Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/18/2016
08:15 AM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Beyond Data: Why CISOs Must Pay Attention To Physical Security

Information security professionals are missing the big picture if they think of vulnerabilities and threats only in terms of data protection, password hygiene and encryption.

Battered by a nearly constant onslaught of attacks and revelations of security breaches, IT businesses and departments have doubled down on securing their organizations’ data. Better password hygiene, data access restrictions and encryption are all fundamental to preventing a data breach. However, physical security is often overlooked.

As InfoSec defends their organizations from attackers whose motivations run the gamut from quick financial gain to disgruntled employees and customers, it’s imperative for IT departments to take a comprehensive approach to securing their organizations.

Overcoming “not my job” syndrome
IT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats. IT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.

Technology professionals needs to get back to basics. While it’s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer. Security must be considered at every step, even when no networked communication is taking place.

This means not only making sure the cabling, power supply and other infrastructure are in place, but also addressing unlocked server rooms, loosely managed inventory and environmental hazards. It can be easy for IT professionals to dismiss physical security as another department’s purview, but only IT has the expertise necessary to identify and assess these sources of risk.

Merging physical and data security
The IT implications of poor physical security practices can be dire – as aptly demonstrated by the late 2014 attack on Sony. In fact, a statement attributed to one of the attackers in various news reports went as far as to claim, “Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in.” Even barring the potential for internal sabotage, it can be extraordinarily difficult for organizations to re-secure their environment once a physical security breach occurs.

Thankfully, IT departments have a variety of tools at their disposal to address both physical and data security. Disk encryption, already widely used in the business world, can be extended to provide greater physical security through the use of a trusted platform module (TPM). Combined with trusted network configurations, IT departments can ensure that data is inaccessible to unauthorized parties, even if a workstation or server is physically compromised.

Additional measures, like keeping server room doors locked, creating and enforcing ID policies, or installing mantraps can dramatically reduce the consequences physical security threats pose. Other software-based approaches, like implementing a mobile device management (MDM) solution, enabling geolocation and disabling unnecessary physical ports on workstations can prevent many common attacks without creating an undue burden on end users. By taking simple steps to reduce physical security loopholes, IT professionals can narrow and better manage their vulnerabilities.

A holistic approach to security
Whether through phishing, impersonation, tailgating or more “traditional” network-based attacks, organizations and their data face a number of serious threats. IT professionals must take a more comprehensive view of their organization’s security landscape, accounting for all potential weaknesses, not just software vulnerabilities. It’s imperative to close off obvious avenues of attack by using security controls already in place – almost every organization has at least some policies around locking doors and verifying employee identities – but many businesses don’t see the importance of these procedures and enforcement tends to be lax.

Despite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access. Organizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder. By unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to rBegister.

Related Content:

 

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Gary Scott
50%
50%
Gary Scott,
User Rank: Strategist
7/20/2016 | 7:19:02 PM
Physical Security and Decommissioning
CISOs should review their refresh and decommissioning processes for physical security threats.  We often see unsecured servers, storage units and loose hard drives when starting hard drive destruction projects.  

The equipment usually is found in the company's warehouse facilities attended by warehouse personnel (which probably dont have authorized access to the information).     

E-Waste Security provides onsite hard drive shredding services.

 
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18885
PUBLISHED: 2019-11-14
fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15.
CVE-2019-18895
PUBLISHED: 2019-11-14
Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to privilege escalation via a Trojan horse executable file.
CVE-2019-18957
PUBLISHED: 2019-11-14
Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has reflected XSS.
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.