“‘Twas the night before Christmas, when all thro’ the house, Not a creature was stirring, not even a mouse;”. These classic words from The Night Before Christmas, first published in 1823, evoke images and emotions from our childhood of a time when we believed anything was possible and we were only limited by our wildest imaginations. As a child, the idea of Santa coming down the chimney with presents for me and my family was something I longed for every year. However, as an adult and the illusion of Santa shattered many many years ago I find that this lovely poem and the magical bearded man in red not only can remind us of our childhood but can also help us understand some basic cybersecurity principles and ideas around the topic of physical security as well.
While Santa may have a magical disposition for ‘breaking and entering’, we are not completely helpless in stopping him from getting into our homes. We can lock the doors, cover chimneys, and shutter the blinds along with other proactive measures. . . OK, ok, maybe we don’t need to take such drastic measures for Santa but we definitely need to be thinking this way about the physical security of our school districts. Physical security can seem relatively straightforward to understand, however, in practice it can be difficult to fully implement, and oftentimes it is either overlooked entirely or old and outdated with little care or maintenance to systems, devices, or policies. This neglect of physical security can lead to some unintended consequences including weakening our district’s cybersecurity and while it may not seem like it at first glance, physical security and cybersecurity actually go hand in hand. So much in fact that in order to have a robust cybersecurity practice implemented means that you must also have strong physical security in place as well.
But cybersecurity is all digital, how does physical security strengthen our cybersecurity? Let’s illustrate this question with a simple but rather practical example. Your district has fully implemented the world’s greatest cybersecurity solution and all training and policies are up to date. If an attacker gets into the building and the network closet is unlocked, nothing is stopping them from going in and removing the servers or switches that you have worked so hard to protect. The best cybersecurity in the world would not be able to stop that attacker. What’s even crazier is that while this example may seem like an oversimplification and not a real world scenario, we, Forward Edge, actually have data to back it up. In our comprehensive assessment we ask the question “Is the MDF/IDF behind a locking door/cabinet?” with possible answers of 0%, 25%, 50%, and 100%. 0% meaning no MDFs or IDFs are behind a locking door or cabinet and 100% meaning all MDFs and IDFs are behind locking doors or cabinets. From our data, we see that less than half (43%) of districts that have been assessed have MDFs and IDFs that are 100% behind locking doors or cabinets leaving 57% of districts assessed vulnerable to the scenario explained earlier.
So we understand now why physical security is important but how can we implement better physical security for our district? The easiest and most effective way to start improving your physical security is to start with the easy “low hanging fruit” of doors, locks, and access control. The truth is that most attackers are lazy and will look for the easiest items first. The harder you make their job the less likely they will pick that as a target. So on a practical level make a list of all MDFs and IDFs and start by looking at what is behind a locking mechanism and what is not behind one. If everything is behind something that locks, try to get into something with a lock without a key and see if you can do so. If you can, you probably want to invest in better locks. If you can’t access them without a key of some kind, next think about who all has a key or a way to access those areas. If you find that the school nurse has access to the MDFs then you may want to re-think your access control strategy.
Now it’s important to note that physical security not only protects your physical assets but also your most important assets: people, teachers, students, staff, as well. So if you find that some physical security is lacking in your district make sure to involve the superintendent, treasurer, custodians, maintenance or whoever else may need to be involved and create a plan to better secure the district. “All major theme parks have delays. When they opened Disneyland in 1956, nothing worked!; Yeah, but John, if The Pirates of the Caribbean breaks down, the pirates don’t eat the tourists.” While we don’t have dinosaurs in our districts, this point made by Ian Malcom from the classic movie Jurassic Park does hold some truth when it comes to physical security. We would not want to compromise learning or anything else because our district’s physical security was non-existent when it was needed the most.
Beyond the basic security principles that we have covered, we can take our physical security up to the next level with a good security camera system and ingress and egress monitors and sensors. Security cameras are an important part of the physical security topology and allow us to monitor and record events and people for a better understanding of what is happening in our environments. Higher-end security camera systems may even offer features like alerts when motion is detected between a certain time frame in a certain area. They often even act as a deterrent causing attackers to think twice before taking any action. Ingress and egress sensors then allow you to monitor physical traffic in and out of buildings or specific areas with the ability to alert or sound an alarm when the sensor is activated when activity is detected when or where it shouldn’t be. Mantraps, turnstiles, and RFID entry badges are also ways to control ingress and egress and are often monitored by a receptionist or other security personnel. For parents and other visitors coming into schools, some systems can scan driver’s licenses to check for any unauthorized people coming into the building, such as a former disgruntled employee or a non-family member, or an unauthorized person picking up a student from school. These controls step up the physical security allowing for real-time monitoring and alerting for an activity that is defined as abnormal or not expected in the district.
After stepping up your physical security in the district it is important to communicate any new expectations, policies, and procedures to the staff and anyone in the district. Remember, your physical security is only as strong as your weakest link. If your front doors are locked with 10 deadbolts, 3 security cameras, and a man trap but one of the custodians leave the door by the dumpsters propped open unattended during the school day then all of that front door security is useless and the district just wasted money on nothing more than expensive paperweights. Likewise, if a staff member holds the door open for a non-employee and lets that person in the building all of those front door security controls again become nothing more than expensive paperweights. Proper and frequent training is important for physical security controls to be the most effective. This means training staff not only on proper do’s and don’ts but also on things like how to recognize and report social engineering and deception attempts like tailgating and piggybacking.
Just like every heist movie ever made, looking at you Ocean’s 11 – 54, we don’t want to wait for an attacker to be the ones testing our physical security and defenses and instead proactively examine our physical security and create a plan to update, upgrade, or overhaul the current security measures of our districts. Physical security is a key part of making our cybersecurity posture stronger and more resilient. With the proper security controls and training in place, we can in turn keep our physical assets, digital assets, and people safer and more secure. Lastly, have a happy and safe holiday! Enjoy spending time with family and friends. By the way, my favorite Christmas movie is Christmas Vacation because it’s so ridiculous yet so unavoidably possible with my favorite line being “She falls in a well, eyes go cross. She gets kicked by a mule. They go back to normal. I don’t know.” Good luck with your own cousin Eddie and I’ll see you back next year!
Informational Article was written by Forward Edge Cyber Engineer: Brice Dickinson