Not all attacks on your organisation's data come across the network. It's imperative companies remember that maintaining an "iron-clad" network security program doesn't immunise them against the physical assault or theft of data and the networked resources that contain that data. Nothing emphasises this point more than the recent identity-theft incidents at ING and the Department of Veterans Affairs, both of which began with the theft of a company laptop.
Attackers can be from outside organisations, but they can also be insiders — disgruntled or greedy employees or contractors. When attackers are able to physically access a system, they can wreak a world of havoc.
These attackers can often cause systems to fail, and they can compromise password-protected computers by using a removable "boot" disk to gain access. Secured routers will allow administrative privileges to anyone who interrupts their startup process. In addition, attackers can directly access networks by adding or rearranging the connections, and they can easily steal physical objects if they're already on the inside.
Given the trend toward smaller, more lightweight PC components, physical security is growing increasingly important. Let's look at how you can protect your organisation and its data.
Not only should you implement a physical access control program in your company, but it's vital also to strictly enforce the measures you apply. At a minimum, these measures should address both personal access and information and equipment access.
Follow these guidelines for restricting personal access:
- Initiate a badge program that includes an employee picture, and colour-code specific areas of access.
- Make it a policy to question anyone who doesn't have a visible ID badge.
- Escort, observe, and supervise guests for their entire visit.
- Don't allow anyone — including vendors, salespeople, etc — to connect personal laptops (or any other computing device) to your network.
- Don't allow anyone to add hardware or software to computers without proper authorisation.
- Watch out for "tailgaters". These people wait for someone with access to enter a controlled area (such as one with a locked door) and then follow the authorised person through the door. Tailgaters enter without using their own key, card key or lock combination.
Follow these guidelines for protecting information and equipment access:
- Place monitors and printers away from windows and areas where unauthorised persons could easily observe them.
- Shred or otherwise destroy all sensitive information and media when it's no longer necessary.
- Don't leave documents unattended at fax machines or printers.
- Make it a requirement that all users log off or power down workstations at the end of the working day.
- Lock up portable equipment (for example, laptops, PDAs, media, memory sticks) out of sight in a safe storage place overnight.
- Don't allow the removal of computers or storage media from the work area or facility without ensuring that the person removing it has authorisation and a valid reason.
- Provide locks or cables to prevent theft, and lock computer cases.
Final thoughts
Physical access to corporate data by an unauthorised person is an assault on your organisation's security. Once someone gains physical access to your data — whether it's a stolen laptop or lost documents or media — you become vulnerable to further attacks, not to mention a lot of bad publicity. Use these guidelines to take steps to prevent such a loss before it occurs.
Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Centre.
