When I do an audit, or a penetration test, I start by walking around the building, both inside, outside, and sometimes even on the roof. In my travels, I’ll leave my business card where I can gain unauthorized access. How often am I successful? 95% of the time.
I mentally catalog the exterior doors, the signs on them, and I keep an eye on whether people use them a lot. Then I monitor where the smokers go; I’ve often been able to enter a building undetected that way.
From there, I move to the Data Center. How many doors? Do the doors close firmly and immediately behind whoever enters? I’ve gotten in that way, too.
How about door locks? At a business I was at recently, they were still using push-button locks with a four digit code. After the fourth visit to the server room, I had the code in my head. They couldn’t recall when the last time was they had changed the code, either.
Keys? How many keys are there? I’ve never seen a key that couldn’t be duplicated. How about having to deal with when they get lost? One memorable evening, I went around the IT staff’s desks, looking in desk drawers (in pen tests, all “politeness” is off). I found a very nice key ring labeled “Server Room.”
What about contractors or cleaning people? Does someone escort them while they’re in there, or are they left to their own devices? As boring as that is, leaving someone alone with the corporate crown jewels is equivalent to unlocking the barn door. Are the server cages secured? Are there segments to your Data Center, so that the really significant equipment is in a further secured area inside the Data Center?
I recently visited a really nice Data Center, and the Security guys were very proud of their camera system. It was an excellent system, covering all the doors. But what about once someone actually gets in? What are they doing? Where do they go? The company used a lot of subcontractors, and I pitched to the Security guys the idea that they needed cameras for all areas of the Data Center, not just the doors.
They needed to be able to see where someone went down the server rows to do their work. It’s great physical evidence that says it all in a court of law. If someone says they didn’t touch that server, and you have pictures showing them walking down that row and stopping at that rack, well, game over.
We often think about hacking or breaches as something that is completed with some esoteric piece of magical computer code. I think like the bad guys: what’s the easiest way in?