Security Laboratory: IT Managers - Safety Series
This series of papers discusses the IT Manager's complex roles in establishing workplace and enterprise security.
Other Related Articles in Security Laboratory: IT Managers - Safety Series
Peter Giannoulis and Stephen Northcutt
Physical security breaches can result in more issues for an organization than a worm attack. Loss of data, temporary loss of availability by shutting systems down, or longer term loss of availability by bomb or arson are all things to consider when implementing physical security. This is a survey article, for more in-depth information please consult the references, they are in the order they are used.
With the advent of easily concealable USB drives, or iPods for that matter, the issue of physical security is becoming more important than it was in the past. "Pod Slurping" is a significant threat to data. If you query a search engine for "steal data USB" you will find a number of approaches.
The protection of laptops and desktops is often overlooked; laptops in particular. According to Statistica, laptop usage compared to desktop has been increasing since 2010 and their 2019 projection is 121 million desktops compared to 170.4 million laptops. They also project tablet use to continue to decrease after the tablets will replace PCs hysteria of 2013 when more tablets were sold than laptops. Not only are these mobile devices subject to theft, but Android, Windows and Mac also have the ability so synchronize files across all devices: PC, laptop, tablet, smartphone. If one of them is lost, it is a potential portal into all of them.
Physical Security Protection
Depending on the organization physical security countermeasures will vary. A government agency such as the Department of Defense may have armed guards at the door of the building. Many organizations are not in the position of breaching national security so armed guards are not a necessity. In many cases a receptionist greets any new visitors and makes the appropriate arrangements for an on-site visit. Let's review some physical security countermeasures for the server room, as well as laptops and desktops.
Server Room Protection
- Access Control Cards - These are tied to a specific user and must be swiped in order to gain access. The downside is that they can be stolen and used without authorization and they are really expensive to implement.
- Biometrics - Uses a physical characteristic such as a fingerprint or retina to identify a user. Due to the cost of implementing this solution, as well as employee privacy issues, biometrics has not been widely accepted yet.
- User Awareness - User awareness is by far the most important aspect to security. Programs like Securing The Human are becoming as crucial as anti-virus.
- User Awareness - Employees need to be made aware that strangers cannot be in the office without an escort. Awareness programs should encourage all employees to confront and ask an unidentified individual if they need any assistance.
- Laptop Locks - These cables are physically connected to the laptop, which are then connected to a desk. A key is required to unlock the cable and, although these cables can be cut, implementing them on easily removable devices such as laptops may deter an attacker from actually making the effort.
- OS Hardening - USB ports for drives and CD-R/DVD-R drives should be disabled on all laptops/desktops so that files cannot be easily copied and stolen by a malicious user wandering around in the office. NOTE: there is still the problem of USB devices that are programmable keyboards.
Rings Approach to Physical Security Defense in Depth
One way to consider an architecture to implement defense in depth is the rings approach to physical security. The rings are:
- Ring 1 - Areas on the perimeter of the business building
- Ring 2 - Immediate area around the business building/environmental (fire, floods, moisture, power)
- Ring 3 - Internal location of the business building
- Ring 4 - Human factors
A similar approach is offered by the Open Security Exchange PSIM. In thinking about physical security controls, there are really four areas to consider: the architecture of the facility, including perimeter boundaries and doors; security operations, including security policies, procedures and incident response guidelines; personnel, including monitoring and access control; and electronic devices, including sensors, turnstiles, surveillance systems and strong authentication technologies.
Without strong physical security an organization can spend thousands of dollars on anti-virus, firewalls, and intrusion prevention systems only to have confidential data stolen by a careless error. Protect your critical infrastructure. When physical security fails the only protection we have left is encryption.
References: all links active as of 12/22/15