The Internet Encyclopedia (Volume 3)



PHYSICAL SECURITY

service to a building is interrupted, but phone systems in general become overloaded and may sustain damage as a result of a major event. Or cellular services could be shut down (as occurred on September 11, 2001, for fear they might be used to trigger bombs). An alternative emergency communication system would be a battery-powered, two-way radio that broadcasts on a frequency monitored by emergency agencies. In any case, RF-emitting devices must not be active near equipment that could suffer from the emissions.

ISP (Internet service provider) redundancy is also complicated. Politically, operationally, and economically, it may make sense to have a single ISP. From the standpoint of robustness, it is better to have at least two service providers and to have their respective cables exit the organization’s physical perimeter by different routes (so that any careless excavation cannot damage both lines). Internally, the organization must be able to switch critical services promptly from one provider to the other.

The ultimate redundancy is a hot site, ready to take over operations. This does not need to be owned outright; services of this sort can be contracted.

Sanitization of Media
At some point in time, every piece of storage media of every type will cease to play its current role. It may be reused to store new information, it may be recycled into a new object, or it may be “destroyed” in some sense (probably not as thoroughly as by incineration). If the media is to be used by another individual not authorized to access the old information, the old information must be purged. In the case of recycling or destruction, the original user of the media may assume that no attempt to access the old information will be made after it leaves his or her possession; as was pointed out in the discussion of dumpster diving, this is a foolhardy assumption. Sanitization of media that held sensitive information at any time is the responsibility of its owner.

Printed media holding sensitive information can be shredded. Some shredders are worthless, slicing pages into parallel strips, which can be visually “reassembled.” At the other extreme is government equipment that liquefies documents to the point that they cannot be recycled (due to the destruction of the paper fibers). In between are crosscut shredders that produce tiny pieces of documents, a reasonable approach.

For magnetic media, one of the best known vulnerabilities comes from “deleting” a file, which really only changes a pointer to the file. There are commercial, shareware, and freeware tools for (repeatedly) overwriting files so that each byte is replaced with random garbage. Echoes of the original information may remain in other system files, however. Another potential problem is that sectors that have been flagged as bad might not be susceptible to overwriting. Special, drive-specific software should be used to overwrite hard drives because each has its own way of using hidden and reserved sectors.

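
The file-overwriting approach described above, as an added example that is not from the encyclopedia or from any particular tool. The names `overwrite_file` and `demo`, the pass count, and the sample data are assumptions made for illustration.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB blocks so large files do not fill memory


def overwrite_file(path, passes=3, delete=True):
    """Overwrite every byte of `path` with random data, `passes` times.

    This reaches only the file's own bytes. Copies elsewhere on the system
    and sectors flagged as bad are not touched, as the text notes.
    """
    size = os.path.getsize(path)
    # "r+b" opens the existing file without truncating it, so the writes
    # address the same file offsets that held the old data.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # ask the OS to flush this pass to the device
    if delete:
        os.remove(path)  # only now drop the directory entry (the "pointer")
    return size


def demo():
    """Constructed sample: a temporary file holding a fake secret."""
    secret = b"ACCOUNT=constructed-sample-secret\n" * 1000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    n = overwrite_file(path, passes=3, delete=False)
    with open(path, "rb") as f:
        after = f.read()
    survived = b"constructed-sample-secret" in after
    overwrite_file(path, passes=1, delete=True)
    return n, len(after), survived, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```
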
Even after all sensitive bytes have been overwritten by software, there may still be recoverable data, termed magnetic remanence. One reason is that write heads shift position over time, that is, where new bytes are written does not perfectly match where the old bytes were written. Hence the use of a degausser (bulk eraser) is generally recommended. Some models can each accommodate a wide range of magnetic media, including hard drives, reel or cartridge tape, and boxed diskettes. Degaussers are rated in Gauss (measuring the strength of the field they emit), in Oersteds (measuring the strength of the field within the media they can erase), or in dB (measuring on a logarithmic scale the ratio of the remaining signal to the original signal on the media). A degausser generates heat rapidly and cannot be operated continuously for long periods; it should be equipped with an automatic shutoff feature to prevent overheating. Even degaussing may leave information retrievable by an adversary with special equipment. Another suggestion is to grind off the surface of a hard drive. For more information on magnetic remanence, see National Computer Security Center (1991), also known as the Forest Green Book in the Rainbow Series.

Guidelines for sanitizing write-once or rewritable optical media are not as clear. In theory, even write-once disks can be overwritten, but this is not reliable. Two “folk remedies,” breaking the disk or placing it in a microwave oven for two seconds, should not be used. Another suggestion, scratching, may be ineffective because there are commercial products and services for repairing scratched disks by polishing. Therefore, if complete destruction of the disk is not possible, it should be ground to the point of obliterating the layer on which the data is actually stored.

For maximum security in recycling or disposing of media, study forensic science as it applies to computing (a separate article), and learn to think forensically—if a government agency could recover information from your media, so could a sufficiently sophisticated adversary.

Physical Security Awareness Training
Because security is everyone’s business, education is one of the most important aspects of physical security. It is also cost-effective. Proper practices cannot replace expensive security equipment, but improper practices can negate the value of that equipment. All personnel should be trained how to react in case of a fire, the most likely threat to life in a computing facility. The most important aspect is practicing egress procedures. In the areas where total flooding (to be discussed later) is to be employed, occupants of those areas must understand the different alarms, must know how to proceed when the first alarm sounds, and must appreciate the seriousness of that environment. (A short science lesson might help.) All personnel should be acquainted with the location and proper use of portable fire-suppression devices. If more than one type is available, they must know which type is suitable for which kinds of fires. Depending on how many operations are automatic, certain people (enough so that an adequate number are always on duty) must be trained to perform extra duties, including shutting off electricity and natural gas, calling emergency officials, and operating special fire systems (hoses, wheeled portable units, manually controlled sprinklers, etc.).

The variety of possible disasters is so broad (e.g., fallen space debris—with or without radioisotopes), it is impossible to educate employees with regard to every