Security Basics: Part 3 - Compartmentalization

Compartmentalization

Anyone who knows me will be able to attest to the fact that I have at least a touch of the OCD. Most of those people will probably tell you it's more than just a touch. In any case, I like things to be neat and orderly. When looking at networks and security, this usually translates into splitting up an otherwise monolithic network into smaller, more manageable chunks.

If you look at the design of a submarine, the vessel is divided into many different compartments, usually grouping like functions into a single physical space. Between all of these sections there is a thick barrier with heavy doors which can be locked down at a moment's notice. Why is that? Well, if they spring a leak somewhere, the Navy prefers that the entire crew doesn't drown.

The same principle should be applied to most business networks. Splitting things up along the lines of security, functionality, and physical location can yield a much more secure and manageable network. If it's done right, it will be transparent to everyday business, but be a serious barrier to anyone attacking the network. It will also make monitoring of network traffic much easier, as all traffic traveling between segments will be traveling across a device which should be able to do some accounting and reporting.

In my personal experience, I've seen absolutely enormous (>6000 hosts) networks set up as a single, switched subnet. The more average case usually involves 100 or so devices total, and sometimes multiple locations. Whatever the size or configuration of the network (aside from the really small <10 devices networks, of course), there is usually some split that can be made to improve it. At the very least, I push customers to move administrative interfaces of all devices that have them to a different network. Every network I've ever run into has at least one device with a web or telnet administrative interface on its internal network. Most IT managers never think that the secretary or the accounting guy will ever want to or be able to do anything with those interfaces. The issue is that if an attacker manages to get inside, those administrative interfaces are up for grabs along with everything else. Furthermore, if someone on the inside stumbles across one which isn't properly secured, malice isn't required to cause some serious downtime.

When performing a vulnerability assessment on your organization and network, it is very typical to consider only the inbound attacks (even those coming from the inside). However, it is critical to consider what would happen should an attack be successful. What if every other layer of defense failed to block or even notify you of an attack? What keeps an attacker from moving around within your network and further compromising your organization once on the inside? Well, a properly segmented network can help there. If traffic between segments of your network is limited only to what is needed, it is considerably less likely that an attacker will be able to attack or move any data between segments. Furthermore, if all segments connect only through a firewall with an IDS/IPS, there is a much higher chance of catching the attacker traversing segments.
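As an added illustration (not code from the original post), here is a small Python model of the segmentation just described: a single choke-point firewall with an allow-list of "only what is needed" flows, where everything else between segments is denied and logged. The segment ranges, ports and sample connection attempts are constructed for the example.

```python
import ipaddress
from typing import NamedTuple

# Constructed segment layout: each segment is its own subnet behind the firewall.
# Administrative interfaces live on their own "admin" segment, as the post advises.
SEGMENTS = {
    "users":   ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "admin":   ipaddress.ip_network("10.99.0.0/24"),
    "guest":   ipaddress.ip_network("192.168.100.0/24"),
}

# Allow-list of (source segment, destination segment, TCP port).
# Any inter-segment flow not listed here is denied and logged at the choke point.
ALLOW = {
    ("users", "servers", 443),   # workstations reach internal web applications
    ("users", "servers", 445),   # workstations reach file shares
    ("admin", "servers", 22),    # management hosts administer servers over SSH
}

class Flow(NamedTuple):
    src: str
    dst: str
    port: int

def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")

def evaluate(flow: Flow, log: list) -> bool:
    """Return True if the firewall permits the flow; record denials in log."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return True  # stays on one switch; the firewall never sees it
    allowed = (src_seg, dst_seg, flow.port) in ALLOW
    if not allowed:
        log.append(f"DENY {src_seg}->{dst_seg} {flow.src}->{flow.dst}:{flow.port}")
    return allowed

def run_sample() -> tuple:
    """Evaluate constructed flows; returns (verdicts, denial log)."""
    flows = [
        Flow("10.10.0.15", "10.20.0.5", 443),     # normal user to web app
        Flow("10.10.0.15", "10.99.0.1", 23),      # user PC probing a telnet admin interface
        Flow("10.10.0.15", "10.99.0.1", 80),      # same PC trying the web admin page
        Flow("192.168.100.7", "10.20.0.5", 445),  # guest jack reaching for file shares
        Flow("10.99.0.10", "10.99.0.1", 22),      # admin host to switch, same segment
        Flow("10.99.0.10", "10.20.0.5", 22),      # admin host to server over SSH
    ]
    log: list = []
    return [evaluate(f, log) for f in flows], log

if __name__ == "__main__":
    verdicts, log = run_sample()
    print(verdicts)
    print("\n".join(log))
```

The three denied lines are exactly the events an IDS on the choke point would surface, which is the visibility a flat switched network never gives you.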

The downside of segmentation is that it requires a fair amount of work up front, and it forces you to know everything about your network. The latter isn't really a downside as I see it. But it does mean extra work, and extra work is generally considered a bad thing in the IT world. As network devices go, midrange UTM-type firewalls with 8 interfaces or more aren't very expensive ($3000-4000) when compared to other network devices, but they will provide you with more visibility and security than pretty much anything else.

What are You Looking At?

In pretty much every assessment I've done, and a good deal in day-to-day life, I see a disparity between physical security and information security. While I could ramble endlessly about monolithic networks and their evils (especially the irony in locking servers in a secure room, while leaving access to the same network open in a totally unsecured room), I'm going to talk today about cameras.

Closed Circuit TV (CCTV) systems installed in most banks and other facilities are there to catch thieves with guns and ski masks. They can and do serve other purposes, like accounting for everyone entering/exiting a building, and watching accident-prone areas, but for the most part, they're only there to try and get a shot of a robber's face good enough to put on the evening news.

In this day and age, while there is still a significant amount of robbery at gunpoint, there are much more costly thefts and intrusions that need to be watched for by CCTV systems. I can't tell you how many times I've been in some financial institution (as a customer, not doing work for them) and been left alone in a room with a network-connected PC with full access to the rear of the machine. Furthermore, because of the camera coverage in the building being geared heavily towards the lobby, I was unwatched.

Given this level of access, one could easily use a pocketable USB device (a USB hacksaw, for example) that would steal credentials and leave an agent capable of stealing even more data, all without the victim organization knowing.

According to this article about bank robbery, the average bank robbery costs about $25,000 when it is all said and done (including turnover, lost time, etc.). The average ID theft usually ends up costing between $90 and $305 per record, according to this page. This can vary wildly based on how high- or low-profile the incident is. To work out an average case, let's say that 5,000 records were lost (that's a very conservative size for a small bank or credit union). That would be between $450,000 and $1,525,000 in total cost for that breach. A bit of a difference, huh? Now, imagine the public backlash at an organization that just "let" someone walk in and take data, versus the relative empathy the organization would receive because of losses due to a gun-wielding robber.

So, given the absolutely enormous difference in the financial damage able to be done between the two attacks, why do financial organizations not seem to take the more costly attack seriously? Well, the big reason is lack of knowledge. Despite cybercrime and hacking being buzzwords in today's society, most of the defensive effort goes into antivirus and perimeter security. My experience in performing security assessments for these organizations says that they rarely have a thorough and consistent approach to security. A secondary reason is inertia. It's the same reason that banks still have large vaults, despite their most valuable items being in the server room. It's just that financial institutions have a long history of needing physical security to stop intruders with guns, jackhammers, torches, and crowbars, but have relatively little history in dealing with thieves bent on stealing data. Displaying a large number of cameras in the front lobby can often deter an attacker before anything happens.

Given all of the above, what should your cameras be looking at? Well, here's a quick list:
  • All major entrances to the building. You need to be able to account for everyone entering and exiting your facility in order to narrow a suspect list given a breach.
  • Everywhere that customers normally go. This is not limited to the lobby. There should be camera coverage of all side offices, conference rooms, and other places customers are taken regularly. Furthermore, once these places are defined, customers should be kept out of all other areas.
  • Areas surrounding the building. For attacks that happen wirelessly (and shame on any financial institution employing wireless to begin with), attackers are likely to sit in parking lots or on the sides of streets to do so.
  • Last, but not least, areas with servers and infrastructure devices should be covered. These devices are the core of everything you do, and having physical access grants you a ton of opportunity to steal data.
Additionally, physical considerations need to be made for all computers and network jacks in the areas where customers are allowed. Computers need to be hidden or turned away from places where customers sit, preventing them from accessing the ports where USB devices or keyloggers could be installed. Network jacks should be completely disabled (unplugged from the switch, not just disabled in configuration), or placed on a separate switch for a guest network.

Of course, many of the attacks mentioned above (except the ones with guns, naturally) can be mitigated using good policy and configuration. For example, the USB hacksaw attack is ineffective if autoplay is disabled. It is also considerably less effective if the account currently logged in is running under limited permissions. USB-based attacks are even less effective if the ports are disabled altogether. Other, more common-sense solutions for these problems include simply not allowing customers to be alone in offices. In my experience, the person who was assisting me kept having to leave in order to go to the copier/printer which was located down the hall.