a number of factors including but not limited to: the size of the building, number of buildings or sites, number of employees, location and number of building entrance and exit points, and the placement of the data centers and other confidential information. If a company’s physical security team analyzed physical security threats and vulnerabilities for its system, I could infer that they would focus on human-caused threats and technical threats the most. Human-caused threats involve unauthorized physical access, theft, and misuse. Some examples of vulnerabilities involved are: no access controls on doors or the use of traditional keys that can be duplicated with no accountability, software and backup media lying around, sensitive information being thrown away in trash cans rather than being shredded or placed in a shred container, and systems accessible via the network with the default user ID and password. While an organization may have physical security guards and cameras, they should also enforce a security policy to follow. Due to possible threats / vulnerabilities / failures in physical enforcement, organizations may rely on technology to keep them protected by putting a lot of faith in encryption and authentication technologies; in reality, companies often remain vulnerable because encryption cannot correct underlying vulnerabilities. An organization can only truly rely on data encryption and authentication to provide reliable security if all parties, including the sender and receiver, are physically secure.
Shubham Patil says
Various factors determine which vulnerabilities a company can focus on, but I believe the most unpredictable ones are the human-caused vulnerabilities, and companies should focus on those first.
According to the textbook, human-caused threats are more difficult to deal with than the environmental and technical threats discussed so far. Human-caused threats are less predictable than other types of physical threats. Worse, human-caused threats are specifically designed to overcome prevention measures and/or seek the most vulnerable point of attack.
We can group such threats into the following categories:
Unauthorized physical access: Those who are not employees should not be in the building or building complex at all unless accompanied by an authorized individual. Not counting personal computers and workstations, IS assets such as servers, mainframe computers, network equipment, and storage networks are generally housed in restricted areas. Access to such areas is usually restricted to only a certain number of employees. Unauthorized physical access can lead to other threats such as theft, vandalism, or misuse.
Theft: This threat includes theft of equipment and theft of data by copying. Eavesdropping and wiretapping also fall into this category. Theft can be at the hands of an outsider who has gained unauthorized access or by an insider.
Vandalism: This threat includes destruction of equipment and destruction of data.
Misuse: This category includes improper use of resources by those who are authorized to use them, as well as use of resources by individuals not authorized to use the resources at all.
Elizabeth Gutierrez says
Hi Shubham,
As you mentioned, various factors determine which vulnerabilities a company can focus on. Unfortunately, most companies probably do not have the resources to focus on or address all of them at once. For that reason, I would start by determining the likelihood of each threat by using a scale of 1 (least likely) to 5 (most likely) so that threats can be grouped to suggest where attention should be directed. Then, I believe it would be useful to prioritize threats. The goal here is to determine the relative importance of the threats as a guide to focusing resources on prevention. The formula recommended to use when prioritizing threats is: Importance = Likelihood x (Direct cost x Secondary cost).
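A worked version of the prioritization described in the post above, added here as an example and not part of the thread. The threat names, likelihood ratings and cost figures are constructed for illustration; the scoring uses the formula exactly as the post quotes it, Importance = Likelihood x (Direct cost x Secondary cost), and then groups threats by likelihood and ranks them so a team can see where prevention resources should go first.

```python
"""Threat prioritization worksheet (constructed example).

Each threat is rated on the 1 (least likely) to 5 (most likely) likelihood
scale from the post and given direct and secondary cost estimates. Importance
is computed with the formula quoted in the post and the register is ranked,
most important first. All figures below are made up for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1 (least likely) .. 5 (most likely)
    direct_cost: float     # e.g. repair/replacement, arbitrary units
    secondary_cost: float  # e.g. downtime, notification, reputation

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot skew the ranking.
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"likelihood must be 1..5, got {self.likelihood}")
        if self.direct_cost < 0 or self.secondary_cost < 0:
            raise ValueError("costs must be non-negative")


def importance(t: Threat) -> float:
    """Importance = Likelihood x (Direct cost x Secondary cost), as quoted in the post."""
    return t.likelihood * (t.direct_cost * t.secondary_cost)


def group_by_likelihood(threats):
    """Bucket threat names by likelihood rating so the 1..5 groups are visible."""
    groups = {level: [] for level in range(1, 6)}
    for t in threats:
        groups[t.likelihood].append(t.name)
    return groups


def prioritize(threats):
    """Return (name, importance) pairs, highest importance first; ties by name."""
    scored = ((t.name, importance(t)) for t in threats)
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample register (hypothetical threats and figures, not real data).
SAMPLE_THREATS = [
    Threat("Unauthorized physical access (tailgating)", 4, 10.0, 50.0),
    Threat("Theft of backup media left unattended", 3, 5.0, 80.0),
    Threat("Vandalism of network equipment", 2, 40.0, 20.0),
    Threat("Water damage in server room", 1, 100.0, 30.0),
    Threat("Misuse of resources by authorized staff", 5, 2.0, 10.0),
]

if __name__ == "__main__":
    for level, names in group_by_likelihood(SAMPLE_THREATS).items():
        print(f"likelihood {level}: {names}")
    for name, score in prioritize(SAMPLE_THREATS):
        print(f"{score:8.1f}  {name}")
```

Note how the multiplicative formula behaves on this constructed register: the low-likelihood water damage ranks first because its combined cost dominates, while the most likely threat (misuse) ranks last on cost. Grouping by likelihood alongside the ranking keeps both views in front of the team rather than letting one number hide the other.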
Yangyuan Lin says
Shubham
I agree with you. Human operations are more likely to cause loopholes, such as trailing, vandalism, theft, etc. Human control is very important, but physical security vulnerabilities caused by natural factors are still a subject of concern. For example, the community environment of the company’s address determines whether the company should install more rigid fences around it.
Oluwaseun Soyomokun says
The security team of the company identified business security management as an area susceptible to security challenges, vulnerabilities and threats, spanning the control of its user provisioning, policy management, auditing, security reporting, log management and system monitoring areas. By supporting the company’s overall enterprise system security process with the PHYBITS Framework, the integrated control of the security management process is a consolidated approach, where it gives the physical Security Management controls (card issuance and revocation, access device monitoring, access violation handling, journal management, emergency access process) alongside the IT Security Management controls, which support the protection of firewalls and VPNs, antivirus & vulnerability management, intrusion detection and prevention, user access management, and backup and recovery. PHYBITS control normalizes the vulnerability and threat areas of the system.
Shubham Patil says
Oluwaseun,
I think the company should focus on the existence of a vulnerability, which is a major contributing factor when calculating the probability of risk. If an asset has a vulnerability that can be exploited by a threat, then the risk to that asset is much higher compared to an asset that does not have the same vulnerability.
Yangyuan Lin says
I think companies should focus on access control, monitoring, and security testing.
Access control should start from the security boundary. The fence outside the building should also be equipped with video surveillance and access control systems (including parking lots and other external buildings). The access control system can use advanced locks, access control cards, biometric authentication, and authorization.
The monitoring system includes motion detection, thermal sensor alarms, smoke alarms, etc. These sensors should be directly connected to the alarm system to allow the sensors to trigger the alarm without any human intervention. At the same time, a camera should be used to display the situation in real time. The monitoring system should allow cloud control or wireless access, and managers can obtain real-time reports and use mobile devices to monitor.
Safety testing is also important. Even with more equipment and security consultants, if there is no practice of testing security and the ability to respond to hazards, then companies still cannot compensate for these security vulnerabilities. Companies should use simulation exercises to test whether the security system still has loopholes.