Physical security threats: Don't gift your data away

Information security pros may not think much about physical security, but they should all have a basic understanding of who should have access to their building, especially during the Christmas season.

Christmas may be the season of good will, but it's also the time when domestic crime rates soar. Physical crime rates may rise only slightly, but this time of year is the perfect season for hackers wishing to gain access to businesses. Employees, including information security pros, need to have a basic understanding of physical security threats and of who should be entering and leaving their office.

Let me explain what I mean by taking a moment to look at a typical company over the two-week Christmas period. Most staff will be on holiday for at least a few days during this period, so those at work will be doubling up, overseeing tasks that aren't normally theirs. Hopefully those at work will be in the Christmas spirit, happy, sociable, but not wanting to do too much work. Contracted services, such as office maintenance, cleaning and security guards, will be in a similar position, too. This means there will be a lot of new faces turning up at the premises, and many won't be familiar with day-to-day operations. Outside services, such as courier firms, will also be using temporary staff or not sending "the regular guy." As you can see, this is the ideal scenario for someone to pose as a legitimate worker to gain entry to the building.

The entrances to your building are very much like port 80 on a firewall: you have to have them open for people to enter and leave, but in the same way a firewall monitors the network traffic passing through port 80, you need to control who comes in and out of your premises. Main entrances are often well guarded with external camera coverage, a reception desk and sign-in requirements for visitors. But what about side doors, particularly those used for taking a smoking break? A common tactic for entering a secured building unseen is to hang out in the smoking area and wait to be let in by an unsuspecting employee. All entrances should have some form of access control and CCTV coverage where possible, as they are often left unlocked as a convenience to the next member of staff.
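The firewall analogy suggests one practical control: treat the door controller's log the way you would treat firewall logs and look for traffic that bypassed the check. The following script is an added example, not part of the original article. It assumes a hypothetical door-controller log format (timestamp, door name, event type, badge ID) and two hypothetical thresholds: a door opening more than 10 seconds after the last accepted badge read is flagged as an unbadged entry (the tailgating or propped-door case the article describes), and a door left open for more than 30 seconds is flagged as held open. The sample log lines are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log in a hypothetical door-controller format:
#   <ISO timestamp> <door> <event> <badge-or-dash>
SAMPLE_LOG = """\
2023-12-22T08:01:10 MAIN BADGE_OK   E1042
2023-12-22T08:01:12 MAIN DOOR_OPEN  -
2023-12-22T08:01:16 MAIN DOOR_CLOSE -
2023-12-22T10:32:05 SIDE DOOR_OPEN  -
2023-12-22T10:32:09 SIDE DOOR_CLOSE -
2023-12-22T12:15:00 SIDE BADGE_OK   E2210
2023-12-22T12:15:02 SIDE DOOR_OPEN  -
2023-12-22T12:16:30 SIDE DOOR_CLOSE -
2023-12-22T17:40:00 MAIN BADGE_DENY E9999
2023-12-22T17:40:03 MAIN DOOR_OPEN  -
2023-12-22T17:40:06 MAIN DOOR_CLOSE -
"""


@dataclass
class Event:
    ts: datetime
    door: str
    kind: str   # BADGE_OK, BADGE_DENY, DOOR_OPEN or DOOR_CLOSE
    badge: str


@dataclass
class Finding:
    ts: datetime
    door: str
    problem: str


def parse_log(text):
    """Parse the hypothetical log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, door, kind, badge = line.split()
        events.append(Event(datetime.fromisoformat(ts), door, kind, badge))
    return events


def audit_door_log(text, badge_window=10, hold_limit=30):
    """Flag door openings not preceded by an accepted badge read within
    badge_window seconds, and doors held open longer than hold_limit seconds."""
    events = sorted(parse_log(text), key=lambda e: e.ts)
    last_ok = {}     # door -> time of the most recent accepted badge read
    opened_at = {}   # door -> time the door was last opened
    findings = []
    for e in events:
        if e.kind == "BADGE_OK":
            last_ok[e.door] = e.ts
        elif e.kind == "DOOR_OPEN":
            ok = last_ok.pop(e.door, None)   # one badge read covers one opening
            if ok is None or (e.ts - ok).total_seconds() > badge_window:
                findings.append(Finding(e.ts, e.door, "unbadged entry"))
            opened_at[e.door] = e.ts
        elif e.kind == "DOOR_CLOSE":
            t0 = opened_at.pop(e.door, None)
            if t0 is not None:
                held = int((e.ts - t0).total_seconds())
                if held > hold_limit:
                    findings.append(Finding(e.ts, e.door, f"door held open {held}s"))
    return findings


if __name__ == "__main__":
    for f in audit_door_log(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.door}: {f.problem}")
```

Run against the constructed log, the script reports the side door opening at 10:32 with no badge read at all, the side door being held open for 88 seconds at lunchtime, and the main door opening at 17:40 after a denied badge. The first and last are exactly the "let in from the smoking area" and "held open for the next person" cases; paired with CCTV timestamps they tell a guard which camera footage to review.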

There should also be some form of surveillance of the office car park. Employees often assume the car park is secure and leave cars unlocked with badges or other sign-in credentials and office documents inside. Those cars need protecting, as do other external resources. Generators, for example, need to be securely caged: a generator is a key piece of equipment in your business continuity and disaster recovery plans. You don't want anyone to be able to tamper with it or cut the power as part of a denial-of-service attack or as a diversionary tactic to gain entrance to the building, where someone could then have an opportunity to steal valuable data.

Making sure your physical defences are in place is only one aspect of physical security. Physical security threats need to be addressed with behaviour-based strategies. Technology makes it simpler than ever for a hacker to pose as someone with a legitimate need for access. It's easy to just pop into a copy shop and produce a business decal for a vehicle or jacket that looks genuine, for example. As part of their social engineering preparation, hackers will have prepared answers to obvious questions from guards and other staff. They can often find out who will and won't be in the office on certain days by searching through social networking sites such as Facebook and Twitter and so can sound very convincing, referring to real people and corporate events.

To combat such situations companies need to run a social engineering awareness campaign. Employees, including infosec pros, need to know what to look for and what's expected of them if they think someone or something is suspicious. It's very important to get the message across that it's not that the company doesn't trust the people within the organisation, but that they need to be wary of people they don't know. A good angle to take is to compare the office to their home. Nobody is going to just let a stranger walk into his or her own house, for example, and it should be the same at work.

At Christmas, more than ever, the arrival of any unexpected personnel or services, such as plant care, waste removal and cleaning services, should be treated with immediate suspicion. Nobody should be allowed access without being signed in by an authorised employee, no matter what he or she says or claims. Preferably security will be able to confirm with suppliers any changes to their normal personnel and hours of service prior to the holiday period so guards will know who and what to expect.

This is the kind of behaviour companies need to inject into their corporate culture as security is ultimately rooted in employees' behaviour. A survey by Cisco Systems Inc. last year that looked at how behaviour (not technology) affected the risk and security of data found many employees still breach security rules. A Deloitte Inc. survey of more than 100 companies found 75% cited human error as the leading cause of security failures.

The statistics show that a lot still needs to be done to change people's approach to protecting their work environment. One tactic could be to publish a monthly newsletter on current security threats and issues, reporting security metrics that show the cost benefits of improved security. For example, put a monetary value on fewer incidents or shorter recovery times. Important security memos should go out under the CEO's name, and other top executives should attend security Q&A meetings. You may also want to consider Red Team testing your building's security, using both cyber and physical means to covertly gain access to a company's critical systems and find out where any security gaps lie.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
