- Security Laboratory: IT Managers - Safety Series
This series of papers discusses the IT Manager's complex roles in establishing workplace and enterprise security.
Physical Security
January 25th, 2007
By Peter Giannoulis and Stephen Northcutt
Summary: Physical access control is just as important to your information security architecture as password policies and firewalls. Protecting your critical infrastructure with physical security can be a daunting task.
Physical security breaches can result in more issues for an organization than a worm attack. Loss of data, temporary loss of availability by shutting systems down, or longer term loss of availability by bomb or arson are all things to consider when implementing physical security.
With the advent of easily concealable USB drives, or iPods for that matter, the issue of physical security is becoming more important than it was in the past. “Pod Slurping” is becoming the newest threat to data. An iPod could be pre-configured to launch a program called sleep.exe when it's inserted into a system. Sleep.exe will begin copying files from a system at alarming speeds; roughly 100MB of data can be copied in one minute.[1]
The protection of laptops and desktops is often overlooked, laptops in particular. According to a 2004 study, laptops accounted for roughly 29% of user devices in the United States, and IDC predicts that this share will increase to 50% by the end of 2008.[2] What's to stop a malicious individual from grabbing a few laptops and walking out of your office while your users are out to lunch? These sorts of attacks happen all of the time. Fortunately for some, laptops are cheaper nowadays and easy to replace, but the data that resides on them may not be, as Emory Healthcare discovered. Emory Healthcare hired a consulting firm to provide services for them, and one of Emory Healthcare's laptops was stolen from the consulting firm's office. Over 38,000 patient records were compromised.[3]
Physical Security Protection
Physical security countermeasures will vary depending on the organization. A government agency such as the Department of Defense may have armed guards at the door of the building. Many organizations are not in a position where a breach would affect national security, so armed guards are not a necessity. In many cases a receptionist greets any new visitors and makes the appropriate arrangements for an on-site visit. Let's review some physical security countermeasures for the server room, as well as for laptops and desktops.
Server Room Protection
- Access Control Cards - These are tied to a specific user and must be swiped in order to gain access. The downside is that they can be stolen and used without authorization and they are really expensive to implement.[4]
- Biometrics - Uses a physical characteristic such as a fingerprint or retina to identify a user.[5] Due to the cost of implementing this solution, as well as employee privacy issues, biometrics has not been widely accepted yet.
- User Awareness - User awareness is by far the most important aspect to security. The Kingston City Council discovered this when they hired a consultant to perform a social engineering test on their users. The consultant gained access to the server room by simply telling the users that he was sent to service the UPS.[6]
Laptop/Desktop Protection
- User Awareness - Employees need to be made aware that strangers cannot be in the office without an escort. Awareness programs should encourage all employees to confront and ask an unidentified individual if they need any assistance.
- Laptop Locks - These cables attach to the laptop and are then anchored to a desk. A key is required to unlock the cable and, although the cables can be cut, fitting them to easily removable devices such as laptops may deter an attacker from actually making the effort.[7]
- OS Hardening - USB ports and CD-R/DVD-R drives should be disabled on all laptops/desktops so that files cannot be easily copied and stolen by a malicious user wandering around the office.[8]
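The OS hardening item above, as an added PowerShell example that is not from the article: it audits, and with -Enforce applies, the two standard Windows controls for removable media (disabling the USBSTOR mass-storage driver and setting the Removable Storage Access policy values for the disk and CD/DVD device classes). It assumes an elevated PowerShell session on a locally managed host; the registry paths and class GUIDs are the documented Windows ones.

```powershell
# Added example (not from the article): audit and optionally enforce a
# no-removable-media baseline on a Windows laptop or desktop.
# Assumes an elevated PowerShell session. Without -Enforce it only reports.
[CmdletBinding()]
param([switch]$Enforce)

# Start=4 disables the USB mass-storage driver (3 is the default, load on demand).
# Keyboards, mice and network adapters do not use USBSTOR and keep working.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# "Removable Storage Access" policy: one subkey per device class GUID.
# Portable devices (MTP phones, cameras) are a separate class, not covered here.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$classes = @{
    'Removable disks' = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-RemovableMediaState {
    # Returns one object with a boolean per control so it can be piped or exported.
    $start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start
    $state = [ordered]@{ 'USBSTOR driver disabled' = ($start -eq 4) }
    foreach ($name in $classes.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $policyRoot $classes[$name]) -ErrorAction SilentlyContinue
        $state["$name read denied"]  = ($props.Deny_Read  -eq 1)
        $state["$name write denied"] = ($props.Deny_Write -eq 1)
    }
    return [pscustomobject]$state
}

function Set-RemovableMediaBaseline {
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    foreach ($guid in $classes.Values) {
        $key = Join-Path $policyRoot $guid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Deny_Read  -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name Deny_Write -Value 1 -Type DWord
    }
}

Write-Host 'Removable media controls (current):'
Get-RemovableMediaState | Format-List
if ($Enforce) {
    Set-RemovableMediaBaseline
    Write-Host 'Removable media controls (after enforcement):'
    Get-RemovableMediaState | Format-List
    # USBSTOR Start applies to newly attached devices and the policy values are
    # read on the next device arrival; a reboot makes both take effect unambiguously.
}
```

A device already mounted when the values change stays usable until it is unplugged, so run the audit again after a reboot. On a domain-joined host a Group Policy object for Removable Storage Access overwrites these local policy values at the next refresh, so the setting belongs in the GPO there.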
Rings Approach to Physical Security Defense in Depth
One way to consider an architecture to implement defense in depth is the rings approach to physical security.[9] The rings are:
- Ring 1 - Areas on the perimeter of the business building
- Ring 2 - Immediate area around the business building/environmental (fire, floods, moisture, power)
- Ring 3 - Internal location of the business building
- Ring 4 - Human factors
A similar approach is offered by the Open Security Exchange. In thinking about physical security controls, there are really four areas to consider: the architecture of the facility, including perimeter boundaries and doors; security operations, including security policies, procedures and incident response guidelines; personnel, including monitoring and access control; and electronic devices, including sensors, turnstiles, surveillance systems and strong authentication technologies.[10]
Summary
Without strong physical security an organization can spend thousands of dollars on anti-virus, firewalls, and intrusion prevention systems only to have confidential data stolen by a careless error. Protect your critical infrastructure. When physical security fails the only protection we have left is encryption.
Peter Giannoulis, GSEC, GCIH, GCIA, CISSP, is an information security consultant in Toronto, Ontario, Canada, as well as a Technical Director for the GIAC family of certifications.
1. http://www.sharp-ideas.net/pod_slurping.php
2. http://www.csoonline.com/read/070104/laptop.html
3. http://www.consumeraffairs.com/news04/2007/01/emory_laptop.html
4. http://articles.techrepublic.com.com/5100-22_11-1041309-2.html
5. http://www.sans.org/reading_room/whitepapers/physcial/1325.php?portal=177b7b889ec1154293b227573c96f5d0
6. http://seclists.org/isn/2006/Oct/0105.html
7. http://www.tryten.com/products/Laptop-Lock.htm
8. http://www.technibble.com/physical-security-considerations-data-extraction/
9. http://www.sans.org/reading_room/whitepapers/physcial/1447.php
10. http://www.hurwitz.com/index.php?option=com_content&task=view&id=181&Itemid=68