Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/18/2016
08:15 AM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Beyond Data: Why CISOs Must Pay Attention To Physical Security

Information security professionals are missing the big picture if they think of vulnerabilities and threats only in terms of data protection, password hygiene and encryption.

Battered by a nearly constant onslaught of attacks and revelations of security breaches, IT businesses and departments have doubled down on securing their organizations’ data. Better password hygiene, data access restrictions and encryption are all fundamental to preventing a data breach. However, physical security is often overlooked.

As InfoSec defends their organizations from attackers whose motivations run the gamut from quick financial gain to disgruntled employees and customers, it’s imperative for IT departments to take a comprehensive approach to securing their organizations.

Overcoming “not my job” syndrome
IT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats. IT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.

Technology professionals needs to get back to basics. While it’s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer. Security must be considered at every step, even when no networked communication is taking place.

This means not only making sure the cabling, power supply and other infrastructure are in place, but also addressing unlocked server rooms, loosely managed inventory and environmental hazards. It can be easy for IT professionals to dismiss physical security as another department’s purview, but only IT has the expertise necessary to identify and assess these sources of risk.

Merging physical and data security
The IT implications of poor physical security practices can be dire – as aptly demonstrated by the late 2014 attack on Sony. In fact, a statement attributed to one of the attackers in various news reports went as far as to claim, “Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in.” Even barring the potential for internal sabotage, it can be extraordinarily difficult for organizations to re-secure their environment once a physical security breach occurs.

Thankfully, IT departments have a variety of tools at their disposal to address both physical and data security. Disk encryption, already widely used in the business world, can be extended to provide greater physical security through the use of a trusted platform module (TPM). Combined with trusted network configurations, IT departments can ensure that data is inaccessible to unauthorized parties, even if a workstation or server is physically compromised.

Additional measures, like keeping server room doors locked, creating and enforcing ID policies, or installing mantraps can dramatically reduce the consequences physical security threats pose. Other software-based approaches, like implementing a mobile device management (MDM) solution, enabling geolocation and disabling unnecessary physical ports on workstations can prevent many common attacks without creating an undue burden on end users. By taking simple steps to reduce physical security loopholes, IT professionals can narrow and better manage their vulnerabilities.

A holistic approach to security
Whether through phishing, impersonation, tailgating or more “traditional” network-based attacks, organizations and their data face a number of serious threats. IT professionals must take a more comprehensive view of their organization’s security landscape, accounting for all potential weaknesses, not just software vulnerabilities. It’s imperative to close off obvious avenues of attack by using security controls already in place – almost every organization has at least some policies around locking doors and verifying employee identities – but many businesses don’t see the importance of these procedures and enforcement tends to be lax.

Despite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access. Organizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder. By unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to rBegister.

Related Content:

 

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Gary Scott
50%
50%
Gary Scott,
User Rank: Strategist
7/20/2016 | 7:19:02 PM
Physical Security and Decommissioning
CISOs should review their refresh and decommissioning processes for physical security threats.  We often see unsecured servers, storage units and loose hard drives when starting hard drive destruction projects.  

The equipment usually is found in the company's warehouse facilities attended by warehouse personnel (which probably dont have authorized access to the information).     

E-Waste Security provides onsite hard drive shredding services.

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Healthcare Industry Sees Respite From Attacks in First Half of 2020
Robert Lemos, Contributing Writer,  8/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
CVE-2020-24342
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.