1. Keeping information secure, even if the local machine is stolen. Douglas R. Floyd
2. Why is securing a machine physically important, in this day of data centers? Armed robberies of data centers are becoming more common.
Criminal gangs are becoming more aware of data on a server.
Cooperation between gangs allows one gang to obtain the hardware and sell it to another, which extracts the information and hands it to a third ring for sale on the ID theft market.
Being in a server room doesn't mean a machine is immune from being stolen.
3. Why are server rooms being targeted by criminals? Many high value targets in a relatively small area. Even a smash and grab of hard disks would obtain good cash.
Blackmail is lucrative, as businesses do not want their private information (especially customer data) sold to ID thieves.
The loss of business information (customer records, payroll, accounts payable, accounts receivable, licensing keys) can result in a business closing its doors, so criminals holding data for ransom can make money.
Data centers have historically not been targeted by violent criminals.
The current economic state is forcing criminals to find new soft targets.
4. Data center robberies are already occurring Peter Gabriel's web server was stolen by armed robbers.
A Level 3 data center has been hit by armed thugs.
A data center in Chicago has been hit four times and the employees taken hostage each time in the past year.
There are a number of other cases, but most will not make the news, as most businesses are trying to negotiate with the criminals to get their stolen data back, or do not want people to know how vulnerable they are to physical attack.
5. Not just inside jobs. There are a number of smash and grab robberies where servers in small businesses are targeted.
6. Not just servers hold critical data Client desktops and laptops generally hold meeting notes, blueprints, source code, and other information critical to a company.
7. What tools are out there to help? Encryption tools
Render the data unusable if the machine physically falls into the wrong hands.
Holdup alarms and duress codes
Allow access to data, but send a silent alarm to notify a monitoring center that there is a robbery taking place.
Chassis Intrusion detection systems
Cause a machine to shut down and not operate if its case is opened by an unauthorized user.
GPS systems
Cause a machine not to operate if it is moved from its location.
Monitoring software
If notified that the machine the software is on is stolen, the software reports to a monitoring center, logging IPs and other information.
Some monitoring software can be told to erase sensitive data.
Physical anti-theft systems.
Secure enclosures and cables
Secure computer cases, designed for burglary resistance.
CCTV cameras
Record who goes in and out.
Limiting data exposure
Read-only domain controllers that only store cached data.
Headquarters/Hindquarters buildings: one building for customers, another for your critical IT stuff.
8. Encryption tools The last line of defense should computer hardware fall into the possession of unauthorized users.
Various types of encryption for different levels.
Disk controller level
Volume level
Disk block level
Filesystem level
Directory level
File level
Row and column level (for databases)
9. Encryption tools (continued) The biggest weakness with encryption tools is not the algorithm, but how encryption keys are managed.
Some tools allow only one passphrase, forcing groups of staff to share it, which can result in it being divulged.
Some tools store the passphrase in a weak manner, allowing for easy brute force cracking using rainbow tables or dictionaries.
Some tools may be poorly designed and leave sensitive information out of the protected areas (by saving into a non-encrypted /tmp filesystem, for example).
Some tools have a license fee, and if the tool vendor goes under, there may not be a way to recover data, even with the right passphrase or credentials.
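The slide above says the weakness is passphrase handling rather than the cipher. This added example (not from the slides) shows what that means in practice: a tool that turns the passphrase into its key with one unsalted, fast hash is exposed to a single precomputed table, while a tool that uses a random per-volume salt and a slow KDF (PBKDF2 here) forces every volume to be attacked separately and slowly. The passphrase list and the two scheme names are constructed for the demonstration.

```python
# Added example (not from the slides): weak vs. sound passphrase-to-key derivation.
# weak_key  : one unsalted SHA-1, identical for every volume (one table fits all).
# strong_key: random per-volume salt + PBKDF2-HMAC-SHA256 with many iterations.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # deliberately slow; tune so one guess costs ~0.1 s on real hardware

# Constructed sample dictionary standing in for a real wordlist.
COMMON_PASSPHRASES = ["password", "letmein", "Winter2009", "companyname1"]


def weak_key(passphrase: str) -> bytes:
    """Weak scheme: unsalted SHA-1 of the passphrase, the same on every machine."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()


def strong_key(passphrase: str, salt: bytes) -> bytes:
    """Sound scheme: salt plus a slow KDF; output differs per volume."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=32)


def precompute(derive, passphrases, *args) -> dict:
    """Build a key -> passphrase table for one derivation function (a tiny dictionary table)."""
    return {derive(p, *args): p for p in passphrases}


def recover(table: dict, stored_key: bytes):
    """Look a stored key up in a precomputed table; None means the table does not cover it."""
    return table.get(stored_key)


def verify(passphrase: str, salt: bytes, stored_key: bytes) -> bool:
    """Constant-time check of a candidate passphrase against a stored strong key."""
    return hmac.compare_digest(strong_key(passphrase, salt), stored_key)


def new_volume_salt() -> bytes:
    """Each volume gets its own 16-byte random salt, stored in the clear next to the key."""
    return os.urandom(16)


if __name__ == "__main__":
    weak_table = precompute(weak_key, COMMON_PASSPHRASES)
    print("weak scheme, table hit:", recover(weak_table, weak_key("letmein")))
    s1, s2 = new_volume_salt(), new_volume_salt()
    table_for_s1 = precompute(strong_key, COMMON_PASSPHRASES, s1)
    print("salted scheme, other volume:", recover(table_for_s1, strong_key("letmein", s2)))
```

When evaluating a tool, look for exactly these two properties: a unique random salt per volume and a derivation cost that is measurable in milliseconds, not microseconds.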
10. Disk controller encryption Pros As the encryption is done in hardware, little to no performance loss is encountered.
A secure erase and repurposing of the drive can be done in milliseconds by wiping and generating a new master encryption key.
Cons Only a select few drives have AES encryption at the drive controller level.
Key management is an issue with some drives, as they only may have one password that would have to be shared among staff.
11. Disk/Volume encryption (BitLocker, PGP Whole Disk Encryption) Pros Generally excellent key management depending on utility.
Recovery of data by IT staff is doable. BitLocker can store recovery keys in Active Directory, PGP can issue disk recovery tokens.
Encrypts everything on the disk, OS, data, and all. This protects against leakage of private information.
Cons Most are commercially licensed.
Malicious software that manages to get superuser access can pull the master decryption keys from memory and set them aside for later use by an attacker.
May have performance issues if used on volumes with high read/write throughput.
May render data unrecoverable if used with RAID, depending on program.
Only protects if the machine is powered off or volumes are unmounted.
Unable to resize disks or filesystems once implemented.
Backup programs (other than raw sector by sector ones) will store the data decrypted.
12. Filesystem encryption (EncFS, FileVault) Pros Able to resize filesystems without having to copy data or decrypt files.
Backup programs can store the encrypted data.
Users can have their own encrypted directories, protected against a root/admin compromise.
Cons Sensitive data, if stored outside the protected filesystems, can be left unprotected.
None have any enterprise-level recovery abilities. EncFS only has one passphrase; FileVault can offer a recovery passphrase, but that isn't scalable.
May have performance issues with large files like database containers.
13. Directory/file level (EFS) Pros Excellent recoverability.
Multiple users can have access to groups of encrypted files.
Cons Confidential information can leak, if stored outside the EFS protected directory.
Unless a backup program uses special semantics to back EFS protected files up, the backup will fail.
14. Row/Column level for databases Pros Encryption is independent of the system.
Resistant to compromise even if superuser privileges are obtained by unauthorized entities.
Most new DBMS programs support this.
Database container backups remain secure.
Cons Key management is an issue. Where does the app keep its authorization credentials?
Recovery of encrypted data is iffy and depends on the database program.
Sometimes hard to sync up encrypted data from a backup with existing tables.
15. Hardware assisted encryption (cryptographic tokens) Pros Protects against brute force password guessing by either disabling access after a number of password guesses, or adding a significant delay between entries.
Allows a machine to boot unattended while providing hard disk protection (Bitlocker).
Is able to store private keys on a chip that is tamper resistant.
Cons Hardware is sometimes hard to find. For example, it's hard to find machines with an onboard TPM/security chip.
Different drivers required for different cards. There is no real standard for cryptographic token I/O, other than APDU.
Hardware can fail, locking legitimate users out.
People can deliberately lock legit users out by typing in bad passwords until the device times out or locks.
16. Holdup alarms/duress codes Pros One can provide access to an assailant with less risk of injury to staff.
Cons Requires a secure monitoring center.
Requires processes in place to limit/deny information and call for emergency assistance.
If a robber is quick, they could be long gone before help arrives.
Few existing security structures (Active Directory) have duress code provisioning in place.
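The slides above describe a duress code as "allow access to data, but send a silent alarm", and note that directory services rarely provide one. This added example (not from the slides) shows the core of such a check: both passphrases unlock the account, the user-visible result is identical, and only the duress path emits an alarm record for a monitoring center. The `Account`, `enroll` and `authenticate` names and the alarm record format are hypothetical.

```python
# Added example (not from the slides): a minimal duress-passphrase check.
# Both verifiers are PBKDF2 outputs under one salt; nothing is stored in the clear.
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000


def derive(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 verifier for a passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=32)


@dataclass
class Account:
    user: str
    salt: bytes
    normal_verifier: bytes
    duress_verifier: bytes


def enroll(user: str, normal: str, duress: str) -> Account:
    """Register a normal and a duress passphrase; they must differ or the alarm can never fire."""
    if normal == duress:
        raise ValueError("duress passphrase must differ from the normal passphrase")
    salt = os.urandom(16)
    return Account(user, salt, derive(normal, salt), derive(duress, salt))


def authenticate(account: Account, entered: str, alarm_log: list) -> bool:
    """Return True when access is granted. A duress match also appends a silent
    alarm record to alarm_log; the caller must not show any difference to the user."""
    candidate = derive(entered, account.salt)
    # Both comparisons run unconditionally so the code path (and its timing)
    # is the same for a normal login and a duress login.
    is_normal = hmac.compare_digest(candidate, account.normal_verifier)
    is_duress = hmac.compare_digest(candidate, account.duress_verifier)
    if is_duress:
        alarm_log.append({"event": "DURESS_LOGIN", "user": account.user})
    return is_normal or is_duress
```

In a real deployment the alarm record goes out of band (to the monitoring center the slide requires), never to the local screen or event log where an assailant could see it.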
17. Case/Chassis intrusion detection systems Pros If the machine is online, can notify enterprise servers that a machine has been physically tampered with.
Can prevent booting of the OS until a password is entered.
Cons Without an infrastructure in place, chassis intrusion warnings are useless.
Unless the on-board TPM is used, the warning can likely be cleared with a CMOS reset.
Won't help if the machine is removed from the network or physically taken.
May have false alarms when a machine is opened by authorized personnel for upgrades.
18. GPS systems (in theory) Pros If combined with a TPM, can provide anti-theft protection passively, regardless of other alarms and anti-theft measures.
Can be set up and not worried about, as machines can be serviced in place without issue.
Cons Not invented yet.
Data centers have a lot of metal, so GPS reception may be problematic.
19. Monitoring software (LoJack for Laptops) Pros Can be installed in the BIOS of a computer so it persists even if a machine is erased and reinstalled.
Can keep an audit trail of deleted files.
Can be told by the central monitoring station to erase sensitive data on a machine.
Cons Requires the machine to be running Windows and connected to the Internet in some way to function.
An attacker who is familiar with BIOS flashing and disk formatting can wipe the protection.
20. Theft Deterrent Physical Security (Kensington cables) Pros Can slow an attacker down.
Provides evidence for criminal charges of breaking and entering, or malicious destruction of property if the criminal is caught.
Can protect against removal of equipment, as well as opening the case.
Cons These are theft deterrent devices. They do not protect against a true thief with bolt cutters and other tools.
May impede legitimate uses (upgrades, servicing), especially if keys are offsite.
A number of cable locks are pickable, either with a bump key or a Bic pen. One really needs high-security, pick-resistant padlocks, or a Kensington Abus/Abloy cylinder lock, for effective anti-pick measures.
21. Anti-theft physical security (enclosures, cages) Pros Forces an attacker to use heavier tools (angle grinders, power saws) to remove equipment.
Slows down a theft or robbery in progress.
Keys can be kept offsite without affecting machine function.
Cons Fairly hard to find vendors for. Anchor Pad is the best in the business.
May impede legitimate uses should a machine need to be serviced.
Costs a good amount of money.
22. Cameras Pros Have an audit log of who enters and leaves an area.
Cons Most CCTV systems have a very low resolution, usually too low to obtain facial recognition, especially if the footage is to be used in a trial.
Cameras don't prevent anything; they just make a log of the carnage.
If the footage is stored onsite, it can be compromised. If it's stored offsite, bandwidth may be an issue.
23. Limiting data on machines Pros If the data isn't there, it can't be stolen.
For read-only domain controllers, it can limit loss of user info to only a branch or organizational unit.
Remote desktop utilities are a mature technology, same with thin clients.
Cons Very hard to do in some cases. Many businesses live and die by how fast their employees can access and manipulate figures.
It may be hard for users to remote desktop all the time.
Network bandwidth is a consideration.
24. Headquarters/Hindquarters for buildings Pros If someone robs the known headquarters, the machines are not accessible.
Only trusted officers and IT people are even allowed to know the hindquarters' physical location in some cases.
Separation of privileges, where if one building's security is compromised, the whole company is not in danger.
The hindquarters can be heavily protected against attack, while the headquarters is attractive to prospective customers.
Cons Expensive to implement for smaller businesses, as it requires two offices, and a high speed, very secure link between the two.
Forces two sets of IT employees, or one set to travel between locations often.
25. Scenarios for security tools What tools, when used together, provide adequate protection?
Nothing is 100% secure. It's all about lowering risk.
Each business has individual needs. Information which might cause a small financial loss to one business (which uses PayPal for all its credit card transactions) may pose financial ruin and prison terms for its officers at another business (especially with corporate regulations like HIPAA and Sarbanes-Oxley).
26. Scenario 1: The one-person consultant Fairly low chance of being robbed.
All machines would run TrueCrypt, BitLocker or another hard disk encryption program with a long passphrase. Major projects would be stored on encrypted file based volumes, and only mounted when needed to minimize data exposure.
A Kensington Microsaver lock would be used to keep honest people honest. If possible, the key would be kept offsite.
Backups would be done to an encrypted hard disk, or backup sets encrypted by the backup program itself, if it offers that functionality. A secure offsite backup service like Mozy is also an option.
A holdup alarm and/or CCTV camera as backup.
27. Scenario 2: A small law office A small office nearby that has alarms and cameras present might be considered as a place to physically locate servers, especially a backup service.
Servers would be encrypted with BitLocker to allow unattended booting, but provide protection against theft.
If possible, anti-theft enclosures would be used for the servers so a would-be robber would need more than bolt cutters to remove the machine.
Desktops would be encrypted with BitLocker (if they have a TPM chip) and locked with a cable lock, to keep honest people honest.
Backups would be copied to a central backup server (with some form of hard disk encryption), then either external hard disks or tapes saved offsite (encrypted of course), in case of disaster or theft.
28. Scenario 3: A call center staffed by untrusted contractors Use of headquarters/hindquarters separation is recommended, so disgruntled employees do not know where the real corporate crown jewels are stored.
The domain controller would be read only, to minimize data on it if stolen or compromised.
Both servers and desktops would have anti-theft enclosures if possible.
All machines would have BitLocker in place, not to just guard against theft of data, but to guard against piracy of licensed software.
Any critical database input/output will go through a VPN to a server not on that site (as opposed to a database replica), so if the site is physically compromised, the company's data is not.
If data has to be stored onsite, the applications accessing it would use row and column encryption.
If possible, install LoJack on the servers and desktops to aid recovery if a machine is stolen.
29. Scenario 4: A branch office with decently trustworthy employees Headquarters/Hindquarters separation is a good idea here. Employees can have easy access to customers, while the sensitive information can be in a hardened location.
A read only domain controller should be used.
Servers should have some physical protection.
All machines should have some hard disk encryption present, either PGP, BitLocker, or an enterprise solution.
Only the servers need to be physically secured for the most part. A CCTV camera at entrances will ensure that most equipment stays put.
30. Scenario 5: A central office, and employees working at home If possible, employees should use company hardware only for access to the network. If that can't be done, then remote desktop functionality should be used. A user's home machine should never contain corporate data.
BitLocker, PGP WDE, or another enterprise disk encryption solution should be mandatory, given how easily a laptop can be stolen.
LoJack should be installed on all corporate laptops, not just to aid in recovery, but to allow for remote destruction of sensitive data.
A duress based system in Active Directory would be a help here just in case someone got mugged or robbed.
31. Scenario 6: A school's lab Machines should have some physical security, such as a Kensington Microsaver lock.
The server that students log onto, if not part of the classroom instruction, should be in another area.
A CCTV camera should be present.
No sensitive data should be present on any lab machines. Best practice would be to install a utility like DeepFreeze to ensure clean, usable computers.
32. Summary: There is no such thing as 100% security. A dedicated thief will find a way in somehow.
Figure out what your largest security risks are.
Employee theft of equipment an issue?
Bad area of town where drug-crazed people might pay a visit to smash/grab for their next fix?
The business has enemies that would come in to do damage or trash data in hopes of causing it to be shut down.
Disgruntled employees.
High profile.
Use layers of security.
Disk encryption and hardware locks should be the last barriers stopping a thief from getting to data.
Avoid assuming that one layer of protection is enough. If a backup program offers encryption, use it, even though the drive it is stored on has AES encryption. However, don't have redundant layers if they don't serve a distinct purpose (file-hosted volumes that are always mounted atop disk volumes).
Separate privileges. From physical separation of data centers from main employee work areas, to keeping database servers on separate networks, one needs to make sure that one compromised machine can't cause a domino effect, compromising the whole enterprise. A single, hardened firewall does not cut it these days. In larger companies, no single employee should have access to everything.
33. Conclusion (continued) Educate people. No lock or security system can keep something secure if someone leaves the key in it, or just doesn't bother implementing it right.
Morale is a major factor in risk of compromise. The better the employee morale, the more likely employees will comply with security guidelines, the more likely employees will report anomalies, and the less likely they will be security risks.
Always make sure your backups are as secure, if not more so, than the computers you have in use. Even trusted backup offsite couriers sometimes lose or have backups go missing.
If one can afford it, hire a reputable security firm to run penetration testing, both physical and network based, to find and help get rid of weaknesses. This should be done at least on a semi annual, if not quarterly basis.
Some times of the year require more vigilance than others. End of quarter, end of year, holidays, and weekends are times when people will attempt attacks. Schedule an incremental backup before 4:00 PM on Fridays and Saturdays to hopefully have a known good image of systems, as statistically, systems get trashed or compromised after 5:00 and on weekends.
Encryption keys are just as important, if not more so, than data. Keep them in redundant, secure places.