%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% N.I.A. %% %% Network Information Access %% %% 10MAR90 %% %% Lord Kalkin %% %% FILE #7 %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% :_Computers: Crime, Fraud, Waste Part 3 :_Written/Typed/Edited By: Lord Kalkin :_Information Security PHYSICAL SECURITY Traditional Security: Locks, Fences, and Guards Physical security once meant keeping a computer and its information from physical harm by surronding the computer facility with locks, fences, and guards. But physical security has changed to accomodate the realities of today's computer enviroment -- an enviroment that is often a typical office setting with many small computers, word processors, and portable terminals. Physical security is concerned with controls that protect against natural disasters ( e.g., fires, flood, or earthquakes ), and accidents. Physical security controls regulate the enviroment surrounding the computer, the data input, and the information products. In addition to the site where the computer equipment is housed, the enviroment includes program libraries, logs, records, magnetic media, backup storage areas, and utility rooms. Whether physical security controls are called enviromental controls, installation controls, or technical controls, they must be responsive to today's enviroment and they must be cost-effective. For exapmle, installing costly fire suppression may be essential to protect a large computer that process sensitive data but may not be justifiable to protect a single microcomputer. CRIMES, ABUSES, AND WASTE Computers have been shot, stabbed, stolen, and intentionally electrically shorted out. Disks and tapes have been destroyed by spilled beverages, and computers have been harmed by water leaks. Computers have been seriously damaged by temperature extremes, fire, electric power surges, natural disasters, and a host of accidents. Information has been intercepted, stolen, sold, and used for the personal gain of an individual or for the benefit of a company. - Small computers are an especially attractive target for thieves. - During a fire, disks stored in nonfireproof cabinets and floppy disks left next to computer terminals were destroyed by a sprinkler system. Thousands of dollars were spent reconstructing the information they contained. But accidents and ordinary contaminants are propably the major cause of damage to computers and realted equipment. COMPUTER GERMS: SPILLS, SMOKE, AND CRUMBS HEAT AND HUMIDITY CLUES The following clues can help indicate physical security vulnerabilities: 1. Smoking, eating, and drinking are permitted in the computer work area. 2. Computer equipment is left unattended in unlocked rooms or is otherwise unsecured. 3. There is no fire alert or fire protection system. 4. Disks are left in desk drawers; there are no backups of disks 5. Strangers are not questioned about being in the computer area. 6. An inventory of computer equipment or software in nonexistant, incomplete, never updated, or not verified after it is completed. Inventory shortages occur frequently. 7. Printouts, microfiche, or disks containing sensitive data are discarded as normal trash. 8. Locks which secure computer equipment or provide access to computer equipment are never changed. 9. No assessment is made of the computer site, i.e., how vulnerable is it to access by unauthorized persons, to fire or water damage, or to other disasters. "THIS PRINTOUT IS WORTH $$$$$!!! IT WILL GET ME INTO THE SYSTEM." PHYSICAL SECURITY CONTROLS 1. Prevent intentional damage, unauthorized use, or theft. Small computers can be locked or bolted to work stations and access to them limited by computer equipment cover locks. Lock offices where they are located. Ensure individuals are responsible and accountable for the small computer they use. If the information used by a goverment program is processed by a major computer facility, check to see how physical access to the facility and to related locations are controlled. Methods such as logs, locks, identifiers ( such as badges ), and guards may be appropriate. The input of sensitive information requires proper handling of source documents. Proper handling means giving the same security considerations to these documents whether they provide input to automated or nonautomated systems. Consideratiosn may involve securing the area, logging the documents, ensuring that only appropiate cleared persons see these documents, and using burn abgs or other approved disposal methods. Carefully consider computer location. Is it too accessible to unauthorized persons or susceptible to hazards? Alert Staff: Be aware of common access-gaining schemes, such as "piggy-backing," where an authorized worker is followed into the computer area by a stranger carrying an armload of computer printouts or by persons claiming to be maintenance workers. Know persons with authorized access to the computer area and challenge strangers. Many people believe that locked and guarded doors provide total physical protection. But electromagnatic emissions from other computers can be intercepted and automated information read. Recommended protections (e.g., equipment modification and shielding ) must take into the account the level of security required by the automated information and the fact that such an interception is rare, but mare occur. An inexpensive precautionary measure is makin Downloaded From P-80 International Information Systems 304-744-2253 12yrs+