Course

Protect the Physical Security of Your Digital Devices

Training Code
Topic 1.5
Format
Document
Delivery
On Demand
Location type
Virtual/Online

Description

The Bottom Line

Physical security best practices are crucial for your cybersecurity, too.

The Problem

Without physical safeguards in place to protect your device(s), you are more vulnerable to cyber intrusions that occur because of a physical security compromise. This could lead to:

  • Direct installation of malware or spyware. If a threat actor gains physical access to your device or network, it could install malware or other surveillance capabilities.
  • Loss or theft of devices and data. Losing a device could mean losing all data stored on it and potentially lead to a major data breach for you or your organization. Some of the worst breaches that organizations have faced occurred when stolen laptops held large amounts of sensitive data and had insufficient security controls to protect the data.
  • Unauthorized access of data. Someone with physical access to your computer or device could simply copy files or data onto a thumb drive―or if they have enough time, clone your computer drive, allowing them to have a complete copy of your computer operating system (OS), software, and data. 

The Solution

Ensure there are physical security controls in the areas where you store your devices.

To protect your devices when they are not in your direct physical control, keep them locked in a secure physical area with limited access by others. Don’t forget to keep your home Wi-Fi router in a secure location, too!

Keep important documents in a secure location.

Important documents containing security information, such as the master password to your password manager, should be kept in a safe or similar security system with access controls.

Lock your device if you have to step away from the screen.

If you need to step away from your computer or mobile device, lock the screen and verify that security features are enabled―even if you only step away from the screen for a few minutes. In addition, you should set your device to auto lock the screen if the device is idle for more than 15 minutes.

Do not leave your devices unattended.

If you are in a public space, do not create an opportunity for someone to steal or access your device. If you find yourself working at a coffee shop and you need to use the restroom or go get a refill, it may be tempting to leave your device momentarily, but it is crucial that you take it with you. Devices are also commonly stolen when people leave them in cars or hotel rooms, which can be easily broken into.

Remember to be aware of your surroundings. If someone can look over your shoulder while you work at a coffee shop or the airport, they don’t need physical access to your device to see your data, passwords, or other sensitive activity.

Have a plan for data loss or theft.

You should regularly back up your computers or mobile devices to avoid losing your data in the event your device is stolen. (Project Upskill Topic 3.0). You also need a plan to mitigate further damage if your device falls into the hands of a sophisticated threat actor that can successfully bypass its security authentication measures. For many mobile devices, you can perform a remote factory reset, which overwrites your data from the device.

By contrast, most laptops do not have this function, so you will need to enable full disc encryption to safeguard the data stored on it. (Project Upskill Topic 3.0). You should also make a list of all accounts that your device is automatically logged into, such as your email and secure messaging apps. You will need to immediately reset these account passwords to prevent the threat actor from accessing sensitive information.

Do not throw away or sell your old device.

Follow the guidance in Project Upskill Topic 3.1 to protect data stored on old devices. While it is recommended that you store old devices in a safe or similar security system, you should go to a professional destruction facility that can offer a certificate of destruction if you plan to dispose of your device instead.

Note: For desktop and laptop computers, simply removing and storing the encrypted hard drive should be sufficient. For devices with hard drives that cannot be removed (e.g., cell phones, tablets, and smartwatches), you should maintain and store the entire device. 

Do not insert unknown media storage devices (e.g., thumb drives) into your computer.

Threat actors will sometimes attempt to gain access to your device or network by loading a media storage device, such as a thumb drive, SanDisk (SD) card, or even a compact disk (CD), with malware or spyware and leaving it somewhere where you or someone from your organization will find it. When you plug it into your computer to find out what is on it, the malicious code will infect your computer system without your knowledge.

Do not charge your device in a public USB port without a data blocker.

It is becoming more common for public spaces to offer Universal Serial Bus (USB) ports for people to charge their devices. Anyone who travels through an airport or stays at a hotel will notice all of the places that now have USB chargers instead of traditional wall outlets. While the likelihood of a threat actor hijacking one of these outlets as part of a scheme to upload malware or download your data is low, a simple way to ensure that can’t happen is to use a USB data blocker that simply connects to one end of your USB cable and prevents data from transferring across while allowing power to your device. (You can find and buy these online through a simple browser search.)

Data transfer is most likely to happen when plugging your mobile device into a modern car infotainment system, causing your information to be downloaded. If you’re in a rental vehicle, you may have just given your data over to the vehicle owner or anyone who rents that vehicle after you.

Takeaways

Do

  • Have physical security controls in places where you store your devices.
  • Keep important documents in a securely locked location.
  • Lock your device if you have to step away from the screen.
  • Have a plan for data loss or theft.

Do Not

  • Leave your devices unattended, including in a car or hotel room.
  • Insert unknown media storage devices into your computer.
  • Throw away your device or sell it without taking proper precautions. (Project Upskill Module 4.)
  • Charge your device in a public USB port without using a data blocker.

 

Project Upskill is a product of the Joint Cyber Defense Collaborative.

Prerequisites

  • Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
    • Topic 1.0: Implement User Account Control to Protect Your Personal Computer
    • Topic 1.1: Keep Your Device’s Operating System and Applications Up to Date
    • Topic 1.2: Ensure Your OS Antivirus and Anti-Malware Protections are Active
    • Topic 1.3: Manage Application Permissions for Privacy and Security
    • Topic 1.4: Vet Technologies Before Adding Them to Your Network