Even companies with the most modern network security standards can remain vulnerable to some physical -- and decidedly low-tech -- threats that networking professionals must consider when developing corporate security standards.
Physical network security standards should be applied to everything from how old servers are treated at end-of-life to how the new voicemail system operates, because anything could prove a potential security hole. Companies must develop best practices in-house for recognizing and mitigating these threats.
"There's really no way I can write a document to protect you from risk," said Anton Chuvakin, a security author and blogger who's covered standards like the Payment Card Industry (PCI) Data Security Standard extensively. "I might not think about mandating locking your office, for example, because I live in New York City so I would never consider not locking my office."
While no "definitive" guide to risks can be written, it is possible to determine the risk areas for your enterprise -- any place where sensitive data is stored -- and then begin securing, or eliminating, those.
Getting started with physical security
A good source of inspiration might be a common standard, like PCI.
"The PCI standard is fairly comprehensive, with a 60-page document," said Charles Wu, president of CTI, a vendor of networking and telecom services and equipment. Many of the pages of that security standard cover best practices for physical security, ranging from restricting physical access to wireless access points (APs) to keeping security camera footage of sensitive locations logged for three months.
"It's like you're reading the traffic laws," Wu said. "For a network guy, when you really look into it, it's like having a firewall. It's really not that hard to do."
More complete security really requires going back, however, and evaluating sources of risk, looking at where sensitive data is coming in, and where it is being stored.
The PCI standard, for example, does not cover voicemails, where customers might leave their credit card information, Chuvakin said.
"It's such a side angle," he said. "But the threats are very real."
One often-overlooked way of reducing these threats, Chuvakin suggested, is to tweak business processes slightly to reduce possible avenues of attack or misadventure.
For example, if a company still takes some orders via fax, network security managers should push to eliminate the practice. Faxed orders can leave sensitive data sitting out exposed in a mailroom.
"Maybe you can adjust your processes just a little bit and the data is no longer stored there, so instead of 10 places you only have to protect in five places," Chuvakin said. "That really halves your efforts and expenses."
It's also important to stay on top of new business processes, like the aforementioned voicemail example. Many systems now send voicemails straight to email, opening up potential new avenues for risk.
"In PCI, that's not missed, it's just out of scope," Chuvakin said. "But if you're doing your own risk assessment, you have to think about it."