CHAPTER 5
Physical Security

by Ken Pfeil

Physical security is a multifaceted and wide-ranging topic. To cover all aspects and best practices of physical security adequately would easily fill the pages of an entire book. The goal of this chapter is to address everyday physical security topics, concepts, and practices as they relate to the day-to-day security practitioner with a network security background. Not covered in this chapter are areas such as executive protection and counterterrorism.

Classification of Assets

Classification of assets is the process of identifying physical assets and assigning criticality and value to them in order to develop concise controls and procedures that protect them effectively. These asset categories have inherent and common characteristics that allow you to establish baseline protective measures by category. The classification of corporate physical assets will generally fall under the following categories:

• Computer equipment: mainframes, servers, desktops, and laptops

• Communication equipment: routers, switches, firewalls, modems, PBXs, fax machines, etc.

• Technical equipment: power supplies, air conditioners

• Storage media: magnetic tapes, DATs, hard drives, CD-ROMs, Zip drives

• Furniture and fixtures

• Assets with direct monetary value: cash, jewelry, bonds, stocks

Value and business criticality of assets should be assessed and documented. For critical assets, the matrix should record at a minimum: depreciated value, initial cost, replacement cost, asset owner, vendor, version, and serial number (if applicable). This information can normally be gleaned from business continuity and disaster recovery documentation. If you don’t have a DRP or BCP yet, this inventory will help quite a bit when the inevitable time comes to draft one. “Low/Medium/High,” “Not Important/Important/Critical,” or a similar numerically based scoring and weighting system can be used effectively to assign protection priorities to assets.
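The register and scoring scheme just described, as an added example that is not part of the chapter: each entry carries the minimum fields the text asks for on critical assets, a weighted score ranks assets for protection, and incomplete entries for critical assets are flagged. The weights, cost bands, priority thresholds, the exposure scale, and the sample inventory are assumptions chosen for illustration.

```python
"""Asset register with a weighted protection-priority score.

Added example; not from the chapter. It records the minimum fields the text
asks for on critical assets and ranks assets for protection. The weights,
bands, thresholds and sample assets are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Minimum fields the matrix must hold for a critical asset (from the text).
REQUIRED_FOR_CRITICAL = ("owner", "vendor", "initial_cost",
                         "replacement_cost", "serial_number")

# Assumed weights: business criticality outweighs replacement cost and exposure.
WEIGHTS = {"criticality": 3, "replacement_cost": 2, "exposure": 1}


@dataclass
class Asset:
    name: str
    category: str                 # e.g. "Computer equipment", "Storage media"
    criticality: int              # 1 Not Important, 2 Important, 3 Critical
    exposure: int                 # assumed: 1 locked room, 2 shared office, 3 public area
    owner: Optional[str] = None
    vendor: Optional[str] = None
    version: Optional[str] = None
    serial_number: Optional[str] = None
    initial_cost: Optional[float] = None
    replacement_cost: Optional[float] = None


def cost_band(replacement_cost):
    """Map replacement cost to a 1..3 band (assumed dollar thresholds)."""
    if replacement_cost is None:
        return 1
    if replacement_cost >= 10_000:
        return 3
    return 2 if replacement_cost >= 1_000 else 1


def protection_score(asset):
    """Weighted score in the range 6..18."""
    return (WEIGHTS["criticality"] * asset.criticality
            + WEIGHTS["replacement_cost"] * cost_band(asset.replacement_cost)
            + WEIGHTS["exposure"] * asset.exposure)


def priority_label(score):
    """Collapse the score to the Low/Medium/High scheme the text mentions."""
    if score >= 14:
        return "High"
    return "Medium" if score >= 10 else "Low"


def missing_fields(asset):
    """Fields a critical asset's matrix entry must have but does not."""
    if asset.criticality < 3:
        return []
    return [f for f in REQUIRED_FOR_CRITICAL if getattr(asset, f) is None]


def build_register(assets):
    """Rank assets by score (highest first) and note incomplete entries."""
    rows = []
    for a in assets:
        score = protection_score(a)
        rows.append({"name": a.name, "category": a.category, "score": score,
                     "priority": priority_label(score),
                     "missing": missing_fields(a)})
    rows.sort(key=lambda r: (-r["score"], r["name"]))
    return rows


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("Payroll server", "Computer equipment", criticality=3, exposure=1,
          owner="Finance", vendor="ExampleCo", version="2.1",
          serial_number="SN-0001", initial_cost=8_000, replacement_cost=12_000),
    Asset("Backup tape library", "Storage media", criticality=3, exposure=2,
          owner="IT Ops", replacement_cost=5_000),
    Asset("Core switch", "Communication equipment", criticality=2, exposure=1,
          owner="Network", vendor="ExampleNet", serial_number="SW-77",
          initial_cost=3_500, replacement_cost=3_000),
    Asset("Reception desktop", "Computer equipment", criticality=1, exposure=3,
          owner="Facilities", replacement_cost=800),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS):
        flag = " INCOMPLETE: " + ", ".join(row["missing"]) if row["missing"] else ""
        print(f"{row['priority']:6} {row['score']:2} {row['name']}{flag}")
```

The point of the `missing_fields` check is that a critical asset with an unknown serial number or replacement cost cannot be reported stolen or replaced quickly; the register should refuse to call an entry complete until those fields are filled.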

Physical Vulnerability Assessment

A physical security vulnerability assessment, much like its information security counterpart, relies upon measurements of exposure to an applicable risk. An asset must already be classified, and its value to the organization quantified. Once this is accomplished, a simple walk-through should be performed as a starting point to identify potential areas of physical security laxness. For example, is that network connection in the company reception area active? If so, does it hand out an IP address via DHCP? Is it segmented on its own VLAN? Identify the problem, but also assess what (if any) business need justifies its existence. If a legitimate business need does not exist, or the risk exceeds any potential return, the condition is a liability and should be remediated. Four main areas should be a part of any physical vulnerability assessment: buildings, computing devices and peripherals, documents, and records and equipment. The emphasis on each will vary with the nature of your business and the site.

Buildings

Take a walk around the building and look for unlocked windows and doors. Check for areas of concealment/obstruction such as bushes/shrubs directly beneath windows. Check for poor lighting conditions. Are you able to tailgate into the building behind someone without being challenged? Can you walk in through an unattended loading dock entrance? Once inside, are you challenged for identification? Are building passes displayed prominently and collected after the visit is concluded?

Computing Devices and Peripherals

Verify lockdown and accessibility of systems and peripherals. Unattended systems should be logged off or have their screens locked. For servers, the bare minimum criteria that apply are these:

• Critical servers should be placed in a locked room. Due to space or business limitations, it may not always be possible to place all of your servers in a locked room. One example of this might be product test or development environments. In situations such as these, logical isolation of systems may suffice. Bear in mind that if this method is used, it is imperative that mitigating controls, such as data and network segmentation from critical data, be maintained at all times.

• The case must have a physical lock.

• The BIOS should be protected with a complex password. Bear in mind that a BIOS password can usually be cleared by anyone who can open the case and reset the CMOS, which is one more reason the case lock matters.

• Booting from floppy, CD, and any other removable or network device should be disabled in the system setup, so that the boot order cannot be used to bring up a foreign operating system and bypass the installed one.

• The monitor and keyboard should be positioned so that neither is visible to anyone other than the person at the keyboard. You don’t want someone watching when an administrative password is typed in.

• Unused modems should be removed or disabled.

• Tools should be stored separately, preferably locked up.

• Limit the number of people with access to the server room, and document their access. Place a sign-in sheet inside the door, or electronically track access with a proximity card reader or biometric entry control.

Documents

Documents should already be classified as part of your data classification and information owner matrices and policies. Look for Confidential or “Eyes Only” documents lying around, Post-it notes with passwords and credentials, documents not collected from print jobs and faxes, and documents in the trash or recycle bin that should have been shredded. Take a walk around and see if you can successfully “shoulder-surf” confidential or restricted information. People will generally assume that you don’t care about what they are reading. This is a dangerous assumption. Case in point: As I was commuting into Manhattan on the ferry this morning, a woman sat down next to me and proceeded to work on a confidential legal document concerning a corporate lawsuit settlement. She occasionally looked over to read my newspaper, and I returned the favor by shoulder-surfing her document as well. If I were a competitor to her company, that information would undoubtedly have been very useful. If I had a dime for every occurrence of this nature on public transportation, I’d be a very rich man. Take the time to educate your employees on corporate espionage techniques such as this, and ensure that they understand the consequences of what may seem like a harmless situation at the time.

Records and Equipment

The category of records and equipment deserves the same consideration as any other crucial asset. No matter how dependent we become as a society upon electronically storing and processing records, there will always be the file cabinet containing paper records. Records differ slightly from documents in that records encompass anything of record. Employee timesheets, receipts, accounts payable/receivable, etc., are all forms of records. Make sure records are locked up when not in use and are accessible only to those authorized to access them. Equipment such as faxes, printers, modems, and copiers has its own security recommendations, depending upon its use and location. Does your CEO leave his BlackBerry or PIM device unattended in the cradle with his office door wide open when he goes to lunch? In this situation, even though his workstation may be locked, his e-mail is still accessible.

Choosing Site Location for Security

As they say in real estate, “Location is everything.” When it comes to physical security this particular saying hits close to home. According to Marene Allison, Director of Corporate Security for Avaya, “The most important consideration for choosing a secure site location is survivability, not cost. There are lots of low-cost sites in areas that experience hurricanes, tornadoes, and floods and areas that have high crime indexes. You want a site that has backup power, pumps, and security guards, but you only want to test them, not keep putting them into use. The more you have to use the backup, the greater chance it will eventually fail. Remember, even if the site does not go offline when the backup kicks in, you will have to respond to the emergency. Low cost up front does not always translate into low cost to keep it running 24×7.” There are many security considerations for choosing a secure site location, only a few of which are:

• Accessibility
  • To the site
  • From the site (in the event of evacuation)

• Lighting

• Proximity to other buildings

• Proximity to law enforcement and emergency response

• RF and wireless transmission interception

• Construction and excavation (past and present)

Let’s discuss each consideration briefly to address applicability to common business environments.

Accessibility

Accessibility of the site is typically the first consideration, and with good reason. If a site is located too remotely to be practical, usability and the daily commute suffer. By the same token, if it is easily accessible to you, it probably is to others also. Evacuation must also be planned for: bomb threats, fires, anthrax mailings, and SARS are all potential catalysts for clearing a building, and the routes away from the site matter as much as the routes to it.

Lighting

Proper lighting, especially for companies with 24×7 operations, should be evaluated and taken into consideration. Threats to employee safety, as well as the potential for break-ins, are more common under poor lighting conditions. Establish from the outset as many physical barriers between your business environment and undesirable people and circumstances as practical. Mirrored windows or windows with highly reflective coatings should face north-south rather than east-west to avoid casting sun glare into trafficked areas.

Proximity to Other Buildings

Know who your neighbors are. For instance, sharing a building with a branch of law enforcement would be considered less of a risk than sharing a building with “XYZ Computer Ch40s Klub.” The closer the proximity to other buildings and companies, the higher the probability is for a physical security incident to occur. Also consider the fact that whatever problems an adjacent or connected building might have could potentially become your problem as well.

Proximity to Law Enforcement and Emergency Response

Another consideration is the location’s relative proximity to law enforcement and/or emergency response units. If the area has a history of crime, but you’ve chosen the site anyway, accept that an incident may not get a response within the time frame you consider ideal. Similarly, if an emergency service unit were called to respond to an incident at this location, consider what the impact of any delay would be and whether that latency in response is acceptable to the business.

RF and Wireless Transmission Interception

As wireless networking becomes more prevalent, especially in metropolitan areas, wireless hacking and hijacking become more of a threat. Other “airborne” protocols that should be taken into consideration include radio frequency devices, cordless phones, cell phones, PIMs, and mobile e-mail devices. Survey the site for existing transmissions with an RF scanner, and avoid heavily trafficked frequency ranges wherever possible. Treat anything sent over the air as passing through an untrusted network: using encryption for sensitive traffic is an absolute must.

Construction and Excavation

Construction and excavation can take your entire network and communications infrastructure down with one fell swoop of a backhoe’s bucket. Take a look at past construction activities in the area, and the impact (if any) that they had on the immediate vicinity. Town or city records will usually provide the information you need regarding any construction/excavation/demolition, both past and present. Make it a point to ask people in the vicinity about power/telecom outages.

On August 14, 2003, over 50 million people in the northeastern United States suffered a power blackout. Power was out in parts of New York City alone for well over a day (Figure 5-1).


FIGURE 5-1 The Blackout of 2003, viewed from space

This blackout stretched from the eastern U.S. as far west as Detroit, Michigan, and as far north as Ottawa, Canada. At the time of this writing, the causes are not yet fully known, but losses are well into the billions of dollars.

Securing Assets: Locks, Entry Controls

There are many different considerations that must be taken into account when securing your assets with physical security devices. A few of them follow.

Locks

Locks aren’t just for doors anymore. Anything of value that is capable of “growing legs and wandering away” should have a lock or be secured in a location that has a lock. Your physical security vulnerability assessment probably came across a few unsecured laptops, MP3 players, jewelry, keys, and other assorted items. Lock the device up and make it a point to educate the asset owner on the importance of securing the item.

Doors and File Cabinets

Check for locked doors where applicable; you’ll be surprised at the results. Make sure the lock on the door functions correctly and can withstand sufficient force. A broken or nonfunctioning lock is only slightly better than no lock at all. File cabinets containing sensitive information or valuable equipment should be kept locked when not in use. The keys to these should also be kept out of common reach.

Laptops

Laptops at the office, when not in transport, should be physically locked to the desk or in the docking station. Cable locks are a relatively small price to pay to ensure the laptop (and company information) doesn’t fall into the wrong hands. Laptop theft is at an all-time high; most disappear right under the nose of the owner. One second it’s here; the next, it’s gone. Be especially wary when traveling. For example, whenever going through a metal detector at the airport, keep your eye on the laptop bag at all times. Don’t be afraid to tell the screener to stop the conveyor until you can get to it. If possible, transport your laptop using a bag that does not resemble a computer bag, such as one that resembles a backpack. In some areas, traveling with a computer bag is equivalent to taping a note on the side that says “Steal Me.” Operating system security and software safeguards are only as good as the physical security protecting access to the device. If someone has unlimited physical access to a system, half the battle is already over. From there, it’s only a matter of time before these safeguards are overcome. One example of this is using a Linux boot disk to reset a Windows Administrator account password. Encrypting the sensitive data on the disk limits what an attacker gains from that access, but it is no substitute for keeping the device out of their hands in the first place.

Data Centers, Wiring Closets, Network Rooms

All of these areas should have common access controls, as they all perform a similar function. Make sure these rooms are kept locked. If automatic entry tracking mechanisms are not in use, ensure an access log is kept.

Entry Controls

Entry controls have their own security considerations that will undoubtedly vary with your security plan and business needs.

Building and Employee IDs

Typically, one of the first things done at any company is to provide ID badges. Building and/or employee identification should be displayed at all times, and a challenge should be presented whenever needed. Far too often, I’ve seen situations where an individual becomes friendly with the security guard, and eventually the guard just waves them through. What happens when that guard doesn’t receive notification that the employee is no longer with the company? Unfortunately, in most cases, the former employee is waved through as if he still worked there. This situation has explosive implications associated with it. Tie badge deactivation and guard notification directly to the termination process so that building access ends the same day employment does.

Biometrics

Biometric devices have come a long way in the past several years and continue to gain traction both in the entry control market and the network authentication market. A biometric device is classified as any device that uses distinctive personally identifiable characteristics or unique physical traits to positively identify an individual. There are many types of biometric devices, and use will be dictated by the situation. Some of the more common ones include: fingerprint, voice, face, retina, iris, handwriting, hand geometry, and keystroke dynamics. For entry control, the most commonly deployed biometric technologies are fingerprint and hand geometry devices.

Security Guards

People always seem to make the best deterrents. But guards are not there merely as a deterrent. Here’s what the New York State Department of Labor says a security guard’s responsibilities include: “A security guard is employed by an organization, company, or agency to patrol, guard, monitor, preserve, protect, support, and maintain the security and safety of personnel and property. Security guards deter, detect, and report infractions of organizational rules, policies, and procedures. Security guards help limit or prevent unauthorized activities, including but not limited to trespass, forcible entry or intrusion, vandalism, pilferage, theft, arson, abuse, and/or assault.” A security guard is not just a person but also a resource. Accordingly, guard placement, number, and use will be dictated by business requirements and needs. Background checks should be done for all security guards, and appropriate licenses and clearances obtained wherever applicable.

Physical Intrusion Detection

Physical intrusion detection, much like its information security counterpart, requires forethought, planning, and tuning to obtain optimal effectiveness. Some considerations for physical intrusion detection follow.

Closed-Circuit Television

CCTV is in use just about everywhere. Placement should be thought out with financial and operational limitations in mind. Some possible initial areas for device placement include: high-traffic areas, critical function areas (such as parking structures, loading docks, and research areas), cash handling areas, and areas of transition (such as the hallway leading from a conference room to a sensitive location). Ensure that the cabling used for CCTV devices is not readily accessible; exposed cabling makes it easy for someone to tap into, or cut, the transmissions. Lighting will also play a critical role in the effectiveness of the camera. If you are considering the use of a wireless CCTV setup, take into account that anything transmitted through the airwaves can also be received by anyone in range with the right equipment.

Alarms

Alarms should be tested at least monthly, with a test log being kept. Entry doors and exits should be fitted with intrusion alarms. A response plan should be in effect with everyone who will be responding to an incident knowing exactly what their roles and responsibilities are. Duress alarms should also be taken into consideration for areas that require them.

Mantraps

A mantrap is an area designed to allow only one authorized individual entrance at any given time, typically a small vestibule with two interlocked doors where the second door will not open until the first has closed and the occupant has been authenticated. These are used as an antitailgating mechanism and are most commonly found in high-security areas, cash handling areas, and data centers.

System Logs

System logs can be an indication that someone was physically present at a system. Bear in mind that many attacks that depend on physical access, such as booting from removable media or changing the system setup, require a restart in order to execute, so the restart itself is evidence. Some things to look for in the system logs that might indicate physical access to a system include:

• Short or incomplete logs

• Logs missing entirely

• Strange timestamps, such as entries out of sequence or long gaps where routine entries should appear

• Logs with incorrect permissions or ownership

• System reboots

• Services restarting
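The checks in the list above, run over a few constructed syslog-style lines, as an added example that is not part of the chapter: it flags boot messages, service restarts, timestamps that go backwards, and gaps where entries should be, and it checks whether a log file’s ownership and mode look tampered with. The sample lines, the message patterns, the six-hour gap threshold, and the expected root ownership are assumptions; real hosts log these events in their own formats and the patterns must be adapted to them.

```python
"""Scan syslog-style entries for signs that someone was at the console.

Added example; not from the chapter. The log lines are constructed, and the
message patterns, the 6-hour gap threshold and the expected log ownership and
mode are assumptions. Real hosts log these events in their own formats.
"""
import os
import re
import stat
from datetime import datetime, timedelta

# Constructed sample: a box rebooted in the small hours, a clock step that
# sends the timestamps backwards, then a quiet stretch before sshd restarts.
SAMPLE_LOG = """\
2003-08-14 21:02:11 srv1 sshd[4123]: Accepted publickey for admin from 10.0.0.5
2003-08-14 21:15:40 srv1 cron[4199]: (root) CMD (run-parts /etc/cron.hourly)
2003-08-14 22:15:40 srv1 cron[4310]: (root) CMD (run-parts /etc/cron.hourly)
2003-08-15 02:03:09 srv1 kernel: Linux version 2.4.20 (gcc 3.2) #1 SMP
2003-08-15 02:03:12 srv1 init: Entering runlevel: 3
2003-08-15 01:58:50 srv1 ntpd[612]: time reset -259.000000 s
2003-08-15 09:30:01 srv1 sshd[700]: Received signal 15; terminating.
2003-08-15 09:30:02 srv1 sshd[702]: Server listening on 0.0.0.0 port 22.
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$")

# Assumed message patterns: the first group means the kernel came up again,
# the second that a daemon went away or came back.
REBOOT_PATTERNS = (re.compile(r"^Linux version "), re.compile(r"^Entering runlevel"))
RESTART_PATTERNS = (re.compile(r"terminating\.?$"), re.compile(r"^Server listening on"))
GAP_THRESHOLD = timedelta(hours=6)


def parse_line(line):
    """Split one entry into timestamp, host, program, pid and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, pid, msg = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "prog": prog.strip(), "pid": pid, "msg": msg}


def scan_log(text):
    """Return (line_no, kind, detail) for each suspicious entry."""
    findings = []
    prev = None
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            findings.append((n, "unparseable", raw))
            continue
        if prev is not None:
            delta = entry["ts"] - prev["ts"]
            if delta < timedelta(0):           # clock set back, or lines tampered with
                findings.append((n, "timestamp_backwards", entry["msg"]))
            elif delta > GAP_THRESHOLD:        # a hole where entries should be
                findings.append((n, "gap", f"{delta} since previous entry"))
        if any(p.search(entry["msg"]) for p in REBOOT_PATTERNS):
            findings.append((n, "reboot", entry["msg"]))
        elif any(p.search(entry["msg"]) for p in RESTART_PATTERNS):
            findings.append((n, "service_restart", f"{entry['prog']}: {entry['msg']}"))
        prev = entry
    return findings


def log_permission_findings(mode, uid, gid, expected_uid=0, expected_gid=0):
    """Flag a log file not owned as expected or writable/readable too widely."""
    problems = []
    if uid != expected_uid or gid != expected_gid:
        problems.append("unexpected owner")
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    if perm & stat.S_IROTH:
        problems.append("world-readable")
    return problems


def check_log_file(path):
    """Apply the permission checks to a real file (not exercised by the sample)."""
    st = os.stat(path)
    return log_permission_findings(st.st_mode, st.st_uid, st.st_gid)


if __name__ == "__main__":
    for line_no, kind, detail in scan_log(SAMPLE_LOG):
        print(f"line {line_no:2}: {kind:20} {detail}")
```

A reboot at 02:03 followed by a clock step backwards is exactly the pattern a boot from removable media and a subsequent NTP correction would leave; a single finding proves nothing, but the combination in a short window is worth a walk to the server room. Note that a file that is world-writable is not just a privacy problem: anyone who can write the log can remove the entries above.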

Summary

There are many physical security considerations that should coincide with your data security goals. Both physical and data security are centered on the protection of assets, so some concepts apply directly to both worlds. Common sense, forethought, experience, and clear, logical thinking are an essential part of any security plan.
