Physical defenses are often overlooked in information security practices. Since a physical room is surrounded by four walls, its security is somehow not at the forefront of our minds. No one can walk out of the Internet and physically unplug a system, so organizations that are perimeter-focused often never address their physical security vulnerabilities. Physical threats, however, can have the most drastic effect on an organization. Let's take a look at some physical threats and how the rules apply to them:

Casual Damage

One place where I commonly see physical defenses failing is in the casual, everyday damage that occurs in an unsecured physical environment. Tripping over power plugs, dropping devices, overheating components, condensation, and other casual threats cause an incredible amount of damage to organizations every day. I have seen several organizations come to a screeching halt because someone tripped over a power plug, moved the wrong cable, or flipped the wrong breaker.

Physical Attacks

Physical attacks occur when a hacker penetrates physical defenses to attack a server, device, network, or other object. Most physical attacks come from individuals who already have access to the premises, including employees and consultants. The problem with physical attacks is that most security devices fail when a hacker is able to physically access them. Secured routers will often allow administrative privileges by simply interrupting the boot process; servers can often be booted off a removable boot disk to gain access; networks can be accessed by adding or rearranging some of the wires; and physical objects are subject to theft. With modern components becoming smaller and lighter, physically removing devices from the premises is becoming easier and easier. A successful physical attack can have immediate and dramatic impacts on an organization.
A server that is exploited over the network may take several minutes to bring down; meanwhile, administrators have a chance to discover the attack. A physical attack, however, can immediately affect a device without warning.

Natural Disasters

While events like fires, floods, earthquakes, and the like are rarer, they do have the power to utterly devastate an organization beyond repair. Many companies have been driven out of business when they were caught unprepared in the face of disaster.

Physical Rules

An organization's physical security practices should include each of the eight rules of security. Throughout most of this book, I have addressed the rules in terms of networking and system defenses, though each rule also applies to physical security. It would be a good idea to glance back at the rules and consider each in terms of physical security practices. Here are some of the most important rules and concepts when dealing with physical security defenses:

Rule of Least Privilege

Objects within an organization should be stored in secure areas where the Rule of Least Privilege can be enforced. Access into these areas should only be granted to those who require such access to perform their duties and who are capable of handling such access properly. This includes access to server rooms, wiring closets, utility boxes, and other sensitive areas. Physical security should include some form of access control mechanism such as a key-lock or combination device. The length to which an organization goes to protect an area should relate to the risks of the objects inside (as derived from the risk assessment process). A standard key-lock mechanism will suffice for some areas, whereas magnetic cards or biometrics may be required for others.

Layering Security

Security should start at the entrance to the property and become more and more restrictive as sensitive areas are approached.
When applicable, gates and proximity security devices should be installed around the premises, thus creating an external chokepoint. If possible, access into the building should only be granted to those requiring access, for example, employees, customers, and vendors. Access beyond the common area should be limited strictly to employees and those escorted by employees. Finally, access to a server room should be limited to employees with special access privileges. A final layer of defense will often include locking cabinets for protecting groups of servers and devices. An attacker should have to go through several unauthorized areas before gaining access to a sensitive one.

Layering should also be practiced within other forms of defense. Sensitive devices, for example, could be on personal UPSs, even when the entire room in which they reside is on its own alternate power source. When cameras are used, one camera should be watching the hallway or door while a separate camera monitors the internal area.

Rule of Separation

In accordance with the Rule of Separation, objects with different security needs and different physical vulnerabilities should be isolated from others. The simplest example of this is the organization that places the employee copy machine in the same room as sensitive servers and routers. Individuals who enter the room to make copies should not be granted physical access to the sensitive equipment. This also increases general foot traffic and the potential of someone tripping over a wire or causing other forms of casual damage. When planning or auditing any physical area, be sure to consider the following questions:
When we find ourselves in a situation where numerous individuals access a room and have no need to access the higher risk objects within the room, it may be a good indication that some objects should be moved or have their own lockable spaces within the room.

Rule of Preventative Action

It is important for organizations to take a proactive stance when working with physical security. Physical issues tend to occur without warning, and with sudden and merciless results. If we do not install a UPS before a power outage, there is no doubt that our devices will lose power.

Rule of Immediate and Proper Response

Managing proper physical security normally involves a substantial amount of planning. If a fire breaks out, we don't want to be caught running around trying to figure out what to do. Nor do we want to be left wondering who is supposed to respond when the alarm goes off at 2:00 a.m. Plans for response to physical events need to co-exist with other physical plans, such as evacuation and site recovery. It is important that these plans be made part of a larger incident response plan for the organization. Your organization probably already has a course of action for fires and burglaries; this is the perfect place to add an information security plan. Here are some common plans that should include actions concerning information security response:

Training Employees

Employees are the greatest allies we can have when physically securing an organization. With proper training, employees are much more likely to witness unauthorized activities than the security staff. It is important that the employees feel confident in their understanding of what is authorized and what is not. The environment should promote the idea of questioning suspicious people and activities. Employees should be inspired to perform such actions, and to not take offense if they themselves are questioned. In general, it is much more difficult to physically infiltrate an area or perform unauthorized physical activities if local employees are properly trained.