A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
In the example provided in our assigned reading, the redacted company focused on vulnerabilities related to unauthorized physical access and disruption of its systems. The resulting mitigating controls are physical and environmental security, equipment security, and general controls. Physical and environmental security controls seek to reduce unauthorized personnel from gaining access to offices and buildings. Equipment Security controls factor in possible physical destruction by natural disasters as well as unauthorized access to physical machines and data. Lastly, general controls account for potential social engineering and physical breaches of the organization.
One of my favorite topics is social engineering and I always find it interesting that companies often spend A LOT of time investing into implementing security controls for social engineering. I also find it just as interesting to see when company’s overlook social engineering attacks especially when considering that they’re priority is to protect information. In a lot of cases; social engineering is taken for granted and I feel like an organization could spend hours going down a rabbit hole discussing policy regarding the topic. One of the most dangerous types of attackers is somebody who knows how to work with an organization.
I believe that the vulnerabilities associated with authorized physical access and system outages reflect the need for companies to focus on threats and vulnerabilities in physical security. Physical security and human factors impact the implementation of security training and awareness programs, as human vulnerabilities can be potential unauthorized access or misuse of the controls the company has implemented. Companies also need to focus on the technical aspects of security.
Physical security teams should focus on vulnerabilities that stem from human-centered, technical, and environmental factors. The Vacca reading provides an example policy that outlines how a physical security team would control for these risks. This policy focuses on perimeter and equipment security in addition to general preventative controls.
The procedures detailed in the policy reduce the risk of unauthorized access to the facility, theft, and data loss e.g. clean desk policy. The policy also calls for monitoring of non-public areas consummate with the asset value they contain. The policy did not explicitly state the type of monitoring, but it’s fair to assume that this would include environmental vulnerabilities, e.g. temperature, humidity, etc.
In short, physical security teams need to focus on who’s accessing company assets (perimeter security), what they are doing with those assets (asset security), and monitoring their environment (fire detection, etc.).
Vulnerabilities that a company physical security team should focus on in terms of physical security should be environmental, technical, and human-caused.
Environmental vulnerabilities would be if the company were vulnerable to any natural disasters (tornadoes, hurricanes, floods, etc.) if they were to take place, and what precautions are currently set in place to help protect against those incidents if they happen. Technical vulnerabilities would be if the company was vulnerable to some sort of electrical outage or electromagnetic interference.
Human-caused vulnerabilities would be the potential unauthorized access or misuse of the controls that the company has put in place.
The company should focus on these three categories of threats, what they are vulnerable to, what protections are currently put in place to help protect those vulnerabilities, and how they can improve their security standing.
Hello Andrew,
This efficiently categorizes all the vulnerabilities that the physical security team should notice that could compromise an organization if exploited. In addition, this grouping adequately covers technical, operational, and management controls that serve as the basis for implementing confidentiality, Integrity, and availability.
Well-said that threats are people who are able to take advantage of security vulnerabilities to attack systems. Vandals, hacktivists, criminals, spies, disgruntled employees, etc. Vulnerabilities are weaknesses in a system that allow a threat to obtain access to information assets in violation of a system’s security policy.
The company focused on physical security and human factors, physical security, physical security and environmental factors, physical security/information security integration and physical security and financial factors.
Physical security and human factors talks about implementing a security training and awareness program to train employees of what they are supposed to do relating to information security. For example, a company must incorporate perimeter security. Surveillance cameras must be placed around the work area to prevent unauthorized people from accessing the building. Employees must identify and report any suspicious activities they witness to security personnel. Swiping cards, door looks must be scanned when accessing the building. This will also keep track of who enters the building in case a security incident happens.
Overall the physical team will analyze any physical treats and vulnerabilities that are important to the well functioning of an organization. Human is at the core of all those factors and if they are not properly trained on how to use and monitor the equipments, the company is exposed to malicious attacks.
Great job pointing out that humans are the common denominators for these mitigation factors. It is something that we have learned time and time again but if the employees are not properly trained or do not use and monitor the equipment then there will always be exposure to attacks. A company can have the latest and greatest technology but without a competent security team it means nothing.
Hello Ornella, well said.
“The overall objective of any physical security team should be to analyze any physical treats and vulnerabilities amongst others that are important to the healthy functioning of an organization. In addition, anything that would deter an organization’s security posture should be a point of focus.
I agree with you in regard to your analysis about physical security but you must understand in the same way that equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes. Ensuring complete physical security is impossible, especially in a larger organization.
Physical security is foundation of any security plan and fundamental to all security effort, cause of without proper physical security all software security, cyber security, user access security, network security are become vulnerable to various threats.
After analyzed physical security threats Company steal focus on unexpected or unenviable threats or possibilities to physical security. Most of the planning to protect against the threat possible such as Natural Disasters are source of various or wide range of environmental threats to data centers, information processing facilities and personnel, such as tornado, hurricane, earthquake, storms, flood etc.
But company should be focus on most vulnerable factor that is generated by human caused physical threat, human cause threat are less predictable to guess or identify, so that it become a most vulnerable threat to security.
If outsider intruder try to breach physical security then it not possible easily, but this attempt do internal employee then it can bypass all security mechanisms, internal employee can easily go restricted area and access to various system, hardware and network devices. He can also easily theft equipments, copy sensitive database, use various eavesdropping and wiretapping method to steal sensitive information. They are also performing destruction of equipment or database in some cases. So many times they can access improper use of resources which is unauthorized for him. Human cause physical threats are most vulnerable that’s why company need to more focus on it.
The company mainly focused on Physical and Environmental security. The organization highlighted boundary protection and wrote specific controls to be implemented such as identifying critical areas and manning them with alarms/personnel to isolate entry points from unauthorized intrusion. They have also wrote processes for who has access to the premises including separate processes for visitors. The company also highlighted environmental security by highlighting access control, securing equipment, conducting maintenance, and discussing sanitization of information. The company also implemented Clear Screen policy to require users to set their screen savors to automatical.ly turn on after 15 minutes – and also make it mandatory that they lock their computers while absent from their desk.
Overall the policy is targeted towards personnel; and is noted even where they mention environmental factors such as Equipment Sitting and Protection – the company should protect equipment from threats and hazards, and opportunity for unauthorized use.
You highlight an essential control within the organization’s physical security policy which is the sanitization of information. Physical security comes with its own set of challenges regarding privacy and confidentiality. Physical attacks like dumpster diving or shoulder surfing can reveal exposed sensitive information written on posted notes or files left out in the open that contain PII data. Ultimately, the risk is unauthorized access to information or systems and the vulnerability here is human error. Thanks for calling out this important control.
Good point that the policy is mainly targeted towards personnel. To add, at the end of the day, you can take all the precautions possible for an environmental hazard, and respond appropriately. When it comes to employees with malicious intent, as an example, you can never really prepare appropriately for what they may/may not do, because employees are unpredictable.
Well noted in your analysis but how about other factors should such as damage or loss caused by fire, flood, and sensitivity to temperature extremes. Ensuring complete physical security is impossible, especially in a well established company.
Social engineering point of entry would be one of the vulnerabilities of how well the organization has taught it’s own staff not to let anyone they don’t know inside of the building. Another focus would be if the security system can be breached and how many layers of security does a person need to bypass in order to get access..Lastly the maintenance and reliability of the security system plays a role in how often the system needs to update and how long it may take or what mitigations are there in case the security system is not functioning properly.
Good idea doing a summary of all the threats and vulnerabilities they will need to analyze. Companies must trained employees on how to not to hold the door to people behind them like you mentioned. They must have surveillance cameras, security guards at the front enforcing to swipe or show their ID card anytime people enter the building. For more security, they can also give codes to employees anytime they need to access a different building floor.
Wilmer,
Social engineering is a great point. It is a great test to see if an employee within the company knows to identify when they see a threat. For example- a phishing test. When a phishing test is sent to an employee’s email, a user clicks on it and that gets reported to management.
Wilmer, you make a solid point including social engineering as a relevant avenue for physical security that a company should understand how to mitigate. Despite all of the physical security mitigations in place, I think that a social engineering attack on a guard for example will ultimately have to come down to employee adherence to proper access policies in place in combination with training and awareness. No amount of physical security measures will surpass the required awareness employees should have to protect the organization from unauthorized personnel gaining access.
If a company is analyzing the physical security threats and vulnerabilities for its systems then they would be focusing on vulnerabilities that can be exploited by environmental, technical, and human-caused threats. An environmental vulnerability would be something that exposes a company to environmental threats such as natural disasters. If for example a company was in a region with frequent earthquakes and the server racks were not properly secured, then they could potentially move and fall over in the event of an earthquake taking place. A technical vulnerability in the context of physical security would have to do with electrical power and electromagnetic emissions. If a company does not have the proper generators or UPS devices put in place, then if there is a power outage or power surge, they expose their devices to shutting down or taking an over-voltage and damaging the parts. A human-caused vulnerability would be an avenue to exploit and overcome a prevention measure at a company. For example, if a company did not properly restrict the server area or the network closets, then an employee who should not have access would be able to enter these areas which could lead to threats of theft, vandalism, and misuse.
Thanks for sharing Ryan. On top of what you laid out I’d like to point out that communication and collaboration with network security is also crucial. In a lot of cases, a network security team may be interested in vulnerabilities that are identified by the physical security team because they too could pose adverse impacts to their processes. As an example I believe technical threats, such as the one you used, a network team would want be aware of this threat so that it could have controls, such as a load balancer to filter data to an additional data center resource, in place. This would help ensure that there are no control gaps between the two teams as well and it would ensure redundancies are in place to ensure the data can be recovered.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
A company’s physical security team focused on vulnerabilities involving how the data is being accessed and used. It’s important that they monitor how the data is being accessed and making sure that it is lawful and that unauthorized people aren’t getting ahold of private information. They also focus on making sure that people who have authorization to the data aren’t mishandling this information. These vulnerabilities are assessed by security monitoring and implementing security awareness programs including workshops on how to prevent threats as well as deal with them.
How data is accessed and used is imperative and having unauthorized access to private information is already a bad start in physical security. Good mention in applying security awareness workshops Michael. Educating staff and keeping them up-to-date on how serious threats are and steps to prevent them certainly keeps them one step ahead of the game or even further.
Good point on emphasizing about security awareness programs. All companies must develop a security education and training programs for employees or people within the company to guide them in their daily basis roles. They must have a security plan depending on the assets they have and each of them must be well protected. As we are talking about physical security, companies must come up with better plan on their surveillance cameras, swiping cards, checking people backgrounds etc..
The types of vulnerabilities that the company focused on during a physical security threat and vulnerability analysis probably are; authentication method(s) for physical entry, having security control hardware installed in all buildings and entrances to different departments within buildings, access logs and tracking for when users use their cards/credentials for access, and camera systems for all grounds/parking lots/buildings/rooms on the business property. One reason implementing PHYSBITS would be beneficial to a company is by including technical departments and rooms into the physical security threat/vulnerability analysis, threat prevention, and breach reaction and solution. I believe it is best if there is, maybe very small, overlap in physical and IT security
You make a good point in acknowledging that a company’s physical security team focuses on vulnerabilities involving authentication methods as well as hardware installation. Monitoring how the data is being accessed is important because you want to make sure that only authorized people are gaining access and that unauthorized people are obtaining private information. Implementing a security awareness program is a good option of risk mitigation to deal with these vulnerabilities.
There are three main categories for physical security threats. They are environmental threats, technical threats, and human-caused threats. Likewise there are many physical security controls that can be put in place to mitigate these threats, such as;
– Baricades / Bollards
– Access control vestibules
– Alarms
– Video surveillance
– Guards and access lists / Badge or ID
– Biometrics
– Door access controls
– Cable Locks
– Fencing
– Fire Supression
HI Joshua; great job in providing this list of mitigations to follow your explanation of physical security threats. I did not think of door access controls prior, but this can really help an organization in making sure unauthorized personnel are entering the premises via ‘doorholding’.
I thought it would be interesting to focus on some of the physical security measures that can be implemented to reduce risks. I also left out a few. Another that comes to mind are signs that can be implemented to keep people away from restricted areas.
Also there are different types of door access controls:
– Conventional (Lock and key)
– Deadbolt (Physical Bolt)
– Electronic (keyless, or pin) I see the pin one in the hospitals I work in all the time.
– Token Based (RFID badge, magnetic swipe card, or key fob)
– Biometric (Hand, fingers or retina)
– & Multi-factor (smart card and pin)
Hello Joshua,
That’s a great post. Those are some really good ideas for the physical security. However, for the door access control I would say the only best one would be biometric lock. As if its a lock with a key that is provided to a user then it would create a risk. Where if the user lost the key or give those keys to someone. If its a lock with pin then the user could share the pin with other users so I would say the best option would be biometric lock such where the user has to scan their finger to open the door.
Hi Vraj,
You make a good point. I wonder if it would log the person and time / date that they enter a room with a biometric lock. If so, this could be a way to hold a person accountable if any hardware was to go missing. Also seems as though this would be the case with the token Based (RFID badge, magnetic swipe card, or key fob) as well.
The electronic (pin) gets shared all around the enterprise. So a malicious worker could just write down the code and use it to gain access to the room later or after hours.
These are definitely good examples of physical security threat mitigations. To add to the list, more deterrent controls are spotlights and CCTV, and other physical security measures include mantraps, Faraday cages, and air gaps.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
The three main divisions of physical security the team would have looked at are environmental, technical, and human-caused threats. Environmental checks may have included assessing liquid ( most likely water) sources in reference to computing / electric equipment, checking for dust buildup in or around systems, monitoring temperatures to ensure fire prevention, and checking that no hazardous materials are nearby. Technical threats that the team probably checked for include proper voltages and electromagnetic interference. Lastly, the most obvious physical security checks are the human-caused threats, including but not limited to unauthorized physical access from outside personnel that could be the result of a successful social engineering attack that could lead to theft, vandalism and or misuse. All entrances should be secured against this via a form of physical access control, with the most secure areas containing layered forms of mitigation like an entrance log combined with a mantrap.
Physical security encompasses security measures designed to deny unauthorized access and protect assets from damage or harm (espionage, theft, or terrorist attacks).
When an organization focuses on physical security, the goal is to create programs to identify and mitigate vulnerabilities/gaps related to unauthorized physical access that could disrupt its mission-critical objectives.
Such security programs define the measures that protect organizations from loss caused by vulnerabilities like theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure, and power failures.
As a result of identified vulnerabilities, mitigating controls would then be implemented to ensure physical and environmental security through security measures in a defined structure. These controls, if adequate, will deter or prevent unauthorized access to sensitive infrastructure, i.e., hardware, software, network, and human assets. Examples of physical controls are Closed-circuit surveillance cameras, Motion or thermal alarm systems, and Security guards.
Physical security measures are designed to protect buildings, and safeguard the equipment inside. In other words, they keep unwanted people out, and give access to authorized individuals. When a company’s physical security team analyzes threats and vulnerabilities, they have to first look at the three main categories of threats which are: environmental (tornado, hurricane, earthquake, etc.), technical (under/overvoltage, noise), and human-caused (unauthorized physical access, theft, vandalism). People and hardware can fall victim to weather, crime, and other types of dangers if not properly prepared. Access control, intrusion protection, alarm systems, surveillance cameras, employee awareness are ways to help mitigate risk.
Good point about people and hardware falling victim to weather crime and the other dangers, I think that gets lost sometimes. I also agree that security measures are designed to protect the building/assets and keep unwanted people out
Hello Christopher.
Well said. Concerning your statement that “People and hardware can fall victim to the weather, crime, and other types of dangers if not adequately prepared.” The physical security team should analyze every vulnerability/threat possible regardless of the nature or type. From the analysis of such, the appropriate controls can then be recommended/implemented for mitigation. Every exposure can crystalize into risk and, as such, should be adequately analyzed and mitigated.
Christopher,
You made great points. With surveillance cameras and key fobs, organizations have security guards and a sign in sheet on top of that to decrease the risk.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
Vulnerabilities the company should focus on include when looking at physical security include technical, environmental, and human-caused. Technical focus on electrical power where the amount of voltage is taken into consideration. Environmental looks at conditions within the environment that could potentially damage services housing data or equipment. Environmental factors can include fire, water damage, chemical, radiological, or biological hazards to name a few. Human-caused vulnerabilities focus on unauthorized physical access, theft of equipment, vandalizing equipment, or misuse of resources.
sources: Vacca, J. R. (2017). Computer and information security handbook.
The type of security the company needs to focus on out of Physical, Technical, and Administrative is Physicals. Based on the senior there could be any type of Physical security the company might be facing. There could be an unauthorized access to the building or to the secure area. There could be a possibility that there is an unauthorized access to the server or to the computer connected to the companies network. There could be an also possibility that their power line or internet connection out side of the building might not be secure from unauthorized person. As a result, I would say they need to focus on securing the physical security by implementing a lock on a door to prevent an authorized person from an secure area and other safeguards to protect their physical security.
The three types of vulnerabilities which can be focused on for a physical security threat assessment are technical, human, and environmental. Technical vulnerabilities encompass technological flaws such as an organization’s lack of an uninterrupted power supple (UPS), or the lack of filters/shielding against electromagnetic interference. Human vulnerabilities can include the lacking of perimeter security at a datacenter, or even employees putting post-it notes with passwords at their desks/workstations; these vulnerabilities lead for human threats to potentially infiltrate company systems. Lastly, environmental vulnerabilities tend to focus on the location of information systems; such as if a datacenter was placed in Key West, FL, which has an alarming hurricane/flooding rate.
The point you made about employees writing down their passwords on post-it notes is a very good point. It seems like something that is obvious to avoid to us, but at an old car dealership I used to work at (not even that long ago), there were many people who worked in the offices who would write their passwords on post-its and tape it to their computers. This was especially prevalent in older coworkers of mine, but not exclusively. I wish that I could look at this companies IT/IS policy and point some things out to my old boss, as car dealerships store a lot of critical data on their networks (credit pulls, bank accounts, titles, etc).
I really liked your example of the post-it notes. We hear the stories all the time, but you lived it! I bet the company spent significant money on firewalls, possibly VPN technology, maybe encryption and even PCI audit compliance. Yet at the very base of it was a post-it note with all the info someone needed to gain bona-fide system access. The only thing protecting that post-it note was physical/perimeter security – and at a public location like a car-dealership that would be relatively low. You would want the customers to come into the facility and look at the products (Cars!).
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
They broke it down into 3 types of vulnerabilities
Environmental threats-These are natural disasters such as Flooding, Lightning, Tornados, Hurricanes, Earthquakes
Technical threats- Power issues, Over Voltage, Under Voltage, Loss of Power and Electromagnetic Interference
Human-caused threats- Unauthorized access to the building or restricted areas of the building, Theft- stealing equipment or copying data that should be for business use only and shared with outside threats. Vandalism- destroying the building or building property, and the misuse of company resources
Physical security group within the organization should basically zeroed in on vulnerabilities that emanated from human-centered, technical, and environmental determinants. The article primarily gives an instance of policy that determines way and manner a physical security group would certainly curtail or contain these risks. This policy concentrates on perimeter and equipment security application in regard to general preventative control measures. The procedures and process stated in the policy minimize the risk of unauthorized access to the facility, and theft, and data loss would could derail successful operation of the organization . The policy also requires the organization to embark on monitoring of non-public areas consummate with the asset value they contain. The policy did not fundamentally state that the type of monitoring, but it’s absolutely normal to presume that this would entails environmental vulnerabilities. In that regard, physical security group need to pay attention on who have capacity to access to company assets such as perimeter security, with regard to how they would be able to access assets that is asset security and monitoring their environment to realize the protection of the information asset.
Threats are categorized into three categorifies, including environmental, technical, and human-caused, from a physical security team’s perspective. Examples of exterior environmental threats include inclement weather as well as natural disasters such as tornadoes and hurricanes, which can adversely affect operations of a data center. Data centers are also faced with interior environmental threats, such as inadequate flooding detection systems, which can also negatively impact the operations of a data center. The Vacca reading also notes that technical threats exist, such as insufficient electrical power supply, which could render a data center useless. Finally, the Vacca reading focused on human caused threats, including unauthorized access, theft, vandalism, and misuse.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
It is broken down into three categories:
Environmental, technical, and human causes. Environmental disasters can happen by natural disasters such as tornadoes, floods, and hurricanes. This is why it is extremely important for businesses to have a disaster recovery plan in place.
A technical vulnerability is a hacker accessing data to obtain information.
Additionally, human causes can occur by an employee granting unauthorized access.
When looking at at physical security threats from a security team’s perspective, threats can be classified in one of three – environmental technical, and human-caused vulnerabilities. Some examples of environmental threats could be natural disasters such as fires, floods, tornadoes, hurricanes, etc. Another example of environment threats, one that is not often talked about, could be the recognition of keeping hardware and other technology at the appropriate temperature. If a computer gets too hot, for example, it could be rendered useless. Because of this, it is appropriate to have an understanding of where your offices/data centers may be located and ensuring the ability to maintain these locations appropriately with a/c. Some examples of technical vulnerabilities the team may focus on are electrical power and electromagnetic interference. As far as electrical power, IS typically requires uninterrupted power at all times, and the risk of under voltage/over voltage is a threat the security team must always be ready for. Electromagnetic interference is also a concern because even the smallest of devices are capable of interrupting sensitive electronic equipment. The last risk for vulnerabilities are human-caused threats. These threats are difficult to deal with because they are unpredictable, and they are specifically designed to overcome prevention methods. Examples may include vandalism, theft, and unrestricted access.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
The company focused on the three main divisions of physical security: environmental, technical, and human-caused threats. Environmental are elements that come from the geography or climate of a location. Technical come from the choices made in designing systems and processes to support the operations of an organization. Lastly the human-caused threats are generally the most complex and difficult to deal with. The human caused threats are constantly shifting and are driven by very unpredictable things – people!
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
Companies need to focus on threats and vulnerabilities in physical security. Physical security and human factors influence the implementation of security training and awareness programs, as human vulnerabilities can be a potential unauthorized access or misuse of the controls the company has implemented. Employee permissions and security awareness need to be increased as one of the key factors in defending against vulnerabilities and securing the environment. For example, reducing unauthorized access to offices and buildings and increasing background checks and scope of authority monitoring for authorized personnel.
It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders. Some vulnerabilities to look at will be
• Natural events (e.g., floods, earthquakes, and tornados)
• Other environmental conditions (e.g., extreme temperatures, high humidity, heavy rains, and lightning)
• Intentional acts of destruction (e.g., theft, vandalism, and arson)
• Unintentionally destructive acts (e.g., spilled drinks, overloaded electrical outlets, and bad plumbing)
Office theft is not limited to material assets. These days data leakage may pose even more severe consequences, including loss of sensitive information, credit card details, intellectual property or identity theft. In some cases, former employees are responsible for data theft. However, cybercriminals can also jeopardize valuable information if it is not adequately protected.
The physical security lists threats and vulnerabilities as environmental, technical and human-centered threats. The team basically responsible of protecting people, property and physical assets from actions and event that could cause damage or loss. The team would consider environmental risks such as extreme temperatures, humidity, rain, lighting, natural events or human errors ( unauthorized access, social engineering, vandalism, misuse) and technical might be configurations, biometrics, camera system.
Per chapter 69 the physical security must prevent misuse of the physical infrastructure that leads to the misuse or damage of the protected information. This includes vandalism, theft of equipment, copying of information or services and unauthorized entry. All of these are examples of physical security breaches due to the human factor. The company and their vulnerabilities are due to the lack of focus on the human element.
Physical security is a vital part of any security plan and is fundamental to all security efforts. Without it, information security, software security, user access security, and network security are considerably more difficult, if not impossible, to initiate. Physical security refers to the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures, and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders. Some vulnerabilities to look at will be
• Natural events (e.g., floods, earthquakes, and tornados)
• Other environmental conditions (e.g., extreme temperatures, high humidity, heavy rains, and lightning)
• Intentional acts of destruction (e.g., theft, vandalism, and arson)
• Unintentionally destructive acts (e.g., spilled drinks, overloaded electrical outlets, and bad plumbing)
In the example provided in our assigned reading, the redacted company focused on vulnerabilities related to unauthorized physical access and disruption of its systems. The resulting mitigating controls are physical and environmental security, equipment security, and general controls. Physical and environmental security controls seek to reduce unauthorized personnel from gaining access to offices and buildings. Equipment Security controls factor in possible physical destruction by natural disasters as well as unauthorized access to physical machines and data. Lastly, general controls account for potential social engineering and physical breaches of the organization.
Hi Kelly,
One of my favorite topics is social engineering and I always find it interesting that companies often spend A LOT of time investing into implementing security controls for social engineering. I also find it just as interesting to see when company’s overlook social engineering attacks especially when considering that they’re priority is to protect information. In a lot of cases; social engineering is taken for granted and I feel like an organization could spend hours going down a rabbit hole discussing policy regarding the topic. One of the most dangerous types of attackers is somebody who knows how to work with an organization.
Hi Kelly,
I believe that the vulnerabilities associated with authorized physical access and system outages reflect the need for companies to focus on threats and vulnerabilities in physical security. Physical security and human factors impact the implementation of security training and awareness programs, as human vulnerabilities can be potential unauthorized access or misuse of the controls the company has implemented. Companies also need to focus on the technical aspects of security.
Physical security teams should focus on vulnerabilities that stem from human-centered, technical, and environmental factors. The Vacca reading provides an example policy that outlines how a physical security team would control for these risks. This policy focuses on perimeter and equipment security in addition to general preventative controls.
The procedures detailed in the policy reduce the risk of unauthorized access to the facility, theft, and data loss e.g. clean desk policy. The policy also calls for monitoring of non-public areas consummate with the asset value they contain. The policy did not explicitly state the type of monitoring, but it’s fair to assume that this would include environmental vulnerabilities, e.g. temperature, humidity, etc.
In short, physical security teams need to focus on who’s accessing company assets (perimeter security), what they are doing with those assets (asset security), and monitoring their environment (fire detection, etc.).
Vulnerabilities that a company physical security team should focus on in terms of physical security should be environmental, technical, and human-caused.
Environmental vulnerabilities would be if the company were vulnerable to any natural disasters (tornadoes, hurricanes, floods, etc.) if they were to take place, and what precautions are currently set in place to help protect against those incidents if they happen. Technical vulnerabilities would be if the company was vulnerable to some sort of electrical outage or electromagnetic interference.
Human-caused vulnerabilities would be the potential unauthorized access or misuse of the controls that the company has put in place.
The company should focus on these three categories of threats, what they are vulnerable to, what protections are currently put in place to help protect those vulnerabilities, and how they can improve their security standing.
Hello Andrew,
This efficiently categorizes all the vulnerabilities that the physical security team should notice that could compromise an organization if exploited. In addition, this grouping adequately covers technical, operational, and management controls that serve as the basis for implementing confidentiality, Integrity, and availability.
Well-said that threats are people who are able to take advantage of security vulnerabilities to attack systems. Vandals, hacktivists, criminals, spies, disgruntled employees, etc. Vulnerabilities are weaknesses in a system that allow a threat to obtain access to information assets in violation of a system’s security policy.
The company focused on physical security and human factors, physical security, physical security and environmental factors, physical security/information security integration and physical security and financial factors.
Physical security and human factors talks about implementing a security training and awareness program to train employees of what they are supposed to do relating to information security. For example, a company must incorporate perimeter security. Surveillance cameras must be placed around the work area to prevent unauthorized people from accessing the building. Employees must identify and report any suspicious activities they witness to security personnel. Swiping cards, door looks must be scanned when accessing the building. This will also keep track of who enters the building in case a security incident happens.
Overall the physical team will analyze any physical treats and vulnerabilities that are important to the well functioning of an organization. Human is at the core of all those factors and if they are not properly trained on how to use and monitor the equipments, the company is exposed to malicious attacks.
Hi Ornella,
Great job pointing out that humans are the common denominators for these mitigation factors. It is something that we have learned time and time again but if the employees are not properly trained or do not use and monitor the equipment then there will always be exposure to attacks. A company can have the latest and greatest technology but without a competent security team it means nothing.
Hello Ornella, well said.
“The overall objective of any physical security team should be to analyze any physical treats and vulnerabilities amongst others that are important to the healthy functioning of an organization. In addition, anything that would deter an organization’s security posture should be a point of focus.
I agree with you in regard to your analysis about physical security but you must understand in the same way that equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes. Ensuring complete physical security is impossible, especially in a larger organization.
Physical security is foundation of any security plan and fundamental to all security effort, cause of without proper physical security all software security, cyber security, user access security, network security are become vulnerable to various threats.
After analyzed physical security threats Company steal focus on unexpected or unenviable threats or possibilities to physical security. Most of the planning to protect against the threat possible such as Natural Disasters are source of various or wide range of environmental threats to data centers, information processing facilities and personnel, such as tornado, hurricane, earthquake, storms, flood etc.
But company should be focus on most vulnerable factor that is generated by human caused physical threat, human cause threat are less predictable to guess or identify, so that it become a most vulnerable threat to security.
If outsider intruder try to breach physical security then it not possible easily, but this attempt do internal employee then it can bypass all security mechanisms, internal employee can easily go restricted area and access to various system, hardware and network devices. He can also easily theft equipments, copy sensitive database, use various eavesdropping and wiretapping method to steal sensitive information. They are also performing destruction of equipment or database in some cases. So many times they can access improper use of resources which is unauthorized for him. Human cause physical threats are most vulnerable that’s why company need to more focus on it.
The company mainly focused on Physical and Environmental security. The organization highlighted boundary protection and wrote specific controls to be implemented such as identifying critical areas and manning them with alarms/personnel to isolate entry points from unauthorized intrusion. They have also wrote processes for who has access to the premises including separate processes for visitors. The company also highlighted environmental security by highlighting access control, securing equipment, conducting maintenance, and discussing sanitization of information. The company also implemented Clear Screen policy to require users to set their screen savors to automatical.ly turn on after 15 minutes – and also make it mandatory that they lock their computers while absent from their desk.
Overall the policy is targeted towards personnel; and is noted even where they mention environmental factors such as Equipment Sitting and Protection – the company should protect equipment from threats and hazards, and opportunity for unauthorized use.
Hi Michael,
You highlight an essential control within the organization’s physical security policy which is the sanitization of information. Physical security comes with its own set of challenges regarding privacy and confidentiality. Physical attacks like dumpster diving or shoulder surfing can reveal exposed sensitive information written on posted notes or files left out in the open that contain PII data. Ultimately, the risk is unauthorized access to information or systems and the vulnerability here is human error. Thanks for calling out this important control.
Kelly
Hey Michael,
Good point that the policy is mainly targeted towards personnel. To add, at the end of the day, you can take all the precautions possible for an environmental hazard, and respond appropriately. When it comes to employees with malicious intent, as an example, you can never really prepare appropriately for what they may/may not do, because employees are unpredictable.
Well noted in your analysis but how about other factors should such as damage or loss caused by fire, flood, and sensitivity to temperature extremes. Ensuring complete physical security is impossible, especially in a well established company.
Social engineering point of entry would be one of the vulnerabilities of how well the organization has taught it’s own staff not to let anyone they don’t know inside of the building. Another focus would be if the security system can be breached and how many layers of security does a person need to bypass in order to get access..Lastly the maintenance and reliability of the security system plays a role in how often the system needs to update and how long it may take or what mitigations are there in case the security system is not functioning properly.
Hi Wilmer,
Good idea doing a summary of all the threats and vulnerabilities they will need to analyze. Companies must trained employees on how to not to hold the door to people behind them like you mentioned. They must have surveillance cameras, security guards at the front enforcing to swipe or show their ID card anytime people enter the building. For more security, they can also give codes to employees anytime they need to access a different building floor.
Wilmer,
Social engineering is a great point. It is a great test to see if an employee within the company knows to identify when they see a threat. For example- a phishing test. When a phishing test is sent to an employee’s email, a user clicks on it and that gets reported to management.
Wilmer, you make a solid point including social engineering as a relevant avenue for physical security that a company should understand how to mitigate. Despite all of the physical security mitigations in place, I think that a social engineering attack on a guard for example will ultimately have to come down to employee adherence to proper access policies in place in combination with training and awareness. No amount of physical security measures will surpass the required awareness employees should have to protect the organization from unauthorized personnel gaining access.
If a company is analyzing the physical security threats and vulnerabilities for its systems then they would be focusing on vulnerabilities that can be exploited by environmental, technical, and human-caused threats. An environmental vulnerability would be something that exposes a company to environmental threats such as natural disasters. If for example a company was in a region with frequent earthquakes and the server racks were not properly secured, then they could potentially move and fall over in the event of an earthquake taking place. A technical vulnerability in the context of physical security would have to do with electrical power and electromagnetic emissions. If a company does not have the proper generators or UPS devices put in place, then if there is a power outage or power surge, they expose their devices to shutting down or taking an over-voltage and damaging the parts. A human-caused vulnerability would be an avenue to exploit and overcome a prevention measure at a company. For example, if a company did not properly restrict the server area or the network closets, then an employee who should not have access would be able to enter these areas which could lead to threats of theft, vandalism, and misuse.
Thanks for sharing Ryan. On top of what you laid out I’d like to point out that communication and collaboration with network security is also crucial. In a lot of cases, a network security team may be interested in vulnerabilities that are identified by the physical security team because they too could pose adverse impacts to their processes. As an example I believe technical threats, such as the one you used, a network team would want be aware of this threat so that it could have controls, such as a load balancer to filter data to an additional data center resource, in place. This would help ensure that there are no control gaps between the two teams as well and it would ensure redundancies are in place to ensure the data can be recovered.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
A company’s physical security team focused on vulnerabilities involving how the data is being accessed and used. It’s important that they monitor how the data is being accessed and making sure that it is lawful and that unauthorized people aren’t getting ahold of private information. They also focus on making sure that people who have authorization to the data aren’t mishandling this information. These vulnerabilities are assessed by security monitoring and implementing security awareness programs including workshops on how to prevent threats as well as deal with them.
How data is accessed and used is imperative and having unauthorized access to private information is already a bad start in physical security. Good mention in applying security awareness workshops Michael. Educating staff and keeping them up-to-date on how serious threats are and steps to prevent them certainly keeps them one step ahead of the game or even further.
Hi Michael,
Good point on emphasizing about security awareness programs. All companies must develop a security education and training programs for employees or people within the company to guide them in their daily basis roles. They must have a security plan depending on the assets they have and each of them must be well protected. As we are talking about physical security, companies must come up with better plan on their surveillance cameras, swiping cards, checking people backgrounds etc..
The types of vulnerabilities that the company focused on during a physical security threat and vulnerability analysis probably are; authentication method(s) for physical entry, having security control hardware installed in all buildings and entrances to different departments within buildings, access logs and tracking for when users use their cards/credentials for access, and camera systems for all grounds/parking lots/buildings/rooms on the business property. One reason implementing PHYSBITS would be beneficial to a company is by including technical departments and rooms into the physical security threat/vulnerability analysis, threat prevention, and breach reaction and solution. I believe it is best if there is, maybe very small, overlap in physical and IT security
Hello Michael,
You make a good point in acknowledging that a company’s physical security team focuses on vulnerabilities involving authentication methods as well as hardware installation. Monitoring how the data is being accessed is important because you want to make sure that only authorized people are gaining access and that unauthorized people are obtaining private information. Implementing a security awareness program is a good option of risk mitigation to deal with these vulnerabilities.
There are three main categories for physical security threats. They are environmental threats, technical threats, and human-caused threats. Likewise there are many physical security controls that can be put in place to mitigate these threats, such as;
– Baricades / Bollards
– Access control vestibules
– Alarms
– Video surveillance
– Guards and access lists / Badge or ID
– Biometrics
– Door access controls
– Cable Locks
– Fencing
– Fire Supression
HI Joshua; great job in providing this list of mitigations to follow your explanation of physical security threats. I did not think of door access controls prior, but this can really help an organization in making sure unauthorized personnel are entering the premises via ‘doorholding’.
Thanks Lauren,
I thought it would be interesting to focus on some of the physical security measures that can be implemented to reduce risks. I also left out a few. Another that comes to mind are signs that can be implemented to keep people away from restricted areas.
Also there are different types of door access controls:
– Conventional (Lock and key)
– Deadbolt (Physical Bolt)
– Electronic (keyless, or pin) I see the pin one in the hospitals I work in all the time.
– Token Based (RFID badge, magnetic swipe card, or key fob)
– Biometric (Hand, fingers or retina)
– & Multi-factor (smart card and pin)
So there are a lot of options!
Hello Joshua,
That’s a great post. Those are some really good ideas for the physical security. However, for the door access control I would say the only best one would be biometric lock. As if its a lock with a key that is provided to a user then it would create a risk. Where if the user lost the key or give those keys to someone. If its a lock with pin then the user could share the pin with other users so I would say the best option would be biometric lock such where the user has to scan their finger to open the door.
Hi Vraj,
You make a good point. I wonder if it would log the person and time / date that they enter a room with a biometric lock. If so, this could be a way to hold a person accountable if any hardware was to go missing. Also seems as though this would be the case with the token Based (RFID badge, magnetic swipe card, or key fob) as well.
The electronic (pin) gets shared all around the enterprise. So a malicious worker could just write down the code and use it to gain access to the room later or after hours.
These are definitely good examples of physical security threat mitigations. To add to the list, more deterrent controls are spotlights and CCTV, and other physical security measures include mantraps, Faraday cages, and air gaps.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
The three main divisions of physical security the team would have looked at are environmental, technical, and human-caused threats. Environmental checks may have included assessing liquid ( most likely water) sources in reference to computing / electric equipment, checking for dust buildup in or around systems, monitoring temperatures to ensure fire prevention, and checking that no hazardous materials are nearby. Technical threats that the team probably checked for include proper voltages and electromagnetic interference. Lastly, the most obvious physical security checks are the human-caused threats, including but not limited to unauthorized physical access from outside personnel that could be the result of a successful social engineering attack that could lead to theft, vandalism and or misuse. All entrances should be secured against this via a form of physical access control, with the most secure areas containing layered forms of mitigation like an entrance log combined with a mantrap.
Physical security encompasses security measures designed to deny unauthorized access and protect assets from damage or harm (espionage, theft, or terrorist attacks).
When an organization focuses on physical security, the goal is to create programs to identify and mitigate vulnerabilities/gaps related to unauthorized physical access that could disrupt its mission-critical objectives.
Such security programs define the measures that protect organizations from loss caused by vulnerabilities like theft, fire, flood, intentional destruction, unintentional damage, mechanical equipment failure, and power failures.
As a result of identified vulnerabilities, mitigating controls would then be implemented to ensure physical and environmental security through security measures in a defined structure. These controls, if adequate, will deter or prevent unauthorized access to sensitive infrastructure, i.e., hardware, software, network, and human assets. Examples of physical controls are Closed-circuit surveillance cameras, Motion or thermal alarm systems, and Security guards.
Physical security measures are designed to protect buildings, and safeguard the equipment inside. In other words, they keep unwanted people out, and give access to authorized individuals. When a company’s physical security team analyzes threats and vulnerabilities, they have to first look at the three main categories of threats which are: environmental (tornado, hurricane, earthquake, etc.), technical (under/overvoltage, noise), and human-caused (unauthorized physical access, theft, vandalism). People and hardware can fall victim to weather, crime, and other types of dangers if not properly prepared. Access control, intrusion protection, alarm systems, surveillance cameras, employee awareness are ways to help mitigate risk.
Hello Chris,
Good point about people and hardware falling victim to weather crime and the other dangers, I think that gets lost sometimes. I also agree that security measures are designed to protect the building/assets and keep unwanted people out
Hello Christopher.
Well said. Concerning your statement that “People and hardware can fall victim to the weather, crime, and other types of dangers if not adequately prepared.” The physical security team should analyze every vulnerability/threat possible regardless of the nature or type. From the analysis of such, the appropriate controls can then be recommended/implemented for mitigation. Every exposure can crystalize into risk and, as such, should be adequately analyzed and mitigated.
Christopher,
You made great points. With surveillance cameras and key fobs, organizations have security guards and a sign in sheet on top of that to decrease the risk.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
Vulnerabilities the company should focus on include when looking at physical security include technical, environmental, and human-caused. Technical focus on electrical power where the amount of voltage is taken into consideration. Environmental looks at conditions within the environment that could potentially damage services housing data or equipment. Environmental factors can include fire, water damage, chemical, radiological, or biological hazards to name a few. Human-caused vulnerabilities focus on unauthorized physical access, theft of equipment, vandalizing equipment, or misuse of resources.
sources: Vacca, J. R. (2017). Computer and information security handbook.
The type of security the company needs to focus on out of Physical, Technical, and Administrative is Physicals. Based on the senior there could be any type of Physical security the company might be facing. There could be an unauthorized access to the building or to the secure area. There could be a possibility that there is an unauthorized access to the server or to the computer connected to the companies network. There could be an also possibility that their power line or internet connection out side of the building might not be secure from unauthorized person. As a result, I would say they need to focus on securing the physical security by implementing a lock on a door to prevent an authorized person from an secure area and other safeguards to protect their physical security.
The three types of vulnerabilities which can be focused on for a physical security threat assessment are technical, human, and environmental. Technical vulnerabilities encompass technological flaws such as an organization’s lack of an uninterrupted power supple (UPS), or the lack of filters/shielding against electromagnetic interference. Human vulnerabilities can include the lacking of perimeter security at a datacenter, or even employees putting post-it notes with passwords at their desks/workstations; these vulnerabilities lead for human threats to potentially infiltrate company systems. Lastly, environmental vulnerabilities tend to focus on the location of information systems; such as if a datacenter was placed in Key West, FL, which has an alarming hurricane/flooding rate.
Lauren,
The point you made about employees writing down their passwords on post-it notes is a very good point. It seems like something that is obvious to avoid to us, but at an old car dealership I used to work at (not even that long ago), there were many people who worked in the offices who would write their passwords on post-its and tape it to their computers. This was especially prevalent in older coworkers of mine, but not exclusively. I wish that I could look at this companies IT/IS policy and point some things out to my old boss, as car dealerships store a lot of critical data on their networks (credit pulls, bank accounts, titles, etc).
-Mike
I really liked your example of the post-it notes. We hear the stories all the time, but you lived it! I bet the company spent significant money on firewalls, possibly VPN technology, maybe encryption and even PCI audit compliance. Yet at the very base of it was a post-it note with all the info someone needed to gain bona-fide system access. The only thing protecting that post-it note was physical/perimeter security – and at a public location like a car-dealership that would be relatively low. You would want the customers to come into the facility and look at the products (Cars!).
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
They broke it down into 3 types of vulnerabilities
Environmental threats-These are natural disasters such as Flooding, Lightning, Tornados, Hurricanes, Earthquakes
Technical threats- Power issues, Over Voltage, Under Voltage, Loss of Power and Electromagnetic Interference
Human-caused threats- Unauthorized access to the building or restricted areas of the building, Theft- stealing equipment or copying data that should be for business use only and shared with outside threats. Vandalism- destroying the building or building property, and the misuse of company resources
Physical security group within the organization should basically zeroed in on vulnerabilities that emanated from human-centered, technical, and environmental determinants. The article primarily gives an instance of policy that determines way and manner a physical security group would certainly curtail or contain these risks. This policy concentrates on perimeter and equipment security application in regard to general preventative control measures. The procedures and process stated in the policy minimize the risk of unauthorized access to the facility, and theft, and data loss would could derail successful operation of the organization . The policy also requires the organization to embark on monitoring of non-public areas consummate with the asset value they contain. The policy did not fundamentally state that the type of monitoring, but it’s absolutely normal to presume that this would entails environmental vulnerabilities. In that regard, physical security group need to pay attention on who have capacity to access to company assets such as perimeter security, with regard to how they would be able to access assets that is asset security and monitoring their environment to realize the protection of the information asset.
Threats are categorized into three categorifies, including environmental, technical, and human-caused, from a physical security team’s perspective. Examples of exterior environmental threats include inclement weather as well as natural disasters such as tornadoes and hurricanes, which can adversely affect operations of a data center. Data centers are also faced with interior environmental threats, such as inadequate flooding detection systems, which can also negatively impact the operations of a data center. The Vacca reading also notes that technical threats exist, such as insufficient electrical power supply, which could render a data center useless. Finally, the Vacca reading focused on human caused threats, including unauthorized access, theft, vandalism, and misuse.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
It is broken down into three categories:
Environmental, technical, and human causes. Environmental disasters can happen by natural disasters such as tornadoes, floods, and hurricanes. This is why it is extremely important for businesses to have a disaster recovery plan in place.
A technical vulnerability is a hacker accessing data to obtain information.
Additionally, human causes can occur by an employee granting unauthorized access.
When looking at at physical security threats from a security team’s perspective, threats can be classified in one of three – environmental technical, and human-caused vulnerabilities. Some examples of environmental threats could be natural disasters such as fires, floods, tornadoes, hurricanes, etc. Another example of environment threats, one that is not often talked about, could be the recognition of keeping hardware and other technology at the appropriate temperature. If a computer gets too hot, for example, it could be rendered useless. Because of this, it is appropriate to have an understanding of where your offices/data centers may be located and ensuring the ability to maintain these locations appropriately with a/c. Some examples of technical vulnerabilities the team may focus on are electrical power and electromagnetic interference. As far as electrical power, IS typically requires uninterrupted power at all times, and the risk of under voltage/over voltage is a threat the security team must always be ready for. Electromagnetic interference is also a concern because even the smallest of devices are capable of interrupting sensitive electronic equipment. The last risk for vulnerabilities are human-caused threats. These threats are difficult to deal with because they are unpredictable, and they are specifically designed to overcome prevention methods. Examples may include vandalism, theft, and unrestricted access.
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
The company focused on the three main divisions of physical security: environmental, technical, and human-caused threats. Environmental are elements that come from the geography or climate of a location. Technical come from the choices made in designing systems and processes to support the operations of an organization. Lastly the human-caused threats are generally the most complex and difficult to deal with. The human caused threats are constantly shifting and are driven by very unpredictable things – people!
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
Companies need to focus on threats and vulnerabilities in physical security. Physical security and human factors influence the implementation of security training and awareness programs, as human vulnerabilities can be a potential unauthorized access or misuse of the controls the company has implemented. Employee permissions and security awareness need to be increased as one of the key factors in defending against vulnerabilities and securing the environment. For example, reducing unauthorized access to offices and buildings and increasing background checks and scope of authority monitoring for authorized personnel.
It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders. Some vulnerabilities to look at will be
• Natural events (e.g., floods, earthquakes, and tornados)
• Other environmental conditions (e.g., extreme temperatures, high humidity, heavy rains, and lightning)
• Intentional acts of destruction (e.g., theft, vandalism, and arson)
• Unintentionally destructive acts (e.g., spilled drinks, overloaded electrical outlets, and bad plumbing)
Office theft is not limited to material assets. These days data leakage may pose even more severe consequences, including loss of sensitive information, credit card details, intellectual property or identity theft. In some cases, former employees are responsible for data theft. However, cybercriminals can also jeopardize valuable information if it is not adequately protected.
The physical security lists threats and vulnerabilities as environmental, technical and human-centered threats. The team basically responsible of protecting people, property and physical assets from actions and event that could cause damage or loss. The team would consider environmental risks such as extreme temperatures, humidity, rain, lighting, natural events or human errors ( unauthorized access, social engineering, vandalism, misuse) and technical might be configurations, biometrics, camera system.
Per chapter 69 the physical security must prevent misuse of the physical infrastructure that leads to the misuse or damage of the protected information. This includes vandalism, theft of equipment, copying of information or services and unauthorized entry. All of these are examples of physical security breaches due to the human factor. The company and their vulnerabilities are due to the lack of focus on the human element.
Physical security is a vital part of any security plan and is fundamental to all security efforts. Without it, information security, software security, user access security, and network security are considerably more difficult, if not impossible, to initiate. Physical security refers to the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures, and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders. Some vulnerabilities to look at will be
• Natural events (e.g., floods, earthquakes, and tornados)
• Other environmental conditions (e.g., extreme temperatures, high humidity, heavy rains, and lightning)
• Intentional acts of destruction (e.g., theft, vandalism, and arson)
• Unintentionally destructive acts (e.g., spilled drinks, overloaded electrical outlets, and bad plumbing)