7.02 Summarize various security measures and their purposes
Introduction
Imagine you’re guarding a house, and you want to make sure only trusted people can enter and that your valuables are always safe from harm. Just like you’d use locks, fences, and cameras for physical security, various security measures in the digital world work similarly to protect important information and resources. This lesson will show you the "locks" and "barriers" in cybersecurity, helping you understand how to keep systems safe, manage who gets in, and solve security problems before they cause trouble. Whether it’s setting up stronger passwords, using firewalls, or managing mobile devices, knowing these measures helps you not only protect your own data but also assist others in securing theirs.
Physical Access Control
Physical security measures are used to control who can enter a building or restricted areas within the building, like a server room.
Perimeter Security
Perimeter security helps protect the outside of a building or area using barriers and surveillance. Common perimeter security methods include:
Barricades and Fences: Used to keep unauthorized people away from the building. In high-risk areas, barriers like bollards or security posts can stop vehicles from approaching the building to prevent crashes or bomb threats.
Security Fencing: Designed to be see-through so guards can spot any attempt to break in. Fencing should be strong (hard to cut) and tall (hard to climb), sometimes topped with razor wire.
While fencing is effective, it can make the building look unwelcoming. Buildings that expect visitors or customers may prefer more discreet security measures.
Access Control Vestibules
Once past the perimeter, people should enter and leave the building through specific entry and exit points. Entry points might include separate doors for visitors and staff.
A simple door has some security risks:
More than one person can go through at once.
Someone may hold the door open for another person.
Unauthorized visitors might tailgate behind authorized employees.
To solve these issues, turnstiles or access control vestibules can be installed. An access control vestibule is an enclosed area where only one person can enter at a time, adding extra security.
Magnetometers
At building entrances, magnetometers (metal detectors) can be used to check for concealed weapons or other prohibited items. These are often used in places like airports and public buildings and can be walk-through or handheld.
Security Guards
Security guards provide human protection at critical areas around a building. Their duties include:
Monitoring checkpoints.
Verifying IDs and controlling access.
Logging who enters and exits.
Security guards act as a visual deterrent and can use their judgment to spot and respond to potential security issues.
Lock Types Overview
A door lock controls who can enter or leave a building or room without a security guard having to be present at the door. Whether a lock alone is enough, or whether a guard or vestibule is also needed, depends on the risk of tailgating or piggybacking at that entrance.
Types of Door Locks
Different door locks can be used depending on the security needs:
Key-operated locks: A traditional lock that requires a key to operate the door handle.
Electronic locks: These are operated by entering a PIN on an electronic keypad instead of using a key.
Badge reader locks: These use a hardware token like a magnetic swipe card or a contactless smart card. More advanced systems use smart cards or key fobs with cryptographic features, which are much harder to clone than basic swipe cards.
Biometric Door Locks
Biometric locks use physical characteristics, like fingerprints or eye patterns, to control access. Common types include:
Fingerprint reader: Detects the unique pattern of a person’s fingerprint using a small capacitive cell. It's easy to use but can be affected by dirt or moisture, and there are hygiene concerns in shared areas.
Palmprint scanner: This contactless scanner uses light to capture the pattern of veins and features in a person’s hand. It requires the user to make an intentional gesture for authentication.
Retina scanner: Uses infrared light to scan the blood vessels in the eye. It’s one of the most accurate biometric systems, as the pattern of blood vessels remains the same throughout life. However, this method is expensive, intrusive, and can produce false negatives in people with diseases like cataracts.
General Issues with Biometric Locks:
Privacy concerns related to capturing and storing personal information.
Accessibility issues for people who may not be able to perform the necessary bio gesture.
Equipment Locks
Equipment locks are used to prevent unauthorized access to servers and network devices or to protect them from theft. Common types include:
Kensington locks: These use a cable to secure laptops or other devices to a desk or pillar, making them harder to steal.
Chassis locks and faceplates: Prevent server covers from being opened, which can block access to USB ports and stop tampering with internal disks.
Lockable rack cabinets: Control access to servers, switches, and routers in network racks. These cabinets may use key-operated or electronic locks.

Alarms and Surveillance Overview
When designing security for a building, it’s important to protect all potential entry points that could be misused, such as emergency exits, windows, hatches, and grilles. These areas can be secured using bars, locks, or alarms. Pathways like false ceilings and ducting should also be considered.
Types of Alarm Systems
The main types of alarm systems used to detect intrusion or unauthorized activity are:
1. Circuit Alarms
How they work: Circuit alarms activate when an electrical circuit is opened or closed.
Triggered by: Events such as a door or window opening or a fence being cut.
2. Motion Sensors
How they work: Motion-based alarms use detectors to sense movement in an area.
Types of sensors:
Microwave radio reflection (like radar).
Passive infrared (PIR): Detects moving heat sources, like people.
3. Proximity Alarms
How they work: RFID tags and readers track the movement of tagged objects.
Purpose: Used to detect if someone is trying to remove equipment.
4. Duress Alarms
How they work: Triggered manually by staff under threat.
Examples:
Wireless pendants or concealed sensors.
Duress codes: Some entry locks can be programmed with a duress code, which opens the door but secretly alerts security that the user is under threat.
Video Surveillance
Video surveillance provides an additional layer of security to monitor entry points and secure areas. It can be used to observe perimeter gateways or areas inside the building.
Types of surveillance:
CCTV (closed-circuit television): An older system using wired cameras.
IP cameras: Modern, internet-connected cameras.
Surveillance systems can use motion detection or even facial recognition to alert security personnel about possible intrusions.

Security Lighting
Security lighting plays a key role in creating a sense of safety, especially at night or in enclosed spaces like parking garages. It also helps deter intrusions by making it harder to hide and easier to spot potential threats.
Good lighting design should:
Provide sufficient overall light levels.
Light key surfaces or areas, such as entry points or areas where facial recognition might be used.
Avoid creating shadows or glare, which can reduce visibility.

Logical Security Controls Overview
A security control is a method used to prevent, avoid, or minimize risks to personal or company property. For example, a firewall is a security control that manages network communications, only allowing traffic permitted by the system administrator.
Security controls can be grouped into three categories:
Physical controls: Barriers like fences, doors, and locks that protect physical sites.
Procedural controls: Processes and policies enforced by people, such as incident response plans and security awareness training.
Logical controls: Digital or software-based protections, such as user authentication, antivirus software, and firewalls.
The AAA Triad
The AAA triad represents the core functions of a logical security system:
Authentication: Verifies that each user or device is identified by an account and ensures only those with correct credentials can access the account.
Authorization: Ensures that resources are only accessible to accounts with the proper permissions. Each resource has an access control list (ACL) that defines what users can do, such as read-only access or edit permissions.
Accounting: Logs the details of when and by whom a resource was accessed.
Access Control Lists (ACL)
An Access Control List (ACL) defines what permissions an account has for a specific resource. Each Access Control Entry (ACE) within the ACL identifies a subject (such as a user, computer, or service) and the permissions they have.
Subjects can be identified by:
MAC address, IP address, or port number for firewall rules.
Security ID (SID) for users and groups in systems like Windows.
Important note: SIDs are unique. Even if an account is deleted and then recreated with the same username, it will have a different SID, requiring permissions to be reassigned.
Implicit Deny
The principle of implicit deny means that unless there is a specific rule allowing access, any request will automatically be denied. This principle is often seen in firewall policies:
Firewall rules are processed from top to bottom.
If a request doesn’t match any rules, the default rule (deny) is applied, rejecting the request.
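The two list-processing rules above (an ACE names a subject and its permissions; firewall rules are evaluated top to bottom with an implicit deny when nothing matches) are easy to get wrong in practice, so here is a small worked model of both. This is an added example, not code from the lesson or from any real firewall or Windows component: the rule classes, the SID format string, the account name and the IP addresses are all constructed sample values.

```python
"""Access control list evaluation: first-match rules, implicit deny, SID-keyed ACEs.

Added example (not from the lesson). Models two ACLs the lesson describes:
a firewall rule list matched on source IP / destination port, and a resource
ACL whose entries are keyed on a security ID (SID). All values are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence
import itertools


@dataclass
class FirewallRule:
    action: str                      # "allow" or "deny"
    src_ip: str = "any"              # exact source address, or "any"
    dst_port: Optional[int] = None   # None matches every port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return (self.src_ip in ("any", src_ip)
                and (self.dst_port is None or self.dst_port == dst_port))


def evaluate_firewall(rules: Sequence[FirewallRule], src_ip: str, dst_port: int) -> str:
    """Rules are processed top to bottom; the first matching rule decides.
    A request that matches no rule falls through to the implicit default: deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return "deny"


@dataclass
class ACE:
    """One access control entry: a subject (by SID) and the permissions granted."""
    sid: str
    permissions: FrozenSet[str]


class ResourceACL:
    def __init__(self) -> None:
        self.entries: List[ACE] = []

    def add(self, sid: str, *perms: str) -> None:
        self.entries.append(ACE(sid, frozenset(perms)))

    def allowed(self, sid: str, perm: str) -> bool:
        # A permission must be explicitly granted to this SID; absence means denied.
        return any(perm in ace.permissions for ace in self.entries if ace.sid == sid)


class Directory:
    """Toy account store that issues a fresh SID on every account creation,
    mirroring the lesson's note that a deleted and recreated account gets a new SID."""
    _rid = itertools.count(1001)

    def __init__(self) -> None:
        self.accounts = {}

    def create(self, name: str) -> str:
        sid = "S-1-5-21-EXAMPLE-%d" % next(self._rid)   # constructed SID format
        self.accounts[name] = sid
        return sid

    def delete(self, name: str) -> None:
        del self.accounts[name]


def demo():
    rules = [
        FirewallRule("allow", src_ip="10.0.0.5", dst_port=22),   # admin host may SSH
        FirewallRule("deny", src_ip="10.0.0.5"),                 # ...but nothing else
        FirewallRule("allow", dst_port=443),                     # HTTPS open to all
    ]
    firewall = {
        "admin_ssh": evaluate_firewall(rules, "10.0.0.5", 22),        # rule 1 -> allow
        "admin_https": evaluate_firewall(rules, "10.0.0.5", 443),     # rule 2 hit before rule 3 -> deny
        "public_https": evaluate_firewall(rules, "203.0.113.9", 443),  # rule 3 -> allow
        "public_smb": evaluate_firewall(rules, "203.0.113.9", 445),    # no match -> implicit deny
    }

    directory, acl = Directory(), ResourceACL()
    old_sid = directory.create("david")
    acl.add(old_sid, "read", "write")
    before = acl.allowed(old_sid, "write")      # True: ACE names this SID
    directory.delete("david")
    new_sid = directory.create("david")         # same username, different SID
    after = acl.allowed(new_sid, "write")       # False: permissions must be reassigned
    return firewall, before, after, old_sid != new_sid


if __name__ == "__main__":
    print(demo())
```

The ordering of the second and third rules is the point to notice: because the admin host's deny rule sits above the general HTTPS allow, that host never reaches the allow, which is exactly the top-to-bottom behaviour the lesson describes.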
Least Privilege
The principle of least privilege ensures that users are only granted the minimum permissions necessary to perform their tasks. While this improves security, it can be challenging to implement because permissions must be carefully balanced to avoid creating too many access issues for users.

Authentication Methods Overview
In an access control system, user accounts are set up with permissions to access certain resources and, for privileged accounts, the ability to make system changes. To access an account, the user must authenticate by providing valid credentials, proving they are the rightful account holder.
The security of the access control system depends on the credentials being usable only by the account holder. The format of these credentials is called an authentication factor. There are three main categories of authentication factors:
Knowledge: Something you know (like a password).
Possession: Something you have (like a smart card or smartphone).
Inherence: Something you are (like a fingerprint).
Multifactor Authentication (MFA)
Using just one authentication factor can make systems less secure. For example, passwords can be shared, devices can be stolen, or facial recognition can be tricked with a photograph.
Multifactor Authentication (MFA) makes authentication stronger by requiring the user to provide at least two different types of credentials. Common MFA technologies include 2-step verification and authenticator apps.
2-step Verification
2-step verification uses a soft token to verify that a login attempt is genuine. Here’s how it works:
The user registers a trusted contact method with the app (like an email or phone number).
The user logs in with their password or biometric data.
If the app detects a new device, location, or is set to always use 2-step verification, it sends a soft token (one-time password or OTP) to the registered contact method (via email, SMS, or a voice call).
The user must enter the soft token within a certain time to complete the login.
Mobile phone-based authentication showing one-time passwords.
Authenticator Applications
An authenticator app (like Microsoft Authenticator) can be used for passwordless access or as part of two-factor authentication (2FA).
How it works:
The authenticator app is installed on a trusted device (like a smartphone), which is protected by a screen lock (like a fingerprint).
The user registers the service or network with the authenticator app, usually by scanning a QR code and completing security checks.
When the user tries to log in, the service generates a prompt on the authenticator.
The user unlocks their device and approves the login.
The authenticator either shows a soft token for the user to enter or directly communicates with the service to verify the login.
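The soft tokens used by 2-step verification and by authenticator apps (both described above) are usually generated with the standard HOTP and TOTP algorithms. The following added example, which is not code from the lesson or from any vendor's authenticator, implements those two algorithms and the server-side checks that make an OTP "one-time": a short validity window and rejection of a code that has already been used. The secret is the published RFC test key, not a real credential.

```python
"""Soft-token (one-time password) generation and verification.

Added example, not from the lesson. HOTP follows RFC 4226 and TOTP follows
RFC 6238 (HMAC-SHA1, 30-second step), which is what common authenticator apps
use. SoftTokenVerifier is a constructed server-side check that enforces the
expiry window and single use that 2-step verification depends on.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); not a real secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class SoftTokenVerifier:
    """Server side of the login step. Accepts a code only if it matches the
    current time step (or one step either side, to tolerate clock drift) and
    that time step has not already been consumed, so a captured code cannot
    be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.used_counters = set()

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter in self.used_counters:
                continue                                  # already used once
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time compare
                self.used_counters.add(counter)
                return True
        return False


def demo():
    """Issue a code at t=59s, accept it once, reject the replay and a stale use."""
    verifier = SoftTokenVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    first = verifier.verify(code, 59)        # fresh code inside the window -> True
    replay = verifier.verify(code, 59)       # same code again -> False
    stale = verifier.verify(totp(TEST_SECRET, 59), 59 + 120)  # two minutes later -> False
    return code, first, replay, stale


if __name__ == "__main__":
    print(demo())
```

The `skew` of one step is a design choice: it keeps logins working when the phone's clock is a few seconds off, at the cost of a code staying valid for up to about 90 seconds. The `used_counters` set is what turns a "within the window" check into a genuine one-time check.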
Hard Token Authentication
A hard token works like an authenticator app, but instead of running on a smartphone, it’s implemented in a smart card or USB drive.
RSA SecurID token
A USB security token
How it works:
The hard token is first registered with the service or network.
To log in, the user connects the hard token (like plugging in the USB drive) and authorizes it using a password, PIN, or fingerprint.
The token sends its credential to the service, and the user gains access.
Hard tokens are usually compliant with the Fast Identity Online (FIDO) version 2 standards.
Windows Domains and Active Directory Overview
A local account only works on the specific machine where it was created and can’t be used to access other computers. For example, if a user named David needs access to multiple computers in a workgroup, separate local accounts must be set up on each computer (like PC1\David and PC2\David). Even though the accounts can have the same name and password, David must still log in separately on each machine. Password changes are not synchronized between computers and must be updated manually.
This setup doesn’t work well for large organizations. That’s why most businesses and schools use Windows domain networks, where a domain account can access multiple computers and resources in the domain.
Domain Controllers (DCs)
To set up a domain, you need at least one Windows Server configured as a Domain Controller (DC). A DC stores network information in a database called Active Directory (AD). This database contains information about users, groups, and computers.
The DC manages authentication (logging users in) and ensures that accounts and permissions are managed centrally.
Only Domain Admins can manage DCs and create accounts in the domain.
This centralized model is scalable, secure, and can handle large networks effectively.
Member Servers
A member server is any server that’s part of the domain but does not store a copy of the Active Directory database. These servers provide services like:
File and print sharing.
Application servers (like Exchange for email or SQL Server for databases).
Active Directory uses the Kerberos protocol to allow users to authenticate once and gain access to services across the domain using single sign-on (SSO).
Kerberos Protocol Process

Security Groups in a Domain
A domain uses security groups to manage permissions efficiently. Instead of assigning permissions to each user individually, accounts are added to security groups, which then have permissions assigned to them.
Domain Admins: Users in this group can sign in and manage any computer in the domain, including DCs.
Domain Users: Users in this group have limited access and can only sign in to specific workstations, not DCs.
All accounts and security groups are stored in the Active Directory database on the DC. You can create and modify these using the Active Directory Users and Computers management tool.
Organizational Units (OUs)
An Organizational Unit (OU) is used to divide a domain into different sections for easier management. OUs allow you to delegate control to specific departments or locations.
For example, you might create an OU for the Sales department, where the Sales manager has permission to add or delete user accounts and assign them to the Sales security group.
Standard users in the Sales OU can only sign in to computers in the Sales OU and not on computers in other OUs.
OUs help organize and control access in large organizations, allowing different administrators to manage different parts of the network.
Group Policy Overview
A domain group policy is used to control computer settings and user profile settings across a network. This can include standard settings like Security Settings or custom settings created with Administrative Templates. Group Policy can also be used to automatically deploy software to computers in the domain.
Applying Group Policies
Unlike local computer policies, domain group policy objects (GPOs) can be applied to multiple users and computers at once. This is done by linking a GPO to a domain or Organizational Unit (OU) in Active Directory (AD).
For example, you can link Sales GPOs to the Sales OU. This ensures the policies in the Sales GPO apply to every user and computer within that OU.
A domain or OU can have multiple GPOs linked to it, and a system of inheritance determines the exact set of policies (called Resultant Set of Policies (RSoP)) that will apply to each computer or user.
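To make the inheritance described above concrete, here is an added example that computes a Resultant Set of Policy for an object from the GPOs linked at the domain and at its OU. This is not the lesson's material or any Windows tooling; it models the precedence Windows uses (domain-linked GPOs are applied before OU-linked ones, so an OU setting overrides the same setting from the domain, and within one container the GPO at link order 1 has the highest precedence). GPO names, policy names and the domain and OU names are constructed.

```python
"""Resultant Set of Policy (RSoP) from GPOs linked to a domain and its OUs.

Added example (not from the lesson). Assumptions, stated here as in the lead-in:
containers are processed from the domain down to the object's OU, a later
container's GPOs override an earlier one's, and within a container the GPO
listed first (link order 1) is applied last and therefore wins.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, object] = field(default_factory=dict)


# Container path -> GPOs linked there, in link order (index 0 = link order 1).
Links = Dict[Tuple[str, ...], List[GPO]]


def rsop(links: Links, object_path: Tuple[str, ...]):
    """Return (resultant settings, winning GPO per setting) for an object
    located at object_path, e.g. ("corp.example", "Sales")."""
    result: Dict[str, object] = {}
    winner: Dict[str, str] = {}
    for depth in range(1, len(object_path) + 1):
        container = object_path[:depth]            # domain first, then each OU
        for gpo in reversed(links.get(container, [])):  # link order 1 applied last
            for key, value in gpo.settings.items():
                result[key] = value
                winner[key] = gpo.name
    return result, winner


def demo():
    # Constructed domain layout: corp.example with Sales and Finance OUs.
    links: Links = {
        ("corp.example",): [
            GPO("Default Domain Policy",
                {"MinPasswordLength": 8, "ScreenLockMinutes": 15}),
        ],
        ("corp.example", "Sales"): [
            GPO("Sales Drive Map", {"MappedDrive": "S:"}),            # link order 1
            GPO("Sales Kiosk Lock", {"ScreenLockMinutes": 5,          # link order 2
                                     "MappedDrive": "T:"}),
        ],
    }
    sales = rsop(links, ("corp.example", "Sales"))
    finance = rsop(links, ("corp.example", "Finance"))   # no OU GPO: inherits domain only
    return sales, finance


if __name__ == "__main__":
    for name, (settings, winner) in (("Sales", demo()[0]), ("Finance", demo()[1])):
        print(name, settings, winner)
```

Two things the output shows that the prose only states: the Sales OU's screen-lock value replaces the domain's, while the domain's password-length setting still reaches Sales untouched; and the conflicting `MappedDrive` value is resolved by link order, with the GPO at link order 1 winning. This is the kind of question `gpresult` answers for a real computer.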
Group Policy Command-Line Tools
When updating or managing policies, two important command-line tools are commonly used:
gpupdate: This tool applies new or changed policies immediately, rather than waiting for the normal refresh cycle (which usually happens every 90 minutes).
You can use the /force switch to reapply all policies (both new and existing).
The /logoff or /boot switches can be used to log off or reboot if required by the policy changes.
gpresult: This tool displays the RSoP for a specific computer or user account.
Running this without any switches shows the current policies for the logged-in user and computer.
You can use /s, /u, and /p switches to specify a host, user account, or password.
Login Scripts
A login script runs automatically when a user signs in, performing specific tasks or configurations. These scripts can be set up in a user’s profile or assigned through group policy.
Common Uses of Login Scripts:
Setting environment variables.
Mapping drives to server-based folders.
Connecting to printers or other shared resources.
Ensuring that the client meets security requirements (for example, denying login if software is out of date).
While many of these tasks can be handled by Group Policy, some organizations prefer to use login scripts for flexibility, while others rely entirely on GPOs.
Mobile Device Management (MDM) Overview
Mobile Device Management (MDM) is software used by companies to control and apply security policies to mobile devices. It can manage both company-owned devices and personal devices used by employees under Bring Your Own Device (BYOD) policies.
How MDM Works
MDM software keeps track of device usage on the network and decides whether to allow the device to connect based on rules set by the administrator.
Device Enrollment: When a mobile device is enrolled in the MDM system, the software can apply policies that control how the device is used.
Policies Managed by MDM:
App usage: Allows or restricts which apps can be installed or used on the device.
Corporate data: Controls access to sensitive company data.
Built-in functions: Restricts features like the video camera or microphone on the device.
MDM software helps ensure that devices, whether company-owned or personal, follow the security policies set by the organization, making the network safer and more manageable.
Summary
In this lesson, you’ve explored a wide range of security measures, each designed to protect both physical and digital assets. From perimeter security measures, such as barricades and surveillance, to more intricate systems like access control vestibules and biometric locks, these techniques ensure only authorized personnel have access to sensitive areas.
Logical security controls also play a crucial role in securing systems through authentication and authorization methods, ensuring user accounts are managed safely. Keep in mind that implementing these security measures helps protect organizations from both physical breaches and digital threats, strengthening overall security and reducing risks across the board. You've made great progress in understanding these key security strategies—keep it up!