Briefcase chained to his wrist, the officer cautiously looks for anything out of the ordinary as he makes his way purposefully to a black vehicle with government plates. You would think he might relax with two armed men flanking him and another waiting at the car but his rigorous training keeps him focused. The thought of the coded orders he protects falling into another’s hands reminds him of the need to stay alert.
The scene depicted here highlights the importance the government places on data being transported. Organizations also transport valuable data but too often little is done to protect it. The scene above is an extreme case. Shareholders do not expect companies to go to that same length to protect each hard drive or backup tape but they do expect reasonable physical security measures to be taken to protect data in transit.
Physical security is a major component of information security. Physical security encompasses the actions taken to prevent attackers from accessing equipment, facilities, and other resources where data is stored, shared, or worked with. Physical security is often likened to a castle. Whereas a castle has tall walls, a moat, drawbridge, gate, guards, and lookouts, physical security systems likewise have cameras, sensors, guards, walls, authentication devices, GPS, and many other technologies.
Physical security needs to be in place for assets in transit. For example, a store manager wouldn’t toss bundles of cash into his trunk to transport to the bank. This would be much too risky. Rather, the money is picked up by armored car. Why then is valuable data often transported with little or no thought to security? The evidence of such activity is profuse. Stolen tapes, lost hard drives, and flash drives containing valuable company information or private customer data fall into the wrong hands, making headlines in the process.
This is why organizations need to recognize the importance of physical security, not only for data in facilities, datacenters, offices, or storehouses, but in situations where devices containing data are being transported. Such situations might include transporting backup tapes off-site or distributing data on optical storage or flash media.
Using the Same Password for Multiple Accounts
Using the same password for multiple sites can lead to a compromised account on any of the sites. For example, if you use the same username and password on eBay and buystuff.com, then your username and password for eBay are essentially stored in a database at buystuff.com. If there is a malicious individual at buystuff.com or if buystuff.com gets hacked, your eBay account could be compromised as well, because malicious people will try the username and password combination they know at many common locations. This could lead to quite a few unauthorized bids and a big headache.
This article looks at ways to provide physical security for data in transit. Physical security protects against incidents such as:
- Backup tape damage
- Hard drive damage
- Media theft
- Media interception
- Media duplication
Backup Tape Damage
Backup tapes are a form of magnetic media and they can be easily damaged. Electromagnetic waves can scramble the data on a tape, and physical impact, such as dropping a tape, can damage the media or the mechanisms inside the tape housing. Organizations should protect against backup tape damage by requiring tapes to be stored in their plastic clamshells and to be transported in a padded case.
Those transporting tapes need to be careful not to expose the tapes to magnetic fields or devices that generate large amounts of electromagnetic waves such as speakers or subwoofers. Those handling tapes should be trained not to touch the magnetic media inside the tape as oils from a person’s skin will interfere with the ability of backup devices to read and write to the tape.
Lastly, tapes should be protected against the elements. The transport case should be water resistant in case tapes are transported in the rain.
Hard Drive Damage
Similarly, hard drives need to be protected in transit. A hard drive is made up of round platters that store data on both sides. Small devices called heads glide very close to the surface of these platters to read the information stored on the magnetic platter. If a hard drive is struck or jolted back and forth, these heads may scrape against the platter, damaging the data stored in those locations and possibly the head as well. Care should be taken when transporting hard drives. Drives should be transported in protective cases that give the drive some degree of protection from shock if it is dropped.
Drives can also be damaged by static electricity. People absorb and discharge electrons as they come into contact with other objects. Normally the absorption or discharge is too small for a person to take note of but occasionally a person might feel a static shock. Computer equipment can be damaged by a much smaller amount of static electricity so a person could damage the electronics in a hard drive without even knowing it. Antistatic bags decrease the chance of static electricity being discharged into the drive electronics and they should be used whenever a drive is transported.
Media Theft
Theft is a concern for media being transported, be it tape, hard drive, flash drive, or some other storage device. Controls in this area could be as simple as locks on tape or drive transport units or something more complex like GPS tracking devices or switches that demagnetize media if stolen. Additionally, the transport method could be obscured to make thieves unaware that data is being transported. Transport devices could be made to look like a standard briefcase or, if small enough, could be slipped inside a backpack.
Pictures and names of employees authorized to transport media should be provided to locations that have guards on duty and those guards should check identification before allowing personnel to leave carrying media.
Media Interception
Media interception is another area where physical controls are needed. If data is sent via postal mail, ensure that mailboxes can be opened only by postal service workers. Media packaging should be tamper resistant. Such packaging can only be opened once because the process of opening the package renders it useless. After that the package cannot be reassembled without providing clear evidence of the tampering. Tracking should be used on packages and a signature required upon receipt.
Media Duplication
Transported media needs to be secured at all times. Thieves who have access to the media for a sufficient amount of time could make copies of data or some portion of it. Sign out and check in procedures will not protect against a copy because the original media will still be present when checked in. For this reason, those transporting media should not make unrelated stops along the way to their destination. This means no coffee breaks, window shopping, or picking up groceries along the way. Needless to say, media should not reside in an insecure location on its way to the destination such as storing tapes in the trunk of a car while picking up kids from school or leaving a hard drive in a briefcase overnight to avoid an extra trip to the office. These situations create opportunities for theft.
Controls in this area can take the form of transport procedures, sign in and sign out procedures and audits to ensure that media leaves and arrives in the appropriate amount of time. Transports that take too long could be cause for concern.
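The audit described above can be automated against the sign-out and check-in records. The following Python sketch is an added example, not part of the original article; the log format, media IDs, route names, per-route time limits, and the courier-consistency check are all assumptions made for illustration.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample custody log (not real data): one row per event.
SAMPLE_LOG = """media_id,event,timestamp,courier,route
TAPE-0041,sign_out,2024-03-04T08:00,courier_a,hq-to-vault
TAPE-0041,check_in,2024-03-04T08:40,courier_a,hq-to-vault
TAPE-0042,sign_out,2024-03-04T08:05,courier_b,hq-to-vault
TAPE-0042,check_in,2024-03-04T10:20,courier_b,hq-to-vault
HDD-0007,sign_out,2024-03-04T09:00,courier_a,hq-to-branch
TAPE-0043,sign_out,2024-03-04T09:30,courier_c,hq-to-vault
TAPE-0043,check_in,2024-03-04T10:05,courier_d,hq-to-vault
"""

# Assumed per-route transit limits (hypothetical policy values).
MAX_TRANSIT = {"hq-to-vault": timedelta(minutes=45),
               "hq-to-branch": timedelta(minutes=90)}

def audit_transports(log_text, now):
    """Return sorted (media_id, finding) tuples for transports needing review."""
    open_trips, findings = {}, []
    rows = sorted(csv.DictReader(StringIO(log_text)), key=lambda r: r["timestamp"])
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        media = row["media_id"]
        if row["event"] == "sign_out":
            if media in open_trips:
                findings.append((media, "signed out twice without check-in"))
            open_trips[media] = (ts, row["courier"], row["route"])
        elif row["event"] == "check_in":
            if media not in open_trips:
                findings.append((media, "check-in without sign-out"))
                continue
            out_ts, courier, route = open_trips.pop(media)
            if ts - out_ts > MAX_TRANSIT[route]:
                findings.append((media, "transit exceeded limit"))
            if row["courier"] != courier:
                findings.append((media, "courier changed in transit"))
    # Media still signed out past the route limit has not arrived on time.
    for media, (out_ts, _, route) in open_trips.items():
        if now - out_ts > MAX_TRANSIT[route]:
            findings.append((media, "overdue, not checked in"))
    return sorted(findings)

if __name__ == "__main__":
    for media, finding in audit_transports(SAMPLE_LOG, datetime(2024, 3, 4, 12, 0)):
        print(f"{media}: {finding}")
```

A finding here is a prompt for follow-up with the courier, since a long transit shows only that there was opportunity for duplication, not that it occurred.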
Most of the controls mentioned here can be implemented at nominal cost to improve security for data in transit. Along with these physical controls, operational controls should be implemented to enforce usage of the physical controls and those transporting data should be trained on the use of physical controls.