Security

Protect corporate data with these physical security precautions

Not all attacks on your organization's data come across the network. Once someone gains physical access to your data, you become vulnerable to further attacks, not to mention a lot of bad publicity. Get some guidelines for locking down physical access.

Not all attacks on your organization's data come across the network. It's imperative that companies remember that maintaining an "iron-clad" network security program doesn't immunize them against the physical assault or theft of data and the networked resources that contain that data.

Attackers can be from outside organizations, but they can also be insiders -- disgruntled or greedy employees or contractors. When attackers are able to physically access a system, they can wreak a world of havoc.

These attackers can often cause systems to fail, and they can compromise password-protected computers by using a removable "boot" disk to gain access. Secured routers will allow administrative privileges to anyone who interrupts their startup process. In addition, attackers can directly access networks by adding or rearranging the connections, and they can easily steal physical objects if they're already on the inside.

Given the trend toward smaller, more lightweight PC components, physical security is growing increasingly important. Let's look at how you can protect your organization and its data.

Not only should you implement a physical access control program in your company, but it's vital that you also strictly enforce the measures you apply. At minimum, these measures should address both personal access and information and equipment access.

Follow these guidelines for restricting personal access:

  • Initiate a badge program that includes an employee picture, and color-code specific areas of access.
  • Make it a policy to question anyone who doesn't have a visible ID badge.
  • Escort, observe, and supervise guests for their entire visit.
  • Don't allow anyone -- including vendors, salespeople, etc. -- to connect personal laptops (or any other computing device) to your network.
  • Don't allow anyone to add hardware or software to computers without proper authorization.
  • Watch out for "tailgaters." These people wait for someone with access to enter a controlled area (such as one with a locked door) and then follow the authorized person through the door. Tailgaters enter without using their own key, card key, or lock combination.

Follow these guidelines for protecting information and equipment access:

  • Place monitors and printers away from windows and areas where unauthorized persons could easily observe them.
  • Shred or otherwise destroy all sensitive information and media when it's no longer necessary.
  • Don't leave documents unattended at fax machines or printers.
  • Require all users to log off or power down workstations at the end of the working day.
  • Lock up portable equipment (e.g., laptops, PDAs, media, memory sticks) out of sight in a safe storage place overnight.
  • Don't allow the removal of computers or storage media from the work area or facility without ensuring that the person removing it has authorization and a valid reason.
  • Provide locks or cables to prevent theft, and lock computer cases.

Final thoughts

Physical access to corporate data by an unauthorized person is an assault on your organization's security. Once someone gains physical access to your data -- whether it's a stolen laptop or lost documents or media -- you become vulnerable to further attacks, not to mention a lot of bad publicity. Use these guidelines to take steps to prevent such a loss before it occurs.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

9 comments
jeenasmith
jeenasmith

mostly people are worried about the security issues from the network but physical security of the bsuiness is also very important. those agencies which provides [url=http://www.mcmsecurity.com/industry-office-security.html]corporate security[/url] mainly includes front gate control, recording on site visitors and montering through CCTV cameras. so hiring this kind of agency can be beneficial for smooth running of the business.

check_here
check_here

Mike has simply brought up some precautions necessary to protect corporate data, and i can't but agree with him that these precautions are necessary where corporate data is of value against identified attacks. The use of biometrics and other technologies assists in ensuring that these precautions are not violated He provides more or less defensive actions to prevent theft or intrusion. All these precautions should be part of IT Policy which could be implemented at the system level to further prevent compromise. Implementation at the system level will enhance auditing and investigation of cases of suspicion or actual compromise.

grammarye
grammarye

Good article, though I'd like to see something about how to deal with WHEN physical items are stolen (e.g. USB drives, laptops, Blackberries) and limiting what an attacker can do after they stole that employee's car or bag etc. that happens to have that laptop with sensitive data on it, along with VPN access etc... However, it's worth noting the author's background - if you're working on literally secret data, defense, etc. then all of these measures and more are important. A pinch of salt is required in that these aren't all necessary in all circumstances. Not every business needs to pretend to be Fort Knox. For those that do, this guide is a good starting point.

ideallypc
ideallypc

Dudes, Stop thinking like geeks trying to add high tech solutions. The problem is that high tech never solves many global problems, it simply adds to the cost structure. Adding biometrics? Adding cameras? Who's going to administer and monitor this? It works for a while for building an IT Empire, but eventually it will crash because it's not free guys and rarely cost-justifiable! Think about using common sense and being smarter than the average weasel. Consider low tech things like requiring passwords for EVERYONE to be updated regularly - every 90 days. And when I say passwords, I mean secure passwords, not "Password" or "Skippy" (the pet dog!) or "Angela" (the bosses wife). Add group policies like requiring all USB Ports to be disabled at boot, all data to be stored on the server, all other I/O points disabled, the registry to be locked. Oh, here's a good one, LIMITED USERS! How about turning off the CD Drive's ability to burn? For that matter, why does everyone need a CD that autoloads a script when a CD is inserted? Does everyone really need to be able to copy an entire directory off to CD without anyone knowing about it?...if so, make sure that every departing employee has a non-revokable ID, remote access and password. Seriously, another good one is to require screen savers that kick in after 10 minutes - everyone! Does everyone need access to IM and Webmail? Again "What's the business purpose?" Go ahead and block the ports, the IPs and the hostnames of the 10 most common e-mail providers. That's pretty easy considering the telco/webco consolidation that is going on. Think about monitoring streaming as well...does Johnny really need to listen to the traffic report or surf report from Hermosa Beach? Does Janet really need to watch the web cam of her kid in high-tech daycare? Block the source and block the potential for web parasites hanging onto a free pass into the inside of your business network. Think of the bandwidth savings $$ - you just postponed the need for a new T1! Consider quarantining e-mail attachments; both inbound and outbound for review or automated or manual scanning before delivery. Block all executables. Always ask "What's the business purpose of this {fill in the blank}." How about disabling /self-destructing laptops or other portable devices that don't phone home regularly in a secure, human authenticated manner? Heck, if they show up later, simply dump the tested and reliable image back on them. Better yet, just pop in one of the many standardized hard drives you prepared for just such an occassion because you use standard equipment right? It takes 5 minutes tops to get the machine back on-line. Talk about impressive service for fixing an anticipated user error! And Blackberries too, why not use the controls that the folks at RIM and Microsoft have cooked up like password protection at start-up? Apply it as a non-option -wanna Blackberry, get used to the password feature. That seems like easy to do stuff! Then think virtual. If someone tries to connect to the network, validate the MAC address against an authorized table before granting access. That too is pretty simple, but rarely done. Oh, while you are at it, consider a separate and highly secure independent sub-net for visitors and guests that goes out only to the interet using only non-WEP WiFi. I'm not sure why they should have access to the whole network, but often do?? Thinking of visitors, seems they always forget to print before the visit, so dangle a USB cord from the back of the printers so that visitors can print that "oh so important" document(after they download the driver from the public internet or use the CD that is attached in the handy sleeve on the side of the printer for such fools) - most printers made since 2000 have a USB port and a network port and work with both, simultaneously just fine. An independent network for everyone AND everything that isn't approved to be on the business network with non-networked printing, that seems pretty secure. Add IT "follow-up" to port probes or other potential security breaches; especially if they come from within the network. Sometimes network topology map and station IDs helps here so control the physical connections and know where they are. Think of the savings by being smarter than your average geek, planning ahead and keeping costs down, and let the good ideas flow! That's how a geek gets promoted to a manager, not by building empires based on FUD. Plan well and thoroughly for the worst case, and remember that hardware is cheap, information is priceless!

mactaggart
mactaggart

It's important to include security cameras in this equations. At a minimum, you need to monitor all potential entrances and exits to the protected area, with sufficient resolution and frame rate to be able to clearly identify faces. From there, add cameras to monitor the interior. Have your CCTV provider integrate your card access and intrusion systems into the video recording, so that alarms, access denials and door openings are tagged and recorded as such.

jofert
jofert

Preventing unauthorized person to access is the first thing.So its good to use Biometric finger print scanner to login.

steve
steve

A few things to note: Screen savers done make a system anymore secure than not having one. I think you probably meant enable lock down after idle and require a password to unlock. MAC address administration is obtuse in small situations and practically unworkable in large configurations, unless the field is very static. Unfortunately that is no longer the case anymore. A better option and yes it is a bit more hi-tech is the use of 802.1x on wired and wireless. This allows control to be exerted at the port level. You could create a dump off for visitors (those who would not have the proper certificate in place ) to the Internet or even a black hole net. This allows every port to be wired up (simplifying administration on the physical plant) but allows the logical separation of the network. Whats an IT follow up? Any good network manager should already have monitoring, audit and control systems in place (SNMP, RMON, SNORT etc). This is a continuous process. Hardware is cheap BUT managing that hardware is not and thats the balance that has to be verified and validated at ever

grammarye
grammarye

If you happen to be working on defence secrets, or engaged in espionage, this would seem a reasonable level of security and auditing. For the average corporation extant from that world, what do cameras gain you aside from a reputation for voyeurism? Cameras don't remain hidden & secret even if initially designed that way - someone has to know where they are - external and internal threats will know where the cameras are, and if necessary to wear something over their face, adjust their appearance or quite simply not look at the camera. Would you propose they include night vision as well, since the obvious other solution to cameras is to turn off the lights and take a torch? In all important respects, it would seem to me that if there is a genuine need for physical security and access control of that level, well-paid security guards are a far more effective deterrent.

grammarye
grammarye

The trouble with biometrics is that they are absolutely useless for security by themselves (or at best, no better than anything else). Don't take my word for it, check out what the real security experts say about biometrics, e.g. Bruce Schneier, off the top of my head. They have the great feature of being almost unique (lets' be correct here, almost, not totally) and the absolutely awful feature of being irreplaceable. To put this in context, think about why anyone would ever advise you to change a password or door-code. So lets say I can place a convenient tapper or man-in-the-middle attack into a fingerprint reader used for access control (network, physical, doesn't really matter). Setting aside the numerous demonstrated physical attacks on such devices (fake fingers etc.) if I can gain electronic access to the device or its authentication channel, I can simply store and replay the appropriate signature. This is a classic attack, and really quite independent of the authentication technology. Put simply, biometrics are no better than any other single authentication mechanism, but with the added disadvantage that you can't change the code. Once your attacker has used their man-in-the-middle attack to steal all 10 of your fingerprints, you're screwed. You have no more to use. Now if you use biometrics as 'something you are' along with a password or 'something you know', in other words two-factor authentication, then there is some increase in security. However even two-factor has come under fire for suffering from other kinds of replay attacks, but that's another story. Don't make the mistake of thinking that replay attacks are confined to networks, either. Ultimately the circuitry of a fingerprint reader linked to an electronic door lock can be just as susceptible, which brings us nicely back to the main thrust of the article, which is limiting physical access.