3.2 - Physical Security


 

Key Terms: 

    • National Institute of Standards and Technology (NIST) – An institute that publishes and standardises security controls and assessment procedures to protect information systems. 
    • Bump key – A key cut to the number nine position with some of the front and shank removed. 
    • Scrubbing – A lock picking method where the internal pins are pushed down with calculated pressure. 
    • Lock shim – A thin and stiff piece of metal that is used to open a padlock. 

 

Prevention 

It is much easier to prevent an attack than to recover from one. Prevention means securing a system so that it is harder to access, which can stop attacks from occurring. Most attackers look for easy targets to exploit, so with prevention measures in place a business will be less of a target. 

 

Detection 

If a breach does occur, a business must be able to identify it almost immediately. The business must also find out when it occurred, the point of entry, which systems were accessed and if anything was taken or damaged. 

 

Recovery 

Once a breach happens, a business needs to be able to recover quickly and secure any vulnerabilities that caused it to happen. It can do this by reviewing company policy, the system security profile and access points. Then, any damaged or stolen components should be repaired or replaced. 

 

Defence in Depth 

This is the idea of layering defences so that if an attacker breaches one layer, they are faced with another line of defence. This greatly increases the overall security of an organisation. 

 

Types of Security 

    • Perimeter – Like a fence or wall, it prevents attackers from reaching inside the organisation. It can also include guards and CCTV cameras. Authorised people must be able to access the facility, so an entry point must be set up with a gate. This gate must be secured by an authenticator such as a card reader or biometric scanner. 
    • Access – Used to regulate access to the facility itself. An example of access security is a card reader on a door. However, card readers can be breached by card cloning, emulation or card theft. They can also be breached by tailgating, a technique where an attacker follows an authorised individual inside. To prevent this, employee education, turnstiles and mantraps are used. 

 

Physical Security Attacks 

There are many types of physical security attacks: 

    • Theft – Thefts of devices and hardware can cause major security risks to company data and system access. 
    • Vandalism – Purposeful damage to property. These attacks are usually motivated by revenge. 
    • Destruction – Similar to vandalism; however, it involves the complete eradication of a company’s assets, costing it a lot of money. 
    • Man-made disaster – A human-made attack on a business. 
    • Natural disaster – A natural attack on a business such as an earthquake or wildfire. 
    • Utility loss 
    • Equipment failure 

 

Lock Bypassing 

    • Bump key – A bump key is cut to the number 9 position, the lowest possible cut. The key is inserted into the lock, then the attacker strikes the back of the key, so the lock pins jump and allow the door to be unlocked. 
    • Lock picking – A way of manipulating the lock pins to open a door. The attacker needs a tension wrench and a pick to pick a lock. There are many methods of picking locks. Scrubbing involves holding the lock with the tension wrench whilst the pins are scraped with the pick to push them into position. 
    • Lock shim – A small thin piece of metal that can be inserted into a padlock or latch. 

 

Physical Attacks 

    • Cold boot attack – A hacker breaks into the facility and extracts data from RAM that is still available before the system is powered off. 
    • Badge cloning – Many companies use badges that contain RFID chips to open locked doors. The door lock scans the badge to verify the identity of the person trying to get in. However, RFID chips are easily cloned and a copy can be made in seconds. A hacker needs an RFID reader, a real company card and a blank, writeable RFID card. The attacker reads the data on the real card using the reader and writes it onto the blank card. This can all be done with a tool called a Flipper Zero, a small penetration testing device. 
    • BIOS access – The hacker changes the boot order of a PC so that they can bypass the installed OS and gain access to the machine. 
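
A detection-side illustration of the badge cloning item above, added here and not part of the original notes: a cloned badge carries the same ID as the genuine one, so the same ID being granted at two different sites closer together in time than anyone could travel suggests a copy is in use. The log format, the site and door names and the 30-minute threshold are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample door-controller log (this format is an assumption).
SAMPLE_LOG = """\
2024-03-04T08:01:12 site=HQ door=LOBBY-A badge=10443 result=GRANTED
2024-03-04T08:03:40 site=HQ door=LAB-2 badge=10443 result=GRANTED
2024-03-04T08:09:05 site=DEPOT door=GATE-1 badge=10443 result=GRANTED
2024-03-04T08:15:30 site=HQ door=LOBBY-A badge=20871 result=DENIED
2024-03-04T11:45:00 site=DEPOT door=GATE-1 badge=20871 result=GRANTED
2024-03-04T12:50:00 site=HQ door=LOBBY-A badge=20871 result=GRANTED
"""

# Assumed minimum realistic travel time between any two sites.
MIN_TRAVEL = timedelta(minutes=30)


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def find_impossible_travel(log_text, min_travel=MIN_TRAVEL):
    """Return (badge, from_site, to_site, gap) for each suspicious pair."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    last_granted = {}  # badge ID -> most recent GRANTED event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "GRANTED":
            continue  # denied reads do not place the badge inside a site
        prev = last_granted.get(ev["badge"])
        if prev and prev["site"] != ev["site"]:
            gap = ev["time"] - prev["time"]
            if gap < min_travel:
                alerts.append((ev["badge"], prev["site"], ev["site"], gap))
        last_granted[ev["badge"]] = ev
    return alerts


if __name__ == "__main__":
    for badge, src, dst, gap in find_impossible_travel(SAMPLE_LOG):
        print(f"badge {badge}: {src} -> {dst} in {gap} (possible clone)")
```

This ties back to the Detection section: the alert gives the time, the point of entry and the badge involved, which is the information needed to start an investigation.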

 

NIST 

The National Institute of Standards and Technology (NIST) has released a publication called “NIST SP 800-53”, which contains a list of security controls and assessment procedures an organisation should implement to protect itself against attackers. 
