Secure your assets in three layers: perimeter, rooms, individual devices. Mike explores options for each layer, from security guards at the perimeter to cable locks on individual devices.
- Years ago I had this buddy who had set up a web server that he was convinced was totally unhackable, and he's like, Mike, I'll pay you X number of dollars, well it was a lot, if you can get to this computer. And I mean, he really did have it set up pretty good. Really robust firewall, all kinds of stuff, and I couldn't get into it. But what I could do is I put on a janitorial costume, and I walked into his offices, walked up to the server room, and I physically removed the server and took it home. That's a true story and I won that bet.

So in this episode what I want to talk about is physical security. Now, we've been talking about shells, let's talk about the three shells of physical security. We tend to draw physical security as a big circle around all of our stuff and that's a fine way to start, but that's actually a little bit inaccurate. So what we have is what we call perimeter security, and this is stuff to keep people from even getting on the property, to keep them away from anything. Secondly, then we're going to start having locks. Now, we tend to think about the idea of room locks here, although, we can also put locks into buildings, but we're going to stick with rooms for right now. And the third part of physical security is for individual devices. What can we do to physically secure individual computers?

To secure our actual perimeter we're talking about serious stuff here. To me the big starter is a security guard. Security guards are amazing. Number one, they are a passive protection, because bad guys are going to drive past and go, oh my goodness, they have a security guard, I'm not even going to try to get in. Equally, a security guard can check credentials if somebody is really trying to get in and can stop them. So security guards are great.

The next one, and this is often done at the security guard position, but it doesn't have to be, is a mantrap.
Now, a mantrap is simply a two-door scenario, where somebody walks into a scenario, they close that door, and for a few moments, they are completely isolated within the mantrap. Usually within the mantrap, this is where credentials are checked, things are verified. There's probably a camera talking to the person. And then once that person is verified as being okay, we then go ahead and open the door, and let them into the actual protected area itself.

The next big one and this is where we start coming down to, really, the rooms. Although, I can also say buildings work as well here, and that is the idea of locking doors. So traditionally, just simply locking a door is a great start. However, a locked door could have some problems. Number one, you're going to need a key. So how that key manifests can be a challenge. Also, we usually would like to have some kind of entry control roster. Something where people sign in at the door, however it's pretty hard to get people to sign in or people can spoof people's names and stuff like that. So, entry control rosters are rarely pieces of paper on the side of a door anymore, although I could name a certain three-letter US federal agency that still does that at some locations. I ain't saying nothing.

Okay, so what we do instead for door locks is we tend to look for something a little bit more aggressive. One of them would be a badge reader. So in this case people are carrying around individual badges. Now these badges are often RFID individual badges, and then what happens as a person goes up, and approaches that door, they press the badge up to the door, they may also have to type in a PIN code for example, and they actually have multi-factor authentication in a situation like that, and yes the entry control roster also updates that they just went in that door.

Similar to this are smart cards. The difference between a smart card and a badge reader is that a smart card is usually something that's going to be swiped or inserted.
And in that case someone is going to walk up to a door, they're then going to either swipe or insert a smart card, which reads it and then grants them entry.

Now, if you want to get a bit fancier, there are biometric locks. Now, the problem with biometric locks is that for example, things like retina readers, where people put their heads up to a screen, and actually look in, are actually pretty rare. I've only seen one once in my entire life of working in IT, and it was in a very very high security kind of network operations center. It's the only time I've ever seen that. Fingerprint readers, I've seen a number of those.

Okay, so this is what's going to get you into the room, and now we're down to the individual host. So, to physically protect hosts, there are a number of devices you need to be aware of. Number one, some kind of cable lock. So a cable lock is something that's going to physically hold down that individual computer. Cable locks are very common on things like laptops and such. They are seen, but not nearly as commonly on desktop, workstation type systems. However, if you've got servers, a lot of times these servers are going to be sitting in a rack some place. So if you want to prevent somebody like me from stealing your server, you might want to consider a server lock. A server lock simply physically locks the server into the rack, usually behind some kind of door, and without the key you're not going to actually get to the server itself.

Another big place we have to deal with individual systems is with USB. Thumb drives are a notorious problem when it comes to security. It is so easy to just go up to a computer, shove in a thumb drive and start grabbing data. So you can actually turn off the USB port itself in BIOS, that's a common thing to do. But another one we like to see are USB locks. USB locks are physically little small, I'm going to call them a dongle for lack of a better term, that you shove into the USB ports.
These will prevent people from physically inserting USB ports, and then on top of that, if they're taken out, there's usually software on the system that gives some kind of warning to let you know, hey, wait a minute, somebody's actually pulled out one of these locks.

Now, the last one I want to talk about on the individual systems itself are privacy screens. Privacy screens are wonderful and again, in a lot of security environments, they're very very common. These usually manifest as nothing more than polarized screens that are placed on top of any type of monitor that you might be using. These are seen on desktops, they're seen on smart devices, all kinds of stuff. And basically it limits the field of view to a very very tight, as little as about a hundred degrees. So you have to almost be directly in front of them to be able to protect yourself.

Oh, okay, wait wait wait. There's two more I want to show you, 'cause I actually have these on me. Sorry, I had to go grab my keys. So, what we're looking at here are, these are key fobs. Now, key fobs are used in physical security, primarily for getting into parking garages. You rarely see them into people getting into buildings, but they can be used in that aspect.

And the last one is going to be hardware tokens. Hardware tokens are physical devices that provide some kind of information that help you get into a computer. For example, here's a picture of the famous RSA token. And this device puts out a number that changes, I believe every minute, and then you have to use this as part of your logon process to protect yourself.

Whew, that's a lot of stuff, isn't it? Physical security is really important and I know as a tech, you want to get into setting up firewalls, and setting up anti-malware and stuff, and those things are important, but trust me, if you want to keep people like me out of your networks, never forget physical security.

(upbeat music)
This Total Seminars course covers the exam certification topics.
This course was created by Total Seminars. We are pleased to offer this training in our library.