Physical information security
Physical information security is the intersection, the common ground between physical security and information security. It primarily concerns the protection of tangible information-related assets such as computer systems and storage media against physical, real-world threats such as unauthorized physical access, theft, fire and flood. It typically involves physical controls such as protective barriers and locks, uninterruptible power supplies, and shredders. Information security controls in the physical domain complement those in the logical domain (such as encryption), and procedural or administrative controls (such as information security awareness and compliance with policies and laws).
Background
Asset are inherently valuable and yet vulnerable to a wide variety of threats, both malicious (e.g. theft, arson) and accidental/natural (e.g. lost property, bush fire). If threats materialize and exploit those vulnerabilities causing incidents, there are likely to be adverse impacts on the organizations or individuals who legitimately own and utilize the assets, varying from trivial to devastating in effect. Security controls are intended to reduce the probability or frequency of occurrence and/or the severity of the impacts arising from incidents, thus protecting the value of the assets.
Physical security involves the use of controls such as smoke detectors, fire alarms and extinguishers, along with related laws, regulations, policies and procedures concerning their use. Barriers such as fences, walls and doors are obvious physical security controls, designed to deter or prevent unauthorized physical access to a controlled area, such as a home or office. The moats and battlements of Mediaeval castles are classic examples of physical access controls, as are bank vaults and safes.
Information security controls protect the value of information assets, particularly the information itself (i.e. the intangible information content, data, intellectual property, knowledge etc.) but also computer and telecommunications equipment, storage media (including papers and digital media), cables and other tangible information-related assets (such as computer power supplies). The corporate mantra "Our people are our greatest assets" is literally true in the sense that so-called knowledge workers qualify as extremely valuable, perhaps irreplaceable information assets. Health and safety measures and even medical practice could therefore also be classed as physical information security controls since they protect humans against injuries, diseases and death. This perspective exemplifies the ubiquity and value of information. Modern human society is heavily reliant on information, and information has importance and value at a deeper, more fundamental level. In principle, the subcellular biochemical mechanisms that maintain the accuracy of DNA replication could even be classed as vital information security controls, given that genes are 'the information of life'.
Malicious actors who may benefit from physical access to information assets include computer crackers, corporate spies, and fraudsters. The value of information assets is self-evident in the case of, say, stolen laptops or servers that can be sold-on for cash, but the information content is often far more valuable, for example encryption keys or passwords (used to gain access to further systems and information), trade secrets and other intellectual property (inherently valuable or valuable because of the commercial advantages they confer), and credit card numbers (used to commit identity fraud and further theft). Furthermore, the loss, theft or damage of computer systems, plus power interruptions, mechanical/electronic failures and other physical incidents prevent them being used, typically causing disruption and consequential costs or losses. Unauthorized disclosure of confidential information, and even the coercive threat of such disclosure, can be damaging as we saw in the Sony Pictures Entertainment hack at the end of 2014 and in numerous privacy breach incidents. Even in the absence of evidence that disclosed personal information has actually been exploited, the very fact that it is no longer secured and under the control of its rightful owners is itself a potentially harmful privacy impact. Substantial fines, adverse publicity/reputational damage and other noncompliance penalties and impacts that flow from serious privacy breaches are best avoided, regardless of cause!
Examples of physical attacks to obtain information
There are several ways to obtain information through physical attacks or exploitations. A few examples are described below.
Dumpster diving
Dumpster diving is the practice of searching through trash in the hope of obtaining something valuable such as information carelessly discarded on paper, computer disks or other hardware.
Overt access
Sometimes attackers will simply go into a building and take the information they need. [1] Frequently when using this strategy, an attacker will masquerade as someone who belongs in the situation. They may pose as a copy room employee, remove a document from someone's desk, copy the document, replace the original, and leave with the copied document. Individuals pretending to building maintenance may gain access to otherwise restricted spaces. [2] [3] They might walk right out of the building with a trash bag containing sensitive documents, carrying portable devices or storage media that were left out on desks, or perhaps just having memorized a password on a sticky note stuck to someone's computer screen or called out to a colleague across an open office.
Examples of Physical Information Security Controls
Literally shredding paper documents prior to their disposal is a commonplace physical information security control, intended to prevent the information content - if not the media - from falling into the wrong hands. Digital data can also be shredded in a figurative sense, either by being strongly encrypted or by being repeatedly overwritten until there is no realistic probability of the information ever being retrieved, even using sophisticated forensic analysis: this too constitutes a physical information security control since the purged computer storage media can be freely discarded or sold without compromising the original information content. The two techniques may be combined in high-security situations, where digital shredding of the data content is followed by physical shredding and incineration to destroy the storage media.
Many organizations restrict physical access to controlled areas such as their offices by requiring that people present valid identification cards, proximity passes or physical keys. Provided the access tokens or devices are themselves strictly controlled and secure (making it hard for unauthorized people to obtain or fabricate and use them), and the associated electronic or mechanical locks, doors, walls, barriers etc. are sufficiently strong and complete, unauthorized physical entry to the controlled areas is prevented, protecting the information and other assets within. Likewise, office workers are generally encouraged or required to obey "clear desk" policies, protecting documents and other storage media (including portable IT devices) by tidying them away out of sight, perhaps in locked drawers, filing cabinets, safes or vaults according to the risks. Requiring workers to memorize their passwords rather than writing them down in a place that might be observed by an onlooker (maybe a colleague, visitor or intruder) is an example of risk avoidance.
Computers plainly need electrical power, hence they are vulnerable to issues such as power cuts, accidental disconnection, flat batteries, brown-outs, surges, spikes, electrical interference and electronic failures. Physical information security controls to address the associated risks include: fuses, no-break battery-backed power supplies, electrical generators, redundant power sources and cabling, "Do not remove" warning signs on plugs, surge protectors, power quality monitoring, spare batteries, professional design and installation of power circuits plus regular inspections/tests and preventive maintenance. It is ironic that so-called uninterruptible power supplies often lead to power interruptions if they are inadequately specified, designed, manufactured, used, managed or maintained - an illustration of the failure of a critical (physical) control.
See also
References
- Granger, Sarah (2001-12-18). "Social Engineering Fundamentals, Part I: Hacker Tactics". Security Focus. Retrieved 2006-08-27.
- "Four Men Arrested for Entering Government Property Under False Pretenses for the Purpose of Committing a Felony". U.S. Department of Justice (Press release). The FBI - New Orleans Division. January 26, 2010. Retrieved October 3, 2010.
- "Four Men Plead Guilty to Entering Federal Property Under False Pretenses Entered Senator Mary Landrieu's Office to Secretly Record Office Staff Conversations". Department of Justice Press Release. The FBI - New Orleans Division. May 26, 2010. Archived from the original on May 31, 2010. Retrieved October 3, 2010.