
Security 101: Layer 1 Is the Loneliest Number

May 23, 2008
By Jimmy Ray Purser


Network security is complex, but it starts at two simple places: the hardware and human levels. Jimmy Ray explains how USB ports, keyboard loggers, Bluetooth, and more can make your smaller business vulnerable -- and how to protect it



I used to love the game Sim City. I would work for hours to create an urban utopia filled with parks, great transportation, NASCAR, fishing spots, and Popeye's Chicken. Then I would destroy the city with monsters, fires, earthquakes, and mother-in-law pop-ins.

When the Sim people would complain, I raised taxes and cut public services. Reminds me of when I first started out in network security. I would work hard to build a smoking-hot network, and some outside source would tear it down. Users would complain, and I would raise the security policies to a higher level. Many vendors out there today define security models for our networks, but more often than not, they are not security outlines as much as they are implementation guides for places to cram their gear.

The Complexity of Security
I am a security purist. I believe the best products work the best ways for the best outcomes. (That phrase is available for bumper stickers: just twitter me at jimmyray_purser.) Anyway, security can be very complex, so this paper is the first in a series of eight, one for each OSI layer, so you know what is involved and what hackers are targeting at each layer. These papers are designed to stand alone, so if you are interested only in Layer 1 and Layer 5, then just read those. I know the ISO only sanctioned seven OSI layers, but theory gives way to practicality. Layer 8 is the human layer: users, managers, politics, regulations, and yes ... gulp ... server admins. As network admins, we do much of our work at Layer 8, and my guess is that paper will be 100 pages long.

Isaac Asimov said, "Never punch a Vulcan in the head." No, wait a minute, that was Robb Boyd. Mr. Asimov said, "If knowledge can create problems, it is not through ignorance that we can solve them." I mention this because of the Robin Hood syndrome that sometimes hits people just starting out in network security. Do not go out surfing the Internet looking for vulnerabilities in other people's Web sites so you can help them out. It is illegal, and you can get in big trouble with the FBI for it. A friend of mine did just that and reported problems with a school's Web site, but instead of a ticker-tape parade, the FBI showed up, and he donated his entire computer gear to Uncle Sam and received a new name: 1890447871-a. I look forward to seeing him in 5 to 10 years.

Practice in your own lab on gear you own. When doing a pen test, never take your system out of the bag before you have a signed letter from the company's top execs acknowledging what you are doing. A "get out of jail free" card, if you will.

Physical Layer Defense
It should be no surprise that without physical security you have no security. If we need to be ISO 17799 compliant, physical security is the very first step. Truthfully, ISO 17799 is a great checklist to use when looking at physical security. When we're talking about the OSI physical layer, we also need to bridge the data world with the actual world and touch on physical security. Physical security is one of the most important non-data security controls you can have on your network. Today, many hackers love to pick physical locks. At nearly every hacker meeting I attend, we have a lock-picking contest. Lock picking and hacking have a lot in common: they are both self-taught, the bigger the challenge the better, and they are both considered dark arts. The fastest and most effective way into any network is around the firewall, not through it. As a security auditor myself, I have zipped into many networks through non-data methods. Physical layer security is one of the biggest failure points on any network, and one of the biggest attack vectors today is the USB port.

USB Port Security
Many people are noticing that USB ports are major vectors for losing data. Hackers are using USB keys to "slurp" your data right off of your machine. This is a very simple attack and can be conducted by your employees, cleaning crews, contractors, or hackers who just toss infected USB keys around break/common areas so that your users will pick them up as eagerly as a free ticket to a ZZ Top concert. Of course, to make sure there is nothing important on the key, the users will plug it into a USB port and immediately grant access to hackers by launching the hacker's tools. Now, let's run this through the TechWiseTV demystifying machine. Not every USB key is capable of doing this. Windows by default will not autoplay an autorun.inf file placed on just any USB key, as many people might lead you to believe. It is an easy attack, but not that easy. The USB key needed is called a U3 and is normally made by SanDisk. Hackers remove the "U3 Launchpad" program and replace it with a data stealer such as switchblade or hacksaw (my favorite). These programs are fast and powerful and will silently capture your passwords, files, and network info. iPods can do this also, but USB keys are cheaper, faster, and easier to write custom hacks for, whereas iPods are expensive, easier to track to the owner, and more difficult to write code for, and fingerprints show up very well on them. Protect your USB ports by disabling autorun, training your team, and purchasing a client firewall program that protects the USB ports.
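The first of those three protections, disabling autorun, can be audited and enforced from the registry. The following PowerShell script is an added example written for this edit; it is not code from the original column or from TechWiseTV. It assumes a Windows host with administrative rights, and it uses the documented NoDriveTypeAutoRun policy value. The mask 0xFF is used rather than only the removable-drive bit because a U3 key presents part of itself as an emulated CD-ROM drive, which is the drive type that Windows was willing to autorun from.

```powershell
# Added example (not from the original column): audit and harden the Windows
# Autorun policy that U3-style USB keys rely on. Assumes Windows and admin rights.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName  = 'NoDriveTypeAutoRun'
$disableAll = 0xFF   # one bit per drive type; 0xFF disables Autorun on every type

# Bit positions follow the Win32 drive-type numbers (1 -shl DRIVE_TYPE).
$bitRemovable = 0x04   # DRIVE_REMOVABLE: ordinary USB flash drives
$bitCdRom     = 0x20   # DRIVE_CDROM: the emulated CD partition on a U3 key

function Get-AutorunPolicy {
    # Returns the current mask, or $null if the value has never been set.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Test-AutorunDisabled {
    param($Mask)
    # Unset, or any drive-type bit left clear, means some media can still autorun.
    if ($null -eq $Mask) { return $false }
    return (($Mask -band $disableAll) -eq $disableAll)
}

function Set-AutorunDisabled {
    # Creates the policy key if needed and forces the all-drives mask.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -Value $disableAll `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-AutorunPolicy
if (Test-AutorunDisabled $current) {
    Write-Output ('Autorun is already disabled for all drive types (mask 0x{0:X2}).' -f $current)
} else {
    # Report the two drive types most relevant to USB keys before fixing them.
    $shown = if ($null -eq $Mask) { 0 } else { $current }
    if (($shown -band $bitRemovable) -eq 0) { Write-Output 'Removable drives can still autorun.' }
    if (($shown -band $bitCdRom) -eq 0)     { Write-Output 'CD-ROM (and U3 emulated CD) can still autorun.' }
    Set-AutorunDisabled
    Write-Output ('Autorun policy set to 0x{0:X2}; log off or reboot for Explorer to apply it.' -f (Get-AutorunPolicy))
}
```

Run it elevated on each workstation, or push the same value through Group Policy so a local change cannot be undone by a user. It is a registry control, not a USB-port control: it stops the autorun step the column describes, but a user who double-clicks the launcher on the key is unaffected, which is why the training and the client-side USB protection in the list above still matter.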



Next Page: A Team Approach to Physical Security
