However, the following principles apply regardless of the approach you use: Most businesses don’t need, nor can they afford, that kind of physical protection of information assets.
The protection Henry encountered is not typical. His only option is trying a social engineering approach while hoping one of the security guards is open to a little negotiation… Protecting your organization Based on his analysis, Henry decides that he cannot make it through the various barriers and get back out again before being apprehended. Returning home, Henry reviews the controls implemented by the target organization. Ted explains that he regularly practices this process with his team and local law enforcement. The documented response plan includes locking down the facility, notifying the police, and positioning in-house guards at key locations. Further, whenever an intruder is detected, an incident response process is activated. If the visitor is on the access list, he or she is allowed into the target room when the guard momentarily deactivates the electronic lock securing the door.Īll activity in the building is recorded by human-monitored video cameras, with the output continuously sent to an offsite repository. Before entering the room containing the target, an individual must show the security guard identification which is compared to an access list. A security guard positioned in the building controls access by anyone not possessing a key card. Further, the only gate and the only door into the facility are always locked.
#Gap analysis questions windows
There are no unbarred windows into the building. Ted proudly explains how the target systems are protected. His social engineering ploy is successful, playing on the ego of the target’s security manager, Ted.
#Gap analysis questions how to
He represents himself as a security director interested in getting some ideas about how to secure his own facility. Henry makes an appointment with the security manager and visits the target the next morning. So far, he thinks he can make it as far as the front door, but he needs to know about the target’s incident response and internal controls. The next step is to see what security looks like inside the building. Henry packs up his notes containing his observations and heads home. So far, he has to defeat the lighting, the fence, and motion sensors before he gets to the front door. Henry has defeated these in the past, but it will add another several minutes to his attack. The target organization has installed motion sensors to detect anyone successfully breaching the fence. So, that might not be a problem if Henry can kill a light.Ĭloser examination of the area between the fence and the building, however, causes Henry to utter expletives not intended for mixed company. Security lighting around the property’s perimeter provides sufficient illumination for the external security cameras to pick up anything unusual occurring outside or on the fence. The wire cutters in his toolkit will take care of the chain link.īut Henry can’t just start hacking through the fence. This might be enough to keep out a casual attacker, but Henry has thousands of dollars waiting for him when he delivers the data inside the target building. As Henry approaches the property line, he sees an eight-foot fence topped with barbed wire. Although most of us do not need this level of physical protection, the following discussion about the graphic helps demonstrate the possible steps you can take.įor the purpose of this discussion, let’s walk through the assessment phase of a possible breach by Henry Hacker.
0 kommentar(er)
