Sister CISA CISSP:

Physical Security

Jul 22 2009   3:09PM GMT

Adventures in Auditing #2



Posted by: Arian Eigen Heald
Physical Security, Compliance, data security

While doing a PCI exam not long ago, I visited a company that was very proud of its security measures, and rightly so. They had done a lot of work to secure their environment.

Sometimes it’s the smallest things that we are so used to seeing that we stop “seeing” them. They become part of the background noise of everyday functions and escape our notice. Social engineers are masters of acquiring those functions and using them for the wrong reasons. For example, the building cleaners. Do they have keys to everything in order to clean your offices? What if they decide to clean out your data?

Corporate espionage agents have been known to offer cleaners $50.00 per bag of trash. Another source of easy cash is backup tapes.

When we walked into the tape storage room, I inquired, “Do you have an inventory of the tapes in this room? How often do you check that the inventory is all accounted for?” Nonplussed, the CIO replied that the door was secured and only he and one other IT person had the key, which was signed out in the Data Center whenever it was used. So they weren’t “bothering” to inventory the tapes in the room.

Looking down, I noticed that the wastebasket was empty, with a fresh plastic bag neatly wrapped around it. I said, “Do your cleaners have a key to this room?” “Why, yes,” the CIO replied blankly. Then comprehension dawned on his face.

The next day, a new policy was posted by the tape storage door: all trash receptacles were to be placed outside the door. The CIO informed me that the lock on the door had been changed, and that inventories would be done monthly.

There are some companies that go the extra mile of encrypting tapes or requiring that their cleaning companies be bonded AND employees have an annual background check.

It’s expensive, but so is losing the company’s reputation to a building cleaner...

Jun 29 2009   8:19PM GMT

Remember the Lowest Common Denominator



Posted by: Arian Eigen Heald
Physical Security, IRT, Incident Response

I recently attended a seminar at a well-known southwestern school on building an Incident Response Team. During the discussion about Team membership, management oversight of the Team and related responsibilities, I noticed that the membership of the Team and the Oversight Committee was lacking some critical input.

An area often overlooked, especially when being developed by those in the Information Technology field, is the aspect of physical security. The campus police and the maintenance department were the two members lacking in this particular seminar. When I brought up this issue, it was dismissed with the equivalent of: “Oh, them.”

(They may never get into their offices again, or have decent air conditioning. And keys? Forget it.)

Considering an “IT event” to be the only worthy event included in the IRT criteria for action is truly shortsighted. Physical events such as a string of burglaries on campus, flooding or water damage can have just as much impact on communications as a network outage. Not to mention the idea that those events would be a great shield for someone intent on attacking the network. If the IRT is unaware of these events, they become ineffective.

Not only that: bringing physical security to the common IRT table is important for those folks as well. They may be unaware of events in the IT world that would affect securing the overall physical environment. Having all parties educate each other provides a unified response, and that’s a much better incident response overall.