11/1/2018 09:35 AM
Alan Zeichick

Let's Get Physical: Why Protecting Hardware Is Essential to Good Cybersecurity

Enterprises need to consider physical security as part of any comprehensive cybersecurity plan.

If possession is nine-tenths of the law, then undetected physical access is nine-tenths of the way to a successful cyber attack.

Many of us know how to protect servers and routers from unauthorized individuals, whether they're visitors, burglars, trespassers, or employees. Those protections, though, aren't enough.

Security starts at home -- in some cases, literally. Not long ago, my wife and I were staying in a small bed and breakfast that happened to be near a major company's local office. The WiFi access point sat on a table between several of the bedrooms, and had an "insert paperclip to reset" switch.

What are the odds that we could have broken into that unprotected device and potentially configured a hack?

Perhaps a hack that would let us eavesdrop on unencrypted traffic, like email logins or passwords. Maybe we could have overridden the DNS settings, and set up some faux web pages or staged a man-in-the-middle attack. Or even replaced the firmware with a version with a backdoor.

Sure, the odds of a successful payoff might be small from such an attack. What about if we knew that corporate board members would be staying at that B&B next week? If the hardware's not physically secure, then neither is the network.

Far-fetched? Perhaps.

So let's talk about protecting the hardware in official business locations. Are all your servers physically secured from unauthorized access? Maybe. Maybe not. Ask yourself if a thief could unplug a server, stick it on a cart, and walk it out the door during office hours -- or after hours. Or place removable hard drives into a briefcase. (Before the advent of always-on local or cloud backups, removable tapes were pretty easy to pilfer -- and nobody might notice for days or weeks.)

Theft isn't the only worry.

If hackers can get to the servers, they might be able to reboot those devices and make firmware modifications, read unencrypted drives, disable security protections, or plant malware such as keyloggers.

Compared to the one-time theft of a server, such activities could be gifts that keep on giving to malicious actors.

Beyond infiltrating servers, hackers could use physical access to gain access to networking gear or other devices -- and then subvert them. This type of hack is at the heart of what Bloomberg alleged in a controversial story about Chinese spies inserting specialized chips on Supermicro motherboards as part of an elaborate cyber espionage campaign. (See China Hacks Hardware in Spying Attempt on Apple, Amazon & Others Report.)

Some routers, for example, are configured to disallow out-of-band (that is, remote) control from outside the organization's local area network. If a baddie can get to the management console from inside the LAN, or by using a dedicated management port on the device, hacking becomes a whole lot easier.

Indeed, as the US Computer Emergency Response Team (US-CERT) writes in its June 2018 brief, "Securing Network Infrastructure Devices," that type of hardware is an ideal target for malicious cyber actors because organizational and customer traffic must traverse these critical devices. To quote:

  • An attacker with presence on an organization's gateway router can monitor, modify and deny traffic to and from the organization.
  • An attacker with presence on an organization's internal routing and switching infrastructure can monitor, modify and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.

A real worry is that network hardware can be neglected by security teams, especially when compared to desktops, servers and mobile devices. Additional risk factors, according to CERT:

  • Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation and maintenance.
  • Owners and operators of network devices often don't change vendor default settings, harden them for operations, or perform regular patching.
  • Internet service providers may not replace equipment on a customer's property once the equipment is no longer supported by the manufacturer or vendor.
  • Owners and operators often overlook network devices when they investigate, look for intruders and restore general-purpose hosts after cyber intrusions.
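As an added example (not code from the article or from US-CERT), the small audit below turns the management-console exposure described above and the first two risk factors into a periodic check of a device's running-config. It assumes a Cisco-IOS-like syntax, a management ACL named MGMT-ONLY, and two constructed sample configs; adapt the patterns to your vendor's syntax.

```python
import re

# Constructed sample: vty lines reachable from any LAN host (no access-class),
# telnet allowed, plaintext HTTP enabled, vendor-default SNMP community kept.
WEAK_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample of the same device after hardening: SSH only, bound to
# an ACL (assumed name MGMT-ONLY) that admits a management subnet only.
HARDENED_CONFIG = """\
hostname edge-rtr-1
snmp-server community S3cr3t-RO RO
no ip http server
ip access-list standard MGMT-ONLY
 permit 10.99.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # well-known vendor defaults

def _blocks(config):
    """Group the config into (top-level line, indented sub-lines) pairs."""
    blocks = []
    for ln in config.splitlines():
        if ln.startswith(" ") and blocks:
            blocks[-1][1].append(ln.strip())
        elif ln.strip():
            blocks.append((ln.strip(), []))
    return blocks

def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for head, body in _blocks(config):
        m = re.match(r"snmp-server community (\S+)", head)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"vendor-default SNMP community '{m.group(1)}'")
        if head == "ip http server":
            findings.append("plaintext HTTP management enabled")
        if head.startswith("line vty"):
            if not any(re.match(r"access-class \S+ in", s) for s in body):
                findings.append(f"{head}: no access-class, reachable from any LAN host")
            if any(s.startswith("transport input") and "telnet" in s for s in body):
                findings.append(f"{head}: telnet allowed on management line")
    return findings
```

Run `audit_config` over each device's pulled config on a schedule and alert on any non-empty result; a device that drifts back to the weak state after someone has had hands on it is exactly the signal the article warns about.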

What can you do?

CERT offers several suggestions for network infrastructure; see which you can readily implement, and make sure you check them periodically.

For servers and other gear, make sure they are locked away, and if possible, have surveillance cameras, motion sensors, and other means of knowing if your server room -- or wiring closet -- is breached.

If you are breached, take it seriously, because undetected physical access is nine-tenths of the way to a successful hack.

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.
