Security Think Tank: Physical security should be replicated in cyber world

The rapid rise in cyber espionage highlights the need to rethink data security strategies to improve protection of intellectual property. But what is the best way of doing that?

Snooping on a person or company is not new, it is just that the internet age has brought an added dimension: the cyber thief.

The old techniques of safeguarding one’s possessions - and that includes information and intellectual property (IP) - are still valid. 

Examples include properly vetting new staff by taking up references, checking the CV and so on; ensuring staff are happy and cared for, as disgruntled employees pose one of the bigger threats in the computer and internet age; escorting visitors; operating a clear-desk policy for unattended desks; and ensuring the physical security of sites, buildings, offices and storage facilities (including filing cabinets) is fit for purpose, properly maintained and used appropriately.

But these seemingly "motherhood and apple pie" techniques have their parallel in the cyber world. The clear-desk policy translates to powering off a PC outside of office hours (where practical) and having a password-protected screen lock that kicks in after a reasonably short period of inactivity (say, five minutes).

Physical security translates to electronic security, and that is where many companies are not doing a sufficiently good job, mainly out of ignorance. The computer, like the car, needs to be maintained and used properly to get the best out of it.

So, in the world of electronic security, what are we looking at?

Starting at the internet and working our way in, we have the firewall. Is one installed? Is it running the latest version of its software? And is it configured appropriately and maintained? For example, was the rule set installed for a test removed, and are the rule sets as minimalist as possible and consistent with being able to operate the company?

Associated with the firewall we may have a demilitarised zone (DMZ) where email gateways and web servers would be installed. Are all servers on the DMZ security patched to the latest level? Have unused services been removed? If you do not use FTP, then none of the DMZ servers should have that application. This is a case of removing the unused application or service, not merely disabling it.

While on the firewall and DMZ it is fair to say that any service that is offered to the internet should be from servers running on the DMZ and not from servers running within the main company network.

Moving on and into the company's network, all servers and network infrastructure devices such as Ethernet switches should be running a supported version of software and be security patched up to date. 

Servers should also be running antivirus or similar anti-malware software, and that should likewise be maintained fully up to date. These statements apply equally to the servers and devices in the DMZ and, of course, to PCs connected to the network - remember that Windows XP, like Server 2003, is close to its end of life.

Modern operating systems have firewall capabilities and these should be used, not to replace the internet firewall but to supplement it and add a defence-in-depth dimension. 

All users should have a unique logon to the network, and people with system administration duties should have two unique logons: a "normal" user account for day-to-day tasks, and a higher-privilege account for the actual system administration work. Passwords should have system-enforced complexity and lifetime rules, for example: eight printable characters, a 90-day lifetime, and no reuse of recent passwords.
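As an added example that is not part of the original article, the POSIX shell audit below turns three of the checks above into something an administrator can run against a host: the password lifetime and length policy, packages installed but not on an approved list (to be removed, not disabled) and listening sockets on ports nobody approved. The three sample inputs are constructed and stand in for a hypothetical DMZ host; on a real system they would come from /etc/login.defs, the package manager and the socket listing.

```shell
#!/bin/sh
# Constructed sample inputs standing in for one hypothetical DMZ host.
SAMPLE_LOGIN_DEFS='PASS_MAX_DAYS   180
PASS_MIN_LEN    6
PASS_WARN_AGE   7'
SAMPLE_PACKAGES='openssh-server
vsftpd
postfix'
SAMPLE_LISTENERS='0.0.0.0:22
0.0.0.0:25
0.0.0.0:21'

# Password policy from the article: 90-day lifetime, at least eight characters.
# Prints one FAIL line per breach and returns 1 if anything failed.
check_password_policy() {
    max_days=$(printf '%s\n' "$1" | awk '$1=="PASS_MAX_DAYS"{print $2}')
    min_len=$(printf '%s\n' "$1" | awk '$1=="PASS_MIN_LEN"{print $2}')
    rc=0
    if [ -z "$max_days" ] || [ "$max_days" -gt 90 ]; then
        echo "FAIL: PASS_MAX_DAYS=${max_days:-unset}, policy is 90"; rc=1
    fi
    if [ -z "$min_len" ] || [ "$min_len" -lt 8 ]; then
        echo "FAIL: PASS_MIN_LEN=${min_len:-unset}, policy is 8"; rc=1
    fi
    return $rc
}

# Lists installed packages that are not on the allow list. Anything printed
# should be uninstalled (the article's point: remove, do not just disable).
unused_packages() {
    installed=$1; shift; allowed=" $* "
    printf '%s\n' "$installed" | while read -r pkg; do
        case "$allowed" in *" $pkg "*) ;; *) echo "$pkg" ;; esac
    done
}

# Lists listening sockets whose port is not on the allow list: each one is a
# service offered to the network that nobody approved.
listeners_not_allowed() {
    listeners=$1; shift; allowed=" $* "
    printf '%s\n' "$listeners" | while read -r sock; do
        case "$allowed" in *" ${sock##*:} "*) ;; *) echo "$sock" ;; esac
    done
}

# Run the three checks over the sample host and report findings.
check_password_policy "$SAMPLE_LOGIN_DEFS"
unused_packages "$SAMPLE_PACKAGES" openssh-server postfix | sed 's/^/REMOVE package: /'
listeners_not_allowed "$SAMPLE_LISTENERS" 22 25 | sed 's/^/UNEXPECTED listener: /'
```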

The whole issue of bring your own device, use of personal USB memory sticks and so on, is a whole separate subject.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
