Creating a Physical Security Standard for Your Company
Cybersecurity is the pressing concern most organizations face when it comes to securing data, but not every hacker launches an attack from thousands of miles away; sometimes, the threat can walk right in through the front door to gain access to your IT system.
Adversaries are not shy about using a more direct approach, which is why an organization should not overlook its physical security plan. Generally speaking, physical security involves designing and operating physical security controls for premises, largely through implementing measures to discourage and sufficiently prevent unauthorized access, as well as measures to detect attempted or actual unauthorized access and activate an appropriate response.
Physical security is a key component in any organization's defense-in-depth approach to securing its IT environment. Insufficiently secured premises can lead to damage, theft, unauthorized access, or modification of IT assets.
One of the many resources available through a Trustwave Security Colony account is a step-by-step methodology to check if your organization is taking basic precautions.
Defending Against All Methods of Attack
Utilizing a defense in depth is a common practice for cybersecurity teams. Still, it's also important in the "real world," where an unlocked door or easily accessible computer can lead to disaster. Using 'layered' controls so that the compromise of any single control won't result in catastrophic failure or loss.
In cybersecurity, defense in depth tackles the security vulnerabilities that arise not just from hardware and software but also from human factors, given that security breaches are frequently a result of negligence or human mistakes. Classical safeguards for corporate networks, like antivirus software, firewalls, secure gateways, and virtual private networks (VPNs), undeniably retain their importance in a defense-in-depth approach.
Nonetheless, more advanced techniques, including the application of machine learning (ML) to identify irregularities in employee and endpoint behaviors, are currently being employed to establish the most robust and comprehensive defense strategy.
A hardened physical defense means manned entry points, locked doors, and alarmed gates at different levels of the perimeter is an example of such layers and using proven industry standards and frameworks where possible with this policy informed by ISO27001:2013 7 Physical and Environmental Security and COBIT.
The Unguarded PC as an Entry Point
A cyber threat actor is likely uninterested in gaining entry to a building just to steal something, this individual wants access to what is behind the curtain, and an easy way to obtain this is by using the target's own computer system.
This means an organization must use physical access controls to secure and segregate areas where systems and information are housed.
Here is a normal yet potentially dangerous scenario. A quick LinkedIn search finds the name of a person working at XYZ Inc. Armed with this name, a threat actor walks up to the reception area and says he has a lunch date with that employee, and could the receptionist point out where the person sits? If the receptionist does so, this supposed friend now has access to the following:
- The office space and its workstations
- DC/Server Rooms
- Wiring and Network closets
- Control Rooms and equipment
- IT Build and Storage Areas.
The moral of this story is the human element is not only weak when it comes to falling for phishing attacks, so teach everyone to always be on guard.
Protecting IT Equipment from Intruders
It's a bit of a no brainer, but often the obvious is easily overlooked. IT equipment must be stored securely. Staff who use laptops must take that device with them when they leave the premises or secure them using lockable drawers or cable locks. Other portable devices like mobile phones, tablets, USBs, and external hard drives must be locked away when not in use.
Even the ubiquitous printer, which is almost always connected to the network, should be placed in a controlled access area, away from spaces open to the public or visitors.
Information assets (computers, network devices) should never be removed from the premises without the device owner's explicit permission.
Combination locks, if used to store IT equipment, must meet the following requirements. Guess what? An old-fashioned combination lock is really no more than one more password-protected layer of defense.
So, just as users must regularly change network passwords, the same holds true for this style of lock. Buy locks with adjustable combinations, or simply buy a new lock when needed.
Network Ports and Wireless Access Points must be sufficiently obscured, so install them out of immediate sight. Leaving them exposed increases the risk of unauthorized devices or individuals accessing internal network resources. Another good move is to disable network ports in public areas and areas accessible to visitors.
IT equipment also must be protected from environmental hazards, interference, and disruption.
For example, staff should store IT equipment in a secure location where the risk from environmental threats and hazards is minimal. Segregate power and telecom cabling to protect from interference, and label cables clearly to avoid accidental damage.
Implement security/backup controls to protect equipment from disruptions caused by the failure of utilities (power, A/C, telecom, etc.). All data centers and critical operations areas must have appropriate controls to mitigate the risk of fire, water, heat, or power loss risks.
Let's Get Physical
Keeping equipment safe does not end there. Companies move, acquire new office space, or staff starts to work remotely. This activity means equipment will be moved about and must be transported securely.
When assets containing company information are physically handled and transported to and from different geographic locations, those assets must be protected in transit, and only handled by authorized persons during transport.
Device storage is also an issue. Even when unplugged and gathering dust in a closet, a computer retains its valuable information. So, any IT equipment that will be unused for an extended period must be properly secured.
Finally, staff must securely erase storage media such as hard drives, USB drives, or any device with on-board storage prior to disposal or re-use in accordance with the NIST 800 88 Revision 1 Secure Deletion and Disposal Standard.
It's imperative that an organization's information security posture encompasses not only digital defenses but also the physical security measures that safeguard its assets from real-world threats.
As the digital landscape evolves, adversaries seek vulnerabilities in both virtual and tangible domains.
Recognizing that data breaches can occur through physical means and cyberattacks, it becomes evident that a comprehensive defense strategy requires a multi-layered approach. Just as the principles of defense in depth are vital to cybersecurity, so are they integral to physical security.
By establishing robust access controls, employing industry standards and frameworks, and implementing best practices such as those outlined in ISO27001:2013 and COBIT, an organization can bolster its cyber and physical defenses.