I have a number of rules I use in a professional and sometimes personal capacity. This is number 1:
Always assume the worst about everything. You’ll rarely be disappointed.
When you apply it in a security context, it means that, given a choice, users will always choose the stupid option. Take passwords: if you don’t mandate a certain password quality, they’ll choose crap passwords (no, Pa55w0rd does not count as a good one!). If you make the password rules too difficult, well…
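As an added illustration, not from the original post, of why Pa55w0rd should not count: the naive "8 characters, upper, lower, digit" rule waves it through, so a useful check also undoes the common leet-speak substitutions and rejects anything that normalizes to a dictionary word. The word list and substitution table below are small constructed stand-ins for a real wordlist (cracklib or a breached-password list).

```python
import re
from typing import Tuple

# Constructed stand-in for a real wordlist; a production check loads a proper one.
DICTIONARY = {"password", "welcome", "letmein", "summer", "qwerty"}

# Substitutions users reach for to satisfy a "must contain a digit/symbol" rule.
LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def naive_complexity_ok(pw: str) -> bool:
    """The rule most policies stop at: at least 8 chars with upper, lower and digit."""
    return bool(
        len(pw) >= 8
        and re.search(r"[A-Z]", pw)
        and re.search(r"[a-z]", pw)
        and re.search(r"[0-9]", pw)
    )


def normalize(pw: str) -> str:
    """Reduce a password to the word the user probably started from.

    Strip digits/symbols tacked on at either end ("Summer2023!"), undo leet
    substitutions ("Pa55w0rd" -> "Password"), lower-case, then strip again.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    core = core.translate(LEET).lower()
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects dictionary words even in leet disguise."""
    if not naive_complexity_ok(pw):
        return False, "fails length/character-class rule"
    word = normalize(pw)
    if word in DICTIONARY:
        return False, f"normalizes to dictionary word '{word}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Pa55w0rd", "Summer2023!", "Tr0ub4dor&3", "short1A"):
        print(candidate, check_password(candidate))
```

Pa55w0rd and Summer2023! both satisfy the naive rule and both fall to the normalization step; the design point is that the complexity rule on its own only tells you what shape the weak password will take.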
With a little patience and technical expertise though, it is possible to secure your systems effectively. Password policies, anti-malware, effective network design and user awareness can make for a nice secure system. Which will remain secure even as the guy you invited into your office wanders down the street with it. Right now, you’re probably thinking “Huh? You what? Why would I let some random stranger walk off with my computers?” That’s because physical security is often the poorer cousin to information security. If you look the part and say the right things, you can walk into just about any environment and get up to all sorts of mischief. That’s where this sort of guy comes in.
What happens when you neglect physical security
This is a presentation given by Jayson E. Street at DEFCON 19 a few years back. Jayson is a physical penetration tester: he’s paid to get into buildings and attempt to steal data, a job which is apparently much easier than you’d think. From it, he picks out a number of conclusions which, while they appear to be common sense, very few people observe (rule 1).
What conclusions should you draw from this video? Well, physical security isn’t hard. In fact, it’s fairly easy to get a good level of physical security. I would suggest that these are the things to consider:
- Locks: Use them to restrict access to your environment and to protect your equipment. Use locks that are secure and appropriate for the environment. If they are electronic locks, change the code on a regular basis and revoke access cards that are no longer needed. If it’s a key lock on your front door, you may have to periodically re-key it. Deal with it. Oh, and if you really must use mechanical code locks… change the code before it can be guessed from the wear pattern on the buttons!
- People: Ask questions of yourself and of the other person (this includes your security staff). Who are you? Why are you here? Should you be here? If so, what proves you should be here? Can I see the proof? This is suspicious; who should I talk to? Also, don’t be afraid to be a horrible person in the name of good physical security. Don’t hold a security door open for a person in a wheelchair; make them scan through like everybody else. Oh, and a uniform with a logo on it does not imply authority to be somewhere or to do something.
- Awareness: Users need to be aware of security, and security has to be pitched at the right level. Make the requirements too lax and users won’t bother; make them too hard and they’ll subvert them. Remember, always assume the worst. Pitch security at the right level, then use people’s motivators to drive the correct behaviours. If all else fails, make sure you hold the big stick and punish bad security behaviour.
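The “revoke cards that are no longer needed” and “change the code on a regular basis” points above are the kind of thing that only happens if somebody checks. Below is an added example, not from the original post, of the check a practitioner would script: reconcile the badge list exported from the door controller against the HR roster, flag cards whose owner has left, cards never used, cards idle past a threshold, and shared-code doors overdue for rotation. The roster, badge records, lock records and the 90-day thresholds are all constructed for the demo.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed sample data; not taken from any real access-control system.
ROSTER = {"asmith", "bjones", "cwong"}  # current staff, as HR knows them

BADGES: List[Dict] = [
    {"card": "0001", "owner": "asmith", "last_used": date(2023, 6, 28)},
    {"card": "0002", "owner": "bjones", "last_used": date(2023, 2, 1)},   # not used for months
    {"card": "0003", "owner": "dlee",   "last_used": date(2023, 6, 27)},  # owner left, card still live
    {"card": "0004", "owner": "cwong",  "last_used": None},               # issued, never used
    {"card": "0005", "owner": "temp-contractor", "last_used": date(2023, 5, 30)},
]

CODE_LOCKS: List[Dict] = [
    {"door": "server-room",    "code_changed": date(2023, 1, 10)},
    {"door": "comms-cupboard", "code_changed": date(2023, 6, 1)},
]

TODAY = date(2023, 6, 30)  # fixed "now" so the run is reproducible


def badge_findings(badges, roster, today, max_idle_days=90) -> List[Tuple[str, str]]:
    """Cards to revoke or confirm: owner gone, never used, or idle past the threshold."""
    idle_cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for b in badges:
        if b["owner"] not in roster:
            # The leaver case: HR knows they are gone, the door controller does not.
            findings.append((b["card"], "owner not on current roster: revoke"))
        elif b["last_used"] is None:
            findings.append((b["card"], "never used: confirm it is still needed"))
        elif b["last_used"] < idle_cutoff:
            findings.append((b["card"], f"idle for more than {max_idle_days} days: revoke"))
    return findings


def overdue_code_locks(locks, today, rotation_days=90) -> List[str]:
    """Shared-code doors whose code has not been changed within the rotation window."""
    cutoff = today - timedelta(days=rotation_days)
    return [lock["door"] for lock in locks if lock["code_changed"] < cutoff]


if __name__ == "__main__":
    for card, why in badge_findings(BADGES, ROSTER, TODAY):
        print(f"card {card}: {why}")
    for door in overdue_code_locks(CODE_LOCKS, TODAY):
        print(f"{door}: code rotation overdue")
```

The roster comparison is the important half: card 0003 was swiped three days ago and looks perfectly healthy to the door controller, and only the join against HR reveals it belongs to somebody who has left. Run this on a schedule and treat an empty findings list, rather than a good feeling, as the evidence that the lock policy is actually being followed.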