Physical Security

Slide 1

This security awareness training covers physical security.

Most of the training you are taking now is focused on information technology, and covers IT security topics like passwords and malware. However, poor physical security can often defeat the best IT security controls.

Today we will look at five common physical security problems, and easy and effective ways to avoid or prevent them. Two of the problems are related to the theft and misuse of printouts and technology. Three others are related to colorful terms that describe how unauthorized people often gain access to information, systems and facilities.

Slide 2

Printing a document copies information from its secure digital home to a physical piece of paper. At this point, the information is accessible to anyone who has physical access to the paper or its printer, which is often an entire building or floor full of people.

To protect sensitive information from being exposed at printer stations, it is important to either use printers in secure locations, or to quickly pick up materials printed in open locations. Printed materials left in open locations are at risk of theft, casual reading or another misuse.

Slide 3

Like printouts, unattended computers, phones and other technology are also at risk of being stolen or misused. Some technology is stolen so it can be resold or reused by thieves. Other technology is stolen so its information can be used to impersonate the owner, embarrass an organization, or expose the people an organization employs or serves.

Unattended technology can also be a threat even if it is not stolen. Criminals can quickly access phones to copy contacts, install malware, or make purchases. Criminals can also access unlocked computers to access bank accounts, install malware and access confidential materials.

The best defense against theft and misuse is to never leave your technology unattended, not even when you visit a restroom or service counter in a familiar location.

However, you should also plan as if your technology could be stolen. In this case, the best defense is the same whether you lose a laptop, phone, tablet or removable media like a thumb drive. That defense is the use of encryption to secure your data. Only encryption ensures that thieves cannot access the information on the technology they stole.

You should also use locking screensavers on computers, and automatic screen locks on phones and tablets. This defense prevents criminals from accessing your information, making purchases or money transfers in your name, or viewing the confidential materials you can access.

Slide 4

Which of the following actions improve safety from physical security attacks? Select all that apply, then click Submit.

That’s right!

Leaving jump drives in a desk drawer could create a security risk unless the drawer is locked. All other actions would improve safety from physical security attacks.

Click anywhere to continue.

Sorry, but that’s incorrect.

Leaving jump drives in a desk drawer could create a security risk unless the drawer is locked. All other actions would improve safety from physical security attacks.

Click anywhere to try again.

Slide 5

Now that we’ve seen ways to avoid the theft and misuse of printouts and technology, we’ll take a look at three common types of attacks people use to gain unauthorized access.

Printed material, technology and even removable media can be at risk even after they are no longer needed. Hackers and thieves can easily steal documents and digital files if they are simply thrown in the trash. In fact, the practice of stealing material from publicly-accessible trash bins is so common that it is known as “dumpster diving.”

Fortunately, the defenses against dumpster diving are easy to implement. All involve destruction before disposal. Confidential documents should be shredded or placed into shred bins for shedding before disposal. Similarly, storage technology, like hard drives and removable media, should also be destroyed by IT or private professionals before disposal.

Slide 6

Which of the following items should be given to your IT team for disposal? Select all that apply, then click submit.

That’s right!

You should dispose of paper documents and CDs using a shredder. Jump drives, tablets, laptops, and other storage technology should be disposed of by IT professionals. NEVER throw any of these items away!

Sorry, but that’s incorrect.

You should dispose of paper documents and CDs using a shredder. Jump drives, tablets, laptops,
and other storage technology should be disposed of by IT professionals. NEVER throw any of these items away!

Please try again.

Slide 7

Unfortunately, dumpster diving is not the only way hackers harvest information from public places. A second way hackers use to harvest information is to observe other people using technology in public places, both in person and with cameras. The information hackers gather this way includes data displayed on screens, how people unlock their phones, PINs typed into bank machines, and passwords typed into keyboards. Gathering information this way is known as “shoulder surfing” because the clearest view of what you are doing would come from someone standing directly behind your shoulders.

To prevent shoulder surfing you should use several defenses. First, always be aware of who is near you and whether or not anyone is paying attention to your activity. You should also look for cameras on walls, ceilings, furniture and other people’s phones. Second, turn your monitor and keyboard away from public areas if possible. Sitting with your back to an opaque wall is best. Third, use your hand to shield the pattern of keys or swipes you use to gain access and unlock devices from prying eyes.

When you are in your facility, you probably feel more secure about your technology then when you are in public. However, some hackers will also attempt to access facilities so they can steal or exploit your technology from the inside.

Slide 8

The most common way the protection a locked door offers breaks down occurs when an authorized employee opens a door and an unauthorized person slips in behind. This technique is so common that it is called “tailgating” or “piggybacking,” and is frequently used when a thief or hacker wants to steal or access something specific on your premises. The root cause of tailgating is courtesy. Courteous people hold doors for other people, especially if the other person is carrying a load. A trespasser can easily take advantage of this courtesy by appearing to be a coworker with their arms full of business materials.

Defending against tailgating requires a widespread but simple change in behavior. The change is to require every unknown person who reaches a secure door to use their own key or badge to confirm they have the right to pass through. This behavior is often called a “badge check” and is a common best practice at secure sites whether or not information assets are at risk.

Slide 9

In the last few minutes, we learned how to avoid the theft and misuse of printed materials and unattended technology. We also learned how to prevent dumpster diving, shoulder surfing and tailgating, which are all common ways that unauthorized people access information, systems and facilities.

Please take a moment to review these takeaways, and then click “continue” to complete the module.