Physical and environmental security: because threats are not just digital ...

Companies are not immune to “physical and environmental” incidents, which can have serious consequences for both their information systems and society in general: fire, theft, intrusion, water damage, etc. None of these requires a digital attack; each can damage or expose computer data in a completely “physical” way.

Two videos from CASES illustrate classical “physical threat” scenarios relevant to a company’s or organization’s information systems and data.

  • In the first case, a supposed cleaning lady manages to attach a “sniffer” device to a computer
  • In the second case, a spy manages to find sensitive data simply by searching through garbage cans

The Risks

The proliferation of laptops, tablets and other portable devices increases the risk that they will be lost or stolen. A study by Kensington revealed that:

  • 89% of companies have already experienced a laptop theft
  • 67% of laptop thefts occur at the office
  • Only 3% of stolen laptops are recovered

It should be noted that the real cost of these incidents is more than the price of the hardware. Overall costs can become astronomical if sensitive data was stored on the stolen equipment or if the thief was able to reach other company resources through the stolen PC.

The following two scenarios, both actual events that occurred in Luxembourg, illustrate the damage that can be done.

The first is the well-known “Medicoleaks” case of 2012, when thousands of medical records were disclosed because a password was visible to visitors. This event was a typical “theft of passwords” and can be considered a form of “spying”. It could also be classified as “sabotage”, since the integrity of the data could have been destroyed.

More recently, several violent floods have done damage in many locations and have affected more than 30 companies located near the Müllerthal. Several of them (including 1 hotel, a garage and some professional offices) lost data due to the water damage done to their IT infrastructure.

The Impact

The impact of physical security vulnerabilities can be very high: data can be completely destroyed (in the case of fire or flood), can be used in a malicious way by third parties, or just corrupted.

In general, these incidents can have 5 types of impact:

  • Operational impact: the daily functioning of the organization is affected.
  • Financial impact: direct losses, market losses, …
  • Impact on reputation: loss of customer confidence
  • Legal impact: where legal proceedings are concerned
  • Impact on the person: a victim is directly affected in some way

Each risk can have several types of impact. The table below gives some examples:

Risk               | Most likely and possible impacts
Fire               | Operational, financial, reputational
Water damage       | Operational, financial, reputational
Electrical failure | Operational, financial, reputational
Communications     | Operational, financial
Intrusion or theft | Financial, personal, reputational, legal
Espionage          | Operational, financial, personal, reputational, legal
Sabotage           | Operational, financial, legal, reputational

Note that one disaster can have several types of simultaneous impacts. For example, if a construction company loses data after a fire, it could experience a financial, operational and legal impact.

Prevention and protection

A company that wishes to prosper must remain open to the outside world. But openness does not mean a “free for all”. First of all, physical security needs to conform to the standards in force concerning both fire and environmental risks. Next, the organization should define its sensitive areas (computer room, specific offices …), which must be protected in a specific way because they shelter vital data or critical infrastructure; this amounts to a high-level inventory dedicated to security.

The protection of sensitive areas must be based on a prioritization of which risks to combat first. For example, in the case of fire, suppression systems should use agents that are not likely to damage computer hardware, fireproof cabinets may be required, and restrictions on smoking should be enforced. A recovery plan covering the protection of all IT infrastructure should be put in place and tested.

For all types of risk, the approach should be the same:

  1. Define the perimeter
  2. Put in place preventive measures (to avoid the disaster) and protective measures (to limit damage to the installation if the disaster occurs).
  3. Test and evaluate these measures regularly.

To protect against all of these risks, approaches may vary depending on the situation. Below are some basic protective measures which are required for most cases:

To guard against            | Protective measures
Electrical failure          | Electronic protection / controls (inverters …); redundancy (duplication of machines / circuits)
Fire                        | Detection and fire protection: smoking ban, disaster plan, fireproof cabinets …; decentralized back-ups; redundancy (duplication of machines / circuits)
Flooding                    | Location of computer rooms outside risk areas; flood detection system; elevation of computer equipment; use of hermetic tubes for wiring; compartmentalized flooring; decentralized back-ups, dry archives
Theft, intrusion, espionage | Restricted physical access; tracking of visitors; alarm systems
Sabotage                    | Redundancy (duplication of machines / circuits); decentralized back-ups; restricted physical access
Hardware malfunctions       | Regulation of temperature (computer rooms)

Visitors can pose a significant risk (theft or espionage) if there is insufficient tracking or access control. In recent years, CASES diagnostics have recorded several failures linked to the reception and tracking of visitors: notably an unstaffed or unattended reception area and a lack of access control to sensitive locations.

Printers located in corridors are sometimes used to print sensitive data, and employees often do not collect their printouts immediately; this leaves plenty of time for someone else to read or copy sensitive information.

Example: a law firm practicing commercial litigation, with ongoing court cases. Any leaked information could be used to harm its clients or to influence the outcome of cases. Strict physical protection measures must therefore be taken to prevent any form of leakage. For example, clients or service providers should be met at reception and then escorted to dedicated meeting rooms, so that these visitors cannot come across confidential information.

We must also beware of prying eyes on public transportation, in restaurants and in lobbies. Be aware, too, that people can watch you through windows. One solution is to fit screens with a privacy filter, which makes the display unreadable to anyone outside the viewing angle of the legitimate user… Good to know!

Garbage cans are often used by spies who are not afraid of getting their hands dirty to find the information they are looking for. To remove this opportunity, simply send all documents to the shredder so that they become unreadable. Beware of digital media that are to be discarded: physical destruction is necessary, because simply erasing the data is not always enough to make it unrecoverable.

Where to start?

Ensuring optimal protection for your business against all risks may seem an insurmountable task to some, but we must not give up. On the contrary, we can start with some simple and inexpensive measures, or “quick wins”, that immediately and significantly reduce our level of risk. For example, we could think about:

  • Installing an inverter (uninterruptible power supply)
  • Setting up a controlled access system with alarm
  • Establishing an access control procedure and visitor log
  • Placing computer locks on desktops …
  • Increasing employee awareness via training

If you want to better understand your physical security flaws through an initial diagnosis, you can contact us to take advantage of our CASES Diagnosis service.
