Let’s get physical

Phishing scams and viruses dominate the headlines, but enterprises remain under threat from a more mundane attack vector: physical breaches. NME looks at how companies can protect their network from physical attacks and the increasing role of IT in physical security.

By  Administrator Published  February 1, 2007

It is always imperative for enterprises to ensure their network is protected by robust and up-to-date IT security solutions. However, regardless of the number of service packs installed on company systems, if an enterprise's server is left in an unsecured room, and if the company's physical perimeter is insecure, there is nothing stopping an intruder from directly accessing the IT systems and stealing data. But, with the rise of biometrics and converged security systems, IT is beginning to increase the diversification and reliability of physical security solutions.

Physical security can mean many things and envelop many areas, and attackers can penetrate it in many ways. From physically rebooting the server, installing a new copy of the operating system, and establishing new access rules, to searching through bins to recover disposed documents and printouts that can contain sensitive company data, motivated individuals can use a wide variety of techniques at the physical level - not least just plugging in to a handy network port.

The main goal in building any security program is to ensure that an enterprise is not susceptible to theft or vandalism, through the development and establishment of proper security measures. Organisations need to take steps to lessen the risk of possible breaches, and all members of an organisation need to be aware of the role they play in the securing of company assets.

David Michaux, CEO of Scanit, believes that the culture of trust in the Middle East has made physical security in the region particularly lax.

"It is not all that hard to walk past security guards. Especially in this part of the world where a nice suit and a big smile, or a short skirt, means you can walk right past a guard without having too many questions asked of you. Although they are becoming a lot better trained, they still are not given the authority they need to prevent people getting access, they are the simplest thing to bypass," he says.

The security of a network can be significantly compromised if an attacker gains any degree of physical access to a company terminal. Hackers can bypass server security software, steal, crack or just guess user passwords, and reset routers to get access to entire enterprise IT systems.

"For a lot of companies here it is like an egg, it has a relatively strong shell on the outside but a very weak inside. So if you can manage to get in past a perimeter then you have a good chance to get what you want," says Michaux.

Traditionally only authorised individuals would be able to access a company's network. Servers were previously locked in secure rooms where only IT people would venture. Today branch offices are receiving servers that demand larger communications bandwidth. More operations are moving local to the user to further improve their responsiveness.

This leads to a situation where servers end up coexisting with other equipment and potentially with a cross-section of employees. A server may end up sitting at the back of an office or tucked away in the recreation area, where stringent physical access systems may not be practically installed and careless employees are more liable to inadvertently unplug a cable.

However, with companies becoming increasingly reliant on providing computer access across departments, businesses have had to democratise computer access technology, creating the need for secure identity management.

However, nothing is secure today unless there is a continuous audit carried out. Tushar Gosh, Ejada's practice head of security, has been in the IT security industry in the Middle East for 27 years. He believes the major concern for security managers should be to ensure compliance measures are in place.

"Administrators have to meet the compliance objectives of the organization, by not doing anything without the proper authorisations, in order to prevent floor violations. There are products that look for compliance and auditing automatically, and events can alert users automatically. So it is secure as long as the proper auditing and compliance is in place. That is my firm belief," comments Gosh.

A simple lock and key can suffice but, if a company deals with data that is particularly valuable, an audit trail, detailing who is accessing what, can prove incredibly useful. Identity management solutions can enable provisioning for new users, streamlining the creation of directory accounts and required user applications, as well as physical access privileges and web-application access control. However, they can be costly and time-consuming to implement.

Wireless networks confound the issue by potentially giving users access to a company's network without having to navigate through a physical access point. However, there are common sense tactics a security manager can use to protect a wireless network with physical security. The most obvious is to ensure the signal strength of the transmitters is set to a level that does not extend outside the physical perimeter of the company.

Gosh believes that Middle Eastern enterprises are not spending enough on the latest technology to physically secure their networks, stating that even basic identity management technology has not taken off due to the reluctance of regulatory bodies to enforce security regulations onto Middle Eastern enterprises. According to Gosh, the first step all enterprises should take is to make sure a secure identity management solution is in place.

"People know what the regulatory bodies are saying, they understand the regulations, but the central authorities are not enforcing it. So having a proper identity management will be using a proper product, which has compliances to various security regulations and can be enforced is highly important," says Gosh.

A great many access solutions are not reliable, according to David Michaux. The most common access technology in the Middle East, according to Michaux, works on PIN identification. However, such systems are not hard to bypass, as Michaux believes a vast number of individuals choose combination keys that are relatively easy to crack.

"Most people use 1234 or 0000 with four digit passwords, so companies need to be tight with their policies to avoid such practice. Magnetic strip card access is primarily a waste of time, it is a technology from 1974 and I think you can find enough tools on the internet to bypass that. Smart cards are getting pretty good, although the new credit card standards have just been broken, so smart card technology may not be all that secure," says Michaux.

It is not always feasible for large enterprises to install an impenetrable network perimeter. Breakdowns in security always happen. Therefore monitoring is necessary to ensure that unauthorized actions do not occur with the server. By monitoring for servers that go offline, you can identify connectivity and stability problems as well as machines that may be targets. For an intruder to attack a server, they will have to take it completely off the network, either by removing the equipment or by rebooting it to their own operating systems.

Monitoring for when a server is present and when it is not present is obviously a good way to ensure nobody walks off with it, but for a security manager to identify who took the server, video monitoring needs to be employed. IP based cameras, such as the ones offered by Axis Communications, can detect motion and be equipped with event management functionality in order to notify users when a stationary object, such as a server, has been moved. They can then record images and forward them to an e-mail account or an FTP server. This can work well in an office environment. However, environments that contain a great deal of visual activity can cause the camera to make mistakes, necessitating the deployment of small magnetic door switches, which allow the cameras to know when an enclosed area has been breached and notify users.

Because a great deal of recently built offices are now pre-equipped with networking as standard, cable and IP cameras can make use of this infrastructure in their installation. Therefore users do not need extra equipment other than standard PCs and servers to store and view the images, a cost effective solution for businesses.

"The intelligence can add a lot of value to a security system. If an enterprise decides to go for an intelligent IP solution closely linked with the physical security then the biggest thing they receive is flexibility and also a huge economy of scale in terms of installation because in any new building the first thing that is put in is the network infrastructure and you can use some of that for the security system," says Simon Nash, product manager - network video monitoring and CCTV, Sony.

"The bandwidth is there, we can create VLANs within the network, and we can virtually separate the network into different functions depending upon the customer requirement and if you want to upgrade the network you upgrade the end points, putting in better switches," he adds.

Gilles Ortega, regional director of Axis Communications, has recently opened offices in Dubai in order to meet the strong demand in the region for IP based monitoring solutions. He believes IP based cameras are a cost effective converged solution for enterprises and offer significant benefits over older CCTV technologies.

"Most of the time if you compare analogue camera to IP camera, yes the cost of the analogue with similar features is lower price, but it is only a camera, it is a lens only. An IP camera is a lens, together with a kind of embedded PC, with all of the networking features embedded into the camera, so you don't need any other equipment to connect it to the network.

"What we can see so far when we are working on the project, and we are facing analogue solutions, is that it is usually the same price or even cheaper overall to use IP solutions when making use of the already existing IP infrastructure," says Ortega.

The logical extension of the above technology is the complete convergence of IT and physical security systems. Enterprise security convergence has been talked about for some years now, and analysts continue to predict the point when companies will begin to take a holistic view of their security operations.

For instance the first access card security barrier you encounter when you enter a building will be integrated into the same security system you navigate when you log onto your PC at your desk. When converged, these conventionally separate systems will interconnect, communicate and validate a user's identity across systems, in order to provide an audit trail of what an individual within a company does and where he goes.

Scanit has devised an innovative employee training system that gives users access to IT and physical areas, via a centralised system.

"So when a new user comes into a company they have to go through our system and they are given basic safety and security videos, email policy videos, proper internet surfing classes, which then gives them authorisation on their access card for the relevant system," says Michaux.

However, merging these very different systems requires a cultural and technological shift within an organisation, due to the age-old separation of the IT security and physical security universes. Physical security and building access systems are usually installed by a corporation's security department - typically comprised of staff with backgrounds in law enforcement rather than IT - whereas logical security systems fall under the jurisdiction of the IT department. Nevertheless, Gosh sees convergence as a major priority for business in the Middle East region.

"Convergence is absolutely necessary because I can have a policy, but if I am supposed to work on a machine I should have entered the premises, if I have not entered the premises then someone is faking my identity," says Gosh.
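The check Gosh describes, a workstation logon that has no matching entry to the premises, can be run over the two audit trails once they are brought together. The following is an added example, not part of the original article or any vendor's product; the event formats, user names, workstation names and the 14-hour staleness threshold are assumptions, and it assumes local console logons only and synchronised clocks.

```python
from datetime import datetime, timedelta

MAX_PRESENCE = timedelta(hours=14)  # assumed policy: an older badge-in is stale

# Constructed sample audit trails (illustrative, not from the article).
BADGE_EVENTS = [  # (timestamp, user, direction) from the door controller
    ("2007-02-01T08:02:11", "alice", "IN"),
    ("2007-02-01T08:15:30", "bob", "IN"),
    ("2007-02-01T12:01:05", "bob", "OUT"),
]
LOGON_EVENTS = [  # (timestamp, user, workstation), local console logons only
    ("2007-02-01T08:10:40", "alice", "WS-014"),
    ("2007-02-01T09:00:00", "carol", "WS-022"),  # never badged in
    ("2007-02-01T12:30:00", "bob", "WS-031"),    # logon after badging out
    ("2007-02-02T01:00:00", "alice", "WS-014"),  # badge-in almost 17 h old
]

def find_presence_violations(badge_events, logon_events, max_presence=MAX_PRESENCE):
    """Return (timestamp, user, workstation, reason) for logons without a valid entry."""
    timeline = [(datetime.fromisoformat(ts), 0, u, d) for ts, u, d in badge_events]
    timeline += [(datetime.fromisoformat(ts), 1, u, ws) for ts, u, ws in logon_events]
    timeline.sort(key=lambda e: (e[0], e[1]))  # badge events first on timestamp ties
    inside_since = {}    # user -> time of the badge-in that is still open
    seen_badge = set()   # users with any badge activity on record
    findings = []
    for when, kind, user, detail in timeline:
        if kind == 0:  # badge event: update the presence state
            seen_badge.add(user)
            if detail == "IN":
                inside_since[user] = when
            else:
                inside_since.pop(user, None)
            continue
        entered = inside_since.get(user)  # logon event: check presence
        if entered is None:
            reason = "logon after badge-out" if user in seen_badge else "no entry on record"
        elif when - entered > max_presence:
            reason = "stale badge-in"
        else:
            continue
        findings.append((when.isoformat(), user, detail, reason))
    return findings

if __name__ == "__main__":
    for finding in find_presence_violations(BADGE_EVENTS, LOGON_EVENTS):
        print(finding)
```

A finding is a prompt for investigation rather than proof of impersonation: someone who followed a colleague through an open door produces the same "no entry on record" result as a stolen password.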

However, such systems are hard to implement and often require planning from the ground up.

"I have not seen truly converged systems in use in the Middle East. I haven't seen companies being able to adopt it and I haven't seen them able to integrate it into their systems. I think it is a very complex task and it requires a company to plan this from the very start. If you have an existing enterprise then to install a converged system to control the physical and logical security is an incredible task, it needs to be thought of from the ground up," says Michaux.

Ortega believes another reason behind the slow uptake of converged systems is that many IT manufacturers themselves are not doing enough to promote the technology.

"Everything is linked to communication and training so on our side we have to train and to educate the market and to explain the benefits of this convergence. I do not think IT security managers are closed to this, they are fully open, as long as we can prove the benefit and show how it can make their life easier, there is no reason for them to refuse," says Ortega.


Fingerprint recognition

Fingerprint recognition has come a long way. Access gates can now use a semiconductor fingerprint door lock, which is near impossible to fool, since the lock requires a small amount of body-generated electricity to activate. Currently it is the most efficient and cost effective biometric authentication system available.

Iris recognition

The iris is the most distinctive feature of the body, statistically more accurate than DNA. The technology works by comparing the patterns in the exterior iris, rather than retinal scanning, which analyses the vascular patterns inside the eye.

Facial recognition

A big advantage of facial recognition is that it can continuously verify your authentication credentials by constantly updating itself every time a user logs into the system, storing up to 90-100 different biometric blueprints that identify who you are. The downside of facial recognition is that it can be fooled using photographs, though companies such as FastAccess have developed systems that are sensitive to environmental conditions and less easily fooled.

