In the era of mega breaches, countless lost or stolen customer records, and, as we may now call it, the ‘hacking of everything,’ it is safe to assume that the logical security of devices has become just as important as the physical protection around those assets.
While it is true that the security of devices (or lack thereof) is what makes remote attacks possible, there is still an important defense layer that surrounds your device: physical security.
On my flight to Washington a few weeks ago, I noticed the seat beside me in the back of the airplane was empty (yes, that still occurs sometimes despite all the overbooking and other tantalizing measures of the airlines).
I set my book and magazine on the seat during the flight and my cell phone on top. Then, when the plane finally landed and touched ground, we felt a pretty heavy bump. The pilot hit the thrust reversers and brakes so hard that I needed to hold on against the seat back in front of me.
The heavy bump made my cell phone drop to the ground, and as the plane decelerated completely, my cell phone slid towards the cockpit. I looked under the seats around me, but I saw nothing. Then, a friendly stewardess came up to me smiling with my cell phone in her hands, asking if it was mine. I was quite happy to say yes.
My phone had crossed the entire plane up to the first-class cabin, where someone else had found it. But my encrypted device showed a display PIN and owner information, including my name and phone number that likely helped the stewardess look up my name and seat number on the passenger list; hence, the quick resolution to my almost lost device.
So, what should this little anecdote tell us? In my opinion, it provides reasons why you need to use the physical seat belts; why you should put upwards your tray tables during takeoff and landing and bring forward your seat back; why you should put your belongings in the seat pocket in front of you; and that labeling and logical security are really important, too.
Sometimes, physical events can change your possession of something making it necessary for you to rely on those additional controls. It is the combination of different types of controls (also often called ‘defense-in-depth’) that can make-or-break your protection.
I can think of many other situations where I’ve witnessed this first-hand. In my global endeavors, I remember seeing data centers in colocation or shared facilities with other companies. While one of the data centers was physically and logically safeguarded, the cage surrounding it could be entered through the top and bottom (the necessary ladder and/or floor handles were conveniently positioned close by), allowing anyone to easily intrude into the neighbor’s data center units.
This alone was already risky enough, but within the data centers I then found the important logical controls, like firewalls or other such choke points, in a less-than-standard fashion with the siding of the firewall racks taken off (“to solve heat/cooling problems”). Therefore, an intruder, or even people with otherwise authorized access to the data center cage, could easily get their hands on the equipment or attack it directly.
Lastly, in another setting I discovered cable trays wide open and accessible via a parking garage, which was not protected against unauthorized third-party access. The main facility with the core backbone was vulnerable via a simple physical attack, with millions of dollars at risk.
I am not saying that logical controls are unnecessary. In fact, they are needed, and more than ever, given the endless forms of new attack vectors and the daily increasing attack surface.
My “lessons learned” are that you have to think things through completely from the ground up— starting at the physical level and then upwards in the ten layers of the security stack.
If you analyze this further, you would come to the conclusion that this is why it’s important to have at least 60 miles of distance between redundant data center facilities, and that your DR and BCP plans should be based on the worst-case physical scenarios to cover your bases.
Backups need to be not only physically separated from the place of origin, but also protected physically and logically. Otherwise, the attack against your crown jewels will simply target the offsite copy (or the backup while in transport).
Hopefully, the provided examples give enough reason to understand that physical security absolutely still matters. Now, let’s focus on the information, or logical, security piece.
Why does it still matter? Well, even if you created a “Fort Knox” from a physical perspective around your assets, the reality is that every system that has communication channels open (ports, protocols, input/output facilities, etc.) is vulnerable to logical attacks along that protocol or via the encapsulated data itself. This is one of the reasons why we have the current crisis—it is “system-immanent,” so to speak, and it will remain so for quite a long time.
So, in order to protect your assets, you need to employ logical controls, such as:
- Control points
- Protocol-aware firewalls
- Malicious code detection and response (anti-malware)
- Intrusion detection and prevention systems (IDS/IPS)
- Log monitoring
- SIEM and correlation tools
- Data leakage prevention (DLP)
- Classification systems
- Network segmentation
- Compartmentalization of virtualized environments
- Multi-factor authentication
- Strong and complex passwords
- Global cyber threat information and real-time intelligence
- Strong encryption (AES256, etc.)
- Hashing for integrity
The key is that a fully crafted and well-designed security architecture will strategically solve the security threat by design when it is governed by clear and concise policies, run according to best practices, supported by sophisticated and well-trained cyber intelligence specialists, used by well-aware users, and organizationally led and managed by experienced CSOs and CISOs.
In other words, security has to become a design goal. No more programming, software or hardware developments, implementation projects or delivery programs without clear and upfront security requirements in the specifications and planning phase.
It will take a generation or two, but it is possible. Let’s get started!
About the Author: Michael S. Oberlaender (@MSOberlaender) is a world-renowned security executive, thought leader, author and subject matter expert and has worked in executive-level security roles (CSO/CISO) both in the US and EU (Germany) and in IT for over two decades. Most recently, he has been serving as CSO for Kabel Deutschland AG, the largest European cable network provider, in Munich, Germany. Prior to his role at Kabel Deutschland AG, Michael served as CISO for FMC Technologies Inc., a leading oil field services and engineering company in Houston, TX.
He has more than two decades of professional IT experience and is a member of (ISC)², ISACA, InfraGard, and several industry associations. Additionally, Michael is certified CISSP, CISM, CRISC, CISA, ACSE, GSNA and CGEIT and holds a Master of Science (Physics) from the University of Heidelberg, Germany.
Michael is also the author of C(I)SO – And Now What? How to Successfully Build Security by Design, which is available at CreateSpace and Amazon.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.