CHAPTER 5
Infrastructure Security: Review Questions and Hands-On Exercises

Review the following summary points before proceeding to the “Review Questions” and “Exam Questions” sections at the end of this chapter to make sure you are comfortable with each concept. After completing the review, answer the review questions to verify your knowledge of the material covered in Part I.

Summary Points

  • Security is the science, technique, and art of establishing a system of exclusion and inclusion of individuals, systems, media, content, and objects.
  • Physical security is the science, technique, and art of establishing a system of exclusion and inclusion for tangible assets. In practice, this involves policies, practices, and steps aimed at combating theft, preventing physical damage, maintaining system integrity and services, and limiting unauthorized disclosure of information.
  • Cybersecurity involves securing physical access to property, systems, and equipment ports while securing intangible assets including electronic, optical, and informational access to the system’s data and controls.
  • Infrastructure security refers to physical security initiatives that are applied to providing security for the basic physical and organizational structures needed for the operation of an enterprise, organization, or society.
  • Securing the outer perimeter involves controlling who can move (walk, drive, fly) across the physical or logical line that marks that perimeter. Examples of typical physical outer perimeters include property lines or the exterior walls of a building or complex.
  • The inner perimeter typically involves physical barriers such as walls, doors, and windows—either exterior or interior depending on the context of the outer perimeter.
  • The interior is the innermost level of security and consists of the interior of the building, office, cubicle, etc. that is surrounded by the inner and outer perimeters.
  • Natural access control involves using natural design elements, such as structures and landscaping, to guide people as they enter and exit spaces.
  • Territorial reinforcement employs structures, systems, and devices to prevent unauthorized entry and create a clear difference between what is public and private.
  • Infrastructure security operation and management is based on three basic types of subsystems: access-control and monitoring systems; intrusion-detection and reporting systems; and video surveillance systems.
  • Access control is the first major component of a physical security system. The first and most basic objective of any infrastructure security system is to deter potential intruders. This is the goal of access control. Intruders can’t damage, destroy, or steal what they can’t get to.
  • A right is a legal privilege or permission granted to someone, or some group, by some recognized source of authority. This source can be a government, a legally recognized governmental agent, or a legally recognized owner of an asset.
  • A person who has the right to access an asset is said to be authorized (by the recognized authority).
  • Anyone who has not been given this right is labeled as unauthorized. When unauthorized people attempt to gain access to an asset they do not have rights to access, they become intruders.
  • A key component that brings all three levels of security together is a well-designed security policy that states how security is implemented at each level.
  • A cohesive access control policy at each security level provides authorized people with appropriate levels of access to selected assets, while inhibiting access to assets by people who are not authorized.
  • Authentication is the process of determining that someone is who they say they are.
  • Effective access control involves being able to control the ingress, egress, and regress to an asset based on authorization. In particular, limiting the access of unauthorized personnel to important assets is the most fundamental security objective.
  • Multiple factors are involved in authentication:
    • Knowledge—Something that only the designated person should know (something you know)
    • Possession—Something that only the designated person should have (something you have)
    • Inherence—Something that only the designated person is (something you are)
    • Location—Somewhere you are

  • Many physical authentication systems are based on single authentication factors that depend on possession.
  • Stronger authentication methods use two-factor authentication (a process that requires two different factors before access is granted), most commonly knowledge plus possession. Two instances of the same factor (for example, two passwords) do not count as two factors.
  • False rejection or false negative failures are reports that produce an incorrect rejection of the individual, thereby locking them out of a facility or security area to which they should have access.
  • False acceptance or false positive failures are reports that incorrectly authenticate the individual, which could provide access to equipment or data that this person should not be able to access. Of the two types of authentication failure, this is the most significant in that it could grant access to malicious people.
  • Remote monitoring refers to monitoring or measurement of devices from a remote location or control room. In the security realm, this involves having external access to the security system through a communication system.
  • Remote-access monitoring systems are used to notify supervisory security personnel when an unauthorized access is attempted.
  • Because open and closed conditions are not the same as locked and unlocked conditions, a single sensor cannot differentiate between these two sets of conditions. A second or different type of sensor needs to be installed and monitored to perform this differentiation.
  • Remote-access control is a design feature that manages entry to protected areas by authenticating the identity of persons entering those secured areas (security zone or computer system) using an authentication system located in a location other than the access point.
  • Remote-control access is a design feature that works with remote-monitoring systems to monitor, control, and supervise doors, gates, and conveyances from a distance.
  • A functional intrusion-detection and reporting system typically includes an intelligent control panel connected by wires or radio signals to sensors at various locations throughout a facility or organization.
  • Each security controller model is designed to handle a specific number of programmable zones. A zone can be a single point of protection such as a motion detector, or multiple points can be combined into a single zone.
  • Sensors are a class of input devices that convert physical activity into a signal that can be presented to the security controller. They are available in a variety of configurations including magnetic switches for doors and windows, acoustic detectors, vibration detectors, motion detectors, and glass-break detectors. Sensors protect the perimeter, selected outside areas, and the open spaces inside the facility.
  • Physical-intrusion-detection systems typically include three basic types of output devices: visual notification, audible annunciators, and remote messaging.
  • Two types of fire-detection sensors are available: heat detectors and smoke detectors. They operate by detecting a rise in temperature or the presence of smoke in the protected area.
  • Digital video recorders (DVRs) are the preferred technology for recording surveillance video.
  • Passive infrared (PIR) motion detectors work by detecting changes in the infrared energy radiated within an area; microwave and photoelectric detectors sense movement by other means.
  • The use of multiple physical security zones has several purposes. It allows the user to arm only portions of the system, such as the perimeter doors and windows, while bypassing the interior motion detectors in a specific zone.
  • An IP camera can be viewed from anywhere in the world where Internet access is available. That same reachability is available to an attacker, so an Internet-facing camera must sit behind strong authentication and encryption (or a VPN), have its default credentials changed, and be segmented from the rest of the enterprise network.
  • The two important specifications that influence the cost of cameras are light sensitivity rating (lux rating) and resolution.
  • Surveillance cameras should not be used where there is a reasonable expectation of privacy by individuals.
  • In addition to determining what specifications security cameras must possess for a given role, it is equally important to map out a camera deployment strategy to maximize the surveillance investment.
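
The summary points on false rejection and false acceptance describe a trade-off that is easiest to see with numbers. The following Python is an added example, not code from the chapter: it takes constructed match scores from a hypothetical biometric matcher (not data from any real device), sweeps the accept threshold, and shows that driving false acceptance to zero is paid for in false rejections of legitimate users.

```python
"""Added example: false acceptance versus false rejection at a biometric threshold.

GENUINE_SCORES and IMPOSTOR_SCORES are constructed sample data (0-100) from a
hypothetical matcher; a score at or above the threshold is accepted.
"""
from dataclasses import dataclass

# Constructed: an enrolled user compared with their own template.
GENUINE_SCORES = [88, 92, 79, 95, 84, 70, 91, 87, 66, 93]
# Constructed: other people compared with that same template.
IMPOSTOR_SCORES = [42, 55, 61, 38, 73, 49, 58, 67, 45, 52]


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    far: float  # false acceptance rate: impostors wrongly accepted (security failure)
    frr: float  # false rejection rate: genuine users wrongly locked out (usability failure)


def error_rates(threshold, genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """FAR and FRR for an accept-at-or-above threshold."""
    false_accepts = sum(1 for s in impostors if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold, false_accepts / len(impostors), false_rejects / len(genuine))


def sweep(thresholds=range(0, 101), **kw):
    """Error rates at every threshold in the range."""
    return [error_rates(t, **kw) for t in thresholds]


def lowest_threshold_with_far_at_most(max_far, **kw):
    """Most permissive threshold that still keeps FAR within policy.

    For a high-value asset false acceptance is the failure that matters, because
    it admits an intruder, so FAR is the constraint and FRR is the price paid.
    """
    for rates in sweep(**kw):
        if rates.far <= max_far:
            return rates
    return None


def equal_error_threshold(**kw):
    """Threshold where FAR and FRR are closest (the equal error rate point)."""
    return min(sweep(**kw), key=lambda r: (abs(r.far - r.frr), r.threshold))
```

With the constructed scores, a threshold of 60 accepts three of ten impostors while rejecting no genuine users; the first threshold with zero false acceptances is 74, which locks out two of the ten genuine attempts. The equal error point sits at 68, where both rates are ten percent.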

Security Challenge Scenarios

In Chapter 1, you were asked to record your observations for the risk-assessment challenges presented there. At that point, you may have had little or no knowledge of the security tools and techniques required to secure the environments presented in those scenarios.

Now that you have read the first four chapters, complete the information requested in the following section and compare that information to the original assessments you generated in Chapter 1 to measure how much you’ve learned.

Infrastructure Security Scenario 1

Identify:____________________________________________________

Protect: ____________________________________________________

Detect: _____________________________________________________

Respond: ___________________________________________________

Recover: ____________________________________________________

Infrastructure Security Scenario 2

Identify:___________________________________________________

Protect: ___________________________________________________

Detect: ____________________________________________________

Respond: __________________________________________________

Recover: ___________________________________________________

Professional Feedback

In this section, you will compare your observations to those of a working security specialist—in this case, Philip Craig, the founder of BlackByte Cyber Security—to improve your understanding of cybersecurity.

The Insights of a Practicing Professional

Practicing security professionals have a significant advantage when determining the most effective security solutions for many deployments very quickly. After repeatedly practicing the trade in the field, you too will be able to create certain models that will remain effective in the future.

Here is a time-proven approach that opens with three very basic questions that will position you to enter the initial assessment phase. Always ask your client:

  1. What are we trying to protect?
  2. Who are we trying to protect it from?
  3. Why do we need to provide protection?

The first answer is always a physical thing (e.g., some material, component, product, etc.) that you can physically see, taste, touch, and smell. It may be a sensitive device or instrument in development or it may have a high monetary value. It also may be some material that has environmental sensitivity or that may be dangerous to the general public if protection methods are not utilized correctly.

The second answer is focused on a person (potentially an adversary).

The last answer could originate from a business need supporting the economic strength of the corporation or the requirement to follow a particular regulation. Needless to say, you can throw as many of your newly learned techniques as you can at the solution, but without the information you discern from asking these questions, you are wasting a significant amount of your time—and more importantly, your client’s money.

Let’s review your scenario. Consider the following construct:

  • A building (containing multiple floors and spaces)
  • An office environment (containing spaces for offices and cubicles)
  • A cubicle (containing computing resources)

As you learned earlier, there are many physical and cybersecurity considerations. They exist in external, internal, and interior contexts with many attributes that influence the access to each. We will need to consider these influences and begin to provide physical and logical separations that are often called perimeters or demarcations.

Figure 5.1 represents a reliable model that provides a consistent approach for handling these considerations. For security purposes, we’re always concerned primarily with threats, so this threat-informed model will always apply.

Illustration of a threat-informed pyramid that represents a reliable model that provides a consistent approach for handling the physical and logical separations called perimeters or demarcations.

FIGURE 5.1 Threat-Informed Pyramid

Securing the Top Region

The items to deal with in the upper region of the threat-informed model include:

  • Objectives: The adversary’s overall objective is to disrupt, destroy, or steal a target
  • Target Sets: The assets that represent the best opportunity to upset, compromise, damage, or otherwise discontinue functions and/or operations of a system.
  • Adversary: An agent who is determined to carry out a particular objective driven by MOI (motive, opportunity and intent). Each adversary attribute will govern the adversary’s overall decision-making process to determine what is necessary to reach an objective and complete a mission.

Securing the Middle Region

The activities called out in the middle region of the threat-informed model include:

  • Credible Threat Scenarios: A set of activities that, when scripted or arranged in a particular sequence, would have the highest success of achieving an attack objective. Therefore, you must concentrate your efforts on identifying all these scenarios.
  • Analysis: Those activities (threat vector analysis, attack trees, consequences, and susceptibility analysis) that must be performed to evaluate the best, most likely, most effective, or most probable means of a potential attacker’s success in reaching an objective along with a description of the impacts of such success.
  • Defined Threat Environment: The Defined Threat Environment represents the culmination of all the attributes associated with the topics above it in the “upper” and “middle” regions of the pyramid.

Securing the Bottom Region

The activities called out in the bottom region of the threat-informed model include:

  • Security Strategies (Detect, Deter, Deny, Delay, Respond, Recover): Based on the defined threat environment, those strategies are formulated to ensure security functions to deter, detect, deny, delay, respond, and recover from an attack.
  • Security Controls Cyber/Physical (Management, Operational, Technical/Guards, Gates, Locks): Mechanisms that are employed to ensure that the security strategies are effective.
  • Risk Determination – Policy – Training – Audit and Compliance: The supporting programmatic elements necessary to document measures to determine the effectiveness of an overall security program.

All too often organizations are too quick to apply a comprehensive security policy and then build a program to ensure the policy is met. From a practicing security professional’s standpoint, that is completely backward from how it should be approached. However, at your first job, or on any new job, you’re going to likely step into an operational security program. It is important that you still take this approach or you’ll struggle with the reasons that decisions have already been made.

So now you’ve been given a means to understand what, who, and why, as well as a model to enable a good process to assess and evaluate the security environment, what is next? How can you tackle the task?

Tackling the Task at Hand

First, you need to establish your perspective. We’ll call it the “you are here” dot on a map of your environment. Two different perspectives are used: an outside-in and an inside-out. Picture a castle. In the days when castles were prevalent, they were actually giant fortified structures created to keep people out. This perspective is an “outside-in” perspective. The architects busily constructed methods that from an outside perspective protected their castles from being penetrated. Although many physical security methods still employ this perspective (and should), a more comprehensive approach is to use the “inside-out” perspective. This approach will ensure that the most interior areas are considered and you will be able to build a security posture using graded methods as you reach the most outer areas. This is called a graded approach. It allows security professionals to prescribe security controls as necessary so they don’t overprescribe them and amass excessive costs or expend unnecessary resources or effort.

What Am I Protecting?

Document the object, material, and property. It can be a box of diamonds or intellectual property like the Colonel Sanders Kentucky Fried Chicken recipe.

Who Am I Protecting My Asset From?

You play the adversary! From an inside-out perspective, start at the most interior area (cubicles) and look for any artifacts that could challenge your security controls.

Make sure you are familiar with and understand the physical pathways: from the cubicles to the office areas to the building itself. Look for both physical and cyber ingress and egress. Always think like an adversary (the top of our triangle).

Why Am I Providing Protection?

Is it the asset’s value? Is it a production process that could result in millions of dollars of lost revenue if disrupted? Is it some material that could challenge the safety of your employees or the public? Are there regulatory or other legal or contractually binding requirements?

Executing Your Plan

Prioritize and select the appropriate (necessary) security controls that will detect, deter, deny, delay, respond, and recover your security posture. Properly documented installation processes and procedures should be in place to help ensure that your security controls are properly installed.

Implement your plan as constructed. Make sure all physical and cyber methods are installed as required.

Check your implementation by procedure. When you are operational, there needs to be a method to constantly check to ensure that your security controls are effective. These controls usually range from simple internal email-phishing exercises, rattling doors and windows, to actually executing a combined cyber/physical challenge exercise constructed to test your response and mitigation capability.

Improve your posture as you execute periodic assessments and exercises that may expose any weaknesses and opportunities to provide corrective or augmented capabilities. Without this cycle, you’ll never be able to defend your operational budgets or get support from management.

There are hundreds if not thousands of ways to provide secure and trusted environments depending on the what, who, and why of any company or organization. The methods that are successful are those that you can defend with proper arguments that are well documented. Your future employer won’t just keep you around because you’re good, they’ll keep you around because you’re thorough.
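
The analysis step of the threat-informed model names attack trees among the techniques used to find the adversary’s most likely path. The following Python is an added example, not the practitioner’s own material or code from the chapter: it evaluates a small attack tree for the building / office / cubicle construct discussed above. The attack steps and their effort costs are constructed for illustration, not real measurements; OR nodes mean the adversary needs any one child, AND nodes mean every child.

```python
"""Added example: evaluating an attack tree for the building / office / cubicle scenario.

Leaves are attack steps with a relative effort cost (constructed values);
float('inf') marks a step a control has prevented outright.
"""
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Leaf:
    name: str
    cost: float


@dataclass(frozen=True)
class Node:
    name: str
    op: str  # "OR": any child suffices; "AND": all children are required
    children: Tuple["Tree", ...]


Tree = Union[Leaf, Node]


def cheapest(tree):
    """Least-effort way to achieve the node: (total cost, ordered list of steps)."""
    if isinstance(tree, Leaf):
        return tree.cost, [tree.name]
    results = [cheapest(child) for child in tree.children]
    if tree.op == "OR":
        return min(results, key=lambda r: r[0])
    if tree.op != "AND":
        raise ValueError(f"unknown operator {tree.op!r}")
    return sum(r[0] for r in results), [step for r in results for step in r[1]]


def with_control(tree, leaf_name, new_cost):
    """Model a security control by raising the effort of one attack step."""
    if isinstance(tree, Leaf):
        return Leaf(tree.name, new_cost) if tree.name == leaf_name else tree
    return Node(tree.name, tree.op,
                tuple(with_control(c, leaf_name, new_cost) for c in tree.children))


def demo_tree():
    """Goal: take data from a workstation in a cubicle (constructed tree)."""
    enter_building = Node("enter building", "OR", (
        Leaf("tailgate through main entrance", 2),
        Leaf("defeat badge reader", 6),
    ))
    enter_office = Node("enter office area", "OR", (
        Leaf("follow employee through office door", 1),
        Leaf("pick office door lock", 4),
    ))
    use_workstation = Node("use cubicle workstation", "OR", (
        Leaf("use unlocked screen", 1),
        Leaf("boot workstation from USB", 3),
    ))
    physical = Node("physical path", "AND", (enter_building, enter_office, use_workstation))
    cyber = Node("cyber path", "AND", (
        Leaf("phish the cubicle user", 3),
        Leaf("escalate to file share", 5),
    ))
    return Node("take data from cubicle workstation", "OR", (physical, cyber))


def demo():
    """Baseline cheapest path, then the path after two physical controls are added."""
    baseline = cheapest(demo_tree())  # (4, tailgate -> follow employee -> unlocked screen)
    hardened = with_control(demo_tree(), "use unlocked screen", float("inf"))   # screen-lock policy
    hardened = with_control(hardened, "tailgate through main entrance", 10)    # anti-tailgating entry
    return baseline, cheapest(hardened)  # second is (8, the cyber path)
```

Working inside-out, the cheapest baseline path costs 4 and is entirely physical: tailgate in, follow an employee through the office door, and use a screen nobody locked. Enforcing screen locking and hardening the entrance pushes the physical path to 10, at which point the adversary’s least-effort route becomes the cyber path at 8; the tree makes that shift visible before money is spent on the next physical control.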

Review Questions

The following questions assess your knowledge of the material presented in Part I.

  1. _____________________ is the science, technique, and art of establishing a system of exclusion and inclusion for tangible assets.

    Answer: Physical security. In practice, this involves policies, practices, and steps aimed at combating theft, preventing physical damage, maintaining system integrity and services, and limiting unauthorized disclosure of information.

  2. _____________________ is a report that incorrectly authenticates the individual, which could provide access to equipment or data that this person should not have.

    Answer: False acceptance or false positive failures

  3. Define lux rating as it applies to surveillance cameras and describe the typical range of lux ratings for these devices.

    Answer: The amount of light required to obtain a reasonable video camera image is called the lux rating. Lux is a measure of the amount of light that falls on an object. One lux is approximately the amount of light falling on one square meter from one candle measured from one meter away. A lower lux rating means less light is needed, so the camera performs better in dim conditions. Typical camera ratings range between 0.5 and 1.0 lux.

  4. Using natural design elements such as structures and landscaping to guide people as they enter and exit spaces is referred to as_____________________.

    Answer: Natural access control

  5. Which type of security device is used for programming, controlling, and operating access control and management devices?

    Answer: A keypad. Most intrusion-detection and reporting systems employ a keypad device for programming, controlling, and operating various access-control and management devices.

  6. Which type of camera provides the best image in low-light conditions?

    Answer: An infrared (IR) camera. An infrared security camera has infrared LED lighting (light from a region of the electromagnetic spectrum outside what we normally see) installed around the outside of the camera lens. This lighting allows the camera to capture a usable image with no visible light at all. With a little bit of light (called low light), the infrared camera captures a clear, though typically monochrome, picture.

  7. Which type of image sensor is used in cameras designed to produce the highest quality images?

    Answer: CCD. The best surveillance cameras employ Charge-Coupled Device (CCD) technology. They have high resolution, low operating-light requirements, less temperature dependence, and high reliability.

  8. Describe the primary uses for keypads in security systems.

    Answer: Most intrusion-detection and reporting systems employ a keypad device for programming, controlling, and operating various access-control and management devices.

  9. Describe the technologies used to report alarm conditions to key personnel or remote monitoring organizations.

    Answer: The most common remote notification systems involve the use of a telephone line by the intrusion-detection and reporting system’s control panel to automatically call a remote monitoring facility or key personnel when an alarm condition exists. Some systems employ a separate telephone dialer or a built-in dialer. However, a growing number of systems possess built-in cellular communications systems. Such systems provide additional dependability in that they can function even if the physical telephone lines are damaged. Whichever path is used, the link between the panel and the monitoring facility should itself be supervised (for example, by a periodic test signal) so that a cut or failed line is reported rather than silently leaving the system unable to call out.

  10. _____________________ employs structures, systems, and devices to prevent unauthorized entry and create a clear difference between what is public and private.

    Answer: Territorial reinforcement

  11. With_____________________, the condition monitoring system can record and signal each time a specific gate or door is unlocked (granting access) and what type of access was granted. Unlocked monitoring can also identify who was granted access.

    Answer: Unlocked condition monitoring

  12. List the locations in which perimeter-area input sensors are typically placed in an intrusion-detection and reporting system.

    Answer: Perimeter-area inputs to the control panel typically include sensors at every perimeter opening including doors, windows, garage doors and windows, and doors to crawl spaces. Additional perimeter protection may include using sound, vibration, and motion-detector sensors to guard against entry through broken windows.

  13. Which physical technique is used to create a physical security zone on a security controller?

    Answer: Logically group related sensors together to create a security zone. This is accomplished by connecting all of the related sensor switches (all sensors appear as switches to the security controller) in series into a single loop that connects to a specific set of contacts on the controller’s panel. With normally closed contacts, opening any one sensor breaks the loop, so the controller sees the whole zone as faulted but cannot tell which sensor in the zone tripped.
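
The zone and arming-mode summary points and this answer describe behavior a controller implements, and a small model makes the consequences concrete. The following Python is an added example, not code from the chapter or from any controller vendor: each sensor is a normally-closed switch, a zone is a series loop on one pair of panel contacts, arming modes decide which zone types are monitored, and a separate helper shows why a door needs both a position contact and a lock sensor. Zone and sensor names are constructed.

```python
"""Added example: how a security controller sees programmable zones.

Sensors are modelled as normally-closed switches. A zone is a series loop of
those switches on one pair of panel contacts, so opening any one switch breaks
the loop and faults the whole zone. Names below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class ZoneType(Enum):
    PERIMETER = "perimeter"   # door and window contacts, glass-break sensors
    INTERIOR = "interior"     # motion detectors in occupied space
    ALWAYS = "24-hour"        # fire and panic inputs, monitored in every mode


@dataclass
class Zone:
    name: str
    zone_type: ZoneType
    # sensor name -> True when its contact is closed (secure), False when open
    contacts: dict

    def loop_closed(self):
        """Series loop: the panel sees 'closed' only if every contact is closed."""
        return all(self.contacts.values())


# Which zone types each arming mode monitors.
ARM_MODES = {
    "disarmed": {ZoneType.ALWAYS},
    "stay": {ZoneType.PERIMETER, ZoneType.ALWAYS},   # people inside: interior motion bypassed
    "away": {ZoneType.PERIMETER, ZoneType.INTERIOR, ZoneType.ALWAYS},
}


def faulted_zones(zones, mode):
    """Zones the panel would report in this mode. The loop is a single input,
    so the panel can name the zone but not which sensor within it opened."""
    monitored = ARM_MODES[mode]
    return [z.name for z in zones if z.zone_type in monitored and not z.loop_closed()]


def door_state(contact_closed, bolt_extended):
    """Open/closed and locked/unlocked are different conditions, so a door needs
    a position contact and a bolt (lock) sensor to tell the four states apart."""
    if contact_closed and bolt_extended:
        return "closed and locked"
    if contact_closed:
        return "closed but unlocked"
    if bolt_extended:
        return "open with bolt extended (forced or held open)"
    return "open and unlocked"


def demo_site():
    return [
        Zone("front entry", ZoneType.PERIMETER, {"front door": True, "side window": True}),
        Zone("rear entry", ZoneType.PERIMETER, {"rear door": True, "rear glass-break": True}),
        Zone("lobby motion", ZoneType.INTERIOR, {"lobby PIR": True}),
        Zone("server room motion", ZoneType.INTERIOR, {"server room PIR": True}),
        Zone("fire", ZoneType.ALWAYS, {"smoke detector": True, "heat detector": True}),
    ]


def demo():
    """Staff working late trip the lobby PIR; later someone opens the rear door."""
    site = demo_site()
    site[2].contacts["lobby PIR"] = False
    during_stay = faulted_zones(site, "stay")   # [] : interior zone bypassed
    during_away = faulted_zones(site, "away")   # ['lobby motion']
    site[1].contacts["rear door"] = False
    after_entry = faulted_zones(site, "stay")   # ['rear entry']
    return during_stay, during_away, after_entry
```

In stay mode the lobby motion detector can be tripped all evening without an alarm, which is exactly the bypass the multiple-zone design exists to allow, while the rear door still reports the moment it opens. Because the rear-entry loop carries both the door contact and the glass-break sensor, the panel reports only the zone; which sensor opened is found by walking the loop.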

  14. List the four factors that are commonly employed in authentication systems.

    Answer: There are multiple factors that can be used to establish authentication: Knowledge—something you know, possession—something you have, inherence—something you are, and location—where you are.

  15. Name the two major concerns associated with storing video surveillance information, particularly in larger enterprises.

    Answer: How much video needs to be stored? For how long does it need to be stored? The answers to these questions enable the organization to determine its storage capacity needs.

Exam Questions

  1. Securing which of the following involves controlling who can move (walk, drive, fly) across the physical or logical line that marks this perimeter, such as property lines or the exterior walls of a building or complex?
    1. The interior space
    2. The inner perimeter
    3. The outer perimeter
    4. The primary zone

    Answer: C

  2. Which of the following is not a subsystem involved in infrastructure security management?
    1. Access-control and monitoring systems
    2. Intrusion-detection and reporting systems
    3. Video surveillance systems
    4. Corporate cyber security policies

    Answer: D

  3. Which of the following options represent physical barriers? (Select all that apply.)
    1. A locked door
    2. A receptionist
    3. An RFID badge reader
    4. A surveillance camera

    Answer: A and B

  4. Which type of surveillance camera can be viewed from virtually anywhere in the world?
    1. A digital camera
    2. A digital IP camera
    3. An analog camera
    4. A hybrid camera

    Answer: B

  5. From the following report types, which options would produce an incorrect rejection of the individual, thereby locking him out of a facility or security area to which he should have access? (Select all that apply.)
    1. False rejection
    2. False acceptance
    3. False negative failures
    4. False positive failures

    Answer: A and C

  6. Which sensor detects a beam of light (visible or invisible) and responds to a change in the received light intensity?
    1. Microwave sensor
    2. Pressure sensor
    3. Motion sensor
    4. Photoelectric sensor

    Answer: D

  7. Which lens enables you to view an entire room but with some distortion of the image?
    1. Fish-eye lens
    2. Telephoto lens
    3. Fixed-focal-length lens
    4. Varifocal lens

    Answer: A

  8. Which of the following best describes the meaning of lux rating as it applies to surveillance cameras?
    1. Rating for the size of the camera lens
    2. Amount of light required for an acceptable image
    3. Resolution of the camera lens
    4. Specifies the color resolution of a camera

    Answer: B

  9. Which of the following cameras provides the ability to maintain a degree of secrecy by using illumination that is outside of the visible light spectrum?
    1. CCD camera
    2. Infrared security camera
    3. Black-and-white camera
    4. Color camera

    Answer: B

  10. Which of the following cameras features the best set of specifications for monitoring a 24/7 cash machine that must operate in both daytime and low-level night-time lighting conditions, while providing a high-resolution, detailed view to monitor the different banking functions the machine is used for?
    1. Camera 1 – 800 × 600 pixel resolution, 1.0 lux rating
    2. Camera 2 – 2240 × 1680 pixel resolution, 0.5 lux rating
    3. Camera 3 – 1024 × 768 pixel resolution, 0.75 lux rating
    4. Camera 4 – 1536 × 1180 pixel resolution, 0.9 lux rating

    Answer: D
