Chapter 5
IN THIS CHAPTER
Understanding why physical security is an important part of cybersecurity
Understanding the basics of physical security for data and electronic devices
Identifying what needs protection
Reducing physical security risks
You may be tempted to skip this chapter — after all, you are reading this book to learn about cybersecurity, not physical security.
But, please don’t.
Seriously.
Certain aspects of physical security are essential ingredients of any cybersecurity program, whether formal or informal. Without them, all of the policies, procedures, and technical defenses can prove to be worthless. In fact, just a few decades ago, the teams responsible for protecting computers and the data housed within them focused specifically on physical security. Locking a computer in a secured area accessible by only authorized personnel was often sufficient to protect it and its contents. Of course, the dawn of networks and the Internet era, coupled with the mass proliferation of computing devices, totally transformed the risks. Today, even computers locked in a physical location can still be accessed electronically by billions of people around the world. That said, the need for physical security is as important as ever.
This chapter covers elements of physical security that are necessary in order to implement and deliver proper cybersecurity. I cover the “what and why” that you need to know about physical security in order to keep yourself cyber-secure. Ignoring the concepts discussed in this chapter may put you at risk of a data breach equivalent to, or even worse than, one carried out by hackers.
Physical security means protecting something from unauthorized physical access, whether that access is by man or by nature. Keeping a computer locked in an office server closet, for example, to prevent people from tampering with it is an example of physical security.
The goal of physical security is to provide a safe environment for the people and assets of a person, family, or organization. Within the context of cybersecurity, the goal of physical security is to ensure that digital systems and data are not placed at risk because of the manner in which they’re physically housed.
I hope that you’re not storing highly sensitive classified files in your home. If you are, you had better know a lot more about information security than is taught in this book. Also, because removing classified information from its proper storage location is often a serious crime, I suggest that you get yourself a good lawyer.
Before you implement a physical security plan, you need to understand what it is that you have to secure. You likely possess more than one type of electronic device and have data that varies quite a bit in terms of the level of secrecy and sensitivity that you attach to it. Step 1 in implementing proper physical security is to understand what data and systems you have and determine what type of security level each one demands.
In all likelihood, your computer devices fall into two categories:
Stationary devices, such as desktop computers, networking equipment, and many Internet of Things (IoT) devices, such as wired cameras, are devices that don’t move from location to location on a regular basis.
These devices can, of course, still be stolen, damaged, or misused, and, therefore, must be adequately protected. Damage need not be intentionally inflicted — early in my career I helped troubleshoot a server problem that began when a nighttime custodian unplugged an improperly secured server from its uninterruptible power supply in order to plug in a vacuum cleaner. Yes, seriously. As it is imperative to secure stationary devices in the locations in which they “live,” you must inventory all such devices. Securing something that you do not know that you possess is difficult, if not impossible.
Mobile devices are computerized devices that are frequently moved. Laptops, tablets, and smartphones are all mobile devices. In some ways mobile devices are inherently more secure than stationary devices — you likely always have your cellphone with you, so that device not sitting at home unwatched for long periods of time as a computer may be.
That said, in reality, experience shows that portability dramatically increases the chances of an electronic device being lost or stolen. In fact, in some ways, mobile devices are the stuff of security professionals’ nightmares. The “smartphone” in your pocket is constantly connected to an insecure network (the Internet), contains highly sensitive data, has access tokens to your email, social media, and a whole host of other important accounts, likely lacks security software of the sophistication that is on desktop computers, is frequently in locations in which it is likely to be stolen, is often out of sight, is taken on trips that cause you to deviate from your normal routine, and so on.
Review what data your devices house. Think of the worst-case consequences if an unauthorized person obtained your data or it leaked to the public on the Internet. No list of items to search for can possibly cover all possible scenarios, but here are some things to think about. Do you have
These items will need to be protected against cyberthreats, as described in multiple later chapters. But the data stores in which they reside also need to be protected physically, as described in the next section.
In order to adequately physically protect your technology and data, you should not attempt to simply deploy various security controls on an ad hoc basis. Rather, it is far better to develop and implement a physical security plan — doing so, will help you avoid making costly mistakes.
In most cases, physically securing computing systems relies on applying a well-known established principal of crime prevention, known as Crime Prevention Through Environmental Design (CPTD), that states that you can reduce the likelihood of certain crimes being committed if you create a physical environment that allows legitimate users to feel secure, but makes ill-doers unconformable with actually carrying out any planned problematic activities.
Understanding this high-level concept can help you think about ways to keep your own systems and data safe. Three components of CPTD as they apply in general to preventing crime include access control, surveillance, and marking:
You know your own environment. By applying these concepts you can improve the likelihood that unauthorized parties will not attempt to gain unauthorized access to your computers and data.
You can use many techniques and technologies to help secure an object or facility. How much physical security you implement for a device depends heavily on the purpose for which it is being used and what types of information it houses.
Here are some examples of methods of securing devices — based on your tolerance level for risk and your budget, you may choose variants of all, some, or none of these techniques:
Of course, you should not consider the preceding list to be comprehensive. But, if you think about how you can apply each of these items to help keep your devices safe within the context of a CPTD approach, you will likely benefit from much greater odds against an “unfortunate incident” occurring than if you do not. (For more on CPTD, see the earlier section “Creating and Executing a Physical Security Plan.”)
Such advice may sound obvious; sadly, however, a tremendous number of devices are stolen each year when left unattended, so you can be sure that the advice is either not obvious or not followed — and, in either case, you want to internalize it and follow it.
In addition to watching over your phone, tablet, or laptop, you should enable location broadcasting, remotely triggerable alarms, and remote wipe — all of which can be invaluable at quickly reducing the risk posed if the device is lost or stolen. Some devices even offer a feature to photograph or video record anyone using a mobile device after the user flags it as stolen — which can not only help you locate the device, but can also help law enforcement catch any thieves involved in stealing it.
According to most experts, the majority of information-security incidents involve insider threats — meaning that the biggest cyber risk to businesses are posed by their own employees. Likewise, if you share a home computer with family members who are less cyber-aware, they may pose the greatest risk to your cybersecurity. You may take great care of your machine and be diligent with cybersecurity every single day, but if your teen downloads malware-infected software onto the device on even a single occasion, you may be in for a nasty surprise.
One critical rule from “the old days” that rings true today — even though it is often dismissed as outdated due to the use of technologies such as encryption — is that anyone who can physically access a computer may be able to access the data on that computer.
This rule is true even if encryption is utilized, for at least two reasons: Someone who accesses your device may not be able to access your data, but that person can certainly destroy it and may even be able to access it due to one or more of the following reasons:
On that note, if your computer contains files that you do not want your children to have access to, do not share your computer with your children. That may seem like obvious advice, but you would be amazed at how often it is ignored for financial reasons. (Why should I buy a second computer for my children when I already have a perfectly good computer at home?)
18.189.186.167