A.21. Keeping Physical Security Meaningful

It is difficult to overstress the importance of physical security. Physical security is controlling who can and cannot gain physical proximity to assets. It is a form of access control: defining who has access where and who doesn't. Without physical access control, there is no security. Every technological security control can be overcome with the right tools or enough time. Even cryptography will fail eventually. Brute-force attacks are always successful, given enough time. But time itself is becoming an ever smaller relative value with the onset of massive parallel distributed processing. For example, with the services of distributed.net or its competitors, 10,000 computing hours can be harnessed in an hour of real time.

Two of the scariest issues today in terms of physical security are bootable portable OSs and hardware-based keystroke loggers. A bootable portable OS on a CD, a DVD, or a USB drive can fully bypass any OS-enforced security because it doesn't allow the host OS to load! Without the host OS, no security is actually being enforced. In fact, the only security remaining is file- or drive-based encryption. Thus, an attacker can make copies of encrypted files and then take them elsewhere to break the encryption at their leisure.

Hardware-based keystroke loggers are another security nightmare. As mentioned earlier, these gadgets are available for under $100 and are designed to be unobtrusive to even the most observant of users. A few seconds to plant, a few seconds to extract days later, and presto! The attacker now has possession of your password-based logon credentials and anything else you might have. Your only protections are multifactor authentication and strong physical security.

To prevent the compromise of technological security, you must use good physical security. As an employee of any organization, it is part of your job to be aware and be suspicious.

To assist with the physical security of the company's facilities, here are some suggestions:

  • Make sure that every time you unlock and open a door, you then close and relock it before you walk away.

  • If you discover an unlocked door that should be locked, report it immediately.

  • If you discover that a door's locking mechanism has been damaged or tampered with, report it immediately.

  • If you discover a door propped open when it should be closed and locked, report it immediately.

  • Regularly take notice of whether windows are closed and locked; report any changes.

  • Regularly look at the security cameras in the area, and report any change in their direction, any obstruction, or any damage.

  • Get to know the faces of as many of your fellow employees as possible so you can spot outsiders or intruders.

  • If you see any suspicious activity, especially by personnel you do not recognize, report it.

  • Don't hold open locked doors that require each person to self-authenticate.

  • Never allow anyone into a secured environment who does not have their authentication credentials, even if you think you know them.

  • Keep your keys, smart cards, and other access devices under your complete control at all times, especially when away from work.

  • Never grant access to a secured area to anyone who is not specifically authorized to be in that area, including your family and friends.

  • Don't help strangers if it involves violating company security procedures; it could be a social engineering attack attempt.

  • Regularly check the inspection tags on fire extinguishers, detectors, and sprinkler systems, and report any expired tags.

  • Never install equipment or computer hardware, especially wireless devices, without specific written authorization.

  • Watch for roof leaks, window leaks, or bathroom overflows and report them.

  • Avoid touching computer equipment or electronic devices until you have grounded yourself; static electricity can build up in any low-humidity environment, not just during the winter.

  • Don't run any device that might overheat and start a fire.

  • Never store or place combustible materials near electronic equipment, especially near electrical distribution points or heat exhaust fans.

Reporting actual malicious activity will be rewarded and encouraged. However, if you become the squeaky wheel and most of your reports turn out to be false positives, you may get a reprimand or a strong encouragement to mind your own business. So, be sure that what you are reporting is worth reporting and that you're not just being a nosy neighbor.
