The data center industry should not build security in as an afterthought, but should up its game and be alert to the latest threats to digital infrastructure, security and data center experts said at a DCD Summit held in Singapore last week as part of Interpol World.
“A data center can be held hostage if the digital controls to the UPS and chiller systems are compromised by hackers,” said independent consultant Ka Vin Wong. With control over the mechanical and electrical systems, attackers can issue blackmail demands threatening an induced outage. Wong was speaking at a panel discussion during the “Security for mission critical infrastructure and ICT systems” Summit, drawing on his experience helming colocation providers in Southeast Asia over the past decade.
Data is the new gold
Wong observed that mechanical and electrical systems can be disconnected from the network and manually managed, but his point illustrates the increasing need to harden modern data centers against digital threat vectors.
Everyone needs to play a part in security, and corporations can no longer be insular in their data management, said Chris Church, a senior mobile forensic specialist at Interpol (the International Police Organization). The irony, said Church, is that users and executives often have irrational fears about the cloud, unaware of the extent to which they are using it. He observed: “The best way to get users to use the cloud, is not to mention to them it’s in the cloud. Just get them to sign up for the service.”
Yet many damaging security attacks are not related to the cloud at all. One bank hack was traced to an outsourced IT support team from a neighboring country, said Church. One support staff member got their laptop infected with malware, which remained on the system for an entire year before hackers made their move and got away with a digital heist of $10 million within the span of an hour.
Although overstated, the threat from data leakage through the cloud is very real, and hackers love the cloud as it requires just the user account and password to access the data, said Church. The issue is exacerbated by the fact that almost all consumers (90 percent) are not aware of what they are storing in the cloud; some apps save far more files than users expect.
There are also users who consider themselves unattractive targets, believing that attacks only happen to other people and large organizations. That is a fallacious belief and simply not true, said Church. Data is a commodity like gold, and data such as usernames, passwords and email accounts can change hands to the tune of thousands of dollars, he said.
Start with local intelligence
To identify genuine threats in modern infrastructure, users may need to create a local threat intelligence base, said Florian Lukavsky, the director of SEC Consult Singapore. This is because traditional defensive measures such as proxy servers, intrusion prevention systems (IPS) and antivirus software have repeatedly been proven to fail against targeted attacks.
Moreover, newer approaches using security information and event management (SIEM) software products and services tend to generate a large volume of alerts. Reviewing these manually is like “searching for a needle in a needlestack,” he said. As an example, he pointed to the infamous Target hack of 2013, which saw the hackers’ activities flagged but ignored by the security team.
Lukavsky suggested the creation of a fake environment to entrap intruders, using intentionally leaked false information or other measures to tell with high confidence whether a security breach has occurred. This allows for the creation of a local threat intelligence that is unique to the data center environment, allowing security personnel to know with certainty that something is happening within this carefully crafted environment.
He shared a real-life case study where an attacker managed to gain access to such an environment to install ransomware and APT (advanced persistent threat) tools to maintain a presence. The honeypot allowed the team to collect local threat intelligence such as the fingerprints of customized malware, usernames and passwords for backdoor tools, and attack patterns. All of these were fed into a malware information sharing platform and used to examine other parts of the environment to check whether the hackers had gained access elsewhere.
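The detection logic behind a decoy environment of this kind, as an added example that is not code from the summit or from SEC Consult: planted credentials (honeytokens) are never used by any legitimate process, so a successful login with one is a high-confidence intrusion signal rather than one alert among thousands. The script parses constructed, syslog-style authentication events from the decoy, turns each hit into a shareable source-address indicator (the attribute shape is an assumption loosely modelled on MISP), and then sweeps constructed production logs for the same addresses, which is the "examine other parts of the environment" step described above. All hostnames, usernames and addresses are made up for the example.

```python
import re

# Decoy credentials planted in the honeypot environment (constructed names).
# No legitimate process ever authenticates with them, so any successful use is a confirmed intrusion.
HONEYTOKENS = {"svc_backup_ro", "dcim-admin"}

# Constructed sample auth events from the decoy environment (not real logs).
DECOY_LOG = """\
2023-06-12T02:14:07Z decoy-fs sshd[2211]: Accepted password for svc_backup_ro from 10.40.7.23 port 51822
2023-06-12T02:14:09Z decoy-fs sshd[2214]: Failed password for ops_user from 10.40.7.5 port 40022
2023-06-12T02:21:44Z decoy-bms nginx: login user=dcim-admin src=10.40.7.23 result=ok
2023-06-12T02:22:01Z decoy-fs sshd[2230]: Accepted password for ops_user from 10.40.7.5 port 40030
"""

# Constructed sample events from the production side, swept with the indicators afterwards.
PROD_LOG = """\
2023-06-12T03:02:10Z prod-dcim nginx: login user=facility_ops src=10.40.7.23 result=ok
2023-06-12T03:05:52Z prod-dcim nginx: login user=facility_ops src=10.40.9.88 result=ok
2023-06-12T03:11:03Z prod-jump sshd[9001]: Accepted publickey for admin from 10.40.7.23 port 60010
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
SSH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
WEB_OK_RE = re.compile(r"login user=(?P<user>\S+) src=(?P<src>\S+) result=ok")


def parse_events(log_text):
    """Return (timestamp, host, user, source_ip) tuples for successful logins only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        rest = m.group("rest")
        hit = SSH_OK_RE.search(rest) or WEB_OK_RE.search(rest)
        if hit:
            events.append((m.group("ts"), m.group("host"), hit.group("user"), hit.group("src")))
    return events


def find_honeytoken_hits(log_text):
    """Successful logins with a planted credential: each one is an intrusion, not a maybe."""
    return [e for e in parse_events(log_text) if e[2] in HONEYTOKENS]


def build_indicators(hits):
    """Convert hits into de-duplicated, shareable source-address indicators (MISP-like shape, assumed)."""
    indicators, seen = [], set()
    for ts, host, user, src in hits:
        if src in seen:
            continue
        seen.add(src)
        indicators.append({"type": "ip-src", "value": src,
                           "comment": f"used honeytoken {user} on {host} at {ts}"})
    return indicators


def sweep_for_reuse(log_text, indicators):
    """Check another part of the environment for logins from the indicator addresses."""
    watch = {i["value"] for i in indicators}
    return [e for e in parse_events(log_text) if e[3] in watch]


if __name__ == "__main__":
    hits = find_honeytoken_hits(DECOY_LOG)
    indicators = build_indicators(hits)
    for e in sweep_for_reuse(PROD_LOG, indicators):
        print("intruder address seen outside the decoy:", e)
```

The sweep deliberately matches only successful logins: a failed attempt from a flagged address is worth an alert, but the question the honeypot answers with certainty is whether the intruder already holds a working foothold elsewhere.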
Physical security matters too
Finally, a properly secured data center should incorporate a host of capabilities that include a highly controllable environment for personnel access, and should offer safeguards to prevent actions that degrade overall security such as buddy punching and tailgating, said Phoon Wai Leong of ERS Group.
And physical access control isn’t just to deter malicious personnel either, he argues. Phoon cited the hypothetical example of a systems engineer running out of available power sockets in one rack, reaching to the next rack for an available slot – and promptly triggering a power trip as an already maxed-out circuit is pushed over the edge.
So how should modern data centers be secured? For a start, authentication systems should be equipped with the requisite data to identify if someone seeking access is a current or former employee, or blacklisted personnel, he said. And systems should ideally incorporate the ability to search, locate and track people in a near real-time manner to strengthen area control for assets and personnel.
Phoon offered practical tips on physical security with the use of two-factor authentication (2FA). An encrypted proximity beacon could be issued upon validation and registration, and should be time-synchronized to thwart duplication. In addition, the use of active RFID or Bluetooth dongles can allow the movements of personnel to be tracked for incident response and auditing in the wake of security incidents.
Keypad and PIN locks should be implemented at various checkpoints within the facility, though facial recognition is increasingly seen as a reliable and cost-effective method of implementing a second-factor control. In fact, three-factor authentication should be considered too, suggested Phoon, and can be implemented with a mix of physical tokens, personalized passcodes and biometric authentication.
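Why a time-synchronized beacon defeats duplication, and how the checks from the last three paragraphs fit together, as an added example that is not code from the summit or from ERS Group: the beacon broadcasts a short HMAC over its badge id and the current 30-second time slot, so a copied broadcast is useless once the slot has passed, and the door controller pairs that first factor with a PIN, rejects revoked badges (former employees or blacklisted personnel) and refuses a second presentation of the same slot's token. The key, badge ids, PINs, rotation period and drift tolerance are all constructed for the example; a real deployment would keep the beacon key in the token's secure element and store PINs hashed.

```python
import hashlib
import hmac
import struct

SLOT_SECONDS = 30   # assumed beacon rotation period
ALLOWED_DRIFT = 1   # accept the neighbouring slots to tolerate small clock skew


def beacon_token(secret, badge_id, now):
    """What the issued beacon broadcasts: HMAC-SHA256 over badge id and the current time slot.

    The token changes every SLOT_SECONDS, so a recorded broadcast cannot be reused later.
    """
    slot = int(now) // SLOT_SECONDS
    msg = badge_id.encode() + struct.pack(">Q", slot)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class DoorVerifier:
    """Checkpoint controller: beacon (something you have) + PIN (something you know)."""

    def __init__(self, secret, pins, revoked=()):
        self.secret = secret
        self.pins = pins            # badge_id -> PIN (constructed; hash these in production)
        self.revoked = set(revoked)  # badges of former employees / blacklisted personnel
        self.seen = set()            # (badge_id, slot) already admitted; bound this in production

    def verify(self, badge_id, token, pin, now):
        if badge_id in self.revoked:
            return "revoked badge"
        if badge_id not in self.pins:
            return "unknown badge"
        if not hmac.compare_digest(pin, self.pins[badge_id]):
            return "bad pin"
        slot = int(now) // SLOT_SECONDS
        for candidate in range(slot - ALLOWED_DRIFT, slot + ALLOWED_DRIFT + 1):
            expected = beacon_token(self.secret, badge_id, candidate * SLOT_SECONDS)
            if hmac.compare_digest(expected, token):
                # One admission per badge per slot: a duplicated beacon presented a second time fails.
                if (badge_id, candidate) in self.seen:
                    return "replay"
                self.seen.add((badge_id, candidate))
                return "granted"
        return "stale or forged token"


if __name__ == "__main__":
    site_key = b"constructed-site-key"
    door = DoorVerifier(site_key, {"B1001": "4821"}, revoked={"B0007"})
    t = 1_700_000_000
    tok = beacon_token(site_key, "B1001", t)
    print(door.verify("B1001", tok, "4821", t))        # granted
    print(door.verify("B1001", tok, "4821", t + 5))    # replay
    print(door.verify("B1001", tok, "4821", t + 120))  # stale or forged token
```

The drift window is the trade-off to watch: widening ALLOWED_DRIFT makes a skewed beacon more forgiving but lengthens the period during which a captured token still opens the door, which is why the controller's clock and the beacons' clocks need to stay synchronized.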
It will take some time to bring all data centers up to scratch on the security front. But as more systems within the data centers are digitized and networked, this is an area that can no longer be ignored.