© Raymond Pompon 2016

Raymond Pompon, IT Security Risk Control Management, 10.1007/978-1-4842-2140-2_19

19. Physical Security Controls

Raymond Pompon

(1)Seattle, Washington, USA

One of the problems with offices is that you can get into them because by design you have to actually go to work.

—Chris Nickerson

The interesting thing about physical security is that some security folks write it off as "not my problem." We too can be victims of the Someone Else's Problem effect. In 2016, the California Attorney General reported that 22% of all reported breaches came from physical theft and loss; physical security problems were second only to malware. As much as we IT security geeks would like to distance ourselves from physical security problems, they are something we need to address.

The good news is that, comparatively speaking, physical security is easier to get a handle on than most other IT security domains, for two big reasons. The first is that physical security is something a human being can tangibly examine and test, as opposed to the invisible and multifaceted world of technology. The second is that we humans have been dealing with physical security challenges for as long as we've been human. It's a mostly solved problem; we just need to apply the appropriate controls and make sure that they keep working.

Getting a Handle on Physical Security

As with applying any control, the first thing you should think about is the risk to scoped assets. When you look at the assets, the primary ones in your scope are likely going to be the data center, server rooms, wiring closets, and portable media. You use the majority of your physical security controls to protect those. From there, you move out and look at the surrounding office areas with their laptops, workstations, and open network connections. Finally, you can move your attention to the outer physical perimeter: the office suite, the floor, the building, or the campus.

Many organizations have multiple office locations, sometimes in different countries, which can make securing the premises a challenge. This is where scope comes into play again. Maybe you don't need to protect all of your offices, because only a handful of them contain in-scope data centers. Some locations exist for logistical or business reasons but have weak physical security: shared offices within another organization, for example, or open buildings with a lot of temporary workers. These are the kinds of places you want to pull out of scope, and then build a perimeter to protect the rest of the organization. In effect, you treat these out-of-scope zones as untrustworthy, as "the outside." This is just like the scope barriers in the electronic world, but now in the physical one. It could mean different key and visitor access requirements when people move from an untrustworthy area into a scoped, protected one, and it's at this perimeter entrance that you can place additional surveillance cameras. Perhaps you have controls in both zones, just stronger controls in the scoped areas. Sometimes you have several levels of increasingly controlled zones as you move closer to the core scoped assets. Think of the physical security layers in a bank: the lobby, the area behind the teller line, and finally the vault. The scoped area should have less foot traffic than the un-scoped area, so additional controls there shouldn't be much of a hassle.

Physical Risk Assessments

When you look at physical security risks and where to put controls, carefully examine the existing practices. How do people enter and exit the facility? If you walk the process yourself, you can spot where things might break down. How do visitors enter the facility? Does someone have to do something to let them in (unlock a door), or is the visitor supposed to check in at a desk as they pass down a hall into the rest of the office? I call this the honor system of physical security, because only the rule-abiding visitors check in; the scofflaws blaze by into the facility, often unnoticed if the entry is busy. Are strangers challenged once they are inside the building and wandering around?

When looking at door locks, remember that these are controls based on technology, and technology is complex and can fail. Table 19-1 shows some technological vulnerabilities in physical security that you should be aware of. Note that keys, cards, and codes are all bearer credentials: whoever holds a copy is "authorized" as far as the lock is concerned, which is why a door lock is only as good as the control over its keys.

Table 19-1. Physical Controls and How They Can Be Defeated

  Physical Control                                                  | Can Be Defeated By
  ------------------------------------------------------------------|---------------------------------------------------------------------
  One-way fire exits                                                | Tape over the lock bolt; door propped open with a small wad of paper
  One-way entrance doors that unlock via an infrared beam inside    | Sliding a stick under the door to trip the sensor1
  Keyed entrance locks                                              | Lock picks, bump keys2, forcing the lock cylinder
  Proximity card reader door locks                                  | RFID duplicator3 (cloning a card read at close range)
  Combination code door locks                                       | Hidden camera placed nearby by the attacker to record the code

Beyond doors, you have walls. When looking at physical security, consider the strength and coverage of all six walls of a room. This means don't forget the floor and ceiling. Many server rooms and data centers have drop ceilings and raised floors that may not fully block access from areas beyond the secured perimeter. I have also seen secured areas where the doors are heavy and thick but the walls are just drywall nailed onto the studs. If a wall is weak enough to be easily broken through, make sure that it's in a high-visibility area so that attackers at least call attention to themselves. This is also the reason why outside walls should be kept clear of vegetation and other hiding places for would-be burglars and snoops.

Speaking of visibility, be sure to consider the security of your scoped facilities after hours. While some places have guards or personnel on site 24/7, other places become abandoned after business hours. What would happen if an intruder attempted a break-in after dark? Would any alarms be raised? Another question to ask is when the last person leaves, do they have a checklist to follow to make sure that all the entrances and windows are actually locked (remember the tape-on-the-door-lock trick) and the burglar alarm is armed?

Physical Security Policy

Before getting into the details of the physical security controls, you should set the ground rules with a physical security policy. From this policy, you can derive the controls, standards, and training that are needed.

Sample Physical Security Policy

ORGANIZATION will protect its facilities, offices, equipment, and media from unauthorized physical access, tampering, or damage. The Security department, the IT department, and the Office Manager will share responsibility for managing the physical security of ORGANIZATION's facilities, offices, computing systems, and media. To help meet this goal, ORGANIZATION will:

  • Control access to its offices, server rooms, and wiring closets with self-locking entrances.

  • Require all authorized employees and contractors of ORGANIZATION to wear photo-ID badges.

  • Designate the rooms containing IT equipment, network wiring, or media as secure facilities, which must use keyed entrance locks.

  • Physically segregate secure facilities within ORGANIZATION and require a higher level of keyed access to enter them.

  • ORGANIZATION will deploy detection tools such as card access logs, video surveillance cameras, and alarms to control access to secure facilities.

  • The IT department will have the responsibility for controlling visitors into secure facilities and tracking the visitor’s name, organization, and reason for visiting.

  • Visitors in the secure facilities will be escorted and supervised at all times.

  • Visitor escorts will prohibit visitors in the secure facilities from bringing or removing media or IT equipment without inspection or approval.

  • The front desk reception will have the responsibility for authorizing visitor access into the facilities, assigning visitor badges, verifying, and tracking visitor information including name, organization, and reason for visiting.

  • ORGANIZATION employees or on-site contractors will be instructed and trained to supervise visitors and report unsupervised visitors.

  • ORGANIZATION will use physical and IT security controls to ensure the protection of portable computing devices and media. These controls can include laptop encryption, laptop cable locks, and media safes.

  • ORGANIZATION will track and monitor portable media containing confidential information and properly dispose of them when no longer needed.

  • Co-location and cloud service providers engaged by ORGANIZATION to manage IT systems used by ORGANIZATION will adhere to these standards.

  • Co-location service providers engaged by ORGANIZATION will use an authorized access list for the facilities. The service provider will track formal authorizations from ORGANIZATION for changes to the access list.

  • The IT and Security department will share responsibility for managing co-location facility access and ensure that only authorized individuals are on the access list.

Personnel Security

An anthropologist named Robin Dunbar proposed that a human can only comfortably maintain stable relationships with around 150 people.4 This seems like a good estimate of the size at which an organization begins to lose track of who's authorized to be onsite. At a few hundred personnel, employees can no longer recognize every other employee, and you have the danger of unauthorized people wandering the corridors of your office. Therefore, for larger organizations, it is prudent to have all authorized personnel wear badges. These badges should be difficult to duplicate and recognizable at a distance. Badges can also include a photo of the bearer to help identify the badge holder. Badges aren't a perfect control, because a determined attacker can simply counterfeit one, but they are still useful for spotting opportunistic intruders.

Visitor Security

Staff should have guidance on how to handle visitors and strangers wishing to enter the facility. These visitor procedures should be included in the security awareness training that all staff receive. Staff should be instructed not to let strangers into the office or let them tailgate behind authorized persons unlocking doors. Visitors should remain outside or in a controlled waiting area until the purpose of their visit can be determined. For example, if Mary Sue is coming to visit Bobby Joe, she should remain in the lobby until Bobby Joe comes out to meet her and escort her to where they plan to meet. Under no circumstances should visitors or unaccompanied strangers be allowed to roam around looking for someone's office or a meeting room. In more secure environments, visitors should be formally signed into a register with their name, affiliation, and purpose of visit. Their identity can be verified against a government-issued photo ID, and they can be issued a temporary visitor badge. Visitor badges can be printed with the date on which they are valid. Some sophisticated badges are chemically treated to slowly change color over the day to indicate that they have expired.

Staff should also be trained to challenge unrecognized or unbadged strangers found inside the facilities. This challenge can be as simple as telling staff to approach the person and say, “I don’t recognize you. Can I help you with something?” If the staff person feels uncomfortable or senses danger, they should disengage and report the stranger to the office manager or the security department immediately. When escorting visitors or strangers, staff should be instructed not to take their eyes off them until someone has taken the handoff or they’ve exited the secure area.

Training

Naturally, some people will find all of these procedures a hassle or awkward to do. Since you're creating policies and procedures and planning to be audited, you should either make the procedures fit the culture of the environment or be prepared to work persistently to ensure that they are enforced.

One way to train people is to conduct random drills. Have a colleague wander around the office without a badge to see if he is stopped by staff. If so, have the "fake stranger" escorted to the security department, where you reward the staff person with a free coffee card or some other prize. Publish overall results so that employees know that this is going on, but don't shame individuals. You can also engage people's self-interest by telling them that part of the purpose of these procedures is to cut down on office thefts. There are occasional purse-and-phone thieves who wander through offices, stealing whatever they see lying around, which is usually people's personal belongings. This tends to get people's attention more than protecting corporate assets does.

Security in the Offices

As stated in the sample policy, the best way to handle the front door is to lock it all the time and require that someone come and open it for visitors. Always-locked doors imply that authorized personnel have keys to let themselves in. Having keys means you need to keep track of who has which keys, and people need to be trained to report lost keys in a timely manner. This is where electronic key cards are handy, as you can quickly invalidate a lost or stolen card without having to call a locksmith. Always-locked doors should also have auto-closers and door-prop alarms, especially doors that are low traffic or in low-visibility areas.

Clean Desk Policies

Even with all the visitor policies and locked doors, one should always assume breach. Attackers could get in via social engineering or be mistakenly granted access through deception. Given that, how do you prevent confidential information from walking out the door? This is where a clean desk policy comes in. As the name says, the ideal policy is for all desks to be clear of papers and all drawers locked when someone is not there. Not only is this the most secure approach, it is also the easiest to audit. If you told people to remove only the papers with confidential information from their desks, how could you ever verify this without reading every single paper you find? We are in the fourth decade of the so-called "paperless office," so maybe this is a realistic goal in your organization. It also means that you need to ensure that all staff have access to locking drawers and cabinets, and that someone holds a master key in case of emergencies. Be aware that the clean desk rule applies to more than papers: laptops, portable drives, and mobile devices should also be put away when someone leaves the desk.

Similarly, computer screens that could display confidential information need to be positioned so that they cannot be easily read from outside windows or by visitors. There are special privacy screen overlays available that prevent shoulder surfers from seeing anything but a blur; only someone sitting directly in front of the monitor can see it clearly. Staff should also be instructed to wipe whiteboards and dispose of meeting materials in conference rooms when they are done. Not only is this secure, it also looks much more professional.

Obvious security mistakes like taping password notes to monitors or walking away from a logged in session should be discouraged through training and reminders from security personnel. One training practice is to leave parking tickets for offenders and small prizes for good behavior on random office checks.

Devices like paper shredders or shred bins should be made available so that staff has a simple and easy way of doing the right thing with confidential documents. As a perk, some organizations even allow employees to bring confidential documents from home in to be shredded, as long as it’s reasonable.

Screen Saver Lockouts

In the event that people forget to log out of their systems and leave for the day, most modern operating systems offer an automatic screen lock after a certain period of inactivity. The industry standard is 10 or 15 minutes5 before a password-protected, screen-obscuring screen saver activates on an unattended system. Note that a screen saver that obscures the display but does not require a password to dismiss provides no security at all, so check that the lock is actually enforced and not just the screen saver. Users should also be encouraged to log off fully at the end of the day.
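The point above about checking that the lock is really enforced, not just the screen saver, is easy to get wrong when reading registry settings by hand. The following is an added example (not from the book) that parses the text output of Windows `reg query` for the screen saver values under HKCU\Control Panel\Desktop and the machine-wide InactivityTimeoutSecs policy, and reports which of the three things that must all be true (saver active, saver password-protected, timeout within policy) is missing. The sample outputs are constructed, and the 900-second limit is taken from the PCI DSS 15-minute requirement cited in the footnote.

```python
"""
Audit Windows screen-lock settings from 'reg query' output.
Added example; the SAMPLE_* strings are constructed, not captured from a host.
"""
import re
from typing import Dict, List, Optional

# Policy limit: re-authenticate after 15 minutes idle (PCI DSS 3.2 req. 8.1.8).
MAX_IDLE_SECONDS = 900

# One value line of 'reg query' output: "    Name    REG_TYPE    data"
VALUE_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.]+)\s+(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")


def parse_reg_query(output: str) -> Dict[str, str]:
    """Turn 'reg query' text into {value_name: data}; key-path and blank lines are skipped."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        if line.lstrip().startswith("HKEY"):
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data")
    return values


def to_int(raw: Optional[str]) -> Optional[int]:
    """REG_SZ timeouts are decimal text; REG_DWORD shows as hex like 0x384."""
    if raw is None:
        return None
    try:
        return int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
    except ValueError:
        return None


def assess_screen_lock(values: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the unattended session will lock in time."""
    # "Interactive logon: Machine inactivity limit" locks regardless of screen saver settings.
    machine_limit = to_int(values.get("InactivityTimeoutSecs"))
    if machine_limit is not None and 0 < machine_limit <= MAX_IDLE_SECONDS:
        return []

    findings = []
    if values.get("ScreenSaveActive") != "1":
        findings.append("screen saver is disabled (ScreenSaveActive != 1)")
    if values.get("ScreenSaverIsSecure") != "1":
        findings.append("screen saver does not require a password (ScreenSaverIsSecure != 1)")
    timeout = to_int(values.get("ScreenSaveTimeOut"))
    if timeout is None:
        findings.append("no idle timeout set (ScreenSaveTimeOut missing or not numeric)")
    elif timeout <= 0 or timeout > MAX_IDLE_SECONDS:
        findings.append(f"idle timeout {timeout}s exceeds policy limit of {MAX_IDLE_SECONDS}s")
    return findings


# Constructed sample: compliant host.
SAMPLE_OK = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    600
    SCRNSAVE.EXE    REG_SZ    C:\Windows\system32\scrnsave.scr
"""

# Constructed sample: saver runs, but never locks and only after an hour.
SAMPLE_BAD = r"""
HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    0
    ScreenSaveTimeOut    REG_SZ    3600
"""

# Constructed sample: no screen saver, but the machine-wide policy locks at 10 minutes.
SAMPLE_POLICY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    InactivityTimeoutSecs    REG_DWORD    0x258
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("policy", SAMPLE_POLICY)):
        print(name, assess_screen_lock(parse_reg_query(sample)) or "compliant")
```

To use it on a real host, feed the output of `reg query "HKCU\Control Panel\Desktop"` and `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v InactivityTimeoutSecs` into `parse_reg_query`; Group Policy can also set the same screen saver values under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, which take precedence and should be queried the same way.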

Network Access Controls

To prevent attackers from plugging unauthorized devices into the organization's network, there is a class of network security system called Network Access Control (NAC). A NAC system authenticates and tracks every authorized device on the network. When a new, unrecognized device is detected, the NAC system automatically shunts its connection, usually via VLAN assignment, to a quarantine network with limited access until its validity can be established. These systems are very handy for stopping the office visitor who plugs in a laptop and infects the whole network with malware they didn't know they had. Be aware that NAC which recognizes devices by MAC address alone can be bypassed by an attacker who copies the MAC of an authorized device such as a printer; authenticating devices with 802.1X credentials or certificates is considerably stronger. The downside is that NAC systems are not simple or cheap to implement, but they may be worth deploying in environments that need that level of control.
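To make the VLAN-shunting decision and the MAC-only weakness concrete, here is an added example (not from the book and not any vendor's NAC product) that plays the role of a small NAC policy engine. It consumes constructed port-authentication events in an assumed key=value format, puts unknown devices and failed 802.1X attempts on the quarantine VLAN, admits inventoried MAC-only devices via MAC authentication bypass, and raises an alert when an inventoried MAC shows up on a second switch port while its first port is still up, which is the cheapest sign that someone cloned it.

```python
"""
Toy NAC decision engine over switch port-authentication events.
Added example; inventory, VLAN numbers and the event line format are all assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROD_VLAN = 10          # assumed production VLAN
QUARANTINE_VLAN = 999   # assumed quarantine VLAN (remediation portal, nothing else)

# Authorized devices: MAC -> expected 802.1X identity, or None for agentless
# devices (printers, etc.) that are admitted by MAC authentication bypass (MAB).
INVENTORY: Dict[str, Optional[str]] = {
    "00:11:22:33:44:55": "alice@corp.example",   # laptop with an 802.1X supplicant
    "00:11:22:33:44:66": None,                   # printer: MAB only, no credential checked
}


@dataclass
class Event:
    kind: str                 # "auth" (port-auth attempt) or "linkdown"
    port: str
    mac: str
    identity: Optional[str]   # 802.1X identity offered, None if none
    accepted: bool            # RADIUS Access-Accept


def parse_event(line: str) -> Event:
    """Parse 'event=auth port=Gi1/0/7 mac=.. dot1x=user result=accept' (assumed format)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    ident = f.get("dot1x", "-")
    return Event(f["event"], f["port"], f["mac"].lower(),
                 None if ident == "-" else ident, f.get("result") == "accept")


class Nac:
    def __init__(self, inventory: Dict[str, Optional[str]] = INVENTORY) -> None:
        self.inventory = inventory
        self.port_of: Dict[str, str] = {}   # MAC -> port currently holding it
        self.alerts: List[str] = []

    def _decide(self, ev: Event) -> Tuple[int, str]:
        if ev.mac not in self.inventory:
            return QUARANTINE_VLAN, "unknown device"
        expected = self.inventory[ev.mac]
        if expected is None:
            return PROD_VLAN, "MAB: MAC in inventory (spoofable, no credential checked)"
        if ev.accepted and ev.identity == expected:
            return PROD_VLAN, "802.1X: identity matches inventory"
        return QUARANTINE_VLAN, "known MAC but 802.1X failed or identity mismatch"

    def observe(self, ev: Event) -> Optional[Tuple[int, str]]:
        """Return (vlan, reason) for an auth event; None for link-down housekeeping."""
        if ev.kind == "linkdown":
            self.port_of = {m: p for m, p in self.port_of.items() if p != ev.port}
            return None
        vlan, reason = self._decide(ev)
        prev = self.port_of.get(ev.mac)
        if prev is not None and prev != ev.port:
            # Same MAC live on two ports at once: cloned MAC or a loop, either way quarantine.
            self.alerts.append(f"{ev.mac} seen on {ev.port} while still up on {prev}: possible MAC spoofing")
            return QUARANTINE_VLAN, "duplicate MAC"
        self.port_of[ev.mac] = ev.port
        return vlan, reason


def run(lines: List[str], inventory: Dict[str, Optional[str]] = INVENTORY):
    """Feed event lines through the engine; return ([(port, vlan, reason)], alerts)."""
    nac = Nac(inventory)
    decisions = []
    for line in lines:
        ev = parse_event(line)
        d = nac.observe(ev)
        if d is not None:
            decisions.append((ev.port, d[0], d[1]))
    return decisions, nac.alerts


# Constructed event stream, in the assumed format.
EVENTS = [
    "event=auth port=Gi1/0/1 mac=00:11:22:33:44:55 dot1x=alice@corp.example result=accept",
    "event=auth port=Gi1/0/2 mac=00:11:22:33:44:66 dot1x=- result=accept",                 # printer via MAB
    "event=auth port=Gi1/0/3 mac=de:ad:be:ef:00:01 dot1x=- result=reject",                 # visitor laptop
    "event=auth port=Gi1/0/4 mac=00:11:22:33:44:66 dot1x=- result=accept",                 # printer MAC, 2nd port
    "event=auth port=Gi1/0/5 mac=00:11:22:33:44:55 dot1x=mallory@corp.example result=reject",
    "event=linkdown port=Gi1/0/2 mac=00:11:22:33:44:66",                                   # printer unplugged
    "event=auth port=Gi1/0/4 mac=00:11:22:33:44:66 dot1x=- result=accept",                 # printer moved: fine
]

if __name__ == "__main__":
    decisions, alerts = run(EVENTS)
    for port, vlan, reason in decisions:
        print(f"{port}: VLAN {vlan} ({reason})")
    for a in alerts:
        print("ALERT:", a)
```

Note that the printer's fourth event is quarantined only because its original port is still up; after the link-down, the same move is accepted silently. That is exactly the blind spot of MAC-based admission: an attacker who unplugs the printer and clones its MAC looks like a relocated printer, which is why the text recommends credential-based 802.1X wherever the device can support it.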

Secured Facilities Controls

Secure facilities, like server rooms, need stronger security controls than the general office environment. They should have their own locked door that requires a different key than the main office door. This may sound obvious, but I have seen server rooms in offices separated only by a fabric curtain. Secured facilities should also have their own visitor sign-in procedures, with rules about what equipment can be allowed in or out of the room. You do not want random vendors sticking their USB drives, possibly full of malware, directly into your servers.

Access to secure facilities should be based on least privilege and extremely limited. There should be a formal procedure that tracks changes to the access list and list should be subject to periodic review. Photography within secure facilities should be prohibited and the secure facilities should be kept out of public building directory listings. It’s likely that despite all of this, building maintenance personnel may have access to the room anyway. Be sure to work with your landlord to ensure that they only enter the room when accompanied by organizational staff, unless it’s an extreme emergency.

Racks and Cages

Within the room, the ideal is to have all racks and cages locked as well, just in case someone does make it into the room. This isn't always feasible, but you can at least lock the racks and cages holding your most sensitive equipment and connections. As with the door locks, the keys to the racks should be tracked and reviewed. Since there are no door-prop alarms on racks and cages, you need to drill staff about leaving doors unlocked and unattended. These are the kinds of things that auditors double-check and write up findings about.

Cameras

In addition to all the locks and visitor procedures, a video surveillance camera recording all entries into and exits from the secure facilities is prudent, and PCI DSS requires that physical access to sensitive areas be monitored with cameras and/or access control mechanisms. A good place to position your camera is inside the secure facility, facing the door. This way, when the door opens, you get a full-body picture of whoever is entering. Motion sensors can also trigger video recording and send an alarm by e-mail. Remember that video surveillance is technology and thus prone to occasional failures and glitches. Assign someone to review the camera and its footage periodically to make sure that it is capturing what you think it should capture. You need to retain your video recordings for at least 90 days (PCI DSS asks for a minimum of three months).

Alarms

Secure facilities can also have alarms. Some surveillance camera systems can be scheduled so that they alarm when detecting motion during certain times, and you can also install door-prop alarms. If you have alarms, make sure that you have assigned responsibility and procedures for responding to them. An unattended e-mail box full of motion sensor alarms is not doing anyone any good.

Guards

If you have the resources, you can have physical guards patrolling your facilities. Sometimes the building management company already has guards that you can leverage as part of your security program. Make sure that you have a good working relationship with the guards and that they understand your security requirements and goals. This is especially true if the guards are not hired directly by your organization. Reviewing the guards' and building management's security capabilities should be part of your risk assessment. In addition, if the guards are external to your organization, you need to review their security and general processes as described in Chapter 23, which focuses on third-party security. Lastly, make sure that the guards know what to do and whom to contact if an incident occurs. Supplying them with your phone number is insufficient; they should have an escalating call list of numbers to contact.

Environmental Controls

Since computers don’t react well to heat or water, it’s common to have environmental controls in server rooms. These include heating ventilation and air conditioning (HVAC) systems to control temperature and humidity. These HVAC controls should be tied to alarms, so that if there is a problem in the middle of the night, someone is alerted immediately (instead of waiting until the morning shift discovers a room of overheated and ruined equipment).

Media and Portable Media Controls

It's a safe bet to assume that anything small enough to be carried off will be. This includes printouts, laptops, mobile phones, backup tapes, flash drives, isolinear optical chips, hard drives, floppy disks, and workstations. There are numerous cases of major breaches attributed to the loss or theft of these kinds of devices. Sometimes these devices are mistakenly thrown away without the information on them being rendered unreadable. All of these mishaps are so easy to prevent, yet so devastating, that you will likely look negligent and/or stupid if one happens to you. So don't let it happen.

When it comes to managing media with confidential data, the first thing to do is know what you have. This means assigning responsibility for keeping an inventory that tracks things like backup tapes and external drives. A security standard defining the protection requirements for this media should be published, along with procedures for media handling. Minimum physical security standards for off-site transport and storage of backup tapes need to be developed, as this is where many accidents occur. Procedures for handling drives and systems sent out for repair should also be established. You do not want a critical server full of credit card numbers shipped off to the local computer repair shop without first removing the drive or ensuring proper security at the repair depot. One idea is to color-code the media and systems that contain scoped data, so that it is physically easy to spot when such drives or equipment are taken out of the secure facilities (see Chapter 23 for a discussion of ensuring security at external repair depots).

Media Destruction

When it comes time to get rid of equipment and media, the data needs to be rendered completely unreadable. Dumpster diving by attackers looking for accidentally discarded confidential information is a real threat. Furthermore, you do not want classified information sitting around on old laptops donated to charity. There are data-erasure software applications that overwrite a disk with zeros or random data to make it very difficult to recover; be aware that overwriting is unreliable on solid-state drives, whose wear-leveling can leave old copies of data in blocks the software cannot reach, so for those use the drive's built-in secure-erase command or destroy the encryption key of an encrypted drive. Even more secure are media-shredding companies that physically turn a hard drive into metal splinters and provide you with a certificate of destruction. Some even come on-site to do the destruction, to ensure that the sensitive data never leaves the premises.

Laptop Controls

As thousands of laptop computers are stolen each day6, users should be educated on how to protect their portable devices. This can be part of the security awareness training and should include basic tips like:

  • Don’t leave laptops unattended in a vehicle, especially in plain view.

  • Don’t leave your laptop unattended in public places like coffee shops.

  • Be vigilant at airport security checkpoints; keep an eye on your laptop when it emerges from the X-ray machine.

  • Don’t check your laptop in with your luggage when flying; keep it with you.

  • Carry your laptop in a nondescript bag.

  • If your laptop is lost, report it to the security department and the police immediately.

In addition, you can have laptop security standards that include engraving or affixing tags to laptops to assist in their recovery. There are laptop anti-theft software agents that can track or remotely wipe laptops or mobile phones when they are reported stolen. One of the best controls is full-disk laptop encryption. In fact, any media or device containing confidential information that crooks could carry away should be encrypted.

Convergence of IT and Physical Security Controls

A large number of modern physical security controls are network-ready, which means they can generate meaningful log data and allow remote administration. This includes door locks, surveillance cameras, motion sensors, and temperature sensors. Some organizations keep these systems segregated in order to prevent an IT attack from escalating into physical penetration. Other organizations, however, are converging their physical and IT security controls to gain greater prevention, detection, and response capabilities. For example, key card logs can be cross-referenced with user logins. This could trigger an alert when the system sees a user log in to a machine in a building where that user's key card was never seen entering: either the user tailgated in on someone else's card, or that's not him. (Remote and VPN logins need to be excluded from such a check, or every home worker becomes an alert.) Some converged systems take this a step further and do not allow a network login to occur until the user has physically carded into the building. Convergence can also give security administrators a single interface to manage user access. It can be very powerful to have one place to review (and revoke) all of a user's permissions.
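The badge-versus-login cross-reference just described, written out as detection logic, is shown in the following added example (not from the book and not any converged-security product's code). It reads constructed badge-reader and login log lines in an assumed whitespace-separated format, sorts the badge events (exports are rarely in order), and flags each console login for which the account's most recent badge event at that building, as of the login time, is not an entry: no badge event at all (tailgating or a borrowed session), a badge-out that was never followed by a badge-in (the user left, someone else is at the keyboard), or a badge-in at a different building (the credential is being used somewhere its owner is not). Remote logins are skipped, as the caveat above requires.

```python
"""
Correlate badge-reader logs with workstation logins to find logins that have
no matching physical entry. Added example; log lines and formats are constructed.
"""
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed badge-reader export: "timestamp building user IN|OUT" (deliberately unsorted).
BADGE_LOG = """
2016-05-02T08:02:11 seattle alice IN
2016-05-02T08:05:40 seattle bob IN
2016-05-02T12:10:03 seattle bob OUT
2016-05-02T08:30:00 portland carol IN
"""

# Constructed login export: "timestamp building host user console|remote".
LOGIN_LOG = """
2016-05-02T08:04:00 seattle WS-101 alice console
2016-05-02T08:20:15 seattle WS-117 dave console
2016-05-02T12:45:00 seattle WS-104 bob console
2016-05-02T09:00:00 seattle WS-120 carol console
2016-05-02T09:15:00 seattle VPN-GW erin remote
"""

BadgeEvent = Tuple[datetime, str, str, str]   # (when, building, user, direction)


def parse_badge(text: str) -> List[BadgeEvent]:
    """Parse and sort badge events so 'most recent before time T' is a simple scan."""
    events: List[BadgeEvent] = []
    for line in text.strip().splitlines():
        ts, building, user, direction = line.split()
        events.append((datetime.fromisoformat(ts), building, user, direction))
    events.sort()
    return events


def last_badge_state(events: List[BadgeEvent], user: str, building: str,
                     before: datetime) -> Optional[str]:
    """'IN', 'OUT', or None: the user's latest badge direction at that building as of `before`."""
    state = None
    for when, b, u, direction in events:
        if when > before:
            break                      # events are sorted; nothing later can count
        if u == user and b == building:
            state = direction
    return state


def find_suspicious_logins(badge_text: str, login_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (user, host, building, reason) for each console login lacking a prior badge-in."""
    events = parse_badge(badge_text)
    alerts = []
    for line in login_text.strip().splitlines():
        ts, building, host, user, kind = line.split()
        if kind != "console":
            continue                   # remote/VPN sessions need no physical entry
        when = datetime.fromisoformat(ts)
        state = last_badge_state(events, user, building, when)
        if state != "IN":
            reason = "no badge-in on record" if state is None else "last badge event was OUT"
            alerts.append((user, host, building, reason))
    return alerts


if __name__ == "__main__":
    for user, host, building, reason in find_suspicious_logins(BADGE_LOG, LOGIN_LOG):
        print(f"{user} on {host} ({building}): {reason}")
```

In the constructed data, alice is clean; dave never badged in anywhere; bob badged out at 12:10 and "logged in" at 12:45; and carol badged into Portland but appears at a Seattle console, so three alerts result. A production version needs one more piece of state the sample omits: the building of each workstation has to come from an asset inventory rather than the login record itself, and doors without readers (fire exits, loading docks) will produce false positives until they are instrumented.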

Footnotes

5 PCI DSS 3.2 requirement 8.1.8 states that "If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session."
