Read the book You CAN Stop Stupid - Ira Winkler - Page 52

Physical Vulnerabilities

Physical vulnerabilities are tangible in some way. Such vulnerabilities allow for access to an organization or its resources.

Most organizations have buildings, and many have outside properties where materials are stored. These facilities generally have perimeters that are protected by walls and fences. While people assume perimeters keep outsiders out, the reality is that the perimeters usually possess many vulnerabilities.

Such vulnerabilities may include doors and gates that are not closed and locked, unmonitored entrances, materials left on the property but outside of the protective perimeter, information visually exposed due to open windows, materials exposed to the weather, poor monitoring of visitors, and so on. All of these physical vulnerabilities present opportunities for your resources to be damaged by the environment or by outsiders.

Sometimes organizations take their physical perimeter for granted, and they unknowingly circumvent it. One example of this is leaving materials on the property but actually outside of the protective perimeter. Another example is having users work remotely. If users can access the facility without having to cross the physical perimeter, that is effectively a physical vulnerability.

Often, organizations put some level of faith into perimeter security and then leave resources vulnerable inside their facilities. In reality, internal physical vulnerabilities are as important as external vulnerabilities. If a malicious outsider makes it past your perimeter security, they can pass as an insider. And it is a rare organization that has absolutely no malicious insiders.

What vulnerabilities might a malicious threat see inside your perimeter? Things that come to mind include equipment to steal, computers left logged in and unattended, papers left on printers in public areas, unattended desks, file cabinets unlocked, sensitive information left on whiteboards, telecommunication equipment rooms left unlocked, USB drives untracked, and countless other things. You don't have to be a world-renowned penetration tester to see how your organization leaves resources vulnerable to anyone with malicious intent.

At the same time, you also need to recognize what leaves you vulnerable to accidental compromise or damage. For example, do people leave coffee cups on printers? Is fragile equipment transported in an unsafe manner? Is information stored on USB drives that are easy to lose? Accidental damage to resources sometimes creates greater loss than malicious actions.

Vulnerabilities are not just relevant to equipment, materials, and data. You must also be concerned about physical vulnerabilities of your environment that put people at risk. Unattended doors allow for intrusions where outsiders can enter and do harm to your people. Obstacles and sharp edges can cause injuries. Moving vehicles can hit people. While there are some freak injuries, with an open mind, you can identify a great many vulnerabilities that can result in injury. These factors relate to safety science, which we discuss in Chapter 7.
