Physical and Network Security Merging?
MonMotha writes "CSO reports that physical and network security may be merging in an effort to eliminate redundant jobs, create a more secure security plan, and make security procedures more standardized across the company. This would seem to be a logical step forward as businesses become more and more dependent on their computers, and as the old adage goes, an attacker with physical access already has you owned."
Does this mean we are going to be giving network admins guns? I don't really trust those guys, with all their Quake playing and all.
GoatPigSheep, the 3 most important food groups
I guess I'm gonna have to start ripping CD's off from the store instead of stealing them online. After all, if they're gonna replace their security guards with fat, pimply-faced l33t h4x0rz, I probably have a better chance outrunning them...
(-1, Raw and Uncut is the only way to read)
If your boss comes to the server room and hands you a badge and a gun, please *try* to take it a bit easier on the caffeine...
(Maybe they should also ban FPS gaming during work hours too...)
-- My Weblog.
I cannot wait until the Bastard Operator From Hell gets in on this....
www.eFax.com are spammers
I do network security for a living. I also know the physical security people in my company. We have completely orthogonal skill sets and cultures. Most (non-guard) physical security positions require knowledge of police work, evidence handling, physical monitoring equipment, etc. (Good) Network security requires advanced understanding of network theory, operating systems, programming, algorithms, network protocols, etc. It's not about watching an intrusion detection system all day. It's about influencing how programs and entire systems and networks are designed and operated, outthinking attackers, and so forth.
The International Information Systems Security Certifications Consortium (ISC^2) defines ten domains of information security.
Physical Security is one of them... a big one. So is network security, auditing, forensics, and liability, amongst other things.
Anyone interested in the relations of risk management and physical/information security should aim their research towards ISC^2 related documentation. In addition to being fairly comprehensive, you will be better prepared when you become experienced enough to apply for your CISSP certification. ;-)
(ISC^2 can be found here)
-PM
The slack-jawed rent-a-cops aren't the ones who DESIGN or DECIDE on physical security -- they are a facet of the implementation.
Think of them as a crude firewall.
The article was talking about merging the decision making and responsibilities at a higher level. It was NOT talking about giving PCs to rent-a-cops or guns to sysops.
Actually, most network admins I know ALREADY own guns.
Learning HOW to think is more important than learning WHAT to think.
So, instead of Rent-a-cops, are we going to have lots of Rent-an-admin positions available?
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
I think the idea was not that sysadmins don't know that physical security is important, but rather that they don't have direct control over the physical security of their systems sometimes.
If the local IT security guy/gal gets privileges on the physical security side, he/she can do a much better job of keeping the systems physically secure.
Contrary to the parent poster's rather foolish statements, physical security people who help assess (perform threat/risk assessments) and implement solutions in physical security can be quite sharp and quite technically savvy.
For example, in evaluating a server room for the RCMP, I saw a physical security guy assess things like smoke detectors, fire extinguishers, construction of the ceiling, construction of the floor and walls, construction of the doorjamb and the locks used, etc. And he had to know his stuff, as well as knowing the pertinent standards for good practice (and, in the case of government, the government standards for physical security). His prior job involved some assessments of some CSIS facilities (managing construction of same or something like that, IIRC).
It is a very different skillset, but it makes total sense to combine expertise in both into one entity if organizational security is a requirement (and when is it not?). Ideally, in such a group, people will be cross-trained and particular experts in network/computer and site/physical/emission security will be retained. In practice, some poor sysadmins may get stuck trying to ensure physical security as well - depends on who is implementing the rationalization.
I recall reading a security text which devoted about twenty pages to encryption, network security, etc. and about 200 pages to other organizational security processes (including audits, risk assessments, emergency response plans, etc.). If it costs me $100,000 to hack your network electronically or $5K to pay off a janitor, which do you think the bad guys will target?
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Kid on playground #2: Aaaghghgkk!
Kid on playground #1: ha-HA! Your box rootin' days are over, Bad Hax0r Bill!
Kid on playground #2: Gosh darn it Tommy! Why do I always have to be the intruder every time we play 'sys-admin'?
Kid on playground #1: Quit whining, Robby, when we're at your house you can be the network admin.
Kid on playground #2: Fine, but at least pretend you're an MCSE this time so I can win one game.
Kid on playground #2: Pfft. Alright, but next time we play 'content pirate' you have to be Valenti. I'm sick of peeing my pants so I don't miss the commercials.
On a serious note, consider the locations of all the hot network jacks at your employer. Are any of them in public locations that are empty at times, say conference rooms in common areas? How easy would it be for someone to go in, plug in a lap top, and start up a packet sniffer? There are aspects of your network that need physical consideration other than the server room.
Now the most difficult part is figuring out how to convey "w3 0wn j00r a55, fUx0R!" over the dubious medium that is the megaphone.
If you open yourself to the foo, You and foo become one.
> ... as the old adage goes, an attacker with physical access already has you owned.
Oh, I dunno about that. We've already seen a number of reports about people who got their laptop back after a theft, apparently because it was running Linux or *BSD. The thieves couldn't get past the login screen, so they trashed it or left it lying somewhere, and whoever found it called the phone number on the sticker.
Granted, this might not stop your expert Unix hacker. But most laptop thefts are by petty thieves who are pretty much computer illiterate, as are the guys who fence them. With Windows or Macs, they can turn it on, try a few things to verify that it runs OK, and it's in the pipeline. With a Unix-like system, they can't get in, they conclude that it's unusable, and they toss it.
Your typical laptop thief only gets a hundred bucks or so for the machine. It's not worth a great deal of effort to break through security to verify that you're not buying a fancy-looking brick. So login+password is plenty secure for the typical theft.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I doubt this is too likely to happen much. Security departments have a lot more to deal with than just securing locations from access. Our own computer department does, in fact, handle some of this (for our own areas, at least)--security keypads and our own alarm system.
I work for a large auto parts distributor, and our security department doesn't even deal much with access security. They deal with investigations for sticky-fingered employees for the most part. They also deal with the more complicated theft rings, which usually involve state authorities due to dirty city cops being involved.
This is WAY outside sysadmin territory, and I don't see them merging anytime soon.
My problem with this is that physical security is not a sinecure for technological problems.
If this were *merely* to eliminate redundant management structures, it might be agreeable. But probably wouldn't be.
As a former IBM employee, I've had to deal with the management of firewalls by a separate security organization; the result was a minimum of six weeks to get a TCP port other than 80 opened, if it was permitted at all.
XML was invented by IBM employees as a means of routing around these people by tunneling operations on port 80, which these people would permit by virtue of it being port 80, without concern for the content of the traffic over that port.
Given encryption on storage media, both active and backup, and multiple site replication, physical security is more and more meaningless for information technology.
IMO, eventually corporate networks will not exist at all, *except* as VPNs.
At that point, "physical security" means sending armed guards out on business trips with every schmuck with a laptop, and posting them outside the homes and telecommuting centers of every remote worker.
Frankly, a merger in this area feels more like the physical security people trying to defend against their increasing irrelevance, in the same way that RIAA and MPAA are attempting to defend their increasing irrelevance.
-- Terry
> It is a very different skillset, but it makes total sense to combine expertise in both into one entity if organizational security is a requirement (and when is it not?). Ideally, in such a group, people will be cross-trained and particular experts in network/computer and site/physical/emission security will be retained. In practice, some poor sysadmins may get stuck trying to ensure physical security as well - depends on who is implementing the rationalization.
Different skill sets, but the approaches are analogous (perimeters, critical resources, etc.)
Personally I think that it would be a great idea if people had at least some contact and cross-training.
One caveat though: this should not be about eliminating redundant jobs. Sure, this means that you can operate more securely, but it really means you can buy better security for the same cost.
LedgerSMB: Open source Accounting/ERP