I used to love to break into my brother’s bedroom when he wasn’t there. He always locked the door to keep me out (I think I was 13 and he was 10). The bedroom doors had a very simple lock and a thin piece of metal or wood – such as a meat skewer – stuck in the face of the knob allowed one to open the door. I wouldn’t take anything, of course, I’d just move something a little bit so he thought I’d been messing with his stuff. Those experiences helped me to become fascinated with locks.
It seems I’m not the only one. Some “hacker” conventions have classes on lock picking and lock picking contests. A Google search for “make lock picks” will not disappoint the would-be creator of his or her own tools. Raw materials run from paperclips to street sweeper bristles. One can also buy professional tools. Be warned, though, that having the tools may be illegal in some places so check local laws first.
I’m not particularly good at lock picking. OK, I’m pretty bad, actually. That’s completely from lack of practice – I never spent much time trying to learn. There are a lot of different types of locks out there and some are (apparently) ridiculously hard to pick. It seems most homes use easy-to-pick ones for one reason or another.
So, why am I talking about picking locks? Well, if you haven’t guessed, the issue is physical security. We lock our businesses and data centers, but we need to ensure that the locks we use are good, or more generally, that our entire physical security plan is good.
The computer part of cyber security is sexy: viruses, firewalls, firmware, and so forth. But a well-rounded plan needs to have a serious physical security plan. Locks are only a part of it, of course. Cameras, lighting, ID cards, etc. all play a part. But if people can open your data center in just a few moments, either by picking a lock or cloning an access card, you may be more vulnerable than you previously thought.
And remember, not all bad actors are outsiders. Some may have limited access to a facility, but possess skills to give them accesst perfect and unless properly monitored may serve more of a role after an attack. We need to be able to defend against social engineering deceptions.
I know that for some readers of this blog, physical security issues just aren’t exciting. They weren’t for me for a long time until I realized their importance in overall system and network security. I’d like to hear of your plans to learn about physical security. Let me know in the comments below. Maybe if enough of you express an interest, Learning Tree will develop a class in that area.
To your safe computing,