When we think about cybersecurity assessment and hardening, the obvious place to start is vulnerabilities in software or hardware. Do any of the encryption technologies we deploy have backdoors or weak keys that are easily cracked? How secure are our authentication mechanisms and credentials? Are all of our operating systems and applications patched? Are our wireless networks susceptible to man-in-the-middle attacks? Do those USB ports need to be enabled, or should they be disabled? How’s our BYOD (bring your own device) policy? Can our web servers be knocked over by a DDoS attack? Is it safe for us to upload sensitive data to our cloud environment? Can we protect our systems from fileless malware?
Those are all very important matters to concern yourselves with as you think about security hardening. But don’t forget your physical security, too! It’s an easy area to overlook, but the physical manifestation of your networks and computer systems may constitute a massive attack surface. Instead of providing a “how to” on a particular software application, this time I’ll show you how to acquire the right mindset for thinking about physical security. It may not be sexy like cryptography or biometric authentication, but you don’t want a malicious outsider physically wandering around your computers!
What is physical security?
All of the data that we in the information security field work so hard to protect has a physical manifestation somewhere. You are reading this as data that was sent to your client device from one of Peerlyst’s web servers, which is indeed on a physical computer. The client device you’re reading this on right now is a smartphone or tablet which is in your hand, or a PC which is at your desk, or a web browser on your “smart” refrigerator which is in your kitchen. If that’s you, thanks for remembering to read my latest Peerlyst post as you wait for your coffee to brew.
It’s very important to secure the purely digital ways of accessing your computers and your data, such as over an internet connection. But if I were a cyber attacker and I could physically touch your computer in whichever form it’s in, I’d have a major leg up on my cyber attacking competition! Someone with their hands on a machine can boot it from their own media, pull the disk out, or plug in a device of their choosing, and no firewall rule or patch level stands in the way of any of that.
So, physical security pertains to everyone who uses any sort of computer regardless of how traditional or novel its form factor is.
When I’m out and about, I’ve got to watch where my phone is. When my Android phone is idle, I must authenticate to it with a four-digit PIN in order to access its various functions and decrypt its data storage. I have a way of remotely locating and disabling my phone if it gets lost. The SD card in my phone would be worthless to an attacker if they can’t crack the encryption I put on it. But above all of that, the most important thing is for me to know where my phone physically is. When I travel with it, it’s never out of my sight.
From an enterprise perspective, there’s a lot more to consider. Chances are that you have datacentres. You could have some on your own premises, some on third-party cloud infrastructure, or some hybrid combination. You likely have office networks with many client machines, some servers, and some dedicated networking devices such as firewalls. It’s also likely that removable media is used in your network. Do you permit BYOD? If so, do your employees keep physical track of the phones and tablets that may hold sensitive company data, both inside and outside of the workplace? Do your employees put company data on optical discs, USB sticks, SD cards, or small external hard drives? Those removable devices must be physically secured as well. I’d hate for your sensitive documents to be left on an SD card in a McDonald’s washroom for a curious janitor to try loading into their own machine.
How to think about physical security
It would be a great idea for you to have your network periodically penetration tested by a trustworthy third party. If they are good pentesters, they will assess your buildings’ physical security with as much care as they run network vulnerability scanners against your IPs; just make sure physical testing is explicitly in scope and authorized in writing, because a tester who is caught picking a lock without that paperwork has a problem, and so do you. But you shouldn’t leave all of the thinking about your physical security to outside or inside red, blue, or purple teams. Your IT staff should consider your physical security every day.
My my! That’s quite a lovely biometric scanner on your server room door! But it’s not much good if the hinge pins are on the outside and I can simply pop them and lift the door out of its frame. Why was the door installed so poorly?
Alright, so your server room door is now very difficult to physically attack, and you even have a regularly watched CCTV camera on it. But there’s a grate that’s accessible from the parking lot side of your building. I managed to break the grate off, and now I’m crawling through your building’s ducts like Bruce Willis in Die Hard. Ah ha! I found a way into your server room during your off hours! Now I can remove some curious looking HDDs, tuck them into my Emily the Strange backpack, crawl back through the ducts, and run off home with your very sensitive corporate financial data (and unless those drives were encrypted at rest, the data is mine to read at leisure).
Hey, I managed to make friends with one of your clerical staff! I convinced her to hang out at a bar with me. She was very conscientious about taking her drink with her to the washroom. But she left her phone with me, unlocked and with no screen timeout. I emailed some of your company’s very interesting spreadsheets to myself through the email client on her phone. Then I deleted the sent message from her phone so there was no trace of it. I had time to put her phone down exactly as she left it before she returned to the bar.
Physical security in a nutshell
The first step to thinking about the physical security of your data is to think about the physical locations of the computers which contain your data.
Some computers are unlikely to physically move very much, such as the rackmount servers in your datacentre. For those sorts of computers, you must focus on making sure that only authorized people can physically enter your datacentre. Watch your ducts! Watch your vents! Watch your doors! Watch for people who may impersonate your staff! Watch to make sure that unauthorized parties cannot acquire your staff’s keycards and the like.
All of the same considerations also apply to your office networks. Make sure no unauthorized parties can enter your office space. Physical security staff should admit only employees, executives, and third parties who have been specifically authorized. Try many ways to physically sneak into your office areas (tailgating through a badge door, carrying a box and looking busy, claiming to be there to service the printer) and see whether a human being actually challenges you.
Can you monitor all of the removable media and mobile devices that your staff may have sensitive company data on? Is that a risk that you’re willing to take? Have you trained your staff on how to watch the physical security of their own devices?
Do any of your staff or contractors work from home? Maybe you should require them to use desktop PCs instead of laptops that they can carry with them. Or maybe there should be a way to physically lock the laptops down while they’re out and about. Do they also pay attention to the physical security of their homes?
Does your company contract third party cloud services? Ask them how they protect the physical security of your corporate data, who is allowed into their facilities, and whether they can show you independent audit evidence rather than just a marketing page.
Never underestimate your company as a cyber attack target. It’s better to be safe than sorry. You should think of your networks as being a target for Ocean’s Eleven or Ocean’s Thirteen or Ocean’s Eight even if you’re just a dental practice in a strip mall. You should think of all of the really clever ways cyber attackers could acquire physical access to your computers and removable media, but you should also think about all of the really dumb ways too. Did you leave a DVD by the water cooler? Oops.
This “how to” is just an introduction to the topic of physical cybersecurity. But hopefully now I’ve got you thinking with the right mindset.
“Knowing is half the battle!”