Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Mobile Security, Critical Infrastructure Issues Drive Physical, Logical Security Together

At opening of (ISC)2 World Congress and ASIS International, the walls between traditional security and cybersecurity come down

PHILADELPHIA, PENN. -- (ISC)2 World Congress 2012 and ASIS International 2012 -- In most organizations, those who guard the fences and those who guard computer networks still work in separate departments. But at the co-resident annual meetings of the world's biggest physical security professionals' association and the world's biggest cybersecurity professionals' association, there is more interaction between the two groups than ever before.

Here at the co-resident (ISC)2 World Congress and ASIS International meetings, nearly 20,000 physical and logical security pros will attend sessions and exhibits together. Their interests aren't always the same, but issues such as mobile security and protecting critical infrastructure are increasing the overlap, leaders say.

"Protecting critical infrastructure is probably right on top of the stack of issues that are driving the physical and logical sides together," says Hord Tipton, executive director of (ISC)2, an association of more than 80,000 IT security professionals. "For years, critical infrastructure has been about protecting the physical plant, but with Stuxnet and other attacks, there is a lot more concern about the cyber side."

Eduard Emde, president of ASIS International, agrees. "Stuxnet, attacks on nuclear facilities, on the smart grid and smart meters mean that both physical and logical defenses have to work together. Incident response is a key for both groups."

The merger of physical and logical security organizations -- sometimes called "convergence" -- has been predicted for years. But according to an InformationWeek Reports study on convergence, only about half of organizations have any plans to merge the two departments.

"I think for many enterprises, convergence is more of a philosophical shift than an organizational one," says Emde. "Rather than combining the two functions into one department, they are seeing themselves as two parts of a common strategy to protect both infrastructure and data."

Tipton concurs. "They may not be in the same organization, but the physical and logical sides are communicating now more than they ever have."

The growing use of mobile devices is making the integration easier, experts say. Companies can now use mobile devices as a physical means of authentication, or even to geo-locate users as they move in and out of corporate facilities. At the same time, the move toward bring-your-own-device (BYOD), which allows users to bring physical storage devices onsite that can also act as cameras or recorders, affects both physical and cybersecurity.

"I'm not sure people understand how powerful some of these BYOD devices are," Tipton says. "They introduce all sorts of new risk on both sides."

The co-resident conferences will also deal with a number of other issues that demonstrate the overlap between physical and logical security. Physical video surveillance systems are increasingly being driven by IP-based cybersecurity systems. IT systems are increasingly being accessed via physical biometrics, such as fingerprints or keystroke identification. And both organizations are being called upon to provide a common view of overall enterprise security posture.

"If you're entering the security profession today -- or even if you're in management -- there's a need to have an understanding of both the physical and logical threats and issues," Emde says.

But while 18% of enterprises have integrated the physical and logical functions in the last five years -- and 26% have had those functions integrated for more than six years -- 50% of enterprises have not integrated the two sides and have no plans to do so, according to the InformationWeek Reports study.

"I think there will continue to be specialization," Tipton says. "What's important is that there's more communication going on between the two sides, and we expect to see that happening even more this week."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-23
Upwork Time Tracker doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
PUBLISHED: 2019-07-23
GNUBOARD5 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board title contents" parameter, aka the adm/board_form_update.php bo_subject parameter.
PUBLISHED: 2019-07-23
Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function Jsi_ValueArrayIndex (jsiValue.c:366). The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3.
PUBLISHED: 2019-07-23
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thre...
PUBLISHED: 2019-07-23
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supp...