Companies are not immune to “physical and environmental” incidents, which can have serious consequences both for information systems and for society in general: fire, theft, intrusion, water damage and so on. None of these require a technical attack; a purely physical act is enough to destroy computer data or to gain access to it.
Two videos from CASES illustrate classical “physical threat” scenarios relevant to a company’s or organization’s information systems and data.
The proliferation of laptops, tablets and other portable devices increases the risk that they will be lost or stolen. An investigation by Kensington revealed that:
It should be noted that the real cost of such a theft is far more than the price of the hardware. Overall costs can become astronomical if sensitive data was stored on the stolen equipment, or if the thief was able to use the stolen PC (for example through saved passwords or a configured VPN client) to reach other company resources.
Take the following two scenarios as examples of the damage that can be done; both are actual events that occurred in Luxembourg.
The first is the well-known “Medicoleaks” case of 2012, when thousands of medical records were disclosed because a password was visible to visitors. This event was a typical “theft of passwords” and can be considered a form of “spying”, but it could also have been classified as “sabotage”, since anyone holding that password could also have destroyed the integrity of the data.
More recently, violent floods caused damage in many locations and affected more than 30 companies located near the Müllerthal. Several of them (including a hotel, a garage and some professional offices) lost data due to water damage to their IT infrastructure.
The impact of physical security vulnerabilities can be very high: data can be completely destroyed (fire, flood), used maliciously by third parties (theft, intrusion), or simply corrupted.
In general, these incidents can have 5 types of impact:
Each risk can have different types of impact. The below table demonstrates these effects by highlighting some examples:
|Risks|Most Likely Impacts|Possible Impacts|
|---|---|---|
|Water damage|Operational Impact| |
|Electrical failure|Operational Impact|Financial Impact|
|Communications|Operational Impact|Financial Impact|
|Intrusion or Theft|Financial Impact| |
Note that one disaster can have several types of simultaneous impacts. For example, if a construction company loses data after a fire, it could experience a financial, operational and legal impact.
A company that wishes to prosper must remain open to the outside world, but openness does not mean a “free for all”. First of all, physical security must comply with the standards in force for both fire and environmental risks. Next, organizations should identify their sensitive areas (computer room, specific offices …) which need specific protection because they house vital data or critical infrastructure: a sort of high-level inventory dedicated to security.
The protection of sensitive areas must be based on a prioritization of which risks to address first. In the case of fire, for example, suppression systems should use agents that will not damage computer hardware (inert gas rather than water or foam), fireproof cabinets may be required, and restrictions on smoking should be enforced. A recovery plan should be put in place and tested regularly, covering the protection of all IT infrastructure.
For all types of risk, the approach should be the same:
To protect against these risks, approaches vary with the situation. Below are some basic protective measures that are required in most cases:
|To guard against:|Protective Measure:|
|---|---|
|Electrical failure|Electronic protection / controls (UPS, inverters …); Redundancy (duplication of machines / circuits)|
|Fire|Detection and fire protection: smoking ban, disaster plan, fireproof cabinets …; Redundancy (duplication of machines / circuits); Location of computer rooms outside risk areas|
|Water damage|Flood detection system; Elevation of computer equipment; Use of hermetic tubes for wiring; Decentralized back-ups, dry archives|
|Theft, Intrusion, Espionage|Restricted physical access; Tracking of visitors|
|Communications failure|Redundancy (duplication of machines / circuits); Restricted physical access|
|Hardware Malfunctions|Regulation of temperature (computer rooms)|
Visitors can pose a significant risk (theft or espionage) if tracking or access control is insufficient. In recent years, CASES diagnostics have repeatedly recorded failures in the reception and tracking of visitors, notably an unstaffed or unattended reception area and a lack of access control to sensitive locations.
Printers located in corridors are sometimes used to print sensitive data, and employees often do not collect their printouts immediately; this leaves plenty of time for anyone passing by to read or copy sensitive information. Secure-release (“pull”) printing, where a job is only printed once its owner authenticates at the device, removes this window.
Example: a law firm practising commercial litigation, with ongoing court cases. Any leaked information could be used to harm its clients or to influence the outcome of cases. Strict physical protection measures must therefore be taken to prevent any form of leakage: for example, clients and service providers are met at reception and then escorted to dedicated meeting rooms, so that these visitors cannot come across confidential information.
We must also beware of prying eyes on public transport, in restaurants and in lobbies, and remember that people can watch through windows. One solution is to fit a privacy filter to the screen, which makes it unreadable to anyone outside the viewing angle of the legitimate user. Good to know!
Garbage cans are a favourite of spies who are not afraid of getting their hands dirty to find the information they are looking for. To remove this opportunity, send all documents through the shredder so that they are unreadable. Beware of digital media that are to be discarded: deleting a file normally only removes its entry from the file system and leaves the data itself on the medium, where it can be recovered with off-the-shelf tools, so total destruction (or a verified wipe) is necessary rather than simple erasure.
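The “simple erasure is not enough” point above, as an added illustration that is not part of the CASES page: a toy block device in Python (block size, block count and the sample medical record are constructed for the example) that behaves like a real filesystem in one respect, namely that deleting a file only drops its directory entry. A raw scan of the medium, which is all a forensic carver does, still finds the record; only an overwrite of the blocks before deletion removes it.

```python
"""Why "delete" is not "destroy": a toy block device.

Added example, not code from the CASES page. The disk is a bytearray of
fixed-size blocks plus a directory mapping names to block numbers. As on
FAT, NTFS or ext4, deleting a file only forgets the mapping; the bytes
stay on the medium until something overwrites them.
"""
import os

BLOCK_SIZE = 16    # bytes per block (toy value)
BLOCK_COUNT = 32   # blocks on the device (toy value)


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)  # the physical medium
        self.directory = {}                             # name -> list of block numbers
        self.free = list(range(BLOCK_COUNT))            # unallocated blocks

    def write_file(self, name, data):
        """Allocate free blocks and copy the data into them."""
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.raw[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete_file(self, name):
        """Ordinary deletion: drop the directory entry and free the blocks.
        No block content is touched, exactly like unlink() on a real disk."""
        self.free.extend(self.directory.pop(name))

    def sanitize_file(self, name, passes=3):
        """Overwrite every block (random passes, then zeros), then delete.
        This is what shred-style tools do on magnetic media."""
        for b in self.directory[name]:
            start = b * BLOCK_SIZE
            for _ in range(passes):
                self.raw[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
            self.raw[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def carve(self, needle):
        """Raw scan of the medium, ignoring the directory entirely."""
        return self.raw.find(needle) != -1


SECRET = b"patient: J. Doe; diagnosis: confidential"  # constructed sample record


def data_survives_plain_delete():
    """True if the record can still be carved after a normal delete."""
    disk = ToyDisk()
    disk.write_file("record.txt", SECRET)
    disk.delete_file("record.txt")
    assert "record.txt" not in disk.directory   # the file is "gone"...
    return disk.carve(b"J. Doe")                # ...but the bytes are not


def data_survives_sanitize():
    """True if the record can still be carved after overwrite-then-delete."""
    disk = ToyDisk()
    disk.write_file("record.txt", SECRET)
    disk.sanitize_file("record.txt")
    return disk.carve(b"J. Doe")


if __name__ == "__main__":
    print("recoverable after delete:  ", data_survives_plain_delete())  # True
    print("recoverable after sanitize:", data_survives_sanitize())      # False
```

The overwrite approach only works where a logical block maps to a fixed physical location, as on a magnetic disk. On SSDs and other flash media, wear levelling may write the “overwrite” to different cells and leave the original ones intact, which is why flash devices are sanitized with the drive’s built-in secure-erase or crypto-erase command, or physically destroyed, as the paragraph above recommends (NIST SP 800-88 describes these options).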
Ensuring optimal protection for your business against all risks may seem an insurmountable task for some, but we must not give up. On the contrary, we can start with some simple and inexpensive measures, or “Quick Wins”, that immediately and significantly reduce our level of risk. For example, we could think about:
If you want to better understand your physical security flaws through an initial diagnosis, you can contact us to take advantage of our CASES Diagnosis service.