Not all attacks on your organization's data come across the network. It's imperative that companies remember that maintaining an "iron-clad" network security program doesn't immunize them against the physical assault or theft of data and the networked resources that contain that data.
Attackers can be from outside organizations, but they can also be insiders — disgruntled or greedy employees or contractors. When attackers are able to physically access a system, they can wreak a world of havoc.
These attackers can often cause systems to fail, and they can compromise password-protected computers by booting from a removable "boot" disk instead of the installed operating system. Even routers that are otherwise secured will grant administrative privileges to anyone standing at the device who interrupts its startup process. In addition, attackers can directly access networks by adding or rearranging connections, and they can easily steal physical objects if they're already on the inside.
Given the trend toward smaller, more lightweight PC components, physical security is growing increasingly important. Let's look at how you can protect your organization and its data.
Not only should you implement a physical access control program in your company, but it's vital that you also strictly enforce the measures you apply. At minimum, these measures should address both personnel access and access to information and equipment.
Follow these guidelines for restricting personnel access:
- Initiate a badge program that includes an employee picture, and color-code specific areas of access.
- Make it a policy to question anyone who doesn't have a visible ID badge.
- Escort, observe, and supervise guests for their entire visit.
- Don't allow anyone — including vendors, salespeople, etc. — to connect personal laptops (or any other computing device) to your network.
- Don't allow anyone to add hardware or software to computers without proper authorization.
- Watch out for "tailgaters." These people wait for someone with access to enter a controlled area (such as one with a locked door) and then follow the authorized person through the door. Tailgaters enter without using their own key, card key, or lock combination.
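As an added example that is not part of the original article, the script below reviews badge-reader events for the two problems the badge and tailgater guidance above is meant to catch, and generalizes it slightly: an interior door that opens for a badge which never crossed the perimeter is the trace a tailgater leaves (an anti-passback check), and a grant in a zone the badge's colour code does not permit points to a misconfigured reader or register. The log format, zone names, colour codes and badge register are assumptions; the log lines are constructed.

```python
# Added example: anti-passback review of badge-reader events.
# Assumptions (not from the article): each reader logs
# "time,badge,zone,result"; interior zones are reachable only via the
# "perimeter" zone; the badge register maps badge -> colour code.

# Hypothetical colour codes -> zones they may enter.
ZONE_ACCESS = {
    "blue": {"perimeter", "office"},
    "red": {"perimeter", "office", "server_room"},
}
# Hypothetical badge register.
BADGES = {"B100": "blue", "B200": "red", "B300": "blue"}

# Constructed sample log for one morning.
SAMPLE_LOG = """\
08:01,B100,perimeter,granted
08:02,B200,perimeter,granted
08:05,B200,server_room,granted
08:07,B300,office,granted
08:09,B100,server_room,denied
08:10,B300,server_room,granted
"""

def parse_events(text):
    return [tuple(line.split(",")) for line in text.strip().splitlines()]

def find_anomalies(events):
    """Return (time, badge, reason) tuples for events worth a follow-up.
    no_perimeter_entry: interior door granted to a badge that never badged
        through the perimeter, so the holder most likely tailgated in.
    zone_not_permitted: grant in a zone the badge's colour code disallows.
    """
    seen_perimeter = set()
    anomalies = []
    for ts, badge, zone, result in events:
        if result != "granted":
            continue  # denials are logged but need no anti-passback check
        if zone == "perimeter":
            seen_perimeter.add(badge)
            continue
        if badge not in seen_perimeter:
            anomalies.append((ts, badge, "no_perimeter_entry"))
        if zone not in ZONE_ACCESS.get(BADGES.get(badge), set()):
            anomalies.append((ts, badge, "zone_not_permitted"))
    return anomalies

if __name__ == "__main__":
    for ts, badge, reason in find_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{ts} {badge}: {reason}")
```

Running it on the constructed log flags badge B300 twice for entering interior zones without a perimeter entry and once for a server-room grant its colour code does not allow.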
Follow these guidelines for protecting information and equipment access:
- Place monitors and printers away from windows and areas where unauthorized persons could easily observe them.
- Shred or otherwise destroy all sensitive information and media when it's no longer necessary.
- Don't leave documents unattended at fax machines or printers.
- Require all users to log off or power down workstations at the end of the working day.
- Lock up portable equipment (e.g., laptops, PDAs, media, memory sticks) out of sight in a safe storage place overnight.
- Don't allow the removal of computers or storage media from the work area or facility without ensuring that the person removing it has authorization and a valid reason.
- Provide locks or cables to prevent theft, and lock computer cases.
Physical access to corporate data by an unauthorized person is an assault on your organization's security. Once someone gains physical access to your data — whether it's a stolen laptop or lost documents or media — you become vulnerable to further attacks, not to mention a lot of bad publicity. Use these guidelines to take steps to prevent such a loss before it occurs.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.