Intermediate · Physical Security

Treat physical security and cybersecurity as one discipline, not two

A physical intruder who reaches a networked terminal has bypassed all your digital access controls. A cyber attacker who needs to install a hardware implant (as NSA TAO did with Cisco routers) must overcome physical security first. The Stuxnet weapon crossed an air gap via a USB drive — a physical act. Verkada's camera breach exposed live footage inside Tesla, Cloudflare, and schools because a super-admin credential stored on the public internet could reach every camera simultaneously. Physical and cyber security teams must share threat models, incident response processes, and access control policies. A camera system is a cyber attack surface, not just a physical one.

Tags

physical-cyber convergence, IoT cameras, holistic security, access control, threat model

More in Physical Security

intermediate

Install mantraps or badge-enforced turnstiles to eliminate tailgating

Training employees to challenge tailgaters helps, but research consistently shows 70–80% of people will hold a secure door open for a stranger who looks like they belong. The only reliable control is a physical barrier that permits exactly one person per badge swipe: a mantrap (an airlock with two doors where the first must close before the second opens) or a badge-enforced turnstile. These are standard in data centres and high-security facilities for exactly this reason. For areas that do not justify the cost of mantraps, tailgate detection sensors that alert security when multiple people pass a single badge read provide monitoring capability.

See: Tailgating Social Study (Physical Security)
beginner

Disable USB mass storage on all corporate workstations via Group Policy or MDM

The FIN7 criminal group mailed BadUSB drives disguised as Amazon packages and Best Buy gift cards to hotel and restaurant employees. 45% of people plug in USB drives they find — even when they know they should not. BadUSB devices emulate keyboards and automatically type commands; they bypass all file-based antivirus scanning because they deliver no files. Disable USB mass storage on all corporate workstations via Group Policy (Windows) or MDM profiles (macOS/Linux). If USB access is required for legitimate use cases, use endpoint security tools that allow USB device whitelisting by hardware ID rather than disabling USB entirely.
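The difference between the two controls named above, as an added example that is not part of the original guide: it evaluates a constructed device inventory against a storage-only block and against a hardware ID allowlist, and reports the devices that only the allowlist rejects. The allowlist entries, device names and VID/PID values are made up for illustration; the ID string layout follows the Windows `USB\VID_xxxx&PID_xxxx` and `USB\Class_xx` conventions.

```python
import re

# Assumed allowlist of approved (VID, PID) pairs; values are constructed.
ALLOWED_HARDWARE_IDS = {("AAAA", "0001"), ("BBBB", "0002")}

HWID_RE = re.compile(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)
CLASS_RE = re.compile(r"USB\\Class_([0-9A-F]{2})", re.I)
USB_CLASS_NAMES = {"03": "HID", "08": "mass-storage"}

# Constructed sample inventory, shaped like Windows PnP hardware/compatible IDs.
SAMPLE_DEVICES = [
    {"name": "issued keyboard", "hardware_id": r"USB\VID_AAAA&PID_0001",
     "compatible_id": r"USB\Class_03&SubClass_01&Prot_01"},
    {"name": "approved encrypted drive", "hardware_id": r"USB\VID_BBBB&PID_0002",
     "compatible_id": r"USB\Class_08&SubClass_06&Prot_50"},
    {"name": "mailed 'gift card' stick", "hardware_id": r"USB\VID_CCCC&PID_0003",
     "compatible_id": r"USB\Class_03&SubClass_01&Prot_01"},
    {"name": "found flash drive", "hardware_id": r"USB\VID_DDDD&PID_0004",
     "compatible_id": r"USB\Class_08&SubClass_06&Prot_50"},
]

def evaluate(device):
    """Return the verdict of each policy for one enumerated device."""
    hw = HWID_RE.search(device["hardware_id"])
    cls = CLASS_RE.search(device["compatible_id"])
    vid_pid = (hw.group(1).upper(), hw.group(2).upper()) if hw else None
    usb_class = USB_CLASS_NAMES.get(cls.group(1).upper(), "other") if cls else "unknown"
    return {
        "name": device["name"],
        "class": usb_class,
        # Storage-only policy: blocks the mass-storage class, nothing else.
        "storage_only_policy": "block" if usb_class == "mass-storage" else "allow",
        # Allowlist policy: default deny, approve by hardware ID regardless of class.
        "allowlist_policy": "allow" if vid_pid in ALLOWED_HARDWARE_IDS else "block",
    }

def policy_gaps(devices):
    """Names of devices the storage-only block admits but the allowlist rejects."""
    return [r["name"] for r in map(evaluate, devices)
            if r["storage_only_policy"] == "allow" and r["allowlist_policy"] == "block"]

if __name__ == "__main__":
    for row in map(evaluate, SAMPLE_DEVICES):
        print(row)
    print("admitted by storage-only block:", policy_gaps(SAMPLE_DEVICES))
```

Hardware IDs are reported by the device itself, so treat the allowlist as one layer alongside user awareness and endpoint monitoring.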

See: FIN7 BadUSB Mail Drop (Physical Security)
beginner

Implement a clean desk policy and lock unattended screens automatically

A physical intruder who reaches an unlocked workstation has the same access as the authenticated user who left it. During Kevin Mitnick's penetration operations, unlocked terminals, discarded printouts, and papers left on desks were as valuable as any technical exploit. Implement: automatic screen lock after 5 minutes of inactivity (enforce via Group Policy/MDM), required badge-out to lock desks when leaving them, a prohibition on leaving sensitive documents visible on desks, and locked cabinets for paper records. Clean desk audits — periodic unannounced checks of workstation and desk areas — measure compliance without being punitive.

See: Kevin Mitnick Physical Intrusion (Physical Security)