"Physical security" is almost everything that happens before you (or an attacker) start typing commands on the keyboard. It's the alarm system that calls the police department when a late-night thief tries to break into your building. It's the key lock on the computer's power supply that makes it harder for unauthorized people to turn the machine off. And it's the surge protector that keeps a computer from being damaged by power surges.
This chapter discusses basic physical security approaches. It's designed for people who think that this form of security is of no concern. Unfortunately, physical security is an oft-overlooked aspect of security that is very important. You may have the best encryption and security tools in place, and your UNIX systems may be safely hidden behind a firewall. However, if you cheerfully hire an industrial spy as your system administrator, and she walks off with your disk drives, those other fancy defenses aren't much help.
Surprisingly, many organizations do not consider physical security to be of the utmost concern. One New York investment house was spending tens of thousands of dollars on computer security measures to prevent break-ins during the day, only to discover that its cleaning staff was propping open the doors to the computer room at night while the floor was being mopped. In the late 1980s, a magazine in San Francisco had more than $100,000 worth of computers stolen over a holiday: an employee had used his electronic key card to unlock the building and disarm the alarm system; after getting inside, the person went to the supply closet where the alarm system was located and removed paper from the alarm system's log printer.
Physical security is one of the most frequently forgotten forms of security because the issues that physical security encompasses - the threats, practices, and protections available - are different for practically every different site. Physical security resists simple treatment in books on computer security, as different organizations running the identical system software might have dramatically different physical-security needs. (Many popular books on UNIX system security do not even mention physical security.) Because physical security must inherently be installed on-site, it cannot be pre-installed by the operating system vendor, sold by telemarketers, or FTP'ed over the Internet as part of a free set of security tools.
Anything that we can write about physical security must therefore be broadly stated and general. Because every site is different, this chapter can't give you a set of specific recommendations. It can only give you a starting point, a list of issues to consider, and a procedure for formulating your plan.
The first step to physically securing your installation is to formulate a written plan addressing your current physical security needs and your intended future direction - something we discussed in Chapter 2, Policies and Guidelines. Ideally, such a plan should be part of the site security policy, and should include:
Description of the physical assets that you are protecting
Description of the physical area where the assets are located
Threats you are protecting against
Your security defenses, and ways of improving them
Estimated cost of any improvements, the cost of the information that you are protecting, and the likelihood of an attack, accident, or disaster
If you are managing a particularly critical installation, you should take great care in formulating this plan. Have it reviewed by an outside firm that specializes in disaster recovery planning and risk assessment. You should also consider your security plan a sensitive document: by its very nature, it contains detailed information on your defenses' weakest points.
Smaller businesses, many educational institutions, and home systems will usually not need anything so formal; some preparation and common sense are usually all that is necessary, although even a day of a consultant's time may be money well spent.
Some organizations may consider that many of the ideas described in the following sections are overkill. Before you come to this conclusion, ask yourself five questions:
Does anybody other than you have physical access to your computer?
What would happen if that person had a breakdown or an angry outburst, and tried to smash your system with a hammer?
What would happen if someone in the employ of your biggest competitor were to come into the building unnoticed?
In the event of some large disaster in the building, would you lose the use of your computer?
If some disaster were to befall your system, how would you face all your angry users?