Physical Security Policies

With all the importance given to technology and cybersecurity tools, physical security is often overlooked or is not adequately covered by a lot of cybersecurity programs. If you read the other article about the Cybersecurity Mindmap, this area covers things like:

• Always visible employee badges
• Visitor escorting policies and ensuring that they leave the sensitive areas
• Identifying sensitive areas for additional security measures
• And, clean desk policies

The reason why these are fairly important is because they cover a lot of the human aspects of cybersecurity. As I've often said, humans are the weakest link as far as cybersecurity issues are concerned. So, it is important to cover the physical security aspects in your program. If a physical barrier is breached, i.e. if an unauthorized person is able to act within an office that is limited to employees of a company, your attack surface just exploded.

Why? Because mostly organizations will have a different network segment for "internal" networks vs. others that are used by non-employees. i.e. Chances are that network port under an office desk will have more access to systems than the "guest wifi". So, if you try to attack the systems from the internal network, you're going to get access to a whole lot more systems. And the more the attack surface, the easier it is to find vulnerabilities to exploit.

So, how easy is it for a rogue attacker to gain such access? Let me ask you a question: When was the last time you held open the badge door for a person tailgating you when you got to work? :) It is as easy as that if you don't know the person you just held the door open for -- you possibly just let in the attacker. A penetration tester that I know got such access almost with 100% success rate. How? He used the weakest link - humans!

What would you do if you saw someone with a leg cast and crutches following you into your workplace? Yup -- you're exactly right. Most of us would hold the door open -- and on top of that, even if you had the discipline of asking for badges if it was an unknown person, chances are you're going to let it slide just this one time :). That's human behavior, and just so easy to exploit. My opinion is that the company should foster a culture that would make it ok to ask to see the badge if you don't know the person. There isn't anything wrong with it -- just need to make it so that people are expected to do that and be comfortable doing it.

There are other tangential policies that you should also be considering:

• If there are areas which have more privileged access to systems, then it would be wise to have additional security. e.g. some organizations have the ports in the "IT" area have special access to the production segment.
• Make sure you have a "guest wifi" available for guests and visitors to use that only has access to the internet and no internal access.
• Ensure that you again remind employees that it is their responsibility to walk guests/visitors back out to the non-sensitive areas. It would also be a good idea to have visibly different badges for visitors so that employees can be more vigilant about authorized folks vs. visitors.
• And finally, don't forget clean desk policies. Don't leave sensitive documents, sticky notes with passwords and such at your desk. Today's mobile cameras have enough resolution to read pretty much everything in a picture that is taken from 10's of feet.

And finally the unfortunate part: even after knowing this, you're going to hold the door open for the next person in crutches behind you to let them in :).

The question is, will you ask to see a badge?