PHYSICAL SECURITY PRESENTATION

GROUP 4
MARANGE C (R1814123E) MUREWI A (1814315V)
TAVARWISA E (R176595P) ZISHIRI M (R191526P)
DZINGAI R (R1813742R) CHIWESHE P (R192731A)
MPARAMOTO S (R191062Q) MAPINDU G (R191678H)
 INTRODUCTION
Physical security is broadly defined as the use of
physical measures to protect valuables, information or
access to restricted resources (Goodrich and Tamassia,
2014).

It may also be called infrastructure security.

 Physical security protects information systems (ISs)
that house data and the people who use, operate and
maintain the systems.

It embodies all measures that should prevent all types of

physical access or intrusion that potentially
compromises logical security.
Overly, the role of physical security is to protect the
physical assets that support the storage and processing
of information.
 INTRODUCTION
Physical security involves two complementary
requirements.
Firstly, it must prevent damage to the physical
infrastructure that sustains ISs.
Secondly, it must prevent misuse of the
physical infrastructure that leads to the
misuse, damage, exfiltration of the protected
information.
Misuse of the physical infrastructure can be
accidental or malicious.
It includes vandalism, theft of equipment,
computing resources, data exfiltration and
unauthorized entry.
 PHYSICAL SECURITY CONCERNS OF
ORGANISATIONS

Source: Vacca (2017:966)

 PHYSICAL SECURITY CONCERNS
OF ORGANISATIONS
The central concern is the information or digital assets of
an organization.
The assets possessed by the firm provide value to the
organization.
The upper four items are supported by information assets.
In turn, the physical infrastructure is essential to providing
for storage and processing of these assets.
The lower four items in the figure namely storage and
transmission media, digital resources to send, receive,
write and read data, power, software, communication
services and humans and building with controlled assess
and environmental conditions are the concern of physical
security.
Not shown is the role of logical security, which consists of
software and protocol-based measures for ensuring data
integrity, confidentiality, availability and so forth.
 PHYSICAL SECURITY CONCERNS
OF ORGANISATIONS
 The role of physical security is affected by the
operating location of the IS.
 The operational location can be characterized as
static, mobile or portable. This presentation though
will focus on static systems that is, those that are
installed on fixed locations.
 A mobile system is installed in a vehicle, which
serves the function of a structure for the system.
 Portable systems have no single installation point
but may operate in a variety of locations, including
buildings, vehicles or in the open.
 The nature of the system’s installation determines
the nature and severity of the threats of various
types including fire, unauthorized access among
others.
 PHYSICAL SECURITY THREATS

 In order to ensure that prevention measures are

comprehensive, it is important for one to
understand the spectrum of threats to ISs.

 Threats can be categorized into the following

classes:
 Environmental threats.
 Technical threats.
 Human-caused threats.
 PHYSICAL SECURITY THREATS
• Environmental Threats

 Environmental threats encompass conditions in the environment

that can damage or interrupt the services of ISs and the data they
house.
 Off site, there may be severe region-wide damage to the public
infrastructure; in the case of severe hurricanes, it may take days,
weeks, or even years to recover from the event.

 Natural disasters are the source of a wide range of environmental

threats to data centers, other information processing facilities
and to humans or users. The risk assessment of various types of
natural disasters and taking suitable precautions mitigate the
catastrophic loss from natural disasters.

 Natural disasters include but not limited to tornados, hurricanes,

typhoons, floods, lightning, earthquakes etc.
•
 PHYSICAL SECURITY THREATS
• Technical Threats
• This category encompasses threats related to
electrical power and electromagnetic emission
(EMI).

• Human-Caused Threats
• Human-caused threats are more difficult to deal
with than the environmental and technical threats.
• They are less predictable than other types of
physical threats.
• Worse, human-caused threats are specifically
designed to overcome prevention measures and or
seek the most vulnerable point of attack.
 PHYSICAL SECURITY THREATS
• Human-Caused Threats can be categorised as:
• Unauthorized physical access. Unauthorized
physical access can lead to other threats such as
theft, vandalism or misuse.
• Theft. It includes theft of equipment and data
exfiltration. Eavesdropping and wiretapping also
fall into this category. Theft can be at the hands
of an outsider who gains unauthorized access or
by an insider.
• Vandalism. This threat includes destruction of
equipment and deletion of data.
• Misuse. Misuse is improper use of resources by
those who are authorized to use them and by
unauthorized persons.
 AUTHORISATION
• This is the determination of whether a user has
permission to access, read, modify, insert, or
delete certain data, or to execute certain
programs (Kizza, 2020).
• In particular, it is a set of access rights and
access privileges granted to a user to benefit
from a particular system resource.
• Authorization is also commonly referred to as
access permissions, and it determines the
privileges a user has on a system and what the
user should be allowed to do to the resource.
Access permissions are normally specified by a
list of possibilities.
 AUTHORISATION
• While access control consists of defining an
access policy for each system resource, the
enforcement of each one of these access
policies is what is called authorization.

• The implementation of mechanisms to control

access to system resources is therefore a must
for an effective access control regime.

• The process of authorization itself has

traditionally been composed of two separate
• processes namely authentication and access
control.
 AUTHORISATION
• Authentication deals with ascertaining that the
user is who he or she claims he or she is.

• Access control then deals with a more refined

problem of being able to find out “what a specific
user can do to a certain resource.”

• So authorization techniques such as the

traditional centralized access control use Access
Control Lists as a dominant mechanism to create
user lists and user access rights to the requested
resource.
 AUTHORISATION
• Authorization has three components: a set of objects
O, a set of subjects S, and a set of access
permissions A. The authorization rule is a function f
that takes the triple (s, o, a), where s € S, o € O, a € A
and maps then into a binary-value T, where T = {true,
false} as f: S × O × A → (True, False). When the value
of the function f is true, this signals that the request
for subject s to gain access to object o has been
granted at authorization level a.
• Modern authentication process is decentralized to
allow more system independence and give network
services providers more control over system resource
access.
• In distributed systems, it is hard and if not impossible
to manage all users and resources in one central
location. Additionally, many servers do not need to
know who the user is in order to provide services.
 AUTHORISATION
• The capability mechanism central in traditional
process, however, plays a central role here, providing
for decentralization of authorization through providing
credentials to users or applications whenever it
receives requests for resource access.

• Each user or application keeps a collection of

capabilities, one for each resource they have access
to, which they must present in order to use the
requested resource. Since every resource maintains
its own access control policy and complete proof of
compliance between the policy and credentials
collected from the user or application, the server
receiving the request need not consult a centralized
ACL for authorization
 AUTHORISATION MECHANISMS
• Discretionary Authorization
• This is a mechanism that grants access
privileges to users based on control policies that
govern the access of subjects to objects using
the subjects’ identity and authorization rules
(Kizza, 2020).
• These mechanisms are discretionary in that they
allow subjects to grant other users authorization
to access the data. They are highly flexible,
making them suitable for a large variety of
application domains.
• However, the same characteristics that make
them flexible also make them vulnerable to
malicious attacks, such as Trojan horses
embedded in application programs.
 AUTHORISATION MECHANISMS
• Discretionary Authorization
• The reason is that discretionary authorization
models do not impose any control over how
information is propagated, and once used, they
have been accessed by users authorized to do so.

• However, in many practical situations,

discretionary policies are preferred since they
offer a better trade-off between security and
applicability.
 AUTHORISATION MECHANISMS
• Mandatory Access Control

• Mandatory policies ensure a high degree of

protection in that they prevent any illegal flow of
information through the enforcement of
multilevel security by classifying the data and
users into various security classes.
• They are, therefore, suitable for contexts that
require structured but graded levels of security,
such as the military.
• However, mandatory policies have the drawback
• of being too rigid in that they objects in security
levels and are therefore applicable only to very
few environments. require a strict classification of subjects
and
 TYPES OF AUTHORIZATION SYSTEMS
• Centralized
• In centralized authorization, only one central
authorization unit grants and delegates access to
system resources.
• This means that any process or program that
needs access to any system resource has to
request from the one omniscient central
authority.
• Centralized authorization services allow you to
set up generalized policies that control who gets
• access to resources across multiple platforms.
• For example, it is possible to set an authorization
to a company’s web portal in such a way that
authorization is based on either functions or
titles.
 TYPES OF AUTHORIZATION SYSTEMS
• Decentralized
• This differs from the centralized system in that the
subjects own the objects they have created and are
therefore responsible for their security, which is locally
maintained.
• This means that each system resource maintains its own
authorization process and maintains its own database of
authorizations associated with all subjects authorized to
access the resource.
• Each subject also possesses all possible rights to
• access every resource associated with it. Each subject
may, however, delegate access rights to its objects to
another subject. decentralized
• Authorization is found to be very flexible and easily
adaptable to particular requirements of individual subjects.
• However, this access rights delegation may lead to the
problem of cascading, and cyclic authorization may arise.
 TYPES OF AUTHORIZATION SYSTEMS
• Implicit
• In implicit authorization, the subject is authorized
to use a requested system resource indirectly
because the objects in the system are referenced
in terms of other objects.
• That means that in order for a subject to access
a requested object, the access must go through
an access of a primary object.
• For example, a request to use a web page; the
page may have links connected to other
documents. The user who requests for
authorization to use the web has also indirect
authorization to access all the pages linked to
the authorized original page. This is therefore, a
level of authorization called granularity.
 TYPES OF AUTHORIZATION SYSTEMS
• Explicit
• Explicit authorization is the opposite of the implicit. It
explicitly stores all authorizations for all system objects
whose access has been requested.
 AUTHENTICATION
• Authentication is the process of validating the identity
of someone or something. It uses information provided
to the authenticator to determine whether someone or
something is, in fact, who or what it is declared to be.
• Authentication is the process of identifying users that
request access to a system, network or device.
• Access control often determines user identity according
to credentials like username and password.
• Other authentication technologies like biometrics and
authentication applications are also used to
authenticate user identity.
• User authentication is important in that it bars
unauthorized users from accessing sensitive
information.
• For example, User A may have access rights to
restricted areas that User B may not possess and thus
cannot get access to the restricted area.
 AUTHENTICATION MECHANISMS
• The user presents this password to the logon to prove that
he or she knows something no one else could know.
• Generally, authentication requires the presentation of
credentials or items of value to really prove the claim of
who you are. The items of value or credential are based on
several unique factors that show something you know,
something you have, or something you are.
• Something you know: This may be something you mentally
possess. This could be a password, a secret word known
by the user and the authenticator.
• Something you have: This may be any form of issued or
acquired self-identification such as SecurID, CryptoCard or
ActiveCard.
• Something you are: This is a naturally acquired physical
characteristic such as voice, fingerprint, iris pattern, and
other biometrics
 AUTHENTICATION MECHANISMS
• Password-based authentication
• Passwords are the most common methods of
authentication. Passwords can be in the form of a string of
letters, numbers, or special characters. For greater
protection, one needs to create strong passwords that
include a combination of all letters, numbers and
characters with most systems validating the password for
strength and meeting the system prescribed requirement.

•  However, passwords are prone to phishing attacks and bad

hygiene that weakens their effectiveness. An average
person has about 25 different online accounts, but only
54% of users use different passwords across their
accounts.
 AUTHENTICATION MECHANISMS
• Password-based authentication
• The truth is that there are a lot of passwords to remember.
As a result, many people choose convenience over security.
Most people use simple passwords instead of creating
reliable passwords because they are easier to remember.
• The bottom line is that passwords have a lot of
weaknesses and are not sufficient in protecting online
information. Hackers can easily guess user credentials by
running through all possible combinations until they find a
match
 AUTHENTICATION MECHANISMS
• Multi-factor authentication
• Multi-Factor Authentication (MFA) is an authentication
method that requires two or more independent ways to
identify a user. Examples include codes generated from the
user’s smartphone, Captcha tests, fingerprints, voice
biometrics or facial recognition. MFA authentication
methods and technologies increase the confidence of
users by adding multiple layers of security. MFA may be a
good defense against most account hacks, but it has its
own pitfalls. People may lose their phones or SIM cards
and not be able to generate an authentication code.
 AUTHENTICATION MECHANISMS
• Multi-factor authentication
• Multi-Factor Authentication (MFA) is an authentication
method that requires two or more independent ways to
identify a user. Examples include codes generated from the
user’s smartphone, Captcha tests, fingerprints, voice
biometrics or facial recognition. MFA authentication
methods and technologies increase the confidence of
users by adding multiple layers of security. MFA may be a
good defense against most account hacks, but it has its
own pitfalls. People may lose their phones or SIM cards
and not be able to generate an authentication code.
 AUTHENTICATION MECHANISMS
• Certificate-based authentication
• Certificate-based authentication technologies identify
users, machines or devices by using digital certificates. A
digital certificate is an electronic document based on the
idea of a driver’s license or a passport.
• The certificate contains the digital identity of a user
including a public key, and the digital signature of a
certification authority. Digital certificates prove the
ownership of a public key and issued only by a certification
authority.
• Users provide their digital certificates when they sign in to
a server. The server verifies the credibility of the digital
signature and the certificate authority. The server then
uses cryptography to confirm that the user has a correct
private key associated with the certificate.
 AUTHENTICATION MECHANISMS
• Biometric authentication
• Biometrics authentication is a security process that relies
on the unique biological characteristics of an individual.
Here are key advantages of using biometric authentication
technologies:
 
• a. Biological characteristics can be easily compared to
authorized features saved in a database.
• b. Biometric authentication can control physical access
when installed on gates and doors.
• c. Can be added into multi-factor authentication process.
• d. Biometric authentication technologies are used by
consumers, governments and private corporations
including airports, military bases, and national borders.
The technology is increasingly adopted due to the ability to
achieve a high level of security without creating friction for
the user.
 AUTHENTICATION MECHANISMS
• Biometric authentication

• Facial recognition
• Facial recognition matches the different face
characteristics of an individual trying to gain access to an
approved face stored in a database. Face recognition can
be inconsistent when comparing faces at different angles
or comparing people who look similar, like close relatives
or identical twins. Facial liveness like passive facial
liveness prevents spoofing.
 AUTHENTICATION MECHANISMS
• Biometric authentication

• Speaker Recognition
• Speaker Recognition also known as voice biometrics,
examines a speaker’s speech patterns for the formation of
specific shapes and sound qualities. A voice-protected
device usually relies on standardized words to identify
users, just like a password.
 AUTHENTICATION MECHANISMS
• Biometric authentication

• Finger Print Scanners

• Fingerprint scanners match the unique patterns on an
individual’s fingerprints. Some new versions of fingerprint
scanners can even assess the vascular patterns in people’s
fingers. Fingerprint scanners are currently the most
popular biometric technology for everyday consumers,
despite their frequent inaccuracies. This popularity can be
attributed to iPhones.
 AUTHENTICATION MECHANISMS
• Biometric authentication

• Eye or Iris Scanners

• Eye scanners include technologies like iris recognition and
retina scanners. Iris scanners project a bright light
towards the eye and search for unique patterns in the
colored ring around the pupil of the eye. The patterns are
then compared to approved information stored in a
database. Eye-based authentication may suffer
inaccuracies if a person wears glasses or contact lenses.
 AUTHENTICATION MECHANISMS
• Token-based authentication
• Token-based authentication technologies enable users to
enter their credentials once and receive a unique
encrypted string of random characters in exchange. You
can then use the token to access protected systems
instead of entering your credentials all over again. The
digital token proves that you already have access
permission. Use cases of token-based authentication
include RESTful APIs that are used by multiple frameworks
and clients.
 SOLUTIONS TO PHYSICAL SECURITY
 Site Access Control
 Employee Awareness Training
 Secure Network-Enabled Printers
 Building Secure Guest WiFi
 Accounting for Lost or Stolen Devices
 Locking Up Your Servers
 Implementing CCTVs
 Securing Your Backups
 Employee logbook.
 Security guard