What physical security risks are created by an organization’s implementation of a PHYSBITS solution? What mitigations would you recommend to lessen them?
Nicholas Foster says
PHYSBITS aims to leverage both IT security and physical security in tandem. The aim is to consolidate the two security types into a holistic approach in order to minimize the gaps that come with having them viewed/implemented separately. One of the largest physical security risks created by implementing PHYSBITS, in my opinion, is power outages in a centralized system for physical and IT security. We are seeing states like Texas and California with power grid issues. Having redundancy is vital to keeping the centralized system active. This also piggybacks into temperature/humidity controls that are reliant on electricity as well. Data centers require a very specific environment to operate effectively. To counteract the power outages and ensure redundancy as well as temperature/humidity controls, I would implement emergency standby generators and uninterruptible power supplies (UPSs). Additionally, for the temperature issue, have chillers separate from the building's HVAC, dedicated to where IT hardware that runs hot is stored, i.e. data centers and networking closets.
Kenneth Saltisky says
Hi Nicholas,
I agree with your solutions of implementing redundancy through standby generators as well as separate HVAC systems in place. Having only a centralized solution where all systems rely on one power source will lead to a complete system failure in the event that the power source goes down for any number of reasons.
Matthew Stasiak says
Implementing smarter technology in a system always comes with its own risks because there will always be new workarounds for breaching such a system, with our example being PHYSBITS. Almost all RFID chips can be taken and cloned if used around the wrong people or if they have been scouted beforehand. We can mitigate this by encrypting the chip and the information that it gives off so it can only communicate with devices that have the key to that encryption, or even just by ensuring that each person that has an ID is using their own ID and not another person's. Besides the technological aspect, people are prone to mistakes and could possibly lose their identification, which is why it is crucial that guidelines are put in place to counteract such instances where an actor might intercept such a card and try to use it maliciously.
David Vanaman says
Smart cards are not just able to be cloned or spoofed; they are single-factor authentication. They can easily be stolen or found and used by someone other than the intended individual as authorization. They should always be paired with a second factor and compensating controls to ensure that they can't be used by an unauthorized individual.
Nicholas Foster says
I completely agree, Dave. Smart cards that leverage RFID are not only susceptible to cloning and replay attacks; they are also a single source of access. Something you have should be coupled with something you know (PIN/password) or something you are (biometrics) in order to minimize the risk that comes with losing the card or having it stolen.
Christa Giordano says
PHYSBITS connects physical security and IT security controls, which can be a challenging task. There are a number of things to consider, but the overarching issue is related to physical access credentials. Some things to consider include what type of credential will be used for physical access, e.g. ID badge, PIN, biometric data, token, a combination of the aforementioned items, etc. In addition, which areas of the building require physical access controls will need to be determined, including restricted access. First, roles and responsibilities need to be clearly defined related to provisioning of access and ongoing monitoring of access. Considerations should include the parameters that need to be in place for vacations or extended leaves, visitor and vendor management, employee transfers and terminations, and lost or stolen credentials. It is important that these are clearly defined because many times control gaps reside in the handoff between departments if more than one department is responsible; examples could include security, IT, Human Resources, individual departments, etc. Determining which individuals have access to which locations of the building and the physical premises, and the type of access (24 hours a day/7 days a week, 9-5, etc.), is also critical. A strong building security policy, defined onboarding and offboarding procedures, and required access reviews at a pre-determined frequency can help mitigate some of these risks. If a security guard or police officer is not stationed at entrances and exits, anti-passback and/or anti-piggybacking technology can help reduce the risk of someone gaining access when they should not. Another important detective control is maintaining and reviewing audit logs. For example, if card reader access is used, swipe data can be analyzed to identify unusual or suspicious behavior.
Kenneth Saltisky says
Hi Christa,
You bring up a lot of good points regarding physical access controls, access management, and log management. Organizations need to be aware of potential flaws in their implementations of PHYSBITS solutions and how to mitigate the risks with these flaws. As such, implementing specific plans for scenarios involving employee leave and utilizing anti-piggy-backing technology are good examples of mitigations.
Jill Brummer says
PHYSBITS is a solution to eliminate duplicated efforts, combine or address the risks related to physical security and IT security, and support overall enterprise risk management needs. Some physical risks that are created when an organization implements PHYSBITS are card life cycle management, access card specifications, and audit trails. It typically takes more than one department working together and communicating in order for PHYSBITS to be successful (e.g. HR and IT Security). The following are some security risks created by implementing a PHYSBITS solution:
– Perimeter intrusion, occupancy, access methods, internal and external facility monitoring and containment, authorization for users to access the IT services to which they are entitled
– Incompatibilities between building access hardware tokens and IT access tokens
– Forensic investigations struggle to relate physical access logs to IT access logs
– Log management not consistent, indicating logs might not be able to be used as evidence
– Costly, manual processes for new hires and contractors to get building access set up and changed when needed
Some mitigations I would recommend are the following:
– Implement integrated user administration
– Integrate security monitoring and security reporting (i.e. physical access logs and IT access logs)
– Centralize user provisioning
– Use compatible user tokens for both building access hardware and IT access
– Centralize and standardize policy management
– Integrate applications with the IT security processes (event management systems, vulnerability assessment systems, security management products)
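Christa's point above about analyzing swipe data (an anti-passback check) and Jill's point about relating physical access logs to IT access logs, as one added example that is not code from any post, from the article, or from a real badge system. The two log formats, the badge-to-user mapping, and every name and timestamp are constructed assumptions for the illustration.

```python
"""Two detections over badge-swipe and IT logon logs (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass
class BadgeEvent:
    ts: datetime
    badge_id: str
    door: str
    direction: str  # "in" or "out"


@dataclass
class LogonEvent:
    ts: datetime
    user: str
    host: str
    source: str  # "console" (physically at the machine) or "vpn"


# Constructed sample feeds; the formats are assumed for this example, a real
# deployment would export them from the badge controller and the SIEM.
BADGE_LOG = """\
2024-03-04T08:01:10,B1001,lobby,in
2024-03-04T08:03:00,B1002,lobby,in
2024-03-04T08:30:00,B1001,lobby,in
2024-03-04T12:00:00,B1002,lobby,out
2024-03-04T17:05:00,B1001,lobby,out
"""

LOGON_LOG = """\
2024-03-04T08:10:00,alice,ws-12,console
2024-03-04T13:30:00,bob,ws-07,console
2024-03-04T14:00:00,carol,vpn-gw,vpn
"""

# Integrated user administration: one record ties each badge to its IT identity.
BADGE_TO_USER: Dict[str, str] = {"B1001": "alice", "B1002": "bob", "B1003": "carol"}


def parse_badge_log(text: str) -> List[BadgeEvent]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, badge_id, door, direction = line.split(",")
            events.append(BadgeEvent(datetime.fromisoformat(ts), badge_id, door, direction))
    return sorted(events, key=lambda e: e.ts)


def parse_logon_log(text: str) -> List[LogonEvent]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host, source = line.split(",")
            events.append(LogonEvent(datetime.fromisoformat(ts), user, host, source))
    return sorted(events, key=lambda e: e.ts)


def anti_passback_violations(events: List[BadgeEvent]) -> List[Tuple[str, datetime]]:
    """Hard anti-passback: every badge starts 'outside'; an 'in' while already
    inside, or an 'out' while outside, is flagged. A repeated 'in' is what a
    cloned card, or a holder who tailgated out, looks like in the swipe data."""
    inside: Dict[str, bool] = {}
    violations = []
    for e in events:
        if (e.direction == "in") == inside.get(e.badge_id, False):
            violations.append((e.badge_id, e.ts))
        inside[e.badge_id] = e.direction == "in"
    return violations


def is_inside_at(events: List[BadgeEvent], badge_id: str, ts: datetime) -> bool:
    """Replay the badge's events up to ts; inside if the latest one was 'in'."""
    state = False
    for e in events:
        if e.badge_id == badge_id and e.ts <= ts:
            state = e.direction == "in"
    return state


def console_logons_without_presence(badge_events: List[BadgeEvent],
                                    logon_events: List[LogonEvent],
                                    badge_to_user: Dict[str, str]) -> List[Tuple[str, datetime]]:
    """Correlate the two logs: a console logon by a user whose badge says they
    are not in the building is visible only when both logs are read together."""
    user_to_badge = {u: b for b, u in badge_to_user.items()}
    findings = []
    for logon in logon_events:
        if logon.source != "console":
            continue  # remote (VPN) logons do not require physical presence
        badge = user_to_badge.get(logon.user)
        if badge is None or not is_inside_at(badge_events, badge, logon.ts):
            findings.append((logon.user, logon.ts))
    return findings


if __name__ == "__main__":
    badges = parse_badge_log(BADGE_LOG)
    logons = parse_logon_log(LOGON_LOG)
    print("anti-passback:", anti_passback_violations(badges))
    print("logon without presence:", console_logons_without_presence(badges, logons, BADGE_TO_USER))
```

On the sample data the first check flags badge B1001 re-entering at 08:30 without an exit, and the second flags bob's console logon at 13:30 after he badged out at noon.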
Kenneth Saltisky says
Hi Jill,
I like your inclusion of utilizing user tokens for both building access and IT access. However, there is a potential risk for a single point of failure if the shared user token is stolen in some way. I would also implement multi-factor authentication in some way on top of a shared token as threat actors would have a more difficult time utilizing stolen credentials to access assets.
Kenneth Saltisky says
The implementation of PHYSBITS opens the opportunity to automate the user provisioning process. Some risks that come with implementing PHYSBITS are associated with technical and human risks. For example, technical threats such as power outages or some form of technical interference and human risks such as general misuse and theft may occur. In mitigating these threats, I would utilize a proper power backup system and follow procedures to secure assets from technical interferences. For the human risks, security awareness training helps to ensure proper usage of the PHYSBITS solution and helps to report and identify suspicious activity. Also, implementing multi-factor authentication as a part of the solution can help to mitigate risks related to credential or physical theft as a threat actor would require multiple pieces of information/identification.
Maxwell ODonnell says
I agree that MFA would be a valuable mitigation tool to help protect physical assets from unwarranted access. Adding a second layer makes it that much more difficult for an attacker to gain access to data, further discouraging them from their attack.
Shepherd Shenjere says
The article lays out the importance of physical security within enterprise organizations. According to the article, “physical security focuses on the protection of assets, personnel, and structures against potential assessed risks. In addition, managing the flow of individuals and assets into, out of or within a facility are extremely important aspects of physical security.” However, without proper coordination between physical and IT security, a lot of issues may arise. So, it's key for every organization to ensure that all these flaws are addressed by reducing administrative overhead through automation of the manual processes for provisioning and de-provisioning users, and by introducing other policies that may help to alleviate the potential risks or protect the organization from them. One example of a risk that an organization may encounter is the use of smart cards. Risk may come through a lost/stolen card or improper usage.
David Vanaman says
PHYSBITS aimed to address something that we take for granted today: physical security and IT security need to work in parallel. For a long time, these were considered separate issues and often under very different bosses without good intercommunication and coordination. PHYSBITS was a way to integrate these two groups and leverage technology to make both stronger together than they were apart. Overall, this is a very positive step, but it has a few vulnerabilities. The first is that this is centralizing access control. This creates a potential single point of failure that is particularly vulnerable to loss of power. Smart cards have their own vulnerabilities: cloning, spoofing, theft, etc. In the event of a stolen or compromised smart card, the malicious actor has both the physical access and the data access of that credential.
Shepherd Shenjere says
Hello David,
I totally agree with you with the notion that the process of integrating physical security and IT security leads organizations to centralize their access control. Once that happens, it leaves a wide room for a single point of failure. I still believe these two can be separated, but the communication between the two areas must flow properly to avoid potential risks.
Abayomi Aiyedebinu says
PHYSBITS is an integral part of the organization because it attempts to integrate physical security and IT security. The article opined that effective security should coordinate physical and IT infrastructure, as this will help organizations to reduce cost and improve security through provisioning, auditing and management of physical and IT resources. However, human error is inevitable, and implementing it poses some risk. For example, using smart cards to gain entry has its own vulnerabilities, which include theft and cloning, which can lead to unauthorized access and entry. In addition, tailgating is another vulnerability that could be exploited if a person forgets to close or lock the server room or is not aware that someone is tailgating them; this human error could also be exploited. Some of these risks could be mitigated by using trap doors where one door closes before another one opens, real-time CCTV that monitors entry and exit and ongoing activities, and swipe cards with a PIN and multifactor authentication, in addition to updating access control privileges and badges.
Parmita Patel says
The physical security risks are a lack of integration between building access and the business processes for new hires and previous employees. The one way we have access to buildings is physical ID cards that let us into the building. These badges can be easily accessed because they can get lost or stolen. There should be guardrails placed to make sure that once these cards are stolen or misplaced, no one would be able to use them to get into the building or access floors. I think employees should be held more heavily responsible if they are being careless about taking care of them. I also think after employees leave the firm the cards should be collected back for security reasons in the future.
Matthew Stasiak says
I completely agree, Parmita. Sometimes it seems like the least obvious security measure can be breached for the simplest reason. Whether or not responsibility is held upon a worker's hands for the accident is a very difficult situation, because one person might lose it once by accident and another person might lose it five times, so there needs to be a scale.
Maxwell ODonnell says
The aim of implementing PHYSBITS solutions is to combine and leverage both physical and IT security; combining the two creates a more well-rounded and practical security environment. While this union of the two is important, it does come with downsides. Primarily, I see a lapse in coordination and policy for IT and physical security as being one of them. Without proper coordination between the two departments, loopholes can form which are ripe for exploitation. To mitigate this risk, it would be paramount to centralize control to quickly coordinate security protocols and find flaws quickly, instead of having to travel through multiple channels to convey the same message. A more concrete problem would be keycard access to physical locations: RFID tags can be spoofed, allowing potential attackers access to vulnerable areas. To mitigate this risk, the security department would have to constantly monitor who is going where and when, to flag suspicious behavior. Multifactor identification could be another layer of protection against these sorts of intrusions; an employee ID may be able to be spoofed, but having another layer of authentication would further prevent intrusion.
David Vanaman says
I think a part of the PHYSBITS concept is that physical and IT security should no longer be separate departments. They should be united under a single leader with unified and coordinated policies and procedures. The two groups overlap so much that they are stronger working together than they are working separately.
Samuel Omotosho says
Following the adoption of a PHYSBITS system, an organization should take into account physical security risks that might occur, for instance, tailgating and theft of identity. When someone who is not allowed to enter a certain place follows an individual allowed to enter the place, it is known as tailgating. Also, when people enter through an entrance and just the first person has to swipe a card or show identification, this will threaten the security of the organization (Ahola, 2020). People who are following the person who has swiped the card will certainly have no issue entering the premises. Therefore, it poses a risk if the individuals are not authorized. Theft of identity is when a person uses someone else’s card to pass through an entrance.
Mitigations for Physical Security Risks Created when Adopting PHYSBITS Systems
Educating the staff on physical security is a plan to end tailgating. This is far less dependable but much less expensive. It entails training staff members on the issue of physical security and distributing rules and regulations to be followed. The organization can also include instructions like avoiding holding the doors for people who are not allowed into the premises (Ahola, 2020). Additionally, the organization ought to urge staff members to alert security officers about any instances of tailgating they observe.
Additionally, the organization should demand that IDs or PINs be scanned before entering an area that is restricted. Apart from IDs and PINs, the organization needs to ensure that every person visiting the premises is listed by giving them visitor cards. This way, they can easily know when someone new and unrecognized entered places that are not authorized.
Abayomi Aiyedebinu says
Hi Samuel, SETA programs help to sensitize employees about some of the risks faced by PHYSBITS, for example tailgating, piggybacking and social engineering. If organizations can educate their employees regularly, they will be more informed.