Security in the Infrastructure
Chapter 7 Physical Security
Chapter 8 Infrastructure Security
Chapter 9 Authentication and Remote Access
Chapter 10 Infrastructure
For most American homes, locks are the primary means of achieving physical security, and almost every American locks the doors to his or her home upon leaving the residence. Some go even further and set up intrusion alarm systems in addition to locks. All these precautions are considered necessary because people believe they have something significant inside the house that needs to be protected, such as important possessions and important people.
Physical security is an important topic for businesses dealing with the security of information systems. Businesses are responsible for securing their profitability, which requires a combination of several aspects: they need to secure employees, product inventory, trade secrets, and strategy information. These and other important assets affect the profitability of a company and its future survival. Companies therefore perform many activities to attempt to provide physical security: locking doors, installing alarm systems, using safes, posting security guards, setting access controls, and more.
Most companies today have committed a large amount of effort to network security and information systems security. In this chapter, you will learn how these two security efforts are linked, and you'll learn several methods by which companies can minimize their exposure to physical security events that can diminish their network security.
The Security Problem
The problem that faces professionals charged with securing a company's network can be stated rather simply: physical access negates all other security measures. No matter how impenetrable the firewall and intrusion detection system (IDS), if an attacker can find a way to walk up to and touch a server, he can break into it. The more remarkable thing is that gaining physical access to a number of machines is not that difficult.
Consider that most network security measures are, of necessity, directed at protecting a company from the Internet. This results in many companies allowing any kind of traffic on the local area network (LAN). So if an attacker attempts to gain access to a server over the Internet and fails, he may be able to gain physical access to the receptionist's machine, and by quickly compromising it, he can use it as a remotely controlled zombie to attack what he is really after. Physically securing information assets doesn't mean just the servers; it means protecting physical access to all the organization's computers and its entire network infrastructure.

Physical access to a corporation's systems can allow an attacker to perform a number of interesting activities, starting with simply plugging into an open Ethernet jack. The advent of handheld devices that run operating systems with full networking support has made this attack scenario even more feasible. Before handheld devices, the attacker had to work in a secluded area with dedicated access to the Ethernet for a time: he would sit down with a laptop and run a variety of tools against the network, and working internally typically put him behind the firewall and IDS. Today's capable PDAs assist these efforts by allowing an attacker to place the small device onto the network to act as a wireless bridge. The attacker can then use a laptop to attack the network remotely via the bridge from outside the building. If power is available near the Ethernet jack, this type of attack can also be accomplished with an off-the-shelf access point. The attacker's only challenge is finding an Ethernet jack that isn't covered by furniture or some other obstruction. Two network-side controls reduce the value of such a jack: unused switch ports should be administratively disabled, and 802.1X port authentication limits what an unknown device on a live port can reach.
Another simple attack that can be used when an attacker has physical access is called a bootdisk. Before bootable CD-ROMs or DVD-ROMs were available, a boot floppy was used to start the system and prepare the hard drives to load the operating system. Since many machines still have floppy drives, boot floppies can still be used. These floppies can contain a number of programs, but the most typical ones would be NTFSDOS or a floppy-based Linux distribution that can be used to perform a number of tasks, including mounting the hard drives and performing at least read operations. Once an attacker is able to read a hard drive, the password file can be copied off the machine for offline password cracking attacks. If write access to the drive is obtained, the attacker could alter the password file or place a remote control program to be executed automatically upon the next boot, guaranteeing continued access to the machine.

Bootable CD-ROMs and DVD-ROMs are a danger for the same reason, perhaps even more so, because they can carry a variety of payloads such as malware or even entire operating systems. An operating system designed to run the entire machine from an optical disc without using the hard drive is commonly referred to as a LiveCD. LiveCDs contain a bootable version of an entire operating system, typically a variant of Linux, complete with drivers for most devices. LiveCDs give an attacker a greater array of tools than could be loaded onto a floppy disk. For example, an attacker would likely have access to the hard disk and also to an operational network interface that would allow him to send the drive data over the Internet if properly connected. These bootable operating systems can also be custom built to contain any tool that runs under Linux, giving an attacker a standard bootable attack image, a standard bootable forensics image, or something customized for the tools he likes to use.

Bootable USB flash drives emulate the function of a CD-ROM and provide a device that is both physically smaller and logically larger. Flash drives are now commonly available that provide 32 gigabytes of storage, with more expensive versions stretching that capacity to 64, 128, and even 256 GB. Electronic miniaturization has made these devices small enough to be unnoticed; a recent version extends only 5 mm from the USB port. Made bootable, these devices can contain entire specialized operating systems, and unlike a bootable CD-ROM, they can also be written to, providing an offload point for collected data if an attacker chooses to leave the device and return later.
These types of devices have spawned a new kind of attack in which a CD, DVD, or flash drive is left in an opportunistic place near an organization. This CD or flash drive is typically loaded with malware and is referred to as a road apple. The attack relies on curious people plugging the device into their work computer to see what's on it; the attacker may also tempt the passerby with an enticing label such as "Employee Salaries" or simply "Confidential." Once a user loads the CD-ROM, the malware will attempt to infect the machine.
The use of bootdisks of all types leads to the next area of concern: creating an image of the hard drive for later investigation. Some form of bootable media is often used to load the imaging software.
Drive imaging is the process of copying the entire contents of a hard drive to a single file on a different media. This process is often used by people who perform forensic investigations of computers. Typically, a bootable media is used to start the computer and load the drive imaging software. This software is designed to make a bit-by-bit copy of the hard drive to a file on another media, usually another hard drive or CD-R/DVD-R media. Drive imaging is used in investigations to make an exact copy that can be observed and taken apart, while keeping the original exactly as it was for evidence purposes; a cryptographic hash of the source drive is compared with a hash of the image to prove the copy is exact.
From an attacker's perspective, drive imaging software is useful because it pulls all information from a computer's hard drive while still leaving the machine in its original state. The information contains every bit of data that was on this computer: any locally stored documents, locally stored e-mails, and every other piece of information that the hard drive contained. This data could be very valuable if the machine held sensitive information about the company.
Physical access is the most common way of imaging a drive, and the biggest benefit for the attacker is that drive imaging leaves no trace on the imaged drive. While you can do very little to prevent drive imaging, you can minimize its impact. The use of encryption, even for a few important files, provides protection. Full encryption of the drive protects all files stored on it against offline imaging, as long as the attacker cannot recover the key from a machine that was running or suspended when it was taken. Alternatively, placing files on a centralized file server keeps them from being imaged from an individual machine, but if an attacker is able to image the file server, the data will be copied.
EXAM TIP Drive imaging is a threat because all existing access controls to data can be bypassed and all the data once stored on the drive can be read from the image.
An even simpler version of the drive imaging attack is to steal the computer outright. Computer theft typically occurs for monetary gain, the thief later selling his prize. We're concerned with the theft of a computer to obtain the data it holds, however. While physical thievery is not a technical attack, it is often carried out in conjunction with a bit of social engineering; for example, the thief might appear to be a legitimate computer repair person and may be allowed to walk out of the building with a laptop or other system in his possession. For anyone who discounts this type of attack, consider this incident: in Australia, two individuals entered a government computer room and managed to walk off with two large servers. They not only escaped with two valuable computers, but they got the data they contained as well.

A denial-of-service (DoS) attack can also be performed with physical access. Physical access to the computers can be much more effective than a network-based DoS. The theft of a computer, using a bootdisk to erase all data on the drives, or simply unplugging computers are all effective DoS attacks. Depending on the quality and frequency of the company's backups of critical systems, a DoS attack using these methods can have lasting effects.

Physical access can negate almost all the security that the network attempts to provide. Considering this, you must determine the level of physical access that attackers might obtain. Of special consideration are persons with authorized access to the building who are not authorized users of the systems. Janitorial personnel and others have authorized access to many areas, but they do not have authorized system access. An attacker could pose as one of these individuals or attempt to gain access to the facilities through them.

Physical Security Safeguards
While it is difficult, if not impossible, to be totally secure, many steps can be taken to mitigate the risk to information systems from a physical threat. The following sections discuss policies and procedures as well as access control methods. Then the chapter explores various authentication methods and how they can help protect against physical threats.
Walls and Guards
The primary defense against a majority of physical attacks are the barriers between the assets and a potential attacker: walls and doors. Some organizations also employ full- or part-time private security staff to attempt to protect their assets. These barriers provide the foundation upon which all other security initiatives are based, but the security must be designed carefully, as an attacker has to find only a single gap to gain access.

Walls may have been one of the first inventions of man. Once he learned to use natural obstacles such as mountains to separate him from his enemy, he next learned to build his own mountain for the same purpose. Hadrian's Wall in England, the Great Wall of China, and the Berlin Wall are all famous examples of such basic physical defenses. The walls of any building serve the same purpose, but on a smaller scale: they provide barriers to physical access to company assets. In the case of information assets, as a general rule the most valuable assets are contained on company servers. To protect the physical servers, you must look in all directions: doors and windows should be safeguarded, and a minimum number of each should be used in a server room. Less obvious entry points should also be considered: Is a drop ceiling used in the server room? Do the interior walls extend to the actual roof, raised floors, or crawlspaces? Access to the server room should be limited to the people who need access, not to all employees of the organization. If you are going to use a wall to protect an asset, make sure no obvious holes appear in that wall. Outside of the building's walls, many organizations prefer to have a perimeter fence as a physical first layer of defense. Chain-link fencing is most commonly used, and it can be enhanced with barbed wire. Anti-scale fencing, which looks like very tall vertical poles placed close together to form a fence, is used in high-security implementations that require additional scale and tamper resistance.
EXAM TIP All entry points to server rooms and wiring closets should be closely controlled and, if possible, have access logged through an access control system.
Guards provide an excellent security measure, because a visible guard has a direct responsibility for security. Other employees expect security guards to behave a certain way with regard to securing the facility. Guards typically monitor entrances and exits and can maintain access logs of who has visited and departed from the building. In many organizations everyone who passes through security as a visitor signs the log, which can be useful in tracing who was at what location and why.
Security personnel can be helpful in securing information assets, but proper protection must be provided. Security guards are typically not computer security experts, so they need to be educated about network security as well as physical security involving users. They are the company's eyes and ears for suspicious activity, so the network security department needs to train them to notice suspicious network activity as well. Multiple extensions ringing in sequence during the night, computers rebooting all at once, or strange people parked in the parking lot with laptop computers are all indicators of a network attack that might otherwise be missed. Many traditional physical security tools such as access controls and CCTV camera systems are transitioning from closed hardwired systems to Ethernet- and IP-based systems. This transition opens up the devices to network attacks traditionally performed on computers. With physical security systems being implemented using the IP network, everyone in physical security must become smarter about network security.
Policies and Procedures
A policy's effectiveness depends on the culture of an organization, so all of the policies mentioned here should be followed up by functional procedures that are designed to implement them. Physical security policies and procedures relate to two distinct areas: those that affect the computers themselves and those that affect users.
To mitigate the risk to computers, physical security needs to be extended to the computers themselves. To combat the threat of bootdisks, the simplest answer is to remove or disable floppy drives from all desktop systems that do not require them. The continued advance of hard drive capacity has pushed file sizes beyond what floppies can typically hold. LANs with constant Internet connectivity have made network services the focus of how files are moved and distributed. These two factors have reduced floppy usage to the point where computer manufacturers are making floppy drives accessory options instead of standard features.

The second boot device to consider is the CD-ROM/DVD-ROM drive. This device can probably also be removed from or disabled on a number of machines. A DVD can not only be used as a boot device, but it can be exploited via the autorun feature that some operating systems support. Autorun was designed as a convenience for users, so that when a CD containing an application is inserted, the computer will instantly prompt for input rather than requiring the user to explore the CD filesystem and find the executable file. Unfortunately, since the autorun file launches an executable, it can be programmed to do anything an attacker wants. If autorun is programmed maliciously, it could run an executable that installs malicious code that could allow an attacker to later gain remote control of the machine.

Disabling autorun is an easy task: in Windows XP, you simply right-click the DVD drive icon and set all media types to No Action. This ability can also be disabled by Active Directory settings. Turning off the autorun feature is an easy step that improves security; however, disabling autorun is only half the solution. Since the optical drive can be used as a boot device, a CD loaded with its own operating system (called a LiveCD) could be used to boot the computer with malicious system code. This separate operating system bypasses any passwords on the host machine and can access locally stored files.

Some users will undoubtedly insist on having DVD drives in their machines, but, if possible, the drives should be removed from every machine. If removal is not feasible, particularly on machines that require CD-ROM/DVD use, you can remove the optical drive from the boot sequence in the computer's BIOS.

To prevent an attacker from editing the boot order, BIOS passwords should be set. These passwords should be unique to the machine and, if possible, complex, using multiple uppercase and lowercase characters as well as numerics. Considering how often these passwords will be used, it is a good idea to list them all in an encrypted file so that a master passphrase will provide access to them. Note that a BIOS password only protects the firmware settings: on many desktops it can be cleared by opening the case and resetting the motherboard jumper or removing the CMOS battery, so the case itself needs to be locked as well.
As mentioned, floppy drives are being eliminated from manufacturers' machines because of their limited usefulness, but new devices are being adopted in their place, such as USB devices. USB ports have greatly expanded users' ability to connect devices to their computers. USB ports automatically recognize a device plugged into the system and usually work without the user needing to add drivers or configure software. This has spawned a legion of USB devices, from MP3 players to CD burners.

The most interesting of these, for security purposes, are the USB flash memory-based storage devices. USB drive keys, which are basically flash memory with a USB interface in a device typically about the size of your thumb, provide a way to move files easily from computer to computer. When plugged into a USB port, these devices automount and behave like any other drive attached to the computer. Their small size and relatively large capacity, coupled with instant read-write ability, present security problems. They can easily be used by an individual with malicious intent to conceal the removal of files or data from the building or to bring malicious files into the building and onto the company network.
In addition, well-intentioned users could accidentally introduce malicious code from USB devices by using them on an infected home machine and then bringing the infected device to the office, allowing the malware to bypass perimeter protections and possibly infect the organization. If USB devices are allowed, aggressive virus scanning should be implemented throughout the organization. The devices can be disallowed via Active Directory settings or with a Windows registry key entry. They could also be disallowed by unloading and disabling the USB drivers from users' machines, which will stop all USB devices from working; however, doing this can create more trouble if users have USB keyboards and mice. Editing the registry key that disables the USB mass-storage driver is probably the most effective solution for users who are not authorized to use these devices, since keyboards and mice use a different driver and keep working. Be aware that this does not stop a malicious device that presents itself to the computer as a keyboard; that class of device can only be handled by allow-listing specific devices or by physically disabling the ports. Additionally, the road apple attack mentioned earlier can be especially effective with USB devices, and if not caught quickly by anti-malware programs, could infect multiple computers. This attack relies on social engineering to be successful, so users who do have authorization for USB drives must be educated about the potential dangers of their use.
EXAM TIP USB devices can be used to inject malicious code onto any machine to which they are attached. They can be used to carry malicious code from machine to machine without using the network.
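The two host-side controls this section recommends, turning off autorun and disallowing USB mass storage through the registry, as an added example that is not part of the chapter: a PowerShell script that applies both settings on one Windows host and then reports whether they are in effect. The registry locations are the documented ones Windows reads; the function names and the report layout are this example's own. It must be run from an elevated PowerShell. Two caveats worth knowing: the HKCU value only affects the account running the script, so for a fleet the same values should be pushed through Group Policy (what the text calls Active Directory settings), and since the 2011 Windows updates autorun.inf is honored only for optical media, so against flash drives it is the USBSTOR setting that does the real work.

```powershell
# Added example (not from the chapter): apply and verify the "no autorun, no
# USB mass storage" policy on a single Windows host. Run elevated.
# Registry paths are the documented ones; function names are this example's own.

# NoDriveTypeAutoRun is a bit mask, one bit per drive type; 0xFF disables all.
$AutorunPolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# USBSTOR is the USB mass-storage class driver; Start=4 (SERVICE_DISABLED)
# keeps it from loading. Keyboards and mice use hidusb, so they still work.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-Autorun {
    foreach ($key in $AutorunPolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    }
}

function Disable-UsbStorage {
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
}

function Test-RemovableMediaHardening {
    # Returns one object per host so the result can be logged or compared.
    $autorun = foreach ($key in $AutorunPolicyKeys) {
        $v = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{ Key = $key; NoDriveTypeAutoRun = $v; Compliant = ($v -eq 0xFF) }
    }
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name 'Start').Start
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AutorunCompliant = -not ($autorun | Where-Object { -not $_.Compliant })
        UsbStorDisabled  = ($usbStart -eq 4)
        Details          = $autorun
    }
}

Disable-Autorun
Disable-UsbStorage
Test-RemovableMediaHardening | Format-List
```

The verification function is the part to keep: re-run it from a scheduled task or your configuration-management tool, because a user with local administrator rights, or a driver reinstall, can quietly set USBSTOR back to Start=3.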
The outright theft of a computer is a simple physical attack. This attack can be mitigated in a number of ways, but the most effective method is to lock up equipment that contains important data. Insurance can cover the loss of the physical equipment, but this can do little to get a business up and running again quickly after a theft. Therefore, special access controls for server rooms, as well as simply locking the rack cabinets when maintenance is not being performed, are good ways to secure an area. From a data standpoint, mission-critical or high-value information should be stored on a server only. This can mitigate the risk of a desktop or laptop being stolen for the data it contains. Laptops are popular targets for thieves and should be locked inside a desk when not in use, or special computer lockdown cables can be used to secure them. If desktop towers are used, use computer desks that provide a space in which to lock the computer. In some cases valuable media will be stored in a safe designed for this purpose. All of these measures can improve the physical security of the computers themselves, but most of them can be defeated by attackers if users are not knowledgeable about the security program and do not follow it.

The rise in laptop thefts has spawned new applications that try to prevent access to the data, modeled on the remote wipe capabilities of smartphones. These new applications are remote deletion tools that will delete the hard drive contents if the computer becomes connected to the Internet. Other applications attempt to provide laptop location services or Internet-based tracing of where a stolen laptop has been. Currently the majority of these are software-based and easily disabled by a determined attacker (one who images the drive before ever connecting the machine to a network is never exposed to the wipe at all); however, hardware manufacturers are beginning to offer these applications and are integrating them directly into the BIOS as well as the functions of the cell modem, allowing the remote deletion to work even when the computer is not connected to the Internet.
The incorporation of security keys into an embedded TPM chip on the motherboard, and the subsequent use of these keys to encrypt/decrypt the hard drive, adds significant hurdles for adversaries attempting to obtain data or use a stolen device. Although there is no such thing as perfect security, TPM-backed drive encryption has proven good enough for most cases, with two practical conditions: the machine should be powered off rather than running or suspended when it is lost, so the key is not sitting in memory, and a PIN or other pre-boot factor should be required in addition to the TPM so that the drive is not unlocked automatically for whoever boots it.

Users are often mentioned as the "weakest link in the security chain," and that can also apply to physical security. Fortunately, in physical security, users are often one of the primary beneficiaries of the security itself. A security program protects a company's information assets, but it also protects the people of the organization. A good security program will provide tangible benefits to employees, helping them to support and reinforce the security program. Users need to be aware of security issues, and they need to be involved in security enforcement. A healthy company culture of security will go a long way toward assisting in this effort. If, for example, workers in the office notice a strange person visiting their work areas, they should challenge the individual's presence; this is especially important if visitor badges are required for entry to the facility. A policy of having a visible badge with the employee's photo on it also assists everyone in recognizing people who do not belong.

Users should be briefed on the proper departments or personnel to contact when they suspect a security violation. Users can perform one of the most simple, yet important, information security tasks: locking a workstation immediately before they step away from it. While a locking screensaver is a good policy, setting it to less than 15 minutes is often counterproductive to active use on the job. An attacker only needs to be lucky enough to catch a machine that has been left alone for 5 minutes.
It is also important to know about workers typically overlooked in the organization. New hires should undergo a background check before being given access to network resources. This policy should also apply to all personnel who will have unescorted physical access to the facility, including janitorial and maintenance workers.

Access Controls and Monitoring
Access control means control of doors and entry points. The design and construction of all types of access control systems, as well as the physical barriers to which they are most complementary, are fully discussed in other texts. Here, we explore a few important points to help you safeguard the information infrastructure, especially where it meets the physical access control system. This section talks about layered access systems, as well as electronic door control systems. It also discusses closed circuit television (CCTV) systems and the implications of different CCTV system types.
Locks have been discussed as a primary element of security. Although locks have been used for hundreds of years, their design has not changed much: a metal "token" is used to align pins in a mechanical device. As all mechanical devices have tolerances, it is possible to exploit these tolerances by "picking" the lock.
As we humans are always trying to build a better mousetrap, high-security locks have been designed to defeat attacks; these locks are more sophisticated than a standard home deadbolt system. Typically found in commercial applications that require high security, these locks are made to resist picking and drilling, as well as other common attacks such as simply pounding the lock through the door. Another common feature of high-security locks is key control. Key control refers to the restrictions placed on making a copy of the key. In most residential locks, a trip to the hardware store will allow you to make a copy of the key. Key control locks use patented keyways that can only be copied at a locksmith, and the locksmith keeps records of the authorized users of a particular key.

High-end lock security is more important now that attacks such as "bump keys" are well known and widely available. A bump key is a key cut with all notches to the maximum depth, also known as "all nines." This key uses a technique that has been around a long time, but has recently gained a lot of popularity. The key is inserted into the lock and then sharply struck, bouncing the lock pins up above the shear line and allowing the lock to open. High-security locks attempt to prevent this type of attack through various mechanical means such as nontraditional pin layouts, sidebars, and even magnetic keys.
Layered access is an important concept in security. It is often mentioned in conversations about network security perimeters, but in this chapter it relates to the concept of physical security perimeters. To help prevent an attacker from gaining access to important assets, these assets should be placed inside multiple perimeters. Servers should be placed in a separate secure area, ideally with a separate authentication mechanism. For example, if an organization has an electronic door control system using contactless access cards, a combination of the card and a separate PIN code would be required to open the door to the server room. Access to the server room should be limited to staff with a legitimate need to work on the servers. To layer the protection, the area surrounding the server room should also be limited to people who need to work in that area.
Many organizations use electronic access control systems to control the opening of doors. The use of proximity readers and contactless access cards provides user information to the control panel. Doorways are electronically controlled via electric door strikes and magnetic locks. These devices rely on an electronic signal from the control panel to release the mechanism that keeps the door closed. These devices are integrated into an access control system that controls and logs entry into all the doors connected to it, typically through the use of access tokens. Security is improved by having a centralized system that can instantly grant or refuse access based upon access lists and the reading of a token that is given to the user. This kind of system also logs user access, providing nonrepudiation of a specific user's presence in a controlled environment, to the extent that the token has not been lent out or cloned. The system will allow logging of personnel entry, auditing of personnel movements, and real-time monitoring of the access controls.
One caution about these kinds of systems is that they usually work with a software package that runs on a computer, and as such this computer should not be attached to the company network. While attaching it to the network can allow easy administration, the last thing you want is for an attacker to have control of the system that allows physical access to your facility. With this control, an attacker could input the ID of a badge that she owns, allowing full legitimate access to an area the system controls. Another problem with such a system is that it logs only the person who initially used the card to open the door, so no logs exist for doors that are propped open to allow others access, or of people "tailgating" through a door opened with a card. The implementation of a mantrap is one way to combat this weakness. A mantrap comprises two closely spaced doors that require the user to card through one and then the other sequentially. Mantraps make it nearly impossible to trail through a doorway undetected; if you happen to catch the first door, you will be trapped in by the second door.

Door systems, like many systems, have two design methodologies: fail-safe or fail-secure. While fail-safe is a common enough phrase to have entered the lexicon, think about what it really means: being safe when a system fails. In the case of these electronic door systems, fail-safe means that the door is unlocked should power fail. Fail-secure means that the system will lock the door when power is lost. This can also apply when door systems are manually bypassed. It is important to know how each door will react to a system failure, not only for security but also for fire code compliance, as fail-secure is not allowed for certain doors in a building. A common term is fail-open, and these could be construed as fail-safe doors, for when failure occurs, they will be open. The terms fail-safe and fail-secure are used to prevent confusion about what is "open" during failure: the mechanism or the door.

EXAM TIP A mantrap door arrangement can prevent unauthorized people from following authorized users through an access controlled door, which is also known as "tailgating."
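To show what the controller's own logs can and cannot tell you, here is an added example, not from the chapter, that checks a constructed export of door events against the layered-access rule from earlier in this section (building entrance, then the surrounding floor, then the server room). Zone names, badge IDs, timestamps and the CSV layout are all invented for the example; a real controller's export will need its column names mapped. A server-room grant for a badge that never carded into the surrounding floor is exactly the tailgating or propped-door case the text describes: the controller logged nothing at the outer door, so the gap shows up only when the layers are correlated. The same pass catches a badge entering a zone it is already recorded as being inside, which is the anti-passback case (card handed back through the door).

```powershell
# Added example (not from the chapter): find layered-access violations in a
# door-controller log. All data below is constructed for the example.

# Constructed sample export: one row per card presentation.
$SampleLog = @'
Time,Badge,Zone,Direction,Result
2024-03-04T08:01:10,B1001,Lobby,In,Granted
2024-03-04T08:01:35,B1001,OpsFloor,In,Granted
2024-03-04T08:02:02,B1001,ServerRoom,In,Granted
2024-03-04T08:04:10,B2002,Lobby,In,Granted
2024-03-04T08:06:40,B2002,ServerRoom,In,Granted
2024-03-04T08:10:00,B3003,ServerRoom,In,Denied
2024-03-04T08:30:00,B1001,ServerRoom,Out,Granted
2024-03-04T08:31:00,B1001,OpsFloor,In,Granted
'@

# Perimeters from outermost to innermost. Assumed layout; adjust to the site.
$Layers = @('Lobby', 'OpsFloor', 'ServerRoom')

function Find-LayeredAccessViolations {
    param([string]$CsvText)

    $events   = $CsvText | ConvertFrom-Csv
    $location = @{}      # badge -> innermost zone it is currently carded into
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($e in $events) {
        # Denials are worth alerting on separately, but they move nobody.
        if ($e.Result -ne 'Granted') { continue }

        $idx    = [array]::IndexOf($Layers, $e.Zone)
        $cur    = $location[$e.Badge]
        $curIdx = if ($null -eq $cur) { -1 } else { [array]::IndexOf($Layers, $cur) }

        if ($e.Direction -eq 'In') {
            if ($idx -le $curIdx) {
                $reason = 'Re-entry without carding out first (anti-passback)'
            } elseif ($idx -ne $curIdx + 1) {
                $reason = "Entered $($e.Zone) without carding through $($Layers[$idx - 1])"
            } else {
                $reason = $null
            }
            if ($reason) {
                $findings.Add([pscustomobject]@{
                    Time = $e.Time; Badge = $e.Badge; Zone = $e.Zone; Finding = $reason
                })
            }
            $location[$e.Badge] = $e.Zone
        } else {
            # Carding out of a zone puts the badge back in the enclosing zone.
            $location[$e.Badge] = if ($idx -gt 0) { $Layers[$idx - 1] } else { $null }
        }
    }
    return $findings
}

Find-LayeredAccessViolations -CsvText $SampleLog | Format-Table -AutoSize
```

On the constructed sample this flags B2002's server-room entry (no OpsFloor entry preceded it) and B1001's second OpsFloor entry (the badge was still recorded inside OpsFloor after leaving the server room, so it must have left the floor through a door it never carded). Neither event is an error from the controller's point of view, which is why this kind of correlation has to be done on the exported log, ideally on a host that is not the access-control server itself.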
CCTVs are similar to the door control systems: they can be very effective, but how they are implemented is an important consideration. The use of CCTV cameras for surveillance purposes dates back to at least 1961, when the London Transport train station installed cameras. The development of smaller camera components and lower costs has caused a boom in the CCTV industry since then.

CCTV cameras are used to video monitor a workplace for security purposes. These systems are commonplace in places such as banks and jewelry stores, places with valuable merchandise that is attractive to thieves. As the expense of these systems dropped, they became practical for many more industry segments. Traditional cameras are analog based and require a video multiplexer to combine all the signals and make multiple views appear on a monitor. IP-based cameras are changing that, as most of them are standalone units viewable through a web browser. These IP-based systems add useful functionality, such as the ability to check on the building from the Internet. This network functionality, however, makes the cameras subject to normal IP-based network attacks. The last thing that anyone would want would be a DoS attack launched at the CCTV system just as a break-in was planned. For this reason, IP-based CCTV cameras should be placed on their own separate network that can be accessed only by security personnel. The same physical separation applies to any IP-based camera infrastructure. Older time-lapse tape recorders are slowly being replaced with digital video recorders