
I never leave my home without locking my door.
Sometimes I become so paranoid about how automatic this process is that I fall into self-doubt and find myself running back home to double-check a locked door.
It might seem strange if this were about anything other than the door to my home, but almost everyone seems to share an understanding of what simply counts as “Safety” or “Insurance”.
It’s not strange to keep your possessions, loved ones, valuables and more locked away. Restricting the access someone else may have is also a norm and an expectation of society, and it would be strange not to do so (houseparty@mine).
Physical security falls into so many categories of our lives and extends far beyond the world of IT Security. The term “Physical Access” in computing simply refers to a system or device that can be physically interacted with. In IT Security terms, it’s a phrase used to describe how accessible a device might be to a member of staff or an attacker.
Just this week I was reading this, which details the story of how an individual armed with a USB stick was able to render the physical hardware of multiple devices useless. There are multiple types of attacks and mitigations for all things physical access, which I won’t be going into in great detail here. I do, however, hope to raise some points about it as a concept overall and offer my personal advice.
Mike Meyers (author of many CompTIA training guides and courses) puts it best by stating:
“The best network software security measures can be rendered useless if you fail to physically protect your systems”
“Network+ Certification All-in-One Exam Guide, Michael Meyers, Third Edition, Chapter 17, p. 551” – Mike Meyers
The Perimeter
Before your machines and your valuables, wherever they may reside, there is a perimeter.
If your office is your home, this would be your front door/driveway/hallway or anything else that comes before your device. Companies and individuals often make the mistake of assuming that this factor doesn’t apply to the valuables inside.
Unfortunately, this isn’t the case, and those who do have access inside are just as much of a threat (if not a far higher one) as those on the outside. Securing the “front door” to wherever your valuables are kept is not only important but vital for securing your goods.
Another large oversight here is too much trust.
I’ve personally dealt with organisations that were so trusting of their RFID card system or door access systems that they reduced all other forms of security. In the same way that mechanical locks can be picked, security systems worldwide are broken into regularly as new methods and means of doing so are discovered.
Take this story, which outlines how hotel rooms were not only easily hackable, but could also be hacked with hardly anyone noticing.
(You may also like this!)
With the right set of policies and procedures, securing The Perimeter doesn’t have to be a chore, and it can make all the difference to whether you even become a target. CCTV, locked doors, identity cards, sign in/out logs, access control/restrictions and more can all help not only to prevent or thwart intrusions but can also be key in a forensic investigation (if the unforeseen or the worst case were to occur).
The Goods
Whether you keep your devices in an open space or locked away, there are many small considerations that factor into just how much an attacker or intruder might be able to do once they’ve broken through The Perimeter.
A locked PC, for example, is only as secure as the password left on a sticky note on the same desk. As stated earlier, entire security systems and network policies can be completely undermined by a lack of consideration for physical access to devices.
This whole area goes beyond locking USB ports or blocking untrusted devices; it extends even to the access given to people.
(Does your cleaner need to be in your server room?)
Physical attack tools (like the USB Rubber Ducky) rely solely on being able to physically access a machine. Windows passwords/user accounts can be ripped away with bootable media, which might still take a short while, but as tech advances so does the speed of these attacks.
Put simply: you cannot rely on software alone to protect your data.
There are, however, ways to improve security and to mitigate the potential damage caused by physical access. Encrypting hard drives, account lockouts, locking down USB ports, use of thin clients, restricted logon times, segmented networks, physical locks and more could all help prevent or reduce the damage done by a breach.
There are many great security solutions that can truly minimise the damage that could be caused, but they must also be upheld alongside strict policies to be truly effective.
Hopefully this article has provided more insight into just how the environment around you is as important to your IT security hygiene (if not more so) as everything else.
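As an added illustration (not part of the original article), here is one way to back a "locked down USB ports" policy with a check: audit a Linux kernel log for USB devices that are not on an approved list, and rate unapproved keyboards highest, since keystroke-injection tools present themselves as keyboards. The log lines, the vendor/product IDs and the names `APPROVED` and `audit` are all constructed for this example.

```python
import re

# Constructed allowlist of approved (vendor ID, product ID) pairs.
APPROVED = {("1111", "0001")}

# Constructed sample in the format the Linux kernel logs when a USB device attaches.
SAMPLE_LOG = """\
[  101.200000] usb 1-2: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00
[  101.260000] hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Constructed Keyboard] on usb-0000:00:14.0-2/input0
[ 5210.400000] usb 1-3: New USB device found, idVendor=2222, idProduct=0002, bcdDevice= 1.00
[ 7433.900000] usb 1-4: New USB device found, idVendor=3333, idProduct=0003, bcdDevice= 1.00
[ 7433.960000] hid-generic 0003:3333:0003.0002: input,hidraw1: USB HID v1.11 Keyboard [Constructed Device] on usb-0000:00:14.0-4/input0
"""

FOUND = re.compile(
    r"\[\s*([\d.]+)\] usb (\S+): New USB device found, "
    r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
HID = re.compile(
    r"hid-generic [0-9A-F]{4}:([0-9A-F]{4}):([0-9A-F]{4})\.[0-9A-F]{4}: "
    r".*USB HID v[\d.]+ (\w+)")

def audit(log, approved=APPROVED):
    """Return unapproved USB attach events, oldest first, with a severity."""
    devices = {}  # (vid, pid) -> details of the most recent attach
    for line in log.splitlines():
        m = FOUND.search(line)
        if m:
            ts, port, vid, pid = m.groups()
            devices[(vid, pid)] = {"time": float(ts), "port": port,
                                   "vid": vid, "pid": pid, "hid": None}
            continue
        m = HID.search(line)
        if m:
            key = (m.group(1).lower(), m.group(2).lower())
            if key in devices:
                devices[key]["hid"] = m.group(3)  # e.g. "Keyboard"
    findings = []
    for key, dev in devices.items():
        if key in approved:
            continue
        # An unapproved device that enumerates as a keyboard can type commands.
        dev["severity"] = "high" if dev["hid"] == "Keyboard" else "review"
        findings.append(dev)
    return sorted(findings, key=lambda d: d["time"])

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["severity"], f["vid"] + ":" + f["pid"], "on port", f["port"])
```

A vendor/product ID can be set by whoever builds the device, so a check like this supports physical controls and port lockdown rather than replacing them.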
Some good resources:
https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120
https://www.dummies.com/programming/networking/network-security-physical-securit
https://www.techrepublic.com/blog/10-things/10-physical-security-measures-every-organization-should-take/
https://securityinabox.org/en/guide/physical/
