Physical Defenses

Physical defenses are often overlooked in information security practices. Since a physical room is surrounded by four walls, somehow the security of it is not at the forefront of our minds. No one can walk out of the Internet and physically unplug a system, so organizations that are perimeter-focused often never address their physical security vulnerabilities. Physical threats, however, can have the most drastic effect on an organization. Let's take a look at some physical threats and how the rules apply to them:

Casual Damage

One place where I commonly see physical defenses failing is in the casual, everyday damage that occurs in an unsecured physical environment. Tripping over power plugs, dropping devices, overheating components, condensation, and other casual threats cause an incredible amount of damage to organizations every day. I have seen several organizations come to a screeching halt because someone tripped over a power plug, moved the wrong cable, or flipped the wrong breaker.

Physical Attacks

Physical attacks occur when a hacker penetrates physical defenses to attack a server, device, network, or other object. Most physical attacks come from individuals who already have access to the premises, including employees and consultants. The problem with physical attacks is that most security devices fail when a hacker is able to physically access them. Secured routers will often allow administrative privileges by simply interrupting the boot process; servers can often be booted off a removable boot disk to gain access; networks can be accessed by adding or rearranging some of the wires; and physical objects are subject to theft. With modern components becoming smaller and lighter, physically removing devices from the premises is becoming easier and easier.

A successful physical attack can have immediate and dramatic impacts on an organization. A server that is exploited over the network may take several minutes to bring down; meanwhile, administrators have a chance to discover the attack. A physical attack, however, can immediately affect a device without warning.

Natural Disasters

While events like fires, floods, earthquakes, and the like are more rare, they do have the power to utterly devastate an organization beyond repair. Many companies have been driven out of business when they were caught unprepared in the face of disaster.

Physical Rules

An organization's physical security practices should include each of the eight rules of security. Throughout most of this book, I have addressed the rules in terms of networking and system defenses, though each rule also applies to physical security. It would be a good idea to glance back at the rules and consider each in terms of physical security practices. Here are some of the most important rules and concepts when dealing with physical security defenses:

Rule of Least Privilege

Objects within an organization should be stored in secure areas where the Rule of Least Privilege can be enforced. Access into these areas should only be granted to those who require such access to perform their duties and who are capable of handling such access properly. This includes access to server rooms, wiring closets, utility boxes, and other sensitive areas. Physical security should include some form of access control mechanism such as a key-lock or combination device. The length to which an organization goes to protect an area should relate to the risks of the objects inside (as derived from the risk assessment process). A standard key-lock mechanism will suffice for some areas, whereas magnetic cards or biometrics may be required for others.

Layering Security

Security should start at the entrance to the property and become more and more restrictive as sensitive areas are approached. When applicable, gates and proximity security devices should be installed around the premises, thus creating an external chokepoint. If possible, access into the building should only be granted to those requiring access, for example, employees, customers, and vendors. Access beyond the common area should be limited strictly to employees and those escorted by employees. Finally, access to a server room should be limited to employees with special access privileges. A final layer of defense will often include locking cabinets for protecting groups of servers and devices. An attacker should have to go through several unauthorized areas before gaining access to a sensitive one.

Layering should also be practiced within other forms of defense. Sensitive devices, for example, could be on personal UPSs, even when the entire room in which they reside is on its own alternate power source. When cameras are used, one camera should be watching the hallway or door while a separate camera monitors the internal area.
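The Rule of Least Privilege and the layering described above can be expressed as a small access model. This is an added illustration, not code from the book: zone names, the escort rule for non-employees, and the sample people are assumptions made for the example.

```python
"""Layered physical access check (added illustration, not from the book).

Zones nest from the property line inward. Reaching a zone requires its own
grant for every enclosing layer (least privilege, one layer at a time), and a
non-employee may only pass beyond the common area when escorted by an employee
who is authorized for that layer. Zone names and roles are assumptions.
"""
from dataclasses import dataclass, field

# Outermost to innermost, following the chapter's layering (names constructed).
ZONES = ["property", "building", "office", "server_room", "cabinet"]
COMMON_AREA = "building"   # beyond this point, escort rules apply to visitors


@dataclass
class Person:
    name: str
    employee: bool
    grants: set = field(default_factory=set)   # zones explicitly granted


def path_to(zone):
    """Every layer that must be crossed to reach `zone`, outermost first."""
    return ZONES[: ZONES.index(zone) + 1]


def may_enter(person, zone, escort=None):
    """Return (allowed, reason) for `person` reaching `zone`.

    Each layer is checked separately, so a grant for an inner zone never
    implies a grant for the layers around it. A visitor without a grant for an
    inner layer is admitted only if an employee escort is authorized for it.
    """
    for layer in path_to(zone):
        if layer in person.grants:
            continue
        inner = ZONES.index(layer) > ZONES.index(COMMON_AREA)
        escorted = (
            inner and not person.employee and escort is not None
            and escort.employee and may_enter(escort, layer)[0]
        )
        if escorted:
            continue   # escorted through this layer by an authorized employee
        return False, f"{person.name} has no grant for {layer}"
    return True, "ok"
```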

Rule of Separation

In accordance with the Rule of Separation, objects with different security needs and different physical vulnerabilities should be isolated from others. The simplest example of this is the organization that places the employee copy machine in the same room as sensitive servers and routers. Individuals who enter the room to make copies should not be granted physical access to the sensitive equipment. This also increases general foot traffic and the potential of someone tripping over a wire or causing other forms of casual damage.

When planning or auditing any physical area, be sure to consider the following questions:

  • Who are the individuals that will need access to objects within the area?

  • What is the highest risk level of the objects within the area?

  • Of the people accessing the room, how many need access to the highest risk objects?

  • Of the people accessing the room, how many are trusted to be around the highest risk objects?

When we find ourselves in a situation where numerous individuals access a room and have no need to access the higher risk objects within the room, it may be a good indication that some objects should be moved or have their own lockable spaces within the room.

Rule of Preventative Action

It is important for organizations to take a proactive stance when working with physical security. Physical issues tend to occur without warning, and with sudden and merciless results. If we do not install a UPS before a power outage, there is no doubt that our devices will lose power.

  • Put objects in racks. An object of any importance should be mounted in a rack or some other dedicated container. If objects must be placed on the floor, a table, or a shelf, make sure that the platform is steady, that cables can be properly secured, and that there is adequate ventilation and protection from dust and static. Racks and other containers should be secured to the floor to prevent them from tipping over.

  • Organize and secure cables. Cables should be organized and labeled. Misplaced cables can have a profound effect on security. During an emergency, a cable may need to be moved, in which case tracing the cable's end-points will waste precious time or result in the wrong cable being moved. Furthermore, cables should be secured and removed from plain sight. They should preferably be tucked away in the ceiling, under the floor, or alongside a rack to avoid accidental tripping, pulling, or excessive wear and tear.

  • Install fire prevention. Fires in server rooms are tricky issues since spraying water on electronic components will usually do about as much damage as the fire itself. Areas where devices are stored, including server rooms and wiring closets, should incorporate some form of waterless fire protection, preferably incorporated during the original construction of the area. FM-200 extinguishers, for example, should be available in the event of a fire.

Rule of Immediate and Proper Response

Managing proper physical security normally involves a substantial amount of planning. If a fire breaks out, we don't want to be caught running around trying to figure out what to do. Nor do we want to be left wondering who is supposed to respond when the alarm goes off at 2:00 a.m.

Plans for response to physical events need to co-exist with other physical plans, such as evacuation and site recovery. It is important that these plans be made part of a larger incident response plan for the organization. Your organization probably already has a course of action for fires and burglaries; this is the perfect place to add an information security plan. Here are some common plans that should include actions concerning information security response:

  • Natural disaster plans such as fire, tornado, earthquake, and flood

  • Plans for extended power outages

  • Plans for unauthorized access and physical alarm response

  • Plans for disaster recovery and relocation

Training Employees

Employees are the greatest allies we can have when physically securing an organization. With proper training, employees are much more likely to witness unauthorized activities than the security staff. It is important that the employees feel confident in their understanding of what is authorized and what is not. The environment should promote the idea of questioning suspicious people and activities. Employees should be inspired to perform such actions, and to not take offense if they themselves are questioned. In general, it is much more difficult to physically infiltrate an area or perform unauthorized physical activities if local employees are properly trained.

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day