It’s easy to focus on the technical security issues affecting Linux in the enterprise. After all, those of us working with Linux are techies at the core, so we tend to focus on the bits and bytes of security. But there’s another often overlooked aspect we must not forget about when it comes to managing Linux-related risks: physical security.
When physical security is weak in the office building or data center, it can often detract -- if not completely negate -- all other security controls. It doesn’t matter if your business or your data center provider has gates, armed guards or glowing SAS 70 Type II audit reports -- once physical access is gained, all bets are off. Physical security weaknesses are something that affect practically every organization, every building and every person involved. Exacerbating the problem, physical security tends to be more dynamic in nature -- it’s constantly changing. Sure, there are typically a few fixed controls associated with physical security, but the fact that people who are continually coming and going are involved with many aspects of physical security makes this a difficult beast to tame.
Linux is often run on critical systems in areas where physical security matters. Some common issues I come across in environments containing Linux-based systems include:
- Server room/data center control systems with a Web-based management interface running with the default admin password. Anyone on the network could disable cameras, delete DVR files and audit logs, adjust temperature thresholds, and more -- including outsiders via an exposed wireless network.
- No functional cameras at server room/data center ingress and egress points. They’re reactive, but it’s still a good control to be able to fall back on.
- Unconcerned and overly trusting receptionists not questioning the business of people without badges -- or fake badges. Fake badges are easily created and a quick flash of the badge to the receptionist is often all that’s needed to get in or tailgate behind other trusting souls.
- Physical keys being used for server rooms. They’re easily copied, lost and unaccounted for.
- Shared passwords for customer kiosks that tie into door access codes. The principle of accountability applies to physical security too, and one-time passwords help solve the access control management nightmare of high-traffic areas.
- “Protected” storage areas that had no locks on the doors and broken locks on filing cabinets. It’s odd that people leave sensitive IT-related documentation, such as incident response plans and password lists, in unprotected storage areas around the office, but it happens.
- Media, such as tapes, external hard drives, and USB drives containing backups of critical development and IT administration systems. Once the media is acquired, it’s often easily restored to another system.
The reality is that someone doesn’t have to break and enter in the traditional sense to compromise physical security and, ultimately, information security. Once physical access is obtained, anything is fair game. Recently I had a colleague who specializes in social engineering ask me if I were able to gain physical access to an environment and he provided me information of a specific machine to target on the network, would it be possible to gain control of that system? I told him several factors would come into play: patch levels, configuration settings, intruder lockout, whether I could access the same network segment as the target system and so on, but yes, it’s entirely possible. Even simpler, if I had access to the system itself, we’d have near 100% certainty of gaining access.
Never forget that securing your Linux systems is just as much a non-technical issue as it is a technical one. Be it for employees, contractors, vendors or other guests, physical security must always be on the top of your mind. If not, a weakness can rear its ugly head and bite when you’re least expecting it.
ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments. Kevin has authored/co-authored eight books on information security, including Hacking For Dummies, now in its third edition. He’s also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at his website, www.principlelogic.com, and on Twitter at www.twitter.com/kevinbeaver.
This was first published in October 2010