You’ve purchased a firewall to protect your entire network. You’ve installed anti-virus software which updates its definitions daily. You’ve downloaded and installed all security patches for your operating system. You have anti-spyware software regularly scanning your system and removing any unwanted downloads.
You may think you’ve done everything necessary to protect your network and devices from security threats. But you might be wrong. “About 80 percent of security breaches are physical in nature,” says Peter Dougherty, president and CEO of OnPATH Technologies, which provides physically secure switches.
Physical security is key
Indeed, if your network and equipment don’t have physical security, you may almost as well not bother with the firewall. “If a hacker gets physical access to a device, all bets are off,” notes Sean Convery, CTO of Identity Engines, a Sunnyvale, Calif., company that provides network access control.
How can you make sure your network is safe from physical as well as software breaches? Here are some steps to consider:
1. Lock down servers. Limit access to server rooms and data centers only to those, such as IT staff, who have a legitimate need to be there. “It’s a good idea to lock the doors on the server racks themselves as well,” Dougherty says. He also recommends placing the “management server” — the device used to control and configure the network — in a separate location with its own locked access as a further measure to ensure the network’s physical safety.
2. Don’t forget wiring and switches. Once the servers are secure, take a look at the wires and switches connecting them. “Where is your wire closet? Can the local cable technician get in without authorization?” asks Dougherty. If outsiders have access to the wires and switches that transmit your data, you run the risk of a security breach.
3. Treat cables with care. “Companies typically have some sort of firewall device protecting their network,” Dougherty says. “But because your Internet access comes in from outside, you may have one router on the non-secure side of the network, outside the firewall.” Given the confusing array of devices that are often plugged in side by side, it’s frighteningly easy for an inexperienced or distracted employee to plug in a device outside the firewall. “That’s a very big risk,” Dougherty says. “There are companies set up to do nothing but ping for unprotected networks.”
How can you protect yourself from this type of error? One simple but effective solution is to attach a color-coded label to each cable, showing exactly where it should be plugged in.
4. Set some alarms. Consider installing software alarms that will alert IT administrators every time a cable or device is unplugged from the network — or plugged into it. “It should not only generate an alarm, but also automatically lock down the network,” he adds.
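A minimal sketch of the kind of software alarm described in step 4, added here as an illustration and not taken from the article or from any vendor's product. It scans switch syslog text for link-state messages in the Cisco IOS style and raises one alarm per plug or unplug event; the sample log lines are constructed, and the hostname, the approved-port inventory and the lock-down rule are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the Cisco IOS link-state syslog style.
SAMPLE_LOG = """\
Mar  3 02:14:07 sw-closet-1 %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
Mar  3 02:14:41 sw-closet-1 %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
Mar  3 02:15:02 sw-closet-1 %LINK-3-UPDOWN: Interface GigabitEthernet0/22, changed state to up
Mar  3 02:15:09 sw-closet-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Hypothetical inventory: ports that are supposed to have a cable in them.
APPROVED_PORTS = {("sw-closet-1", "GigabitEthernet0/3")}

LINK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s%LINK-3-UPDOWN: "
    r"Interface (?P<port>\S+), changed state to (?P<state>up|down)$"
)

@dataclass(frozen=True)
class Alarm:
    ts: str
    host: str
    port: str
    event: str       # "plugged" or "unplugged"
    lock_down: bool  # True when the port should be disabled pending review

def link_alarms(log_text, approved=APPROVED_PORTS):
    """Return one Alarm per plug/unplug event found in the log text."""
    alarms = []
    for line in log_text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue  # not a physical link-state message
        plugged = m["state"] == "up"
        # Something appearing on a port that should be empty is the case
        # that warrants an automatic lock-down, not just a notification.
        unapproved = (m["host"], m["port"]) not in approved
        alarms.append(Alarm(m["ts"], m["host"], m["port"],
                            "plugged" if plugged else "unplugged",
                            lock_down=plugged and unapproved))
    return alarms

if __name__ == "__main__":
    for a in link_alarms(SAMPLE_LOG):
        action = "LOCK DOWN PORT" if a.lock_down else "notify"
        print(f"{a.ts} {a.host} {a.port}: cable {a.event} -> {action}")
```

In practice the log text would come from the switch's syslog feed, and the lock-down flag would drive whatever port-disable mechanism the site already uses.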
Don’t count on encryption
Whatever you do, don’t count on encryption to protect your data in case of a physical security breach. Recently, a research team at Princeton University revealed that, by the relatively simple means of freezing DRAM chips with the liquid nitrogen in canned air, they were able to retrieve encryption keys.
And, if the data is password-protected, access is even easier. “Most operating systems have either a well-known or not-well-known method for password retrieval or reset, such as by booting from a CD,” Convery says. The reason, he adds, is obvious. If a legitimate user loses his or her password, the device becomes an expensive pile of useless metal and silicon without some way to override password protections.
And this feature is not limited to computers or servers but includes every piece of electronics, including firewalls themselves, Convery says. “If you can touch the device, and cut power to it, you can reset the password.”