ELI5: What is Physical Security?
Physical security is all the real-world stuff that keeps bad people away from your computers and buildings — fences around the property, locks on the doors, cameras watching the hallways, and guards checking who comes in. Even the best password in the world won’t help if someone can just walk up to a computer and steal it. That’s why protecting the actual building and the equipment inside it is just as important as protecting what’s on the screen.
Overview
Physical security encompasses the tangible controls that protect an organization’s facilities, hardware, and personnel from unauthorized physical access, theft, damage, and environmental threats. It forms the outermost layer in a defense-in-depth strategy and is often the first line of defense against both external intruders and insider threats.
Key Concepts
- Bollards — short vertical posts preventing vehicle ramming attacks
- Fencing — perimeter barriers; height determines deterrence level (3 ft = deterrent, 6 ft = hard to climb, 8 ft+ = serious security)
- Access control vestibules (mantraps) — dual-door chambers allowing only one door open at a time; prevents tailgating
- Security guards — human element providing judgment-based access control
- Video surveillance (CCTV) — continuous monitoring and recording of facility areas
  - PTZ cameras (Pan-Tilt-Zoom) for active monitoring
- Access badges — RFID or smart card-based identification for building entry
- Lighting — well-lit areas deter criminal activity; critical for CCTV effectiveness
- Sensors:
  - Infrared — detects body heat
  - Pressure — detects weight on floor surfaces
  - Microwave — detects movement via microwave signals
  - Ultrasonic — detects movement via sound waves
- Locks — mechanical (key), electronic (keypad), biometric (fingerprint)
- Cable locks — physically secure laptops and equipment
- Privacy screens — prevent shoulder surfing
- Secure areas — server rooms, data centers, wiring closets; require restricted access
- Environmental controls — fire suppression (wet pipe, dry pipe, clean agent), HVAC, humidity control
- Faraday cage — blocks electromagnetic signals; prevents eavesdropping and signal leakage
- USB data blocker — device that blocks data pins on USB connections, allowing only power (prevents juice jacking)
- Juice jacking — attack using compromised USB charging stations to steal data or install malware
- FM-200 — clean agent fire suppression system safe for use around electronic equipment; replaces older Halon systems
- Protected Distribution System (PDS) — hardened conduit system for securing network cabling against tapping or interception
- Data destruction methods — overwriting, degaussing (using magnetic fields to erase), physical destruction (shredding, incineration)
- Purging vs. sanitization — purging removes data so it cannot be reconstructed; sanitization makes media suitable for reuse
Exam Tips
Remember
Access control vestibule (mantrap) = prevents tailgating. Bollards = prevents vehicle attacks. Faraday cage = prevents electromagnetic eavesdropping. Know which physical control maps to which threat.
Fire Suppression
Wet pipe = always has water, fastest response. Dry pipe = water held back by valve, for cold environments. Clean agent (FM-200, Halon replacement) = safe for electronics in data centers.
Connections
- Forms the outermost layer of defense-in-depth security strategy
- Prevents physical social engineering attacks like tailgating (see social-engineering)
- Protects embedded devices that may be deployed in exposed locations (see embedded-systems-security)
- Environmental controls support resilience and redundancy goals for facility uptime (see resilience-and-redundancy)
- Access badges and biometrics tie into authentication as physical identity verification
Practice Questions
Q-Bank: Physical Security (4 Questions)
Q1. After a social engineering assessment reveals that unauthorized individuals frequently follow employees through the main entrance, which physical control should an organization implement FIRST to address this specific vulnerability?
A. CCTV cameras at all entrances
B. Access control vestibule (mantrap)
C. Biometric fingerprint scanners
D. Increased perimeter lighting
Answer: B. Access control vestibule (mantrap)
An access control vestibule (mantrap) is a dual-door chamber that allows only one door to be open at a time and admits one person per authentication — it directly prevents tailgating. CCTV cameras record activity for review but do not physically prevent unauthorized entry. Biometric scanners strengthen authentication but do not prevent someone from following an authorized person through a single door. Increased lighting deters criminal activity in outdoor areas but does not address the tailgating problem at building entrances.
Q2. A data center manager needs to select a fire suppression system for a room containing critical servers and networking equipment. Which system type is BEST suited to protect the electronics?
A. Wet pipe system
B. Dry pipe system
C. Clean agent system (FM-200)
D. Sprinkler with pre-action valve
Answer: C. Clean agent system (FM-200)
Clean agent systems like FM-200 suppress fire without leaving residue or water, making them safe for electronics in data centers and server rooms. Wet pipe systems always contain water and would damage electronic equipment. Dry pipe systems still release water when activated — they just hold it back with a valve for cold environments. Pre-action sprinklers also ultimately release water and are designed to prevent accidental discharge, not to protect sensitive electronics.
Q3. A government facility needs to prevent adversaries from intercepting electromagnetic emanations from classified workstations. Which physical security measure BEST addresses this threat?
A. Privacy screens on monitors
B. Cable locks on all equipment
C. Faraday cage around the secure room
D. Infrared motion sensors
Answer: C. Faraday cage around the secure room
A Faraday cage blocks electromagnetic signals from entering or leaving an enclosed space, preventing eavesdropping on electromagnetic emanations from electronic equipment. Privacy screens prevent shoulder surfing (visual eavesdropping) but do not block electromagnetic signals. Cable locks prevent physical theft of equipment but do not address signal emanation. Infrared motion sensors detect physical movement for intrusion detection and have nothing to do with electromagnetic shielding.
Q4. A facility security officer is evaluating perimeter fencing options for a high-security compound. What is the MINIMUM fence height recommended for deterring a determined intruder?
A. 3 feet — basic deterrent
B. 6 feet — difficult to climb
C. 8 feet or higher — serious security
D. 4 feet — standard commercial height
Answer: C. 8 feet or higher — serious security
Fencing standards indicate that 8 feet or higher provides serious security appropriate for high-security facilities and deters determined intruders. A 3-foot fence is only a basic deterrent marking boundaries. A 6-foot fence is difficult to climb but may not deter a determined intruder at a high-security compound. A 4-foot fence is not a standard security classification and provides minimal deterrence.
Scenario
See case-physical-security for a practical DevOps scenario applying these concepts.