Sunday, January 31, 2016

Physical Security Controls (week 7)

Photo Credit: Microsoft studios, security-cameras-for-a-business
There is a huge emphasis on protecting data in the security industry, but what about the physical elements that aid in the storage, processing and transmission of that data? In this post we will discuss why physical security should not be taken for granted when planning for information security within an organization. The logical systems cannot exist if there are no hardware components in place. Even in cloud setups where an organization’s data is stored entirely in the cloud, the business still has to have some hardware on premises that enables it to access this data. If a physical breach were to occur in which an attacker gained access to the hardware components that interact with the logical environment, the damage might be irreversible.

Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism (Rouse, 2005). Physical security entails the controls or steps taken to limit or deny unauthorized physical access to a building, its facilities, the resources within the building, and the information stored there.

There are different types of Security Controls:

Directive controls – these are the administrative controls intended to guide or advise employees on how to conduct themselves when using the systems or when they are on the business premises.

Preventive controls – these are the measures taken to stop unwanted actions before they happen. Examples would be locked doors and windows.

Deterrent controls – these involve the use of notices and warnings of the consequences of security violations. An example would be having CCTVs installed in every room.

Detective controls – these are the controls that aid in identifying, monitoring and potentially reacting to security violations. Examples would be security alarms, motion sensors, heat sensors, etc.

Corrective controls – these are the controls designed to react to the detection of an incident in order to resolve it and prevent any future recurrence.

Recovery controls – these are the controls used to restore the system or operation back to its normal state after an actual incident occurs.

Different security measures can be implemented to protect against physical threats, and each falls under one or more of the control types described above. These measures can include:

Protecting the premises: the entry and exit points should be evaluated to ensure there are sufficient security controls in place. Interior partitions like walls, ceilings and floors should be secure enough to prevent any breaches. Mantraps and turnstiles can be used to prevent piggybacking (tailgating) attempts. Surge protectors and UPS systems should be in place to guard against power-related threats, whether inadvertent or planned. Fire suppression systems should be in place and fire extinguishers should be easily accessible in case of a fire emergency.

Locked rooms: the server room or data center is perhaps the most critical of all rooms; it should always be located in a central area and access to it should be restricted to authorized personnel only. Locked doors should be used and, if possible, two-factor authentication should be enforced. Surveillance cameras should be installed to monitor activity to and from the data center. If there is a need to have outsiders in the room, like vendors and maintenance staff, access should only be allowed in the presence of an escort.
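The access rules just described for the data center (authorized personnel only, escorts for outsiders) and the detective controls listed earlier are only useful if someone actually checks the door logs against them. The script below is an added example, not code from the original post: it parses a constructed badge-reader log and raises alerts for entries granted to badges outside a hypothetical authorized list, for visitor badges that enter without an authorized badge having entered shortly before them (the escort rule), for access outside business hours, and for repeated denied attempts by one badge. The log format, badge IDs, door names, policy values and time windows are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample badge-reader log (not real data). One event per line:
# <ISO timestamp> door=<door id> badge=<badge id> result=<granted|denied>
# Badges starting with "V" are assumed to be visitor badges.
SAMPLE_LOG = """\
2016-01-31T08:02:11 door=server-room badge=E1001 result=granted
2016-01-31T08:02:40 door=server-room badge=V2001 result=granted
2016-01-31T09:15:05 door=server-room badge=E3090 result=granted
2016-01-31T12:30:00 door=server-room badge=E1002 result=denied
2016-01-31T12:30:21 door=server-room badge=E1002 result=denied
2016-01-31T12:30:49 door=server-room badge=E1002 result=denied
2016-01-31T14:10:00 door=server-room badge=V2002 result=granted
2016-01-31T23:41:13 door=server-room badge=E1001 result=granted
2016-01-31T10:00:00 door=lobby badge=E3090 result=granted
"""

# Hypothetical access policy for the data-center door (assumptions, not from the post).
AUTHORIZED = {"server-room": {"E1001", "E1002"}}  # staff allowed in unescorted
BUSINESS_HOURS = (7, 19)                           # 07:00-19:00; anything else is after-hours
ESCORT_WINDOW = timedelta(seconds=60)              # visitor must follow an authorized entry within this window
DENIED_THRESHOLD, DENIED_WINDOW = 3, timedelta(minutes=5)


def parse_line(line):
    """Turn one log line into a dict with a datetime and the key=value fields."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts_str), **fields}


def parse_log(text):
    """Parse all non-empty lines and sort them chronologically."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def analyze(text, door="server-room"):
    """Return a list of (rule, badge, timestamp) alerts for one monitored door."""
    alerts = []
    events = [e for e in parse_log(text) if e["door"] == door]
    allowed = AUTHORIZED.get(door, set())
    recent_denied = defaultdict(list)   # badge -> timestamps of recent denials
    last_authorized_entry = None        # when an authorized badge last entered

    for e in events:
        ts, badge = e["ts"], e["badge"]

        if e["result"] == "denied":
            # Keep only denials inside the sliding window, then add this one.
            recent_denied[badge] = [t for t in recent_denied[badge]
                                    if ts - t <= DENIED_WINDOW] + [ts]
            if len(recent_denied[badge]) >= DENIED_THRESHOLD:
                alerts.append(("repeated-denied", badge, ts))
                recent_denied[badge].clear()
            continue

        # Everything below applies to granted entries only.
        is_visitor = badge.startswith("V")
        if not is_visitor and badge not in allowed:
            # The door controller let in a staff badge the policy does not list.
            alerts.append(("unauthorized-granted", badge, ts))
        if is_visitor and (last_authorized_entry is None
                           or ts - last_authorized_entry > ESCORT_WINDOW):
            alerts.append(("visitor-unescorted", badge, ts))
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts.append(("after-hours", badge, ts))
        if badge in allowed:
            last_authorized_entry = ts

    return alerts


if __name__ == "__main__":
    for rule, badge, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:22s} badge={badge}")
```

Run against the constructed log, the script flags E3090 being granted entry although it is not on the list, E1002 hitting three denials in a row, visitor V2002 entering with no escort in the preceding minute, and E1001 entering at 23:41; visitor V2001, who followed E1001 in within 29 seconds, is not flagged. A real deployment would feed live controller events into the same rules and route the alerts to whoever is responsible for the corrective response.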

Other critical devices like switches, hubs and routers should also be locked away. Gone are the days when network equipment and cabling were stashed in the same closet as the janitor’s ‘tools of trade’. If you don’t secure these devices, an attacker can impersonate the cleaning crew, walk into the closet, simply plug into the network and cause havoc.

Secure workstations and laptops: docking stations should have the capability to lock down laptops when users step away from their desks. Workstations should also be secured, and the case should be protected using case locks. This will prevent attackers from opening up the computer towers and removing the hard drive.

Laptops and handhelds should be encrypted, and biometric readers should be used for access. In case of a loss, the organization should be able to remotely wipe the data on the device.
Removable media capability should also be disabled to prevent attackers and rogue employees from copying information without authorization.

Protecting backups: most organizations plan for the production environment and ensure that security controls are in place to protect it, but what about the DR site or the backups? Organizations need to ensure that their backup tapes and/or disks cannot be stolen. These backups usually contain the same information as the production environment; if security controls are lax there, attackers will choose this easier route.

Protecting non-critical devices: even basic devices and elements like printers, fax machines, phones and trash bins need to be protected. Attackers can gain information through dumpster diving, so the organization needs to secure the bins and have locked shred bins located in secure areas within the building. Only approved, reputable vendors should be used to dispose of old data (if the company outsources this service). This should also apply to the disposal of hardware like hard disks and decommissioned appliances.

Another area to look at when it comes to physical security is the undefined perimeter. With more employees working remotely and organizations having sales reps working on the road, the organization needs to account for the physical protection of those devices by having logical controls in place. Policies should be enforced as a guide to help employees adhere to best practices that minimize the potential for losses. Employees should not leave their laptops and other documents in visible places in their cars. The business should have a way of remotely wiping the data on devices like smartphones if they are reported stolen. Hard drives should be encrypted to avoid the exposure of information to unauthorized individuals.

Conclusion
Just as with logical security measures, physical security controls should follow a defense-in-depth approach when being implemented. Just having CCTVs or security guards on site is not enough of a deterrent to an attacker attempting to break in. If they are determined to breach the perimeter, they will find a way. Different controls need to be adopted, and they can act as complements to each other: if one has gaps, another control can cover that gap. For example, locked doors with a two-factor authentication requirement to unlock the room, plus a security guard or even a receptionist at the entrance, is a better deterrent to an attacker than simply having locked doors and cameras at the front door.

References:
Covington, R. C. (2015, June 23). Physical security: The overlooked domain. Retrieved January 31, 2016, from ComputerWorld website: http://www.computerworld.com/article/2939322/security0/physical-security-the-overlooked-domain.html

Rouse, M. (2005, December). Physical security. Retrieved January 31, 2016, from TechTarget website: http://searchsecurity.techtarget.com/definition/physical-security
