Information security teams work hard to secure the data they are responsible for. They put in perimeter protections, network protections, host protections and all sorts of devices to monitor and manage those protections. Configurations are checked before they go into production, and all changes are tested and approved. All of this hard work pays off when you look at firewall logs, IDS/IPS logs, and the reports your SIEM generates to show just how many attacks are blocked, dropped and stopped before they reach their goal of stealing or damaging your data.
Of course, we all know that this can easily be bypassed by one unpatched system, a zero-day exploit, a reckless admin or user, or a really good hacker or social engineer. There is always something that isn't exactly as it should be, and that one thing leaves you vulnerable. There is one other area that information security needs to have regular contact with and influence over: Physical Security. Physical Security is the team tasked with keeping the bad guys physically away from the data. Unfortunately, many times these two disciplines don't communicate with each other, and this lack of communication can ruin the well-laid plans and protections that have been put into place.
CISOs and their management teams need to be proactive and take the lead in reaching out to the physical security teams at their company. They need to collaborate and work together to ensure that the data is protected. Often physical security teams don't realize the danger a person can present when they allow them to roam the halls unescorted, or when they don't do their job and verify that a person is really supposed to be there. They don't understand that even when other access controls keep a good hacker out of the data center, a hot network jack or an unmanned system can serve his purpose just as well. They aren't aware that a seemingly innocent flower, stuffed animal or other item can hide wireless APs, mini laptops, wireless cameras, etc.
This is another reason that when you are rolling out a security awareness program you need to ensure that it's not a generic, one-size-fits-all program. Different departments need to be taught different things so that they are aware of the threats most likely to affect them. An effective security program will reach out to all lines of business and work with them to be proactive in securing the data.
Security's Everyman
Wednesday, November 26, 2008
Infophysical Security
Posted by Andy, ITGuy at 5:36 PM
Labels: Andy ITGuy, information security, physical security