2.4: Detecting Physical Attacks
Essential Questions
- Why is a security camera that isn't being monitored still a useful detective control?
- How can a simple door sensor log help you detect a tailgating attack after the fact?
- What are the key considerations when deciding where to place a motion sensor versus a camera?
- How do stationary and patrolling security guards serve different detective functions?
- Why is it important to place cameras at all points of entry and exit?
- How can your own employees be your most effective "human sensors" for detecting unauthorized individuals?
Overview
Your work at Xtensr Research Labs is progressing. You've assessed the physical vulnerabilities of the new building and developed a plan to mitigate them with preventative controls like better locks and stronger policies. But your job isn't done. No preventative control is foolproof. A determined adversary might still find a way to bypass a lock or trick an employee. Therefore, the next critical layer in your defense-in-depth strategy is detection. You need to assume that a breach will happen and ensure you have the systems in place to spot it as quickly as possible.
Your manager now asks you to recommend a strategy for monitoring the facility. Where should you place cameras? Are motion sensors a good idea for the server room? How should the security guards patrol to be most effective? You need to think not just about preventing entry, but about detecting an intruder's presence and tracking their actions once they are inside. A fast and accurate detection capability is what separates a minor incident from a major catastrophe.
This lesson is all about the art and science of detection. You will learn about the primary detective controls used in physical security, including cameras, security guards, and motion sensors. We'll go beyond simply listing these controls and explore the strategic thinking behind their placement. You'll learn why a camera's field of view and a motion sensor's sensitivity are critical factors. Finally, you'll learn how to apply these detection techniques, using the data from these controls to identify a physical breach and support an effective incident response.
Identifying How Security Controls Detect Attacks (2.4.A)
Detective controls are the eyes and ears of your security posture. Their purpose is to alert you to a potential or actual security breach. While preventative controls are the walls, detective controls are the watchmen on those walls. Each type of control provides a different kind of information to help you build a complete picture of an incident.
Cameras are one of the most powerful detective controls. They provide a direct visual record of what is happening in a space. A live feed allows for real-time monitoring, enabling security personnel to respond to an incident as it unfolds. Just as importantly, the recorded footage serves as an invaluable source of evidence for after-the-fact investigations. Even if no one is watching the live feed, the recording can help you identify the attacker, reconstruct their timeline of actions, and determine the extent of the breach.
Security guards offer a dynamic and intelligent detection capability that technology alone cannot match. Guards can do more than just watch a fixed area; they can patrol, observe, and use their judgment to identify suspicious behavior that might not trigger an automated alarm. They can spot someone loitering near a secure entrance or notice when something just "doesn't look right." Their physical presence is also a powerful deterrent, but their primary detective function is to be an active, thinking sensor in the environment.
Motion sensors are simpler but highly effective controls. They detect movement within a specific area and trigger an alarm. These are ideal for spaces that should have no traffic during certain hours, like a server room or a records office after business hours. The alert they generate is a simple binary signal that something moved; it says nothing about what or who, so the usual response is to pull up the corresponding camera feed and verify before dispatching anyone. Finally, never underestimate your employees. When properly trained, they can be the most effective detection system of all. They are familiar with their environment and are often the first to notice an unauthorized person or a suspicious object, acting as a network of human sensors.
Determining Effective Placement of Controls (2.4.B)
A security control is only as good as its placement. A state-of-the-art camera pointing at a blank wall is useless. The strategic placement of detective controls is crucial for creating a comprehensive monitoring net with no blind spots.
When placing cameras, the primary goal is to cover all critical areas, especially points of ingress and egress (entrances and exits). Every door leading into or out of the building, as well as entrances to sensitive internal areas like server rooms or executive offices, should be monitored. You must consider the camera's field of view to ensure there are no gaps in coverage. The angle is also important; a camera should be placed high enough to be difficult to tamper with but positioned to clearly capture faces, not just the tops of heads.
Motion sensors should be placed in areas where traffic is expected to be zero or minimal during specific times. Placing a motion sensor in a busy lobby during the day would generate a constant stream of false alarms, leading to "alert fatigue" where real alerts might be ignored. However, placing that same sensor in the lobby after hours, or in a rarely accessed server room, makes any alert a high-priority event worth investigating immediately.
Locks are preventative rather than detective controls, and their placement is straightforward: they belong on every door, cabinet, or device that needs to be secured. For particularly sensitive areas, you might use an access control vestibule at the entry point. This is also primarily a preventative control, since its two interlocked doors make tailgating physically difficult, but it carries detective value as well: every cycle of the vestibule is logged, and those logs can be reviewed to spot unusual access patterns.
The deployment of security guards can be either stationary or patrolling. Stationary guards are best placed at choke points where all traffic must pass, such as the main building entrance or the access point to a secure lab. This allows for constant monitoring of a critical location. Patrolling guards, on the other hand, are more unpredictable for an adversary. Their random routes around the building's perimeter or through its hallways make it difficult for an attacker to know when they will be observed, creating time pressure and increasing the chance of detection.
This section includes an interactive Security Design Simulator ("2.4-camera-placement"). The UI shows a 3D model of the Xtensr Labs floor plan. The learner is given a set number of cameras and motion sensors and must place these devices in the 3D space. The tool then runs a simulation of an "intruder" attempting various entry paths, and the learner gets a score based on how quickly their control placement detected the intruder. The tool provides feedback such as "Blind spot detected in the west hallway" or "Motion sensor in high-traffic area created too many false positives."
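The core of what the simulator checks for cameras is a plan-view coverage test: each camera has a position, a heading, a horizontal field of view and a useful range, each door is a point, and a door is a blind spot when no camera's sector contains it. The following is an added example for this lesson, not the simulator's own code; the camera names, coordinates, ranges and the floor layout are constructed for illustration, and the check is deliberately two-dimensional (it ignores walls, occlusion and mounting height, which you still have to verify on site).

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Camera:
    name: str
    x: float            # position on the floor plan, metres (constructed values)
    y: float
    heading_deg: float  # direction the lens points: 0 = +x axis, counter-clockwise positive
    fov_deg: float      # total horizontal field of view
    range_m: float      # distance out to which a face is still identifiable


@dataclass(frozen=True)
class Target:
    name: str
    x: float
    y: float


def angle_diff_deg(a: float, b: float) -> float:
    """Smallest absolute difference between two bearings, correct across the +/-180 wrap."""
    return abs((a - b + 180.0) % 360.0 - 180.0)


def covers(cam: Camera, t: Target) -> bool:
    """True if the target lies inside the camera's sector: within range and within half the FOV of the heading."""
    dx, dy = t.x - cam.x, t.y - cam.y
    dist = math.hypot(dx, dy)
    if dist == 0.0 or dist > cam.range_m:
        return False  # directly under the lens, or beyond the range at which faces are usable
    bearing = math.degrees(math.atan2(dy, dx))
    return angle_diff_deg(bearing, cam.heading_deg) <= cam.fov_deg / 2.0


def coverage_report(cameras, targets):
    """Map each target name to the sorted names of the cameras that cover it."""
    return {t.name: sorted(c.name for c in cameras if covers(c, t)) for t in targets}


def blind_spots(cameras, targets):
    """Targets no camera covers: the 'blind spot detected' feedback the simulator gives."""
    return [name for name, cams in coverage_report(cameras, targets).items() if not cams]


# Constructed layout (not the real Xtensr floor plan): two cameras, four points of ingress/egress.
CAMERAS = [
    Camera("CAM-Lobby", 0.0, 0.0, heading_deg=45.0, fov_deg=90.0, range_m=15.0),
    Camera("CAM-ServerRoom", 30.0, 10.0, heading_deg=180.0, fov_deg=60.0, range_m=8.0),
]
TARGETS = [
    Target("Main Entrance", 5.0, 5.0),
    Target("Server Room Door", 24.0, 10.0),
    Target("West Hallway Exit", -10.0, 2.0),
    Target("Loading Dock", 30.0, -20.0),
]

if __name__ == "__main__":
    for name, cams in coverage_report(CAMERAS, TARGETS).items():
        print(f"{name:18s} -> {cams or 'BLIND SPOT'}")
```

With this layout the lobby camera sees the main entrance and the server room camera sees the server room door, while the west hallway exit and the loading dock are reported as blind spots: the lobby camera is within range of the hallway exit but pointed the wrong way, and nothing is within range of the dock. The bearing arithmetic is wrapped modulo 360 so a camera pointed near 180 degrees covers targets on both sides of the wrap, a detail that is easy to get wrong when you hand-roll this check.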
Applying Detection Techniques to Identify Attacks (2.4.C)
Having well-placed controls is only half the battle. You must also have a process for analyzing the information they provide to actually identify an attack. This involves correlating data from different sources and looking for patterns that indicate a breach.
The data from cameras is the most direct form of evidence. When a motion sensor alert is triggered for the server room at 2 AM, the first step for a security analyst is to immediately pull up the live feed from the camera in that room to visually verify the breach. After an incident, reviewing recorded footage allows the team to track the adversary's entire path through the facility, see exactly what they touched or stole, and potentially identify them. Modern systems can add facial recognition or watch-list matching to alert guards automatically when an unauthorized or known malicious individual enters the premises; treat such a match as a lead for a guard to verify, not as proof, since these systems produce false matches.
Logs from electronic access control systems are another rich source of data. A security analyst can review the logs from a card reader on a sensitive door. If they see a valid badge being used, followed immediately by the door sensor reporting that the door was held open for an unusually long time (e.g., 15 seconds instead of the usual 3), it is a strong indicator of a potential piggybacking or tailgating attack. The badge record tells you which employee held the door, so you can follow up with them and provide additional training, and the timestamp tells you which camera footage to pull to see who came through behind them.
Combining these techniques creates a powerful detection capability. A motion detector provides the initial alert. A camera provides visual confirmation and evidence. Access control logs provide a timeline of entry. And well-trained employees and guards provide the human intelligence to tie it all together. By applying these techniques, you can move from simply having security gadgets to having a true security detection and response program.
This section also includes a Log Analysis Mini-Game ("2.4-log-review"). The UI presents a simplified access log for a secure door, showing timestamps, employee names, and door open duration. Most durations are 2-3 seconds. The learner must scan the log and identify an anomalous entry where the duration is 20 seconds, and another where an access card was denied multiple times before a valid card was used. Clicking the anomaly reveals a message explaining that this could indicate a tailgating attack or a stolen card attempt.
Security Alert: Suspicious Activity Detected
Review the access log below and identify entries that may indicate security breaches. Look for unusual patterns such as extended door open times or multiple failed access attempts.
What to look for:
- Door open duration significantly longer than normal (2-3 seconds)
- Multiple denied access attempts followed by successful access
- Unusual access patterns or timing
| Time | Employee | Card ID | Door | Result | Duration (s) |
|---|---|---|---|---|---|
| 8:00:00 AM | James Wilson | CARD-7229 | Office Area | Granted | 3 |
| 8:10:00 AM | James Wilson | CARD-9243 | Main Entrance | Granted | 2 |
| 8:21:00 AM | David Park | CARD-4589 | Research Lab | Granted | 3 |
| 8:35:00 AM | Lisa Rodriguez | CARD-3925 | Storage Room | Granted | 3 |
| 8:42:00 AM | David Park | CARD-9663 | Server Room | Granted | 2 |
| 8:50:00 AM | Anna Martinez | CARD-8806 | Office Area | Granted | 2 |
| 8:57:00 AM | Tom Anderson | CARD-1245 | Server Room | Granted | 2 |
| 9:10:00 AM | Sarah Johnson | CARD-1120 | Research Lab | Granted | 2 |
| 9:23:00 AM | David Park | CARD-9488 | Main Entrance | Granted | 2 |
| 9:34:00 AM | Lisa Rodriguez | CARD-9996 | Server Room | Granted | 2 |
Log Analysis Mini-Game
Analyze this access log for a secure door and click on the entries you find suspicious.
| Timestamp | Employee | Duration / Status |
|---|---|---|
| 08:00:01 | Alice | 2s |
| 08:01:15 | Bob | 3s |
| 08:02:30 | Carol | 2s |
| 08:03:45 | Dave | 3s |
| 08:04:12 | Eve | 20s |
| 08:05:00 | Mallory | Denied |
| 08:05:05 | Mallory | Denied |
| 08:05:09 | Mallory | Denied |
| 08:05:10 | Mallory | 3s |
| 08:06:20 | Oscar | 2s |
| 08:07:30 | Peggy | 3s |
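The rules described in this section (a door held open far longer than the baseline, a burst of denials followed by a grant, after-hours entry to a sensitive room, and motion in a room with no matching badge event to correlate it with) can be written down as code and run over the access log instead of eyeballed. The following is an added example for this lesson, not the mini-game's code or any vendor's; the log format, the sample lines (which mirror the Eve and Mallory entries above plus a constructed after-hours entry and two constructed motion events), the threshold values and the business-hours window are all assumptions for illustration.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to the site's own baseline.
MAX_HOLD_SECONDS = 10          # absolute ceiling for a normal door-open duration
HOLD_MULTIPLIER = 3            # ...or this many times the median granted duration, whichever is larger
DENIAL_BURST = 3               # denials within DENIAL_WINDOW that make a following grant suspicious
DENIAL_WINDOW = timedelta(seconds=60)
BUSINESS_HOURS = (7, 19)       # entries to sensitive doors outside 07:00-19:00 are flagged
MOTION_GRACE = timedelta(seconds=120)  # motion this soon after a badge grant is explained by it
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log, one CSV line per badge event: timestamp,employee,card,door,result,seconds open.
ACCESS_LOG = """\
2024-03-12 08:00:01,Alice,CARD-1001,Server Room,Granted,2
2024-03-12 08:01:15,Bob,CARD-1002,Server Room,Granted,3
2024-03-12 08:02:30,Carol,CARD-1003,Server Room,Granted,2
2024-03-12 08:04:12,Eve,CARD-1005,Server Room,Granted,20
2024-03-12 08:05:00,Mallory,CARD-1006,Server Room,Denied,0
2024-03-12 08:05:05,Mallory,CARD-1006,Server Room,Denied,0
2024-03-12 08:05:09,Mallory,CARD-1006,Server Room,Denied,0
2024-03-12 08:05:10,Mallory,CARD-1006,Server Room,Granted,3
2024-03-12 08:06:20,Oscar,CARD-1007,Server Room,Granted,2
2024-03-13 02:14:40,Trent,CARD-1008,Server Room,Granted,2
"""
# Constructed motion-sensor events: timestamp,zone. The first follows Trent's badge; the second follows nothing.
MOTION_EVENTS = ["2024-03-13 02:14:55,Server Room", "2024-03-13 03:40:10,Server Room"]


@dataclass(frozen=True)
class Event:
    ts: datetime
    employee: str
    card: str
    door: str
    result: str
    duration: int


@dataclass(frozen=True)
class Finding:
    rule: str
    ts: datetime
    subject: str
    detail: str


def parse_access_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, emp, card, door, result, dur = line.split(",")
        events.append(Event(datetime.strptime(ts, TS_FMT), emp, card, door, result, int(dur)))
    return sorted(events, key=lambda e: e.ts)


def hold_threshold(events):
    """Baseline-aware limit: the larger of the absolute ceiling and a multiple of the median granted duration."""
    granted = [e.duration for e in events if e.result == "Granted"]
    return max(MAX_HOLD_SECONDS, HOLD_MULTIPLIER * statistics.median(granted)) if granted else MAX_HOLD_SECONDS


def find_long_holds(events):
    limit = hold_threshold(events)
    return [Finding("long_hold", e.ts, e.employee, f"{e.door} held open {e.duration}s (limit {limit:g}s): possible tailgating")
            for e in events if e.result == "Granted" and e.duration > limit]


def find_denial_bursts(events):
    """Per card: DENIAL_BURST or more denials inside DENIAL_WINDOW, then a grant, suggests a stolen or guessed card."""
    findings, by_card = [], defaultdict(list)
    for e in events:
        by_card[e.card].append(e)
    for card, evs in by_card.items():
        denials = []
        for e in evs:
            if e.result == "Denied":
                denials.append(e.ts)
                continue
            burst = [t for t in denials if e.ts - t <= DENIAL_WINDOW]
            if e.result == "Granted" and len(burst) >= DENIAL_BURST:
                findings.append(Finding("denial_burst", e.ts, e.employee, f"{card}: {len(burst)} denials then grant at {e.door}"))
            denials = []
    return findings


def find_after_hours(events, sensitive_doors):
    start, end = BUSINESS_HOURS
    return [Finding("after_hours", e.ts, e.employee, f"{e.door} entered at {e.ts:%H:%M}, outside business hours")
            for e in events if e.result == "Granted" and e.door in sensitive_doors and not (start <= e.ts.hour < end)]


def find_unbadged_motion(events, motion_lines):
    """Motion with no badge grant at that door in the preceding MOTION_GRACE: nobody should be there, check the camera."""
    findings = []
    for line in motion_lines:
        ts_s, door = line.split(",")
        ts = datetime.strptime(ts_s, TS_FMT)
        explained = any(e.door == door and e.result == "Granted" and ts - MOTION_GRACE <= e.ts <= ts for e in events)
        if not explained:
            findings.append(Finding("unbadged_motion", ts, door, "motion with no badge grant in the preceding window: verify on camera"))
    return findings


def analyze(access_text, motion_lines, sensitive_doors=("Server Room",)):
    events = parse_access_log(access_text)
    findings = (find_long_holds(events) + find_denial_bursts(events)
                + find_after_hours(events, sensitive_doors) + find_unbadged_motion(events, motion_lines))
    return sorted(findings, key=lambda f: f.ts)


if __name__ == "__main__":
    for f in analyze(ACCESS_LOG, MOTION_EVENTS):
        print(f"{f.ts} [{f.rule}] {f.subject}: {f.detail}")
```

Run against the sample, it flags Eve's 20-second hold (the median granted duration is 2 seconds, so the limit stays at the 10-second ceiling), Mallory's three denials followed by a grant ten seconds later, Trent's 02:14 entry to the server room, and the 03:40 motion event that no badge grant explains; the 02:14:55 motion event is attributed to Trent's badge fifteen seconds earlier and is not flagged on its own. The duration rule is tied to the observed median rather than a fixed number so the same code does not misfire on a loading-dock door where 15 seconds is normal.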
Further Reading & Resources
- IFSEC Global: The basics of video surveillance systems
- Security Magazine: The role of the security guard in the 21st century
- Axis Communications: How motion detection works
- SANS Institute: An Overview of Physical Security