Stray visitors can blow your data center wide open

A data center – even just your average one – is rife with advanced technology and machinery. It’s the brains of any organization’s IT infrastructure, and the gateway to accessing its information. Although accessing this “digital nervous system” would seem a logical first step for would-be attackers, oftentimes it can only be done when physical access to the assets is achieved – or sometimes it’s just easier to do it this way than hacking your way in.

It sounds like the plotline to some Hollywood cyber-thriller, but it’s the type of thing that occurs often enough, and it’s people like Peter Wood who are prolific at hatching such schemes. But Wood does not sneak into a company’s data centers to plant malware on a network, hoping to cash in somehow on a bounty of information. He’s the CEO of penetration testing firm First Base Technologies, and Wood and his team make their salaries from would-be victims who contract the consultancy to probe their defenses – both physical and digital.

Simulated criminal attacks
“My role is to lead a team that does simulated criminal attacks against organizations”, Wood explained to the audience at this week’s DCD Converged event in London. His team then goes about identifying the key vulnerabilities an organization may have – much like any criminal would – and then, after executing a series of infiltration attempts, provides feedback to the client on approaches to close potential security gaps.

Dealing with unsupervised visitors at any data center site is perhaps the most crucial issue, and it becomes even more difficult if an organization co-locates its data center functions or outsources them altogether. “The single biggest threat on premises is someone who has not been escorted at all times”, Wood advised. “We need to encourage the confidence to ask who people are, and report it”, he added.

He then explained how an attack on the network would differ, but oftentimes a physical infiltration can help lead to a digital one, or is required to gain access to network resources of more hardened networks. Take, for example, the computer virus Stuxnet, which requires implantation into a target environment via an infected USB flash drive. Stuxnet attacks industrial programmable logic controllers (PLCs), and back in 2010 it was discovered that the virus caused the destruction of centrifuges at Iran’s Natanz uranium enrichment facility – setting the Iranian nuclear program back approximately five years or more.

Attack Anatomy
Whether it’s a physical or logical attack – or a combination of both – there are some common threads in their execution. Wood then provided the general steps for how an attack takes place:

• Background research
• Social engineering (phishing, for example)
• Taking control of an end point
• Explore the network
• Find data
• Exfiltrate (steal) data

“These steps are not rigorously followed by any criminal gang or security researcher”, Wood warned. Instead they are just commonly involved in the average infiltration process – and sometimes they will occur in a completely different order. “Most attacks are not really advanced, but they are multi-vectored,” he added. 

Attackers gather intel through many routes, including examining premises on Google Maps and Street View, for example. Finding corporate email addresses through internet searches on sites like LinkedIn is an easy source of information gathering, and these same portals can provide access to staff names and job titles – enhancing the information arsenal of any prolific social engineer. Plus, once you find the email structure of an organization, you can use names to generate emails for nearly anyone in an organization, which helps attackers execute phishing and more targeted spearphishing campaigns designed to help gain access to a network.

These are key shortcomings that most organizations suffer from, Wood contended. He recommends increased staff education on phishing/spearphishing, and refraining from the use of corporate emails on professional social networking sites.

In a test spearphishing campaign First Base was hired to conduct, Wood and his team came back with 41 recipient email credentials within 15 minutes. “This stuff is quite boring to do, but so effective”, he said.

“It’s scary simple to gain access to systems that are protected by some of the most rigorous security controls available”, Wood lamented. “[The human] approach to being friendly and helpful (and the majority of people are) is what criminals take advantage of.”

Another issue he highlighted is that too much information is protected by a single security control, such as a Windows network login credential. “Our thrust toward single sign-on and single Windows passwords is the death of network security”, he declared. 

Wood advised that would-be cybercriminals look to compromise systems via paths of least resistance. “The criminals and other attackers see themselves as a business as well”, he remarked, based on his experience. “They may not have the same moral underpinnings, but they are looking to achieve their goals successfully.” 

“[Cybercriminals]”, he added, “will not take the sexiest or most technical route available, unless it is the most effective.” Most of the time, he continued, “they are looking to compromise systems with the least amount of damage.”
