Introduction:
All of the software and network security in the world won't protect your systems as long as someone can gain physical access to them. This section will discuss some of the various measures that can be taken to ensure your systems and data don't fall into the wrong hands.
Building Entry:
The best way to prevent unauthorized access to equipment and theft is to not allow people into facilities that don't belong there. Many companies have a magnetic key card that is swiped over a pad to unlock the door. Smart cards are becoming more commonly used for this purpose. Smart cards are credit card-sized devices with varying capabilities including building entry. The card is typically inserted into a reader device which reads the contents of the ICC chip in the card.
Building entrances may also be accompanied by security cameras. Companies that don't utilize some sort of card entry system should lock all doors and use a single point of entrance - usually this would be a front desk or lobby. In addition to preventing equipment and data theft, these steps are designed to minimize the risk of social engineering exploits as well.
If you suspect that someone is in the building that does not belong, it should be immediately reported to a supervisor or security team (if applicable). Incedence reporting is an integral part of the security process.
Internal Physical Security:
Access to server rooms and other locations of important equipment should be limited only to those whose job description warrants their access. The door should be locked to everybody else. Security cameras are sometimes used in these locations as well.
The most important way to prevent access to sensitive data is to have a sufficient authentication program in place. For quite some time, the standard authentication method has been for users to enter a username and password that has to be entered correctly in order to login to the computer or network. Unfortunately, many users have usernames and passwords that are easy to guess, or they can be garnered through a brute force attack. Furthermore, many users will write their credentials on a piece of paper and tape it to their monitor, put it in their desk drawer, put it under their mousepad, or other insecure location.
To address this, there is a movement toward other authentication techniques. The first is the use of previously mentioned smart cards and newer operating systems support smart card authentication. Another type of authentication method is biometric using voice recognition, fingerprint scanners, and other devices for authentication. Many new PC keyboards and laptops now come with a smart card reader or fingerprint scanner built right in. More recently, RFID key fobs allow users to scan their biometric information into the fob which transmits the data via radio waves to unlock the system.
When using passwords for authentication, instruct users to choose good passwords. Names of their family members, birthdays, pet's names are not secure. Passwords should be at least 6 characters and contain a mixture of letters, numbers, and punctuation marks. Passwords should be changed periodically.
When not in use, your workstation should be locked at the operating system level or shut down. A workstation can be locked by pressing CTRL + ALT + DEL and clicking the "Lock Workstation" button on the screen that comes up.
Most laptops come with a lock mechanism that allows you to lock the laptop to your desk or other item to prevent its removal (see right image). These locks look a lot like older bicycle locks. Other types of locks will prevent the laptop from being physically opened, while some laptops have built-in locks that do the same thing.
Garbage and Recycling:
Many companies unwittingly throw sensitive data in the garbage in paper format without shredding it. The same thing often occurs with computer equipment. Often when companies upgrade a computer, they throw away or donate the old one. What they often forget to do is make sure their sensitive data isn't still located on the drive. For starters, computer equipment shouldn't be thrown away - people have been known to dumpster dive to get their hands on sensitive data, not to mention the environmental concerns. If you are going to recycle a hard drive, you can either erase the hard drive with a 3rd party disk cleaning software or take a hammer to the drive and completely destroy it. Formatting a drive doesn't completely erase it and leaves remnants which is why 3rd party software is recommended. If you are going to donate the computer, use the software approach just mentioned.
Protecting Data:
For many companies, their data is the lifeblood of their company and losing could be catastrophic for a variety of reasons. This is why most companies backup their data. There are a variety of backup methods available, but regardless of the type, there are a couple of best practices to follow. First, data should be stored at a separate location (different building) and it should be stored in a safe. Safes prevent the destruction of data during a fire in addition to preventing theft or unauthorized access. The location of the backup data should only be accessible by those who need access to it and kept secure.
Most laptops come with a lock mechanism that allows you to lock the laptop to your desk or other item to prevent its removal (see right image). These locks look a lot like older bicycle locks. Other types of locks will prevent the laptop from being physically opened, while some laptops have built-in locks that do the same thing.
