83-10-15 Physical Security Previous screen Tom Peltier Payoff All computer or information security programs begin with protecting the physical environment. With the advent of workstations, laptops, and telecommuting, providing adequate physical security has become a major challenge. This article examines current techniques for securing the entire enterprise most cost effectively, including the latest developments in biometrics. Introduction Before any controls can be implemented into the workplace, it is necessary to assess the current level of security. This can be accomplished in a number of ways. The easiest one is a “walk-about.” After hours, walk through the facility and check for five key controls: · Office doors are locked. · Desks and cabinets are locked. · Workstations are secured. · Diskettes are secured. · Company information is secured. Checking for these five key control elements will give you a basic understanding of the level of controls already in place and a benchmark for measuring improvements once a security control system is implemented. Typically, this review will nearly show a 90% control deficiency rate. A second review is recommended 6 to 9 months after the new security controls are in place. This article examines two key elements of basic computer security: physical security and biometrics. Physical security protects your organization's physical computer facilities. It includes access to the building, to the computer room(s), to the computers (mainframe, mini, and micros), to the magnetic media, and to other media. Biometrics devices record physical traits (i.e., fingerprint, palm-print, facial features, etc.) or behavioral traits (signature, typing habits, etc.). A Brief History In the beginning of the computer age, it was easy to protect the systems; they were locked away in a lab and only a select few “wizards” were granted access. Today, computers are cheaper, smaller, and more accessible to almost everyone. During the mid-twentieth century, the worldwide market for mainframe computer systems exploded. As the third-generation systems became available in the 1960s, companies began to understand their dependence on these systems. By the mid– to late- 1970s, the security industry began to catch up, with Halon fire suppression systems, card access, and RACF and ACF2. In the final quarter of the century, mainframe-centered computing was at its zenith. By 1983, the affordable portable computer began to change the working landscape for information security professionals. An exodus from the mainframe to the desktop began. The controls that had been so hard won in the previous two decades were now considered the cause of much bureaucracy. Physical security is now needed in desktops. For years, Previous screen conventional thinking was that a computer is a computer is a computer is a computer. Controls are even more important in the desktop or workstation environment than in the mainframe environment. The computing environment is now moving from the desktop to the user. With the acceptance of telecommuting, the next challenge will be to apply physical security solutions to the user-centered computing environment. With computers on every desk connected via networks to other local and remote systems, physical security needs must be reviewed and upgraded wherever necessary. Advances in computer and communications security are not enough; physical security remains a vitally important component of an overall information security plan. Where to Focus Attention Before implementing any form of physical security, it may be helpful to conduct a limited business impact analysis (BIA) to focus on existing threats to the computer systems and determine where resources can best be spent. It is very important to consider all potential threats, even unlikely ones. Ignore those with a zero likelihood, such as a tsunami in Phoenix or a sandstorm in Maui. A very simple BIA could be diagramed as shown in Exhibit 1. A Business Impact Analysis Example An unlimited number of threats can be of concern to your organization. Any number of high-likelihood threats can be identified. First consider those threats that might actually affect your organization (e.g., fire, flood, or fraud). Three elements are generally associated with each threat: · The agent. The destructive agent can be a human, a machine, or nature. · The motive. The only agent that can threaten accidentally and intentionally is human. · The results. For the information systems community, this would be a loss of access or unauthorized access, modification, or disclosure or destruction of data or information. The focus of physical security has often been on human-made disasters, such as sabotage, hacking, and human error. Don't forget that the same kinds of threats can also occur from natural disasters. Natural Disasters and Controls Fire A conflagration affects information systems through heat, smoke, or suppression agent (e.g., fire extinguishers and water) damage. This threat category can be minor, major, and catastrophic. Controls. Previous screen Install smoke detectors near equipment. Keep fire extinguishers near equipment and train employees in their proper use. Conduct regular fire evacuation exercises. Environmental Failure This type of disaster includes any interruption in the supply of controlled environmental support provided to the operations center. Environmental controls include clean air, air conditioning, humidity, and water. Controls. Since humans and computers don't coexist well, try to keep them separate. Many companies are establishing command centers for employees and a “lights-out” environment for the machines. Keep all rooms containing computers at reasonable temperatures (60-75 degrees Fahrenheit or 10-25 Celsius). Keep humidity levels at 20% to 70% and monitor environmental settings. Earthquake A violent ground motion results from stresses and movements of the earth's surface. Controls. Keep computer systems away from glass and elevated surfaces. In high-risk areas, secure the computers with anti-vibration devices. Liquid Leakage A liquid inundation includes burst or leaking pipes and accidental discharge of sprinklers. Controls. Keep liquid-proof covers near the equipment and install water detectors on the structural floor near the computer systems. Lightning An electrical charge of air can cause either direct lightning strikes to the facility or surges due to strikes to electrical power transmission lines, transformers, and substations. Controls. Install surge suppressers, store backups in grounded storage media, install and test Uninterruptible Power Supply (UPS) and diesel generators. Electrical Interruption A disruption in the electrical power supply, usually lasting longer than one-half hour, can have serious business impact. Controls. Previous screen Install and test UPS, install line filters to control voltage spikes, and install anti- static carpeting. The Human Factor Recent FBI statistics indicate that 72% of all thefts, fraud, sabotage and accidents are caused by companys' own employees. Another 15% to 20% comes from contractors and consultants who are given access to buildings, systems, and information. Only about 5% to 8% is done by external people, yet the press and management focus mostly on them. The typical computer criminal is a non-technical authorized user of the system who has been around long enough to locate the control deficiencies. When implementing control devices, make certain that the controls meet the organization's needs. Include a review of internal access, and be certain that employees meet the standards of due care imposed on external sources. “Intruders” can include anybody who is not authorized to enter a building, system, or data. The first defense against instruders is to keep them out of the building or computer room. However, because of cost-cutting measures in the past two decades, very few computer facilities are guarded anymore. With computers everywhere, determining where to install locks is a significant problem. To gain access to any business environment, everybody should have to pass an authentication and/or authorization test. The three ways of authenticating users involve something: · That the user knows (a password). · That the user has (a badge, key, card, or token). · Of their physiognomy (fingerprint, retinal image, voice). Locks In addition to securing the campus, it may be necessary to secure the computers, networks, disk drives, and electronic media. One method of securing a workstation is with an anchor pad, a metal pad with locking rods secured to the surface of the workstation. The mechanism is installed to the shell of the computer. These are available from many vendors. Many organizations use cables and locks. Security cables are multi-strand, aircraft-type steel cables affixed to the workstation with a permanently attached plate that anchors the security cable to the desk or other fixture. Disk locks are another way to secure the workstation. These small devices are quickly inserted into the diskette slot and lock out any other diskette from the unit. They can prevent unauthorized booting from diskettes and infection from viruses. Cryptographic locks also prevent unauthorized access by rendering information unreadable to unauthorized personnel. Encryption software does not impact day-to-day operations while ensuring the confidentiality of sensitive business information. Crypographic locks are cost-effective and easily available. Tokens As human security forces shrink, there is