1
00:00:07,040 --> 00:00:07,930
- [Instructor] Now, in this lesson,

2
00:00:07,930 --> 00:00:10,250
I want to go over a couple of things.

3
00:00:10,250 --> 00:00:15,030
Physical attacks against an asset, so, a device.

4
00:00:15,030 --> 00:00:17,330
And also physical attacks against, of course,

5
00:00:17,330 --> 00:00:20,430
an infrastructure or facilities.

6
00:00:20,430 --> 00:00:25,390
So, let's actually start with physical attacks.

7
00:00:25,390 --> 00:00:27,800
So, attackers where they actually

8
00:00:27,800 --> 00:00:29,670
have physical access to a device,

9
00:00:29,670 --> 00:00:31,960
and that whenever they actually can perform

10
00:00:31,960 --> 00:00:34,340
many different types of, you know, malfeasance

11
00:00:34,340 --> 00:00:36,146
and manipulations.

12
00:00:36,146 --> 00:00:39,540
Of course, first thing that you're actually gonna say

13
00:00:39,540 --> 00:00:41,070
is that device theft is actually

14
00:00:41,070 --> 00:00:42,720
one of the most common risks out there.

15
00:00:42,720 --> 00:00:45,860
So if somebody actually can steal your laptop

16
00:00:45,860 --> 00:00:49,274
or your server, and you don't encrypt your hard drive,

17
00:00:49,274 --> 00:00:53,110
of course they can actually do, or obtain,

18
00:00:53,110 --> 00:00:55,170
sensitive information from that system.

19
00:00:55,170 --> 00:00:57,278
A few other attacks and techniques

20
00:00:57,278 --> 00:01:00,050
that I want to share with you.

21
00:01:00,050 --> 00:01:02,250
First one is actually cold-boot attacks.

22
00:01:02,250 --> 00:01:05,220
Basically that's a type of side-channel attack,

23
00:01:05,220 --> 00:01:08,383
where the attacker tries to retrieve the encryption keys

24
00:01:08,383 --> 00:01:11,144
from a running operating system,

25
00:01:11,144 --> 00:01:15,510
after using a cold reboot or a system reload.

26
00:01:15,510 --> 00:01:18,380
Basically, these cold-boot attacks

27
00:01:18,380 --> 00:01:21,120
attempt to compromise the data remnants

28
00:01:21,120 --> 00:01:25,610
of DRAM and SRAM to actually retrieve memory contents

29
00:01:25,610 --> 00:01:27,402
that could actually remain,

30
00:01:27,402 --> 00:01:31,760
could remain on the system or could be readable,

31
00:01:31,760 --> 00:01:35,220
within seconds, minutes actually, after the system

32
00:01:35,220 --> 00:01:37,513
actually has been powered on, right?

33
00:01:39,000 --> 00:01:42,520
Typically, this type of attack is actually done

34
00:01:43,808 --> 00:01:46,580
by using removable media to boot to a different

35
00:01:46,580 --> 00:01:48,650
operating system, and actually used to dump

36
00:01:48,650 --> 00:01:53,610
the contents of the pre-boot physical memory to a file.

37
00:01:53,610 --> 00:01:56,240
Now another thing that an attacker can do

38
00:01:56,240 --> 00:01:57,560
is actually connect to a serial console

39
00:01:57,560 --> 00:02:00,660
for debugging and to perform reconnaissance

40
00:02:00,660 --> 00:02:02,340
and tampering, right?

41
00:02:02,340 --> 00:02:05,023
Many organizations actually use terminal servers,

42
00:02:05,023 --> 00:02:08,530
serial console servers, to actually allow remote access

43
00:02:08,530 --> 00:02:11,920
to the serial port of another device on their network.

44
00:02:11,920 --> 00:02:13,810
Of course, if you can actually compromise that,

45
00:02:13,810 --> 00:02:17,570
you can potentially get access to those systems

46
00:02:17,570 --> 00:02:19,610
through that underlying, other systems

47
00:02:19,610 --> 00:02:22,080
that are connected to that terminal server,

48
00:02:22,080 --> 00:02:24,500
and of course, you know, perform reconnaissance,

49
00:02:24,500 --> 00:02:26,850
see what operating system and applications are

50
00:02:26,850 --> 00:02:28,980
actually running, and god forbid,

51
00:02:28,980 --> 00:02:31,264
if actually they can log in as an administrator

52
00:02:31,264 --> 00:02:34,360
or as any other user, they can usually perform

53
00:02:34,360 --> 00:02:35,800
other types of attacks.

54
00:02:35,800 --> 00:02:37,718
Now another technique that I want to go over

55
00:02:37,718 --> 00:02:40,609
is JTAG debugging, reconnaissance and tampering.

56
00:02:40,609 --> 00:02:44,880
Basically JTAG is a hardware access interface

57
00:02:44,880 --> 00:02:48,550
that basically allows a hardware engineer

58
00:02:48,550 --> 00:02:50,996
or a pen tester to perform debugging

59
00:02:50,996 --> 00:02:53,780
on hardware implementations.

60
00:02:53,780 --> 00:02:56,569
Basically, debuggers can actually use JTAG

61
00:02:56,569 --> 00:02:59,790
to access registers and then other things

62
00:02:59,790 --> 00:03:02,263
like memory contents and interrupts,

63
00:03:03,640 --> 00:03:05,600
and then obtain information about the system

64
00:03:05,600 --> 00:03:08,343
or even pause or redirect software instructions

65
00:03:08,343 --> 00:03:13,343
or software instruction flows within any given system.

66
00:03:13,540 --> 00:03:16,260
A whole bunch of other attacks can be done

67
00:03:16,260 --> 00:03:19,450
against physical facilities, right,

68
00:03:19,450 --> 00:03:21,330
against your facilities.

69
00:03:21,330 --> 00:03:23,830
Some of these actually can be carried out

70
00:03:23,830 --> 00:03:25,900
to infiltrate the facilities,

71
00:03:25,900 --> 00:03:28,193
or to steal sensitive information from the organization.

72
00:03:28,193 --> 00:03:33,193
Here I'm showing a list of the most common ones,

73
00:03:33,680 --> 00:03:35,720
and specifically the ones that you have to know

74
00:03:35,720 --> 00:03:37,010
for the test.

75
00:03:37,010 --> 00:03:39,120
First one is actually piggybacking or tailgating.

76
00:03:39,120 --> 00:03:41,257
That's actually you walking behind somebody

77
00:03:41,257 --> 00:03:45,690
that actually has authorized access to a facility,

78
00:03:45,690 --> 00:03:48,310
and then basically you just get in right after them.

79
00:03:48,310 --> 00:03:50,183
Then the other one is actually fence jumping,

80
00:03:50,183 --> 00:03:53,560
that goes without saying, jumping a fence or a gate

81
00:03:53,560 --> 00:03:56,060
to enter a restricted building or a facility.

82
00:03:56,060 --> 00:04:00,748
Dumpster diving, that means actually that you may search

83
00:04:00,748 --> 00:04:03,344
and attempt to collect sensitive information

84
00:04:03,344 --> 00:04:05,730
literally from the trash.

85
00:04:05,730 --> 00:04:08,280
Also lock picking, as a matter of fact,

86
00:04:08,280 --> 00:04:10,160
lock picking is actually very powerful

87
00:04:12,176 --> 00:04:14,063
among many security enthusiasts and,

88
00:04:14,063 --> 00:04:17,290
as a matter of fact, there's actually lock picking events,

89
00:04:17,290 --> 00:04:19,270
but at the end of the day, yes,

90
00:04:19,270 --> 00:04:22,284
lock bypass is a technique used in lock picking

91
00:04:22,284 --> 00:04:26,849
that can be, have been used for many, many, different years,

92
00:04:26,849 --> 00:04:31,176
and includes different techniques like loiding attempts,

93
00:04:31,176 --> 00:04:34,246
using basically a credit card or a similar thing

94
00:04:34,246 --> 00:04:39,246
to close, or rather open, or latch a lock,

95
00:04:40,810 --> 00:04:43,870
or to actually literally pick a padlock

96
00:04:43,870 --> 00:04:46,800
or any type of lock in a door.

97
00:04:46,800 --> 00:04:49,740
Now you also have, the actors in some cases

98
00:04:49,740 --> 00:04:52,060
actually may tamper with egress sensors

99
00:04:52,060 --> 00:04:54,720
to open doors as well.

100
00:04:54,720 --> 00:04:58,252
Another common attack is actually to clone badges

101
00:04:58,252 --> 00:05:03,090
of employees and authorized individuals

102
00:05:03,090 --> 00:05:05,500
to actually enter a restricted facility

103
00:05:05,500 --> 00:05:07,933
or a specific area within a building.