InfoSec Answers-Physical Access
Today's question was "Let's say that someone gains physical access to your server room. What could he/she do to your data?"
This is a great question and one with many answers. I will attempt to hit on the major things that can be done with physical access to a computer or server room, as well as some mitigation techniques to prevent these types of attacks.
With physical access, there are so many things you can do. One fun story I heard a while back that is an example of what you can do goes like this:
Two friends were having lunch one day. During lunch the two friends were bragging about how secure their networks were. Friend1 said "Let's make a friendly bet. First one to gain administrative access to the other's domain wins. Loser buys the winner lunch." Friend2 agreed and they shook hands. Friend1 went back to work. Soon after Friend1 walked in the door, Friend2 pulled up to Friend1's building. Friend2 walked past the receptionist, saying hello as he passed, and walked to the server room. Friend2 then unplugged a server, and walked out the door with the server under his arm. Waving goobye to the receptionist, Friend2 got in his car and called Friend1. "How's it going?", Friend2 said. "Just so you know, I have your server, and as soon as I have obtained the password, I will let you know. Lunch should be good tomorrow!"
With physical access, you can cause a DoS, by unplugging servers. You can boot to a LiveCD and drop hashes from the system then use those hashes to crack, or pass the hash. You can also access files on the system. Also, in a server room, you can plug in a PwnPlug or another system that will connect back to your systems, giving you network access inside the environment. Another thing is just putting in a network tap to access all traffic on that port.
We use physical access vectors quite often in tests we perform. One recent test, one of the guys on my team created a "dropbox", which was a Raspberry Pi with a Linux Distro on it, and it also had a mic and camera. He dropped it off in a conference room and it went unnoticed for the majority of a meeting that occurred there. He then saw a lady notice it, and look close at the camera and say "Oh Hell NO!". The picture was pretty epic, but what it goes to show is that unless you are looking for it, it can easily be hidden. (it is easier to hide equipment in a server room because of all the equipment, and many people don't keep it clean). The system he used, when he connected it to the network, it turns out the network drop he plugged into was on the surveillance network, and he quickly gained access to the surveillance system.
Pretty much anything an admin can do, an attacker can do with physical access. That is why it is so important to physically secure your equipment.
- Some things you can do to help mitigate this threat are:
- Keep server rooms locked and access controlled
- Monitor server room access
- Encrypt your drives - This greatly applies to mobile systems, but if I can gain physical access to your systems, encryption is the only thing that will be able to stop/slow me down
- Limit the Pass the Hash vulnerability - local account usernames and passwords should be different than each other and a domain group should be used to manage the computer. At a minimum, make the administrator passwords different on each computer/server. (There is also a Group Policy/Local Security Policy setting that will prevent local users from logging on remotely, and this is a good mitigation tactic.)
- Use port security to monitor and prevent unauthorized devices on your network
Have an InfoSec question you would like answered? Wonder how attackers do certain things? Leave me a note in the comments and I will look into answering. On Twitter? Follow me @kirkphayes and send a tweet with #InfoSecAnswers and I will use those as well.