Physical and Environmental Security: threats are not just digital...
Companies are not immune to ‘physical and environmental-based’ incidents which can lead to serious consequences for both information systems and society in general: fire, theft, intrusion, water damage, etc. All of these can be executed in a completely ‘physical’ way to access computer data.
Two videos from NC3 illustrate classical ‘physical threat’ scenarios relevant to a company’s or organisation’s information systems and data.
- In this first case, a maid managed to attach a ‘sniffer’ device to a computer.
- In the second case, a spy managed to find sensitive data simply by searching through dustbins.
The Risks
The propagation of laptops, tablets and other portable devices increases the risk that they will be lost or
stolen. An investigation by Kensington
revealed that:
- 89% of companies experienced a laptop theft.
- 67% of laptop thefts occurred at the office.
- Only 3% of stolen laptops were recovered.
It should be noted that the real cost of these attacks is more than just the price of the hardware. Overall costs can become astronomical if sensitive data was stored on the stolen equipment or if the thief was able to access other company resources through the stolen PC.
Take the following two scenarios as an example of the damage which can be done; both of which are actual events which occurred in Luxembourg.
The first is the well-known case of ‘Medicoleaks’ in 2012 when thousands of medical records were disclosed due to a password which was visible to visitors. This event was a typical ‘theft of passwords’ and can be considered a form of ‘spying’. But there was also the possibility of classifying it as ‘sabotage’ due to the possibility of destroying the integrity of the data.
More recently, several violent floods have done damage in many locations and have affected more than 30 companies located near the Müllerthal area. Several of them (including a hotel, a garage and some professional offices) lost data due to the water damage done to their IT infrastructure.
The Impact
The impact of physical security vulnerabilities can be very high: data can be destroyed (in the case of fire or flood), can be used maliciously by third parties, or just corrupted.
In general, these incidents can have five types of impact:
- Operational impact: the daily functioning of the organisation is affected.
- Financial impact: direct losses, market losses, etc.
- Impact on reputation: loss of customer confidence
- Legal impact: where legal proceedings are concerned
- Impact on the person: directly impacting a victim in some way
Each risk can have different types of impact. The table below demonstrates these effects by highlighting some examples:
| Risks | Most Likely Impacts | Possible Impacts |
|---|---|---|
| Fire | Operational Impact Financial Impact |
Reputational Impact |
| Water damage | Operational Impact Financial Impact |
Reputational Impact |
| Electrical failure | Operational Impact | Financial Impact Reputational Impact |
| Communications | Operational Impact | Financial Impact |
| Intrusion or Theft | Financial Impact Personal Impact |
Reputational Impact Legal Impact |
| Espionage | Operational Impact Financial Impact Personal Impact |
Reputational Impact Legal Impact |
| Sabotage | Operational Impact Financial Impact |
Legal Impact Reputational Impact |
Note that one disaster can have several types of simultaneous impacts. For example, if a construction company loses data after a fire, it could experience a financial, operational and legal impact.
Prevention and Protection
A company that wishes to prosper must remain open to the outside world. But openness does not mean a ‘free for all’. First of all, physical security needs to conform to the standards in force concerning both fire and environmental risks. Next, organisations should define sensitive areas (computer room, specific offices…) which must be protected in a specific way because they shelter vital data or critical infrastructures; a sort of high-level inventory dedicated to security.
The protection of sensitive areas must be based on a prioritisation of which risks to combat first. For example, in the case of a fire, fire suppression mechanisms using products that are not likely to damage computer hardware should be used, fireproof cabinets may be required, and restrictions on smoking should be enforced. A recovery plan should be put in place and tested, including the protection of all IT infrastructure.
For all types of risk, the approach should be the same:
- Define the perimeter.
- Introduce preventive (to avoid the disaster) and protective (to protect the installation in case the disaster occurs) measures.
- Test and evaluate these measures regularly.
To protect against all of these risks, approaches may vary depending on the situation. Below are some basic protective measures which are required for most cases:
| To guard against: | Protective Measure: |
|---|---|
| Electrical failure |
Electronic protection/controls (inverters…) Redundancy (duplication of machines/circuits) |
| Fire |
Detection and fire protection: smoking ban, disaster plan, fireproof cabinets... Decentralised back-ups Redundancy (duplication of machines/circuits) |
| Flooding |
Location of computer rooms outside risk areas Flood detection system Elevation of computer equipment Use of hermetic tubes for wiring Compartmentalised flooring Decentralised back-ups, dry archives |
| Theft, Intrusion, Espionage, |
Restricted physical access Tracking of visitors Alarm systems |
| Sabotage |
Redundancy (duplication of machines / circuits) Decentralised back-ups Restricted physical access |
| Hardware Malfunctions | Regulation of Temperature (computer rooms) |
Visitors can pose a significant risk (theft or espionage) if there is insufficient tracking or access control. In recent years, NC3 specific diagnostics have recorded several failures linked to the reception and tracking of visitors: notably, the lack of support or occupancy of the reception area and a lack of access control to sensitive locations.
Sometimes printers located in corridors are used to print sensitive data and many times employees do not immediately recover their printouts – this leaves a lot of time for unauthorised people to read or make copies of sensitive information.
Example: a law firm with ongoing court cases practising in commercial litigation. Any leaked information could be used to harm their customers or be used to influence the outcome of cases. Strict physical protection measures must, therefore, be taken to prevent any form of leakage. For example, customers or service providers need to be met at reception and then escorted to dedicated meeting rooms to prevent these visitors from discovering confidential information.
We must also beware of prying eyes on public transportation, in restaurants, and lobbies. You should also be aware that people can watch you through windows. One solution could be to place a privacy screen protector/privacy filter on screens that make reading impossible for anyone who is outside the visual angle of a legitimate user… Good to know!
Dustbins are often used by spies who are not afraid of getting their hands dirty to find the information they are looking for. To remove this opportunity, just send all documents to the shredder to make them unreadable. Beware of digital media that are to be discarded: destruction is necessary because the simple erasure of data is not always enough to make it disappear completely.
Where to Start?
Ensuring optimal protection for your business against all risks may seem like an insurmountable task for some - but we must not give up. On the contrary, we can start with some simple and inexpensive measures that can immediately and significantly reduce our level of risk. Such ‘Quick Wins’ can be, as follows:
- Installing an inverter
- Setting up a controlled access system with alarm
- Establishing an access control procedure and visitor log
- Placing computer locks on desktops
- Increasing employee awareness via training
If you want to better understand your physical security flaws through an initial diagnosis, you can contact us to take advantage of our NC3 Diagnosis service.