February 17, 2005, 3:11 PM — As information security professionals, we often spend much of our time working on network-related security problems, and can often forget that system security begins with physical security.
Physical security of a system is often one of the hardest and most expensive facets of information security. After all, to be truly secure, the information on the system must be cared for as a physical asset. You can run firewalls, anti-virus tools and all kinds of protection software on your computers and networks, but if an attacker can simply walk away with the hard disk or a back-up tape of the data, the game is lost without a single packet coming across the wire. (And you can forget those ideas of keeping all data encrypted all the time, most organizations don't have the resources, staffing or capability to come anywhere close to such a goal!)
If you don't have a formal data center, perhaps locking racks or a normal room with locking doors and an alarm system will fit your needs. Just remember, it is not just theft of the systems you must worry about. An attacker can use a boot disk or CD to quickly hijack data, so additional steps such as BIOS passwords, disabling CD drives and floppy disks as boot devices and other physical access control techniques are also recommended. Here's a great site for researching physical security techniques.
Spend a few minutes looking at the physical security of your systems and networks. Do they meet your cyber security posture? Do they provide for the safety of your data? If the answer is no, then your security team should probably take a step back to the basics and look for ways to grow the physical security of your systems. If the answer is yes, then have a nice lunch, relax, take a breath and get ready for the next onslaught of patches, exploits and packet floods