Physical Security

Author: Cody J., Inflow Software Engineer

When people talk about information or cyber security, they tend to focus on the computer side of security, i.e. system vulnerabilities, malicious code, etc. One of the aspects that is either ignored or relegated to a different group of people is the physical side of information security. If someone can gain access to your physical computers or network, it doesn’t really matter how much you’ve spent on computer security. They will eventually get what they want and, frequently, much more quickly than if they attacked via the network.

As mentioned previously, there can be whole divisions of workers dedicated to physical security, so this post will just highlight common areas of concern. The first thing people commonly associate with physical security is guards. While guards are commonly used, their efficacy can vary, and they can also be one of the most expensive types of physical security.

The main purpose of guards is to provide the human touch to security. They are able to make decisions based on the situation, unlike computerized systems that can only handle situations that are programmed into them. However, this flexibility also means that guards can be the weakest link in security.

It is human nature to want to help others. With social engineering, intruders can play on this aspect to manipulate guards into doing things that are contrary to security guidelines. For example, if a guard just visually looks at employee badges without a second means of authentication, a potential intruder could make a “good enough” copy of an employee’s badge and walk into the building. The truth is, very few guards inspect badges well enough to identify if one is real or not.

Supplementing guards with electronics is a common practice. Electronics can include video cameras, motion detectors and other sensors, biometric and other authentication devices, etc. Obviously, the problem with electronics is ensuring they have power and can communicate to the “home base”, whether that is a server or a guard station.

In today’s environment of having everything connected to the Internet, cyber security is critical. If an intruder is able to access your security systems through the Internet, the systems can be manipulated remotely, allowing other intruders to physically access your premises. It can be as simple as cycling the power to an electronic lock, as most locks are designed to fail open, i.e. if power is cut, the door unlocks to allow people to escape the building. If the door locks are connected to the Internet to allow remote control, a hacker could simply unlock a door remotely to allow an unauthorized individual to enter the building.

Companies frequently rely on cameras for security. The problem with this is that cameras don’t provide an immediate response, unless a guard is watching a monitor and is able to call someone else to investigate. Having a bank of monitors may not help, because a person can only watch one monitor at a time, so there is the possibility of missing something important on another monitor; plus, people get bored and have a tendency to stop paying attention after a few minutes.

Most cameras are connected to recorders so the tapes can be reviewed. Again, this doesn’t provide an immediate response to a situation; it is generally only useful as evidence for legal prosecution. However, it could be used for security training purposes, as well as identifying changes to security practices.

Maintaining control of physical documents is a key part of security. Dumpster diving is a legitimate threat to companies, as well as individuals. People will comb through garbage looking for useful information, whether it is financial information, employee lists, user manuals for software or equipment, etc. Information that is thrown out can be used in a number of ways.

For example, just knowing what type of software or telecommunications equipment is being used by a company can tell a hacker what vulnerabilities to look for, what possible default accounts may still exist on the system, etc. Lists of employees can provide fodder for social engineering attacks, clues to user passwords, and other information.

Therefore, shredding sensitive and proprietary information is important. User manuals that are no longer needed should be returned to the vendor or destroyed in a manner that prevents them from being read.

Another thing to consider is segregating company-sensitive information on a separate network. This makes it less likely that information will “walk off” the premises and creates an additional security feature: custom printing. In this scenario, printers connected to the separate network have colored paper in them. Thus, whenever company-sensitive information is printed out, it is easily seen as such and less likely to walk out of the building. If the paper color used is difficult to copy from, then even if someone gets a printout of the original document, they can’t make a copy on plain paper to take with them.

Lighting and landscaping are important things to consider when planning physical security. While many companies have hedges and other plants close to the building, this can be considered a security issue because they provide an ideal location for potential intruders to hide from guards and cameras. Depending on the location, they can also provide an unobtrusive location for someone to attempt to enter the building or a place to stash items when leaving the building.

Lighting is an important part of security. Obviously, installing lights makes it easier for guards to see potential intruders as well as providing safety for employees. Paradoxically, not having lights may improve security as well.

Consider an office building where the office lights are kept on all the time. Nominally this is for security purposes, but realize that an intruder could appear to be a regular employee who is working after hours. On the other hand, if the lights were kept off, then it would be immediately evident if an intruder is moving around with a flashlight.

This could also occur outside the building. Security lighting provides potential intruders with plenty of opportunity to “case the joint” and enter a building through an unobserved entrance, without having to use a flashlight. If, on the other hand, the building were not surrounded by lighting, intruders would have to provide their own light in order to attempt an entry, making it that much more obvious that something out of the ordinary was occurring.

Lighting, or the lack thereof, has little to no impact on security cameras. They can be purchased with low-light and infrared capabilities, so not having lighting won’t affect their ability to function. Combined with computer software to detect anomalies, it would be easy to identify unusual nighttime activity, such as flashlights moving around.

In summary, there is a lot more to physical security than many people consider. I haven’t talked about the varieties of locks available, man-traps, biometric authentication, etc., but when considering security for information systems, the physical is just as important as the electronic. If someone can walk away with your servers’ hard drives, having all the firewalls and patches in the world won’t do you any good.
