Wednesday, January 30, 2008

Blind spots and JJ's blog

I was reading Shimel's blog today and followed an indication from him about another security blog, "JJ's Security Uncorked". It was a very nice surprise to find this post about three things that are often forgotten in network inventories, assessments and other processes: Cameras, Controllers and Card Readers. It was particularly interesting for me because those things are listed in an article I'm writing about "Security blind spots", those things that are present in our IT environment and are overlooked by security initiatives and control deployments.

Besides the devices, it's also interesting to look into the processes that deal with them. It's funny that I've found several companies with very advanced Infosec programs that overlooked the physical access control world, keeping things like access reviews, segregation of duties and least privilege far away from it. Sometimes the logical access control processes are deeply documented and all the responsibilities are properly defined, but nobody knows exactly who is in charge of controlling badges, tapes from CCTV systems and so on.

So, follow JJ's advice and don't forget those three C's. In a few days I'll talk more about other security blind spots too.
