Chapter 9. Physical Security

Physical security is often dealt with by the facilities department, especially in larger organizations; thus it is often beyond the remit of the information security team. The security team is responsible for identifying and analyzing possible threats and vulnerabilities and recommending appropriate countermeasures to increase the overall security of a department or the organization as a whole. Physical security is often a feature of regulatory compliance regimes and vendor assessment questionnaires, as well as materially impacting the security of the systems and data that you are tasked with protecting. For this reason, at least a high-level understanding of physical security approaches should be attempted. The physical security aspect should be included in any internal assessments, as well as being in scope for penetration tests.

Social engineering remains to this day a very effective way of accessing the inside of a network. It is within our nature to trust others at their word without verification. The goal of physical security is to prevent an attacker from bypassing these controls. As is the case with other aspects of information security, physical security should be applied as defense in depth. It is broken into two sections: physical and operational. Physical covers controls such as door locks and cameras, while operational covers employee access, visitor access, and training, to name just a few examples.

In this chapter you will learn ...