The Internet Encyclopedia (Volume 3)



PREVENTIVE MEASURES

when the worst-case scenario becomes reality. Unfortunately, there is no comparable preventive measure for confidentiality.

Control and Monitoring of Physical Access and Use
There are several philosophical approaches to physical access control, which can be used in combination with one another:


  1. Physical contact with a resource is restricted by putting it in a locked cabinet, safe, or room; this would deter even vandalism.

  2. Contact with a machine is allowed, but it is secured (perhaps permanently bolted) to an object difficult to move; this would deter theft. A variation of this allows movement, but a motion-sensored alarm sounds.

  3. Contact with a machine is allowed, but a security device controls the power switch.

  4. A machine can be turned on, but a security device controls log-on. Related to this is the idea of having a password-protected screensaver running while the user is away from the machine.

  5. A resource is equipped with a tracking device so that a sensing portal can alert security personnel or trigger an automated barrier to prevent the object from being moved out of its proper security area.

  6. An object, either a resource or a person, is equipped with a tracking device so that his, her, or its current position can be monitored continually.

  7. Resources are merely checked in and out by employees, for example by scanning barcodes on items and ID cards, so administrators know at all times who has what, but not necessarily where they have it.


Yet another approach can be applied to mobile computers, which are easier targets for theft. More and more high-density, removable storage options are available, including RAM-disks, DVD-RAMs, and memory sticks. This extreme portability of data can be turned to an advantage. The idea is to “sacrifice” hardware but preserve the confidentiality of information. If no remnant of the data is stored with or within a laptop (which may be difficult to ensure), the theft of the machine from a vehicle or room will not compromise the data. The downside is that the machine is removed as a locus of backup data.

There are also a multitude of “locks.” Traditional locks use metal keys or require a “combination” to be dialed on a wheel or punched on an electronic keypad. Another traditional “key” is a photo ID card, inspected by security personnel. Newer systems require the insertion or proximity of a card or badge; the types of cards include magnetic stripe cards, memory cards, optically coded cards, and smart cards (either contact or contactless). The most promising direction for the future appears to be biometric devices, the subject of a separate article; a major advantage of these is that they depend on a physiological or behavioral characteristic, which cannot be forgotten or lost and is nearly impossible to forge.

To paraphrase General George C. Patton, any security device designed by humans can be defeated by humans. Each type of locking device has its own vulnerabilities and should be viewed as a deterrent. In some cases, even an inexpensive, old-fashioned lock is an adequate deterrent—and certainly better than nothing (as is often the case with wiring cabinets). In assessing a candidate for a security device or architecture, the time, resources, and sophistication of a likely, hypothetical attacker must be correlated with both the security scheme and the assets it protects.

An example may be helpful. To determine the suitability of smart cards, first research the many potential attacks on smart cards and readers. Then estimate how long an outsider or malicious insider might have unsupervised access to a smart card or reader of the type used or in actual use. Finally, make a guess as to whether the assets at stake would motivate an adversary to invest in the necessary equipment and expertise to perform a successful attack given the level of access they have.

It is sometimes appropriate for an organization to allow public access on some of its computers. Such computers should be on a separate LAN, isolated from sensitive resources. Furthermore, to avoid any liability issues, the public should not be afforded unrestricted access to the Internet.

A different aspect of access is unauthorized connections. A multipronged defense is needed. Checking for renegade modems can be done either by visually inspecting every computer or by war-dialing company extensions. Hubs must be secured and their ports should be checked to verify that they are used only by legitimate machines. Unused jacks or jacks for unused computers must be deactivated. Computers that are no longer on the LAN must be locked away or at least have their hard drives sanitized. To prevent wiretapping, all wires not in secured spaces should be enclosed in pipes (which can themselves be protected against tampering). Unprotected wires can periodically be tested by sending pulses down the wires; exhaustive visual inspections are impractical.
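
The port check described above can be automated once a port table is available. The following is an added example, not part of the original article: it compares a snapshot of hub or switch ports with an asset inventory and reports unknown devices, live unused jacks, and retired machines that have reappeared. The snapshot format, field names, and MAC addresses are constructed assumptions.

```python
# Added example: audit a port snapshot against an asset inventory.
# All ports, MAC addresses and field names are constructed for illustration.

def norm(mac):
    """Normalize a MAC address to lowercase hex without separators."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def audit_ports(snapshot, assigned, retired):
    """Return sorted (port, finding) pairs for ports that violate policy.

    snapshot: dicts with 'port', 'enabled' (admin state), 'mac' (None if no link)
    assigned: port -> MAC of the legitimate machine expected on that jack
    retired:  MACs of machines that are no longer supposed to be on the LAN
    """
    expected = {port: norm(mac) for port, mac in assigned.items()}
    known = set(expected.values())
    gone = {norm(m) for m in retired}
    findings = []
    for row in snapshot:
        port = row["port"]
        mac = norm(row["mac"]) if row["mac"] else None
        if port not in expected and row["enabled"]:
            findings.append((port, "unused jack is still active"))
        if mac is None:
            continue
        if mac in gone:
            findings.append((port, "retired machine is connected"))
        elif mac not in known:
            findings.append((port, "unknown device"))
        elif expected.get(port) != mac:
            findings.append((port, "legitimate machine on wrong jack"))
    return sorted(findings)

# Constructed sample data (MACs taken from the documentation range 00:00:5E:00:53:xx).
SNAPSHOT = [
    {"port": 1, "enabled": True, "mac": "00:00:5E:00:53:01"},
    {"port": 2, "enabled": True, "mac": "00-00-5e-00-53-99"},
    {"port": 3, "enabled": True, "mac": None},
    {"port": 4, "enabled": False, "mac": None},
    {"port": 5, "enabled": True, "mac": "00:00:5e:00:53:0a"},
    {"port": 6, "enabled": True, "mac": "00:00:5e:00:53:02"},
]
ASSIGNED = {1: "00:00:5e:00:53:01", 2: "00:00:5e:00:53:02", 6: "00:00:5e:00:53:06"}
RETIRED = ["00:00:5e:00:53:0a"]

if __name__ == "__main__":
    for port, finding in audit_ports(SNAPSHOT, ASSIGNED, RETIRED):
        print(f"port {port}: {finding}")
```
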

A more complex issue is that of improper use of services, especially e-mail and Internet access, whose proper use may be an essential part of work-related duties. Companies are within their rights to limit or track the usage of their resources in these ways, even if employees are not forewarned. Many employers monitor e-mail passing through company hardware, even that for an employee’s personal e-mail account. In addition, they use activity monitors, software to record keystrokes, to capture screen displays, or to log network access or use of applications. (These monitoring activities can in turn be detected by employees with suitable software.) Alternatively, inbound or outbound Internet traffic can be selectively blocked, filtered, or shaped; the last is the least intrusive because it limits the portion of bandwidth that can be consumed by certain services while not prohibiting them entirely.

Control and Monitoring of Environmental Factors
HVAC systems should have independently controlled temperature and relative humidity settings. Each variable should be monitored by a system that can issue alerts