Physical Security
May 10, 2006

The bad guys are all out there in cyberspace, waiting to invade our computer with an electronic attack. Right? Well, mostly. What we often forget is physical security - how to protect our computer from someone who can touch it.

Before I launch into the topic, I want to repeat a security maxim I mentioned once before. Computer security is a balance of risk versus convenience. Unless your computer is turned off, you are at some risk. It's up to you how you manage your risk. You can decide to have high security and suffer some inconveniences, have lower security and enjoy convenience, or something in between. There are things in this article that you might decide you'd rather not implement, and that's okay as long as you're aware of the risks.

For starters, you need to make sure your computer can't walk off. For most people, there's no risk that their computer will disappear. But there are many situations where a home or office is frequented by people you might not know well who have the opportunity to remove your computer. Make sure that you've evaluated the possibility that your computer could be stolen.

Requiring a password can prevent misuse of your computer. Many times a visitor will think nothing of sitting down at your computer to surf the web. Before long, though, some may start changing your system settings. They may also start looking through your files. I've actually had someone read some Word documents that were on my laptop without permission. Several of the files contained sensitive material and this led to an uncomfortable situation. And once about ten years ago, a fellow employee deleted some files that he didn't want me to have.

If you have any hesitation, create a login password for your computer. You can always log on for a visitor if they want to use your computer. In many corporate settings you can get fired if you walk away from your computer without logging out.

A friend of mine is a computer security consultant. He bet a client that he could steal the client's data within 24 hours. He won the bet. We always think that you have to hack a computer in order to steal data, but that's not necessarily true. My friend walked into the server room, picked up the backup media, and walked out. Now he had all of the client's data. I think he really enjoyed the case of beer that he won.

There's a surprising area of physical security known as social engineering. A good example goes like this. Someone calls, identifies themselves as an authority figure of some sort, and says that your computer has a data error. They convince you that they will log on to your computer and fix the error. You give the person your password and wait for them to do their thing. Before you know it, some serious damage could have been done. The lesson here is to be careful when it comes to social interaction. You may become vulnerable without realizing it.

Those are the basics of physical security.