Photo Credit: Microsoft Studios, security-cameras-for-a-business
There is a huge emphasis on protecting data in the security industry, but what about the physical elements that aid in the storage, processing and transmission of that data? In this post we discuss why physical security should not be taken for granted when planning for information security within an organization. Logical systems cannot exist without hardware components in place. Even in cloud setups where an organization's data is stored entirely in the cloud, the business still has to have some hardware on premises that enables it to access that data. If a physical breach were to occur in which an attacker gained access to the hardware components that interact with the logical environment, the damage might be irreversible.
Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism (Rouse, 2005). Physical security entails the controls or steps taken to limit or deny unauthorized physical access to a building, its facilities, the resources within the building, and the information stored there.
There are different types of security controls:

Directive controls – the administrative controls intended to guide or advise employees on how to conduct themselves when using the systems or when they are on the business premises.

Preventive controls – the steps taken to stay ahead of, and hopefully stop, any actions that would violate the controls in place. An example would be locked doors and windows.

Deterrent controls – these involve the use of notices and warnings about the consequences of security violations. An example would be having CCTV cameras installed in every room.

Detective controls – the controls that aid in identifying, monitoring and potentially reacting to security violations. Examples would be security alarms, motion sensors, heat sensors, etc.

Corrective controls – the controls designed to react to the detection of an incident in order to resolve it and prevent any future recurrence.

Recovery controls – the controls used to restore the system or operation to its normal state after an actual incident occurs.
Different security measures can be implemented to protect against physical threats, and they fall under the different security control types described above. These measures can include:

Protecting the premises: the entry and exit points should be evaluated to ensure there are sufficient security controls in place. Interior partitions like walls, ceilings and floors should be secure enough to prevent any breaches. Mantraps and turnstiles can be used to prevent piggybacking (tailgating) attempts. Surge protectors and UPS systems should be in place to guard against power-related threats, whether inadvertent or planned. Fire suppression systems should be in place and fire extinguishers should be easily accessible in case of a fire emergency.
Locked rooms: the server room or data center is perhaps the most critical of all rooms. It should always be located in a central area, and access to it should be restricted to authorized personnel only. Locked doors should be used and, if possible, two-factor authentication should be enforced. Surveillance cameras should be installed to monitor activity to and from the data center. If there is a need to have outsiders in the room, such as vendors and maintenance staff, access should only be allowed in the presence of an escort.

Other critical devices like switches, hubs and routers should also be locked away. Gone are the days when network equipment and cables were stashed in the same closet as the janitor's 'tools of the trade'. If you don't secure these devices, an attacker can impersonate the cleaning crew, walk into the closet, simply plug into the network and cause havoc.
Secure workstations and laptops: docking stations should have the capability to lock down laptops when users step away from their desks. Workstations should also be secured, and the case should be protected using case locks. This will prevent attackers from opening up the computer towers and removing the hard drive. Laptops and handhelds should be encrypted, and biometric readers should be used for access. In case of a loss, the organization should be able to remotely wipe the data on the device.

Removable media capability should also be disabled to prevent attackers and rogue employees from downloading information without authorization.
Protecting backups: most organizations plan for the production environment and ensure that security controls are in place to protect it, but what about the DR site or the backups? Organizations need to ensure that their backup tapes and/or disks cannot be stolen. These backups usually hold the same information that can be found in the production environment; if security controls are lax there, attackers will definitely choose this easier route.
Protecting non-critical devices: even basic devices and elements like printers, fax machines, phones and trash bins need to be protected. Attackers can gain information through dumpster diving, so the organization needs to secure its bins and have locked shred bins located in secure areas within the building. Only approved, reputable vendors should be used to dispose of old data (if the company outsources this service). This should also apply to the disposal of hardware such as hard disks and decommissioned appliances.
Another area to look at when it comes to physical security is the undefined perimeter. With more employees working remotely and organizations having sales reps working on the road, the organization needs to account for the physical protection of those devices by having logical controls in place. Policies should be enforced as a guide to help employees adhere to best practices that minimize the potential for losses. Employees should not leave their laptops and other documents in visible places in their cars. The business should have a way of remotely wiping the data on devices like smartphones if they are reported stolen. Hard drives should be encrypted to avoid exposing information to unauthorized individuals.
Conclusion

Just as with logical security measures, physical security controls should adopt a defense-in-depth approach when being implemented. Merely having CCTV cameras or security guards on site is not enough of a deterrent to an attacker attempting to break in. If they are determined to breach the perimeter, they will find a way. Different controls need to be adopted so that they complement each other: if one has gaps, another control can cover that gap. For example, locked doors with a two-factor authentication requirement to unlock the room, plus a security guard or even a receptionist at the entrance, is a better deterrent to an attacker than simply having locked doors and cameras at the front door.
References:

Covington, R. C. (2015, June 23). Physical security: The overlooked domain. Retrieved January 31, 2016, from ComputerWorld website: http://www.computerworld.com/article/2939322/security0/physical-security-the-overlooked-domain.html

Rouse, M. (2005, December). Physical security. Retrieved January 31, 2016, from TechTarget website: http://searchsecurity.techtarget.com/definition/physical-security