Most organizations understand why you need to put a lock on your server room door. An old rule of security is that if an attacker can physically access the server, the attacker can quickly compromise all the information on that server. What most organizations don’t seem to understand is that they need to make systems administrator’s workstations secure as well. If someone can get to a systems administrator’s workstation, they can get to all the data located on the server!
Most networks are protected well against outside threats. Of course, as many people who read about security know, not all security threats come from the far side of the firewall. Many security threats come from within the organization. One threat might be an employee who is attempting to steal trade secrets to sell to competitors, or it just might be Bob from marketing wanting to find out what Jeff in the next cubicle is taking home a year by getting access to the HR department’s shared folder. Normally Bob can’t do that because he’s restricted by NTFS and shared folder permissions. However, if Bob spends a little time reading on the Internet, he might learn a few ways around such restrictions.
Many organizations put their systems administrators out in cubicle land. This makes sense to most managers. Offices are a sign of status and although they are responsible for mission critical equipment, most systems administrators aren’t that high up on the totem pole. Bob from marketing might walk past the system administrator’s cubicle several times a day on his way to the donut vending machine. This is the problem with cubicles. Although they provide a cheap way of housing employees, they are quite difficult to secure.
For example: Systems administrators regularly type important passwords into their workstations. These passwords can be for the most simple situations, such as unlocking the screen after coming back from a donut break, through to complex situations such as entering an administrative password to connect to a mission critical server via RDP.
If a systems administrator’s workstation is located in an area that other staff members, such as Bob, can easily access, it is possible that a hardware keylogger, such as Keyghost’s product could be installed without the systems administrator knowing. A hardware keylogger is a small device that sits between the keyboard and the computer and records all keystrokes that are entered. A quick search of google will allow you to find many different varieties for all sorts of budgets. Unless you specifically check the back of your computer each time you sit down to it, it is unlikely that you’d notice that a keylogger had been attached.
It is even possible to purchase keyboards built by most vendors that have been refitted by specialist companies to include keyloggers. So even if you examined the connection at the back of the computer, unless there was an identifying mark on your keyboard (like a donut and coffee stain) you wouldn’t notice that your keyboard had been switched. Most companies have a standard hardware setup, so Bob would know what keyboard to purchase and it would just be a matter of him switching over a sysadmin’s keyboard without being caught. Especially easy if Bob decides to work back late one night when no-one is around.
Outfitting computers with a smart card is one possible solution, as Bob would need the smartcard and the password to gain access. Another is to put systems administrator’s workstations into a lockable office where they aren’t as easy to physically compromise or to generally restrict access to the are that houses the IT department. It all depends on your organization’s security needs.