6.7 Look for Signs of Unauthorized Access to Physical Resources
Although we tend to think of the information in networked computer systems as being in electronic form, we should remember that this information is held on physical media (CD-ROMs, tapes, disks, paper) that are subject to physical compromise by theft, destruction, corruption, or unauthorized duplication. To ensure the security of your network, you should also ensure the physical security of its components by periodically inspecting them for possible compromise.
In many organizations, designated personnel are responsible for the physical security of the premises. However, as a system or network administrator, you are often in a unique position to notice signs of physical access to system resources.
If a document or electronic storage medium is stolen, the confidentiality and availability of the information it contains are lost. Even if the item is recovered, you won't know the extent to which its contents have been copied and disseminated. Also, you won't know whether the information it contains has been corrupted or altered. Furthermore, if the compromised information is critical to security (e.g., user passwords, internal network addresses, or system configuration data), your entire network is potentially threatened by more damaging intrusions.
Therefore, it is just as important for you to keep track of physical resources and to promptly detect attempts at physical intrusion and access as it is for you to track and protect your electronic resources.
You may want to consider encrypting all backup and other selected electronic media in the event that your site, an offsite data storage site, or a disaster recovery site is physically compromised.
6.7.1 Check All Physical Means of Entrance or Exit
Perform this check daily, looking for signs of tampering, trespassing, or attempted trespassing. Keep in mind that intruders have many strategies for obtaining confidential or security-critical documents. For example, they may steal discarded copies of reports, console logs, system printouts, or other sensitive data. They search through trash containers or Dumpsters to find carelessly discarded physical copies. They may also attempt to steal backup or archive tapes, whose disappearance may not be noticed for some time.
6.7.2 Check Physical Resources for Signs of Tampering
Perform this check daily. For example, inspect locks or seals on hardware cabinets, review console logs, and monitor paper usage.
6.7.3 Perform a Physical Audit of All Movable Media
We recommend performing an audit weekly if possible. Ensure that write-disabled media continue to be so. Note that, as a complementary practice, you should also audit the contents of the media for electronic integrity.
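The following is an added example, not part of the original text: one way to carry out the complementary electronic integrity audit, assuming the medium is mounted as a directory and a baseline manifest was recorded when the medium was written. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to the mount point) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def audit_media(root, baseline, expect_read_only=True):
    """Compare a mounted medium against the manifest recorded at write time."""
    current = build_manifest(root)
    shared = baseline.keys() & current.keys()
    return {
        "missing": sorted(baseline.keys() - current.keys()),
        "added": sorted(current.keys() - baseline.keys()),
        "changed": sorted(k for k in shared if baseline[k] != current[k]),
        # Assumption: a write-disabled medium is mounted so that this process
        # cannot write to it. Run the audit unprivileged; root bypasses this.
        "writable": bool(expect_read_only and os.access(root, os.W_OK)),
    }

def demo():
    """Constructed sample: record a baseline, alter the medium, audit it."""
    with tempfile.TemporaryDirectory() as media:
        root = Path(media)
        (root / "passwd.bak").write_text("alice:x:1000\n")
        (root / "netmap.txt").write_text("10.0.0.0/24 core\n")
        baseline = build_manifest(root)
        (root / "passwd.bak").write_text("alice:x:0\n")   # altered
        (root / "netmap.txt").unlink()                     # removed
        (root / "extra.bin").write_bytes(b"\x00")          # unexpected
        return audit_media(root, baseline, expect_read_only=False)

if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

Store the baseline manifest separately from the medium it describes, so that someone with physical access to the medium cannot alter both.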
6.7.4 Report All Signs of Unauthorized Physical Access
Report signs of unauthorized physical access to your organization's internal security point of contact. Such intrusion includes access to offsite data storage and disaster recovery sites.
6.7.5 Policy Considerations
Your organization's networked systems security policy should require the tagging and inventory of all physical computing resources as described in Section 5.3.12, and should specify how to respond when a physical intrusion has been detected.