Review the following summary points before proceeding to the “Review Questions” and “Exam Questions” sections at the end of this chapter to make sure you are comfortable with each concept. After completing the review, answer the review questions to verify your knowledge of the material covered in Part I.
In Chapter 1, you were asked to record your observations for the risk-assessment challenges presented there. At that point, you may have had little or no knowledge of the security tools and techniques required to secure the environments presented in those scenarios.
Now that you have read the first four chapters, complete the information requested in the following section and compare that information to the original assessments you generated in Chapter 1 to measure how much you’ve learned.
Identify:____________________________________________________
Protect: ____________________________________________________
Detect: _____________________________________________________
Respond: ___________________________________________________
Recover: ____________________________________________________
Identify:___________________________________________________
Protect: ___________________________________________________
Detect: ____________________________________________________
Respond: __________________________________________________
Recover: ___________________________________________________
In this section, you will compare your observations to those of a working security specialist—in this case, Philip Craig, the founder of BlackByte Cyber Security—to improve your understanding of cybersecurity.
Practicing security professionals have a significant advantage when determining the most effective security solutions for many deployments very quickly. After repeatedly practicing the trade in the field, you too will be able to create certain models that will remain effective in the future.
Here is a time-proven approach that opens with three very basic questions that will position you to enter the initial assessment phase. Always ask your client:
The first answer is always a physical thing (e.g., some material, component, product, etc.) that you can physically see, taste, touch, and smell. It may be a sensitive device or instrument in development or it may have a high monetary value. It also may be some material that has environmental sensitivity or that may be dangerous to the general public if protection methods are not utilized correctly.
The second answer is focused on a person (potentially an adversary).
The last answer could originate from a business need supporting the economic strength of the corporation or the requirement to follow a particular regulation. Needless to say, you can throw as many of your newly learned techniques as you can at the solution, but without the information you discern from asking these questions, you are wasting a significant amount of your time—and more importantly, your client’s money.
Let’s review your scenario. Consider the following construct:
As you learned earlier, there are many physical and cybersecurity considerations. They exist in external, internal, and interior contexts with many attributes that influence the access to each. We will need to consider these influences and begin to provide physical and logical separations that are often called perimeters or demarcations.
Figure 5.1 represents a reliable model that provides a consistent approach for handling these considerations. For security purposes, we’re always concerned primarily with threats, so this threat-informed model will always apply.
The items to deal with in the upper region of the threat-informed model include:
The activities called out in the middle region of the threat-informed model include:
The activities called out in the bottom region of the threat-informed model include:
All too often, organizations are too quick to apply a comprehensive security policy and then build a program to ensure the policy is met. From a practicing security professional’s standpoint, that is completely backward from how it should be approached. However, at your first job, or on any new job, you are likely to step into an operational security program that already exists. It is important that you still take this approach, or you’ll struggle to understand the reasons behind decisions that have already been made.
So now that you’ve been given a means to understand the what, the who, and the why, as well as a model that enables a good process for assessing and evaluating the security environment, what is next? How can you tackle the task?
First, you need to establish your perspective. We’ll call it the “you are here” dot on a map of your environment. Two different perspectives are used: an outside-in and an inside-out. Picture a castle. In the days when castles were prevalent, they were actually giant fortified structures created to keep people out. This perspective is an “outside-in” perspective. The architects busily constructed methods that from an outside perspective protected their castles from being penetrated. Although many physical security methods still employ this perspective (and should), a more comprehensive approach is to use the “inside-out” perspective. This approach will ensure that the most interior areas are considered and you will be able to build a security posture using graded methods as you reach the most outer areas. This is called a graded approach. It allows security professionals to prescribe security controls as necessary so they don’t overprescribe them and amass excessive costs or expend unnecessary resources or effort.
Document the object, material, and property. It can be a box of diamonds or intellectual property like the Colonel Sanders Kentucky Fried Chicken recipe.
You play the adversary! From an inside-out perspective, start at the most interior area (cubicles) and look for any artifacts that could challenge your security controls.
Make sure you are familiar with and understand the physical pathways: from the cubicles to the office areas to the building itself. Look for both physical and cyber ingress and egress. Always think like an adversary (the top of our triangle).
Is it the asset’s value? Is it a production process that could result in millions of dollars of lost revenue if disrupted? Is it some material that could challenge the safety of your employees or the public? Are there regulatory or other legal or contractually binding requirements?
Prioritize and select the appropriate (necessary) security controls that will detect, deter, deny, and delay an adversary and that support the response and recovery of your security posture. Properly documented installation processes and procedures should be in place to help ensure that your security controls are installed correctly.
Implement your plan as constructed. Make sure all physical and cyber methods are installed as required.
Check your implementation by procedure. Once you are operational, there needs to be a method of constantly checking that your security controls remain effective. These checks usually range from simple internal email-phishing exercises and rattling doors and windows to actually executing a combined cyber/physical challenge exercise constructed to test your response and mitigation capability.
Improve your posture as you execute periodic assessments and exercises that may expose any weaknesses and opportunities to provide corrective or augmented capabilities. Without this cycle, you’ll never be able to defend your operational budgets or get support from management.
There are hundreds, if not thousands, of ways to provide secure and trusted environments, depending on the what, who, and why of any company or organization. The methods that succeed are those you can defend with proper, well-documented arguments. Your future employer won’t just keep you around because you’re good; they’ll keep you around because you’re thorough.
The following questions assess your knowledge of the material presented in Part I.
Answer: Physical security. In practice, this involves policies, practices, and steps aimed at combating theft, preventing physical damage, maintaining system integrity and services, and limiting unauthorized disclosure of information.
Answer: False acceptance or false positive failures
Answer: The amount of light required to obtain a reasonable video camera image is called the lux rating. Lux is a measure of the amount of light that falls on an object. One lux is approximately the amount of light falling on one square meter from one candle measured from one meter away. Typical camera ratings range between 0.5 and 1.0 lux.
Answer: Natural access control
Answer: Most intrusion-detection and reporting systems employ a keypad device for programming, controlling, and operating various access-control and management devices.
Answer: An IR camera. An infrared security camera has infrared LED lighting (light from a different region of the electromagnetic spectrum than we are normally used to seeing) installed around the outside of the camera lens. This lighting allows the camera to capture a good image in no light at all. With a little bit of light (called low light), the infrared camera can capture a picture that looks just like daytime.
Answer: CCD. The best surveillance cameras employ charge-coupled device (CCD) technology. They have high resolution, low operating-light requirements, less temperature dependence, and high reliability.
Answer: Most intrusion-detection and reporting systems employ a keypad device for programming, controlling, and operating various access-control and management devices.
Answer: The most common remote notification systems involve the use of a telephone line by the intrusion-detection and reporting system’s control panel to automatically call a remote monitoring facility or key personnel when an alarm condition exists. Some systems employ a separate telephone dialer or a built-in dialer. However, a growing number of systems possess built-in cellular communications systems. Such systems provide additional dependability in that they can function even if the physical telephone lines are damaged.
Answer: Territorial reinforcement
Answer: Unlocked condition monitoring
Answer: Perimeter-area inputs to the control panel typically include sensors at every perimeter opening including doors, windows, garage doors and windows, and doors to crawl spaces. Additional perimeter protection may include using sound, vibration, and motion-detector sensors to guard against entry through broken windows.
Answer: Logically group related sensors together to create a security zone. This is accomplished by connecting all of the related sensor switches (all sensors appear as switches to the security controller) together in a serial format that connects to a specific set of contacts on the controller’s panel.
Answer: There are multiple factors that can be used to establish authentication: Knowledge—something you know, possession—something you have, inherence—something you are, and location—where you are.
Answer: How much video needs to be stored? For how long does it need to be stored? The answers to these questions enable the organization to determine its storage capacity needs.
Answer: C
Answer: D
Answer: A and B
Answer: B
Answer: A and C
Answer: D
Answer: A
Answer: B
Answer: B
Answer: D