Physical Security

Exam Objectives Covered — Domain 1 and Domain 2

This section maps to two specific objectives:

• →Obj 1.2 — Summarise fundamental security concepts: physical security controls and tools
• →Obj 2.4 — Given a scenario, analyze indicators of malicious activities: physical attacks against security controls

4 Physical Brute Force Attack Types

The exam tests recognition of physical brute force attack methods — know all four:

• →Forcible entry — breaking through doors, windows, or barriers using physical force
• →Tampering with security devices — disabling or manipulating cameras, sensors, or locks
• →Confronting security personnel — directly engaging or overpowering guards
• →Ramming a barrier with a vehicle — using a vehicle to breach perimeter controls (countered by bollards)

Physical Security — Outside-In Defence Model

Defence is layered from the perimeter inward. Exam scenarios may describe which layer was breached:

• →Perimeter — fencing, bollards, lighting
• →Building entry — access control vestibules, door locks, security guards
• →Internal access — badge systems, biometric locks, cipher locks
• →Data/equipment — logical controls, server room physical locks

Piggybacking vs Tailgating — The Key Difference

Piggybacking = authorized person knowingly lets someone in (consent present). Tailgating = unauthorized person slips through without the authorized person's knowledge (no consent). The access control vestibule mitigates both by enforcing one-person-at-a-time entry.

3 Security Functions of Fencing

The exam may ask what purpose a fence serves — know all three:

• →Visual deterrent — defines a boundary that unauthorized personnel should not cross
• →Physical barrier — prevents or significantly impedes unauthorized entry
• →Intruder delay — slows attackers, giving security personnel time to respond

Fence Attack Vectors and Countermeasures

Three ways attackers defeat fences, and the fix for each:

• →Climbing over — counter with increased height, electrification, or razor/barbed wire on top
• →Cutting through — counter with more robust materials (steel, concrete) or monitoring systems
• →Digging under — counter by extending the fence underground or burying mesh wire along the fence line

Fence vs Bollard — Different Threats, Different Controls

The exam tests which control addresses which threat type — they are not interchangeable:

• →Fence — protects large perimeters; counters unauthorized foot traffic and trespassing
• →Bollard — counters vehicular threats in a specific area; stops ramming and IED delivery vehicles

Bollard Attack Vectors and Countermeasures

Two ways attackers defeat bollards:

• →Direct vehicle impact — counter with bollards rated to appropriate ASTM crash standards (e.g. M30 P1)
• →Tampering or removal — counter by using permanent fixed installations rather than temporary/removable designs

4 Physical Brute Force Attack Types

The exam lists all four — know each type, its method, and its countermeasure:

• →Forcible Entry — breaking windows, doors, or fences to gain access
• →Tampering with Security Devices — forcing gates open, blinding cameras, smashing sensors/alarms
• →Confronting Security Personnel — distraction, assault, or weapons to overpower guards
• →Ramming a Barrier with a Vehicle — using a car or truck to breach fences, gates, or building walls

Forcible Entry — Targets and Countermeasures

Three common targets and their specific countermeasures:

• →Windows — use reinforced or laminated glass to resist shattering and glass cutting
• →Doors — weakest point is the lock; use deadbolt locks, solid core doors, and metal frames
• →Fences — susceptible to climbing, cutting, or ramming; use robust materials, electrification, buried mesh, or barbed wire

Tampering with Security Devices — Methods and Countermeasure

Three tampering methods and the one overarching defence:

• →Gates forced open — wedged or held open with an object to bypass access control
• →Cameras/sensors blinded — paint sprayed on lens, bright lights, or mirrors redirecting the field of view
• →Alarms/sensors smashed — physically destroyed to disable detection
• →Countermeasure: redundancy — multiple overlapping layers so compromising one does not disable all detection

Confronting Security Personnel — Countermeasures

Two core mitigations:

• →Rigorous training in conflict resolution and self-defence
• →Rapid communication capability — radio or panic button to call for backup and alert others of a breach

4 Categories of Surveillance Systems

The exam tests all four components — know each and what it provides:

• →Video Surveillance (CCTV) — real-time visual monitoring and recorded footage for post-incident review; detective control
• →Security Guards — flexible, can respond immediately, make judgment calls, and provide a visual deterrent
• →Lighting — enhances video quality, eliminates hiding spots, and deters attackers; motion-activated lighting serves as both deterrent and alert
• →Sensors — automated detection devices covering areas cameras and guards cannot continuously monitor

4 Sensor Types — Detection Method and Use Case

Know how each sensor detects and where it is best applied:

• →Infrared — detects body heat; best for low-light/dark environments
• →Pressure — detects weight on floor/mat; best for restricted access points
• →Microwave — detects movement via pulse reflection; covers large areas; high false alarm risk
• →Ultrasonic — detects movement via sound wave reflection; used in automated doors and indoor environments

Wired vs Wireless CCTV — Security Trade-off

Wired: physically cabled — more reliable, cannot be jammed. Wireless: Wi-Fi signal — easier to install but vulnerable to wireless interference and deliberate jamming attacks during physical intrusions.

Camera Placement Priorities

Always cover entrances and exits to critical infrastructure first:

• →Data centres — primary target for physical intrusion
• →Communications closets — network infrastructure access points
• →Building entrances and exits — lobbies, back doors, loading docks

CCTV = Detective Control

Cameras detect and record — they do not prevent entry. They support post-incident investigation and provide real-time alerting when integrated with motion detection or AI analysis. The exam classifies CCTV explicitly as a detective control, not a preventive one.

5 Methods Attackers Use to Bypass Surveillance

The exam tests attack types against physical security controls — know all five:

• →Visual obstruction — spray paint, foam, stickers, tape, or objects placed in front of the camera lens
• →Blinding sensors and cameras — high-powered flashlights or lasers aimed at the lens; heating a room to blind infrared sensors
• →Interfering with acoustics — loud music/sounds to drown out audio cues; jamming devices to disrupt microphone frequencies; white noise machines to mask sounds
• →Interfering with electromagnetics (EMI) — jamming wireless surveillance signals; targeting specific frequency bands (e.g. Wi-Fi); effective only against wireless systems
• →Attacking the physical environment — temperature manipulation to trick infrared sensors; cutting power (unplugging, tampering with power boxes, sabotaging transformers); physical wire cutting; arson (extreme, classified as criminal)

3 Countermeasures Against Surveillance Bypass

Modern systems include these protective measures — know what each counters:

• →Tamper alarms — alert security when cameras are physically interfered with
• →Backup power / UPS — counters power-based attacks that attempt to cut surveillance offline
• →Encrypted frequency hopping — counters jamming and eavesdropping on wireless surveillance signals

Acoustic vs EMI Attacks — Different Targets

Acoustic attacks target sound-based sensors (microphones, acoustic detectors) using noise, jammers, or white noise. EMI attacks target wireless communication signals between cameras and monitoring stations. Confusing the two will cost marks.

How an Access Control Vestibule Works — Step by Step

Process the exam may test as a scenario:

• →Person approaches and enters through the outer door
• →Outer door locks behind them — person is now trapped in the intermediate space
• →Identity or credentials are verified (badge, biometric, PIN, guard check)
• →If verification succeeds — inner door unlocks and access is granted
• →If verification fails — person remains in vestibule until security personnel intervene

Piggybacking vs Tailgating — Key Distinction

Both result in unauthorized access but differ in intent and awareness:

• →Piggybacking — authorized person knowingly (or negligently) allows the attacker in; involves social engineering or impersonation
• →Tailgating — authorized person is unaware; attacker sneaks through behind them without consent
• →Access control vestibules prevent both by physically allowing only one person at a time

3 Access Badge Technologies — Old to New

Know the three credential types embedded in access badges:

• →Magnetic strip — legacy; must be swiped through a reader; same technology as credit card backs
• →RFID — contactless; held near the reader; longer read range than NFC
• →NFC — contactless; very short range tap; used in modern badges and smartphones

Role-Based Badge Access and Audit Trails

Access badges are programmed per role — an employee may access their department but not others, even within the same building. Every badge scan is logged, creating an audit trail reviewable after a security incident.

Multi-Layer Physical Security Model

Access control vestibules work best when combined with: access badges (automated authentication), security guards (visual deterrent, verification fallback, visitor management, immediate response). Each layer compensates for the other's gaps.

Door Lock Types — Weakest to Strongest

Know each type, its mechanism, and its defeat time:

• →Padlock — pin and tumbler mechanism; defeated in ~15 seconds with a lock pick and tension wrench
• →Basic interior lock (bedroom/bathroom) — defeated instantly with a slender rod through the hole
• →Traditional key lock (front door) — defeated in 30–60 seconds using standard lock picking techniques
• →Electronic PIN lock — 8-digit PIN = 1 in 100 million guessing odds; supports per-user logging for audit/accounting
• →Wireless signal lock — NFC, Wi-Fi, Bluetooth, RFID; authentication via smartphone or access token
• →Biometric lock — fingerprint, retina, facial recognition; 'something you are'; supports per-user audit trail
• →Cipher lock — mechanical push-button combination; no electronics; high security; used in server rooms and network closets

FAR vs FRR — The Sensitivity Trade-off

Sensitivity and error rates move in opposite directions — always tested as a scenario:

• →Increase sensitivity → FAR decreases (fewer unauthorized people get in) but FRR increases (more authorized people get locked out)
• →Decrease sensitivity → FRR decreases (fewer authorized people rejected) but FAR increases (more unauthorized people accepted)
• →Goal: find the Crossover Error Rate (CER) — the balance point where FAR = FRR

3 Biometric Types — Factor Classification

All three are 'something you are' (inherence factor) — not 'something you have' or 'something you know':

• →Fingerprint — Touch ID on iPhone 5s through 8; embedded in laptops and door locks
• →Facial recognition — Face ID on iPhone 10+; measures distances between facial features
• →Retinal scan — used in high-security facilities; scans inside the eye

Multi-Factor Authentication on Door Locks

Electronic locks can combine factors for stronger access control:

• →PIN + fingerprint = something you know + something you are
• →Badge + PIN = something you have + something you know (standard turnstile/vestibule setup)
• →Both combinations satisfy MFA requirements for physical access control

Electronic PIN Lock — Audit Trail

Each user is assigned their own unique PIN. Every entry and exit is logged with user identity and timestamp, creating an audit trail for accounting and access review purposes — same accountability principle as access badges.

4 Steps of Access Badge Cloning

The exam may test recognition of each step in the attack sequence:

• →Scanning — attacker uses a portable RFID/NFC reader to capture badge data without physical contact; NFC range: 1–2 inches; RFID range: 2–10 inches
• →Data extraction — attacker extracts the authentication credentials (unique identifier or encrypted data) from the captured data; can be done offline after scanning
• →Writing to a new card or device — extracted data is transferred to a blank RFID/NFC card or stored on a device like a Flipper Zero for emulation
• →Using the cloned badge — attacker presents the clone to the reader and gains access as if they were the authorized employee

6 Countermeasures Against Badge Cloning

Know all six — the exam tests both the attack and its mitigations:

• →Advanced encryption — encrypt badge data with strong algorithms so captured data cannot be replicated without the key
• →Multi-factor authentication (MFA) — combine badge with a PIN, password, or biometric; a cloned badge alone is not enough to gain access
• →Regularly update security protocols — rotate encryption keys and authentication mechanisms to limit the usable lifespan of any cloned badge
• →User education — train staff to guard badge proximity, report suspicious behavior, and be aware of where they store their cards
• →RFID shielding wallets or sleeves — physical barrier that prevents passive scanning while the badge is stored
• →Monitor and audit access logs — detect anomalies such as simultaneous access attempts from the same badge in different locations (impossible travel)

Impossible Travel — Anomaly Detection for Cloned Badges

If a cloned badge is used while the original badge holder is in a different location, access logs will show the same badge used in two places at once. This 'impossible travel' pattern is the primary detection method for active badge cloning in the wild.

RFID vs NFC — Cloning Range Comparison

Both are clonable but differ in proximity required:

• →NFC — 1 to 2 inches standard range; up to ~4 inches with a stronger antenna
• →RFID — 2 to 10 inches standard range; up to ~20 inches with a stronger antenna
• →RFID is the higher risk for passive scanning attacks due to its longer read range