Preface: This article was published in Security Oz Magazine, April 2002, aimed at a non-IT-expert audience. Although most of the concepts are highly relevant today, some of the information herein is dated (or no longer applicable); it is archived here for posterity.
Twelve hours before his announcement to the world, the CEO sits hunched over his keyboard putting the finishing touches to his company's plans. If any competitors discover these plans the company will be finished. In the street below, an innocent looking delivery van sits with its engine idling quietly. Inside the rear of the van, two men sit in front of a wall filled with monitors watching every word appear as it is typed on the keyboard in the office six floors above. "We've got them" mutters one of the van's occupants as he smiles, amused that the company will never know how secrets which were kept on computers not even connected to a network, inside locked cabinets in a secure building ever fell into their opponent's possession.
The CEO has fallen victim to a TEMPEST attack: the interception and monitoring of electromagnetic radiation (EMR) emitted by electronic devices - in this case, his computer's monitor. The above reads like a spy novel, yet the technology is quite real. TEMPEST, speculated on for many years, is now publicly acknowledged by agencies such as the Defence Signals Directorate (DSD) in Australia and the National Security Agency (NSA) in the United States. Both of these organisations maintain lists of approved TEMPEST-resistant hardware such as shielded rooms, laptops, monitors and cabling equipment for those wishing to reduce their exposure to this form of eavesdropping.
For many organisations, the romantic notion of Information Security (infosec) is 'Us versus Them' with 'Them' either being long haired 'hackers' hunched over keyboards in darkened rooms somewhere in the world, or men in vans as described above. Imagine this scenario then:
The cleaner has to gain access to the server room daily at half past five. Per your company's security policy, he must be supervised at all times. With a burly guard watching his every move, he walks behind a rack and, while dusting, plugs a KeyGhost into the back of a server. A week later, he unplugs the KeyGhost and deftly pockets it. That night he reconnects it to his home computer's keyboard connector and types a password on his own keyboard. Seconds later, every keystroke that was typed on the keyboard at the office is copied onto his screen. Every username, every password and every command is now in his possession. Conveniently, one of the system administrators also used the server to access his online banking, to which the cleaner now has the PIN as well.
I deliberately used a cleaner in the above example to illustrate several key infosec issues. Firstly, sophisticated 'hacking skills' and black vans are not required to gain access to protected systems. The KeyGhost is a cigarette lighter sized New Zealand invention, available to anyone for several hundred dollars that will faithfully capture keystrokes straight off the keyboard cable. That is, you do not require the ability or administrative permissions to install software, only physical access to the back of the target machine for about five seconds.
Secondly, consider the company IT Security Manager, so concerned about external threats that he had approved a $200,000 firewall, encryption across the whole network and made users regularly change their long, unguessable passwords. As system authentication was principally dependent on passwords, however, the cleaner, in possession of passwords, now had unrestricted access to view, modify or delete files and their contents. Even more insidiously, this intrusion would likely remain undetected. Alternatively, if subsequent damage was eventually discovered, as the stolen passwords belonged to actual users, the system logs would show the genuine administrator as having perpetrated whatever pernicious deeds were committed. He or she would then potentially be liable despite taking all mandated security precautions to safeguard their password (not writing it down, not disclosing it to others and so on).
Like firearms, electronic surveillance tools such as the KeyGhost can be used for good, as well as nefarious purposes, depending on who has control of them and how they are used. For the 'good guys', the KeyGhost is also marketed as a backup device to allow users to capture keystrokes for subsequent replay if the hard disk or operating system crashes. Equally, where authorised and lawful, similar devices or their software equivalents can be employed as a surveillance tool to monitor potentially unlawful activity, or by untrusting spouses to see if their partner is visiting porn sites on the Internet!
International governments are becoming increasingly interested in large-scale electronic monitoring programs, most notably the US-sponsored systems 'Echelon' and 'Carnivore'. Available information on these projects ranges from Government-issued documentation confirming the existence of large monitoring networks, to conspiracy theorist newsgroup postings that would convince you The World is Ending on Tuesday.
Essentially, the systems fall into two broad categories. In the first, of which Echelon is an example, effectively all traffic over the nominated network (such as the Internet) is intercepted at one of several 'listening posts' in allied countries, captured and searched for information which might indicate unlawful activity (for example keywords such as "car bomb", "airport" or "launder"). The second functions on a more targeted basis and restricts monitoring to a specific person or network. This is the computing equivalent of a wiretap - an NSA agent could install a Carnivore on the ISP's connection to monitor one of their clients under investigation. Even if it is not the Government reading it, remember that system administrators and numerous others have ready access to email in much the same way that a postal delivery worker might to your real mail. It is therefore prudent to assume that your email is being intercepted and read by third parties. If this poses a threat, then encryption is generally the only solution. Under this scenario, should the mail be intercepted, it is not necessarily intelligible. Recent reports by MSNBC claimed the FBI were developing software codenamed 'Magic Lantern' which would enter a user's computer in a similar fashion to a virus and record keystrokes on that machine for despatch to an FBI address. This would eliminate the difficult requirement for the FBI to crack any encryption used, by allowing them to attack the protocol directly - stealing the password, rather than using massive computing power to crack the encryption by 'brute force', with no guarantee of success, timely or otherwise.
Legislation in these matters is generally restricted in scope, and new evidence gathered by these techniques is subject to scrutiny by the courts for admissibility. In the United States, privacy advocates are arguing that security agencies are relying on the events of September 11 to speed their desired legislation through the legal system while civil liberties may still be taking a back seat to security issues. This legislation is occasionally complemented by laws affecting how encryption software - which would make interception difficult - may be used. As with many 'cyber law' issues however, legislation in the USA or Australia would not necessarily be enforceable in many other nations. As well, it is often drafted, ratified and approved by people without the necessary technical nous to fully appreciate its scope. The potential result is legislation which could unfairly punish legitimate users, yet be incapable of prosecuting illegal activity where the perpetrators have the technical means to evade detection.
Physical versus Computer Security
Drawing on a basic principle that all security professionals should be familiar with - that any security is only as strong as its weakest link - we can see from the above, that despite the best intentions and practices from an IT security perspective, the lack of physical security resulted in a complete failure to protect the systems in question. Consider whether your organisation has measures in place to prevent unknown parties from gaining physical access to your computers. I have conducted numerous 'ethical hacking' exercises on behalf of companies wishing to realistically test their own security. Often these companies anticipate technically sophisticated hacking attempts or use of highly advanced data intrusion techniques that hopefully will be warded off by their firewalls and network intrusion detection systems. Unfortunately for them, one of the most effective tools is a suit and tie together with the ability to not look out of place in their company. Amazingly, not only is it still common to be able to 'tailgate' someone through a supposedly secure door, but often staff would politely hold doors open for me as I entered. Remember, ten seconds access to a machine may be all that is required. Grabbing an unsecured laptop on the way out, and the data it contained, could also likely be worth more than the dollar cost of the computer itself.
It is no longer appropriate for security professionals to classify themselves as either 'physical security' or 'IT security'. Physical security electronics are becoming increasingly technically advanced. One need only compare the newest technologies being marketed with those of five years ago to understand that security managers now require solid technical expertise to fully appreciate and utilise this technology. Equally, computer security managers must become increasingly familiar with physical security risks, and the means to mitigate them. No amount of firewall software or password protection will prevent a person with physical access to the computers from literally carrying the protected servers, tape cartridges or CDs out of the office into the boot of a car to review at their leisure.
Am I at risk?
Good security plans stem from a formal threat and risk assessment. This allows an organisation to identify where their greatest threats originate from and the relative risk they pose. From this, priority can be assigned in determining how to effectively mitigate these risks and hence limit their potential for damage. Priorities are important, as an organisation can otherwise add more and more security, with the massive cost this might entail, yet completely fail to protect themselves adequately. Alternatively, their efforts might be directed toward the wrong area (like having strong passwords, yet allowing a cleaner to get access to the machine). AS/NZS 7799, the Australian/New Zealand Standard for Information Security, dictates the need for a formal threat and risk assessment, and compliance with 7799 is an excellent goal for companies, even though they might not be legally required to attain certification, as is soon to be the case with Australian Government suppliers, for example.
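As an added illustration of the prioritisation argument above (this is example code written for this archive, not from the original article and not the method prescribed by AS/NZS 7799), the following Python models an asset as a set of attack paths, scores each path by impact, likelihood and how weak its current controls are, and then applies the weakest-link principle: the asset's risk is the risk of its most exposed path. Candidate improvements are ranked by risk reduction per dollar. The asset, the paths, the ratings and the costs are all constructed for the example; note that spending on the already-adequate password control buys nothing while the cheap physical control is missing.

```python
"""Weakest-link risk prioritisation (constructed example, not AS/NZS 7799)."""
from dataclasses import dataclass, replace

# Three-level ordinal scale used for impact, likelihood and control strength.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Path:
    name: str
    likelihood: str        # how likely an attacker is to attempt this path
    control_strength: str  # strength of the controls currently on this path


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str            # consequence if the asset is compromised
    paths: tuple           # tuple[Path, ...]


@dataclass(frozen=True)
class Option:
    path_name: str         # which path the spending improves
    new_strength: str      # control strength after the improvement
    cost: int              # constructed cost in dollars


def path_risk(impact: str, path: Path) -> int:
    # Exposure is the inverse of control strength: weak controls (1) give 3,
    # strong controls (3) give 1.  Risk = impact x likelihood x exposure.
    exposure = 4 - LEVELS[path.control_strength]
    return LEVELS[impact] * LEVELS[path.likelihood] * exposure


def asset_risk(asset: Asset) -> int:
    # Weakest link: the asset is only as safe as its most exposed path.
    return max(path_risk(asset.impact, p) for p in asset.paths)


def prioritise(asset: Asset, options: list) -> list:
    """Rank spending options by risk reduction per dollar (best first).

    Returns tuples of (path_name, new_strength, cost, risk_reduction).
    """
    base = asset_risk(asset)
    ranked = []
    for opt in options:
        improved = tuple(
            replace(p, control_strength=opt.new_strength) if p.name == opt.path_name else p
            for p in asset.paths
        )
        reduction = base - asset_risk(replace(asset, paths=improved))
        ranked.append((opt.path_name, opt.new_strength, opt.cost, reduction))
    # Highest reduction per dollar first; cheaper option wins ties.
    return sorted(ranked, key=lambda r: (-(r[3] / r[2]), r[2]))


# Constructed asset mirroring the article's scenario: good passwords and a
# good perimeter, but a server room the cleaner can reach unsupervised.
PAYROLL = Asset(
    name="payroll server",
    impact="high",
    paths=(
        Path("network perimeter", likelihood="high", control_strength="high"),
        Path("password guessing", likelihood="medium", control_strength="medium"),
        Path("physical access to server room", likelihood="medium", control_strength="low"),
    ),
)

# Constructed spending options and costs.
OPTIONS = [
    Option("password guessing", "high", cost=5000),                  # longer passwords, more rotation
    Option("physical access to server room", "medium", cost=500),    # supervised access, visitor log
    Option("physical access to server room", "high", cost=8000),     # locked rack cage, access control
]

if __name__ == "__main__":
    print(f"{PAYROLL.name}: current risk {asset_risk(PAYROLL)}")
    for path, strength, cost, reduction in prioritise(PAYROLL, OPTIONS):
        print(f"  raise '{path}' to {strength:<6} cost ${cost:>6}  risk reduction {reduction}")
```

The ranking shows that the cheapest option (supervising access to the server room) removes as much risk as the expensive rack cage, and that the password improvement removes none at all, because the physical path still dominates the asset's risk afterwards.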
If you are only looking overhead for attackers, you might fall down a manhole
Echelon and TEMPEST attacks join cryptanalysis (breaking encryption) and packet sniffing as frequent topics of discussion among the security and hacking discussion forums. These threats are certainly real and this article does not suggest otherwise; it is, however, important to take an overall approach to your organisation's security. If you come from a physical security focus, give greater consideration to the IT security issues. Banks today carry more value online than in cash stored in their vaults. You should consider the value of your company's information assets as well as tangible goods. If your background is predominantly based in computing, you should increase attention to the physical security issues as well. Eliminate the weakest link!
Returning to the earlier concept of where threats originate, remember that it is statistically more likely that a threat will originate from inside the organisation than outside. Staff may be deliberately accessing files or data to which they are not authorised. This may also mean accessing other people's email. Alternatively, staff may be working under another person's login. This means any logging or account auditing will be useless, as there is no direct accountability for user actions. Staff may be using your email system to send confidential data to your competitors. Consider whether you have any temporary or freelance staff using your systems! If staff routinely execute file attachments to their email, they could be unwittingly installing a Trojan horse application, which would potentially allow a person outside your office to have full control over that machine. This could include the ability to read and write files and even turn on the computer's microphone or camera to listen in on the area around it! Even though your staff may have known the person who sent them the seemingly innocuous file, that person may not have knowingly sent it. Many digital viruses can self-propagate without any user action.
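One symptom of staff working under someone else's login, which the paragraph above says defeats account auditing, is the same account being active on two workstations at once. The following Python is an added detection example (written for this archive, not from the original article) that walks a chronological login log and raises an alert whenever an account logs in on a second host while its session on the first is still open. The log format and every line in it are constructed for the example; a real system's audit log would need its own parser.

```python
"""Detect one account active on two workstations at once (constructed example)."""
import re
from datetime import datetime

# Constructed log format: "<timestamp> LOGIN|LOGOUT user=<name> host=<workstation>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) host=(?P<host>\S+)$"
)

# Constructed sample log.  jsmith's account is used on the mailroom machine
# while still logged in at accounts; bnguyen simply moves desks after lunch.
SAMPLE_LOG = """
2002-03-04 09:02:11 LOGIN user=jsmith host=ws-accounts-03
2002-03-04 09:05:47 LOGIN user=bnguyen host=ws-hr-01
2002-03-04 09:15:40 LOGIN user=jsmith host=ws-mailroom-01
this line is corrupt and should be skipped
2002-03-04 12:00:03 LOGOUT user=bnguyen host=ws-hr-01
2002-03-04 13:01:19 LOGIN user=bnguyen host=ws-hr-02
2002-03-04 17:30:02 LOGOUT user=jsmith host=ws-accounts-03
2002-03-04 17:31:55 LOGOUT user=jsmith host=ws-mailroom-01
2002-03-04 17:40:10 LOGOUT user=bnguyen host=ws-hr-02
""".strip().splitlines()


def parse(line: str):
    """Return (timestamp, event, user, host) or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["event"], m["user"], m["host"]


def find_concurrent_logins(lines) -> list:
    """Return one alert per login that overlaps an open session on another host.

    Lines must be in chronological order.  A LOGOUT without a matching LOGIN
    (e.g. the log started mid-session) is ignored rather than treated as an error.
    """
    active = {}   # user -> {host: login_time} for sessions not yet logged out
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip corrupt lines; a real tool would count them
        ts, event, user, host = rec
        sessions = active.setdefault(user, {})
        if event == "LOGIN":
            for other_host, since in sessions.items():
                if other_host != host:
                    alerts.append({
                        "user": user,
                        "existing_host": other_host,
                        "existing_since": since,
                        "new_host": host,
                        "at": ts,
                    })
            sessions[host] = ts
        else:
            sessions.pop(host, None)
    return alerts


if __name__ == "__main__":
    for a in find_concurrent_logins(SAMPLE_LOG):
        print(f"{a['at']}  {a['user']} logged in at {a['new_host']} "
              f"while still active on {a['existing_host']} since {a['existing_since']}")
```

An alert of this kind does not prove misuse (a user may simply have left a session open and walked to another desk), but it is exactly the condition under which the log's record of "who did what" stops being trustworthy, so it is worth investigating and, better, preventing by locking unattended sessions.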
The 2001 FBI Computer Crime and Security Survey notes that although the number of attacks originating from inside the organisation has historically been higher than from outside, this trend may be gradually reversing. It is important under either scenario simply to be aware that neither 'side of the wall' should ever be overlooked or underestimated as a source of attack.
Security without expense
Sadly, it is often difficult to gain approval for spending on security, as companies often fail to see a return on that investment. Considering the alternatives, however, makes for a compelling argument indeed. The mantra of "You won't make money on security" is believed because the public almost never hears about security that works, only security that failed. This is of course why you will never see a front page newspaper headline declaring "Large Australian Company Not Hacked Today", only one proclaiming the opposite.
How then can a Security Manager convince the financial managers and accountants that the expenditure on security is necessary? The good news is that within the IT Security market, vendors are increasingly positioning their products as "business enablers" rather than merely security tools. For example, most firewalls today also provide Virtual Private Network (VPN) functionality. This can allow remote offices to securely connect to corporate networks over the Internet, saving the considerable expense of privately leased lines. As well, employees can connect from home and this has obvious financial benefits. The firewall can therefore be sold as a tangible cost-saving device rather than solely a security expense.
Technology isn't the answer
Companies must remember however that technology alone does not guarantee security. It is completely false to believe that plugging a box into your network will resolve your security problems. At best, security hardware and software is simply digital enforcement of your corporate security policy. If your policies are not in place and appropriate to begin with, then your security will never be either. A good security policy is also only effective when it is accurately adhered to by management and users alike.
Are your users trained in their responsibilities? People often don't understand all of the rationale behind good security practice if they have not been shown how to take responsible steps in maintaining it. Consider whether your staff have been shown how to prevent 'tailgating' through doors, for example. If they have not, then it should come as no surprise that this security breach takes place. Similarly, do all your users ensure their machines are locked or logged out when they are not sitting at them? How well do your users guard their passwords? Do your staff understand how to minimise the threat of viruses on the network? Antiviral software alone is insufficient without proper training and guidance. Would your users fall victim to a social engineering attempt that could result in them giving away sensitive information to someone posing as an authorised party? A receptionist in a Melbourne company received a call from a person claiming to be from the business that services their PABX system. The receptionist was asked to type a series of digits and read the comment that appeared on the LCD screen. Unaware she was in fact diverting one of the office phone lines overseas, she duly typed in the digits, read the screen and ended the call. One month and approximately forty-seven thousand dollars' worth of calls later, the company discovered what had happened. By this time of course it was too late, and the company was found liable for the full amount of the bill.
Your staff should understand that security transcends all company rank. It is important that staff challenge supposed seniors for positive identification before yielding sensitive information, or access to systems and data.
Are your staff all familiar with internal security procedures, or would one (and it only takes one) of them let a stranger into a sensitive area of your office? Do your employees shred documents with religious fervour? Are doors propped open by employees? Are visitors supervised at all times? Consider that very few of the preceding points would cost a lot of money (if any) to implement. Failure to implement any of them would however also almost certainly negate any investment in a firewall, content filtering gateway or other security software and hardware.
The events of September 11 made much of the world sit up and consider security issues for the first time. Despite this, no new threat was actually born that day that hadn't existed the day before. What was born, however, was an increased awareness of certain issues by even the least security-aware people. Good security, however, is proactive. It is not about putting out fires; it's about removing the means to light them in the first place.