Chapter 44 Β· Helper 1

Glossary

Key terms for physical attacks β€” brute force entry, RFID cloning, environmental attacks, and the physical access controls designed to counter them.

Physical Attack
A security attack that involves direct physical interaction with hardware, facilities, or supporting infrastructure rather than exploiting software vulnerabilities or network access. Physical attacks bypass digital defenses by circumventing the assumption that the attacker is remote. An attacker with physical access to a server can take full control of it β€” booting from external media, removing drives, resetting OS authentication β€” regardless of how hardened the operating system is.
Physical Brute Force
A physical attack that overcomes a security barrier through direct force rather than technical bypass or credential theft. Examples: forcing a door open, breaking a window, levering a door frame, removing hinges from an outward-opening door. Physical brute force targets the weakest point in the physical perimeter β€” which may be the wall, window, or frame beside the secured door rather than the lock itself. Testing physical security requires actually attempting forced entry simulations, not just inspecting locks.
RFID (Radio Frequency Identification)
A wireless technology that uses radio waves to transmit a unique identifier from a tag (embedded in a card, badge, or key fob) to a compatible reader. Widely used in physical access control systems β€” an RFID badge is held near a reader to unlock a door. RFID readers and tags communicate wirelessly; the tag cannot distinguish between an authorized reader (the door lock) and an unauthorized one (an attacker's cloning device). This wireless nature is the fundamental vulnerability exploited by RFID cloning attacks.
RFID Cloning
An attack in which a device reads the data broadcast by a legitimate RFID access badge and copies it to a blank card, creating a functional duplicate. RFID cloning devices are commercially available for under $50 and clone a badge in seconds. The attack is invisible to the victim β€” the badge stays in their pocket or on their lanyard; they experience nothing. The cloned card grants identical access to every door the original badge unlocks. There is no log entry, no alarm, and no detection unless MFA is required.
Access Badge / Key Fob
Physical credentials used in RFID-based access control systems. An access badge (card-format) or key fob (compact device) contains an RFID transponder that broadcasts a unique identifier when within range of a compatible reader. They are the "something you have" factor in physical access control. Because they can be cloned or stolen, they should be combined with a second factor (PIN, biometric) for secure access control. Loss of a badge should trigger immediate deactivation in the access control system.
Multi-Factor Authentication (MFA) for Physical Access
Physical access control that requires more than one factor to authenticate entry. An access reader requiring both a badge (something you have) and a PIN (something you know), or a badge and a fingerprint scan (something you are), cannot be defeated by a cloned badge alone. MFA is the primary defense against RFID cloning: the attacker may duplicate the card, but cannot produce the PIN or biometrics needed to complete the authentication. Physical access MFA commonly uses keypad readers, biometric scanners, or mobile authenticators alongside the RFID card.
Environmental Attack
A physical attack that targets the environmental systems supporting IT infrastructure rather than the computers themselves. Environmental attacks exploit the dependency of data centers on stable power, controlled temperature, appropriate humidity, and functional fire suppression. By disrupting any of these conditions, an attacker can take down systems without ever bypassing server room access controls. Environmental targets are often secured at a lower standard than the server room because organizations focus security investment on the obvious target (servers) rather than the supporting infrastructure.
Power Attack (Environmental)
An environmental attack targeting the electrical infrastructure supporting a data center. Interrupting power by sabotaging the electrical distribution panel, cutting feeds, or manipulating power systems causes an immediate system outage. Electrical panels are often located in utility rooms with lower physical security than the server room. Uninterruptible Power Supplies (UPS) and backup generators provide resilience against accidental outages but may also be targeted directly. Monitoring power infrastructure access is a critical component of data center physical security.
HVAC (Heating, Ventilation, and Air Conditioning)
The environmental control systems that maintain proper temperature and airflow in facilities. For data centers, HVAC is critical: servers generate intense heat and require continuous cooling to operate. Without adequate cooling, servers reach thermal protection thresholds and begin throttling, then shutting down automatically. An attacker who disrupts HVAC β€” by disabling cooling systems, manipulating thermostat settings, or physically damaging HVAC equipment β€” can cause a data center shutdown without touching a single server. HVAC management systems are frequently networked, creating both physical and network-layer attack surfaces.
Humidity Control
The management of moisture levels in the air within a data center or equipment room. Excess humidity causes condensation on circuit boards, leading to short circuits and corrosion. Insufficient humidity creates conditions for electrostatic discharge (ESD), which can instantly damage sensitive electronic components. Both extremes are hardware risks. Environmental monitoring should track humidity alongside temperature, and alerts should trigger when readings deviate from the acceptable range before hardware damage occurs.
Electrostatic Discharge (ESD)
The sudden transfer of static electricity between objects at different electrical potentials β€” for example, a person who has built up a static charge walking across a dry floor and touching a server chassis. ESD can instantly destroy sensitive semiconductor components inside servers, switches, and storage devices. Low-humidity environments increase ESD risk. Data center floors often use anti-static materials, and personnel handling hardware wear ESD wrist straps grounded to equipment racks. Humidity control that maintains approximately 40–60% relative humidity significantly reduces ESD risk.
Fire Suppression System
Safety infrastructure designed to detect and respond to fire in a facility. Data centers typically use gaseous suppression agents (inert gases such as argon or nitrogen, or chemical agents) rather than water sprinklers, because water destroys electronic equipment. Fire suppression systems can be triggered manually (pull handles), automatically by smoke/heat detectors, or through the suppression control system. An attacker who triggers the suppression system β€” by creating false smoke, pulling a manual handle, or compromising the control system β€” causes a data center shutdown without physical access to any server. Accessing and triggering fire suppression is a denial-of-service vector.
Man-Trap (Entry Control Vestibule)
A physical access control mechanism using two sequential locked doors: the first door must be authenticated and closed before the second door can be opened. Man-traps prevent tailgating (piggybacking through a door on someone else's access) and ensure that each person entering a secured area is individually authenticated. The space between the two doors is monitored β€” usually with cameras and weight sensors. Man-traps are common at data center entrances because they eliminate the most common bypass of single-door access control: walking in behind an authorized person.
Tailgating / Piggybacking
A physical access attack in which an unauthorized person gains entry to a secured area by following closely behind an authorized person as they open a door, before the door closes. Tailgating exploits social norms (holding a door open for someone) and the hesitation of authorized employees to confront or question someone behind them. Defenses include man-traps, turnstiles, security awareness training (employees should challenge anyone without a visible badge), and security guards at entry points. Tailgating is distinct from RFID cloning β€” it requires physical co-location at the moment of entry.