portrait picture

TIMO ZIMMERMANN

balancing software engineering & infosec

Security 101: physical security

posted on Tuesday 24th of November 2020 in ,

One of the most overlooked aspects in information security is physical security. There is a wide range of things that can go horribly wrong and lead to a data breach. Some of them sound like a bad joke people make up to negotiate more money in the annual budget planning session. Some of them are things people simply do not think about anymore in 2020. But they all have one thing in common – a fairly good chance to cause problems you want to avoid.

Let us begin with one scenario most people will be able to relate to – a stolen laptop. This happens every day, they get swiped off of the table at a coffee shop or lifted out of an open bag. Thieves can also get fancy and use bluetooth scanners to find devices left in cars. A data breach originating from a stolen laptop can actually get pretty expensive.

The best stolen laptops story I’ve had to deal with personally happened a few years ago: Someone walked into an office, put some laptops that were lying behind the unmanned reception desk into a trash bag and walked out. Just like that, in broad daylight. Luckily those were all spares and were not provisioned, but counting on luck is most likely a guarantee to end up in court or the Have I Been Pwned database.

However, there are some simple and mostly free things you can do to mitigate some of the risk associated with stolen hardware.

Turn on automatically locking the system after a short period of time. Require a proper pass phrase and / or biometric authentication. Biometric authentication might be a bit questionable depending on the hardware being used, but circumventing it takes time and skill, something people most likely will only invest when it is a targeted attack. It does tremendously improves the user experience and makes adopting shorter timeouts and longer pass phrases easier.

Encrypt the hard drive – Windows and macOS ship one click solutions, Linux users can – as always – pick from many.

Deploy mobile device management. Most MDMs will allow you to remotely wipe a device when you notice it was lost or stolen. If geolocation services are supported you might even be able to locate the device once it connects to a network. I would not bet on being able to recover it, but you never know.

Granted, geolocation services are problematic, especially for mobile devices that might have constant Internet connectivity. As long as your employees have a company owned device with them, you and/or your IT team will be able to locate them whenever you feel like it. This requires proper education of your employees so they know about potentially being tracked. It might also be the reason employees with company issued hardware need longer to respond to emergencies, as they might not be comfortable carrying their device with them all the time. You should also make sure anyone with access to the monitoring software is properly trained and understand the implications (fired before they can even think of an excuse) of abusing it.

Overall, physical security is often ignored due to the misunderstanding of the potential threats. I once talked to a client with blueprints of physical products they manufacture (fully patented!), just lying around for anyone to take a photo of or grab them and run. You could easily access this area from their reception desk. Even demonstrating how fast you can take a photo without anyone noticing could not convince them that potential competitors would buy information like this. While a company focusing on a SaaS product probably has less obviously crucial things just sitting around on desks, there are often laptops, paperwork, external drives, maybe legal documents.

A few months ago I would have taken a bet that you have an office that a significant part of your workforce spends their days in. As soon as this becomes true once again (if it does), you should properly take care of your office security. There are three very obvious (and often not well implemented) steps for a solid baseline.

1) Make sure you got locks and access control. Best case you have some digital locks that keep track of who is entering and leaving the office. This might sound unnecessary, but open door policies are a security nightmare. Remember the laptops in the trash bag I mentioned? Open door policy.

If your locks use RFID or NFC keycards for access control get everyone an RF blocking case for each keycard. Hardware to copy those keycards with a swipe is only slightly more expensive than an RF blocking case.

2) A clean desk policy also reduces the risk of things spontaneously finding a new owner. Access control is all fine and good, but you will have external people walk into your office for legitimate reasons – cleaning, catering, maintenance, just to name a few. Have people take their laptops and paperwork with them or lock them away. It might be a bit inconvenient and require some training and reminders, but having a full desk drawer or desk carried out of the office is far less likely than a laptop.

3) Security cameras are a bit of a misunderstood asset. They will not prevent break ins or theft. They rarely help you identify a thief and chances to find one based on footage alone is even less likely. So what are they actually good for? Well, cutting insurance cost if you are lucky. Prominently placed they discourage crimes of opportunity. “Oh look! A new MacBook and no one is around! Ohhh, there is a security camera… never mind”.

Exceptionally good physical security is hard. Really hard, really expensive and nearly impossible to get right without professional 3rd party services. Following the advice in this post you will not be guarded against targeted attacks specifically designed to hurt you, professional industry espionage or someone beating one of your employees with a five dollar wrench.

But these are not your most likely risk scenarios. The most common and biggest physical security risks for early stage companies are crime of opportunity, accidents and carelessness. Getting the basics right is more often than not enough to cover those.