Physical Security Review
Depending on the organization physical security countermeasures will vary. A government agency such as the Department of Defense may have armed guards at the door of the building. Many organizations are not in the position of breaching national security so armed guards are not a necessity. In many cases a receptionist greets any new visitors and makes the appropriate arrangements for an on-site visit. Let's review some physical security countermeasures for the server room, as well as laptops and desktops.
Server Room Protection
Access Control Cards -
These are tied to a specific user and must be swiped in order to gain access. The downside is that they can be stolen and used without authorization and they are really expensive to implement.
Biometrics -
Uses a physical characteristic such as a fingerprint or retina to identify a user. Due to the cost of implementing this solution, as well as employee privacy issues, biometrics has not been widely accepted yet.
User Awareness -
User awareness is by far the most important aspect to security. The Kingston City Council discovered this when they hired a consultant to perform a social engineering test on their users. The consultant gained access to the server room by simply telling the users that he was sent to service the UPS.
Laptop/Desktop Protection
User Awareness -
Employees need to be made aware that strangers cannot be in the office without an escort. Awareness programs should encourage all employees to confront and ask an unidentified individual if they need any assistance.
Laptop Locks -
These cables are physically connected to the laptop, which are then connected to a desk. A key is required to unlock the cable and, although these cables can be cut, implementing them on easily removable devices such as laptops may deter an attacker from actually making the effort.
OS Hardening -
USB ports and CD-R/DVD-R drives should be disabled on all laptops/desktops so that files cannot be easily copied and stolen by a malicious user wandering around in the office.
Rings Approach to Physical Security in Depth
One way to consider an architecture to implement in depth is the rings approach to physical security. The rings are:
Ring 1 - Areas on the perimeter of the business building
Ring 2 - Immediate area around the business building/environmental (fire, floods, moisture, power)
Ring 3 - Internal location of the business building
Ring 4 - Human factors