What is Physical Security? Why is it so important? How does it affect Cyber security?
Physical Security involves the protection of physical assets from a loss of Confidentiality, Integrity and Availability, the CIA Triad. It deals with physically protecting access to assets and limiting their exposure to harm.
Let’s start with Confidentiality, the 1st of the three pillars of the CIA Triad, which is the goal of all Security. We have all heard in the news recently about the publication of the Panama and now the Paradise Papers, where the secret financial dealings of billionaires, some of them heads of state, have been exposed. Obviously, these documents, millions of files in fact, were only meant to be seen by the attorneys involved, as they were highly confidential.
In the same way, in your house, company, or place of business, you must have certain documents which are sensitive, such that only a few people, or in some rare cases only 1 person, should have access. If you’re smart, those documents are in a safe or in a locked file cabinet, access to the safe’s or cabinet’s combination or key is highly controlled, and only a limited number of people are allowed access. By doing this you are protecting the confidentiality of those assets.
You could have servers, the computer that hosts your QuickBooks files, the president’s computer or the computer of the IT Director; these are critical assets and must be physically protected from access. The reason is that if someone were able to get in front of those servers or sensitive computers, they might be able to log in and see, or worse yet steal, privileged information. Protecting the confidentiality of assets is critical to physical security.
How does integrity come into play? Integrity is the 2nd pillar of the CIA Triad that Physical Security protects. This means that the information in that safe, file cabinet, Director’s office or Server Room is safe from alteration. The data is kept in a state of Integrity.
What does that mean? Let me provide an example, and it will be easier to understand. Let’s say someone were to gain access to the accountant’s or finance director’s computer and they altered the files; let’s say they cooked the books or made some modifications to the QuickBooks files and entered information that was inaccurate. What would be the consequences? Depending on the severity of the change and the type of company, it could be devastating.
If the company was a publicly traded company, the company itself, including the board of directors, CEO and Senior Executives, could be held personally liable, including being subject to criminal charges, for exposing the data and reporting false information regarding the financial status of the company (that’s if these changes were never detected and were processed as they normally are, and no other compensating controls existed, such as file verification). There could be stiff fines involved.
Given how competitive business is, there would be a loss of reputation, and the company would lose business, as the firm’s competitors would be happy to assist in winning over its customers. As the saying goes: “Who wants to do business with a tarnished name?”
The integrity of the company’s assets is critical, as the data related to the organization is highly valuable. Any alteration could adversely affect the profitability of the company and its investors. In the worst-case scenario, the company could go out of business. For example, when it was discovered that ENRON had cooked the books or fabricated their financial statements (in this case the company itself maliciously altered its own assets and breached the integrity of its own information to commit fraud), ENRON went out of business, the senior executives went to jail, investors lost 100 billion dollars, and the big 5 accounting firm that had audited their financial information and vouched for its Integrity went out of business.
Physical Security aims to protect the integrity of the physical assets of a company so that they are not altered in any way. Protection of key assets from physical access is critical to ensuring the viability of any business. A computer is just a computer, but if that computer is the one belonging to the secretary of the owner of the company, it must be protected with extra care.
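The "file verification" compensating control mentioned above, shown as an added example that is not from the original article: a baseline of SHA-256 hashes is taken while the files are known good, and a later check reports anything altered, missing or newly added. The file names and contents below are constructed for the demo; a real baseline would be stored somewhere the people with physical access to the machine cannot rewrite it.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large ledgers do not load into memory

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Record a digest for every regular file under root, keyed by relative path."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree against the baseline. Deletions and additions count as
    integrity events too, not just changed contents."""
    current = build_baseline(root)
    return {
        "altered": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: stand-ins for the accountant's files, then an unauthorised edit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger.qbw").write_bytes(b"AP:1200\nAR:4500\n")
        (root / "payroll.csv").write_text("alice,5000\nbob,4800\n")
        baseline = build_baseline(root)                            # taken while known good
        (root / "ledger.qbw").write_bytes(b"AP:1200\nAR:9500\n")  # a receivable figure is "cooked"
        (root / "payroll.csv").unlink()                            # a file disappears
        (root / "notes.txt").write_text("x")                       # a new file is planted
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Running the check on a schedule (and alerting when any list is non-empty) is what turns the hash list into a detective control; the baseline itself must be refreshed only through an approved change.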
What about availability? This is the 3rd pillar of the CIA Triad. For information to be useful it must be available; people must be able to access or use the data. Think about this for a moment: what would happen if your web server, which hosts your company’s important websites and sits in the server room, was unplugged? What if the accountant’s computer that hosts the QuickBooks files was stolen, or someone stole the hard drive? What if there were no backups of that machine?
What if someone broke into the server room and unplugged the fiber connection from the firewall to the core switches, and this was a non-employee? Imagine if this happened on a Monday at 10 AM in the middle of production and no one could log in to the network. What would be the consequence besides many angry users? The availability of data is critical to understanding physical security and cyber security.
How does physical security impact cyber security? I hope I have given some good examples of the relationship between physical and cyber security, but let me emphasize the point: if someone has physical access to a network, they can own it. It’s fine to have perimeter security, Firewalls and IDS/IPS Systems and to set up continuous monitoring, but if you don’t physically protect the building and the hard assets (servers, network equipment, key computers, sensitive documents), you are exposing yourself and your company to serious harm.
Simply put, physical security and cyber security go hand in hand. You cannot have cyber security without physical security. If you don’t protect your assets physically, they will be unprotected from a hacker and you could potentially face a breach.