PROTECTING INTERNAL HOSTS
THE SECURITY PROBLEM
• The problem facing professionals charged with securing a company’s network can be stated rather simply:
• Physical access negates all other security measures.
• No matter how impenetrable the firewall and intrusion detection system (IDS), if an attacker can walk up to and touch a server, he can break into it.
• Physically securing information assets does not mean just the servers.
• It means controlling physical access to all of the organization’s computers and its entire network infrastructure.
Protecting Hosts
BOOTDISKS
• Any media used to boot a computer into an operating system other than the native OS on its hard drive can be classified as a bootdisk.
• It may take the form of a floppy disk, CD, DVD, or USB flash drive.
• A boot source can contain a number of programs.
• Typically NTFSDOS or a floppy-based Linux distribution, which can be scripted to mount the hard drives and perform at least read operations on them.
• Because the machine’s own OS never runs, its logon passwords and file permissions offer no protection to the mounted drives; only disk encryption keeps the data unreadable.
LIVE CDS
• A LiveCD contains a bootable version of an entire operating system, typically a variant of Linux, complete with drivers for most devices.
• LiveCDs give an attacker a far greater array of tools than could be loaded onto a floppy disk.
• These tools include scanners, sniffers, vulnerability exploits, forensic tools, drive imagers, password crackers, and more.
• With a LiveCD, an attacker would likely have access to the hard disk and also to an
operational network interface that would allow him to send the drive data over the
DRIVE IMAGING
• Drive imaging is the process of copying the entire contents of a hard drive to a single file on a different medium.
• Often used by people who perform forensic investigations of computers:
• Bootable media is used to start the computer and load the drive-imaging software
• A bit-by-bit copy of the hard drive is made on another medium
• The original is kept exactly as it was, for evidence
• The image contains every bit of data on the disk: locally stored documents, locally stored e-mail, and every other piece of information on the hard drive, including deleted files and free space that the file system no longer references.
• This data could be very valuable if the machine holds sensitive information about the company.
• Physical access is the most common way of imaging a drive.
• The biggest benefit for the attacker is that drive imaging leaves almost no trace on the imaged machine: the disk is only read, so its contents, timestamps and logs are untouched.
• One can minimize the impact of drive imaging by an attacker:
• Encrypting important files, or better the whole disk; an image of an encrypted volume is useless without the key
• Placing files on a centralized file server rather than on the local disk
• A denial-of-service (DoS) attack can also be performed with physical access:
• Stealing a computer, using a bootdisk to erase all data on the drives, or simply unplugging computers
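The imaging procedure described above, as an added PowerShell example (not code from the original slides): a block-by-block raw copy with SHA-256 computed on the bytes as they are read, then a check that the written image hashes to the same value. It runs against a constructed temp file standing in for the disk; the same function opens a raw device path such as \\.\PhysicalDrive1 from an elevated prompt (that drive number is an assumption, as are the function and parameter names Copy-RawImage, Test-ImageIntegrity and the demo marker string).

```powershell
# Added example, not code from the original slides: bit-for-bit imaging with a
# hash computed on the fly, then verification of the written image.
# $SourcePath may be an ordinary file (used below, with constructed contents) or a
# raw device such as \\.\PhysicalDrive1 opened from an elevated prompt (the drive
# number is an assumption). Function and parameter names are assumptions.

function Copy-RawImage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourcePath,
        [Parameter(Mandatory)] [string] $ImagePath,
        [int] $BlockSize = 1MB        # a multiple of the sector size, as raw device reads require
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # Open the source read-only and shared, so nothing is written back to the evidence.
    $src = [System.IO.File]::Open($SourcePath, 'Open', 'Read', 'ReadWrite')
    $dst = [System.IO.File]::Open($ImagePath, 'Create', 'Write', 'None')
    try {
        $buf   = New-Object byte[] $BlockSize
        $total = 0L
        while (($n = $src.Read($buf, 0, $buf.Length)) -gt 0) {
            $dst.Write($buf, 0, $n)                           # copy every byte, allocated or not
            [void] $sha.TransformBlock($buf, 0, $n, $null, 0) # hash exactly what was read
            $total += $n
        }
        [void] $sha.TransformFinalBlock($buf, 0, 0)
    } finally {
        $src.Dispose(); $dst.Dispose()
    }
    $hash = ($sha.Hash | ForEach-Object { $_.ToString('x2') }) -join ''
    $sha.Dispose()
    [pscustomobject]@{ Bytes = $total; Sha256 = $hash }
}

function Test-ImageIntegrity {
    param([string] $ImagePath, [string] $ExpectedSha256)
    # Re-hash the file on disk: proves the image was written completely and unchanged.
    $actual = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    return $actual.ToLowerInvariant() -eq $ExpectedSha256.ToLowerInvariant()
}

# --- Demo on a constructed 4 MB "disk" so it runs without a real device ---
$disk  = Join-Path ([IO.Path]::GetTempPath()) 'demo-disk.bin'
$image = Join-Path ([IO.Path]::GetTempPath()) 'demo-disk.dd'

$bytes  = New-Object byte[] 4MB
$secret = [Text.Encoding]::ASCII.GetBytes('CONFIDENTIAL: Q3 payroll export')   # constructed marker
$offset = 3MB + 512                      # "free space": no file name points at these bytes
[Array]::Copy($secret, 0, $bytes, $offset, $secret.Length)
[IO.File]::WriteAllBytes($disk, $bytes)

$result = Copy-RawImage -SourcePath $disk -ImagePath $image
"Imaged {0} bytes, SHA-256 {1}" -f $result.Bytes, $result.Sha256
"Image verifies: {0}" -f (Test-ImageIntegrity -ImagePath $image -ExpectedSha256 $result.Sha256)

# What the image gives away: a file-level copy would have missed this region because the
# file system no longer references it; a raw image carries it anyway.
$text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($image))
"Marker recovered from image at offset {0}" -f $text.IndexOf('CONFIDENTIAL:')

Remove-Item $disk, $image
```

Two points the slides leave implicit: the hash recorded during the read is what ties the image to the original, so it belongs in the evidence record alongside the verification result; and nothing in this copy touches the source, which is why an examiner adds a hardware write blocker only for courtroom rigor, while an attacker booting a LiveCD gets the same result with dd and leaves the machine looking untouched. If the volume had been encrypted, the recovered region would be ciphertext and the search for the marker would fail.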
USB
• USB ports have greatly expanded users’ ability to connect devices to their computers, spawning a legion of USB devices, from MP3 players to CD burners.
• The automount feature of USB drive keys creates security problems:
• They can conceal the removal of files or data from the building, or bring malicious files into the building and onto the company network
• Well-intentioned users can accidentally introduce malicious code
• If USB devices are allowed, aggressive virus scanning should be implemented throughout the organization.
• There are two common ways to disable USB mass storage on a Windows system:
• On older systems, editing the Registry: set the Start value under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR to 4 (disabled; 3 is the default, load on demand)
• On newer systems, using Group Policy in a domain, or the Local Group Policy Editor (gpedit.msc) on a stand-alone box: Computer Configuration > Administrative Templates > System > Removable Storage Access
• Both only stop the mass-storage driver; a USB keyboard, network adapter, or a malicious device that presents itself as one is unaffected.
AUTOPLAY
• Remove or disable the bootable CD/DVD drive.
• A DVD drive can be used as a boot device or be exploited via the AutoPlay/AutoRun feature that some operating systems support.
• Since the optical drive can be used as a boot device, a DVD loaded with its own operating system (a LiveCD) could be used to boot the computer with malicious system code.
• Where the drive must stay, set the firmware boot order to the internal disk only and password-protect the firmware setup; otherwise the attacker simply selects the DVD at boot.
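The Windows settings behind the USB controls above (the legacy USBSTOR registry value and the Removable Storage Access policy) and the AutoPlay/AutoRun policy from this slide, as an added PowerShell example that is not part of the original slides: one function audits the current values, the other applies them. The registry paths and value names are Microsoft’s documented ones; the $Controls table and the function names Get-RemovableMediaPolicy and Set-RemovableMediaLockdown are assumptions of this example. Run it from an elevated prompt.

```powershell
# Added example, not code from the original slides: audit and apply the Windows
# controls for USB mass storage and AutoPlay. Registry paths and value names are
# Microsoft's; the $Controls table and function names are assumptions.
# Requires an elevated PowerShell; use -WhatIf on the Set- function to preview.

$Controls = @(
    @{ Name  = 'USB mass-storage driver disabled (legacy registry method)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start';              Want = 4 }      # 3 = load on demand (default), 4 = disabled
    @{ Name  = 'Removable Storage Access: deny all (Group Policy method)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Value = 'Deny_All';           Want = 1 }
    @{ Name  = 'AutoPlay off for every drive type'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Want = 0xFF }   # bitmask, 0xFF covers all drive types
    @{ Name  = 'Autorun.inf commands never executed'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoAutorun';          Want = 1 }
)

function Get-RemovableMediaPolicy {
    # One row per control: what is set now, what the lockdown expects, and whether they match.
    foreach ($c in $Controls) {
        $current = $null
        if (Test-Path $c.Path) {
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Control   = $c.Name
            Current   = $current          # $null means the value does not exist yet
            Expected  = $c.Want
            Compliant = ($current -eq $c.Want)
        }
    }
}

function Set-RemovableMediaLockdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($c in $Controls) {
        if ($PSCmdlet.ShouldProcess("$($c.Path)\$($c.Value)", "set DWORD to $($c.Want)")) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-RemovableMediaPolicy | Format-Table -AutoSize
# Set-RemovableMediaLockdown -WhatIf   # show what would change
# Set-RemovableMediaLockdown           # apply, then re-run the audit
```

Three caveats a practitioner would want. The USBSTOR change does not unload a driver that is already serving a plugged-in drive, so reboot or unplug after applying it, and on older Windows the value can be reset to 3 when a new USB storage device’s driver is installed, which is one reason the Group Policy method is preferred on newer systems. On a domain member, the values under the \Policies\ keys are owned by Group Policy and will be overwritten at the next policy refresh, so set them in the GPO rather than locally. And none of these settings stops a device that enumerates as a keyboard or network adapter, which is the class of USB attack the mass-storage lockdown was never designed for.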

Editor's Notes

  • #4: Prior to handheld devices, the attacker had to work in a secluded area with dedicated access to the Ethernet for some time. The attacker would sit down with a laptop and run a variety of tools against the network, and working internally typically put the attacker inside the firewall and IDS. Today’s capable mobile devices assist these efforts by allowing an attacker to place a small device on the network to act as a wireless bridge, as shown in this slide.
  • #5: Before bootable CDs or DVDs were available, a boot floppy was used to start the system and prepare the hard drives to load the operating system.
  • #6: LiveCDs give an attacker a greater array of tools than could be loaded onto a floppy disk, such as scanners, sniffers, vulnerability exploits, forensic tools, drive imagers, password crackers, and so on. These sets of tools are too numerous to list here and are changing every day.
  • #7: From an attacker’s perspective, drive imaging software is useful because it pulls all information from a computer’s hard drive while still leaving the machine in its original state.
  • #8: From a security perspective, the most interesting are flash memory with a USB interface in a device that is typically about the size of your thumb, providing a way to move files easily from computer to computer. When plugged into a USB port, these devices automount and behave like any other drive attached to the computer. Their small size and relatively large capacity, coupled with instant read-write ability, present security problems. They can easily be used by an individual with malicious intent to conceal the removal of files or data from the building or to bring malicious files into the building and onto the company network. Well-intentioned users could accidentally introduce malicious code from USB devices by using them on an infected home machine and then bringing the infected device to the office, allowing the malware to bypass perimeter protections and possibly infect the organization.
  • #9: Another boot device to consider when looking at physical security policies and procedures is the CD/DVD drive. This device can probably also be removed from or disabled on a number of machines. Autoplay was designed as a convenience for users, so that when a CD/DVD or USB containing an application is inserted, the computer instantly prompts for input versus requiring the user to explore the device filesystem and find the executable file. Unfortunately, since the autoplay functionality runs an executable, it can be programmed to do anything an attacker wants. If an autoplay executable is malicious, it could allow an attacker to gain remote control of the machine. Since the optical drive can be used as a boot device, a DVD loaded with its own operating system (called a LiveCD, introduced earlier in the chapter) could be used to boot the computer with malicious system code (see Figure 8.9). This separate operating system will bypass any passwords on the host machine and can access locally stored files.