Tech Trends: What IT is Saying About Us

April 13, 2017
A sampling of what IT experts have to say about physical security runs the gamut from good to bad and ugly

Last fall, I started taking a cybersecurity certificate program at the University of Rhode Island (http://dfcsc.uri.edu/academics/cyber_security). Without a doubt, I am the only physical security representative in the class, and I am surrounded by 30-plus IT security managers and aspirants.

Recently, I was tasked with leading an online discussion group with my classmates about the role of physical security in providing better cybersecurity. It was a great opportunity to get their perspectives on what we do every day.

Clearly, this is a work in progress, but there are promising signs. Here are some of their most eye-opening comments, which come from experts in various IT-related disciplines:

The Good

“Any attempt to establish a comprehensive security program must include physical security. The best efforts of the rest of the team are in vain if there is inadequate physical protection. Most ‘defense in depth’ diagrams focus on cyber, but the physical infrastructure provides an extensive range of defense in depth before the cyber space is encountered.”

“I believe that physical security is one of the most overlooked topics in security. Everybody is usually so concerned about having the latest and greatest security appliances that we forget about all of the other security domains.”

“Keeping physical security top-of-mind will be as good an investment as all the firewalls and anti-virus software you purchased.”

“A compromise of physical security can lead to the worst kind of cyber-attack because an assumption is often made that an attacker does not have physical access to the equipment.”

“Physical security cannot just be putting locks on exterior doors and calling it a day. Companies need to take a layered approach when securing their physical contents. It is not hard to gain access to a restricted building even without the proper credentials using the social engineering method of tailgating.”

“Physical access usually correlates to the insider threat – someone who is trusted but has ill intent and has physical access to company resources. A company can implement the best logical security, but if its physical security is flawed or lacking, then the company's assets are at high risk.”

“A company that is focused only on the bottom line or is trying to survive is less impressed with security investments until it is caught with its pants down.”

“The physical element of security is often overlooked and typically less of a priority, in favor of logical threat concerns; however, physical security should be seen as an integral part of cybersecurity that requires controls to safeguard company assets. The controls should consist of multiple layers to deter and deny an attacker’s attempt at compromising an asset.”

“PC-based endpoints form our largest and most unsecured (from a physical security perspective) attack surface. Physically compromising a PC is a rather quick operation for a trained individual…We are in general very cavalier towards the physical security of endpoints. Compromises can be a lot more obscure than we realize.”

“Frame security as a critical enabler…Encourage your employees to view security not as something restrictive but as something that enables your organization to deliver its promises to its customers.”

“How many organizations have regular security tests against the physical security infrastructure? A lot of organizations are hiring companies to perform pen testing, but that typically only tests the digital/network infrastructure.”

“When the physical and logical access is maintained by different systems, the departments that manage the access often do not interact with one another. This could lead to ineffective security policies that negatively impact the safety and security of the organization. A sound security posture is one that allows the teams responsible for enforcing policies and procedures to have the flexibility of effortlessly interacting and managing user access across the different silos within the organization.”

The Bad

“I believe that having a physical security department would be a waste of resources. It is more effective if all employees undergo physical security training. The more employees that are aware, the better.”

“I think the answer to the problem of vulnerabilities in devices like surveillance cameras is to perform due diligence on the suppliers. Research should be done on the company before choosing to make a purchase. The most important step is to change the default password. The cameras should also be put on an isolated network so that they can't talk to other nodes that don't need to communicate with the cameras… There should be a regular check for updates from the manufacturer. Security patches should be installed as quickly as possible.”

“Password complexity and certainly default passwords are examples of low-hanging fruit; in general, IT can and should require that passwords meet minimum complexity and minimum periodic change intervals.”
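The two comments above name the same handful of controls for networked cameras: no default or weak credentials, placement on an isolated network, and firmware kept current. As an added illustration (not from the classmates or from any real deployment), the script below audits a device inventory against those three controls. The device records, the default-credential list, the camera subnet and the firmware baseline are all constructed sample data; a real audit would take the defaults and current firmware versions from each vendor's documentation.

```python
"""Audit a camera/IoT inventory against basic hardening controls.

Added example. Flags each device that (1) still uses default or weak
credentials, (2) sits outside the isolated camera network, or
(3) runs firmware behind the vendor's current release. All data
below is constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Illustrative generic defaults (constructed list, not a vendor database).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"),
                       ("root", "root"), ("admin", "")}

# Assumed isolated network reserved for cameras (constructed).
CAMERA_NET = ipaddress.ip_network("10.50.0.0/24")

# Assumed current firmware per model (constructed placeholders).
LATEST_FIRMWARE = {"CAM-A": "2.4.1", "CAM-B": "5.0.3"}


@dataclass
class Device:
    name: str
    model: str
    ip: str
    username: str
    password: str
    firmware: str


def parse_version(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def password_is_weak(pw, min_len=12):
    """Assumed minimum-complexity policy: length and 3 of 4 character classes."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) < min_len or classes < 3


def audit_device(d):
    """Return the list of policy findings for one device (empty if clean)."""
    findings = []
    if (d.username, d.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials")
    elif password_is_weak(d.password):
        findings.append("weak password")
    if ipaddress.ip_address(d.ip) not in CAMERA_NET:
        findings.append(f"not on isolated camera network {CAMERA_NET}")
    latest = LATEST_FIRMWARE.get(d.model)
    if latest is None:
        findings.append("unknown model (no firmware baseline)")
    elif parse_version(d.firmware) < parse_version(latest):
        findings.append(f"firmware {d.firmware} behind {latest}")
    return findings


def audit(inventory):
    """Map device name -> findings for the whole inventory."""
    return {d.name: audit_device(d) for d in inventory}


# Constructed sample inventory: one device per failure mode plus one clean one.
SAMPLE_INVENTORY = [
    Device("lobby-cam", "CAM-A", "10.50.0.11", "admin", "admin", "2.4.1"),
    Device("dock-cam", "CAM-A", "10.10.3.7", "svc_cam", "Wt7#kq9Lp2Vx", "2.3.0"),
    Device("vault-cam", "CAM-B", "10.50.0.12", "svc_cam", "Bq4!nZ8rTe1M", "5.0.3"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run as-is, the script reports the lobby camera for default credentials, the dock camera for being on the wrong network and running stale firmware, and the vault camera as clean. The network check is the one most worth keeping: a camera with a changed password but a route to the user LAN still lets an attacker who reaches the camera reach everything else.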

The Ugly

“Why does an organization need to pay a ‘Facilities’ or ‘Maintenance’ department to provide keys to an individual when this can easily be consolidated to the IT department? This becomes even more relevant as we see an increase in the use of biometrics where verification happens on IT infrastructure.”

“The most effective way to eliminate tailgating issues is to hire physical security personnel and station them at entrances; however, the issue I find with that is that the quality of the individuals that companies will be able to hire for such positions will be low.”

“The main factors to consider when developing a physical security policy are cost, benefits and return on investment… Should we (the organization) actually spend the money for physical security controls, and to what extent? Is it worth it? What will our organization achieve by making this investment?”

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. Contact him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or on Twitter, @RayCoulombe.