I taught Learning Tree’s Cyber Security Introduction from my office studio recently. The course participants had one thing in common with every other group to which I’ve delivered that class: they really weren’t interested in physical security. I tried to change their minds.
Along with the usual activity where a Windows device is booted from Linux and a tool is used to crack the passwords, I talked about physical security to prevent theft, and so on. Here are a few more aspects:
While cameras cannot prevent theft or intrusion in and of themselves, they may be used to detect intrusion or theft. They have to be properly placed, actively monitored or recorded, and be of the proper type to work in the light (or lack of it) where they are deployed.
Cameras can be covert so evildoers do not know where they are being watched, or be overt to act as a deterrent. Some sites may deploy both as part of a system to detect physical intrusions.
Most IT pros see the need to physically secure servers and communication devices in locked rooms or even cabinets. Laptop and desktop devices are often left unsecured or perhaps secured with a cable to prevent theft. That may not be enough.
The Verge reported about a student who allegedly used a “USBkiller” device to destroy sixty-six campus computers. The article does not say whether he bought the device or built his own. The commercial device is designed for testing a known design issue (likely a genuine design flaw) with USB devices. It puts out 215 volts at a high current around ten times a second. Devices with the flaw are likely to be disabled by the device.
Clearly, a malicious individual could damage a significant number of computers at a large organization in short order with an inexpensive tool. Until the design flaw is corrected, many devices are vulnerable. A set of cameras could detect the bad actor, but only securing the devices in a cage, say, or physically disabling the USB ports would protect against this threat.
( While not a physical security issue, per se, user education is important here, too, by the way. Users need to be reminded not to insert unknown devices into USB ports. The usual argument is that the devices could contain malware, but the threat of destroying a computer via the USB port is clearly very real.)
Some years I worked at a secure government installation. That site had an interesting approach to the physical security of data cables: they were run in exposed cable trays. Having run and maintained cables myself, I liked the idea from the standpoint of quick access to the trays for installing new cable runs and finding a particular cable when troubleshooting.
But another benefit is that any attempts to wiretap the cables would likely be detected. A new device connected to a cable in the tray would probably be noticed at least by security or IT workers.
There are many more aspects to physical aspects of cyber security than I can address in this limited space. Physical access, from key cards to ID badges is just one of those issues. The point is that cyber security does have a physical aspect and we must not overlook it.
To your safe computing,