Physical Security - Starting Points

Introduction

If you peruse all of F5 DevCentral, you might see a few mentions of physical security, but no real dive into it. Today we are going to take a very shallow look into physical security. We will look at its general considerations and concerns, some systems surrounding physical security and some specific considerations with F5 hardware. In this article I am going to lightly touch on a number of points, not comprehensively, and give you some jumping-off points for further study.

It is important to understand that with most networking hardware, with some specific exceptions, physical access will allow an attacker quite a bit of access to the software environment on the hardware. The one major exception to this is FIPS Hardware Security Modules (HSM). These are specialized hardware devices that store crypto keys in a physical package that presents a substantial defense against hardware attacks. I intend to review FIPS HSMs in a later article.

 

A Quick Overview of Physical Attacks on Hardware

With physical access to hardware, the attacker has a number of options for accessing the underlying system:

 

  • There may be a serial console that is not fully protected. A historical example would be routers with no password protection on the basic shell, only having passwords for making changes.
  • Most modern hardware has a number of debug ports that may provide access to the main CPU or other auxiliary processors in the system.
  • The system could be restarted into a maintenance mode or an attacker-provided software environment. This will allow access to extract data or secrets such as private keys or password hashes.
  • It may be possible to compromise the boot chain and inject software into the running environment before the OS loads.
  • Even if the system is protected against these attacks, some subsystems may be susceptible to power glitching or analysis attacks.
  • There are also extreme ways around such protections. For example, DRAM could be cooled with liquid nitrogen, moved outside the system and read quickly. The cold slows down the depletion of the DRAM cells and allows more time between refreshes.

F5 considers many of these attacks in designing BIG-IP hardware. We incorporate protections such as a secure boot chain and platform security modules to prevent the use of unauthorized software, but these only prevent some attacks and would not prevent outright theft of the systems or other attacks.

 

Walls and Ladders

When discussing physical security, the phrase "Walls and Ladders" is often thrown around. It refers to the continual process where a defender constructs a larger wall, and then the attacker comes along with a longer ladder. Physical security, like network security, does not remain static. As defenses are developed, attacks are developed to defeat those defenses. It is important to keep analyzing and improving your physical security posture.

My personal model for categorizing physical security aspects is:

  • Assets to be protected.
  • Potential Attacks
  • Physical Deterrence
  • Intrusion Detection
  • Surveillance and Auditing
  • Fire and Disaster Response
  • Training and Continuous Improvement

 

Assets and Attacks - Developing a strategy suitable for the threats.

To avoid perfect being the enemy of good, we need to analyze what assets are being protected and from that we can think about what potential attacks would look like. Not every company is going to have assets that attract state-level attacks. So, not every company will need incredibly robust and expensive security in place to defend against the same.

 

Physical Deterrence - Locks and Keys - Where We Started

Nothing is more iconically associated with physical security than the lock and key. For hundreds of years, people have been developing locks to keep other people from gaining access to important assets. It’s easy to think of locks as unchanging, not being improved over time, but that is very much not the case. For example, over the last 50 years many innovations have been introduced, like spool pins, serrated pins, angled pins and sidebars, and those are just enhancements in the interaction between the lock and key. Locks have also been enhanced with protections against physical force, either violent, like using a Ramset powder-actuated hammer to break the shackle off a padlock to drill the lock, or subtle, like using magnets to open combination locks.

 

Starting points:

 

Physical Deterrence - Elevators - The Inside Barrier Breaker

If your buildings have more than one floor, there are most likely one or more elevators in the building. As pentesters have found, these present an opportunity to move around the building once inside, even if effort is made to secure them. Elevators can be hijacked using common keys, some of which are mandated by local authorities for fire service. Deviant Ollam and Howard Payne have created a few talks, linked below, which will help you understand how elevators affect physical security and how they work in general.

 

Starting points:

 

Access Control Systems - Bridging Physical Deterrence, Intrusion Detection, Auditing and Surveillance

Most modern enterprises use some sort of credential-based access control system. The credentials usually take the form of an employee badge, but could be a special key with RFID built into it or a nondescript keyfob. These systems, when configured properly, can be an important bridge between many aspects of physical security. However, if built using outdated technology or improperly configured, they could be a potential open door for intruders to exploit.

Key aspects of these systems are:

  • Revocable credentials - You should not need to get the credential back from the user to disallow its use.
  • Robust, hard to copy credentials - Modern high-end access control systems use cryptographically secure credentials that make copying hard to do without substantial investments in time, equipment and expertise.
  • Robust auditing - Recording all access attempts and outcomes and unexpected state changes in locked doors and other protected items like key cabinets.
  • Intrusion detection and alerting - If a door were to be picked open instead of a valid credential being used, the system should be able to generate an actionable alert that can be followed up on.

 

Starting points:

 

The Importance of Real Time Intrusion Detection

An unoccupied building is more expensive to insure than an occupied building. Because of this, many facilities employ security guards to monitor for intrusions and also potential disasters like fires or water leaks. While the trope is that these guards are lazy and sit in the security office every day, with proper motivation and training they can be your first boots on the ground to investigate potential intrusions. Once you have a properly configured access control system, it should be configured to alert when doors are opened without using the card keys or when other issues are detected, like glass being broken, water where it should not be, and hot particulate that won’t trigger sprinklers but could be the sign of a potential fire.
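The alerting described here and in the access control list above can be prototyped over a panel's event stream. This is an added example, not from the original article or any F5 product; the event names, credential IDs and time limits are assumptions, the sample events are constructed, and egress through a request-to-exit sensor is not modeled.

```python
from datetime import datetime, timedelta

GRANT_WINDOW = timedelta(seconds=10)     # assumed unlock time after a valid badge read
HELD_OPEN_LIMIT = timedelta(seconds=60)  # assumed site policy for a propped door

# Constructed sample events: (timestamp, door, event, credential).
SAMPLE_EVENTS = [
    ("2025-07-02T08:00:01", "lobby", "badge_granted", "C100"),
    ("2025-07-02T08:00:03", "lobby", "door_opened", None),
    ("2025-07-02T08:00:09", "lobby", "door_closed", None),
    ("2025-07-02T08:05:00", "server-room", "badge_denied", "C207"),
    ("2025-07-02T08:05:30", "server-room", "door_opened", None),
    ("2025-07-02T08:05:50", "server-room", "door_closed", None),
    ("2025-07-02T09:00:00", "dock", "badge_granted", "C100"),
    ("2025-07-02T09:00:02", "dock", "door_opened", None),
    ("2025-07-02T09:02:30", "dock", "door_closed", None),
]

def detect(events, revoked=frozenset({"C207"})):
    """Return (timestamp, door, alert) tuples for events a guard should follow up."""
    alerts, last_grant, opened_at = [], {}, {}
    for ts, door, event, cred in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "badge_granted":
            last_grant[door] = t
        elif event == "badge_denied" and cred in revoked:
            # Revocation works without collecting the badge; its use is still worth a look.
            alerts.append((ts, door, "REVOKED_CREDENTIAL_PRESENTED"))
        elif event == "door_opened":
            grant = last_grant.pop(door, None)  # one grant covers one opening
            if grant is None or t - grant > GRANT_WINDOW:
                alerts.append((ts, door, "OPENED_WITHOUT_CREDENTIAL"))
            opened_at[door] = t
        elif event == "door_closed":
            start = opened_at.pop(door, None)
            if start is None:
                # A close with no recorded open means the sensor state is inconsistent.
                alerts.append((ts, door, "UNEXPECTED_STATE_CHANGE"))
            elif t - start > HELD_OPEN_LIMIT:
                alerts.append((ts, door, "HELD_OPEN"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```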

 

Surveillance and Auditing - Your Enterprise Flight Data Recorder

Surveillance cameras are not really there for a security guard to stare at all day. This is not to discount their value as something that can enhance situational awareness in the security room or other areas, but humans are not very good at maintaining vigilance while watching a static image on a screen. When combined with a robust digital video recording system, surveillance cameras can provide an invaluable tool for figuring out what happened. From break-ins to the building or cars in the parking lot to major disasters or industrial accidents, having a record of what happened can help piece together the information needed to prevent it in the future.

One point I always touch on with these systems is the frequent lack of robust distributed storage of the recorded data. While it may be okay to store massive amounts of video data on site if you're a casino and you're not expecting to need recordings of blackjack tables after a major fire, the opposite is true if you're perhaps a rocket fuel plant. I believe that all auditing data, logs and recordings should be stored both onsite and replicated offsite. Depending on how critical the data is and concerns about tampering, you may want to consider systems that are designed to only allow ingestion and storage of the data and are otherwise not connected to the local network or other systems. I have seen these implemented as syslog going through a data diode (one-way data interface) and into a secure system to log it to disk, but the old-fashioned tractor-feed printer in a safe also works.

 

Fire and Disaster Response - Either Salvaged or Burned To The Ground, it's Going to be a Long Day

Something that sometimes is inexplicably left off physical security threat models is what happens after the fire alarm sounds. Your multimillion dollar data center might not survive even if the fire sprinklers put the fire out right away... because it just got a whole lot of water dumped into it. This is why threat modeling disaster scenarios is important. What will happen if fire suppression goes off? What happens if it’s not effective? Like a data backup strategy, periodic testing is essential to verify these systems will work as expected.

And then, even if these systems are effective, what happens when the fire department shows up? You want to make them want to use the access methods most compatible with surviving the disaster. Make sure your KnoxBox has an access credential that can get anywhere without restrictions. Things you may want to turn off on this credential are things like mantraps and anti-passback. You're going to have to put physical keys in that KnoxBox; make sure they open every door and are clearly marked.

Make sure your security guards are up on procedures in the event of a fire or other disaster, from simple things like keeping First Aid and AED training up to date to complex training for initial fire response. Has someone trained them on how fire extinguishers work? How about those special clean agent extinguishers you have in your data center? Expired extinguishers are a cheap opportunity to train in the parking lot.

 

Starting points:

 

Training and Continuous Improvement - Evolving Defenses for Evolving Threats

The last point I am going to touch on is the importance of recurrent training and continual improvement of defense mechanisms. In many professions, we rely on continual training to keep professionals working at their best. Pilots get recurrent training and check-rides; lawyers and engineers have to take a certain amount of classes and other training each year to keep their licenses. Why shouldn't everyone involved in security do the same?

I am a big fan of using a number of different overlapping training methods. Just making everything a web-based training with simple quizzes is not going to cut it. Maybe some of the training can be that, but the more interactive the training is, the more it will be retained, so webinars and classroom training should be a starting point for getting out of a forgettable training rut. As evidenced by the links above, I think there’s real value in interesting videos on YouTube and other sites like it, be it conference talks or other presentation formats.

At the very top, hands-on exercises should be used to help reinforce everything from standard policies and procedures to exploring potential vulnerabilities. These can range from something as simple as the example above of practicing with old fire extinguishers in the parking lot to full-on classroom and field training courses.

Lastly, you will want to keep reassessing your physical security posture based on changing conditions, new attacks and new defensive technologies. Maybe there are suddenly protests going past your offices each week, a new bypass method has become popular with burglars, or you have become targeted by larger and more resourceful attackers than before. Schedule penetration tests to check your defenses and find holes. Schedule periodic reviews of all aspects of the defenses and update training to meet the changing times.

 

Questions?

If you have any questions, please leave them below. If you want to see any of these topics covered in more depth or other topics covered, please also let me know by writing below. Thanks!

Published Jul 02, 2025
Version 1.0