Physical information security is the intersection of physical security and information security. It mainly concerns the protection of tangible information-related assets, such as computer systems and storage media, against physical, real-world threats such as unauthorized physical access, theft, fire and floods. It typically involves physical controls such as protective enclosures and locks, uninterruptible power supplies, and shredders. Information security controls in the physical domain complement those in the logical domain (such as encryption) and procedural or administrative controls (such as information security awareness and compliance with policies and laws).
Assets are inherently valuable and yet vulnerable to a wide variety of threats, both malicious (e.g. theft, arson) and accidental or natural (e.g. lost property, bush fires). If threats materialize and exploit those vulnerabilities, causing incidents, there are likely to be adverse impacts on the organizations or individuals who legitimately own and utilize the assets, varying from trivial to devastating. Security controls are intended to reduce the probability or frequency of occurrence and/or the severity of the impacts arising from incidents, thus protecting the value of the assets.
Physical security involves the use of controls such as smoke detectors, fire alarms and extinguishers, along with the laws, regulations, policies and procedures concerning their use. Barriers such as fences, walls and doors are obvious physical security controls, designed to deter or prevent unauthorized physical access to a controlled area, such as a home or office. The moats and battlements of medieval castles are classic examples of physical access controls, as are bank vaults and safes.
Information security controls protect the value of information assets, particularly the information itself (i.e. the intangible information content, data, intellectual property, knowledge, etc.), but also computer and telecommunications equipment, storage media (including paper and digital media), cables and other tangible information-related assets (such as computer power supplies). The corporate mantra "Our people are our greatest asset" is literally true in the sense that so-called knowledge workers qualify as extremely valuable, perhaps irreplaceable, information assets. Health and safety measures and even medical practice could therefore also be classed as physical information security controls, since they protect people against injury, disease and death. This perspective exemplifies the ubiquity and value of information. Modern human society relies heavily on information, and information has importance and value at a deeper, more fundamental level. In principle, the subcellular biochemical mechanisms that maintain the accuracy of DNA replication could even be classed as vital information security controls, given that genes are 'the information of life'.
Malicious actors who may benefit from physical access to information assets include computer crackers, corporate spies, and fraudsters. The value of information assets is self-evident in the case of, say, stolen laptops or servers that can be sold for cash, but the information content is often far more valuable, for example encryption keys or passwords (used to gain access to further systems and information), trade secrets and other intellectual property (inherently valuable, or valuable because of the commercial advantages they confer), and credit card numbers (used to commit identity fraud and further theft). Furthermore, the loss, theft or damage of computer systems, plus power interruptions, mechanical/electronic failures and other physical incidents, prevent them from being used, typically causing disruption and consequential costs or losses. Unauthorized disclosure of confidential information, and even the coercive threat of such disclosure, can be damaging, as seen in the Sony Pictures Entertainment hack at the end of 2014 and in numerous privacy breach incidents. Even in the absence of any evidence that disclosed personal information has actually been exploited, the very fact that it is no longer secured and under the control of its rightful owners is itself a potentially harmful privacy impact. Substantial fines, adverse publicity and reputational damage, and the other non-compliance penalties and impacts that flow from serious privacy breaches are best avoided, whatever the cause!
Examples of physical attacks to obtain information
There are several ways to obtain information through physical attacks or exploitation. A few examples are described below.
Dumpster diving
Dumpster diving is the practice of searching through trash in the hope of obtaining something valuable, such as information carelessly discarded on paper, computer disks or other hardware.
Overt access
Sometimes attackers will simply walk into a building and take the information they need. Frequently, when using this strategy, an attacker will masquerade as someone who belongs in the situation. They may pose as a copy room employee, remove a document from someone's desk, copy it, replace the original, and leave with the copy. Individuals pretending to be building maintenance staff may gain access to otherwise restricted spaces. They might walk right out of the building with a trash bag containing sensitive documents, carrying portable devices or storage media that were left out on desks, or perhaps just having memorized a password from a sticky note stuck to someone's computer screen or called out to a colleague across an open office.
Examples of physical information security controls
Literally shredding paper documents prior to their disposal is a commonplace physical information security control, intended to prevent the information content - if not the media - from falling into the wrong hands. Digital data can also be shredded in a figurative sense, either by being strongly encrypted or by being repeatedly overwritten until there is no realistic probability of the information ever being retrieved, even using sophisticated forensic analysis: this too constitutes a physical information security control, since the purged computer storage media can then be freely discarded or sold without compromising the original information content. The two techniques may be combined in high-security situations, where digital shredding of the data content is followed by physical destruction and/or incineration of the storage media.
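The overwrite form of digital shredding described above, as an added example that is not part of the article: the file's bytes are overwritten in place (random passes, then zeros, each flushed to the device) before the directory entry is removed, and a check confirms the original content can no longer be read back. The sample secret is constructed for the demo; the caveat about SSDs and copy-on-write filesystems is the editor's, not the article's.

```python
import os
import secrets
import tempfile
# Added example, not from the article: overwrite a file in place, then unlink it,
# the "figurative shredding" of digital data the text describes. Caveat (assumed,
# not from the article): on SSDs and copy-on-write/journaling filesystems new writes
# may land on other physical blocks, so disk encryption plus key destruction is safer.

def _overwrite_pass(fd, size, pattern=None, block=64 * 1024):
    """One full pass over the open file: random bytes if pattern is None, else the fixed pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(block, remaining)
        os.write(fd, secrets.token_bytes(n) if pattern is None else (pattern * n)[:n])
        remaining -= n
    os.fsync(fd)  # flush this pass to the device before the next one starts

def overwrite_file(path: str, random_passes: int = 2) -> int:
    """Overwrite the file with random data, then zeros. Returns the number of bytes covered."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(random_passes):
            _overwrite_pass(fd, size, None)
        _overwrite_pass(fd, size, b"\x00")
    finally:
        os.close(fd)
    return size

def shred_file(path: str) -> int:
    size = overwrite_file(path)  # content is gone before the name is
    os.remove(path)
    return size

def secret_still_present(path: str, secret: bytes) -> bool:
    with open(path, "rb") as f:
        return secret in f.read()

def demo() -> dict:
    """Constructed demo: a temp file with a made-up secret, overwritten, checked, then shredded."""
    secret = b"CONSTRUCTED SAMPLE SECRET: card number 0000-0000 (not real)"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret)
        path = tmp.name
    before = secret_still_present(path, secret)
    size = overwrite_file(path)
    after = secret_still_present(path, secret)
    shred_file(path)
    return {"size": size, "before": before, "after": after, "exists": os.path.exists(path)}
```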
Many organizations restrict physical access to controlled areas such as their offices by requiring people to present valid identification cards, proximity passes or physical keys. Provided that the access tokens or devices are themselves strictly controlled and secure (making it hard for unauthorized people to obtain, fabricate or use them), and the associated electronic or mechanical locks, doors, walls, barriers, etc. are sufficiently strong and complete, unauthorized physical entry to the controlled areas is prevented, protecting the information and other assets within. Likewise, office workers are generally encouraged or required to obey "clear desk" policies, protecting documents and other storage media (including portable IT devices) by tidying them away out of sight, perhaps in locked drawers, filing cabinets, safes or vaults according to the risk. Requiring workers to memorize their passwords rather than writing them down somewhere an onlooker (perhaps a colleague, visitor or intruder) might observe them is an example of risk avoidance.
Computers plainly need electrical power, hence they are vulnerable to issues such as power cuts, accidental disconnection, flat batteries, brown-outs, surges, spikes, electrical interference and electronic failures. Physical information security controls to address the associated risks include: fuses, no-break battery-backed power supplies, electrical generators, redundant power sources and cabling, "Do not remove" warning signs on plugs, surge protectors, power quality monitoring, spare batteries, professional design and installation of power circuits plus regular inspections/tests and preventive maintenance. It is ironic that so-called uninterruptible power supplies often lead to power interruptions if they are not adequately specified, designed, manufactured, used, managed or maintained - an illustration of the failure of a critical (physical) control.
See also
- Paper shredder
- Physical security
External links
- The Basics of Social Engineering
Source of the article : Wikipedia