Handbook of Information Security Management: Computer Architecture and System Security


In Chapter 10-3-1 you will find practical information about physical security measures to protect microcomputers, particularly those that leave the office on business (notebooks and portables). However, awareness of current trends in computer theft will not only help you plan countermeasures, but also help you refine policy and provide timely security awareness training. The first point to note is that personal computers are now a commodity, like VCRs, camcorders, and stereos. This means they can be turned into cash very quickly, making them a target for casual thieves and those supporting drug habits. Because of their higher value-to-weight ratio, notebook computers are very popular with this type of thief.

More organized felons will target notebooks at locations such as airports, where there are rich pickings. For example, a popular tactic in recent years has been for two-person teams to steal notebooks at security check points. One thief waits until a notebook-bearing bag is placed on the conveyor belt to the X-ray machine, then holds up the line going through the metal detector (not hard to do). The accomplice waiting on the other side of the check point simply picks up the bag and departs.

While desktop systems in offices are sometimes targeted by the “smash and grab for cash” thief, the more serious risk may be sophisticated criminals stealing to order. Such thieves tend to target high-end equipment like graphics workstations, large monitors, and production-quality typesetters and color scanners. European offices seem to be particularly vulnerable due to the high demand and relative lack of resources in former Eastern bloc countries. On occasion, Scotland Yard has recovered trucks full of expensive Apple Macintosh desktop publishing equipment stolen to order and destined for Eastern Europe.

A slightly different combination of factors led to a rash of chip heists in the early 1990s. Shortages of memory chips resulted in high prices and led to several types of theft. Europe experienced a rash of thefts in which chips were removed from office systems. Employees arrived in the morning to find desktop computers torn apart (none too gracefully) and the memory chips removed. This represents a major blow to any organization (a charity for the elderly and the Automobile Association were two of the victims). No data processing can occur until the chips are replaced. Specification of chips for used equipment is no simple matter (there are many different types and many compatibility issues). Even if you can afford the high replacement cost, there may be delays obtaining chips; after all, the motive for the theft was high prices caused by a shortage.

A different type of theft occurred in chip-producing areas such as America’s Silicon Valley and Scotland’s Silicon Glen. This involved direct, and sometimes violent, attacks on chip factories and shipping facilities. However, the motivating factors were the same: memory chips are easily resold, hard to trace, and they can have a higher value-to-weight ratio than gold or platinum.

The point of these examples is that as an information systems security professional you need to be keenly aware of the current economics of both crime and computing. As this chapter is being written, memory prices are at an all-time low, reducing the incentive for chip theft, and possibly impacting your spending on countermeasures, relative to other threats. However, if prices suddenly rise again you will need to tighten security measures in this particular area.¹¹

¹¹ For example, case locks, building locks, increased surveillance.

Some specific microcomputer physical security measures to consider include:

1.  Good site security: this not only protects against theft, but also against vandalism, unauthorized access, and media removal.
2.  Case locks: these not only deter theft of internal components, but also protect BIOS-based security services, described elsewhere in this chapter.
3.  Documentation: you need to keep detailed records of all your hardware and software, including serial numbers, purchase dates, invoices, and so on. These records will be invaluable if you ever have to prove loss or reclaim stolen items that have been recovered.
4.  Insurance: computer equipment typically requires separate insurance or a special rider in your business insurance or office contents policy. Note that home contents policies often exclude computers used for work.
5.  Access controls and encryption: if a computer is stolen you would like to make it as difficult as possible for the person who ends up trying to use it to access the data that are stored on the system.

DESKTOP DATA BACKUP

Clearly, the single most effective technical strategy you can employ to defend the integrity and availability of computer-based data is making backup copies, often simply referred to as backup. This is standard doctrine for most information systems professionals, particularly those familiar with the mainframe environment, where backup is an integral part of computing. However, in the desktop environment, which is based on systems that have their origins in casual, even recreational use, the task of backing up is all too often neglected until it is too late.¹²

¹² A few years ago a manufacturer of data backup tapes, 3M Corp., did a survey about backup regimes and found that, of those respondents who regularly performed backups, some 80 percent only started to do so after they had lost data through lack of backup.
