BeginnerPhysical Security

Implement a clean desk policy and lock unattended screens automatically

A physical intruder who reaches an unlocked workstation has the same access as the authenticated user who left it. During Kevin Mitnick's penetration operations, unlocked terminals, discarded printouts, and papers left on desks were as valuable as any technical exploit. Implement: automatic screen lock after 5 minutes of inactivity (enforce via Group Policy/MDM), required badge-out to lock desks when leaving them, a prohibition on leaving sensitive documents visible on desks, and locked cabinets for paper records. Clean desk audits — periodic unannounced checks of workstation and desk areas — measure compliance without being punitive.

Tags

clean deskscreen lockphysical securityworkstationpaper records

More in Physical Security

All guides
intermediatefeatured

Install mantraps or badge-enforced turnstiles to eliminate tailgating

Training employees to challenge tailgaters helps, but research consistently shows 70–80% of people will hold a secure door open for a stranger who looks like they belong. The only reliable control is a physical barrier that permits exactly one person per badge swipe: a mantrap (an airlock with two doors where the first must close before the second opens) or a badge-enforced turnstile. These are standard in data centres and high-security facilities for exactly this reason. For areas that do not justify the cost of mantraps, tailgate detection sensors that alert security when multiple people pass a single badge read provide monitoring capability.

See: Tailgating Social StudyPhysical Security
beginner

Disable USB mass storage on all corporate workstations via Group Policy or MDM

The FIN7 criminal group mailed BadUSB drives disguised as Amazon packages and Best Buy gift cards to hotel and restaurant employees. 45% of people plug in USB drives they find — even when they know they should not. BadUSB devices emulate keyboards and automatically type commands; they bypass all file-based antivirus scanning because they deliver no files. Disable USB mass storage on all corporate workstations via Group Policy (Windows) or MDM profiles (macOS/Linux). If USB access is required for legitimate use cases, use endpoint security tools that allow USB device whitelisting by hardware ID rather than disabling USB entirely.

See: FIN7 BadUSB Mail DropPhysical Security
intermediate

Verify the identity of anyone claiming to service hardware — call their employer directly

ATM jackpotting attacks involve criminals dressing as ATM technicians to open ATM cabinets. The NSA TAO hardware interdiction involved intercepting Cisco equipment in transit and resealing packages. FIN7 mailed USB drives in Amazon packaging. Physical security of hardware requires verifying the identity of anyone who physically touches infrastructure equipment. Before allowing anyone access to a server room, network closet, or ATM cabinet, call the organisation they claim to represent using a phone number from your own records — not a number they provide. Require government-issued ID and a work order that you can verify.

See: ATM JackpottingPhysical Security