When talking about security, companies often focus on the “security perimeter“. Inside this perimeter, you have the “good” guys and all the rest is considered as the “wild” world, the Internet. Once you passed the access controls, you are free to walk and do what you want. Can you approve this from a security point of view? And this is true for physical security as well as network security. So often, I found myself alone in corporate buildings where I could perform so many malicious actions! (I insist here on the “could” verb ;-))
A new wave of gadgets, called the “PlugBot” or the “Pwnie Express“, are available for sale on the Internet. The work “gadget” is not the most appropriate in this case. I would say “killer tools” instead. Those small boxes have the same size as a PLC adapter. This makes them extremely portable and discrete. They integrate a powerful toolbox:
- 1.2Ghz CPU.
- Local storage (expendable via memory cards).
- Linux based.
- Several communication ports (Ethernet, WiFi, 3G, Bluetooth) depending on the model.
- A full set of useful tools (Metasploit, SET, nmap & co).
A full package for only a few bucks (starting from $220 for a Pwnie Express). This is a ridiculous investment compared to the profit that could be made by stealing data from companies. With the help of social engineering, it’s very easy to enter a company building and find an unprotected network patch! Some examples of scenario:
- Coffee & soda suppliers have full access to building to recharge their devices
- Fax/Printers maintenance is performed by external companies
- Cleaning people / gardeners
- Plumbers
- Contractors
- Visitors
- Inside intruders (don’t under estimate them!)
Pentesters will like this! Once connected to your network, game over, you are 0wn3d! The device will be remotely accessible via WiFi or 3G. The attacker will have plenty of time to plan his attacks without fear of being discovered. It completely changes the pentester’s perspective. Really nice. But from the other point of view, how to protect yourself against this type of intrusion? They are two approaches that must be combined: enforce a physical security policy and enforce network controls.
The first one, physical security, is easy to understand but not always easy to implement. The golden rule is: Nobody can be allowed to access your premises without a prior identity control, a valid access reason and a contact person:
- Visitors must be clearly identified and access logged (time-in, time-out). They must wear a visible “visitor” badge.
- Visitors cannot be left alone and must always be accompanied by a team-member
- Visitors must stay in their allowed area (ex: a meeting room).
- Visitors must leave their luggage at the reception and carry on only the required stuff.
About the network security, some best practices could reduce the risk. First, implement network segmentation! Networks must be classified based on the data passing over them and access to them must be restricted based on their classification. Why allowing access to the servers VLAN from a meeting room? Tools and configurations can be used to increase your network security. They can be grouped in two categories: prevention and detection.
Prevention is the techniques and solution that will (or at least, try to) avoid attacks from happening. At the opposite, detection is the implementation of controls to detect and to notify about ongoing attacks. Both are part of a defense-in-depth model. If prevention fails (and keep in mind that it will!), detection will ring an alert.
Here are some recommendations:
Solution | Prevention | Detection |
Shutdown unused port on switches. “shut” is your best friend command on Cisco switches. Don’t let ports “open” or at least set them in a default (safe) VLAN. | x | |
Active MAC address learning on switches. Major switches implement a control on the MAC addresses. If a new MAC address is detected, the port can be automatically disabled. | x | |
Implement a NAC (“Network Access Control“) solution. Based on free (like PacketFense) or commercial tools/protocols: (802.1x, VPMS), a NAC can allow/deny access to your network and report problems. | x | x |
Implement network segmentation (Read: don’t put all you eggs in the same bag). Unknown devices must be connected to an untrusted VLAN. A “guest” VLAN can be created for temporary Internet access (on demand!) | x | |
Implement MAC address detection. Using tools like arpwatch, unknown MAC addresses can be detected on a network. | x | |
Monitor ports status on switches. Except on access switches, once a device is connected, it remains in the same state. Monitor the port status changes on your switches. They could hide suspicious activity. | x | |
Lock public network ports / wall plugs. Don’t leave unattended ports in public area (reception, meeting rooms, etc). Use locks. | x | |
Look for suspicious traffic! It’s always interesting to analyze your network flows for suspicious traffic. | x | |
Enable host based firewalls / ACL’s. All hosts must implement ACL/firewall to restrict access to authorized people/hosts only. | x | |
Use WiFi scanners to detect rogue wireless access points. | x | x |
This proves, once again, that the good old security perimeter is definitively dead! Don’t trust any device nor traffic seen on the “internal” side of your network. If we can still call it “internal”…
We went as far as utilize RJ45 Port locks, such as Padjacks, in our clients faiclities to prevent the curious from plugging in.
Two customers were hacked with the help of Connectify. It turns on your Windows workstation as a wifi AP. Security hole can now be everywhere.