Interface Technical Training

CompTIA Security+ An Approach Toward Physical Security

For many IT professionals, Security+ is their first exposure to planning facility security. Comprehensive, layered security is always the best solution. With unlimited resources, you can deploy cameras everywhere, key or card access systems at every door, signage throughout a facility, frequent training and user education, security guards, and secured guest and public meeting areas, or even remodel a building with the latest security features. Given limited resources, the placement of security features can be a challenge.


The defense in depth model (shown below) identifies physical security as the secondary layer of security. Physical security includes all of the elements necessary to secure a business site.

The CompTIA SY0-401 objectives provide the following list of physical security controls.

When making decisions regarding the selection and placement of physical controls, four control types should be considered in succession from the outermost to the innermost locations of the business facility.

  1. Deterrent controls are designed to dissuade an attacker from attempting the attack and should be placed at the outermost perimeter(s) of the business facility.
  2. Detective controls are intended to identify an attack or incident in progress (including incidents eventually identified as false alarms). Detective systems typically record violations, sound alarms, and/or notify security personnel, though they do not commonly result in automated responses or actions. Controls within the detective category may include log files that are manually audited after an incident rather than detecting the incident during the attack. Detective systems are typically placed on the exterior of the building, or target the entry and exit points throughout the building. Entry and exit points may include transitions between building zones.
  3. Preventive controls are intended to prevent an incident from doing harm to or creating a loss of business assets. Remember that employees are a critical asset; do not focus solely on information technology systems and data storage. Preventive systems typically include a detective element that results in an automated reaction of a preventive nature. Doors with fail-safe, fail-open, or fail-closed mechanisms would be included in the preventive controls list.
  4. Compensating and corrective controls limit the damage that occurs as a result of an incident, though they do not directly prevent the incident from happening.

The real world seldom mimics the ideal. Test candidates who rely on their experience or exposure to physical security controls may struggle to place physical controls in the ideal location when prompted on the exam.

Although real-world scenarios do not always accommodate the perfect layout of a facility, Security+ exam scenarios are designed to afford ideal implementations. For instance, the data center or server room should always be placed in the centermost portion of the facility, with solid walls, floors, and ceilings other than HVAC access. Central placement of the data center protects the most important data components (the core of the defense in depth model). In the real world, placement of the data center or server racks is often an afterthought that follows the placement of office spaces. Although glass windows and doors make for an excellent promotional display of a company’s technology, they are considered a weakness in security rather than a control that allows attack detection. When you are asked about facility layouts on the Security+ exam, always place the data center within the core of the building. Consider employee safety and security over employee comfort and convenience.

Deterrent controls include fencing, barriers, video surveillance, proper lighting, on-premises security officers, and signage. Place as many of these as possible exterior to the building.

Detective controls include alarm-inducing systems (smoke, fire, door sensors, motion detection, glass breakage, pressure plates and door magnets), access lists and sign-in sheets, and potentially a guard-monitored sign-in desk. Video surveillance systems may be used for detection, though they are slightly weighted toward deterrent use on the exam. Door access controls that include identification or authentication systems, including keyed access and proximity card readers, are considered detection systems. The use of door access controls commonly separates public areas from employee-accessible areas of the facility.

Prevention controls include hardware locks, mantraps, and biometric systems. These solutions dramatically reduce the opportunity for attackers to acquire business assets. Specialized server racks are also considered a prevention control. Examples of the latter include seismically braced racks, enclosed power and data distribution runs, and locking cabinets. Vaults and safes are also considered prevention controls.

Because incidents include natural and accidental system or business disruption, compensating and corrective controls are more commonly associated with the response to related outages. Examples include UPS, component redundancy, and generators.

In addition to the controls listed within the SY0-401 objectives, you also need to consider the placement and configuration of wireless access points to prevent war-driving, access to Wi-Fi Protected Setup (WPS) PINs, and unauthorized connection by authorized visitors.

There are several specialized physical controls whose placement is predicated upon their purpose rather than classification:

When you encounter a question about the placement of physical security controls, start either from the perimeter and work your way inside, or from the core of the building and work your way to the outside. Place your specialized controls based upon building layout.

This approach will serve you well on the exam and in the real world.

I look forward to seeing you in the classroom, or online!

Steven Fullmer
Interface Technical Training Staff Instructor

Steve teaches PMP: Project Management Fundamentals and Professional Certification, Windows 10, and CompTIA classes in Phoenix, Arizona.