Physical and Network Security Merging?
MonMotha writes "CSO reports that physical and network security may be merging in an effort to eliminate redundant jobs, create a more secure security plan, and make security procedures more standardized across the company. This would seem to be a logical step forward as businesses become more and more dependent on their computers, and as the old adage goes, an attacker with physical access already has you owned."
Does this mean we are going to be giving network admins guns? I don't really trust those guys, with all their Quake playing and all.
GoatPigSheep, the 3 most important food groups
I guess I'm gonna have to start ripping CDs off from the store instead of stealing them online. After all, if they're gonna replace their security guards with fat, pimply-faced l33t h4x0rz, I probably have a better chance outrunning them...
(-1, Raw and Uncut is the only way to read)
If your boss comes to the server room and hands you a badge and a gun, please *try* to take it a bit easier on the caffeine...
(Maybe they should also ban FPS gaming during work hours too...)
-- My Weblog.
I cannot wait until the Bastard Operator From Hell gets in on this....
www.eFax.com are spammers
I do network security for a living. I also know the physical security people in my company. We have completely orthogonal skill sets and cultures. Most (non-guard) physical security positions require knowledge of police work, evidence handling, physical monitoring equipment, etc. (Good) Network security requires advanced understanding of network theory, operating systems, programming, algorithms, network protocols, etc. It's not about watching an intrusion detection system all day. It's about influencing how programs and entire systems and networks are designed and operated, outthinking attackers, and so forth.
The International Information Systems Security Certifications Consortium (ISC^2) defines ten domains of information security.
Physical Security is one of them... a big one. So is network security, auditing, forensics, and liability, amongst other things.
Anyone interested in the relations of risk management and physical/information security should aim their research towards ISC^2 related documentation.. in addition to being fairly comprehensive you will be better prepared when you become experienced enough to apply for your CISSP certification. ;-)
(ISC^2 can be found here)
-PM
The slack-jawed rent-a-cops aren't the ones who DESIGN or DECIDE on physical security -- they are a facet of the implementation.
Think of them as a crude firewall.
The article was talking about merging the decision making and responsibilities at a higher level. It was NOT talking about giving PCs to rent-a-cops or guns to sysops.
Actually, most network admins I know ALREADY own guns.
Learning HOW to think is more important than learning WHAT to think.
When someone comes into your server farm with a gun and says "Let me access info I want or I'll blow your fucking heads off"! Then you will understand that security is security.
Plus the best place to hack a network is from the inside. It's not a "mission impossible" to get yourself access to a computer at any major financial institution here in the states.
Data is an asset that needs to be protected both in the physical world where it is stored, and in the virtual world where it is accessed. The goal in each arena is the same, ignoring either is irresponsible. Thus the inevitability of these two departments combining.
The ASP I was working for last year was very forward thinking on this and ran both network and physical security as a single entity. Unfortunately thinking ahead in security didn't translate to thinking ahead when creating a sustainable business model.
is getting rid of that operating system that is simply 'not built for security'...;P
So, instead of Rent-a-cops, are we going to have lots of Rent-an-admin positions available?
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
I think the idea was not that sysadmins don't know that physical security is important, but rather that they don't have direct control over the physical security of their systems sometimes.
If the local IT security guy/gal gets privileges on the physical security side, he/she can do a much better job of keeping the systems physically secure.
Contrary to the parent poster's rather foolish statements, physical security people who help assess (perform threat/risk assessments) and implement solutions in physical security can be quite sharp and quite technically savvy.
For example, in evaluating a server room for the RCMP, I saw a physical security guy assess things like smoke detectors, fire extinguishers, construction of the ceiling, construction of the floor and walls, construction of the doorjamb and the locks used, etc. And he had to know his stuff as well as knowing what the pertinent standards for good practice (and in the case of government, for government standards for physical security). His prior job involved some assessments of some CSIS facilities (managing construction of same or something like that IIRC).
It is a very different skillset, but it makes total sense to combine expertise in both into one entity if organizational security is a requirement (and when is it not?). Ideally, in such a group, people will be cross-trained and particular experts in network/computer and site/physical/emission security will be retained. In practice, some poor sysadmins may get stuck trying to ensure physical security as well - depends on who is implementing the rationalization.
I recall reading a security text which devoted about twenty pages to encryption, network security, etc. and about 200 pages to other organizational security processes (including audits, risk assessments, emergency response plans, etc). If it costs me $100,000 to hack your network electronically or $5K to payoff a janitor, which do you think the bad guys will target?
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Recently, a revolutionary new technology has been discovered that has the ability to grant access to certain areas or items to a few people, but to keep the rest of the world at a safe distance of the often high-valued areas or items. This item will provide a great security tool for network administrators, considering it enables them to secure the server rooms from 1337 h4x0rzzz with a screwdriver. This amazing device, made usually from wood but in special cases where extra security is required, made out of steel or steel/metal alloys is called a "Door" and has been hailed by security experts around the world as the "entlösung" to most, if not all security problems, especially if this device is coupled with small pieces of metal/steel called "Keys", which can be used to lock the door using a complicated mechanical procedure.
Scientists are now thoroughly investigating alternate ways of protecting one's servers or other private belongings. Several options include Glyphs of Warding, summon the undead to protect a server and storage of servers inside highly radioactive or otherwise toxic environments.
Hate me!
Kid on playground #2: Aaaghghgkk!
Kid on playground #1: ha-HA! Your box rootin' days are over Bad Hax0r Bill!
Kid on playground #2: Gosh darn it Tommy! Why do I always have to be the intruder every time we play 'sys-admin'?
Kid on playground #1: quit whining Robby, when we're at your house you can be the network admin
Kid on playground #2: Fine, but at least pretend you're an MSCE this time so I can win one game
Kid on playground #2: Pfft. Alright, but next time we play 'content pirate' you have to be Valenti. I'm sick of peeing my pants so I don't miss the commercials.
On a serious note, consider the locations of all the hot network jacks at your employer. Are any of them in public locations that are empty at times, say conference rooms in common areas? How easy would it be for someone to go in, plug in a laptop, and start up a packet sniffer? There are aspects of your network that need physical consideration other than the server room.
Now the most difficult part is figuring out how to convey "w3 0wn j00r a55, fUx0R!" over the dubious medium that is the megaphone.
If you open yourself to the foo, You and foo become one.
A friend of mine works in a dedicated IT building for one of the larger banks in the US (can't think of the name right now, but I know it's located in Ferndale, south west of Detroit, MI). He took me around the place, and showed me all the security stuff they had set up. You need a card, fingerprint, and key-code to even get into the building (yes, the janitor's entrance is like this too). You need those to get into the elevator, and to go into any of the areas with actual machines. I was only allowed to see their huge terabyte server cluster through very dark tinted glass: nobody but the head IT people are allowed in there.
I guess that if someone decided to walk into the place with guns a blazing he could, but that's not exactly the most subtle way to steal credit card and bank account information.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
> ... as the old adage goes, an attacker with physical access already has you owned.
Oh, I dunno about that. We've already seen a number of reports about people who got their laptop back after a theft, apparently because it was running Linux or *BSD. The thieves couldn't get past the login screen, so they trashed it or left it lying somewhere, and whoever found it called the phone number on the sticker.
Granted, this might not stop your expert unix hacker. But most laptop thefts are by petty thieves who are pretty much computer illiterate, as are the guys who fence them. With Windows or Macs, they can turn it on, try a few things to verify that it runs ok, and it's in the pipeline. With a unix-like system, they can't get in, they conclude that it's unusable, and they toss it.
Your typical laptop thief only gets a hundred bucks or so for the machine. It's not worth a great deal of effort to break through security to verify that you're not buying a fancy-looking brick. So login+password is plenty secure for the typical theft.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Physical access isn't necessarily owned - with proper encryption and the passphrase nowhere but in my neurons they can still be locked out, but for a small bribe I could be convinced to reveal the secret to the executives' outrageous incomes and my lousy salary.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
It's more than just physical and logical security. There is also psychological security, if you will. All the physical and logical security in the world won't protect you from social engineering.
(Oh, and don't forget to email your username/password/IP to me. Thanks.)
Just open up our Nerf guns, replace the innards with some real weaponry, and put it back where you found it. We'll defend our server rooms just fine. :-)
Vintage computer games and RPG books available. Email me if you're interested.
I doubt this is too likely to happen much. Security departments have a lot more to deal with than just securing locations from access. Our own computer department does, in fact, handle some of this (for our own areas, at least)--security keypads and our own alarm system.
I work for a large auto parts distributor, and our security department doesn't even deal much with access security. They deal with investigations for sticky-fingered employees for the most part. They also deal with the more complicated theft rings, which usually involve state authorities due to dirty city cops being involved.
This is WAY outside sysadmin territory, and I don't see them merging anytime soon.
My problem with this is that physical security is not a sinecure for technological problems.
If this were *merely* to eliminate redundant management structures, it might be agreeable. But probably wouldn't be.
As a former IBM employee, I've had to deal with the management of firewalls by a separate security organization; the result was a minimum of six weeks to get a TCP port other than 80 opened, if it's permitted at all.
XML was invented by IBM employees as a means of routing around these people by tunneling operations on port 80, which these people would permit by virtue of it being port 80, without concern for the content of the traffic over that port.
Given encryption on storage media, both active and backup, and multiple site replication, physical security is more and more meaningless for information technology.
IMO, eventually corporate networks will not exist at all, *except* as VPNs.
At that point, "physical security" means sending armed guards out on business trips with every schmuck with a laptop, and posting them outside the homes and telecommuting centers of every remote worker.
Frankly, a merger in this area feels more like the physical security people trying to defend against their increasing irrelevance, in the same way that RIAA and MPAA are attempting to defend their increasing irrelevance.
-- Terry
> It is a very different skillset, but it makes total sense to combine expertise in both into one entity if organizational security is a requirement (and when is it not?). Ideally, in such a group, people will be cross-trained and particular experts in network/computer and site/physical/emission security will be retained. In practice, some poor sysadmins may get stuck trying to ensure physical security as well - depends on who is implementing the rationalization.
Different skill sets, but the approaches are analogous (perimeters, critical resources, etc.)
Personally I think that it would be a great idea if people had at least some contact and cross-training.
One caveat though-- This should not be about eliminating redundant jobs. Sure this means that you can operate more securely, but it really means you can buy better security for the same cost.
LedgerSMB: Open source Accounting/ERP
1. Physical Security, so that only authorized people get direct access to your hardware, including terminals, ports, routers, etc.
2. Personnel Security, so that you reduce the chances that you've given authorization to an untrustworthy person.
3. Computer/Network Security, to reduce the chances that unauthorized people get into your network from outside your facility, and to control the access that authorized users have to your systems.
All 3 are needed. If one person isn't doing all 3 security jobs, then the different security people should be working together so that they don't accidentally work at cross-purposes.
For example, one of the buildings on our site had been vacant for several months, so to save money physical security dropped the alarm monitoring and guard patrols when the contract was renewed. Two months later IT set up a new server farm in it, and didn't tell the physical security folks. One month after that, the servers went down and "walked away" over a three day weekend...
"an attacker with physical access already has you owned"
I usually feel a superiority complex when it comes to the "humor" and "wit" that normally accompany the average slashdot text, but this one has me stumped... Is this really an old adage? Or is it some semi-subtle joke, using the relatively new term "owned" and calling a phrase with its usage an "old adage"?
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
Physical security isn't just locks, although the realm of access-control alone is enough for an entire job when it comes to background knowledge. The notion that there is redundancy between physical and computer security specialists is insane. I've worked with a few physical security specialists, and I was utterly in awe of the various things they had to know. There are almost no overlaps, very few synergies, and frankly, I don't really care to know what the latest and greatest in door strikes and CCTV lenses are, so if I were asked to do double-duty, I'd be heading for the door before you could say "emergency exit."
For your security, this post has been encrypted with ROT-13, twice.