May 12, 2017
Is your data an easy target for social engineering hacks? For a process called ‘penetration testing’, a credit bureau recently hired a security company (run by a well-known former cybercriminal skilled in a variety of break-in techniques) to devise ways to breach its IT systems: to look for openings in firewalls, services or VPNs (virtual private networks), and even to try some ‘social engineering’, that is, connecting with company employees and getting them to inadvertently reveal proprietary information. The team of hackers targeted the bureau’s mother lode, the data centre. The easiest way in, it turned out, was the human factor with a little technical trickery. A HID (human interface device) hidden in a leather planner, once in close proximity to a data centre employee, picked up the ID code from the employee’s access badge. Then it was simply a matter of cloning the badge, and the team was in. Social engineering attacks are targeted and are usually a string of innocuous events involving different people, which makes them hard to detect.
Preventing the “hack”
Most office buildings use access cards and readers to control entry. As a basic access control tool they serve the purpose. The card codes carry specific user information and allow you to restrict movement throughout your facility based on individualized access levels. But securing your data centre shouldn’t stop there. Ideally, you should have as many of these safeguards as possible:
- Two-factor authentication like access card and pin number or biometrics combinations for sensitive areas.
- A man-trap: a hallway in which, once the first door is opened, the second door stays sealed until the first is closed. This eliminates someone holding the door open to your data centre.
- Individually locked cabinets. This is a basic tip, but again, the common weakness in data centre security is the people. In the case of cabinet locking, we have seen convenience win out over common sense in far too many cases.
- Facial recognition and iris scanners. If you are absolutely securing your facility, have a look at facial recognition software.
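To make the first two safeguards concrete, here is a small Python model of a per-zone two-factor check with an audit log and a man-trap interlock. This is an added example, not code from the post; the zone names, badge ID and PIN are constructed.

```python
"""Models two safeguards from the post: per-zone two-factor access checks and a
man-trap door interlock. All zones, badges and PINs below are constructed."""
import hmac
from dataclasses import dataclass, field

# Factors each zone demands (assumption: only the data centre is two-factor).
ZONE_FACTORS = {"lobby": {"badge"}, "data_centre": {"badge", "pin"}}

# Constructed badge directory: badge id -> holder, PIN and zones granted.
BADGES = {"B-1001": {"holder": "alice", "pin": "4821",
                     "zones": {"lobby", "data_centre"}}}


@dataclass
class AuditLog:
    """Every decision is recorded so a cloned-badge attempt is visible on review."""
    events: list = field(default_factory=list)


def check_access(zone, badge_id, pin=None, log=None):
    """Grant only when every factor the zone requires is present and valid."""
    required = ZONE_FACTORS.get(zone)          # unknown zone -> deny
    badge = BADGES.get(badge_id)
    presented = set()
    if badge and zone in badge["zones"]:
        presented.add("badge")
        if pin is not None and hmac.compare_digest(pin, badge["pin"]):
            presented.add("pin")                # constant-time PIN compare
    granted = required is not None and required <= presented
    if log is not None:
        log.events.append((zone, badge_id, sorted(presented), granted))
    return granted


class ManTrap:
    """Two doors; one may open only while the other is closed (interlock)."""
    def __init__(self):
        self.open_door = None                   # door currently open, if any

    def open(self, door):
        if self.open_door not in (None, door):
            return False                        # interlock blocks the request
        self.open_door = door
        return True

    def close(self, door):
        if self.open_door == door:
            self.open_door = None


def cloned_badge_scenario():
    """A cloned badge alone passes the lobby but not the two-factor data centre."""
    log = AuditLog()
    lobby = check_access("lobby", "B-1001", log=log)
    dc = check_access("data_centre", "B-1001", log=log)   # no PIN: clone fails
    return lobby, dc, len(log.events)
```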
Why Data Centre certifications matter
DC standards and certifications safeguard against both physical access and remote unauthorized access. When evaluating your colocation provider, or even auditing your on-premise facility, here are some of the key standards that will safeguard the physical (and digital) perimeter:
- ISO 27001 & 27002
- SOC 1, 2 & 3 Type II
- PCI DSS
- HIPAA
What they cover are access controls, physical security and surveillance, and incident response. In particular, you should be evaluating the requirements for:
- Facility Security Controls
- 24/7 Physical Security Monitoring & tape retention
- Cabinet/Cage Perimeter Security: keep in mind that the “perimeter” tactic of firewalls keeps away external intruders but does not stop breaches from within the wall.
- Badge and Biometrics
- Annual Compliance Audit Reports
- Security Incident Response Notification
- Security challenge process to gain building access. This challenge is performed in person by a 24/7 security guard and requires the visitors to be photographed upon entry.
- CCTV systems throughout the perimeter and within the data centre rooms document visitor movements, which are also monitored by the security team.
- Access cards for server rooms that are individualized and limited to where the client machines reside.