Perform a physical security gap analysis

Physical security is not optional. Tom Olzak demonstrates, from an intruder's perspective, what an organization should consider when conducting a physical security gap analysis.

When we speak of information security, we generally focus on technical or administrative controls. In fact, most organizations separate physical security from the IT security team, making it someone else's problem.  This is fine until a breach occurs because of weak or non-existent physical security controls.

Performing a physical security gap analysis should be on every information security manager's agenda, even if someone else has overall control of locks and fences.

Why physical security is important

"Officially" physical security includes fire suppression systems, alternate power sources, and backups.  However, I am putting them aside and focusing instead on fences, locks, and supporting controls that delay the advance of a human attacker toward a target.  Within this context, the purpose of a physical security gap analysis is to determine whether the controls in place are sufficient to:

  1. Delay an intruder
  2. Detect an intruder
  3. Result in the apprehension of an intruder

Without these controls, a criminal doesn't have to break through a firewall or intrusion prevention system to get to your data. The attacker only has to walk up to a desktop or server and help themselves. And none of the technical or administrative controls you have in place will stop a skilled attacker with physical access to your systems. (See Open door? Game over.)

Physical security controls

Again, the objective of physical security is to delay and detect an intruder so that intervention by security guards or law enforcement is possible. What controls you use depend on:

  • Sensitivity of the target
  • Whether you have security guards on site
  • Proximity to law enforcement and related response time

Figure A is a model to deploy physical security for a highly sensitive target. Although most of us do not need this level of physical protection, the following discussion about the graphic helps demonstrate the possible steps you can take.

Figure A

For the purpose of this discussion, let's walk through the assessment phase of a possible breach by Henry Hacker.  As Henry approaches the property line, he sees an eight-foot fence topped with barbed wire.  This might be enough to keep out a casual attacker, but Henry has thousands of dollars waiting for him when he delivers the data inside the target building. The wire cutters in his toolkit will take care of the chain link.

But Henry can't just start hacking through the fence.  Security lighting around the property's perimeter provides sufficient illumination for the external security cameras to pick up anything unusual occurring outside or on the fence.  So, that might not be a problem if Henry can kill a light.

Closer examination of the area between the fence and the building, however, causes Henry to utter expletives not intended for mixed company. The target organization has installed motion sensors to detect anyone successfully breaching the fence. Henry has defeated these in the past, but it will add another several minutes to his attack. So far, he has to defeat the lighting, the fence, and motion sensors before he gets to the front door.

Henry packs up his notes containing his observations and heads home. The next step is to see what security looks like inside the building. So far, he thinks he can make it as far as the front door, but he needs to know about the target's incident response and internal controls.

Henry makes an appointment with the security manager and visits the target the next morning. He represents himself as a security director interested in getting some ideas about how to secure his own facility. His social engineering ploy is successful, playing on the ego of the target's security manager, Ted.

Ted proudly explains how the target systems are protected. There are no unbarred windows into the building. Further, the only gate and the only door into the facility are always locked. A security guard positioned in the building controls access by anyone not possessing a key card. Before entering the room containing the target, an individual must show the security guard identification, which is compared to an access list. If the visitor is on the access list, he or she is allowed into the target room when the guard momentarily deactivates the electronic lock securing the door.

All activity in the building is recorded by human-monitored video cameras, with the output continuously sent to an offsite repository. Further, whenever an intruder is detected, an incident response process is activated. The documented response plan includes locking down the facility, notifying the police, and positioning in-house guards at key locations. Ted explains that he regularly practices this process with his team and local law enforcement. Response times are very, very short.

Returning home, Henry reviews the controls implemented by the target organization. Based on his analysis, Henry decides that he cannot make it through the various barriers and get back out again before being apprehended. His only option is trying a social engineering approach while hoping one of the security guards is open to a little negotiation…

Protecting your organization

The protection Henry encountered is not typical. Most businesses don't need, nor can they afford, that kind of physical protection of information assets. However, the following principles apply regardless of the approach you use:

  1. Use barriers (fences, walls, locks, and so on) to discourage an attack or to delay intruders. Make sure the delay time is longer than the response time.
  2. Implement detection controls to identify an intrusion as quickly as possible.
  3. Plan, document, and practice an intrusion response process.  Practice is critical.  Every second spent trying to decide what to do cuts into your delay time, shifting the advantage to the intruder.
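A small model of the delay-versus-response comparison behind these three principles, added here as an illustration and not taken from the original article: the layers mirror Figure A with constructed, illustrative delay figures, and a second scenario shows how unmonitored outer sensors and an unrehearsed response consume the margin.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Layer:
    name: str
    delay_s: int   # seconds the barrier holds a prepared intruder (assumed, illustrative figure)
    detects: bool  # True if an alarm is raised as soon as the intruder starts on this layer

@dataclass(frozen=True)
class GapResult:
    detected_at: Optional[str]  # first layer that raises an alarm, None if no layer does
    wasted_delay_s: int         # delay defeated before anyone knew an intrusion was under way
    useful_delay_s: int         # delay still ahead of the intruder once the response clock runs
    response_s: int             # time to decide what to do plus time for responders to arrive
    margin_s: int               # useful delay minus response time; must be positive

    @property
    def adequate(self) -> bool:
        return self.detected_at is not None and self.margin_s > 0

def gap_analysis(layers: Sequence[Layer], decision_s: int, responder_s: int) -> GapResult:
    """Compare the delay remaining after first detection with the time a response needs.

    Modelling assumption: delay spent on layers before the first detection is wasted, since
    the response clock has not started. Deciding what to do is charged to the response time.
    """
    response = decision_s + responder_s
    detected_at: Optional[str] = None
    wasted = useful = 0
    for layer in layers:  # listed in the order the intruder must defeat them
        if detected_at is None and layer.detects:
            detected_at = layer.name
        if detected_at is None:
            wasted += layer.delay_s
        else:
            useful += layer.delay_s
    margin = useful - response if detected_at is not None else -response
    return GapResult(detected_at, wasted, useful, response, margin)

# Constructed layering of Figure A, outermost first; delay figures are illustrative only.
FIGURE_A = [
    Layer("lit, camera-covered fence", 120, True),
    Layer("motion-sensor zone", 180, True),
    Layer("locked door, guard checks badge", 300, True),
    Layer("target room electronic lock", 240, True),
]
# Same barriers, but the outer sensors are unmonitored and nobody has rehearsed the response.
UNMONITORED = [Layer(l.name, l.delay_s, False) for l in FIGURE_A[:2]] + FIGURE_A[2:]
```

With these constructed figures, `gap_analysis(FIGURE_A, 30, 300)` reports a margin of +510 s, while `gap_analysis(UNMONITORED, 300, 300)` reports -60 s because 300 s of fence and sensor delay were defeated before anyone was watching and the decision time alone consumed what was left.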

A physical security gap analysis must take into consideration risk and the organization's appetite for risk.  However, any business with information classified greater than "public" should regularly assess its ability to prevent physical access to critical systems and network components.


Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
