Earlier this week, Ira Winkler wrote "What security practitioners can learn from United's failures". He astutely noted that organizations should learn from failure, and ideally from the failure of others. I'll take his lead and provide another learning opportunity for information security professionals.

Physical security is a fundamental part of information security. In fact, operating systems base much of their security controls on the assumption of a secure physical infrastructure: an attacker with physical access to a machine can often bypass its logical controls entirely.

Museums are a great example of where effective physical security comes into play. Like information security teams, museum security is often understaffed and working with limited budgets.

Museum physical security incidents provide an excellent learning mechanism for information security teams. With that, I'd like to look at three major museum incidents and draw a lesson for information security professionals from each.

Isabella Stewart Gardner Museum

This is the granddaddy of all museum thefts: 13 works of art worth over $500 million were stolen from the Boston museum in 1990. It is the largest private property theft in US history. While never proven, circumstantial evidence points to a low-paid security guard who facilitated the theft. After 27 years, the case remains unsolved.

Lessons learned: Unsolved cases make it harder to draw lessons, but it seems one of the museum's own guards was allegedly involved. Be it Edward Snowden, the unnamed Sony Corp. employee or myriad others, insiders with legitimate access are a threat that most firms don't consider.

Many firms think that starting a program to defend against insider data theft makes it seem like they don't trust their employees. Yet these same firms won't think twice about locking the office supply closet or securing the room with the snacks. Confidential data should be given at least the same level of security consideration as printer toner or M&M's.

The CERT Insider Threat Center at the Carnegie Mellon Software Engineering Institute is the best place to start your data gathering around insider threats. Its research has information to help identify potential and realized insider threats, institute ways to prevent them, and establish processes to deal with them if they do happen.

Bode Museum

Just last month, one of only six Big Maple Leaf coins issued by the Royal Canadian Mint, worth $6 million, was stolen from the Bode Museum in Berlin, Germany.

German police said the thieves used a ladder to break into the museum around 3:30 a.m. Investigators haven't revealed how the burglars managed to avoid setting off alarms and leave the museum unnoticed while carrying the heavy coin. News reports said the theft was meticulously organized and reminiscent of a Hollywood heist plot.

Using a 2 1/2-hour lull in the early hours of the morning, when Berlin's public transport shuts down, the burglars walked along the empty light-rail tracks running adjacent to the museum. They bridged the four-meter gap between the tracks and the museum with a ladder and jimmied open a window on the museum's top floor.

Police later found the ladder discarded on the tracks after they were alerted to the break-in around 4 a.m., only 15 minutes after investigators believe the burglars made off with their loot.

Lessons learned: The Gardner theft started around midnight, this one around 3:30 a.m. Graveyard shifts often have bored and lonely skeleton staffs. Adversaries are more likely to launch an attack on a holiday weekend than on a Tuesday afternoon.

CSOs must ensure that the staff (both internal and outsourced) monitoring their systems and networks are actually there during the wee hours of the night and on long weekends.

In addition, these attacks are carried out with significant planning and exploit weaknesses in design and architecture. Did museum security staff see the light-rail tracks as a threat? Did they mitigate it? The attackers knew the weak points of the museum and thought outside the box. Internal security teams must think both inside and outside the box if they want to protect their data assets.

National Gallery of Ireland

In 2012, Andrew Shannon ruined a Monet masterpiece worth $10 million by punching a hole in it with his fist. Shannon initially claimed he had felt faint and fallen into the painting. Security video showed otherwise; he was convicted and sent to prison.

Lessons learned: Comprehensive physical security goes a long way. The video shows that the Monet was well secured to the wall to prevent someone from dashing away with it. But that control addressed only one threat, theft, and not another, vandalism. With no additional protection in place, Shannon, while no heavyweight, could still land a knockout punch on the painting.

The CCTV also showed that Shannon lied. In IT, the equivalent is logs. You can't stop every event, but with a good logging strategy in place, finding the culprit and the cause becomes much easier.

When it comes to data, the principle of least privilege is your friend. Don't give users more access than they need. Far too many users have administrative privileges, and many hold access rights they no longer need. Regular reviews of who has what access, and whether they still need it, are in order.
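As an added illustration (not part of the original article), the following Python script performs two of the checks recommended above over a constructed authentication log. It flags privileged (sudo) actions that occur on weekends or outside business hours, the skeleton-shift window the Bode and Gardner thieves exploited, and it lists members of an admin group who have not used their privilege within a 90-day review window, the kind of access review least privilege calls for. The log format, the user names, the admin group membership, the business-hours definition and the review date are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log for the example (not real data). One event per line:
# ISO-8601 UTC timestamp | user | action | detail
SAMPLE_LOG = """\
2017-04-03T09:12:05Z|alice|login|workstation
2017-04-03T09:13:40Z|alice|sudo|/usr/bin/systemctl restart nginx
2017-04-04T14:02:11Z|bob|login|workstation
2017-04-08T03:27:44Z|carol|login|vpn
2017-04-08T03:29:10Z|carol|sudo|/bin/tar czf /tmp/db.tgz /var/lib/postgresql
2017-04-09T02:55:02Z|carol|sudo|/usr/bin/scp /tmp/db.tgz ext-host:
2017-04-10T10:30:00Z|dave|login|workstation
"""

# Assumed current membership of the admin (sudo) group. In practice this comes
# from the directory service or sudoers, not a literal.
ADMIN_GROUP = frozenset({"alice", "bob", "carol", "erin"})

# Assumed working hours (UTC, 08:00-17:59, Monday to Friday), review window,
# and the "now" used by the example.
BUSINESS_HOURS = range(8, 18)
REVIEW_WINDOW = timedelta(days=90)
REVIEW_DATE = datetime(2017, 4, 11, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split("|", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "action": action,
            "detail": detail,
        })
    return events


def is_off_hours(ts):
    """True on Saturday/Sunday or outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def off_hours_privileged(events):
    """Privileged (sudo) actions performed while the skeleton shift is on duty."""
    return [e for e in events if e["action"] == "sudo" and is_off_hours(e["ts"])]


def stale_admins(events, admins, now):
    """Admin group members with no privileged action inside the review window.

    These are candidates for having the privilege removed: they hold a right
    they are not using, exactly the excess access least privilege warns about.
    """
    last_use = {}
    for e in events:
        if e["action"] == "sudo":
            last_use[e["user"]] = max(last_use.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - REVIEW_WINDOW
    return sorted(u for u in admins if u not in last_use or last_use[u] < cutoff)


def run_review(log_text=SAMPLE_LOG, admins=ADMIN_GROUP, now=REVIEW_DATE):
    """Run both checks and return plain data suitable for a report."""
    events = parse_log(log_text)
    return {
        "off_hours": [(e["ts"].isoformat(), e["user"], e["detail"])
                      for e in off_hours_privileged(events)],
        "stale_admins": stale_admins(events, admins, now),
    }


if __name__ == "__main__":
    report = run_review()
    print("Privileged actions outside business hours:")
    for ts, user, detail in report["off_hours"]:
        print(f"  {ts}  {user}  {detail}")
    print("Admins with no privileged use in the review window:",
          ", ".join(report["stale_admins"]))
```

Run as a script, it reports carol's two early-morning weekend sudo sessions (a database dump followed by a copy to an external host) and lists bob and erin as admins who hold the privilege without having used it. In a real deployment the log would be pulled from your SIEM and the group membership from the directory, and the off-hours window should reflect your own shift schedule and time zone rather than the UTC assumption here.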