Physical security defenses, in many cases, are the primary protective boundary for personnel and assets in the real world. Physical security involves the protection of assets such as personnel, hardware, applications, data, and facilities from fire, natural disasters, robbery, theft, and insider threats. The problem with physical security is that it can be easily overlooked in favor of the more publicized technical issues. Companies do so at their own peril, however, since nontechnical attacks can be carried out with little or no technical knowledge.
Simple Controls

Various controls can be used to protect and preserve the physical security of an organization. You have already encountered several throughout this book. In many cases, just the visible presence of controls is enough to stop an attack. One of the most basic controls that can protect physical interaction with a device, system, or facility is the use of passwords. Passwords can protect a system from being physically accessed or from being used to access a network.
Passwords and Physical Security

Passwords are perhaps one of the best primary lines of defense for an environment. Although not commonly thought of as a protective measure against physical intrusions, they do indeed fulfill this purpose. However, the downside is that unless passwords are carefully and thoughtfully implemented, they tend to be somewhat weak, offering protection against only the casual intruder. Organizations have learned, as you saw in our system hacking exploration, that passwords can be easily circumvented and must be managed in order to avoid problems.
Working with Passwords
Experience has shown that users of systems tend to do the following:

- Ninety percent of respondents reported having passwords that were dictionary words or proper names.
- Forty-seven percent used their own name, the name of a spouse, or a pet's name as their password.
- Only 9 percent actually remembered to use cryptographically strong passwords.
Companies and organizations of all types have had to enforce strong password policies and management guidelines in order to thwart some of the more common and dangerous attacks. As you saw earlier in this book, passwords should always be complex and well managed; components of a good password include the following:
- Allow no personal information in passwords.
- Avoid passwords that are less than 8 characters. The standard nowadays is moving toward 12 characters and longer.
- Require regular password change intervals; for example, every 90 days a password will be changed.
- Enforce complex passwords that include upper- and lowercase letters as well as numbers and special characters.
- Limit logon attempts to a specific number before an account is locked.
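To show how the policy components above translate into enforceable checks, here is an added example (not from the book): a minimal policy checker covering the personal-information, length, complexity, change-interval and lockout rules. The 12-character minimum and 90-day interval come from the text; the lockout threshold of 5 attempts and the plaintext account table are constructed for the demo.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 12        # the text: 8 is the floor, 12 and longer is the current standard
MAX_AGE_DAYS = 90      # the text: change passwords every 90 days
MAX_ATTEMPTS = 5       # constructed threshold; the text says "a specific number"

def check_password(password, personal_info=()):
    """Return the list of policy rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Complexity: upper- and lowercase letters, a digit and a non-alphanumeric character
    classes = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
               "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pat in classes.items() if not re.search(pat, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Personal information: reject any known token (name, spouse, pet) found case-insensitively
    lowered = password.lower()
    for token in personal_info:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal information '{token}'")
    return problems

def password_expired(last_changed_iso, today_iso):
    """True when the password is older than the change interval (dates as ISO strings)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)

class LogonGuard:
    """Counts failed logons per account and locks the account at the threshold."""
    def __init__(self, stored_passwords, max_attempts=MAX_ATTEMPTS):
        self.stored = stored_passwords   # account -> password; plaintext for the demo only,
        self.max_attempts = max_attempts # a real system stores salted hashes
        self.failures = {}
        self.locked = set()

    def attempt(self, account, password):
        """Return 'ok', 'denied' or 'locked' for one logon attempt."""
        if account in self.locked:
            return "locked"
        if self.stored.get(account) == password:
            self.failures[account] = 0   # a successful logon resets the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_attempts:
            self.locked.add(account)
            return "locked"
        return "denied"
```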
Note: Something increasingly observed in the real world is the replacing or supplementing of traditional passwords with additional security measures, including tokens and smart cards. The idea is that the addition of these devices to existing password systems will markedly improve the security of systems and environments overall. The problem is that such an approach carries a large cost up front in terms of upgrades to infrastructure and equipment. However, do expect these devices and systems to become more commonplace.
Screensavers and Locked Screens

In the past, one of the common ways to gain access to a system was to simply look around for an unattended system. In many cases, the system would be left logged in and unlocked by a user who was only going to step away "for a moment" without realizing that a moment was enough for an attacker to cause mischief or worse. To thwart intruders from attempting to use an unattended system, you can use a password-protected screensaver or a locked console.

The older of these two mechanisms is the password-protected screensaver. Its popularity comes from the fact that it is easy to implement and will stop many a casual intruder. The concept is simple: when a user leaves a system idle for too long, the screensaver starts and, once it does, only a password can deactivate it. In most cases, someone walking by wiggling a mouse or tapping the keyboard will be prompted for a password, usually providing a deterrent sufficient to stop any further attempts.

Working alongside or instead of screensavers is the newer and more preferred lock screen. This screen, when available on a given operating system, will actively lock the desktop until a username and password are entered into the system. The benefit of this mechanism over screensavers is that it provides a much more secure way of locking a computer than a simple screensaver, which provides minimal protection. In a Windows environment, pressing Ctrl+Alt+Del will lock the screen manually, while a system administrator can deploy a policy that will lock the system automatically after a defined period. It is important, however, to make sure that users understand that locking the screen automatically does not absolve them of any responsibility for making sure they log out properly.
Note: In some environments, smart cards are issued in addition to standard usernames and passwords. The smart card must be inserted into a reader on the system prior to logging in to the desktop.
Another mechanism for protecting or defending a system is the use of warning banners. When in place, a warning banner provides a high-profile message stating that a user of a system will be held accountable for their actions and consents to other things such as monitoring. In addition, warning banners establish what is and is not acceptable on a system and set the stage legally if any sort of action needs to be taken against a user, such as termination of employment. The following is an example of a warning banner:

    **WARNING**WARNING**WARNING**
    This is a (Agency) computer system. (Agency) computer systems are provided for the processing of Official U.S. Government information only. All data contained on (Agency) computer systems is owned by the (Agency) and may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner, by authorized personnel. THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. System personnel may give to law enforcement officials any potential evidence of crime found on (Agency) computer systems. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING, OR CAPTURING and DISCLOSURE.
    **WARNING**WARNING**WARNING**

Although different companies and organizations will use different warning banners, the intent is generally the same: to inform users that they are being monitored.