In part 2 of X, I'm going to cover the aspects of physical security. This doesn't seem like rocket science, but again, I'm surprised how the same breaches happen again and again so it's necessary to cover it. Physical security is often overlooked. If a bad guy has access to the server room, network gear, etc, he owns it, not you. The biggest, baddest security is worthless if it's taken out by pulling a power cord -- game over and time to update the resume.
Personally, I think physical security is the easiest to figure out. Look around a room, figure out the logistics of people coming and going and put something in between it. Also, consider the ifs - "If I made it here, what would be my next easy target". Sticking with the previous post's style, we're going to create a server room to help illustrate the various aspects of this particular topic. Also, get into the mindset of being downright evil and I mean EVIL. It will help you expose real problems that could be easy to protect and its fun.
Let's say the server room is on the 3rd floor of an office building. It's a real room, has a door with a lock, an AC unit for environmental control and 50 servers of various kinds. Let's start with the first if. "If I wanted to get in, how would I start?" By simply walking in the front door. I know, lame, but if there's nothing providing access control to the whole building, getting in is the easiest part. Now there's a guard. The guard doesn't necessarily control who comes in when, but we'll come back to the guard's role as we move though this. Now I move to the server room.
"If I got to the server room, what would be my next easy target?" The ceiling. Surprised? How many office buildings have you seen that have false free hanging ceilings? The first thing I would do is look around for an adjoining office, jump up on the desk, push up some tiles and hop up and over - fancy locks and doors are now worthless. Also, if the walls are weak, ie, made of drywall, how long would it take to punch though that? Seconds. The door itself - could it take a brute force kick?
Notice I didn't talk about locks. Why? As hard as it was to get my head around it, I do not consider locks a security piece. Many companies would have you believe if you have a lock on something, that's it, no one can get into it which is dead wrong. At best, locks are a delayed access control device, nothing more. Example : if I put a big, $500 lock on a door made of 3/16" plywood, I'm not attacking the lock, I'm attacking the door. Game over. Removing the idea of a lock making something "secure" helps in this thought process.
Now, moving on into the server room itself. "If I made it into the server room, what would be my next easy target" -- this one is stupid easy, I'm looking for incredible impact with the least amount of effort - the network cables. Most companies have their network cables funneling into the room in one BIG pipe - cut that and I win! No level of documentation will save you on this one because that bundle of cables goes to 500 different locations all over the building and you shouldn't (can't) splice the wires back together or worse, fiber, so now what? Told you to get into an evil mindset! Next I'm looking at the power, another big win if I knock it out. A switch, a panel, something that I can blow to kingdom come (not just throw the switch, I want that puppy to fry, spark and smoke - real damage). What about the AC (or now more commonly called the EU, environmental unit)? If I can disable that in some way, especially on a long weekend in July, it'll be the gift that keeps on giving! How quickly would YOU notice?
Ok, I'm having fun wrecking a server room, but let's say all those are protected. The power/network wires are under the floor, the servers are the only thing I really have access to. Regardless if the servers are in a rack or otherwise sitting out, if I can get to the cables going INTO them, this opens a whole new list of problems. Many KVMs have an input and 4, 8, 16 outputs. Now I install a keylogger device that transmits wirelessly, game over. I can also pull cables at random and take out other systems one by one (or with one big pull).
The servers are all in enclosed racks, no wires outside at all, I can see the lights blinking, and thats it. Ok, fine, lets just take the whole thing! Roll that puppy out the door! Most companies don't assemble their racks, so it's going to fit rolling out the door. Oh, and nevermind the wires your ripping up while you do it, maybe it'll be just intertwined enough to pull other stuff out as you go (or just cut it). At this point, the guard comes into play. Without that guard, no one would think twice, much less say anything but any (good) guard would stop that in a heartbeat. Easier fix for this is just bolt the thing to the floor in some manner, most racks come with a kit. If not, build your own. No really.
Ok, now what? I can't get into the server room because there's concrete walls to the ceiling, a nice steel door with no visible lock and it wouldn't matter because the servers are locked down tighter than the outside. I can't get to the wires, I can't get to anything inside that room. Ok, so let's plug our laptop into the network and see what we can find -- which I'll talk more about in the next posting.
Hopefully this has got you thinking. Granted yes, some of the things covered here are a bit extreme but not unrealistic. I'm sure some are thinking "that person would be caught and throw in prison forever! No one is stupid enough to do that" -- I beg to differ and ultimately, if someone does something amazingly destructive to your companies ability to be productive, it doesn't make ANY difference what happens to the person that did it, none, zero because it's already done and money is already being lost.
Cost wise, with the exception of the guard and the true floor-to-ceiling walls, none of them are all that expensive. Most important, consider your needs. You may not need the 5000$ RFID system where a simple key-code door will do. That will be left to cost analysis and religion policy.
Subscribe