There are a number of factors that need to be considered when designing, implementing, or reviewing physical security measures taken to protect assets, systems, networks, and information. They include understanding site security and computer security, securing removable devices and drives, access control, mobile device security, and identifying and removing keyloggers.
In a previous blog, we explored the basic concepts and key definitions of IT security.
Most businesses keep some level of control over who accesses their physical environment, yet there is a tendency, when securing computer-related assets and data, to look only at the virtual world. Large companies in a location with a data center often use badge readers and/or keypads to provide access to the building and any secure areas. Guards and logbooks are also used to control and track who is in the building. Final layers of security include keys for offices and desk drawers. Similar measures are taken in smaller offices, albeit usually on a smaller scale.
Remember that if someone can get physical access to a server where confidential data is stored, they can, with the right tools and enough time, bypass any security that the server may use to protect the data.
This multi-layered approach to physical security is known as defense-in-depth or a layered security approach. Securing a physical site is more than just putting a lock on the front door and making sure the door is locked. Physical security is a complex challenge for any security professional.
Security does not end with physical security. It is also important to protect confidential information with technology based on authentication, authorization, and accounting, including rights, permissions, and encryption.
Understanding Site Security
Site security is a specialized area of the security discipline. This section introduces some of the more common concepts and technologies that are typically encountered when working in the security field.
Understanding Access Control
Before we jump into site security details, it’s important to understand what is meant by access control. Access control is a key concept when thinking about physical security. It is also a little confusing, because the phrase is frequently used when discussing information security. In the context of physical security, access control can be defined as the process of restricting access to a resource to only permitted users, applications, or computer systems.
There are many examples of access control that people encounter every day. These include closing and locking a door, installing a baby gate to keep a toddler from falling down a staircase, and putting a fence around a yard to keep a dog out of the neighbor’s flowers.
The difference between the access control practiced in everyday life and the access control encountered in the business world is the nature of what is being protected, and the technologies available to secure them. We will cover these topics in more detail through the rest of this article.
Figure 1 Example of a layered site security model
Site security deals with securing the physical premises. One of the fundamental concepts used when designing a security environment is the concept of defense in depth. Defense in depth is a concept in which multiple layers of security are used to defend assets. This ensures that if an attacker breaches one layer of defenses, there are additional layers of defense to keep them out of the critical areas of an environment.
A simple example of defense in depth in the “real world” is a hotel room with a locked suitcase. To get into a locked hotel room, a person needs to get the key lock to work. Once they are past the key, there is a deadbolt that must be bypassed. And once they are past the deadbolt, there is still the lock on the suitcase that must be breached.
There are several goals to keep in mind when designing a physical security plan:
- Authentication: Site security addresses the need to identify and authenticate people permitted access to an area.
- Access control: Once a person’s identity has been proven and they have been authenticated, site security determines what areas they can access.
- Auditing: Site security also provides the ability to audit activities within the facility. This can be done by reviewing camera footage, badge reader logs, visitor registration logs, or other mechanisms.
For the purposes of this blog, we will break the physical premises into three logical areas:
- The external perimeter, which makes up the outermost portion of the location. This typically includes the driveways, parking lots, and any green space the location may support. This does not include things like public roads.
- The internal perimeter, which consists of any buildings on the premises. If the location supports multiple tenants, the internal perimeter is restricted to only the buildings that an employee can occupy.
- Secure areas, which are locations within the building that have additional access restrictions and/or security measures in place. These can include data centers, network rooms, wiring closets, or departments like Research and Development or Human Resources.
Understanding External Perimeter Security
The external security perimeter is the first line of defense surrounding an office. However, security measures in this area probably vary the most of any that we will discuss. When trying to protect a Top Secret government installation, the external perimeter security will consist of multiple fences, roving guard patrols, land mines, and all sorts of other measures that aren’t typically used in the corporate world. On the other hand, if an office is in a multi-tenant office park, the external perimeter security may consist of street lights. Most companies fall somewhere in between. Common security measures used for external perimeter security include the following:
- Security cameras
- Parking lot lights
- Perimeter fence
- Gate with guard
- Gate with access badge reader
- Guard patrols
One of the challenges associated with security cameras is that the security camera is only as good as the person monitoring it. Because monitoring cameras is a very expensive, resource-intensive undertaking, in most office environments there will not be anyone actively watching the cameras. Instead, cameras are used after the fact to determine what happened, or who was responsible.
Test an organization’s camera playback capabilities regularly. Because cameras are almost always used to review events after the fact, ensure that the system is successfully recording the data.
Understanding the Internal Perimeter
The internal security perimeter starts with the building walls and exterior doors and includes any internal security measures with the exception of any secure areas within the building. Security features that can be used to secure the internal perimeter include the following:
- Locks (exterior doors, internal doors, office doors, desks, filing cabinets, and so on)
- Security cameras
- Badge readers (on doors and elevators)
- Guard desk
- Guard patrols
- Smoke detectors
- Mantraps (devices that control access, such as double-doors)
The key security measures implemented in the internal perimeter are utilized to divide the internal space into discrete segments. This is a physical implementation of the Principle of Least Privilege. For example, if the office includes a Finance Department, Human Resources Department, and a Sales Department, it would not be unusual to restrict access to the Finance Department to only people who work in Finance. In general, Human Resources people don’t need to be wandering around the Finance area. These segregations may be based on floors, areas, or even a series of offices, depending on the office layout.
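The auditing goal described earlier (reviewing badge reader logs) and the segmentation just described fit together: the written department-to-zone policy is the Principle of Least Privilege, and the badge log is the evidence of whether the readers actually enforce it. The following is an added example, not code from the original article or from any badge system vendor. The zone policy, the badge directory, the log line format (ISO timestamp, badge id, zone, reader result) and the sample events are all constructed for illustration; a real export would need its own parser.

```python
"""
Physical least-privilege audit over badge-reader events.

Added illustration, not code from the original article. The
department-to-zone policy, the badge directory, the log line format
and the event lines below are all constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy: which departments may enter which zone. LOBBY is the
# internal perimeter shared by everyone; the other zones are the discrete
# segments the article describes (Finance only for Finance staff, and so on).
ZONE_POLICY = {
    "LOBBY": {"Finance", "HR", "Sales", "Facilities"},
    "FINANCE": {"Finance"},
    "HR": {"HR"},
    "SALES": {"Sales"},
    "DATACENTER": {"Facilities"},  # secure area: ordinary departments excluded
}

# Constructed badge directory: badge id -> department.
BADGE_DEPARTMENT = {
    "B1001": "Finance",
    "B2001": "HR",
    "B3001": "Sales",
}

# Grants outside this window are worth a second look during log review.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
REPEAT_DENIAL_THRESHOLD = 3


@dataclass
class Event:
    ts: datetime
    badge: str
    zone: str
    reader_result: str  # what the reader itself decided: GRANTED or DENIED


def parse_event(line):
    """Parse one constructed log line: '<iso timestamp>,<badge>,<zone>,<result>'."""
    ts, badge, zone, result = line.strip().split(",")
    return Event(datetime.fromisoformat(ts), badge, zone, result)


def evaluate(event):
    """Decide ALLOW/DENY from the written policy, independent of the reader."""
    dept = BADGE_DEPARTMENT.get(event.badge)
    if dept is None:
        return "DENY", "unknown badge"
    allowed = ZONE_POLICY.get(event.zone)
    if allowed is None:
        return "DENY", f"unknown zone {event.zone}"
    if dept not in allowed:
        return "DENY", f"{dept} staff are not permitted in {event.zone}"
    return "ALLOW", "policy permits"


def audit(lines):
    """Return (category, timestamp, badge, zone, detail) findings for review."""
    findings = []
    denials = Counter()
    for line in lines:
        ev = parse_event(line)
        decision, reason = evaluate(ev)
        if decision == "DENY" and ev.reader_result == "GRANTED":
            # The reader let through someone the written policy excludes:
            # a misconfigured reader or a stale badge assignment.
            findings.append(("POLICY_MISMATCH", ev.ts.isoformat(), ev.badge, ev.zone, reason))
        elif decision == "DENY":
            findings.append(("DENIED_ATTEMPT", ev.ts.isoformat(), ev.badge, ev.zone, reason))
            denials[(ev.badge, ev.zone)] += 1
            if denials[(ev.badge, ev.zone)] == REPEAT_DENIAL_THRESHOLD:
                findings.append(("REPEATED_DENIALS", ev.ts.isoformat(), ev.badge, ev.zone,
                                 f"{REPEAT_DENIAL_THRESHOLD} denials at the same reader"))
        in_hours = BUSINESS_HOURS[0] <= ev.ts.time() <= BUSINESS_HOURS[1]
        if ev.reader_result == "GRANTED" and not in_hours:
            findings.append(("AFTER_HOURS", ev.ts.isoformat(), ev.badge, ev.zone,
                             "granted outside business hours"))
    return findings


# Constructed sample of one day's badge-reader log.
SAMPLE_LOG = [
    "2024-03-04T08:15:02,B1001,LOBBY,GRANTED",
    "2024-03-04T08:16:40,B1001,FINANCE,GRANTED",
    "2024-03-04T08:20:11,B2001,FINANCE,DENIED",
    "2024-03-04T08:21:05,B2001,FINANCE,DENIED",
    "2024-03-04T08:22:30,B2001,FINANCE,DENIED",
    "2024-03-04T12:02:07,B3001,DATACENTER,GRANTED",
    "2024-03-04T22:45:19,B1001,FINANCE,GRANTED",
    "2024-03-04T23:01:00,B9999,LOBBY,DENIED",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Run against the sample, the audit reports the HR badge's three denials at the Finance reader (expected, and a useful signal to follow up), the Sales badge that a reader admitted to the data center against policy, the Finance grant late at night, and the unknown badge. The point of keeping `evaluate` separate from the reader's own result is that the written policy, not the reader configuration, is the reference: a reader that grants what the policy denies is itself the finding.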
Defining Secure Areas
Secure areas would include things like a data center, Research and Development Department, a lab, a telephone closet, a network room, or any other area that requires additional security controls not only from external attackers but also to restrict internal employee access. Secure area security technologies include the following:
- Badge readers
- Biometric technology (fingerprint scanner, retinal scanner, voice recognition, and so on)
- Security doors
- X-ray scanners
- Metal detectors
- Intrusion detection systems (light beam, infrared, microwave, and ultrasonic)
Smaller offices that are not occupied at night may take advantage of remote monitoring and intrusion detection systems in their internal perimeter. Larger locations typically have some activities going on during nights and weekends, which makes use of these technologies more of a challenge.
Understanding Site Security Processes
While technology forms a significant component when discussing physical security, the processes put in place to support the site security are just as critical. There should be processes at different levels of the site.
In the external perimeter, there might be processes to manage entry to the parking lot through a gate or a process for how often the guards will do a tour of the parking lots. Included in those processes should be how to document findings, how to track entry and exits, and how to respond to incidents. For example, the guard tour process should include instructions on how to handle an unlocked car or a suspicious person or, with the heightened awareness of possible terrorist attacks, how to handle an abandoned package.
In the internal perimeter, processes might include guest sign-in procedures, equipment removal procedures, guard rotation procedures, or details on when the front door is to be left unlocked. In addition, there should probably be processes to handle deliveries, how/when to escort visitors in the facility, and even what types of equipment may be brought into the building. For example, many companies prohibit bringing personal equipment into the office due to the risk that the employee could use their personal laptop to steal valuable company information.
In the secure area layer, there will generally be procedures for controlling who is permitted to enter the data center and how they will access the data center. In addition, you will have multiple mechanisms to ensure that only authorized people are granted access, including locked doors, biometric devices, cameras, and security guards.
Cameras are available on virtually every cell phone on the market today. To ensure that cameras are not used in a facility, plan on taking phones at the door or disabling the camera function.
Understanding Computer Security
Computer security consists of the processes, procedures, policies, and technologies used to protect computer systems. For the purposes of this article, computer security will refer to physically securing computers. We will discuss other facets of computer security throughout the rest of my blog.
In addition to all the measures we have discussed regarding physical security, there are some additional tools that can be used to secure the actual computers. Before we start discussing the tools, we need to differentiate between the three types of computers we will discuss:
- Servers: These are computers used to run centralized applications and deliver the applications across a network. This can be an internal network for large businesses or across the Internet for public access. The computer hosting a favorite website is an example of a server. Servers are typically configured with redundant capabilities, ranging from redundant hard drives to fully clustered servers.
- Desktop computers: These computers are usually found in office environments, schools, and homes. These computers are meant to be used in a single location and run applications like word processing, spreadsheets, games, and other local applications. They can also be used to interact with centralized applications or browse websites.
- Mobile computers: This category includes laptop, notebook, tablet, netbook computers, and smartphones. These are used for the same types of functions as the desktop computer but are meant to be used in multiple locations (for example, home and office). Due to their size, mobile computers are considered to be less powerful than desktop computers, but with the advances in microprocessor technologies and storage technologies, this gap is rapidly narrowing.
When securing a server, the first thing to consider is where the server will be located. Servers are typically significantly more expensive than a desktop or mobile computer and are used to run critical applications, so the types of security typically used with servers are largely location-based. Servers should be secured in data centers or computer rooms, which typically have locked doors, cameras, and other security features we have discussed earlier in the blog.
If a data center or computer room is not available, other options for securing server computers include the following technologies:
- Computer security cable: A cable that is attached to the computer and to a piece of furniture or wall.
- Computer security cabinet/rack: A storage container that is secured with a locking door.
Desktop computers are typically secured by the same types of computer security cables that can be used with server computers. Desktop computers are frequently used in secure office environments, or in people’s homes, and are not particularly expensive relative to other technologies. Most companies do not take extraordinary measures to protect desktop computers in their offices.
Mobile computers, due to their highly portable nature, have a number of technologies and best practices that can be leveraged to ensure they are not damaged or stolen.
Understanding Mobile Device Security
Mobile devices are one of the largest challenges facing many security professionals today. Mobile devices like laptops, PDAs (Personal Digital Assistants), and smartphones are used to process information, send and receive mail, store enormous amounts of data, surf the Internet, and interact remotely with internal networks and systems. When placing a 32 GB MicroSD memory card in a smartphone that a Senior Vice President can then use to store all the company’s Research and Development information, the impact to the company when someone grabs his phone can be staggering. As a result, the security industry makes available a number of technologies for physically securing mobile devices, including the following:
- Docking station: Virtually all laptop docking stations are equipped with security features to secure a laptop. This can be with a key, a padlock, or both depending on the vendor and model. Docking station security only works when the docking station is enabled and secured to an immovable object. It’s frequently just as easy to steal a laptop and docking station as it is to just take the laptop.
- Laptop security cables: Used in conjunction with the USS (Universal Security Slot), these cables attach to the laptop and can be wrapped around a secure object like a piece of furniture.
- Laptop safe: A steel safe specifically designed to hold a laptop and be secured to a wall or piece of furniture.
- Theft recovery software: An application run on the computer that enables the tracking of a stolen computer so it can be recovered.
- Laptop alarm: A motion-sensitive alarm that sounds in the event a laptop is moved. Some are also designed in conjunction with a security cable system so the alarm sounds when the cable is cut.
PDAs and smartphones are typically more difficult to secure because they are a newer technology that has exploded in popularity. There are somewhat limited tools available for securing them. For now, configure a password to protect a PDA and phone, enable encryption, and remotely wipe a phone that is managed by an organization. Some of the devices include GPS components that allow users to track a phone or PDA.
Of course, there are some best practices (and, yes, these are based on common sense) that can be followed when securing laptops as well as PDAs or smartphones, including:
- Keep your equipment with you. Mobile devices should be kept with you whenever possible. This means keeping mobile devices on your person or in your hand luggage when traveling. Keep mobile devices in sight when going through airport checkpoints.
- Use the trunk. When traveling by car, lock the mobile device in the trunk after parking, if you are unable to take the mobile device with you. Do not leave a mobile device in view in an unattended vehicle, even for a short period of time, or left in a vehicle overnight.
- Use the safe. When staying in a hotel, lock the mobile device in a safe, if available.
Using Removable Devices and Drives
In addition to mobile devices, another technology that presents unique challenges to security professionals is removable devices and drives. See Figure 2 for some examples of common removable devices.
Figure 2 Some examples of common removable devices
A removable device or drive is a storage device that is designed to be removed from the computer without turning the computer off. These devices range from the MicroSD memory card, which is the size of a fingernail and can store 32 GB (or more) of information, to an external hard drive, which can store up to 4 TB of data. CDs, DVDs, and USB drives are also considered removable drives, because they can be used to store critical data and are easily transportable.
These devices typically connect to a computer via a drive or by external communications ports like USB, Firewire, or, in the case of memory cards, through built-in or USB-based readers. These devices are used for a variety of purposes, including backing up critical data, providing supplemental storage, and transferring data between computers. In addition, applications can be run from USB drives. This storage is also used in music players like iPods and Zunes, as well as personal media players like the Archos and Creative’s Zen devices. There are three basic categories of security issues associated with removable storage:
The loss of the storage device is one of the most common issues people will encounter. USB drives are especially problematic in this regard. Typically the size of a pack of gum or smaller, these drives are often left in conference rooms, hotel rooms, or seat pockets on airplanes. The challenge is how to secure the gigabytes of data that is lost along with these drives. These devices can be protected with authentication and encryption. With Windows 7 and Windows Server 2008 R2, Microsoft released BitLocker To Go, which is used to protect data on mobile storage devices. Some companies may offer their own protection mechanism, such as IronKey. Of course, it is important to impress on users the value of these types of storage. Many users do not give a second thought to throwing a confidential presentation on a flash drive (a small drive based on flash memory) for a meeting. As part of the awareness efforts, educate users about the value of data and how easy it is to misplace these portable storage devices.
Theft is a problem with any portable piece of equipment. Many of the same measures discussed with respect to protecting mobile devices apply to these removable storage devices as well. For example, keep drives with you whenever possible. When this is not possible, secure drives in a hotel safe, locked desk drawer, or other secure location. Do not leave portable storage out where it can be easily removed from an accessible area. While the devices themselves are relatively inexpensive, the data on them can be irreplaceable or, worse, confidential.
The final area where these types of devices present a security issue is in conjunction with espionage. Many of these storage devices come in very small form factors, which make them particularly well suited to espionage. Flash drives can be disguised as pens, watches, or even as part of a pocketknife. Even more challenging, a music player or smartphone can include multiple gigabytes of storage. Even if external drives and music players are banned, removing employees’ smartphones is virtually impossible. So how do you protect an environment from this type of security threat?
The key to this threat is not to try to defend the environment from the portable devices but instead to protect the data from any unauthorized access. This is where the Principle of Least Privilege is critical—ensure that employees can only access the data, systems, and networks they need to do their jobs so that keeping critical data off portable drives is much easier.
Some environments address the issues associated with removable storage by using hardware or software configurations to prohibit their use. While this can be an effective strategy, it is also an expensive, resource-intensive activity. There are a limited number of businesses where this can be effectively implemented.
Identifying and Removing Keyloggers
A keylogger is a physical or logical device used to capture keystrokes. An attacker will either place a device between the keyboard and the computer or install a software program to record each keystroke taken and then use software to replay the data to capture critical information like user IDs and passwords, credit card numbers, Social Security numbers, or even confidential emails or other data. There are also wireless keyboard sniffers that can intercept the broadcast keystrokes sent between a wireless keyboard and the computer.
To protect against a physical keylogger, the best tool is visual inspection. Take a look at the connection between the keyboard and the computer. If there is an extra device in between, someone may be trying to capture keystrokes. This is especially important when working with shared or public computers, where attackers will utilize keyloggers to cast a wide net and grab whatever critical data someone might enter.
The best defense against a software keylogger is the use of up-to-date anti-malware software. Many software keyloggers are identified as malware by these applications. User Account Control (UAC) and host-based firewalls can also be used to prevent a software keylogger from being installed.
To defend against a wireless keyboard sniffer, the best bet is to ensure that a wireless keyboard supports encrypted connections. Most of the current wireless keyboards will either operate in an encrypted mode by default, or at least permit users to configure encryption during installation.