Contemporary issues in physical and IT security

Cracking the Code

The contemporary issue of physical security/IT security

Modern day businesses and organizations face the contemporary issue of physical security/IT security. Whether a business needs to maintain network security for a website or server, or an organization needs to restrict access to a server room, there are several aspects facing the problem of dealing with IT security. Any general computer networking instructor teaches the DOD and/or OSI networking models and from this IT professionals understand that everything start from the bottom, like with the physical level. Therefore, IT professionals tasked to handle IT security, must base their foundation or overall strategy in IT security management on the physical security of software, hardware, and equipment.

Some organizations forget the importance of physical security in an IT security setting may become distracted by the safeguarding features of certain software-based security merchandise and overlook the significance of protecting the network and all its components at the base level, the physical level. Research lends to current applications being ineffective. "Existing security approaches are either inapplicable, not viable, insufficiently scalable, incompatible, or simply inadequate to address the challenges posed by highly complex environments such as the smart grid" (Li, Cheng, Zhang & Tong, 2013, p.637). Besides the maintenance software, the "white hat" hackers, the trained personnel, and the software meant to eradicate any potential threats, physical security like addition of security guards, becomes an important step in producing successful results in the field of IT security. The essay will the physical and technical aspects of IT security; how it relates to physical security, from two different perspectives. Physical security/IT security can become a great way to not only allow for inclusion of security personnel in businesses, but also allow for the growth of the security field in the ever-expanding IT part of business and commerce.

The contemporary issue of physical security/IT security

What is IT security? First, it is important to look at the various aspects of IT security as discussed in the introduction. Things like viruses and hackers have become an all too common occurrence within the IT world. However, some people may not know how hackers or "black hat" hackers get the information needed to break into high security servers and websites. An article on hacking discusses the low-tech ways and techniques in which hackers gain the sensitive information needed to hack into businesses and organizations.

The first step comes from acquiring the information from an employee or personnel from a business organization. Sometimes a simple phone call allows the would be hacker access to information that can lead to password cracking and identifying who in the organization or business may be in charge of IT security. From there, hackers can trick people into giving those things like their mother's maiden name, where they live, and even very sensitive information like a social security number. Hackers are ingenious at times and can easily thwart efforts of businesses and organizations that attempt to deal with IT threats.

The second step comes from infiltration. Hackers or other people seeking to steal private information from businesses or organizations tend to go there and/or physically speak with personnel, sometimes pretending to be personnel or installation/service workers. They may then steal hardware like laptops and hard drives containing sensitive information, or may physically hack into their systems from a place in the building that could have access to secure servers. In essence, there is a variety of ways and methods into which a hacker, for instance, can gain access to IT related information and then wreak havoc digitally. Therefore, security guards at strategic checkpoints may play a crucial part in IT security.

IT security in the sense of physical security may not seem like a crucial part of the IT industry at first. However, that is far from true. IT security enables businesses like those in the video game industry to keep online pirates and hackers from stealing their video games and sensitive information from the public before a release of a game or update. Often people will try to hack popular video game companies in order to gain access to undisclosed plots and stories, leading to millions in video game sale losses should this occur. An article discussing IT security problems, explains the importance for such measures within the video game industry. "IT security issues are an important aspect for each and every organization within the video game industry. Within the video game industry alone, you might not normally think of security risks being an issue. But as we can and have seen in recent news, no company is immune to security risks no matter how big or how small" (Mohr & Rahman, 2011, p. 1).

Aside from the "burglars and pirates" of the tech industry, there are other aspects of security that businesses often encounter. Vandalism can happen for many reasons. There could be a protest, a rally, something happening in relation to politics and so forth. Vandals can come and not necessarily steal, but damage any of the hardware and equipment in a building. An instance in a college in NYC had vandals come from a different university to break windows, computers, and ruin the hallway because of a protest the students wished to participate in. Although the incident did not result in any serious injuries, thousands of dollars in computer equipment were destroyed. Things like this can happen anywhere.

An article discussing heuristics, discusses how participants may evaluate IT security tools for increased efficacy.

Participants who used the ITSM set found more problems categorized as severe than those who used Nielsen's. We analyzed several aspects of our heuristics including the performance of individual participants using the heuristic, the performance of individual heuristics, the similarity of our heuristics to Nielsen's, and the participants' opinion about the use of heuristics for evaluation of IT security tools (Jaferian, Hawkey, Sotirakopoulos, Velez-Rojas & Beznosov, 2014, p. 311).

Although physical security of IT related locations may be different. It can still be a means to consider evaluation of physical security in IT locations. If businesses or organizations saw the importance and need for increased physical security, the demand for such employees may increase.

There is a need for physical security within the IT industry. Video games, software developers, they have all generated enough business to build offices both nationally and internationally. To protect from potential thieves, hackers, and pirates, the most important aspect of IT security, physical security, must be implemented in various stages from access into a building or office to additional security for important sections like the server room or main computer room. Things like security cameras and sign in sheets may assist security offices in identifying potential hazards and assist law enforcement in tracking any suspects.

There are a total of three main aspects or components to physical/it security. For instance, any kind of obstacle a security company or officer can place in order to prevent potential thieves and attackers from getting through into the interior where the business or organization keeps the hardware/software/equipment. Measures include various locks, walls, fencing, water sprinklers (fire), fireproof safes (explosions, bombs), and even security gates that detect weapons or anything metal. Second, notification and surveillance systems, put in place, like heat sensors, lighting, smoke detectors, alarms, intrusion detectors, and cameras all show, record, and provide an additional la all show, record, and provide an additional layer of physical security. Finally, techniques in apprehending attackers (preferably without any damage done) and recovering quickly from vandalism like fires and even just natural disasters. Natural disasters like Hurricane Katrina can wreak havoc and cause massive damage to electrical and computer equipment.

Discussing the issue from two viewpoints

Working within the IT Industry

From working as a computer analyst to working as a graphics designer, many in the IT industry believe the importance of security in safeguarding sensitive information and preventing system attacks and physical attacks. Employees in company's like Google INC. value physical security and the benefits a system integrating both IT security and physical security can have. One of the first benefits is better attack prevention.

There are hosts of problems that may happen when it comes to IT. As earlier mentioned, hackers come in all forms from online attacks, cyber-attacks like shutting down websites or physical attacks like going into the company and obtaining personal information of employees or the company or organization itself. Having additional support for threat detection removes the strain on IT specialists and allows them to focus on cyber-attacks. It also allows for better task management as things are effectively streamlined like surveillance and guest registration.

Maintenance for IT workers comes often during the after-hours of a business schedule. These are often the prime times for attackers to come and do their damage. Physical security keeps IT workers safe during these important times. With personnel there to safeguard the workers and the computer equipment, the company or organization experiences a higher level of safety.

A business requires quick recovery from attacks. Integration of a physical security system allows for faster recovery from both physical and cyber-attacks. Surveillance cameras allow for possible recognition of suspects. Guest registration deters some attackers, especially if ID is required, to continue their mission to cause disruption or damage to the company or organization. Present attempts at integration of physical and IT security may fail at times because of the lack of target identification speed. Use of a smart grid that enables both systems to work together will allow for successful application. "The development of a trustworthy smart grid requires a deeper understanding of potential impacts resulting from successful cyber-attacks. Estimating feasible attack impact requires an evaluation of the grid's dependency on its cyber infrastructure and its ability to tolerate potential failures" (Sridhar, Hahn & Govindarasu, 2012, p. 210).

Some of the negative aspects of integration or convergence involve confusion of job duties and responsibilities. Imagining from the perspective of someone who works within the IT industry, it would seem less effective for a merge of security responsibilities if things are managed well when a merge happens. Extra precautions come into consideration when involving the use of physical security personnel. Security gates, for example, make it necessary for security personnel to search employees, guests, coming inside the building.

Procedures like the search gate may delay the time an employee enters the building and begins work. Surveillance cameras may reduce privacy. Although they are helpful in monitoring activity, some may feel an attack on their privacy if they are constantly watched at work, reducing potential productivity. Other problems arise from lack of understanding when it comes to how to handle attacks whether cyber or physical, and how to relay that to the other security system without risking a waste of time and energy.

Integration of security systems also means a possible reduction in employees as the company will attempt to find employees that can handle both the IT and physical aspects of security. Some may find that separate systems work better and are more efficiently managed than integrated systems. Communication between workers may also reduce due to the need to communicate among different departments like the IT department and the security department. Overall, the positives outweigh the negatives in regards to integration of security systems if businesses or organizations handle communication and management well.

Working within the Security Industry

Information security relays to information protection and refers to the safeguarding of three important factors that fall into a CIA Acronym: Confidentiality, Integrity and Availability. Fundamentally, confidentiality denotes prevention of illegal release of any kind of information. Integrity denotes the securing of assets that official parties reserve the privilege to modify only in official means. Availability means the critical and information services becoming available as necessary to meet any organization or business requirements.

Information thus becomes a central quality of any business or organization. It exists in various forms, playing a significant part in keeping information secure and most notably, safe from external interference. The principal concern of information assurance and information security consists of protecting information from countless susceptibilities and threats. Organizations and businesses achieve success and efficacy through implementation of appropriate sets of controls. To ensure proper handling and management of security issues in regards to fulfilling business objectives and requirements, businesses and organizations must establish such controls effectively. Careful planning and complete understanding is required in order to identify and select controls.

Businesses and organizations need information security. It permits businesses to fulfil state and federal law requirements by averting damage to a business' standing. Physical security can play a vital part when integrated into IT security. Simply protecting data from online or cyber threats will not prevent proper handling of physical threats. Physical in conjunction with IT security provides a comprehensive plan of action and policy to deal with all potential threats including natural disasters. Protocols involving evacuation drills and removing, protecting equipment and data can prove essential in these kinds of scenarios.

It will also open up more job opportunities for security officers and people working in creating, operating, and maintaining surveillance and security software. There are some setbacks involved, like additional training, and some initial expenses, but overall, the integration of security systems will prove useful overall. PUFS can prove useful in providing additional protection and prevention from attacks. "Preventing or detecting these attacks has become a challenging task in modern cryptographic research. In this context intrinsic physical properties of integrated circuits, such as Physical (ly) Unclonable Functions~(PUFs), can be used to complement classical cryptographic constructions, and to enhance the security of cryptographic devices" (Armknecht, Maes, Sadeghi, Standaert, & Wachsmann, 2011, p. 397). Armknecht et al. continues by adding PUFs allow for anti-counterfeiting and other various uses.

PUFs have recently been proposed for various applications, including anti-counterfeiting schemes, key generation algorithms, and in the design of block ciphers. However, currently only rudimentary security models for PUFs exist, limiting the confidence in the security claims of PUF-based security primitives. A useful model should at the same time (i) define the security properties of PUFs abstractly and naturally, allowing to design and formally analyze PUF-based security solutions, and (ii) provide practical quantification tools allowing engineers to evaluate PUF instantiations (Armknecht, Maes, Sadeghi, Standaert, & Wachsmann, 2011, p. 397).

Define its applicability to the security profession

Combining IT security with physical security means applying convergence. Convergence is formal cooperation among previously separated security functions. This does not mean, however, that a merging of information security group along with the physical or corporate security group on an organizational chart. It simply means cooperation meant to focus on function and not just form. Focus on form leads to pushback when businesses decide on security convergence. Even though merged organization charts act as a legitimate manner to safeguard profitability and cooperation, in terms of application, many organizations and businesses will not reconfigure their reporting lines. Instead, convergence becomes a way to achieve expense efficiencies and security augmentations.

Most companies and CSOs agree security must adapt to the growing needs of society in relation to business and commerce. The significance of day-today business activities must be acknowledged in order to fulfill the security needs of any business or organization. Since more companies require the use of IT services, and more companies are going online, convergence may benefit by adapting to the growing needs.

A clear definition of convergence is "the integration of logical security, information security, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment)" (Slater, 2015). Cost savings becomes one of the most important payoffs convergence (holistic security strategy). Since there is always some expense in security programs, it seems most logical that an integration of security systems becomes more cost-effective to manage than separate ones. Especially in industry like the video game industry, businesses like Sony may benefit more from convergence than having separate security forces on call for separate functions.

In an article discussing convergence conferences held to discover better ways to merge security and IT security, one of the paper examined a convergence security sysyem.