How to prevent your laptop from getting stolen; or just taking Physical Access Control seriously

There’s a very important lesson that sometimes gets forgotten when it comes to securing information. Even after a wide range of security controls has been implemented, such as firewalls or anti-virus programs, an attacker can still get access to an asset if physical security is neglected. Physical Access Control describes the mechanisms for admitting and denying a user access to your environment. It can be considered the first line of defense and should be a top priority for any organization. But sometimes securing physical access to an organization’s building can fall to the bottom of the list of business priorities, as can be seen from the video below.

The video above is the CCTV footage of someone supposedly stealing a laptop at a radio station. The suspect was said to have snuck into the office when the owner of the laptop stepped out. The suspect also left fake contact details at the gate. From the video, we can clearly see him checking if the coast was clear before covering the laptop in a shirt and putting it into a bag.
From the video, I would like to highlight three critical elements of Physical Access controls that were neglected or not properly implemented.

Door Access
The first question is: why was the office not locked? The last person to leave the office should have locked it. This is common sense and also good practice, especially in offices that have a lot of traffic and have devices lying around. This also leads to other questions, such as: does the door even have a lock? If it does, what kind of lock is it? Most conventional locks are susceptible to a bump key attack. A bump key is a normal key that has been filed down to fit into a lock; the key is inserted into the lock and pulled out one notch. When the key is tapped, it causes the pins in the lock to align and then unlock the door. Suffice it to say the type of lock used should depend on the area your building is in and the crime rate. But at a minimum, a lock should have been in place and the last person to leave the office should have ensured that it was locked.

While it’s not necessary to have guards in the building, they should be at the gate checking anyone entering or leaving the premises. The proper practice is to have the guards at the gate verify that a visitor is expected at the facility and then typically give them a “visitor” ID badge to be worn at all times. Also, staff are to have their own ID badges worn at all times. This helps to identify everyone on the premises, so a visitor can be easily spotted when loitering around areas that they shouldn’t be in. But most importantly, the guards at the gate will monitor persons leaving the facility and try to ensure that equipment is not being stolen from the facility. Clearly, this was not done. Aside from signing a register, the guards at the gate should have been verifying equipment brought in or taken out of the premises.

A lot of places today are still without CCTV, hence we must commend this organization for implementing this security control. In other climes this is usually sufficient to apprehend the suspect, as the image of the suspect can be queried against a database and his details obtained. But in our context, where identification and documentation of citizens is still a huge challenge, it would have been better if the CCTV was actively monitored by security personnel. This would have served as a detective control and alerted others to the theft while it was in progress.

Finally, I urge the organization to look into its business processes with a view to adopting more robust physical access security.
