Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: The Role of Physical Security in Cybersecurity


Quick Take

On this episode of Compliance Unfiltered, the CU guys give you, the listener, a first-hand look at the ins and outs of physical security as it pertains to the overarching topic of cybersecurity.

  • Curious why physical security is an important part of cybersecurity?
  • Wondering what organizations can do to determine what their physical security needs are?
  • Looking to improve your best practices around physical security in the realm of cybersecurity?

Well you’re in luck! We’ve got all these answers and more, on this week’s Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!

Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the bouncer to your compliance nightclub, Mr. Adam Goslin. How the heck are you, sir?

As long as we’re doing some form of cool rock or EDM, then I’m okay.

Duly noted, sir. Duly noted. Well, today, funny enough, we’re actually having a chat about the role of physical security in cybersecurity. Do you have any fun stories about physical security you’ve experienced over your years in the trade, sir?

Well, a long, long, long time ago, before TCT, I was working at an organization where it was kind of the corporate culture, too: when you were finished with your meeting and you were stepping away for lunch but coming back, everybody would just leave their laptops in these conference rooms. Well, somebody, a bad actor, if you will, had clued into what was going on. And these conference rooms happened to be directly accessible from the public lobby. So basically, you’d walk into the lobby and you would go left or right, and you would be walking down this line of conference rooms. When you got to the end of the line of conference rooms, then you would go through a door to get back into the employee area, but there was no barrier between the lobby and all of those conference rooms. Well, lo and behold, they had an intern that happened to be walking in one of the side entrances of the building. And meanwhile, the bad actor had skirted the receptionist at the front desk, run down all of the conference rooms, literally piled one on top of the other about 12 different laptops, and was heading out of the door. The intern actually nicely held the door open for the person walking out with the stack of laptops. So that was one.

Another interesting one. And by the way, none of this is going to include names. If anybody decides to ask me, oh, was it this company that such and such happened at? I will never tell you. So we’re leaving people anonymous. But I had a medical facility I was doing some work at, basically evaluating their physical security. And they had a building that had, oh God, millions and millions of dollars of medical equipment inside of it. Meanwhile, they didn’t have an alarm system. And I was able to bypass the physical security authentication with a pair of car keys to be able to get into the facility. And actually, it was kind of fun, because the gentleman that was the director of that particular facility was like, how did you do that? Just kind of amazed.

Another one that I ran into: I was doing, again, a physical security assessment. And don’t ask me why I was walking through this. I was in the secured side of a data center, so in other words, not their public lobby. But this was like a shared hosting facility. And I was on the secured side, which basically, if I had a rack or a cage or something along those lines, is the area I would be in to then go and access my rack or my cage or whatever. So I was in, we’ll call it the semi-common area, where anybody that’s got a rack or a cage is back in that area. And for some obscure reason, I decided to pop open the medicine cabinet that they had. They’ve got those boxes with the Advil, Tylenol, whatever it may be. And I popped that open, and I looked at the bottom, and there was a ring of keys sitting there, which, as luck would have it, turned out to be the master keys to the entire facility.

Oh my geez.

Yeah, yeah. And when I pointed these out and discovered what they were, the explanation was, well, who’s gonna look at the medicine cabinet?

Oh my God, seriously. So anyway, why is physical security an important part of cybersecurity?

Well, I mean, you can do all of the training and policies and logical protections for your networking environment, and they’re all fantabulous, but it’s not gonna protect the damn thing if somebody can walk in, pull a device, and walk back out the door with the source of where the data is stored. Another real possibility is that you don’t necessarily have a device that’s removed, but instead somebody manages to add a device to the environment. So let’s say the bad actor gains physical access and then plugs in their own wireless network. Depending on where they put it, it could sit unnoticed for months. Meanwhile, they’re in the back parking lot accessing the network remotely. Somebody could throw a USB drive in that’s scraping physical data off of a device or dropping Trojans onto your systems, et cetera. If a bad actor gains physical access, then there’s a lot of possibilities for potentially significant and long-term damage to the organization.

Well, how should organizations go about determining what their physical security needs are?

Really, the nature and scope of the organization is gonna dictate what you need for physical security and what kind you’re needing to implement. So if you host all of your servers yourself and you host them in your own facility, then physical security is far more critical, whereas if I’m doing it in a cloud provider, that’s gonna be a different set of scenarios. To figure out what you need for physical security, you need to do a scoping activity: an inventory of all of your physical access points to sensitive information, and the physical access points within your control with logical access to the network. So that would include infrastructure equipment and servers, laptops, mobile devices, things that are written down, any device that connects to your network, storage locations, storage facilities. If you’ve got some type of archival room for equipment or paper, that would come into the fray. Basically, what you wanna start with is, where is all of our stuff with any sensitive information? And again, I would look at it from the perspective of, does it have personally identifiable information? Is there medical data or credit card data, national secrets, whatever? Let’s figure out what types of sensitive data we’ve got and where all it is, et cetera. And then looking at how the sensitive information flows, so that we can figure out what all needs to be protected. For example, you could have a scaled-back scope for credit cards but a ton of PII or intellectual property. So it really just depends on what the organization has, so that they can then figure out what types of things they would need.

Well, what are some of the physical security best practices?
Well, everybody has their own unique set of physical security needs, as we were talking about before with the scoping and whatnot, but I’ll just go through some general realms for physical security and we’ll kind of talk those through. So first up, let’s go security cameras. You wanna have security cameras at your entrances and exits. You wanna make sure that you’ve got 90 days of storage of the footage. You want to be able to record the interior and the exterior of the building. It’s one thing to be able to see somebody walking toward the front door, and it’s another to have a closer shot where you’re able to pick up physical features, et cetera. Where did they go once they got through the door? That type of thing. So place your security cameras appropriately, and really look at it from the perspective of, how could somebody gain access and move about the building, and would you be able to tell where they went? So there’s a lot of strategy, if you will, going into the security camera side of it.

Sure.

Door locks: making sure that you actually have lock mechanisms on all of the doors where you need them, and that the locks are actually functioning. Making sure that the locks are protected so the locking mechanisms can’t be bypassed. I brought up the example earlier of this multi-million-dollar medical facility, and meanwhile I’m able to get past the locks and gain entry. It just takes literally looking at this a little differently than you normally would. You need to put on your bad actor hat. Also looking at how people gain entry. Are they using physical keys, or are they using badges? If your doors have actual physical keys, even when you’re using badge entry or bio, who has access to the keys? Did someone that had a key leave? Were the doors re-keyed after that person left?

Those are the types of things that you want to think about in the door locks arena. Perimeter security: a lot of times an organization is going to look at their perimeter security and only consider the doors. It’s out of reput. Just because you don’t use a window to gain access doesn’t mean a thief won’t. Windows become doorways once bricks go through them. Just remember, the thieves don’t need to gain entry from the ground level. If you’re a multi-floor building, they could be coming in through the second or third floor. They could be trying to gain roof access, et cetera. So certainly part of the perimeter security mechanisms that should be in play are things like door alarms, glass break alarms, motion sensors at pivotal elements within the organization, et cetera, and having those actually connected to an alarm system.

That actually reminds me of one thing. If you’re gonna bother, finger air quotes, having an alarm system, I would encourage doing some form of an annual test or validation that your alarm system is actually functioning. I’ve had a couple of organizations that had an alarm from back in the day, and sure enough, they hadn’t gone in to do any testing or validation, and when they actually needed it, that’s when they determined that it wasn’t working. So doing the validation every here and there is a good idea.

Visitor access: you always wanna know who’s in your building, using visitor logs and visitor badges, so you can keep track of and identify people that are onsite at all times. That way, if you have a problem or some form of an emergency arises, now I know who’s in the building besides your people. Making sure that the visitor badges don’t grant access to sensitive areas of the building, setting up expiration dates on the badges, or using those oxidization badges that within 24 hours will just automatically turn into a red void label, that type of thing.

Was this Mission Impossible? That’s awesome.

Yeah, those things have been out for a little bit, but they’re actually pretty cool. Back in the day, even if you were using the “hello my name is” badges, you’d have to go write the person’s name in, you’d have to physically write the expiration date. Those ones are cool because the minute it’s torn off the backing, then hey, the 24-hour clock is running, so you don’t need to worry about it. Yeah, those ones are pretty cool. Employee access, making sure you have a process for, oh, wait a second, I wanna stick on visitor access one more second. So not only granting them access, but have a process where the visitors are clocking out as well. I’ve seen a lot of organizations where they’re great about checking people in on the way through the door, but they’re not so good at making sure that they’re noting who’s gone, when did they leave, things like that. So make that part of the process when you have visitors on site. Employees: making sure there’s a process for granting and revoking employee access to physical areas. Remember that physical access permissions need to be updated immediately if someone is joining or leaving the organization or changes roles within the organization.

I can’t tell you how many times you get somebody that moves from this role to that role. Whatever, I used to be part of the accounting team and now I’m part of the IT team, and so I still have access to all of the archival records for the accounting department.

They don’t have to, they just added my IT needs.

Yeah, yeah, exactly. So it takes some rigor to be able to make sure you’re doing it. Depending on the sensitivity level of the information at your location, using two-factor authentication for the granting of physical access.

So, I bet, you use my badge and I use my fingerprint.

Yeah, well, we could go there. I don’t think we’re quite there with the visual AI capabilities, but you never know. You might be onto something.

Panjections are coming, I’m telling you.

That said, yeah, like a physical badge with a fingerprint, a physical badge with a retinal scan, a physical badge with a PIN entry, something, so that if you lose your badge, then you don’t end up just having somebody be able to waltz right in. They have to use that second factor. The other thing which I’ll mention about physical access and badges is making sure that your badges are not plastered with your company name. The reason I say that is that if someone loses the badge, well, I can always just sundown the badge, but it gives the bad guys a clear path to be able to gain access to the facility. Now they know which facility it’s for. So again, just making sure you’ve got that under control. Depending on your business, you might have offices across a region, so the same logic would apply to any of the location sales offices or developer building or whatever it may be. It might even be just a single salesperson with a rented office. If that office has a direct connection to the corporate network, now you need to make sure that you’ve got the physical protections for that space as well. In a lot of cases, companies will treat the sales offices like they’re remote employees. There’s this notion that the sales people only have an internet connection, et cetera. Just make sure that they’re making their connections through VPN, using multi-factor authentication, et cetera, from the sales office if they don’t have a direct pipeline.

Employee training: making sure you’re training your people thoroughly, making sure that everybody knows what they should and shouldn’t be doing. So not allowing computer screens to be visible through windows, not writing down passwords, don’t ever hold the door open for somebody, making sure that you lock up your computer when you’re not actively using it. And even when you’re in a home-based environment, that’s a good habit to be in. Provision the training on the new hire’s very first day, and provision it annually and any time that there are relevant changes. Also, giving your employees quarterly security reminders is a great idea. And alongside that security training, you want to create accountability that’s got some teeth: implement repercussions into your policies and procedures for failure to comply with the security policies.

That’s another good example. Vendors: when you’re dealing with vendors for your hosting, as an example, get their security paperwork. Actually look at it. It sounds like a wild idea, but I can’t tell you how many organizations would say, well, we’re supposed to go in and gather this thing from the hosting company once a year. And so they go, they make the request, they get an email that says it’s attached, and they call it done and keep it moving. Just because a vendor’s telling you that they’re compliant with a particular standard doesn’t mean that they’re compliant. It doesn’t mean that they’re actually fulfilling the requirements appropriately. Don’t just take the vendor’s word for it. Don’t just look for the receipt of an email and all of a sudden, poof, I checked the box and I moved on. Verify it yourself. Read through the details. Look at the controls that they have in place versus what are best practices for what they should be doing. If they’re going up against PCI DSS, then Requirement 9 is where all the physical security elements are, et cetera. Also, with vendor-supplied documentation, very specifically read what it is that they covered, what services they covered as part of their engagement.

Well, why is that so important?

Well, because what I’ve seen is organizations that would, oh gosh, let’s say they got compliant with their accounting practices and their handling of credit cards and how they do invoicing, as an example. They would take that AOC with that scope and then be handing that out to clients that ask, hey, are you as an organization compliant? When in all reality the customers are wanting to make sure that the e-commerce platform is compliant, as an example. So you’ve got to pay attention to what’s going on. Just because they made absolutely certain with the, whatever, I’m just making this up, 23 credit cards that they’re dealing with for their invoicing does not mean that their e-commerce platform is compliant, until you go through and you read and make sure, number one, they’re covering the e-commerce platform. Number two, if the vendor is location specific, then does it cover your location, right? Maybe the vendor has 18 locations and you happen to be in, whatever, the Las Vegas facility, but their paperwork doesn’t cover the Las Vegas facility. Well, okay, where’s the paperwork for the one that I’m in? So there’s a lot of things around the vendor arena that you want to pay attention to. It’s an area where I have seen a lot of variability, and it’s primarily been amiss by the organizations leveraging the services, which is why I wanted to spend a little bit of time on this one.

That makes sense.

Parting shots and thoughts for the folks this week, Adam.

Well, I mean, cybersecurity inherently includes effective physical security practices. You can’t protect your data if you aren’t doing your due diligence in the physical realm. So just don’t make assumptions about the present state of your physical security. The bad actors are clever; they will find creative ways to gain access. So stay a step ahead of the bad actors, train your people, and step up your physical security game.

And that right there? That’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.

Thanks for watching. We’ll see you next time.
