Tutorial- Physical Security
ORIGINALLY POSTED BY JAYMILL230 FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network
It's very easy to focus on the digital side of security. Updates apply to everybody because everybody uses the same operating systems (within reason on this one, guys), and they are easy and very public. But how many system admins (or even local users) keep their computers in the same kinds of spaces? How many of our server rooms/closets have the same locks? How many of us have the servers on a separate floor, or in a remote corner? Is there always somebody in there? And my final question: are you guilty of not even thinking about this?
The majority of major corporate computer attacks come from within the company or group. This happens for several reasons, among them: 1) we never suspect our own, and 2) we can't watch everybody. But the threat obviously exists and is far too often overlooked. In this brief tutorial we will look at some simple measures that minimize the risks on the physical security side.
Where are your servers located? Are they, in a worst-case scenario, left in a fairly public area where somebody could sit down and do whatever damage they set out to do? As an attacker from within a company I could do an incredible amount of damage by waiting until I was alone with the server during a low-traffic time (such as at night, if I was in the IT department) and rebooting it to a live CD. Once I am in a different operating system I can exploit the computer any number of ways: changing passwords, locking out access, adding malicious code to startup folders, etc. Every firewall, access control list, and intrusion detection system won't stop me then, because I never touch the network; I have physical access.
How then are we going to mitigate this risk? The solutions are numerous and cheaper than most other computer security equipment. The best solution, which I know is not available to everybody, is a separate room with a digital keypad for entry. Many of these keypads allow you to set up different rules for different codes. Regular IT workers probably don't need to be in there more than an hour or two after normal working hours, so their code can be restricted to those times. Full admins and people who genuinely NEED access at any hour can have a separate code. It is important to note that codes are useless if people share them, just like passwords. If you don't have the budget, a regular deadbolt or good door lock will do the same basic job, without the added per-code control.
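As an added example (not from the original post), here is a small Python model of the two keypad rules just described, a time-restricted staff code and an always-valid admin code, plus a simple check that goes one step further and flags a code that is being shared: the same code used at two different doors within a minute. The code ids, door names, the 07:00-19:00 staff window and the 60-second sharing window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed code table (not real codes): staff codes only work during
# extended working hours, admin codes work at any time.
CODES = {"1001": "staff", "1002": "staff", "9001": "admin"}
STAFF_START, STAFF_END = time(7, 0), time(19, 0)  # normal hours plus 2 after

@dataclass
class Event:
    code: str
    door: str
    at: datetime

def is_allowed(ev: Event) -> bool:
    """Keypad rule: unknown codes and after-hours staff codes are refused."""
    role = CODES.get(ev.code)
    if role is None:
        return False
    return role == "admin" or STAFF_START <= ev.at.time() <= STAFF_END

def shared_codes(events, window=timedelta(seconds=60)):
    """Flag a code used at two different doors within `window`.
    Assumes the doors are far enough apart that one person cannot reach
    both in that time, so such a pair means the code has been shared."""
    last, flagged = {}, set()
    for ev in sorted(events, key=lambda e: e.at):
        prev = last.get(ev.code)
        if prev and prev.door != ev.door and ev.at - prev.at <= window:
            flagged.add(ev.code)
        last[ev.code] = ev
    return flagged

def sample_events():
    """Constructed keypad log for one day."""
    d = datetime(2024, 3, 4)
    return [
        Event("1001", "server-room", d.replace(hour=10)),            # staff, in hours
        Event("1001", "server-room", d.replace(hour=23)),            # staff, after hours
        Event("9001", "server-room", d.replace(hour=23, minute=5)),  # admin, any time
        Event("1002", "server-room", d.replace(hour=8)),             # same code at two
        Event("1002", "net-closet", d.replace(hour=8, second=30)),   # doors, 30 s apart
        Event("4444", "server-room", d.replace(hour=12)),            # unknown code
    ]

if __name__ == "__main__":
    for ev in sample_events():
        print(ev.code, ev.door, ev.at.time(), "ALLOW" if is_allowed(ev) else "DENY")
    print("possibly shared:", sorted(shared_codes(sample_events())))
```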
Now what about those of you who don't have a spare room? How about a locking server rack? Lesser security to be sure, but it still limits physical access to the server. You can improvise quite a bit with this type of security if you are on a budget, but trust me, it's worth having. Just make sure the enclosure can't be opened without the key/combo (I had a guy who built a cage around his server and said it was secure; all I had to do was undo the four screws holding it down on the outside and lift it up). If a rack is out of the question for some reason, a closet can work, but I would advise against it due to heat issues and weak locks.
As you've seen in some of my earlier tutorials, wireless security has its own problems, but wired networks are not foolproof either. You can severely limit the opportunities for an attacker by following some simple rules. For instance, I was doing work for a company and they had an empty room with Ethernet jacks installed. Plugging into them gave me access to the network and a quiet place to do my work. I've seen routers and switches in people's offices that are often unlocked and ready to be attacked. Leaving a router/switch in the open often allows an attacker to edit its configuration through any number of attacks.
Routers and switches should have the same rules applied to them as the servers. The general population does not need to access them and should not be able to. I won't go into too much depth on this because it's already been covered. As for open Ethernet jacks, there is no reason an empty room or unused port should remain connected; a live jack nobody uses is an invitation to attackers and a point of entry. If it is needed later, it's a 10-second job to reattach the wire to the switch and make it live again.
The wires themselves are also a possible point of attack. This can be done by splicing the wire and re-tipping it, or much more discreetly by the use of a vampire tap. While rarer now, it is still possible on Cat5 cables and coax WAN links. This allows an attacker to view information passing along the wire, and the only way of being caught (apart from someone finding the tap/collection device) is a minor degradation in signal strength.
The legitimate computers on your network can also be points of attack. Improper permissions aside, they can be places for information loss/theft. If I walk up to Sally B. Lazy's computer while she is on break (and left herself logged in) and use it, I am very unlikely to be caught, because everything I do will show up as being done by Sally! Catching me is now much harder, because of Sally's laziness. Consider using a strict lockout policy or something similar to the DoD's CAC card system. In that system the card is needed to log in to the computer, and as soon as it is removed the computer is locked. Integrating this with the employee ID badge is best, because people need to have it on while moving about the building, and that makes it hard to forget.
This tutorial is a stub at the moment, and I look forward to updating it frequently and soon. Any additions/comments/criticisms are more than welcome.