Physical System Access

Physical security is fundamental to the security of an information system. Physical access to a system is the most compromising of any access issues. With physical access, one can physically damage the system, remove data storage devices, and, in most cases, gain access to the system's operations. Physical access needs to be limited to those who have a need to physically access the systems and it must produce a record of who had physical access and when.

Numerous sites have been plagued with stolen equipment and, in many cases, it has been memory modules, CPUs, and other internal components which have been stolen. This illustrates a need for locks on the computer cabinets as well as auditable locks on the rooms which house the computer systems. These locks must be able to identify the individual who entered and exited the room. This is usually accomplished with individually issued access cards. Integration of physical security into information security can simplify the management, monitoring, and correlation of security events.

This decentralization of systems means that more than just the computer operations staff must be made aware of physical security. The users must understand the importance of locking up their floppies and printouts and logging off or locking up their computers. A proprietary report requires the same security whether it is printed or on a diskette or in your computer.

Mobile computing users who use portable computers must be aware that the theft of their computer compromises all the information on that computer. Many corporate spies have found it easier to steal a portable computer than to break into a company's computer to get the desired information.

^[53] Mello, Jr., John P., "Stop, Thief!," CFO Magazine , 1 October 1997.

Telecommuters, those employees who work from home, also add additional security issues, and they need the same level of security at home as they would have in the office.

Wireless communication adds a whole new area for hackers to exploit by eavesdropping without physical access. Cellular modems and wireless local area networks (LANs) have opened the doors to your data communication without a hacker having to physically attach to your network.

If your physical security procedures have not recently been reviewed, they should be. It is extremely important to review security procedures regularly to incorporate new equipment and technologies.

Network Equipment

The computer system extends beyond the physical box which contains it. The network to which it is connected also requires physical security for the network equipment and the junction points. Often network equipment is located in wiring closets which are shared with other functions, such as telephone equipment. The security of these areas are equally important to the security of the information system. Access to these closets are often given to repair personnel of other companies, such as telephone repairmen. This is why audited and monitored access is required. Unauthorized access to these areas enables a hacker to add unauthorized connections for eavesdropping or unauthorized access or to disable connections, causing disruptions in service.

Removable Media

Today, with tape backup technology allowing gigabytes of data to be stored on a tape that can fit into a shirt pocket, an entire data center's information can easily slip past normal physical security procedures. Much more attention than ever before must be paid to the sites that have removable media. With the decentralization of systems, removable media are everywhere.

Physical access precautions should be extended to anywhere there are removable media. Access to removable media devices allows a hacker to remove information from the system and the site without going through the network security which might otherwise detect it. Physical secure checkpoints are rarely adequate to detect the removal of information on removable media. The data density and physical size of tapes today make it easy to slip huge amounts of data past security checkpoints.

Once information is removed from the information system, the protection afforded by that information system, such as user authorizations and file permissions, does not apply. The information on removable media can be installed onto any system without regard to the security level or controls of that system.

Removable media are always a security issue. They create a porthole through which information can flow out of and into the system. Restricting the programs that can access these devices and the people who can run these programs will help limit this flow of information. Restricting the number of devices that have removable media and the number of people who have physical access to those devices will also help reduce the risk. Physical security will help limit this threat. So can appropriate labeling procedures.

It is wise to produce custom "company" labels that are specific to the classification of the data they will contain. When output devices are limited to a specific classification level, this can make for easy and rapid identification if the data are being handled correctly. In conjunction with a widespread employee security awareness program, this very simple concept can make a big difference in spotting inappropriate handling of information and having it reported .

System Backups

Backups can be both a blessing and a curse to the hacker as well as to the system manager. For a hacker, if gaining access to backups is easy, then accessing information from them may be easier than getting the same information from the system's disks. However, if the hacker's activity is logged and backed up, that may be just the evidence it takes to convict him. For you as a system manager, backups are your last safety net. You can never lose more data than that which has been created since your last good backup. When backups are stored off-site, you can recover from a physical disaster. However, if your backup and recovery policies are not sufficient, a hacker may be able to access your system's information from the backup or restore hacker code onto your system.

There is no bigger risk to your information systems than your system backups. Your entire system is on those tapes. If they are compromised, all the information contained on your system is compromised. Proper handling and storage of backups are critical to ensure the confidentiality and integrity of the information they contain. Nowhere are procedures more important than in the handling of removable media. Backups must be kept in a secure area. Anyone who has physical access to your backups can read them on another computer. If your backups are stored off-site, the transportation to and from the off-site storage must also be a secure process.

Procedures to request the mounting of backup media must be secure. This means a separate authentication of the requester. You need to understand the backup policy and procedures for your system, keeping in mind how they might be used by a hacker who plans to use your system to attack other systems or to plunder the information on your system.