Weak Physical Security
The second and third gaps are related, and result from non-existent or weak physical barriers between network devices and unauthorized physical access to switches, routers, servers, and end-user devices.
Figure 1 shows common switch and router locations. Typically, the data center is secure with strict access controls in place. However, many organizations fail to pay attention to the physical security of floor and satellite office network devices. It doesn't matter where an attacker gains access to your network. Any opportunity for physical access is a great opportunity to lose control of some or all of your network.
An example of poor physical security is a company I once did some work for. The organization had several remote locations connected to the main office via IP VPN connections (over the Internet). They also had several floors at their corporate headquarters.
The company's datacenter was secured by a centralized electronic badge system. The floor on which the datacenter door was located was also controlled by the same badge access system. This was a good start. However, physical access controls began to fall apart as I began looking at the other locations.
Access to floors was via the badge system. The floor switches were behind locked doors in rooms designed specifically for housing floor access equipment. However, I found one of the doors propped open. When I asked about this, I was told the doors to the floor switch rooms required a key for access. Once an engineer gained access to work on a project or problem, he or she left the door ajar so access was easy, and one of the other engineers could use the one and only key.
Although access to the floor was controlled, IT was counting on non-IT staff to make sure no unauthorized personnel piggyback to gain access. They also relied on the honesty of every employee at the corporate office. This was not a good physical security plan.
At the satellite offices, switches and routers were often placed in mop closets or other unlocked areas. I also found a server in an activities room. Apparently, the office manager found the server too noisy and had it moved from the business office by the maintenance staff.
Physical security should not be an afterthought. Rather, security analysts and auditors should include it in the same assessments they use to ensure adequate technical and administrative controls. No one should have physical access to devices unless required by identified business requirements.