I find it amazingly easy to gain physical access to customer’s networks in a wide variety of instances.
Picture this: Just a few days ago I walked into a mall in the KCMO area with a backpack over my left shoulder and carrying a bag of tools and a manila folder; I walk to the third level and up to the counter of a well-known jewelry store, ask for the manager on duty, and state my business: “I’m here to cutover a fax line.”
While my visit is legitimate, and I have on my person a valid ID, work order, and letter of authorization, and the staff is expecting the service call, I’m never asked to provide any of the verification I have at hand. I am promptly escorted behind the counter into the back room and shown into the equipment area. They were expecting the service call and I looked the part.
You’re probably shaking your head in amazement, but let me share with you that this is a very common occurrence for me. I have experienced this in banks, nursing homes, grocery stores, healthcare practices, stock brokerages, and, well, just about any other business sector you can imagine. If this is so common for DPS to encounter, just think for a moment how truly widespread this could be!
Scams of all sorts abound in today’s world and I find it alarming that so much focus is given to security threats that may originate from the “ether” but not enough is given to protecting the physical network.
With that said, let’s explore a few simple and mostly low cost solutions to this concern:
This level of control should begin at the front door. While many mid-sized and larger businesses employ electronic access restriction using card or fingerprint readers, such solutions are cost-prohibitive for smaller businesses.
Beyond electronic access, there should be human intervention at which point credentials, i.e., personal IDs and company IDs, and authorization documents, i.e., printed work orders and authorization letters should be reviewed. NOTE: a valid work order should contain the technicians name and on-site point of contact.
Visitors should be required to sign-in, providing the date of visit, name, company, personal phone number, a stated purpose of the visit and times of arrival and departure. A visitor/vendor badge should be issued so that employees are provided a visual level of verification.
The technician’s point of contact (POC) should be called to personally escort the them to the area(s) where the work is to be performed and review the scope of work before the work begins. In the event the POC is unable to remain with the technician for the duration of the tasks, physical or electronic access should be provided in order to expedite the work. The POC should provide information as to where the technician can locate them if needed.
Most of the businesses that I work with actually do a decent job of protecting their networks from a workstation access level. It is very rare that I encounter a workstation that is not user-restricted to an acceptable level so as to prevent a user from making changes to the workstation itself or some other network component which could lead to network damage.
Even though we have witnessed the demise of the floppy drive (thank goodness!) and the inherent risks that it presented, we still have a small yet massive hole in our network security if we ignore the USB port. Without these ports secured, there remains the risk of file theft or, worse yet, the introduction of unauthorized software/malware onto the network.
USB ports can be disabled right in most operating systems. For Windows, just review this Microsoft Knowledge Base article to discover how. Fortunately this is a free solution; unfortunately this solution is pretty much all or nothing. If you need a little added security there are software programs available that allow more options when it comes to granting and denying access to USB ports. These programs are very flexible. Most have the ability to assign read only access, read/ write capabilities, complete denial or full control to certain devices or files. You can program the software to allow only certain media, like a keyboard or mouse, but deny everything else. You can grant temporary or scheduled access to certain media or file types, and also control which applications users are allowed to transfer to and from removable devices. Most allow you to assign these settings to a particular user or group name, and apply them to whatever machine that user logs onto. All in all, these software programs are very adaptable, and can be tweaked to fit almost anyone’s needs.
In keeping with the theme of this article, if software sounds a little too over-the-top for your situation, you may want to think about a physical solution: there are locks on the market that trap the cable connecting your keyboard or mouse to your computer, and keep it there. It cannot be unplugged from the USB port without a key. This is like a dual level security lock. Not only does it prevent people from plugging into your USB drive, it keeps your peripherals in place too.
Printer/Multi-function Device Access
Many of the businesses that I interact with have migrated to multi-function devices for all of their fax, copy, and document scanning needs. These devices have evolved over the years and are now quite advanced and include abilities to scan to network device (server or workstation), file, email, and cloud. There are security features that must be setup in order to prevent or restrict the transmission of documents, or direct default storage locations. If your firm deals with sensitive documents, then, you’ll want to be sure to apply appropriate settings.
Inclusive in such settings should be the restriction of access via USB memory devices. The USB port can be restricted or disabled depending on your individual needs.
Equipment Room Access
If your facility already has key card access, then, this is an easy fix. If not, there are options available to secure individual doors using either mechanical or electronic combination latches. Be sure that only those who have a legitimate need for access to such rooms possess the codes.
Equipment rooms come in many sizes and situations. Some are actual rooms and others may be a wall mounted cabinet. If yours is a wall-mounted type, just be sure its secured and a designated staff member has access to the key or combo.
Once in the network room or cabinet access to the network, both internal and external, can easily be gained. Keeping the network space secure may be sufficient, but an awareness that anyone with a laptop and patch cord can plug directly into a network switch and be “on” your network. The vast majority of switches in commercial use today are “managed” meaning that the individual ports thereon can be assigned specific features. Such features as port speed, VLAN ID’s, etc., but they can also be disabled and that is the measure of security I would advise.
Point of Demarcation (POD)
The demarc is the physical point at which the public network ends and the private network of a begins – this is usually where the cable, whether fiber optic, copper, or coax, physically enters a building. I have seen an increase in active components being placed in these areas by both the owner of the public network and some intermediaries. A service delivery switch or a Network Interface Device (NID) are common sights in the demarc these days and these areas are largely unsecured.
In summary, if there’s an open door or an open port of whatever flavor, there’s a vulnerability that’s there for the exploitation in the physical sense. Verifying the identity and authorization of technicians and taking simple steps to secure and restrict access to devices and spaces are important and inexpensive ways to protect the physical side of your network. None of these need be overly complex, because we aren’t suggesting creating additional bureaucratic red tape, just keep things simple and remain diligent.