1. Physical Security Controls
In this video, we’re going to be talking about physical security and a whole variety of different physical security controls that we can apply with securing our systems, networks and people. Now, let’s I always start out physical security. Whether I’m teaching a Security Plus, I’m teaching a CISSP or even an A plus class. I always start out with a saying that goes like, there is no security without physical security. As It. Folks. We don’t think of physical security too much. When most It people think of security, we think of firewalls, IDs systems, antiviruses updates, but we don’t actually think about door locks. We don’t think about security guards. We don’t think about alarms, right? We don’t think about camera systems. These are things that we’re going to have to keep in mind as we manage our overall security programs within our businesses. Keep in mind, I don’t care how good your firewall is. If I can just walk into the organization and pick up your computer and walk back out with the data. You don’t have much security, do you? So we need to ensure that our systems are secure.
And in this section, we’re going to be looking at a bunch of variety of different physical security controls. Okay, so let’s get started. I have a whole bunch of them that I want to talk about, and we’ll talk about what they can stop and what you need to know about your exam. Okay, so the first one up, one good control we can have is Bollards and barricades. So here’s what these are. So I have a little bit of a link here that we can take a look at. And this is what these are. Now, you’ve probably seen these Boulers in front of buildings and you’re wondering, well, what is it that these things do? What this can do is stop cars from running into your building. These things go way down into the earth and they’re very strong and sturdy, and they can help stop cars from coming in and hitting your building. And they come in a variety of different strengths. This is just the sleeves, by the way.
These are not the actual bollards themselves. If you’re wondering how are they so cheap, well, here you go. Different types of sleeves that they have, but here’s the real bold arts themselves and how expensive these are going to be. Okay, the other thing here you’re going to have that I want you guys to know for your exam is a man trap. By the way, barricades. Barricades will be used to stop traffic coming in. You can see these on when there’s a show going on, there’s all types of barricades, so you can’t go into certain places.
Now what I want to show you guys is a man trap. So here’s an example of a man trap. And man traps are basically double doors, all right? So what a man trap is, you basically have two doors with an authentication system in the middle. Now why you need man trap is because of two things, something called piggybacking and tailgate in all these terms for your exam. So let’s talk about piggybacking. You’re walking through a door and you see somebody coming behind you. So you hold the door for them. That person is not supposed to be in that building, but you just let them in.
That’s piggyback in tailgating is when you’re walking through a door and the door didn’t completely shut behind you and you didn’t even realize that somebody was walking behind you and they walked right in with you. Now you didn’t realize it versus the piggyback in which you did. You actually let them in in the tailgate and they just caught the door before it was closed. The way to stop these things is going to use man traps. Now man traps are double doors. So basically you walk into it’s generally a space, a confined space. You walk into this door and there’s another door on the opposite end. Now in the middle of it, it’s going to have some kind of authenticator, which means you can put a smart card, a biometric, even a security guard checking your ID. And once you’re authenticated in the trap, per se, then you can exit out on the next door.
So this is generally how they work. Man traps are great security devices, so we can ensure that tailgate and piggybacking and only authorized personnel get into your physical space. Now the other thing here we have are going to be badges. Badges. You’re walking around touch that, security guards walking around with badges. Badges will let people know the authority of that particular person know that that’s a security guard. But badges are also going to be used to get into certain areas that may need certain badging alarms. Well, alarms is physical security 101. You guys probably have alarms on your house. You have alarm on windows. You have alarm on doors.
That way when the alarm system is set, anyone that opens these doors open these windows, you will be able to tell us the alarm system will go off. Another thing you want to have is signage. So having a variety of different signs throughout your organization letting visitors know where to go. So you can have a sign that says restricted area employees only or authorized personnel only. You have a sign that says visitor areas only. Signage is going to be really important throughout, maybe because they could be hazard equipment, hazard materials, or even think of like a wet floor sign where it could be hazardous for people to walk there. To signage throughout your organization is very important for keeping people safe and keeping our authorized personnel out.
The other thing here we’re going to have is going to be cameras. Now the cameras themselves and combined with CCTV, closed circuit television, these are camera systems that we’re going to have that monitors our entire environment. And a lot of systems comes with many cameras where security guards are constantly monitoring them and when it’s hard to monitor them, you may have cameras that does these things. Motion recognition and object recognition. So motion recognition, my cameras do this and all of our locations, just a general things. So what motion recognition does is the camera system can actually detect when there is motion and it starts to record.
If you have a high definition camera, like a 4K camera, you don’t want it recording all the time. That thing will generate a lot of data, filling up your hard drives very, very fast. 4k footage is a large amount of footage, so large in terms of megabytes, so you don’t want that. So what you can do is set the camera to do motion. So the camera has motion sensors on it. When the camera detects motion, it turns on, it starts recording. When there’s no motion, it turns back off.
The other one that’s mentioned is object detection. Object detection is going to be done with artificial intelligence that’s built into camera systems. What object detection means is that it can detect certain objects, such as humans moving about the place. So in stores nowadays, you may have an object detection camera system that can detect where the humans are and where they’re moving and how they’re moving and how long they spend in the store. You can also have object detection, detect certain objects that you may want to keep an eye on. This is mostly done with artificial intelligence that can actually look at the camera footage and detect the objects within the actual footage itself.
Another thing you may have is industrial camouflage. This is camouflage gear that you can wear to blend into the environment. Think of more like military gear there, okay? When it comes to personnel, security guards is one of the most important and one of the best security controls you can have. There’s nothing better than having a security guard that can monitor the environment and even scare people off and even stop intruders from getting in or stop these from getting out of your environment. Security guards needs to be well trained and they need to follow all the policies within the organization. The other thing you have is a robot sensors.
These are going to be robots that can greet people. Now there are robots like this already that exists. Receptions have to be trained to know who to allow in and who to allow and who not to allow in. They should have an entry log of who should be coming in and out. Another thing you’re going to have is what’s known as two person integrity control. Two person integrity control allows two people to do one particular task. That way one person doesn’t have the power to do the entire task themselves. What happens is when one person is able to do a task that all by themselves, there is a probability that they can commit fraud. Two person control will break this up. So one person break the task into two. That way, it’s harder for one person to commit fraud all by themselves. They would have to collude together to do this.
This is a form of what’s known as separation of duties. Separation of duties, for example, in two person control is when you would have okay, one person can write the check, and the same person will reconcile the bank account. If that’s me, I can write a fraudulent check to myself and no one will ever know because I’m going to verify it myself. But if it was a two person control, one person, I’m going to write it. Another person verifies the bank account. Now we’re breaking the task into two. For me to commit fraud, it’d be a lot harder because I need to convince that guy to go along with the fraud with me. Okay, so these are a variety of different physical security controls that you may see appear on your exam. Just know what they are. They’re not going to bombard you with specific questions about it, but it shouldn’t be too difficult for your exam.
2. Other physical security controls
In this video, I’m going to be talking about some additional physical security things that we should know for exam, that can include sensors, visitor logs, faraday cages, DMZs, and different types of secure areas. So let’s get into it quite a lot here to get through. Let’s knock them out pretty quickly. Now, once again, I got to remind you for your exam, you’re not taking a physical security exam. You just need to know what these things are for your exam.
Not in depth, just know what they are. So let’s knock them out quickly. Okay? So throughout the physical environment, you’re going to have a variety of different sensors that can detect different things. For example, alarm systems may have motion detections on it or noise detector. That way they can detect if there is an intrusion happened. Most of them are motion detectors, so if I’m moving around back and forth, the detector can come on and detect me. The alarm system will go off. Some of them can even detect noise. Proximity readers are used to read proximity cards, like credit cards or smart cards to allow people to get in and out. There’s even sensors to detect moisture. If there’s too much moisture in the air, or if some places getting flooded, the alarm could also go on. Now, as I mentioned here, proximity readers can read certain types of cards.
Certain types of cards that are used to get into different locations would be like a smart card that you can use to get in and out of locations. Another sensor you have is going to be temperature sensors. So this is going to be important because in server rooms, you don’t want to place getting too hot. If it does, the air system should cool it down very quickly, or it should set off some kind of alarm in case the air conditioning system is broken or the HVAC heating, ventilation and acid, or the HVAC system is broken so administrators can go and take actions immediately.
Drones or UAVs. What these are going to be are systems that you can use to monitor the external environment. Drones have cameras on them and they’re able to see down over an environment. Some buildings have drones that are permanently put up there. They come up, and now we need it to be charged and they’re replaced quickly, so they always have a physical view of all that’s happening around the area. As people come in and out of your environment, you want to make sure that you have visitor logs. So visitor logs are going to be two things. Number one, visitor logs you can have pre made ahead of time. So if we have ten visitors coming in that day, you have a log of these ten people should be allowed. And here are their names. When they show up, you check their ID. You also have visitor log that you just keep a track of who’s coming in and out. Even if they’re not premade.
Another thing you have is going to be a Faraday cage. This is a term that you may see pop up on your exam here. A Faraday cage is basically a device that allows you these are proximity cards. I was going to show you guys that. Let’s take a look at Faraday cages. So Faraday cages are basically these large enclosures that stops all electrical signals from coming in and out. So Faraday cages, they got a couple of examples here. You know what, I saw a good one on the images here. I thought I had saved it, but I did not. Here’s a good example. This is a Faraday cage.
So remember, if you put things into Faraday cages, there will be no EMI electromagnetic interference. There will be no Emanation of signals coming in and out of these devices. You guys want to hear something crazy? There are technologies out there that can capture the radiation coming out of my monitor and recreate my screen. Electromagnetic radiation, ferret a cages are ways that to stop these particular things from happening. They shield them with something called tempest based technology. But remember, when you put something in a Faraday cage, there’s no signal coming in and out of that system at all. So Faraday cages, even though they’re not that popular, they are used in military systems. A system that is considered air gap is a system that’s completely disconnected from your network, has no connection to your network.
One thing to do with air gap systems, you can put like ICS systems on air gap, which means no connection to your network. And you also will have and you want to protect your physical cable distribution. Now, protected cable distribution systems, what this is, is you’re going to have to protect where your network cables are running so they’re shielded and no one can gain access to them. DMZ. Now, DMZ, most It folks know DMZ as a section of your network that’s off your network, where you allow public services. This is where you put your web server, where you would put your email relay service. Basically a public access space. So DMZ can also be a physical part of your network. Where you do put doesn’t have to be a logical thing.
It could be a physical part of your network where you would put your actual physically accessible servers like your web server or email service. Now, when it comes to secure areas, we have things where what can we do to secure items in our secure areas? Well, a vault, so is a good thing to do. Vaults and safes that you can use in order to secure those particular devices. So you could put example, what would you put in a safe? Backup, tapes, installation media. You’d put in vaults and safes. Now, I do want to mention this thing called hot aisles and cold aisles. And this is how they design data centers.
So I got a good picture of one here. Here we go. This guy had just gone to Google, and I had just typed hot aisles in data centers, and I found this great image here that really illustrates that for us. So when they’re building these data centers, all of these racks and racks and racks of machine, they have to know how to cool them. So the coal aisle is pushing up cool air. The racks and the machines are sucking into the cool air. But as they suck in the cool air, they, of course, warm it up at all the components being very hot in the machines.
Then it’s exhaust out into the hot aisles. And then there are some kind of air intake systems where it sucks into where it sucks up this hot air, cools it down, pushes it back out. So this is the flow of the air here. So, remember, coal isles is just where you would get the cold air the machines are sucking in, and then it’s exhausting out this hot air that it didn’t get picked up, cooled, and it starts the circulation process again. It’s really how that works. Okay, so these here are some good physical security controls. Make sure to review some of these things, because some of these terms, such as hot isle or cold island, ferride cage, may appear on your exam.
3. Locks and Fencings
In this video we’re going to be talking about some additional physical security controls that we need to know for exam in particularly locks, USB locks, lighting and different fence heights that we need to know for example. Let’s take a look. Okay, so the first thing we’re going to talk about is locks. Now I’m assuming you all know what locks are, right? Locks that you have on your door. Now I’m going to show you a variety of different locks here that our exam wants us to know such as a biometrics lock and an electronic locks. Now biometrics locks are becoming more and more popular for our exam.
In fact, I was looking at one and I was telling my wife earlier that I should get one of these. Here is a biometric fingerprint lock and the way this thing works is it’s basically just a deadbolt that uses rechargeable batteries in it and you charge this by connecting a power bank to it to charge it. And basically you put your thumbprint to log in and basically it opens up the bolt for you. So I thought that this here was a pretty cool lock that you can put in on your house or put in secure areas. So biometrics lock would be using some form of biometrics authentication. The other one you have is no is what’s known as an electronic lock. Electronic locks. Here’s a biometric electronic lock. And electronic lock means that it’s using electricity to power up the lock, not just battery that is in there. Electronics locks are very popular.
You have them in all different types of business settings, not so much so as you would in home settings. Now locks are generally physical, okay? Locks are generally going to be physical as they’re physical devices that you touch and feel. A logical lock is software that you use to secure data. So the opposite of physical would be logical. So logical locks would be like encryption or firewalls that we use to secure data. Versus physical locks would be things like we just see here, like these biometrics lock. The other thing we should be familiar with is going to be a cable lock. Now a cable lock, where is my cable lock? Here we go. So a cable lock, here’s an example of this.
This is a laptop cable lock and basically what this does is this basically has an end that plugs into your laptop as you can see there and it locks into the laptop. So I have my laptop right here that we’re going to take a look at. So this laptop has the ability to be cable lock and that goes a little hole right there, make this big screen. This one has a little hole right there that these cable locks would go into them and it locks directly in there. Now you can tell because it actually has a little lock icon on it.
So these cable locks are very good to use because then no one can steal your laptop right off of your desk. Also, you have cable locks that can connect to desktops, even monitors, so people can steal your physical equipment. Okay, the other thing here I want to mention is something called a USB data blocker. Now, here’s an example of one of these things, a USB data blocker. Here we go. USB data blocker. So the way this works is let’s say you have your phone. You have your phone and you want to plug it into a computer. But the problem with this is to charge it. The problem that would happen here is if there’s malware on the computer or malware on the phone, it can infect each other. So if there’s malware on the computer, we can infect it and we can then steal data off of people’s phone. So one of the things we could do is to get one of these devices and you notice it’s only $6. Oops, I forgot to show you. I’m sorry, with that. Here we go. Sorry, with that. This is a USB data blocker. So what this is, like I said, it’s basically a little USB stick. Looks like a little USB stick. And you can see how it looks there when it’s connected. So basically you would plug this into your computer. You would plug a USB to charging cable for this into there. And what it does is that it allows you to charge. You can see in this diagram, you could see that in the standard one, they have more Pins in there versus the data blocker doesn’t have any Pins for data, it just has Pins to charge.
So I could take this, I could plug it into my computer, I can then charge my phone with it. And what would happen is going to be I’ll charge the phone, but no data can be transferred between the computer and the phone and vice versa. So this is a great little device to do. If you’re walking around with your phone and you’re using it to charge your phone on different devices, this would be a great thing to have. That way people can’t hack the data off your phone when connected to a computer. Okay, lighten. When it comes to physical security, one of the things you must have is lighten. You must have the correct lights if you don’t have light. Sometimes camera cannot detect an intrusion. Sometimes thieves can hide in areas where there’s no lighting.
So you got to have the correct illumination to illuminate areas when it gets dark so you could see what’s happening. Remember, if you kill the visibility of a security guard or cameras, they become pretty useless at that point. Lastly, here I want to talk about is fences. So there’s a wide variety of fences and the industry has come up with what is known as fence heights. Now, I don’t know if your exam is going to go in and actually these particular fence heights. But these were pretty standard numbers when it came to how high fences should be. Now for example, a fence is three to 4ft could deter casual trespassers. Six to 7ft is considered too tall to climb easily. Now the good secure fences will generally be 3ft with three strands of bob wire is generally good. Fence is a good fence height with good security. Remember, fences is going to help to define your area.
It’s going to help to stop and troops from getting in your area. You’re going to have to make sure that the fences are correctly heighted. In other words, they’re an adequate height. You don’t want a fence that’s 2ft tall, so you just walk right over it. You want a fence that can deter people. And especially if you have the 8ft with the three strands of barbed wire. This would be a fence that could really deter people. A fences really can’t stop a determined truth. If you’re really determined to get through to break through a fence, you have chainlink fences, different utilities that you can use to cut the fence. Okay. But this is fencing. It really does help to set the boundaries around your area.
4. Fire Suppression
In this video, we’re going to be talking about fire suppression. Now in particularly, we’re going to be talking about fire extinguishers. Now you should be familiar with the extinguishers, the rating on them, and basically what type of fires they can out for your exam. So fire extinguishers, I think you know what that is, right? I extinguishes fire. But these fire extinguishers basically come in different ratings. For example, A is common combustionable. B is liquid, c, electrical. And D is now the metals. Now let’s take a look at some extinguishers. And then we’ll go back here to this chart. I’m going to go here to Google fire extinguisher raiden I’m going to take a look at.
And you’ll notice that when you get a fire extinguisher, you’ll notice that they have a particular raiden on it. Like, here’s a great picture of that. So you look at the fire extinguisher, it’s telling you that this is a dry chemical fire extinguisher. And then it has a big ray in on it. So what you want to do is you want to be able to know what these raidens are. Now remember, fire can kill people. So we need to understand what these raidens would actually mean.
So I have a little table here we should take a look at. So if an extinguisher is a class A, like that one we saw was an ABC, it was an ABC. This one here can basically extinguish common combustible fires. That would be like wood, paper, cloth, plastic, or some examples. The suppression method is generally water, soda, acid, or dried powder. Then you have a class B. This is generally a liquid fire, petroleum, oil, alcohol. This is CO2 or soda acid. Then you have a class C electrical fire for electrical equipment. This here could also a suppression method here would be some kind of oxygen removable system. And then D has flammable metals. This is generally for dried powder. Sodium, potassium are different forms of metals there. Now, one of the things that we have here is an easy way to help memorize these extinguishers. So when somebody says to me, well, Andrew, what’s A, B? What’s? A C? What’s a d. What’s an a? Look a is Ash right? So if you burn common combustion, it turns to ash. If you burn liquid, it will boil. For B, electrical is current and metals will dent.
Okay? So that’s an easy way to remember on that. Let’s do a quick quiz. So which extinguisher outs electrical fire? ABCD. So remember, electrical is current. So that’s a C, right? Which extinguisher does common combustible? So if you burn common combustible, it turns to A for ash. If you burn liquid, then that will boil. So that’s B and metals will dent. So that’s all right. Pretty easy way to remember that. Just review that. Make sure you know these for your tests.
5. Secure data destruction
In this video, I’m going to be talking about data destruction. Now, first of all, before we get into that, we got to talk about where is data stored? Data in businesses today are basically going to be stored in two places. You’re either going to be storing data in digital storage, which is more than likely going to be things on hard drives, USB sticks, DVDs. Are you going to store data in physical? Physical data storage is on paper. So when we talk of data destruction, we got to consider both destroying data in both form, physical and digital. Now there’s a couple of things here to remember.
The topic really is about data remnants. It’s in logical data storage. Like on a hard drive, when you delete the data, it’s not actually gone. In fact, the data is still there. If you have a file on your desktop and you click on it and you press delete, it’s not deleted, it’s still there. What it did is that it marked the sector as read, writeable. Until you really overwrite that data, it’s technically still there. So what happens is you want to physically destroy the media. And this is a popular thing to do in businesses. A lot of businesses will shred hard drives or degauss them.
And then for paper, you can also burn hard drive. I’ll show you guys an interesting YouTube video on that one. Well, I’ll show you where to find that. But when it comes to paper, you can shred them, you can pulp them, turn them back into liquid chemicals. But let’s get into this. Let me show you what I mean. So first of all, let’s get into this. The first thing is burning. So if it’s paper, you can burn paper incinerated. And you can even incinerate hard drive. Now, this is not something that’s very popular, but I did find a here’s a YouTube video. And we’re not going to watch a YouTube video here in Glasgow, but I did find a YouTube video where they take drives, shredded hard drives and materials. They put it into a chamber and then they burn it. Basically. Here’s a giant chamber. You can see it burns the hell out of it, burning it down completely. So they burn solid state DVDs, rams, cell phones and other media and equipment that they can burn. So incinerate them and when they’re done, they actually give you a certificate of disruption, being that certified that they have killed and deleted the data completely. When it’s burned, there’s no coming back anymore.
The other thing you can do is shredders. So you guys may have seen in different office stores, you can do shredding. This is going to be for paper. So you could shred paper, but you can also shred hard drives. This is something that most people don’t know, but big organizations do it all the time. Here are hard drive shredders and they look like big copy machines. So in these things that look like big copy machines.
Basically, you put the drives in, they have rollers within the machines themselves. And when they’re done, they take the hard drive like we have here and turn it into little parts. There’s a great way to eliminate data completely. I saw an interesting one here. Hold on 1 second. I mean, look at this. Look at this one. This one is look how shredded that is. That’s really shredded. I mean, you could never recreate that. Look at that one. That one is so shredded you could probably eat that and still lives like dust. I recommend that you probably could. The other thing here is pulpin. So this is basically going to be used for paper. It’s shredded to the point with a chemical that basically turns it liquid, that basically turns it into liquid polarizes. This you can do with hammers and physical destruction of the media. Although I think Shredder hard drive would be better.
The other one I want you guys to know for your exam in particular is something called a degosser. Here is a hard drive degaur. Now, a degausser is basically a device that you put the drives into. Now, this only works on magnetic media. This here you would use. You put the drive in and it would basically run a giant magnet across the debacle I’m the drive. How fast? 7 seconds it takes to do this. It’s not super expensive for an organization. And if you’re wondering do we do this? Yes. Because to meet a whole bunch of laws like the General Data Protection Regulations, GDPR, PCI, HIPAA Compliance, and important laws we’ll talk about later in the class, to meet this, you would use this device. Now, this is a big magnet that they run across the hard drive.
If you’re wondering how big is the magnet? Well, the device isn’t very large, but it weighs £34, which is quite heavy for a device that is just that small. Remember, it’s not a very big device. Look at that. It has a hard drive in there. Now, keep in mind that the Gaussers don’t work against non magnetic media. They’re not going to work against a solid state hard drive, a DVD or a USB stick. You would only use this for magnetic media, which is generally disheartendrives and tape media. Okay? The other one. Here I have is third party solutions. So third party solutions. This is when you hire external companies to do this for you. Companies like Iron Mountain and different types of businesses are out there to do this for you, in which case they would shred documents and they would have services to shred hard drives also. Okay? So very important you should expect expect to see maybe a couple of these things on your exam, especially the Shredder, the hard drives or the Gaussian is a pretty popular topic for your exam.