Physical Thinking

For the most part people in the IT field are aware that security is important in many different areas. On our individual systems we install Anti-virus software. On our servers we run firewall software and setup authentication methods to only allow specific users access. On our switches we setup access control lists and VLANs, and on our routers we may set up PPP with CHAP instead of HDLC. There are many different way for things to be configured to get exactly what you want out of your technology. Lots of people understand the importance of learning how to get this functionality while still keeping your technology secure. But while you might have put hours of thought into your authentication methods and your firewalls to get them configured perfectly, did you accidentally forget to lock the door when you left? Or did you walk away from your desktop to get a cup of coffee without logging out?

Physical security is a very important part of security that many IT professionals overlook or don’t take as seriously as they should. As Robert L. Bogue said in Lock IT Down: Don’t overlook physical security on your network“.

“Computers are unavoidably vulnerable to physical attack. Routers allow their passwords to be reset, server software-based security can be easily bypassed, and user passwords can be cracked and stolen. All of this is possible with a reasonable amount of physical access to the system.”

So while you may have your technical security in place, also take the time to form and implement an effective physical security plan. It is important to secure all components of your network, although for the most part the question of cost comes into play and limits you. For example it could be a bad idea to keep Ethernet cables exposed as it may be possible for an attacker to tap into those cables to perform man in the middle attacks. For some cases fully securing all your Ethernet runs could be to costly and you may feel the money would be better used to install security specifically for your server rooms.

There are many different devices you can use for security and being an Information Technology person, you may not be the most qualified to develop a physical security plan. So don’t just ignore it, go find someone who is knowledgeable of that area to help. For the most part though the devices used for physical security are very technology based, so you should have a good shot at learning how to use and implement them. At a minimum you want your equipment under lock and key. Now days there’s better options than a simple key, with a key you may never know when someone used it, if they lost it, or if a copy was made. That is why a card access system might be better, you can keep track of who has accessed the locked area. Also you can make things easier by assigning that person access to multiple areas with one card instead of needing to carry around a ring of keys.

Also many bio metric authentication options are available, all with the purpose of locking people out who shouldn’t have access, and allowing the person who should have access in. Some of these options include:

  • Retina scanning
  • Iris scanning
  • Fingerprints
  • Hand geometry
  • Facial recognition
  • Signature verification
  • Voice authentication.

Any of these could possibly be a good option for you. But in real basic terms do what you can to keep people away from your equipment who shouldn’t have access, while letting those who need access in. These security steps are important even if you don’t think you will become the target of an attack. There is always the possibility you will be a target and you need to be prepared. But also sometimes there’s just the curious employee who decides to mess around and see what he can do. So put the security in place to stop him.

Everyone in the IT world gets taught to back up your files, you never know what could happen. But this brings us to another important point. Do those backups hold the same sensitive information your trying to secure? If they do then you need to make the security to get to those backups is just as good as the security to the devices holding the original data.

To finish things off, if you haven’t thought about this yet you probably need to start thinking more about security. Install video cameras! If you can’t keep them out with your security at least you have video evidence of what happened. Or if you did keep them out now you can see who tried to get in. Ideally you should have someone monitoring the video, to also possibly respond to an obvious unauthorized access attempt.

Advertisements

2 thoughts on “Physical Thinking

  1. I believe that a large reason that physical security is overlooked is because its expensive. A quick look online and I’m pulling up prices of $600 and more for just one fingerprint door lock, which might not even be intended for high security since I found it on amazon. Then for things like security cameras which have a lot of hidden costs behind them like installation, or having to hire another person just to monitor them. For a lot of companies it seems like they just can’t justify spending this money, that is until its too late and they’ve already been taken advantaged of.

    • It seems it would really depend on what your company is working with. If you have highly sensitive data then these high prices security options might be worth it because although they cost more there also the better security options. But then again if your running a small network at a local library or something of that nature it might not be worth it to use the expensive security devices, but physical security should still be considered. Maybe just go with the old fashion lock and key rather than nothing, and possibly get lower quality camera’s that don’t cost as much. You need to do the best you can with your budget rather than ignoring physical security because it costs to much.

Comments are closed.