Cookie policy: This site uses cookies (small files stored on your computer) to simplify and improve your experience of this website. Cookies are small text files stored on the device you are using to access this website. For more information on how we use and manage cookies please take a look at our privacy and cookie policies. Some parts of the site may not work properly if you choose not to accept cookies.

sections

Stray visitors can blow your data center wide open

  • Print
  • Share
  • Comment
  • Save

A data center – even just your average one – is rife with advanced technology and machinery. It’s the brains of any organization’s IT infrastructure, and the gateway to accessing its information. Although accessing this “digital nervous system” would seem a logical first step for would-be attackers, oftentimes it can only be done when physical access to the assets are achieved – or sometimes it’s just easier to do it this way than hacking your way in.

It sounds like plotline to some Hollywood cyber-thriller, but it’s the type of thing that occurs often enough, and its people like Peter Wood who are prolific at hatching such schemes. But Wood does not sneak into a company’s data centers to plant malware on a network, hoping to cash in somehow on a bounty of information. He’s the CEO of penetration testing firm First Base Technologies, and Wood and his team make their salaries from would-be victims who contract the consultancy to probe their defenses – both physical and digital. 

Simulated criminal attacks
“My role is to lead a team that does simulated criminal attacks against organizations”, Wood explained to the audience at this week’s DCD Converged event in London. His team then goes about identifying the key vulnerabilities an organization may have – much like any criminal would – and then, after executing a series of infiltration attempts, provides feedback to the client on approaches to close potential security gaps.

Addressing the issue of unsupervised visitors at any data center site is perhaps the most crucial aspect that needs addressing, which becomes even more difficult if an organization co-locates their data center functions or outsources them altogether.  “The single biggest threat on premises is someone who has not been escorted at all times”, Wood advised.  “We need to encourage the confidence to ask who people are, and report it”, he added. 

He then explained how an attack on the network would differ, but oftentimes a physical infiltration can help lead to a digital one, or is required to gain access to network resources of more hardened networks. Take, for example, the computer virus Stuxnet, which requires implantation into a target environment via an infected USB flash drive. Stuxnet attacks industrial programmable logic controllers (PLCs), and back in 2010 it was discovered that the virus caused the destruction of centrifuges at Iran’s Natanz uranium enrichment facility – setting the Iranian nuclear program back approximately five years or more.

Attack Anatomy
Whether it’s a physical or logical attack – or a combination of both – there are some common threads in their execution. Wood then provided the general steps for how an attack takes place:

• Background research
• Social engineering (phishing, for example)
• Taking control of an end point
• Explore the network
• Find data
• Exfiltrate (steal) data

“These steps are not rigorously followed by any criminal gang or security researcher”, Wood warned. Instead they are just commonly involved in the average infiltration process – and sometimes they will occur in a completely different order. “Most attacks are not really advanced, but they are multi-vectored,” he added. 

Attackers gather intel through many routes, including esxamining premises on Google maps and Street View, for example. Finding corporate email addresses through internet searches on sites like LinkedIn is an easy source of information gathering, and these same portals can provide access to staff names and job titles – enhancing the information arsenal of any prolific social engineer. Plus, once you find the email structure of an organization, you can use names to generate emails for nearly anyone in an organization, which helps attackers execute phishing and more targeted spearphishing campaigns designed to help gain access to a network.

These are key shortcomings that most organizations suffer from, Wood contended. He recommends increased staff education on phishing/spearphishing, and refraining from the use of corporate emails on professional social networking sites.

In a test spearphishing campaign First Base was hired to conduct, Wood and his team came back with 41 recipient email credentials within 15 minutes. “This stuff is quite boring to do, but so effective”, he said.

“It’s scary simple to gain access to systems that are protected by some of the most rigorous security controls available”, Wood lamented. “[The human] approach to being friendly and helpful (and the majority of people are) is what criminals take advantage of.”

Another issue he highlighted is that too much information is protected by a single security control, such as a Windows network login credential. “Our thrust toward single sign-on and single Windows passwords is the death of network security”, he declared. 

Wood advised that would-be cybercriminals look to compromise systems via paths of least resistance. “The criminals and other attackers see themselves as a business as well”, he remarked, based on his experience. “They may not have the same moral underpinnings, but they are looking to achieve their goals successfully.” 

“[Cybercriminals]”, he added, “will not take the sexiest or most technical route available, unless it is the most effective.” Most of the time, he continued, “they are looking to compromise systems with the least amount of damage.”

Related images

  • Peter Wood at DCD Converged in London

Have your say

Please view our terms and conditions before submitting your comment.

required
required
required
required
required
  • Print
  • Share
  • Comment
  • Save

Webinars

  • Next Generation Data Centers – Are you ready for scale?

    Wed, 24 Aug 2016 16:00:00

    This presentation will provide a general overview of the data center trends and the ecosystem that comprises of “hyperscale DC”, “MTDC”, and “enterprise DC”.

  • White Space 46: We'll always have Paris

    Fri, 15 Jul 2016 10:35:00

    This week on White Space, we look at the safest data center locations in the world, as rated by real estate management firm Cushman & Wakefield. It will come as no surprise that Iceland comes out on top, while the US and the UK have barely made the top 10. French data center specialist Data4 is promoting Paris as a global technology hub, where it is planning to invest at least €100 million. Another French data center owned by Webaxys is repurposing old Nissan Leaf car batteries in partnership with Eaton. Brexit update: We’ve also heard industry body TechUK outline an optimistic vision of Britain outside the EU – as long as the country remains within the single market and subscribes to the principles of the General Data Protection Regulation.

  • Powering Big Data with Big Solar

    Tue, 12 Jul 2016 18:00:00

    The data center industry is experiencing explosive growth. The expansion of online users and increased transactions will result in the online population to reach 50% of the world’s projected population, moving from 2.3 billion in 2012 to an expected 3.6 billion people by 2017. This growth is requiring data centers to address the carbon impact of their business and to integrate more renewable resources into their projects. Join First Solar to learn: -Why major C&I companies are looking to utility-scale solar as a viable addition to their energy sourcing portfolios. -How cost-effective utility-scale solar options can support datacenters in securing renewable supply. -Case study of how a major data center player implemented solar into their portfolio

  • DC Professional - Meet John Laban

    Tue, 12 Jul 2016 15:25:00

    John has worked in the Telecommunications and Information Transport Systems (ITS) industry for over 35 years, beginning his career at the London Stock Exchange as a BT telecommunication technician. Believing there was a general lack of quality in the ITS industry, John was driven to "professionalize" the ITS industry – starting with a professional diploma programme for the Telecommunications Managers Association – which led to him becoming the first BICSI RCDD in the UK and soon after, a BICSI Master Instructor teaching RCDD and Technician programmes. Find out more about John and upcoming sessions here https://www.dc-professional.com/people/284/

  • White Space 45: Waste Not

    Sun, 10 Jul 2016 15:50:00

    In this episode of White Space, we look back at the news of the week with a special guest Adrian Barker, general manager for EMEA at RF Code and specialist in sensors and data.

More link