Presentation is loading. Please wait.

Presentation is loading. Please wait.

Physical Security In the Cyber Arena UNCLASSIFIED//FOR OFFICIAL USE ONLY.

Similar presentations

Presentation on theme: "Physical Security In the Cyber Arena UNCLASSIFIED//FOR OFFICIAL USE ONLY."— Presentation transcript:

1 Physical Security In the Cyber Arena UNCLASSIFIED//FOR OFFICIAL USE ONLY

2 Security Notice This presentation is classified UNCLASSIFIED//FOR OFFICIAL USE ONLY Redistribution outside US Government channels is prohibited without proper authorization. This document contains information that may be exempt from mandatory disclosure under the Freedom of Information Act UNCLASSIFIED

3 Agenda Why it Matters – Part 1 Guards, Gates and Guns What is a Network Attack Surfaces Network Infrastructure Threats User Equipment Threats Users Wireless and Mobile Why it Matters – Part 2 Recommendations UNCLASSIFIED//FOR OFFICIAL USE ONLY

4 Why Physical Security Matters (1) We spend billions securing our networks –Almost always localized malware (AV/PSP) –Usually by segregation (Firewall or Air-Gap) –Sometimes from internal propagation (IDS) –Rarely from physical threats (how??) Most networks are a Cadbury Crème Egg –Hard and crunchy on the outside –Soft and gooey on the inside So let’s attack the weak point: From the inside out! UNCLASSIFIED//FOR OFFICIAL USE ONLY

5 Don’t Underestimate Gates, Guards and Guns An attacker can do a lot of damage remotely They can do even more physically! "Then we need physical access”Then we need physical access –Create a fake badge and ‘tailgate’ in –"Thanks to all the smokers out there for leaving doors unlocked” In the simplest case, just steal the HDD –Full Disk Encryption (FDE) is important UNCLASSIFIED//FOR OFFICIAL USE ONLY

6 What is a Network? A collection of computing equipment that can communicate electronically Where your data lives –Servers and data storage –User computers, laptops, and mobile devices How your data moves –Routers, switches and firewalls –Cabling and wireless links Peripherals –Keyboards, Mice, Thumbdrives –Printers, Scanners, Cameras UNCLASSIFIED

7 Attack Surfaces Infrastructure User-Space Wireless UNCLASSIFIED//FOR OFFICIAL USE ONLY

8 Infrastructure Threats Hit the core of your network Are often harder to identify and isolate Can provide access to everything –If not well-secured Are more often intentional –Although misconfiguration is still a concern Can be readily prevented with: –Proper physical security –Appropriate configuration/controls UNCLASSIFIED//FOR OFFICIAL USE ONLY

9 LAN/WAN Infrastructure Eqpt. Rarely has antivirus tools you can run Is infrequently updated Is usually in-place for many years –Often in a neglected network/server closet Frequently have provisions for back- channel communications (eg console port) –Sometimes even USB 3G dongle support Frequently now includes built-in wireless And the case is rarely ever opened … Use your imagination UNCLASSIFIED//FOR OFFICIAL USE ONLY

10 Cable Threat: PwniePwnie Man-in-The-Middle (MiTM) on Ethernet –Intercept, add, drop, or modify packets in- transit –Full bi-directional exploit capability Can NAT attacker directly in Not just passive collection Masquerade as a trusted computer Cellular back-channel –Bypasses your firewall Or uses your own internet-connected WiFi Built-in WiFi exploits (more on that later) UNCLASSIFIED

11 PwniePlug r2 - $395 UNCLASSIFIED © Pwnie Express

12 PwnPhone UNCLASSIFIED © Pwnie Express

13 How could they use it? When was the last time anyone moved that heavy cabinet or safe??? –But the cabling runs behind it –And there’s a power outlet back there How about looked under the floor tiles? Or above the drop-ceiling? Or gave a second-thought to that surge- protector that also has Cat5 protection? And it can be carried in a pocket… UNCLASSIFIED//FOR OFFICIAL USE ONLY

14 Passive Attacks Exist Too Trivial to build a $10 passive Ethernet tap$10 passive Ethernet tap The Throwing Star LAN Tap is a passive Ethernet tap, requiring no power for operation. There are active methods of tapping Ethernet … but none can beat passive taps for portability. To the target network, the Throwing Star LAN Tap looks just like a section of cable. The monitoring ports are receive-only … This makes it impossible for the monitoring station to accidentally transmit data packets onto the target network. The Throwing Star LAN Tap is designed to monitor 10BASET and 100BASETX networks. It is not possible for an unpowered tap to perform monitoring of 1000BASET networks, so the Throwing Star LAN Tap intentionally degrades the quality of 1000BASET target networks, forcing them to negotiate a lower speed (typically 100BASETX) that can be passively monitored. UNCLASSIFIED © HakShop

15 User-Space Threats Hit the periphery of your network –But can then spread via software Are harder to prevent via physical security, because: –Users each have physical access to more equipment –There are many more users than sysadmins, who are the only ones with access to infrastructure equipment Are often unintentional by legitimate users –But don’t discount malicious activity Can be prevented with: –Security software –Appropriate configuration/controls UNCLASSIFIED//FOR OFFICIAL USE ONLY

16 User-Space Equipment History: GUNMANGUNMAN –Soviet bugging of IBM Selectric typewriters in US Embassy Moscow –Accessed due to poor shipping security “ All of the implants were quite sophisticated. Each implant had a magnetometer that converted the mechanical energy of key strokes into local magnetic disturbances. The electronics package in the implant responded to these disturbances…and transmitted the results to a nearby listening post. Data were transmitted via radio frequency. The implant was enabled by remote control… Engineers estimated that a skilled technician could install an implant in a typewriter in a half hour. ” UNCLASSIFIED

17 User-Space Equipment Commercial keyloggers are readily available, even on Amazon, with wirelesskeyloggers Amazon –To hide completely, order it built-in built-in –Or a “USB Charger” that snoops on wireless Microsoft keyboardssnoops You can also get screengrabbersscreengrabbers Keyloggers are bad, but not nearly as dangerous as… UNCLASSIFIED © KeeLog

18 USB Peripherals If an attacker can hide a keylogger in a keyboard, how about: –A USB 3G modem?3G modem –A USB WiFi adapter?USB WiFi adapter Windows built-in drivers can automatically connect to the internet UNCLASSIFIED//FOR OFFICIAL USE ONLY © Amazon © Intel

19 USB to Another Level Most PC motherboards usually have open USB headers, even servers –Opening a PC case is easy –A “header-to-connector” adapter costs $10 It’s not hard to install USB Devices inside a computer –How often do you open the case and inspect inside?? UNCLASSIFIED//FOR OFFICIAL USE ONLY © Newegg ©

20 More USB MADNESS A USB Business Card that’s been re- flashed to download malwareUSB Business Cardre- flashed Program an Android phone to be a keyboard, and launch malwareAndroid phone Modify a COTS thumbdrive to attackModify a COTS thumbdrive These are all items users think are innocent UNCLASSIFIED © IntelliPaper

21 Users Are an unavoidable reality Naïve and generally trusting Frequently choose convenience over security, even when educated on threats –They often break the rules due to frustration with slow/bureaucratic processes The Unavoidable Reality: Users need to be protected from themselves, but they’ll work with you UNCLASSIFIED//FOR OFFICIAL USE ONLY

22 Malicious Users Not going to dive into the counter- intelligence implications of the trusted insider threat –But be cognizant they do exist, albeit in VERY low percentage of the population Two very different types: –“Smash-and-grab” –Long-term penetration Best defense is a good offense UNCLASSIFIED//FOR OFFICIAL USE ONLY

23 Wireless Is, fundamentally, giving an attacker a way to bypass your physical safeguards WiFi Pineapple canWiFi Pineapple –Auto-spoof networks –MiTM the data –Or redirect to attack sites Anybody can break your WEP/WPA/WPA2 passwords today with CloudCracker for under $20 CloudCracker UNCLASSIFIED © HakShop

24 “Secure” WiFi Can still leak data –Assume they manage to get malware on your laptop somehow… –Now, adjust the timing of transmitted packets in a known way, leaking the crypto key Is still running on physical hardware that could be compromised Is likely accessible from outside your controlled spaces –Gee, now I can just park outside the building… UNCLASSIFIED//FOR OFFICIAL USE ONLY

25 Mobile Devices Pocket-sized computers –With built-in wireless and USB –Easily hackable –Rarely running effective antivirus No such thing as “just charging” a phone –The USB port is a data connection! –This is one of the most frequently violated policies Can easily create a network connection: PC  USB  Phone  Cell/WiFi  Internet Either overt (tethering), or covert (hacked phone) –Already discussed phone hacking PC as keyboard –Phone can also act as thumb-drive, carry malware UNCLASSIFIED//FOR OFFICIAL USE ONLY

26 Why Physical Security Matters (2) All networks must ingest data to be useful –Generally far more low  high transfers than the opposite –So you WILL get malware, inevitably The challenge is therefore preventing exfiltration of your sensitive data –The exception is Computer Network Attack (CNA) threats… Good physical security, combined with good policy and electronic security, keeps your data where it belongs UNCLASSIFIED//FOR OFFICIAL USE ONLY

27 Best Practices Practice good security in procuring IT equipment –This is antithetical to contracting policies  DON’T assume your computers are trusted – Especially in user-space Double-down on physical security and Technical Surveillance Countermeasures (TSCM) inspections for the core equipment Use encryption on the wire –Renders MiTM moot Isolate things that don’t need to talk –Why should a user be able to ping a database server? They should only see the front-end UNCLASSIFIED//FOR OFFICIAL USE ONLY

28 The ideally secure network Has core all in 2-person controlled closets Does controlled purchasing and incoming TSCM inspection for core eqpt Uses thin-clients in user-accessible space Firewalls all connections leaving the closet –Only allow RDP in/out –Use IPSEC to the thin-client terminals Uses port-security, internal VLAN’s and firewalls –Don’t let attackers propagate everywhere Locks-down USB device permissions, and includes alerting/auditing to the sysadmin Is isolated from other networks UNCLASSIFIED//FOR OFFICIAL USE ONLY

29 Questions? UNCLASSIFIED

30 Facilities All Information Systems require power –Kill the power – kill the system Power systems are all SCADA-managed –Supervisory Control And Data Acquisition The grid is a target! –How to Hack the Power Grid for Fun and Profit (MIT)MIT –Can Hackers Turn Your Lights Off? The Vulnerability of the US Power Grid to Electronic Attack (SANS)SANS –Hacking the Industrial SCADA NetworkHacking the Industrial SCADA Network –How to Hack Into a City's Power GridHow to Hack Into a City's Power Grid UNCLASSIFIED

31 Hacking SCADA – Fact or Fiction STUXNET –Hacked SCADA controlling Iranian centrifuges –The SAME controllers are used in power and water stations… “A radical environmental group was caught hacking into an electric utility IT system at an undisclosed U.S. location” (SANS) Although many aspects of Eligible Receiver remain classified, it is known that the Red Team was able to infiltrate and take control of … power grids and 911 systems in nine major U.S. Cities. (Wikipedia)Wikipedia UNCLASSIFIED

Download ppt "Physical Security In the Cyber Arena UNCLASSIFIED//FOR OFFICIAL USE ONLY."

Similar presentations

Ads by Google