If you would like to read the next article in this series please go to Physical Security Primer (Part 2).
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
In this sequence of articles, we will thoroughly cover what the difference between physical security and logical security is, what some of those vulnerabilities could be and some of the things you can do to prevent these issues from occurring, or at minimum, plan for them to take place proactively. We will also look at how Windows Servers survive from physical disaster; some of these topics include considerations on physical drive failures, as well as what could happen in your data center, server farm, or elsewhere. We will also discuss more advanced topics like how to physically secure entry into specific locations as well as how to catch intruders if they break your security posture.
This article set is meant to show you as a Security Analyst, a different perspective in the security arena, how to deal with security issues that are not necessarily all 'logic' based... but physically - which is generally the 'easiest' way to penetrate a network if you are an attacker - and most commonly used. Also, most physical security aspects if left ignored could cripple your business or organization; nature could cause you a lot of trouble in the form of physical disaster if it strikes as an example. Let's look at this in more detail.
Difference between Physical and Logical Security
When considering 'physical' security, you have to consider more than just a firewall ruleset or access control lists (ACL's) to block intruders from logically entering your network. When you consider other aspects of security, such as creating a security posture that takes creating a safe environment into account, you are considering 'physical' security. This would include a biometric lock system on your server farm entrance point, a fence with a guard at the point of entry into the compound, campus or complex, all the way to keeping a set of backup tapes offsite in case of a fire that destroys the current location you are working at. This is all very important in the realm of security, and has nothing to do with the typical security fix-all - install a firewall! Some analysts trying to enter the security realm fail to consider this aspect and it's the easiest for a Hacker to exploit. Think about it - what is easier?
- Write a large piece of code that exploits a flaw in a system (before its patched)
- Set fire to a building that contains all your important data
Yes, both are a crime and albeit, arson is far worse than hacking a system, but they are both against the law and could land you in serious trouble - point is, which is easier? If you knew a company wasn't doing backups or kept their backups onsite in a non-fireproof location, then yes, physical security should be thought of as a huge gaping hole in your security infrastructure.
Too many management teams today are not looking at security as an important factor and many of the ones that are, only see the edge of the network as the point of entry - and ultimate point of penetration. Some have understood the concepts of Defense in Depth as well underlying the need for security internally to the organization as well - but physical security is yet another piece of the security onion. Yet, another layer to consider... Physical security also adds a layer to your Defense in Depth posture, which is always an advantage in your overall security architecture.
The principles of physical security are:
- Identify assets that need protection
- Identify threats and vulnerabilities through assessment
- Identify what your acceptable threshold of risk is
- Choose countermeasures to lower or contain expected loss based on that risk level
- Apply Defense in Depth concepts when at all possible to create a layered security model
Remember, to install a firewall is not how to apply security, it's a seemingly never-ending chore because you can technically apply security anywhere to anything these days. Through the media and marketing, Defense in Depth is easy to create these days because just about every software and hardware vendor today has some form of 'security' features ready for you use. (Nice of them eh?) So how does the 'physical' come into play? Now that you understand the difference between physical and logically applied security, let's narrow down into the physical realm.
Physical Based Vulnerabilities
Physical security can be applied in different ways, but so I don't make this article extremely boring for you to read with tons of theory and bulleted lists, I would like to use more of a 'scenario' based approach to the world of physical vulnerabilities and try to add in as much 'real world' stuff I have seen as a Network Manager responsible for an organizations development in the arena of logical and physical security.
Mind of the Villain
Before we get neck deep, I want to cover something quickly with you... an attacker, hacker, and cracker, whatever... they all have something they want. It's your assets, or something to prove. How do you prepare? Well you have to prepare for crime by thinking like a criminal. It's hard sometimes to know what the attackers know, but that is the only way to be a White Hat. You can only protect what you know is vulnerable. That's rule number one. Rule number two (which I was fortunate enough to learn from a Drill Instructor in Marine Corps Boot Camp referencing the famous footlockers you see in Full Metal Jacket) is that if you leave something unlocked, you invite crime. Simple theory, if you don't want your stuff stolen... ENSURE you lock it up and protect it. Even though I learned this theory first hand as a young teenager, this simple thought process is really the fundamental to ensuring secure infrastructure. Lock it up - keep it secure - don't invite crime.
In this section we will look at some scenarios as I mentioned before. We will look at 4 specific scenarios' that in themselves will hopefully show you that physical security is something that you should not overlook! Let's take a look:
Scenario 1 - Unchecked Building Access
Stu is the systems administrator for a large company. He knows that his infrastructure department handles the routing, switching and security (VPN, Firewalls, etc) for the company and he also knows there is a security analyst on board to deal with the polices, and other high level security assessments and testing of systems. What he doesn't know is that he is just as responsible for a company's security posture as much as those two other teams, but because the teams have never grouped together to discuss how they can help each other, they only 'assume' that they are doing what they need to do to ensure security for the company. Problem is, that is what is going to lead to their breach today. Stu has just left the building today and by accident left the server room unlocked. This happens. What he didn't realize was that the guy on the cleaning crew who comes and dusts of the phones at night is also a recent graduate of a local computer school. The cleaning guy walks in and wreaks havoc on the systems by severing a cable in a place not very visible. A web server is down for over 60 minutes as Stu rushes back to work to find and fix the problem. He eventually traces and finds the severed cable. Although far fetched, it could happen and the point here is to look at how we could have avoided this through physical security.
- Use CCTV (Set up cameras and even if you don't have the budget, set up fake ones. Either way, someone who sees a camera and doesn't know the layout of the company internally will be less likely to take a chance like this.
- Yeah, Stu could have closed the door or checked it, but this is just not always possible. A better way would be to have a log on the door to the server room which enforces a signature after leaving the server room. In the log you could add a column to 'check the door lock'.
- Have a night guard (if you have one), escort the cleaning crew into the 'sensitive' area which would be where your systems reside.
Scenario 2 - No security in sensitive areas
Todd is the Engineer assigned to a medium sized marketing company. Todd runs all of the systems and is part of a small staff. The server room is located in a large closet that was renovated into a makeshift server room. Since there are only two racks of equipment with one monitor and a KVM, the size of the closet is efficient. Todd entered the room and found that after a hurricane came over the area that weekend; all the systems were screwed up. The Cisco core switch was dead as a doornail from a power surge. There was water on the floor and the servers sitting there - ruined. Worse, the humidity in the room ruined some other electronic test equipment being stored. This one not so far fetched (seen this before), it could happen and the point here is to look at how we could have avoided this through physical security.
- Well, you can't dodge the inevitable but you can prepare. This network server room was not taken serious period. Now, I have worked in many large companies, but many medium to small sized as well, so this does happen (for those of you in ISP's, etc that may not realize how pathetic a server room could possibly look). Here is a snapshot of one I saw a long time ago in a galaxy far, far away.
- Floods happen, but that's why server rooms need to have raised floors. Since I mentioned in the scenario that the servers were sitting on the floor, then they are likely candidates to get soaked. no raised floor equals damage.
- Storms knock out power. When they do, and the power is restored - you have the beginnings of a catastrophe waiting to happen. Why you ask? Well think about it - power surges and spikes unregulated will destroy any power supply not expecting more than it should. That's why Generators (to keep power on in case of failure), and UPS's are used. A UPS is an Uninterruptible Power Source or Supply and it basically acts like a mini-generator but also provides line conditioning. This means that no matter what the UPS receives (like a power sag or surge), it will only provide what the power supply expects and never surge it thus damaging or killing it.
- Redundant power supplies were obviously not installed on the core switch of the network. I don't care what money you want to skimp on, keep your 'core' protected because that equals 'dead network'. This means your business fails to run if it's dependant on that network to operate. No, this is not a server failure where you can do without email for a few hours but all your business applications are up and running, this means that everything is down - dead and not functional. Worth buying a second power supply? If not, then have a cold spare sitting around to replace it with. Either way, you need to worry about it physically, not how its 'configured'.
- Heat and humidity build up, ruin systems - you need climate control, which means splurging the big bucks on an air conditioning unit. Computer systems need to remain cool; if a storm comes through and water is dripping into this closet... you will need to consider some way to keep the humidity level under control. Water and computers do not mix no matter what form that water makes, mist is damaging, heat and humidity levels can also ruin computer systems.
- One last one - please make sure you have the right class fire extinguisher in your server room too. We didn't mention fire, but having some form of Halon system or something is also a large physical security consideration to consider.
Note: You have to consider physical security! Mother Nature will take you out, she promises!
Scenario 3 - Open Infrastructure
Bruce is a router installation tech for a small company that does Internet connections for small businesses. Bruce is also responsible for launching the next largest denial of service attack you haven't seen yet. He is a master of penetration - specifically your network today. Left unattended and without being on camera, Bruce pulls out his blue console cable and is logged into your router with a password of Cisco in about 2 or 3 seconds. How many of you have Cisco as a password... be honest!
- The first thing you are thinking is... well isn't a password logical security? Why yes it is, but what you may have missed here was all the physical security issues that led up to the inevitable exploit of a simple-to-guess password. Console Access to routers and switches with the password of Cisco or none applied are common so make sure you remove that issue to be safe from it.
- Another way this could have been avoided was to never leave a tech from a vendor site unattended in a server room. Ok, some of them you can trust, but if you do not know them, it's better for you and for them to be escorted. Its not an insult, just a safety precaution, much like how Help Desk technicians sometimes are let go with a check for 2 weeks severance, but escorted out the door 5 minutes after being let go from their position.
- No server locks on chassis, No lock on Server racks (back and front) also added to this physical security exploit. Keep your equipment locked in the rack. 90% of the racks out there have doors (catch is they cost a little more), but if you keep them unlocked then you are bypassing physical security.
In sum, it's important to understand that the past three scenarios could be considered as far-fetched as you want to something that really hit home with you just now from seeming way too familiar. This being said, just consider why we are looking at this in the first place, all about physical security and the possible lack of it which bypasses your 100 grand a year budget you sank into the logical.
The other world of security is physical... locks, fences, cameras or even a bouncer at a nightclub you may frequent. Again, not to beat a dead horse to death even more but understand that today's attackers are focusing on the cakewalk, the easy path in. Physical security is it. Remember, the logical would be some of the following examples:
Firewall rule sets, Instruction detection systems, Access Control Lists, Hardening of Operating Systems and their applications, setting up auditing and logging, etc.
Why crack un-crackable encryption by capturing a secure packet in transit if you could even get that far, when you can walk into a building undetected, open the server case, take the drive out and take it home to get the data off it? Why would you try to spend months capturing data off the network (if you could get a sniffer on it undetected) and sifting through all of it for a password when you can walk up to someone's cubicle and take the password off their desk because it was written on a sticky pad and put on their monitor? Think physical, think outside the box. In part 1 of this article we have looked at the basics of physical and logical security to familiarize you with why it's important to know about and what it means. In part 2 and 3 we will look at how to implement this on your Windows systems and in your organizations.
References and Links:
Physical Security Best Practices
Introduction to Password Cracking
If you would like to read the next article in this series please go to Physical Security Primer (Part 2).