Jul 31 2007

3 Steps to Keep Physical Threats in Check

Take steps to keep physical threats in check.

While all security measures play a part in corporate and personal computing systems, physical security is perhaps most crucial for overall system security. We’re all careful to lock doors when we leave critical areas unattended, and we’re strict about granting access even when we are in attendance. Nevertheless, there are better tactics to bolster security when it comes to your desktop or notebook computer.

Separating the physical from the virtual is perhaps shortsighted. “Physical security is an information security problem, and vice versa,” says Kevin Beaver, CISSP, from Principle Logic. “Just ask the millions of people whose sensitive information has been compromised due to the lack of physical security controls.”

It’s easy to completely control the physical security of a building or data center by breaking into a NetBotz or similar system using the default user name and password through an unsecured wireless network, Beaver says.

Ensuring that your data is secure means maintaining physical security. Yet once you have made sure your physical data is safe, attend to your “brick-and-mortar” attributes as well.

Take a Walk

Physically taking in your surroundings is a good first step to building security. According to Gary Hinson of www.NoticeBored.com, “Walkabouts are a fabulous way to review your physical security arrangements on a regular basis.” In going for a walk around your premises, your data center manager, information security manager, and health and safety manager might find a broad range of potential security issues, such as broken fences, unlocked doors, faulty air conditioning/heating units and weak (or dead) UPS batteries. “The walkabouts are preferable to stuffy management meetings, and everyone gets to be hands-on.”

Eye in the Sky

Most security-minded companies acknowledge a need for surveillance through the entire workday, or even on a 24 x 7 basis. Today’s surveillance equipment is more affordable than ever, and companies are realizing prompt returns on these investments. Not only can the company keep an eye on outside threats, but it can also monitor insiders. Keep in mind, however, there are legal issues to consider before installing surveillance equipment — especially if you expect to record and archive activities. It’s best to iron out any issues before your company invests in any such apparatus.

Knowing they’re under such scrutiny acts as a powerful deterrent to workers who would otherwise be tempted to steal from the company — whether in the form of material goods or in wasting working hours on personal pursuits. There are plenty of surveillance options available, and if you’re interested in using Internet Protocol, Cisco’s Video Surveillance IP camera is an option. As explained by Cisco, “an IP camera digitizes and compresses video before transmission and uses the IP to transfer video streams to network-connected storage and viewing systems.” The beauty of this scheme is that the viewing systems can be situated anywhere your company sees fit, and the camera does the digitizing and compression (unlike analog cameras, which can be connected to a network only with an outside encoder for digitizing and compression).

Notebook Security

Notebook computers require extra security because they allow workers to leave the secured office with potentially sensitive information. According to Ken M. Shaurette, CISSP, CISA, CISM, you need to “speak to laptop security and the mobile physical security aspects that come with it.”

Boldly tag notebooks with your organization’s name or logo to deter theft. Internal components also can be etched with the company name and address to hamper their resale. Much like automobile antitheft mechanisms, tracking devices attached to notebooks can check in regularly to a tracking center using a traceable signal.

But, because an ounce of prevention is worth a pound of cure, you also can secure your notebook with simple locking cables or by using biometrics. Kensington makes a lock that attaches to the security slot found in most contemporary notebooks. Like the lock and chain that secured your bike when you were a child, this carbon steel cable and lock will prevent “notebook nabbing” and even comes in a retractable version for added convenience.

Other companies, such as Belkin and Targus, also have similar cable/lock products. In fact, Targus makes a product called Defcon 1, which incorporates a cable, motion sensor and alarm. If you’re still not comfortable, there are biometric fingerprint readers used for authentication and access control, and they can be attached to just about any notebook via the ubiquitous USB port. Unless they act as a deterrent, they won’t keep your notebook from being stolen, but they will keep your stored data unusable to whoever takes it.

We know that encryption, antivirus and authentication methods go a long way toward safeguarding our systems, but the bottom line is that no amount of that kind of security will make a difference if your system is physically taken from your possession. Securing your systems and devices physically leads to improved overall system security throughout your organization.

Douglas Schweitzer, A+, Network+, iNet+, CIW, is an Internet security specialist and author of several information security books.