Physical security is often overlooked, especially by technical people, although in most cases it is the simplest and easiest to circumvent, as well as the simplest and easiest to mitigate.
Take the results from higher level Asset Identification. Remove any that are not applicable, and add any newly discovered. Here are some to get you started:
You can take the same process that we did at the top level, but abstract the ideas, and then solidify them on physical components. Some of the ideas will work, some won’t.
Many times physical security is good, but then is compromised by the people problem. My wife used to do commercial cleaning when she was younger, and every night she would come home with new stories about how people were the weakest link when it came to security. Most of the time when physical security is breached, there is actually no security, because people have failed the design.
I am also a qualified carpenter, and part of my job was to break into buildings when the tenants had run out on the lease, so I know a few things about physical security as well. Even when doors and windows are locked, their security is usually trivial to compromise without damaging anything. Funnily enough, it was seldom that we were required to force latches, bump or pick locks. There is always a path of least resistance, the lowest hanging fruit, because people are usually the weakest link in any security solution. This does not actually have to be the case though; they can be the strongest link as well. Refer to the chapter on People for further details.
The same candy bar (fortress) analogy, a hard shell around a soft centre, recurs across many areas of security.
“Many organizations still adopt a fortress mentality, where everyone on the outside is bad and stuff on the inside is less dangerous,” said Brian Krebs, author of the Krebs on Security blog. “Years of experience has taught us that the biggest problems often stem from the fact that once something gets through the outer defences, it’s often a cakewalk to move around the internal network unimpeded.”
We not only see this principle applied to networks, but also to physical security.
Consider doors that lead to isolated areas, filing cabinets and other cupboards left unlocked or locked, and keys or combinations put in obvious places. What assets or potential footholds are in those areas? What about electronic systems other than core computing systems, such as alarm, surveillance or air conditioning components? Sometimes all that stands in the way of a successful exploit is the fact that someone is watching something. If an attacker can take that someone’s attention away from an exploitable target (be it a computer, another unlocked door, a person, or whatever) for a short period of time, they may be able to carry out an activity that takes them further along their attack traversal path.
Open doors and windows are typically uninteresting because they represent so little challenge to mitigate. So little challenge, in fact, that the vulnerability is often ignored. Believe it or not, it is often the cleaner’s responsibility to lock doors and windows and set alarms. Anyone can be, or masquerade as, a cleaner. I have discussed some of these types of threat agents on my blog. Many places I have worked in that have double latched windows are only single latched when I do the rounds just before I leave. It is very easy to pry a double latch window open from the outside when it has only been single latched.
Many building materials used today are trivially easy to compromise. Although cyber attacks, as opposed to simple physical penetration, are on the increase, physical attacks are generally lower tech and easier to carry out by less technically skilled people. One factor being realised with regard to cyber-crime is that the physical vector can also be a key component of carrying out a successful technology-based attack, in a manner similar to social engineering as we cover in the People chapter.
Often labels are attached to doors, windows, air conditioning units, and any number of other electrical appliances, clearly displaying who the service agent is. This sort of information can be very useful to aid an attacker in their social engineering pretexts. With it, an attacker can pretend to be the service agent specified on the label and is more likely to succeed with the attack.
What about all the RFID cards or tags used for accessing buildings, elevators, car parks, etc.? Again, these are relatively easy to exploit with readers and cloners, which can be bought across a full range of prices.
You can even build your own with the likes of the Tessel and its RFID module.
Of course, there are many more that I may explore in a later book or blog post.
Computers left logged in, not locked, and screens left on often have very sensitive material clearly displayed. This is very common. Again, physical security is rendered useless due to the people problem.
Wherever you have networking equipment installed, it represents an optimal target for an attacker looking to compromise assets on your network. An attacker needs only enough time to plant infectious media that will do their bidding, perhaps destruction or establishing a reverse shell to an external host they control, giving them full access to your network. Do not underestimate how quickly this can be done. Often simply plugging media in is all that is required.
Active network ports are just that: active and waiting for a malicious actor to plug in a rogue Wi-Fi Access Point or drop box that will allow malicious activity on the network, including exfiltration of information it has gathered. Devices such as the LAN Turtle are popular for this.
Wi-Fi took the world by storm. It provided an extremely convenient way to access the network from both transient and stationary devices. Connected devices no longer required a physical data connection. Because of the amazing convenience Wi-Fi brought with it, users were blindsided to the huge attack surface Wi-Fi created. With any increase in convenience, there is also an increase in attack surface. You cannot have one without the other.
The human race seems bent on adopting technologies as integral parts of our lives with often almost complete ignorance of the costs we are incurring. As ubiquity and convenience increase, so too does the cost. With Wi-Fi, the cost is the huge attack surface that comes with it. An attacker no longer needs to break into a building and find an active port. They can just sit in their car in the parking lot pretending to answer email or the like. Worse, they can wait until staff have left for the day and comfortably establish themselves outside the organisation’s premises, then go to work on the internal network. It could not be much easier. Keep in mind, most attacks come from within organisations.
This is discussed in more depth in the Network chapter of Fascicle 1.
Hiding your SSID is security via obscurity. It is useful against the casual unskilled observer, but it is not really the casual unskilled observer you need to be concerned about. Depending on an attacker’s kit, there are plenty of ways to locate hidden SSIDs.
WPS is a network security standard that is supposed to allow users to easily add devices to an existing network without entering pass-phrases. WPS is available on many consumer-grade APs and even some entry level enterprise devices. This standard, as implemented, trades security for convenience: it provides a large, easy attack surface and thus significantly reduces security.
There are several methods in the WPS standard to provide authorisation to an Enrollee (entity wanting to connect to the AP). No method provides security if the Enrollee has physical access to the AP, and little security even if they do not. If the Enrollee can obtain physical access at some point, then a trust relationship can be established for an ongoing remote relationship. The method names are:
Several brute-force attacks exist in which an attacker can compromise the PIN method. How WPS on the specific AP is implemented determines how long brute-force attacks will take to crack the PIN. In most cases this is only a matter of hours.
Once connected, the wireless pass-phrase can be extracted from the Enrolled device with no special tools. Essentially the AP just trusts the Enrollee.
In my experience, when a staff member finishes working for an organisation, they are never made to, or even encouraged to, remove wireless access point credentials from their personal transient devices, yet keys and RFID tags are claimed. This makes no sense at all.
A lack of visibility removes the ability to make well-informed decisions. Visibility dictates your ability to react when a malicious actor is doing something to compromise your asset(s).
The tools you use to provide visibility will determine what an attacker needs to do to go about avoiding or removing it.
There is a common theme throughout this section: prevent, detect and respond. It is discussed in a little more depth in the RFID Tags section.
Harden internal attack vectors. BinaryMist takes the approach of De-perimeterisation. Do not rely only on network firewalls or LAN segmentation. Harden every layer (defence in depth) as though all other layers are weak and easily compromised.
I have blogged and spoken about this on many occasions. The same principle applies to physical security. When the outer layer is removed, there should be many layers of defence within the physical premises as well. We will discuss some of these below.
Provide education, then monitor and test that the education is taking effect; repeat if not. Have someone with a devious, creative mindset test these areas. There are also quite a few ideas in the People chapter on increasing staff engagement.
Much of ensuring that staff do secure the premises when they leave comes down to the level of engagement. See the People chapter for ideas on how to increase staff engagement and motivation to take care of the organisation they work for, while being alert. Do not underestimate how much a staff member’s attitude affects this.
Do not overwork your staff to the point that they are too tired when they leave the premises to think about doing a full rounds check, or if they do, then miss something.
It is an age old law. What goes around comes around. Treat your staff as you would like to be treated, and they will be more likely to make sure that the premises openings are locked properly when they leave.
Train staff. The training loop is also important. Educate -> monitor -> test, repeat.
If you have the luxury of building your premises from scratch, steer clear of using materials that just look good. Tilt panel concrete and 8” steel-reinforced, grouted block-work are very good against most types of attacks. Of course, a determined attacker will break through even that, so you will have to rely on defence in depth. Make sure you have many layers of protection, and think as though every one of them will be compromised with enough time, planning and/or perseverance.
Again, if you are in the position to be building premises from scratch, or completing an in-depth refurbishment, you can implement Crime Prevention Through Environmental Design (CPTED). This is a focus on the external elements of the premises. Using landscaping techniques focused on security, you can use pathways, benches, hedgerows, sculptures and plantings in combination with lighting techniques and highly visible external security cameras to control access to the building, increasing the difficulty for an attacker to approach undetected. A well designed CPTED strategy can deter many attackers before they even reach your building, let alone attempt to access it.
There is of course detection followed by response techniques that you can use to help in cases where you are unable to, or it does not make sense to change weak building materials. These are covered below.
Just remove them. Do not make information publicly available that could be used against you.
There are many attack vectors represented here in the following countermeasures:
There are at least a couple of strategies to deal with RFID tag cloning.
Keep in mind though, as Bruce Schneier said: “Detection works where prevention fails and detection is of no use without response.”
As part of Identify Risks, you will need to apply the ranking techniques discussed in order to decide the Likelihood and Impact applicable to what is important to your business, and all the other factors that threat modelling techniques walk you through.
You can then use your ranking as input to the Countermeasures step, thus helping you decide which, if any, countermeasures are worth implementing.
Most of what you can do here comes down to the people problem described in the chapter on People.
Ideally, these components should be stored in server cabinets which are locked; do not leave the keys sitting in the locks, or in an obvious place, and have all the panels fitted. So often I have seen these cabinets wide open due to laziness, or because no one knows where the keys are any more. The server rooms should also be locked when no one is in them, and closely guarded. Also consider using detection mechanisms. Use movement detection devices and cameras that are set up to capture and send alerts to someone who will notice them and respond. This way, when your prevention fails, your detection and response will save the day.
You will also need to think about company culture as it pertains to networking, and whether this needs some work.
Do not leave network ports active unless the devices using them are authorised and documented. Network ports should be audited regularly, and all connected devices documented. Ideally, utilise executable documentation as opposed to static. As an example, document the devices using the ports within the switch or router itself. This way the documentation cannot grow stale in terms of having the connected devices listed. It can, however, grow stale when devices are physically removed. This may require an auditing schedule. As per Transient Devices, use DHCP static mappings, and have your DHCP server configured to deny unknown clients.
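The audit described above can be scripted. The following is an added example (not code from the book): it treats the port descriptions stored on the switch as the "executable documentation", compares them with the switch's live MAC address table, and reports three conditions the text mentions: an active port with no documented device, a documented port carrying a different device, and a documented device that is no longer seen (stale documentation after a physical removal). Both text blocks are constructed samples in the shape of common switch CLI output; the regexes and the convention that the first token of a port description is the documented MAC are assumptions of this example.

```python
from __future__ import annotations

import re

# Constructed sample in the shape of `show mac address-table` output.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/3
  10    f00d.dead.beef    DYNAMIC     Gi1/0/7
"""

# Constructed sample in the shape of `show interfaces description` output.
# Convention assumed here: the description starts with the documented MAC.
SAMPLE_DESCRIPTIONS = """\
Interface    Status   Description
Gi1/0/1      up       0011.2233.4455 fileserver-01
Gi1/0/2      up       0011.2233.4466 printer-floor2
Gi1/0/3      up       00aa.bbcc.dd02 cctv-nvr
Gi1/0/4      down     0011.2233.4499 old-workstation
Gi1/0/7      up
"""

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)\s*$")
DESC_ROW = re.compile(r"^(\S+)\s+(up|down)\s*(.*)$")


def normalise_mac(raw: str) -> str:
    """Canonicalise 0011.2233.4455 / 00-11-22-33-44-55 / 00:11:... to 00:11:22:33:44:55."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict[str, set[str]]:
    """Return {port: {mac, ...}} for every learned address; header lines are skipped."""
    live: dict[str, set[str]] = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            _vlan, mac, port = m.groups()
            live.setdefault(port, set()).add(normalise_mac(mac))
    return live


def parse_descriptions(text: str) -> dict[str, tuple[str, str | None]]:
    """Return {port: (status, documented_mac or None)} from the port descriptions."""
    docs: dict[str, tuple[str, str | None]] = {}
    for line in text.splitlines():
        m = DESC_ROW.match(line)
        if not m:
            continue
        port, status, desc = m.groups()
        documented = None
        tokens = desc.split()
        if tokens:
            try:
                documented = normalise_mac(tokens[0])
            except ValueError:
                documented = None  # description present but no MAC recorded
        docs[port] = (status, documented)
    return docs


def audit(mac_table: str, descriptions: str) -> list[tuple[str, str, str]]:
    """Compare live addresses with documentation; returns (port, finding, detail) rows."""
    live = parse_mac_table(mac_table)
    docs = parse_descriptions(descriptions)
    findings = []
    for port in sorted(set(live) | set(docs)):
        macs = live.get(port, set())
        status, documented = docs.get(port, ("unknown", None))
        if documented is None and macs:
            findings.append((port, "UNDOCUMENTED",
                             f"active device(s) {sorted(macs)} with no documented owner; disable or document the port"))
        elif documented is not None and macs and documented not in macs:
            findings.append((port, "MISMATCH", f"documented {documented}, live {sorted(macs)}"))
        elif documented is not None and len(macs) > 1:
            findings.append((port, "EXTRA", f"documented {documented} plus {sorted(macs - {documented})}"))
        elif documented is not None and not macs:
            findings.append((port, "STALE", f"documented {documented} but nothing seen (port {status}); removed?"))
    return findings


if __name__ == "__main__":
    for port, finding, detail in audit(SAMPLE_MAC_TABLE, SAMPLE_DESCRIPTIONS):
        print(f"{port:10} {finding:13} {detail}")
```

Run against the samples, the audit flags Gi1/0/3 (a different device than documented), Gi1/0/4 (documented device gone) and Gi1/0/7 (active but undocumented). The UNDOCUMENTED case is the one to act on first, because it is exactly the active, unowned port the previous paragraphs warn about.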
This is discussed in more depth in the Network chapter of Fascicle 1.
The “outside” vulnerability can be mitigated by the implementation of Li-Fi (Light Fidelity) systems. Li-Fi transmits high-speed data using visible light communication (VLC), and as the light waves cannot penetrate walls, external access becomes virtually impossible. Li-Fi APs also have an inherently short range, which is essentially diffused by windows. The speed benefits of Li-Fi are also compelling, many times faster than current Wi-Fi speeds.
I usually use a pass-phrase about 40 characters long, made up of random characters including a mix of upper case, lower case, digits and symbols. For some people this can be a little awkward. For those abiding by the best practice of using password vaults, it should actually be easier than typing a short pass-phrase, because it will be copied and pasted from the vault. In this case, there is no convenience lost. If such long pass-phrases feel inconvenient for users, it should compel them to use a password vault (which they should already be doing).
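As an added example (not code from the book), this generates a pass-phrase of the kind just described, 40 characters drawn uniformly from upper case, lower case, digits and symbols, and reports how much entropy that buys. It uses Python's `secrets` module rather than `random`, and rejects candidates that miss a character class instead of forcing one character per class, so the result stays uniform over the policy-compliant set. The class names and the 20-character comparison point are this example's own choices.

```python
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 characters


def missing_classes(passphrase: str) -> list[str]:
    """Names of the character classes not represented in the pass-phrase."""
    return [name for name, chars in CLASSES.items()
            if not any(ch in chars for ch in passphrase)]


def generate_passphrase(length: int = 40) -> str:
    """Cryptographically random pass-phrase containing every class in CLASSES.

    Rejection sampling keeps the distribution uniform over compliant strings;
    picking one character per class and shuffling would skew it.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least the number of character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string; the loss from rejecting the rare
    candidates that miss a class is negligible at these lengths."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase)
    # A 40-character phrase over 94 symbols carries roughly 262 bits; a
    # 20-character one roughly 131 bits; the same ratio holds for any alphabet.
    print(f"{entropy_bits(40):.0f} bits vs {entropy_bits(20):.0f} bits for 20 characters")
```

Since the value is pasted from a vault rather than typed, the only practical limit is what the AP firmware accepts (WPA2-PSK pass-phrases are capped at 63 characters), and some devices reject particular symbols, so trim `CLASSES["symbol"]` if a client refuses the result.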
The Transient Devices section may also be of interest.
Feel free to hide the SSID, but it adds little in the way of security and does add quite a bit more in the way of inconvenience.
Make sure your AP is set up to use one of the encryption algorithms considered to be secure enough today. Make use of Wi-Fi Protected Access 2 (WPA2), but not with the flawed WPS standard, which undermines WPA2 security.
Do not use WEP with TKIP; it is trivial to crack.
WPA, a stop-gap solution created due to the insecurities found in WEP, is a significantly stronger protocol than its predecessor. WPA also implements Temporal Key Integrity Protocol (TKIP), which generates a new 128-bit key for each packet rather than using the same key for each packet as WEP does, thus mitigating replay attacks.
WPA also includes the message integrity checking algorithm “Michael” which is much stronger than the cyclic redundancy check (CRC) used by WEP.
WPA2 uses the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is an Advanced Encryption Standard (AES) based encryption mode, and is still considered fairly secure in its own right.
You may have also noticed the pre-shared key (PSK) acronym related to WPA2. It simply refers to a shared secret (often called a pass-phrase) that the AP and its clients know, and which is used for authentication.
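The guidance in the last few paragraphs (WPA2 with CCMP, no WEP, no TKIP, WPS off, and a long pass-phrase) can be checked mechanically against an AP configuration. The following is an added example, not code from the book: a small reviewer for hostapd-style `key=value` configuration, shown against a constructed weak configuration and a constructed hardened one. The option names (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wps_state`, `wpa_passphrase`, `wep_default_key`, `ignore_broadcast_ssid`) are real hostapd options; the finding codes, severities and the 20-character pass-phrase threshold are this example's own.

```python
from __future__ import annotations

# Constructed weak configuration: mixed WPA/WPA2, TKIP allowed, WPS on, short PSK.
WEAK_AP_CONF = """\
interface=wlan0
ssid=CorpWiFi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
wps_state=2
wpa_passphrase=summer2016
ignore_broadcast_ssid=1
"""

# Constructed hardened configuration following the text's recommendations.
HARDENED_AP_CONF = """\
interface=wlan0
ssid=CorpWiFi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
# 40-character pass-phrase, pasted from a password vault
wpa_passphrase=Tq7#vLp2!mZr9@kWb4$xNd6%hJs8^gFy3&cQe1*u
ignore_broadcast_ssid=0
"""


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse hostapd.conf syntax: key=value per line, # comments, blanks ignored."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def review_ap(conf: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (code, severity, detail) findings; empty when the config follows the guidance."""
    findings: list[tuple[str, str, str]] = []
    has_wep = any(k.startswith("wep_") for k in conf)
    if has_wep:
        findings.append(("WEP", "critical", "WEP keys configured; WEP is trivially cracked"))
    wpa = conf.get("wpa", "0")  # hostapd default: no WPA
    if wpa == "0" and not has_wep:
        findings.append(("OPEN", "critical", "no WPA/WPA2 configured; network is open"))
    elif wpa == "1":
        findings.append(("WPA1_ONLY", "high", "WPA (TKIP) only; set wpa=2 for WPA2"))
    elif wpa == "3":
        findings.append(("MIXED_MODE", "medium", "WPA/WPA2 mixed mode lets clients negotiate TKIP; set wpa=2"))
    tkip_keys = [k for k in ("wpa_pairwise", "rsn_pairwise")
                 if "TKIP" in conf.get(k, "").upper().split()]
    if tkip_keys:
        findings.append(("TKIP", "high", f"TKIP allowed in {', '.join(tkip_keys)}; use CCMP only"))
    # rsn_pairwise falls back to wpa_pairwise when unset, mirroring hostapd's behaviour.
    rsn = conf.get("rsn_pairwise") or conf.get("wpa_pairwise") or ""
    if wpa in ("2", "3") and rsn and "CCMP" not in rsn.upper().split():
        findings.append(("NO_CCMP", "high", "WPA2 enabled without CCMP (AES) as a pairwise cipher"))
    if conf.get("wps_state", "0") != "0":  # hostapd default: WPS disabled
        findings.append(("WPS", "high", "WPS enabled; the PIN method is brute-forceable, set wps_state=0"))
    psk = conf.get("wpa_passphrase")
    if psk is not None and len(psk) < 20:
        findings.append(("SHORT_PSK", "medium", f"pass-phrase is {len(psk)} characters; the text suggests about 40"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("HIDDEN_SSID", "info", "hidden SSID is obscurity, not security, and costs convenience"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_AP_CONF), ("hardened", HARDENED_AP_CONF)):
        print(f"== {name} ==")
        for code, severity, detail in review_ap(parse_hostapd(text)) or [("OK", "-", "no findings")]:
            print(f"  [{severity}] {code}: {detail}")
```

The weak configuration produces findings for mixed mode, TKIP, WPS, the short pass-phrase and the hidden SSID; the hardened one produces none. The same parser works on any `key=value` AP configuration export, which is a cheap way to add Wi-Fi settings to a regular audit.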
Make sure that, as part of a staff member’s exit interview, whether they be permanent or a contractor, you do everything in your power to have them remove Wi-Fi credentials from their transient devices, or better still, have the network administrator remove their ability to connect to your network.
Be very careful who you hand credentials out to. For visitors, consider setting up an AP that has access to the internet alone. Always limit access to your internal resources.
Use DHCP static mappings and have your DHCP server configured to deny unknown clients. There are other methods you can use to stop rogue wireless devices connecting to your network. Be creative if you want to, just make sure that former staff members can no longer access your assets (any assets). Aerohive Networks also have a “Private Pre-Shared Key” Solution.
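Two of the controls above, DHCP static mappings with unknown clients denied and keeping visibility of who is trying to connect, are shown together in this added example (not code from the book). It renders an ISC dhcpd configuration from a device inventory and scans dhcpd log lines for DHCPDISCOVER/DHCPREQUEST messages from MAC addresses that are not in that inventory, which is how a former staff member's laptop or a rogue device shows up once unknown clients are refused. The `deny unknown-clients;`, `host`, `hardware ethernet` and `fixed-address` directives are standard ISC dhcpd syntax; the inventory, subnet values and log lines are constructed.

```python
from __future__ import annotations

import re

# Constructed inventory of authorised devices: MAC -> (hostname, fixed address).
INVENTORY = {
    "00:11:22:33:44:55": ("alice-laptop", "192.168.10.21"),
    "00:11:22:33:44:66": ("reception-printer", "192.168.10.50"),
}

# Constructed log lines in the shape of dhcpd's syslog output.
SAMPLE_LOG = [
    "Jun  3 18:02:11 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1",
    "Jun  3 18:02:11 gw dhcpd: DHCPOFFER on 192.168.10.21 to 00:11:22:33:44:55 (alice-laptop) via eth1",
    "Jun  3 22:41:07 gw dhcpd: DHCPDISCOVER from a4:5e:60:aa:bb:cc via wlan0",
    "Jun  3 22:41:09 gw dhcpd: DHCPDISCOVER from a4:5e:60:aa:bb:cc via wlan0",
    "Jun  4 07:15:30 gw dhcpd: DHCPREQUEST for 192.168.10.50 from 00:11:22:33:44:66 via eth1",
]

REQUEST = re.compile(r"DHCP(?:DISCOVER|REQUEST)\b.*? from ([0-9a-f:]{17}) via (\S+)")


def render_dhcpd_conf(inventory: dict[str, tuple[str, str]],
                      subnet: str = "192.168.10.0", netmask: str = "255.255.255.0",
                      start: str = "192.168.10.20", end: str = "192.168.10.99") -> str:
    """ISC dhcpd.conf fragment: one host block per inventory entry, unknown clients denied."""
    lines = [
        f"subnet {subnet} netmask {netmask} {{",
        f"  range {start} {end};",
        "  deny unknown-clients;   # only hosts declared below are served",
        "}",
    ]
    for mac, (name, ip) in sorted(inventory.items(), key=lambda kv: kv[1][0]):
        lines += [f"host {name} {{", f"  hardware ethernet {mac};", f"  fixed-address {ip};", "}"]
    return "\n".join(lines) + "\n"


def unknown_requesters(log_lines: list[str],
                       inventory: dict[str, tuple[str, str]]) -> list[tuple[str, str]]:
    """(mac, interface) pairs that asked for a lease but are not in the inventory,
    de-duplicated in first-seen order so one device produces one alert."""
    seen: list[tuple[str, str]] = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        mac, iface = m.group(1).lower(), m.group(2)
        if mac not in inventory and (mac, iface) not in seen:
            seen.append((mac, iface))
    return seen


def revoke(inventory: dict[str, tuple[str, str]], mac: str) -> dict[str, tuple[str, str]]:
    """Return a new inventory without the given device; regenerate dhcpd.conf afterwards.
    This is the step to run when a staff member leaves."""
    return {k: v for k, v in inventory.items() if k != mac.lower()}


if __name__ == "__main__":
    print(render_dhcpd_conf(INVENTORY))
    for mac, iface in unknown_requesters(SAMPLE_LOG, INVENTORY):
        print(f"ALERT: unknown client {mac} requested a lease via {iface}")
```

Denying unknown clients is not an authentication control (MAC addresses can be set by the client), but paired with the log check it gives you the visibility the section asks for: a refused lease request is an event worth sending to whoever is on alert.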
Again, company policy and culture may require some work as well.
Detection is an important part of the overall security of your premises. When your prevention fails, you are going to want to know about it so that you can react appropriately. Ideally, surveillance systems should also be configured to send alerts to someone who is going to take notice of them. I have addressed some of the concerns about alerts that fail to trigger human reaction specifically in the “Morale, Productivity and Engagement Killers” section of the People chapter. I have found ZoneMinder, an open source video surveillance solution, to be excellent at recording, detecting motion, and providing events. You can then do whatever you like with the events, including email, SMS, push notifications, etc. Be prepared to get your hands dirty here though, as this is an open and extensible platform. I have also noticed NodeMinder, which was of interest to me, but at the time of this writing was not being maintained, like so many NPM packages.
I do not see many risks associated with improving a premises’ internal security, other than the possible over-confidence that may result as a by-product.
The inconvenience related to always having to unlock and lock doors and cabinets can cause frustration and lack of understanding around why this process is necessary. Additional openness, empathy and education may be required by (servant leader) management to keep staff motivated and devoted to the cause.
There is the risk of reduced traversal and/or egress in some areas where it may be required, particularly for service personnel, if doors are locked or self-locking. Make sure visitors and new workers know the escape routes and have unlocking mechanisms (keys, cards, codes) on their person.
There are few risks involved with increasing the quality (strength) of building materials. Some visual aspects (and others) of the building architecture may be affected if you also take into account the security of building materials. This is another aspect that the architect has to think about. Costs may be more than they would have been otherwise, depending on what “otherwise” entailed.
With labels removed you run the risk that someone will forget who services the appliances.
People may rebel against policy if they are not treated the right way. Sometimes it is hard to see this, people are good at hiding their true feelings. I discuss strategies of getting the most out of your people in the People chapter so as to avoid a lack of buy-in and engagement.
As with security in all other areas, increasing it is likely to cost a little more and decrease some convenience. Although, with thought and planning, this can become part of your company culture. People can be your strongest, or your weakest, defence. This is your choice. Cultural change can be implemented from any level, the most successful being from the shop floor.
High quality shredders are not much more expensive than their lesser counterparts.
With multi-factor authentication, the “something you have” or “something you know” components could potentially be lost or forgotten. In a drastic case, “something you are” could also be removed. Increasing security decreases convenience.
Once this is addressed, there is a risk that staff will begin thinking about security in many areas, but this is the whole point, right? This is really simple stuff. There is always the risk that it takes a second longer to access your desktop.
It may be inconvenient to have to unlock server cabinet doors and remove panels. There is a risk that this could produce frustration for those that do not fully understand why the policy is in place. If this is the case, the fault lies with the people pushing the policy. Check which part of the “educate -> monitor -> test” cycle is failing and improve the faulty component. Repeat the cycle again. Remember, we are dealing with people here. People can be complex. Level set with them and do whatever it takes to gain understanding of their world, their problems, and their frustrations. Empathise and build relationships. This alone will go a long way to bringing them to your side of the fence.
There may be some inconvenience encountered when new network components require a port connection. Schedules may be ignored or forgotten. Try adding some accountability and perhaps electronic reminders. Be creative!
In terms of long and complex pass-phrases, there are no real risks here, other than the fact that those without password vaults will be pushed toward using them. This should be looked at as a bonus. Yes, there may be some initial frustration, but that will soon be replaced with a solution that is both convenient and that elevates security. This affects not just those using password vaults, but anyone related to the people using them, because unique credential sets become so much easier to use and ubiquitous.
This may lead to a possible false sense of security or frustration caused due to not being able to easily initiate a contract with the AP.
If you are used to using WPS to establish contracts, it may feel a little inconvenient for the first few times, but in removing WPS, you have eliminated an easy-to-compromise attack vector. Perhaps, there is some risk of buy-in with the slight increase in effort of having to enter a pass-phrase. It often helps to convey understanding if you can demonstrate how easy it is to compromise wireless security when WPS is employed.
No real risk here. It is possible, although unlikely, that you may not be using APs that support WPA2. I would actually see this as a blessing in disguise now though. If you were not aware of the insecurities of older protocols, hopefully you now know enough to upgrade your wireless security.
There could be potential kickback due to the tightening of policy and implementation of transient device management. People often do not like change.
Alarms may scare off an attacker lacking determination, but besides that, they generally just annoy neighbours due to the regular occurrence of false alarms. Do everything you can to minimise false alarms. Physically silent alarms that actually reach someone on alert, and who cares, can be far more effective. Do whatever it takes to make sure that the person supposed to be monitoring alarms and alerts does notice. Be creative if need be.
You may experience possible complacency. We are under surveillance and have alarms, so we must be safe, right? Education may be required to make sure people understand that these are only one layer of defence and only as effective as the weakest link, often the person tasked with monitoring.
Consider the potential of an attacker avoiding, vandalising, or removing any of these mechanisms.
There is often much work to be done specific to your internal organisation. Work your way through the biggest wins that are the cheapest to implement first.
There is a time cost, and the prospect that staff will question the costs associated with this policy and its worthiness. These sorts of issues require solid relationships and empathy as an investment from those mandating the policies.
There are trade-offs that must be thought about and discussed in regards to what happens if people lose unlocking mechanisms, and cannot traverse the premises or exit in emergency. Coded locks may be an appropriate mechanism in this case, but changing codes and their assignment to people may also need to be thought about.
Consider where the lowest hanging fruit is in terms of your overall security stature. This is why iterating on the threat model is important to build your intuition. Consider everything, then weigh the importance of building materials for your situation. For example, if your internal posture is comprised of many layers of well thought out security, and people are engaged, loyal and subscribed to well constructed policy, then your external posture will be less of an issue if it is breached. Before you can make this decision though, you will need to work through the various chapters to gain a good understanding of your current security posture in each area.
Record who the service agents are in a secure place, and ensure that only those who need to know that information have access to it.
This decision needs to be made once you have a good understanding of the rest of your assets, risks and countermeasures, and of all possible attack vectors. In most cases the highest costs here will be in getting staff buy-in (firmly sold on organisational policy). Mandating policy may produce the appearance that people are on board, but in fact, it may have quite the opposite effect. Effective change comes through relationship.
You need to decide how much loss of convenience is worth the added security. Once you have threat modelled everything, you will be in a good place to make this decision. Some convenience losses are not that big a deal, and they may significantly increase security, thus making the change worthwhile.
There is a potential increase in costs for a smarter back-end and the likely addition of a physical surveillance system. However, relate this to a kill-two-birds-with-one-stone scenario. Just bear in mind that increasing back-end intelligence also creates other possible attack vectors.
This is a no brainer. There are no real disadvantages to securing your session before you leave your work station at any time. Adopt the habit, it only takes one weak link to move past a layer.
Along with the training -> monitoring -> testing cycle, adding detection mechanisms may be extra cost and overhead. Iterating on the threat model will help provide insight into where you can cut costs and where you may have to invest. Often it is a matter of moving expenditure rather than just adding it. Balance out the areas that need it more than others. Overall security can be increased in most cases by moving expenditure to areas that are in more need.
An auditing schedule may cost some time to perform. Perhaps piggyback the audit on another schedule that is already being carried out.
It takes some effort to start using password vaults. Make it an organisation-wide policy that staff use some type of password vault, but do not mandate which type, as existing users may have their preferences. This cultural modification will lead to much increased security for very little time expenditure.
This technically does not provide any increased security, but reduces convenience and may depend on how frequently new users are provided access.
This leads to a little increase in effort to establish a wireless connection. Those who are provided with access should also be recorded as having access, discussed below in the Transient Devices section.
There are costs of upgrading if you have to change your APs, though it is unlikely because there has been WPA2 support even in consumer grade APs for quite a few years now.
There may be a little more work in recording who has been granted access or been removed. Consider the fact that having better visibility to who has access to the network is worth the extra overhead. The fact that you can remove access for staff members, ex-staff members, and guests, while maintaining access visibility, can be quite empowering and makes it easier to track down unwanted visitors.
I have found ZoneMinder an excellent, cost-effective physical surveillance toolkit for CCTV systems, with many options to configure to suit whatever scenario will work best for you. There will be some set-up time, and you may have to pay for physical cameras if you do not already have them, as well as computer hardware and video capture cards. The cameras can be expensive if you require high resolution images. Video capture cards and the other hardware are inexpensive. Lighting can be an issue as well. In dark areas, you may have to use infra-red lighting around the cameras (often included in the camera), although movement sensors that switch flood lights on can also be an option in dark areas.