Physical Security Threats
Category: Physical Security
Author: Justin Kallhoff
Date Added: March 30th, 2007

1. Introduction
One of the most important steps in any risk management strategy is to identify the threats to your organization. A threat is defined as an event (for example, a tornado, theft, virus infection), the occurrence of which can have an undesirable impact on the well-being of an asset. The objectives of physical security are to ensure the confidentiality, integrity, and availability of assets. The fourth and always most important objective is the safety of the people in any environment. The primary purpose of this paper is to specifically focus on threats that put those objectives at risk.
Physical security, the most often overlooked portion of security, has been brought to the forefront of many organizations in the past 5 years. The attention can be credited mostly to multiple catastrophic events worldwide in that same time frame. Although some are man-made, many of the most widespread and destructive are the result of Mother Nature.
It is the responsibility of all individuals within the organization to ensure that it is prepared for any physical or environmental interruptions. However, the ultimate responsibility falls on the top-level leadership to maintain proper levels of planning, testing, and oversight. By identifying and understanding the threats to physical security, organizations can more effectively overcome interruptions, thereby lowering the organization's risk to unknown events.
2. Threat Categories
Generally, four categories based on causation threaten physical security: nature/environmental, supply systems, man-made, and political. Let's take a more in-depth look at each category with examples.
Nature/Environmental
These include anything caused or created by Mother Nature or resulting from naturally occurring phenomena. Many examples of naturally occurring events can threaten physical security, including but not limited to the following:
- Hurricanes
- Tornadoes
- Wind
- Earthquakes
- Snow/ice
- Floods
- Humidity
- Static Electricity
- Extreme Temperatures
- Dust/dirt
- Lightning
- Avalanches/slides
- Volcanic eruptions
- Fire
Supply Systems
These include the critical infrastructure and utilities that most organizations depend on for daily operations, including but not limited to power, water, and communications providers.
Man-Made
Humans are the most common threat to physical security, generally because of negligence. We spend the most money and effort in defending against these types of physical threats. Man-made threats consist of a wide array of possibilities; some examples include hackers/crackers, theft, fire, human error (hitting the wrong button, unplugging the wrong cord, and so on), mechanical/electrical malfunction, explosions, vibration, spills, malicious code, radio frequency interference, fraud, intruders, magnetism, toxic chemicals, pollution, overloaded electrical outlets, and many more.
Political Events
With governments, politics, and religion come power struggles that can sometimes lead to violence. We have witnessed many of these unfortunate struggles that continue to occur worldwide. Bombings, strikes, terrorism, riots, espionage, wars, and so on all can have considerable effects on the security of an organization and its capability to operate normally.
3. Emerging Threats
The physical security environment is quickly becoming more complex and more difficult to protect for several reasons:
- The number of individuals working outside the traditional office space is dramatically increasing. A startling survey of remote workers was published on cisco.com at: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_white_paper0900aecd8054581d.shtml
- The number of people carrying powerful mobile communication devices with sensitive information is growing quickly. The devices commonly lack many of the standard security implementations that normal devices are subjected to. Several surveys about mobile device security have been performed; the results highlight the problem:
  - Twenty-two percent of survey respondents lost a PDA in the past year; of those, 81 percent did not employ protective measures such as personal identification numbers (PINs) or encryption.
  - Thirty-seven percent of PDAs have sensitive information on them, including account numbers, corporate data, and passwords.
  - Only 40% of respondents to one survey reported the mobile device theft to the police.
- The number of workers utilizing laptops instead of desktops continues to grow quickly. The pattern requires an extra effort in protecting the data residing on these devices.
- USB mass storage technology makes data theft more feasible and difficult to detect or deter.
- Social engineering is becoming more prevalent as attacks become more diverse and multidisciplined.
- We are witnessing an increase in politically motivated attacks. Organizations that realize the potential damage that can be inflicted through the Internet have become highly motivated and profitable.
- Identity theft is at the forefront of many organizations that store large amounts of consumer data. The problem has gained a lot of traction because of the potential financial gain from obtaining large amounts of sensitive, private information. This problem crosses into the physical security area in the protection and disposal of media including paper.
According to a report published by The Alliance for Enterprise Security Risk Management (AESRM), one company indicated that individual identity records are worth $60 on the black market, and one backup tape full of these records can be worth more than $1 million. Enterprises must ensure that this information is physically secure. This is possible only if physical and information security reach across their functional domains to work together with the goals of the business in mind.
- Corporate espionage is becoming increasingly popular as companies look to gain an advantage on competitors. Penetrating competitors' IT infrastructure can be a huge advantage when sensitive documents regarding upcoming products and financial data can be obtained.
As technology evolves and the security landscape changes, security professionals must stay abreast of the current trends and continually learn how to adjust their posture to keep their risk levels to a minimum.
4. Prioritizing Threats
Time and money are always limited resources when trying to create a solid security posture. Being asked to prioritize security can be a daunting task. Threats are widespread and they constantly evolve. A common approach to gaining insight into the most important threats to your organization is to perform a simple business impact analysis (BIA).
Here is a simple example:

Source: http://www.cccure.org/Documents/HISM/images/10-01.jpg
Note: Rank each impact based on 4 = high to 1 = low. Rank each resource based on 4 = weak resources available to 1 = strong resources available.
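A BIA scoring pass using the ranking scale from the note above, as an added example that is not part of the original paper. The impact categories, the sample ratings, and the rule of summing the ranks are assumptions made here for illustration.

```python
from dataclasses import dataclass

# Impact categories are assumptions for this example; substitute the ones
# your organization actually rates in its BIA.
IMPACT_CATEGORIES = ("safety", "financial", "operational")


@dataclass(frozen=True)
class ThreatRating:
    name: str
    impacts: dict    # category -> rank, 4 = high impact ... 1 = low impact
    resources: int   # 4 = weak resources available ... 1 = strong

    def validate(self):
        missing = set(IMPACT_CATEGORIES) - set(self.impacts)
        if missing:
            raise ValueError(f"{self.name}: unrated categories {sorted(missing)}")
        for label, rank in {**self.impacts, "resources": self.resources}.items():
            if not isinstance(rank, int) or not 1 <= rank <= 4:
                raise ValueError(f"{self.name}: {label} rank {rank!r} is not 1-4")

    def score(self):
        # Assumed combination rule: sum of all ranks. Because 4 means *weak*
        # resources, a poorly resourced threat scores higher, not lower.
        self.validate()
        return sum(self.impacts[c] for c in IMPACT_CATEGORIES) + self.resources


def prioritize(ratings):
    """Return (name, score) pairs, highest priority first; ties by name."""
    scored = [(r.name, r.score()) for r in ratings]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample ratings, for illustration only.
SAMPLE = [
    ThreatRating("Tornado", {"safety": 4, "financial": 3, "operational": 4}, 2),
    ThreatRating("Insider theft", {"safety": 1, "financial": 4, "operational": 3}, 4),
    ThreatRating("Power outage", {"safety": 2, "financial": 2, "operational": 4}, 1),
    ThreatRating("Lost laptop", {"safety": 1, "financial": 3, "operational": 2}, 3),
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE):
        print(f"{score:2d}  {name}")
```

Insider theft has lower raw impact than the tornado in this sample but lands close behind it because few resources are available to counter it, which is the effect of the inverted resource scale.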
An important thing to remember when prioritizing threats is that the most probable aren't necessarily the most covered in the popular media. Information security (IS) management polls continue to reveal that insider threat, due to disgruntled employees or dishonest employees, is the number one risk to the security of computing resources. Recent FBI statistics indicate that 72% of all thefts, fraud, sabotage, and accidents are caused by a company's employees. Another 15% to 20% comes from contractors and consultants who are given access to buildings, systems, and information. Only about 5% to 8% is done by external people; yet the press and management focus mostly on them. By focusing on the most probable threats, you can quickly lower your organization's risk dramatically.
5. Bottom Line
Threats to physical security are diverse in nature and, if they occur, can be devastating to the livelihood of an organization. Technology continues to become more integrated into everything we do, particularly within our critical infrastructure. The more dependent we become on technology, the more important it becomes that we take the appropriate actions to make them resistant to all threats.
Organizations owe it to their employees, customers, investors, and such to take security seriously and invest in the appropriate technology and people. Those that do not put everyone involved at risk of a single incident causing irreparable damage to their livelihood. Due diligence in considering physical threats is a vital responsibility of the entire organization from top to bottom that should not be overlooked or placed low on the priority list.
References
Hansche, S., J. Berti, and C. Hare. Official (ISC)2 Guide to the CISSP Exam. New York, NY: Auerbach Publications, 2004.
Cole, E. (2006). SANS +S Training Program for the CISSP Certification Exam: Physical Security. Bethesda, Maryland: SANS.
Cisco Corporation. (2006). Understanding Remote Worker Security: A Survey of User Awareness vs. Behavior. Retrieved from the World Wide Web February 15, 2007: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_white_paper0900aecd8054581d.shtml
The Alliance for Enterprise Security Risk Management (AESRM). (2005, November 8). Convergence of Enterprise Security Organizations.
Krause, M., Tipton, H. Information Security Management Handbook. New York, NY: Auerbach Publications, 2003.

