IT Compliance and Controls

Converging Business, Information, and Controls


Hardware attacks threaten integrity and confidentiality

March 21st, 2008 · No Comments

There have been recent successes in research efforts (mostly academic and theoretical in origin, with a few recently progressing into more exploitative proofs of concept) to identify weaknesses that exist in everything from Firewire connections to the magnetic cards used to access secure facilities.  These proofs of concept highlight the necessity of a well-deployed control environment.  They provide evidence for something we have taken for granted over the years, and a lesson learned without being caught in the press or in the courts is a lesson worth taking with pride and passion.

To recap:
Physical access to a device with a Firewire port can allow rewriting certain pieces of code and bypassing the authentication protocols of the device.  This works on both Microsoft platforms and OS X.  This is an attack on the hardware itself, so it applies to every system with such a port!  This includes desktops, laptops, and most importantly servers.

Disk encryption can be overcome if the system is stolen (as an example) while left in standby mode.  This is the result of being able to attack the memory of the system.  There was also a recent demonstration of reading the RAM from your system using an alternate operating system.

Finally, a manufacturing error in widely integrated cards from a primary provider has exposed over 2 billion electronic access cards.

As these exploits have come out over the past few weeks, I have felt a stronger conviction that the practices endorsed by the PCI SSC, the FFIEC, and others are dead on.   Given the above threats, here are some common best practices that neutralize them:

Physical access attacks are always king when compromising systems.  Regardless of the safeguards in place, a stolen system will be breached, and a thief with any savviness will promptly find a buyer for the data on his new fortune.  Therefore we must prepare and safeguard ourselves.  The Firewire / disk encryption / standby mode / RAM reader attacks may be addressed with the following controls:

  • Systems should be configured securely and with the least services.  Specifically, disable through the BIOS or drivers any unnecessary hardware (USB drives, Firewire, that extra DHCP-configured network port).
  • Keep all portable devices on your person.  This may require establishing a policy for remote devices that requires associates to maintain proximity to the device (i.e., don’t leave your device in your airport chair while you run “real quick” to throw out your coffee… I see at least one of these cases every time I am at the airport).
  • Limit the data that is on portable devices, period.  Embrace virtualization, remote computing, and data management initiatives that ensure that if a laptop is “lost” the impact can be mitigated in minutes, not hours.
  • Supervise all visitors to your data center – including contractors, interns, and anyone else!

The threat to the card readers is huge, but not unmanageable.  In fact, you already have controls in place to mitigate this threat simply by having a mature control environment.  Specifically:

  • Monitor the access attempts by users with these cards and ensure that the behaviors match user patterns and comply with policies.  (I.e., is a user accessing two locations that are 50 miles apart in the same 20-minute period?)
  • Establish badge-in and badge-out procedures – users must badge in and badge out of areas, thereby eliminating the ability for a stolen card to be used to access the facility if the user is already inside.  This also provides a second layer of monitoring: if the compromised user cannot access the office they will call the support desk, and this should trigger an investigation.
  • Release a communication to all personnel who have access to issue and reset these badges, to ensure that someone doesn’t “fix” an access problem without vetting the situation.
  • Create triggers on access logs that run in near-real time to report any violations, using email escalation procedures to elevate as necessary.
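As an added example (not code from the original post), here is one way to turn the first two bullets into a near-real-time check over badge access logs: the impossible-travel rule with the 50-mile / 20-minute thresholds given above, plus anti-passback built from badge-in and badge-out records. The site names, coordinates and log lines are constructed sample data.

```python
# Added example (not from the original post): near-real-time checks over badge
# access logs for two of the controls listed above: the "impossible travel"
# pattern (two sites too far apart for the elapsed time) and badge-in/badge-out
# anti-passback (a badge-in by a holder the system still believes is inside).
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Hypothetical site coordinates (latitude, longitude in degrees); constructed values.
SITES = {"HQ": (40.7128, -74.0060), "DC-West": (40.6500, -75.4400)}

def distance_miles(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in miles."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))

def parse(line):
    """Parse a constructed log line 'YYYY-MM-DDTHH:MM:SS badge site IN|OUT'."""
    ts, badge, site, direction = line.split()
    return {"ts": datetime.fromisoformat(ts), "badge": badge, "site": site, "dir": direction}

def check_access_log(lines, max_miles=50.0, window_minutes=20):
    """Return (badge, alert) tuples for every policy violation found in the log."""
    alerts, last_in, inside = [], {}, {}   # per-badge: last IN event, current site
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        badge, site = ev["badge"], ev["site"]
        if ev["dir"] == "OUT":
            inside[badge] = None            # holder left; a later IN is legitimate
            continue
        if inside.get(badge):               # IN while still inside: stolen/cloned card?
            alerts.append((badge, f"anti-passback: IN at {site} while inside {inside[badge]}"))
        prev = last_in.get(badge)
        if prev and prev["site"] != site:   # two sites too far apart for the time gap
            mins = (ev["ts"] - prev["ts"]).total_seconds() / 60
            miles = distance_miles(SITES[prev["site"]], SITES[site])
            if mins <= window_minutes and miles >= max_miles:
                alerts.append((badge, f"impossible travel: {prev['site']} -> {site} "
                                      f"({miles:.0f} mi in {mins:.0f} min)"))
        inside[badge], last_in[badge] = site, ev
    return alerts

# Constructed sample: B100 is normal; B200 appears at two distant sites within
# 15 minutes; B300 badges in twice at HQ without ever badging out.
SAMPLE_LOG = [
    "2008-03-20T08:00:00 B100 HQ IN",
    "2008-03-20T08:05:00 B200 HQ IN",
    "2008-03-20T08:10:00 B200 HQ OUT",
    "2008-03-20T08:20:00 B200 DC-West IN",
    "2008-03-20T09:00:00 B300 HQ IN",
    "2008-03-20T09:30:00 B300 HQ IN",
]
```

Each alert is what the email escalation trigger in the last bullet would send; the anti-passback hit is also the case where the legitimate holder ends up calling the support desk.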

The need for a mature and complete control environment is evident as new (and old) attack vectors and fraud methods are developed.  Consider the lessons of the past, and take this opportunity to ensure the effectiveness of these controls.

Best regards,

James DeLuccia IV

Tags: Access and Authorization · Incident Response Capability · Logical Access · Monitoring and Performance Reviews · PCI · Physical Access
