Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Physical and Network Security Merging? 132

MonMotha writes "CSO reports that physical and network security may be merging in an effort to eliminate redundant jobs, create a more secure security plan, and make security procedures more standardized across the company. This would seem to be a logical step forward as businesses become more and more dependent on their computers, and as the old adage goes, an attacker with physical access already has you owned."
This discussion has been archived. No new comments can be posted.

Physical and Network Security Merging?

Comments Filter:
  • by GoatPigSheep ( 525460 ) on Saturday September 07, 2002 @07:02PM (#4213908) Homepage Journal
    does this mean we are going to be giving network admins guns? I don't really trust those guys, with all their quake playing and all.
  • by Gizzmonic ( 412910 ) on Saturday September 07, 2002 @07:04PM (#4213915) Homepage Journal
    I guess I'm gonna have to start ripping CD's off from the store instead of stealing them online. After all, if they're gonna replace their security guards with fat, pimply-faced l33t h4x0rz, I probably have a better chance outrunning them...
    • "Oh, great, another one's running..."
      "Hold on, I got it... *BANG*"
      "Head shot, nice."

      Actually, I imagine the only change this will make to the status quo is an explosion in the amount of "hidden camera" pr0n available in the Gnutella network.
    • After all, if they're gonna replace their security guards with fat, pimply-faced l33t h4x0rz,..

      Hmmm, I wonder after the commentary on the thread for FBI Hirings/Physical Requirements [slashdot.org] we might be hearing a "HA-hah!" from beyond by J. Edgar Hoover.
    • Who says all us are fat, pimply-faced slobs? I'm in the military and I've seen quite a few others in here that are computers geeks, so obviously we have to be in shape you know.
    • Hmm. You must have different security guards than any I've ever seen.

      In my experience, the most roly-poly chairbound computer nerd could probably run circles around the average security guard.
  • Then, it'll be really difficult to fire network operators!
  • One Caveat (Score:4, Funny)

    by wirefarm ( 18470 ) <(jim) (at) (mmdc.net)> on Saturday September 07, 2002 @07:06PM (#4213922) Homepage
    If your boss comes to the server room and hands you a badge and a gun, please *try* to take it a bit easier on the caffeine...

    (Maybe they should also ban FPS gaming during work hours too...)

    • Why ban FPS's during work? If they give you a gun and a badge and a bad guy comes walking in you will have a very real and very instantanious FPS. :) Only problem with that is, you get fragged, you don't respawn.
  • If my CEO reads the article I'm going to wind up getting locked in my server room!
  • I'm glad the so-called network 'experts' have realized they not only need to keep their systems digitally secure, but also physically secure. Either sysops are dumb, or this is just a stupid submission slashdot put up because they needed an article.
    • One vote for the stupid submission option. Any decent sisadmin allready knows physical security is important.
      • I think the idea was not that sysadmins don't know that physical security is important, but rather that they don't have direct control over the physical security of their systems sometimes.

        If the local IT security guy/gal gets privilages on the physical security side, he/she can do a much better job of keeping the systems physically secure.
    • The need for physical security is obvious. What's not so obvious is that the same people should be in charge of both electronic and physical security, since these seem like very different realms. It seems fairly clear to me that the bottom-line security people shouldn't have both jobs. However, I'm still pondering whether the management could or should be combined since, as the article points out, both jobs are aspects of the same ideal: a secure company.
      • so, yes, even half-witted sysadmins know it's important to keep their stuff physically secure.

        i also know it's important to have legal help should someone break in to the system, or just plain decide to sue the company. however, as a sysadmin, i'm not expected to take the lead in any lawsuits. when we're talking about physical and network security, we're talking about two different skillsets.

        i can see the value of putting them in the same group, under some greater auspices of "Security," but if you're talking about making *one person* do both i just don't know. i can't say i'd want any of the sysadmins *i* know responsible for handling intruders. even things like evaluating badge systems and alarm systems are outside a sysadmin's real skillset. sure, i could pick an alarm system. so could the receptionist. we'd probably do about the same job picking one, too.
  • by wowbagger ( 69688 ) on Saturday September 07, 2002 @07:15PM (#4213951) Homepage Journal
    I cannot wait until the Bastard Operator From Hell gets in on this....
  • Bad idea (Score:5, Insightful)

    by techmuse ( 160085 ) on Saturday September 07, 2002 @07:16PM (#4213955)
    I do network security for a living. I also know the physical security people in my company. We have completely orthogonal skill sets and cultures. Most (non-guard) physical security posititions require knowledge of police work, evidence handling, physical monitoring equipment, etc. (Good) Network security requires advanced understanding of network theory, operating systems, programming, algorithms, network protocols, etc. It's not about watching an intrusion detection system all day. It's about influencing how programs and entire systems and networks are designed and operated, outthinking attackers, and so forth.
    • require knowledge of police work, evidence handling, physical monitoring equipment, etc.

      All those skills are required to do proper conputer forensics also, especially if you ever expect to be able to press charges. You at least need to know enough no to destroy the chain of custody, or change vital information by rebooting a server before collecting data, things like that.
    • Your company actually has people looking after physical security? (non-guard).

      How many people work for said company?

      My understanding is that in most companies less than 4000 employees worldwide there isn't really any physical security, except perhaps a "Facilities Manager" and a load of useless "Security Guards".
      • 4K workers is a lot, especially if they're at a single at a small enough number of sites to have over 1k employees per site.

        You'd think in that situation that there would be enough turnover or risk to hire somebody with a security background to monitor the security systems (alarms, cameras, card-key systems).

        And a lot of places sell or work with valuable, high risk or dangerous materials (weapons, drugs, precious metals & gems, chemicals, radioactive materials, etc). I'd imagine that insurance would demand a more rigorous security situation than property-management supplied "security" (which really are nothing more than rent-a-suits).

        Although even for plain-old big buildings, what kind of security do you *want* other than security guards (and the usual card-access systems and cameras)? Ex-Mossad guys with MP5s, German Shepherds and "interrogation" rooms?

        Maybe I'm just security unaware, but it strikes me that you can take a long walk down a paranoid road for little purpose...

      • My understanding is that in most companies less than 4000 employees worldwide there isn't really any physical security, except perhaps a "Facilities Manager" and a load of useless "Security Guards".

        Perhaps you don't know your audience. Have you any clue how many SlashDot readers are "useless 'Security Guards'"? How many of us wear down shoe leather for pay that is lower then that earned by a burger flipper? Even the gun-toting ones typically earn $13-15/hour.

        Perhaps you are one of the people that make those "useless" security guards necessary. For example, how many times have you consumed alcohol to excess and bothered the other customers excessively? Have you extended the concept of piracy to include shop-lifting? How about your place of employment: ever though that a piece of office equipment would look better in your house than at your workplace?

        Just to give you an example, the US Bankruptcy Court trustee determined that $15K/month for 24/7 guards on a property for asset protection during the process was money well-spent...and the Judge agrees. Of course, those "useless" security guards are protecting roughtly $1.5 million in highly-resellable assets, plus another $1.8 million in structure cost, from theft, destruction, or vandelism.

        Did you know that in many states the protection jobs -- private investigator, polygraph operator, security guard, and security consultant -- are licensed and regulated? Check your state laws; in Nevada it's NRS 648. Who knows, you might be breaking the law and don't know it.

    • Exactly, this is not going to work out unless 99% of all physical security is automated and than I would worry even more.
    • Re:Bad idea (Score:3, Informative)

      by Col. Panic ( 90528 )
      If you want a CISSP you will have to learn something about physical security. You will also have to learn about all the other parts of the CBK, including:

      Access Control Systems & Methodology

      Applications & Systems Development

      Business Continuity Planning

      Cryptography

      Law, Investigation & Ethics

      Operations Security

      Physical Security

      Security Architecture & Models

      Security Management Practices

      Telecommunications, Network & Internet Security

      • Sure - physical security is a part of information security. After all, a screwdriver and wire cutters can be just as damaging to a network as a remote command line and appropriate privilidges. But that does not mean information security becomes physical security or visa versa.

        But there is still a rather wide gulf between the concepts and techniques used within information and physical security realms. To the uninitiated, they may seem to be very simular. They are not. I've seen infosec activities ran by those who have a physical security background... and they end up focusing entirely on the wrong areas.

        Information security needs to be aware of physical security. And physical security needs to have an increasing knowledge of IT. But that does not mean one activity should be ran by another.

        Just because the CISSP includes Law and Investigation, it does not mean infosec becomes a wing of the Legal department nor does infosec become a police force.
        • Just because the CISSP includes Law and Investigation, it does not mean infosec becomes a wing of the Legal department nor does infosec become a police force

          True - what it really means is to be a CISSP you have to have three (soon 4) years verifiable experience in one or more of those fields. To pass the test, you have to know "enough" about each of them. Then you can go practice in your area of specialty, but you should only accept jobs for which you are qualified. For example, someone soming from a physical security background should not apply for a job as a PIX admin just because he passed the CISSP.
      • CISSP = Certified Information Systems Security Professional

        CBK = Common Body of Knowledge

        (ISC)^2 = International Information Systems Security Certification Consortium

        ----

        How expensive is this CISSP anyways? If you are a professional in the field, is this certification really going to get you a raise? I guess if the company is paying than who cares, free books and paid time away from work. Work the system !

        • $400 for the test. Boot camp training ranges from #3,000-$4,000 from what I have seen. I got a package deal of CISSP boot camp and a Applied Hacking boot camp so they were $3,250 each. A friend at the CISSP boot camp said ISC2 does their own training course for $3,000.

          Cisco's CSO said CISSP is worth $10,000 more per year (I don't think he meant that in a good way). Of course I'm sure he has a higher opinion of Cisco's own security certifications ;)

          One guy I went to boot camp with applied for the same job he had not gotten before the test, but he got the job after the test. (He wore the lapel pin to the interview). That should be some indication of what the cert is worth.
          • I wonder if you can buy CISSP pins on ebay? :D

            I bet it's alot cheaper than the class. Maybe I could borrow yours for $50. Hahaha. Then I would have to make a story about the missing diploma.

            Maybe when I start making headway on my B.S. loans I can think about more schooling. A year ago, I was thinking about a M$ cert in programming or database design, now I can't decide. One in network security might be helpful for the company I am interested in starting.

    • We have completely orthogonal skill sets and cultures.

      Yep, it's sometimes refered to as left-brain and right-brain people.. There ase such fundamental differences in the skill sets of those people that giving all the responsability to one person will lead to reduced security. I can't understand who ever came up with the idea of combining the two ?

  • by phreakmonkey ( 548714 ) on Saturday September 07, 2002 @07:17PM (#4213956) Homepage
    ... as the article points out. To me, the bigger relevation to "geeks" here should be that information security is about a lot more than OS vulnerabilities and firewalls.

    The International Information Systems Security Certifications Consortium (ISC^2) defines ten domains of information security.

    Physical Security is one of them... a big one. So is network security, auditing, forensics, and liability, amongst other things.

    Anyone interested in the relations of risk management and physical/information security should aim their research towards ISC^2 related documentation.. in addition to being fairly comprehensive you will be better prepared when you become experienced enough to apply for your CISSP certification. ;-)

    (ISC^2 can be found here [isc2.org])

    -PM



    • To me, the bigger relevation to "geeks" here should be that information security is about a lot more than OS vulnerabilities and firewalls.


      To anybody involved in information security, this is probably not a revelation. But just because this is an aspect of infosec, does not mean it naturally falls in to the physical security realm.

      To put another way... because infosec includes physical security, it does not mean a manager with physical security background is a good choice to lead an infosec activity.


      The International Information Systems Security Certifications Consortium (ISC^2) defines ten domains of information security.

      Physical Security is one of them... a big one. So is network security, auditing, forensics, and liability, amongst other things.


      One of these domains includes Law, Investigation, and ethics. And just like physical security, inclusion of legal considerations does not mean infosec should be ran by your corporate Legal office.

      Infosec personnel should be aware of legal and physical security aspects that affect their environment. Certainly. And when they need experts in those areas, they should contact their physical security activity or legal.
      • To anybody involved in information security, this is probably not a revelation. But just because this is an aspect of infosec, does not mean it naturally falls in to the physical security realm.

        Ideally I wish the first sentence were true, but it's not. I've been working in information security for almost 10 years, and most of the "security experts" I meet know a lot about one particular operating system, possibly a lot about network vulnerabilities or firewalls, and never even consider the idea of risk valuation or exposure assessment.

        They tend to harp on and on about "but this is insecure" or "that will get you hacked" but can't even begin to describe the business justification for or against mitigating it.

        I think ISC^2 is doing the information security industry a great service by exposing people who claim to be "Information Security Professionals" to the whole picture.

        BTW - I totally agree with your points, just because you have to understand the structure of a building to put out a fire doesn't mean that you should use architects as firefighters either. :-) It's just nice to see the "big picture" finally getting some exposure to a largely immature industry.

        - PM

  • After reading the headline, I pictured the guys from Armed and Dangerous [imdb.com] sitting at a computer trying to figure out how to set up a firewall.
  • One and the same (Score:2, Insightful)

    When someone comes into your server farm with a gun and says "Let me access info I want or I'll blow your fucking heads off"! Then you will understand that security is security.

    Plus the best place to hack a network is from the inside. Its not a "mission impossible" to get yourself access to a computer at any major financial institution here in the states.

    Data is an asset that needs to be protected both in the physical world where it is stored and, and in the virtual world where it is acessed. The goal in each arena is the same, ignoring either is irresponsible. Thus the inevitability of these two departments combining.

    The ASP I was working for last year was very forward thinking on this and ran both network and physical security as a simgle entity. Unfortunatly thinking ahead in security, didn't translate to thinking ahead when creating a sustainable business model.
    • When someone comes into your server farm with a gun and says "Let me access info I want or I'll blow your fucking heads off"! Then you will understand that security is security.

      Bad guy: "Let me access all your info, or I'll blow your fucking heads off"

      Admin: Uh.. whatever. Root password is 'god'

      Admin #2: talk about shit security... I thought you were going to change that.

      Bad guy: Hey? Where's the start button?

      Admin: You did know this was a Linux farm right?


    • Data is an asset that needs to be protected both in the physical world where it is stored and, and in the virtual world where it is acessed. The goal in each arena is the same, ignoring either is irresponsible. Thus the inevitability of these two departments combining.


      Inevitability of physical and information security combinging? Just because one involves the other does not mean they become the same activity.

      Infosec involves purchasing hardware, software, licesnse, etc... does that mean Infosec and the Purchasing department should combine? Information security involves liability and privacy issues... do we combine Infosec with Legal? A compromised system can lead to a serious public relations issue... is Infosec now under the guise of the PR department?

      No.

      Each department has its own expertise and focus. Issues that one department focuses on can certainly affect other departments. And because of that... those departments should have the ability to coordinate and communicate... and draw on each other's strengths when they hit an issue that another specializes in. But they don't become the same activity.
  • Re: (Score:2, Funny)

    Comment removed based on user account deletion
    • Yes, tongue in cheek humor and all that is great.

      For those of us without that option, the first step is almost always physical.

      NO internet connectivity until latest/greatest patches are installed. (Downloaded once to trusted server, scanned, then installed)

      No physical access without badges.

      Cameras at major intersections within the buidling and outside.

      I work for a huge company, but in a smaller building. Everyone knows everyone else. The guards no us all by name. They come to us before letting ANYONE beyond the guest area.

      It works...so far so good. Time for the old Ben Franklin (I believe) quote of the week:

      Two can keep a secret if one is dead.

      Do I get my precioussss karmassss nowwssss?
  • Considering the geek pay is 5x+ of what a rent-a-cop pays, and there is NO WAY IN HELL you can get your geeks to lay off the junk food and caffeene long enough to get in shape to chase down the mouse on their own desks... guess which one is the one amangement wants to get rid of... Hint: it's not the one who can move from his chair unassisted and can go read Security for Dumbies.

  • so... (Score:3, Funny)

    by DarkHelmet ( 120004 ) <.mark. .at. .seventhcycle.net.> on Saturday September 07, 2002 @07:26PM (#4213979) Homepage
    So, instead of Rent-a-cops, are we going to have lots of Rent-an-admin positions available?
  • Recently, a revolutionary new technology has been discovered that has the ability to grant access to certain areas or items to a few people, but to keep the rest of the world at a safe distance of the often high-valued areas or items. This item will provide a great security tool for network administrators, considering it enables them to secure the server rooms from 1337 h4x0rzzz with a screwdriver. This amazing device, made usually from wood but in special cases where extra security is required, made out of steel or steel/metal alloys is called a "Door" and has been hailed by security experts around the world as the "entlösung" to most, if not all security problems, especially if this device is coupled with small pieces of metal/steel called "Keys", which can be used to lock the door using a complicated mechanical procedure.

    Scientist are now thoroughly investigating in alternate ways of protecting ones servers or other private belongings. Several options include Glyphs of Warding, cummon the undead to protect a server and storage of servers inside highly radioactive or otherwise toxic enviroments.
    • cummon the undead

      That's disgusting. Whatever room you do that in is secure from me, at least.
    • ...especially if this device is coupled with small pieces of metal/steel called "Keys", which can be used to lock the door using a complicated mechanical procedure.

      Do you have any clue why companies have gone to electronic lock systems? Let's see:

      1. Keys can be duplicated, rather easily. Buying the appropriate blanks is relatively simple for those really wanting them, and you can purchase the appropriate files in any Home Depot, Ace Hardware, or equivalent.
      2. There is no access audit. You don't know who, and when, a person went through a particular door.
      3. People lose keys. In a mastering system, the loss of a mid-level key can cost thousands of dollars to re-key. (Of course, that limitation keeps my locksmith neighbor busy, busy, busy!)
      4. If a supervisor neglects to get all the keys a terminated employee has, that counts as a lost key, at high risk if the employee was fired and s/he doesn't take it well.

      The complex mechanical device associated with the Key is called a Lock, and the design of most locks enable it to be defeated by turning a handy control which puts it in a failure-null state; even without the control, the Lock can be defeated with Duct Tape or other readily-available blocking device.

      Of course, there is a defeat for the Door as well: the Door Stop. How many times have I approached a secure area only to find that some lazy person has employed a Door Stop to completely defeat the security provided by the Door?

  • by bilbobuggins ( 535860 ) <bilbobuggins@[ ]tjunt.com ['jun' in gap]> on Saturday September 07, 2002 @07:36PM (#4214007)
    Kid on playground #1: Kerplow* *Kerplow* [with finger]

    Kid on playground #2: Aaaghghgkk!

    Kid on playground #1: ha-HA! You're box rootin' days are over Bad Hax0r Bill!

    Kid on playground #2: Gosh darn it Tommy! Why do I always have to be the intruder every time we play 'sys-admin'?

    Kid on playground #1: quit whining Robby, when we're at your house you can be the network admin

    Kid on playground #2: Fine, but at least pretend you're an MSCE this time so I can win one game

    Kid on playground #2: Pfft. Alright, but next time we play 'content pirate' you have to be Valenti. I'm sick of peeing my pants so I don't miss the commercials.

  • Good for them (Score:1, Flamebait)

    by foonf ( 447461 )
    in an effort to eliminate redundant jobs

    We definately need to eliminate more redundant jobs. After all, you always hear people complaining these days about having jobs, what with them being redundant, and how much simpler things would be if they were fired. This is definately a step in the right direction.
  • open ports (Score:3, Insightful)

    by sohp ( 22984 ) <snewton.io@com> on Saturday September 07, 2002 @07:54PM (#4214059) Homepage
    On a serious note, consider the locations of all the hot network jacks at your employer. Are any of them in public locations that are empty at times, say conference rooms in common areas? How easy would it be for someone to go in, plug in a lap top, and start up a packet sniffer? There are aspects of your network that need physical consideration other than the server room.
  • by Mr_Icon ( 124425 ) on Saturday September 07, 2002 @07:55PM (#4214060) Homepage


    Now the most difficult part is figuring out how to convey "w3 0wn j00r a55, fUx0R!" over the dubious medium that is the megaphone.

  • Banks do this (Score:2, Informative)

    by zaffir ( 546764 )
    A friend of mine works in a dedicated IT building for one of the larger banks in the US (can't think of the name right now, but i know it's located in Ferndale, south west of Detroit, MI). He took me around the place, and showed me all the security stuff they had set up. You need a card, finger print, and key-code to even get into the building (yes, the janitor's entrance is like this too). You need those to get into the elevator, and to go into any of the areas with actual machines. I was only allowed to see their huge terabyte server cluster through very dark tinted glass: nobody but the head IT people are allowed in there.

    I guess that if someone decided to walk into the place with guns a blazing he could, but that's not exactly the most subtle way to steal credit card and bank account information.
    • its still not entirely secure, if someone swiped a keycard and got the codes they could then defeat the fingerprint scanner with a gummi bear
    • That would most likely have been Comerica... it's the biggest bank around here... and I do think I remember seeing a rather large Comerica office last time I was in Ferndale (it's hard to remember... I only go there for the bars:)
    • "I guess that if someone decided to walk into the place with guns a blazing he could, but that's not exactly the most subtle way to steal credit card and bank account information. "

      Why do people think the target is always credit card information and/or bank account info? There is so much more you can do with information and control than just stealing a pitiful few thousand dollars on credit cards...
    • The physical security at the big iron centers is probably pretty good at most large banks. I work for a large bank - but not for the big iron shop. As a DBA, I don't have card key access to our server room (and that's okay) - but the janitors do. Go figure.
  • by jc42 ( 318812 ) on Saturday September 07, 2002 @08:03PM (#4214082) Homepage Journal
    > ... as the old adage goes, an attacker with physical access already has you owned.

    Oh, I dunno about that. We've already seen a number of reports about people who got their laptop back after a theft, apparently because it was running linux or *BSD. The thiefs couldn't get past the login screen, so they trashed it or left it lying somewhere, and whoever found it called the phone number on the sticker.

    Granted, this might not stop your expert unix hacker. But most laptop thefts are by petty thiefs who are pretty much computer illiterate, as are the guys who fence them. With Windows or Macs, they can turn it on, try a few things to verify that it runs ok, and it's in the pipeline. With a unix-like system, they can't get in, they conclude that it's unusable, and they toss it.

    Your typical laptop thief only gets a hundred bucks or so for the machine. It's not worth a great deal of effort to break through security to verify that you're not buying a fancy-looking brick. So login+password is plenty secure for the typical theft.

    • Oh, give me a fuckign break. Do you have numbers or statistics to prove this? Of course you don't, you're just karma whoring by trying to make Linux look more secure. Well, let me clue you into something buddy, Linux survives a complete hard drive wipe as well as Windows or Mac. They couldn't care less what data is on the machine.

      If the thief DOES care what is on the machine I truly believe they will either know how to hack into it or they will have someone they trust do it for them. The target will be specifically picked out (random dumb luck isn't a good way to run an operation like this) and a plan will be in place down to what to do with the data once they have it.
  • Physical access isn't necessarily owned - with proper encryption and the passphrase nowhere but in my neurons they can still be locked out, but for a small bribe I could be convienced to reveal the secret to the executives outrageous incomes and my lousy salary.
  • by Anonymous Coward
    somehow I doubt that there will ever be a day when physical security and network security are one. Sure there may be some that can do both very well, and those will usually be veterans with decades of experience under their belt. There will of course be ecclectic mixtures of both... however you will not be able to field both easily or affordibly. This does not mean that any network security from a macro level is not to be the core of knowledge for any security individual... this is just like security guards at places with high tech security systems now. The guards must know many things about the electronic surveilance, countermeasure, digital access, keying, etc to do their job. If we add another layer like actual network security, then it should be abstracted and ORGANIZED enough so that the guards do not have to grep and cat their way through files and systems just to check what the status is or even fix problems.

    It is that issue there that will present the problem, and also the very thing that many 1337 do0dz will never understand.

    That being said, I am glad that the ideas are merging... mainly because I think that it will clue many developers in for the need to provide consistent, standard, and robust interfaces instead of 'hacked for this and only this feature/platform/language/etc' I personally have crappy front end skill, but I understand its very vital nature. For every 1337 do0d that thinks it is not good to 'dumb down' anything, then they obviously do not understand that abstraction does not change or prevent any low level interfacing, but merely provides the means for working with other systems like GUI's. Of course it also means they are wanna be loosers who if they rubbed two neurons together would realize how stupid that kind of thinking is. They should be real programmers and throw away the keyboard, monitor, mouse... and go with a bank of binary dials for any computing. Retards... talk to me later after you have grown some pubes.... oh! look at me, I can code! Yay for you... I can drop most adults in a fight, you won't see my ass taking on Sadam by myself however. Idiots.

  • It's more than just physical and logical security. There is also psychological security, if you will. All the physical and logical security in the world won't protect you from social engineering [securityfocus.com].

    (Oh, and don't forget to email your username/password/IP to me [mailto]. Thanks.)
  • Comment removed based on user account deletion
    • or are they going to take the risk of entrusting the network to former McDonald's employees?
      Hey, as a high school dropout who used to work at McDonald's, I resent the implications of your post.
      I'm a network engineer/unix-alike sys admin by profession. That I didn't finish high school and was employed by McDonald's doesn't diminsh my intellectual or technical capabilities.

  • by Vrallis ( 33290 ) on Saturday September 07, 2002 @09:08PM (#4214240) Homepage
    I doubt this is too likely to happen much. Security departments have a lot more to deal with than just securing locations from access. Our own computer department does, in fact, handle some of this (for our own areas, at least)--security keypads and our own alarm system.

    I work for a large auto parts distributor, and our security department doesn't even deal much with access security. They deal with investigations for sticky-fingered employees for the most part. They also deal with the more complicated theft rings, which usually involve state authorities due to dirty city cops being involved.

    This is WAY outside sysadmin territory, and I don't see them merging anytime soon.
  • by tlambert ( 566799 ) on Saturday September 07, 2002 @09:34PM (#4214302)
    My problem with this is that physical security is not a sinecure for technological problems.

    If this were *merely* to eliminate redundant management structures, it might be agreeable. But probably wouldn't be.

    As a former IBM employee, I've had to deal with the management of firewalls by a seperate security organization; the result was a minimum of six weeks to get a TCP port other than 80 opened, if it's permitted at all.

    XML was invented by IBM employees as a means of routing around these people by tunneling operations on port 80, which these people would permit by virtue of it being port 80, without concern for the content of the traffic over that port.

    Given encryption on storage media, both active and backup, and multiple site replication, physical security is more and more meaningless for information technology.

    IMO, eventually corporate networks will not exist at all, *except* as VPNs.

    At that point, "physical security" means sending armed guards out on business trips with every schmuck with a laptop, and posting them outside the homes and telecommuting centers of every remote worker.

    Frankly, a merger in this area feels more like the physical security people trying to defend against their increasing irrelevance, in the same way that RIAA and MPAA are attempting to defend their increasing irrelevance.

    -- Terry
  • Very simply, there are 2 main types of hack. One is untargetted (ie scan a netblock and see what happens) and targetted (hacking a specific target). Now type 1 is by far the most common, and paying a heap for physical network security is pointless as the hacker is just looking for an open port/service. On the other hand, the concerted hacker is doing it to get at you. If you increase physical network security, they will just look for another way in.

    The first principle behind hacking something is to attack the weakest point. In most cases the human factor is the weakest point. Social engineer a password out of a luser and you're on your way. In other cases it might be physical security. By increasing physical security of your network, you just push it further down the list of ways to get in.

    The truth is that a truly concerted, determined (and skilled) hacker will get into pretty much any system they want.

  • When we built the new building my company moved to, I did all the wiring / network design and had to liase with a security -type on how we were going to secure the building. I was pushing for a KISS principle of key trust (physical key not PGP key) exactly the same way that a retail store works; you have a manager who has the key to the joint and certain "keyholders" who are trusted. They lock and unlock the doors. Simple, elegant, and hard to beat. The consultant said "that's no good, you need a cardswipe system with maglocks on the doors" and he presented a spec that managment loved, sicne it had all those gee-whiz card sensors that went BLING! when you swiped your card. I looked at the spec during a meeting and said to the consultant: "These maglocks, they close (lock) when they are energized (have power applied to them), right?" him: "Yep" me: "So what happens when the power goes out?" him:"Errr...I'll get back to you" he gets back to me and assures me that there is room in the budget for a UPS that will keep the doors up for a long time. So we get the system, and one day (long weekend), the power goes out. No prob, my racks have APC RM UPS'es and everything gets shut down gracefully. I get warning bleeps on my SMS cell that power's out, I go, "So what, it's the weekend" and ignore it. 8 hours later the company president calls me up, says "WTF? Door's unlocked, anyone can walk in and take the 17" TFT on the receptionist's desk!" Me: "WTF?" Haul ass down there, take a look, pop my head in the ceiling to take a look at the door UPS

    I *can't* believe it! The security guy specs out an APC Back 250 UPS like you get at Costco for $80 The frickin door probably only stayed locked for, like, a half hour. The security guy though it would stay locked for days!

    I inserted my key into the deadbolt on the door (which I insisted on) and firmly closed the lock. The APC was replaced with a 1500 the next day.
  • 1. Physical Security, so that only autorized people get direct access to your hardware, including terminals, ports, routers, etc.

    2. Personnel Security, so that you reduce the chances that you've given authorization to an untrustworthy person.

    3. Computer/Network Security, to reduce the chances that unauthorized people get into your network from outside your facility, and to control the access that authorized users have to your systems.

    All 3 are needed. If one person isn't doing all 3 security jobs, then the different security people should be working together so that they don't accidentally work at cross-purposes.

    For example, one of the buildings on our site had been vacant for several months, so to save money physical security dropped the alarm monitoring and guard patrols when the contract was renewed. Two months later IT set up a new server farm in it,and didn't tell the physical security folks. One month after that, the servers went down and "walked away" over a three day weekend...
  • I don't think they will be a great loss of jobs, nor will guns be given to admins. More likely the management of both functions will be incorporated. I have consulted and managed security projects for my company and many clients. THe one item you usually have to work on with them is that the physical security is as important as the data security.
    Once you cross this hurdle and good well rounded security expert can approach a building, office or room and address everything from the points of entry to the servers.
    An example, when approaching a server room I look at the entry mechanism on the door, the hinges and jam. I look at the walls for material, thickness and accessiblity. Is the ceiling accessible? Once inside I look at the physical access to the hardware, the fire prevention equipment, etc. Then we move on to the data security. I have hired people that are experts in each field and they train each other.
    In the end you end up with a much more secure environment and the same workforce minus maybe one manager.

    I think this was inevitable.
  • "an attacker with physical access already has you owned"

    I usually feel a superiority complex when it comes to the "humor" and "wit" that normally accompany the average slashdot text, but this one has me stumped... Is this a really an old adage? Or is it some semi-subtle joke, using the relatively new term "owned" and calling a phrase with its usage an "old adage"?
  • Half a dozen in the other. Security in my mind is about protecting information assets, be they physical, electronic, or human. It all comes down to defining policy and implementing reasonable measures to enforce your policies. Some times the solution is physical, sometimes it is social, and sometimes it is 1s and 0s.

    At some high level, all of those elements should be combined into a single responsible entity. Whether the person in charge comes from a physical world or a data world does not matter, provided they have a talent pool from both worlds capable of enforcing their policy. I do not think the article intended to imply that we would see admins being asked to take a bullet (good luck!) or security guards expected to respond to the next Bind exploit (once again, good luck!).

    If however, on the off-chance my company wished to provide me with say, oh I don't know maybe a chain gun or a redeemer, I would be more than willing to sit in a tower and secure the physical perimeter for them.

  • but does this mean I can finally bring a gun to work?

    how about throwing MCSEs off the property? or hitting the new admin w/ a taser when he gives a user root so they can install software on their machine?

    ( gleefully rubbing hands together while entertaining thoughts )

  • My experience says me that a logical solution (keep crackers away.. etc etc...), has another counter logical solution agaist it (a way to reverse it, to put in plain text: crack it..). Why?, because otherwise it wouldn't be "a logical solution" in the first place.

    89 1 55 1 34 2 21 3 13 4 8 5
    which number shouldn't be there? (that's right, these numbers are the result of some logic, except one... which, I ask : ))

    (ps! Just becasue a logical solution maybe "simple", dosn't mean the counter logical solution should/would be the same)

    (PS nr2!! The point I want to make?? (If you haven't figured it out). Well then, you have some thing to make sense of then : ))

  • Physical security isn't just locks, although the realm of access-control alone is enough for an entire job when it comes to background knowledge. The notion that there is redundancy between physical and computer security specialists is insane. I've worked with a few physical security specialists, and I was utterly in awe of the various things they had to know. There are almost no overlaps, very few synergies, and frankly, I don't really care to know what the latest and greatest in door strikes and CCTV lenses are, so if I were asked to do double-duty, I'd be heading for the door before you could say "emergency exit."

Every cloud has a silver lining; you should have sold it, and bought titanium.

Working...