Within the past decade or so, the practices of physical and information security have been quietly converging. Adequate physical security is a prerequisite for information security, and the reverse is also true now that modern security and building management systems are themselves networked IT systems handling confidential safety- and business-critical data. Furthermore, the true value of information often far exceeds that of other corporate assets, marking a shift in the nature of the things being protected.
Historically, however, the physical and information security domains have been largely independent of each other, separately driven by their respective experts. The time is ripe to dissolve what remains of a boundary, align the functions, and make the most of the combined expertise – and perhaps start working towards further integration with related functions such as risk management and compliance.
What makes ‘adequate physical security a prerequisite for information security’? Consider the implications of an adversary obtaining unfettered physical access to one or more of your organization’s IT systems. They might have stolen them, had them stolen to order, found them, or even bought them on eBay (it happens!). In the comfort of their office, workshop or laboratory, given enough time and resources, they and/or the data recovery specialists openly advertising their services can probably overcome all but the strongest logical security controls – and even strong encryption protects nothing if the key can be obtained by some other route. ‘Rubber hose cryptanalysis’ refers to the use of coercion or torture to force someone to reveal their passwords or keys. If you believe that is too extreme for your adversaries (which is itself a value judgment concerning the severity of the threat: you could be wrong!), all manner of social engineering tricks and technical attacks remain: side-channel attacks that recover keys from a supposedly secure crypto-chip by monitoring its power consumption or timing; invasive attacks that decap the chip and read out its internals under an electron microscope; or ‘cold boot’ attacks that use freezer spray to slow the decay of DRAM after power is cut, so that encryption keys still sitting in memory can be dumped and recovered.
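To make the cold boot point concrete: once an attacker has a raw dump of RAM, finding a disk-encryption key in it is not guesswork, because AES keeps its expanded key schedule in memory and each round key is a deterministic function of the previous one. The following added example (not from the original post or from NoticeBored) scans a constructed memory image for AES-128 key schedules, tolerating a few flipped bits in the way a decayed DRAM image would require. The functions `expand_key`, `find_aes128_keys` and `build_sample_image` are this example's own; the key used is the FIPS-197 Appendix A sample key and the surrounding image is random filler.

```python
"""Scan a raw memory image for AES-128 key schedules, tolerating a few
decayed bits. Added illustration of why RAM remanence matters; not a
tool from the original post, and the memory image is constructed."""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Derive the AES S-box (GF(2^8) inverse plus affine map) rather than
    embedding the 256-entry table. Loop invariant: p * q == 1 in GF(2^8)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = (q ^ _rotl8(q, 1) ^ _rotl8(q, 2)
                   ^ _rotl8(q, 3) ^ _rotl8(q, 4)) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine constant alone
    return sbox


SBOX = _build_sbox()


def expand_key(key):
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)  # xtime
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def _bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=0):
    """Return (offset, key, bit_errors) for every 16-byte window whose
    expansion matches the following 160 bytes within max_bit_errors bits.
    A decayed DRAM image rarely gives an exact match, so the tolerance is
    what makes the search work on a real cold boot dump."""
    hits = []
    for off in range(len(image) - 176 + 1):
        candidate = bytes(image[off:off + 16])
        expected = expand_key(candidate)[16:]
        errors = _bit_errors(expected, image[off + 16:off + 176])
        if errors <= max_bit_errors:
            hits.append((off, candidate, errors))
    return hits


def build_sample_image(key, offset, flips=0, size=4096, seed=1):
    """Constructed memory image: deterministic random filler with the key
    schedule for `key` planted at `offset`, then `flips` single-bit errors
    applied to the planted round keys (not the key bytes themselves) to
    imitate DRAM decay."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    image[offset:offset + 176] = expand_key(key)
    for _ in range(flips):
        pos = rng.randrange(offset + 16, offset + 176)
        image[pos] ^= 1 << rng.randrange(8)
    return bytes(image)


# FIPS-197 Appendix A sample key; everything around it is constructed.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    clean = build_sample_image(SAMPLE_KEY, offset=1000)
    decayed = build_sample_image(SAMPLE_KEY, offset=1000, flips=5)
    print("clean image, exact match:    ", find_aes128_keys(clean))
    print("decayed image, exact match:  ", find_aes128_keys(decayed))
    print("decayed image, <=8 bit errors:",
          find_aes128_keys(decayed, max_bit_errors=8))
```

The exact-match search fails on the decayed image while the tolerant search still pinpoints the key, which is the whole point of cooling the modules before the dump: fewer flipped bits means a smaller tolerance is needed and fewer false candidates to sift. The mitigation is equally simple to state: keys that are not in RAM cannot be dumped from it, so unattended machines should be powered off, not suspended, and encrypted volumes unmounted.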
When it comes to compromising the confidentiality of paperwork and other unencrypted data storage media, brief physical access alone may be sufficient. How long does one need to snap a photo of a computer screen, a commercial contract or a customer list on, say, a cellphone’s multi-megapixel camera? How many pick-pockets have come away with credit cards, staff passes, smartphones and tablets replete with personal and commercial information? Bag snatchers and muggers are as successful as ever, and doubtless some have learnt the value of targeting high-ranking politicians, celebrities and executives.
Meanwhile, the average site security office has been dragged into the 21st Century with networked CCTV cameras, card-access pods and miscellaneous alarms feeding high-tech integrated security management systems. Facial recognition, once the domain of sci-fi and the intelligence agencies, is becoming accessible to anyone with the will and a few thousand dollars of unspent security budget – oh and by the way, audio recognition is a much easier challenge.
So, that's the backdrop for July's NoticeBored physical security awareness module. We've delivered over 130MB of content to subscribers - 3 seminars, several briefings, posters, a crossword, checklists, a board agenda, an FAQ, a quiz, a survey and more. What does your security awareness program have to say about physical security? Bet you wish you had the time to prepare 130 megabytes of motivational material!