How vulnerable is your data?
Is a loss of data caused by a breakdown in physical security any less damaging than a loss caused by a breakdown in cyber security? With all the emphasis on cyber security, physical security has taken a back seat. The purpose of this article is to discuss vulnerabilities of critical infrastructure and present easily implemented mitigation.
We will not discuss what a hacker or terrorist can do once inside a data closet. Needless to say, you don’t want those people on the inside of your facility. Understand that if a hacker or terrorist is in your data closet, he or she is already inside your firewall. Data closet doors are often not opened or checked for weeks or even months. These intruders may never be detected.
Let’s review some of the issues related to the physical security of data. Finding a data closet is a very simple matter. Walk down any hallway in a business complex and listen. The noise from the fans used to cool the data switches is a dead giveaway, this is a data closet door.
Recently I had completed an inspection of a data closet. When walking away from the closet, the click of the door closing did not sound right to me. The door had recently been secured with a new badge entry system. As I checked the installation, I noticed the gap between the door edge and the jamb was too wide. I was able to open the door in 1.6 seconds with a piece of plastic, sometimes called the “credit card door-opening trick”.
Become familiar with the proper action of a dead latch on a door lock. Improper installation of the lock on the door mentioned above is what allowed the 1.6-second defeat of the door lock. An internet search as simple as “dead latch not working” will produce an ample list on how to mitigate this vulnerability.
Key control deficiencies
Mechanical key control is probably the most common known weakness of physical security. If a “Grand Master” key is lost and then found years later, it can still open all the locks. Another weakness of mechanical keys is any key can be duplicated. An audited list of keys and keyholders is not a “guarantee” of who has every key. Even “high security” or “patented” keys can be defeated.
At another building I found an unlocked door. I was able to remove the lock cylinder with a power screwdriver in about 17 seconds. When maintenance or security finds a missing cylinder, they may dismiss the issue with “people will steal anything”, replace the missing cylinder and never give it another thought. With that cylinder and a rudimentary knowledge of locks, even the grand master key can be reverse engineered. With a few tools, a block of metal and enough time, a grand master “key” can be handmade, giving access to every door.
A cell phone camera may be the biggest threat to mechanical keys. Because of specifications in manufacturing, a photograph of a key will reveal the depths of the cuts used for a key to open a door. With that information, and a basic knowledge of locks, anyone can handmake a key to your door. Even easier is a key-making service. Visit key.me on the internet.
Key control remediation
One solution to mechanical keys is to eliminate them with just badge access. However, this may not be practical for a hospital. If a data closet goes down taking the badge reader down at the same time, it may become a “life safety” issue if patient monitoring and electronic records are affected. Other institutions may have similar issues with dire consequences if a failed badge reader is the only access to the data closet.
Another solution to mechanical keys is an electronic key system. Several exist, including those manufactured by Medeco and ASSA-Abloy. A desirable feature of electronic keys is that each key has a limited life, from 1 day to 365 days. Before the key expires, the user needs to plug the key into a “refresh station”. The electronic key program provides an audit of where the key has been used. The key then receives a new schedule of where it may be used and a new expiration date. If a key is lost or an employee is terminated, that key can be “blacklisted” very quickly, preventing further use. The user can also be required to use a PIN to refresh his or her key, thus preventing a found key from being used by an unauthorised user.
Heavy duty steel door frames should be a requirement for secure areas, including data closets. Doors should be heavy duty solid core. A door closer is mandatory. Security doors need to close automatically. The door closer should swing the door completely closed so the latch and dead latch engage the strike plate properly. Door locks should be “storeroom” function that stays locked 100% of the time, and require a key or badge swipe every time the door is opened.
For locks with a mortis or rim cylinder, a security ring designed to spin while not allowing pliers or a pipe wrench to collapse around the cylinder, should be used. Pliers can grab the outer rim of a cylinder and force the cylinder to turn and be removed. A mortice cylinder is held in place with a set screw which can be forced or bent allowing the cylinder to be removed. At that point a finger can be inserted into the lock and can usually operate the locking mechanism quite easily, opening the door.
Within most badge-access software is a “door propped open” feature. If a door is held open for more than a predetermined length of time, the system will alarm. Security can be dispatched to investigate and ensure the door is properly closed. Another feature in most badge access software is a “forced door alarm”. If the door opens any other way than a normal badge swipe, such as a door being kicked or forced open with a crow-bar, the system will alarm.
Additional security can be achieved with a motion activated camera and two-way voice capability. For each entry into a data closet, require that a work order be in place. Security, once alerted to motion, can view the person entering the closet and require them to show the work permit to the camera. If no permit can be produced, security can be dispatched to escort them from the building.
Question the manufacturers of the hardware used to physically protect your data areas as well as the actual components of your network. Have the printed circuits being used been tested against Electromagnetic Pulse (EMP)? Some feel this is a real and imminent threat. Consider this in your business continuity plans.
These suggestions are by no means comprehensive and cannot guarantee that no one will be able to get in your data closet. The goal is: “Harden the target”. Implementing these and other suggestions may harden your data areas enough that a hacker or terrorist who might have been intent on getting physically inside your firewall, will be discouraged and try some other business or location. It is far better to keep that hacker out than to clean up the mess later.
To learn more on the topic of physical data security, and the wider topic of cybersecurity, please see the latest findings from ISACA’s State Of Cybersecurity Report (Part II), and the agenda for the EuroCACS/CSX 2019 conference occurring 16th-18th October in Switzerland.
Carbon Lundgren, CISA, brings a unique perspective to securing IT assets that carry your data. With a background of 50 years in physical security, his career has now taken him to the position of lead security specialist for a world-renowned health care company with over 600 data areas to secure. Carbon has been heard to say, “I have a criminal mind”. Using the criminal mindset, Carbon has developed a best practices protocol that is becoming widely accepted by industry and governments. Some of the skills Carbon has learned is lock picking, and that of a professional safe-cracker. These skills directly relate to establishing physical barriers that will prevent hackers and terrorists from beginning their attacks inside the firewall. Carbon’s knowledge directly relates to several areas of COBIT: Appendix A: Mapping Pain Points to COBIT Processes and NIST: Table D-1: Mapping Access Control Requirements to Security Controls.
If you would like to join our community and read more articles like this then please click here.