



Physical Security: Objectives and Overview
Category: Physical Security
Author: Justin Kallhoff
Date Added: February 6th, 2007

Introduction

Hurricane Katrina, 9/11, and the Asian Tsunami have all increased awareness of the need for physical and environmental security. Businesses throughout the world now ask their information technology and risk professionals more questions, give them larger budgets, and set higher expectations to withstand unexpected interruptions.

Physical security is generally accepted as the most important, yet most often overlooked area of information security. Organizations might believe that they are protected because they have a guard at the front door and electronic key badges at entrances. The domain of physical security involves much more than just protecting your perimeter. A common misconception is that physical security is an old-fashioned area of information security. With the proliferation of mobile devices, remote workers, terrorism, and natural disasters, physical security is more important now than ever before.

Safety First

The priority of physical security is similar to other areas of security--to ensure the "CIA triad" (confidentiality, integrity, and availability) of assets. The glaring and important difference with physical security versus other domains is that the number one priority of physical security is human safety. In other words, if your data center is engulfed in flames, your first and only priority should be to make sure that all humans are safe before saving an all-important database or back-up tapes.

Safety Threats

When calculating risk, we always need to consider the potential threats that apply to our organization and how vulnerable we are to those threats. Fires, floods, and natural disasters are obvious threats to physical security; however, every company is vulnerable to these threats. A common cause of interruptions, whether purposeful or accidental, is human behavior: someone accidentally unplugs or turns off the wrong device, a hacker/cracker executes an exploit and unexpectedly crashes a server, an employee steals a device, and so on. In recent years, politically motivated threats, including terrorism, have increased in prevalence and can also be devastating to a physical environment.

Safety Training and Awareness

The best method to lower the risk associated with physical threats consists of training or education. Although it's impossible to prevent or predict earthquakes, tornadoes, and floods, it is not difficult to educate your staff on what to do if such unpredictable acts of nature do occur. If you prepare your people, you decrease your vulnerability to such threats.

Emerging Risks

Mobile Devices

The proliferation of mobile devices and people working outside of the traditional office is occurring at a fast pace. Devices continue to get smaller and more powerful, and people expect to be able to perform any task they do from their desk at work from anywhere in the world. Although the efficiency gains with these new technologies are significant, there are also serious increases in risk that must be mitigated to ensure the confidentiality, integrity, and availability of your assets.

Mobile device security is a particularly difficult challenge because of the rate at which the technology is advancing. The market is competitive and financially lucrative; therefore, technologies get distributed to the masses without proper testing and research. When this model is followed, security is often an afterthought that is generally too late, instead of being integrated from the beginning.

Laptops and smart phones that hold sensitive data (for example, corporate e-mail) should be protected with encryption and strong authentication mechanisms. Depending on your environment, VPN technologies should also be considered for both mobile phones and laptops. There have already been many publicized incidents demonstrating the losses that organizations incur when assets containing sensitive data are lost or stolen. Anytime a device or data leaves the controlled environment, a whole new risk approach must be applied.

Human Error

In the current world landscape, we have to take into account the possibilities of things, such as terrorism and war, when we consider risks to our organizations. This is particularly important in metropolitan areas--where the most damage can be inflicted by a motivated individual or group. Although the potential for these types of events to impact your assets is hopefully low, the results can be devastating if proper planning and good practices aren't in place.

The National Archives & Records Administration in Washington states: "93% of companies that lost their data center for 10 days or more, due to a disaster, filed for bankruptcy within 1 year." These threats aren't specific to the physical buildings themselves; they can involve interruptions in your critical supply systems, including electricity, water, and communications. Having the appropriate action plans and good redundancy systems in place can help mitigate these rare but devastating risks.

USB Mass Storage

USB devices that hold gigabytes of data in a form factor equivalent to the size of a single human finger are widely available and distributed. The potential for intellectual property loss has increased dramatically as a result of these devices. Now, individuals that want to steal mountains of data don't need to send it over a single wire, where logical controls might catch the loss, nor do they need to gain access to a CD writer; all they need is a single USB port on any machine on the local network. These devices also increase the likelihood of malware entering a private network because they often bypass a lot of the logical controls in place. This technology will continue to evolve and become more affordable, which increases the risks associated with these devices.

General Physical Security Practices

Defense-In-Depth

In physical security, like all security, the best approach is a layered defense. You should never depend 100 percent on a control to protect your critical assets.

Lesson learned: The more layers of defense you have in place, the less vulnerable you are to a threat. Also remember that you can have 10 layers of logical security controls protecting an asset and they can generally be circumvented quickly and easily if physical access is gained.

Practice Makes Perfect

Every organization should practice its evacuation and recovery procedures regularly and with seriousness. If the leaders of an organization take this practice and testing seriously, the entire organization is more likely to follow suit. In the event of an emergency, a trained and aware staff can increase the chances that you safely protect your employees.

Gaining an outside perspective can often shed light on things your personnel haven't thought about or had experience with. Hiring an independent review of your practices and procedures can help strengthen your security posture. Reputable organizations are available to attempt to infiltrate your environment. If a cup of coffee and a smile get them inside your doors, it's better to find out from the people you hired before it's someone that you didn't!

Geographic Redundancy

Ask yourself this question: "What is the purpose of having your back-up facility across town or even in the same state?" Some might say that it's best to have the same resources manage both locations. However, many of the most probable interruptions can likely impact both facilities if they are geographically too close. Natural events, such as earthquakes, tornadoes, hurricanes, and flooding, can all impact two facilities at the same time if they are too close to each other. Supply systems, such as communications and electrical outages, can just as easily be affected if facilities are too close.

Security Staffing

There has been a slow paradigm shift occurring in security over the past few decades. Physical security used to be seen as separate from information security. Until recently, different departments or leaders used to manage physical security and information security. These separate organizations didn't communicate or work together closely. Today, we are witnessing the integration of information security and physical security within many businesses. Highly skilled security professionals must understand all threat vectors today. Highly skilled and financially funded attacks generally employ a multitude of physical and electronic mechanisms to breach the security of their target. Making sure that your organization is comprised of individuals that understand these trends and topics can ensure that you are suited to keep your environment safe and stable.

Summary

Technology and data become more integrated and vital to the world economy every day. Most organizations depend on information systems in at least some aspect of their business. Every organization needs to ask itself if it could survive a prolonged interruption to its primary facilities. Physical and environmental security is still a critical area of concern and requires consistent budget and planning from the appropriate resources. By understanding the risks to your physical security, you can reduce them over time and be prepared should a risk ever turn into an incident.


