Physically hacked off
So far, we have tentatively flagged the importance of a safe working environment and of a secure network from fingertips to page query. We'll begin to tuck in now, first looking at the physical risks to consider along our merry way.
Note
Risk falls into the broad categories of physical and technical, and this tome is mostly concerned with the latter. Then again, physical weaknesses are so commonly exploited by hackers, often as an information-gathering preface to a technical attack, that it would be remiss not to cover this aspect of security and, moreover, not to sweet-talk the highly successful art of social engineering.
Physical risk boils down to the loss or unauthorized use of (materials containing) data:
Break-in or, more likely still, a cheeky walk-in
Dumpster diving or collecting valuable information, literally from the trash
Inside jobs because a disgruntled (ex-)employee can be a dangerous sort
Lost property when you leave the laptop on the train
Social engineering, which is a topic we'll cover separately, so that's ominous
Something just breaks ... such as the hard drive
Password-strewn sticky notes aside, here are some more specific red flags to consider when trying to curtail physical risk:
Building security whether it's attended or not. By the way, who's got the keys? A cleaner, a doorman, the guy you sacked?
Discarded media or paper clues that haven't been cross-cut shredded. Your rubbish is your competitor's profit.
Logged-on PCs left unlocked and unattended, or with hard drives unencrypted and lacking strong admin and user passwords for the BIOS and OS. Note that a BIOS password on its own does not protect the data: an unencrypted drive can simply be pulled and read on another machine, so full-disk encryption is the control that matters, with the BIOS password there to stop someone booting from their own media.
Media, devices, PCs and their internal/external hardware. Everything should be pocketed or locked away, perhaps in a safe.
No Ethernet jack point protection, meaning live, unused ports that anyone can plug into (no port security or 802.1X), and no idea where the cable runs, or who can reach it, beyond the building.
No power-surge protection, which is a false economy too, as is skipping a UPS for anything that must stay up or shut down cleanly.
This list is not exhaustive. For mid-sized to larger enterprises it barely scratches the surface, and you do need to employ physical security consultants to advise on anything from office location to layout, as well as to train staff to create a security culture.
Otherwise, if you work in a team, you at least need a policy detailing each and every one of these elements, whether they impact your work directly or indirectly. Consider designating, and sub-designating, who is responsible for what and for policing, for example, kit that leaves the office. Don't forget cell phones and smartphones, and even diaries.
Note
Refer to Appendix C's Security Policy as a template to start working on yours.