Physical Security
#1: Lock up the server room
Even before you lock down the
servers, in fact, before you even turn them on for the first time, you should
ensure that there are good locks on the server room door. Of course, the best
lock in the world does no good if it isn't used, so you also need policies
requiring that those doors be locked any time the room is unoccupied, and the
policies should set out who has the key or keycode to get in.
The server room is the heart of your
physical network, and someone with physical access to the servers, switches,
routers, cables and other devices in that room can do enormous damage.
#2: Set up surveillance
Locking the door to the server room
is a good first step, but someone could break in, or someone who has authorized
access could misuse that authority. You need a way to know who goes in and out
and when. A log book for signing in and out is the most elemental way to
accomplish this, but it has a lot of drawbacks. A person with malicious intent
is likely to just bypass it.
A better solution than the log book
is an authentication system incorporated into the locking devices, so that a
smart card, token, or biometric scan is required to unlock the doors, and a
record is made of the identity of each person who enters.
A video surveillance camera, placed
in a location that makes it difficult to tamper with or disable (or even to
find) but gives a good view of persons entering and leaving should supplement
the log book or electronic access system. Surveillance cams can monitor
continuously, or they can use motion detection technology to record only when
someone is moving about. They can even be set up to send e-mail or cell phone
notification if motion is detected when it shouldn't be (such as after hours).
#3: Make sure the most vulnerable devices are in that locked room
Remember, it's not just the servers
you have to worry about. A hacker can plug a laptop into a hub and use sniffer
software to capture data traveling across the network. Make sure that as many
of your network devices as possible are in that locked room, or if they need to
be in a different area, in a locked closet elsewhere in the building.
#4: Don't forget the workstations
Hackers can use any unsecured
computer that's connected to the network to access or delete information that's
important to your business. Workstations at unoccupied desks or in empty
offices (such as those used by employees who are on vacation or have left the
company and not yet been replaced) or at locations easily accessible to outsiders,
such as the front receptionist's desk, are particularly vulnerable.
Disconnect and/or remove computers
that aren't being used and/or lock the doors of empty offices, including those
that are temporarily empty while an employee is at lunch or out sick. Equip
computers that must remain in open areas, sometimes out of view of employees,
with smart card or biometric readers so that it's more difficult for
unauthorized persons to log on.
#5: Protect the portables
Laptops and handheld computers pose
special physical security risks. A thief can easily steal the entire computer,
including any data stored on its disk as well as network logon passwords that
may be saved. If employees use laptops at their desks, they should take them
with them when they leave or secure them to a permanent fixture with a cable
lock, such as the one at PC Guardian.
Handhelds can be locked in a drawer
or safe or just slipped into a pocket and carried on your person when you leave
the area. Motion sensing alarms such as the one at SecurityKit.com are also available to alert you if
your portable is moved.
For portables that contain sensitive
information, full disk encryption, biometric readers, and software that
"phones home" if the stolen laptop connects to the Internet can
supplement physical precautions.
#6: Pack up the backups
Backing up important data is an
essential element in disaster recovery, but don't forget that the information
on those backup tapes, disks, or discs can be stolen and used by someone
outside the company. Many IT administrators keep the backups next to the server
in the server room. They should be locked in a drawer or safe at the very
least. Ideally, a set of backups should be kept off site, and you must take
care to ensure that they are secured in that offsite location.
Don't overlook the fact that some
workers may back up their work on floppy disks, USB keys, or external hard
disks. If this practice is allowed or encouraged, be sure to have policies
requiring that the backups be locked up at all times.
#7: Disable the drives
If you don't want employees copying
company information to removable media, you can disable or remove floppy
drives, USB ports, and other means of connecting external drives. Simply
disconnecting the cables may not deter technically savvy workers. Some
organizations go so far as to fill ports with glue or other substances to permanently
prevent their use, although there are software mechanisms that disallow it. Disk locks, such as the one at SecurityKit.com, can be inserted into floppy drives
on those computers that still have them to lock out other diskettes.
#8: Protect your printers
You might not think about printers
posing a security risk, but many of today's printers store document contents in
their own on-board memories. If a hacker steals the printer and accesses that
memory, he or she may be able to make copies of recently printed documents.
Printers, like servers and workstations that store important information,
should be located in secure locations and bolted down so nobody can walk off with
them.
Also think about the physical
security of documents that workers print out, especially extra copies or copies
that don't print perfectly and may be just abandoned at the printer or thrown
intact into the trash can where they can be retrieved. It's best to implement a
policy of immediately shredding any unwanted printed documents, even those that
don't contain confidential information. This establishes a habit and frees the
end user of the responsibility for determining whether a document should be shredded.
No comments:
Post a Comment