21C3 Schedule (Fahrplan) Version 1.1.7

21st Chaos Communication Congress
Lectures and Workshops

Speakers
Mark Seiden
Barry
Schedule
Day 2
Location Saal 1
Start 20:00
Duration 02:00
INFO
ID 130
Type Lecture
Track Hacking
Language English

Physical Security

The Good, the Bad and the Ugly

Physical security is an oft-overlooked but critical prerequisite for good information security. Software has leaked into every aspect of modern life and now controls access to physical resources as well as to business and personal information. When critically examined, physical security policies and mechanisms have (perhaps have always) contained substantial snake oil components, including back doors, extensive use of protection by "security through obscurity", and piece solutions which ignore their environmental context or need to function in a system.

Physical security is an oft-overlooked but critical prerequisite for good information security. A bad guy with a console root login can obviously adversely affect behavior in basic or profound ways, but it may not be obvious how a brief/seemingly limited physical exposure can result in complete breach of trust using today's spiffy and inexpensive attack tools (all available on eBay).

Software has leaked into every aspect of modern life and now controls access to physical resources as well as to business and personal information. You might expect that, for example, a badge access control implementation would be as simple as the model seen by the user -- "wave the badge at the reader, and you're in (or not)", but by the time the coders are done, it's more than 200K lines of C, and as buggy as any other large program. I'll discuss some of these bugs, and one vendor's response to them.

Another dirty little secret: When critically examined, physical security policies and mechanisms have (perhaps have always) contained substantial snake oil components, including back doors, extensive use of protection by "security through obscurity", and piece solutions which ignore their environmental context or need to function in a system. Typical excuses include "We're trying to raise the bar high enough to deter a typical burglar", "We don't think that attack is likely to occur", "We do better than locks and keys", and "That's not our problem". I'll talk about outsourcing and colocation facilities which present the perception (but seldom the actuality) of security, and more generally the problems and solutions involved in trusting outsiders to supply your physical security.
