Photo Credit: Thomas Hawk via Compfight cc
Physical security personnel constantly monitor all sorts of movements and activities of the occupants of the facility where I work. They observe employees as they arrive, work and leave. They check when contractors and workers of all types arrive to provide services, whether it is the landscapers or the plumbers or the mainframe service personnel. Visitors are signed in, picture IDs are checked, badges are issued, and employee escorts are identified and assigned. Numerous cameras watch over the parking lot, key hallways, and critical areas of the facility. And perhaps most importantly, security staff regularly patrol the premises, looking for any abnormal behavior, or any suspicious circumstances.
In the physical realm, decades of experience have given us established procedures for risk management. Further, this experience informs us regarding effective technologies, such as badges, cameras and patrols. Efficient and effective business can be conducted at the facility because these methods reduce the risk of exploitation of the facility or its personnel, and this protection is delivered in a non-intrusive way.
In the digital realm, however, the challenges are different, and the headlines contradict any expectation of order. Massive data breaches at retailers, smaller but more personally devastating breaches at hospitals and emergency rooms, and a continuous stream of vulnerability announcements undermine our sense of order and security in computing. A bewildering set of tools beckons for our attention to reduce the risk of future breaches. Anti-virus, encryption, authentication, monitoring, and intrusion detection only begin to categorize the areas an information security professional must oversee to control information security risk. And yet the physical realm has some simple but powerful concepts that also apply to the digital realm.
Three ideas from physical security can help us reduce risk to information. First, patrol your network. This means monitoring activity and being familiar enough with it that you can recognize new or abnormal activity. Normal business activity tends to produce repeatable, identifiable behavior that can be whitelisted and then set aside; build that whitelist from a period you have reason to believe was clean, and review it periodically, because anything already present when the baseline is taken will be treated as normal from then on. Second, investigate new activity that seems abnormal or out of place. This won't eliminate intrusions, but it can help you discover those that do not look like normal business traffic. Third, assess and challenge activity that doesn't meet your criteria for normal. This is the digital equivalent of preventing loitering, or asking whether a newcomer wandering aimlessly or suspiciously around your facility needs assistance.
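As an added illustration of the three steps (this is example code written for this page, not from the original post or any product it mentions), the script below builds a whitelist of "normal" flows from a baseline window, compares a later window against it, and ranks the deviations so the most suspicious ones are challenged first. The flow records are constructed NetFlow-style tuples with made-up addresses; the `min_count` threshold, the reason labels and the severity ordering are assumptions chosen for the example. A flow that appears only once in the baseline is deliberately not whitelisted, so a rare-but-legitimate activity surfaces for investigation rather than being silently accepted.

```python
"""Patrol, investigate, challenge: baseline-and-deviation check over flow records.

Added example for this article; addresses and flows are constructed, not real data.
"""
from collections import Counter

# Constructed sample flows: (src_ip, dst_ip, dst_port, proto). Hypothetical network.
# BASELINE_WINDOW stands in for a known-clean observation period.
BASELINE_WINDOW = [
    ("10.0.1.10", "10.0.0.5", 445, "tcp"),  # workstation -> file server
    ("10.0.1.10", "10.0.0.5", 445, "tcp"),
    ("10.0.1.10", "10.0.0.5", 445, "tcp"),
    ("10.0.1.11", "10.0.0.5", 445, "tcp"),
    ("10.0.1.11", "10.0.0.5", 445, "tcp"),
    ("10.0.1.10", "10.0.0.2", 53, "udp"),   # DNS
    ("10.0.1.10", "10.0.0.2", 53, "udp"),
    ("10.0.1.10", "10.0.0.2", 53, "udp"),
    ("10.0.1.11", "10.0.0.2", 53, "udp"),
    ("10.0.1.11", "10.0.0.2", 53, "udp"),
    ("10.0.1.10", "10.0.0.9", 443, "tcp"),  # intranet web app
    ("10.0.1.10", "10.0.0.9", 443, "tcp"),
    ("10.0.1.10", "10.0.0.9", 22, "tcp"),   # seen once: below min_count, not whitelisted
]

# CURRENT_WINDOW is the period being patrolled.
CURRENT_WINDOW = [
    ("10.0.1.10", "10.0.0.5", 445, "tcp"),       # normal, ignored
    ("10.0.1.11", "10.0.0.2", 53, "udp"),        # normal, ignored
    ("10.0.1.10", "10.0.0.9", 22, "tcp"),        # known hosts, service not in baseline
    ("10.0.1.12", "10.0.0.5", 445, "tcp"),       # source never seen before
    ("10.0.1.12", "10.0.0.5", 445, "tcp"),
    ("10.0.1.10", "203.0.113.7", 443, "tcp"),    # destination never seen before
    ("10.0.1.11", "10.0.0.9", 443, "tcp"),       # known service, new client for it
]

# Assumed ordering for the "challenge" step: unknown hosts outrank new ports on known hosts.
SEVERITY = {
    "new source host": 3,
    "new destination host": 3,
    "known hosts, new service": 2,
    "known service, new client": 1,
}


def build_baseline(records, min_count=2):
    """Whitelist flows repeated at least min_count times in the (assumed clean) window."""
    counts = Counter(records)
    return {flow for flow, n in counts.items() if n >= min_count}


def patrol(records, baseline):
    """Return flows in `records` absent from `baseline`, labelled and most suspicious first."""
    known_hosts = {f[0] for f in baseline} | {f[1] for f in baseline}
    known_services = {(f[1], f[2], f[3]) for f in baseline}
    findings = {}
    for flow in records:
        if flow in baseline:
            continue  # repeatable business traffic: set aside
        src, dst, port, proto = flow
        if src not in known_hosts:
            reason = "new source host"
        elif dst not in known_hosts:
            reason = "new destination host"
        elif (dst, port, proto) not in known_services:
            reason = "known hosts, new service"
        else:
            reason = "known service, new client"
        entry = findings.setdefault(flow, {"flow": flow, "reason": reason, "count": 0})
        entry["count"] += 1
    # Rank by severity, then by flow tuple so the order is deterministic.
    return sorted(findings.values(), key=lambda e: (-SEVERITY[e["reason"]], e["flow"]))


if __name__ == "__main__":
    whitelist = build_baseline(BASELINE_WINDOW)
    for finding in patrol(CURRENT_WINDOW, whitelist):
        src, dst, port, proto = finding["flow"]
        print(f"[{finding['reason']}] {src} -> {dst}:{port}/{proto} x{finding['count']}")
```

The whitelist is deliberately keyed on exact (source, destination, port, protocol) tuples; a production baseline would usually aggregate by subnet or role and add time-of-day, but the structure of the patrol is the same: anything that matches the baseline is set aside, anything that does not is labelled with why it deviates and handed to a person to challenge.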
Physical surveillance puts eyes on physical activity that might otherwise hide in the shadows. Once it is seen in plain sight, it can be addressed. Network surveillance can do the same in the digital realm. While specialized tools will still be needed, active network surveillance by trained personnel can de-mystify network activity, and bring abnormal network activity out of the shadows and into plain sight.