Physical and Environmental Security: threats are not just digital...

Companies are not immune to ‘physical and environmental-based’ incidents which can lead to serious consequences for both information systems and society in general: fire, theft, intrusion, water damage, etc. All of these can be executed in a completely ‘physical’ way to access computer data.

Two videos from CASES illustrate classical ‘physical threat’ scenarios relevant to a company’s or organisation’s information systems and data.

The Risks

The propagation of laptops, tablets and other portable devices increases the risk that they will be lost or stolen. An investigation by Kensington revealed that:

It should be noted that the real cost of these attacks is more than just the price of the hardware. Overall costs can become astronomical if sensitive data was stored on the stolen equipment or if the thief was able to access other company resources through the stolen PC.

Take the following two scenarios as an example of the damage which can be done; both of which are actual events which occurred in Luxembourg.

The first is the well-known case of ‘Medicoleaks’ in 2012 when thousands of medical records were disclosed due to a password which was visible to visitors. This event was a typical ‘theft of passwords’ and can be considered a form of ‘spying’. But there was also the possibility of classifying it as ‘sabotage’ due to the possibility of destroying the integrity of the data.

More recently, several violent floods have done damage in many locations and have affected more than 30 companies located near the Müllerthal area. Several of them (including a hotel, a garage and some professional offices) lost data due to the water damage done to their IT infrastructure.

The Impact

The impact of physical security vulnerabilities can be very high: data can be destroyed (in the case of fire or flood), can be used maliciously by third parties, or just corrupted.

In general, these incidents can have five types of impact:

Each risk can have different types of impact. The table below demonstrates these effects by highlighting some examples:

Risks Most Likely Impacts Possible Impacts
Fire Operational Impact
Financial Impact
Reputational Impact
Water damage Operational Impact
Financial Impact
Reputational Impact
Electrical failure Operational Impact Financial Impact
Reputational Impact
Communications Operational Impact Financial Impact
Intrusion or Theft Financial Impact
Personal Impact
Reputational Impact
Legal Impact
Espionage Operational Impact
Financial Impact
Personal Impact
Reputational Impact
Legal Impact
Sabotage Operational Impact
Financial Impact
Legal Impact
Reputational Impact

Note that one disaster can have several types of simultaneous impacts. For example, if a construction company loses data after a fire, it could experience a financial, operational and legal impact.

Prevention and Protection

A company that wishes to prosper must remain open to the outside world. But openness does not mean a ‘free for all’. First of all, physical security needs to conform to the standards in force concerning both fire and environmental risks. Next, organisations should define sensitive areas (computer room, specific offices…) which must be protected in a specific way because they shelter vital data or critical infrastructures; a sort of high-level inventory dedicated to security.

The protection of sensitive areas must be based on a prioritisation of which risks to combat first. For example, in the case of a fire, fire suppression mechanisms using products that are not likely to damage computer hardware should be used, fireproof cabinets may be required, and restrictions on smoking should be enforced. A recovery plan should be put in place and tested, including the protection of all IT infrastructure.

For all types of risk, the approach should be the same:

  1. Define the perimeter.
  2. Introduce preventive (to avoid the disaster) and protective (to protect the installation in case the disaster occurs) measures.
  3. Test and evaluate these measures regularly.

To protect against all of these risks, approaches may vary depending on the situation. Below are some basic protective measures which are required for most cases:

To guard against: Protective Measure:
Electrical failure Electronic protection/controls (inverters…)
Redundancy (duplication of machines/circuits)
Fire Detection and fire protection: smoking ban, disaster plan, fireproof cabinets...
Decentralised back-ups
Redundancy (duplication of machines/circuits)
Flooding Location of computer rooms outside risk areas
Flood detection system
Elevation of computer equipment
Use of hermetic tubes for wiring
Compartmentalised flooring
Decentralised back-ups, dry archives
Theft, Intrusion, Espionage, Restricted physical access
Tracking of visitors
Alarm systems
Sabotage Redundancy (duplication of machines / circuits)
Decentralised back-ups
Restricted physical access
Hardware Malfunctions Regulation of Temperature (computer rooms)

Visitors can pose a significant risk (theft or espionage) if there is insufficient tracking or access control. In recent years, CASES specific diagnostics have recorded several failures linked to the reception and tracking of visitors: notably, the lack of support or occupancy of the reception area and a lack of access control to sensitive locations.

Sometimes printers located in corridors are used to print sensitive data and many times employees do not immediately recover their printouts – this leaves a lot of time for unauthorised people to read or make copies of sensitive information.

Example: a law firm with ongoing court cases practising in commercial litigation. Any leaked information could be used to harm their customers or be used to influence the outcome of cases. Strict physical protection measures must, therefore, be taken to prevent any form of leakage. For example, customers or service providers need to be met at reception and then escorted to dedicated meeting rooms to prevent these visitors from discovering confidential information.

We must also beware of prying eyes on public transportation, in restaurants, and lobbies. You should also be aware that people can watch you through windows. One solution could be to place a privacy screen protector/privacy filter on screens that make reading impossible for anyone who is outside the visual angle of a legitimate user… Good to know!

Dustbins are often used by spies who are not afraid of getting their hands dirty to find the information they are looking for. To remove this opportunity, just send all documents to the shredder to make them unreadable. Beware of digital media that are to be discarded: destruction is necessary because the simple erasure of data is not always enough to make it disappear completely.

Where to Start?

Ensuring optimal protection for your business against all risks may seem like an insurmountable task for some - but we must not give up. On the contrary, we can start with some simple and inexpensive measures that can immediately and significantly reduce our level of risk. Such ‘Quick Wins’ can be, as follows:

If you want to better understand your physical security flaws through an initial diagnosis, you can contact us to take advantage of our CASES Diagnosis service.

Table of Content