The Lost Art of Physical Security

 

When you read about IT security, you see lots of hype about Operating System security, application security and various types of encryption.  What is often left out is the concept of physical security.

You might ask what physical security is and it is a good question!  Physical security, as it applies to Information Technology, is the art and science of controlling what individuals have access to IT systems and the areas and support functions that contain them.

The most basic method is a simple locked door.   Unfortunately, standard locks like those that you would have on your front door are relatively simple to defeat using a standard lock picking kit.  Picking a lock generally uses 2 tools a known as a rake and a tension wrench that allow the tumblers to be depressed and the lock turned.  The video below does a great job at showing how this process works.

Even easier now is the technique known as bump keying.  Bump keys were originally made on an individual basis but now can even be bought in complete sets to cover a plethora of lock makes and models.  Bump keying works using the same principle as the standard lock picking tools, but a much easier to use application as demonstrated in the video below.

Another common locking system is the magnetic swipe card.  This is most often seen in large companies and hotels.  The problem with these keys is that they often are clearly labeled with what building they will gain access to via the using of company logos.   The most common security threat from these types of keys is physical theft.  This is not the only threat though; it is exceedingly simple to clone a magnetic swipe card as show by the folks over at Hack a Day that does not require much more than a few seconds of access with a valid magnetic swipe card.  This access is most often done via a combination of social engineering and actual theft and return.

One of the latest types of key is that of RFID that is generally imbedded in a card like and ID card.  They work based on the card having a chip on the card having a code that is picked up by a receiver and validated against a system if that code is in the system.  Unfortunately, like all the types of keys before them, they can be copied or spoof as well.  Again, the folks over at Hack a Day have a great example of a cheap low-level example.  The researchers at Iowa University demonstrated that RFID security implementers HID  has “hackable” flaws and recommend a using two-fold authentication using the RFID card in conjunction with things like PINs.  Melanie Rieback gave a great talk on this at DEFCON 14 on how it is being using and spoofing.

Even more “high tech” is the advent of biometric access controls.  Biometric controls basically means that you are being granted access based on WHAT you are versus something you have (key) or something you know (PIN or combination).   Common examples are things like hand geometry, fingerprints, iris scans, and facial recognition.  Yet even these technologies are not spoof proof.  As far back as 2001 presenters at Blackhat have show the issues with biometric controls.

Now all these locking mechanisms are “cool” and while they can be “hacked”, there are even easier methods of gaining access to a building.  One of the easiest ways is something called “tailgating” which is simply following someone else in when they user their key to gain access.  Another common method is going back to the standard of social engineering.  How does that work?  Ever see someone say they left their key/ID at home or desk and someone let them in?  They were socially engineered.  Yet another social engineering attack is “spoofing” your way in.  A great example that actually happened is someone went to a Goodwill store and got a uniform for a local telephone company and showed up at a company with a large directory of various departments with a receptionist at a front desk.  This individual walked in, and said (picked the name of the person from the IT Department) called about a problem with the telephone system.   The secretary, rather than calling the person to verify or even the telephone company, they seen the uniform and then the person gave a valid employee name so they must be “legitimate” and gave them UNSUPERVISED access to their entire communications node room.

This is why your high value areas should have multiple layers of DIFFERENT security to protect them.  A good example would be an RFID and PIN required to enter a building.  A different physical card to use a magnetic swipe and PIN to enter a sub-area of the building, and then a biometric control like iris scan to enter a mantrap room that relies on a person viewing the individual via closed circuit camera against an access control list to “buzz” them in room.   While this may seem “extreme”, yet this kind of defense in-depth is key at preventing someone from accessing something like your main server room.

Now you are probably wondering: “well someone has physical access, what can they do?”  PLENTY! Using readily available FREE software a “bad guy” can gain access to your IT systems.  Here are a few examples.  Using various free tools like Ultimate Boot CD (UBCD) the individual can gain local administrative access to a system on your network in under 15 minutes of unsupervised access.  Let us say that they do not really care about accessing your network, they just want the data on a specific IT asset.  Enter the free software Clonezilla!  Using this software, they can make a complete copy of the hard drive on an IT system using nothing but a properly configured external USB hard drive.  Depending on the size of data on the drive, this can take as little as 15 minutes and they can go home and mine the data at their leisure.   Even your telephone systems can be “hacked” and have wiretaps installed in just a few minutes.

This obviously does not cover everything regarding physical security, but it should serve as a spring-board to draw your attention to the topic and get your mental wheels turning as to what you currently are doing, what flaws you might be able to identify and maybe even make you a bit more aware of if someone is trying to gain access to your building or assets.

 

Tags: badge, Biometrics, bump key, Clonezilla, hacking, id card, lock picking, magnetic swipe card, mantrap, RFID, security, social engineering