Physical security, and social engineering in particular, is one of the weakest points in a company. Why? Social engineering preys on people, not technology. However good your network security is, your employees can still be exploited, because people do not come with antivirus scanners. People are brought up to be helpful, and that is exactly what gets exploited. Only IT-security awareness training can counter social engineering.
Dumpster diving is simply someone going through your rubbish in an attempt to find confidential records. Bank statements, employee records and more can be used to find weaknesses in your networks as well as for identity theft.
Protect your server
If you have a server room, make sure it’s secure by having a strong lock. If you can afford it, use biometric security or a smart card for access. Aim for two hurdles before anyone can get near your server-room door. It’s also important to think about its location – is it, for example, close to a river, in a basement or near a kitchen?
Put removable media in a safe
USB drives, external hard drives, hard drives, CDs, DVDs, floppy discs, tapes and so on should be stored in a safe as well as encrypted; never leave them on your desk, where they can be swooped up in seconds.
Destroy removable media, laptops and computers
Before disposing of removable media, laptops, hard drives or desktop computers, ensure the data is purged, either by shredding the device physically or by overwriting the data before it leaves your hands. Formatting is not sufficient, as it does not always remove the data.
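The point that formatting leaves data behind while a full overwrite does not can be seen on a constructed disk image. This is an added illustration, not part of the original article: it builds a small image with a made-up "allocation table" region and a payload in the data region, mimics a quick format by zeroing only the metadata sectors, and then does a full overwrite; a byte search shows the payload survives the first step but not the second.

```python
import os
import tempfile

SECTOR = 512
META_SECTORS = 4          # constructed: the first 4 sectors play the role of the allocation table/directory
IMAGE_SECTORS = 64        # constructed: a 32 KiB "disk"


def make_image(path, payload):
    """Write a constructed image: fake directory entry in the metadata region, payload in the data region."""
    image = bytearray(SECTOR * IMAGE_SECTORS)
    image[0:16] = b"FAKE-DIR:payroll"                 # stand-in for a directory entry
    offset = SECTOR * (META_SECTORS + 10)             # payload lives well inside the data region
    image[offset:offset + len(payload)] = payload
    with open(path, "wb") as f:
        f.write(image)


def quick_format(path):
    """Mimic a quick format: only the metadata sectors are zeroed, the data region is untouched."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR * META_SECTORS)


def secure_overwrite(path, passes=1):
    """Overwrite every byte of the image with random data; one full pass already removes the payload."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 20)
                f.write(os.urandom(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())


def contains(path, needle):
    """Simple carving check: does the raw image still contain the byte string?"""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    """Returns (payload_found_after_quick_format, payload_found_after_overwrite)."""
    payload = b"CONSTRUCTED PAYROLL RECORD: J. Smith 45,000"   # made-up sample data
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "disk.img")
        make_image(img, payload)
        quick_format(img)
        after_format = contains(img, payload)      # True: the bytes are still there to be carved out
        secure_overwrite(img)
        after_wipe = contains(img, payload)        # False: every byte has been replaced
    return after_format, after_wipe
```

On flash media (SSDs, USB sticks) wear levelling can keep copies of data in blocks the operating system cannot address, so even a full overwrite is not a guarantee there; the drive's own secure-erase command, or full-disk encryption followed by destroying the key, is the usual answer.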
Keep ports, routers, hubs and switches out of sight
Open ports scream out "plug something into me", and for a hacker that is a great start. Any port of any sort can be used to connect to your company network. Ensure all ports and network devices are hidden and under lock and key. A lockable comms cupboard is a good start.
Password-protect the BIOS (basic input/output system)
The BIOS is a tiny basic operating system that sits on a computer's motherboard and lets the components inside the computer communicate. It is a good idea to password-protect the BIOS to stop people changing settings such as the boot device.
Question/ID all visitors
Social engineers can easily pass as anyone. Don a fluorescent jacket and people think you are the ultimate authority. Just because someone turns up at your office with paperwork, tools and a fluorescent jacket does not mean they are genuine. Ask for identification, check the entry logs and call the person who booked him or her.
Lock PC and laptops
Lock your computers down with a computer-locking kit; this stops, or at least slows down, attempted thefts. The same applies to laptops, where a lockable docking station will do. A thief with giant bolt cutters will probably get through the cables, but every little helps: in the meantime someone might notice and apprehend them.
Lock your door
Never have an open-door policy, as anyone can simply walk in the door and steal what he or she likes. A smart card is an excellent idea, but never put the company's name on it: if it is stolen, nobody will know where it came from. It is also a good idea to install CCTV at key entrances and exits, as well as extra authentication at server and comms rooms.
Be careful on the phone
Another method of social engineering is by phone. Again this preys on the helpfulness of people, and only training can solve the problem. Someone might call up and pose as a senior manager's assistant. A hypothetical script could run something like: "Hi, my name is Christine and I was wondering if you can help. My boss, David, the managing director, is on holiday and he has asked me to reset his account password. It's for a critical shareholders' report tomorrow and I will get in trouble if I fail." Seniority and a sense of urgency are part of the spiel, and that is why it works. Before giving anything out, ask for a name, email address and phone number, and then check the story.