Physical Security of Data Systems

So far in this course, you have learned about different ways to protect software and data from remote attackers. But what about the hardware that this information is stored on? In this step, we will look at how to physically protect our data systems.

Intruders

You may have developed a highly sophisticated network that can defend against attackers hacking your system, but if an intruder can easily walk onto your premises and access a computer, then your security may be redundant. Ensuring the physical security of your network may require a different set of solutions to securing your network, but many of the same principles apply.

Access to the Premises

You need a method of granting and denying access to your premises that is effective and proportionate. Many systems use key cards, which are pieces of plastic programmed to unlock digitally secured locks, for instance, on doors. This technology can be highly specialised. For example, different members of the same organisation may have different access authorisations, so their key cards can be programmed to reflect their individual access authorisations.

Key cards are not perfect. They can be lost or stolen quite easily, and could therefore be used by the wrong person. This can be mitigated by requiring a key code to be used as well as the card (this is a form of two-factor authentication) or by turning key cards into photo ID cards. Security staff can then inspect card users to make sure that they are the legitimate owners.

As with device security, an alternative to key cards (or passwords) is biometrics systems. Retinal, fingerprint, and facial scanners, and voice recognition software authenticate users by verifying biological features. It is harder to lose or steal this biometric data, but biometrics systems are not infallible and can be tricked.

A further issue with door access is tailgaiting. Tailgaiting is when someone who does not have access permissions follows someone who does through a door or gate. Many organisations have policies to prevent tailgaiting, but these can be difficult to enforce. For instance, organisations could require employees to unlock doors to enter or leave a room or building. If, for example, only employees who have used their key card to open a door into a room are able to open the door to leave, then employees are incentivised to unlock doors themselves, instead of following their co-workers. This makes tailgaiting by attackers easier to identify.

Access to the Network

Even when organisations have secured their premises against unauthorised access, they still need to protect their computers and other devices with passwords and/or the other forms of security discussed in Week 1. Passwords are only useful if the devices they protect are kept locked, so organisations may put a policy in place to deter employees from leaving their computer unlocked and unattended.

Attackers might not need to access an employee’s account to carry out an attack. If they have access to a device, they may be able to infect the network with malware through a USB flash drive. That is why some organisations disable the USB ports on their computers. In addition, if the objective is to destroy data rather than steal it, getting access to and corrupting a server might be enough to take a service offline or permanently delete important files. Therefore, it is important to keep backups in a separate location.

Questions

• Where necessary, many organisations allow visitors temporary access to a system. How might an organisation give visitors access to the system without granting them the same privileges as employees?
• Are you aware of the security policies concerning access to your school premises? How well do you think they are enforced?
• Are external threats the only threats an organisation needs to be wary of?