Physical Security
Overview
Physical security refers to the physical location and access level to servers, workstations, wiring and other electronics, or any other target that a corporation may have that an attacker may want to gain access to. For example, if a company houses its servers in a building that it leases space from while the property management company uses a third party janitorial service, it would be rather simple for an attacker to use Social Engineering to gain access while posing as a janitor and enter the server room.
Execution
One of the most common ways that an attacker can exploit physical insecurity is by way of nearby physical access. If an attacker is able to gain physical access to a floor below or a floor above his target, or to certain boxes outside the building mounted to it, the attacker may be able to attach what is commonly known as a Vampire tap to a network cable or phone line owned by the target corporation. A vampire tap allows an attacker to physically “tap” into a network. If an attacker compromises a network line, s/he may be able to gain an IP address, sniff out authentication sessions and continue to penetrate the network from a physical line. If a phone line is compromised, phone calls could be recorded, and a hidden control system for the recording system could even be implanted.
With physical access to a machine, almost anything is possible. An attacker could replace CMOS, EP/P-ROM chips, graphics cards, install malicious hardware devices and keyloggers, or even simply steal a hard disk drive. An attacker can do almost anything given physical access to a machine. It is because of this that physical security can be even more important than software security.
Prevention
One of the best ways to physically protect systems is combination of proper wiring jobs, BIOS passwords and BIOS startup passwords, air-bolted hard drives, hardened building security with 100% ID checks, and biometric verification for office and laboratory entry. Be sure that any telecommunications boxes outside the building are either air-bolted or welded shut, and that the biometric verification systems look at the capillary patterns in the thumb or fingers as well as the print itself, that way an attacker cannot use what is commonly referred to as “gummy prints” to circumvent the biometrics.
Attack Vectors
If an attacker gains physical access to a machine, given enough time anything is possible. Live CD’s like HELIX, Knoppix STD, Backtrack, and PHLAK are commonly used to download operating system password files to a USB drive to be cracked at a later time. Live CD’s are Operating Systems capable of running from a CD. If an attacker loads a live CD on a system, they have free run of any resources on the system under their own terms.
Hardware keyloggers are also seriously dangerous. A hardware keylogger can fit in the space of a couple centimeters, and is usually plugged into the keyboard port on the back of a machine, and the keyboard is then plugged into the keylogger. There is no current way to detect keyloggers or vampire taps. Wireless keyboards are the most susceptible to keylogging, not just because of the hardware keylogger aspect but also because of the transmission signal. A wireless keyboard can usually broadcast approximately 20-30 feet, about the same as Bluetooth or an RFID chip. An attacker can listen in on keystrokes through a wall or door, so it would be a good idea to stay wired.
The same goes for networking. Even with WPA-AES encryption on a wireless network, an attacker can still cause broadcast storms of encrypted packets and use that to gain enough data to crack the key for the WPA-AES algorithm and gain access to systems. A secure network needs to stay hardwired, no matter the performance and accessibility costs. Attackers primarily use ceiling vaults and lock bumping and picking to gain access to restricted areas.
