Based in Denver, CO, Agile Ideation collects the thoughts and experiences of Ed Schaefer. His posts explore agile and devops related topics as he works to maximize team effectiveness and minimize waste through continuous learning, coaching and empowering teams.

Physical Security

Physical Security

Attackers

Out of all the risks to information systems the threats posed by attackers are some of the most common concerns. The ways in which an attacker could gain illicit access must all be evaluated and controlled. Many of these controls are also the most obtrusive. Multiple controls should be used in combination to deter, delay, detect and respond to prevent an attacker from gaining access. Deterrent controls may include gates and walls, security cameras, guards and identification badges. If these do not scare a potential attacker away they add an additional element to delaying the intruder. Additional delays including strong locks on doors compartmentalizing the building by clearance, electronic locks that are tied into an alarm system and time delayed doors can also be utilized. It is important to have additional security measures inside the facility in case an attacker were to gain access. Workstations must always be locked down with passwords and all drive bays and nonessential input ports should be disabled or restricted. Even this may prove insufficient if an attacker were to gain access posing as an IT employee fixing a computer or a messenger picking up a package as hardware could be physically removed. All machines must be locked down. Desktop towers must be immovable and sealed to prevent removal of a drive. Laptops are especially vulnerable and employees should be provided a lock to be used on and off the premises. This type of safety is especially important for servers. Some attackers may be more interested in destroying property than stealing it making measures from cages to specially designed and located rooms practical depending on the potential risk.

While attackers pose a serious threat they are not one of the seven major sources of physical loss according to Donn B. Parker. In his book Fighting Computer Crime the seven major sources of physical loss are:

  1. Extreme temperature: heat, cold
  2. Gasses: war gases, commercial vapors, humid or dry air, suspended particle
  3. Liquids: water, chemicals
  4. Living organisms: viruses, bacteria, people, animals, insects
  5. Projectiles: tangible objects in motion, powered objects
  6. Movement: collapse, shearing, shaking, vibration, liquefaction, flow waves, separation, slide
  7. Energy anomalies: electrical surge or failure, magnetism, static electricity, aging circuitry; radiation: sound, light, radio, microwave, electromagnetic, atomic

This makes sense as computers are very sensitive machines and are best maintained when kept in restricted, climate controlled rooms kept at the perfect temperature and humidity. Even in a controlled environment the number of things that can cause or create these sources is astronomical. Most often they present themselves as natural disasters or so called “acts of god”.

Natural Disasters

The damage an attacker can do is great, but the extensive number of risks posed by natural disasters creates an even greater threat that is often overlooked. Flooding is one very serious concern as it can destroy machinery, reduce computing power, overload circuits and even ruin the building itself (P., & Lawrence, 2007). Even in areas where natural flooding is not a concern a broken water main could happen at any time. Even more dangerous than water is fire as it often moves quicker poses a more immediate threat to human life (P., & Lawrence, 2007). Fire detection is important to ensure the proper response is deployed to suppress or extinguish the threat. This may include smoke and heat detectors. Though water is typically used to suppress a fire we have already seen how this can be a poor choice in combination with electronics. Restricting the fire and removing oxygen would work but is overly complex and expensive for many operations, so frequently sprinklers are used in combination with chemicals that will put out the flames. The vibrations caused by even the slightest tremor could cause a hard drive head to skip, ruining the disk, cause a machine to fall over or make a connector cable come loose. Lighting poses electrical threats, but so does a downed power line and even an exceptionally dry day. Uninterruptable power supplies and humidity controls or other anti-static measures are potential solutions, respectively.

So called “Acts of God”

            When a natural disaster strikes, hardware casualties are expected, but when hardware fails unexpectedly some purport it to be an “act of god”. It would be impossible to address everything in this category, but some are more common. Hard disk failures are not at all uncommon and a Google study examining hard drive failure trends suggests that other effects, such as manufacturing quality, may have a more substantial impact than usage or even heat (Pinheiro, Weber, & Barroso, 2007). Hardware can fail for what seems like no reason, making redundancy and backup of the utmost importance. Backups should be done frequently with both local and offsite copies to provide the fastest return to normalcy. A single backup is never enough if some disaster were to strike destroying the building, or simply erasing the data. Depending on the needs of the organization redundancy can exist not just for disks but for machines as well. For an organization needing to provide the highest possible continuous uptime, backup machines that can kick in when the primary machines fail may be a better solution than drive backups alone.

Employees

One of the most frequently overlooked threats to an organization, and an important part of physical security, revolves around the employees themselves. This area presents risks in a number of ways. The disgruntled employee may attempt to manipulate, erase or steal data. Many of the controls used to guard against intruders can help prevent these risks. Accidents prove a more substantial and highly common area of concern. Drinks can be spilled, machines unplugged, computers left unsecured, desks and offices unlocked. It can be a greater concern if passwords are written down, doors to secure areas left open or even if the wrong thing is thrown away.

 

Conclusion

Physical security covers so many different aspects within an organization it is easy to see how aspects can easily be overlooked. Additionally with so many areas of concern it may be too difficult or too costly to guard against every potential threat. It is important for a CISO to evaluate all threats to an organization and determine which pose the greatest risk and are the most likely, and these must be the first aspects that are secured. At the same time a CISO must be prepared by having contingency and backup plans prepared for even the most unlikely of scenarios.

Policy Comparison

Cryptology