Considering the Physical Aspects of Cyber Security

Guest blog by James Jackson, Security Consultant, Logiq

Comprehensive physical security controls are as essential as digital cyber security controls. A strong physical security posture is key to avoiding incidents; however, stakeholders focused on the ever-changing digital landscape may overlook these more traditional defences.

Physical security is the prevention and mitigation of unauthorised access to facilities and personnel. Whilst this may seem somewhat unrelated to the more abstract digital aspects of cyber security, malicious physical access to a datacentre or office can be a direct and dangerous route into an organisation’s entire system.
For this reason, almost all security frameworks call for a baseline level of physical security control. In fact, all Ministry of Defence suppliers assessed at a ‘Foundational’ (Level 1) Cyber Risk Profile or above are required to comply with 5 individual physical security controls in order to be eligible to supply services or goods to the MOD, as detailed in DEFSTAN 05-138: Cyber Security Standards for Suppliers.

Know Your Enemy

Every business differs in what it delivers, how it processes data, and what its physical footprint looks like. These aspects shape who its adversaries may be.
There are many different types of adversaries (also known as ‘threat actors’) to consider when thinking about security. These groups differ in both method of operation and capability. Some examples of threat actors include:

  • Enthusiasts or ‘Script Kiddies’
  • Competing organisations
  • Insider threats
  • Criminal organisations
  • Nation-state backed groups

Whilst an organisation providing government services is less likely to suffer a physical breach from an enthusiast than from a criminal organisation (for example), every organisation must consider:

  • Who could be maliciously interested in their data?
  • What could be done maliciously with their data?
  • Where could their data be accessed physically?
  • Why would the threat actor(s) benefit from their data?

Some stakeholders may argue that the threat of physical intrusion is diminishing in the age of online cyber warfare; however, one only needs to look at the Oct 19th Louvre Robbery as an example of the ongoing physical threat. Early reports indicate that the floor the robbers broke into had neither CCTV nor window alarms to warn the museum of incoming threats, a gap that would have been easily identified in a threat assessment.

So, how can an organisation take steps to ensure their physical security?

Secure Your Office

Most organisations operate out of one or multiple physical office locations, where the majority of their data is accessed, manipulated, and controlled. Your organisation must ask itself:

Who are you letting into your office?

Depending on the nature of the industry, some organisations may have more visitors than others. They should ensure that a suitable log of visitors is kept and that each visitor signs in and out when visiting. Furthermore, some organisations may wish to enact further checks, such as verifying ID. Staff should be suitably trained and aware so that they do not admit visitors who could have malicious intent.

How can people access your office?

Office facilities should not be accessible to the public. Controls such as PIN codes and card scanners provide an important layer of protection against opportunistic ‘walk in’ breaches.
Policy also plays a role against attackers. Suitably trained and aware staff should have the confidence to challenge any suspicious people inside the office building.

What damage can be done inside your office?

Whilst the controls mentioned above deter initial building access, organisations must consider how their key internal assets are protected if those controls are bypassed. Important infrastructure such as server rooms and sensitive document storage benefits greatly from ‘defence in depth’, such as more restrictive key-code access, physical key access, and enhanced surveillance.

Please see NIST SP 800-53 Section 3.11 for detailed physical controls that an organisation can implement.

Cloud Computing & Physical Security

Almost all organisations use at least one form of cloud service, such as software-as-a-service (SaaS), cloud storage solutions (e.g. OneDrive or Google Drive), or remote virtualisation (e.g. Azure). Whilst organisations have limited control over what physical security controls their cloud provider puts in place, they are able to take steps to ensure that their data is safe.

Whilst organisations may be familiar with digital-focused security frameworks such as NIST or ISO27001, there also exist frameworks tailored to datacentre security. Datacentre service providers should display their compliance with frameworks such as ISAE 3402 to provide a level of transparency and confidence to the end user.

Organisations must also use physical location to their advantage whilst configuring their capabilities. Backup copies, for example, should never be kept in the same room, building, or even site as each other. Your individual organisational tolerance will vary; however, the recent Datacentre Fire in South Korea highlights the need for geographically distributed backups in case of fire, flood, or other natural disasters.

Many cloud providers allow the customer to configure where their data is geographically held and processed. Organisations should consider where their data resides, as this often has security and regulatory implications.
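The two points above (backup copies kept apart, and data held only in approved locations) can be checked as policy-as-code. The following is an added example, not code from the original post or from Logiq: it runs over a constructed backup inventory (site, building, room and region per copy) and reports datasets whose copies share a site or building, or that sit outside an assumed residency policy.

```python
from collections import Counter

# Constructed inventory (not real data): one record per backup copy.
INVENTORY = [
    {"dataset": "hr-records", "site": "london-dc1", "building": "B1", "room": "R101", "region": "uk"},
    {"dataset": "hr-records", "site": "london-dc1", "building": "B1", "room": "R101", "region": "uk"},
    {"dataset": "finance-ledger", "site": "london-dc1", "building": "B1", "room": "R102", "region": "uk"},
    {"dataset": "finance-ledger", "site": "manchester-dc2", "building": "B4", "room": "R010", "region": "uk"},
    {"dataset": "crm", "site": "london-dc1", "building": "B2", "room": "R201", "region": "uk"},
    {"dataset": "crm", "site": "frankfurt-dc3", "building": "A", "room": "R7", "region": "eu"},
]

ALLOWED_REGIONS = {"uk"}  # assumed residency policy for this example
MIN_SITES = 2             # assumed tolerance: copies must span at least two sites


def check_backups(inventory, allowed_regions=ALLOWED_REGIONS, min_sites=MIN_SITES):
    """Return a sorted list of (dataset, finding) tuples; an empty list means compliant."""
    findings = []
    by_dataset = {}
    for copy in inventory:
        by_dataset.setdefault(copy["dataset"], []).append(copy)

    for name, copies in sorted(by_dataset.items()):
        # Geographic separation: a single site is a single fire/flood/outage domain.
        sites = {c["site"] for c in copies}
        if len(sites) < min_sites:
            findings.append((name, f"only {len(sites)} distinct site(s); need at least {min_sites}"))
        # Copies sharing a building (let alone a room) add no resilience.
        shared = Counter((c["site"], c["building"]) for c in copies)
        for (site, building), n in sorted(shared.items()):
            if n > 1:
                rooms = sorted({c["room"] for c in copies if (c["site"], c["building"]) == (site, building)})
                findings.append((name, f"{n} copies in building {building} at {site} (rooms {', '.join(rooms)})"))
        # Data residency: every copy must sit in an allowed region.
        for c in copies:
            if c["region"] not in allowed_regions:
                findings.append((name, f"copy at {c['site']} is in region '{c['region']}', outside policy"))
    return findings


if __name__ == "__main__":
    for dataset, finding in check_backups(INVENTORY):
        print(f"{dataset}: {finding}")
```

Feed it an export from your own asset register (or your cloud provider's resource inventory) and widen `ALLOWED_REGIONS` to match your regulatory position.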

What Next?

The breadth and depth of your physical controls ultimately depend on the nature, function, and threat profile of your organisation. However, it is always beneficial to consider what information threat actors might want, and how they could get it.
You may find it beneficial to conduct a STRIDE threat assessment against your physical security posture to identify any gaps in your defences. From there, you can define a roadmap for improvement.

Logiq offers services that can assist in this process. Your organisation may benefit greatly from an NCSC Cyber Assessment Framework (CAF) assessment, or by utilising our Audit and Review service. More information can be found on Logiq’s Security & Assurance page.


About Logiq:

Logiq is a NCSC-assured cyber security consultancy and secure managed services provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.