Physical Security – CompTIA A+ 220-1002 – 2.1

If your network isn’t physically secure, then you can’t rely on digital security. In this video, you’ll learn about methods to secure physical doors, data center cabinets, LCD screens, and more.


If you’ve ever entered a data center, you may have had to go through a mantrap. This is a very common form of physical security that allows you to manage who is able to move through a particular area at any particular time. A mantrap is usually a small area with two doors where only one person or very few people are able to move through at any particular time.

One common configuration with mantraps is that both doors are unlocked. And as soon as the first door is open, the other door locks. So you can only have one door open at any particular time. Or maybe all doors are locked. And as soon as one person is able to badge in and unlock that door, all of the other doors are prevented at that point from unlocking until that door closes behind that person.

The real key with the mantrap is you never have both doors open at the same time. There’s always going to be a controlled flow. And there may be times when you bring a number of people into the mantrap and then process them. You can check their ID, see what type of equipment they have with them, and make sure you know exactly who is going into the data center and who is leaving the data center.
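As an added example (not code from the original video), this Python simulation models the two mantrap interlock policies described above and enforces the property that both doors are never open at once. The door names and badge IDs are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass
class Door:
    locked: bool
    is_open: bool = False

class Mantrap:
    def __init__(self, policy: str, authorized_badges: set[str]):
        if policy not in ("unlocked_default", "locked_default"):
            raise ValueError(policy)
        self.policy = policy
        self.authorized = authorized_badges  # constructed badge IDs for the demo
        locked = policy == "locked_default"  # rest state depends on the policy
        self.doors = {"outer": Door(locked), "inner": Door(locked)}

    def _other(self, name: str) -> Door:
        return self.doors["inner" if name == "outer" else "outer"]

    def both_open(self) -> bool:  # the invariant: this must always be False
        return all(d.is_open for d in self.doors.values())

    def badge(self, name: str, badge_id: str) -> bool:
        # locked_default: a valid badge unlocks this door only while the other
        # door is closed and locked, i.e. nobody is mid-transit.
        other = self._other(name)
        if badge_id not in self.authorized or other.is_open or not other.locked:
            return False
        self.doors[name].locked = False
        return True

    def open(self, name: str) -> bool:
        door, other = self.doors[name], self._other(name)
        if door.locked or other.is_open:
            return False
        door.is_open, other.locked = True, True  # opening one door locks the other
        return True

    def close(self, name: str) -> bool:
        door, other = self.doors[name], self._other(name)
        if not door.is_open:
            return False
        door.is_open = False
        if self.policy == "unlocked_default":
            other.locked = False  # back to rest state: both doors unlocked
        else:
            door.locked = True    # back to rest state: both doors locked
        return True
```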

There are many different ways to physically lock and unlock a door. The most common ways, of course, are with the conventional lock and key or with a deadbolt that’s used to lock a door solidly in place. In environments where there may be many people going in and out of the door, you may be using an electronic lock, which doesn’t require a key. It may require entering a PIN to gain access to a room, for example.

Or it may be token-based entry, where you have a key fob or RFID tag associated with an access card, and that’s what you use to lock and unlock the door. Some organizations will employ biometric readers so they can check a fingerprint or a handprint to determine if you should gain access to a particular area. And very often, these access controls are combined together. You may be using a fingerprint with a PIN in what we call multi-factor authentication, so that it’s not just one method that gains you access to a room but a combination of different methods working together.

Here’s the inside of an access card that has the RFID chip right in the middle, so that small dark chip that you see. The rest of this card is used as an antenna, which is able to passively receive power from the source, power the chip, and then be able to send information back. A similar technology is used with key fobs. These are usually attached to a key ring, and you would put the key fob up to the door to be able to unlock that door.

Some types of physical security involve token-based access, which means you need some type of device to provide a token or certificate to gain access to that resource. Smart cards, for example, are very commonly used with desktop and laptop systems that can be integrated with an ID card. And then you can insert that card into the computer or the door in order to gain access to those resources. These are often combined with a personal identification number, so you have to not only have the card but you have to know the secret number to go along with that card.

A USB token is another common way to provide token-based access. The certificate or token would go on the USB drive, and the USB drive would be inserted to gain access to the resource. There are also other types of hardware or software-based token generators. This one has a pseudo-random number that is created on the device. There’s also software-based token generators that are similar to this but they operate on a mobile phone app. And your phone itself may be an authentication device. You may receive a text message with a code, and you would insert that code into the authentication system.

A security guard is a physical person who’s in charge of allowing access to or from a particular area. The security guard is not only responsible for making sure that the physical area is protected but they can also be in charge of making sure that only employees are entering the building. It’s also common to have guests check in at the security guard station to gain access to the building.

In many organizations, you’re provided with an ID badge that has your name and other information about your employment. This is a good way to check that people who are in the building are supposed to be there, so it’s very common that everybody is required to wear that ID badge at all times. It’s also common that guests are given a guest ID badge so that you can easily tell who is a guest and who’s an employee. And the security guard may be in charge of the access list. The access list is a list of people who are allowed in the building. And if somebody is not on the access list, the security guard would prevent them from entering.

Biometric authentication is validating a part of you. This might be your voice print or a fingerprint or some other type of physical representation of who you are. For example, the biometric system may be storing a mathematical representation of your fingerprint. It’s not really saving a picture of your fingerprint, but it has used an algorithm to determine how your fingerprint is designed, and it can then compare other fingerprints using that same algorithm.

Although we commonly change our passwords, it’s very difficult to change something biometrically. You’re not going to change a retinal scan or a fingerprint scan very easily. And therefore, you know that this particular type of authentication will always be connected with a certain person. Biometric authentication is getting better and better, but it’s still not foolproof. We tend to combine biometrics with some other type of authentication. So you may use a fingerprint and a personal identification number to gain access to a particular area.

One way to protect devices from being stolen is to physically tether them with a cable lock. You can use cable locks in an office environment or when you’re mobile to make sure that those devices stay exactly where you left them. Many of our mobile devices have reinforced notches on them, so you’re able to insert these types of cable locks, lock them in place, and be sure that those devices are not able to go anywhere else. These cables are thin, and they can be cut with the right type of equipment, so they’re not designed to be a long-term security solution. If you need to protect your mobile devices temporarily, you may want to consider using one of these cable locks.

Data centers are large rooms with usually many racks that store computing and networking equipment. And the people that enter the data center may only be responsible for some of those cabinets. There may be one group in charge of one set of cabinets and another group in charge of another. In order to provide security and separation for those cabinets, it’s very common to have locks on these data center cabinets to prevent unauthorized people from gaining access to the equipment inside.

Because of the limited amount of room in a data center, these racks are usually placed right next to each other. So having the locks allows you to keep everything close but also have everything protected. There’s usually ventilation provided on the top, the bottom, or the sides of the cabinets, so you can still have air flowing through but protect the contents inside of the cabinet.

Some organizations want to prevent any access to the USB interfaces on a computer. So there are physical locks that you can get to connect to these USB interfaces. These are usually secondary security devices that you would use in conjunction with disabling the interfaces in the BIOS of the computer. No lock is impenetrable, and no BIOS setting is permanent, so we know that we need to layer this security into what we call defense in depth: the more types of security in different layers, the more secure a device is going to be.

This is the USB lock itself that is currently connected to the insertion tool. You would insert this into a USB interface, and then disconnect the insertion device. And now that lock is permanently attached to the USB interface and you’re not able to plug any other USB devices into it. You have to have this special insertion key to be able to insert the device and then remove it from the USB interface without damaging the interface.

If you travel with a laptop, you may want to consider using a privacy filter. This is a filter you put over the screen of your laptop, and anyone who’s not sitting directly in front of the laptop simply sees a black screen. The filters themselves have a very narrow angle of view, so someone could be sitting next to you on an airplane but still not be able to see anything on your laptop screen. From a best practice perspective, it’s always a good idea to sit with your back to the wall or sit where no one’s able to see your screen when you’re using it. And if you are sitting somewhere, like a coffee shop or a flight where there’s a number of people who could see your screen, it’s always a good idea to have that privacy filter to protect from prying eyes.