Physical information security

Physical information security

Physical information security is concerned with physically protecting data and means to access that data (apart from protecting it electronically). Many individuals and companies place importance in protecting their information from a software and/or network perspective, but fewer devote resources to protecting data physically. However, physical attacks to acquire sensitive information do frequently occur. Sometimes these attacks are considered a type of social engineering.

Background

Many individuals and companies consider it important to protect their information for a variety of reasons, including financial, competitive, and privacy-related purposes. People who wish to obtain this information may be computer crackers, corporate spies, or other malicious individuals. This information may be directly beneficial to them, such as industrial secrets or credit card numbers. It may also be indirectly beneficial to them. For example, computer passwords do not have inherent value. However, they provide computer system access that may be used to get other information or to disable a person/company electronically. Sometimes these malicious individuals use electronic means or social engineering to gain information. However, sometimes they use direct physical attacks.

Examples of physical attacks to obtain information

There are several ways to obtain information through physical attacks or exploitations. A few examples are described below.

Dumpster diving

Dumpster diving is the practice of searching through the trash of an individual or business in attempt to obtain something useful. In the realm of information security, this frequently means looking for documents containing sensitive information. However, as more and more information is being stored electronically, it is becoming increasingly useful to those seeking information through this means to search for computer disks or other computer hardware which may contain data. Sometimes this data can be restored to provide a wealth of information.

Overt document stealing

Sometimes attackers will simply go into a building and take the information they need. Frequently when using this strategy, an attacker will masquerade as someone who belongs in the situation. The thief may pose as a copy room employee, remove a document from someone's desk, copy the document, replace the original, and leave with the copied document. Alternatively, the individual may pose as a janitor, systematically collecting information and "throwing it away." The individual may then be able to walk right out of the building with a trash bag containing documents that were left out in the open or a sticky note which had been left in a partially open desk drawer on which a user had written his/her passwords. [cite web | last = Granger | first = Sarah | title = Social Engineering Fundamentals, Part I: Hacker Tactics | publisher = Security Focus | date = 2001-12-18 | url = http://www.securityfocus.com/infocus/1527 | accessdate = 2006-08-27 ]

Common Physical Information Security Practices

There are many practices commonly used to decrease the possibility of success for these kind of attacks. Document shredding has become common, and the practice is still growing. Also electronic storage media are often prepared for disposal by purging, which erases files which may have been "deleted" by an operating system but never overwritten with other data.

Many choose to restrict access to areas where information is kept to those possessing a proper identification badge and/or other form of authorization. This attempts both to decrease the ease with which someone could access documents and to decrease the possibility of someone physically tampering with computer equipment. Along the same lines, many companies train their employees to physically protect documents and other sources of sensitive information on an individual level by locking the information in a file cabinet or by some other means. Also, companies request that employees memorize their passwords rather than writing them down as the paper with the password could be seen or stolen.

See also

*Physical security
*Social engineering
*Information security
*Computer security
*Computer insecurity

References

External links

* [http://www.securityfocus.com/infocus/1527 Social Engineering Fundamentals]


Wikimedia Foundation. 2010.

Игры ⚽ Нужен реферат?

Look at other dictionaries:

  • Information security — Components: or qualities, i.e., Confidentiality, Integrity and Availability (CIA). Information Systems are decomposed in three main portions, hardware, software and communications with the purpose to identify and apply information security… …   Wikipedia

  • Information security professionalism — is the set of knowledge that people working in Information security and similar fields (Information Assurance and Computer security) should have and eventually demonstrate through certifications from well respected organizations. It also… …   Wikipedia

  • Information security audit — An information security audit is an audit on the level of information security in an organization. Within the broad scope of auditing information security there are multiple type of audits, multiple objectives for different audits, etc. Most… …   Wikipedia

  • Extreme physical information — (EPI) is a principle, first described and formulated in 1998 Frieden, B. Roy Physics from Fisher Information: A Unification , 1st Ed. Cambridge University Press, ISBN 0 521 63167 X, pp328, 1998 ( [ref name= Frieden6 ] shows 2nd Ed.)] by B. Roy… …   Wikipedia

  • Chief information security officer — A chief information security officer (CISO) is the senior level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected. The… …   Wikipedia

  • Information diving — is the practice of recovering technical data, sometimes confidential or secret, from discarded material. In recent times, this has chiefly been from data storage elements in discarded computers, most notably recoverable data remaining on hard… …   Wikipedia

  • Security controls — are safeguards or countermeasures to avoid, counteract or minimize security risks. To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security… …   Wikipedia

  • Security engineering — is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts. It is similar to… …   Wikipedia

  • Security — is the condition of being protected against danger, loss, and criminals. In the general sense, security is a concept similar to safety. The nuance between the two is an added emphasis on being protected from dangers that originate from outside.… …   Wikipedia

  • Security convergence — is a term that refers to the convergence of two historically disparate security functions namely physical security and information security within enterprises. MotivationSecurity convergence is motivated by the recognition that corporate assets… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”