Building Defense in Depth

A layered defense is all about defense in depth. With the defense-in-depth approach, each layer has its own defensive mechanisms. Physical security controls are the first line of defense and should be designed so that the breach of any one defensive layer will not compromise the physical security of the organization. CCTV cameras, mantraps, card keys, RFID tags, lighting, guards, dogs, and locks are but a few of the layers of physical security that can be added to build defense in depth.

Perimeter Controls

The best way to control premises security is to use fences, gates, and bollards. The amount of control depends on the way in which you deploy these defenses. A 4-foot fence will deter only a casual trespasser, but an 8-foot fence will keep out a determined intruder. Adding a barbed-wire topping is another effective security measure. If you are trying to keep employees in, you should point the barbed wire in. If you are trying to keep the bad guys out, you should point the barbed wire out. Table 2.1 provides more details. If you are really concerned about who's hanging around the perimeter of your facility, you might consider installing a perimeter intrusion and detection assessment system (PIDAS). This special fencing system has sensors to detect intruders. The downside is that a stray deer or grizzly bear might also trigger an alarm.

Table 2.1. Fence Heights



3-4 feet high    Will deter only casual trespassers.
6-7 feet high    Considered too tall to easily climb.
8 feet high      Should deter a determined intruder. Three strands of a topping of barbed wire should be pointed out at a 45° angle.

Bollards are another means of perimeter control. Made of concrete or steel, they are used to block vehicular traffic or protect areas where pedestrians might be entering or leaving buildings. After 9/11, these devices have continued to advance far beyond the standard steel poles of the past. Companies now make bollards with electronic sensors to notify building inhabitants that someone has rammed or breached the bollards. Although fences act as a first line of defense, bollards are a close second because they can deter individuals from ramming a facility with a car or truck. Figure 2.1 shows an example of a bollard.

Figure 2.1. Bollards.


Not all of the perimeter controls you might consider building into a new facility design have to look like concrete and steel. Have you ever noticed those majestic ponds located next to many corporate headquarters? Well, don't be lulled into believing they were placed there as a community beautification project. They are merely a form of a barricade or barrier. They are also useful in case of fire because they can serve as an additional water source. Access controls are a critical piece of premise security that can be either natural, such as a body of water, or structural, such as a fence.

Other perimeter-control mechanisms (such as cameras, mantraps, card keys, RFID tags, lighting, guards, dogs, locks, and biometric access controls) are used to monitor the flow of people and personnel. Just as networks use chokepoints, so should physical security controls. Each of these is explained in more depth next.

CCTV Cameras

These devices are effective for surveillance of entrances and critical access points. If employees are not available to monitor live, activity can be recorded and reviewed later. These devices are detective in nature: They don't prevent a crime, but they alert you to one after the fact. If you are considering CCTV systems, worker privacy and blind spots must also be considered.


Mantraps

Mantraps are used to control the flow of individuals into and out of sensitive areas. Turnstiles can also be used to control the flow of individuals into or out of an area. Both are effective in preventing one of the most common types of security breaches: piggybacking. Piggybacking, or tailgating, is the act of bypassing authentication by relying on someone else's credentials. It's commonly attempted at parking lot checkpoints or at controlled-entry points where badges or PIN codes are required.

Card Keys

Card keys are another widely used form of access control. These keys can be separated into two broad categories: dumb cards and smart cards. Dumb cards are those that contain no electronics. You can find these in use at many different organizations. An individual's photo is used to verify a person's right to be in a particular area. These photo ID cards are really just a form of identity badge.

The second type of card key could be considered a smart card. Smart cards are much more powerful than the photo card key. Smart card keys can make an entry decision electronically. These devices can be configured in several different ways. Some require only that the user get close to the access-control device. These proximity readers don't require the user to physically insert the card. Others require user activation and, as such, might require the user to input a key code.

What makes these devices particularly high-tech is that they can be part of a total enterprise access-control system. Earlier versions of these cards were field-powered and contained the power supply and electronics onboard. Newer versions are being sold that can act as transponders or purely passive devices. Table 2.2 shows the various types of card keys.

Table 2.2. Card Key Types

Type of Card
Active electronic     Can transmit electronic data
Electronic circuit    Has an electronic circuit embedded
Magnetic stripe       Has a stripe of magnetic material
Magnetic strip        Contains rows of copper strips
                      Contains a laser-burned pattern of encoded dots
Photo card            Contains a facial photograph of the card holder


Radio Frequency Identification (RFID) Tags

Radio Frequency Identification (RFID) tags are another emerging trend in the field of physical access control. The U.S. military recently conducted trials to test the possibilities of using RFID tags to control vehicle traffic at military locations. RFID tags are extremely small electronic devices composed of a microchip and an antenna. These devices send out small amounts of information when activated.

An RFID tag can be designed in one of several different ways:

  • Active: Active tags have a battery or power source used to power the microchip.
  • Passive: These devices have no battery. They are powered by an RFID reader, which generates an electromagnetic wave that induces a current in the RFID tag.
  • Semipassive: These hybrid devices use a battery to power the microchip, but transmit by harnessing energy from the reader.

Some of these devices are less than half the size of a grain of rice, so their placement possibilities are endless. The Federal Drug Administration (FDA) has approved an RFID tag that will be used to prevent the possibility of wrong-site, wrong-procedure, and wrong-patient surgeries. Government officials have advocated that these devices become standard issue for firefighters, police officers, and emergency rescue individuals because their jobs place them in situations in which their identification could be lost or destroyed. Expect to see innovation in this product in the coming years.


Lighting

Lighting is a commonly used form of perimeter protection. Some studies have found that up to 80% of criminal acts at businesses and shopping centers happen in adjacent parking lots. Therefore, it's easy to see why lighting can be such an important concern. Outside lighting discourages prowlers and thieves. The National Institute of Standards and Technologies (NIST) states that, for effective perimeter control, buildings should be illuminated 8 feet high, with 2-foot candle power.

Companies need to practice due care when installing exterior lights. Failure to adequately light parking lots and other high-traffic areas could lead to lawsuits if an employee or visitor is attacked. Just as too little light can be a problem, too much light can lead to a less secure environment. Glare and overlighting can cause problems by creating very dark areas just outside the range of the lighted area. In addition, neighboring businesses or homes might not appreciate residing in such a bright, overlit area. Therefore, exterior lighting involves the balance of too little light versus too much light. Some common types of exterior lights include these:

  • Floodlights
  • Streetlights
  • Searchlights


Guards

Guards can offer the best and worst in the world of protection. Although our increased need for security has driven the demand for more guards, they are only human and their abilities vary. Technology has also driven our need for security guards. As we get more premise control equipment, intrusion-detection systems, and computerized devices, additional guards are required to man and control these infrastructures.

Unlike computerized systems, guards have the ability to make a judgment call and think through how they should handle specific situations. This is called discernment. Just having them in a facility or guarding a site provides a visual deterrence. Guards can also be used in multiple roles so that they can monitor, greet, sign in, and escort visitors.

Before you go out and hire 20 new guards, however, you should also be aware that guards do have some disadvantages. Guards are expensive; they also make mistakes, could be poorly trained, and may sleep on the job, steal company property, or even injure someone.


Dogs

Dogs, much like guards, have been used to secure property throughout time. Although they can be trained and could be loyal, obedient, and steadfast, they are sometimes unpredictable and could bite or harm the wrong person. Because of these factors, dogs are usually restricted to exterior premise control and should be used with caution.


Locks

Locks are one of the most effective and widely used theft deterrents, and they have the highest return on investment. They come in many types, sizes, and shapes, and are one of the oldest forms of theft-deterrent mechanism, having been used since the time of the Egyptians. It's important to select the appropriate lock for your designated area. Different types of locks provide different levels of protection.

Preset Key Locks

These are easy to install and use. They require a key to open and are sold as latches, cylinders, and deadbolts.

Mobile Security Locks

Employees who are issued laptops should be given a laptop-locking device. Although data security is important, the security of the device should also be considered; it takes only a moment for someone to remove a laptop or other mobile device. This type of lock can help protect physical assets and signal to employees your concern that devices issued to them should be protected.

Although locks are important to use to secure laptops, it's also important to use encryption because the data is most likely worth more than the hardware.


Programmable Cipher Locks

Programmable locks can use keypads or smart locks to control access into restricted areas. One shortcoming with a keypad device is that bystanders can shoulder-surf and steal pass codes.

To increase security and safety, some of the following items should be considered to make locks more robust:

  • Visibility shields: These are used to prevent bystanders from viewing the combination numbers that are entered into keypad locks.
  • Hostage alarms: These are useful in financial institutions or areas where money transactions take place. They allow employees to silently alert the authorities.
  • Delay alarms: These are useful to alert security that security doors have been held open for long periods of time.
  • Master key locks: This is nothing new for those of us who have spent time in hotels. This option allows a supervisor or housekeeper to bypass the normal lock and gain entry.
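The delay alarm in the list above, together with the piggybacking problem described under mantraps, can be checked from door-controller events. The following is an added example, not from the book: the log format, event names, the 30-second threshold, and the presence of a passage counter (such as a turnstile or beam sensor) are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical door controller:
# "timestamp door event [badge]". The format and names are assumptions.
SAMPLE_LOG = """\
2024-05-01T08:00:00 server-room BADGE_OK 1001
2024-05-01T08:00:02 server-room DOOR_OPEN
2024-05-01T08:00:04 server-room PASSAGE
2024-05-01T08:00:07 server-room DOOR_CLOSED
2024-05-01T08:15:00 server-room BADGE_OK 1002
2024-05-01T08:15:01 server-room DOOR_OPEN
2024-05-01T08:15:03 server-room PASSAGE
2024-05-01T08:15:05 server-room PASSAGE
2024-05-01T08:15:08 server-room DOOR_CLOSED
2024-05-01T09:00:00 loading-dock BADGE_OK 1003
2024-05-01T09:00:01 loading-dock DOOR_OPEN
2024-05-01T09:00:03 loading-dock PASSAGE
2024-05-01T09:02:30 loading-dock DOOR_CLOSED
"""

HELD_OPEN_LIMIT = timedelta(seconds=30)  # assumed delay-alarm threshold


def review_door_events(log_text, limit=HELD_OPEN_LIMIT):
    """Return (kind, door, timestamp, detail) alerts, one open/close cycle at a time."""
    alerts = []
    state = {}  # door -> badge reads, open time and passages in the current cycle
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, door, event, *_badge = line.split()
        when = datetime.fromisoformat(stamp)
        s = state.setdefault(door, {"badges": 0, "opened": None, "passages": 0})
        if event == "BADGE_OK":
            s["badges"] += 1
        elif event == "DOOR_OPEN":
            s["opened"] = when
        elif event == "PASSAGE":
            s["passages"] += 1
        elif event == "DOOR_CLOSED" and s["opened"] is not None:
            held = when - s["opened"]
            if held > limit:  # delay alarm: door held open too long
                alerts.append(("HELD_OPEN", door, stamp, f"{int(held.total_seconds())}s"))
            if s["passages"] > s["badges"]:  # more people through than badges read
                extra = s["passages"] - s["badges"]
                alerts.append(("PIGGYBACK", door, stamp, f"{extra} unbadged"))
            state[door] = {"badges": 0, "opened": None, "passages": 0}
    return alerts
```

Two people who each present a badge before passing through raise no alert, because the check compares passages against badge reads within one open/close cycle.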

Biometric Access Controls

Biometric controls are discussed extensively in Chapter 4, "Access-Control Systems and Methodology." Because they are used for premise control, however, they should be mentioned here. The fascinating thing about biometric controls is that they are based on a physiological attribute or behavioral characteristic of the individual. As an example, one consulting job I had was with a large state agency that took security seriously. This agency had implemented a magnetic strip card control and a biometric finger sensor on the server room doors. This form of two-factor authentication worked well to ensure that the person entering the server room was given access. These are some of the primary types of biometric systems:

  • Finger scan
  • Palm scan
  • Hand geometry
  • Retina scan
  • Iris scan
  • Facial scan

Server Placement

Even with good perimeter control, you must determine where to place high-value assets such as servers and data centers. I once saw a data center that was located outside the company break room. You had to literally walk through the data center to get to the break room. It's not a good idea to have a data center with uncontrolled access or in an area where people will congregate or mill around. Well-placed data centers should not be placed on the top floor of a building because a fire might make it inaccessible. Likewise, you wouldn't want the data center located in the basement because it would be prone to flooding.

A well-placed data center should have limited accessibility, typically no more than two doors. A first-floor interior room is a good location for a data center.

The ceilings should extend all the way up past the drop ceiling, and the access to the room should be controlled. Look for things such as solid-core doors that are hinged to the inside. Additional controls should be used to ensure that unauthorized equipment is not allowed into the data center. Your goal is to make it as hard as possible for unauthorized personnel to gain access to this area. If individuals can gain physical access to your servers, you have no security.

Intrusion Detection

This section discusses intrusion-detection systems (IDS) used in the physical realm. These IDS systems are used for detecting unauthorized physical access. You might have seen IDS sensors around windows or attached to doors and not even realized what they were. Those are two of the most popular types of IDS systems used. These systems can detect the breakage of glass or the opening of doors. Overall, these systems are effective in detecting changes in the environment. Some common types of IDS sensors include these:

  • Photoelectric: These devices use infrared light and are laid out as a grid over an area. If the grid is disturbed, the sensor will detect a change. These changes will trip an alarm so that someone can be notified of a potential breach in security.

    When you encounter intrusion-detection questions on the actual exam, take the time to distinguish whether the question is referencing physical intrusion-detection systems or logical intrusion-detection systems.

  • Motion detectors: You have probably seen this type of sensor on one of the many security lights sold commercially. Motion detectors can be triggered from audio, wave pattern, or capacitance. Audio detectors are triggered by sound, wave patterns detect movement, and capacitance detectors detect motion by a change in capacitance within the sensing device.
  • Pressure sensitive: These devices are sensitive to weight. Most measure a change in resistance to trigger the device. Pressure mats are an example of this type of technology.

Sometimes organizations choose not to use IDS systems because they can produce false positives. Every time there is an alarm, someone must respond and determine whether the event is real. If the IDS has not been tied to a backup power supply, someone can bypass it by killing the power, which could be another problem. There is also the issue of cost. Before these systems are deployed, a risk assessment should be performed to determine the true value of these devices to the organization.

CISSP Exam Cram 2
ISBN: 078973446X
EAN: 2147483647
Year: 2003
Pages: 204
Authors: Michael Gregg