Why physical security (and InfoSec!) still matter

In the current era of mega- (should I say giga-?) breaches with tens to hundreds of millions of lost customer records and the hacking-of-everything, it is safe to assume that the logical security of devices has become almost more important than the physical protection around those assets. While it is true that the logical (in-)security of devices makes "remote attacks" possible (attacks carried out against the system from a location other than where the device sits, i.e. via a communication channel using a protocol such as TCP/IP, Ethernet, Bluetooth, CDMA, GSM, etc.), there is still an important defense layer that surrounds your device: physical security.


To provide a little anecdote: a little while ago I took a flight into Washington, and the seat beside me in the back of the airplane was empty (yes, that still occurs despite all the overbooking and other tantalizing measures of the airlines). I set my little book and magazine there during the flight, with my cell phone on top. Then, when the plane landed and touched ground, it was a pretty heavy bump, and the pilot really hit the thrust reversers and the brakes, so much so that I needed to stretch my arm against the seat back in front of me. During the initial bump I saw my cell phone drop to the ground, and when the full deceleration took place, the cell phone slid very fast towards the cockpit. I looked under the seat(s) in front of me but couldn't find it. Then a friendly stewardess came up to me smiling with my cell phone in her hands, asking if it was mine, and I was quite happy to say yes.

My phone had crossed the entire plane up to the first-class cabin, where someone found it. Since my device is encrypted, has a display PIN, and shows my owner information with my name and my home phone number (should someone find it and intend to give it back), that likely helped the stewardess look up my name and seat number on the passenger list, hence the quick resolution to my almost-lost device.

So, what does this little anecdote tell us? In my view, it provides reasons why you need to use the physical seat belts, why you should put your tray table up and your seat back forward during takeoff and landing, why you should put your belongings in the seat pocket in front of you (and not elsewhere), and that labeling and logical security are really important, too. Sometimes physical events can change your possession of something, making it necessary for you to rely on those additional controls.

It is the combination of different types of controls (often called "defense in depth") that can make or break your protection.


Another example: in my global endeavors I have also seen data centers located in colocation or shared facilities with other companies. While the DC was physically and logically safeguarded, the cage around it was open at the top and bottom, so anyone with access to the colocation site could use the nearby ladder or the floor handles (to open the raised floor) and thereby easily intrude into the neighbor's DC units. This alone was already risky enough, but within the DC(s) I then found important logical controls like firewalls and other such choke points in a less-than-standard state: the side panels of the firewall racks had been taken off (to "solve" heat/cooling problems), so that the above-mentioned intruder (or even people with otherwise authorized access to the DC cage) could easily put their hands on them or attack them directly.

Lastly, in another setting I discovered cable trays wide open and accessible via a parking garage (which was not protected against unauthorized third-party access); the main facility with the core backbone was vulnerable to a simple physical attack with an axe or something similar, and all the other millions of dollars spent were at total risk here. I am not saying that all the logical controls wouldn't be necessary (in fact, they are needed, and even more so given the endless forms of new attack vectors and the daily increasing attack surface), but my "lessons learned" are that you have to think things through completely from the ground up, starting at the physical level and then going upwards through the ten layers of the security stack.


If you think this through further, you will come to the conclusion that this is why you need at least 60 miles (~100 km) of distance between redundant data center facilities, and why your DR and BCP plans should be based on worst-case physical scenarios to cover your bases. Backups not only need to be physically separated from the place of origin, but in addition need to be protected both physically and logically (otherwise, the attack against your potential crown jewels will happen against the offsite transport truck or the storage facility, etc.).

Hopefully the provided examples give enough reason to understand that physical security absolutely still matters. Now, let's focus on the second aspect: the information (or logical) security piece.

Why does it still matter? Well, even if you created a "Fort Knox" from a physical perspective around your assets, the reality is that every system that has communication channels open (ports/protocols/input/output facilities, etc.) is vulnerable to logical attacks along that protocol or via the encapsulated data itself (this is why we have the current crisis; it is "system-immanent", so to speak, and it will remain so for quite a long time).

So, in order to protect your assets, you need to employ logical controls, like gates and control points. Think of protocol-aware firewalls, malicious code detection and response (anti-malware); intrusion detection/prevention systems (IDS/IPS); log monitoring; SIEM and correlation tools; data leakage prevention (DLP) and classification systems; network segmentation; compartmentalization (of virtualized environments); multi-factor authentication; strong and complex passwords; and other sophisticated tools like global cyber threat information and real-time intelligence, or strong encryption (AES256 etc.) and hashing for integrity.


The key is that a fully crafted, well-designed security architecture, governed by clear and concise policies, run by best-practices-oriented security operations, supported by sophisticated and well-educated/trained cyber intelligence specialists, used by well-aware and trained users, and organizationally led and managed by truly experienced CSOs/CISOs, will strategically solve the security threat by design. Security has to become a design goal. No more programming, software or hardware development, implementation projects, delivery programs, etc. without clear and upfront security requirements in the specification and planning phase. It will take a generation or two, but it is possible. Let's get started!


Stories by Michael S. Oberlaender
