2KKUU7ita

Chapter 6: Physical Security
✓ Does a receptionist or security guard monitor traffic in and out of the
main doors of the building?
✓ Do employees have confidential information on their desks? What about
mail and other packages — do they lie around outside someone’s door
or, even worse, outside the building, waiting for pickup?
✓ Where are trash cans and dumpsters located? Are they easily accessible
by anyone? Are recycling bins or shredders used?
Open recycling bins and other careless handling of trash are invitations
for dumpster diving. Hackers search for confidential company information,
such as phone lists and memos, in the trash. Dumpster diving can
lead to many security exposures.
✓ How secure are the mail and copy rooms? If intruders can access these
rooms, they can steal mail or company letterhead to use against you.
They can also use and abuse your fax machine(s).
✓ Are closed-circuit television (CCTV) or IP-based network cameras used
and monitored in real time?
✓ Have your network cameras and digital video recorders (DVRs) been
hardened from attack — or at least have the default login credentials
been changed? This is a security flaw that you can predict with near
100-percent certainty.
✓ What access controls are on doors? Are regular keys, card keys, combination
locks, or biometrics used? Who can access these keys, and where
are they stored?
Keys and programmable keypad combinations are often shared among
users, making accountability difficult to determine. Find out how many
people share these combinations and keys.
I came across a situation for a client where the front lobby entrance was
unmonitored. It also happened to have a Voice over IP (VoIP) phone available
for anyone to use. But the client did not consider that anyone could enter the
lobby, disconnect the VoIP phone (or use the phone’s data port), and plug
a laptop computer into the connection and have full access to the network
with minimal chance that the intruder would ever be questioned about what
he or she was doing. This could have been prevented had a network connection
not been made available in an unmonitored area, if separate data and
voice ports were used, or if the voice and data traffic had been separated at
the network level.
Countermeasures
What’s challenging about physical security is the fact that security controls
are often reactive. Some controls are preventive (that is, they deter, detect,
or delay), but they’re not foolproof. Putting simple measures, such as the following,
in place can help reduce your exposure to building and office-related
vulnerabilities:
87