Physical security: The overlooked domain

Jun 23, 2015 | 5 mins
Physical Security, Security

With today's complex threats, physical security has unfortunately taken a back seat

Image credit: Thinkstock

As few as 15 years ago, if you mentioned security to someone in the business world, they would immediately think about alarm systems, badge readers and door locks. Some years back, I visited the Equifax Atlanta data center, entry to which required a retina scan and practically an act of Congress. Today, the focus is on logical security — threat management, breach detection, intrusion prevention, etc. With the threats we face today from all over the world, logical security is very important. Physical security has unfortunately been relegated to the realm of secondary concerns.

In the world of CISSP certification, physical/environmental security has historically been one of the nine domains. As of 2015, it was combined with another domain that includes other items, further evidence of its diminishing importance in the minds of many security experts. I would suggest, however, that physical/environmental security is still of vital importance to information security, and is dangerous to overlook.

While it would seem easier for someone to breach your network in order to steal critical data and information, physical theft cannot be overlooked. These thefts may involve actual information, or just items such as manuals or a phone list to be used for social engineering purposes. In the early days of phone phreaking, for example, systems were breached as a result of hackers stealing manuals from Dumpsters.

Another concern related to physical security is the insider threat — an employee or contractor helping themselves to your information for financial gain. While these too often involve a breach of systems, they can easily involve physical security lapses, since these individuals are rightfully in your building in the first place. The 2014 U.S. State of Cybercrime Survey, a joint effort by PricewaterhouseCoopers, Carnegie Mellon University, CSO magazine and the U.S. Secret Service, reported that “Only 49% of companies have a plan to address and respond to insider security threats — even though 32% of the same companies agree that crimes perpetrated by insiders are more costly and damaging than those committed by outsiders.” If insiders can walk into your data center and grab a removable hard drive, they have no need to break into your servers.

Finally, physical security is important to protect your most important assets: your employees. Many of the key aspects of physical security also protect your people. Beyond the value of human life, your business would be hard-pressed to operate without your employees.

Given the diminishing focus on physical security, I think a review of some key exposures in this domain is warranted.

The open lobby

This is one of my pet peeves in the physical security realm — the ability for an intruder to walk into a company lobby and straight through to the inside of the facility. Companies with open lobbies often rely on a receptionist to be the gatekeeper, but receptionists can get busy and distracted. A few weeks ago, I visited a company with an open lobby. Had the receptionist been distracted, and with the few people walking in the halls, I could have easily made it through the building to the unlocked data center. A locked door between the lobby and inside of a facility is very important.

The unlocked data center

This takes us to another key deficiency — the unlocked data center. Someone with physical access to a system can do many things that a network intruder could not. I helped a church blank the local admin password on a PC this week, something I could only do with hands-on access to the system. If you have a data center of any size, it needs to be securely locked, with access restricted to those with a need to be there.

Poorly secured doors

Systems requiring a proximity card for entry are now quite common, and with good reason. They provide tight granularity of access control for individual doors and a detailed audit trail. They are important, and should be used more than they are. That being said, they are not the answer to tight access control that many think, given the ease with which access information can be captured and used by bad actors. One of my customers recently described an audit by a major corporate customer that included an attempt to capture badge data using inexpensive, off-the-shelf hardware and software. The auditor arrived 30 minutes early and rode up and down the elevators with arriving employees. After 30 minutes, the auditor had captured enough data to easily enter almost any office in the building. I discussed this threat, and the options for badge encryption, in a recent article.

Lack of surveillance

Cameras are very inexpensive today, and yet they can do double duty, not only detecting possible threats in progress, but allowing for forensic review of incidents. What a bargain! And yet, surprisingly few companies use them, and many that do, install and ignore them. Cameras should be installed at all entry points to a facility, and in key areas such as data centers and telecom closets. The video should be recorded and retained, with a live monitor placed on the desk of someone who can keep an eye on it.

Inadequate intruder detection

The good news is that intrusion alarms are in very common use today. There is much opportunity for improvement, however. Many smaller offices in multitenant buildings do not bother with them, because a guard is often present in the lobby. If you refer to the badge paragraph above, you will realize just how easy it can be for someone to get into such a building. Further, these offices often share a common wall with other tenants. You don’t have to watch many home improvement shows to realize just how easy it is to get through drywall. You need an intrusion system, and you need one supporting unique codes for each individual for audit trail purposes.

The bottom line: It is appropriate to pay attention to logical security threats, but overlook physical security at your own peril.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.