Let’s get physical

News Analysis
Jan 12, 2004, 6 mins

IT security must include locked doors and premises protection, not just firewalls.

Wells Fargo bank offered $100,000 in November to catch a thief who stole the Social Security numbers and account information of thousands of bank customers. While the crime sounds like something that a clever hacker might pull, in this case the crook did his work the old-fashioned way – he broke into a consultant’s office and walked off with his computer.

This story, which had a happy ending for the bank and its customers, points to the need for IT security professionals to pay attention to the “guns and dogs” physical security that surrounds their networks. No amount of firewalls, encryption or access lists can stop a criminal who gets into a server room.

“IT guys really have to think about what’s protecting their data. How much of that is Cisco or Microsoft or IBM, and how much of that is Pinkerton or Brinks?” says Phil Libin, president of CoreStreet, a vendor that makes equipment to control access to buildings and networks.

Once intruders with know-how are left alone with machines, the game is pretty much over. “I can have a hard drive out of a computer within 5 minutes,” says Bill Farwell, head of the digital forensics practice at Deloitte Touche. Keeping data thieves away from your machines is key and requires learning more about securing hardware, rooms, buildings and campuses, he says.

Interest in this convergence of corporate security is growing. At a fall Computer Security Institute conference, a session on general security trends was booked in a room with seats for about 20. About 120 people showed up eager to discuss physical security, says session moderator Terri Curran, information security officer for the Center for Digital Forensic Studies and former chief security officer at Gillette. Government regulations on privacy in healthcare and accountability in financial institutions are spurring this interest. Protecting data is no longer a business-by-business decision; it can be the law.

One hurdle to leap is that people in charge of building security and those in charge of IT security come from different cultures. Many traditional security chiefs are retired cops who apply their knowledge of personal safety to a business. IT security people worry more about who can break into a network electronically, Curran says.

Vulnerabilities can lie in the seams between these realms, says Andrew Stewart, the security practice lead for Intellinet, a network services consultancy. For instance, a financial institution he worked with had network terminals inside conference rooms located off a busy lobby guarded by a lone receptionist. The IT staff didn’t consider that the room was unsecure and the physical security people didn’t consider that a valuable asset was being exposed. “Many IT security people are locked into the mindset of thinking about virtual domains and not physical domains,” he says.

More and more security professionals recognize this and are seeking dual certification, Curran says. One is the Certified Protection Professional granted by the American Society of Industrial Security for physical security expertise. The other is the Certified Information System Security Professional issued by the Information Systems Security Certification Consortium, (ISC)².

Short of that, individuals can start to think differently, Farwell says. Physical security should be looked at as a series of concentric perimeters, with each layer more secure than the previous one. What belongs in which circle depends on the value the corporation places on it. A Web server that contains only corporate public information might have a lower value than one on which customers buy products. “If somebody steals a server, it costs $10,000 or $30,000 [for the machine], but it might represent $5 million in lost revenue. You have to identify your assets. What are your crown jewels?” he says.

Once ranked, assets have to be protected accordingly. “You think access control,” Farwell says. “At the first layer you have a key-card door. At the second door you need a key card plus a PIN.”

When outside help needs to get in for upgrades and repairs, authorized staff must watch them at all times.

Screening those with cards and PINs is just as important, Curran says. “Hardened facilities, man-traps, biometrics are fine. You also have to check the backgrounds of people you let into the facility,” she says. Someone with a criminal past obviously would be excluded. But a firewall expert with phony credentials can be just as dangerous, even if he fouls things up out of incompetence rather than bad intent, she says.
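The concentric-perimeter policy Farwell and Curran describe (ranked zones, a key card at the outer door, key card plus PIN at the inner one, escorted outsiders, background-checked staff) can be written down as a small rule set. The following is an added illustration, not code from the article or from any vendor named in it; the zone names, factor names and people are constructed for the example.

```python
# Added example: a minimal model of layered physical access control.
# Zones, factors and the sample people below are constructed, not real.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Outermost to innermost. Each inner door is reached only through the
# previous one, and each adds a requirement on top of the outer layers.
ZONES = ["lobby", "office", "server_room"]

# Credentials that must be presented at the door of each zone.
REQUIRED_FACTORS = {
    "lobby": set(),
    "office": {"keycard"},
    "server_room": {"keycard", "pin"},
}


@dataclass
class Person:
    name: str
    factors: Set[str] = field(default_factory=set)
    background_checked: bool = False
    is_outsider: bool = False        # consultant, repair technician, etc.
    escorted_by_staff: bool = False


def can_enter(person: Person, zone: str) -> Tuple[bool, str]:
    """Decide one door. Returns (allowed, reason)."""
    if zone not in REQUIRED_FACTORS:
        return False, f"unknown zone {zone!r}"
    # Nobody gets past the lobby without a background check.
    if zone != "lobby" and not person.background_checked:
        return False, "background check missing"
    # Outsiders are never left alone in sensitive areas.
    if zone == "server_room" and person.is_outsider and not person.escorted_by_staff:
        return False, "outsider must be escorted in sensitive areas"
    missing = REQUIRED_FACTORS[zone] - person.factors
    if missing:
        return False, "missing factor(s): " + ", ".join(sorted(missing))
    return True, "ok"


def deepest_zone(person: Person) -> Optional[str]:
    """Walk inward from the lobby and stop at the first door that refuses."""
    reached = None
    for zone in ZONES:
        allowed, _ = can_enter(person, zone)
        if not allowed:
            break
        reached = zone
    return reached
```

Because every inner zone is only reachable through the outer ones, a single missing factor or an unescorted contractor stops the walk at the last door that accepted them, which is the behaviour the layered model is meant to guarantee.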

Tips for extending network security

To keep your business data safe, consider the physical settings in which your networks live and the people who access them. Here are some suggested steps to take:

• Cross-train physical security staff with IT security staff so they all think outside their respective boxes.
• Consider giving a security officer authority over both physical and IT security.
• Don’t use unsecure protocols on your internal network because a physical security breach will leave it vulnerable.
• Shore up or shut down network access points in public areas such as lobbies and lounges.
• Train staff in security procedures so they don’t leave keys and PINs lying around where someone can access them.
• Never leave consultants and other “outsiders” alone in sensitive areas such as switch rooms and data centers.
• Carefully screen the credentials of all IT staff.

Implementing an overarching security policy is essential and might require a chief security officer who has responsibility for both the safety of personnel and property as well as network security, Stewart says.

“When I ask who is in charge of network security, I often hear that it’s part of everybody’s job. But unless somebody is accountable for security, it won’t get done,” Stewart says. “Security is about accountability – whose fault is it when something occurs that should not occur.”

Even with someone clearly in charge, it’s tough to know whether things are working well. No successful attacks could mean either none were tried or that some were tried and all were defeated. Companies don’t know whether they have enough security until something goes wrong and they find out they didn’t have enough, Stewart says.

In the case of Wells Fargo, the data was on the computer of a consultant and was outside bank facilities. In hindsight, it’s easy to see that if the data was allowed on that computer, that computer should have been secured.

Luckily, the burglar apparently stole the computer for the hardware and software, not for the value of its contents. When the suspect used the computer’s AOL account, investigators traced the connection to his house where they found the missing machine and made an arrest.

It’s a happy ending to a story that need not have started at all had a tighter, converged security plan been in place.