Most cyber defences are automated tools and eyes-on monitoring that look at network traffic, block spam, and search for malware. But physical security is a major risk too, especially in highly-secure facilities that hackers can’t penetrate in other ways. So a company needs to be aware of and set up defences against company insiders and outside spies connecting computing cards to LAN cables in hidden places, removing disk drives, plugging directly into routers and switches, and attaching USB drives to machines to infect the boot sector, or copy data directly.
Attacking Smart Devices
Anyone who has seen the highly-rated TV series Mr Robot knows this risk. Hacker Elliot Alderson gains access to the Level 2 floor of a secure data facility by posing as an invited guest. He makes his way into the executive dining room where he excuses himself to go to the men’s room. There he removes a smart thermostat from the wall and attaches a Raspberry Pi to the LAN cable. His goal is not to spy on network traffic; this would only be possible from the vantage point of a router. Instead, now he has an IP address and can freely run commands on the company’s network. The Raspberry Pi can be fitted with a 4G modem with which to communicate with the hacker’s command-and-control centre. The Pi runs Linux, has an ssh command prompt, and is not much bigger than a deck of playing cards.
In movies, like Ocean’s 11, hackers tap into video systems by snapping on a clamp. The clamp pierces the cable shielding and connects to the copper wire inside. But you cannot tap traffic on IP networks unless you connect a device that can obtain its own IP address.
What a hacker needs to do is install a computing card that has two LAN ports: one for itself and one for the traffic going out the other side. The Raspberry Pi or other computing cards need to run OpenWRT or similar software that will query a DHCP server. In the case of the smart thermostat, the computing card will obtain one for itself and for the smart thermostat since it is now playing the role of a switch. The only way to block this would be to use static IPs and not DHCP. Then the computing card would only work if the hacker already knows the IP address of the smart device.
Is there a way to block this attack? When the hacker cuts the LAN cable, a monitoring system could alert that a device has gone offline. But since devices go on and off all the time, the triggered alert is likely to be ignored. There would have to be an inventory of the MAC address of every device on the network. Any device not in that inventory should be shut down automatically.
Also, routing tables and subnets are going to control what networks the hacker can attack. If the IoT sensor is on a separate network than, say, the SAP system, the hacker cannot get in. They would have to attack the adjacent switch and update the routing tables in order to move laterally through the company.
Stolen Disk Drive
Most enterprise disc drives are hot-swappable. They are built that way so that a technician can remove a failed drive without turning off the array. So hot-swapping is not likely to generate an alert. Drives are replaced frequently in data centres as they have a limited shelf life. Replication ensures that the application keeps on running.
Any data that is lost this way is limited if the drive is encrypted, or if it is only writing data blocks for a file that spans multiple drives. When you pull out an encrypted drive you lose the encryption key. So you cannot read it. And the drive will not be a logically complete file in the case of RAID, which is how disc drives use multiple drives to create one logical file and protect against loss by writing pieces of it (blocks) to different drives.
Access to the Router
A man-in-the middle attack is possible on a wired or wireless network, but not easy. You cannot spy on traffic flowing across the network simply by using brute force to attach to a Wi-Fi router. This is because data packets flowing from one connected device to another do not pass by all devices connected to the network (They would in a ring-topology as in the old Novell IPX networks).
But a hacker who gains physical access to a closet where there is networking equipment or the data centre can plug an ethernet cable into the management ethernet port of a switch. They can then see all the traffic that passes.
Now they could do a man-in-the-middle attack. This will fail against VPN, AES, and other traffic unless the hacker has a valid certificate with a correct (CN). Man-in-the middle attacks usually only work against SSL when a human being is dumb enough to click through and ignore the browser warning when the hacker is using a self-signed certificate. So, employees need to be warned against such an occurrence.
Having access to the router too lets the hacker tap into device discovery protocol and find other devices and determine what software they are running by querying microservices. A load balancer in particular has knowledge of the network architecture and container and VM IP addresses and ports. Docker, Kubernetes, and Mesos broadcast configuration information that contains far more than the IP address stored in a microservices registry. So tapping into that traffic will let a hacker know what kind of software is running where.
Access to a USB Port
Anyone who has replaced Windows with Ubuntu on their laptop knows that they can boot a device using a USB, bypassing the operating system on the computer to which it is attached. Then they can run Linux and mount file systems. They could then install a rootkit into the boot sector and update the grub configuration on the device to load that when the device boots up. They infect a machine, disconnect, and walk away leaving the device compromised.
There are different ways to protect against such an attack. Such as encryption keys etched into the firmware of the device. The iPhone works like that. It checks the integrity of the host operating system and does a factory reset if the OS image hash value does not match. Also PCs have secure boot. Microsoft does that to keep people from using copies of Windows that they did not pay for. But that is easily disabled in bios.
The Need for Physical Security
All of this means that it is crucial to control physical access to the data centre. People need to be trained against the tricks of social engineering so hackers cannot talk their way past security guards. Employees need to be trained to challenge people who are trying to piggyback access cards, walking into a door that someone else has opened. Data centre cages should be locked. Credentials and keycards need to be issued through an identity management system. IDM is a system that is used to give new employees computer and physical access and, more importantly, take it away when they change positions of leave the company.