Emerging Tech optimize

10 physical security measures every organization should take


This information is also available as a PDF download.

Every general computer networking class teaches the OSI and/or DoD networking models, and we all learn that everything begins at the bottom, with the physical level. Likewise, when it comes to IT security, physical security is the foundation for our overall strategy. But some organizations, distracted by the more sophisticated features of software-based security products, may overlook the importance of ensuring that the network and its components have been protected at the physical level.

In this article, we'll take a look at 10 of the most essential security measures you should implement now, if you haven't already done so.

#1: Lock up the server room

Even before you lock down the servers, in fact, before you even turn them on for the first time, you should ensure that there are good locks on the server room door. Of course, the best lock in the world does no good if it isn't used, so you also need policies requiring that those doors be locked any time the room is unoccupied, and the policies should set out who has the key or keycode to get in.

The server room is the heart of your physical network, and someone with physical access to the servers, switches, routers, cables and other devices in that room can do enormous damage.

#2: Set up surveillance

Locking the door to the server room is a good first step, but someone could break in, or someone who has authorized access could misuse that authority. You need a way to know who goes in and out and when. A log book for signing in and out is the most elemental way to accomplish this, but it has a lot of drawbacks. A person with malicious intent is likely to just bypass it.

A better solution than the log book is an authentication system incorporated into the locking devices, so that a smart card, token, or biometric scan is required to unlock the doors, and a record is made of the identity of each person who enters.

A video surveillance camera, placed in a location that makes it difficult to tamper with or disable (or even to find) but gives a good view of persons entering and leaving should supplement the log book or electronic access system. Surveillance cams can monitor continuously, or they can use motion detection technology to record only when someone is moving about. They can even be set up to send e-mail or cell phone notification if motion is detected when it shouldn't be (such as after hours).

#3: Make sure the most vulnerable devices are in that locked room

Remember, it's not just the servers you have to worry about. A hacker can plug a laptop into a hub and use sniffer software to capture data traveling across the network. Make sure that as many of your network devices as possible are in that locked room, or if they need to be in a different area, in a locked closet elsewhere in the building.

#4: Use rack mount servers

Rack mount servers not only take up less server room real estate; they are also easier to secure. Although smaller and arguably lighter than (some) tower systems, they can easily be locked into closed racks that, once loaded with several servers, can then be bolted to the floor, making the entire package almost impossible to move, much less to steal.

#5: Don't forget the workstations

Hackers can use any unsecured computer that's connected to the network to access or delete information that's important to your business. Workstations at unoccupied desks or in empty offices (such as those used by employees who are on vacation or have left the company and not yet been replaced) or at locations easily accessible to outsiders, such as the front receptionist's desk, are particularly vulnerable.

Disconnect and/or remove computers that aren't being used and/or lock the doors of empty offices, including those that are temporarily empty while an employee is at lunch or out sick. Equip computers that must remain in open areas, sometimes out of view of employees, with smart card or biometric readers so that it's more difficult for unauthorized persons to log on.

#6: Keep intruders from opening the case

Both servers and workstations should be protected from thieves who can open the case and grab the hard drive. It's much easier to make off with a hard disk in your pocket than to carry a full tower off the premises. Many computers come with case locks to prevent opening the case without a key.

You can get locking kits from a variety of sources for very low cost, such as the one at Innovative Security Products.

#7: Protect the portables

Laptops and handheld computers pose special physical security risks. A thief can easily steal the entire computer, including any data stored on its disk as well as network logon passwords that may be saved. If employees use laptops at their desks, they should take them with them when they leave or secure them to a permanent fixture with a cable lock, such as the one at PC Guardian.

Handhelds can be locked in a drawer or safe or just slipped into a pocket and carried on your person when you leave the area. Motion sensing alarms such as the one at SecurityKit.com are also available to alert you if your portable is moved.

For portables that contain sensitive information, full disk encryption, biometric readers, and software that "phones home" if the stolen laptop connects to the Internet can supplement physical precautions.

#8: Pack up the backups

Backing up important data is an essential element in disaster recovery, but don't forget that the information on those backup tapes, disks, or discs can be stolen and used by someone outside the company. Many IT administrators keep the backups next to the server in the server room. They should be locked in a drawer or safe at the very least. Ideally, a set of backups should be kept off site, and you must take care to ensure that they are secured in that offsite location.

Don't overlook the fact that some workers may back up their work on floppy disks, USB keys, or external hard disks. If this practice is allowed or encouraged, be sure to have policies requiring that the backups be locked up at all times.

#9: Disable the drives

If you don't want employees copying company information to removable media, you can disable or remove floppy drives, USB ports, and other means of connecting external drives. Simply disconnecting the cables may not deter technically savvy workers. Some organizations go so far as to fill ports with glue or other substances to permanently prevent their use, although there are software mechanisms that disallow it. Disk locks, such as the one at SecurityKit.com, can be inserted into floppy drives on those computers that still have them to lock out other diskettes.

#10: Protect your printers

You might not think about printers posing a security risk, but many of today's printers store document contents in their own on-board memories. If a hacker steals the printer and accesses that memory, he or she may be able to make copies of recently printed documents. Printers, like servers and workstations that store important information, should be located in secure locations and bolted down so nobody can walk off with them.

Also think about the physical security of documents that workers print out, especially extra copies or copies that don't print perfectly and may be just abandoned at the printer or thrown intact into the trash can where they can be retrieved. It's best to implement a policy of immediately shredding any unwanted printed documents, even those that don't contain confidential information. This establishes a habit and frees the end user of the responsibility for determining whether a document should be shredded.

Summary

Remember that network security starts at the physical level. All the firewalls in the world won't stop an intruder who is able to gain physical access to your network and computers, so lock up as well as lock down.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

11 comments
isaac_helgens
isaac_helgens

If you're looking at offsite colo you could find a secure data center like Wikia did with USSHC. www.USSHC.com

robo_dev
robo_dev

1) Disable unused ports, especially in conference rooms or lobby areas. Look for ethernet jacks in shipping areas or other hidden areas. An intruder could plug in a Wireless access point and hack away from his car. 2) Consider implementing network access control (NAC) or mac-address based port security. Besides rogue wireless access points, the consultant who plugs his netgear router into the lan for a demo in the conference room (with dhcp server enabled), or the geek who plugs in his wireless accesss point can shut down your network or open your network to the world. 3) Got wireless networking? Assuming that all the security features are enabled, are the devices secure? If somebody can stand on a chair and do a 'factory reset' of the device, there goes the security.

LiamE
LiamE

Dont forget to set a policy regarding decommisioning old PC's.

walldorff
walldorff

There's more equipment which can be placed in the secured server room: 1. Power supply: Install a external power supply, such as a generator, which automatically starts up when the power supply in the server room fails. 2. Telephone system Be sure all the cental telephone equipment is also in the secured server room. A hacker with access to the telephone lines can do damage. 3. Alarm system The same goes for the alarm system. Many alarm systems work together with the telephone system to alert people. Tampering with this equipment can be fatal. Maybe it's worth also thinking about all other central (and maybe vital) controls, such as controls for climate management (airco and heating). Think about what YOU would do to bring damage to a company. Roland

TBBrick
TBBrick

Don't for get the haldon fire extinguisher for the server room

Nodisalsi
Nodisalsi

1. Training. Train staff about security issues: password selection, social engineering tactics, email phishing; then this will make it close to impossible for an outsider to intrude. I also urge a policy of vetting new or temporary staff, and carrying out further disclosure checks where sensitive data is retained by the bureau. 2. Trash. A policy of shredding all expired or temporary documents with senstive information on them. Deploy specially marked bins throughout the bureau which should be emptied daily - with the (pre)shreds stored in a locked room.

shahidah3
shahidah3

How about backup that reside in other organization (outsourcing). How to ensure the security of data that have been backup?

jlafitte
jlafitte

[pre]There's more equipment which can be placed in the secured server room: 1. Power supply: Install a external power supply, such as a generator, which automatically starts up when the power supply in the server room fails.[/pre] You mean an uninterruptable power supply (UPS). A generator would be an unacceptable fire and carbon monoxide risk in the server room. [pre]2. Telephone system Be sure all the cental telephone equipment is also in the secured server room. A hacker with access to the telephone lines can do damage.[/pre] There will have to be a point at which the telephone service enters the [i]building[/i], let alone the server room. Even if you don't deal with a telco, you'll have to have VoIP hardware connecting either to a cable outside the server room or a cable going to your satellite link with Hughes or whoever your connectivity provider is. [pre]3. Alarm system The same goes for the alarm system. Many alarm systems work together with the telephone system to alert people. Tampering with this equipment can be fatal.[/pre] Even residential alarm systems have cellular phone backup in case someone cuts the POTS (plain old telephone service) line to the subscriber's home. So THAT's plausible. Come to think of it, if your business uses streaming offsite backup, THAT can also serve as at least an alternate monitoring channel. [pre]Maybe it's worth also thinking about all other central (and maybe vital) controls, such as controls for climate management (airco and heating).[/pre] Perhaps there should be a separate, locally-controlled zone in the climate control system for the server room. It doesn't make sense from either a convenience or a workplace safety standpoint to put all the controls for the climate control for the entire building in an area inaccessible to all but a select few employees. [pre]Think about what YOU would do to bring damage to a company.[/pre] Ever see the movie [i]China Syndrome[/i]? Putting all the controls for a building in a tightly secured room sounds like a recipe for a disaster if one of the chosen few with access to that room suddenly becomes disgruntled. Especially if that person were conversant with how ALL of the systems worked. No, if I really wanted to damage a company, I'd put an egotistical little schvantz in charge of it and let him fire all the people who got him his business after they landed his first multi-million dollar contract for him so he could hire people who looked nicer. No technical ability required at all. :-) In fact, technical ability is a minus in this respect - if you really want to damage a company, fill it with office-jobbing glad-handers and back-stabbing wankers who look nice in suits. I've seen it work very well, indeed. Took a promising small business from doing better than a million per year net to nonexistence. And it couldn't have happened to a nicer bunch of folks.

robo_dev
robo_dev

FM-200 is the modern equivalent.

Dr Dij
Dr Dij

new device for fire fighting that very quickly absorbs oxygen in the server room. Kind of a reverse of the oxygen generators on planes. This stops fires cold. And I recall it doesn't need to even get all the oxygen, just below a certain percent.