Going On Site
Local hackers will often take a field trip to their target's facility. They may appear in a tour of the facilities, or
late hours going through
, or walk right in. Hackers have skirted physical security through a variety of guises. They have impersonated delivery people, telephone workmen, and office equipment repairmen: "I'll have to take this computer into the shop." A hacker news
has even given information on how to get a job as a janitor so the hacker can get uninterrupted,
access to an entire building.
Today the low price of
, video capture and printers has made it affordable for any hacker to produce very convincing company IDs. Quite often companies use PCs and software that are easily affordable to the public to create their official IDs, so common identifiers may be too common. An ID on someone who acts as if he belongs is not enough to be certain that he does belong.
Every day there are people in your physical building who are not your employees. You often don't know who they are or if they should be there. Companies have planted people with
to gather information, as in this example:
The growth of wireless technology, in both commercial and personal networks, has opened new avenues of attack. These are often installed without consideration of where the signals may be going. Hackers with a laptop computer and a wireless network interface can drive down the street and find unsecured wireless networks. They can use these networks to sniff data or to get unauthorized access. Many hackers are just looking for free Internet access, but if the wireless network is an internal network, your company could well be exposed.
It has been a well-documented fact that armed with a wireless-equipped laptop and antenna, hackers have no shortage of victims around London. But security firm I-sec recently demonstrated that using an empty Pringles tube as an antenna could boost the hacker's chance of picking up a wireless signal by as much as 15 per cent. Apparently the hollow tube shape combined with a tinfoil
makes the empty crisps tin ideal for
During a half-
drive around the
of London, almost 60 wireless networks were picked up. Around 40 of these had no security; a hacker would be able to use the company's bandwidth any way he
, as well as browse the internal network. According to I-sec, the face of the Pringle man might not be the only household item in a hacker's arsenal. Objects from coffee tins to old satellite dishes have also been used to pick up wireless signals.
Middleton, James, "Pringles: The Latest Hacker Tool," vnunet.com, 8 March 2002.
Dumpster diving is the name given to scrounging through the trash, since it often requires diving into a trash dumpster. A great wealth of information is thrown away by many organizations. This information can be in the form of computer printouts that may contain sensitive information; used carbon printer ribbons that can be unwound so that everything printed can be read; used media that can still be read even if all the data were deleted or the disks reformatted; and computer manuals that not only contain information about the system but also quite often contain notes written in the margins by the users of these manuals. This information can be about the systems that are being used, proprietary or confidential information that was disposed of improperly, or even passwords written in the margins of those manuals.
This information is thrown away because people don't think of the consequences. Sometimes when a person quits or is transferred, all the material that was in his or her office is sent to the trash. In many cases, no one reviewed the material to see if it contained any confidential information.
You need to create an appropriate disposal policy. This policy should address all aspects of data disposal and should be part of a data handling policy that also covers data classification, access, storage, backup, and removal. It will define where data of specific classifications can be stored, and how the media, whether removable media, disk, or tape, are to be labeled, handled, and disposed of. These procedures will vary depending on the classification or sensitivity of the data. Information classification and handling procedures are important regardless of the format of the information. They should apply uniformly, whether the information is on a computer, printed on paper, or on a marker board or drafting table. A marker board in an executive boardroom is no less susceptible to compromise than a piece of paper on a secretary's desk.
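The claim above that deleted or reformatted media can still be read, and the overwrite-before-disposal handling a disposal policy has to require, illustrated with an added simulation that is not from the book: a toy disk whose delete and quick format only discard the file table, so a raw-sector scan of the discarded drive still finds the contents until every block has been overwritten. The class, method names and the sample "password" are constructed for this example.

```python
# Added simulation (not from the book): a toy disk showing why ordinary
# delete and quick format leave data recoverable and why a disposal
# policy must require overwriting media. Names and data are constructed.
import os

BLOCK_SIZE, NUM_BLOCKS = 16, 8


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # the platter
        self.table = {}  # filename -> block indexes (toy allocation table)

    def write(self, name, data):
        need = -(-len(data) // BLOCK_SIZE)  # blocks needed, rounded up
        used = {b for blocks in self.table.values() for b in blocks}
        free = [i for i in range(NUM_BLOCKS) if i not in used]
        if need > len(free):
            raise OSError("disk full")
        for n, b in enumerate(free[:need]):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = free[:need]

    def delete(self, name):
        del self.table[name]  # ordinary delete: only the entry goes, blocks stay

    def reformat(self):
        self.table = {}  # quick format: new empty table, data area untouched

    def sanitize(self):
        # Disposal step: overwrite every block (random, ones, zeros) and
        # clear the table; only this makes the old contents unrecoverable.
        for fill in (os.urandom(len(self.raw)), b"\xff" * len(self.raw), bytes(len(self.raw))):
            self.raw[:] = fill
        self.table = {}

    def carve(self, needle):
        # Raw-sector scan that ignores the file table: what a scavenger
        # does with a discarded drive.
        return needle in bytes(self.raw)

def demo():
    disk = ToyDisk()
    disk.write("notes.txt", b"root password: hunter2 (CONSTRUCTED)")
    disk.delete("notes.txt")
    after_delete = disk.carve(b"hunter2")
    disk.reformat()
    after_format = disk.carve(b"hunter2")
    disk.sanitize()
    after_wipe = disk.carve(b"hunter2")
    return after_delete, after_format, after_wipe  # (True, True, False)
```

Writing a new file over the freed blocks is the only other thing that removes the old data, and a scavenger cannot be relied on to wait for that.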
Information exists in most offices in physical forms. This information is often left lying around on desks, or unlocked in file cabinets. Clean desk policies exist to solve this problem, not simply to have clean desks. Whiteboards containing business plans and meeting notes are often left for the cleaning crew to erase. Company information decorates the walls of cubicles. In the open office environment used by many companies, oral communications, including telephone conversations, can be easily overheard.
With the greater distribution of information, physical security becomes even more important. When all the computers and information were in the data center, physical security was easy: It was localized. Now there is sensitive information on departmental servers and PCs on everyone's desktops and information is walking around inside laptop computers. So physical security and security control are much more complicated.
Computers must be secured from both access and theft. A survey found that most of the laptop computers stolen in airports were not random thefts, but were stolen for the information they contained. Almost any security measure can be defeated if the hacker can get physical access to the computer system.