I have often been asked what physical security has to do with an IT administrator's logical network. My response is: "Everything!" I think that it is safe to say that without physical security, you have no security at all. Let's go through a few scenarios to see why.
Do your employees listen to music, and do any of them bring an iPod to work? While this may seem like a rather innocuous question, consider the possible threat of Podslurping.
Abe Usher wrote this controversial program to demonstrate the danger of iPods and other mass storage devices. Maybe someone on your cleaning crew comes in with an iPod and seems to go about his normal nightly activities. Once everyone is gone, this trusted member of the staff moves quickly from system to system using Podslurp to recursively search all subdirectories of each targeted computer looking for Word documents, PDFs, HTML files, and any other text documents that contain sensitive information. At the end of the shift, the employee walks out of the business with 30 GB or more of sensitive proprietary information.
If you want to learn more about Podslurp, check out the author's site. Gartner Research has recommended that portable devices such as iPods be banned from the workplace. Samsung has taken this advice and banned its employees from using Samsung's latest cell phone, which has 8 GB of storage. Samsung's senior management took this step in the belief that so much storage would allow a malicious insider to steal a critical amount of confidential information. I agree with this decision.
2. Password insertion
Maybe you're thinking this is not a problem. You believe that all of your systems are locked down. Without a username and password, there is no way anyone can get access to anything! If that is your belief, let's look at another item on our list of physical threats: password insertion and password extraction. Password insertion can be performed with programs such as NT Password.
All this program requires is physical access to a system and the ability to boot from a floppy or other device. Once an attacker boots the program, which is Linux based, he simply steps through a series of questions that ask which account he wants to access and what he wants to change that user's password to. Since this resets the user's password, a malicious user would then have access to the system. The use of encryption, among other things, can help render this tool useless. If such countermeasures have been taken, there are other options for the attacker. One option is physical password extraction.
3. Password extraction
Password injection allows an attacker to reset a password; password extraction allows the attacker to extract the passwords and then crack them so he can gain access to the targeted computer. All the attacker needs is a bootable version of Linux. Distributions like Knoppix STD have the required tools.
The attacker simply boots the system with a Knoppix CD and then extracts the Security Accounts Manager (SAM) -- which holds the encrypted version of the username and passwords in a Microsoft system -- and the system file to a USB thumb drive. Next, he moves those files over to a Windows system and uses a program such as SAMInside. This allows him to extract the passwords from the SAM and bypass Syskey. Once this is completed, he loads the results into a password recovery program like LCP.
4. USB drives with AutoRun
Our last item up for discussion is the danger of AutoRun and USB drives. How hard would it really be for an attacker to leave a CD or thumb drive lying around with a juicy-sounding label like "pending layoffs"? If you were to find this, might you be tempted to see what it was all about. If AutoRun is active and you load the disk, it's "game over" -- any number of malicious scripts could potentially load.
Microsoft summed this up best with rule No. 1 of its 10 immutable laws of security: "If a bad guy can persuade you to run his program on your computer, it is no longer your computer." People really can let curiosity get the better of them. A recent story on DarkReading.com entitled "Social Engineering the USB Way" describes how a security consultancy gained access to a bank for which it was performing a pen test using USB thumb drives. All the physical attack required was a custom script loaded on 20 USB thumb drives. These drives were seeded in the employee parking area. Fifteen of the 20 were found and all of those were plugged into the bank's computers. Restricting AutoRun and controlling what employees can plug into USB ports is of critical importance to the security of your network.
The most important aspect of physical security is control. If you can gain physical control of a device, it almost always means that this can be leveraged to control the device's behavior. This is what makes physical security such an important piece of overall security. There are many angles from which physical security can be attacked, from stealing data to hardware modification. Each offers the potential to gain access or the understanding of how a security control works. Maybe you cannot ban everything, but security officers need to have a frank discussion with management about what is allowed, who has access to resources, and how they will be controlled. Whatever the decision, there will be a need to establish policies to enforce management's decision. This policy should address all types of physical security.
About the author: Michael Gregg has been involved in IT and network security for more than 15 years. He is the founder and CTO of Superior Solutions Inc., a risk assessment and security consulting firm. He has developed high-level security classes and written six books; the most recent is Hack the Stack: The Eight Layers of an Insecure Network.