Security Disciplines for Objective 1: Support
1-2. Physical Security
Description
Computer systems and networks are vulnerable to physical attack; therefore, procedures should be implemented to ensure that systems and networks are physically secure. Physical access to a system or network provides the opportunity for an intruder to damage, steal, or corrupt computer equipment, software, and information. When computer systems are networked with other departments or agencies for the purpose of sharing information, it is critical that each party to the network take appropriate measures to ensure that its system will not be physically breached, thereby compromising the entire network. Physical security procedures may be the least expensive to implement but can also be the most costly if not implemented. The most expensive and sophisticated computer protection software can be overcome once an intruder obtains physical access to the network.
Purpose
This section identifies potential physical threats to facilities, hardware, software, and sensitive information. This section also recommends best practices to secure computer systems from physical intrusion.
Principles
- Identify potential physical threats to departmental computer systems and networks.
- Establish policies and procedures to thwart potential physical threats.
- Conduct audits to monitor employee compliance with department policies and procedures.
Policies
An organization should consider including the following physical security policies in the organization’s overall security policy:
- Identify unauthorized hardware attached to the department computer system—make routine checks of system hardware for unauthorized hardware.
- Limit installation of hardware and software owned by employees on department desktop workstations.
- Identify, tag, and inventory all computer system hardware.
- Conduct regular inspections and inventories of system hardware.
- Conduct unscheduled inspections and inventories of system hardware.
- Implement policies that instruct employees/users on how to react to intruders and how to respond to incidents in which an intrusion has been detected.
Best Practices
Physical security practices should address threats due to theft, vandalism, and malicious internal or external staff.
- Theft—Theft of hardware, software, or data can be expensive due to the necessity to restore lost data and the cost of replacing equipment and software. Theft also causes a loss of confidence in the department whose lapse may have compromised the network.
- Vandalism—Vandalism in most cases is not directed at compromising a system or network so much as it is the senseless destruction of property. Both external and internal perpetrators may pose a vandalism threat. Low morale in an organization may be the underlying reason for vandalism caused by internal perpetrators. The actual threat to a network posed by vandalism is difficult to assess because vandalism is generally not motivated by a conscious effort to compromise a network. Like theft, vandalism can be expensive due to the necessity to replace damaged equipment and software.
- Threats Posed by Internal and External Staff—Internal and external intruders may attempt to manipulate or destroy IT equipment, accessories, documents, and software. The potential for damage caused by intruders increases the longer they remain undetected, because time increases their knowledge of the system and their ability to wreak havoc on a network. The threats may include unauthorized access to sensitive data and outright destruction of data media or IT systems.
Internal staff may attempt to modify privileges or access unauthorized information, either for their own purposes or for others. This may result in system crashes or breaches in other areas of the network opened up through configuration errors.
Temporary workers, contractors, and consultants represent a unique security threat in that they are generally not subject to the same background checks as a department’s full-time employees, but they may be granted the same high level of access to the system and network. Contractors and consultants will sometimes know the applications and operating systems running on the network better than department employees. Temporary employees should be closely scrutinized until a level of trust can be established. Consulting firms and contract agencies should be questioned about their hiring policies and standards. Cleaning staff may also cause threats either by theft of system components or from using the system improperly, such as by accidentally detaching a plug-in connection, allowing water seepage into equipment, or mislaying or discarding documents as trash.
An intruder may attempt to masquerade as or impersonate a valid system user by obtaining a false identity and appropriating a user ID and password. Someone may be misled about the identity of the party being communicated with for the purpose of obtaining sensitive information. An intruder can also use masquerading to take over an existing, already-authenticated connection without authenticating at all, because that step was already completed by the original participants in the communication.
Social engineering can be used by internal or external intruders to access sensitive information. Intruders act like department staff and use insider terminology during conversations to obtain information. "Sounding" occurs by telephone when intruders pose as staff, as in the following examples:
- A staff member who must urgently complete an assignment but has forgotten his password.
- An administrator who is attempting to correct a system error and needs a user password.
- A telephone technician requesting information, such as a subscriber number or modem configurations and settings.
Applying the following physical security measures mitigates these threats.
- Identification of Unauthorized Hardware Attached to a System—Establish policies that limit employees from attaching unauthorized hardware to the office system. Unauthorized hardware includes computers, modems, terminals, printers, and disk or tape drives. The policies should also restrict the software that employees may load onto the office system and should cover opening unidentified e-mail attachments and downloading files from the Internet.
Perform monthly audits of all systems and peripherals attached to the network infrastructure, and make unannounced random inspections of equipment. Each audit should compare what is physically present and connected against the tagged inventory, so that missing or misplaced hardware and any unauthorized device attached to the network are identified.
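The audit described above is a comparison between what is actually attached and what the inventory says should be attached. The following is an added example, not part of the original page, of automating that comparison for the USB peripherals on one workstation. The device listing is a constructed sample in the output format of `lsusb` (not captured from a real system), the approved inventory and asset tags are constructed, and the printer's product ID `03f0:0001` is a hypothetical placeholder; in practice the inventory would be held centrally and the listing collected from each host.

```python
import re

# Constructed sample in the output format of `lsusb` from one workstation
# (not taken from any real system).
LSUSB_OUTPUT = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 004: ID 0781:5583 SanDisk Corp. Ultra Fit
Bus 001 Device 005: ID 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""

# Constructed approved inventory for this host: vendor:product ID -> asset tag.
# The printer's product ID is a hypothetical placeholder.
APPROVED_INVENTORY = {
    "046d:c31c": "keyboard, asset tag 10231",
    "046d:c077": "mouse, asset tag 10232",
    "03f0:0001": "desk printer, asset tag 10233",
}

ROOT_HUB_VENDOR = "1d6b"  # Linux Foundation root hubs are the host controller, not attached hardware

LINE_RE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID "
    r"(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$"
)


def parse_lsusb(text):
    """Return [(vendor:product, description)] for every attached device, skipping root hubs."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["vid"] == ROOT_HUB_VENDOR:
            continue
        devices.append((f"{m['vid']}:{m['pid']}", m["desc"]))
    return devices


def audit_hardware(devices, approved):
    """Compare attached devices with the inventory.

    Returns (unexpected, missing): devices present but not in the inventory
    (candidate unauthorized hardware, e.g. a removable drive or a second
    network adapter), and inventory items not present (candidate missing or
    misplaced hardware).
    """
    present = {ident for ident, _ in devices}
    unexpected = [(ident, desc) for ident, desc in devices if ident not in approved]
    missing = [(ident, tag) for ident, tag in approved.items() if ident not in present]
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit_hardware(parse_lsusb(LSUSB_OUTPUT), APPROVED_INVENTORY)
    for ident, desc in unexpected:
        print(f"UNAUTHORIZED {ident} {desc}")
    for ident, tag in missing:
        print(f"MISSING      {ident} {tag}")
```

On the constructed sample the audit flags the SanDisk removable drive and the ASIX USB-to-Ethernet adapter as unauthorized (the second is the more serious finding, since it can bridge the workstation to another network) and reports the inventoried printer as missing. Vendor and product IDs are not tamper-proof, so a match against the inventory confirms only that a device of the expected type is present; a physical check of the asset tag is still required.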
Inspect computers and networks for signs of unauthorized access. Search for intrusion or tampering with CDs, tapes, disks, paper, and system components that are subject to physical compromise by damage, theft, or corruption.
- Protection Against Break-In—Intruders choose targets by weighing the risk and effort against the expected reward. Therefore, all measures implemented to prevent break-ins should increase the intruder's risk of being caught. The possible measures for protection against break-ins should be adapted to each specific situation. Protect doors or windows by adding security shutters. Add additional locks or security bars. Add additional lighting inside and outside the building. Seek advice from police and security professionals. When planning physical security measures, care must be taken to ensure that provisions relating to fire and personal protection (e.g., regarding the serviceability of escape routes) are not violated. Staff must be trained on the antiburglary measures that are to be observed.
- Entry Regulations and Controls—A fundamental but frequently overlooked aspect of sound internal security is the physical restriction placed on access to systems and networks. Having good physical security in place is a necessary follow-up to whatever office building security an organization may have in place. Know who is entering department offices at all times, and ensure all secure computing areas are locked and access restricted. Network security measures can be rendered useless if an intruder can bluff his way past the entrance security, walk into a computer room, and take diskettes, tapes, or servers.
Strangers, visitors, craftsmen, and maintenance and cleaning staff should be supervised. Should the need arise to leave a stranger alone in an office, the occupant of that office should ask another staff member to supervise or request the visitor to wait outside the office. If it is not possible to accompany outsiders, the minimum requirement should be to secure the personal work area: desk, cabinet, and computer. The requirement for this measure must be explained to the staff and should be made part of department policy and training.
Control entry into buildings and rooms housing sensitive equipment. Security measures may range from the issuance of keys to high-tech identification systems. When implementing policies for entry regulation, consider the following:
- The area subject to security regulations should be clearly defined.
- The number of persons with access should be reduced to a minimum.
- Authorized persons should be mutually aware of others with access authority in order to be able to recognize unauthorized persons.
- Visitors should only be allowed to enter after the need to do so has been previously verified.
- The permissions granted must be documented.
- Access should be limited by locked rooms/entrances, physical zones, and identification badges.
- A record must be kept of accesses.
- Challenge protocols should be added: staff should be expected to challenge any person in a restricted area whom they do not recognize as authorized.
- Entrance Security Staff—Establishment of an entrance control service has far-reaching, positive effects against a number of threats. However, this presupposes that some fundamental principles are observed in the performance of entrance control. Entrance security staff must observe and/or monitor all movements of persons at the entrance. Unknown persons must prove their identity to the entrance security staff. Before a visitor is allowed to enter, a check should be made with the person to be visited. A visitor must be escorted to the person to be visited or met by the latter at the entrance. Security staff must know the office employees. In case of termination of employment, security staff must be informed of the date from which this member of staff is to be denied access. A visitor log should be kept to document access. The issuance of visitors’ passes should be considered. The job duties of security staff should be designed specifically to identify their tasks in support of other protective measures, such as building security after business hours, activation of the alarm system, and checking of outside doors and windows.
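The requirements above that permissions be documented, that a record of accesses be kept, and that security staff be told the date from which a departing employee is to be denied access only pay off if someone reconciles the access record against the documented permissions. The following is an added example, not part of the original page, of that reconciliation for an electronic badge reader. The roster, the badge numbers, the zone names, and the log line format `<timestamp> door=<zone> badge=<number> result=<granted|denied>` are all constructed for the example; a real reader exports in its own format, and only the parser would change.

```python
import re
from datetime import date, datetime

# Constructed access-authorization roster: badge number -> holder, the zones the
# documented permissions cover, and the date from which access is to be denied
# (None while the person is still employed).
ROSTER = {
    "10452": {"name": "A. Rivera", "zones": {"MAIN-OFFICE", "SERVER-ROOM"}, "denied_from": None},
    "10311": {"name": "B. Chen",   "zones": {"MAIN-OFFICE"},                "denied_from": None},
    "10198": {"name": "C. Okafor", "zones": {"MAIN-OFFICE", "SERVER-ROOM"}, "denied_from": date(2024, 3, 1)},
}

# Constructed badge-reader log lines in a hypothetical export format.
BADGE_LOG = """\
2024-03-04T07:58:12 door=MAIN-OFFICE badge=10452 result=granted
2024-03-04T08:02:40 door=SERVER-ROOM badge=10311 result=granted
2024-03-04T12:15:03 door=SERVER-ROOM badge=10198 result=granted
2024-03-04T12:20:55 door=MAIN-OFFICE badge=99999 result=granted
2024-03-04T18:41:09 door=SERVER-ROOM badge=10452 result=denied
"""

LOG_RE = re.compile(r"^(\S+) door=(\S+) badge=(\d+) result=(granted|denied)$")


def parse_badge_log(text):
    """Return [(timestamp, door, badge, result)] for each well-formed log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, door, badge, result = m.groups()
            events.append((datetime.fromisoformat(ts), door, badge, result))
    return events


def reconcile(events, roster):
    """Return (timestamp, badge, door, reason) for every granted access the roster does not justify."""
    findings = []
    for ts, door, badge, result in events:
        if result != "granted":
            continue  # a denial is the control working; only granted entries need justification
        holder = roster.get(badge)
        if holder is None:
            findings.append((ts, badge, door, "badge not on roster"))
            continue
        denied_from = holder["denied_from"]
        if denied_from is not None and ts.date() >= denied_from:
            findings.append((ts, badge, door, f"access should have ended {denied_from.isoformat()}"))
        if door not in holder["zones"]:
            findings.append((ts, badge, door, "zone not in documented permissions"))
    return findings


if __name__ == "__main__":
    for ts, badge, door, reason in reconcile(parse_badge_log(BADGE_LOG), ROSTER):
        print(f"{ts.isoformat()} badge={badge} door={door}: {reason}")
```

On the constructed data this reports three problems: a badge admitted to the server room although its holder's documented permissions cover only the main office, a badge still working three days after its holder's access should have ended (the termination notice reached HR but not the reader), and a badge number the roster has never heard of (a lost, cloned, or forgotten-but-active visitor badge). Each is a finding for the inspection round, not a conclusion; the point of keeping the record is that the question can be asked at all.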
- Alarm System—An alarm system consists of a number of local alarm devices that communicate with a control center through which the alarm is triggered. If an alarm system covering break-ins, fire, water, and gas is installed and can be expanded at reasonable cost, surveillance provided by this system should include, at a minimum, the IT core areas (such as server rooms, data media archives, and technical infrastructure rooms). This will enable threats such as fire, burglary, or theft to be detected in good time so that countermeasures can be taken. To ensure that this is the case, it is imperative that the alarms be sent on to an office that is permanently staffed. It is important that this office have the expertise, equipment, and personnel required to respond to the alarm. The guidelines of the organization concerned for connection to the respective networks should be considered here.
- Security of Windows and Doors—Windows and outward-leading doors (e.g., balconies, patios) should be closed and locked whenever a room is unoccupied. Instructions to close windows and outside doors should be issued, and regular checks should be made to see that windows and doors are closed by occupants after leaving the rooms.
The doors of unoccupied rooms should be locked. This will prevent unauthorized persons from obtaining access to documents and IT equipment. It is particularly important to lock individual offices when located in areas accessible by the public or where access cannot be controlled by any other means. Staff should be instructed to lock their offices when they leave, and random checks should be made to determine whether offices are locked when their occupants leave.
In an open office, where cubicles dominate and it is not possible to lock individual offices, employees should lock away their documents in their desks, and a secure desktop workstation policy should be implemented (additional information on formulating this policy can be found later in this section).
- Unauthorized Admission to Rooms Requiring Protection—If unauthorized persons enter protected rooms, damage may be caused by intentional and unintentional acts. After an unauthorized intrusion, office routines may be disrupted in order to search for damage, theft, and unauthorized or missing hardware/software. Intentional or unintentional damage to systems may be caused by temporary help who are employed to substitute for cleaning staff. Temporary help may accidentally clean workstations and sensitive equipment with solutions or by methods damaging to hardware.
- Identification of Secure Rooms—Secure rooms such as the server room, computer center, data media archives, and air conditioning unit should not be identified on office locator boards or by name plates affixed to the room door. Identifying these sensitive areas enables a potential intruder to prepare more specifically and thus have a greater chance of success.
- Location of Secure Rooms in Unexposed Areas of Buildings—Secure rooms should not be located in areas exposed to view or potential danger. They also should not be located on the first floor of buildings that are open to view by passersby or that are exposed to attack or vandalism. First-floor rooms are more likely to be easily observed or exposed to breaking and entering. Rooms or areas requiring protection should be located in the center of a building, rather than in its outer parts.
- Inspection Rounds—The effectiveness of any measure will always be commensurate with the enforcement of that measure. Inspection rounds offer the simplest means of monitoring the implementation of measures and the observance of requirements and instructions.
Inspection rounds should not be aimed at the detection of offenders for the purpose of punishing them. Rather, controls should be aimed primarily at remedying perceived negligence at the earliest possible moment, such as by closing windows or taking documents into custody. As a secondary objective, security breaches can be identified and possibly avoided in the future. Inspection rounds should also be made during office hours to inform staff members about how and why pertinent regulations are being applied. Thus, they will be perceived by all persons concerned as a help rather than a hindrance.
- Proper Disposal of Sensitive Resources—Sensitive information not properly disposed of may be the source of valuable information for persons seeking to do harm. An intruder, competitor, or temporary staff can gain valuable information in a low-tech manner by simply going through trash for discarded paperwork that might contain sensitive information. At a minimum, shred all papers and documentation containing sensitive company information, network diagrams, and systems data to prevent a security breach by those who might seek information by rummaging through trash.
Employees should be advised against writing down user IDs or passwords.
In the case of functioning magnetic media, the data should be overwritten with random patterns and the overwrite verified by reading the medium back. Overwriting reaches only the storage the device exposes to the host: flash-based media (SSDs, USB sticks, memory cards) remap and retire cells through wear leveling, so for them the device's own secure-erase or cryptographic-erase command, or physical destruction, is the reliable method. Optical discs and nonfunctioning data media should be destroyed mechanically.
The recommended disposal of material requiring protection should be detailed in a specific directive and in training; adequate disposal facilities should be provided. This includes storage devices and media (i.e., floppy and hard disks, magnetic tapes, and CDs/DVDs). If sensitive resources are collected prior to their disposal, the collected material must be kept under lock and be protected against unauthorized access.
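The overwrite-with-random-patterns step above is only worth doing if it covers every addressable byte and is verified afterwards rather than assumed. The following is an added example, not part of the original page, of a verifiable single-pass random overwrite applied to a file-backed disk image; the same functions work on a block device path such as `/dev/sdX` on Linux when run with the privileges to open it read/write. The sensitive marker text and the image are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # write and read in 1 MiB blocks so large media never sit in memory


def media_size(fh):
    """Size in bytes of a regular file or, on Linux, a block device opened read/write."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def overwrite_random(path, passes=1):
    """Overwrite every addressable byte of `path` with fresh random data.

    Returns the SHA-256 of the final pass so the result can be checked by re-reading
    the medium; a return value is not a success report until verify_overwrite agrees.
    """
    digest = None
    with open(path, "r+b") as fh:
        size = media_size(fh)
        for _ in range(passes):
            h = hashlib.sha256()
            fh.seek(0)
            remaining = size
            while remaining:
                block = os.urandom(min(CHUNK, remaining))
                fh.write(block)
                h.update(block)
                remaining -= len(block)
            fh.flush()
            os.fsync(fh.fileno())  # do not report success until the data is on the medium
            digest = h.hexdigest()
    return digest


def verify_overwrite(path, expected_digest):
    """Re-read the medium and confirm it holds exactly the random pass that was written."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            h.update(block)
    return h.hexdigest() == expected_digest


def sanitize_demo():
    """Constructed demo: sanitize a file-backed image and return (marker_gone, verified)."""
    marker = b"CASE FILE 2024-0117 SENSITIVE"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 4096)  # a small image that still carries the sensitive marker
        path = tmp.name
    try:
        digest = overwrite_random(path, passes=1)
        with open(path, "rb") as fh:
            marker_gone = marker not in fh.read()
        return marker_gone, verify_overwrite(path, digest)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(sanitize_demo())  # expected: (True, True)
```

The verification pass matters more than the number of overwrite passes: a single pass of random data is sufficient on modern magnetic drives, but a pass that silently stopped short (a write error, a device that reports a smaller size than its real capacity) leaves data behind, and only re-reading catches that. The same limitation noted in the text applies here: on flash media the host-visible bytes can all verify clean while retired or over-provisioned cells still hold the old data, so this routine should not be used as the sole sanitization step for SSDs or USB sticks.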
Secure Desktop Workstations—The first line of defense in physical security is to secure desktop workstations. Effective training in the organization’s policies and procedures to secure desktop workstations should be a significant part of network and information security strategy because of the sensitive information often stored on workstations and their connections. Many security problems can be avoided if the workstations and network are appropriately configured. Default hardware and software configurations, however, are set by vendors who tend to emphasize features and functions more than security. Since vendors are not aware of specific security needs, new workstations must be configured to reflect security requirements and reconfigured as requirements change.
Remote Workstations—There is usually a higher risk of theft at home because homes are usually not protected to the same extent as the workplace. Workstations at home are accessible to family members and visitors who may intentionally or unintentionally manipulate business-related data on the workstation, if data is not properly protected. Inadvertent or intentional manipulation affects the confidentiality and integrity of the business-related information, as well as the availability of data and IT services on the workstation. Appropriate procedures should be implemented to achieve a degree of security comparable with that prevailing on office premises.
- Suitable Configuration of a Remote Workplace—It is advisable to assign a secure room for use as a workplace at home. Such a workplace should at least be separated from the rest of the premises by means of a door.
IT equipment intended for professional purposes should be provided by the employer, and the use of this equipment for private purposes should be prevented by formal policies. Employees who work at home should be questioned periodically as to whether their workplace complies with security and operational requirements.
- Theft of a Mobile IT System—Laptop or mobile IT systems create a greater risk of theft or damage. Due to the inherent nature of a mobile system, it will often be removed from the confines of a secure office. Therefore, policies should be implemented to safeguard mobile IT systems.
- Suitable Storage of Business-Related Documents and Data Media—Business-related documents and data media at the home workstation must only be accessible to the authorized employee, and when they are not in use, they must be kept in a locked location. A lockable desk, safe, or cabinet must be available for this purpose. At a minimum, the lock must be capable of withstanding attacks using tools that are easy to create or purchase. The degree of protection provided by the drawer should be appropriate to the security requirements of the documents and data media contained therein.
Reference
- Federal Agency Security Practices. National Institute of Standards and Technology Web site. Available at http://csrc.nist.gov/fasp/.


