Physical security resources

Security doesn’t just mean making sure someone

Physical access controls

Worth a visit: The Mythbusters TV series explored a variety of physical security controls including fingerprint readers, intruder detectors that detect body heat and a safe-breaking technique involving water and a depth charge (!).

Worth a visit: Security Magazine focuses on physical security.

“Physical access control systems: are you protected by two screws and a plastic cover?”, a DefCon 15 (2007) presentation, concerned the vulnerability of many card access control system card readers to physical tampering.

Procedures are necessary to govern the authorization, issue, use, checking and return of visitor passes or badges, and to control visitors’ movements and activities whilst on-site. Cards that visually expire reduce card reuse, while holographic overlays devalue simple forgeries.

Have you heard about the sport of draining, also known as infiltration? If you manage physical security on a large or sensitive site with drains and sewers, look it up and check those grates and drain covers.

If a skilled adversary can gain physical access to a system, it’s probably game over as far as information security is concerned. Without appropriate controls in place, he/she can potentially install a hardware keyboard logger, reboot from a complete operating system on, say, a CD/DVD or USB memory device, steal the hard drive or other components, destroy the system ...

Londoners evidently like leaving their laptops behind in black cabs. [“Ere, you’ll never guess wot I found back there last week mate ...” I shudder to think what happens to laptops, PDAs and mobile phones that end up at lost luggage places.]

It is good security practice always to use a strong front gate, and to observe the requirements at airport-style metal detectors.

Fed with the right search term, Google will serve up a list of Internet-connected webcams all over the world, a few of which look like they are possibly being used to monitor building security. Presumably, those video streams are supposed to be confidential? More information at VNUnet.com, BoingBoing and The Register.

The fine art of picking (“manipulating”) combination locks on safes relies heavily on physical imperfections in the mechanical construction of the locks, coupled with the accumulated effects of wear. HowStuffWorks published a simpler article on lock picking. The circular locks commonly used on bicycle padlocks can reportedly be opened simply by mashing a conveniently-sized Bic pen barrel into the lock mechanism and turning it. The originator of the story seems entirely credible. Tubular locks evidently have other mechanical vulnerabilities too - some pickers recommend using a drill and/or grinder to defeat the mechanism.

Computers that are no longer required should not simply be thrown in the trash, especially if they contain sensitive information, and especially especially if you are a Dutch prosecutor.

Fire and flood risks

Valuable paper-based records archived in an Iron Mountain storage facility in East London were lost in a huge fire in 2006. The storage warehouse was apparently “full of paper”, such that the fire raged for more than a day. Naturally, Iron Mountain’s more sensible customers will have taken the precaution of copying their valuable archive materials and storing them separately in diverse, well-protected and secured storage facilities - won’t they? Iron Mountain’s press release takes an admirably responsible position: “Iron Mountain already invests heavily and emphasises security as a normal operating principle. Due to the unknown cause of the fire at this time, we are taking extra precautions to supplement our current high level of security: Increased security staff has been added to all London facilities; Conducting an out of cycle review of background checks on personnel; Auditing external agencies and internal security assessments; Re-issuing of vendor background checks; Re-implementation of security awareness of all internal employees; Performing an out-of-cycle inspection of all Iron Mountain vehicles.”

When it comes to computer room disasters, people naturally seem to think first about fires (apart, that is, from a certain senior manager of our past acquaintance who insisted there was no need for a fire system in the computer suite because “computers have no moving parts”!!), but in fact floods seem to happen more frequently ... and if this report from the Association of British Insurers is to be believed, climate change is increasing the threat of flooding for everyone in low-lying areas by the sea, on flood plains or situated near rivers and streams.

Fire risks in IT are not confined to the data center. Bonfires can be quite a handful.

Electrical power

Recommended resource: 8 cyber security standards have been mandated for the US electricity industry as part of the effort to protect the nation’s critical infrastructure.

The Guide to Business-Critical Power from BITS, the financial services roundtable, provides financial institutions with industry business practices for understanding, evaluating, and managing risks associated when the predicted reliability and availability of the electrical system is disrupted. Further, it outlines ways financial institutions can enhance reliability and ensure uninterrupted back-up power.

A power outage that took down a datacenter for an hour illustrates the unfortunate impact of rare but not impossible coincidences. Although the power was out, the datacenter had sensibly rented a standby generator to provide cover whilst installing a new genny. That should have been enough to keep the UPS topped up ... except for a coincident problem with water in the standby genny’s diesel fuel supply. Oops.

A massive US/Canada power outage in 2003 caused power cuts over a wide area. Some 60% of US companies had no formal contingency plans/procedures. Network worms or hackers were originally blamed but an industry task force found “no evidence that malicious actors are responsible for, or contributed to, the blackout”. A bug in GE Energy’s XA/21 system contributed to the problem. The task force warned that the grid’s reliance on the Internet does make it vulnerable to potentially devastating online attacks. Others argue, though, that the US electricity infrastructure has been extremely reliable with only a handful of widespread problems in two or three decades. Former White House advisor Richard Clarke reportedly said that Homeland Security leaders still “think of risks to our society in terms of things that explode and incidents that have body bags. In the 21st century, as the power blackout of August 14th proved, a great deal of damage to our economy and disruption to our way of life can be done without anything exploding or anybody being killed.”

A good article in the German Telepolis Magazin covers the main issues associated with electrical power in the context of blackouts in New York, London, Denmark and Italy, claiming that blackouts “bare the Achilles Heel of our ‘information society’.”

As weary workers made their way home from London one Thursday evening, a faulty substation led to 35-minute power cuts across South London. The BBC said: “It showed the vulnerability of London.” The incident was an effective contingency test for some London-based organizations who invoked their disaster recovery plans, and a useful learning experience for those with inadequate data backups, or with main and backup locations so close they both suffered power problems.

Air conditioning

Make sure to track the electrical power consumption of your data center equipment. High school physics tells us that practically all the power which enters through the electric cables leaves as waste heat, in other words total cooling demand closely tracks total input power. Consider also the need for passive heatsinks to stabilize the temperature through power cuts that knock out the high-amperage air conditioning supplies (if they are not on your UPS).

You may find advice from IBM, HP (more HP) and Sun useful if you need to specify air-con requirements for the computer room.

Zinc fingers, microscopic strands of zinc plating from the movement of raised floor tiles, can be blown around the data center by the air conditioning, causing short circuits and sporadic equipment failures. Web sources including NASA seem credible enough, even discounting warnings from cleaning companies and data center suppliers.

A glossary of air conditioning terms includes a rather curious entry for the “tonnage” unit of cooling, based on tonnes of ice perhaps? Tonnes of greenhouse gas released to keep the computer room cool?

Miscellaneous other physical security links

Added May 4: Read a declassified and partially redacted NSA account of TEMPEST for a glimpse into the paranoia that a professional interest in commsec engenders. Although not updated for a few years, The Complete, Unofficial TEMPEST Page still offers a wealth of information and anecdotes on TEMPEST incidents.

Added May 2: We often use photographs from past security audits (with the client’s permission and anonymously, of course) to illustrate awareness presentations on physical security. We’re not the only ones who collect such photos. Check these really bad wiring jobs and work through all four episodes for truly horrific health and safety, service resilience and support nightmares.

Linked March 2006: Bank customers using Automated Teller Machines (ATMs) are being compromised using “skimmers” - card reader devices and hidden cameras. It’s worth getting to know ATMs in your area. Take a good look at a range of machines. Look particularly at the shape of the card slots. If you go to use a machine and notice ‘something odd’ about the slot, do not feed your card in but either call the Police or go in to the nearest bank branch and report your suspicions to the branch manager. Do not take matters into your own hands: the gang is probably watching nearby and bank robbers, as a breed, are not exactly meek ...

If you are an IT or Facilities person tasked with building, renovating or updating the corporate datacenter, consider purchasing and reading Data center design and methodology (~$63 from Amazon). In this book from the Sun Blueprints series, author Rob Snevely dispenses sage advice on issues such as capacity sizing, site selection, environmental considerations, network infrastructures, building code and construction considerations, and hazard avoidance.

In his book Physical Security For IT (~$41 from Amazon), Michael Erbschloe advises on the protection of computing and telecommunications facilities against malicious damage by foes, activists, disgruntled staff, terrorists and vandals. [Although this is valid and worthwhile content, it’s a shame the book does not appear to cover the related and arguably more pressing needs to protect IT facilities against accidental damage such as fire/smoke and flood, overheating and power failure - other important aspects of physical IT security that are covered by ISO/IEC 27002.]

Industrial-sized shredders and disintegrators can cope with serious quantities of paper, computer media, hard drive units and even whole systems. If standard office shredders just don’t cut it for you, check out the brochures from companies such as ABT Shredders and Semshred. There’s even a trade association for companies providing information destruction services called NAID (National Association for Information Destruction Inc.). Worth a look: Watch an industrial-sized shredder unit in action here.

Well worth a look: A free software tool can help you delete data from hard disks prior to disposal, assuming the disks are still usable. Darik’s Boot and Nuke (DBAN) is a Linux-based bootable disk utility that handles SCSI and IDE drives. It offers a range of deletion options. The US military specifications (essentially 7 overwritings with random data, taking about 10 minutes per gigabyte) are generally accepted as being adequate to foil even determined and resourceful forensic analysis - whether this is sufficient for your specific needs depends on your paranoia level. If you can afford the time, additional rounds of overwriting may be beneficial but then if you are THAT concerned, physical destruction and incineration of the disk is probably a safer bet. [In which case you probably *own* the only forensic labs even remotely capable of regenerating the data.] The DBAN page helpfully lists a number of alternatives: WhiteCanyon WipeDrive, Paragon Disk Wiper, Acronis Drive Cleanser, LSoft Active@ KillDisk and CyberScrub CyberCide. [If you are truly paranoid enough to doubt your own forensic labs, you might like to run DBAN followed by each of these utilities set to maximum and finally invite the Vogon constructor fleet to call.]

TEMPEST is the name of a group of techniques used by the military to prevent the radiation of radio signals by electronic devices such as computers, monitors, telephones and modems. TEMPEST 101 has a useful description of TEMPEST and briefly outlines techniques used to intercept signals. 

SecurityInfoWatch is a portal focusing on physical security products.

The theft of a computer system made headlines in the UK when it was revealed to have contained an extremely sensitive database containing details of terrorist and organized crime suspects. “No evidence has been lost, as the company keeps back-ups.” ...

Studies have repeatedly shown that a fair proportion of computer disks for sale on auction sites still have valuable/sensitive data on them. A recent UK/US/Australian study using simple point-n-click forensic tools found that at least 41% of the drives had commercially sensitive information on them - using more thorough forensic tools, the proportion would undoubtedly have been even higher.

Here’s a primer and 2nd part on physical security in an IT context.

An unusual article concerns the theft of copper wires (and sometimes fiber optics!) due to a peak in the global price of copper. Thieves are literally risking their lives to steal power cables.

Mechanical diggers (backhoes) are evidently one of the most serious threats to comms networks, including otherwise well-designed resilient networks with redundant links.

It is evidently possible to determine what someone is typing on a keyboard purely by analysis of tiny differences in the sounds made by the keys. A research team used the standard letter distribution in English to reconstruct what had been typed by a typist using a computer keyboard, using just a 15-minute audio recording. [A creative application of a standard cryptanalysis technique.]

Physical security has an extra-special significance for airplane passengers, airlines and democratic governments, post 9/11. Click here for Frank Sinatra’s take on this.

If you have a policy on document retention and destruction, don’t forget to allow for legal holds on documents sent for destruction at the expiry of their retention periods, advises discovery and retention of paper and electronic files. Also, remember that necessary retention periods vary between document types.




NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd. and licensors