Physical Security

In my many years of working in the computer industry, one fact has always amazed me. You see, for years I was a consultant, helping companies solve their business problems using advanced computer systems. And after being a consultant for a number of years, I was promoted to the Vice President of Consulting. Later, when I changed companies, my role remained the same.

One task that we performed for many clients was to inspect their computer systems for security issues. This was much different back in those days - there were no PCs, no desktop systems of any kind really, and no internet or world wide web.

Yet these systems had security vulnerabilities galore - usually the same issues from site to site. Banks of modems with weak (or in one case no) password protection, default passwords on system accounts, personnel with questionable backgrounds and poor or entirely missing backup procedures.

Some of the points below summarize simple things that you can do to increase the physical security of your computer equipment. I am not suggesting that you be paranoid or anything like that - just treat your computer equipment as if it was valuable and as if someone wanted to take it from you.

Lock the computer room door - You don't have any idea how many computer facilities I've examined over the years which violate the first rule of physical security: put them into a room with a door which has a lock (and remains locked most of the time). You see, the computer room is typically windowless, hidden in some out-of-the-way area where no one can see it. An evil-doer can gain access and then take his time to crack your system. So if you've got a computer room, for god's sake lock it up.

Lock office doors and cabinets - You cannot watch every entrance to your building all of the time. It's best to make sure that any cabinets containing disk drives, laptops, handheld systems or anything of that nature remains locked up when not in use. Remember that much of this equipment is easily shoved into  briefcase or under a coat, so take a few simple steps to prevent that from happening.

Secure workstations - Computers are expensive pieces of equipment. Even more important, they contain data which is often priceless. Modern computer systems are small, light, and easily stolen. Lock them down by bolting them to the desk, attaching a cable or some other means. This will not prevent a determined thief from stealing them, but it will prevent casual stealing by the cleaning crew.

Add a system or BIOS password - Most workstations allow you to lock them down even further with a BIOS or system password. This prevents someone from rebooting them up into the BIOS, which prevents someone from easily formatting hard drives, reinstalling an operating system or whatever. Keep these BIOS passwords secret.

Secure diskettes, tapes and other media - 

Secure disk drives - In many ways, the data on your disk drives is worth far, far more than the computer systems themselves. Make sure you don't leave spare drives sitting around for someone to shove in their pocket. And while you are at it, ensure that each and every disk drive gets scrambled and formatted before it gets thrown out, sold or given away.

Secure company information - In the past, it was common for hackers to sift through trash cans (this was called Dumpster Diving) to find printouts with valuable information such as account names and passwords. They might also pose as repair people and look around the office for information that they can use. Be sure all of this information, as well as accounting and other data, is properly secured and disposed of. 

Control access to the building - Don't let just anyone wander around your building. At my office, we only allow visitors in through the front lobby, and they only go into the back (where we all work) with an escort. It's not a matter of trust, it's just that visitors are unknown and thus must not be allowed access to sensitive data.

Secure remote systems - Don't forget about remote systems. I remember one security audit that I performed years ago. The customer passed with flying colors, until I examined the security of those systems that dialed into the mainframe. Because that security was weak, it was possible for someone to gain access from those systems into the main system. In addition, remote terminals at stores, warehouses, vendors and even at home must be secured or have extremely restricted and controlled access.

Laptop security - It's wise to assume that any or all of your laptops could be stolen or lost at any time. How much of a problem would that be? I usually recommend that laptops data be encrypted, at least. Also, passwords and vital databases should never, ever be saved on laptops - it's too easy for them to disappear unexpectedly.