Beyond Data: Why CISOs Must Pay Attention To Physical Security

Information security professionals are missing the big picture if they think of vulnerabilities and threats only in terms of data protection, password hygiene and encryption.

Todd Thibodeaux, President & CEO, CompTIA

July 18, 2016

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Battered by a nearly constant onslaught of attacks and revelations of security breaches, IT businesses and departments have doubled down on securing their organizations’ data. Better password hygiene, data access restrictions and encryption are all fundamental to preventing a data breach. However, physical security is often overlooked.

As InfoSec defends their organizations from attackers whose motivations run the gamut from quick financial gain to disgruntled employees and customers, it’s imperative for IT departments to take a comprehensive approach to securing their organizations.

Overcoming “not my job” syndrome
IT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats. IT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.

Technology professionals needs to get back to basics. While it’s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer. Security must be considered at every step, even when no networked communication is taking place.

This means not only making sure the cabling, power supply and other infrastructure are in place, but also addressing unlocked server rooms, loosely managed inventory and environmental hazards. It can be easy for IT professionals to dismiss physical security as another department’s purview, but only IT has the expertise necessary to identify and assess these sources of risk.

Merging physical and data security
The IT implications of poor physical security practices can be dire – as aptly demonstrated by the late 2014 attack on Sony. In fact, a statement attributed to one of the attackers in various news reports went as far as to claim, “Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in.” Even barring the potential for internal sabotage, it can be extraordinarily difficult for organizations to re-secure their environment once a physical security breach occurs.

Thankfully, IT departments have a variety of tools at their disposal to address both physical and data security. Disk encryption, already widely used in the business world, can be extended to provide greater physical security through the use of a trusted platform module (TPM). Combined with trusted network configurations, IT departments can ensure that data is inaccessible to unauthorized parties, even if a workstation or server is physically compromised.

Additional measures, like keeping server room doors locked, creating and enforcing ID policies, or installing mantraps can dramatically reduce the consequences physical security threats pose. Other software-based approaches, like implementing a mobile device management (MDM) solution, enabling geolocation and disabling unnecessary physical ports on workstations can prevent many common attacks without creating an undue burden on end users. By taking simple steps to reduce physical security loopholes, IT professionals can narrow and better manage their vulnerabilities.

A holistic approach to security
Whether through phishing, impersonation, tailgating or more “traditional” network-based attacks, organizations and their data face a number of serious threats. IT professionals must take a more comprehensive view of their organization’s security landscape, accounting for all potential weaknesses, not just software vulnerabilities. It’s imperative to close off obvious avenues of attack by using security controls already in place – almost every organization has at least some policies around locking doors and verifying employee identities – but many businesses don’t see the importance of these procedures and enforcement tends to be lax.

Despite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access. Organizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder. By unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to rBegister.

Related Content:

 

About the Author

Todd Thibodeaux

President & CEO, CompTIA

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development and growth efforts for the association. Before joining CompTIA in July 2008, Mr. Thibodeaux spent more than 17 years with the Consumer Electronics Association, where he served in a wide range of roles culminating as its senior vice president of industry relations.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights