AP Cybersecurity Unit 2 Review: Securing Spaces

Verified for the 2027 exam. Compiled by AP educators.

What's This Unit All About?

  • Physical security is the outermost layer of cybersecurity defense, and when it fails, most digital protections fail with it. An adversary holding a laptop in their hands can bypass passwords, encryption, and firewalls in ways a remote attacker cannot.
  • The unit builds adversarial thinking by walking through how a real attacker scopes a target, manipulates people, slips past doors, and exploits weak spots in a building before ever touching a keyboard.
  • Foundational cybersecurity concepts get established here and reused everywhere else: the CIA triad (confidentiality, integrity, availability), risk assessment, security controls, and defense in depth.
  • Social engineering is treated as the connective tissue between human behavior and physical breach. Tactics like pretexting, authority, urgency, and familiarity show up in phishing emails and at reception desks alike.
  • Risk is framed as a structured calculation, not a gut feeling. Likelihood multiplied by severity, scored quantitatively or qualitatively, drives every mitigation decision an organization makes.
  • Once a risk is identified, organizations choose among four responses: avoid, transfer, mitigate, or accept. Cost effectiveness shapes which controls actually get deployed.
  • Detection matters as much as prevention. Cameras, motion sensors, badge logs, and alert employees all contribute to catching breaches that prevention controls miss.
  • Placement of controls (where a guard stands, where a camera points, where a motion sensor triggers) determines whether those controls actually work or just create noise.
  • Later units on networks, devices, and data assume mastery of the vocabulary and risk-management mindset built here.

Key Concepts and Terms

  • Social engineering: Psychological manipulation that tricks a target into taking an action the adversary wants, such as opening a door or sharing a password.
  • Pretexting: Inventing a believable reason or backstory to justify contact with a target, often paired with other social engineering tactics.
  • OSINT (open source intelligence): Information freely available online or in public records, gathered during reconnaissance to profile a target.
  • Command and control (C2): A communication channel an adversary uses to send instructions to a compromised device and receive stolen data back, often via a remote access trojan (RAT).
  • Risk: The condition that exists when a threat can exploit a vulnerability to compromise an asset. All three elements must be present.
  • Asset: Anything of value to an organization, including data, intellectual property, hardware, money, physical facilities, and reputation.
  • Threat vs. vulnerability: A threat is the source of potential harm (an adversary, a hurricane); a vulnerability is the weakness that lets the threat cause damage.
  • Residual risk: The leftover risk after avoidance, transference, and mitigation have been applied, which the organization consciously accepts.
  • CIA triad: Confidentiality, integrity, and availability, the three principles every security control is designed to protect.
  • Defense in depth: A layered strategy that stacks human, physical, network, device, application, and data controls so that one failure does not equal total compromise.
  • Piggybacking: An adversary convinces an authorized person to let them through a controlled door, often by carrying boxes or claiming to be maintenance.
  • Tailgating: An adversary slips through a controlled door behind an authorized person without that person knowing.
  • Shoulder surfing: Watching (or recording) a user enter credentials or view sensitive information.
  • Dumpster diving: Searching a target's discarded trash for useful information like printouts, sticky notes, or hardware.
  • Card cloning: Copying the credentials stored on an authorized user's access badge to forge an identical one.
  • Access control vestibule: A small enclosed space with two interlocking doors that forces one person through at a time, blocking tailgating and piggybacking.
  • UPS (uninterruptible power supply): A battery-backed power source that keeps a device running during a short outage, often paired with generators for longer outages.
  • Clean desk policy: A managerial rule requiring employees to clear sensitive documents and lock devices before leaving a workstation.

Adversaries and Their Motivations

  • Adversaries are categorized by skill, motivation, and access, and the right defenses depend on which adversary is realistic for a given organization.
    • Script kiddies use off-the-shelf tools they do not understand, often chasing recognition or quick money.
    • Hacktivists pursue political or social causes, such as defacing a corporate webpage to publicize illegal fishing practices.
    • Insider adversaries already hold legitimate credentials and may act out of greed, revenge, or recruitment by an outside party.
    • Cyberterrorists target civil infrastructure (power grids, water treatment) to disrupt regions or nations.
    • Transnational criminal organizations deploy ransomware and resell stolen intellectual property at scale.
  • Social engineering tactics are the levers adversaries pull on human targets.
    • Authority: impersonating a CEO or relaying "orders from the boss."
    • Intimidation: threatening firing, fines, or legal action.
    • Consensus: claiming "everyone in your department already approved this."
    • Scarcity: "only three spots left, respond now."
    • Familiarity: pretending to know a coworker or family member.
    • Urgency: imposing a tight deadline to short-circuit careful thinking.

The Phases of a Cyberattack

  • Attacks unfold as a sequence of phases, though not every phase appears in every attack.
    • Reconnaissance: gathering OSINT such as LinkedIn employee lists, public domain records, and social media posts.
    • Initial access: getting a first foothold, typically through a phishing email or stolen credentials.
    • Persistence: installing a RAT or rootkit so access survives reboots and password changes.
    • Privilege escalation and lateral movement: gaining higher privileges on the compromised host, then pivoting from it to other systems, for example from a low-level user account to a domain administrator.
    • Taking action: exfiltrating customer records, encrypting files for ransom, or destroying data.
    • Evading detection: wiping log files and deleting malware artifacts to cover tracks.
  • Physical access can collapse multiple phases at once: plugging a malicious USB drive into an internal workstation delivers initial access and can install persistence and a command-and-control channel in one step, skipping phishing entirely and landing the attacker already inside the network.

Risk Assessment and Management

  • Risk assessment quantifies two factors for each vulnerability: likelihood of exploitation and severity of damage.
    • Likelihood depends on target value, exploit difficulty, and adversary motivation and skill.
    • Severity is measured in financial loss, operational disruption, and reputational damage.
  • Results can be quantitative (a 7 out of 10, or a projected $10,000 annual loss) or qualitative (low, medium, high, severe).
  • Documentation should list the asset, its value, likely threats, specific vulnerabilities, projected impact, likelihood, and a final rating.
  • Once assessed, every risk is handled in one of four ways.
    • Avoid: stop the risky activity entirely (only possible if the activity is not mission-critical).
    • Transfer: shift the burden to an insurer or third party.
    • Mitigate: install controls that reduce likelihood or impact.
    • Accept: acknowledge the residual risk because absolute security is impossible.
  • Mitigations are prioritized by severity and cost; a $50,000 control to prevent a $5,000 loss fails the cost-effectiveness test.
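The scoring and cost-effectiveness test described above, as an added example that is not part of the original study guide. It models a small risk register (asset, threat, vulnerability, likelihood, severity), bands the likelihood-times-severity score into the qualitative ratings used on this page, computes an annualized loss expectancy (ALE = single loss expectancy times annual rate of occurrence), and compares a proposed control's annual cost with the loss it removes. The assets, dollar figures, score bands and percentage reductions are assumptions chosen for illustration; the figures are deliberately set so that one control passes the test and one fails it the way the $50,000-versus-$5,000 example does.

```python
"""Risk register scoring and mitigation cost-effectiveness (illustrative example;
all asset values, likelihoods and control costs below are assumed)."""
from dataclasses import dataclass


def qualitative_rating(score: int) -> str:
    """Map a 1..25 likelihood x severity score onto the page's qualitative bands.
    The cut-offs are an assumption for this example, not a standard."""
    if score >= 15:
        return "severe"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    severity: int     # 1 (negligible) .. 5 (catastrophic)
    sle: float        # single loss expectancy, dollars per incident (assumed)
    aro: float        # annualized rate of occurrence, incidents per year (assumed)

    @property
    def score(self) -> int:
        return self.likelihood * self.severity

    @property
    def rating(self) -> str:
        return qualitative_rating(self.score)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float   # fraction of the ARO the control removes, 0..1


def build_register() -> list:
    """Constructed register mirroring the physical-vulnerability examples on this page."""
    return [
        Risk("customer database server", "intruder", "unlocked server room off an unmonitored hallway",
             likelihood=4, severity=5, sle=200_000.0, aro=0.25),
        Risk("reception PC", "visitor with USB drive", "open USB ports on a networked PC in a public lobby",
             likelihood=3, severity=3, sle=20_000.0, aro=0.5),
        Risk("office laptops", "opportunistic thief", "no cable locks, badge-only office, no sensitive data",
             likelihood=2, severity=1, sle=1_500.0, aro=1.0),
    ]


def prioritize(register: list) -> list:
    """Highest score first; ALE breaks ties so the costlier exposure is handled first."""
    return sorted(register, key=lambda r: (r.score, r.ale), reverse=True)


def mitigation_worth(risk: Risk, control: Control) -> dict:
    """Compare what a control costs per year with the ALE it removes."""
    residual_ale = risk.ale * (1.0 - control.likelihood_reduction)
    benefit = risk.ale - residual_ale
    return {
        "control": control.name,
        "annual_benefit": round(benefit, 2),
        "annual_cost": control.annual_cost,
        "residual_ale": round(residual_ale, 2),
        "cost_effective": benefit > control.annual_cost,
    }


def recommend(risk: Risk, control: Control) -> str:
    """Pick one of the four responses: mitigate when the control pays for itself,
    otherwise accept a low/medium residual risk or transfer a high/severe one."""
    if mitigation_worth(risk, control)["cost_effective"]:
        return "mitigate"
    return "accept" if risk.rating in ("low", "medium") else "transfer"


if __name__ == "__main__":
    register = prioritize(build_register())
    for r in register:
        print(f"{r.score:>2} {r.rating:<7} ALE=${r.ale:>10,.0f}  {r.asset}: {r.vulnerability}")
    server_lock = Control("badge reader and electronic lock on server room", 6_000.0, 0.9)
    lobby_enclosure = Control("hardened enclosure for lobby PC", 50_000.0, 0.5)
    print(mitigation_worth(register[0], server_lock), recommend(register[0], server_lock))
    print(mitigation_worth(register[1], lobby_enclosure), recommend(register[1], lobby_enclosure))
```

The server-room lock removes about $45,000 of a $50,000 ALE for $6,000 a year and is recommended; the $50,000 lobby enclosure removes only $5,000 of ALE, fails the test, and the high-rated risk is pushed toward transfer (insurance) instead.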

Security Controls and Defense in Depth

  • Every control supports at least one principle of the CIA triad.
    • Confidentiality: encryption, locks, access badges.
    • Integrity: hashing, file integrity monitoring, change controls.
    • Availability: UPS units, backup generators, redundant servers.
  • Controls are classified by type and by function, and a single control can carry multiple labels.
    • By type: physical (fences, bollards, guards), technical (firewalls, anti-malware, encryption), managerial (password policies, incident response plans, awareness training).
    • By function: preventative (locks, encryption, IPS), detective (cameras, IDS, SIEM), corrective (restoring from backup, patching after an incident, quarantining malware).
  • Defense in depth stacks layers so adversaries must defeat several independent controls in sequence.
    • Policy/Governance: acceptable use policies, password rules.
    • Data and Applications: encryption, DLP software, access controls.
    • Device: EDR, anti-malware, host-based firewalls, authentication.
    • Network: segmentation, firewalls, encrypted traffic.
    • Physical perimeter: gates, fences, cameras, guards, locks.

Physical Attacks and Vulnerabilities

  • Most physical attacks blend social engineering with opportunism.
    • Piggybacking: an attacker carrying a large box smiles at an employee who holds the door.
    • Tailgating: an attacker slips behind a badged employee unnoticed.
    • Shoulder surfing: watching a colleague type a password in a coffee shop, sometimes recorded by a phone camera.
    • Dumpster diving: pulling discarded org charts, account statements, or labeled hard drives from trash bins.
    • Card cloning: scanning an RFID badge from a few feet away and writing the data to a blank card.
  • Physical access enables attacks that bypass technical controls entirely.
    • Plugging in a hardware keylogger between keyboard and computer.
    • Inserting a USB drive that auto-loads malware.
    • Physically stealing or destroying a hard drive, server, or laptop.
    • Cutting power at the breaker panel to force a system into an unsafe restart state.
  • Risk ratings for physical vulnerabilities scale with sensitivity and exposure.
    • High: an unlocked server room storing customer data off an unmonitored hallway.
    • Moderate: a receptionist's networked PC with open USB ports in a public lobby.
    • Low: unattended laptops without cable locks in a badge-only office, holding no sensitive data.

Protecting and Monitoring Physical Spaces

  • Managerial controls set the human expectations that technical and physical controls rely on.
    • Security awareness training teaches employees to spot phishing, refuse to badge in strangers, and protect devices.
    • Workstation security policies require locking screens, using privacy filters, and following clean desk rules.
    • Tiered policies impose stricter rules in areas handling more sensitive data.
  • Physical controls deter, delay, and detect intruders.
    • Perimeter: fences, gates, and bollards stop vehicles and force foot traffic to controlled entry points.
    • Entry: card readers log who enters and when, while access control vestibules and turnstiles force single-person passage.
    • Interior: locks on server cabinets, disabled USB ports, and cable locks on laptops protect individual devices.
    • Power resilience: UPS units cover short outages; generators sustain entire facilities during prolonged ones.
  • Detection controls require thoughtful placement to be useful.
    • Cameras belong at points of ingress and egress, angled to capture faces, and protected from tampering. Facial recognition can flag unauthorized individuals in real time.
    • Motion sensors work best in low-traffic zones like server rooms; placing them in busy hallways floods alerts with false positives.
    • Stationary guards anchor chokepoints like main lobbies; patrolling guards cover perimeters and create unpredictability for attackers.
    • Badge log analysis can reveal piggybacking by flagging doors that stayed open longer than a single badge-in should take, and doors that opened with no badge read at all.
  • Detection is most effective when controls are layered: a motion sensor triggers an alert, a camera verifies the breach, a guard responds, and badge logs reconstruct the timeline afterward.
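The badge-log analysis described above, as an added example that is not part of the original study guide. It reads a constructed door-controller log (badge reads, door-open and door-close events per door), pairs each opening with the badge read that preceded it, and raises three kinds of alert: a door held open longer than a threshold after one badge read (possible piggybacking), a door that opened with no badge read in the preceding few seconds (possible forced entry or someone holding it from inside), and a door still open when the log ends (propped). The log format, door names, badge IDs and the 10-second and 5-second thresholds are assumptions for this example.

```python
"""Door/badge log analysis for piggybacking and unbadged entry.
The log lines, field names and thresholds below are constructed for this example."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log: one lobby door and one server-room door over a day.
SAMPLE_LOG = """\
timestamp,door,event,badge_id
2024-03-04T08:00:02,LOBBY-1,badge_read,B1042
2024-03-04T08:00:03,LOBBY-1,door_open,
2024-03-04T08:00:07,LOBBY-1,door_close,
2024-03-04T08:01:10,LOBBY-1,badge_read,B2210
2024-03-04T08:01:11,LOBBY-1,door_open,
2024-03-04T08:01:38,LOBBY-1,door_close,
2024-03-04T08:05:00,SRV-ROOM,door_open,
2024-03-04T08:05:04,SRV-ROOM,door_close,
2024-03-04T12:30:00,SRV-ROOM,badge_read,B0007
2024-03-04T12:30:01,SRV-ROOM,door_open,
2024-03-04T12:30:05,SRV-ROOM,door_close,
2024-03-04T17:00:00,SRV-ROOM,badge_read,B0007
2024-03-04T17:00:01,SRV-ROOM,door_open,
"""

HELD_OPEN_THRESHOLD = timedelta(seconds=10)  # assumed: longer than one person needs
BADGE_WINDOW = timedelta(seconds=5)          # assumed: a read must precede the open by this much


def parse_log(text: str) -> list:
    """Parse CSV log text into rows with datetime timestamps, in file order."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def analyze(rows: list) -> list:
    """Walk the log once, tracking the last badge read and current open state per door."""
    alerts = []
    last_badge = {}   # door -> (time, badge_id) of the most recent valid read
    open_since = {}   # door -> (open time, badge_id or None) while the door is open
    for r in rows:
        door, t = r["door"], r["timestamp"]
        if r["event"] == "badge_read":
            last_badge[door] = (t, r["badge_id"])
        elif r["event"] == "door_open":
            badge = None
            read = last_badge.get(door)
            if read is not None and t - read[0] <= BADGE_WINDOW:
                badge = read[1]
            else:
                # Opened without a recent badge read: forced, propped from inside, or held open
                alerts.append({"door": door, "time": t, "type": "open_without_badge",
                               "badge_id": None})
            open_since[door] = (t, badge)
        elif r["event"] == "door_close":
            if door in open_since:
                opened, badge = open_since.pop(door)
                duration = t - opened
                if duration > HELD_OPEN_THRESHOLD:
                    # One badge read, door open long enough for several people to pass
                    alerts.append({"door": door, "time": opened, "type": "held_open",
                                   "badge_id": badge, "seconds": duration.total_seconds()})
    # Anything still open at the end of the log was never closed: likely propped.
    for door, (opened, badge) in sorted(open_since.items(), key=lambda kv: kv[1][0]):
        alerts.append({"door": door, "time": opened, "type": "still_open", "badge_id": badge})
    return alerts


if __name__ == "__main__":
    for a in analyze(parse_log(SAMPLE_LOG)):
        print(a["time"].isoformat(), a["door"], a["type"], a.get("badge_id"), a.get("seconds", ""))
```

On the sample, the lobby door badged by B2210 stays open 27 seconds and is flagged as held open, the 08:05 server-room opening has no badge read and is flagged, and the 17:00 server-room opening with no matching close is reported as still open. In a real deployment the held-open alert is what a guard or camera review should confirm, since a legitimate delivery can also trip it.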