3.1 Identifying Physical Security Vulnerabilities

No matter how secure your server operating systems are, physical security vulnerabilities can allow intruders?or even misguided employees?to compromise your company's information security. Learning to identify physical security vulnerabilities requires you to look at your entire network from a whole new point of view. It's time to get paranoid and think about all the ways in which your network's security could be compromised.

Even if your company's security plans don't require you to provide a solution for every physical security vulnerability you find, you should make yourself aware of them all anyway. You never know when your company might need to provide extra security for some collection of information, and understanding your vulnerabilities up front will make that task easier.

As an example, let's consider a typical corporate office with typical physical security measures. The office contains any number of client computers, which connect to network jacks installed in the walls. Those jacks, in turn, are wired back to a cable plant, where they're all connected to switches or hubs. Larger offices might have several cable plants, or wiring closets, which are connected to one another. The office probably has a data center of some size. Access to the data center might be restricted to individuals with an authorized card key, or the data center's door might have a combination lock. Within the data center, servers are installed in racks. Especially security-aware companies might even keep a log of who goes in and out of the computer room. Card key systems make that easier, since the systems can usually keep track of who uses the door in a master log file.

Your company's offices are probably similar to that theoretical office. And that means your network is positively full of security vulnerabilities.

3.1.1 Your People

Tommy Lee Jones said it best in the movie Men in Black: people are stupid. They're often the biggest security vulnerability in any company. From a two-person office to a multinational conglomerate, you can expect some significant percentage of people will have no idea about security. These people are a bigger risk than the failure of a firewall, the opening of a port, or the receipt of an email virus.

For example, my mother works at a law firm that forecloses on homes. Not a wonderful thing, but she tries really hard to keep people in their homes. This firm sometimes has clients who bring checks or cash physically to the firm to keep from having their houses sold. At the front of the firm is a huge bulletproof glass window, and all the doors are equipped with proximity card readers that allow only authorized employees to open them. However, the receptionist allows anyone who shows up to enter the unprotected waiting room. In addition, the doors are often propped open to allow vendors easy access during their visits. So the security is in place but is being circumvented by people who are oblivious to the security implications?that is, until something bad happens.

Physical attack isn't the only avenue that's opened by people that don't think about security. Social engineering, or the practice of manipulating people to do what you want them to do, has gained popularity. This is partially fueled by Kevin Mitnick's book The Art of Deception from Wiley. In it, Mitnick shows numerous examples of situations in which users are simply asked for information such as passwords, domain names, and sensitive files. Naïve users and administrators provide this information far more often than you might expect. In fact, a recent study conducted by Infosecurity Europe 2004 found that 71 percent of users were willing to provide their password to a stranger on the street in exchange for a bar of chocolate.

Although I said people are stupid, I also believe that almost all people can be educated. A strong security awareness and employee education program can help mitigate people-based attacks. This should be required for all new employees and followed up periodically with refreshers, leaflets, posters, and so on. Maintaining even a minimal amount of security awareness greatly improves the security of most organizations.

What do people need to know about security? This is very role-dependent. A DNS administrator, for example, needs to know more specialized security information than a janitor. However, they both have common security responsibilities and should both be aware of a minimum set of security concepts and practices. Some of the more common security concepts that all employees should be made aware of include:

  • Do not open email attachments that are sent from unknown individuals. In fact, never open executable email attachments at all, no matter who they come from.

  • Leave the security on your computer alone. Don't disable virus scanners, firewalls, content filters, or anything else without permission.

  • Report suspicious activities to corporate security. This can include activities such as an unknown individual trying to log onto a coworker's computer, folks wandering the halls without ID, or a phone call from "Joe in IT" asking for your password.

  • Be especially careful with laptop or home computers. Any computer that you use on any network is potentially part of the corporate network.

Of course any security awareness and education program should be developed based on a risk analysis so that you're delivering the shortest and most effective message to your users. You should also ensure that your human resources and executive management groups approve and support any lessons you intend to teach users. After all, what good is security barking without some bite behind it?

3.1.2 Your Office

Who's plugging into your network? With network jacks liberally scattered throughout your office, how can you be sure that a visiting salesperson, or even the custodial staff, isn't plugging a laptop in, receiving a TCP/IP address via DHCP (Dynamic Host Configuration Protocol), and launching an automated attack against the data on your servers? Some intruders would think nothing of sneaking into your company's office dressed as a janitor and plugging a laptop into your network to see what data could be accessed from there.

Your office probably includes phone lines, and some of those phone lines are probably connected to computers. Are you sure those phone lines and computers are secured? That phone line connected to your sales manager's client computer is a security vulnerability that could be exploited to provide complete access to your entire network?bypassing your firewalls and other security measures.

What about the floppy disks and other removable media in your users' computers such as CD-ROMs and portable USB "thumb" drives? How many users actually use floppy disks for business purposes any more? Very few. But floppy disks are the number-two source of viruses on corporate networks (email is number one). If a malicious intruder were able to sneak ninja-like into your office, he could pop a floppy disk into any computer he found. That floppy disk could easily contain a trojan that collected sensitive data and transmitted it back to a home base across the Internet, all without your knowledge.

Floppy disks and other removable media are also a great way for disgruntled employees to make off with sensitive data. Some government facilities, for example, completely prohibit the use of removable media for this exact reason. Many have even gone as far as physically removing the removable drives from computers and installing hardware devices to prevent their reinstallation.

3.1.3 Your Laptops

Some percentage of the workforce of almost all companies uses laptops. These users may have a variety of requirements for using laptops such as travel, executives who need data access in meetings, and trainers who need laptops for presentations. In virtually all cases, these users will store data on the laptops that should not be disclosed to anyone outside the organization. This is often where the true cost of a loss occurs: not with the physical replacement of the laptop, but with the lost data.

Protecting the data on the laptop, as well as the laptop itself, is an administrator's nightmare. Essentially you need to secure something that cannot be completely secured and is often lightly managed or unmanaged. Measures can be taken, however, to help ensure that the loss of a laptop has a reduced impact on the security of the data it contains and your network as a whole.

3.1.4 Your Data Center

How secure is your data center? Combination door locks are easily defeated, since a careful observer can determine the door combination. Card keys are much better, but too often a company's card keys are managed by the company's facilities personnel, who aren't always fully aware of the implications of granting access to a data center.

And what about tailgating, the polite practice of holding the door open for the person coming in behind you? Although our society stresses being polite to our fellow humans, this practice is an enormous security vulnerability. Tailgating defeats card key logging, since someone enters the room without using her card key. Similarly, authorized personnel often take visitors into data centers, partially defeating the security of the data center by allowing an unauthorized person to carefully observe the security precautions that are in place. Company employees tend to assume that only authorized personnel are in the office, but it's usually pretty easy for a determined intruder to get into an office without anyone knowing. Always assume your office's first lines of defense?your receptionist, security guard, and locked doors?will fail and that your network and data center security will need to provide a second line of defense. This is one example of defense in depth.

3.1.5 Your Servers

How secure are your servers? Imagine a scenario in which an unauthorized person gained access to your data center. Could he restart servers with an MS-DOS floppy disk? Could he unplug key network connections? Although most companies use racks in their data centers, those racks are usually left unlocked. Few companies install the rear doors of the racks, making the servers within completely vulnerable to tampering. Some companies even leave the sidewalls off the racks in a misguided attempt to improve ventilation (which it doesn't), leaving the servers within vulnerable to tampering.

An intruder would have a field day in a data center with unlocked server cabinets. She could place network taps that capture every byte of data transmitted from a server or reboot servers with floppy disks and access their file systems. She could easily install keyboard monitor devices, which would quickly provide her with your most sensitive passwords. Making your servers physically inaccessible would prevent these types of security breaches, with the trade-off of reducing ease of access for administrators.

The Reality of Stolen Computers

Computer theft isn't rare. Once computers became reasonably small (smaller than a refrigerator), they became the target of thieves. Their high resale value and relative mystery (could they contain financial info, network maps, and the like?) contributed to this. So when I was recently asked to help assess the impact of a computer theft, I thought nothing of it. Generally speaking, the value of a computer is the hardware plus any difficult- or impossible-to-replace data it contains. I quickly found out that I was wrong. This stolen computer wasn't really a stolen computer.

Imagine a small data warehousing and consulting company with its headquarters in a light industrial park. I pass dozens of these every day when I go to work, and I hope you can form the picture in your mind. Most of these buildings are huge, with very high roofs, and many companies coexist within one larger structure. This is where the consulting company is.

The thief didn't, as you might expect, crash through the plate glass in the lobby and dash off with the receptionist's desktop. He had followed this rough procedure (based on physical evidence):

  1. Identify the target computer. This is usually done by social engineering?posing as a worker, bribing an employee or contractor, or some other trick.

  2. Bring a ladder, cutting tools, a dead hard drive, and small computer tools back to this business late at night.

  3. Extend the ladder on the side of the building, and climb to the roof.

  4. Cut a hole in the roof above the neighboring business (in this case, a luncheonette).

  5. Drop down into the luncheonette.

  6. Identify the point in the adjoining wall where the target hardware is.

  7. Carefully cut a hole in the drywall about the size of the target computer.

  8. Unplug the target computer.

  9. Remove its hard drive and replace it with the damaged one he brought.

  10. Plug it in and power it back up.

  11. Roughly patch up wall and ceiling, remove all material, and leave.

This attack, as you can see, is a bit more sophisticated than a "bash and dash." And the thief obviously didn't go to all this trouble to steal a useless file or print server hard drive. No, he stole a domain controller's hard drive. And he did it on a Friday night when the office would be closed until Monday. Because the burglar alarm didn't go off and because the machine seemed to just have a failed hard drive, the IT staff pushed it to the bottom of the priority list. Only when they discovered the evidence of a physical break-in and the replaced hard drive did they raise the alarm.

So what was the value of the lost hard drive? The hardware itself was no more than $200. But the cost to the corporation was enormous and probably hasn't been fully realized yet. Since the burglar stole a domain controller, every user's password had to be changed, and that's just the beginning. Having to rebuild much of the IT infrastructure securely to prevent any compromised information from being leveraged is the real cost. So this seemingly minor theft actually cost more than the consulting firm could imagine.

3.1.6 Your Wiring Closets

Do your wiring closets make security administration easier? Messy wiring closets are easy for an intruder to tap into, since the additional cables will never be noticed. Hubs and switches installed on open shelving or in unlocked racks are also easy targets, since intruders can connect to the devices' serial management ports and alter the way your network operates to conceal a security breach.

Many organizations keep their network cabling, switches, and hubs in easily accessible closets. If someone gained access to the office?usually not too difficult a task?she could plant equipment that transmitted a copy of your network's sensitive data to her home base. Failing to protect your network's cabling and infrastructure devices makes it easy for intruders to implement long-term schemes to compromise your company's sensitive data.

3.1.7 Your Network Cables

Even if every other aspect of your network is physically secure, your data is still vulnerable as it is transmitted across the network cables in your office. Typical Ethernet networks use electrical signals to transmit data, and those signals can be intercepted from many feet away, with the right equipment. These cables can also be physically tapped without interfering with their operation, allowing transparent monitoring of network data.

Fiber-optic cables, such as those used in high-speed backbone networks, aren't susceptible to electronic eavesdropping, because the light signals used in fiber-optic networks don't create any electromagnetic radiation for intruders to capture. But fiber-optic cables can still be spliced and tapped, presenting a security vulnerability. Although this type of attack is complex and costly to execute, it happens often in corporate environments where industrial espionage payoffs can be high.

With the proliferation of wireless networks, the network cable defense changes. Essentially, anyone within a few hundred feet of your office has the potential to gain access to your network "cables" through wireless access.