From the course: CompTIA Project+ (PK0-005) Cert Prep
Physical security
- What physical security concepts should you be aware of for Project+? Join us for a great discussion.
- [Narrator] You're watching ITProTV. (gentle music)
- Welcome into another great episode with Robin Abernathy. I'm your host, Lauren Deal. And in this episode, we've got to get serious, Robin. We've got to talk about security and how to keep our property, whether digital or physical, safe, right?
- Correct. And there are a lot of different aspects to security, and there are a lot of different ways to provide security. And there are tons of different security controls out there that you can deploy to protect yourself and your assets. But in this particular episode, we want to talk strictly about physical security. Now, physical security is the security controls that you implement to protect all of your assets from physical access. If you can touch it, there needs to be some sort of security control deployed to protect it. This includes protecting physical access to the buildings, physical access to any other assets and to your data, and also protecting physical access to your personnel. So there are so many aspects to physical security. You know me as a project manager, but I'm also a security expert, and so I know a lot about cybersecurity. And so when I saw this little bit in the CompTIA objectives about security, and specifically about physical security, I first read the thing and I was like, oh, this is rather a small list. But I also understand that oftentimes in these exams, they're constrained by what they're going to cover. So we're going to cover these points, but one of the things that I do want to encourage you, in any of these security concepts or in any of the other episodes as well: if it's something that we're talking about and you want to go just a little bit deeper, take a little bit of time. Go out there and look on the internet, look at other references that are out there, and learn a little bit more about security controls.
I'm going to touch on a few physical security controls and a few physical security issues that you need to think about here, but there are so many more out there that I'm just touching on a tiny little piece.
- Well, I think this is such a great discussion to kind of open up the conversation. You know, we'll cover as much as we can in this episode, but we encourage a rabbit-hole kind of exploration after this episode. Make sure that you're diving a little bit deeper and truly become the expert that we know you can be. So when we talk about security in the physical format, you mentioned a couple, but can we go into some examples?
- Well, there are three main examples that CompTIA actually includes as part of this topic in their exam guide. And the first one is mobile device considerations. Now, all of us know what mobile devices are. We carry one around in our hand every day and we look at it all of the time, including at the table when we're eating, when we shouldn't. But we're all guilty of it. But mobile devices aren't just phones. They can also be things like Kindles and iPads; your laptop is a mobile device. If it can be easily picked up, transported and put away, it is considered a mobile device. So we need to talk about some of the physical security measures that you need to think about for these mobile devices that you have. Now, first of all, as an organization, and as part of a project, if you issue mobile devices to your team, you need to require that they use a PIN or some other login mechanism with each use of the device after a certain idle period. So you know how your phone defaults to that page when you're not using it after a certain number of minutes, and you have to, you know, show it your face or type in your PIN? That is a security measure, and that keeps people out: they may have physical control of the device, they may have it in their hands, but that doesn't mean they can get beyond that physical holding of it.
Anything that's behind that PIN or that access mechanism is protected. Another thing you need to do as an organization and as a project manager is limit the third-party software that you allow your team members to install. Now, all of these points that I'm making apply more to company- or organization-issued devices. You can't control a person's personal device that you allow them to do work on; I understand that. So keep all of these as what you would definitely do if you issue a company-owned device to the users, and something that would be recommended for you to encourage if they use their personal device. The next point is that you implement GPS or some other location service, and that's in case the device is lost. If you have GPS and location services enabled, it's very easy to go to that Find My iPhone feature, or whatever your device has, and locate at least within a certain proximity where that device may be. You should also, as part of that, enable remote locking and remote wiping features. What this means is, if that device is lost or stolen, you have the ability to restore it to its original condition, so none of your organizational data that resides on that device can be pulled from that device. Hackers are very sophisticated, they have some great tools, and they really, really, really want your data. So you want to have the ability to wipe or erase the contents of that device.
- Well, it makes me think, you know, you really need to get familiar with your settings and really see the abilities that you have on your device. And if you don't have some of these in place, utilize this episode as, oh, I need to get up to speed with my security features.
- Yes. Yes, very much. And a lot of people don't realize, too, that their organizations don't even have really good policies in place when it comes to that.
- Mm-hmm.
- Oftentimes the organization doesn't have a policy, and not having a policy is not a good policy.
- Right.
- So if you're part of a project and you know those users have those devices and are going to be using them as part of the project, especially when you're going to have data and things that you're going to have to have access to and you don't want that data compromised, you may have to be the catalyst that goes to your supervisor and says, hey, we don't have a policy on this and we need to set some. And then work with those teams to make sure that the correct policies are set. Now, another thing that a lot of people don't realize is you should have a written policy that tells your team members and your personnel that they should never leave their mobile device unattended. It's very easy to plug something into that thing, and you don't know what they're uploading to the device or what they're downloading from the device. And both of those can have very, very bad consequences. Your personnel should be encouraged to immediately report a lost or stolen device. I can't reiterate this one enough. A lot of times people are very reluctant to go to their boss and say, my laptop's been stolen, or I lost my laptop. But until you know an event has occurred, you can't do anything about it. So you have to have an environment where, number one, they're told that they have to tell you, but also make that environment comfortable enough that they feel okay in coming to you and making that admission, so that there aren't all these bad things that are going to fall from the sky on them should they report it. Mistakes happen, security events occur, we all have them occur to us. And we need to make an environment that makes that communication easier to happen. Users should also be encouraged to store those mobile devices in a secure location. Setting them on the seat in your car, where anybody can see them, is probably not a good idea.
But also, when you're in your office and you're leaving for the weekend and you know the cleaning people are coming in, if you're going to leave your mobile device, your laptop, there for the weekend, you know, disconnect it from the cables, fold it up, stick it in a drawer, and lock the drawer. Just sticking it in the drawer isn't enough. Also, you need to encourage your users to regularly back up their own data. That may be part of some sort of process you go through to train them, to make sure they have a place to back it up, as well as that they understand the process for backing it up. A lot of users just don't understand enough about it. So you need to have a process in place to help them. And then finally, when it comes to mobile devices, you need to have a process in place to reset the mobile device to the factory defaults before it is disposed of or before it's transferred to another entity. It has to go back to those factory defaults. There's too much on there, and not everybody who ends up with your device is going to have your organization's or your best interest in mind. So it's just a good policy all the way across the board; it's not just for organizations.
- Well, I think this is a great discussion just about systems and how your organization structures their IT security. You know, it's one thing to be reactive to a security breach, and...
- Yes.
- ...but we can prevent a lot by being proactive. Thinking of the worst-case scenario before it happens and then putting systems or policies in place that allow our team to prepare for this. Simple things like this can really go a long way when it comes to protecting our mobile devices. But what else should we know about?
- So next we want to talk about removable media considerations. Now, most of you know what removable media is.
Almost everyone has got that cute little USB flash drive that you plug into the port so that you can copy some data off onto that small device, stick it in your purse, and run to the photo shop and have them print those pretty little pictures for you. Well, removable media, in that it is so tiny, is also very easy to conceal. So companies need to have a removable media policy so that their data is protected if it is ever placed on removable media. They're so easy to conceal, and even though they're tiny, they store a lot of data. So anyone with removable media that attaches to a device can get a lot of data off of that device. So let's talk about some security measures that you need to take if your organization is going to allow removable media. Let me interject a note here. Some companies out there don't allow them, period. There's nothing wrong with that. It also depends on the security stance of the organization and the types of data they're collecting, okay? So there's nothing wrong with totally saying no removable media of any kind. And in most systems there are generally ways to lock those ports so that a removable media device can't even be attached. So there's always that. But just in case you decide, okay, we've got to use removable media because it's just the nature of the beast, we've got to transport data quickly, let's talk about those things. Always keep removable media in a secure location when not being used: a locked drawer, a locked filing cabinet, locked in a glove box, in a safe, locked up, because it holds that data. The other thing that you need to do, and this really isn't a physical security measure: remember I told you physical security was all about having access, being able to take it. Well, on the removable media, you're going to have data. The data that is stored on that removable media needs to be encrypted.
Encryption makes the data unreadable unless you have the encryption key that makes it readable. So even if I get your removable media and there's data on it, if you've encrypted that data and I don't know your encryption key, I can't even see what that data is. It's just gobbledygook to me. It's just a mess. And so it means nothing to me. Now, if I have the encryption key, or I have a way to discover it, then all of that data's open to me. But encryption at least provides the confidentiality of the data that resides on that removable disk. So the next point we need to talk about when it comes to removable media is to remove data from that media once it is no longer needed. Now, I'm probably the world's worst. If you look on my phone, there are pictures from, you know, eons ago, and I'm just reluctant to get rid of them. I mean, there are random screenshots, there's this picture of this tree and I go, why did I take a picture of this tree? And so I don't even clean up my phone. But as a project, and as part of an organization, you should have a policy whereby users are encouraged that after a certain lifetime, when data that is stored on removable media is no longer needed, or should no longer be stored there because it's maybe in an archive somewhere, take that stuff right off of that removable media, because if anyone can steal it, they can get that data. So you want the data gone. Now, the final point that we want to make about removable media is that you erase the data from removable media when disposing of the removable media and, like I mentioned with the mobile devices, when you're transferring ownership. So if it's going from one user to the next, from one organization to the next, erase everything off of that. The good thing about removable media is it's not like our traditional magnetic hard drives. Magnetic hard drives can hold remnants of data, so you can have a way to restore that data if you have the right tools.
With the storage devices that we have, the flash drives, it's a solid-state drive, and so the data doesn't remain there in any remnants. Once you erase it, it's gone. So that is removable media.
- Well, talking about removable media, it made me kind of think that these are things that we might not think about, but it's something that we should know, because if you're not thinking about it, again, it goes back to that reactive versus proactive. But I have to say, the first thing that came to mind when we talked about physical is I was thinking about the building.
- Well, that's an excellent point, and it's also my next point.
- Oh, okay, good.
- So let's talk about it. So let's talk about facility access. Now, this is where most people, like Lauren, when they think about physical security, they're thinking of, let's keep people out of our building, we don't want them to get in. And so facility access is any of the security controls that you may implement to protect either the outer edges of your building, whether it's just the premises, then the actual building itself, or internal areas of the building. 'Cause a lot of places will have security zones, and as you breach a different security zone, another security layer has to be added. So we need to keep in mind that for your facility access, you will need to have a layered approach. The layered approach is the best plan. So maybe you have an outer gate with a slider that you put a card in, and it lets you in if you have the right access token. Then you may have locks on your outer doors that provide access to the building. Then you may have inner areas, like a data center, that may have a biometric control where you have to actually scan a fingerprint, or they scan your eye, or some other mechanism that's a little bit more secure.
Oftentimes, with the security controls that you deploy based on the different zones of your facility, whether it's the outer zone or an inner zone, you deploy the more expensive and the harder-to-upkeep ones, like your biometrics, over the assets that have the highest value. I don't care who gets to my lobby; we have all kinds of visitors to the lobby. They've got to get to the lobby 'cause they're going to deliver packages, they're going to come meet other personnel, whatever, that's fine. But once I let them be in that lobby area, I may also have to restrict them there. So internal physical security should be provided just as much as that external physical security. You should have visitor procedures. You should not just allow them into the building. There should be escorts, there should be sign-ins, there should be all sorts of things. So make sure that you provide security awareness training about physical security to your facility, so that your users understand things like why they shouldn't allow someone to piggyback on their access when they come in, especially if they don't recognize the person. So those are just some of the kinds of things that you need to understand for the actual physical access portion of physical security.
- I'm glad that we touched upon that, because like I said, that was the first thing that came to mind, but it was also the last thing that we talked about in this episode. So it's so important to take note that physical can mean beyond what I think we bring to the table in our mind. It goes a little bit deeper than that. And like Robin said, after this episode, take a little bit of time and dig a little bit deeper into what physical security may look like in your organization and beyond. It's better to be more prepared than regretful later. Right, Robin?
- Yes, very much so. Very much.
- All right.
Well, like Robin said, there are more security topics in the next episode, so don't miss out; we'll meet you there.
- [Narrator] Thank you for watching ITProTV.
Contents
- Physical security (17m 59s)
- Operational security (5m 55s)
- Digital security (12m 3s)
- Data security (8m 43s)
- Corporate IT security policies and restrictions (5m 57s)
- Environmental, social, and governance (ESG) factors (11m 2s)
- Compliance and privacy considerations (11m 33s)