Originally published in Communications and Networking
Every day, network administrators stand guard over their employers’ data. After years in the trenches, many justifiably take pride in their virtual defences. Send a virus their way? They have that base covered. Wi-fi access? Watertight. Clumps of spam threatening to clog e-mail servers? Water off a duck’s back.
Many IT security product vendors reinforce the theft-by-wire mindset. For example, a recent Symantec Internet security threat report goes on endlessly about bots, spyware, and other electronic nasties – the threat types that Symantec and its competitors make their business. Implicit in such reports is the assumption that the only tunnel through which data enters or leaves is of the Ethernet or wireless variety.
It’s tunnel vision like this that has landed more than a few firms in hot water.
What about the tangible stuff: computers and storage media? Consider the midnight theft of computer equipment from a downtown Toronto retail store, where computer equipment (along with its data) left through smashed windows. The scary part: while the computers were the store’s property, much of the data on them wasn’t. To compound the problem, store management showed dubious ethics when it kept the theft quiet.
My favourite example of “physical data theft” is fictional: the hack job from the feature film Ocean’s 11. If you haven’t seen the movie, here are the details: a thief disguised as IT staff enters a Las Vegas casino’s server room unchallenged, hooks up a sniffer, and gets access to, among other things, every video security feed in the place. End result: thief and his team make off with $180M.
This fictional tap is worth mentioning simply because it’s plausible. Does your firm reside on several office tower floors? Are the building’s phone cabinets secure? Do visitors regularly stroll unaccompanied through the office?
Too many businesses need to ask themselves such questions, but one outweighs them all: Who has ultimate responsibility for physical network components? IT? Security? Somebody else?
Once that question elicits an answer, IT has to determine the physical security needs of your organization’s data. Server rooms, data conduits, PCs, all the physical bases (and access to them) come into play. The goals are twofold: theft prevention and crisis management.
With these answers in hand, the group who protects the physical network can put theft prevention measures in place. Locks and alarms help secure phone panel doors. Motion sensors cover server rooms at night. Security guards can add those rooms to their detail. Employees can anchor notebook PCs to desks by day and lock them up at night. RFID transponders on your most critical servers ought to let you track them should they “disappear”.
Hardware disappearances have triggered crises at IBM and a major Canadian bank, among others, so nobody can afford to be smug. Does your company already have plans to manage such crises? (Hint: The ostrich defence of the Toronto retail operation mentioned above won’t cut it.)
Finally, as information security consultant Claudiu Popa notes, people will always be the weakest link. Popa regularly hears of laptops that vanish. What’s more natural, after all, than seeing people walk around the office carrying laptops? What isn’t as natural, Popa says, is seeing laptops anchored to desks or walls. When executives, especially, are too busy to follow security policies, those laptops and their data are sitting ducks.
This returns us to the question of who is responsible for data security. The real answer: everybody who touches that data, from network analysts to the executives who carry confidential information on their hard drives. No theft prevention or crisis management strategy is complete unless every one of these people understands the risks and takes precautions.
It’s time to jump the rails traveled by the Symantec report train of thought. Keep asking: how else could data escape? If your organization hasn’t already secured its physical network assets, it’s time to raise the topic at your next department meeting. Otherwise, you and your colleagues may inadvertently provide plot ideas for Hollywood’s next hit heist flick.