In this Chapter, you learned about physical security and social engineering. Physical security is as important as network security. Physical security works best when set up as a defense in depth. This means that you are layering one security mechanism on top of another. Therefore, you might have locked servers in a controlled access room protected by a solid core door. The facility that the servers are located in has controlled access with CCTV cameras throughout the facility. Even the building has good physical security, as it can only be entered through doors with mantraps. These layers make it much harder for someone to penetrate. The building perimeter can also be secured by adding fences, gates, and possibly guards.
Next, we looked at social engineering. Social engineering is a powerful attack tool, as it targets people, not technology. Social engineering can target employees directly or can use the computer to try and trick the employee. Social engineers use a variety of techniques to pry information from their victims. These include scarcity, authority, liking, consistency, social validation, and reciprocation.
Finally, we reviewed policies. After all, without policies, there is no controlling mechanism in place. Policies can reinforce physical security and help prevent social engineering. Policies detail what management expects and provides a general roadmap on how these items will be achieved. Policies also show management's commitment to support employees and what types of controls are put in place to protect sensitive information. Policies outline acceptable and unacceptable behavior and can be used to enhance physical, logical, and administrative controls.