What physical security risks are created by an organization’s implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
A big advantage of implementing PHYSBITS is the opportunity to automate the user provisioning process from an IT and physical security perspective. While it does provide more accurate and consistent access provisioning from a controls perspective, it also creates new risks to the environment and the organization. In most cases, and from the ones I’ve seen in my experience, there is no crossover between IT and physical security. Typically, users will swipe an access card or enter a PIN code in order to access the building. From there, the user will walk to their workstation and type in their credentials at their computer in order to perform their daily job duties. In the current situation, a bad actor could technically gain unauthorized physical access by obtaining or stealing an existing employee’s key card. However, the same bad actor would also require access to a computer as well as credentials for an active user account in order to access IT resources within the premises. The PHYSBITS implementation suggests that organizations should use a consistent authentication mechanism for accessing physical and IT resources. Once PHYSBITS is implemented and physical and IT security access is combined, organizations need to understand that if one of these is compromised then so is the other. In my initial example, physical access was compromised but IT security was not. With PHYSBITS, this second safeguard is no longer effective since physical and IT security are tied together via one uniform authentication mechanism. To mitigate this risk, I think some kind of secondary level of verification, similar to MFA, should be implemented as users are trying to access IT resources after they have physically been granted access.
Convergence is a double-edged sword. I agree that MFA is a good option to help mitigate the risk. I also think anomaly detection and regular auditing will also help to address this.
MFA is a great mitigation option that can be used, as it would be very simple to implement in a security system where a 6-digit PIN can be delivered to your phone every 30 seconds, like an RSA token would be used for remote users accessing a company’s intranet network via VPN.
I agree that MFA is a good option as pointed out by Bryan. One thing to consider is that having an MFA option that sends to your phone adds another variable to your threat considerations. It could open the company up to a whole new vector of attack such as SIM swapping and smishing.
I really like your suggestion about a secondary level of verification for accessing different things. I know that some computers issued by the government require a specific key card to access and possibly require biometrics as well. I also like how you pointed out that if an individual were able to steal the physical key card, they would have access to everything (the office, computers, etc.).
Hello Andrew, very well said. To further concur with Bryan’s position, I would like to state that regardless of the technical controls in existence, two inherent risks come to mind when using technical controls to ensure physical security, namely access compromise and card loss or breach.
PHYSBITS utilizes smart cards for access and identity management. While this provides a uniform approach to onboarding individuals and granting access to an organization’s resources, it can also introduce new risks. Smart cards can expand an organization’s attack surface area. For example, smart cards that utilize RFID technology can be exploited by motivated attackers via replay attacks and tag cloning. To prevent such attacks, physical security would need to work in tandem with information security to ensure that each tag has a private key and strong cryptography with the identity management server (Burmester and de Medeiros, 2021).
Additionally, lost or stolen smart cards can present a privacy concern for the organization. A proper policy must be in place to outline the proper protocols for reporting the lost card and immediate access disabling to prevent unauthorized use.
Burmester, M. and de Medeiros, B., 2021. RFID Security: Attacks, Countermeasures and Challenges. [online] Cs.fsu.edu. Available at: [Accessed 3 October 2021].
Thanks for sharing, Kelly. A policy certainly needs to be established to inform users on how to report a lost or stolen card. Furthermore, the policy, or perhaps the location of the policy, needs to be communicated to employees within the organization to ensure they are aware of its existence. Due to the critical nature of these smart cards, I believe it might make sense to include and touch on the policy, or its location, in some kind of organizational training and awareness program, which we discussed in detail in unit 5.
Hello Kelly,
Well said. The PHYSBITS approach is based on the infusion of technical controls to achieve physical security. Due to its high reliance on access cards/card swipes for physical access, two inherent risks immediately come to mind, namely card theft and destruction as the most prominent. Any other risk, I believe, would only be technical or administrative.
PHYSBIT solutions provide organizations with value as well as risk by converging physical and IT security. The value stems from consolidation and provides a holistic view of security, reduction of overhead costs, and streamlined processes. The risks also stem from consolidation and include human-centered, technical, and environmental risks. Converged systems may have more risk for the cascading effects of vulnerabilities than independent systems.
Human error presents a risk when implementing a PHYSBIT solution. Combining physical and IT access through a central system can amplify mistakes during the account provisioning process. For example, a typo in an employee requisition form could result in a user being over-permissioned with access to sensitive IT areas. This can be mitigated through audits at the time of account creation and at regular intervals during the year.
Power loss is a technical risk with a PHYSBIT solution. This can be mitigated by using uninterruptible power supplies (UPS) and other back-up power solutions, e.g. generators. Redundancy planning is an important consideration when planning mitigation strategies for physical risk. This is even more important when physical and IT security systems are converged via a PHYSBIT solution.
Humidity, temperature, and other environmental factors are also risks to consider. Technology requires specific environmental conditions to function. Excessive heat or humidity could cause components of the PHYSBIT ecosystem, e.g. security camera servers, to stop working. Environmental monitoring will help to mitigate this risk and allow for security teams to address issues as they happen.
Great point about audits at the time of account creation. I believe that could eliminate problems down the road when it comes to users being given improper access.
Matthew,
Not a lot of people would think temperature would be an additional risk to think about. For example, when I perform a walkthrough of a business’s data center, I have to make sure the temperature is room temperature. In case of an emergency, some organizations spend money on water-sensor floors in their data center.
Hello Matthew,
I agree with you in regard to your analysis of the PHYSBIT solution, but when approaching a physical security plan, either for an existing area or a new build, it’s essential to have an understanding of common physical security threats and vulnerabilities, and how the different types of physical security threats should be approached. Different types of physical security threats can be addressed within every stage of the design, implementation and maintenance of the area, and that would certainly help the company achieve its objective.
I agree with you on power loss as a technical risk, which could be mitigated through the use of generators to sustain the flow of electricity throughout, but you must understand that, in the same way, under certain conditions a network component shutting down can cause current fluctuations in neighboring segments of the network, leading to a cascading failure of a larger section of the network, which may affect the organization’s ability to use a generator as back-up.
PHYSBITS provides an approach to integrating IT security into physical security. According to the article, “It focuses on the protection of assets, personnel and structures against potential assessed risks.” Physical security is very important in creating an organization, as it prevents unauthorized people from sneaking into restricted areas of a building and breaking into a secure data center. Examples of physical security risks and solutions would be:
Theft of documents or data. Many organizations spend money on buying the most sophisticated software or implementing new IT controls by installing antivirus, firewalls or encryption on their servers. They sometimes forget or neglect physical security, which gives unauthorized people access to navigate through the server and steal important data. To prevent this risk, robust physical security controls must be implemented. An IT background check should be implemented for new hires, as sometimes malicious threats come internally. Giving the right access to certain people and implementing multi-factor authentication will also prevent this risk.
Another example is having paper or sensitive information lying near your workstation at the office or near the printers, including personal passwords or other private information, falling into the hands of someone who is not supposed to see it. To prevent this risk, an organization must create a security education and training awareness program understandable to all users within the company. The program will include policies educating employees to clear their desktop area and put away all sensitive documents at the end of their shift. It will also include the implementation of access control to prevent unaccounted visitors from entering the workplace.
Another example is holding the door for unauthorized people behind you when entering your work building. This is called tailgating. To reduce this risk, an organization must provide physical security training to employees. This training will teach or guide employees not to leave the door open for people they do not recognize. It will also encourage employees to report any tailgating scenes they witness to security personnel.
I like how you point out that organizations can spend a ton of money on software and security trainings, but potentially neglect physical security, which is arguably the easiest for an attacker to exploit. Physical security is just as important as other security controls that an organization has in place, and should be treated as such.
Well said, Ornella and Andrew.
In support of your position, I also believe that physical security is most important because every breach recently known to man starts from a compromise or the lack of physical controls. If physical security is adequately implemented, technical controls are more effective in mitigating both adversarial and erroneous occurrences. While most organizations allocate most of their budgets to software and technological controls, organizations should prioritize physical security.
When implementing a PHYSBITS solution, some potential physical security risks are technical and human-caused threats. Technical threats such as power outages or interference could lead to the PHYSBITS solution not working properly, and human-caused threats such as misuse and theft may occur as well. To mitigate these risks, I would recommend following proper procedure to protect against electrical outages and electromagnetic interference (having backups, etc.) for technical threats. To help mitigate against the human-caused threats, I would recommend security awareness training for the staff that will be working with the PHYSBITS solution to prevent misuse, and reporting any suspicious activity to protect against theft.
I agree with your assessment that a power outage is a reasonable risk to a PHYSBITS program. For example, if all access locks to a building are electronic, say via a smart card reader, a power outage could impact the quality of this control. Even if the electronic locking system had a fail-over switch to remain locked due to a power outage, this could present safety concerns during an emergency for individuals inside the building. Like the OSI model for information security, it is always good to inspect the hardware and power supplies for causes of service interruption. Thanks for sharing your thoughts.
Andrew,
A power outage is a good risk. While we are thinking of ways that include electricity, what can be used instead? Some businesses use a manual number pad to enter their own password in case a power outage would ever occur.
When an organization implements a PHYSBITS solution, some physical risks are created that are difficult to protect against with security devices and equipment, but by using mitigation methods we can protect against them in a better way. Intentionally and unintentionally, human-caused mistakes generate risk and make the organization vulnerable to various attacks; many times, authorized employees allow an unauthorized person into the secure environment unknowingly. For example, in a server room only two or three specific employees have access or authentication, but after passing the authorized door an employee forgets to lock it properly, and at that time a third person takes advantage of the opportunity to access the secure area with the help of the authorized employee’s privilege. This has become one of the common risks for various organizations.
To mitigate this threat, organizations go for the man-trap door mechanism, which requires closing one door before opening another, and implement several security measures such as biometric security or proximity sensors with an automated email service and a CCTV live footage facility at the time of an attack.
Using a current employee’s badge to access a secure zone with proper privilege is a common threat for bypassing the secure authentication mechanism: with the help of a current employee’s badge, or by creating a duplicate copy of a secure badge using various smart ways to gather an authorized access badge, anyone using the badge can very easily access the server room, datacenter, electricity room or other areas as per the badge’s authorization.
To mitigate this type of threat, immediately apply a multifactor authentication method, where a swipe card plus a PIN number is recommended, as well as periodically updating the badge.
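One defensive benefit of a converged PHYSBITS deployment is that badge events and workstation logons land in the same place, so the tailgating and borrowed-badge scenarios described in this post (and the anomaly detection mentioned earlier in the thread) can be checked mechanically. The script below is an added illustration, not code from the PHYSBITS specification, the Open Security Exchange, or any vendor product; the event format, the user and door names, the 8-hour window and the "reported lost" list are all constructed assumptions. It flags two things: a workstation logon by a user who has no recent badge-in at any door (someone entered without swiping, or the account is being used by someone else), and any door use of a badge that has already been reported lost.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "badge" (door reader) or "logon" (workstation)
    user: str
    where: str   # door name or workstation name

# Constructed sample feed: converged physical + IT event stream, one event per line.
# Format (assumed): "<ISO timestamp> <badge|logon> <user> <door-or-workstation>"
RAW_EVENTS = [
    "2021-10-04T08:01:00 badge alice door-main",
    "2021-10-04T08:05:00 logon alice ws-alice",   # normal: badge-in, then logon
    "2021-10-04T08:10:00 logon bob ws-bob",       # no badge-in at all: tailgating or shared account
    "2021-10-04T09:30:00 badge carol door-server",  # carol's card was reported lost
    "2021-10-04T12:00:00 badge dave door-main",
    "2021-10-04T21:30:00 logon dave ws-dave",     # badge-in is 9.5h old: outside the window
]

# Constructed: badges whose owners have reported them lost or stolen.
REPORTED_LOST = {"carol"}

# Assumed policy: a logon must be preceded by a badge-in within this window.
MAX_GAP = timedelta(hours=8)

def parse_event(line: str) -> Event:
    ts, kind, user, where = line.split()
    return Event(datetime.fromisoformat(ts), kind, user, where)

def find_anomalies(lines, lost, max_gap):
    """Return (rule, user, location) tuples for events that break the assumed policy."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    last_badge = {}   # user -> timestamp of most recent door swipe
    alerts = []
    for e in events:
        if e.kind == "badge":
            if e.user in lost:
                # A card the owner no longer holds is opening doors.
                alerts.append(("lost-badge-used", e.user, e.where))
            last_badge[e.user] = e.ts
        elif e.kind == "logon":
            swiped = last_badge.get(e.user)
            if swiped is None or e.ts - swiped > max_gap:
                # Logged on inside the building with no qualifying badge-in.
                alerts.append(("logon-without-badge", e.user, e.where))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(RAW_EVENTS, REPORTED_LOST, MAX_GAP):
        print(alert)
```

The correlation only works because the two systems share an identity, which is the same property that makes a lost converged card dangerous; the point of the example is that the same convergence can be turned into a detection rather than only a liability.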
I agree that multifactor authentication could help mitigate threats and also bolster an organization’s level of security. Either a PIN on the employee’s personal device or some form of biometrics would go a long way towards having a safer and more trustable PHYSBITS solution.
There are several problems that arise from the implementation of a PHYSBITS solution. There are also a lot of advantages a PHYSBIT solution could provide to physical security if they are converged properly as well. Sadly, I have not seen this case in many of the organizations I have worked for that use some kind of biometric card and automated access. For starters, it relies a lot on the end user following their due diligence and protecting the factors that lead into authentication, such as Computer Access Cards (CACs) or different credentials, which often leads to lost or stolen personal information or cards. Another problem that occurs as well is that PHYSBITS does have an impact on the operational environment, since Security has to implement proper Access Control for user rights assignments and add active auditing measures, for example when users are added to new projects or new hires are introduced to the company’s onboarding processes. Often when PHYSBITS is implemented it requires a lot of documentation and paperwork to manage when transferring people to new projects. This can create an overhead nightmare for management if it becomes mismanaged – and depending on the size of the organization it often does. Often this means that some users end up with physical access to facilities that they previously left or are no longer working on. And essentially, they would bypass physical security completely as they would appear authorized in their record.
There are more problems PHYSBITS introduces, but I will highlight the mitigations for the above discussion. For starters, providing security awareness training AS WELL as weekly reminders that your access card should be on you at all times, even when simply leaving your desk for five minutes. I can’t stress enough how much this reduces the likelihood of someone losing their badge. There should also be easy-to-contact resources in the event end users do forget their access badge so that privileges can be revoked from the card immediately. End users should be informed that not only is it their responsibility to ensure that the card doesn’t go missing – but in the event that it does, it is their responsibility to report it as well, as the consequences could be substantial to the organization. Secondly, although the goal is to have physical security integrated with PHYSBITS, access to the system should be verified with the Information System Owner at a defined frequency to ensure physical access to the system is only authorized to appropriate personnel. This should be reviewed even if there is not any personnel turnover or activity between projects, and more often than not this is usually established in the Access Control Policy.
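The periodic access verification this post recommends (and the provisioning audits suggested earlier in the thread) amounts to reconciling what the converged system currently grants against what the roster says each person should have. The script below is an added example of such a recertification pass; it is not part of the PHYSBITS data model and not any organization's real process. The roster, the project-to-entitlement table, the facility and group names, and the current-access snapshot are all constructed. Because the system is converged, one pass covers both door access (facilities) and IT access (groups), and it catches the exact failure the post describes: a user who moved off a project but still opens the doors of the facility they left.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    user: str
    status: str            # "active" or "terminated" (assumed HR statuses)
    projects: frozenset    # current project assignments from HR

# Constructed: which doors and IT groups each project justifies.
PROJECT_ENTITLEMENTS = {
    "payroll": {"facilities": {"hq-floor-3"}, "groups": {"payroll-db-ro"}},
    "netops":  {"facilities": {"hq-floor-3", "datacenter-a"}, "groups": {"netadmins"}},
}

# Constructed HR roster (the authoritative source for the review).
ROSTER = [
    Employee("alice", "active", frozenset({"payroll"})),
    Employee("bob",   "active", frozenset({"netops"})),
    Employee("carol", "terminated", frozenset()),          # left, card never disabled
    Employee("dave",  "active", frozenset({"payroll"})),   # moved off netops last quarter
    Employee("eve",   "active", frozenset({"netops"})),    # new hire, partially provisioned
]

# Constructed snapshot of what the converged access system grants today.
CURRENT_ACCESS = {
    "alice":   {"facilities": {"hq-floor-3"}, "groups": {"payroll-db-ro"}},
    "bob":     {"facilities": {"hq-floor-3", "datacenter-a"}, "groups": {"netadmins"}},
    "carol":   {"facilities": {"hq-floor-3"}, "groups": {"payroll-db-ro"}},
    "dave":    {"facilities": {"hq-floor-3", "datacenter-a"}, "groups": {"payroll-db-ro", "netadmins"}},
    "eve":     {"facilities": {"hq-floor-3"}, "groups": set()},
    "mallory": {"facilities": {"datacenter-a"}, "groups": set()},   # no roster entry at all
}

def expected_access(emp, entitlements):
    """Derive the access an employee should have from status and projects alone."""
    facilities, groups = set(), set()
    if emp.status == "active":
        for project in emp.projects:
            facilities |= entitlements[project]["facilities"]
            groups |= entitlements[project]["groups"]
    return {"facilities": facilities, "groups": groups}

def recertify(roster, current, entitlements):
    """Return (user, action, kind, item) findings: 'revoke' for excess, 'grant' for missing."""
    findings = []
    for emp in roster:
        want = expected_access(emp, entitlements)
        have = current.get(emp.user, {"facilities": set(), "groups": set()})
        for kind in ("facilities", "groups"):
            for item in sorted(have[kind] - want[kind]):
                findings.append((emp.user, "revoke", kind, item))
            for item in sorted(want[kind] - have[kind]):
                findings.append((emp.user, "grant", kind, item))
    # Access records with no roster entry behind them are revoked outright.
    on_roster = {e.user for e in roster}
    for user in sorted(set(current) - on_roster):
        findings.append((user, "revoke", "all", "*"))
    return findings

if __name__ == "__main__":
    for finding in recertify(ROSTER, CURRENT_ACCESS, PROJECT_ENTITLEMENTS):
        print(finding)
```

Deriving expected access from the roster rather than from the previous review means a terminated employee or an orphaned record is caught even when nobody filed a change request, which is the case the post says paperwork-driven processes tend to miss.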
As with any topic in both physical security and IT security, human error is one of the most prominent contributors to loss. I like how your response mentioned this multiple times and in multiple different contexts/examples – like losing a badge, or mismanagement of documentation that outlines access privileges (both physical and technical) and how this can create a headache for an organization (as well as a security threat).
I agree that implementing a PHYSBIT solution can be both beneficial and detrimental in different ways, and that if it is done, it must be done carefully and with strict policy.
With PHYSBITS being implemented in an organization for physical security there can be many risks. It would be putting all your balls into one basket: if an organization gets hacked, not only information and business data can be shared, but possibly passcodes and user access lists can too. With any information as sensitive as breaking into a physical building, this brings more risks into the picture. A mitigation around this is to use both a passcode and a physical RFID card. Another example that can be used is what if the network goes down; so does the physical security of the organization as well. Mitigation for this would be an offsite server that can support the necessities for the organization’s operations and security. Overall it might facilitate the process between IT and physical security, but there will be more at risk if a system is breached.
Great examples. Either of those situations could occur and with enabling passcodes and RFID cards you could mitigate the situations, but at the end of the day, it may be easier from a risk perspective to separate IT and physical security.
Good examples, and yes, IT security and physical security must be implemented together. For example, if unauthorized people enter the building without being checked in and access any systems and steal the data, then it’s the company’s fault. To mitigate this risk, they must come up with a security education training awareness program to guide and educate the employees on the do’s and don’ts relating to their physical security plan.
PHYSBITS is an association between physical and IT security to support overall risk management needs and provides a data model for the combination of physical and IT security. An example of physical security risk is shoulder surfing, which is looking over someone’s shoulder to get information. One way to mitigate this is by having a computer privacy screen for your monitor so that it becomes very difficult for anybody to try and steal private information. Also, when you’re finished with your laptop, keep it with you or lock it up securely before you step away even for a brief period.
Using a privacy screen as well as locking your device are both easy, every day things that can go a long way as far as risk mitigation goes. Along with these steps that the user can take, the security team can also take part in mitigation by implementing security monitoring, security awareness training, and asking all employees to authenticate two-step verification passwords.
The physical security risks that are created when an organization implements a PHYSBITS solution, like most of the IT security risks overall, fall under the category of risk that arises due to human error. Because of this marriage of physical and IT security when implementing a PHYSBITS solution, the organization is opening itself to more potential attack vectors due to the additional control systems. For example, a company can implement the use of smart cards at their organizations for using the computers and network at the company and for access to buildings. An employee could potentially leave their smart card in a situation where it is stolen from them, or they lose it out in public. A bad actor can use this smart card to gain information about the employee and the company which can be a helpful tool for social engineering, or they can use the card for physical access to the building. To mitigate a risk such as this the company will need a clearly defined policy and procedure when it comes to how the smart cards should be used and for reporting for when they have been lost or stolen. That way the physical access for the card can be shut down and a new one can be issued in a timely manner.
When an organization implements a PHYSBITS solution, some of the physical security risks created consist of errors due to human fault or choice as well as technical risks. Human errors can consist of fraud, vandalism, theft of information, and wrongful use of private data. Technical risks that can be created through the implementation of PHYSBITS include power outages and old equipment running its course. In order to lessen these security risks, some mitigation steps we can take include security monitoring, increased security awareness training, two-step verification for passwords gaining access to secure data, and backup generators in the case of power outages.
Hello Michael,
Those are definitely good examples of human error as well as technical error. Those mitigation steps are great as well. The two-step verification is one of the best ones, as it requires two types of authentication for the user to log in. If the user’s password is compromised, then the attacker would still not be able to log in to the user’s account. Also, connecting the server or any devices to a backup battery would be helpful as well in the event that there is a power outage for a short time.
Physical Security Bridge to IT Security (PHYSBITS) by OSE is a vendor-neutral approach to collaboration between physical security and IT security that supports all enterprise risk management requirements.
While physical security focuses on potential threats to assets, systems, personnel, and structures, information security focuses on users’ access rights to services and applications. PHYSBITS, however, provides the link between these two security-related aspects of physical and information security.
While physical security focuses on assets, systems, personnel, and structures and their potential threats, network and information security focus on users’ access rights to resources, services, and applications to ensure continuous business activities.
PHYSBITS provides the link between these two security-related aspects of physical and information security and meets this focus through the PHYSBITS framework, based on realized cases that have been proven in practice.
PHYSBITS is implemented in real life using technical infrastructure to manage physical security. This is a smart card-based physical access system, i.e., swipe cards to control physical access to secure locations like data centers and server rooms, etc.
Even though the PHYSBITS approach encompasses several procedural consequences, card theft and compromise are the most potential physical risks inherent in the PHYSBITS system. Secondly, the human factor cannot be left out; whether malicious or erroneous, it will always result in one level of physical risk or the other.
However, smart cards are almost impossible to duplicate or forge when adequately designed and implemented, and data chips cannot be appropriately modified (e.g., passwords, biometric authentication, cryptographic access keys). Therefore, if system implementations have an effective security policy and incorporate the necessary security services provided by smart cards, organizations and ID holders can have a high degree of confidence in the integrity of the ID information and its secure, authorized use.
One potential physical security risk that is created by an organization’s implementation of a PHYSBITS solution is if non-IT security personnel have access to computers or server rooms. For example, if a physical security employee or contractor had access to the storage server room, even if it was only the head of physical security, this individual could exploit the system while working for a criminal group or foreign entity, or just for financial gain. This may sound far-fetched, but in the case of government and large international companies’ servers, it is still at least a slight risk. Due to this example, PHYSBITS almost directly collides with a zero-trust approach to information security, due to the likely access to IT resources for at least one or more physical security employees.
A mitigation that I would recommend to lessen this physical security risk is having one or two IT security employees accompany any physical security employees or contractor who needs to access IT rooms/resources for any reason. I would also have cameras in all server rooms and strict logging policy and tracking. I would not allow any physical security employee access to server rooms, especially because there is not an everyday need for them to be in there unaccompanied. I would also have a separation of physical security permissions and technical security permissions, such as having different badges or authentication methods for front doors and for computer logon.
While the PHYSBITS solution sounds helpful and could theoretically have good practical usage, it could also be viewed as rather dangerous from a physical security standpoint. Having one access card integrated with the access to IT systems could potentially result in a huge risk for the organization if it were to end up in the hands of an unauthorized user, for example. One solution, although it could add cost, could be a security guard stationed at card reader locations who can verify that the picture on the ID matches the person requesting access. Another issue that could arise is during the access rights and roles definitions; if anything is entered incorrectly or not updated in the cases where the employee either loses the card, leaves the organization, etc. – this could create one potential issue where the card may still have access rights when it should not. This could also present an issue if the credentials are stored on the card, where an intruder who gains access to the card could also access IT systems as an authorized user. One type of mitigation could be a form of redundant access controls that are required in combination with the card credentials.
Hi Antonio. I agree with you; this PHYSBIT recommendation can be a double-edged sword in securing an organization. I like your idea of having a security guard monitor access points; but human error is a commonality unfortunately. I suggested biometrics as a mitigation measure, but I think having that security guard in addition to biometrics (and the FOB card) might be the most promising solution.
Yeah, it is definitely best to have more mitigation measures if possible. Layering the biometrics with the security guard significantly reduces the risk of attack. The more layered a company can make its security posture, the more security increases, but maybe at the expense of convenience. It is something that each organization needs to consider and decide what is best for them.
As others and the article have said, there are benefits to combining physical security and IT security, such as costs related to onboarding and streamlining employee and building access. A smart card is a common example of PHYSBITS. I’ve personally seen organizations integrate smart cards for onboarding employees and enabling their building access, everything co-existing in one card. This process saves a lot of time and money and even streamlines the process for employees. However, if the card were to get lost or damaged, or a natural disaster event (a power outage due to a storm) occurred at the building, the employees would no longer have access to the building or their workstations. In the event the card was lost or stolen from an employee, the threat actor would have full access to the building as well as the employee’s work and any confidential information that particular individual had access to. To mitigate this you would essentially have to separate the physical from the technical. Keeping access to the building, or really any hardware (data centers, storage units), separate from the smart card would greatly reduce the risk. Role-based access controls could be applied to the smart card so employees could have access to all their necessary software without having to manually provide credentials each time. The company I am familiar with using the smart card approach only provided desktops to the employees so they could not take their work home with them, but with the pandemic, they decided to create a portal where individuals would enter their smart card code on their personal computers and have virtual access to their office workstations.
One of the PHYSBITS controls that I have noted was the Smart Card (Access Card) for entering the building or office. This is one of the controls that introduces risk within the organization. Access Cards are issued during the hiring process, and could also be used as an ID for the employees as well. It could introduce risk if the user has lost the card and doesn’t report it on time. This could allow an unauthorized person access to the facility.
The safeguards that could be implemented to mitigate this risk include having a security guard available at the door to verify that the card being used to access the facility belongs to the person using it. Companies could also use a PIN along with the access card as multi-factor authorization. Companies could also disable the use of the access card for entering after work hours.
Very good security measures you suggested Vraj. One, or the other, or all safeguards would do companies justice as proper protections, especially with multi-factor authentication.
I like the smart card example; it’s a common practice many of us are familiar with, but at times we fail to see the risk involved on the IT as well as the physical side. Whether that’s losing the card or denial of access to the building, combining IT and physical security practices comes with risk that may or may not outweigh the use cases.
The biggest concern I noted when reviewing the PHYSBITS data model was identity access management (IAM). Although it does make perfect sense to integrate network/information security with physical security, the concept of having a single badge granting access to both physical and virtual systems poses a severe risk to information security. If an employee’s access card for physical security is stolen, the thief can only do so much (as long as their company has proper security measures such as multi-factor authentication supporting the usage of badge access cards). This same concept applies to an employee’s PIV card, for instance, being stolen, since the hacker needs physical access to an employee’s device in order to breach the system. However, when these access tokens are combined on one card, the loss of said card poses a massive liability and gives hackers free rein as insiders.
Aside from the separation of badge and network access cards, another mitigation measure can be the implementation of biometrics. Say that a hacker does obtain a combined access card; if access to the organization’s data center and/or computers requires biometrics such as fingerprint scans, the stolen card is rendered useless.
Great point about biometrics. These would provide an additional factor of authentication when accessing restricted areas. They cannot be duplicated and are specific to the individual which makes them a compelling mitigation.
What physical security risks are created by an organization’s implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
Physical Security Bridge to IT Security (PHYSBITS) is a concept of enabling collaboration between physical and IT security to support overall enterprise risk management needs.
One physical risk example of this is in my building, where there is a physical guard at the door and every person who enters the building is required to either swipe or tap their ID card at the guard station to gain access. Recently the organization added an app that allows employees to tap their cell phones instead of their ID cards at the guard station to get building access. Now, yes, this does come in handy if someone forgets their physical ID card; however, it adds an extra physical security risk for building access by giving a threat an extra option to target. Now a person’s ID card or cell phone could be stolen to gain building access, and when someone is using a cell phone to tap in, the guard is not going to be looking for a physical ID for that person, because it will be assumed the person is using their cell phone because they forgot their physical ID. One way to mitigate this would be to still require the person gaining access to the building to show the picture on their phone, to be certain it is in fact the correct person. In terms of using ID cards to access workstations, it should be required that the user still needs a password, even though they have their ID card, to access the system.
I like your example! BYOD (Bring Your Own Device) opens such a can of worms that supplementary controls are required. You touch on a few – present a photo to ensure the phone was not stolen or cloned. All in order to add a level of convenience to the end user experience! This begs the question of how ‘easy’ should security be?
This is one of the better examples I’ve read, especially because it takes away the social aspects of security. At my current organization the guards always check for IDs. For cell phones, it can become much more difficult as these are not physical indicators. Oftentimes security just sees the badge and waves a thumbs up (which is technically easily exploitable). With this in mind, I would imagine a stricter policy would have to be in place for security to scrutinize the use of cell phone IDs and badges more often.
PHYSBITS provides a data model for the integration of physical and IT security. Converging these security environments fundamentally offers solutions to security gaps that fall between these two different security parameters and helps protect organizations against multifaceted security threats and vulnerabilities that have a propensity to derail the security gains in the organization. Because these two industries manage largely different categories of security, converging the two and addressing their various aspects of security will demand an increased industry effort to achieve that feat. While security can be gradually improved and advanced, a whole outlook of organizational security increasingly appears difficult to assess without a comprehensive data model as a working guideline and basis for a standard. This model is intended to be the foundation for a series of specifications that should be geared towards the individual parameters of security and define the interoperability standards that basically form a more complete security management system and process.
It is therefore intended that the arrangements of these standards be both flexible and extensible. In addition, its contents should be mapped to applicable industry standards and be specified to enable Web services and other implementations of the interfaces, as well as XML data formats.
The PHYSBITS implementation requires that organizations make use of a realistic authentication mechanism to determine access to physical and IT resources. Once PHYSBITS is implemented and physical and IT security access is combined, organizations need to understand that if one of these is breached, so is the other. If physical access was breached but IT security was not, then with PHYSBITS this second protection is no longer effective, since physical and IT security are grouped together through one realistic form of authentication system. To reduce this risk, I am of the notion that a secondary level of confirmation and authorization is absolutely essential; it is basically similar to MFA, and should be implemented as users try to gain access to IT resources after they have physically been allowed access to those facilities.
Authentication systems and management tools that are Open Security Exchange – PHYSBITS compliant will be able to integrate into an overall enterprise architecture for provisioning, monitoring, auditing and managing physical and IT security systems.
What physical security risks are created by an organization’s implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
It depends on the PHYSBITS implementation. The spec calls for a combination of something you have and something you know – that is a powerful combination and difficult to spoof. However, most implementations seem to be based on what you have or on what you know – but less frequently on the combination of the two. Most badge access systems for buildings are what you have (an access badge), but seldom require any kind of supplemental input (what you know, e.g. a PIN code or p-word). On the other hand, most system access systems require a password or PIN code (what you know) but seldom something you have. Multi-Factor Authentication is beginning to change that for system access. MFA requires you to know something and to have something (access to a registered SMS receiver or an authenticator program, etc.).
As a result the strongest solutions are to implement a full PHYSBITS solution – requiring both ‘something you have’ AND ‘something you know’.
What physical security risks are created by an organization’s implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
According to the article, “PHYSBITS is a vendor-neutral approach for enabling collaboration between physical and IT security to support overall enterprise risk management needs.”
There are several security risks that come with PHYSBITS. As the article mentions, one is key management. If an organization does not monitor this carefully and grants administrative access to appropriate admins, this can result in a terrible manner. It is extremely important for companies to review this.
Additionally, a person can “tailgate” an admin who has a key fob. For example, a person can follow an employee who is granted access into the data breach center. In my work experience, to reduce tailgating, there are security guards who check and monitor who goes in and out of restricted areas. They also keep a sign-in log on top of security.
Beyond tailgating, or management not monitoring who does or doesn’t have access, an employee who has access can lose their key card or have it stolen. While security guards would be a great idea to monitor who goes in and out, it would also cost an organization more money.
I agree with you that while tailgating or managers not monitoring who has access or does not have access are risks, employees who do have access may lose their key cards or have them stolen. There is also the potential for employees with access to create negligence leading to risk. To prevent this risk, strong physical security controls must be implemented. Perform IT background checks on new hires, as sometimes malicious threats can arise internally. Providing the correct access to those with privileges and implementing multiple authentication will also prevent and mitigate risk.
PHYSBITS is a convergence of both physical security and information security. Physical security focuses on assets, systems, personnel and structures. Information security typically focuses on the authorization of users and their access rights to resources, services and applications to ensure continuous business activities. Physical security and information security are closely related security aspects, and the PHYSBITS framework tries to bridge the gap between the two. Unfortunately, the implementation of a PHYSBITS solution contributes new risks that can and should be mitigated.
The Physical Security Bridge to IT Security, better known as PHYSBITS, was developed by the Open Security Exchange, and it is best defined as “a vendor-neutral approach to collaboration between physical security and IT security that supports all enterprise risk management requirements.” When looking at the PHYSBITS Framework, I really do not see any way that a PHYSBITS approach does not increase functionality in comparison to typical security. For example, look at the entrance to a data center. This data center may have cameras, security guards, require keycard access, etc. None of this matters if somebody with ill motives is able to obtain a key card. The security guard more than likely won’t question somebody if it appears that they have access, and any evidence caught by a video camera may be too late. Now, introduce PHYSBITS, and add another, second level of security to the mix. Instead of swiping a security card, the user may also have to enter a PIN that only they would know. Obviously, in order to implement combined physical and IT security there will be difficulties. For example, the framework states that a “lack of integration of building access and business processes for new hires, and de-provisioning terminated staff — potentially causing security exposures” and “costly, manual processes for new hires and contractors to get building access set up and changed when their access needs to be changed”. These are issues that may provide difficulties at first, but with proper training and control implementation they can be overcome. PHYSBITS is the way of the future in order to create a completely integrated corporate architecture.
Organizational implementation of PHYSBITS solutions can create physical security risks due to human uncontrollability. It has the advantage of automating the user provisioning process from both an IT and physical security perspective. However, because PHYSBITS utilizes smart cards for access and identity management, a centralized system that combines physical access with IT access can magnify errors in the account provisioning process, and it leads to errors. Lost or stolen smart cards can create privacy issues for the organization. In addition, technical risks exist simultaneously, and theft of files or data is often the result of powerful hackers and of inadequate monitoring and defense systems of one’s own. I believe that the probability of risk can be limited and controlled through multiple authentications and user permissions. Once PHYSBITS is implemented and physical and IT security access is combined, if one is compromised, so is the other. Measures for regular checks and increased monitoring can help mitigate this risk.
When an organization implements a PHYSBITS solution, some physical risks are created that are difficult to protect against with security devices and equipment, but by using mitigation methods we cover them in a better way. Intentionally and unintentionally, humans make mistakes, risk is generated, and the organization becomes vulnerable to various attacks. Many times it is found that authorized employees allow an unauthorized person into the secure environment unknowingly. For example, in a specific server room two or three employees have access or authentication, but after an authorized employee enters, they forget to lock the door properly, so that a third person takes advantage of the opportunity to gain admission to the secure area with the help of the licensed employee’s privilege. It has become one of the common risks for various organizations.
@Zijian, a comprehensive access control system is designed to: permit only authorized persons and vehicles to enter and exit; detect and prevent the entry of contraband material; detect and prevent the unauthorized removal of valuable assets; and provide information to security officers to facilitate assessment and response.
PHYSBITS is a way to approach enterprise risk management needs by integrating physical security and IT security while supporting a data model. It helps the organization to reduce administrative overhead through automation or to enhance security through a combined view of environments. Although PHYSBITS provides more effective reporting and investigation, it might create some additional risks. The risks that might occur include: new hires and terminated staff potentially causing security exposures, getting into the building for set-up, monitoring systems that do not provide situational awareness, and a lack of consistent standards for log management.
Solutions addressed in the article:
-Managing areas
-Perimeter intrusion
-Occupancy
-Access methods
-Internal external facility monitoring
To choose the right physical security measures and apply them appropriately, it is important to first conduct a risk assessment, such as described in the ASIS General Security Risk Assessment Guideline. The risk assessment, accompanied by an understanding of physical security measures provided by this guideline, makes it possible—either alone or with the help of security consultants or vendors—to select and implement appropriate physical security measures to reduce the assessed risks to a level acceptable by the organization. IT and network security focus on authorization for users to access IT services to which they are entitled and helps ensure business continuity. These resources can include roles on a network; permissions to a database; drive space allocations; email access; Internet/extranet and intranet access; and remote access privileges. An effective security policy addresses both physical and IT security. In almost every large enterprise, physical and IT security are present but are not often coordinated, or organizationally or operationally functional.
Bryan Garrahan says
A big advantage of implementing PHYSBITS is the opportunity to automate the user provisioning process from an IT and physical security perspective. While it does provide more accurate and consistent access provisioning from a controls perspective, it also creates new risks to the environment and the organization. In most cases and from the ones I’ve seen in my experience there is no crossover between IT and physical security security. Typically, users will swipe an access card or enter a pin code in order to access the building. From there, the user will walk to their workstation and type in their credentials at their computer in order to perform their daily job duties. In the current situation, a bad actor could technically gain unauthorized physical access by obtaining or stealing an existing employees key card. However, the same bad actor would also require access to a computer as well as credentials for an active user account in order to access to IT resources within the premises. The PHYSBITS implementation suggests that organizations should use a consistent authentication mechanism for accessing physical and IT resources. Once PHYSBITS is implemented and physical and IT security access is combined, organizations need to understand that if one of these are compromised then so is the other. In my initial example, physical access was compromised but IT security was not. With PHYSBITS, this second safeguard is no longer effective since physical and IT security are tied together via one uniform authentication mechanism. To mitigate this risk, I think some kind secondary level of verification, similar to MFA, should be implemented as users are trying to access IT resources after they have physically been granted access.
Matthew Bryan says
Convergence is a double edged sword. I agree that MFA is a good option to help mitigate the risk. I also think anomaly detection and regular auditing will also help to address this.
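As an added illustration of the anomaly detection and auditing Matthew mentions (example code written for this page, not from the PHYSBITS specification, the article, or any vendor product), the block below correlates constructed badge-reader events with workstation logins. It flags the converged-risk cases discussed in this thread: an IT login with no preceding physical badge-in, a second login on a different host within a few minutes, and any use of a card after its owner reported it lost. The event format, the 12-hour badge window and the 5-minute host-hop window are assumptions chosen for the example.

```python
"""Correlate physical badge events with IT logins and flag anomalies.

Hypothetical detection logic for a converged physical/IT log. The events
and the lost-card report below are constructed sample data, not real logs.
"""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, user, detail)
# source is "badge" (reader at a door) or "login" (workstation logon).
SAMPLE_EVENTS = [
    ("2021-10-04 08:02:11", "badge", "alice", "lobby-door"),
    ("2021-10-04 08:15:40", "login", "alice", "WS-ALICE"),
    ("2021-10-04 08:30:05", "login", "bob",   "WS-BOB"),      # bob never badged in
    ("2021-10-04 09:10:00", "badge", "carol", "lobby-door"),
    ("2021-10-04 09:12:30", "login", "carol", "WS-CAROL"),
    ("2021-10-04 09:13:00", "login", "carol", "WS-ALICE"),    # second host within a minute
    ("2021-10-04 12:00:00", "badge", "alice", "lobby-door"),  # after alice reported card lost
]
# Constructed: time at which each user reported their card lost/stolen.
REPORTED_LOST = {"alice": datetime(2021, 10, 4, 11, 0, 0)}


def parse(events):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, user, detail)
            for ts, src, user, detail in events]


def detect_anomalies(events, reported_lost,
                     badge_window=timedelta(hours=12),
                     hop_window=timedelta(minutes=5)):
    """Return a list of (user, reason) findings, in event order.

    Rules (all assumptions for this example):
      1. a login with no badge-in by that user within badge_window before it;
      2. a login on a different host within hop_window of the previous login;
      3. any badge use at or after the time the card was reported lost.
    """
    findings = []
    last_badge = {}   # user -> time of most recent badge-in
    last_login = {}   # user -> (time, host) of most recent login
    for ts, src, user, detail in sorted(parse(events)):
        if src == "badge":
            lost_at = reported_lost.get(user)
            if lost_at is not None and ts >= lost_at:
                findings.append((user, f"badge at {detail} used at {ts} "
                                       f"after card reported lost at {lost_at}"))
            last_badge[user] = ts
        elif src == "login":
            badge_ts = last_badge.get(user)
            if badge_ts is None or ts - badge_ts > badge_window:
                findings.append((user, f"login to {detail} at {ts} with "
                                       f"no badge-in in the previous {badge_window}"))
            prev = last_login.get(user)
            if prev is not None and prev[1] != detail and ts - prev[0] <= hop_window:
                findings.append((user, f"login to {detail} at {ts} within "
                                       f"{hop_window} of login to {prev[1]}"))
            last_login[user] = (ts, detail)
    return findings


if __name__ == "__main__":
    for user, reason in detect_anomalies(SAMPLE_EVENTS, REPORTED_LOST):
        print(f"{user:6} {reason}")
```

Run against the sample data this reports bob (login without physical entry), carol (two hosts within one minute) and alice (card used after being reported lost); the first two are the audit signals that remain useful once a single credential opens both the door and the workstation, and the third is the check a lost-card policy should feed.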
kofi bonsu says
I agree with you on your power loss as a technical risk, which could be mitigated through the use of generators to sustain the flow of electricity throughout, but you must understand in the same way that under certain conditions, a network component shutting down can cause current fluctuations in neighboring segments of the network, leading to a cascading failure of a larger section of the network, which may affect the organization’s ability to use a generator as back-up.
Wilmer Monsalve says
MFA is a great mitigation option that can be used, as it would be very simple to implement in a security system where a 6-digit PIN can be delivered to your phone every 30 seconds, like an RSA token would be used for remote users accessing a company’s intranet network via VPN.
Ryan Trapp says
Hi Wilmer,
I agree that MFA is a good option as pointed out by Bryan. One thing to consider is that having an MFA option that sends to your phone adds another variable to your threat considerations. It could open the company up to a whole new vector of attack such as SIM swapping and smishing.
Andrew Nguyen says
Hey Bryan,
I really like your suggestion about a secondary level of verification for accessing different things. I know that some computers issued by the government require a specific key card to access and possibly require biometrics as well. I also like how you pointed out that if an individual were able to steal the physical key card, they would have access to everything (the office, computers, etc.).
Thanks for sharing your thoughts!
Best,
Andrew
Olayinka Lucas says
Hello Andrew, very well said. To further concur with Bryan’s position, I would like to state that regardless of the technical controls in existence, two inherent risks come to mind when using technical controls to ensure physical security, namely access compromise and card loss or breach.
Kelly Sharadin says
PHYSBITS utilizes smart cards for access and identity management. While this provides a uniform approach to onboarding individuals and granting access to an organization’s resources, it can also introduce new risks. Smart cards can expand an organization’s attack surface area. For example, smart cards that utilize RFID technology can be exploited by motivated attackers via replay attacks and tag cloning. To prevent such attacks, physical security would need to work in tandem with information security to ensure that each tag has a private key and strong cryptography with the identity management server (Burmester and de Medeiros, 2021).
Additionally, lost or stolen smart cards can present a privacy concern for the organization. A proper policy must be in place to outline the proper protocols for reporting the lost card and immediate access disabling to prevent unauthorized use.
Burmester, M. and de Medeiros, B., 2021. RFID Security: Attacks, Countermeasures and Challenges. [online] Cs.fsu.edu. Available at: [Accessed 3 October 2021].
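To show the per-tag key and challenge-response design Kelly describes as the countermeasure to replay and cloning, here is an added example written for this page (it is not code from the cited paper, the PHYSBITS specification, or any badge vendor). It assumes each badge stores a secret key shared only with the identity management server, that the reader relays a fresh server nonce to the badge, and that the badge answers with an HMAC over its ID and that nonce; a captured response cannot be replayed because the nonce is single-use, and a cloned badge ID without the key cannot compute a valid response.

```python
"""Replay-resistant challenge-response for an RFID badge (added example).

Assumed design: the identity server holds one secret key per tag, issued at
provisioning; the tag proves possession of that key by answering a random
nonce with HMAC-SHA256(key, tag_id || nonce). Nonces are single-use.
"""
import hashlib
import hmac
import secrets


class IdentityServer:
    def __init__(self, tag_keys):
        self.tag_keys = dict(tag_keys)   # tag_id -> per-tag secret key
        self.outstanding = {}            # tag_id -> nonce awaiting a response
        self.used_nonces = set()         # nonces already accepted (anti-replay)

    def challenge(self, tag_id):
        """Issue a fresh random nonce for this tag to sign."""
        nonce = secrets.token_bytes(16)
        self.outstanding[tag_id] = nonce
        return nonce

    def verify(self, tag_id, nonce, response):
        """Accept only a correct MAC over a nonce we issued and never accepted before."""
        key = self.tag_keys.get(tag_id)
        if key is None or nonce in self.used_nonces:
            return False
        if self.outstanding.get(tag_id) != nonce:
            return False
        expected = hmac.new(key, tag_id.encode() + nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)   # constant-time comparison
        if ok:
            self.used_nonces.add(nonce)
            del self.outstanding[tag_id]
        return ok


class Tag:
    """The badge side: knows its ID and its own secret key."""
    def __init__(self, tag_id, key):
        self.tag_id = tag_id
        self.key = key

    def respond(self, nonce):
        return hmac.new(self.key, self.tag_id.encode() + nonce, hashlib.sha256).digest()


def demo():
    """Return (genuine_ok, replay_ok, clone_ok) for one constructed scenario."""
    key = secrets.token_bytes(16)
    server = IdentityServer({"badge-0042": key})
    genuine = Tag("badge-0042", key)

    nonce = server.challenge("badge-0042")
    response = genuine.respond(nonce)
    genuine_ok = server.verify("badge-0042", nonce, response)

    # An eavesdropper who captured (nonce, response) presents it again.
    replay_ok = server.verify("badge-0042", nonce, response)

    # A tag that copied only the ID (no key) faces a new challenge.
    clone = Tag("badge-0042", secrets.token_bytes(16))
    nonce2 = server.challenge("badge-0042")
    clone_ok = server.verify("badge-0042", nonce2, clone.respond(nonce2))
    return genuine_ok, replay_ok, clone_ok


if __name__ == "__main__":
    print("genuine, replay, clone accepted:", demo())
```

The key is never transmitted, so passive capture of the radio exchange yields nothing reusable; the lost-card policy Kelly describes in her next paragraph maps onto simply deleting the tag's key from `tag_keys`, after which the server rejects every response from that badge.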
Bryan Garrahan says
Thanks for sharing Kelly. A policy certainly needs to be established to inform users on how to report a lost or stolen card. Furthermore, the policy, or perhaps the location of the policy, needs to be communicated to employees within the organization to ensure they are aware of its existence. Due to the critical nature of these smart cards, I believe it might make sense to include and touch on the policy, or its location, in some kind of organizational training and awareness program, which we discussed in detail in unit 5.
Olayinka Lucas says
Hello Kelly,
Well said. The PHYSBITS approach is based on the infusion of technical controls to achieve physical security. Due to its high reliance on access cards/card swipes for physical access, two inherent risks immediately come to mind, namely card theft and destruction, as the most prominent. Any other risk, I believe, would only be technical or administrative.
Matthew Bryan says
PHYSBIT solutions provide organizations with value as well as risk by converging physical and IT security. The value stems from consolidation and provides a holistic view of security, reduction of overhead costs, and streamlined processes. The risks also stem from consolidation and include human-centered, technical, and environmental risks. Converged systems may have more risk for the cascading effects of vulnerabilities than independent systems.
Human error presents a risk when implementing a PHYSBIT solution. Combining physical and IT access through a central system can amplify mistakes during the account provisioning process. For example, a typo in an employee requisition form could result in a user being over permissioned access to sensitive IT areas. This can be mitigated through audits at the time of account creation and at regular intervals during the year.
Power loss is a technical risk with a PHYSBIT solution. This can be mitigated by using uninterruptible power supplies (UPS) and other back-up power solutions, e.g. generators. Redundancy planning is an important consideration when planning mitigation strategies for physical risk. This is even more important when physical and IT security systems are converged via a PHYSBIT solution.
Humidity, temperature, and other environmental factors are also risks to consider. Technology requires specific environmental conditions to function. Excessive heat or humidity could cause components of the PHYSBIT ecosystem, e.g. security camera servers, to stop working. Environmental monitoring will help to mitigate this risk and allow for security teams to address issues as they happen.
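Matthew's over-permissioning example (a typo in a requisition form handing a user more than their role allows) and his suggested audit at account creation and at intervals can be made concrete with a small entitlement audit. This is an added example written for this page, not code from the PHYSBITS data model or any provisioning product; the role baselines, the account records, and the zone and group names are all constructed.

```python
"""Audit converged physical + IT entitlements against role baselines (added example).

Each account carries the building zones its badge opens and the IT groups its
login holds. The audit compares both against what the account's role should
have and reports excess, missing, unknown-role and terminated-but-active cases.
All data below is constructed for illustration.
"""

# Constructed role baselines: what each role is supposed to hold.
ROLE_BASELINE = {
    "analyst":    {"zones": {"lobby", "floor-3"},
                   "groups": {"staff", "analytics-ro"}},
    "dc-ops":     {"zones": {"lobby", "floor-3", "datacenter"},
                   "groups": {"staff", "dc-admins"}},
    "contractor": {"zones": {"lobby"},
                   "groups": {"contractors"}},
}

# Constructed account export from the converged provisioning system.
ACCOUNTS = [
    {"user": "alice", "role": "analyst", "status": "active",
     "zones": {"lobby", "floor-3"}, "groups": {"staff", "analytics-ro"}},
    # bob's requisition was mistyped and he received dc-ops entitlements.
    {"user": "bob", "role": "analyst", "status": "active",
     "zones": {"lobby", "floor-3", "datacenter"},
     "groups": {"staff", "analytics-ro", "dc-admins"}},
    # carol left but was never de-provisioned.
    {"user": "carol", "role": "contractor", "status": "terminated",
     "zones": {"lobby"}, "groups": {"contractors"}},
    # dave is under-provisioned (a helpdesk ticket, not a security exposure).
    {"user": "dave", "role": "dc-ops", "status": "active",
     "zones": {"lobby", "datacenter"}, "groups": {"staff", "dc-admins"}},
    {"user": "erin", "role": "intern", "status": "active",
     "zones": {"lobby"}, "groups": {"staff"}},
]


def audit_account(account, baseline):
    """Return a list of human-readable findings for one account (empty if clean)."""
    findings = []
    if account["status"] != "active":
        if account["zones"] or account["groups"]:
            findings.append(
                f"{account['status']} account still holds zones "
                f"{sorted(account['zones'])} and groups {sorted(account['groups'])}")
        return findings
    expected = baseline.get(account["role"])
    if expected is None:
        findings.append(f"unknown role {account['role']!r}; entitlements cannot be validated")
        return findings
    for kind in ("zones", "groups"):
        extra = account[kind] - expected[kind]
        missing = expected[kind] - account[kind]
        if extra:
            findings.append(f"excess {kind} beyond role {account['role']}: {sorted(extra)}")
        if missing:
            findings.append(f"missing {kind} for role {account['role']}: {sorted(missing)}")
    return findings


def audit(accounts, baseline):
    """Map user -> findings for every account that has at least one finding."""
    report = {}
    for account in accounts:
        findings = audit_account(account, baseline)
        if findings:
            report[account["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, ROLE_BASELINE).items():
        for finding in findings:
            print(f"{user:6} {finding}")
```

Running the same audit at account creation catches the mistyped requisition before the badge is handed over; running it on a schedule catches the terminated account that was never de-provisioned, which is exactly the exposure the PHYSBITS framework lists for staff off-boarding.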
Jason Burwell says
Hello Matthew,
Great point about audits at the time of account creation. I believe that could eliminate problems down the road when it comes to users being given improper access
Victoria Zak says
Matthew,
Not a lot of people would think temperature would be an additional risk to think about. For example, when I perform a walkthrough of a business’s data center, I have to make sure the temperature is room temperature. In case of an emergency, some organizations spend money on water-sensor floors in their data center.
kofi bonsu says
Hello Mathew,
I agree with you in regard to your analysis of the PHYSBIT solution, but when approaching a physical security plan, either for an existing area or a new build, it’s essential to have an understanding of common physical security threats and vulnerabilities, and of how the different types of physical security threats should be approached. Different types of physical security threats can be addressed within every stage of the design, implementation and maintenance of the area, and that would certainly help the company achieve its objective.
Ornella Rhyne says
PHYSBITS provides an approach to integrating IT security into physical security. According to the article, “It focuses on the protection of assets, personnel and structures against potential assessed risks.” Physical security is very important in creating an organization as it prevents unauthorized people from sneaking into restricted areas of a building and breaking into a secure data center. Examples of physical security risks and solutions would be:
Theft of documents or data. Many organizations spend money buying the most sophisticated software or implementing new IT controls by installing antivirus, firewalls or encryption on their servers. They sometimes forget or neglect physical security, which gives unauthorized people access to navigate through the server and steal important data. To prevent this risk, robust physical security controls must be implemented. An IT background check should be implemented for new hires, as sometimes malicious threats come internally. Giving the right access to certain people and implementing multi-factor authentication will also prevent this risk.
Another example is having paper or sensitive information lying near your workstation at the office or near the printers, including personal passwords or other private information, falling into the hands of someone who is not supposed to see it. To prevent this risk, an organization must create a security education and training awareness program understandable to all users within the company. The program will include policies educating employees to clear their desktop area and put away all sensitive documents at the end of their shift. It will also include the implementation of access control to keep unaccounted visitors from entering the workplace.
Another example is holding the door for unauthorized people behind you when entering your work building. This is called tailgating. To reduce this risk, an organization must provide physical security training to employees. This training will teach or guide employees not to leave the door open for people they do not recognize. It will also encourage employees to report any tailgating they witness to security personnel.
Andrew Nguyen says
Hey Ornella,
I like how you point out that organizations can spend a ton of money on software and security trainings, but potentially neglect physical security, which is arguably the easiest for an attacker to exploit. Physical security is just as important as other security controls that an organization has in place, and should be treated as such.
Thanks for sharing your thoughts!
Best,
Andrew
Olayinka Lucas says
Well Said, Ornella, and Andrew.
In support of your position, I also believe that physical security is most important because every breach recently known to man starts from a compromise or the lack of physical controls. If physical security is adequately implemented, technical controls are more effective in mitigating both adversarial and erroneous occurrences. While most organizations allocate most of their budgets to software and technological controls, organizations should prioritize physical security.
Andrew Nguyen says
When implementing a PHYSBITS solution, some potential physical security risks are technical and human-caused threats. Technical threats such as power outages or interference could lead to the PHYSBITS solution not working properly, and human-caused threats such as misuse and theft may occur as well. To mitigate these risks, I would recommend following proper procedure to protect against electrical outages and electromagnetic interference (having backups, etc.) for technical threats. To help mitigate the human-caused threats, I would recommend security awareness training for the staff that will be working with the PHYSBITS solution to prevent misuse, and reporting any suspicious activity to protect against theft.
Kelly Sharadin says
Hi Andrew,
I agree with your assessment that a power outage is a reasonable risk to a PHYSBITS program. For example, if all access locks to a building are electronic, say via a smart card reader, a power outage could impact the quality of this control. Even if the electronic locking system had a fail-over switch to remain locked due to a power outage, this could present safety concerns during an emergency for individuals inside the building. Like the OSI model for information security, it is always good to inspect the hardware and power supplies for causes of service interruption. Thanks for sharing your thoughts.
Kelly
Victoria Zak says
Andrew,
A power outage is a good risk. While we are thinking of ways that include electricity, what can be used instead? Some businesses use a manual number pad to enter their own password in case a power outage would ever occur.
Mohammed Syed says
When an organization implements a PHYSBITS solution, some physical risks are created that are difficult to protect against with security devices and equipment, but by using mitigation methods we protect against them in a better way. Intentionally and unintentionally, humans make mistakes, risk is generated, and the organization becomes vulnerable to various attacks; many times it is found that authorized employees allow an unauthorized person into the secure environment unknowingly. For example, in a specific server room two or three employees have access or authentication, but after an authorized employee enters, they forget to lock the door properly, and at that time a third person takes advantage of the opportunity to access the secure area with the help of the authorized employee’s privilege. It has become one of the common risks for various organizations.
To mitigate this threat, organizations go for a man-trap door mechanism, which requires one door to close before another opens, and implement several security measures such as biometric security or proximity sensors with an automated email service and CCTV live footage at the time of an attack.
Using a current employee’s badge to access a secure zone with proper privilege is a common threat for bypassing the security and authentication mechanism: with the help of a current employee’s badge, or by creating a duplicate copy of a secure badge using various smart ways to gather an authorized access badge, anyone using the badge can very easily access the server room, data center, electricity room or other areas as per the badge’s authentication.
To mitigate this type of threat, immediately apply a multi-factor authentication method, where a swipe card and PIN number are recommended, as well as periodically updating the badge.
Andrew Nguyen says
Hi Mohammed,
I agree that multifactor authentication could help mitigate threats and also bolster an organization’s level of security. Either a PIN on the employee’s personal device or some form of biometrics would go a long way towards having a safer and more trustworthy PHYSBITS solution.
Thanks for sharing your thoughts!
Best,
Andrew
Michael Duffy says
There are several problems that arise from the implementation of a PHYSBITS solution. There are also a lot of advantages a PHYSBITS solution could provide to physical security if they are converged properly as well. Sadly, I have not seen this case in many of the organizations I have worked for that use some kind of biometric card and automated access. For starters, it relies a lot on the end user to be following their due diligence and protecting the factors that lead into authentication, such as Computer Access Cards (CACs) or different credentials, which often leads to lost or stolen personal information or cards. Another problem that occurs as well is that PHYSBITS does have an impact on the operational environment, since Security has to implement proper Access Control to user rights assignments and add active auditing measures, for example when users are added to new projects or new hires are introduced to the onboarding processes of the company. Often when PHYSBITS is implemented it requires a lot of documentation and paperwork to manage when transferring people to new projects. This can create an overhead nightmare for management if it becomes mismanaged – and depending on the size of the organization it often does. Often this means that some users end up with physical access to facilities that they previously left or no longer are working on. And essentially, they would bypass physical security completely as they would appear authorized in their record.
There are more problems PHYSBITS introduces but I will highlight the mitigations for the above discussion. For starters, providing security awareness training AS WELL as weekly reminders that your access card should be on you at all times, even when simply leaving your desk for five minutes. I can't stress enough how much this reduces the likelihood of someone losing their badge. There should also be easy-to-contact resources in the event end users do forget their access badge so that privileges can be revoked from the card immediately. End users should be informed that not only is it their responsibility to ensure that the card doesn't go missing – but in the event that it does, it is their responsibility to report it as well, as the consequences could be substantial to the organization. Secondly, although the goal is to have physical security integrated with PHYSBITS, access to the system should be verified with the Information System Owner at a defined frequency to ensure physical access to the system is only authorized to appropriate personnel. This should be reviewed even if there is not any personnel turnover or activity between projects; and more often than not this is usually established in the Access Control Policy.
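One way to operationalize the periodic access review described in the post above, as an added example (this is not code from the discussion or from any PHYSBITS product): the HR roster, the lost-badge list and the badge/IT grant table are constructed sample data, and the review flags grants held by terminated staff, grants for projects the holder has left, and badges reported lost but still active, then groups the findings per Information System Owner for sign-off.

```python
"""Periodic access review for a converged badge + IT entitlement store.

Added example, not taken from the discussion or from the PHYSBITS
specification. Every record below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str              # "active" or "terminated"
    projects: frozenset      # projects the person currently works on


@dataclass(frozen=True)
class Grant:
    person_id: str
    resource: str            # a door ("DC-East-Door") or an IT resource ("prod-db")
    kind: str                # "physical" or "it"
    badge_id: str            # the single badge that carries both access types
    project: Optional[str]   # project the grant was issued for, if any


# --- constructed sample data (hypothetical people, badges and resources) ---
ROSTER = {
    "p001": Person("p001", "active", frozenset({"apollo"})),
    "p002": Person("p002", "active", frozenset({"apollo", "zeus"})),
    "p003": Person("p003", "terminated", frozenset()),
}

GRANTS = [
    Grant("p001", "DC-East-Door", "physical", "badge-1", "apollo"),
    Grant("p001", "prod-db", "it", "badge-1", "apollo"),
    Grant("p001", "Lab-B-Door", "physical", "badge-1", "zeus"),   # p001 left zeus
    Grant("p002", "DC-East-Door", "physical", "badge-2", "apollo"),
    Grant("p003", "DC-East-Door", "physical", "badge-3", None),   # holder terminated
    Grant("p003", "prod-db", "it", "badge-3", None),
    Grant("p002", "Lab-B-Door", "physical", "badge-2", "zeus"),
]

# Badges the holders reported lost or stolen but nobody has disabled yet.
LOST_BADGES = {"badge-2"}

# Information System Owner responsible for attesting each resource.
RESOURCE_OWNERS = {
    "DC-East-Door": "iso-datacenter",
    "prod-db": "iso-datacenter",
    "Lab-B-Door": "iso-lab",
}


def review_access(roster, grants, lost_badges):
    """Return one finding per grant that should no longer exist.

    Because one badge carries both physical and IT access, every grant on a
    bad badge is reported, so the owner sees the full scope of the exposure.
    """
    findings = []
    for g in grants:
        person = roster.get(g.person_id)
        if person is None or person.status != "active":
            findings.append({"reason": "holder-not-active", "grant": g})
            continue   # whole badge must go; no further checks needed
        if g.badge_id in lost_badges:
            findings.append({"reason": "lost-badge-still-active", "grant": g})
        if g.project is not None and g.project not in person.projects:
            findings.append({"reason": "stale-project-grant", "grant": g})
    return findings


def badges_to_revoke(findings):
    """Badges to disable outright (terminated holder or reported lost)."""
    return {f["grant"].badge_id for f in findings
            if f["reason"] in ("holder-not-active", "lost-badge-still-active")}


def attestation_queue(findings, owners):
    """Group findings by Information System Owner for the periodic sign-off."""
    queue = {}
    for f in findings:
        owner = owners.get(f["grant"].resource, "unassigned")
        queue.setdefault(owner, []).append(f)
    return queue


if __name__ == "__main__":
    found = review_access(ROSTER, GRANTS, LOST_BADGES)
    for f in found:
        g = f["grant"]
        print(f"{f['reason']:25} {g.person_id} {g.kind:8} {g.resource} (badge {g.badge_id})")
    print("revoke badges:", sorted(badges_to_revoke(found)))
    for owner, items in attestation_queue(found, RESOURCE_OWNERS).items():
        print(f"{owner}: {len(items)} finding(s) to attest")
```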
Michael Jordan says
Hi Michael,
As with any topic in both physical security and IT security, human error is one of the most prominent contributors to loss. I like how your response mentioned this multiple times and in multiple different contexts/examples – like losing a badge, or mismanagement of documentation that outlines access privileges (both physical and technical) and how this can create a headache for an organization (as well as a security threat).
I agree that implementing a PHYSBITS solution can be both beneficial and detrimental in different ways, and that if it is done, it must be done carefully and with strict policy.
-Mike
Wilmer Monsalve says
With PHYSBITS being implemented in an organization for physical security there can be many risks. It would be putting all your balls into one basket: if an organization gets hacked, not only information and business data can be shared, but possibly passcodes and user access lists can too. With information as sensitive as what is needed to break into a physical building, more risks come into the picture. A mitigation around this is to use both a passcode and a physical RFID card. Another example that can be used is: what if the network goes down? Then so does the physical security of the organization. Mitigation for this would be an offsite server that can support the necessities for the organization's operations and security. Overall it might facilitate the process between IT and physical security, but there will be more at risk if a system is breached.
Dhaval Patel says
Hi Wilmer,
Great examples. Either of those situations could occur and with enabling passcodes and RFID cards you could mitigate the situations, but at the end of the day, it may be easier from a risk perspective to separate IT and physical security.
Ornella Rhyne says
Hi Wilmer,
Good examples, and yes, IT security and Physical Security must be implemented together. For example, if unauthorized people enter the building without being checked in and access any systems and steal the data, then it's the company's fault. To mitigate this risk, they must come up with security education training awareness to guide and educate the employees on the do's and don'ts relating to their physical security plan.
Christopher Clayton says
PHYSBITS is an association between physical and IT security to support overall risk management needs and provides a data model for the combination of physical and IT security. An example of physical security risk is shoulder surfing, which is looking over someone’s shoulder to get information. One way to mitigate this is by having a computer privacy screen for your monitor so that it becomes very difficult for anybody to try and steal private information. Also, when you’re finished with your laptop, keep it with you or lock it up securely before you step away even for a brief period.
Michael Galdo says
Hello Christopher,
Using a privacy screen as well as locking your device are both easy, everyday things that can go a long way as far as risk mitigation goes. Along with these steps that the user can take, the security team can also take part in mitigation by implementing security monitoring, security awareness training, and asking all employees to use two-step verification for their passwords.
Ryan Trapp says
The physical security risks that are created when an organization implements a PHYSBITS solution, like most IT security risks overall, fall under the category of risk that arises due to human error. Because of this marriage of physical and IT security when implementing a PHYSBITS solution, the organization is opening itself to more potential attack vectors due to the additional control systems. For example, a company can implement the use of smart cards at their organization for using the computers and network at the company and for access to buildings. An employee could potentially leave their smart card in a situation where it is stolen from them, or they lose it out in public. A bad actor can use this smart card to gain information about the employee and the company, which can be a helpful tool for social engineering, or they can use the card for physical access to the building. To mitigate a risk such as this, the company will need a clearly defined policy and procedure when it comes to how the smart cards should be used and for reporting when they have been lost or stolen. That way the physical access for the card can be shut down and a new one can be issued in a timely manner.
Michael Galdo says
What physical security risks are created by an organization's implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
When an organization implements a PHYSBITS solution, some of the physical security risks created consist of errors due to human fault or choice as well as technical risks. Human errors can consist of fraud, vandalism, theft of information, and wrongful use of private data. Technical risks that can be created through the implementation of PHYSBITS include power outages and old equipment running its course. In order to lessen these security risks, some mitigation steps we can take include security monitoring, increased security awareness training, two-step verification for passwords gaining access to secure data, and backup generators in the case of power outages.
Vraj Patel says
Hello Michael,
Those are definitely good examples of human error as well as technical error. Those mitigation steps are great as well. The two-step verification is one of the best ones, as it requires the user to have multiple types of authentication to log in. If the user's password is compromised, then the attacker would still not be able to log in to the user's account. Also, connecting the server or any devices to a backup battery would be helpful as well in the event of a power outage for a short time.
Olayinka Lucas says
Physical Security Bridge to IT Security (PHYSBITS) by OSE is a vendor-neutral approach to collaboration between physical security and IT security that supports all enterprise risk management requirements.
While physical security focuses on potential threats to assets, systems, personnel, and structures, information security focuses on users’ access rights to services and applications. PHYSBITS, however, provides the link between these two security-related aspects of physical and information security.
While physical security focuses on assets, systems, personnel, and structures and their potential threats, network and information security focus on users’ access rights to resources, services, and applications to ensure continuous business activities.
PHYSBITS provides the link between these two security-related aspects of physical and information security and meets this focus through the PHYSBITS framework, based on realized cases that have been proven in practice.
PHYSBITS is implemented in real life using technical infrastructure to manage physical security. This is a smart card-based physical access system, i.e., swipe cards to control physical access to secure locations like data centers and server rooms, etc.
Even though the PHYSBITS approach encompasses several procedural consequences, card theft and compromise are the most potential physical risks inherent in the PHYSBITS system. Secondly, the human factor cannot be left out; whether malicious or erroneous, it will always result in one level of physical risk or the other.
However, smart cards are almost impossible to duplicate or forge when adequately designed and implemented, and data chips cannot be appropriately modified (e.g., passwords, biometric authentication cryptographic access keys). Therefore, if system implementations have an effective security policy and incorporate the necessary security services provided by smart cards, organizations and ID holders can have a high degree of confidence in the integrity of the ID information and the secure, authorized use.
References:
https://www.itwissen.info/en/physical-security-bridge-to-IT-security-PHYSBITS.html#gsc.tab=0
https://www.securetechalliance.org/resources/lib/Physical_Access_Report.pdf
Michael Jordan says
One potential physical security risk that is created by an organization's implementation of a PHYSBITS solution is if non-IT security personnel have access to computers or server rooms. For example, if a physical security employee or contractor had access to the storage server room, even if it was only the head of physical security, this individual could exploit the system while working for a criminal group or foreign entity, or just for financial gain. This may sound far-fetched, but in the case of government and large international companies' servers, it is still at least a slight risk. Due to this example, PHYSBITS almost directly collides with a zero-trust approach to information security, due to the likely access to IT resources for at least one or more physical security employees.
A mitigation that I would recommend to lessen this physical security risk is having one or two IT security employees accompany any physical security employees or contractors who need to access IT rooms/resources for any reason. I would also have cameras in all server rooms and a strict logging policy and tracking. I would not allow any physical security employee access to server rooms, especially because there is not an everyday need for them to be in there unaccompanied. I would also have a separation of physical security permissions and technical security permissions, such as having different badges or authentication methods for front doors and for computer logon.
Antonio Cozza says
What physical security risks are created by an organization's implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
While the PHYSBITS solution sounds helpful and could theoretically have good practical usage, it could also be viewed as rather dangerous from a physical security standpoint. Having one access card integrated with the access to IT systems could potentially result in a huge risk for the organization if it were to end up in the hands of an unauthorized user, for example. One solution, although it could add cost, could be a security guard stationed at card reader locations who can verify that the picture on the ID matches the person requesting access. Another issue that could arise is during the access rights and roles definitions; if anything is entered incorrectly or not updated in the cases where the employee either loses the card, leaves the organization, etc. – this could create one potential issue where the card may still have access rights when it should not. This could also present an issue if the credentials are stored on the card, where an intruder who gains access to the card could also access IT systems as an authorized user. One type of mitigation could be a form of redundant access controls that are required in combination with the card credentials.
Lauren Deinhardt says
Hi Antonio. I agree with you; this PHYSBITS recommendation can be a double-edged sword in securing an organization. I like your idea of having a security guard monitor access points, but human error is a commonality, unfortunately. I suggested biometrics as a mitigation measure, but I think having that security guard in addition to biometrics (and the FOB card) might be the most promising solution.
Ryan Trapp says
Hi Lauren,
Yeah, it is definitely best to have more mitigation measures if possible. Layering the biometrics with the security guard significantly reduces the risk of attack. The more layered a company can make its security posture, the more security increases, but maybe at the expense of convenience. It is something that each organization needs to consider and decide what is best for them.
Dhaval Patel says
As others and the article have said, there are benefits to combining physical security and IT security, such as cost savings related to onboarding and streamlining employee and building access. A smart card is a common example of PHYSBITS. I've personally seen organizations integrate smart cards for onboarding employees and enabling their building access, everything co-existing in one card. This process saves a lot of time and money and even streamlines the process for employees. However, if the card were to get lost or damaged, or a natural disaster event (a power outage due to a storm) occurred at the building, the employees would no longer have access to the building or their workstations. In the event the card was lost or stolen from an employee, the threat actor would have full access to the building as well as the employee's work and any confidential information that particular individual had access to. To mitigate this you would essentially have to separate the physical from the technical. Keeping access to the building or really any hardware (data centers, storage units) separate from the smart card would greatly reduce the risk. Role-based access controls could be applied to the smart card so employees could have access to all their necessary software without having to manually provide credentials each time. The company I am familiar with using the smart card approach only provided desktops to the employees so they could not take their work home with them, but with the pandemic, they decided to create a portal where individuals would enter their smart card code on their personal computers and have virtual access to their office workstations.
Vraj Patel says
One of the PHYSBITS controls that I have noted was the Smart Card (Access Card) for entering the building or office. This is one of the controls that introduces risk within the organization. Access Cards are issued during the hiring process, and they could also be used as an ID for the employees as well. It could introduce risk if the user has lost the card and doesn't report it on time. This could allow an unauthorized person access to the facility.
The safeguards that could be implemented to mitigate this risk are having a security guard available at the door to verify whether the person using the card to gain access is the one it belongs to. Companies could also use a PIN along with the access card as multi-factor authorization. Companies could also disable the use of the access card for entering after work hours.
Christopher Clayton says
Very good security measures you suggested, Vraj. One, or the other, or all safeguards would do companies justice as proper protections, especially with multi-factor authentication.
Dhaval Patel says
Hi Vraj,
I like the smart card example; it's a common practice many of us are familiar with, but at times we do fail to see the risk involved on the IT as well as the physical side. Whether that's losing the card or denial of access to the building, combining IT and physical security practices comes with risks that may or may not outweigh the use cases.
Lauren Deinhardt says
The biggest concern I noted when reviewing the PHYSBITS data model was identity access management (IAM). Although it does make perfect sense to integrate network/information security with physical security, the concept of having a single badge granting access to both physical and virtual systems poses a severe risk to information security. If an employee's access card for physical security is stolen, the thief can only do so much (as long as their company has proper security measures such as multi-factor authentication supporting the usage of badge access cards). This same concept applies to an employee's PIV card, for instance, being stolen, since the hacker needs physical access to an employee's device in order to breach the system. However, when these access tokens are combined into one card, the loss of said card poses a massive liability and gives hackers free rein as insiders.
Aside from the separation of badge and network access cards, another mitigation measure can be the implementation of biometrics. Say that a hacker does access a combined access card; if access to the organization's data center and/or computers requires biometrics such as fingerprint scans, the stolen card is rendered useless.
Matthew Bryan says
Great point about biometrics. These would provide an additional factor of authentication when accessing restricted areas. They cannot be duplicated and are specific to the individual which makes them a compelling mitigation.
Jason Burwell says
What physical security risks are created by an organization's implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
Physical Security Bridge to IT Security (PHYSBITS) is a concept of enabling collaboration between physical and IT security to support overall enterprise risk management needs.
One physical risk example of this is: in my building, there is a physical guard at the door and it is required that every person who enters the building either swipe or tap their ID card at the guard station to gain access to the building. Recently the organization has added an app that allows employees to tap their cell phones instead of their ID cards at the guard station to get building access. Now, yes, this does come in handy if someone forgets their physical ID card; however, it adds an extra physical security risk for building access by giving a threat an extra option to target. Now a person's ID card and cell phone could be stolen to gain building access, and when someone is using a cell phone to tap in, the guard is not going to be looking for a physical ID for the person, because it will be assumed that person is using their cell phone because they forgot their physical ID. One way to mitigate this would be to still require the person gaining access to the building to show the picture on their phone to be certain it is in fact the correct person. In terms of using ID cards to access workstations, it should be required that the user still needs a password, even though they have their ID card, to access the system.
Richard Hertz says
I like your example! BYOD (Bring Your Own Device) opens such a can of worms that supplementary controls are required. You touch on a few – present a photo to ensure the phone was not stolen or cloned – all in order to add a level of convenience to the end user experience! This begs the question of how 'easy' security should be.
Michael Duffy says
This is one of the better examples I've read, especially because it takes away the social aspects of security. At my current organization the guards always check for IDs. For cell phones, it can become much more difficult as these are not physical indicators. Oftentimes security just sees the badge and waves a thumbs up (which is technically easily exploitable). With this in mind, I would imagine stricter policy would have to be in place for security to scrutinize the use of cell phone IDs and badges more often.
kofi bonsu says
PHYSBITS provides a data model for the integration of physical and IT security. Converging these security environments fundamentally offers solutions to security gaps that fall between these two different security parameters and helps protect organizations against multifaceted security threats and vulnerabilities that have a propensity to derail the security gains in the organization. Because these two industries manage largely different categories of security, converging the two together and addressing their various aspects of security will demand an increased industry effort to achieve that feat. While security can be gradually improved and advanced, a whole outlook of organizational security increasingly appears to be difficult to assess without a comprehensive data model as a working guideline and basis for a standard. This model is intended to be the foundation for a series of specifications that should be geared towards the individual parameters of security and define the interoperability standards that basically form a more complete security management system and process.
It is therefore meant that the arrangements of these standards be both flexible and extensible. In addition, its contents should be mapped to applicable industry standards and be specified to enable Web services and other implementations of the interfaces, as well as XML data formats.
The PHYSBITS implementation requires that organizations make use of a realistic authentication mechanism to determine access to physical and IT resources. Once PHYSBITS is implemented and physical and IT security access is combined, organizations need to understand that if one of these is breached, so is the other. Suppose physical access was breached but IT security was not. With PHYSBITS, this second protection is no longer effective, since physical and IT security are grouped together through one realistic form of authentication system. To reduce this risk, I am of the notion that a secondary level of confirmation and authorization is absolutely essential; it is basically similar to MFA, and should be implemented as users try to gain access to IT resources after they have physically been allowed access to those facilities.
Authentication systems and management tools that are Open Security Exchange – PHYSBITS compliant will be able to integrate into an overall enterprise architecture for provisioning, monitoring, auditing and managing physical and IT security systems.
Richard Hertz says
What physical security risks are created by an organization’s implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
It depends on the PHYSBITS implementation. The spec calls for a combination of something you have and something you know – that is a powerful combination and difficult to spoof. However, most implementations seem to be based on what you have or on what you know – but less frequently on the combination of the two. Most badge access systems for buildings are what you have (an access badge), but seldom require any kind of supplemental input (what you know, e.g. PIN code or p-word). On the other hand, most system access systems require a password or PIN code (what you know) but seldom something you have. Multi-Factor Authentication is beginning to change that for system access. MFA requires you to know something and to have something (access to a registered SMS receiver or an authenticator program, etc.).
As a result the strongest solutions are to implement a full PHYSBITS solution – requiring both ‘something you have’ AND ‘something you know’.
Victoria Zak says
What physical security risks are created by an organization's implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
According to the article, “PHYSBITS is a vendor-neutral approach for enabling collaboration between physical and IT security to support overall enterprise risk management needs.”
There are several security risks that come with PHYSBITS. As the article mentions, one is key management. If an organization does not monitor this carefully and grants administrative access to appropriate admins, this can result in a terrible manner. It is extremely important for companies to review this.
Additionally, a person can "tailgate" an admin who has a key fob. For example, a person can follow an employee who is granted access into the data breach center. In my work experience, to reduce tailgating, there are security guards who check and monitor who goes in and out of restricted areas. They also create a sign-in log on top of security.
Beyond tailgating or management not monitoring who does or doesn't have access, an employee who has access can lose their key card or have it stolen. While security guards would be a great idea to monitor who goes in and out, it would also cost an organization more money.
Dan Xu says
I agree with you that while tailgating occurs or managers do not monitor who has access or does not have access, employees who do have access may lose their key cards or have them stolen. There is also the potential for employees with access to be negligent, leading to risk. To prevent this risk, strong physical security controls must be implemented. Perform IT background checks on new hires, as sometimes malicious threats can arise internally. Providing the correct access to those with privileges and implementing multiple authentication will also prevent and mitigate risk.
Joshua Moses says
PHYSBITS is a convergence of both physical security and information security. Physical security focuses on assets, systems, personnel and structures. Information security typically focuses on the authorization of users, their access rights to resources, services and applications, to ensure continuous business activities. Physical security and information security are closely related security aspects, and the PHYSBITS framework tries to bridge the gap between the two. Unfortunately, the implementation of a PHYSBITS solution contributes to new risks that can and should be mitigated.
Alexander William Knoll says
The Physical Security Bridge to IT Security, better known as PHYSBITS, was developed by the Open Security Exchange, and it is best defined as "a vendor-neutral approach to collaboration between physical security and IT security that supports all enterprise risk management requirements." When looking at the PHYSBITS Framework, I really do not see any way that a PHYSBITS approach does not increase functionality in comparison to typical security. For example, look at the entrance to a data center. This data center may have cameras, security guards, require keycard access, etc. None of this matters if somebody with ill motives is able to obtain a key card. The security guard more than likely won't question somebody if it appears that they have access, and any evidence caught by a video camera may be too late. Now, introduce PHYSBITS, and add another, second level of security to the mix. Instead of swiping a security card, the user may also have to enter a PIN that only they would know. Obviously, in order to implement combined physical and IT security there will be difficulties. For example, the framework states that a "lack of integration of building access and business processes for new hires, and de-provisioning terminated staff — potentially causing security exposures" and "costly, manual processes for new hires and contractors to get building access set up and changed when their access needs to be changed". These are issues that may provide difficulties at first, but with proper training and control implementation they can be overcome. PHYSBITS is the way of the future in order to create a completely integrated corporate architecture.
Dan Xu says
Organizational implementation of PHYSBITS solutions can create physical security risks due to human uncontrollability. It has the advantage of automating the user provisioning process from both an IT and physical security perspective. However, because PHYSBITS utilizes smart cards for access and identity management, a centralized system that combines physical access with IT access can magnify errors in the account provisioning process, and it leads to errors. Lost or stolen smart cards can create privacy issues for the organization. In addition, technical risks exist simultaneously, and theft of files or data is often the result of powerful hackers and the organization's own inadequate monitoring and defense systems. I believe that the probability of risk can be limited and controlled through multiple authentications and user permissions. Once PHYSBITS is implemented and physical and IT security access is combined, if one is compromised, the other is compromised as well. Measures for regular checks and increased monitoring can help mitigate this risk.
zijian ou says
When an organization implements a PHYSBITS solution, some physical risks are created that are difficult to protect against with security devices and equipment, but by using mitigation methods we cover them in a better way. Intentionally and unintentionally, humans cause mistakes, risk is generated, and the organization becomes vulnerable to various attacks. Many times, it turns out that authorized employees allow an unauthorized person into the secure environment unknowingly. For example, in a server room only two or three specific employees have access or authentication, but after entry the authorized employee forgets to lock the door properly, and a third person takes advantage and uses the opportunity to gain admission to the secure area with the help of the licensed employee's privilege. It has become one of the common risks for various organizations.
Bernard Antwi says
@Zijian, a comprehensive access control system is designed to: permit only authorized persons and vehicles to enter and exit; detect and prevent the entry of contraband material; detect and prevent the unauthorized removal of valuable assets; and provide information to security officers to facilitate assessment and response.
Miray Bolukbasi says
PHYSBITS is a way to approach enterprise risk management needs by integrating physical security and IT security while supporting a data model. It helps the organization to reduce administrative overhead through automation and enhance security through a combined view of environments. Although PHYSBITS provides more effective reporting and investigation, it might create some additional risks. The risks that might occur include: new hires and terminated staff potentially causing security exposures, getting into the building for setup, monitoring systems that do not provide situational awareness, and a lack of consistent standards for log management.
Solutions addressed in the article:
- Managing areas
- Perimeter intrusion
- Occupancy
- Access methods
- Internal/external facility monitoring
Bernard Antwi says
To choose the right physical security measures and apply them appropriately, it is important to first conduct a risk assessment, such as described in the ASIS General Security Risk Assessment Guideline. The risk assessment, accompanied by an understanding of physical security measures provided by this guideline, makes it possible—either alone or with the help of security consultants or vendors—to select and implement appropriate physical security measures to reduce the assessed risks to a level acceptable by the organization. IT and network security focus on authorization for users to access IT services to which they are entitled and helps ensure business continuity. These resources can include roles on a network; permissions to a database; drive space allocations; email access; Internet/extranet and intranet access; and remote access privileges. An effective security policy addresses both physical and IT security. In almost every large enterprise, physical and IT security are present but are not often coordinated, or organizationally or operationally functional.