January 8th, 2004, 11:19 AM
Is physical security needed as much as a firewall for a company?
Life is a shipwreck but we must not forget to sing in the lifeboats. ~Voltaire
January 8th, 2004, 11:26 AM
Sure. If someone gets full access to a computer, then any firewall or other settings you have are useless. In addition, personal property is at risk. There are countless examples of con men convincing people they are someone else and walking out with hundreds of thousands of dollars in equipment (the most recent example was at Sydney Airport).
Does it mean you need to have armed guards and barking dogs? Well, maybe, maybe not. Remember to put the appropriate amount of security around what you need to protect. Some of the things to consider:
- Removable ceilings in the server room. Either put in a full ceiling or put the server room in a cage.
- Locked doors. Whether simple locks or more complicated punch key/swipe card varieties, there should be some in the appropriate places.
- Servers should be in cages and the boxes locked down (remove/disable floppy, CD-ROM/DVD-ROM, power switch, lock down BIOS, etc.).
- UPSes in place (blackouts, brownouts, etc. do happen).
- Desks with locks.
- Filing cabinets with locks.
- CCTV to monitor busy areas with a 72-hour tape, and have at least 3-4 tapes so you can rotate them through.
- Shredders that do crosscut at minimum.
- Disposal policy: how a company deals with getting rid of old equipment securely.
- Exiting policy: how a company deals with employees that are leaving.
That's certainly not a full and complete list, but I think you get the idea.
January 8th, 2004, 01:31 PM
MsMittens has a good list there. I'm going to add to it, since physical security is something I'm somewhat good at:
First, they should have a sign posted about no trespassing. Also, putting locks on dumpsters is a great idea. Lock the dumpsters like you would a server room, as there is usually enough information thrown out to break into anything inside the building. Floppy disks, zip disks, and media that has been recorded on should be placed in a bin that has a spiked rolling device to destroy all of them AFTER they have been formatted and written over. You can get software to write over data with 0s and 1s, and this should be used first, and then the disk destroyed. Norton AntiVirus 2001 (the CD, anyway) has a video on it showing how they get rid of disks that have been sent in to them, with a large bin and the spiked rolling device I was talking about. That's where I got the idea.
Security guards should be hired and be on site at all times. If anyone has ever tried to social engineer their way into a building, they will have to put more effort into it if there is sufficient security.
If the building does tours for the public, make sure 2 security guards go with these people. That way, when the social engineer says he has to go to the bathroom, one can stay with the crowd as the other takes him to the bathroom. This is an old trick I don't use often, but it's easy as hell to say "I have to go pee" and then say you got lost looking for the bathroom and ended up in the server room, the telco closet, or at some other machine stealing passwords.
Your company should have a very open policy too. Treat the workers well and with respect, and get to know them. The more communication between employees, management, and the CEO, the harder it is for a social engineer to walk in and say he was just hired, or is there for an interview. All he has to do next is walk into a department, sit down at an empty desk, grab some manuals, and pretend he is working while he is stealing user logins and passwords.
Sadly, this will usually work; I've yet to leave a building because I was kicked out. When the manager for that area asks you, all you usually have to say is that you just started, name the CEO, and say he knows but was busy and said your name will be on the cards by the end of the day, he just didn't have time. Also, whipping out a cell phone and calling a friend who has made a recording of what the CEO sounds like, and making them believe the CEO is telling them he knows about the new guy, works very well. Open communication between employees would make this VERY difficult to do. When the person has gotten the information they need, they can either leave during the lunch break, or say they are going to use the restroom and leave.
Also: a security guard should be outside the building watching for people. It's really not hard to take wire strippers or the equivalent and some alligator clips, and hook a lineman's set up to their phone lines.
All of this is very important to remember. No matter how locked down your computers are, anyone with time and the magic ability of bullshitting can easily get past all of that.
You should also make all employees take a course from me in physical security. I need the money. Or at least pay someone else to teach them. It doesn't take much to call the company up, get a secretary having a bad day, and say that for the cost of an interview for "Secretary of the Month" magazine, she will win 300 dollars and be published as one of the top secretaries. The interview will, of course, seem like a regular interview.
People, when being interviewed, tend to remember the first part of the questions, as they are in the "I'm being interviewed" mindset, and they remember the last few because it wasn't long ago. When police/agents are asking her what the person said, she will generally remember the first few questions and the last few questions. So the time to try and sneak in a questionable question is during the middle.
If you time it right, you'll usually get the information you want. Also, you could straight out have him or her give you their password and login name easily; it's all in how you word the question. Saying "What is your password?" will not work, obviously. But say "OK, now for another part in Secretary mag, we want to know about how a company treats their secretaries. How are you treated?" After she replies, you sneak in "And how does your computer staff treat you? Do they make you change passwords to long, gigantic, horrible things?" And sometimes this one will have her replying with "Well no, actually my password is my husband's name."
At this point she is still not giving out much, but it's easy to get that password now. "So ma'am, for the next part in our mag, we want to know about your family. Readers like to see secretaries as hard-working people who are also raising a family."
At this point you've played an ace; once she thinks someone will appreciate her for being a hard-working mom and wife, she will spill everything out. "So ma'am, do you have any children? What are their names? Oh, that's very nice, we will be sure to print something about your little angels. How about your husband? Is he good with them? Oh good, what's his name? Oh, what a good man Robert is."
This is easily truthful, as most mags you read will say "Donna works at night, but when she's not typing TPS reports out, she likes to stay home with her little angels Jerry and Megan, and her husband of 12 years, Robert."
Making it believable and wording it are all part of the game.
Hopefully someone will learn something from this. It's all trickery, and it's usually fun too. But for the people like me who actually do this: don't ruin lives, have the fun with the challenge of getting the information, and don't write it down. I don't; I like to go phishing in a catch-and-release pond.
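The "write over it with software first, then destroy it" step gore describes above, as an added example that is not part of the original thread or any poster's own tooling: a POSIX shell script that zero-fills a medium, verifies that the zero pass reached every byte, then adds a random pass before the disk goes into the spiked bin. The 1 MiB image file, the "hunter2" marker text and the `demo` function are constructed for the example; on a real floppy, zip disk or hard drive you would point `wipe_media` at the block device instead of a temporary file.

```shell
#!/bin/sh
# Added example (not from the original thread): zero-fill a medium, check that
# the zero pass reached every byte, then add a random pass, before the disk is
# physically destroyed. The "device" is a constructed 1 MiB image file so this
# runs offline; on real media you would pass the block device (e.g. /dev/fd0).
set -eu

# Print the number of non-zero bytes in $1; 0 means the zero pass was complete.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Print 1 if the plaintext $2 still appears anywhere in $1, else 0.
marker_present() {
    if grep -aq -- "$2" "$1"; then echo 1; else echo 0; fi
}

# Overwrite $1 in place: a zero pass (verified), then a urandom pass.
# conv=notrunc keeps the file at its original length, as a real device would be.
wipe_media() {
    dev="$1"
    blocks=$(( $(wc -c < "$dev") / 4096 ))
    dd if=/dev/zero of="$dev" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    if [ "$(nonzero_bytes "$dev")" -ne 0 ]; then
        echo "zero pass did not cover the whole medium: $dev" >&2
        return 1
    fi
    dd if=/dev/urandom of="$dev" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    sync
}

# Build the constructed image: 256 x 4 KiB blocks with a recognisable secret
# written 8 KiB in, standing in for a password note left on an old floppy.
make_image() {
    dd if=/dev/zero of="$1" bs=4096 count=256 2>/dev/null
    printf 'MARKER: root password is hunter2\n' |
        dd of="$1" bs=1 seek=8192 conv=notrunc 2>/dev/null
}

# Whole procedure on a temporary image; succeeds only if the marker was there
# before the wipe and is gone afterwards.
demo() {
    img=$(mktemp)
    make_image "$img"
    before=$(marker_present "$img" "hunter2")
    wipe_media "$img"
    after=$(marker_present "$img" "hunter2")
    rm -f "$img"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

if demo; then
    echo "wipe verified; medium can go to the shredder"
else
    echo "wipe FAILED; do not release the medium" >&2
    exit 1
fi
```

The verification step is the part worth keeping: a pass that silently stops short (bad sectors, a device that reports a shorter size than it has) leaves data behind, and checking for non-zero bytes catches it. This matches the magnetic media the post is about; on flash and SSDs, wear-levelling means an overwrite through the device node does not reliably reach every cell, so the physical destruction step is what you actually rely on there.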
January 8th, 2004, 01:34 PM
I find that earwax and snot on the keyboard are effective to deter passing keyboard cowboys.
January 8th, 2004, 01:41 PM
Everyone here has excellent replies to your question (especially boyle).
But IMO it depends on what type of environment you are in. If you are in a workplace, I would password-protect the bootloader (if *NIX), because you don't want anyone walking up to your system and booting into runlevel 1. But if you live alone and basically aren't bothered by anyone, then it might not be needed as much, but never lower thy defenses. But if you have a brother, uncle, whatever working in IT and they are out to get you or something, then fine, lol. Also, I would lock the case in a steel cabinet and have a key to the box itself. Also, on ThinkGeek I saw retinal scanners you can use to log in to your machine; I don't know too much about it, though. Hope we answered some of your questions.
This is not a sexist statement, but they say if the person on the other end hears a woman's voice, they will be more susceptible to giving out information.
But if they hear a teenager's raspy voice chewing on a Hot Pocket or something, then they might get a little worried about who they are talking to. But then again, it depends on the person, I guess. Good day all.
"Serenity is not the absence of conflict, but the ability to cope with it."
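The bootloader point above (stop a walk-up attacker from booting into runlevel 1) has two halves on a sysvinit-era Linux box: the boot loader must demand a password before anyone can edit a kernel line, and single-user mode itself should run sulogin so that it asks for the root password instead of handing over a root shell. The following audit script is an added example, not from the original thread or any poster; the grub.cfg and inittab files it checks are constructed inline, and the pbkdf2 string is a placeholder for what grub-mkpasswd-pbkdf2 would produce.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether a Linux console
# lets a passer-by get a root shell via single-user mode (runlevel 1/S).
# Two things are audited: the boot loader config must require a password to
# edit an entry, and /etc/inittab must run sulogin for runlevel S. The config
# files below are constructed for the example; the GRUB 2 hash is a placeholder
# for the output of grub-mkpasswd-pbkdf2.
set -eu

# 0 if the boot loader config $1 is password-protected. Accepts GRUB legacy
# ("password --md5 ..." in menu.lst) or GRUB 2 ("set superusers=" plus a
# "password_pbkdf2" line, normally added via /etc/grub.d/40_custom).
bootloader_password_set() {
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$1"; then
        return 0
    fi
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$1" &&
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$1"
}

# 0 if inittab $1 has a non-comment line running sulogin for runlevel S,
# e.g. "~~:S:wait:/sbin/sulogin".
sulogin_required() {
    grep -Eq '^[^#][^:]*:S:[a-z]+:/sbin/sulogin' "$1"
}

# Run both checks on boot loader config $1 and inittab $2; 0 only if both pass.
audit_console_boot() {
    ok=0
    if bootloader_password_set "$1"; then
        echo "ok    boot loader requires a password to edit entries"
    else
        echo "FAIL  anyone at the console can edit the kernel line (append 'single')"
        ok=1
    fi
    if sulogin_required "$2"; then
        echo "ok    single-user mode runs sulogin (root password required)"
    else
        echo "FAIL  single-user mode gives a root shell without a password"
        ok=1
    fi
    return $ok
}

# Constructed sample configs (not from any real system), written into $1.
write_samples() {
    # Weak: a stock grub.cfg with no superuser, so pressing 'e' at the menu
    # lets anyone append 'single' or 'init=/bin/sh' to the kernel line.
    cat > "$1/grub-weak.cfg" <<'EOF'
set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}
EOF
    # Hardened: superuser plus hashed password; --unrestricted keeps normal
    # boot prompt-free while editing an entry still requires the password.
    cat > "$1/grub-hardened.cfg" <<'EOF'
set timeout=5
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Linux' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
    initrd /initrd.img
}
EOF
    # inittab with and without a sulogin entry for runlevel S.
    printf 'id:2:initdefault:\nsi::sysinit:/etc/init.d/rcS\n' > "$1/inittab-weak"
    printf 'id:2:initdefault:\nsi::sysinit:/etc/init.d/rcS\n~~:S:wait:/sbin/sulogin\n' \
        > "$1/inittab-hardened"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "== weak configuration =="
audit_console_boot "$tmp/grub-weak.cfg" "$tmp/inittab-weak" || true
echo "== hardened configuration =="
audit_console_boot "$tmp/grub-hardened.cfg" "$tmp/inittab-hardened"
rm -rf "$tmp"
```

On a live system you would run `audit_console_boot /boot/grub/grub.cfg /etc/inittab` (or point it at menu.lst on GRUB legacy). Neither check helps if the BIOS still lets someone boot from a floppy or CD, which is why MsMittens' list above pairs the boot loader password with locking down the BIOS and removing the removable drives. On systemd-based systems there is no inittab; rescue.target runs sulogin by default, so the boot loader check is the one that matters there.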
January 8th, 2004, 02:05 PM
Probably the simplest answer is that physical security should match and complement your computer software and hardware security effort. Now, the hard part of this for most of us is that IDS, etc. is just plain fun!! I have a lot of security stuff on the computer side that the sensitivity and value of our systems really doesn't need, because it's pretty cheap and I enjoy fooling around with it. However, even our relatively pedestrian systems need some physical protection. (By the way, don't forget to provide appropriate physical security for critical backups!!!)
First, some background. Our office space has an intrusion alarm system that is activated when no one is here. We would have that even if there were no computers, since there is other valuable equipment here whose loss would more than offset the price ADT charges.
We have a number of offices with $1k to $2k sets of desktop and portable PCs, along with some scanners, printers, etc., that have an outside window accessible from ground level. I was able to add some glass-break sensors to the alarm system in those offices at minimal monthly charge to warn (but not prevent, of course) of a "smash-and-grab." I also made sure that the hallways approaching critical offices, such as server locations, have motion detectors. I also set a company policy that blinds must be closed when the offices are vacant, to make it harder to target particular computers.
My servers are in locked rooms with true ceilings and solid doors, but no special wall construction. Keys are numbered and controlled. I use a regular office space, rather than a steel box, etc. to allow the office HVAC to mitigate heat buildup.
All this was of very minimal extra cost, since we configured for security when the office space was initially remodeled. While I know that a determined person could get in and steal a lot of stuff before the police response occurs, I think that the resources expended on security have been commensurate with the value of the computer systems and our need for availability -- we can tolerate a day or two of down time if need be while computers are replaced and data restored.
The right mix for others will vary, but the key is balance with regard to the expense of security vs. the need for systems and data. In some cases, the replacement cost of the systems is minimal compared to the impact of reduction in service for the time required for replacement. In other cases, such as ours, the cost of physical security has to be less than the cost of unscheduled replacement, since we can tolerate the loss in services that replacement entails.
January 8th, 2004, 03:39 PM
I think gore brought up a good point though... one of the most important parts of physical security is to be prepared for social engineers. There are a million tricks that I have used for one thing or another (not just computer related). You never know who you can trust, so it's best to train your people to know what to keep an eye out for, as well as keeping open lines of communication. Make people suspicious of people they don't know... it's better to be safe than sorry.
Learn like you are going to live forever, live like you are going to die tomorrow.
January 8th, 2004, 04:40 PM
Forget not the threat of insiders. This, too, is part of your physical security plan. Social engineering, keyboard cowboys, and theft of equipment (and all that goes with it) are very real threats, and frankly sometimes easier than being technologically savvy enough to invade a system via the network.
The idea was mentioned above to make sure you've got a good open policy with your employees, treat them with respect, and train them. This is spot-on - it'll help keep people from turning bad for spite. But you also may want some background checking or monitoring if you work with any data that an agent-for-hire may find worthwhile to exploit.
I believe CERT/CC and the US Secret Service are working together on a report about the 'insider threat', although it's not available just yet. We'd like to believe we work with and hire only trustworthy individuals, but that's just not the reality of the matter.
"Knowing is half the battle." - GI Joe
January 8th, 2004, 07:56 PM
Something I would add to the discussion, and a place where security is often forgotten is end user training.
Physical security (on the desktop side...MsMittens provided a good server/equipment security list), starts and often ends with the desktop user. You can't disable floppy drives and such on the desktop if it hampers user productivity. You can't make passwords SO complex that users have to write them down, or type too slow to allow shoulder surfers. And social engineering...
I think users need to be trained (and updated regularly) on safe security practices like locking your workstation when you get up (if you don't have network policy force a lock screen saver), not writing your password down, not allowing shoulder surfing, and how to be aware of possible social engineering attacks.
Back when I was doing some sysadmin stuff, the big thing going around was phone calls claiming to be AT&T or the local carrier needing to test lines by having the user dial certain codes into the system... that would allow the incoming caller access to our outbound dial lines for free long distance.
Also, if you're a business, physical security should always cover your ISP/local carrier demarc. Most will run the demarc inside your building (and, for a cost, into whatever room you specify) so that it's secure. If you have an outside connection point, you have to have a way to secure it (like gore said... a walker and some gator clips can be an easy access point).
Also, if you're running wireless, you should limit your range to the INTERIOR of the building if possible. Don't allow access to spill out into the road, parking lot, or other floors (if you're in a large multi-tenant building).
That's all I have for now...
January 8th, 2004, 09:44 PM
I was going to reply here, but I think most of what I wanted to say has already been said. I really think somebody should maybe turn this thread into a tutorial. Maybe I will later.