Trusted SF Member
Joined: 14 Apr 2004
Posted: Tue Sep 25, 2007 1:09 pm Post subject: Physical Security intro
This is a small article on Physical Security across all its aspects, concerning LANs and where to pay attention while building a Security Plan.
Keep in mind that this is an intro, so it does not cover all aspects thoroughly. Furthermore, be a bit patient with me on grammar and syntax errors, as English is not my native language.
Thank you for reading this.
Physical plan and IT Security
Security in Information Technology is an advancing field which seems to attract more and more attention from companies and individuals who care about important digital data. Most of them, though, are missing a great part of the picture.
In the minds of most people, when IT Security is mentioned, they mostly think of software protection (e.g. firewalls, AV, IDS, etc.). The even more worrying part is that enough IT professionals follow the same pattern of thinking. They are equally missing the bigger picture of IT security, which also includes physical protection.
Definition of Physical Protection.
The term “physical protection” stands as a header which includes a number of things, from physical access to machines to ways of checking identities and entries, disaster-recovery sites and so on.
If IT security can be characterized as the “shield” of a network, then you can say that the physical plan is the “armor” behind it, on the defender’s body. It is not to be considered an additional component, but a basic plan to protect the network and data in full, according to the C.I.A. principles (Confidentiality, Integrity, Availability).
Physical security should start as a plan, from scratch: from drawings with architects and security consultants, considering backup procedures, disaster-recovery sites, premises protection from human-caused and natural disasters and so on.
Typical steps of building a physical security plan.
The first step that will lead to a successful security plan is to design the appropriate plan for securing physical resources. That includes a lot of sub-topics like:
I. Network architecture.
II. Building architecture compliance with several security parameters.
III. DR (Data room).
IV. Disaster protection.
I-II. Network Architecture – compliance with security parameters.
Starting with the architecture of both the network and the building plan, a Security Consultant is needed to provide the know-how for creating the appropriate measures to ensure the integrity of the IT resources and areas. For instance, when you are building a map of floors and rooms in a new building, you have to consider things like physical location, ways of entry, glass and windows facing the interior of rooms, floors or roofs for cabling and so on.
Physical location is something to take under very serious consideration, as a place close to a cliff, airport, harbor or other area that has a high risk of a possible disaster or accident might re-arrange the whole security plan regarding the integrity of resources and data. Entry and exit points are a possible backdoor that also need to be included in security planning, in order to have proper control over the people who are accessing the internal resources of your company’s network.
III. Data Room
The DR is something that is usually left out of common security plans, even though I think that it should be taken very seriously. Data rooms which are not in a dedicated room or in a protected environment have a weak spot. The DR should preferably be located at the center of the company premises, so as to provide a proper design, ease of administration and hard-wiring to the rest of the LAN.
The Data Room is the heart of the network and, as in the human body, it should be very well protected and centrally located. It is not wise to build a computer room in an area full of windows or to leave it out in the open where everyone can have access to it. It should also be equipped with proper air-conditioning to maintain proper operating conditions.
IV. Disaster Protection
Disaster-recovery sites are a plus in a security plan, especially when it comes to corporate networks of significant importance and data sensitivity (e.g. banks, government agencies, etc.). Since cost (among other things) is an issue here, most disaster-recovery sites are designed to support only basic and essential services. They should not replicate an exact copy of the original network. This is a very important solution for keeping the company’s network in business if a sudden and major disaster strikes (e.g. earthquake, fire, flood).
The first step in physical security always deserves much attention, so that the rest of the plan can continue with appropriate settings on proper foundations.
The second stage is based upon building a policy which will safeguard all resources by using both human and software/hardware resources.
I. Creating security policy for accessing physical premises.
II. Creating security policy for monitoring resources and access to them.
III. Creating user and data accessing policies.
IV. Creating emergency procedures and assigning roles.
I-II. Security policy for accessing and monitoring resources.
In most security plans, access to company premises is usually neglected by management and IT. This is a very big mistake, if one considers that an outsider can come into the company without proper authorization and create all sorts of problems (e.g. stealing, hacking, social engineering, etc.).
In order to safeguard your physical location, a good solution is to build a proper monitoring and security policy, relying on CCTV, security guards, biometric locks and procedures. This is to be done, of course, upon a proper access control and identity management policy. A person who enters a building should never be left out of the monitoring frame; otherwise, no matter how strong the software and hardware security applied, your LAN could be turned into a “playground” for malicious objectives.
For instance, a very good security policy for monitoring premises would contain a well-configured alarm and a CCTV circuit which monitors the entrance and exit points of the building. There should also be a security guard who checks proper identification, helps in case a visitor comes in, or escorts the visitor if needed to the desk of the person he wants to see. Entrance and exit of a visitor should ALWAYS be done under escort; never let him/her wander alone in or around the building.
I have been into buildings which were considered to be of “high sensitivity”, but by the time I left my details (signature and name) at the door, I got a visitor’s card and that was it!!! I was in and could go around in this building where, of course, no one asked me what I was doing there, as I did follow the company policies by leaving my details at the door! You can imagine that I would have been able to even plant an explosive mechanism or steal some papers left around on desks and leave unnoticed.
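The sign-in and escort policy described above is only as good as the check that it was actually followed. The following Python script is an added example, not code from the original post: it audits a constructed front-desk visitor log and flags every visitor who has no escort recorded, who was never signed out, or who stayed on the premises longer than a set limit. The CSV layout, the names, the timestamps and the four-hour limit are assumptions made for the illustration; a real badge system or reception log would export something similar.

```python
"""Audit a visitor sign-in log against an escort policy.

Added example, not part of the original post. The log format, the
sample records and the dwell limit are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: one day of front-desk records (hypothetical names).
VISITOR_LOG = """\
visitor,host,escort,sign_in,sign_out
Alice Example,J. Smith,J. Smith,2007-09-25 09:05,2007-09-25 10:10
Bob Example,K. Jones,,2007-09-25 09:30,2007-09-25 09:55
Carol Example,M. Lee,M. Lee,2007-09-25 11:00,
Dan Example,J. Smith,R. Guard,2007-09-25 13:00,2007-09-25 18:45
"""

# Assumed policy limit: no visitor stays longer than four hours.
MAX_DWELL = timedelta(hours=4)
TIME_FMT = "%Y-%m-%d %H:%M"
# Constructed "current time" at which the audit is run (end of the day).
AUDIT_TIME = datetime(2007, 9, 25, 18, 0)


def parse_log(text):
    """Parse the CSV export into dicts with real datetime values.

    An empty sign_out field means the visitor is still on the premises
    (or the guard forgot to record the exit), which is itself a finding.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sign_in"] = datetime.strptime(row["sign_in"].strip(), TIME_FMT)
        out = row["sign_out"].strip()
        row["sign_out"] = datetime.strptime(out, TIME_FMT) if out else None
        rows.append(row)
    return rows


def audit(rows, now, max_dwell=MAX_DWELL):
    """Return {visitor: [problem, ...]} for every record that breaks policy."""
    findings = {}
    for r in rows:
        problems = []
        if not r["escort"].strip():
            problems.append("no escort recorded")
        if r["sign_out"] is None:
            problems.append("not signed out")
        # Dwell time runs until sign-out, or until now if still inside.
        dwell = (r["sign_out"] or now) - r["sign_in"]
        if dwell > max_dwell:
            problems.append("on premises longer than %s" % max_dwell)
        if problems:
            findings[r["visitor"]] = problems
    return findings


def audit_text(text, now=AUDIT_TIME):
    """Convenience wrapper: parse a raw log export and audit it."""
    return audit(parse_log(text), now)


if __name__ == "__main__":
    for visitor, problems in audit_text(VISITOR_LOG).items():
        print("%s: %s" % (visitor, "; ".join(problems)))
```

Run as-is, the script reports the visitor with no escort, the one who was never signed out (who is also over the dwell limit at audit time) and the one who stayed too long; the visitor who was escorted, signed out and within the limit produces no finding. Running such a check at the end of each day is a simple way to measure whether the guard desk is applying the policy rather than just handing out visitor cards.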
III. Creating user and data access policies
Monitoring and access control of the company resources (building and hardware) is always a major and very hard issue to solve. Users tend to forget or neglect procedures and security policies, especially if they make their lives difficult. The only thing they want to do is their job, and they want to avoid taking 10-20 seconds to be authorized or identified while doing it. That happens despite their understanding that this might compromise their data and job integrity. Security policies and locks like passwords, magnetic cards, keys and punch cards are only a way to verify that the person coming in or going out is legitimately there. However, this solution does not cover all aspects of internal physical access or illegal intrusion into unauthorized areas.
For instance, the Data Room should always be an off-limits area for users and visitors, considering the importance of what goes on in there. This usually includes visual contact, if the DR is rated “Secret” in confidentiality rank. To enforce such a policy, an additional lock or a biometric feature should be installed at the entrance of the protected Data Room. Only administrators, management and authorized personnel should be able to access it, based upon a certain access policy.
There is also the case where an intruder or internal user has access to an open or unprotected terminal. Most users go away from their terminal, for business or some other reason, at least twice a day for 10-20 minutes. During this period, a malicious person, or even a partner who wants to harm or make fun of the person next to him, might access this terminal and trigger a security risk for your company’s LAN. A rule should be applied to all terminals, which should be protected with a password or a smartcard in their BIOS settings, so that no one without proper authorization would be able to access them. An unprotected terminal could be a very dangerous backdoor to the existing security plan, so be extra cautious about it. Train users in applying this policy and, in some cases, be sure that you have made this very clear to the company’s staff.
A side point to this case is how to protect a notebook leaving the company premises, which might be carrying enough data to attract a thief’s attention (e.g. contracts, payroll account details, etc.). You should also protect those notebooks by enforcing software encryption on their HDDs and possibly a BIOS password, in order to prevent any unauthorized data retrieval.
All of the above cases are the ideal parameters enforced in a company’s policy. But the question still remains: “will users comply with those policies, or will they continue to act as before?”
The human factor is the weakest link in the IT security chain. Users, as mentioned before, do not want to spend time complying with security procedures, although they need to feel secure and in some ways demand it. A security consultant’s job is to manage the registration of certain usage policies and to train staff in such a way that it gets through to the user’s mind and becomes part of the working day’s actions. The company’s management team, IT administration and users should act as equal and significant parts in upholding these policies.
Multiple password entries with high complexity, encryption and policies on I&A (Identify and Authorize) for accessing resources are always a time-consuming matter. A well-designed security plan needs to evaluate the cost of these actions in working hours and money, so as to see this policy enforced and not neglected or not used at all. Biometric security features help a lot of users, as they can use their unique anatomical characteristics instead of remembering numerous complicated credentials and, at the same time, gain enough seconds while using them, instead of following classical patterns (UAC).
Additional value to this plan would be proper training, so that there is a template of “user’s behavior” when he/she faces a person trying to obtain data in a malicious way. A proper training example would be to stage a phone call. In that phone call, someone will claim that he is a member of the outsourced IT team and ask an unaware user for account or data details.
Most people today are totally unaware and unprotected when a social engineer is trying to extract data from them. They have no training and end up giving significant and sensitive data away, even sending it via email (e.g. phishing attempts). All users and management should have proper training on social engineering and on how to treat leftover or destroyed documents, so that there will be total compliance with the physical security plan and to eliminate, as much as possible, attack attempts like dumpster diving or illegal copies getting out of the company premises.
Users, as they represent the human factor, are considered to be of high risk and should be treated with the proper amount of attention, so as to avoid future implications and possible failures in the security plan. A simple user action can be the “lethal” backdoor for the whole LAN. Do not leave the human factor unattended.
IV. Creating emergency procedures and roles.
The worst-case scenario: disaster strikes and the company or its data is destroyed. In a company without planning and without proper IT support, the only result will be the following: absolute and total havoc. There will be no real scenario to follow; a lot of downtime will occur, which will result in a huge money loss and probably end up in a huge reputation impact for the company. Some managers tend to say that disasters are not an everyday issue. This is not true!
Hard drives fail, servers tend to get hacked, and even former users with a negative history in the company but still holding valid credentials could do a lot of damage; sometimes even more than a physical disaster like a fire or flood could cause. If this happens and there is no clear scenario to follow, then the whole company will suffer a blow which might end up being a much bigger problem than the one managers can imagine. For instance, it is widely known that a legal firm, after the 9/11 attack on the World Trade Center, lost both resources and data, as they never kept a proper emergency scenario in case of a disaster. Disaster sites, backup/restoration procedures and a command-center hierarchy, although they sound a bit “paranoid” to the owner of a 10-30 person company, are applicable even in his case.
A proper scenario based on his company’s needs and level of data sensitivity might be a future lifesaving “pillow” in case of a disaster.
Disaster recovery procedures and roles are not a highly complicated procedure, but they are indeed a cost-effective case. In truth, there is no classical template to follow while building such a case. You have to be aware of the persons who are involved in the IT and management handling of the company, configure a plan and then apply it in such a way that will give a very good solution to the company in the worst-case scenario.
Last edited by The_Real_Gandalf on Wed Jan 02, 2008 3:24 pm; edited 1 time in total