Going On Site


Local hackers will often take a field trip to their target's facility. They may appear on a tour of the facilities, spend late hours going through refuse, or simply walk right in. Hackers have skirted physical security through a variety of guises. They have impersonated delivery people, telephone workmen, and office equipment repairmen: "I'll have to take this computer into the shop." A hacker newsgroup has even given information on how to get a job as a janitor so the hacker can get uninterrupted, unsupervised access to an entire building.

Today the low price of "color technologies" (scanners, video capture, and printers) has made it affordable for any hacker to produce very convincing company IDs. Quite often companies use PCs and software that are easily affordable to the public to create their official IDs, so common identifiers may be too common. An ID on someone who acts as if he belongs is not enough to be certain that he does belong.

Every day there are people in your physical building who are not your employees. You often don't know who they are or whether they should be there. Companies have planted people with competitors to gather information, as in this example:

Drive-by Sniffing

The growth of wireless technology, in both commercial and personal networks, has opened new avenues of attack. These are often installed without consideration of where the signals may be going. Hackers with a laptop computer and a wireless network interface can drive down the street and find unsecured wireless networks. They can use these networks to sniff data or to get unauthorized access. Many hackers are just looking for free Internet access, but if the wireless network is an internal network, your company could well be exposed.

It has been a well documented fact that armed with a wireless-equipped laptop and antenna, hackers have no shortage of victims around London. But security firm I-sec recently demonstrated that using an empty Pringles tube as an antenna could boost the hacker's chance of picking up a wireless signal by as much as 15 per cent. Apparently the hollow tube shape combined with a tinfoil lining makes the empty crisps tin ideal for concentrating a signal.

During a half-hour drive around the centre of London, almost 60 wireless networks were picked up. Around 40 of these had no security: a hacker would be able to use the company's bandwidth any way he liked, as well as browse the internal network. According to I-sec, the face of the Pringle man might not be the only household item in a hacker's arsenal. Objects from coffee tins to old satellite dishes have also been used to pick up wireless signals. [44]

[44] Middleton, James, "Pringles: The Latest Hacker Tool," vnunet.com, 8 March 2002.
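The defender's counterpart to the drive-by described above is a survey of what the building itself radiates. The script below is an added example, not code from the book: it takes a constructed list of observed networks, compares them with an assumed inventory of access points the organization actually installed, and reports three things a practitioner cares about: a corporate SSID served from hardware not in the inventory (a rogue or look-alike AP), an authorized AP running open or WEP, and a strong unknown network that is probably inside the walls. The field names, the inventory, and the -65 dBm "strong signal" threshold are assumptions, not any scanning tool's real format.

```python
"""Triage a wireless site survey from the defender's side.

Added example, not code from the book. The survey records below are
constructed; the field names, the authorized-AP inventory and the
-65 dBm "strong signal" threshold are assumptions, not any tool's format.
"""
from dataclasses import dataclass

# Constructed sample of what a survey of the building might observe.
SURVEY = [
    {"ssid": "ACME-CORP",  "bssid": "00:11:22:33:44:01", "security": "WPA2", "signal_dbm": -48},
    {"ssid": "ACME-CORP",  "bssid": "00:11:22:33:44:02", "security": "WPA2", "signal_dbm": -55},
    {"ssid": "ACME-CORP",  "bssid": "00:11:22:33:44:04", "security": "WEP",  "signal_dbm": -62},
    {"ssid": "ACME-CORP",  "bssid": "DE:AD:BE:EF:00:01", "security": "OPEN", "signal_dbm": -60},
    {"ssid": "ACME-GUEST", "bssid": "00:11:22:33:44:03", "security": "OPEN", "signal_dbm": -52},
    {"ssid": "linksys",    "bssid": "aa:bb:cc:dd:ee:01", "security": "WEP",  "signal_dbm": -58},
    {"ssid": "",           "bssid": "00:11:22:33:44:09", "security": "WPA2", "signal_dbm": -80},
]

# Assumed inventory of access points the organization actually installed.
AUTHORIZED = {
    "ACME-CORP":  {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:04"},
                   "open_allowed": False},
    "ACME-GUEST": {"bssids": {"00:11:22:33:44:03"}, "open_allowed": True},
}

WEAK = {"OPEN", "WEP"}  # no encryption, or encryption that does not hold up


@dataclass(frozen=True)
class Finding:
    kind: str    # "rogue_ap", "weak_security" or "nearby_unknown"
    ssid: str
    bssid: str
    detail: str


def triage(survey, authorized, strong_signal_dbm=-65):
    """Return findings in survey order: corporate SSIDs served from unknown
    hardware, authorized APs with weak security, and strong unknown networks
    that may be an unmanaged AP inside the building."""
    findings = []
    for ap in survey:
        ssid = ap["ssid"]
        bssid = ap["bssid"].lower()
        sec = ap["security"].upper()
        entry = authorized.get(ssid)
        if entry is not None:
            # Same SSID as ours, but the radio is not one we installed.
            if bssid not in {b.lower() for b in entry["bssids"]}:
                findings.append(Finding("rogue_ap", ssid, bssid,
                                        "corporate SSID broadcast from an unknown BSSID"))
            # Our own AP, but open (where that is not intended) or WEP.
            elif sec in WEAK and not (sec == "OPEN" and entry["open_allowed"]):
                findings.append(Finding("weak_security", ssid, bssid,
                                        f"authorized AP using {sec}"))
        # Not ours at all, yet loud enough to be on the premises.
        elif ap["signal_dbm"] >= strong_signal_dbm:
            findings.append(Finding("nearby_unknown", ssid or "<hidden>", bssid,
                                    f"strong unknown network: {sec} at {ap['signal_dbm']} dBm"))
    return findings


if __name__ == "__main__":
    for f in triage(SURVEY, AUTHORIZED):
        print(f"{f.kind:15} {f.ssid:12} {f.bssid}  {f.detail}")
```

The inventory is the important input: without a list of the BSSIDs you own, a look-alike AP using your SSID is indistinguishable from your own. The guest network is marked as intentionally open so the check reports only the deviations that matter.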

Dumpster Diving

Dumpster diving is the term given to scrounging through the trash, since it often requires diving into a trash dumpster. A great wealth of information is thrown away by many organizations. This information can be in the form of computer printouts that may contain sensitive information; used carbon printer ribbons that can be unwound so that everything printed on them can be read; used media that can still be read even if all the data were deleted or the disks reformatted; and computer manuals that not only contain information about the system but also quite often contain notes written in the margins by the users of these manuals. This information can be about the systems that are being used, proprietary or confidential information that was disposed of improperly, or even passwords written in the margins of user manuals.

This information is thrown away because people don't think of the consequences. Sometimes when a person quits or is transferred, all the material that was in his or her office is sent to the trash. In many cases, no one reviewed the material to see if it contained any confidential information.

You need to create an appropriate disposal policy. This policy should address all aspects of data disposal and should be part of a data handling policy that also covers data classification, access, storage, backup, and removal. It will define where data of specific classifications can be stored, and how the media holding it (removable media, disk, or tape) is to be labeled, handled, and disposed of. These procedures will vary, depending on the classification or sensitivity of the data. Information classification and handling procedures are important regardless of the format of the information. They should apply uniformly, whether the information is on the computer, printed on paper, or on a marker board or drafting table. A marker board in an executive board room is no less susceptible to compromise than a piece of paper on a secretary's desk.
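A disposal policy is only useful if it is checked against what actually happens. The script below is an added example, not the book's own material: it encodes an assumed policy table (which disposal methods are acceptable for each classification and media type) and audits a constructed disposal log against it. It also handles the two failure modes the paragraph implies: media that was never labeled is treated as the highest classification rather than the lowest, and media the policy has no rule for (here, a printer ribbon) is flagged for review instead of being silently accepted. Classifications, media types, methods and the log rows are all made up for illustration.

```python
"""Audit a media-disposal log against a data handling policy.

Added example, not from the book. The policy table, classifications,
media types, disposal methods and the log below are constructed
assumptions about how such a policy and its records might look.
"""
import csv
from io import StringIO

# Assumed policy: disposal methods acceptable per classification and media type.
POLICY = {
    "PUBLIC":       {"paper": {"recycle", "shred"},
                     "disk":  {"wipe", "degauss", "destroy"},
                     "tape":  {"degauss", "destroy"}},
    "INTERNAL":     {"paper": {"shred"},
                     "disk":  {"wipe", "degauss", "destroy"},
                     "tape":  {"degauss", "destroy"}},
    "CONFIDENTIAL": {"paper": {"shred"},
                     "disk":  {"degauss", "destroy"},
                     "tape":  {"degauss", "destroy"}},
}
HIGHEST = "CONFIDENTIAL"   # unlabeled media is assumed to be the most sensitive class

# Constructed disposal log; an empty classification means the item was never labeled.
LOG = """\
item_id,classification,media,method,witness
1001,PUBLIC,paper,recycle,jdoe
1002,CONFIDENTIAL,paper,recycle,jdoe
1003,INTERNAL,disk,wipe,
1004,,disk,wipe,asmith
1005,CONFIDENTIAL,tape,destroy,asmith
1006,INTERNAL,printer-ribbon,recycle,jdoe
"""


def check_record(row):
    """Return the list of policy problems for one disposal record (empty if clean)."""
    problems = []
    label = row["classification"].strip().upper()
    cls = label or HIGHEST
    if not label:
        problems.append(f"unlabeled media treated as {HIGHEST}")
    media = row["media"].strip().lower()
    method = row["method"].strip().lower()
    allowed = POLICY.get(cls, {}).get(media)
    if allowed is None:
        # No rule at all: do not let an unanticipated media type slip through.
        problems.append(f"no rule for {cls} on {media}; disposal requires review")
    elif method not in allowed:
        problems.append(f"{method} not permitted for {cls} {media} "
                        f"(allowed: {sorted(allowed)})")
    if cls != "PUBLIC" and not row["witness"].strip():
        problems.append("no witness recorded for non-public disposal")
    return problems


def audit(log_text):
    """Map item_id -> list of problems for every record in the CSV log."""
    reader = csv.DictReader(StringIO(log_text))
    return {row["item_id"]: check_record(row) for row in reader}


if __name__ == "__main__":
    for item, problems in audit(LOG).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{item}: {status}")
```

The "treat unlabeled as most sensitive" rule is the design choice worth copying: an item that reaches the dumpster without a label is exactly the case the paragraph describes, where nobody reviewed the material before it left the office.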

Snooping

Information exists in most offices in physical forms. This information is often left lying around on desks or unlocked in file cabinets. Company clean desk policies exist to solve this problem, not to have clean desks. Whiteboards containing business plans and meeting notes are often left for the cleaning crew to erase. Company information decorates the walls of cubicles. In the open office environment used by many companies, oral communications, including telephone conversations, can be easily overheard.

Desktop Computers

With the greater distribution of information, physical security becomes even more important. When all the computers and information were in the data center, physical security was easy: it was localized. Now there is sensitive information on departmental servers and on PCs on everyone's desktop, and information is walking around inside laptop computers. So physical security and security control are much more complicated.

Computers must be secured from both access and theft. A survey reported that most of the laptop computers that were stolen in airports were not random thefts, but were stolen for the information they contained. Almost any security measure can be overcome if the hacker can get physical access to the computer system.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
