Chapter 3. Physical Security
At a Glance
“Physical security” is almost everything that happens before you start typing commands on the keyboard. It’s the building alarm system. It’s the key lock on your computer’s power supply, the locked computer room with the closed-circuit camera, and the uninterruptible power supply and power conditioners. Despite the fact that physical security is often overlooked, it is extraordinarily important. This chapter discusses many physical security threats, including environmental dangers, vandalism and sabotage, and theft. It offers suggestions for how to address them.
Elements of Physical Security
People First
It should go without saying that in an emergency or disaster situation, the lives and safety of personnel should always come before data or equipment. Although there may be very limited exceptions to this rule (in certain military situations), you should never lose sight of what is truly irreplaceable.
Planning for the Forgotten Threats
Surprisingly, many organizations do not consider physical security. One New York investment house was spending tens of thousands of dollars on computer security measures to prevent break-ins during the day, only to discover that its cleaning staff was propping open the doors to the computer room at night while the floor was being mopped. A magazine in San Francisco had more than $100,000 worth of computers stolen over a holiday: an employee had used his electronic key card to unlock the building and disarm the alarm system; after getting inside, the person went to the supply closet where the alarm system was located and removed the paper log from the alarm system’s printer.
Other organizations feel that physical security is simply too complicated or too difficult to handle properly. Few organizations have the ability to protect their servers from a nuclear attack, a major earthquake, or a terrorist bombing. But it is important not to let these catastrophic possibilities paralyze and prevent an organization from doing careful disaster planning.
The issues that physical security encompasses—the threats, practices, and protections—are different for practically every different site and organization. Because every site is different, this chapter can’t give you a set of specific recommendations. It can only give you a starting point, a list of issues to consider, and a suggested procedure for formulating your actual plan.
The Physical Security Plan
The first step to physically securing your installation is to formulate a written plan addressing your current physical security needs and your intended future direction. Ideally, your physical plan should be part of your site’s written security policy. This plan should be reviewed by others for completeness, and it should be approved by your organization’s senior management. Thus, the purpose of the plan is both planning and political buy-in.
Your security plan should describe the assets you’re protecting, their value, the areas where they’re located, and the likely threats and their associated probabilities. Don’t forget to include information as an asset. You’ll also want to outline your security perimeter – the boundary between the rest of the world and your secure area – and any holes in the perimeter, along with your defense, plans for strengthening them, and the cost of implementing those plans. If you are managing a particularly critical installation, take great care in formulating this plan. Have it reviewed by an outside firm that specializes in disaster recovery planning and risk assessment. Consider your security plan a sensitive document: by its very nature, it contains detailed information on your defenses’ weakest points.
The Disaster Recovery Plan
You should also have a plan for immediately securing temporary computer equipment and for loading your backups onto new systems in case your computer is ever stolen or damaged. This plan is known as a disaster recovery plan. It should also include its own security component; even when you’re operating at your disaster site or transitioning back to normal operations, it’s best to operate securely.
You can regularly test parts of this plan by renting or borrowing a computer system and trying to restore your backups. Less frequently, it’s a good idea to test the entire plan, including verifying that your alternative facilities are available and will function when you need them.
Other Contingencies
Beyond the items mentioned earlier, you may also wish to consider the impact on your operations of the following:
Loss of phone service or network connections
How will the loss of service impact your regular operations?
Vendor continuity
How important is support? Can you move to another hardware or software system if your vendor goes out of business or makes changes you don’t wish to adopt?
Significant absenteeism of staff
Will this impact your ability to operate?
Death or incapacitation of key personnel
Can every member of your computer organization be replaced? What are the contingency plans?
Disaster recovery planning efforts should fit into your organization-wide contingency plans. Saving data is often critical, but becomes less useful when you don’t have space, power, or tools necessary to continue to operate anyway.
Protecting Computer Hardware
Physically protecting a computer presents many of the same problems that arise when protecting typewriters, jewelry, and file cabinets. As with a typewriter, an office computer is something that many people inside the office need to access on an ongoing basis. As with jewelry, computers are valuable and generally easy for a thief to sell. As with legal files and financial records, if you don’t have a backup—or if the backup is stolen or destroyed along with the computer—the data you have lost may well be irreplaceable. Even if you do have a backup, you will still need to spend valuable time setting up a replacement system. Finally, there is always the chance that the stolen information itself, or even the mere fact that information was stolen, will be used against you.
To make matters worse, computers and computer media are temperamental. A computer’s power supply can be blown out simply by leaving the machine plugged into the wall if lightning strikes nearby.
There are several measures that you can take to protect your computer system against physical threats. Many of them will simultaneously protect the system from dangers posed by nature, outsiders, and inside saboteurs.
Protecting Against Environmental Dangers
Computers often require exactly the right balance of physical and environmental conditions to operate properly. Altering this balance can cause your computer to fail in unexpected and often undesirable ways. Even worse, your computer might continue to operate erratically, producing incorrect results and corrupting valuable data.
Fire
Computers are notoriously bad at surviving fires. You can increase the chances that your computer will be an exception by making sure that there is good fire-extinguishing equipment nearby, and that personnel are trained to use it. Automatic gas discharge systems and dry-pipe water-based sprinkler systems each have advantages and disadvantages that should be carefully considered. (PUIS, 198-200)
Be sure that your wiring is protected, in addition to your computers. Be certain that smoke detectors and sprinkler heads, if used, are appropriately positioned to cover wires in wiring trays (often above your suspended ceilings) and in wiring closets.
Smoke
Smoke is very damaging to computer equipment. Smoke is a potent abrasive and collects on the heads of unsealed magnetic disks, optical disks, and tape drives.
Sometimes smoke is generated by computers themselves. Electrical fires—particularly those caused by the transformers in video monitors—can produce a pungent, acrid smoke that may damage other equipment and may also be poisonous or a carcinogen. Another significant danger is the smoke that comes from cigarettes and pipes.
Install smoke detectors in every room with computer equipment, and be sure to mount them under raised floors and over suspended ceilings as well. Do not permit smoking in your computer room. (PUIS, 200-201)
Earthquake
Nearly every part of the planet experiences the occasional temblor. While some buildings collapse in an earthquake, most remain standing. Careful attention to the placement of shelves and bookcases in your office can increase the chances that you and your computers will survive all but the worst disasters.
Avoid placing computers on any high surfaces or near windows; similarly, avoid placing other heavy objects on shelves near computers where they might fall onto your equipment. A good approach is to place computers under strong tables. Also consider physically attaching the computer to the surface on which it is resting. You can use bolts, tie-downs, straps, or other implements. (This practice also helps deter theft.)
Temperature extremes
Computers, like people, operate best within certain temperature ranges. Most computer systems should be kept between 10 to 32 degrees Celsius (50 and 90 degrees Fahrenheit). If the ambient temperature around your computer gets too high, the computer cannot adequately cool itself, and internal components can be damaged. If the temperature gets too cold, the system can undergo thermal shock when it is turned on, causing circuit boards or integrated circuits to crack.
Once you’ve determined what temperature ranges your computers can tolerate, maintain those temperatures. Pay particular attention to the heat discharge and air flow patterns of the machines. Use temperature alarms to monitor the ambient temperature. (PUIS, 203-204)
Electrical noise
Motors, fans, heavy equipment, and even other computers generate electrical noise that can cause intermittent problems with the computer you are using. This noise can be transmitted through space or nearby power lines.
Electrical surges are a special kind of electrical noise that consists of one (or a few) high-voltage spikes. If possible, each computer should have a separate electrical circuit with an isolated ground and power filtering equipment; in no cases should a computer share a circuit with heavy equipment. Radio transmitters (including cellular phones) should be kept away from computers. (PUIS, 204-205)
Lightning
Lightning generates large power surges that can damage even computers with otherwise protected electrical supplies. If lightning strikes your building’s metal frame (or hits your building’s lightning rod), the resulting current can generate an intense magnetic field on its way to the ground. Computers should be unplugged during lightning storms; if that’s not possible, invest in surge suppression devices. Although they won’t protect against a direct strike, they can help when storms are distant. Magnetic media should be stored as far as possible from the building’s structural steel members. Never run copper network cable outdoors unless it’s in a metal conduit. (PUIS, 205)
Water
Water can destroy your computer. The primary danger is an electrical short, which can happen if water bridges between a circuit board trace carrying voltage and a trace carrying ground.
Water usually comes from rain or flooding. Sometimes it comes from an errant sprinkler system. Water also may come from strange places, such as a toilet overflowing on a higher floor, vandalism, or the fire department.
Keep computers out of basements that are prone to flooding. Mount water sensors on the floor of computer rooms, as well as under raised floors, and use them to automatically cut off power in the event of a flood.
Food and drink
Food—especially oily food—collects on people’s fingers and from there gets on anything that a person touches. Often this includes dirt-sensitive surfaces such as magnetic tapes and optical disks. One of the fastest ways of putting a desktop keyboard out of commission is to pour a soft drink or cup of coffee between the keys. Generally, the simplest rule is the safest: keep all food and drink away from your computer systems.[209]
[209] Perhaps more than any other rule in this chapter, this rule is honored most often in the breach.
Other environmental hazards
Several other environmental hazards bear consideration:
• Dust. Keep computer rooms as dust-free as possible, and use a computer vacuum with a microfilter on a regular basis. (PUIS, 201-202)
• Explosion. If you need to operate a computer in an area where there is a risk of explosion, you might consider purchasing a system with a ruggedized case. Backups should be kept in blast-proof vaults or off-site. (PUIS, 203)
• Insects. Take active measures to limit the amount of insect life in your machine room. (PUIS, 204)
• Vibration. In a high-vibration environment, place computers on a rubber or foam mat if you can do so without blocking ventilation openings. (PUIS, 205-206)
• Humidity. Monitor and maintain an appropriate humidity.
Environmental monitoring
To detect spurious problems, continuously monitor and record your computer room’s temperature and relative humidity. As a general rule of thumb, every 1,000 square feet of office space should have its own recording equipment. Log and check recordings on a regular basis.
Controlling Physical Access
Simple common sense will tell you to keep your computer in a locked room. But how safe is that room? Sometimes a room that appears to be safe is actually wide open.
Raised floors and dropped ceilings
In many modern office buildings, internal walls do not extend above dropped ceilings or beneath raised floors. This type of construction makes it easy for people in adjoining rooms, and sometimes adjoining offices, to gain access.
Entrance through air ducts
If the air ducts that serve your computer room are large enough, intruders can use them to gain entrance to an otherwise secured area. Areas that need a lot of ventilation should be served by several small ducts, or should have screens welded over the air vents or inside the ducts. In a very high-security environment, motion detectors can be placed inside air ducts.
Glass walls
Although glass walls and large windows frequently add architectural panache, they can be severe security risks. Glass walls are easy to break; a brick and a bottle of gasoline thrown through a window can cause an incredible amount of damage. An attacker can also gain critical knowledge, such as passwords or information about system operations, simply by watching people on the other side of a glass wall or window. It may even be possible to capture information from a screen by analyzing its reflective glow. Interior glass walls are good for rooms which must be guarded but which the guard is not allowed to enter; in most other cases, avoid them. (PUIS, 208-209)
Defending Against Vandalism
Computer systems are good targets for vandalism. Reasons for vandalism include revenge, riots, strikes, political or ideological statements, or simply entertainment for the feebleminded. In principle, any part of a computer system—or the building that houses it—may be a target for vandalism. In practice, some targets are more vulnerable than others.
Ventilation holes
Several years ago, 60 workstations at the Massachusetts Institute of Technology were destroyed in a single evening by a student who poured Coca-Cola into each computer’s ventilation holes.
Computers that have ventilation holes need them. Don’t seal up the holes to prevent this sort of vandalism. However, a rigidly enforced policy against food and drink in the computer room—or a 24-hour guard, in person or via closed-circuit TV—can help prevent this kind of incident from happening at your site.
Network cables
In many cases, a vandal can disable an entire subnet of workstations by cutting a single wire with a pair of wire cutters. Compared with Ethernet, fiber optic cables are at the same time more vulnerable (they can be more easily damaged), more difficult to repair (they are difficult to splice), and more attractive targets (they often carry more information).
“Temporary” cable runs often turn into permanent installations, so take extra time and effort to install cable correctly the first time. One simple method for protecting a network cable is to run it through physically secure locations. For example, Ethernet can be run through steel conduits. Besides protecting against vandalism, this practice protects against some forms of network eavesdropping, and may help protect your cables in the event of a small fire. Fiber optic cable can suffer small fractures if someone steps on it. A fracture of this type is difficult to locate because there is no break in the coating.
Some high-security installations use double-walled, shielded conduits with a pressurized gas between the layers. Pressure sensors on the conduit cut off all traffic or sound a warning bell if the pressure ever drops, as might occur if someone breached the walls of the pipe.
Network connectors
In addition to cutting a cable, a vandal who has access to a network’s endpoint—a network connector—can electronically disable or damage the network. All networks based on wire are vulnerable to attacks with high voltage.
Utility connections
In many buildings, electrical, gas, or water cutoffs may be accessible—sometimes even from the outside of the building. Because computers require electrical power, and because temperature control systems may rely on gas heating or water-cooling, these utility connections represent points of attack for a vandal.
Defending Against Acts of War and Terrorism
Because it is simply impossible to defend against many attacks, devise a system of hot backups and mirrored disks and servers. With a reasonably fast network link, you can arrange for files stored on one computer to be simultaneously copied to another system on the other side of town—or the other side of the world. Sites that cannot afford simultaneous backup can have hourly or nightly incremental dumps made across the network link. Although a tank or suicide bomber may destroy your computer center, your data can be safely protected someplace else.
Preventing Theft
Computer theft—especially laptop theft—can be merely annoying or can be an expensive ordeal. But if the computer contains information that is irreplaceable or extraordinarily sensitive, it can be devastating.
Many computer systems are stolen for resale—either the complete system or, in the case of sophisticated thieves, the individual components, which are harder to trace. Other computers are stolen by people who cannot afford to purchase their own computers. Still others are stolen for the information that they contain, usually by people who wish to obtain the information but sometimes by those who simply wish to deprive the computer’s owner of the use of the information. No matter why a computer is stolen, most computer thefts have one common element: opportunity. In most cases, computers are stolen because they have been left unprotected.
Laptops and other kinds of portable computers present a special hazard. They are easily stolen, difficult to tie down (they then cease to be portable!), and easily resold. Personnel with laptops should be trained to be especially vigilant in protecting their computers. In particular, theft of laptops in airports has been reported to be a major problem. Laptops should not be left unattended anywhere, for any period of time. If you’re traveling by cab, keep your laptop with you, rather than in the trunk.
Fortunately, by following a small number of simple and inexpensive measures, you can dramatically reduce the chance that your laptop or desktop computer will be stolen.
Locks
One very good way to protect your computer from theft is to physically secure it. A variety of physical tie-down devices are available to bolt computers to tables or cabinets. Although they cannot prevent theft, they make it more difficult.
Mobility is one of the great selling points of laptops. It is also the key feature that leads to laptop theft. One of the best ways to decrease the chance of having your laptop stolen is to lock it, at least temporarily, to a desk, a pipe, or another large object.
Most laptops sold today are equipped with a security slot. For less than $50 you can purchase a cable lock that attaches to a nearby object and locks into the security slot. Once set, the lock cannot be removed without either using the key or damaging the laptop case, which makes it very difficult to resell the laptop. These locks prevent most grab-and-run laptop thefts.
Tagging
Another way to decrease the chance of theft and increase the likelihood of return is to etch equipment with your name and phone number or tag it with permanent or semi-permanent equipment tags. Tags make it very difficult for potential buyers or sellers to claim that they didn’t know that the computer was stolen.
The best equipment tags are clearly visible and individually serial-numbered, so that an organization can track its property. A low-cost tagging system is manufactured by Secure Tracking of Office Property (http://www.stoptheft.com). These tags are individually serial-numbered and come with a three-year tracking service in Europe, Australia, Latin America, or North America. If a piece of equipment with a STOP tag is found, the company can arrange to have it sent by overnight delivery back to the original owner. An 800 number on the tag makes returning the property easy.
Laptop recovery software and services
Several companies now sell PC “tracing” programs. The tracing program hides in several locations on a laptop and places a call to the tracing service on a regular basis to reveal its location. The calls can be made using either a telephone line or an IP connection. Normally these “calls home” are ignored, but if the laptop is reported stolen to the tracing service, the police are notified about the location of the stolen property.
Of course, many of these systems work on desktop systems as well as laptops. Thus, you can protect systems that you believe are at a heightened risk of being stolen.
Component theft
When RAM has been expensive, businesses and universities have suffered a rash of RAM thefts. Many computer businesses and universities have also had major thefts of advanced processor chips. RAM and late-model CPU chips are easily sold on the open market. They are virtually untraceable. And, when thieves steal only some of the RAM inside a computer, weeks or months may pass before the theft is noticed. If a user complains that a computer is suddenly running more slowly than it did the day before, check its RAM, and then check to see that its case is physically secured.
Encryption
If your computer is stolen, the information it contains will be at the mercy of the equipment’s new “owners.” They may erase it or they may read it. Sensitive information can be sold, used for blackmail, or used to compromise other computer systems.
You can never make something impossible to steal. But you can make stolen information virtually useless— provided that it is encrypted and the thief does not know the encryption key. For this reason, even with the best computer-security mechanisms and physical deterrents, sensitive information should be encrypted using an encryption system that is difficult to break. We recommend that you acquire and use a strong encryption system so that even if your computer is stolen, the sensitive information it contains will not be compromised.
Protecting Your Data
There is a strong overlap between the physical security of your computer systems and the confidentiality and integrity of your data. After all, if somebody steals your computer, they probably have your data. Unfortunately, there are many attacks on your data that may circumvent the physical measures mentioned in earlier sections.
Eavesdropping
Electronic eavesdropping is perhaps the most sinister type of data piracy. Even with modest equipment, an eavesdropper can make a complete transcript of a victim’s actions—every keystroke and every piece of information viewed on a screen or sent to a printer. The victim, meanwhile, usually knows nothing of the attacker’s presence and blithely goes about his or her work, revealing not only sensitive information but also the passwords and procedures necessary for obtaining even more information.
Tools exist for eavesdropping at many points, including the connection between the keyboard and the computer, data cables and wiring, Ethernet and fiber optic networks, wireless networks, and even by analyzing radio emissions from equipment. (PUIS, 216-219) There are several ways to make eavesdropping more difficult:
• Routinely inspect all cables and wires carrying data for physical damage or modification, and consider using shielded or armored cable to make wiretapping more difficult. If you are very security-conscious, place cable in steel conduit.
• Make sure unused offices do not have live Ethernet ports. Use Ethernet switches instead of hubs. Run LAN monitoring software like arpwatch that detects packets with previously unknown MAC addresses, or use switches that can perform MAC address filtering. Use fiber optic cables in preference to twisted-pair networks when possible; they are harder to tap undetected.
• Avoid using wireless networks; if you must build a wireless network, enable all possible security features for defense-in-depth (e.g. encryption, firewalling, disabling SSID broadcasts, MAC filters, etc.). Because most of these features provide very little security, educate your users to always use a VPN or other encrypted tunnel for wireless networking. Place the wireless access point outside your firewall (or between two firewalls).
• Encryption provides significant protection against eavesdropping. Thus, in many cases, it makes sense to assume that your communications are being monitored and to encrypt all communications as a matter of course. When this is not feasible, at least encrypt all sensitive traffic (such as login names and passwords for remote services).
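As an added illustration of the arpwatch-style check mentioned above (this is not code from the book or from arpwatch itself), here is a small monitor that keeps a database of known MAC addresses and raises the two alerts arpwatch reports: a never-before-seen station, and an IP address whose hardware address has changed. The input lines are constructed samples, not captures from a real network.

```python
"""Minimal arpwatch-style station monitor (added illustration, not the book's code).

Each observation is an (ip, mac) pair as it would be extracted from ARP traffic.
Two conditions are flagged: a MAC never seen before on the LAN ("new station",
e.g. a device plugged into a live port in an unused office) and an IP whose MAC
has changed ("changed ethernet address", which can indicate ARP spoofing).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, zero-padded, colon-separated form."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)


def parse_observation(line: str) -> tuple[str, str]:
    """Parse one constructed 'ip mac' line into its two fields."""
    ip, mac = line.split()
    return ip, mac


@dataclass
class ArpMonitor:
    ip_to_mac: dict[str, str] = field(default_factory=dict)  # last MAC seen per IP
    known_macs: set[str] = field(default_factory=set)        # every MAC ever observed

    def observe(self, ip: str, mac: str) -> list[str]:
        """Record one observation and return the alerts it raised (possibly none)."""
        ip = str(ipaddress.ip_address(ip))  # validates and normalises the address
        mac = normalize_mac(mac)
        alerts: list[str] = []
        if mac not in self.known_macs:
            alerts.append(f"new station {ip} {mac}")
            self.known_macs.add(mac)
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"changed ethernet address {ip} {mac} (was {previous})")
        self.ip_to_mac[ip] = mac
        return alerts


# Constructed sample observations (hypothetical addresses, not a real capture).
SAMPLE_LINES = [
    "192.168.1.10 00:11:22:33:44:55",
    "192.168.1.11 00:11:22:33:44:66",
    "192.168.1.10 00:11:22:33:44:55",   # repeat of a known pairing: nothing to report
    "192.168.1.12 aa:bb:cc:dd:ee:ff",   # unknown MAC: a new station on the LAN
    "192.168.1.10 aa:bb:cc:dd:ee:ff",   # known MAC now answering for another host's IP
]


def run(lines: list[str]) -> list[str]:
    """Feed every line through one monitor and collect all alerts in order."""
    monitor = ArpMonitor()
    alerts: list[str] = []
    for line in lines:
        alerts.extend(monitor.observe(*parse_observation(line)))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

On a real network the observations would come from ARP traffic on a monitoring port; the first pass over a LAN simply learns its stations, so review that initial list before treating later "new station" alerts as suspicious.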
Protecting Backups
Backups should be a prerequisite of any computer operation—secure or otherwise—but the information stored on backup tapes is extremely vulnerable. Protect your backups at least as well as you normally protect your computers themselves. Never leave them unattended in a generally accessible area, keep them in physically secure locations (ideally, some in a location away from your computers), and be careful who you trust to ship them from location to location.
Most backup programs allow you to encrypt the data before it is written to backup. Encrypted backups dramatically reduce the chance that a backup tape or CD-ROM, if stolen, will be useful to an adversary. If you encrypt backups, be sure you protect the encryption key, both so that an attacker cannot learn it and so that your key will not be lost if you should change staff.
Sometimes, backups in archives are slowly erased by environmental conditions. Magnetic tape is also susceptible to a process called print through, in which the magnetic domains on one piece of tape wound on a spool affect the next layer. The only way to find out if this process is harming your backups is to test them periodically.
A surprisingly common problem is inadequate labeling and inventorying of backup media. You can choose any system of labeling and cataloging that you find effective, as long as you choose one and document it clearly.
Sanitizing Media Before Disposal
When you discard disk drives, CD-ROMs, or tapes, make sure that the data on the media has been completely erased. This process is called sanitizing.
Simply deleting a file that is on your hard disk doesn’t delete the data associated with the file. Parts of the original data—and sometimes entire files—can usually be easily recovered. Hard disks must be sanitized with special software that is specially written for each particular disk drive’s model number and revision level.
For tapes, you can use a degaussing machine or bulk eraser—a hand-held electromagnet that has a hefty field. Experiment with reading back the information stored on tapes that you have “bulk erased” until you know how much erasing is necessary to eliminate your data.
Some software exists to overwrite optical media, thus erasing the contents of even write-once items. However, the effectiveness of these methods varies from media type to media type, and the overwriting may still leave some residues. For this reason, physical destruction may be preferable.
Incinerators and acid baths do a remarkably good job of destroying tapes, but are not environmentally friendly. Until recently, crushing was preferred for hard disk drives and disk packs. But as disk densities get higher and higher, disk drives must be crushed into smaller and smaller pieces to frustrate laboratory analysis of the resulting material. Degaussing machines are available for hard drives, but expensive. As a result, physical destruction is losing popularity when compared with software-based techniques.
One common sanitizing method involves overwriting the entire disk or tape. If you are dealing with highly confidential or security-related materials, you may wish to overwrite the disk or tape several times, because data can be recovered from tapes that have been overwritten only once. Commonly, tapes are overwritten three times— once with blocks of 0s, then with blocks of 1s, and then with random numbers. Finally, the tape may be run through a band saw several times to reduce it to thousands of tiny pieces of plastic.
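The three-pass overwrite described above, as an added example (not code from the book): it writes blocks of 0s, then 1s, then random bytes over the whole medium, flushing each pass to the device, and then reads the medium back to confirm that a distinctive piece of the original content can no longer be found. It assumes the path names an image file or a device the caller may write to; the demo uses a scratch file it creates itself.

```python
"""Three-pass overwrite (0x00, 0xFF, random) of a file or block device, with read-back
verification. Added illustration, not the book's code. Point it only at scratch media:
it destroys whatever is at `path`.
"""
from __future__ import annotations

import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # write/read granularity, 1 MiB


def _size_of(fd: int) -> int:
    """Total size in bytes; seeking to the end works for files and block devices."""
    end = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return end


def _pass(fd: int, size: int, pattern: int | None) -> None:
    """Write one full pass of `pattern` (a byte value) or of random data (None)."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        written = 0
        while written < n:               # os.write may accept fewer bytes than offered
            written += os.write(fd, buf[written:])
        remaining -= n
    os.fsync(fd)                         # force the pass out of the OS cache to the device


def sanitize(path: str) -> int:
    """Overwrite the medium at `path` three times; return the bytes written per pass."""
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _size_of(fd)
        for pattern in (0x00, 0xFF, None):   # blocks of 0s, blocks of 1s, then random
            _pass(fd, size, pattern)
    finally:
        os.close(fd)
    return size


def verify_wiped(path: str, original_sample: bytes) -> bool:
    """True if `original_sample` (a distinctive chunk of the old content) is gone.

    Keeps the tail of the previous chunk so a match straddling two reads is not missed.
    """
    keep = len(original_sample) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if original_sample in tail + chunk:
                return False
            tail = chunk[-keep:] if keep else b""


def demo(path: str | None = None) -> bool:
    """Build a constructed 3 MiB image holding a recognisable secret, wipe it, and
    return True only if the secret was present before and absent afterwards."""
    cleanup = path is None
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    secret = b"CONFIDENTIAL-PAYROLL-SAMPLE" * 40      # constructed marker, ~1 KiB
    try:
        with open(path, "wb") as f:
            f.write(b"\x41" * CHUNK)                  # filler before the secret
            f.write(secret)
            f.write(b"\x42" * (2 * CHUNK - len(secret)))
        present_before = not verify_wiped(path, secret)
        sanitize(path)
        return present_before and verify_wiped(path, secret)
    finally:
        if cleanup:
            os.unlink(path)


if __name__ == "__main__":
    print("secret removed by sanitize():", demo())
```

Overwriting only addresses what the drive lets the host write; sectors a disk has remapped as bad, or tape areas a drive skips, are not reached, which is why the text still recommends physical destruction for the most sensitive media.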
Sanitizing Printed Media
Printed material that may find its way into the trash may contain information that is useful to criminals or competitors. This includes printouts of software (including incomplete versions), memos, design documents, preliminary code, planning documents, internal newsletters, company phone books, manuals, and other material. Other information that may find its way into your dumpster includes the types and versions of your operating systems and computers, serial numbers, patch levels, and so on. It may include hostnames, IP numbers, account names, and other information critical to an attacker. We have heard of some firms disposing of listings of their complete firewall configuration and filter rules—a gold mine for someone seeking to infiltrate the computers.
Consider investing in shredders for each location where information of value might be thrown away. Educate your users not to dispose of sensitive material in their refuse at home, but to bring it in to the office to be shredded. If your organization is large enough and the law allows, you may also wish to incinerate some sensitive paper waste on-site.
Protecting Local Storage
In addition to computers and mass-storage systems, many other pieces of electrical data-processing equipment store information. For example, terminals, modems, and laser printers often have memory buffers that may be downloaded and uploaded with appropriate control sequences.
Naturally, any piece of memory that is used to hold sensitive information presents a security problem, especially if that piece of memory is not protected with a password, encryption, or other similar mechanism. However, the local storage in many devices presents an additional security problem, because sensitive information is frequently copied into such local storage without the knowledge of the computer user.
Unattended Terminals
Unattended terminals where users have left themselves logged in present a special attraction for vandals (as well as for computer crackers). A vandal can access the person’s files with impunity. Alternatively, the vandal can use the person’s account as a starting point for launching an attack against the computer system or the entire network: any tracing of the attack will usually point fingers back toward the account’s owner, not to the vandal. You should never leave terminals unattended for more than short periods of time.
Some systems or screensavers have the ability to log a user off automatically—or at least to blank his screen and lock his keyboard—when the user’s terminal has been idle for more than a few minutes. Take advantage of these features.
Key Switches
Some kinds of computers have key switches that can be used to prevent the system from being rebooted in single-user mode. Some computers also have ROM monitors that prevent the system from being rebooted in single-user mode without a password. Sun’s OpenBoot system and all new Macintosh systems support a password to control boot configuration access.
Key switches and ROM monitor passwords provide additional security and should be used when possible.[210] However, you should also remember that any computer can be unplugged. The most important way to protect a computer is to restrict physical access to that computer.
[210] There’s another good reason to set ROM monitor passwords. Consider what would happen if an attacker found a machine, set the password himself, and turned it off.