We often think of network security as bits and bytes, but a large part of technology security exists in the physical world. In this video, you’ll learn about hardware locks, tailgating, shoulder surfing, shredding, and more.
<< Previous Video: Client-side VirtualizationNext: Digital Security Techniques >>
When you think about physical security, you most always think about a door lock. Preventing somebody from getting to your physical computers is an important part of your physical security. And obviously, putting a traditional lock on the door will keep people from going into your data center or the area where you have all of that valuable computer equipment.
And you also want to think about things like a deadbolt. This can be a physical bolt. It could be something that is an electronic lock. You might even want to integrate a method that is keyless, so you simply press in a few numbers, and then you’re able to get into the room. You don’t have to worry about having any keys with you or having any additional cards. And if there’s a lot of people that need access to the room, that might be a very easy way to provide that.
Many people will have some type of token-based access. You will have a security card. You’ll have a magnetic swipe card. Sometimes it’s a proximity reader with an RFID tag, so that you only have to get close to the door and it will open for you automatically.
A lot of the higher-end security will deal with things like biometrics where you have to have part of you available to prove that it’s really, really you. And it might be some type of retina scan. It might be a fingerprint scan, or an outline of your hand, and then it knows that you must be physically there, therefore, we can open the door and let you in.
In larger environments, it’s not unusual to have this multi-factor access where you not only need to be available, you need to provide a password, so something you know. You have to provide maybe something you have like, for instance, an access card. And then maybe something that you are, like a biometric. All three of these things can be combined to finally give you that combination to get you into the room.
One of the challenges with putting in these physical systems with these door locks, and retina scans, and pin numbers, and access cards is they can be easily defeated through something called tailgating. You simply put in all of your credentials, you open the door and then somebody’s running up behind you perhaps holding some donuts or some food for lunch. And you’re trying to be a nice person. You hold the door open and you let them in. And, of course, now they’ve tailgated right through the door without having to put in any of those credentials.
In Johnny Long’s book No Tech Hacking, he describes one method that he used to tailgate in, and it was pretty elaborate. He got clothing that made him look like he was a third-party that was supposed to be in the building. In this case, one of the telco companies, the telecommunications companies. He was there, and he looked like he was supposed to be there.
He stopped by the smoking section outside and had a smoke. And as other people would come out, he’d start up a conversation with them. And then when it was time to go in, he would simply follow them in and tailgate in on their credentials. So much easier to bring the donuts, but you can see that going through this very involved process, and having a level of trust, would help you get right in the door.
This becomes a significant problem for organizations, because once you’re inside, of course, you can go anywhere you like. It’s a lot different when you have the ability to stop or someone right at the door and prevent them from getting into the organization. To be able to prevent this tailgating, you need to have policies in place that can help restrict the access of people through the doors. One is to simply have the policy and educate people and let them know that even if they’re holding the donuts, even if they have your lunch, you have to first close the door and have them access using their credentials.
You can, of course, have this policy and make sure that people are restricting access one user at a time. You can also put in physical restrictions that require that it’s one person at a time. These are called things like mantraps. Some people will call them airlocks. You have to put in your credentials, it gains you access, the wheel turns and allows you in the other side. And the next person has to provide their credentials as well.
It’s very common to see these mantraps in very large organizations, especially ones that have financial or health care information, because that data is so sensitive. And, of course, your users have to be encouraged to ask people, if you’re not wearing a visitor badge, why are you here? Where is your visitor badge? And then you can get the right people involved to make sure that everybody on the inside of your building is really supposed to be there.
Another physical security challenge is what you do with your waste. There’s a lot of very important information on the printouts and the papers that come from your organization. And it’s not unusual for the bad guys to do what we call in the states dumpster diving. That’s the name of the dumpster.
In other parts of the world, you may hear this referred to as a rubbish skip. This is something that people are looking through there because there’s important information hidden in those bags. There’s information that might have been shredded that they can put back together. Or sometimes, it’s not even shredded. They’re able to gather that really important and sometimes sensitive information right from your garbage can.
And of course, this information could be used to perform attacks against your organization. Maybe it’s something relatively innocuous like a list of all of the people who work there and their phone numbers. A simple address book of your employees can be very, very useful, because now you can begin social engineering. You have a familiarity with people’s names, their departments, and their phone numbers. You can access them directly.
The timing of finding this information is very important. You don’t want to show up after the garbage truck is already left you want to go just before they get there. So the bad guys are going to be poking around. It’s not unusual for very large organizations to protect their garbage just as much as they’re protecting the assets on the inside of their building. And that’s why you’ll see these garbage areas have fences around them. They’ll be locks. They don’t want you have access to that garbage.
Of course, it will be picked up, eventually, and taken away, so you have to think about how you’ll protect the data once it leaves your building. And the best idea is to shred this information into tiny little pieces. It makes it exceptionally difficult for anybody to piece back together what happened to be on those pages. If you’re a government entity, or you’re just not comfortable with shredding, some of those highly sensitive environments will burn this to make sure that nobody has access to this data.
So think about what you were putting in the garbage. Think about what’s going out with the trash. And see if there’s information in there that you should be protecting a little bit better by either shredding it or burning it and making sure that you are physically securing all of that information.
It’s nice to have a username and password, but also a piece of information that physically is associated with you is also useful. Something like a smart card where this particular card is associated with you. When you put in your username and your password, and slide the smart card into your laptop you can authenticate to the resources on your network.
Or maybe the information that you need is in a USB key. That way you don’t need a specialized card. The special certificate that you need is part of this USB key, so you slide that into your USB slot when you’re trying to gain access to those resources. Another common method or the pseudo-random codes that can be created on these USB tokens, the software tokens, or physical token itself.
I have this PayPal token that I use when I login into Paypal. I provide my username, I provide my password, and then it always asks me for the special number that comes up on the key, and this number is changing all the time. That way PayPal can guess that it is the right username, it is the right password, and he has the key with him, therefore, that must be him.
If somebody was to get my username and password, they still would not be able to log into PayPal. They would have to have that token generation with them. And, of course, these days maybe it’s not a physical device. We’re all carrying around our mobile devices.
So you can have these third-party systems SMS you a special code, and that’s what you put in when you authenticate with your username and password. Since we always seem to have our phones with us these days, that’s a very simple way to still have multi-factor authentication, but not have to carry around a separate physical device.
When you’re out in public, one of your security challenges is making sure that nobody can see what you’re working on on your laptop screen, especially if that information is very sensitive. If somebody’s sitting behind you, they can easily see these screens. Our laptop screens are very big, they’re very bright. And they’re very, very easy to see in a coffee shop or on an airplane.
One common way to prevent this type of shoulder surfing is to use one of these types of filters. They work amazingly well. I can be sitting next to someone on a plane, and if they have one of these privacy filters, the screen looks completely black to me. But if I was right in front of the laptop, it’s perfectly clear. And I’m sitting right next to the person. It’s remarkable how well these work, and it’s a great way to prevent somebody from seeing what you’re working on, especially in those tight quarters.
You want to also think about keeping your monitor out of sight. If you’re in a place, even in your building, where people are walking by, and you’re working on sensitive information, maybe the monitor should be turned a different direction. Maybe you should make sure that it’s not somewhere where people can see it when they walk by your office.
And if you’re wondering if this is a significant problem, I can tell you that I fly quite a bit, and I see what’s on people’s laptops all the time. This is something I’m doing, of course, for science, so I can tell you about it, but I can’t help myself. It’s right in front of me. I can see everything going on, and I can tell you that sometimes it’s something relatively innocuous.
Maybe someone is reading a legal pleading, or maybe it’s something dealing with a spreadsheet with sales numbers on it. These sales numbers certainly are sensitive, and I probably shouldn’t be able to read those. But it’s right in front of me on the plane, available for whoever is around that person to be able to read. Those physical security challenges are things you have to think about whether you are in your office or you’re travelling somewhere in public.