Physical security

Access control vestibule

A type of security that aim to provide access to a controlled group of people, some will have locked door others wont, some will have one door opened and another door locked, they all aim to control access and only provide access to the correct people.

Badge reader

Come in many types magnetic, RFID, or NFC, can be used for many applications including time clocks, security guard patrols, door access, etc.

Video surveillance

CCTV, can be use to replace physical guards, cameras can have object detection which can identify a license plate or face. Often many cameras will be networked together, they can provide motion detection and use radio reflection or passive infrared. Commonly found in areas that are not often in use.

Alarm systems

Useful on the perimeter

Motion sensors

Identify motion without a camera.

Door locks

Come in all shapes and sizes, conventional, deadbolt, electronic, PIN, token-based, RFID badge, biometric, etc.

Equipment locks

Data center hardware is usually managed by different groups, racks can be installed together, enclosed cabinets with locks.

Guards

Bollards

A type of device use to funnel people or vehicles, can be used as a safety measure.

Fences

Key fobs

RFID key, replaces a physical key, commonly used for door lock. proximity operation and contactless

Smart cards

Certificate based authentication, something you have, usually requires additional factors, integrated card reader, built into the laptop, external reader, USB connected.

Keys

Rarely used, use a key cabinet, formal check in’/check out

Biometrics

Usually stores a mathematical representation of your biometric, difficult to change, used in very specific situations not foolproof

lighting

Magnetometers

passive scanning, detects metal objects

Principle of least privilege

rights and permissions should be set to the bare minimum, applications should run with minimal privileges. Limits the scope of malicious behavior.

ACL

used to allow or deny traffic, also used for NAT, QoS, etc. commonly on the ingress/egress of a router interface, ACL evaluate on certain criteria, source/destination IP, TCP/UDP port numbers, ICMP, also used in OS, allow/deny access to the filesystem

MFA

Email filtering

Unsolicited email needs to be stopped at the gateway before it reaches the user, can be on sited or cloud based. scan and block malicious software, executables, known vulnerabilities, phishing attempts, other unwanted content

Hard token

physical devices i.e. key fobs, card that generate OTPs or time based OTP

Soft token

software applications installed on device like a smartphone

SMS

text messaging, login factor can be sent via SMS to a predefined phone number, provide username and password, phone receives an SMS, input the SMS code into the login form, security issues exist, phone number can be reassigned to a different phone, SMS messages can be intercepted, SMS spoofing.

Voice call

A phone call provides the token, similar disadvantages to SMS, phone call can be intercepted or forwarded, phone number can be added to another phone.

Active directory

Login script automate a series of tasks during login, can be assigned to a specific user, group, or OU. associate the script with a group policy. Domain the name associated with this related group of users, computers and resources, each domain has a name, domain controllers store this central domain database, active directory is the service that manages this directory, often referenced when troubleshooting, is this computer on the domain, can you rest the domain password Group policy/updates manage the computers or user with group policies, local domain policies group policy management editor, a central console, login scripts, network configuration (QoS), security parameters Organizational units keep the database organized, users, computers, create your own hierarchy, countries, states, buildings, departments, etc. apply policies to an OU, can be very large i.e. domain users, or a specific group i.e. marketing, north America Home folder assign a user home folder to a network folder, avoid storing files on the local computer, when added to the user profile the directories are automatically created and proper permissions are assigned Folder redirection some users and apps use the windows library folders, redirect the folders to a network share, this is often paired with the offline files feature security groups create a group, assign permissions to the group, set the rights and permissions to the group, add users to the group, there are built in groups i.e. users, guest, remote management users, event log readers, save time avoid confusion and mistakes