Every day there is a new headline about a large company suffering a data breach, exposing their customers to the worst that the cybercriminal world has to offer. These headlines focus upon the traditional hacker getting in via a poisoned email or an unsecured public-facing database, allowing the bad guys to conduct their “business” remotely from safe havens where they know they will not be prosecuted. However, the old-school physical breaches are still very much in play, and are frequently just not considered.
TL;DR keep physical access in mind! Physical security has implications far beyond just “someone took all our expensive stuff”.
Hearkening back to the days of Watergate brings images of burglaries, stolen papers, movies with Dustin Hoffman and sneaky guys in cool sneaky-suits. This hasn’t gone away. Eavesdropping bugs, Wifi hijacking and just plain stealing computers containing juicy proprietary info are still very much a thing. As a company goes through various security certifications, the focus tends to be on the Internet/networking aspect of the threat, but the physical aspects are often overlooked. With that in mind, I’d like to share a few things to think about, or better yet, turn into policy.
For your servers, desktops and laptops:
- Use full-disk encryption like BitLocker or FileVault, and enforce that it stays on. When the ninjas break in, they get hardware but not information.
- Enforce a policy that locks the computer (via its screensaver etc.) if there is no activity for a short while – 5 to 15 minutes or so. If a bad guy, particularly one that’s targeting your info, gets their hands on an unlocked laptop, all they need to do is keep it open and active until they get it somewhere; then, using your active logins as you, they take all your data and wreak havoc on your public image.
- Please in the name of all that is proprietary, disallow the use of USB thumb drives! You know how many of those you have lost, and you’re a security pro. How many contracts, patent applications, customer lists, trade secrets and info covered by HIPAA and other PII regulations were on those?
- Follow-up to the above: tell your coworkers never to get curious about what’s on that thumb drive they found in the parking lot. That’s a very reliable way for a bad guy to infect your computer with something nasty: just drop a few malware-infected thumb drives in the parking lot of the company you want to penetrate, wait a day, then reap the rewards.
- Remind your employees to keep their laptops locked up and not lying on a car seat in plain view next to the broken car window glass that will be there in a moment, to not share their work computers with friends/family, and not muck with corporate antivirus, endpoint protection, software update management and email security software (you do have antivirus, endpoint protection, software update management and email security services, right?).
- Get a managed alarm system from a reputable major provider. Ask them the hard questions – most modern alarm systems have microphones and cameras for communicating with people at the door… who at the alarm company has access to that? Who can listen in? Do they sell/give away that info and access?
- Get a good door lock; one that can’t be bypassed easily by a “slim jim” or similar device of the kind so widespread in YouTube videos. Similarly, make sure your doors and windows are snug-fitting and can’t have those bypass devices slid in. Also, when you move into your office or otherwise rekey your doors, always ask your locksmith whether they use “security pins” in the locks (you want these). These are tumblers designed to be harder to pick, especially with all the no-skill-required picking devices that are so easy to buy. Check out “The Lockpicking Lawyer” on YouTube to see how that works.
- Cameras aimed at your employees’ desks or in the break room are creepy; don’t freakin' do it. But cameras aimed right at the entry doors that record to the cloud are A-OK, and can be hooked into your alarm/access system so you can let deliveries etc. happen, or buzz in badge-forgetting employees, when you’re away from the office. Handy!
- Don’t leave office doors propped open if there’s nobody there. That’s just begging for trouble.
- Do a periodic inventory of badges, keys and alarm codes. Do you have lost badges that need to be deactivated? Has the foliage-care service you hired to water your plants because you keep forgetting and now your ficus benjamina is dead you plant-killing monster had personnel changes since you gave them an alarm code? Are your physical keys accounted for?
- Get a safe for your office to keep expensive and sensitive items in: spare laptops, extremely proprietary documents, that one USB key with your code-signing certificate passphrase, etc. Hint: document safes are super-expensive. Consider a small fire-rated gun safe instead. You’ll save a couple thousand. Just make sure it's heavy enough that it can't simply be picked up and hauled away by a knuckle-dragger or two (a few half-inch iron plates or bolting it to the floor will do the job nicely).
- Make a periodic check on the underside of keyboards and the backs of monitors. That’s where you’ll find the post-it notes with passwords written on them. Even at trade shows and conferences. About info security products. From info security vendors that should know better. Totally unrelated, honest: I have a collection of post-it notes.
- IS IT SAFE? IS IT SECRET? Proprietary info like customer names, pending deals, etc. doesn’t belong on whiteboards, especially ones visible through an external window. Erase ‘em after you’ve snapped a photo with your smartphone.
- Clean out the fridge every Friday. It’s gross.
- Don’t include your company name in your Wifi SSID names. Make the bad guys work a bit to figure out which SSIDs are yours.
- If you can afford it, consider network switches that won't allow an unrecognized device that's physically plugged into an Ethernet port in the conference room into which you bring job candidates and other folks from outside your company (basically, MAC address whitelisting or other similar controls). Alternatively, have a separate network for such conference rooms that outsiders will have access to that only gives outgoing Internet access... basically, a physical equivalent of a guest wifi network.
- Keep hardware like your printers, wireless cameras, "smart" TVs etc. on a separate wireless network that cannot initiate connections into your core networks. Such hardware is notorious for terrible network security, never gets its firmware patched, and becomes a gateway into whatever network it’s on. Did you know many big-screen TVs have microphones for voice control that can be surreptitiously turned on to listen in on you, and some manufacturers have been caught doing exactly that to secretly build advertising profiles? Yep. Don’t enable networking on devices that don’t need it, or if they need local access, manually configure them to not have a default route/gateway so they can’t hit the Internet (hint: if you use DHCP for that you're probably giving them an outgoing Internet gateway as part of the lease). For wireless presentation to a big TV, or for sharing your favorite cat videos with everyone in the conference room, skip the built-in crap and consider a well-supported device from a security-conscious manufacturer, like an Apple TV.
- Strongly consider not using wireless keyboards, mice, etc. They’re constantly transmitting keystrokes like passwords, which any doofus with a directional antenna can record from hundreds of yards away (I’m a ham radio operator doofus, I’ve done exactly this as an experiment). Sure, the encryption may be fine today, but if it’s cracked tomorrow then those recordings can be retroactively opened up, depending upon the nature of the break in the cryptography. And there are older wireless keyboards that have already been thoroughly cracked. Bonus: did you know that some keyboards and mice, both wired and wireless, now feature built-in flash drives that make moving data super-easy and super-stealthy? Do you really want those in your company network?
- Every so often have a walkabout your office and look at what’s physically plugged into your network ports and switches. Do you recognize everything? Has someone plugged in a mysterious black box? Has someone been shopping at Hak5? (I mean... I have, and are you sure I'm not one office over from you?)
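The conference-room port control and the walkabout above are both easier to keep up with when the inventory is written down and checked by a script. What follows is an added example and not code from the original article: it parses a constructed switch MAC-address-table dump, normalizes the various MAC spellings switches print, and compares each port's occupant against a constructed inventory, flagging devices that are not on record, inventoried devices that have moved ports, and anything on a guest-facing port that is not on that room's allowlist. The table layout, port names, MAC addresses and inventory are all assumptions made for the example; a real switch's output needs a parser matched to its CLI.

```python
"""Audit what is physically plugged into switch ports against a device inventory.

Added example, not part of the original article.  All input data below is
constructed.  The parser assumes one entry per line in the form
    <vlan>  <mac>  <type>  <port>
which roughly matches a Cisco-style 'show mac address-table' dump.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    vlan: int
    mac: str   # normalized lowercase colon form
    port: str


@dataclass(frozen=True)
class Finding:
    kind: str  # UNKNOWN, MOVED or GUEST_PORT_UNLISTED
    mac: str
    port: str
    detail: str


_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\S+\s+(\S+)\s*$")


def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55 and
    return the lowercase colon-separated form so inventory lookups are exact."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list[Entry]:
    """Parse the table dump; header, separator and footer lines do not match
    the row pattern (or contain no MAC) and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        try:
            mac = normalize_mac(m.group(2))
        except ValueError:
            continue
        entries.append(Entry(int(m.group(1)), mac, m.group(3)))
    return entries


def audit(table_text: str, inventory: dict, guest_ports: set,
          guest_allowlist: set) -> list[Finding]:
    """inventory maps normalized MAC -> (description, expected port or None
    for devices that legitimately roam between ports)."""
    findings = []
    for e in parse_mac_table(table_text):
        if e.port in guest_ports:
            # Guest-facing ports: anything not explicitly allowlisted is a finding,
            # whether or not it happens to be a company device.
            if e.mac not in guest_allowlist:
                findings.append(Finding("GUEST_PORT_UNLISTED", e.mac, e.port,
                    f"device on guest-facing port {e.port} is not on that room's allowlist (vlan {e.vlan})"))
            continue
        known = inventory.get(e.mac)
        if known is None:
            findings.append(Finding("UNKNOWN", e.mac, e.port,
                f"no inventory record; seen on vlan {e.vlan}"))
        elif known[1] is not None and known[1] != e.port:
            findings.append(Finding("MOVED", e.mac, e.port,
                f"{known[0]} expected on {known[1]}, seen on {e.port}"))
    return findings


# ---- constructed sample data (hypothetical ports, MACs and device names) ----
INVENTORY = {
    "00:11:22:33:44:55": ("print-server", "Gi1/0/1"),
    "aa:bb:cc:dd:ee:ff": ("finance-desktop", "Gi1/0/5"),
    "00:50:c2:00:12:34": ("conf-room-appletv", "Gi1/0/20"),
    "1c:2b:3c:4d:5e:6f": ("roaming-laptop", None),
}
CONFERENCE_PORTS = {"Gi1/0/20", "Gi1/0/21"}
CONFERENCE_ALLOWLIST = {"00:50:c2:00:12:34"}

SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/0/2
  30    0050.c200.1234    DYNAMIC     Gi1/0/20
  10    b8:27:eb:12:34:56 DYNAMIC     Gi1/0/7
  10    1C-2B-3C-4D-5E-6F DYNAMIC     Gi1/0/9
  30    3c22.fbaa.bbcc    DYNAMIC     Gi1/0/21
Total Mac Addresses for this criterion: 6
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_MAC_TABLE, INVENTORY, CONFERENCE_PORTS, CONFERENCE_ALLOWLIST):
        print(f"{f.kind:20} {f.mac}  {f.port}  {f.detail}")
```

Run against the sample it reports the finance desktop on the wrong port, an unrecorded device on Gi1/0/7, and an unlisted device on the second conference-room port; the roaming laptop and the print server produce nothing. Feeding it a real dump on a schedule, and treating every UNKNOWN as a walkabout trigger, turns the "do you recognize everything?" question into a routine check rather than an occasional one.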
- Is your office in a sketchy neighborhood? Consider making sure your employees know where the well-lit routes are, where safe parking is, etc.
- Don’t go overboard on paranoia or xenophobia, but that said, consider executive evacuation travel services if your team needs to travel to unstable parts of the world. These are services which will teach you the lay of the land, arrange reputable ground transportation and safe hotels if you have to do business in places that are highly unstable or otherwise dangerous, and which will try to extract you from serious trouble if a natural disaster occurs or civil unrest or war breaks out (have you seen the headlines lately?). And if your handlers tell you to do a thing or not do a thing, listen to them.
- Remember that Customs agents in just about every country in the world are empowered to grab your laptop and smartphone and make copies of their storage the moment you cross their border or step off of that international flight. In some jurisdictions they can even keep you in a little windowless room until you log in to your laptop or unlock your phone for them. Strongly consider using "burner" phones and freshly-reimaged laptops with no interesting documents or stored logins on them when traveling internationally. And if they ever take your devices out of your sight, you can 100% count on keylogging and other back-door access software (stop giggling) being installed while-u-wait. If it's been taken out of your hands, consider it to be compromised, possibly even on a firmware/BIOS level. Trash it when you can.
- Also keep in mind that just because someone has a delivery service uniform or says they’re sent by the landlord doesn’t necessarily mean they have Amazon loot for you or are here to check your A/C. If you’re not expecting a visit, be just a tiny bit wary. You can always verify with someone whether that visit is expected.
What other general physical security tips that belong in your policies and controls do you guys have? I’m sure there are more, but I don’t want to write “War and Peace Part 7”. I’m too lazy and am not paid by the word.
Comment from a reader (I break software! | Manual Software Tester | Quality Assurance (QA) with a cybersecurity twist), 2 years ago: Yes, Lance, I read all the way to the end. You know I love reading your stuff!