Software Engineering Institute

If an intruder can gain physical access to a computer resource, he can bypass software-based access control mechanisms, install Trojans horses, install hardware to facilitate subsequent access, copy data to another device, boot the computer into another operating system, modify data stored on the device, or destroy, steal, or disable physical components, including security-related components. This has been well documented. See

http://security.uchicago.edu/docs/physicalsec.shtml
http://www.unixtools.com/security.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/5min/5min-203.asp
http://www.utoronto.ca/security/policies.html
http://www.cio.gov.bc.ca/itsp/sec72.htm

Data may be protected by encrypting it using strong cryptography. However, an intruder is still able to copy or modify the encrypted data. If the data is copied, an intruder may have the resources available to conduct off-line cryptographic attacks against the data. If the data is modified, it may be rendered useless. Alternately, the intruder may be able to insert a Trojan horse that will lead to subsequent compromise.

You should not assume that access control lists or other software-based security mechanisms provided by an operating system will prevent an intruder from gaining access to data if the intruder can boot the computer into an alternate operating system.

An intruder who gains physical access to a computer system can alter or control any aspect of the hardware and software. Encrypted data may provide protection against data theft.

Restrict physical access to computer systems to only those personnel who must have access. Consider using an encrypting file system or database to encrypt data stored on mobile devices such as laptops or PDAs. Restrict access to network closets or data centers.