Physical security: The overlooked domain

As few as 15 years ago, if you mentioned security to someone in the business world, they would immediately think about alarm systems, badge readers and door locks. Some years back, I visited the Equifax Atlanta data center, entry to which required a retina scan and practically an act of Congress. Today, the focus is on logical security — threat management, breach detection, intrusion prevention, etc. With the threats we face today from all over the world, logical security is very important. Physical security has unfortunately been relegated to the realm of secondary concerns.

In the world of CISSP certification, physical/environmental security has historically been one of the nine domains. As of 2015, it was combined with another domain that includes other items, further evidence of its diminishing importance in the minds of many security experts. I would suggest, however, that physical/environmental security is still of vital importance to information security, and is dangerous to overlook.

While it would seem easier for someone to breach your network in order to steal critical data and information, physical theft cannot be overlooked. These thefts may involve actual information, or just items such as manuals or a phone list to be used for social engineering purposes. In the early days of phone phreaking, for example, systems were breached as a result of hackers stealing manuals from Dumpsters.

Another concern related to physical security is the insider threat — an employee or contractor helping themselves to your information for financial gain. While these too often involve a breach of systems, they can easily involve physical security lapses, since these individuals are rightfully in your building in the first place. The 2014 U.S. State of Cybercrime Survey, a joint effort by Pricewaterhouse Coopers, Carnegie Mellon University, CSO magazine and the U.S. Secret Service, reported that “Only 49% of companies have a plan to address and respond to insider security threats — even though 32% of the same companies agree that crimes perpetrated by insiders are more costly and damaging than those committed by outsiders.” If insiders can walk into your data center and grab a removable hard drive, they have no need to break into your servers.
Finally, physical security is important to protect your most important assets: your employees. Many of the key aspects of physical security also protect your people. Beyond the value of human life, your business would be hard-pressed to operate without your employees.

Given the diminishing focus on physical security, I think a review of some key exposures in this domain is warranted.

The open lobby

This is one of my pet peeves in the physical security realm — the ability for an intruder to walk into a company lobby and straight through to the inside of the facility. Companies with open lobbies often rely on a receptionist to be the gatekeeper, but receptionists can get busy and distracted. A few weeks ago, I visited a company with an open lobby. Had the receptionist been distracted, and with the few people walking in the halls, I could have easily made it through the building to the unlocked data center. A locked door between the lobby and inside of a facility is very important.

The unlocked data center

This takes us to another key deficiency — the unlocked data center. Someone with physical access to a system can do many things that a network intruder could not. I helped a church blank the local admin password on a PC this week, something I could only do with hands-on access to the system. If you have a data center of any size, it needs to be securely locked, with access restricted to those with a need to be there.
Poorly secured doors

Systems requiring a proximity card for entry are now quite common, and with good reason. They provide tight granularity of access control for individual doors and a detailed audit trail. They are important, and should be used more than they are. That being said, they are not the answer to tight access control that many think, given the ease with which access information can be captured and used by bad actors. One of my customers recently described an audit by a major corporate customer that included an attempt to capture badge data using inexpensive, off-the-shelf hardware and software. The auditor arrived 30 minutes early and rode up and down the elevators with arriving employees. After 30 minutes, the auditor had captured enough data to easily enter almost any office in the building. I discussed this threat, and the options for badge encryption in a recent article.

Lack of surveillance

Cameras are very inexpensive today, and yet they can do double duty, not only detecting possible threats in progress, but allowing for forensic review of incidents. What a bargain! And yet, surprisingly few companies use them, and many that do, install and ignore them. Cameras should be installed at all entry points to a facility, and in key areas such as data centers and telecom closets. The video should be recorded and retained, with a live monitor placed on the desk of someone who can keep an eye on it.

The good news is that intrusion alarms are in very common use today. There is much opportunity for improvement, however. Many smaller offices in multitenant buildings do not bother with them, because a guard is often present in the lobby. If you refer to the badge paragraph above, you will realize just how easy it can be for someone to get into such a building. Further, these offices often share a common wall with other tenants. You don’t have to watch many home improvement shows to realize just how easy it is to get through drywall. You need an intrusion system, and you need one supporting unique codes for each individual for audit trail purposes.

The bottom line: It is appropriate to pay attention to logical security threats, but overlook physical security at your own peril.