A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
Nicholas Foster says
There are three factors that should be analyzed for physical security threats and vulnerabilities for its systems. These are administrative (human-driven), environmental, and technical. The administrative side would be misuse of or unauthorized access of the system and its controls. Environmental would be weather/internal and external temperature/internal and external humidity levels, and related environmental events such as flooding, hurricanes, wildfires, etc. Technical would fall to things like power (voltage) and any possible interference such as electromagnetic. The reading from Vacca outlines policies that should be implemented to help combat these vulnerabilities. These can be summarized into who is accessing the company’s resources (perimeter defense), what are they doing with these resources (asset protection), and environmental monitoring both internally (temperature/humidity) as well as externally (natural disasters).
Kenneth Saltisky says
Hi Nicholas,
I like your summarization of the policies that should be implemented to combat physical security vulnerabilities. This covers a good amount of potential vulnerabilities in relation to physical security.
Jill Brummer says
After a company’s physical security team analyzed physical security threats and vulnerabilities for its systems, some types of vulnerabilities the company focused on were related to the Environmental, Technical, and Human-caused physical threats. Some vulnerabilities related to these threats that the company should focus on are the following:
– Not minimizing risk by choosing a site that is not at high risk for natural disaster
– Store paper files and records in the IS area, instead store them in fireproof cabinets
– Records needed for reconstruction, not stored off site
– Didn’t have up-to-date duplicate of all programs
– Didn’t have a power off switch
– Didn’t have a contingency plan for use of equipment in case computers are destroyed
– Didn’t have smoke detectors and raised floors
– Didn’t have layout of water supply lines
– Didn’t have shutoff valves
– Didn’t employ a UPS for each piece of critical equipment
– There were unauthorized insiders/employees that had access to equipment
– Security device controls the power switch
– There wasn’t a centralized location for all alerts and alarms
It is important for a company to not only protect against the threats, but also protect and mitigate the risk of the vulnerabilities.
Matthew Stasiak says
The company focused on physical unauthorized access and system interferences. The remaining mitigation involves physical and environmental and equipment security. Physical and environmental would involve natural disasters that might cause data centers or other access to be halted. Equipment security typically refers to the technical aspects such as unauthorized access whether physical or digital.
Kenneth Saltisky says
Hi Matthew,
I would add potential power outages or technical interferences caused by malicious individuals as a potential vulnerability since it is also an important consideration that combines physical and environmental factors.
Christa Giordano says
The company’s focus was on physical security threats and vulnerabilities; the assessment considered Environmental, Technical, and Human-caused vulnerabilities. Environmental vulnerabilities include natural disasters such as hurricanes and blizzards, fire, smoke, and water damage, temperature and humidity concerns and chemical, radiological and biological such as anthrax or ricin. Technical vulnerabilities include electricity such as outages, undercurrents or overcurrents, which can usually be addressed by ensuring an uninterrupted power supply (UPS) is in place, and electromagnetic interference from machinery, fans or power cords which could cause interference with a system. The most challenging vulnerability to address is the human element or human-caused physical threat, which includes unauthorized access, theft, vandalism, and misuse of assets. Unauthorized access can encompass all entry points into the building such as main entrance, exits, attached parking garages, delivery bays, egress and fire exits, balconies, etc.
Jill Brummer says
I agree with your summary and absolutely agree with the point you made that the most challenging vulnerability is the human element. I also haven’t thought about the radiological and biological vulnerabilities, but that is also a very good point that may easily be overlooked because it isn’t usually high on the list or even mentioned as a vulnerability.
Nicholas Foster says
Christa, I like that you included chemical, radiological and biological related vulnerabilities. I then instantly thought of gamma rays. That was something I didn’t take into consideration originally, but if you work for a company that regularly deals with these hazards it makes sense to incorporate them in your list of possible vulnerabilities. One that comes to mind immediately is nuclear power plants that leverage uranium. Nuclear radiation can act almost like an EMP.
David Vanaman says
A company’s physical security team analyzed physical security threats and vulnerabilities for its systems. What types of vulnerabilities did the company focus on?
A physical threat assessment would focus on two major categories: access and power. Access is the ability for someone to get from the public sidewalk to physical proximity to data storage and remove it (results in loss of confidentiality and availability). What prevents a person from walking out of the building with a hard drive, file folder, or workstation? Vulnerabilities to focus on would be those that allow access into the building and once inside, into more secure areas where data is stored. Mitigations to consider include fences, locks, cameras, guards, limited access areas, and other impediments to unauthorized access.
Power addresses a loss of availability due to power outage. This can be from a natural disaster, accident, or malicious action. One of the most common remediations for a power outage is having an onsite backup generator or an offsite hot backup.
Shepherd Shenjere says
According to VACCA, “Human-Caused Physical Threats are more difficult to deal with than Environmental and Technical threats.” So, it is key for a company to focus on threats such as unauthorized physical access, theft, vandalism, and misuse. As discussed by VACCA, all these threats must be addressed thoroughly, because it involves humans and has the power to control and take over everything, and human-caused threats are less predictable than other types of physical threats.
Kenneth Saltisky says
Hi Shepherd,
I agree that human-caused threats are more difficult to prepare for since there are more possibilities and room for manipulation. Environmental factors can be predictable, and technical factors, although possible to manipulate by humans, can be prepared for and mitigated more easily than human-related risks.
Abayomi Aiyedebinu says
Hi Shepherd,
Human-caused physical threats are more difficult to deal with, especially if the insider threat is malicious and they have access and authorization to key components of the IT infrastructure of the company.
Matthew Stasiak says
I totally agree. Natural disasters can usually be prepared for and slightly mitigated. On the other hand, physical threats are expected but the company never knows at what time or how bad it will hit.
Kenneth Saltisky says
Physical security teams should focus on two types of vulnerabilities: human and environmental. Human vulnerabilities would be potential unauthorized access or the misuse of controls put in place. Environmental vulnerabilities would include if anything is susceptible to natural disasters and what precautions are in place to mitigate these threats. This can also include malicious threats by others that include environmental threats, such as a power outage or starting a fire.
Abayomi Aiyedebinu says
Hi Kenneth,
I agree with you; organizations should have a preparedness mechanism in place to mitigate against environmental vulnerabilities that could happen.
Shepherd Shenjere says
Hello Kenneth,
I like that you also spoke about environmental vulnerabilities that involve natural disasters. So, it should be a focal point for organizations to identify a suitable location to run their business.
Abayomi Aiyedebinu says
The physical security team should focus on human and environmental threats. Human error is inevitable; therefore adequate controls should be put in place to mitigate the risk posed by humans. However, some of these risks are non-malicious but they can lead to vulnerabilities that can be exploited. In addition to that, every organization should have a preparedness mechanism for tackling issues relating to environmental hazards and disasters, especially with regard to cooling systems in a bid to avoid corrosion. Technical threats should not be left out because they pose a physical threat to IT infrastructure; a typical example is the electromagnetic discharge and obstruction.
Maxwell ODonnell says
I like that you mention often that human error is non-malicious; often people with the best intentions can end up doing harm. A simple lapse in security-aware judgment, just trying to do the right thing and making an exception to policy (i.e. giving out a password, holding a door, etc.) can open up a vulnerability and lead to a breach.
Maxwell ODonnell says
A company focusing on physical security threats and vulnerabilities would have to focus on a variety of things like technical components, access, human and environmental. Technical problems have to do with power access and the availability of power; the security team would want to ensure backup power in the event of an outage as well as having the requisite safeguards in place in the event of a power surge. Access has to do with managing who has access to where the data is being stored and how that access is granted. Human threats have to do with human-based attacks, thefts, or misuse of data. Lastly, environmental threats have a lot in common with technical threats because they mostly pertain to natural disasters that can cause outages or damage to physical assets.
Jill Brummer says
I agree with your summary and all of the vulnerabilities you have listed as what the company would focus on. I do think that it’s important to note that the human threats and vulnerabilities are the most difficult to protect against.
Samuel Omotosho says
The company chooses to focus on a firewall’s susceptibility that might allow hackers to enter a computer network. Without particular procedures in place, the security of the organization’s system might be compromised. For instance, when the computer is linked to an insecure network, the lack of updates, inferior products, and unsolved development issues expose the organization to serious computer security risks.