Physical Security
- Type
- Slides
- Tags
- physical security
- Authors
- Mark Seiden
- Event
- Chaos Communication Congress 21th (21C3) 2004
- Indexed on
- Mar 27, 2013
- URL
- http://events.ccc.de/congress/2004/fahrplan/files/315-physical-security-ccc-slides.pdf
- File name
- 315-physical-security-ccc-slides.pdf
- File size
- 1.6 MB
- MD5
- 0770f9263c71f2a11c8882e9ab9006f5
- SHA1
- 791ac4591e667370c05a4cedd3a55ef313fced90
Physical security is an oft-overlooked but critical prerequisite for good information security. Software has leaked into every aspect of modern life and now controls access to physical resources as well as to business and personal information. When critically examined, physical security policies and mechanisms have (perhaps have always) contained substantial snake oil components, including back doors, extensive use of protection by "security through obscurity", and piece solutions which ignore their environmental context or need to function in a system. Physical security is an oft-overlooked but critical prerequisite for good information security. A bad guy with a console root login can obviously adversely affect behavior in basic or profound ways, but it may not be obvious how a brief/seemingly limited physical exposure can result in complete breach of trust using today's spiffy and inexpensive attack tools (all available on eBay). Software has leaked into every aspect of modern life and now controls access to physical resources as well as to business and personal information. You might expect that, for example, a badge access control implementation would be as simple as the model seen by the user -- "wave the badge at the reader, and you're in (or not)", but by the time the coders are done, it's more than 200K lines of C, and as buggy as any other large program. I'll discuss some of these bugs, and one vendor's response to them. Another dirty little secret: When critically examined, physical security policies and mechanisms have (perhaps have always) contained substantial snake oil components, including back doors, extensive use of protection by "security through obscurity", and piece solutions which ignore their environmental context or need to function in a system. Typical excuses include "We're trying to raise the bar high enough to deter a typical burglar", "We don't think that attack is likely to occur", "We do better than locks and keys", and "That's not our problem". I'll talk about outsourcing and colocation facilities which present the perception (but seldom the actuality) of security, and more generally the problems and solutions involved in trusting outsiders to supply your physical security.
About us
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Statistics
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.
Contribute
To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.
