Physical information security

June’s security awareness and training topic is an interesting blend of traditional physical/site security and cybersecurity, with just a touch of health and safety to spice things up.

Hot on the heels of May’s module about working off-site, this month we’re exploring the risks and controls applicable to physical information assets such as:

• ICT devices e.g. servers, laptops, phones, network cables, microwave dishes;
• Hardware security devices and controls e.g. keys, staff passes, cryptographic key-fobs, walls, fences/barriers, turnstiles, locks/padlocks, smoke detectors, fire and flood alarms …;
• Information storage media e.g. hard drives, USB sticks, tapes, papers;
• Information communication and display devices e.g. screens, management panels, annunciators, modems;
• People – particularly “knowledge workers” employed for their intellectual capacity, expertise and skills, implying a business need to ensure their health and safety.

Physically securing information assets is just as important as the logical security controls (cybersecurity) normally considered. Adversaries with physical access to ICT devices may be able to defeat/reset the logical security controls, power down or damage them, substitute or simply make off with them. 

Card skimmers fitted to bank ATMs are an example of a physical threat to information - namely the card data and PIN codes used to authenticate card holders.

Crime investigators sometimes employ physical techniques to obtain forensic evidence from devices and media recovered from the scenes of crime, so it’s not all bad news!

The physical harm that can impact information includes:

• Theft or loss by insiders, intruders/burglars, thieves, industrial spies, vandals and saboteurs;
• Tailgating or physical intrusion, allowing intruders to observe, copy, steal, replace or damage information assets (both physical and digital) on-site;
• Damage - criminal or accidental such as fires, floods, storms, lightning, static electricity, voltage surges and power cuts, electromagnetic disturbances and radio interference, mold;
• Mechanical/electronic failure or obsolescence, ICT equipment prematurely becoming unreliable, intermittent or failing completely, especially if it has been stored or used under adverse physical conditions such as high temperatures, vibration or corrosive atmospheres;
• Subversive hardware e.g. covert surveillance using microphones and cameras built -in to many IT devices, installation of bugs and wireless network taps;
• Interception, compromise and failure of both wired and wireless networks;
• Compromise of technological security controls e.g. reset device to factory defaults, replace firmware or hack the hardware, disable security controls, and copying/cloning/counterfeiting of inadequately secured authentication devices (such as credit cards and passports);
• Illness, accident, death, coercion, bribery and corruption etc. of workers, including injuries and stress, depression and other potentially devastating forms of mental ill-health.

Physically securing information involves: physical access controls; fire, smoke and flood protection; redundant/spare equipment, supplies, communications routes and people; UPSs, generators, spare batteries; lightning conductors, surge arrestors etc.; health and safety plus welfare arrangements for workers; laws, policies, agreements and other rules and regulations; physical security-related processes and activities ... including security awareness of course!

Don't bother contacting us if your people are all fully up-to-speed on the physical side of information security as outlined here. If your management already understands the need and willingly invests in physical security controls, good on you. If you and your professional colleagues actively encourage and enable the implementation of physical controls, excellent! Otherwise, we're keen to help.