Our team is always on the lookout for new topics and concerns within the realm of information security. One of our team members recently came across an interesting article, "The Little White Box That Can Hack Your Network", on www.wired.com. The article discusses a recent penetration test at multiple branches of a bank using a small computer called a Pwn Plug, which simply plugs into a power outlet and the network. Once deployed, the Pwn Plug makes its hacking tools available to the tester. Dressed as a technician, Jayson Street was able to successfully penetrate four banks without a single issue.
This article draws attention to what information security is holistically, and to its ever-changing nature. To many people, information security brings up images of hackers in a dark room surrounded by monitors and energy drinks, sending spam emails or attempting to hack into government networks. However, information security has a far-reaching perimeter: it deals with everything from strong passwords to the physical security of a building.
In this case, it can be assumed that the bank had a security plan in place, given that it was testing the ability to penetrate its systems. Controls were probably spelled out and, in theory, most likely implemented at the bank branches. However, writing controls into an operations manual does not mean they will serve their purpose. Organizations must work in accordance with the controls and test their effectiveness at every level. Security managers must make certain that employees are actually practicing controls at all times. Penetration tests such as the one discussed are perfect examples of ways to expose when implemented controls are not actually being practiced.
We have used this article as a brief case study to show how a successfully functioning information security management system (ISMS) could have stopped Mr. Street from penetrating the system.
Controls against unauthorized access to the physical premises were clearly not being practiced in this case. Using ISO/IEC 27001 as an example guideline for controls, we can examine some controls which, if practiced, would have successfully prevented Mr. Street's access.
First, the intruder in this case posed as a technician who was there to measure the power fluctuations on the power circuit. ISO/IEC 27001 suggests the implementation of a control which is meant to allow access only to authorized personnel. In implementing this control, visitors' names and the date and time of entry and departure are recorded. Further, it is suggested that visitors be supervised unless prior permission has been granted, and that visitors be given name badges.
An additional example of an authentication control would be a system which allows staff to log third-party service visits in a database or calendar that reception can access in order to confirm the visit. This would provide transparency and validity for the visitor's stated purpose. These are just two examples of controls which, if practiced, would have effectively deterred the penetration that occurred.
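The reception-desk confirmation described above, as an added example that is not part of the original post or of ISO/IEC 27001: staff pre-register a third-party visit, and reception issues a badge only when the visitor's name, vendor and arrival time match a registered visit, logging every attempt (denied ones included) together with entry and departure times. Class and function names are our own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class ScheduledVisit:
    """A third-party visit pre-registered by a staff member (the database/calendar entry)."""
    visitor: str
    vendor: str
    purpose: str
    start: datetime
    end: datetime
    booked_by: str           # staff member accountable for the visit
    supervised: bool = True  # escort required unless explicitly waived in advance

@dataclass
class VisitorLog:
    entries: list = field(default_factory=list)

    def record(self, visitor, action, when, **details):
        self.entries.append({"visitor": visitor, "action": action, "time": when, **details})

def confirm_visit(schedule, visitor, vendor, now):
    """Return the registered visit matching name, vendor and time window, else None."""
    for v in schedule:
        if (v.visitor.casefold() == visitor.casefold()
                and v.vendor.casefold() == vendor.casefold()
                and v.start <= now <= v.end):
            return v
    return None

def check_in(schedule, log, visitor, vendor, now):
    """Reception check: issue a badge only for a confirmed visit; log every attempt."""
    visit = confirm_visit(schedule, visitor, vendor, now)
    if visit is None:
        log.record(visitor, "denied", now, vendor=vendor)  # unscheduled: no access, but keep the record
        return None
    badge = f"V-{len(log.entries) + 1:04d}"
    log.record(visitor, "entry", now, badge=badge, vendor=vendor,
               booked_by=visit.booked_by, supervised=visit.supervised)
    return badge

def check_out(log, badge, now):
    """Record departure against an issued badge; False if the badge was never issued."""
    entry = next((e for e in log.entries if e["action"] == "entry" and e.get("badge") == badge), None)
    if entry is None:
        return False
    log.record(entry["visitor"], "exit", now, badge=badge)
    return True
```

A visitor who turns up with a plausible story but no registered visit, like the "power technician" in the article, is denied and leaves a log entry that the security manager can review.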
The underlying message is the importance of seeing that controls are both implemented and practiced. It is not enough to simply comply and pass audits. Organizations must continuously test their ISMS to ensure that it is working properly. It is important for organizations to treat information security controls as seriously as other regulations. For example, in some cases the consequence of not putting up a wet floor sign, and risking litigation from a patron who slips, is taken more seriously than not following an information security control. It is our hope that organizations which do not currently follow proper ISMS practice understand the potential cost this poses.