Monday, June 7, 2010

Weakness at the seam: electronic vs physical security

I noticed recently that government security blogger Bob Gourley is updating an article he originally published in 2003 titled “Cyber and Physical Security Unite”.  The article clearly remains relevant today.  In fact we have more to be concerned with today than before, particularly at the seam where electronic data meets the real world.

We need to be more intelligent about protecting electronic assets from physical threats, and not treat the two as separate issues.  Today, the practitioners in these two security spheres usually work independently.  As a result, some of the most vulnerable spots are to be found along the seam where the two intersect.

Computer IT experts focus on protecting data "on the wire" with firewalls, encryption, VPNs, IPS, etc.  This is all good.  Physical experts tend to look at perimeters.  Also good. 

The under-rated risk is where that electronic information enters the real world at the computer monitor.  The logical data protection control ends as the data is handed off to the physical world, where it can be viewed by anyone who happens to have physical access.  The rules governing who can view what in the electronic world are rarely matched with who has access in the physical world.

Think about your own work environment.  You have an access card to get into the building, and a password to access the company financials you use to do your job.  However, there is nothing to stop other employees from looking at your computer screen.  They have physical access to get into the building, but they don't have a need to see those sensitive financials.  It's a simple example of how physical and electronic protections are not working together.

We put more and more of our lives into electronic assets every day.  The value of protecting our data increases constantly, but social engineering and shoulder surfing are more serious today than ever.  Security practitioners need to admit that the risks go beyond just electronic, or just physical, and make sure they protect information at all points along the way.  If you are a security manager looking to protect computer screens against eavesdroppers, I urge you to look at Oculis Labs PrivateEye and Chameleon products.

3 comments:

  1. Wear special eyeglasses with encryption going in between them and the monitor, so that only the person wearing them can see the monitor; others see it blank or black. Science fiction, ha!
    I think it is doable... just think about it.

  2. Bill,

    Thanks much for citing my posting. Clearly one of the greatest examples of cyber and physical coming together is right at the screen. And I don't know of any other capability that does what Oculis Labs can do in protecting that incredibly important cyber and physical component.

    Bob
