Chapter 5
Enhancing Physical Security
IN THIS CHAPTER
» Understanding why physical security is an important part
of cybersecurity
» Understanding the basics of physical security for data
and electronic devices
» Identifying what needs protection
» Reducing physical security risks
You may be tempted to skip this chapter — after all, you are
reading this book to learn about cybersecurity, not physical
security.
But, please don't.
Seriously.
Certain aspects of physical security are essential ingredients of
any cybersecurity program, whether formal or informal. Without
them, all of the policies, procedures, and technical defenses can
prove to be worthless. In fact, just a few decades ago, the teams
responsible for protecting computers and the data housed within
them focused specifically on physical security. Locking a computer
in a secured area accessible by only authorized personnel was
often sufficient to protect it and its contents. Of course, the dawn
of networks and the Internet era, coupled with the mass
proliferation of computing devices, totally transformed the risks.
Today, even computers locked in a physical location can still be
accessed electronically by billions of people around the world.
That said, the need for physical security is as important as ever.
This chapter covers elements of physical security that are
necessary in order to implement and deliver proper cybersecurity.
I cover the “what and why” that you need to know about physical
security in order to keep yourself cyber-secure. Ignoring the
concepts discussed in this chapter may put you at risk of a data
breach equivalent to, or even worse than, one carried out by
hackers.
Understanding Why Physical Security Matters
Physical security means protecting something from unauthorized
physical access, whether that access is by man or by nature.
Keeping a computer locked in an office server closet, for example,
to prevent people from tampering with it is an example of physical
security.
The goal of physical security is to provide a safe environment for
the people and assets of a person, family, or organization. Within
the context of cybersecurity, the goal of physical security is to
ensure that digital systems and data are not placed at risk
because of the manner in which they’re physically housed.
Remember: Classified information contains secrets whose compromise
can endanger American intelligence agents and operations,
undermine diplomatic and military operations, and harm
national security.
I hope that you're not storing highly sensitive classified files in your
home. If you are, you had better know a lot more about
information security than is taught in this book. Also, because
removing classified information from its proper storage location is
often a serious crime, I suggest that you get yourself a good
lawyer.
Taking Inventory
Before you implement a physical security plan, you need to
understand what it is that you have to secure. You likely possess
more than one type of electronic device and have data that varies
quite a bit in terms of the level of secrecy and sensitivity that you
attach to it. Step 1 in implementing proper physical security is to
understand what data and systems you have and determine what
type of security level each one demands.
SECRETARY OF STATE HILLARY CLINTON’S EMAIL PROBLEM
Whenever politicians or journalists attack former U.S. Secretary of State Hillary
Clinton for storing sensitive information on a server located inside a spare closet
in her home in Chappaqua, New York, they’re effectively accusing her of
endangering national security by placing sensitive digital data in an insufficiently
secure physical location. After all, as far as the risks of Internet-based hackers
are concerned, digital security is what matters; to hackers from China and
Russia, for example, whether her server was located in her spare closet or in a
data center protected by armed guards is irrelevant.
The security experts who devised our national security procedures for the
handling of classified information understood the necessity of keeping such
data physically secure — it is, generally speaking, against the law to remove
classified information from the secure locations in which it’s intended to be
handled. While many modern-day workers may telecommute and bring work
home with them at times, folks who handle classified information can be
sentenced to serve time in prison for even attempting to do the same with
classified data.
The laws governing the protection of classified information prohibit removing it
from classified networks, which are never supposed to be connected to the
Internet. All people who handle classified information are required to obtain
clearances and be trained on the handling of sensitive information; they are
required by federal law to understand, and to adhere to, strict rules. As such,
Sec. Clinton should have never removed classified information from classified
networks and should never have brought it home or accessed it via a server in
her home.
In fact, people can be charged with a crime for mishandling classified
information — even if they do so inadvertently, which is a point that the
Republicans mentioned repetitively during the 2016 Presidential election. Sec.
Clinton’s email security challenges likely impacted world history in a big way —
something to keep in mind when people ask how important cybersecurity can
be.
In all likelihood, your computer devices fall into two categories:
» Stationary devices, such as a desktop computer sitting in
your family room on which your teenagers play video games
» Mobile devices, such as laptops, tablets, and cellphones
Remember: Don't forget to inventory the equipment to which your
devices are connected. When you inventory your devices, pay
attention to networks and networking equipment. To what
networks are stationary devices attached? How many
networks are in place? Where do they connect to the outside
world? Where is the relevant network equipment located?
What do mobile devices connect to wirelessly?
Stationary devices
Stationary devices, such as desktop computers, networking
equipment, and many Internet of Things (IoT) devices, such as
wired cameras, are devices that don’t move from location to
location on a regular basis.
These devices can, of course, still be stolen, damaged, or
misused, and, therefore, must be adequately protected. Damage
need not be intentionally inflicted — early in my career I helped
troubleshoot a server problem that began when a nighttime
custodian unplugged an improperly secured server from its
uninterruptible power supply in order to plug in a vacuum cleaner.
Yes, seriously. As it is imperative to secure stationary devices in
the locations in which they “live,” you must inventory all such
devices. Securing something that you do not know that you
possess is difficult, if not impossible.
SMARTPHONES ARE A LOT MORE THAN SMART PHONES
The term smartphone is extremely misleading — the device in your pocket is a
full-blown computer with more processing power than all the computers used to
first put a man on the moon combined. It is only a smartphone in the same way
that a Ferrari is a fast, horseless carriage — a technically correct description,
but one that is highly misleading. Why do you call these devices smartphones
— well, think of where you encountered your first smartphone.
Most people’s first experience with a smartphone was when they upgraded from
a regular cellphone — and they obtained the new devices from cellphone
providers who (likely correctly) reasoned that people would be more likely to
upgrade their cellphone to “smartphones” than to replace their cellphones with
“pocket computers that have a phone app.”
Smartphone is, as such, a marketing term. “Easily lost or stolen, and potentially
hackable, pocket-sized computer with lots of sensitive information on it” provides
a more accurate understanding.
Remember: In many cases, anyone who can physically access a
computer or other electronic device can access all the data
and programs on that device, regardless of security systems
in place. The only question is how long it will take that party to
gain the unauthorized access that it desires. Never mind that
anyone who can access a device can physically damage it —
whether by physically striking it, sending into it a huge power
surge, dumping water on it, or setting it ablaze. In case you
think that these scenarios are far-fetched, know that I have
seen all four of these options utilized by people intent on
damaging computers.
Mobile devices
Mobile devices are computerized devices that are frequently
moved. Laptops, tablets, and smartphones are all mobile devices.
In some ways mobile devices are inherently more secure than
stationary devices — you likely always have your cellphone with
you, so that device is not sitting at home unwatched for long periods
of time as a computer may be.
That said, in reality, experience shows that portability dramatically
increases the chances of an electronic device being lost or stolen.
In fact, in some ways, mobile devices are the stuff of security
professionals’ nightmares. The “smartphone” in your pocket is
constantly connected to an insecure network (the Internet),
contains highly sensitive data, has access tokens to your email,
social media, and a whole host of other important accounts, likely
lacks security software of the sophistication that is on desktop
computers, is frequently in locations in which it is likely to be
stolen, is often out of sight, is taken on trips that cause you to
deviate from your normal routine, and so on.
Remember: Properly inventorying every mobile device so that you can
properly secure all such devices is critical.
Locating Your Vulnerable Data
Review what data your devices house. Think of the worst-case
consequences if an unauthorized person obtained your data or it
leaked to the public on the Internet. No list of items to search for
can possibly cover all possible scenarios, but here are some things
to think about. Do you have
» Private photos and videos
» Recordings of your voice
» Images of your handwriting (especially of your signature)
» Financial records
» Medical records
» School-related documents
» Password lists
» Repositories of digital keys
» Documents containing:
» Credit card numbers
» SSNs/EINs/taxpayer identification numbers
» Maiden names
» Codes to physical locks or other passcodes
» Correspondence with the IRS and state tax authorities
» Lawsuit-related information
» Employment-related information
» Mother’s maiden name
» Birth dates
» Passport numbers
» Driver’s license numbers
» Information about your vehicles
» Information about your former addresses
» Biometric data (fingerprints, retina scan, facial geometry,
keyboard dynamics, and so on)
These items will need to be protected against cyberthreats, as
described in multiple later chapters. But the data stores in which
they reside also need to be protected physically, as described in
the next section.
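One way to carry out part of this review, as an added example that is not from the book: a short Python script that walks a folder and flags files containing Luhn-valid card numbers, SSN-formatted numbers, or private-key headers. The patterns, function names, and sample files are assumptions constructed for illustration, and they cover only three of the data types listed above.

```python
import os
import re

# Patterns for three of the data types listed above (constructed for this example).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEY_RE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
MAX_BYTES = 1_000_000  # read at most 1 MB per file


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive-data labels found in a block of text."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("card_number")
            break
    if SSN_RE.search(text):
        found.add("ssn")
    if KEY_RE.search(text):
        found.add("private_key")
    return found


def scan_tree(root):
    """Walk root and map each flagged file (relative path) to its sorted labels."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the review
            labels = classify(data.decode("utf-8", errors="ignore"))
            if labels:
                report[os.path.relpath(path, root)] = sorted(labels)
    return report


def build_sample_tree(root):
    """Write constructed sample files (no real data) so the scan can run offline."""
    samples = {
        ("taxes", "return.txt"): "Taxpayer SSN: 123-45-6789\nCard: 4111-1111-1111-1111\n",
        ("keys", "id_backup"): "-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n",
        ("notes", "recipe.txt"): "Order ref 1234 5678 9012 3456, bake at 350\n",
    }
    for (folder, name), body in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, labels in sorted(scan_tree(tmp).items()):
            print(f"{path}: {', '.join(labels)}")
```

The scan reads files as plain text only, so PDFs, office documents, images, and archives still need a manual review; every flagged path is also a location whose physical storage and backups deserve attention.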
Creating and Executing a Physical Security Plan
In order to adequately physically protect your technology and data,
you should not attempt to simply deploy various security controls
on an ad hoc basis. Rather, it is far better to develop and
implement a physical security plan — doing so will help you avoid
making costly mistakes.
In most cases, physically securing computing systems relies on
applying a well-known, established principle of crime prevention,
known as Crime Prevention Through Environmental Design
(CPTD), that states that you can reduce the likelihood of certain
crimes being committed if you create a physical environment that
allows legitimate users to feel secure, but makes ill-doers
uncomfortable with actually carrying out any planned problematic
activities.
Understanding this high-level concept can help you think about
ways to keep your own systems and data safe. Three components
of CPTD as they apply in general to preventing crime include
access control, surveillance, and marking:
» Access control: Limiting access to authorized parties, by
using fences, monitored entrances and exits, proper
landscaping, and so on makes it harder for criminals to
penetrate a building or other facility, and increases the risk to
crooks that they will be noticed, thus discouraging potential
criminals from actually carrying out crimes.
» Surveillance: Criminals often avoid committing crimes that are
likely to be seen and recorded; as such, they gravitate away
from environments that they know are well-watched. Cameras,
guards, and motion-sensitive-lighting all discourage crime.
» Marking: Criminals tend to avoid areas that are clearly marked
as belonging to someone else — for example, through the use
of fences and signs — as they do not want to stand out and be
easily noticeable when committing crimes. Likewise, they avoid
environments in which authorized parties are marked. Consider,
for example, that an unauthorized person not wearing a post
office uniform while walking around in an area marked “U.S.
Postal Service Employees Only” is far more likely to be noticed
and stopped than someone else walking in a similar unmarked
environment belonging to a business that does not require
uniforms.
You can apply these same principles in your own home —
for example, placing a computer in a parent’s home office
sends a message to children, babysitters, and guests that the
device is off limits, a message far stronger than the one that would be
delivered if the same machine were located in a family room
or den. Likewise, curious babysitters or houseguests are far
less likely to go into one’s private home office without
permission after being told not to if they are aware that the
area is monitored with cameras.
You know your own environment. By applying these concepts you
can improve the likelihood that unauthorized parties will not attempt
to gain unauthorized access to your computers and data.
Implementing Physical Security
You can use many techniques and technologies to help secure an
object or facility. How much physical security you implement for a
device depends heavily on the purpose for which it is being used
and what types of information it houses.
Here are some examples of methods of securing devices — based
on your tolerance level for risk and your budget, you may choose
variants of all, some, or none of these techniques:
» Locks: For example, store devices in a locked room, with
access to the room provided to only those people who need to
use the device. In some environments, you may be able to
utilize a smart lock to record or monitor all entrances and exits
from the room. Another popular variant is to store laptops in a
safe located in one’s master bedroom or home office when the
computers are not in use.
» Video cameras: For example, consider having a video camera
focused on the devices to see who accesses them and when
they do so.
» Security guards: Obviously, security guards are not a
practical solution in most home environments, but human
defenders do have a time and place. For example, consider
posting guards inside the room where the device is located,
outside the room, in halls around the entrance to the room,
outside the building, and outside the perimeter fence.
» Alarms: Alarms not only serve as a reactive force that scare
away criminals who actually attempt to enter a home or office,
they also serve as a strong deterrent, pushing many
opportunistic evildoers to “look elsewhere” and target someone
else.
» Perimeter security: Traffic posts prevent people from
crashing cars into a facility, and proper fences and walls
prevent people from approaching a home or office building. You
should note that most experts believe that a fence under 8 feet
tall does not provide any significant security value when it
comes to potential human intruders.
» Lighting: Criminals tend to avoid well-lit places. Motion-triggered
lighting is even more of a deterrent than static
lighting. When lights go on suddenly, people in the area are
more likely to turn and look at what just happened — and see
the criminals just as they are illuminated.
» Environmental risk mitigation: If you're in an area that is
likely to be hit by floods, for example, ensure that computing
resources are stationed somewhere not likely to flood. If such
advice seems obvious, consider that residents of northern New
Jersey lost telephone service after a storm in the late 1990s
when telephone switching equipment flooded — because it was
situated in the basement of a building standing next to a river.
Having proper defenses against fires is another critical element
of environmental risk mitigation.
» Backup power and contingencies for power failures:
Power failures impact not only your computers, but many
security systems as well.
» Contingencies during renovations and other construction,
and so forth: The risks to data and computers during home
renovations are often overlooked. Leaving your cellphone
unattended when workers are routinely entering and exiting
your home, for example, can be a recipe for a stolen device
and/or the compromise of data on the device.
» Risks from backups: Remember to protect backups of data
with the same security precautions as you do the original
copies of the data. Spending time and money protecting a
computer with a safe and cameras because of the data on its
hard drive, for example, is silly if you leave backups of that
same data on portable hard drives stored on a family room
shelf in plain sight of anyone visiting your home.
Of course, you should not consider the preceding list to be
comprehensive. But, if you think about how you can apply each of
these items to help keep your devices safe within the context of a
CPTD approach, you will likely benefit from much greater odds
against an “unfortunate incident” occurring than if you do not. (For
more on CPTD, see the earlier section “Creating and Executing a
Physical Security Plan.”)
Security for Mobile Devices
Of course, mobile devices — that is, computers, tablets,
smartphones, and other electronic devices that are moved
from location to location on a regular basis — pose additional
risks because these devices can be easily lost or stolen. As
such, when it comes to mobile devices, one simple, yet
critically important, physical security principle should be
added: Keep your devices in sight or locked up.
Such advice may sound obvious; sadly, however, a tremendous
number of devices are stolen each year when left unattended, so
you can be sure that the advice is either not obvious or not
followed — and, in either case, you want to internalize it and follow
it.
In addition to watching over your phone, tablet, or laptop, you
should enable location broadcasting, remotely triggerable alarms,
and remote wipe — all of which can be invaluable at quickly
reducing the risk posed if the device is lost or stolen. Some
devices even offer a feature to photograph or video record anyone
using a mobile device after the user flags it as stolen — which can
not only help you locate the device, but can also help law
enforcement catch any thieves involved in stealing it.
Realizing That Insiders Pose the Greatest Risks
According to most experts, the majority of information-security
incidents involve insider threats — meaning that the biggest cyber
risk to businesses is posed by their own employees. Likewise, if
you share a home computer with family members who are less
cyber-aware, they may pose the greatest risk to your
cybersecurity. You may take great care of your machine and be
diligent with cybersecurity every single day, but if your teen
downloads malware-infected software onto the device on even a
single occasion, you may be in for a nasty surprise.
One critical rule from “the old days” that rings true today — even
though it is often dismissed as outdated due to the use of
technologies such as encryption — is that anyone who can
physically access a computer may be able to access the data on
that computer.
Remember: Anyone who can physically access a computer may be
able to access the data on that computer.
This rule is true even if encryption is utilized, for at least two
reasons: Someone who accesses your device may not be able to
access your data, but that person can certainly destroy it and may
even be able to access it due to one or more of the following
reasons:
» You may not have set up the encryption properly.
» Your machine may have an exploitable vulnerability.
» The encryption software may have a bug in it that undermines
its ability to properly protect your secrets.
» Someone may have obtained the password to decrypt.
» Someone may be willing to copy your data and wait until
computers are powerful enough to break your encryption. This
is especially true today, as experts believe that in the not-so-
distant future we will see the next generation of computers
(known as quantum computers) that will be able to undermine
most of today’s encryption mechanisms.
Warning: Here is the bottom line: If you do not want people to
access data, not only should you secure it logically (for
example, with encryption), you should also secure it physically
in order to prevent them from obtaining a copy of the data,
even in encrypted form.
On that note, if your computer contains files that you do not want
your children to have access to, do not share your computer with
your children. That may seem like obvious advice, but you would
be amazed at how often it is ignored for financial reasons. (Why
should I buy a second computer for my children when I already
have a perfectly good computer at home?)
Remember: Do not rely solely on digital security. Utilize a physical
defense. While it is true that crafty, skilled children may be
able to hack your computer across your LAN, the risks of
such an attack occurring are minuscule compared with the
temptation of a curious child who is actually using your
computer. That said, ideally you should keep your most
sensitive data and machines on a network physically isolated
from the one that your children use.