Hand in Hand
Physical security professionals have traditionally lived in a very different world from the folks in information security (IS). More and more, though, both types of security experts are being asked to team up to fight off common threats. What can a policeman, military officer or security guard do to help protect an agency’s computer-based information? How much do they really need to learn about the inner workings of computers?
“Physical and computer security people really need to work together. A weakness in physical security can cause a weakness in computer security, and vice versa,” says Gerhard Eschelbeck, chief technology officer for information security vendor Qualys.
“If a hacker breaks into a human resources database, and gets access to the home phone numbers of top officials, it can undermine physical security efforts, as well,” agrees Bill Jensen, manager of Firewall One’s government practice.
“We cannot ask IT and perimeter security within the Department of Defense (DoD) to give up their respective missions. However, we can absolutely expect them to cooperate with each other,” says Greg Dix, vice president of government systems for ActivCard.
Dix credits U.S. government agencies such as the Department of Defense, Department of Transportation, and Department of Interior as leading the way toward greater cooperation between two security organizations — and surrounding industries — that have been quite separate historically.
“Agencies are saying to security vendors, ‘OK, Mr. Physical Security and OK, Mr. IS, let’s start bringing this whole thing together,’” Dix elaborates.
However, experts almost unanimously agree that, right now, physical security and IS are still two very different animals. “Information security can be very confusing and complex. Moreover, the technology isn’t that mature yet. It keeps changing all the time,” admits Nick Brigman, senior director of strategy for RedSiren, a provider of managed security services to both government and private industry.
More Doors and Windows
Brigman points to other areas of difference. “In the physical world, catching criminals is about judging how fast they can move and how high they can jump. In cyberspace, on the other hand, everything moves at the speed of electrons, and it might not be possible for anyone to witness what’s happening,” he says.
“A perpetrator can break into a computer network without necessarily having physical access to a keypad or mouse at a facility. A computer virus, for example, might hop through five or six different computers on the Internet in a matter of seconds,” he adds.
“The barriers to entering a computer network just aren’t as high,” Eschelbeck notes. “In physical security, you put locks on the windows and doors. In information security, you must put up many different ‘layers of walls,’ and it’s easier to ‘leave a window open’ by mistake.”
Safeguarding the Keys
One way to get a better grip on information security is to focus more on the similarities than the differences. “On both sides (of security), you need to be able to secure the ‘keys,’” Eschelbeck says.
As Dix sees it, in both types of security, access control and identity management are the name of the game. Smart cards are already starting to form one kind of bridge between the two different worlds.
Some smart cards will initially be deployed only for access control and identity management around computer access, Dix says. “Still, though, IS can ask a guard, ‘Please go over to that room. We can tell that somebody over there is doing something on the computer that he shouldn’t be doing.’”
Meanwhile, on the other side of the coin, the DoD, State Department, Treasury Department, and General Services Administration (GSA) have been working together on a new smart card architecture — the Government Smart Card Interoperability Specification (GSC-IS 2.0) — which will initially be used only for interchangeable access to physical facilities.
Hot Technologies to Handle
With IS moving as fast as it does, physical security professionals also need to be aware of special security risks around hot new technologies such as notebook PCs, handheld computers and wireless networks.
“Notebooks and handhelds bring a high risk of theft, whether inside the office or when an employee turns his back at the airport,” Eschelbeck says.
Whenever possible, these mobile computing devices should be locked in some way, Jensen suggests. Physical security people should also familiarize themselves with motion detection and alarm systems for PCs.
Just as importantly, IS departments should protect confidential data by setting up encryption and authentication systems on mobile computers.
Says Eschelbeck: “People who are on the road regularly constitute one of the biggest exposures to an organization.”
“If auditors are taking laptops out in the field to look at the books, the spreadsheets shouldn’t be left out there, open on the PC, for everyone to see,” Jensen adds.
Wireless: A Double-Edged Sword
Notebook PCs are raising even more security risks now that they’re starting to come with built-in wireless networking. Until recently, a PC needed an add-in card in order to be used on a wireless network. Now the wireless radio is increasingly built into the notebook’s chipset, so a machine may be able to join a wireless network out of the box, whether or not the agency intends it to.
“Wireless technology can open up data to a lot more ‘doors’ on the network,” Eschelbeck contends.
As a result, physical security professionals need to be on the alert for wireless snooping activities, as well as the presence of unauthorized wireless devices in the office.
Wireless networking requires a small device called an “access point,” which bridges wireless clients onto the wired network, in addition to the card or embedded wireless chip in the computer.
For security reasons, many organizations forbid the use of wireless networks in the office. “Still, almost anybody can go out to the local Radio Shack, buy an access point, and set it up in the office without the knowledge of the IS department,” Dix points out.
The main problem is that the employees who set up such a device are unlikely to know the ins and outs of wireless security. An access point left with its default settings or without encryption can inadvertently open up the agency’s network to eavesdropping from within the building, outdoors in the parking lot, or even from adjacent buildings.
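One practical way a security team can act on the warning above is to walk the building with a wireless survey tool and compare what it sees against the inventory of access points the agency actually deployed. The script below is an added example, not code from the article or from any of the vendors quoted in it. The survey lines, the authorized-AP inventory, and the signal-strength threshold are all constructed, hypothetical data; a real survey would come from a scanning tool and a real inventory from the IS department.

```python
# Added example: flag unauthorized wireless access points in a site survey.
# Everything below (inventory, survey lines, -70 dBm cut-off) is constructed
# sample data, not real scan output from any particular site.
import re
from dataclasses import dataclass

# Hypothetical inventory: radio MAC (BSSID) -> SSID the agency deploys on it.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "AGENCY-CORP",
    "00:11:22:33:44:02": "AGENCY-CORP",
}

# Constructed survey output, one AP per line:
# BSSID  SSID  channel  security  signal (dBm).  SSIDs here contain no spaces.
SURVEY = """\
00:11:22:33:44:01  AGENCY-CORP   6   WPA2   -48
00:11:22:33:44:02  AGENCY-CORP  11   WPA2   -55
de:ad:be:ef:00:01  AGENCY-CORP   6   WPA2   -40
aa:bb:cc:dd:ee:ff  linksys       1   OPEN   -35
12:34:56:78:9a:bc  NEIGHBOR-NET  6   WPA2   -82
"""

LINE_RE = re.compile(
    r"^(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ssid>\S+)\s+(?P<chan>\d+)\s+(?P<sec>\S+)\s+(?P<rssi>-?\d+)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    bssid: str
    ssid: str
    reason: str
    rssi: int


def parse_survey(text):
    """Parse survey lines into dicts; refuse lines we do not understand."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable survey line: {line!r}")
        aps.append({
            "bssid": m["bssid"].lower(),
            "ssid": m["ssid"],
            "chan": int(m["chan"]),
            "sec": m["sec"].upper(),
            "rssi": int(m["rssi"]),
        })
    return aps


def find_rogue_aps(aps, authorized=AUTHORIZED_APS, strong_dbm=-70):
    """Return findings a guard can act on, in survey order.

    - an authorized radio advertising an unexpected SSID (misconfiguration)
    - an unknown radio advertising one of our SSIDs (an 'evil twin')
    - any other unknown radio heard at or above strong_dbm, i.e. probably
      inside the building rather than a neighbour; open (unencrypted) ones
      are called out explicitly.
    Weak unknown signals are assumed to be neighbours and are not reported.
    """
    findings = []
    our_ssids = set(authorized.values())
    for ap in aps:
        bssid, ssid, rssi = ap["bssid"], ap["ssid"], ap["rssi"]
        if bssid in authorized:
            if ssid != authorized[bssid]:
                findings.append(Finding(bssid, ssid,
                                        "authorized radio broadcasting unexpected SSID", rssi))
            continue
        if ssid in our_ssids:
            findings.append(Finding(bssid, ssid,
                                    "evil twin: our SSID from an unknown radio", rssi))
        elif rssi >= strong_dbm:
            reason = "unknown AP heard at strong signal, likely inside the building"
            if ap["sec"] == "OPEN":
                reason += ", no encryption"
            findings.append(Finding(bssid, ssid, reason, rssi))
    return findings


if __name__ == "__main__":
    for f in find_rogue_aps(parse_survey(SURVEY)):
        print(f"{f.bssid}  {f.ssid:<14} {f.rssi:>4} dBm  {f.reason}")
```

The cut-off on signal strength is the judgment call: set it too low and every neighbour’s router becomes an alert, set it too high and a rogue device in a far corner of the building is missed. Matching on SSID is what catches the case a signal threshold cannot, an attacker’s radio impersonating the agency’s own network name.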
Is it Time for Cross-Training?
For physical security to support IS most effectively, organizations should give their physical security staff training on computer security basics, according to experts.
“In fact, physical and information security people really ought to be cross-training,” Brigman advises. “Security people should probably be meeting together on a weekly basis — and most certainly, whenever there’s a threat.”
Beyond that, physical security professionals should be just as involved as their IS counterparts in establishing an organization’s overall security policies.
In today’s world, everyone who works in the security field needs to know the ABCs of computer security. Beyond that, though, an organization’s security department can stand out by applying physical security knowledge to the new challenges of the 21st century.
Info Security: Glossary of Terms
ENCRYPTION — Computer-based technology that “scrambles” data so it can’t be read by anyone who does not hold the key needed to unscramble it.
FIREWALL — Technology that screens traffic entering (or leaving) a network, allowing or blocking connections based on the other computer’s address on the Internet, or “IP address,” and on the service being requested.
AUTHENTICATION — Verifies that a user is who he claims to be before granting access to a computer, by requiring one or more “identifiers” (a log-in name and password, a token or smart card, or biometric information such as a fingerprint, for example).