07 January, 2019

What is Physical Security?

Author: Greg Stanley

OK, I'm just going to say it: I'm a physical security guy in an IT security world. So why physical security for IT? Easy: you cannot have a secure network without a secure environment around it. After all, physical security is part of the CISSP, isn't it? I have conducted many physical security assessments and penetration tests around the world, and based on my observations, most employees believe security has become more of a necessary evil, or even worse an inconvenience to them, when their business has strong physical security requirements. We've all seen some sort of movie where the hero has to come up with some elaborate plan involving helicopters, acrobatics, and stealth suits to get into a facility. Well, let's face it: most of the time a person can social engineer their way into a facility far more easily than by going through all of those complex plans. What makes it so easy for them? What is it about certain businesses and individuals that makes it easy for criminals to exploit them?

To help explain this, I'm going to discuss the different basic levels of physical security and give you tips on how you can be proactive within each level.

First is the outer perimeter: the parking lot and the outside of the building you work in. This is where you lock your car and don't leave valuables in it, such as electronic devices or your company's access card. Basically, security here is left up to individuals, with maybe an occasional check by security personnel.

Second is the inner perimeter: the public areas, lobby, entryways, even the windows of your building. Your company should authenticate all personnel who enter the building or the important areas of your building where the public doesn't belong. This is done by either posted security personnel or a receptionist. Most authorized employees enter with valid credentials or some sort of authentication process, like an access card or PIN code. This can sometimes be a burden on your building's security, especially with personnel piggybacking or simply holding the door for the people behind them. To remediate this, always ensure the door closes behind you and force the other people to authenticate themselves before entry. Along with authenticated entry procedures, security will also incorporate searches, either inbound or outbound, as a remediation for theft. For this, think of something between airport security and a sporting event or theme park: have everything available and open to be searched, and never carry property that is not yours.

Third is your workspace: the area you are directly in control of. This area needs to maintain a level of security as well, not only for the safety of fellow employees but for your business too. If people you do not recognize are wandering around your area or acting suspiciously, you should confront them or report them to your supervisor or security professionals. Also, do not leave devices and important documents unsecured. Desktop computers should have a restraining device, and laptops or smaller items should be locked up, especially if you are not around for long periods of time. If you step away, ensure your device screens are locked and important documents are out of sight.

The last thing I would like to discuss is the climate of the business you work in. Some companies rely on their employees and staff being extra courteous to visitors. This is one of those circumstances where the importance of your company's goals outweighs your company's security needs, especially within the areas of customer service. This is what we consider acceptable risk. Acceptable risk needs to be weighed heavily by management and security professionals in order to maintain a fine balance between security needs and the company's mission. Another area of security to think about is operational security: things like "water cooler talk" in a public area, posting information on social media, displaying your badges outside of your workspace, or losing control of them. These are probably the most commonly violated security practices. I can't tell you how many times I've used social media to find a picture of a badge and replicated it with Photoshop to assist in gaining entry into a building. Only you can help with operational security: properly storing your work items and keeping your work talk to a minimum, or holding it until you are back in your workspace, is the key.

In conclusion, when it comes to physical security in an IT world, don't think of it as just something you have to get through; actually be part of it. Eventually, through good practices, physical security will become part of your routine. Then hopefully your actions will spread to your co-workers, and the result will be a much safer and more secure environment to work in.
