It is, however, important not to focus too much on locks and doors, because criminals are well practised at defying threat models. In response to car immobilisers, thieves started breaking into houses to steal the keys; a prolific burglar recently jailed in the UK defeated home security measures by removing tiles and cutting his way in through roofs.4 The less imaginative crook can always fall back on the tried-and-tested technique of smashing a hole through the drywall or a window. Many security officers will be aware of certifications such as the Common Criteria and their accompanying Evaluation Assurance Levels and will choose their equipment accordingly,5 but physical security items are often purchased by another department without information security being considered at all.

Physical security standards also exist. In the UK, for example, the Loss Prevention Certification Board (a collaboration amongst government, manufacturers and the insurance industry) tests the security claims of products to destruction according to Loss Prevention Standard 1175.6 The standard's security ratings run from 1 to 8: a product rated 1 resists entry for one minute against opportunistic attack with limited tools, while a product rated 8 is certified to resist entry for 20 minutes against professional attackers using extreme means and a wide range of tools, including electrically powered tools such as saws and drills. Just as security officers want to know exactly what a vendor means when it reports that a product is 'secure', physical security claims should be queried and tested. Penetration testing physical security by seeing how much effort it takes to defeat a door or window is unlikely to be popular at any business, so choosing products certified against the correct standard for one's country is important.
A physical security asset that is certified to withstand, for example, 10 minutes of attack allows more accurate incident-response plans to be developed: the organisation can check that the gap between a break-in being detected and key holders or law enforcement arriving at the scene is shorter than that certified time, and work to close the gap where it is not. Furthermore, certification standards help provide reasonable assurance to the organisation that its information assets are properly protected and allow some quantification of the organisation's ability to withstand an attack. Depending on the severity of the threat environment faced, the UK government's information risk assessment guidance (HMG Information Assurance Standard No. 1) refers to three levels of preparedness for computer systems: aware; detect and resist; and defend.7 This categorisation could equally apply to physical security. At a minimum, security officers should be aware of the limitations of their physical security (as the ancient Greeks advised, they should 'know themselves') and perhaps move sensitive assets to a different location or put compensating controls in place. Where sensitive assets are at risk, measures that will detect and resist attacks, i.e., those that are tamper-evident or alarmed, should be deployed. Finally, where assets are mission-critical, physical security measures that will defend those assets from unauthorised access for a certified period of time should be put in place.
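The comparison the article describes, certified resistance time against the detection-to-arrival gap, is easy to get wrong when an asset sits behind several barriers: only the delay the intruder still faces after the first alarm fires buys any response time. The following is an added example written for this edit, not code from the article or from any standards body. It models a path of barriers, each with a certified delay (the article quotes LPS 1175 rating 1 as one minute and rating 8 as 20 minutes; every other figure, layer name and the five-minute door below are constructed inputs), assumes an alarmed layer raises its alarm when the attack on it begins (as a shock or vibration sensor would), and assigns one of the three IS1-style tiers the article borrows.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Layer:
    """One barrier on the intruder's path to the asset."""
    name: str
    delay_minutes: float   # certified resistance time (LPS 1175 rating 1 = 1 min, rating 8 = 20 min)
    alarmed: bool = False  # assumption: an alarmed layer alerts as soon as it is attacked


def delay_after_detection(path: list[Layer]) -> Optional[float]:
    """Minutes of certified delay remaining once the first alarm has fired.

    Only barriers from the first alarmed layer onwards count: anything the
    intruder defeats before an alarm sounds buys no response time at all.
    Returns None when nothing on the path is alarmed (no real-time detection).
    """
    for i, layer in enumerate(path):
        if layer.alarmed:
            return sum(later.delay_minutes for later in path[i:])
    return None


def posture(path: list[Layer], response_minutes: float) -> str:
    """Classify the control set with the article's three tiers:
    'aware' (no detection), 'detect and resist' (detected, but responders
    arrive after the remaining delay is exhausted) and 'defend' (the certified
    delay after detection covers the response time)."""
    remaining = delay_after_detection(path)
    if remaining is None:
        return "aware"
    return "defend" if remaining >= response_minutes else "detect and resist"


def response_target(path: list[Layer]) -> Optional[float]:
    """Longest detection-to-arrival time an incident-response plan may allow
    and still reach 'defend'; None when there is no detection to plan around."""
    return delay_after_detection(path)


# Constructed example: a server room behind a fence, an alarmed rear door and a rated inner door.
SERVER_ROOM = [
    Layer("perimeter fence", delay_minutes=1.0),                 # assumed rating-1-class barrier
    Layer("rear fire door", delay_minutes=5.0, alarmed=True),    # assumed 5 min, shock sensor fitted
    Layer("server-room door", delay_minutes=20.0),               # LPS 1175 rating 8, 20 min
]

if __name__ == "__main__":
    for response in (15.0, 30.0):
        print(f"response {response:>4} min -> {posture(SERVER_ROOM, response)}")
    print("responders must arrive within", response_target(SERVER_ROOM), "min of the alarm")
```

Running it shows why the alarm's placement matters as much as the door's rating: the fence contributes nothing because it is crossed silently, so a 30-minute police response leaves the site at 'detect and resist' even though the inner door alone is certified for 20 minutes, whereas a 15-minute key-holder response reaches 'defend'.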
ENDNOTES
1 Schneier, Bruce; 'Mossad Hacked Syrian Official's Computer', Schneier on Security, 5 November 2009, www.schneier.com/blog/archives/2009/11/mossad_hacked_s.html
2 BBC News; 'Thousands Lose Vodafone Service', 28 February 2011, www.bbc.co.uk/news/technology-12595681
3 Laxton, Benjamin; Kai Wang; Stefan Savage; 'Reconsidering Physical Key Secrecy: Teleduplication Via Optical Decoding', Association for Computing Machinery (ACM) Conference on Computer and Communications Security (CCS), USA, October 2008, http://vision.ucsd.edu/~blaxton/sneakey.html
4 BBC News; 'Prison for "Crime Show" Burglar', 26 September 2008, http://news.bbc.co.uk/1/hi/england/nottinghamshire/7638909.stm
5 Common Criteria; www.commoncriteriaportal.org
6 Red Book Live; 'Physical Security of Buildings', www.redbooklive.com/page.jsp?id=306
7 National Technical Authority for Information Assurance; Her Majesty's Government Information Assurance (HMG IA) Standard No. 1, Technical Risk Assessment, issue 3.51, October 2009, UK, www.cesg.gov.uk/publications/media/policy/is1_risk_assessment.pdf