Physical and Operational Threat Assessment


Because the preceding chapter was all about threat and risk assessment, you'd be correct to assume that this chapter starts off by giving you some tools to figure out what level of risk you face from physical and operational threats. Many of these threats will be familiar, as they affect homes and offices equally; some are specific to particular environments.

The most obvious physical threats are those that directly threaten the physical components of a computer. These include damage due to fire, flooding, careless placement of coffee cups or soda cans (the so-called grand latte effect), power surges or dips, and so on. We can loosely refer to these threats as environmental, because most of them stem directly from the physical environment in which the computer is located.

Next come threats from people. These threats can be divided into two primary categories: malicious and nonmalicious. Malicious threats include theft, sabotage, and physical attacks against the integrity of the computer's software or hardware. Nonmalicious threats include accidental damage, improper maintenance, or plain old forgetfulness (as at one customer I visited; they set a blank password on the domain administrator account so that their hardware vendor could build a new cluster for them, but they forgot to change it back later!).

Of these possibilities, the most interesting are probably related to physical integrity attacks. Some potential attacks you might not have thought of include the following:

  • Surreptitiously booting the machine off a floppy or CD and stealing or modifying valuable data.

  • Booting with a third-party boot disk that allows changing the local administrator password, then using that account to compromise a trusted domain account.

  • Installing Trojans or escalating privileges using local exploits against vulnerabilities in the operating system or applications.

  • Disabling access or audit control systems or tampering with security logs and audit records.

  • Changing the basic input/output system (BIOS) password so that legitimate administrators don't know what it is. A variant of this attack is to secretly remove the BIOS password altogether.

  • Using bootable universal serial bus (USB) or FireWire devices (especially those diabolically clever little thumb-sized USB storage devices) to steal or modify data.

  • Hooking up unauthorized peripherals, including Web cams, microphones, and keystroke loggers (that's how the FBI eventually bagged traitor Aldrich Ames and organized crime kingpin Nicky Scarfo).

People threats are harder to mitigate, because a clever attacker can exploit the principles described in Chapter 4, Threats and Risk Assessment, to attack precisely the component you haven't protected at the time you least expect it (or at the time it's most vulnerable). In addition, don't disregard the simple fact that people can be bribed or threatened; if you have extremely valuable or sensitive data, you should keep this in mind as you design your security policies. The good news is that strengthening your access controls will help keep malefactors away from the machines in the first place.




Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189
