Online Book Reader


CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [269]

a privilege or capability that you should not have, report it.

■ Never perform any activity that is unethical or illegal, even if not doing so will cost you the petty respect of your peers and/or your job.

■ Watch out for conflicts of interest and make them known to the security administrator when they occur.

■ The person who configures a system should not be the auditor.

■ The person who designs a system should not be the tester.

■ Only log on with your admin account when you actually need that level of access.

■ Log on as a normal user account for your daily activities.

■ Limit the use of admin accounts over the network; try to use them directly at the console/terminal to reduce the risk of eavesdropping.

Be aware of all of the policies that govern your behavior. Knowing what you are responsible for makes it much easier to comply. Ignorance is never a valid excuse when a violation occurs.

Keeping Physical Security Meaningful

It is difficult to overstress the importance of physical security. Physical security is controlling who can and cannot gain physical proximity to assets. It is a form of access control: defining who has access where and who doesn’t. Without physical access control, there is no security. Every technological security control can be overcome with the right tools or enough time. Even cryptography will fail eventually. Brute-force attacks are always successful, given enough time. But time itself is becoming an ever smaller relative value with the onset of massive parallel distributed processing. For example, with the services of distributed.net or its competitors, 10,000 computing hours can be harnessed in an hour of real time.

Two of the scariest issues today in terms of physical security are bootable portable OSs and hardware-based keystroke loggers. A bootable portable OS on a CD, a DVD, or a USB drive can fully bypass any OS-enforced security because it doesn’t allow the host OS to load! Without the host OS, no security is actually being enforced. In fact, the only security remaining is file- or drive-based encryption. Thus, an attacker can make copies of encrypted files and then take them elsewhere to break the encryption at their leisure.

Hardware-based keystroke loggers are another security nightmare. As mentioned earlier, these gadgets are available for under $100 and are designed to be unobtrusive to even the most observant of users. A few seconds to plant, a few seconds to extract days later, and presto! The attacker now has possession of your password-based logon credentials and anything else you might have. Your only protections are multifactor authentication and strong physical security.

To prevent the compromise of technological security, you must use good physical security. As an employee of any organization, it is part of your job to be aware and be suspicious.

To assist with the physical security of the company’s facilities, here are some suggestions:

■ Make sure that every time you unlock and open a door, you then close and relock it before you walk away.

■ If you discover an unlocked door that should be locked, report it immediately.

■ If you discover that a door’s locking mechanism has been damaged or tampered with, report it immediately.

■ If you discover a door propped open when it should be closed and locked, report it immediately.

■ Regularly take notice of whether windows are closed and locked; report any changes.

■ Regularly look at the security cameras in the area, and report it if their direction changes or if they become obstructed or damaged.

■ Get to know the faces of as many of your fellow employees as possible so you can spot outsiders or intruders.

■ If you see any suspicious activity, especially by personnel you do not recognize, report it.

■ Don’t hold open locked doors that require each person to self-authenticate.

■ Never allow anyone into a secured environment who does not have their authentication credentials, even if you think you know them.

■ Keep your keys, smart cards, and other access devices under your complete
