Physical Security being overlooked
- 08 March, 2019 14:31
The next time you are visiting any business, private or public look around and take things in with a – let’s call it “security filter”. Really look at your surroundings, every detail and I will bet you will see some obvious things that would have a negative effect on IT security.
Let’s put some more context to this so you can get a better picture of what I am talking about, you walk into a shopping centre and pick a retail store (Any store it doesn’t really matter which) and look at the counter. Many places will have a pc sitting on the counter, sometimes nice neat AIO's and you may see a monitor sitting on top of a slimline box or even worse a mini pc mounted to the back of the monitor. Okay, so most of the time cables are well controlled and it all looks great but what about the security of this device?
I was in a shop last week (Let us call it an auto parts store) and I asked for something and the gentleman who was assisting me went out the back to see if they had what I wanted (this is a pretty common scenario). I was out the front of the shop all alone; I could not see any cameras or general surveillance. Even if there was I could have easily leaned forward, rested on the counter and plugged in a compact USB stick into the back of the computer, they can be smaller than a 5-cent piece nowadays. With something like that, I could have executed an installer, recorded keystrokes (waiting for me to collect or send them to me by the pc internet connection), there could be some interesting options.
This is not something that people think about; it has probably never even been a thought at all. What about when you go see your accountant and you can see a post-it note stuck on the monitor with Password clearly written for all to see. (I have actually seen this one and had a conversation with an accountant about this exact scenario, who once I explained the risk, moved it into a locked drawer in their desk – an improvement I guess *rolls eyes*).
A few months ago, I had a sick family member and had to take a trip to the hospital (they are all better now in case you were wondering). The same thing, PC on the desk USB ports available and worse a communication cabinet in the triage/treatment room with a key still in the lock with network switches and possibly a router of some sort there for me to access. Again, no camera in the room - that would be unethical given that it was a treatment room. We were left alone for more than 30 minutes at a time in the room (Do not get me started on the ridiculous waiting times at hospitals – 4 hours before we were even seen). I could have easily accessed the network and who knows what sensitive information I could have gleaned from the network by just listening to traffic before even considering what systems I could break into.
Yes in some cases, USB ports are disabled (I would almost bet that none of the above is but hope the Hospital has this implemented) and this would prevent me executing something from a USB port. I could use a key logger that plugs into the port in which the keyboard is and then the keyboard would be plugged into it just like a USB extension (obviously shorter and much more malicious). The machine wouldn’t see it as any different and I would be recording all keys that were typed.
Let us look at a different angle now, do you have a waiting room or reception area at your business with seating that customers or guests to your business wait for a meeting or the next available representative of your business? Do you have network ports available in this area, if so are these ports live?
Could I just plug my laptop into this port and have access to your corporate network? If this is the case at your office ensure that these ports are unpatched at the switch so this can't happen, best practice would be to only patch ports in when they are needed not just make all ports in the building live all the time. Yes, I know that it's a pain to get IT to patch it back in or annoying to have to do this when needed but it is definitely better security practice.
I think you get what I am trying to get across to you all by now (or at least I hope you do). Take a few minutes and just look at your location with security in mind. Can you see obvious things like those that I have pointed out above that could put your business at risk? Really, think about this and fix the problems, move the pc under a counter, disable ports on the machine in the bios so I cannot just plug something in. Un-patch the unused ports in meeting/waiting rooms, take the keys out of the server and communication cabinets (This is a stupid thing to do, so go take the key out of the lock now and secure it somewhere a little better please).
If you do this, you could be dramatically improving the security of your system and together we would have done at least one thing that could make a difference (That is something to celebrate). One small change could prevent the embarrassment of needing to announce to your customers and possibly the public that your systems were breached and all of the sensitive data you have stored was extracted from your systems. This type of incident could be the end of your organisation, no I am not being dramatic it really could have that great of an impact. If customers do not trust that you will keep their data safe, why would they do business with you? No customers, no business.
Normally at this point, I would ask you to tell me your opinion on what I have blabbered on about in my article and that I don't mind if you disagree with me or not just tell me what you think but I don't want you to do that this time. Tell me some horror stories, what you have seen concerning physical security. I bet at least a couple of you have good stories you could tell us all about? Let me know on LinkedIn or comment on the article itself, either way, let’s have a bit of a laugh and maybe learn something at the same time about ways not to secure your IT systems.
Till next time.