Chapter 5: Physical and Operational Security


Overview

If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

–Law #3 of the Ten Immutable Laws of Security

One of the least expensive, yet most productive, ways to improve your computer and network security involves studying the physical and operational environments that your computers inhabit. The reason that strengthening physical and operational security gives you more bang for the buck is simple: if an attacker can get physical access to a machine, he or she can do any number of things, ranging from stealing the entire machine to planting Trojans to using it to mount attacks on other systems. Fortunately, restricting that access is easy and cheap, and physical security measures are generally straightforward. Operational security changes require a little more work, because they usually involve changing people’s habits and the culture surrounding information disclosure. However, over time these efforts can pay off, too. This chapter presents an overview of some of the physical security measures used in places like nuclear weapons facilities, U.S. Army bases, and large corporate data warehouses; you can pick and choose the ones that make sense for you to apply.

Note

Interestingly enough, many of the principles you first read about in Chapter 1, “Security Buzzwords,” also apply to physical security: authentication, auditing, and access control are the linchpins of effective physical security. You’ll probably see other parallels as well.

The key principle of physical and operational security is defense in depth. You cannot assume that any single measure, like a locked door or an alarm system, will stop a determined intruder, especially if he or she is an employee. Instead, your security capability comes from having multiple security layers in series, all of which an attacker must penetrate to gain access to a system. These layers should be designed as if each were the only one you had, and you should ask yourself whether the design and implementation of each layer is sufficient to stop the kinds of attacks it protects against. For physical threats, your defensive layers include physical security, environmental security, and access control; different kinds of threats result in a different set or configuration of security layers.




Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
EAN: N/A
Year: 2003
Pages: 169