It’s not uncommon to hear wisdom such as “if an attacker has physical access to a PC, you’ve lost the battle,” or, “if a Trojan makes it past the defenses, it’s all over.”
While those are dire situations for a security manager, the defeatist attitude is a dangerous one. Though it's true that an attacker with administrator privileges anywhere on the network is in a very strong position, the fight's only over if you give up.
In these situations, it's good to take a leaf from the pages of history. Sun Tzu's The Art of War (www.chinapage.com/sunzi-e.html) and Miyamoto Musashi's Go Rin No Sho (A Book of Five Rings) (www.samurai.com/5rings) should be required reading for IT security professionals, but there are more recent examples that apply.
By the first week of September, 1940, the largest air battle in history was nearly over. The Luftwaffe's policy of attacking ground facilities had brought the RAF to its knees, and the conclusion appeared inevitable. Yet a combination of strategic error and stubborn persistence from the likes of Air Chief Marshal Dowding and Prime Minister Winston Churchill eventually gave victory to the Allies in a remarkable reversal of fortune, and the Battle of Britain was won (www.xrefer.com/entry/498833). The land invasion was cancelled, and the stage set for the Allied counterattack onto the continent.
The concept of a last line of defense is one that is wrapped up in the concept of perimeter security: the central theme of which dictates that there is a line at which an attacker must be held. If he crosses it, he has won. Of course security at the perimeter is important, but - as is well known - many companies rely on it exclusively. If you do, any penetration beyond the perimeter is immediately a disaster, instead of just another incident needing response and defensive action.
The notion of sole reliance on perimeter security is a dangerous one: it suggests a hard shell but soft interior, which will immediately yield before an attack penetrating the outside defenses. How quickly we forget the Maginot Line: that border of bunkers, artillery and fortifications protecting France from Nazi invasion, and in which the French put their faith, believing it could never be breached and that the heartland was safe. That was until the Blitzkrieg dodged around it entirely, striking through Holland in the north and thence directly into the soft interior beyond.
There are several reasons why reliance on perimeter security is a flawed model, two of which are relevant here. First, you are vulnerable to an attack on any front you neglected to defend (war-dialing and war-driving are examples of this in practice), and second, attacks generating from inside that perimeter have had the hard work done for them before they even begin. As we all know, by far the majority of attacks are initiated from inside the organization - inside the perimeter.
But while the issue of the security model is relevant, more important to me is the attitude implicit in any statement like "if he's got physical access, you've lost." Of course you haven't, the fight just got harder. So you rely on safeguards - encryption of critical local data, revocation of certificates, egress filtering to block traffic from the compromised host. After all, while it's true that if I have a local copy of your password files I can guarantee successful cracks given enough time and resources, that's largely true of any attack. Any security mechanism can be broken, given enough time to study the target, and sufficient resources to coordinate an attack.
So put in defensive mechanisms which will slow the attack, and give you time to respond. Use network controls that will, in effect, place the subsequent springboard attacks back outside the perimeter. Ensure that forensic services are available to determine what the attacker did before, during and after the local compromise, and how similar attacks can be prevented. Even if you can't stop the attack this time, at least you can collect the evidence and continue the fight with your local law enforcement agency.
And harden your interior! Assume the perimeter is breached: would your intrusion detection system or IPsec save you from a compromised PC? What about a compromised server or router? Harden the interior as much as you can. An attacker with physical access to a device does have an overwhelming advantage, but that does not guarantee success unless you have already decided you are beaten. Be prepared to retreat, avoid a rout at all costs. Encourage a fighting mentality among your security staff, and equip them with the tools to continue the battle even when in retreat, and you'll be a much tougher target.
Make the security manager your organization's Dowding, and the CIO your Churchill, coordinating resources against attack even when it looks hopeless. There can be no point of surrender, so put any perceived 'last line of defense' out of your mind. You've only lost when the attacker has achieved every objective and got away scot free, so keep fighting to the end.
Jon Tullett is U.K. and online editor for SC Magazine (www.scmagazine.com).