Chapter 7

Physical Security

In This Chapter

  • Understanding the importance of physical security
  • Looking for physical security vulnerabilities
  • Implementing countermeasures for physical security attacks

I strongly believe that information security is more dependent on nontechnical policies and business processes than on the technical hardware and software solutions that many people and vendors swear by. Physical security, which is the protection of physical property, encompasses both technical and nontechnical components, both of which must be addressed.

Physical security is an often-overlooked but critical aspect of an information security program. Your ability to secure your information depends on your ability to physically secure your office, building, or campus. In this chapter, I cover some common physical security weaknesses as they relate to computers and information security that you must seek out and resolve. I also outline free and low-cost countermeasures you can implement to minimize your business’s physical vulnerabilities.

Warning: I don’t recommend breaking and entering, which would be necessary to test certain physical security vulnerabilities fully. Instead, approach those areas to see how far you can get. Take a fresh look — from an outsider’s perspective — at the physical vulnerabilities covered in this chapter. You might discover holes in your physical security infrastructure that you had previously overlooked.

Identifying Basic Physical Security Vulnerabilities

Whatever your computer- and network-security technology, practically any hack is possible if an attacker is in your building or data center. That’s why looking for physical security vulnerabilities and fixing them before they’re exploited is so important.

In small companies, some physical security issues might not be a problem. Many physical security vulnerabilities depend on such factors as:

  • Size of the building
  • Number of buildings or office locations
  • Number of employees
  • Location and number of building entrance and exit points
  • Placement of server rooms, wiring closets, and data centers

Literally thousands of possible physical security weaknesses exist. The bad guys are always on the lookout for them — so you should look for these issues first. Here are some examples of physical security vulnerabilities I’ve found when performing security assessments for my clients:

  • No receptionist in a building to monitor who’s coming and going
  • No visitor sign-in or escort required for building access
  • Employees overly trusting of visitors because they wear vendor uniforms or say they’re in the building to work on the copier or computers
  • No access controls on doors or the use of traditional keys that can be duplicated with no accountability
  • Doors propped open
  • IP-based video, access control, and data center management systems accessible via the network with vendor default user IDs and passwords
  • Publicly accessible computer rooms
  • Unsecured backup media such as tapes, hard drives, and CDs/DVDs
  • Sensitive information stored in hard-copy format lying around cubicles rather than being stored in locking filing cabinets
  • Unsecured computer hardware, especially routers, switches, and unencrypted laptops
  • Sensitive information being thrown away in trash cans rather than being shredded or placed in a shred container

When these physical security vulnerabilities are uncovered, bad things can happen. All it takes to exploit these weaknesses is an unauthorized individual entering your building.

Pinpointing Physical Vulnerabilities in Your Office

Many potential physical security exploits seem unlikely, but they can occur to organizations that don’t pay attention to physical security risks. The bad guys can exploit many such vulnerabilities, including weaknesses in a building’s infrastructure, office layout, computer-room access, and design. In addition to these factors, consider the facility’s proximity to local emergency assistance (police, fire, and ambulance) and the area’s crime statistics (burglary, breaking and entering, and so on) so you can better understand what you’re up against.

Look for the vulnerabilities discussed in the following sections when assessing your organization’s physical security. This won’t take a lot of technical savvy or expensive equipment. Depending on the size of your office or facilities, these tests shouldn’t take much time either. The bottom line is to determine whether the physical security controls are adequate given what’s at stake. Above all, be practical and use common sense.

Building infrastructure

Doors, windows, and walls are critical components of a building — especially for a data center or an area where confidential information is stored.

Attack points

Criminals can exploit a handful of building infrastructure vulnerabilities. Consider the following commonly overlooked attack points:

  • Are doors propped open? If so, why?
  • Can gaps at the bottom of critical doors allow someone using a balloon or other device to trip a sensor on the inside of an otherwise “secure” room?
  • Would it be easy to force doors open? A simple kick near the doorknob is usually enough for standard doors.
  • What is the building or data center made of (steel, wood, concrete), and how sturdy are the walls and entryways? How resilient is the material to earthquakes, tornadoes, strong winds, heavy rains, and vehicles driving into the building? Would these disasters leave the building exposed so that looters and others with malicious intent could gain access to the computer room or other critical areas?
  • Are any doors or windows made of glass? Is this glass clear? Is the glass shatterproof or bulletproof?
  • Do door hinges on the outside make it easy for intruders to unhook them?
  • Are doors, windows, and other entry points wired to an alarm system?
  • Are there drop ceilings with tiles that can be pushed up? Are the walls slab-to-slab? If not, someone could easily scale walls, bypassing any door or window access controls.

Countermeasures

Many physical security countermeasures for building vulnerabilities might require other maintenance, construction, or operations experts. If building infrastructure is not your forte, you can hire outside experts during the design, assessment, and retrofitting stages to ensure that you have adequate controls. Here are some of the best ways to solidify building security:

  • Strong doors and locks
  • Windowless walls around data centers
  • Signage that makes it clear what’s where and who’s allowed
  • A continuously monitored alarm system with network-based cameras located at all access areas
  • Lighting (especially around entry and exit points)
  • Mantraps and sallyports that allow only one person at a time to pass through a door
  • Fences (with barbed wire or razor wire if needed)

Utilities

You must consider building and data center utilities, such as power, water, generators, and fire suppression, when assessing physical security. These utilities can help fight off incidents and keep other access controls running during a power loss. You have to be careful, though, as they can also be used against you if an intruder enters the building.

Attack points

Intruders often exploit utility-related vulnerabilities. Consider the following attack points, which are commonly overlooked:

  • Is power-protection equipment (surge protectors, uninterruptible power supplies [UPSs], and generators) in place? How easily accessible are the on/off switches on these devices? Can an intruder walk in and flip a switch? Can an intruder simply scale a wood fence or cut off a simple lock and access critical equipment?
  • When the power fails, what happens to physical security mechanisms? Do they fail open, allowing anyone through, or fail closed, keeping everyone in or out until the power is restored?
  • Where are fire-detection and -suppression devices — including alarm sensors, extinguishers, and sprinkler systems — located? Determine how a malicious intruder can abuse them. Are they accessible via a wireless or local network with default login credentials? Perhaps they’re accessible over the Internet? Are these devices placed where they can harm electronic equipment during a false alarm?
  • Where are water and gas shutoff valves located? Can you access them, or would you have to call maintenance personnel when an incident arises?
  • Are local telecom wires (both copper and fiber) that run outside of the building located aboveground, where someone can tap into them with telecom tools? Can digging in the area cut them easily? Are they located on telephone poles that are vulnerable to traffic accidents or weather-related incidents?

Countermeasures

You might need to involve outside experts during the design, assessment, or retrofitting stages. The key is placement:

  • Ensure that major utility controls are placed behind closed and lockable doors or fenced areas out of sight to people passing through or nearby.
  • Ensure that any devices accessible over the network or Internet are tested using vulnerability scanners and other techniques I’ve outlined in this book. If they don’t have to be network- or Internet-accessible, disable that feature or limit who can access the systems via firewall rules or a network access control list.
  • Ensure that someone walking through or near the building cannot access the controls to turn them on and off.

Tip: Security covers for on/off switches and thermostat controls and locks for server power buttons, USB ports, and PCI expansion slots can be effective defenses. Just don’t depend on them fully, because someone with a hammer (or strong will) can easily crack them open.

I once assessed the physical security of an Internet colocation facility for a very large computer company. I made it past the front guard and tailgated through all the controlled doors to reach the data center. After I was inside, I walked by equipment that was owned by very large companies, such as servers, routers, firewalls, UPSs, and power cords. All this equipment was completely exposed to anyone walking in that area. A quick flip of a switch or an accidental trip over a network cable dangling to the floor could bring an entire shelf — and a global e-commerce system — to the ground.

Office layout and usage

Office design and usage can either help or hinder physical security.

Attack points

Intruders can exploit various weaknesses around the office. Consider these attack points:

  • Does a receptionist or security guard monitor traffic in and out of the main doors of the building?
  • Do employees have confidential information on their desks? What about mail and other packages — do they lie around outside someone’s door or, even worse, outside the building, waiting for pickup?
  • Where are trash cans and dumpsters located? Are they easily accessible by anyone? Are recycling bins or shredders used?

    Open recycling bins and other careless handling of trash are invitations for dumpster diving. People with ill intent often search for confidential company information and customer records in the trash — and they’re often very successful! Dumpster diving can lead to many security exposures.

  • How secure are the mail and copy rooms? If intruders can access these rooms, they can steal mail or company letterhead to use against you. They can also use and abuse your fax machine(s), assuming you still have those!
  • Are closed-circuit television (CCTV) or IP-based network cameras used and monitored in real time? If your setup is less proactive and more as-needed, are you confident that you’ll be able to quickly access videos and related logs when you need them?
  • Have your network cameras and digital video recorders (DVRs) been hardened from attack — or at least have the default login credentials been changed? This is a security flaw that you can predict with near 100-percent certainty on practically all types of networks from public utility companies to hospitals to manufacturing companies and all types of businesses in between.
  • What access controls are on doors? Are regular keys, card keys, combination locks, or biometrics used? Who can access these keys, and where are they stored?

    Keys and programmable keypad combinations are often shared among users, making accountability difficult to determine. Find out how many people share these combinations and keys.

I once came across a situation for a client where the front lobby entrance was unmonitored. It also happened to have a Voice over IP (VoIP) phone available for anyone to use. But the client did not consider that anyone could enter the lobby, disconnect the VoIP phone (or use the phone’s data port), and plug a laptop computer into the connection and have full access to the network with minimal chance that the intruder would ever be questioned about what he or she was doing. This type of situation is easily prevented by disabling network connections in unmonitored areas (if separate data and voice ports are used or if the voice and data traffic had been separated at the switch or physical network levels).

Countermeasures

What’s challenging about physical security is the fact that security controls are often reactive. Some controls are preventive (that is, they deter, detect, or delay), but they’re not foolproof. Putting simple measures, such as the following, in place can help reduce your exposure to building and office-related vulnerabilities:

  • A receptionist or a security guard who monitors people coming and going. This is the simplest countermeasure. This person can ensure that every visitor signs in and that all new or untrusted visitors are always escorted.

    Make it policy and procedure for all employees to question strangers and report strange behavior in the building.

    Warning: “Employees Only” or “Authorized Personnel Only” signs show the bad guys where they should go instead of deterring them from entering. It’s security by obscurity, but not calling attention to the critical areas may be the best approach.

  • Single entry and exit points to a data center.
  • Secure areas for dumpsters.
  • CCTV or IP-based video cameras for monitoring critical areas, including dumpsters.
  • Cross-cut shredders or secure recycling bins for hard-copy documents.
  • Limited numbers of keys and passcode combinations, with usage that’s also logged and monitored.

    Tip: Make keys and passcodes unique for each person whenever possible or, better yet, don’t use them at all. Use electronic badges that can be better controlled and monitored instead.

  • Biometrics identification systems can be very effective, but they can also be expensive and difficult to manage.

Network components and computers

After intruders obtain physical access to a building, they might look for the server room and other easily accessible computer and network devices.

Attack points

The keys to the kingdom are often as close as someone’s desktop computer and not much farther than an unsecured computer room or wiring closet.

Intruders can do the following:

  • Obtain network access and send malicious e-mails as a logged-in user.
  • Crack and obtain passwords directly from the computer by booting it with a tool such as the ophcrack LiveCD (http://ophcrack.sourceforge.net). I cover this tool and more password hacks in Chapter 8.
  • Place penetration drop boxes such as those made by Pwnie Express (https://www.pwnieexpress.com) in a standard power outlet. These devices allow a malicious intruder to connect back into the system via cellular connection to perform their dirty deeds. This is a really sneaky (spy-like) means for intrusion that you can use as part of your own security testing.
  • Steal files from the computer by copying them to a removable storage device (such as a phone or USB drive) or by e-mailing them to an external address.
  • Enter unlocked computer rooms and mess around with servers, firewalls, and routers.
  • Walk out with network diagrams, contact lists, and disaster recovery plans.
  • Obtain phone numbers from analog lines and circuit IDs from T1, Metro Ethernet, and other telecom equipment to use in subsequent attacks.

Practically every bit of unencrypted information that traverses the network can be recorded for future analysis through one of the following methods:

  • Connecting a computer running network analyzer software (including a tool such as Cain and Abel, which I cover in Chapter 9) to a switch on your network.
  • Installing network analyzer software on an existing computer.

    Warning: A network analyzer is very hard to spot. I cover network analyzers capturing packets on switched Ethernet networks in more detail in Chapter 9.

How would someone access or use this information in the future?

  • The easiest attack method is to install remote-administration software on the computer, such as VNC (www.realvnc.com).
  • A crafty hacker with enough time can bind a public IP address to the computer if the computer is outside the firewall. Hackers or malicious insiders with enough network knowledge (and time) can configure new firewall rules to do this.

Also, consider these other physical vulnerabilities:

  • How easily can computers be accessed during regular business hours? During lunchtime? After hours?
  • Are computers — especially laptops — secured to desks with locks? Are their hard drives encrypted in the event one is lost or stolen? Do their screens lock after a short period of non-use?
  • Do employees typically leave their phones and tablets lying around unsecured? What about when they’re traveling or working from home, hotels, or the local coffee shop?
  • Are passwords stored on sticky notes on computer screens, keyboards, or desks? This is a long-running joke in our circles but it still happens!
  • Are backup media lying around the office or data center susceptible to theft?
  • Are safes used to protect backup media? Are they specifically rated for media to keep backups from melting during a fire? Who can access the safe?

    Safes are often at great risk because of their size and value. Also, they are typically unprotected by the organization’s regular security controls. Are specific policies and technologies in place to help protect them? Are locking laptop bags required? What about power-on passwords? Encryption can solve a lot of physical security-related weaknesses.

  • How easily can someone connect to a wireless access point (AP) signal or the AP itself to join the network? Rogue access points are also something to consider. I cover wireless networks in more detail in Chapter 10.
  • Are network firewalls, routers, switches, and hubs (basically, anything with an Ethernet connection) easily accessible, which would enable an attacker to plug in to the network easily?
  • Are all cables patched through on the patch panel in the wiring closet so all network drops are live, as in the case of the unmonitored lobby area I mention earlier?

    Warning: This setup is very common but a bad idea because it allows anyone to plug in to the network anywhere and gain access. This is not only a great way to allow intruders onto your network but it can also be used as a means for spreading malware.

Countermeasures

Network and computer security countermeasures are some of the simplest to implement yet the most difficult to enforce because they involve people and their everyday actions. Here’s a rundown of these countermeasures:

  • Make your users aware of what to look out for so you have extra sets of eyes and ears helping you out.
  • Require users to lock their screens — which only takes a few clicks or keystrokes — when they leave their computers.
  • Ensure that strong passwords are used. I cover this topic in Chapter 8.
  • Require laptop users to lock their systems to their desks with a locking cable. This is especially important for remote workers and travelers as well as in larger companies or locations that receive a lot of foot traffic.
  • Require all laptops to use full disk encryption technologies, such as BitLocker in Windows (ideally combined with its central management software called Microsoft BitLocker Administration and Monitoring that can be found at https://technet.microsoft.com/en-us/windows/hh826072.aspx) and WinMagic SecureDoc Full Disk Encryption (www.winmagic.com/products/securedoc-full-disk-encryption).
  • Keep server rooms and wiring closets locked and monitor those areas for any wrongdoing.
  • Keep a current inventory of hardware and software within the organization so it’s easy to determine when extra equipment appears or when equipment is missing. This is especially important in computer rooms.
  • Properly secure computer media when stored and during transport.
  • Scan for rogue wireless access points.
  • Use cable traps and locks that prevent intruders from unplugging network cables from patch panels or computers and using those connections for their own computers.
  • Use a bulk eraser on magnetic media before they’re discarded.
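
One way to act on the inventory countermeasure above, and on the live lobby network drop described earlier, is to reconcile the asset inventory against the MAC addresses each switch port reports. This is an added example, not code from the book; the CSV layouts, port names, locations, and addresses are constructed sample data and assumptions.

```python
"""Reconcile a hardware inventory against devices seen on switch ports."""
import csv
import io

# Constructed sample data: asset inventory (what the organization owns).
INVENTORY_CSV = """asset_tag,mac,description,location
A-1001,00:11:22:33:44:01,Reception VoIP phone,lobby
A-1002,00:11:22:33:44:02,File server,server-room
A-1003,00:11:22:33:44:03,Finance laptop,office-2f
A-1004,00:11:22:33:44:04,Backup appliance,server-room
"""

# Constructed sample data: MAC addresses learned per switch port, in the form
# an exported switch MAC table might be normalized to (layout is an assumption).
OBSERVED_CSV = """switch_port,port_location,mac
gi1/0/1,lobby,00-11-22-33-44-01
gi1/0/2,lobby,DE:AD:BE:EF:00:99
gi1/0/10,server-room,0011.2233.4402
gi1/0/11,server-room,00:11:22:33:44:03
gi1/0/20,wiring-closet,02:AA:BB:CC:DD:10
"""

# Areas the assessment found to be unmonitored (assumption for this example).
UNMONITORED_AREAS = {"lobby"}


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, whatever separator was used."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def reconcile(inventory_csv, observed_csv, unmonitored=UNMONITORED_AREAS):
    """Compare inventory with observations and return the discrepancies."""
    inventory = {normalize_mac(r["mac"]): r
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    seen = set()
    findings = {"unknown": [], "moved": [], "missing": [], "exposed_ports": []}
    for row in csv.DictReader(io.StringIO(observed_csv)):
        mac = normalize_mac(row["mac"])
        seen.add(mac)
        asset = inventory.get(mac)
        if asset is None:
            # Extra equipment: nothing in the inventory owns this address.
            findings["unknown"].append((row["switch_port"], row["port_location"], mac))
            if row["port_location"] in unmonitored:
                # A live drop in an unmonitored area with an unknown device on it.
                findings["exposed_ports"].append(row["switch_port"])
        elif asset["location"] != row["port_location"]:
            # Known equipment plugged in somewhere other than its recorded location.
            findings["moved"].append((asset["asset_tag"], asset["location"], row["port_location"]))
    # Inventoried equipment that no switch port reported.
    findings["missing"] = sorted(a["asset_tag"] for m, a in inventory.items() if m not in seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY_CSV, OBSERVED_CSV).items():
        print(f"{kind}: {items}")
```

A MAC address can be changed by whoever controls the device, so a clean result is one signal alongside locked closets, cable locks, and physical walk-throughs, not proof that nothing was added.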