ISP Exam PDF
Table of Contents
- TCP/IP model
- Operation security (5 step process)
- CIA Triad
- Social engineering
- Human security
- Control examples
- Security attacks (4 types)
- Accountability, Auditing, Logging, Compliance
- Application security
- Input validation
- Techniques used to launch client server attacks

TCP/IP model
1. Physical layer manages the physical connection between devices, including the transmission and reception of raw bitstreams over a physical medium (such as cables, fibre optics or wireless signals).
2. Data link layer handles the physical transmission of data over a network and ensures that the data reaches its destination on the same local network.
3. Network layer handles the movement of packets across different networks and ensures that they reach their intended destination.
4. Transport layer manages how data is transmitted between applications on different devices.
5. Application layer manages communications between networked applications and provides the services needed to ensure that data is properly formatted, transmitted and received.
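As an added example (not part of the original notes), the Python below builds a constructed Ethernet/IPv4/TCP frame and parses it back layer by layer, which is the encapsulation the TCP/IP model describes: each header identifies the protocol of the layer above it. It also verifies the IPv4 header checksum, so a corrupted header is rejected rather than mis-parsed. The MAC addresses, IP addresses and ports are made-up values.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071).
    Computed over a valid header, including its checksum field, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed sample: Ethernet (data link) -> IPv4 (network) -> TCP (transport) -> payload (application).
    All addresses and ports are made-up values for this example."""
    # TCP header: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4 header with the checksum field zeroed, then filled in
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Peel the frame one layer at a time; each header says how to interpret the bytes that follow it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch: corrupted or altered header")
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    if total_len > len(ip) or proto != PROTO_TCP:
        raise ValueError("truncated datagram or non-TCP payload")
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAGS.items() if off_flags & bit]
    return {
        "data_link": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":")},
        "network": {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])), "ttl": ttl},
        "transport": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "flags": flags},
        "application": tcp[data_off:],
    }


if __name__ == "__main__":
    for layer, value in parse_frame(build_sample_frame(b"GET / HTTP/1.1\r\n")).items():
        print(layer, value)
```

Flipping a single byte of the IPv4 header (for instance the TTL) makes `parse_frame` raise on the checksum check, which is the same property that lets a receiver discard corrupted datagrams; the TCP checksum is left at zero here for brevity.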
Network security

Purpose
Application security focuses on protecting applications from vulnerabilities that can be exploited by malicious actors.

Common Vulnerabilities and Attacks
- Injection Attacks:
  o SQL injection: Exploiting vulnerabilities in SQL queries to manipulate databases.
  o Command injection: Executing arbitrary commands on the server.
- Cross-Site Scripting (XSS): Injecting malicious scripts into web pages to steal user data or hijack sessions.
- Cross-Site Request Forgery (CSRF): Tricking users into performing unintended actions on a web application.
- Session Hijacking: Stealing a user's session token to gain unauthorized access.
- Insecure Direct Object References: Exposing sensitive information through URLs or other parameters.
- Security Misconfigurations: Improperly configured servers, databases, and applications.
- Sensitive Data Exposure: Storing or transmitting sensitive data without adequate protection.

Mitigating Application Security Risks
- Input Validation and Sanitization:
  o Validate all user input to prevent malicious data from being processed.
  o Sanitize input to remove harmful characters and code.
- Secure Coding Practices:
  o Follow secure coding guidelines and standards.
  o Use a secure coding framework to enforce best practices.
  o Conduct regular code reviews and vulnerability assessments.
- Strong Authentication and Authorization:
  o Implement strong password policies and multi-factor authentication.
  o Enforce least privilege principles to limit user access.
- Secure Session Management:
  o Use strong session tokens and secure session cookies.
  o Implement session timeouts and regular session expiration.
- Data Protection:
  o Encrypt sensitive data both at rest and in transit.
  o Implement data loss prevention (DLP) measures to prevent unauthorized data transfer.
- Regular Security Testing:
  o Conduct penetration testing to identify vulnerabilities and assess the effectiveness of security controls.
  o Use vulnerability scanning tools to identify and fix security flaws.
- Web Application Firewalls (WAFs):
  o Protect web applications from attacks by filtering and blocking malicious traffic.
- Intrusion Detection and Prevention Systems (IDPS):
  o Monitor network traffic for signs of intrusion and take action to prevent attacks.

Operation security (5 step process)

Internet management

Steps
1. Network Planning and Design:
  o Define network goals and objectives.
  o Design network topology and architecture.
  o Select appropriate hardware and software components.
2. Network Implementation:
  o Install and configure network devices.
  o Configure network protocols (TCP/IP, DNS, DHCP).
  o Test network connectivity and performance.
3. Network Monitoring and Management:
  o Monitor network performance and identify potential issues.
  o Troubleshoot network problems.
  o Update and maintain network devices and software.
4. Network Security:
  o Implement security measures to protect the network from threats.
  o Configure firewalls, intrusion detection systems, and other security tools.
  o Educate users about security best practices.

Applications
1. Network Management Tools:
  o SNMP (Simple Network Management Protocol): Used to monitor and manage network devices.
  o RMON (Remote Monitoring): Provides detailed network performance monitoring.
  o Nagios: Open-source network monitoring tool.
  o Zabbix: Open-source network monitoring tool.
2. Network Configuration Tools:
  o Cisco Configuration Professional (CCP): Configures Cisco network devices.
  o Juniper Junos Space: Configures Juniper network devices.
3. Network Security Tools:
  o Firewalls: Filter network traffic to prevent unauthorized access.
  o Intrusion Detection Systems (IDS): Detect and alert on network intrusions.
  o Intrusion Prevention Systems (IPS): Prevent attacks by blocking malicious traffic.
  o VPN (Virtual Private Network): Encrypts network traffic to secure remote access.
4. Network Analysis Tools:
  o Wireshark: Packet analyser for network troubleshooting and security analysis.
  o NetFlow: Collects network traffic flow data for analysis.
5. Network Automation Tools:
  o Ansible: Automates configuration management and deployment tasks.
  o Puppet: Configuration management tool for automating infrastructure.
  o Chef: Configuration management tool for automating infrastructure.
By effectively managing and securing networks, organizations can ensure reliable and efficient communication and data transfer, while mitigating potential security risks.

CIA Triad

Confidentiality
Definition: Confidentiality ensures that sensitive information is only accessible to authorized individuals and systems. This involves implementing measures to prevent unauthorized access, disclosure, or interception of data. Confidentiality refers to the ability to prevent unauthorised users from accessing private data. Confidential data may be protected by the use of strong passwords and PIN codes, and by ensuring that the physical devices on which such data is stored are appropriately secured.
Key Practices:
- Encryption: Encrypting data to ensure it cannot be read if intercepted. Encryption converts sensitive information or data into a secret code to prevent unauthorized access.
- Access Controls: Using permissions and authentication mechanisms to restrict access to authorized users.
- Data Masking: Hiding sensitive data, such as masking credit card numbers in reports.

Integrity
Integrity ensures that the data remains accurate, consistent, and unaltered during storage, transmission, or processing. This principle is crucial for maintaining the trustworthiness of information. Integrity refers to the ability to prevent unauthorised changes from being made to existing data, and to reverse any unauthorised changes that may have been made. Data integrity can be protected by implementing read/write restrictions or by placing restrictions on file access.
Key Practices:
- Hashing: Generating a unique hash for data, allowing verification of its integrity.
- Checksums and CRCs: Verifying data integrity during transmission through checksums.
- Version Control: Keeping track of changes in data to prevent unauthorized modifications.

Availability
Availability ensures that information and resources are accessible to authorized users when needed. This principle focuses on minimizing downtime and maintaining operational continuity. Non-availability may be due to internal causes such as power outages or file corruption, or to external causes such as denial-of-service attacks.
Key Practices:
- Redundancy: Implementing redundant systems and backups to ensure data is available even in case of hardware failure.
- Disaster Recovery Plans: Preparing for and recovering from data breaches, natural disasters, or other incidents that may disrupt access to information.
- Regular Maintenance: Performing regular updates and maintenance to prevent system failures.

The Parkerian Hexad
The Parkerian Hexad (Parker, 1998) extends the CIA Triad by adding three related principles: possession (or control), authenticity and utility. Parker also employs a slightly different definition of integrity, which for him refers to data that remains completely unchanged from its previous state, whereas the CIA Triad allows authorised changes to be made.

Possession
Possession (or control) refers to the physical storage of data on media such as disk drives or magnetic tapes. If a disk drive crashes or a magnetic tape is lost, and if no backup of that data exists, then you will no longer have possession of the corresponding data. Possession refers to the physical possession or control of information or the medium in which it is stored. It is possible for information to be confidential but not in the possession of the person who owns or controls it.

Authenticity
Authenticity refers to having the ability to verify the source of a particular item of information, such as an email message.
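As an added example (not part of the original notes), the Python below illustrates the Hashing and Checksums practices listed for Integrity and the source-verification idea under Authenticity: it computes a CRC-32, a SHA-256 digest and an HMAC over a constructed record and shows what each one does and does not catch. The HMAC goes one step beyond the notes: a plain hash can simply be recomputed by whoever alters the data, whereas a keyed hash cannot be forged without the key. The record, key and field names are constructed for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample record, as it might be stored on disk or sent over a network.
RECORD = b"payee=ACME Ltd;amount=1500.00;currency=ZAR;ref=INV-0042"
# Constructed key shared only between sender and verifier (in practice loaded from a secrets store).
SHARED_KEY = b"example-shared-key-not-for-production"


def crc32_of(data: bytes) -> int:
    """CRC-32 as used by transmission checksums: detects accidental corruption, not deliberate changes."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_of(data: bytes) -> str:
    """Cryptographic hash: any change to the data produces a different digest."""
    return hashlib.sha256(data).hexdigest()


def hmac_of(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): verifies integrity AND that the producer held the key (source verification)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_crc(data: bytes, expected: int) -> bool:
    return crc32_of(data) == expected


def verify_sha256(data: bytes, expected: str) -> bool:
    # compare_digest runs in constant time, so the comparison itself leaks nothing about the digest.
    return hmac.compare_digest(sha256_of(data), expected)


def verify_hmac(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(hmac_of(data, key), expected)


def integrity_demo() -> dict:
    """Compare the three mechanisms on the original, a corrupted copy and a deliberately altered copy."""
    crc, digest, tag = crc32_of(RECORD), sha256_of(RECORD), hmac_of(RECORD, SHARED_KEY)
    corrupted = bytes([RECORD[0] ^ 0x01]) + RECORD[1:]          # one bit flipped in transit
    altered = RECORD.replace(b"1500.00", b"9500.00")            # amount changed on purpose
    return {
        "original_passes_all": verify_crc(RECORD, crc) and verify_sha256(RECORD, digest)
                               and verify_hmac(RECORD, SHARED_KEY, tag),
        "corruption_caught_by_crc": not verify_crc(corrupted, crc),
        "alteration_caught_by_hash": not verify_sha256(altered, digest),
        # Whoever can rewrite the record can also recompute and replace a plain hash ...
        "alteration_with_recomputed_hash_passes": verify_sha256(altered, sha256_of(altered)),
        # ... but cannot produce a tag that verifies under the real key.
        "alteration_with_forged_hmac_fails": not verify_hmac(altered, SHARED_KEY,
                                                             hmac_of(altered, b"guessed-key")),
    }


if __name__ == "__main__":
    for check, result in integrity_demo().items():
        print(f"{check}: {result}")
```

The practical reading: a checksum or CRC is the right tool for line noise and disk errors, a hash lets you verify integrity against a reference you trust (for example a digest published over a separate channel), and only a keyed construction such as an HMAC or a digital signature ties the data to a source.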
Ensuring that information is genuine and from a legitimate source. Authenticity guarantees that the data, messages, or documents are what they purport to be and that the source can be verified.

Utility
Utility refers to the usefulness of an item of data. Utility is measured in terms of degree (slightly useful/extremely useful) and not in binary terms (yes/no). Ensuring that information is useful and has value to the intended users. Utility relates to the usability of data in its intended context, meaning that it must be in a format and condition that can be used as intended.

Social engineering
Social Engineering: Manipulating individuals into divulging confidential information or performing actions that compromise security. Social engineering attacks occur when cybercriminals manipulate victims into taking or omitting specific actions, such as disclosing sensitive data or disabling security checks. One typical example of social engineering is phishing. OPSEC assists enterprises here by spreading awareness on spotting and preventing such attacks.

Social Engineering Types
- Pretexting: Deceiving individuals by impersonating a trusted person or organization.
- Phishing: Sending fraudulent emails or messages to trick recipients into revealing sensitive information.
- Spear Phishing: A targeted form of phishing that attacks specific individuals or organizations.
- Tailgating: Physically following authorized individuals into restricted areas.

Mitigation Strategies
- Regular Security Awareness Training:
  o Educate employees about social engineering tactics, phishing attacks, and weak password practices.
  o Conduct regular training sessions to reinforce security awareness.
  o Use interactive training methods, such as simulations and quizzes.
- Strong Password Policies:
  o Enforce complex password requirements, including a mix of characters, numbers, and symbols.
  o Encourage the use of unique passwords for different accounts.
  o Implement password managers to securely store and manage passwords.
- Access Controls:
  o Limit access to sensitive information and systems based on the principle of least privilege.
  o Implement multi-factor authentication to add an extra layer of security.
  o Regularly review and update access permissions.
- Phishing Simulations:
  o Conduct periodic phishing simulations to test employees' awareness and response.
  o Analyse the results to identify areas for improvement in training and policies.
- Incident Response Plan:
  o Develop and implement a comprehensive incident response plan to address security breaches.
  o Have a clear process for reporting and responding to incidents.
- Human Behavior Awareness:
  o Encourage employees to be cautious of unsolicited requests, even if they appear to be from trusted sources.
  o Teach employees to verify information independently, such as by calling a known number or checking official websites.
  o Promote a culture of security awareness, where employees are encouraged to report suspicious activity.
By implementing these strategies, organizations can significantly reduce their vulnerability to social engineering attacks and protect their valuable assets.

Human security

Human-Introduced Threats
- Weak Passwords: Employees often choose easy-to-guess passwords.
- Physical Security Oversights: Leaving workstations unattended and unlocked.
- Social Engineering: Manipulating individuals to gain unauthorized access.
- Insider Threats: Malicious actions by employees or contractors.

Mitigating Human Risk Factors
- Strong Password Policies: Enforcing complex password requirements.
- Security Awareness Training: Educating employees about security best practices.
- Access Controls: Limiting access to sensitive information and systems.
- Social Engineering Awareness Training: Teaching employees to recognize and avoid social engineering tactics.
- Incident Response Planning: Having a plan in place to respond to security incidents.

Sources of Human Information for Social Engineering
- Human Intelligence (HUMINT): Gathering information through direct interaction with people.
- Open-Source Intelligence (OSINT): Collecting information from publicly available sources, such as social media, public records, and online forums.
By understanding and addressing the human element in security, organizations can significantly reduce their risk of cyberattacks and data breaches.

Control examples
Physical controls are used to prevent or deter unauthorised access; examples include security cameras and locked doors.
Administrative controls refer to processes and procedures that are implemented in order to reduce or avoid risk. For example, you may have an information security policy plus supporting documentation showing how this policy has been implemented.
Technical controls use technical measures to manage risk, such as intrusion detection systems and firewalls.

Security attacks (4 types)
There are four different types of security attack: interception, interruption, modification and fabrication. Furthermore, security attacks can be carried out on 'data at rest' (e.g. data that is stored on a hard drive) or 'data in motion' (e.g. data that is in the process of being transferred from one computer to another via email).
Interception attacks allow unauthorised users to access confidential data and/or software applications and can be difficult to detect.
Interruption attacks prevent authorised users from accessing information assets, either temporarily or permanently. Such attacks may affect the integrity as well as the availability of data.
Modification attacks result in unauthorised changes being made to the content of affected files. This could compromise the availability, integrity and/or confidentiality of the file contents.
Fabrication attacks generate random data, fake email communications or additional processes that serve no useful purpose. Such attacks affect the integrity of the system and may also impact its availability.

Accountability, Auditing, Logging, Compliance

Accountability
The principle of accountability requires individuals who have access to your resources to be held responsible for their actions and to adhere to the rules that govern the use of those resources. In order to determine accountability, you need to refer back to the identification, authentication and authorisation rules that are associated with a particular individual.
Accountability in Information Security refers to the principle that individuals and organizations must be held responsible for their actions and decisions related to the management and protection of information. This includes ensuring that users, administrators, and other stakeholders are accountable for their roles in maintaining the confidentiality, integrity, and availability of data.
Holding people accountable is an important factor in preventing security breaches: it enables non-repudiation, it deters people from abusing organisational resources, and it helps to detect and prevent intrusions.
- Non-repudiation implies that you have sufficient evidence to be able to prove who was responsible for a particular activity or occurrence.
- Deterrence implies that people will be more likely to follow rules governing the use of resources if they know that their actions are being monitored.
- Intrusion detection and prevention tools monitor organisational systems and alert technical staff to unusual or undesirable activities.
When evidence is collected for use in a legal dispute, it is important for the chain of custody to remain unbroken. A tracking system allows the original evidence to be tracked, monitored and reported.

Concepts
- Audit Trails: Keeping detailed records of user activities to ensure actions can be traced back to specific individuals or systems.
- Access Controls: Assigning and managing permissions so that only authorized individuals can access sensitive information.
- Security Policies: Establishing clear guidelines and expectations for how information should be protected and ensuring that these policies are followed.
- Monitoring and Reporting: Continuously monitoring systems and networks for security breaches and reporting any suspicious activities.
- Enforcement: Ensuring that violations of security policies are addressed and that there are consequences for failing to adhere to security standards.

Auditing
Internal auditing is the process of reviewing organisational records to ensure that rules governing the use of corporate resources have been complied with. In large organisations, external audits may be performed to ensure that your organisation meets statutory financial and regulatory requirements. Organisations may also conduct audits of software licenses and of websites that are frequently visited by employees.
A computer log generates a history of the digital activities that have occurred within a specific system. Monitoring usually involves reviewing computer logs in order to identify unusual activities, usage patterns or traffic volumes. An assessment audit searches for vulnerabilities in the system in order to resolve any potential or existing problems. A separate field of auditing is IT auditing, which deals specifically with IT controls.
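An added example (not from the original notes) of the log review described above: it parses a constructed audit log into a per-user audit trail, so every action can be traced back to an identified individual, and then flags three kinds of unusual activity that a reviewer would want to see. The log format, host and user names, thresholds and business hours are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log; the syslog-like format, hosts, users and addresses are assumptions.
SAMPLE_LOG = """\
2024-03-04T08:55:12 host=fileserver user=alice event=login result=success src=10.0.0.21
2024-03-04T08:57:40 host=fileserver user=alice event=file_read path=/finance/q1.xlsx result=success src=10.0.0.21
2024-03-04T09:01:03 host=fileserver user=bob event=login result=failure src=10.0.0.77
2024-03-04T09:01:09 host=fileserver user=bob event=login result=failure src=10.0.0.77
2024-03-04T09:01:15 host=fileserver user=bob event=login result=failure src=10.0.0.77
2024-03-04T09:01:21 host=fileserver user=bob event=login result=failure src=10.0.0.77
2024-03-04T10:15:00 host=fileserver user=dave event=file_read path=/hr/salaries.csv result=success src=10.0.0.33
2024-03-04T23:40:02 host=fileserver user=carol event=login result=success src=10.0.0.90
2024-03-04T23:41:30 host=fileserver user=carol event=file_delete path=/finance/q1.xlsx result=success src=10.0.0.90
"""

BUSINESS_HOURS = (8, 18)               # assumed: 08:00 to 18:00 local time
FAILURE_THRESHOLD = 3                  # assumed: three failed logins ...
FAILURE_WINDOW = timedelta(seconds=60)  # ... within one minute is worth a look

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<kv>.+)$")


def parse_log(text: str):
    """Turn each well-formed line into a dict of fields; count malformed lines instead of silently dropping them."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events, malformed


def audit_trail(events):
    """Accountability view: every recorded action grouped by the identified user, in time order."""
    trail = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        trail[e["user"]].append((e["ts"], e["event"], e.get("path", "-"), e["result"]))
    return dict(trail)


def audit_findings(events):
    """Flag repeated login failures, activity with no authenticated session, and after-hours activity."""
    findings = []
    recent_failures = defaultdict(deque)   # per-user sliding window of failure timestamps
    authenticated = set()                  # users with a successful login earlier in the trail
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts = e["user"], e["ts"]
        if e["event"] == "login":
            if e["result"] == "success":
                authenticated.add(user)
            else:
                window = recent_failures[user]
                window.append(ts)
                while ts - window[0] > FAILURE_WINDOW:
                    window.popleft()
                if len(window) == FAILURE_THRESHOLD:   # fires once, when the threshold is first reached
                    findings.append(("repeated_login_failures", user, ts))
        elif user not in authenticated:
            # An action we cannot tie back to an authentication event breaks the accountability chain.
            findings.append(("activity_without_authenticated_session", user, ts))
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours_activity", user, ts))
    return findings


if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    for user, actions in audit_trail(events).items():
        print(user, actions)
    for rule, user, ts in audit_findings(events):
        print(f"{ts.isoformat()} {rule} user={user}")
```

On the sample, `bob` trips the failure threshold at the third failed login, `dave` reads a file with no login recorded for him (which is exactly the gap a reviewer must close before anyone can be held accountable), and `carol` logs in and deletes a file outside business hours; `alice` produces no findings.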
Regulatory Compliance
Organisations need to comply with externally imposed rules and regulations that may affect their internal systems and processes. Compliance refers to an organisation's adherence to the rules and regulations that govern a particular industry, including the information that is typically handled within that industry. In this context, compliance is a business need, not an issue of technical security.
Regulatory compliance requires adherence to the laws governing the industry in which your organisation operates. The demonstration of regulatory compliance is based on regular audits and assessment.
Industry compliance involves adherence to practices that are not mandated by law, but are essential for organisations operating within a particular business context. For example, organisations must comply with the standards that have been defined for processing credit card transactions.

Control Examples
Physical, administrative and technical controls (defined under Control examples above) are used to support compliance with standards and regulatory requirements. The primary controls used to mitigate risk within a particular environment are referred to as key controls. The failure of a key control will usually affect an entire process, and it is unlikely that another control will be able to compensate for this failure. Compensating controls are used as a (less effective) substitute for impractical or unfeasible key controls.
Maintaining compliance relies on a four-step process: monitoring existing controls, reviewing their effectiveness, documenting and analysing the review results, and reporting on the overall state of controls in the organisation.

Legal Compliance
Relevant legislation must be taken into account when evaluating compliance. The Sarbanes-Oxley Act (SOX) of 2002 is definitely relevant to South African organisations. SOX regulates financial data, operations, and assets for publicly held companies, and includes specific requirements related to the gathering, retention and storage of electronic records.
In South Africa, we have specific legislation that needs to be complied with:
- POPIA: Governs the lawful processing of personal data to protect individual privacy.
- ECTA: Provides legal recognition for electronic communications, transactions, and signatures.
- Cybercrimes Act: Defines and addresses various cybercrimes, including hacking and cyber fraud.
- RICA: Regulates the interception of communications and requires the retention of certain communication data.
- King IV Report: Offers guidelines on corporate governance, including IT governance and cybersecurity.
- NCPF: Outlines South Africa's national cybersecurity strategy and response to cyber threats.
- CPA: Protects consumer rights in electronic transactions and against unfair trade practices.

Compliance Frameworks
Compliance frameworks make it easier for organisations to ensure compliance across a number of unrelated regulations. Use of a tried and tested framework also simplifies the audit process, since it facilitates the auditor's understanding of the program controls that have been implemented. Some internationally accepted compliance frameworks and standards are listed below.
Standards promulgated by the International Organisation for Standardisation (ISO):
- ISO/IEC 27000: Information security management systems - Overview and vocabulary.
- ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements.
- ISO/IEC 27002: Code of practice for information security controls.
Special publications issued by the US National Institute of Standards and Technology (NIST):
- SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems.
- SP 800-53: Security and Privacy Controls for Federal Information Systems and Organisations.

Compliance in the Cloud
Cloud computing encompasses several different models that offer differing levels of control over the computing environment. Organisations are able to choose the most appropriate configuration for their needs, based on their business requirements.
- Infrastructure as a Service (IaaS) provides access to virtual servers and storage. The cloud provider is responsible for risks associated with the host servers and the networks that connect those servers.
- Platform as a Service (PaaS) provides prebuilt servers such as database and web servers. The cloud provider is responsible for the security of the server infrastructure, as well as server configuration, backup and maintenance.
- Software as a Service (SaaS) provides access to specific applications or software suites. The cloud provider is responsible for the security of the servers and accompanying infrastructure, including software applications.
Some cloud providers allow clients to audit the security of their cloud environment, subject to certain conditions such as the timing and frequency of audits. Other cloud providers may share the results of their own annual external audit with their clients.
Application security
Often, application and data vulnerabilities are not a result of poor network design, but rather of insecure coding practices. Key defences include proper input validation, strong user authentication, and authorization mechanisms. Sensitive data should always be encrypted, whether at rest or in transit. Common software development vulnerabilities include buffer overflows, race conditions, input validation attacks, and various authentication, authorization, and cryptographic attacks.

Common attacks
Web applications are particularly susceptible to various types of attacks. Client-side attacks typically work by embedding malicious links within a web page hosted on the client's machine. When users click these links, hidden code is executed, potentially compromising the system. Server-side attacks are often enabled by weaknesses such as insufficient input validation, improper user permissions, the use of default directory names and structures, and the presence of outdated backups containing source code.
Databases, which frequently store sensitive information like personal and financial data, are prime targets for attackers. Common vulnerabilities within databases stem from insecure network protocols used for communication, a lack of appropriate user credentials, poor SQL coding practices, and privilege escalation through SQL injection.

Common mitigations
To mitigate these risks, several security tools are available. Sniffers monitor network traffic patterns, while web application analysis tools search for insecure configurations and vulnerabilities. "Fuzzers" test applications by attempting to induce failures or unexpected behaviours. Specialised vulnerability assessment tools play a crucial role in identifying and evaluating security weaknesses, and vendors typically provide guidance on how to address these issues.
Vulnerability assessments usually include three main steps: mapping and discovery, scanning for vulnerabilities, and overcoming cloud-specific challenges. Penetration testing is another critical approach for identifying potential weaknesses and involves a five-step process: scoping, reconnaissance (gathering information), discovery of vulnerabilities, exploitation of identified weaknesses, and finally, reporting the findings.
The purpose of application security, its common vulnerabilities and attacks, and the corresponding mitigations are listed under Network security above.

Input validation
Input validation ensures that the input submitted to an application is in the expected format. When input validation is absent, unusual input characters might cause an application to crash, or could even affect the functioning of the operating system.
Input validation refers to the process of ensuring that any data entered by users (or external sources) is properly checked before being processed by the system. It aims to ensure that inputs are within the expected format, type, and range, protecting applications from attacks such as SQL injection, cross-site scripting (XSS), or buffer overflows. Without proper input validation, attackers can inject malicious data into the system, potentially compromising its security. Effective input validation involves sanitizing and verifying all user inputs against predefined rules, using techniques such as whitelisting, regex patterns, and escaping characters.

Techniques used to launch client server attacks
Cross-site scripting incorporates code written in a scripting language into a web page or other media.
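An added example (not code from the original notes) of the input validation techniques described under Input validation: allowlisting with regex patterns, type and range checks, bounding free text, and escaping characters on output. The field names, patterns and limits are assumptions for this example. It also shows why validation alone does not stop cross-site scripting: a comment containing a script tag is perfectly valid free text, so the protection comes from escaping it when it is rendered.

```python
import html
import re

# Allowlist patterns and limits: assumptions for this example, not taken from any real application.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
INVOICE_REF_RE = re.compile(r"INV-[0-9]{4}")
AMOUNT_RE = re.compile(r"[0-9]{1,9}")   # ASCII digits only; str.isdigit() would also accept e.g. '²'
MAX_AMOUNT_CENTS = 10_000_000
MAX_COMMENT_LEN = 500


class ValidationError(ValueError):
    def __init__(self, field, reason):
        super().__init__(f"{field}: {reason}")
        self.field, self.reason = field, reason


def validate_username(value: str) -> str:
    """Allowlist: only the characters a username may contain, within the expected length."""
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username", "3-32 letters, digits or underscores required")
    return value


def validate_invoice_ref(value: str) -> str:
    """Fixed-format identifier: the whole value must match the pattern, not just a prefix."""
    if not INVOICE_REF_RE.fullmatch(value):
        raise ValidationError("invoice", "expected format INV-0000")
    return value


def validate_amount_cents(value: str) -> int:
    """Type and range: a whole number of cents within the assumed business limit."""
    if not AMOUNT_RE.fullmatch(value):
        raise ValidationError("amount", "whole number of cents required")
    amount = int(value)
    if not 1 <= amount <= MAX_AMOUNT_CENTS:
        raise ValidationError("amount", "out of range")
    return amount


def validate_comment(value: str) -> str:
    """Free text cannot be allowlisted character by character: bound its length and strip control
    characters here; it is made safe for HTML by escaping on output, not by rejecting '<' on input."""
    if len(value) > MAX_COMMENT_LEN:
        raise ValidationError("comment", f"longer than {MAX_COMMENT_LEN} characters")
    return "".join(ch for ch in value if ch.isprintable() or ch in "\n\t")


def render_comment(comment: str) -> str:
    """Output escaping: <, >, &, and quotes become entities, so a stored script tag is shown as text."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


VALIDATORS = (("username", validate_username), ("invoice", validate_invoice_ref),
              ("amount", validate_amount_cents), ("comment", validate_comment))


def validate_form(form: dict) -> dict:
    """Validate every field of a submission, collecting all errors instead of stopping at the first."""
    values, errors = {}, {}
    for field, check in VALIDATORS:
        value = form.get(field)
        if not isinstance(value, str):          # wrong type or missing: never reaches the regex
            errors[field] = "missing or not a string"
            continue
        try:
            values[field] = check(value)
        except ValidationError as exc:
            errors[exc.field] = exc.reason
    return {"ok": not errors, "values": values, "errors": errors}


if __name__ == "__main__":
    # Constructed submissions: one clean, one carrying typical bad input in every field.
    print(validate_form({"username": "alice_01", "invoice": "INV-0042", "amount": "150000", "comment": "Thanks!"}))
    bad = validate_form({"username": "alice'; DROP TABLE users;--", "invoice": "INV-42",
                         "amount": "-5", "comment": "<script>alert(1)</script>"})
    print(bad["errors"])
    print(render_comment(bad["values"]["comment"]))
```

Note the division of labour: the structured fields are rejected outright by their allowlists, while the comment passes validation and is neutralised only by `render_comment`. Rejecting "dangerous" characters in free text instead would both break legitimate input (a surname with an apostrophe) and still miss the contexts, such as attribute values or JavaScript, where different escaping is needed.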
When a user views the web page or media, the embedded code is executed. Three main types of XSS: 1.Stored XSS (Persistent XSS): The malicious script is permanently stored on the target server, for example, in a database or a comment field. When a user requests the content, the server sends the script back, and it is executed in the user’s browser. 2.Reflected XSS (Non-persistent XSS): The malicious script is part of a URL or request that the attacker sends to the victim. When the victim clicks the link or takes action, the server reflects the script back, and it gets executed by the browser. 3.DOM-based XSS: The vulnerability occurs when the website’s JavaScript modifies the DOM (Document Object Model) without proper validation or escaping. This allows attackers to inject malicious scripts directly into the page's DOM Cross-site request forgery relies on a link located on a web page, that will execute automatically when the web page is opened, and initiate an activity on another web page where the user is currently authenticated. CSRF, also known as XSRF or Session Riding, is a type of attack where an attacker tricks a user into performing actions on a website where the user is authenticated, without their knowledge or consent. How it works: The victim is logged into a website (e.g., a bank account). The attacker sends the victim a malicious link or embeds a hidden request on a page they control. When the victim clicks the link or visits the attacker's page, the browser sends a request to the trusted website (where the user is authenticated), performing actions such as transferring money or changing settings. The trusted website sees the request as legitimate because it comes from the user’s authenticated session Prevention of CSRF: CSRF tokens: Generate unique, unpredictable tokens for forms or requests and validate them on the server side. SameSite cookie attribute: Helps restrict how cookies are sent with requests originating from external sites. 
o Requiring re-authentication for sensitive actions (like financial transactions).

Clickjacking tricks users by linking a malicious control to an apparently innocent button on a web page.
Clickjacking is an attack where an attacker tricks users into clicking on something different from what they perceive, potentially leading them to execute unintended actions. The attacker may use transparent layers or hidden frames to overlay malicious content, causing users to click on elements like buttons or links without realizing it.
How it works:
1. The attacker creates a website with a hidden iframe containing a trusted site (such as a social media platform, bank, or web app).
2. The user is presented with seemingly harmless content, but when they click on something, they are actually interacting with the hidden content in the iframe.
3. As a result, the user may unknowingly “like” a post, transfer money, or perform some action on the hidden site.
Prevention of Clickjacking:
o X-Frame-Options header: Ensures that the page cannot be embedded in iframes from other domains.
  DENY: Prevents the page from being displayed in a frame entirely.
  SAMEORIGIN: Allows the page to be displayed only if the frame is from the same domain.
o Content Security Policy (CSP) frame-ancestors directive: Specifies which sources are allowed to embed the page.
o UI redressing defences: Developers can ensure that users are interacting with visible, intended elements.

Physical security
Identifying physical threats and security controls
Physical security measures are intended to protect people, equipment, and data storage facilities from physical threats. All relevant security threats should be identified in order for appropriate controls to be implemented. Examples of physical threats include extreme temperatures, gases, liquids, living organisms, projectiles, movement, and energy anomalies.
The physical security controls that are put in place to counter these threats may have a deterrent, detective and/or preventive function.
o Deterrent controls are intended to discourage potential intruders from trying to gain access to your property, whether physical or digital.
o Detective controls monitor and report physical intrusions, or undesirable events such as the smoke that sets off a smoke alarm.
o Preventive controls, such as locks, electric fences or guard dogs, make it difficult for an intruder to enter a building or other business premises.
Business continuity plans ensure that the business will continue to function despite disruptions that interfere with normal business processes.
Disaster recovery planning anticipates the possible impact of an unforeseen disaster and lays out the steps that should be followed if a disaster occurs.
