Security+: Physical Security and Environmental Controls (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
In addition to IT security, physical security and environmental controls are also essential for the revival and survival of an organization. Physical security and environmental controls fall under the second domain (compliance and operational security) of the Security+ exam.
When someone designs a new facility, he/she must consider the environmental factors. The underlying concepts are essential in this regard.
HVAC stands for heating, ventilating, and air-conditioning. HVAC management is responsible for controlling temperature and humidity to provide indoor air quality and thermal comfort (satisfaction with the thermal environment). Ventilating involves oxygen replenishment, temperature control, and the removal of smoke, heat, odor, moisture, and carbon dioxide from the environment. For organizations, the humidity level should be kept between 40% and 60%.
Fire can be one of the dangerous elements in any organization. It often occurs when electrical equipment is improperly managed. For example, overheated systems or networking apparatus, or mismanaged power cables and power strips (distribution nodes) can lead to a fire disaster.
Early detection and suppression can significantly lessen the impact of fire on equipment and facilities. In the event of a fire, the following techniques must be used.
- Call emergency service provided by the organization or the state.
- Use fire extinguisher.
- Activate water-based systems, but never where most of the electrical equipment is installed because water may cause electrocution there.
- Never use elevators.
- Follow escape plan or evacuation guidelines .
Electromagnetic interference (EMI) shielding is essential for both power-distribution cables and network-communication cables. EMI shielding protects cables against incoming and outgoing emissions of electromagnetic frequencies. Shielding requires the proper use of EMI shielding gaskets and conductive silicones.
Hot and Cold Aisles
Hot and cold aisles are used in layout design to maintain optimum operating temperature for server racks and other computing apparatus in a large data center. The objective of the hot/cold aisle is to lower cooling costs and conserve energy by managing the airflow of the data center.
Environmental monitoring involves the regular audit of the environment within the facility. The audit is performed on important environmental factors, including temperature, humidity, smoke, dust, and other debris. More advanced factors can also be a part of the audit, such as biological, microbiological, radiological, and chemical detectors.
Temperature and Humidity Controls
As mentioned in the previous sections, temperature and humidity controls are a part of environmental monitoring and HVAC management.
Physical security is a prerequisite to overall security. The security professionals must use prevention, deterrence, and detection mechanisms to prevent physical security violations. Doing so requires the use of underlying physical security controls.
In addition to fences and walls, some other security mechanisms must be involved to prevent unauthorized entities into the secured facility. The gates and doors should be locked properly by using hardware locks, smart or electronic locks, and conventional locks that employ traditional metal keys so that only authorized workers can unlock them.
One of the popular electric locks is a biometric lock that requires the worker to present a biometric factor, such as hand, finger, or retina to the scanner. A person cannot enter a secured room unless his/her is biometrically verified.
Electronic access control (EAC) is another great mechanism that involves the smart cards or PIN codes. An EAC system uses electromagnetic means to keep a door close and allows only authorized entries.
A mantrap is a physical security access control system consisting of a small room with two sets of interlocking doors, one in the trusted entry and is the other in the exit door. The mantrap works in the following way:
- Someone enters into the mantrap.
- Both doors are
- The person uses an authenticated procedure to unlock the inner door. If access is denied, the security alarm rings and the unauthorized person is detained in the mantrap.
Video surveillance and closed-circuit television (CCTV) are used to record incidents inside or outside the secured environment. Security management installs surveillance cameras mostly on the entry and exit points to watch the movements of suspects. Other important monitory points include valuable resources and assets.
A camera must be connected to a storage media (hard drives or NVRAM) to store recorded videos. These videos can be used to track personnel movements, capture a suspect, or detect policy violations.
Fencing is defines a perimeter to differentiate between specifically protected and non-protected areas. It often involves concrete walls, barbed wires, chain-link fences, stripes painted on the ground, or invisible perimeters that include heat detectors and laser beams.
A proximity reader is a type of access card system. The worker is not required to insert a card physically. Instead, the proximity reader will sense the card if it is within a specified minimum distance. In addition, the proximity reader uses electromagnetic waves to sense the card.
Protecting entry or exit points requires surveillance cameras, security guards, and biometrically controlled doors. Surveillance cameras record every person who visits the secured facility. A list of all visitors should be created to help track down perpetrators and to verify all workers when an incident occurs.
Although lighting isn’t a strong deterrent, it can be used to discourage intruders, prowlers, and trespassers. For more effective results, lighting should be combined with CCTV, dogs, guards, or any other form of intrusion detection.
Signs are used to display safety warnings and to indicate security cameras. These are helpful in preventing minor violations and guiding people into adherence or compliance with safety precautions and rules.
Security guards are fundamental elements of physical security because all other security controls, whether active surveillance or detection mechanisms, rely on these guards to deter physical attacks and intrusions.
In addition to fencing (discussed in the previous section), barricades are used to control foot and vehicle traffic. A barricade is the first line of defense at critical facilities, including military bases, embassies, and nuclear facilities. Examples of barricades include tire shredders, bollards, large planters, and zigzag queues.
Biometrics is an authentication or identification mechanism used to provide authorized access to the secured environment.
Protected Distribution (Cabling)
Protected distributions are also referred to as protected distribution systems (PDSs). PDSs are used to protect cables against unauthorized access. PDSs use various techniques to protect cables, such as sealed connections, protective conduits, and periodic human audits.
Alarms are intrusion detection systems (IDSs) that are designed to detect intrusions, attacks, or breaches. IDSs ring an alarm when someone attempts to gain access to an unauthorized entry point. The alarm can be of various types, including deterrent alarms, repellent alarms, and notification alarms.
Alarms can also be categorized based on their locations. These categories include local alarm system, central station systems, and auxiliary station systems.
A motion detector is a device that observes movement in a particular area. There are many types of motion detectors, including passive audio, photoelectric, capacitance, wave pattern, heat-based, and infrared-based.
Control types are used to ensure that only authorized persons have access to the computing equipment and other resources. Many control types are discussed below.
Deterrent controls are meant to ensure compliance with security policies and warn a would-be attacker not to take unwanted actions. Safety warnings are examples of deterrent controls.
Preventive controls are deployed to block or thwart incidents from happening. Various type of preventive controls include IPSs, firewalls, antivirus software, security policies, CCTV, penetration testing, smart cards, alarm systems, mantraps, lighting, and so on.
Detective controls are deployed to detect or discover unauthorized or unwanted activities. A detective control operates when an event has taken place. For example, if an intrusion has occurred, the detective control is employed to detect it. There are many types of detective controls, including security guards, audit trails, honeynets or honeypots, IDS, and incident examinations.
Compensating or compensation controls are deployed to provide many options to other existing controls to assist in the enforcement of security policy. A compensating control can be used in place of another control or along with another control. For instance, the protection of PII is the responsibility of the organization. An audit reveals that a preventive control encrypts all PII data in the databases, but PII transmitted over the network is unencrypted. In this situation, the compensation control can be used along with preventive control to protect PII data while in transit.
Technical controls involve the hardware and software solutions used to control access and to provide protection for computing equipment and other resources in a secured environment. Examples of technical controls include encryption, firewalls, access control lists, IDSs, routers, and authentication methods.
Administrative or management controls are the rules and regulations described in the organization’s security policy. Among examples of administrative controls are hiring practices, security awareness training, data labeling and classification, background checks, policies, and procedures.
InfoSec Security+ Boot Camp
The InfoSec Institute offers a Security+ Boot Camp that teaches the information theory and reinforces that theory with hands-on exercises that help you learn by doing.
InfoSec also offers thousands of articles on all manner of security topics.