Tweet
Physical security is the primary security boundary for assets in the physical world and involves the protection of such assets as personnel, hardware, applications, data, and facilities from fire, natural disasters, robbery, theft, and insider threats. A fairly common problem with physical security is that it is easily overlooked in favor of the more publicized technical issues. Corporations do so at their own risk considering nontechnical attacks can be carried out with little or no technical knowledge. If security is focused only on technical details there is a increased risk that the organization miss protection of physical assets. Threats like vandalism or theft seems to be out of scope or out of budget. If an attacker does not find a way to penetrate the infrastructure he might turn physical access including dumpster diving, tailgating and other techniques. A determined attacker will put the location under surveillance and observe traffic patterns, cameras and defective security controls to determine the best way to gain access.
Simple Controls
Many controls can be in place to protect and preserve the physical security of an organization and sometimes the presence of visible controls may be enough to stop the attack. Some controls are designed to be a deterrent and even though an attacker is able to penetrate the location he may choose to not do so. One of the most basic controls that can protect physical interaction with a device, system or facility is the use of passwords as they can protect a system from being physically accessed or from being used to access a network.
Passwords and Physical Security
Even though passwords are not the first thing you think of when considering physical security but they are in the primary line of defense. Of course passwords has to be implemented and used in the correct manner to be an effective defense. Organizations of all types have to enforce strong password policies and management guidelines in order to have the end users choose strong passwords. Even media reporting on huge leaks does not make end users change passwords by themselves, or even pick a strong password in the first place. A password should not include any personal information, be shorter than eight characters, be changed regularly, be complex passwords and there should be a limit of logon attempts before the account should be locked. Using two-factor authentication is more common today and even though it is an extra layer of security, it has an economical impact.
Locked Screens
In the past it was common to find an unattended and unlocked computer and use it to gain access to the target network. In some cases, the system would be left logged in and unlocked. Maybe the user only intended to be away for a few moments but a short moment may be enough time for a prepared attacker to compromise the system. A user should always lock the screen when leaving the computer and the organization should have a policy in place to lock screens after a short period of time if no activity occurs on the system. An option could be to also use two-factor authentication using an item such as a smart card, RSA token or similar.
Warnings
A useful mechanism for protecting or defending a system is the use of a warning banner. It may be a deterrent but it is also important in case of a successful attack. If the attacker is greeted by a Welcome message, how should he know he is not allowed to be there. At least some young kinds some years ago penetrated an institution and the banner said something like Welcome and that was what allowed the kids to avoid punishment when they were sued by the institution. It is important that the banner warns the user that the user is entering a restricted network and if no prior permission is in place, the user should log off immediately.
Many variations exists but the content seems to be more or less the same. Here is a banner from SolarWinds Thwack community:
************************************************** **********************
WARNING: This system is for the use of authorized clients only.
Individuals using the computer network system without
authorization, or in excess of their authorization, are
subject to having all their activity on this computer
network system monitored and recorded by system
personnel. To protect the computer network system from
unauthorized use and to ensure the computer network systems
is functioning properly, system administrators monitor this
system. Anyone using this computer network system
expressly consents to such monitoring and is advised that
if such monitoring reveals possible conduct of criminal
activity, system personnel may provide the evidence of
such activity to law enforcement officers.
Access is restricted to authorized users only.
Unauthorized access is a violation of state and federal,
civil and criminal laws.
************************************************** ************************
Remember that physical security is not just about defending the organization from outsiders, but to a high degree from insiders.
Simple Controls
Many controls can be in place to protect and preserve the physical security of an organization and sometimes the presence of visible controls may be enough to stop the attack. Some controls are designed to be a deterrent and even though an attacker is able to penetrate the location he may choose to not do so. One of the most basic controls that can protect physical interaction with a device, system or facility is the use of passwords as they can protect a system from being physically accessed or from being used to access a network.
Passwords and Physical Security
Even though passwords are not the first thing you think of when considering physical security but they are in the primary line of defense. Of course passwords has to be implemented and used in the correct manner to be an effective defense. Organizations of all types have to enforce strong password policies and management guidelines in order to have the end users choose strong passwords. Even media reporting on huge leaks does not make end users change passwords by themselves, or even pick a strong password in the first place. A password should not include any personal information, be shorter than eight characters, be changed regularly, be complex passwords and there should be a limit of logon attempts before the account should be locked. Using two-factor authentication is more common today and even though it is an extra layer of security, it has an economical impact.
Locked Screens
In the past it was common to find an unattended and unlocked computer and use it to gain access to the target network. In some cases, the system would be left logged in and unlocked. Maybe the user only intended to be away for a few moments but a short moment may be enough time for a prepared attacker to compromise the system. A user should always lock the screen when leaving the computer and the organization should have a policy in place to lock screens after a short period of time if no activity occurs on the system. An option could be to also use two-factor authentication using an item such as a smart card, RSA token or similar.
Warnings
A useful mechanism for protecting or defending a system is the use of a warning banner. It may be a deterrent but it is also important in case of a successful attack. If the attacker is greeted by a Welcome message, how should he know he is not allowed to be there. At least some young kinds some years ago penetrated an institution and the banner said something like Welcome and that was what allowed the kids to avoid punishment when they were sued by the institution. It is important that the banner warns the user that the user is entering a restricted network and if no prior permission is in place, the user should log off immediately.
Many variations exists but the content seems to be more or less the same. Here is a banner from SolarWinds Thwack community:
************************************************** **********************
WARNING: This system is for the use of authorized clients only.
Individuals using the computer network system without
authorization, or in excess of their authorization, are
subject to having all their activity on this computer
network system monitored and recorded by system
personnel. To protect the computer network system from
unauthorized use and to ensure the computer network systems
is functioning properly, system administrators monitor this
system. Anyone using this computer network system
expressly consents to such monitoring and is advised that
if such monitoring reveals possible conduct of criminal
activity, system personnel may provide the evidence of
such activity to law enforcement officers.
Access is restricted to authorized users only.
Unauthorized access is a violation of state and federal,
civil and criminal laws.
************************************************** ************************
Remember that physical security is not just about defending the organization from outsiders, but to a high degree from insiders.