As HW approaches, how is the physical security that has been forgotten doing?


In recent days, a network attack joke has gone viral on the Internet.

Admittedly, this joke has an element of exaggeration, but it also points out the importance of physical security (here referring to

The reason is that when enterprises build a security system, they pay most of their attention to preventing network attacks. The resources and manpower invested in security are limited and cannot cover everything, so some seemingly insignificant corners are inevitably forgotten. But those corners can hide fatal risks.

With the rapid development of Internet of Things technology and its wide application in daily life, the importance of physical security has become even more prominent. Enterprises now need to start paying attention to physical security as well. After all, security is an integrated concept: wherever there is a gap, attackers may use that gap to carry out an attack.

As the annual HW is about to begin, how is the physical security that has been forgotten in the corner doing?

Physical security is the foundation of network security.

So-called physical security refers to the security measures that deny unauthorized access to facilities, equipment, and resources, and protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physical security relies on multiple interdependent layers, including closed-circuit television monitoring, security guards, protective barriers, locks, access control procedures, and many other technologies.

Physical security mainly involves three aspects: the machine room environment, equipment security, and transmission medium security, each with its own requirements. Equipment security covers prevention of theft and damage, equipment failure, leakage through electromagnetic radiation, prevention of line tapping, resistance to electromagnetic interference, and power supply protection. Its goal is to keep the organization from facing risks such as asset damage, asset loss, sensitive information leakage, or disruption of business activities.

For physical security, the GB 2.0 standard issued earlier also lays down clear requirements.

For example, on the physical location of the data center, GB 2.0 clearly stipulates: 1. The data center and office space should be located in buildings able to withstand earthquakes, wind, and rain; 2. The data center site should not be located on the upper floors or in the basement of a building, nor below or adjacent to water-using equipment.

After all, data centers are the lifeline of enterprises. If power outages, water leaks, and other problems occur, causing the data center to fail to operate, it will cause a devastating blow to the continuity of enterprise business, and even lead to the inability of the enterprise to operate.

In terms of physical access control, the GB 2.0 also points out:

1. Special personnel should be arranged at the entrance and exit of the machine room to control, identify, and record personnel entering;

2. Visitors who need to enter the machine room should go through an application and approval process, and their activity range should be restricted and monitored;

3. The machine room should be divided into areas for management, with physical isolation devices set between areas, and transition areas such as delivery or installation should be set in front of important areas;

4. Electronic access control systems should be configured for important areas to control, identify, and record personnel entering.

In fact, physical security is all around us. For example, the access control systems we commonly see are a physical security measure that can prevent external personnel from entering and leaving the company, but attention should be paid to other entry and exit channels, such as stairwells; similar measures include strictly distinguishing between visitor networks and internal employee networks to prevent attackers from directly accessing employee networks and initiating network attacks, etc.

In addition, some sensitive and important places should set permission rules to minimize the approach of unnecessary personnel, including data centers, financial systems, etc., to prevent attackers from infiltrating.

Don't assume that no one would ever destroy a data center or machine room. This mindset is extremely detrimental to security work. In 2021, a man in Texas, USA, planned a bomb attack on an Amazon Web Services (AWS) data center in Virginia, with the goal of 'destroying about 70% of the Internet'.

Fortunately, an undercover FBI agent supplied the man with a dud bomb, which prevented this crazy act from succeeding. Afterwards, Amazon stated that the company attaches great importance to the security of its employees and customer data, continually reviews all kinds of channels to respond to any potential threat, and will keep up this vigilance on behalf of employees and customers in the future.

Currently, both enterprises and institutions are paying more attention to data security, and various security products and security strategies are arranged in an orderly manner. However, at the same time, the physical security of important places such as machine rooms and data centers cannot be neglected.

Currently, the physical threat situation that enterprises are facing is becoming increasingly severe. According to the '2021 Mid-Year Outlook Security Intelligence Report' released by the Ontic Protection Intelligence Center, the majority of respondents said that enterprises should maintain a certain level of vigilance against physical threats; more than half of the respondents believe that physical attack activities are gradually increasing; and more than half of the respondents believe that their own enterprises are not well-prepared in terms of physical security.

Those 'wonderful' physical attacks

As the profitability of network attacks becomes increasingly obvious, attackers are more inclined to obtain higher returns at lower cost. Physical attacks are often more cost-effective: they complete the attack in an unexpected way, and sometimes the effect is more direct and effective, leaving people to marvel 'how can this be possible'.

Here are several representative cases, listed briefly.

1. Deliberately lost USB flash drives

In the early 21st century, USB attacks were a very common attack method. In 2007, the 'USB Parasite' virus even topped the virus ranking list, becoming one of the major threats the Internet faced. Attackers generally place USB flash drives loaded with malware deliberately on the paths that target users must pass. Once the target picks up the USB flash drive and inserts it into the computer, the malware virus will bypass the computer's protective system, and hackers can easily invade the target user's system.

In addition to USB flash drives, MP3, MP4, portable hard drives, digital cameras, and other mobile storage devices have all become carriers of such viruses without exception. In 2018, TSMC's production line was infected with the notorious WannaCry ransomware, causing multiple plants to be forced to shut down, resulting in losses of nearly 1 billion yuan. The root cause of all this may have been that TSMC employees used a USB flash drive loaded with ransomware.

2. Data theft through power supply

Ben-Gurion University of the Negev in Israel once released a research report revealing a 'talking' malicious software. It affects the switching frequency of power supply by starting and stopping CPU workload, thereby causing transformers and capacitors in the power supply to emit sound signals.

In simple terms, the malicious software exploits the changing electromagnetic field that accompanies the changing current, converting it into audio to leak data. Once this special 'noise' is captured by an acoustic receiver, a little extraction and processing is enough to recover the original information, which is the highly sensitive data on the target computer.

Does this attack method sound very different from traditional network attacks? It does not require WiFi or Bluetooth, and hackers can easily obtain the target's confidential data. Moreover, since this type of attack is not carried out in the traditional invasive manner, it is extremely difficult to detect.

3. Incomplete disaster recovery led to heavy losses

In 2020, Weimob suffered heavy losses due to a programmer's deletion of the database. According to a public report, the programmer deleted Weimob's database for personal reasons late at night, causing Weimob to be paralyzed since 7 pm on February 23, 2020, with over 3 million users unable to use the company's SaaS products normally. The fault lasted for 8 days and 14 hours. Weimob's market value evaporated by over 1 billion yuan overnight, and 300,000 stores were paralyzed. The total economic losses of Weimob included the cost of data recovery services, merchant compensation fees, and overtime pay for employees, totaling over 22.6 million yuan in RMB.

Although data deletion is not a truly physical attack, the severe impact caused by data deletion clearly shows that Weimob did not do a good job in disaster recovery and backup, at least the daily incremental backup work was not completed, and there may not have been any backup of non-institutionalized data. The lack of attention to physical security ultimately led Weimob to pay an unimaginably painful price.

Similar cases have occurred many times in history, some involving backups that could not be restored, but there are always companies that take their chances, and when an accident occurs they are unable to cope.
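The lesson of the Weimob case is that a backup only counts once the incremental chain has been shown to be unbroken, fresh, and actually restorable. The following Python example is added here and is not code from the original article or from Weimob; the backup records, the dataset, and the 24-hour freshness limit are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample chain (hypothetical, not Weimob's data): one full backup
# followed by daily incrementals. Each record stores the sha256 of the whole
# dataset at backup time; a None value in an incremental records a deletion.

def dataset_digest(data):
    """Stable digest of a key/value dataset (sorted JSON)."""
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()

def make_backup(kind, backup_id, parent, taken_at, state, changes):
    return {"id": backup_id, "kind": kind, "parent": parent,
            "taken_at": taken_at, "changes": changes, "digest": dataset_digest(state)}

_live = {"order_1": "paid", "order_2": "shipped"}
FULL = make_backup("full", "b0", None, "2020-02-20T02:00:00", _live, dict(_live))
_live["order_3"] = "new"
INC1 = make_backup("incremental", "b1", "b0", "2020-02-21T02:00:00", _live,
                   {"order_3": "new"})
del _live["order_2"]
INC2 = make_backup("incremental", "b2", "b1", "2020-02-22T02:00:00", _live,
                   {"order_2": None})
CHAIN = [FULL, INC1, INC2]

def restore_chain(chain):
    """Replay a full backup plus its incrementals and return the rebuilt dataset."""
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("chain must start with a full backup")
    data = dict(chain[0]["changes"])
    for prev, cur in zip(chain, chain[1:]):
        if cur["kind"] != "incremental" or cur["parent"] != prev["id"]:
            raise ValueError(f"gap in chain before {cur['id']}")
        for key, value in cur["changes"].items():
            if value is None:
                data.pop(key, None)      # deletion recorded in the incremental
            else:
                data[key] = value
    return data

def verify_backups(chain, now_iso, max_age_hours=24):
    """Return findings; an empty list means the chain is fresh and restorable."""
    findings = []
    now = datetime.fromisoformat(now_iso)
    last = datetime.fromisoformat(chain[-1]["taken_at"])
    if now - last > timedelta(hours=max_age_hours):
        findings.append(f"stale: newest backup {chain[-1]['id']} is {now - last} old")
    try:
        restored = restore_chain(chain)
        if dataset_digest(restored) != chain[-1]["digest"]:
            findings.append("drift: rebuilt dataset does not match recorded digest")
    except ValueError as exc:
        findings.append(f"unrestorable: {exc}")
    return findings
```

Run the check on a schedule: a non-empty result is the signal that a disaster-recovery plan exists on paper only.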

4. Directly infiltrate the company to obtain login credentials

Many people, unwilling to remember their account and password, simply stick them on their desk. During one HW exercise, after the attacking team learned of this, its members disguised themselves as the company's cleaning staff, walked openly into the office area, and used cleaning and garbage collection as cover to quietly read the employees' login credentials, ultimately using them to break into the corporate internal network. The target company was left completely confused: looking at a security system that showed no sign of attack, they could not understand why the internal network had been breached so easily.

5. Breaking through physical isolation using lasers and LEDs

As is well known, LEDs are commonly used in devices such as printers to show device status, and these LEDs can also receive light signals. Using this property, attackers aim lasers at the LEDs already installed in the device and record the LEDs' responses, establishing a covert communication channel that works in both directions at a range of up to 25 meters.

According to test results, the data input rate of this concealed communication channel can reach more than 18KB per second, and the data output rate can reach 100KB per second, which is enough to support the real-time transmission of general text files. This means that, with the help of lasers and LEDs, attackers can not only read data from physically isolated systems but also write data; and without adding extra hardware, they can retrieve data from the attacked devices.

There are many similar cases of physical attacks. Faced with these physical attacks, corporate security systems often appear to be inadequate, and traditional methods of dealing with networks are ineffective, even failing to find the cause of the problem in a short period of time.

Physical attacks are widely present in commercial crimes.

In addition to using physical attacks to break through corporate security systems, physical attacks are also widely used in commercial crimes and espionage, with a more concealed process and higher threat level.

For example, in the 1940s, the Soviet Union used a listening device named 'Golden Lips' to eavesdrop on the US Embassy in the Soviet Union for seven years. During this period, several ambassadors served, and the embassy was renovated and redecorated, but this listening device remained securely in place on the embassy wall.

The eavesdropping device was hidden in a wooden replica of the American national emblem gifted by the Soviet Union. After receiving the gift, the embassy's technical personnel inspected it in detail and concluded that it could not be a listening device because no batteries were found.

However, the 'Golden Lips' device used radio frequency identification technology, a radio communication technique that can work without its own power. The 'Golden Lips' contained a coil which, on receiving an external radio signal, generated current through electromagnetic induction, so the device could operate without batteries. Without an external radio signal it did not work and sent no radio signal at all, which made it very concealed and difficult to detect.

In addition, there is another remarkable eavesdropping technique used in commercial settings, called laser eavesdropping.

The principle is to use a laser generator to produce a very thin laser beam, which is emitted to the glass of the room being eavesdropped. When people talk in the room, the glass vibrates slightly due to the change in indoor sound, and the laser reflected from the glass contains the vibration information of the indoor sound waves. People can receive and demodulate the sound signal at a certain position outside the room using a special laser receiver, thereby eavesdropping on the conversation inside.

Since the laser eavesdropping device does not need to be placed in the room of the person being monitored, it is difficult to detect. Early laser eavesdroppers required great stability and were usually operated from a relatively fixed position. It is said that during the Gulf War, American intelligence personnel in Iraq used laser eavesdropping against the rearview mirrors of moving cars to capture the voices of senior Iraqi military leaders, and recovered the full conversation through technical processing.

In addition to eavesdropping, there are many other attack methods used in commercial crimes, including the use of spy cameras, installing tracking devices on cars or bodies, installing recorders on keyboards, and using wireless jammers to interfere with competitors' bidding defense, etc. With the continuous development of the economy, the frequency of the emergence of commercial crime methods is increasing, which deserves the attention of enterprises.

Conclusion

With the development and integration of the cybersecurity industry, the complexity of network attacks is rapidly rising, and a successful network attack often involves multiple steps. In this process, physical attacks often appear as a stepping stone or backdoor for network attacks, and they also show a rapid rising trend.

The reason for this is that the overall capability of the cybersecurity system is gradually improving, increasing the cost of a single network attack, forcing attackers to choose cheaper attack paths. At this time, the not-so-obvious physical security has become a new breakthrough point. Especially, many enterprises have a sense of disconnection between physical and cybersecurity, which gives attackers an opportunity to take advantage.

Currently, as the national HW action is about to launch, it is expected that attacks targeting the physical security side will also gradually increase. After all, cybersecurity is an integrated project with a pronounced weakest-link (shortest plank) effect.

At this moment, enterprises should also turn their attention back appropriately to the physical security that has been forgotten in the corner.
