Why Info-Security Hinges on Physical Security
In today’s era of mega-breaches with thousands to millions of lost customer records or the hacking-of-everything it is safe to assume that the logical security of devices becomes almost more important than the physical protection around those assets. While it is true that the logical (in-) security of devices renders “remote attacks” (via a protocol such as TCP/IP, Ethernet, Bluetooth, or CDMA, GSM, etc.) possible, there is still an important defense layer that surrounds your device: the physical security.
To provide a little anecdote: on a recent flight into Washington, I put my little book and magazine on the seat next to me during the flight, and my cellphone on top of it. When the plane landed, it was a pretty heavy bump, and I saw my cellphone dropping on the ground, then sliding very fast toward the cockpit.
It had crossed the entire plane up to the first class cabin. Someone found it, and since my device is encrypted, has a display PIN, and shows my owner information with my name and my home phone number, the flight attendant must have looked up my name quickly on the passenger list with my seat number to return my phone.
So, what does this little anecdote tell us? In my view, this provides reasons why you need to use seat belts and put things in the seat pocket in front of you, and that labeling and logical security are really important, too. Sometimes physical events can change your possession of something, and you need to be able to rely on those additional controls.
It is the combination of different types of controls (also often called “defense-in-depth”) that can make-or-break your protection.
Another example: I have also seen in my global endeavors data centers where these were in collocation or shared facilities with other companies. While the data center (DC) was physically and logically safeguarded, the cage around it was left open at the top and bottom so anyone could use the nearby standing ladder or the floor handles to open the raised floor and thereby intruding into the neighbor’s DC units. This alone was already risky enough, but within the DC(s) I found then the important logical controls like firewalls or other such choke points in a less-than-standard fashion: the siding of the firewall racks were taken off (to “solve” heat / cooling problems) so that the above intruder (or even people with otherwise authorized access to the DC cage) could easily put their hands or attacks against it.
In another setting I found cable trays wide open and accessible via a parking garage that was not protected against unauthorized third-party access – the main facility with the core backbone was vulnerable via a simply physical attack with an axe or something similar – millions of dollars-worth of equipment and data were at total risk here. I am not saying that all the logical controls wouldn’t be necessary – especially given the endless forms of new attack vectors and the daily increasing attack surface) – but my “lessons learned” are that you have to think things through completely, from the ground up, and that is starting at the physical level and then go upwards in the 10 layers of the security stack.
If you think this further, you will come to conclusion that that is why you need to have at least 60 miles of distance between redundant data center facilities, and that your DR (Disaster Recovery) and BCP (Business Continuity Plan) plan should be based on worst-case physical scenarios to cover your bases. Backups need not only be physically separated from the place of origin, but they need to be protected both physically and logically, otherwise, the attack against your "crown jewels” will happen against offsite assets, transport truck or the storage facility etc.
Hopefully the provided examples give enough reason to understand that physical security absolutely still matters. Now, let’s focus on the second aspect – the information (or logical) security piece.
Why does it still matter? Well, even if you would create a “Fort Knox” from a physical perspective around your assets, the reality is that every system that has communication channels (ports / protocols / input–output facilities etc.) open is vulnerable to logical attacks along that protocol or via the encapsulated data itself (this is why we have the current crisis, it is “system-immanent” so to speak, and it will remain for quite a long time.
So, in order to protect your assets, you need to employ logical controls, like gates and control points -think of protocol-aware firewalls, malicious code detection and response (Anti-Malware), intrusion detection / prevention systems (IDS/IPS), log monitoring, SIEM and correlation tools, data leakage prevention (DLP) and classification systems, network segmentation, compartmentalization (of virtualized environments), multi-factor authentication, strong and complex passwords, and other sophisticated tools like global cyber threat information and real-time intelligence or strong encryption (AES256 etc.) and hashing for integrity.
The key is that a fully crafted, well-designed security architecture, governed by clear and concise policies, run by a best-practices-oriented security operations, supported by sophisticated and well-educated / trained cyber intelligence specialists, used by alert and trained users, organizationally lead and managed by truly experienced CSOs / CISOs will strategically solve the security threat by design.
Security has to become a design-goal. No more programming, software- or hardware-developments, implementation projects, delivery programs, etc. without clear and upfront security requirements in the specifications and planning phase. It will take a generation or two, but it is possible. Let’s get started:
- Always check-out the configuration options around physical and logical security of your end user devices – and use those that suits your specific security risk posture and appetite.
- If you’re in control of data centers or similar critical equipment, build your physical (and logical) controls around it with an out-of-the-box-approach, that is, think like the attacker, not the engineer. Cages must be closed at the top and the bottom (through the raised floor), too.
- Where you can’t enforce physical security, use at least logical security – and vice versa – but the best is a combination of controls from both worlds.
- If you rely on a gate or a mantrap or similar, consider potential evasion measures like climbing over/digging under the fence in an out-of-sight area.
- If you use access control cards and scanners, be aware of their limitations – be it their insecure key handling/management, be it their unencrypted transmission, or be it the users handing their badge to someone else: do research, choose secure card readers and key management, and enforce physical security around badges and their handling.
- Rely on common sense more than on vendor hype – verify – verify – verify. Assign liability into contracts.
- Train and educate all users (at all levels in the corporation) about their duties and today’s sophisticated risks around the combination of physical and cyber-attacks.