In the current era of mega- (should I say giga-?) breaches, with tens to hundreds of millions of customer records lost and the hacking of everything, it is tempting to conclude that the logical security of devices has become more important than the physical protection around those assets. It is true that logically insecure devices make “remote attacks” possible (attacks carried out from a location other than where the device sits, i.e. over a communication channel and a protocol such as TCP/IP, Ethernet, Bluetooth, CDMA or GSM). But there is still an important defense layer that surrounds your device: its physical security.
To provide a little anecdote: a little while ago I took a flight into Washington, and the seat beside me in the back of the airplane was empty (yes, that still occurs despite all the overbooking and other tantalizing measures of the airlines). I set my little book and magazine there during the flight, with my cell phone on top. When the plane landed and touched down, it was a pretty heavy bump, and the pilot really hit the thrust reversers and the brakes, so much that I needed to stretch my arm against the seat back in front of me. During the initial bump I saw my cell phone drop to the floor, and when the full deceleration took place, the cell phone slid very fast toward the cockpit. I looked under the seat(s) in front of me but couldn’t find it. Then a friendly stewardess came up to me, smiling, with my cell phone in her hands and asked if it was mine. I was quite happy to say yes.
My phone had crossed the entire plane up to the first class cabin, where someone found it. Since my device is encrypted, has a display PIN, and shows my owner information with my name and my home phone number (should someone find it and intend to give it back), that likely helped the stewardess look up my name and seat number on the passenger list, hence the quick resolution to my almost lost device.
So, what does this little anecdote tell us? In my view, it provides reasons why you need to use the physical seat belts, why you should stow your tray tables and bring your seat back forward during takeoff and landing, why you should put your belongings in the seat pocket in front of you (and not elsewhere), and that labeling and logical security are really important, too. Sometimes physical events change your possession of something, and then you have to rely on those additional controls.
It is the combination of different types of controls (often called “defense in depth”) that makes or breaks your protection.
Another example: in my global endeavors I have also seen data centers that were in colocation or shared facilities with other companies. While the DC was physically and logically safeguarded, the cage around it was open at the top and bottom, so anyone could use the nearby ladder or the floor handles (to open the raised floor), and thereby anyone with access to the colocation site could easily intrude into the neighbor’s DC units. This alone was already risky enough, but within the DC(s) I then found the important logical controls, like firewalls and other such choke points, in a less-than-standard fashion: the side panels of the firewall racks had been taken off (to “solve” heat / cooling problems), so that the above-mentioned intruder (or even people with otherwise authorized access to the DC cage) could easily put their hands on them or attack them directly.
Lastly, in another setting I discovered cable trays wide open and accessible via a parking garage (which was not protected against unauthorized third-party access). The main facility with the core backbone was vulnerable to a simple physical attack with an axe or something similar; all the other millions of dollars spent were at total risk here. I am not saying that all the logical controls wouldn’t be necessary (in fact, they are needed, and more than ever, given the endless forms of new attack vectors and the daily increasing attack surface), but my “lessons learned” are that you have to think things through completely from the ground up, starting at the physical level and then going upwards through the ten layers of the security stack.
If you think this through further, you will come to the conclusion that this is why you need at least 60 miles (~100 km) of distance between redundant data center facilities, and why your DR and BCP plans should be based on worst-case physical scenarios to cover your bases. Backups not only need to be physically separated from the place of origin, they also need to be protected both physically and logically (otherwise, the attack against your potential crown jewels will happen against the offsite transport truck or the storage facility, etc.).
Hopefully the examples provided give enough reason to understand that physical security absolutely still matters. Now, let’s focus on the second aspect: the information (or logical) security piece.
Why does it still matter? Well, even if you built a “Fort Knox” around your assets from a physical perspective, the reality is that every system with open communication channels (ports, protocols, input/output facilities, etc.) is vulnerable to logical attacks along that protocol or via the encapsulated data itself. This is why we have the current crisis; it is “system-immanent”, so to speak, and it will remain so for quite a long time.
So, in order to protect your assets, you need to employ logical controls, like gates and control points: think of protocol-aware firewalls; malicious code detection and response (anti-malware); intrusion detection/prevention systems (IDS/IPS); log monitoring; SIEM and correlation tools; data leakage prevention (DLP) and classification systems; network segmentation; compartmentalization (of virtualized environments); multi-factor authentication; strong and complex passwords; and other sophisticated tools like global cyber threat information and real-time intelligence, strong encryption (AES-256 etc.) and hashing for integrity.
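As an added illustration of the last two items on that list, and of the point made above that a backup must be protected logically as well as physically, here is a small Go program (written for this edit, not code from the original article) that seals a backup image with AES-256-GCM. GCM is an authenticated mode, so it delivers the strong encryption and the integrity check together: a copy lifted from the offsite transport or the storage facility is useless without the key, and any tampering with the blob or its label is detected before a single decrypted byte is released. A separate SHA-256 fingerprint of the sealed blob is what an operator would record at the origin and re-check at the vault. The key handling, the label format and the sample payload are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Layout of a sealed backup: 12-byte GCM nonce || ciphertext || 16-byte tag.
const nonceSize = 12

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts plaintext with AES-256-GCM. The label (e.g. backup set
// and date) is bound as associated data: it travels in the clear, but any
// change to it, to the nonce or to the ciphertext fails the tag check.
func SealBackup(key []byte, label string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce we pass as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// OpenBackup reverses SealBackup. It returns an error, and no plaintext at all,
// if the key is wrong or any byte of label, nonce, ciphertext or tag was altered.
func OpenBackup(key []byte, label string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

// Fingerprint is the SHA-256 of the sealed blob: recorded at the origin and
// re-checked at the offsite vault to catch substitution or bit-rot early.
func Fingerprint(sealed []byte) [32]byte {
	return sha256.Sum256(sealed)
}

// TamperDetected flips the first byte after the nonce in a copy of the blob
// and reports whether OpenBackup rejects it (it must).
func TamperDetected(key []byte, label string, sealed []byte) bool {
	forged := append([]byte(nil), sealed...)
	forged[nonceSize] ^= 0x01
	_, err := OpenBackup(key, label, forged)
	return err != nil
}

func main() {
	// Assumed: the key comes from a KMS/HSM and is never stored beside the backup.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample payload and label; not real data.
	backup := []byte("crm-prod table dump, 10,000,000 rows ...")
	label := "backupset=crm-prod;generation=42"

	sealed, err := SealBackup(key, label, backup)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes, fingerprint %x\n", len(sealed), Fingerprint(sealed))

	// At the vault: verify and restore.
	plain, err := OpenBackup(key, label, sealed)
	fmt.Println("restore ok:", err == nil && string(plain) == string(backup))
	fmt.Println("bit flip rejected:", TamperDetected(key, label, sealed))
	_, err = OpenBackup(key, "backupset=other;generation=42", sealed)
	fmt.Println("relabelled tape rejected:", err != nil)
}
```

Note that the nonce is generated fresh per seal from the OS random source; with a 96-bit random nonce a single key should not be used for more than a few billion backups, and rotating keys per backup set keeps you far from that bound.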
The key is a fully crafted, well-designed security architecture, governed by clear and concise policies, run by a best-practices-oriented security operations function, supported by sophisticated and well-trained cyber intelligence specialists, used by aware and trained users, and organizationally led and managed by truly experienced CSOs / CISOs. That is what will strategically solve the security threat by design. Security has to become a design goal: no more programming, software or hardware development, implementation projects, delivery programs, etc. without clear and upfront security requirements in the specification and planning phase. It will take a generation or two, but it is possible. Let’s get started!
Michael S. Oberlaender, MS, CISSP, CISM, CISA, CRISC, ACSE, GSNA is a subject matter expert on IT, security, and related subjects. He is the author of C(I)SO - And Now What? and has held positions such as CSO and CISO at several large global companies. You can reach the author via email@example.com or via LinkedIn.