Physical Security being overlooked

Credit: ID 37582108 © Djama86

The next time you are visiting any business, private or public, look around and take things in with a – let’s call it – “security filter”. Really look at your surroundings, every detail, and I will bet you will see some obvious things that would have a negative effect on IT security.

Let’s put some more context to this so you can get a better picture of what I am talking about. You walk into a shopping centre, pick a retail store (any store, it doesn’t really matter which) and look at the counter. Many places will have a PC sitting on the counter, sometimes nice neat AIOs, and you may see a monitor sitting on top of a slimline box or, even worse, a mini PC mounted to the back of the monitor. Okay, so most of the time cables are well controlled and it all looks great, but what about the security of this device?

I was in a shop last week (let us call it an auto parts store) and I asked for something, and the gentleman who was assisting me went out the back to see if they had what I wanted (this is a pretty common scenario). I was out the front of the shop all alone; I could not see any cameras or general surveillance. Even if there were, I could have easily leaned forward, rested on the counter and plugged a compact USB stick into the back of the computer; they can be smaller than a 5-cent piece nowadays. With something like that, I could have executed an installer, recorded keystrokes (waiting for me to collect, or sent to me over the PC’s internet connection); there could be some interesting options.

This is not something that people think about; it has probably never even been a thought at all. What about when you go see your accountant and you can see a post-it note stuck on the monitor with Password clearly written for all to see? (I have actually seen this one and had a conversation with an accountant about this exact scenario, who, once I explained the risk, moved it into a locked drawer in their desk – an improvement I guess *rolls eyes*.)

A few months ago, I had a sick family member and had to take a trip to the hospital (they are all better now in case you were wondering). The same thing: PC on the desk, USB ports available and, worse, a communication cabinet in the triage/treatment room with a key still in the lock, with network switches and possibly a router of some sort there for me to access. Again, no camera in the room – that would be unethical given that it was a treatment room. We were left alone for more than 30 minutes at a time in the room (do not get me started on the ridiculous waiting times at hospitals – 4 hours before we were even seen). I could have easily accessed the network, and who knows what sensitive information I could have gleaned from the network by just listening to traffic before even considering what systems I could break into.