Chris Jager has an interesting post over at the NESCO Tac Diary blog, and I would say that even if he didn’t mention my blog post from yesterday. Chris reminds us that security programs (and it applies to physical security as well as cybersecurity) cannot afford to overlook the simple processes to protect the system/facility. Protecting the system against Stuxnet/Flame/Project X is all well and good, but it doesn’t do any good if there is a simple backdoor into the system.
Yesterday’s post about default user names and default passwords was not intended as a slight against vendors including such things in the shipped products. Such defaults are necessary tools for initial installation and integration. Removing those defaults is a requirement that is frequently overlooked; sometimes deliberately to make subsequent maintenance access easier. Checking that it has been done is just a good security procedure.
Here are some other basic security checks that need to be done on a routine basis:
• Check desk drawers under workstations for passwords.
• Check doors that are required to be locked to see if they are propped open to make routine access easier.
• Check gate guards to see if they are making required checks of routine delivery vehicles.
• Check key sign-out logs in key boxes to see if absent keys are accounted for.
• Check to see if the receptionist can get into the control room.
• Check to see if a USB device dropped in the parking lot gets plugged into a facility computer.
• Check to see if loading and unloading lines are properly closed and locked.