As mentioned before, the Onion series will address security in layers. Like a real onion, there are so many layers to look at and deal with that it can make some network administrators cry. (Ok, yes, that was a bad pun.) This latest chapter of the series will address Layer 1, which covers some physical aspects of layered security.
When the term layered security is mentioned, I, as well as others, often remember suffering in network classes learning about the OSI model. To be complete, the Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model for short) is a layered description (mostly abstract and used as general reference) for communications and protocol design. There are seven layers, and most will start with Layer 7 (Application) and work backwards to Layer 1 (Physical) when dealing with it. Some will do the opposite, move from Layer 1 to Layer 7, but when dealing with security, you have to start from the ground up (layer 1) and build from there.
While not covering the OSI to the letter of the law, we will borrow from it to frame how layered security works. The physical layer, when dealing with security, can include hardware and various appliances. The good rule of thumb when looking at this layer is that if you can touch it, you must secure it. Routers, for the home or office, modems and other devices, all are physical in nature and each must be secured either with solid configuration settings or with actual honest physical security.
Remember, security starts from the ground up. No matter what the project, when it begins security must be taken into account. Penetration testers make a fortune exploiting this weakness, not just by cracking networks, but by walking into the building as well and making off with data, and in some cases, hardware. In part one of this article, we will cover true physical security, things that you can touch but are not necessarily on a network.
The best guide that can explain some of the physical aspects of security in their most basic form is No Tech Hacking by Johnny Long. (Amazon: http://tinyurl.com/3bt9or)
If you have never heard of No Tech Hacking, or have never seen Johnny speak, then you should watch the video from DefCon 15. (http://tinyurl.com/23uett) Johnny has worked with CSC for years, and he is a professional penetration tester. He is well-known for his Google Hacking series. However, his most recent book looks at security from a different angle. While the concept of security makes most corporate officers and IT professionals envision hackers and news reports of data breaches, often the basics are forgotten.
The base for security is not a killer app-based firewall, or a cool IDS/IPS system. No, the base for security is little things. Little things such as restricting access to areas which are sensitive, like wire closets, offices, copy rooms, mail rooms, etc. There have been numerous reports and news items in which auditors or malicious persons have simply walked into a building and gotten what they were after. You see several examples of this in No Tech Hacking.
What good is all of your expensive network security if someone writes down the entire schema, and then throws it out for someone to stumble upon? This may seem extreme, but it has happened before, and will happen again. Physical security is not just about networks, it is about controlling access to those networks in various forms.
Control it, and secure it. Paper reports hold more information than some people give them credit for. IT uses paper for most things: expense reports, budgets, PO requests, etc. This information seems harmless, but why should it be left to chance? In the No Tech Hacking video you will see examples of valuable documentation left hanging off dumpsters, or blowing in the wind. A potential attacker might not have had a clue as to your network design, but thanks to those CDW receipts and PO requests, he or she now knows what you just installed over the last few months. Network maps and other schemas are also useful and are frequently tossed aside after a new revision is produced. The same can be said for policy and other types of documents. The first draft or the last still houses interesting information, and can be used against a network.
Shred everything into a fine mist; if you have to dispose of paper, leave it in a state that can never be recovered. You should be disposing of everything that is past a certain age or useless. If you have to store it, then store it securely, inside a locked room with very limited access. This seems alarmist, but it is true. There is no FUD in these examples. If you need proof, walk over to marketing or HR and see what they are throwing away. If there is any information that can be used against the company or the network, no matter how insignificant it seems, it needs to be protected. There needs to be policy in place, and controls that are a mix of both IT and every department. Security officers are more than just network watchers; they are the keepers of the castle.
The process of documentation control and security is not just a business thing either. Home users can benefit from a good shredder as well. There is nothing wrong with spending $100.00 or more for a decent shredder in the home, and using it for junk mail, pre-screened credit offers, and old bank statements. With the surge of worry over Identity Fraud in the public, this type of physical security can help everyone. While there is no run on the trash and mail box in the neighborhoods across the globe, there is also no reason not to put forth a little extra effort.
In 2007, the Federal Trade Commission released a survey showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005. Of those 8.3 million, 1.8 million victims, or 0.8 percent, found that new accounts were opened or other frauds were committed using their personal identifying information. The USPS often warns about mail fraud, and it is now federal law that banks must take you off a “pre-screen” list if you request it.
Physical security is just that, literally locking things up. In his book, No Tech Hacking, Johnny Long talks about how he and his partner took down a multi-million dollar physical security system. They walked right into the building and used nothing more than a stick and a wet washcloth. The method of lock bumping earned some detailed news coverage; some reports were off base and filled with FUD, but the technical reports covered it pretty well. A simple search on YouTube, http://tinyurl.com/4hyt8h, offers over six thousand videos on picking locks.
There are groups, and clubs where people do nothing but study and learn how to pick locks. It is a fascinating subject to learn. Sadly some of the most expensive, and “secure” locks known, have fallen to people with a ballpoint pen, toilet paper tube, dental floss holder, or just a pencil and paper to write things down on. In no time at all the locks were defeated, rendering their security worthless.
An example of failed lock protection would be The Central Collection Bureau, a collection agency based in Indianapolis, IN, which reported in April that one of its servers, containing information on more than 700,000 people, was stolen from its offices. The data was stored in clear text. This alone was the damaging factor regarding the data, but the company thought the data was safe because it was stored behind three different locked doors and required two passwords. If the locks can be picked, they offer no security. If the door can be kicked in, it offers no security. Adding two passwords to a computer, yet not encrypting the data, well, that is a different layer; we will cover it another time.
You need to ensure that not only is the paper data or physical data secured, but that access to that data is physically locked down. This can take some time and effort to research. Call a local bonded security company, and talk to a unionized locksmith. In some cases they will test the security of your locks for little or nothing.
Taking the time to control physical access to the building or office where your network resides is the first step in working with layers in security. You are already used to the concept if you have ever walked into a datacenter and had to scan your hand or move through several doors just to access the rack where your server is housed. Just assess your current physical layer and see where you stand.
Part two of this article will cover hardware physical security; it will be uploaded tomorrow.