2.3 Physical Countermeasures



Physical countermeasures make up an almost entirely distinct discipline in information security, but we can offer some high-level recommendations to consider when defending your own network.

When discussing common technical countermeasures, we are often concerned with defending our network perimeter against a packet-based attack. That is, there are some "bad" packets outside our network that we want to make sure cannot get in. We typically use a firewall to stop these bad packets. Physical security commonly takes the same approach, but instead of dealing with packets, it keeps "bad" people or other threats out of our network.

The most common way of doing this is with locks, chains, guards, and cameras. These all fall into the category of perimeter control. Each one of these controls would be valuable in reducing any risk to our information that is related to someone gaining physical access to our resources. Like the technology we use in our network, these countermeasures will not guarantee the security of your facilities, but they will go a long way toward slowing down any intruder.

Beyond these common physical controls, we can also apply physical controls to our network. This means functional areas of our network are separated from each other. The research and development network, for example, may be a physically separate network from our administrative and user networks. This may mean that it is physically distinct, residing on different hubs and switches with access controlled through a firewall, or that it is an actual distinct network complete with its own DMZ and WAN links, each configured to reflect the particular security needs of the research and development network.

Data backups are also considered physical controls. To my chagrin, I will attest that I have seen customers keep their backups sitting on top of their server rack. This will help if the server crashes, but is of little use if a fire should strike. Data backups should be kept off-site, under lock and key, and in a fireproof location. Ensuring the physical integrity of the backups most certainly qualifies as a physical control.

The list of possible physical controls continues. Controlling the work environment so that only employees of a certain department have access to a particular work area would qualify, as would including controls on the user workstations themselves. A common control on the user workstations would be to remove the floppy disk drive and disable the USB ports to prevent users from easily attaching removable media to the devices. A great number of company secrets can slip out the door on a Zip drive securely tucked into a briefcase. Some companies even go so far as to search carryout articles such as duffle bags and briefcases.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
