Access Controls

Control Physical Access

Cybersecurity extends far beyond the realm of digital threats, encompassing the
physical security of facilities critical to an organization's operations. The essence of
physical security within cybersecurity lies in the protection of physical assets—ranging
from data centers to server rooms, media storage facilities, evidence storage rooms,
and even the intricate wiring closets that network an organization’s infrastructure. These
components are as crucial as any software or network protocol, for their compromise
can lead to significant data breaches, theft of intellectual property, or severe disruptions
in business operations.

Key Areas of Physical Security Focus:

● Data Centers: These are the heartbeats of any modern business, housing critical
servers, storage, and computing resources. The access to data centers must be
rigorously controlled to thwart any unauthorized entry, which could lead to theft,
data loss, or damage.
● Server Rooms: Often found in businesses lacking the infrastructure for a
full-scale data center, server rooms can grow organically and may lack robust
security controls. Their proliferation within different business units adds layers of
complexity to security management.
● Media Storage Facilities: These are critical for disaster recovery and business
continuity, housing backups of vital business information. The remote location of
these facilities often demands even higher security measures than the primary
sites to safeguard sensitive data.
● Evidence Storage Rooms: For organizations involved in digital forensic
investigations, securing the chain of custody for evidence is paramount. Secure
evidence storage rooms prevent tampering and ensure that evidence remains
admissible in court proceedings.
● Wiring Closets: An overlooked aspect, these closets are hubs for an
organization's network infrastructure. Securing these closets is essential to
 prevent unauthorized access that could lead to network eavesdropping or
breaches.

Strategies for Enhancing Physical Security:

1. Access Control: Implementing robust access control mechanisms ensures that

only authorized personnel can enter sensitive areas. This can range from
traditional locks and keys to advanced biometric systems.
2. Authentication of Individuals: Beyond simply controlling access, authenticating
the identity of employees, contractors, and visitors who enter secure facilities
reinforces security protocols.
3. Monitoring and Tracking: Utilizing surveillance cameras and visitor logs helps in
monitoring activities around sensitive areas and tracking the movement of
individuals within these facilities.
4. Physical Security Assessments: Regularly evaluating the security of all sensitive
locations allows for the identification of vulnerabilities and the implementation of
corrective measures.
5. Secure Cable Distribution Runs: Protecting the pathways of network cables from
tampering or unauthorized access is crucial for maintaining the integrity of an
organization's network.

In essence, the physical security measures adopted by an organization are foundational

to its overall cybersecurity posture. By diligently securing physical assets, cybersecurity
professionals not only safeguard the organization's tangible resources but also protect
the invaluable data and intellectual property that drive business success. This
multi-layered approach to security—blending physical safeguards with digital
defenses—is critical for building resilience against a spectrum of threats.

Physical Security Design

Key Principles of Designing for Physical Security:

1. Leverage Natural Surveillance:

 ○ Design facilities with visibility in mind, ensuring that there are clear lines of
sight to and from the building. Adequate lighting, strategic placement of
windows, and open spaces around perimeters enable both employees and
passersby to observe suspicious activities, thereby acting as a deterrent to
unauthorized entry.
2. Employ Natural Access Control:
○ Utilize architectural elements like gates, pathways, and barriers to guide
the flow of people into controlled entry points. This funnels all visitors
through designated areas where their access can be managed and
monitored, reducing the potential for unauthorized access to sensitive
areas.
3. Reinforce Territoriality Naturally:
○ Use signage, landscaping, fencing, and lighting to delineate clear
boundaries between public and private spaces. This territorial
reinforcement signals to potential intruders that they are entering a
controlled, monitored area, enhancing the psychological barrier to
unauthorized entry.
4. Integrate Physical Barriers:
○ Incorporate bollards, vehicle barriers, and fencing to prevent unauthorized
vehicle access and to protect pedestrian areas. These physical barriers
can be designed to blend with the aesthetic of the facility while providing a
strong deterrent and protection against vehicle-based threats.
5. Adopt Crime Prevention Through Environmental Design (CPTED):
○ CPTED principles focus on designing environments that naturally prevent
crime by promoting social control through environmental design. This
includes strategies to enhance visibility, control access, and assert
ownership over spaces, thereby reducing opportunities for criminal
activities.
6. Utilize Warning Signs and Surveillance Indicators:
 ○ Strategically placed signs indicating the presence of surveillance cameras,
security personnel, and restricted access areas serve as psychological
deterrents to potential intruders, making them think twice before
attempting unauthorized entry.

Implementing Design Strategies for Physical Security:

The implementation of these design strategies requires a collaborative approach

involving security professionals, architects, urban planners, and facility managers. By
incorporating physical security considerations into the early stages of facility design
and planning, organizations can create environments that naturally deter crime while
enhancing the overall security and safety of their premises.

Visitor Management
Managing visitor access to secured facilities is a critical component of an organization's
overall security strategy. Effective visitor control procedures not only safeguard
sensitive information and assets but also ensure the safety of employees and guests.
Here's an overview of best practices for managing visitor access:

Establish Clear Visitor Access Procedures

● Define Allowable Reasons for Visits: Clearly articulate the purposes for which
visitors may be granted access to the facility, ensuring these reasons align with
the organization's security and operational policies.
● Approval Levels: Specify the levels of approval required for different types of
visitors. This might vary based on the visitor's purpose, the areas they need to
access, and the duration of their visit.
 ● Unescorted Access: Identify if there are scenarios in which visitors may be
allowed unescorted access, and under what conditions. Define who is authorized
to make these decisions.
● Escort Requirements: Determine who is eligible to escort visitors within the
facility. Ensure that these individuals are trained on escort responsibilities and
aware of any areas that are off-limits to visitors.

Implement a Visitor Logging System

● Visitor Register: Maintain a detailed log of all visitor access, including the
visitor's name, the time of entry and exit, the purpose of the visit, and who
authorized the visit. This log can be a physical register or an electronic system,
depending on the organization's needs.
● Badge System: Require all visitors to wear identification badges prominently.
These badges should be easily distinguishable from employee badges to quickly
identify visitors.
● Escort Indicators: For visitors who require an escort, ensure their badges clearly
indicate this requirement. This helps employees identify unescorted visitors who
may be in restricted areas.

Monitor Visitor Activity

● Surveillance Cameras: Install cameras in areas where visitors are allowed, using
them as a deterrent against unauthorized activities and as a tool for incident
investigation. Always inform visitors about the presence of surveillance cameras.
● Regular Reviews: Periodically review visitor logs and surveillance footage to
identify any unusual patterns or security breaches. This also helps refine visitor
management policies over time.

Train Staff and Security Personnel

 ● Awareness and Training: Ensure that all staff, especially those tasked with
escorting visitors or approving visitor access, are trained on the visitor
management procedures. Regularly update this training to reflect any changes in
policies.
● Response Protocols: Train staff on how to respond to security incidents involving
visitors, including who to notify and how to safely manage the situation.

By implementing these practices, organizations can create a secure environment that

balances the need for accessibility with the imperative of safeguarding people,
information, and assets. Visitor management should be an integral part of the physical
security framework, with ongoing assessments to ensure the procedures remain
effective and aligned with the organization's security objectives.

Physical Security Personnel

Physical security personnel are a critical component of any comprehensive security
strategy. Their roles encompass not just the operational aspects of maintaining security
but also the human element, which is irreplaceable by technology alone. Here’s a
detailed look into the roles and responsibilities of physical security personnel and the
principles guiding their operations:

Human Judgment and Interaction

● Gatekeeping: Security personnel are often the first line of defense, responsible
for assessing and granting access to visitors based on established protocols.
This role requires a balance between being welcoming to guests and stringent in
security enforcement.
● Visitor Management: They manage visitor access, ensuring all visitors are
logged, provided with appropriate badges, and informed of the facility's security
 policies. This includes deciding which visitors can have unescorted access and
who needs to be accompanied at all times.

Deterrence and Authority

● Visible Security Presence: Uniformed guards serve as a deterrent to potential

security breaches by projecting a strong sense of security and authority. This
visibility is a critical aspect of physical security, as it can prevent incidents before
they occur.
● Armed Security: In certain high-risk environments, security personnel might be
armed. This decision is influenced by local regulations and the specific security
needs of the facility.

Technological Integration

● Robot Sentries: The advent of technology has introduced robot sentries into the
physical security domain. These robots can patrol areas, monitor for unusual
activities, and even challenge intruders, supplementing the efforts of human
security personnel.

Enforcement of Security Protocols

● The Two-Person Rule: This principle is implemented in highly sensitive

environments to prevent unauthorized actions. It comes in two variants:
○ Two-Person Integrity: Requires the presence of two authorized personnel
for accessing sensitive areas, reducing the risk of individual misconduct.
○ Two-Person Control: Demands the concurrent action of two individuals
for critical operations, such as launching a missile, ensuring a single
person cannot make unilateral decisions regarding sensitive actions.

Skills and Qualifications

 ● Training: Security personnel undergo rigorous training to prepare them for the
diverse challenges they might face, including emergency response,
communication skills, and the use of technology.
● Judgment: The ability to make quick, informed decisions is crucial, especially
when evaluating the legitimacy of access requests or responding to potential
threats.

Operational Flexibility

● Security personnel must adapt to varying situations, from routine access

management to emergency response scenarios. Their ability to switch roles and
take decisive action is key to maintaining the integrity of the security framework.

Communication

● Effective communication skills are vital for security personnel, not only for
interaction with visitors and employees but also for coordination during security
incidents. Clear, concise communication ensures that everyone understands their
roles and responsibilities during an emergency.

Physical security personnel play a multifaceted role in protecting an organization’s

assets, requiring a blend of interpersonal skills, judgment, and technical prowess. Their
presence not only enforces security measures but also reassures employees and
visitors of their safety within the facility.

Account Privilege and Management

In this section, you'll learn about the importance of managing user accounts and their
privileges to maintain security within an organization.
Key Concepts

1. Account Management: It's crucial to control who has access to what within an
organization. Account management involves several processes aimed at
ensuring that each user has appropriate access based on their role.
2. Job Rotation and Mandatory Vacation: These practices are not only beneficial for
employee development but also serve as security measures. Job rotation
reduces the risk of fraud by not allowing any one person to hold a position
indefinitely where they might exploit their role. Mandatory vacations, where
employees must take consecutive days off without access to corporate systems,
can also help uncover any fraudulent activities they might be hiding.
3. Standard Naming Convention: To simplify user identification and account
management, organizations should use a standard naming convention for user
accounts. A common method combines a user's first initial with their last name.
If duplicates occur, a unique number is appended.
4. Lifecycle of Account and Credentials:
○ Creation: When a new user joins the organization, they are granted access
to systems necessary for their role.
○ Modification: If a user's role changes or they need access to additional
systems, their entitlements are updated accordingly.
○ Re-certification: Regularly reviewing user access to ensure it's still
necessary for their current role helps minimize security risks.
○ Termination: When a user leaves the organization, their access must be
promptly revoked to protect sensitive information.

Important Notes for Beginners

● Account Management Tasks: These are vital for protecting an organization's data
and systems from unauthorized access or misuse.
● Security Benefits: Practices like job rotation and mandatory vacations are not
just operational policies but are designed with security in mind.
 ● Access Control: Understanding who has access to what and why is a
fundamental aspect of cybersecurity. Ensuring users only have access to what
they need helps reduce potential vulnerabilities.
● Account Lifecycle: Managing the lifecycle of an account from creation to
termination is crucial to maintain security. It prevents unauthorized access and
ensures that access rights are up to date.

In summary, account and privilege management is about ensuring the right people have
the right access at the right time. This module has introduced you to the basic concepts
and practices that underpin this critical area of cybersecurity. As you continue your
learning journey, keep in mind the importance of diligent account management in
safeguarding an organization's digital assets.

Account Monitoring
Effective account monitoring is crucial in preventing unauthorized access and ensuring
users have the appropriate level of access for their roles.

Understanding Permissions

1. Accurate Permissions: It's vital to ensure users have permissions that match
their job requirements while adhering to the principle of least privilege—giving
them only the access necessary to perform their duties. Incorrect permissions
can lead to security risks or hinder productivity.
2. Privilege Creep: This occurs when users accumulate permissions beyond what
their current role requires, usually after changing positions within the
organization. To combat this, perform regular audits of user accounts to adjust
permissions as necessary.
Regular Account Audits

Conducting regular audits involves reviewing all permissions assigned to user accounts
with their managers to confirm they align with the user's current role. Pay special
attention to users who have recently changed positions.

Unauthorized Use of Permissions

Detecting and preventing unauthorized use involves several strategies:

● Continuous Monitoring: Implement systems that continuously monitor for

unusual account activity, alerting administrators to potential security incidents.
● Impossible Travel Time Logins: Flag logins that occur from geographically
distant locations within a timeframe that's not physically possible, indicating
potential account compromise.
● Unusual Network Locations: Investigate when a user logs in from a network
segment different from their usual one.
● Logins at Unusual Times: Alert on logins during odd hours that deviate from the
user's normal activity pattern.
● Uncharacteristic Access Patterns: Monitor for atypical file access or unusually
high activity levels that may suggest data exfiltration attempts.

Enhancing Monitoring with Technology

● Geotagging: Enable geotagging to tag logins with geographic information, aiding

in identifying suspicious activity based on location.
● Geofencing: Implement geofencing by setting geographic boundaries and
alerting administrators when a device crosses these boundaries, providing an
additional layer of security.

Summary
Account monitoring is a foundational aspect of cybersecurity, ensuring that only
authorized users have access to sensitive information and systems. Through regular
audits, continuous monitoring, and leveraging technology like geotagging and
geofencing, organizations can significantly enhance their security posture. Remember,
the goal is not just to detect unauthorized access but also to ensure that legitimate
users have the access they need without unnecessary barriers to their work.

Provisioning and Deprovisioning

Managing user accounts effectively is a cornerstone of maintaining an organization's
security posture. Let's break down the essentials.

What is Provisioning and Deprovisioning?

● Provisioning: The process of setting up and configuring a new user account

when someone joins an organization. This includes creating login credentials and
setting up the correct level of access based on the person's role.
● Deprovisioning: The opposite process, where access is removed, and accounts
are deactivated or deleted when someone leaves the organization.

The Importance

Managing the lifecycle of user accounts is vital for several reasons:

1. Security: Ensures that only authorized individuals can access sensitive company
resources.
2. Compliance: Meets legal and regulatory requirements regarding data access and
privacy.
 3. Efficiency: Streamlines the management of user access, saving time and
resources.

Best Practices

1. Automate Where Possible: Utilize tools or systems that automate the

provisioning and deprovisioning process to minimize delays and errors.
2. Regular Audits: Periodically review user access levels to ensure they align with
current job functions and the principle of least privilege.
3. Immediate Action for Departures: Quickly deprovision accounts for individuals
who have left the organization, especially in involuntary or emergency
terminations, to prevent unauthorized access.
4. Clear Policies: Establish and communicate clear policies for both provisioning
and deprovisioning, including who is authorized to request and approve access
changes.

The Process

1. Onboarding (Provisioning):
○ Grant new users access to necessary systems and data based on their
role.
○ Provide authentication credentials and ensure understanding of access
controls and security policies.
2. Offboarding (Deprovisioning):
○ Remove access to all systems and ensure the user's data is handled
according to company policies and regulations.
○ Act quickly to deactivate accounts, particularly in sensitive terminations,
to protect against potential security threats.

Key Tools and Actions

 ● User Management Systems: Many environments, like Windows Active Directory,
offer tools to enable, disable, or delete user accounts.
● Scheduled Expiration: For planned departures, like retirement, set accounts to
expire on a predetermined date.
● Immediate Action: For immediate terminations, disable the account as soon as
the individual is notified to prevent retaliatory actions.

Conclusion

Effective account and privilege management, including timely provisioning and

deprovisioning of user accounts, is crucial for maintaining security and operational
integrity. By adopting best practices and utilizing available tools, organizations can
protect against unauthorized access and ensure that only the right people have the right
access at the right times.

Authorization
What is Authorization?

Authorization is the process that kicks in after a user successfully logs into a system
(authentication). It's all about permissions: determining what resources and data a user
can access or modify and what they're prohibited from doing.

The Principle of Least Privilege

A core principle underpinning authorization is the Principle of Least Privilege. This

principle dictates that users should only have the minimum level of access required to
perform their job functions. Why is this important?
 1. Mitigates Insider Threats: If a user becomes malicious, their ability to cause
harm is restricted to their access level. For example, an accountant typically
wouldn't have access to modify the company website.
2. Limits External Attackers: Should an external attacker gain access to a user's
account, they are constrained by that user's permissions, making it harder to
inflict widespread damage.

Types of Access Control Systems

When implementing authorization mechanisms, we encounter various types of access

control systems:

1. Mandatory Access Control (MAC): This is the most stringent form, where the
system itself dictates permissions, and users have no say in modifying these
permissions. Suitable for very secure environments but not commonly used due
to its rigidity.
2. Discretionary Access Control (DAC): Here, users have the flexibility to set
permissions on their files and resources. This type is widely used because it
balances security needs with operational flexibility.
3. Role-Based Access Control (RBAC): Instead of managing permissions for each
user individually, permissions are assigned to roles. Users are then assigned to
these roles, simplifying the management of permissions and making the system
easier to administer.

Choosing the Right System

Selecting the right access control system involves balancing security requirements with
the need for operational efficiency. Too lenient, and you risk security; too strict, and you
hinder productivity.

1. Assess Your Needs: Understand the specific security and operational

requirements of your organization.
 2. Simplicity vs. Security: Strive for a system that provides adequate security
without complicating routine tasks.
3. Adaptability: Choose a system that can adapt to changes in job roles,
responsibilities, and organizational structure.

Conclusion

Authorization is a critical aspect of cybersecurity, ensuring that users have the right
access to perform their roles without compromising security. Whether you're dealing
with MAC, DAC, or RBAC, the goal is to implement an authorization system that
supports both security and productivity. Understanding and applying the Principle of
Least Privilege will be your guiding light in achieving a balanced approach.

Project 5: SME Security Blueprint Design

Objective:

To create a detailed security blueprint for a fictional SME (Small to Medium Enterprises),
covering both cyber and physical security aspects. This plan will address risk
assessment, physical security measures, cybersecurity policies, and incident response
strategies.

Step 1: Define the Scope of the Project

● Identify the size and type of the fictional SME (e.g., a tech startup, a small
manufacturing company).
● List the key assets that need protection, including physical assets (office space,
equipment) and digital assets (data, software).
Step 2: Conduct a Risk Assessment

● Identify potential security threats (both physical and cyber) that the SME might
face.
● Assess the vulnerability of the SME's assets to these threats.
● Determine the potential impact of each threat on the SME's operations.

Step 3: Develop Physical Security Measures

● Design a layout for the SME's office space that incorporates principles of natural
surveillance, access control, and territorial reinforcement.
● Specify the types of physical barriers, security systems (e.g., alarms, cameras),
and access controls (e.g., keycard systems) that will be used.
● Develop policies for visitor management and employee access.

Step 4: Outline Cybersecurity Policies

● Create guidelines for password management, including complexity requirements

and change frequencies.
● Define user roles and access levels to ensure the principle of least privilege.
● Propose a system for managing account lifecycles (provisioning and
deprovisioning).

Step 5: Implement Monitoring and Response Plans

● Describe how the SME will monitor for security breaches, including the use of
surveillance for physical security and intrusion detection systems for
cybersecurity.
● Outline the incident response plan for different types of security breaches (e.g.,
break-ins, data breaches).
● Develop a communication plan for notifying relevant stakeholders in the event of
a security incident.
Step 6: Education and Training

● Plan regular security awareness training sessions for employees, covering both
cyber and physical security best practices.
● Create a schedule for drills and exercises to test the physical security measures
and incident response plans.

Step 7: Maintenance and Review

● Establish a schedule for regular reviews and updates to the security plan,
considering emerging threats and evolving technologies.
● Detail maintenance routines for security systems and software to ensure they
remain effective and up-to-date.

Step 8: Documentation

● Compile all the information, policies, plans, and procedures developed in the
previous steps into a comprehensive security blueprint document.
● Include appendices for quick-reference guides, emergency contacts, and a
glossary of terms.

Step 9: Presentation

● Prepare a presentation summarizing the key aspects of your security blueprint.

This could be intended for the SME's management, employees, or a class if this
project is part of coursework.

Step 10: Reflection

● Reflect on the process of creating the security blueprint. Identify any challenges
faced and how they were overcome.
 ● Consider what could be improved in the blueprint and how additional resources
or expertise might enhance the SME's security posture.

Resources

Project 5 Template