Maximum Mac OS X Security - page 16

Chapter 2. Thinking Secure: Security Philosophy and Physical Concerns

IN THIS CHAPTER

• Physical System Vulnerabilities

• Server Location and Physical Access

• Server and Facility Location

• Physical Access to the Facility

• Computer Use Policies

• Physical Security Devices

• Network Considerations

Although this book concentrates primarily on security issues at a software level, physical security is still an important issue, especially if you have or will have a publicly accessible computer or network. Publicly accessible machines are just as prone ”or perhaps even more prone ”to physical attack than they are to remote attacks. This chapter addresses issues involving machine location and physical access, physical security devices, physical network considerations, and network hardware. These issues primarily apply to administrators attempting to secure one or more machines as a job function.

Physical security issues also frequently compound network security threats. Network security often uses unique machine identifiers as partial security credentials. This works well if it forces an attacker to try to fake a valid machine's identifying characteristics. Unfortunately, it often tempts the attacker to simply steal a valid machine from which to launch his attacks. No application of encryption, virtual private networks (VPNs), or one-time-password tokens can protect your network against illegitimate access by the guy who's just nabbed your CEO's laptop off the carry-on rack on the plane. According to Kensington (http://www.kensington.com/html/1355.html), 57% of network security breaches occur through stolen computers, so it only makes sense to take physical security at least as seriously as you take network security.

If you're interested in the security of only your own Macintosh, much of this will be of only cursory interest to you. Keep in mind, however, that Unix administrators are fairly well paid, and that there aren't going to be many people out there capable of doing the job of administrating a Mac OS X system. A world of Linux security experts cut their teeth banging on Linux boxes in their basements, and Apple has just created the opportunity for a world of OS X security experts to find their place in the workplace as well. If you've the inclination, the clever ideas you bring from thinking about issues like these just might land you a place in that market.

In addition to securing your system against people breaking it, walking off with bits of it, or blocking you from using it through physical or electronic means, it's important to address an additional security issue: the issue of "social" security problems. Users are human beings, and despite the best algorithmic protection, and the best physical barriers, if your system has users other than yourself, they will find ways to reduce the utility of your system purely through poor behavior. Unless you encourage them to do otherwise , and have policies in place to prevent them from becoming disruptive, "poor behavior" can have a significant impact on the usability of your system. Although no written policy can prevent users from behaving badly , the lack of a written policy can prevent you from acting to stop it when it happens.

In general, you will find most of the discussion in this chapter to really be a matter of common sense, but there are a lot of issues to think about, and remembering to think about them all without a list requires uncommon persistence. We strongly encourage you to consider the issues discussed here and try to put yourself in the mind of a mischievous or malicious individual. Consider your facility, and how you would go about trying to access data, disrupt use, or otherwise make inappropriate use of your hardware. What's the most disruptive thing you can think of doing to your system? If you can think of it, so can someone else who wants to cause trouble for you. The level to which these possible avenues of attack should be of concern to you will be entirely dictated by your individual situation and the needs of your system. Consider the discussion here as raw material from which to make a plan that fits your own unique needs.