Oct 28 2003
Physical Insecurity
As a computer security professional, I have to admit that physical security is not always my first concern, but it is something I’m aware of. At one of my first network administration jobs, getting the network and telephony areas secure was probably the single biggest contribution I made for the company. Well, that and getting the servers into a location that didn’t consistently have a temperature in the triple digits.
The reality of network security is that physically securing equipment should be the very first thing considered. All the wonderful authentication tools in the world can become useless once someone with malicious intent has direct access to your servers. Once someone has their hands on your machine it is hard to keep them from compromising it. Really hard, if they’re any good.
A couple of months ago, two men in Australia impersonated workers from a server maintenance company and were able to walk into the Australian airport and walk out with several mainframes. The airport had a breakdown of the 3 P’s: People, Policies and Procedures. Where was the policy that says no one who doesn’t work for the airport can be unescorted in the server room? What happened to a procedure for verifying that the intruders were really who they said they were? Do those security guards still have a job?
I ran into a situation at my own place of business that just reinforces the need for good policies and procedures. Not to mention the wisdom of employing security guards who will work for minimum wage. Apparently, the policy for allowing people into the building before 6:00 am is very different from allowing them in during regular business hours. It’s easier to get into the building when sane people should be asleep than it is during the 9-5 hours. Huh? Shouldn’t the fact that I’m entering the building during off hours raise some alarms in the minds of the security guards? I guess they’re just as punchy at that time as I am.
I am tired of seeing policies that look good on paper and make management think something is getting done, and then seeing the implementation totally ignore common sense. I know that this is probably more of the rule than the exception, but I wish it wasn’t. Think outside the box sometimes: what happens when people come in during off hours, or what happens if someone uses a non-standard port for an application? Most of the security vulnerabilities out there come from a malicious user who finds a way to use your systems (physical and electronic) in unexpected ways. It may be impossible to predict some of these vulnerabilities, but it is possible to minimize their impact.
Oh well, enough rambling, back to work.