
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Tip #9: Access Controls, Including Wireless, Modems, VPNs, and Physical Access

Published: 2007-10-09
Last Updated: 2007-10-09 20:41:57 UTC
by Swa Frantzen (Version: 8)

As this topic is very wide, we intentionally limited the tips to those that end users have influence over.

Modems

When you are not using an old-style modem, disconnect it or, if it is an external model, power it down. It's an expensive lesson learned by those who managed to catch a dialer calling on their behalf to 900 style numbers for hours in a row...

VPNs

  • Just because the tunnel is authenticated and encrypted does not mean that malware cannot flow through the VPN.
  • Once the VPN tunnel is up, don't allow a separate connection to a network of a lower security classification, e.g. don't connect to the corporate VPN while simultaneously connecting to P2P networks over the Internet.
  • When connecting to networks outside your control (such as in hotels, airports, conferences, a cafe, a hotspot, ...), use caution: minimize your dependency on the services offered and guard yourself against man-in-the-middle attacks. One way is to set up a VPN or an SSH connection that forwards all traffic to a trusted machine.

Wireless

  • Turn off wireless and Bluetooth on your laptop when you don't need it.
  • Use encryption, even if it's only WEP. Prefer WPA2 and, if needed, upgrade the hardware to support it.
  • Clean out the preferred network list on the wireless side; those hotel and vendor names of unprotected networks make you a sitting duck.
  • No dual connectivity: only allow one network connection at a time, i.e. disallow a connection to the WiFi hotspot in the cafe downstairs while there is a simultaneous connection to the corporate LAN.
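
An added example (not part of the original diary) of auditing the preferred network list from the tips above. It assumes saved profiles in NetworkManager's keyfile layout; the sample profiles and the `audit_profile` and `audit` helpers are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile (INI) layout.
SAMPLE_PROFILES = {
    "Hotel-Guest": "[connection]\nid=Hotel-Guest\ntype=wifi\n[wifi]\nssid=Hotel-Guest\n",
    "OldRouter": "[connection]\nid=OldRouter\ntype=wifi\nautoconnect=false\n"
                 "[wifi]\nssid=OldRouter\n[wifi-security]\nkey-mgmt=none\n",
    "Home": "[connection]\nid=Home\ntype=wifi\n[wifi]\nssid=Home\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "Wired": "[connection]\nid=Wired\ntype=ethernet\n",
}

# key-mgmt values that mean WEP rather than WPA/WPA2.
WEAK = {"none": "WEP", "ieee8021x": "dynamic WEP"}

def audit_profile(text):
    """Return (ssid, protection, autoconnect) for a Wi-Fi profile, else None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?"))
    # NetworkManager joins saved networks automatically unless told otherwise.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    if not cp.has_section("wifi-security"):
        return ssid, "open", auto  # no security section: unprotected network
    mgmt = cp.get("wifi-security", "key-mgmt", fallback="none")
    return ssid, WEAK.get(mgmt, mgmt), auto

def audit(profiles):
    """Map profile name -> finding for every saved network worth reviewing."""
    findings = {}
    for name, text in profiles.items():
        result = audit_profile(text)
        if result is None:
            continue
        _ssid, protection, auto = result
        if protection == "open" and auto:
            findings[name] = "remove: open network that is joined automatically"
        elif protection == "open":
            findings[name] = "review: open network (manual join only)"
        elif protection in WEAK.values():
            findings[name] = f"upgrade: {protection}, prefer WPA2"
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_PROFILES).items():
        print(f"{name}: {finding}")
```
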

Physical Access

  • War stories are always a great way to get people interested in listening to what you want to get across. Jim wrote in:

    "At my previous place of employment we had several small machine rooms dotted around the building. You needed to get a key stored at the security station to enter any of them and there was a list of approved personnel who could check out a key. When I needed to reboot a downed server I asked to borrow the key, but as my name was not on the list security needed an email from someone who was. Their names revealed by the security guard, I promptly went to the authorized person's PC, fired off an email in their absence and trotted back down to the security station. Key was handed over, server rebooted and all was well.

    This place had better security than many other places I've worked but some simple social engineering meant I could get hold of the key and gain physical access to the server. The security system was sound in principle, but let down by the simple means by which access could be delegated with a single email. I could have simply forged an email if the person's PC had been locked and most likely achieved the same result."

    Social engineering works in most cases; training people to be service minded and guarded against social engineering isn't the easiest job.

  • Brian wrote in with his war story:

    "Working as a n00b general-service tech at my .edu, I was to physically verify that all servers and systems were shut down as weekend work was scheduled to replace a failing electrical utility feed. As part of the plan, I would be contacted when the power was restored, and make sure all servers were booted up gracefully.

    Well, this happened to be the weekend of the last big Northeast blackout. Instead of a controlled power shutdown on Friday, everything went dead on Thursday. Most folks assumed the work schedule had just moved up.

    I spoke with the electrical project managers, and they decided to put work off - but since they were here, they were going to stay and monitor the power restoration. I hung around to practice my plan to bring all computing systems back on line.

    Well, I needed to get into an administrative office when power came back on. The magnetic locks were in a default lock condition (1st dangerous problem), so my 'master' keys wouldn't work. I did remember some employees of that office using a fire door for sneaking the occasional cigarette, so I tried that door, and got in. (No alarm on that door - 2nd issue). One of the chief admins found me in the office, and wondered how I got in. I explained, and thought nothing of it until Monday morning, when both I and my director were 'invited' to speak with detectives in separate 'interview' rooms with the campus police.

    I later found out that the campus police - who also manage all access keys - had told that administrator his office suite was only accessible to 6 people who had the "special" keys. They had no idea that all of the IT staff - and possibly others - also had access.

    What I learned:

    1) If you promise security, you had better verify your claim and keep checking it.

    2) If you manage keys, remember that many keys open locks they aren't specifically keyed to. Check each set.

    3) If you are the person who will access restricted areas, be sure to get affirmative consent from the appropriate parties before you attempt that access."

  • Password-protect the BIOS and set it to boot from the HDD only.
  • Locking down computers against physical theft can be a great way to slow down thieves, but it won't slow them down that much if they really want your machine. As Niel put it: "at Defcon I let a guy pick the Master lock on my laptop bag. He did it in 12 seconds. His friend took 16 seconds on the same lock. So a lock may be viable in some environments, but not a long-term deterrent".

Thanks

In no particular order: thanks to Boris, Jim, Andy, Peter, Niel, Brian and many others.

 

--
Swa Frantzen -- NET2S
