Skip to main content

Physical Access

Updated Jan 30, 2024 ·

Physical access controls

Physical access controls are tangible security measures designed to prevent, monitor, or detect direct contact with systems or specific areas within a facility.

Examples of Physical Access Controls

  • Security Guards
  • Fences
  • Motion Detectors
  • Locked Doors/Gates
  • Sealed Windows
  • Lights
  • Cable Protection
  • Laptop Locks
  • Badges
  • Swipe Cards
  • Guard Dogs
  • Cameras
  • Mantraps/Turnstiles
  • Alarms

Priority in Deployment

  • Biggest concern is the safety and security of personnel, followed by the protection of other physical assets belonging to the company.
  • Various physical access control mechanisms can be deployed to manage and monitor access to a facility, ranging from deterrents to detection systems. Each area requires distinct physical access controls, monitoring, and preventive measures.

Physical Security

  • Badge Systems and Gate Entry

    • Examples are Turnstiles, mantraps, remotely/system-controlled door locks.
    • Access control devices are assigned and activated
    • Include biometric characteristics in high-security environments.
    • System compares individual's badge against a verified database.
    • For card types: Bar code, magnetic stripe, proximity, smart, hybrid.

  • Environmental Design

    • Crime Prevention through Environmental Design (CPTED) focuses on passive design elements.
    • Directing flow, signaling authorized spaces, providing visibility to reduce the likelihood of criminal activities.

  • Biometrics

    • User's registered biometric code stored in the system or on a smart card.
    • User presents biometric data for comparison with the stored code.
    • High accuracy, potential expense, user discomfort, privacy concerns, device sanitization challenges.

  • Biometric Types

    • Physiological
      • Fingerprint, iris scan, retinal scan, palm scan, venous scan.
    • Behavioral
      • Voiceprints, signature dynamics, keystroke dynamics.

Securing Facilities

  • Fences

    • Structure that encloses an area using interconnected panels or posts.

    • Crafted with materials such as wood, metal, wiremesh, concrete, etc.

    • Visual deterrent, shows where property starts and ends.

    • Delays intruders, providing security personnel longer time to react.

  • Bollards

    • A bollard is a short post embedded into a street or sidewalk.

    • These posts are common in city and building designs

    • Boundary markings or protective barriers, redirecting vehicular traffic

  • Mantrap

    • A Mantrap is a small room with an entry door on one wall and an exit door on the opposite wall. One door of a mantrap cannot be unlocked and opened until the opposite door has been closed and locked. Mantraps are often used in physical security to separate non-secure areas from secure areas and prevent unauthorized access.

  • Access Control Vestibules

    • Double-door system with two electroniccally-controlled doors that ensure only one door is open at any given time.
    • Like a mantrap, a security vestibule consists of a small space between two sets of doors, but it may be larger and more open.
    • It can serve multiple purposes, such as controlling foot traffic, reducing drafts, or creating a barrier for noise.
    • Prevents the following:

      • Piggybacking

        • Involves two people, with and without access, entering a secure area.
        • Intentionally allowing the second person to enter.

      • Tailgating

        • Unauthorized person closely follows someone with access without their knowledge and consent.

  • Door Locks
    • Padlocks
    • Simple pin and tumbler locks
    • Numeric locks
    • Wireless locks
    • Biometric locks
    • Cipher locks

Surveillance System

Organized strategy or setup designed to observe and report activities in a given area.

  • Security Guards

    • Security guards discourage individuals from attempting unauthorized access.
    • Acts as a visible deterrent against impersonation or tailgating.

  • Video/Cameras (CCTV)

    • Deter criminal activity.
    • Serve as forensic tools.
    • Centrally monitored for swift response.
    • Features:
      • Motion detection
      • Night vision
      • Facial recognition
      • Remote access
      • Pan-tilt-zoom (PTZ)

  • Lighting

    • Proper lighting is crucial for an effective surveillance system.
    • Well-lit areas can also deter criminals
    • Can be integrated with motion sensors - lights on when motion is detected.

  • Motion Sensors

    • Detect and respond to external changes in the environment.
    • Categories:
      • Infrared Sensors
      • Pressure sensors
      • Microwave sensors
      • Ultrasonic sensors

  • Integrated Sensors

    • Deployed in doors, gates, and turnstiles.
    • Strain-sensitive cables and vibration sensors.
    • Detect and respond to potential breaches.

Logging

This includes physical logs, such as sign-in sheets or electronic access system logs. It emphasizes the importance of logs in supporting business needs, compliance, and forensic investigations.

  • Log Protection

    • Essential for legal and business reasons.
    • Safeguarded against manipulation and unauthorized disclosure.

  • Review and Retention

    • Regular log review integral to the security program.
    • Established guidelines for log retention aligned with policy.

  • Log Anomalies

    • Identification of unusual occurrences crucial.
    • Key step in security issue detection during audits or routine monitoring.

  • Business and Legal Variances

    • Varying requirements for log retention.
    • Compliance influenced by legal guidelines and industry standards.

Alarm Systems

Alarm systems aim to promptly notify relevant authorities in case of unexpected events.

  • Basic Functionality

    • Commonly on doors/windows, designed to signal unexpected openings.
    • Simplest form alerts appropriate personnel when unauthorized access occurs.

  • Access Control

    • Authorized access (e.g., code/badge) does not trigger an alarm.
    • Unauthorized access (e.g., forced entry) activates the alarm.

  • Fire Alarm Systems

    • Activated by heat or smoke sensors.
    • Audible warnings safeguard lives and notify local response teams.

  • Emergency Response

    • Panic buttons serve as a quick alert mechanism.
    • When activated, alerts police or security personnel for immediate response.

Visitor Management Policy

A visitor management policy is a vital component of physical access controls, as it helps organizations track and manage visitor access.

  • Ensures legitimacy and monitors movements for facility and asset security.
  • Describe purpose of visits and explain visit approval authority.
  • Describe requirements for unescorted access and who may escort visitors.
  • Visits should be logged, e.g. signing on record book or electroniccally
  • Vistors must wear the visitor badge at all times while inside.
  • Reference: ISC2 Study Guide, Module 2, Physical Access Controls.

Choosing an Access Control System

The following are some considerations:

  • Performance is primary factor.
  • Includes control effectiveness, reliability, scalability, and compatibility.
  • Critical factor is the system's ability to perform its intended function effectively and reliably.

Example:

  • Choosing a biometric system for higher security performance despite complexity.
  • Simplicity and efficiency are secondary considerations.
  • Aesthetic appeal is irrelevant to the primary function of access control.

Primary consideration when choosing physical access controls:

  • While building, equipment, and network security matter, personnel security is the top priority.
  • Examples of Controls: Locks, security cameras, and security personnel.
  • Designed to safeguard both people and assets.
  • Security cameras and personnel to deter and respond to threats like theft, violence, and unauthorized access.

Reference: ISC2 Study Guide, Chapter 3, Module 2.

Site Assessment

  • Factors Considered

    • Sensitivity of protected information,
    • cost of scanners, and
    • impact on employees and operations.

  • Primary Consideration

    • The result of the site assessment.
    • This is a critical factor when implementing access controls for a physical site

  • Example

    • Biometric scanners installed based on sensitivity; needed for server rooms, executive offices, but not break rooms or supply closets.

  • Reference: ISC2 Study Guide, Chapter 3, Module 1.

Physical Attacks

  • Attacking with Brute Force

    • Forcible entry like disabling locks
    • Tampering with security devices
    • Confronting or attacking the security personnel
    • Ramming a barrier with a vehicle

  • Bypassing surveillance systems

    • Visual obstructions
    • Blinding sensors and Cameras
    • Interfering with acoustics
    • Electronic interference
    • Physical environment attack, e.g. causing fire

  • Access badge cloning

    • Refers to copying data from a badge to a blank device
    • Cloned badge can then be used to trick the system
    • How attackers clone badges:
      • Scanning
      • Data exfiltration
      • Writing to a new card
      • Using a cloned access badge