It All Starts With Physical Access

Sometimes we focus on the fine details of cybersecurity protections and ignore the basics.

In many cases, when a company leases space in a multi-tenant office building, the Internet connection comes into a shared area of the building that is not part of the company's leased space. This is called the demarc, short for point of demarcation (not to be confused with DMARC, the email authentication standard). The demarc is where the Internet provider's responsibility ends and your company's responsibility starts.

But this is not in your space. It could be in a closet or in the building's basement. You may not even have access to that space, and if you do, other people have access too. It may not even be locked. I used to have an office in a building where all of the communications connections came into the basement, and that space didn't even have a door, never mind a lock.

Many times it is more convenient to put your company's network gear, such as switches and firewalls, in this shared area, so that you don't have to give up any of your own space.

But why is this a problem?

Because now an attacker doesn't have to break into your network from the outside; they can walk in and already be on the inside. They can pay a janitor a few dollars to let them in at night, for example, or simply pick a lock. When only the cleaning crew is in the building, is someone taking 60 seconds to pick the lock on a hall closet going to be noticed?

Come into the building at night when the cleaning crew is there and insert a probe into your network; the cleaning crew is not going to stop anyone. A tap inserted inline between the demarc and your firewall sits outside every firewall rule you have, so at that point the attacker may be able to see, capture, and transmit all of your network traffic to anywhere they want. They can come back later to retrieve their gear, or treat it as a throwaway.
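One way to notice the probe described above after the fact is to record the MAC-address table of the closet switch while the closet is known to be clean and diff it against a fresh dump each morning. The following is an added example and not code from the original post; it assumes the switch can print its table as "port mac" lines (the two snapshots below are constructed, with Cisco-style port names) and that a clean baseline exists. It flags the three changes a planted device or inline tap tends to produce: a MAC never seen before, a known MAC that moved to another port, and a port that used to carry one device and now carries more.

```python
"""Rogue-device check for a wiring closet switch.

Added example, not code from the original post. It assumes you can dump the
closet switch's MAC-address table as "port mac" lines (the snapshots below are
constructed, with Cisco-style port names) and that a baseline was recorded
while the closet was known to be clean.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed baseline, recorded when the closet was known to be clean.
BASELINE = """\
Gi0/1  00:11:22:33:44:01
Gi0/2  00:11:22:33:44:02
Gi0/3  00:11:22:33:44:03
Gi0/24 00:11:22:33:44:FE
"""

# Constructed snapshot from the next morning: an unknown device now shares
# Gi0/3 with the host that was there (something inserted in front of it), and
# the device that lived on Gi0/24 now answers on Gi0/23 (re-cabled overnight).
SNAPSHOT = """\
Gi0/1  00:11:22:33:44:01
Gi0/2  00:11:22:33:44:02
Gi0/3  00:11:22:33:44:03
Gi0/3  de:ad:be:ef:00:01
Gi0/23 00:11:22:33:44:fe
"""


@dataclass
class Findings:
    """What changed between the baseline and the current snapshot."""
    new_macs: list[tuple[str, str]] = field(default_factory=list)            # (mac, port)
    moved_macs: list[tuple[str, str, str]] = field(default_factory=list)     # (mac, old_port, new_port)
    crowded_ports: list[tuple[str, int, int]] = field(default_factory=list)  # (port, before, after)

    def is_clean(self) -> bool:
        return not (self.new_macs or self.moved_macs or self.crowded_ports)


def parse_mac_table(text: str) -> dict[str, str]:
    """Parse 'port mac' lines into {mac: port}. MACs are lower-cased so the
    same device is recognised however the switch happens to print it."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        port, mac = parts
        table[mac.lower()] = port
    return table


def compare(baseline: dict[str, str], current: dict[str, str]) -> Findings:
    """Diff two {mac: port} tables and collect the suspicious changes."""
    f = Findings()
    for mac, port in current.items():
        if mac not in baseline:
            f.new_macs.append((mac, port))
        elif baseline[mac] != port:
            f.moved_macs.append((mac, baseline[mac], port))

    # A port that used to carry one device and now carries more is the
    # signature of a tap, hub or mini-switch inserted in front of that device.
    before = Counter(baseline.values())
    after = Counter(current.values())
    for port, n_after in after.items():
        n_before = before.get(port, 0)
        if n_before >= 1 and n_after > n_before:
            f.crowded_ports.append((port, n_before, n_after))
    return f


def report(f: Findings) -> list[str]:
    """Human-readable lines, one per finding."""
    lines = [f"NEW    {mac} on {port}" for mac, port in f.new_macs]
    lines += [f"MOVED  {mac} {old} -> {new}" for mac, old, new in f.moved_macs]
    lines += [f"CROWD  {port} had {b} device(s), now {a}" for port, b, a in f.crowded_ports]
    return lines or ["clean: no changes against baseline"]


if __name__ == "__main__":
    findings = compare(parse_mac_table(BASELINE), parse_mac_table(SNAPSHOT))
    print("\n".join(report(findings)))
```

Two caveats go with this check. It only sees devices that source frames: a purely passive tap that never transmits leaves nothing in the MAC table, and an attacker can clone the MAC of the host behind their tap. So it supplements, rather than replaces, the locked cabinet and tamper seal; limiting each access port to one learned MAC and alerting on link down/up events outside business hours covers more of the cases.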

So what should you be doing?

Number one: YOUR demarc should be inside your office space, and the equipment should be locked in a cabinet. Put a tamper-evident seal on the cabinet as well (since locks are for honest people) so that you are more likely to detect an attempt to get into it.

Attackers sometimes masquerade as cleaners or maintenance people, so even if the equipment is in your space, it is still a problem if it is easily accessible. Other times they simply bribe the real ones.

No one wants to think that an employee would go rogue, but it does happen. Ask the NSA: they "vetted" Edward Snowden, and it didn't work out very well for them.

If you lock the equipment up, and I mean all of your network gear, you at least make the attacker's job harder.

You still have to deal with the demarc in the common area, but for a one-time fee the carrier will typically extend it into your space, and the wire up to the new demarc is then their responsibility. If you have to extend it yourself, put your firewall at the end of the wire, inside your space. That way everything outside the firewall, including the run through the common area, is treated as untrusted, and what an attacker in that closet sees is not much different from what they see from the Internet: an untrusted link on which anything sensitive should already be encrypted (TLS, VPN) before it gets there.

If you have questions about how your network gear is protected, reach out to us. We can do a virtual inspection and make recommendations for improvements, if needed.
