Slashdot Mirror


Physical and Network Security Merging?

MonMotha writes "CSO reports that physical and network security may be merging in an effort to eliminate redundant jobs, create a more secure security plan, and make security procedures more standardized across the company. This would seem to be a logical step forward as businesses become more and more dependent on their computers, and as the old adage goes, an attacker with physical access already has you owned."

6 of 132 comments

  1. ISC^2 already defines this by phreakmonkey · · Score: 5, Informative

    ... as the article points out. To me, the bigger revelation to "geeks" here should be that information security is about a lot more than OS vulnerabilities and firewalls.

    The International Information Systems Security Certifications Consortium (ISC^2) defines ten domains of information security.

    Physical Security is one of them... a big one. So is network security, auditing, forensics, and liability, amongst other things.

    Anyone interested in the relations of risk management and physical/information security should aim their research towards ISC^2 related documentation. In addition to being fairly comprehensive, you will be better prepared when you become experienced enough to apply for your CISSP certification. ;-)

    (ISC^2 can be found here)

    -PM

  2. Banks do this by zaffir · · Score: 2, Informative

    A friend of mine works in a dedicated IT building for one of the larger banks in the US (can't think of the name right now, but I know it's located in Ferndale, south west of Detroit, MI). He took me around the place, and showed me all the security stuff they had set up. You need a card, fingerprint, and key-code to even get into the building (yes, the janitor's entrance is like this too). You need those to get into the elevator, and to go into any of the areas with actual machines. I was only allowed to see their huge terabyte server cluster through very dark tinted glass: nobody but the head IT people are allowed in there.

    I guess that if someone decided to walk into the place with guns a blazing he could, but that's not exactly the most subtle way to steal credit card and bank account information.

    --
    "Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway

  3. Re:CSIS and other agencies have known for decades by sshack · · Score: 2, Informative

    Which security text book was this? I've been looking for a decent one and haven't found it yet.

  4. Re:Bad idea by Col.+Panic · · Score: 3, Informative

    If you want a CISSP you will have to learn something about physical security. You will also have to learn about all the other parts of the CBK, including:

    Access Control Systems & Methodology

    Applications & Systems Development

    Business Continuity Planning

    Cryptography

    Law, Investigation & Ethics

    Operations Security

    Physical Security

    Security Architecture & Models

    Security Management Practices

    Telecommunications, Network & Internet Security

  5. More than physical and logical... by spoonist · · Score: 2, Informative

    It's more than just physical and logical security. There is also psychological security, if you will. All the physical and logical security in the world won't protect you from social engineering.

    (Oh, and don't forget to email your username/password/IP to me. Thanks.)

  6. The 3 BIG Securities protecting your network by Siergen · · Score: 2, Informative

    1. Physical Security, so that only authorized people get direct access to your hardware, including terminals, ports, routers, etc.

    2. Personnel Security, so that you reduce the chances that you've given authorization to an untrustworthy person.

    3. Computer/Network Security, to reduce the chances that unauthorized people get into your network from outside your facility, and to control the access that authorized users have to your systems.

    All 3 are needed. If one person isn't doing all 3 security jobs, then the different security people should be working together so that they don't accidentally work at cross-purposes.

    For example, one of the buildings on our site had been vacant for several months, so to save money physical security dropped the alarm monitoring and guard patrols when the contract was renewed. Two months later IT set up a new server farm in it, and didn't tell the physical security folks. One month after that, the servers went down and "walked away" over a three day weekend...