Physical Security not a high enough priority…

We regularly do network and application reviews for customers to make sure they know where the security problems are hiding. I kind of expect to find servers unpatched, applications accepting unvalidated user input and the raft of standard security faux pas on both the network administrator and developer sides of the house. What gets me every time is when I see physical security ignored or given token attention.


I was once teaching a class on SQL Server when a student jumped up and ran from the room, not to be seen again for 2 days. I asked what I had said wrong and was told that 16 of his servers had been stolen out of their datacenter. The datacenter in question had been on the 1st floor and had windows, which the thieves broke before taking the machines at their leisure. This is an extreme case and it happened back when SQL Server 6.5 was still a new product, but you would be surprised how many companies are still largely ignoring physical security.


Over 50% of hacking is done from the inside. Physical possession is the ultimate vulnerability. Unless your system is secured far beyond what is customary, using technologies like encrypted file systems, anti-tampering devices and the like, tools like L0phtCrack will give up the goods in a relatively short period of time.


Take another look at your physical security. You might have a really solid server room with a locked door, but if the hinges can be removed from the outside, how is that going to deter the soon-to-be ex-employee from liberating a server over the weekend?


In our company we send out emails at intervals to the staff reminding them of how to avoid unleashing a virus on the network. We do this before we get nailed by the latest in exploits. I suggest you remind yourself and your staff about physical security in the same way: regularly and proactively. The job you save may be your own!


If you have a physical security horror story you would like to share, please share it via the comments.