In the years that I’ve been working with computers, I’ve always found physical security to be one of the most overlooked areas of IT security. Physical security refers to the act of controlling physical access to your network computers and components. Even in the smallest organizations, physical security is vitally important. Without it, you risk theft, damage, and unauthorized modifications to the servers.
In this Daily Drill Down, I’ll explain why physical security is so important and what you can do to evaluate and enhance your existing physical security.
Making the case for physical security
Insiders perform the vast majority of security breaches. It’s much easier to hack a system from inside a company than from outside because you don’t have to pass through the company’s perimeter defenses (usually firewalls). Hacking a system is easier still if you can gain physical access to it. Many hacker tools exist that will allow even amateurs with minimal networking experience to hack a server within minutes if they can get physical access to it.
Most of the time, when people think of internal security breaches, they tend to think of big corporations as being the only ones that are vulnerable. However, I’ve seen internal security breaches occur in both big and small companies. In fact, less than a month ago, I had to travel 500 miles to fix a system for a friend who worked for a company that employed only six people. An irate employee had trashed the payroll database. If this company had put the proper security in place, the irate employee would never have had access to the database. After all, the employee was a truck driver, not an accountant or an IT person.
A specific example of lax physical security
Before deciding to go freelance, I was the CIO for a chain of hospitals. Although the company employed thousands of people, there were only about 20 employees at the main office. My first day on the job, I was given a tour of the main office. I was horrified to learn that the main server, which contained payroll and financial databases for all of the hospitals, resided in a glass room with no door. What made the situation more of a nightmare was that the server console was left logged in at all times. Even worse, every employee logged in to their workstation as the administrator.
When I asked about the situation, I was told that no one in the building other than me had any computer experience at all. A consultant had set up the system and given each user just enough information to do his or her job. When I asked why the server was in an exposed location and constantly logged in, I was told that the main network printer was attached directly to the server and that the server was left logged in because that was the only way to monitor the print queue.
Needless to say, I got a locking door, moved the printer, changed the administrator password, set everyone up with his or her own account, and showed everyone how to access the print queues without logging in to the server and without being logged in as an administrator. Some users were unhappy with the changes, but they needed to be done.
I’ve always tried not to use a strict approach to network management. Because of this, I thought long and hard about whether physical security was really necessary in this organization. After all, if the users truly knew only enough to do their jobs, what was the harm of leaving the server in an exposed location? I came to the conclusion that even in an organization such as this, physical security was absolutely necessary for several reasons.
The first reason for implementing physical security was to prevent damage to the server. In this particular organization, many employees made a habit of working directly at the server console. I wasn’t nearly as worried about the employees accidentally erasing files as I was worried about the fact that they ate, drank, and smoked while using the server console. I decided to implement physical security to prevent physical damage.
The second reason for implementing physical security was to control access to the server. Prior to my arrival, the organization relied on a fly-by-night consulting firm for all of its IT needs. Employees from the consulting firm would frequently come by, do something to the server, and then leave without anyone ever questioning what was done. In fact, I was employed for several weeks before I realized that the consulting firm was continuing to make server adjustments without my knowledge or consent. I couldn’t fire the firm because the woman who owned the consulting firm was best friends with the owner of the company that I worked for, but I could lock the door to the computer room. Doing so would force the consultants to come and see me before touching the servers.
Another reason I deemed physical security to be of importance in this organization was to prevent theft. Although the company had never experienced a computer theft incident, the server cost $30,000 and the information on the hard drives was worth millions. I didn’t want to see this server just disappear.
Still another reason for physical security was that although none of the employees knew anything about computers, it was possible for them to learn. If an employee watched how one of the consultants accessed and modified the system, the employee could try to duplicate the steps that the consultant had taken, resulting in damage or in the theft or modification of sensitive information.
Physical security techniques
Obviously, most organizations are nothing like the places I've just described. In most organizations, the need for physical security is a given, and the trick is to determine the areas of the greatest physical vulnerabilities so that something can be done about them. In the sections that follow, I’ll share with you some security tricks that I’ve learned over the years.
I’m not going to ramble on and tell you more reasons why the server should be kept behind a locked door. You already know why. What I am going to tell you is that not all door locks are created equal. There are four basic types of locks that I’ve seen companies use on computer room doors: key locks, combination locks, keycard locks, and biometric locks. Each of these locks has advantages and disadvantages. Out of all of them, though, I recommend using keycard locks.
Key locks are probably the most common type of lock. However, anyone with basic lock-picking skills can get past a key lock relatively easily. Sure, no one is going to pick a lock in the middle of the day, but if someone were to come in to the office at 3:00 A.M., he or she could have the run of the office and pick away. Because I wasn’t sure how easy it was to get past a key lock, I read several articles on the Internet about lock-picking and then tried my luck on a few different locks. Lock-picking takes a little practice but is pretty easy when you get the hang of it (although I’ve yet to try a deadbolt).
In my opinion, combination locks are the worst possible solution for protecting a computer room. Combinations are too easy to guess. Furthermore, people tend to write them down or verbally tell the combination within an earshot of others. There are electronic combination locks that incrementally increase the amount of time that you must wait between each try. For example, if you guess the combination incorrectly the first time, there is a two-second delay before you can try the combination again. After the next incorrect guess, the delay goes to four seconds, and then eight seconds, 16 seconds, and so on. Although these locks are great for preventing brute-force cracks, they do nothing to protect your computer room from someone who overheard the combination.
Biometric locks are probably a good solution, but they tend to be expensive. Furthermore, much of the biometric technology is still new and relatively unproven.
Keycard locks are my favorite option for a number of reasons. First, there are several types of keycard locks, but many of them have the cardholder’s identity encoded on the card’s magnetic strip. The card readers are linked to a central computer that keeps track of card scans. Therefore, if someone who isn’t authorized to access the computer room door tries to use his or her card to get in anyway, the computer logs the fact that the person tried to get in. An e-mail alert can then be sent to the security coordinator and to the person’s supervisor.
Of course, these systems also log successful entry into the room. So if something was amiss, you could see which tech was in the room at 3:00 A.M. yesterday. I love keycard locks because they create an audit trail. However, there are other things that make these locks superior.
Most keycard locks are designed in a way that the card reader blocks physical access to the locking mechanism. This means that someone can’t usually pick a keycard lock without completely disassembling it. This brings up another good point: Regardless of which type of locking mechanism you use, you should make sure that the screws holding the door knob (or the lock) are mounted on the inside of the door. Furthermore, the door hinges should also be accessible only from inside the room. Otherwise, someone could use a hammer and screwdriver to remove the door hinges and completely bypass the door’s lock.
One of the biggest physical security recommendations that I’ve always made to my clients is to disconnect any unused network jacks. In the past, my way of thinking was that someone could find an unused network jack, plug a laptop into it, and then run a protocol analyzer on the laptop and steal authentication packets as they flow across the network. Today, this argument isn’t quite as valid as in the past because protocols such as IPSec encrypt TCP/IP packets, making it difficult to steal authentication packets. Using IPSec virtually eliminates the chance of someone stealing a password or using a replay attack to gain access to unauthorized resources.
I still think it’s important to disconnect any unused network jacks, though, for a couple of reasons. First, although a protocol analyzer would be fairly useless to a hacker if you’re running IPSec, someone could still connect a laptop to a spare network jack in some faraway corner of the building and attempt to hack your network.
A more important reason is to prevent the introduction of rogue wireless access points. I recently spoke to someone who worked for a large company. The company’s official policy was that wireless networking wasn’t allowed because of the security risks it created. One of the company’s managers was computer-savvy and used wireless networking at home. The manager wanted to be able to wirelessly connect his laptop to the network while at the office, but the corporate policy prevented him from doing so.
After doing some thinking, the person realized that access points only cost $100; so he went out and bought an access point. Since there was a spare network jack in his office, he simply attached the access point to the network and was in business. The big problem with this wasn’t that wireless networking is insecure—there are ways of securing it. The problem was that the person didn’t bother to enable security on his access point. Therefore, the company had a policy against wireless networking, but it nonetheless had a wireless network that it didn’t even know existed and that wasn’t even using WEP encryption—much less any other security feature.
Wireless networking security
Disconnecting unused network jacks is a start when it comes to preventing unauthorized wireless access points. The problem is that many access points have built-in, four-port Ethernet switches. This means that someone could easily plug an access point into his or her existing network connection and then plug the wired PC directly into the access point. Even so, disconnecting unused network jacks is still a good idea.
I won't dive into a discussion about wireless networking security because most of it doesn’t really have anything to do with physical security. (You can find out more about securing wireless networks by reading the Daily Drill Down “Design a secure wireless LAN.”) Even so, there is a specific physical issue involved in wireless security that I need to address: how to keep the signal from physically leaving the building and being accessible to someone on the street or in the parking lot.
There are several structural things you can do to reduce the leakage of wireless signals. Some building materials, such as plaster and stucco, employ metal mesh underpinnings that can block or reduce wireless signals. Some companies are developing wallpaper that’s designed to block wireless signals from leaving the building. Unless you're ready to rewallpaper your office, however, I recommend getting an access point with adjustable power settings. Many of the newer access points allow you to control the signal strength. With a little tinkering, you can actually create a wireless network in which your access point’s signal doesn’t leave the building.
Physical security plays a huge role in your network’s overall security. Without physical security, none of your security policies and procedures even matter because they can be bypassed so easily.