In this article, I will examine the issue of physical attacks on data centers and server rooms and explore the methods used to counteract them.
Data centers' physical security is crucial for protecting against various information threats. This involves implementing systems for fire protection, dust and contaminant control, and managing employee access, among other measures. All of these are essential for preventing data leaks and unauthorized access.
When you combine all the requirements, you get an extensive list of measures:
- Competent planning of the data center location
- Perimeter management
- Using a list of employees for authorized access
- Access control to the hardware and software
- Response to incidents (fires and other emergencies)
- RFID equipment inventory
- Compliance with the Information Security Management System standard
- Resource reservation (Internet, electricity, water, heating, ventilation, and air conditioning)
- Use of video surveillance systems, etc.
A comprehensive data center security plan is not just a necessity, but a must. It requires a holistic approach encompassing traditional physical security measures and digital external attack surface management to identify and mitigate potential threats associated with connected assets and devices.
By proactively identifying and addressing potential flaws in your infrastructure, you can significantly reduce your vulnerability, even if you've invested heavily in physical security measures.
Organizations often enlist the help of red teams to identify such vulnerabilities. These teams, which specialize in evaluating security aspects, including the effectiveness of social engineering techniques, can help uncover potential entry points for unauthorized access to protected premises.
Data center designers are not just architects, but crucial players in data center security. They take specific 'preventive preparations' to mitigate potential issues, ensuring that the data center is designed with security in mind. By using a proactive approach like penetration testing, these weaknesses can be identified and addressed before attackers can exploit them.
Security Risks from Architectural and Design Flaws
The most critical risk is choosing a communications architecture within a data center and considering the routes for placing auxiliary and communications equipment. It is vital that an experienced team handles the design to ensure security and efficiency.
Areas with drop ceilings and false floors require special attention. These features can create a security risk because the room's upper and lower boundaries do not match the visible ceiling or floor. Attackers can exploit this by removing ceiling tiles in an adjacent room to access a more secure area where data center equipment is installed, using the space between the floor and ceiling or through ventilation openings. These openings in data center ceilings are often quite spacious, making them vulnerable to such breaches.
Data centers and server rooms typically use a complex ventilation system to supply fresh air, remove exhaust air, and create excess pressure to prevent harmful substances and dust from entering the facility. Designing such systems is often handled by a separate group, independent of the main data center designers. Consequently, they may apply different security requirements to ensure the integrity and safety of the ventilation systems.
Consequently, drop ceilings and false floors often have wide service passages designed to be strong enough for maintenance or cleaning. Sometimes, data center employees use these passages to return to secure areas, such as keys, if they forget something inside. Additionally, temporary storage is sometimes arranged within raised floors.
Therefore, installing obstacles inside these passages is recommended to ensure that any tampering does not go unnoticed. Removable metal fences or wire mesh can serve as effective deterrents.
It is not recommended to use drywall for barriers, as it often creates the illusion of security without providing actual protection. Drywall cannot ensure complete safety in these situations.
Of course, a determined attacker could still cut the wire or break through the grill to access the data center. However, installing additional sensors can provide a good defense against such incidents. Additionally, it is crucial to keep the detailed plan of technical passages strictly confidential.
Please remember that neglecting roof maintenance can also cause a slippery slope. Imagine a rogue seeking access rappelling through a neglected roof. In this case, roofing software could help identify potential weak spots before leaks (and unwanted visitors) spring a surprise. For a truly comprehensive security approach, consider integrating data center security systems with building automation or management systems. This allows for centralized monitoring and control of physical security measures alongside environmental factors that could impact data center equipment.
Entrance Door Lock Security
Picking a lock is a well-known and common tactic, often seen as a sport among attackers. Additionally, specialized kits for breaking various types of modern locks are readily available online. With the help of these kits, almost anyone can open a standard door lock.
Combination locks are also common. A well-known trick to bypass these locks is the hidden installation of wireless cameras. Red teams frequently use this method to assess the security of premises. Using a video camera makes it possible to observe the code being entered to access the server room.
It is recommended to use electronic locks that open with a smart card or biometrics, as they offer higher security. However, it is important to remember that software and hardware can read codes from smart cards. This can be done discreetly, especially if employees leave their smart cards on their desks.
In addition, placing the hinges and spring door closing mechanism inside the room is always recommended. When installed outside, they can be easily removed.
Assessing Alternative Entrances for Vulnerabilities
The first thing red team experts ask is whether the company has an emergency or service entrance. Accessing these entrances is often much easier than through the main, guarded one. Additionally, employees are often unknowingly used as "accomplices" by attackers.
For example, a common method of illegal entry is to pose as an equipment installer or a pizza delivery person. Impersonating a delivery worker when bringing equipment or supplies to the office is also often effective. People are usually very kind, often holding the door for you when you bring a box of paper into the office.
When all else fails, there are more social engineering tricks to try. Many buildings have a smoking area nearby. If you sit there, talk to someone, and observe the employees, you will quickly become familiar with the area and the staff. If you are on crutches or talking on the phone, people will also often hold the door for you to help you get inside because they do not want to seem rude.
One way to reduce this risk is to install a turnstile on the service entrance, allowing only one person to enter at a time. However, you will often also need a security guard to ensure people have their badges with them. You should also avoid leaving even the tiniest gaps between doors. An attacker can gather a lot of additional information by peeping through the crack, allowing them to choose the right moment and find the best way to open the door.
Challenges of Social Engineering Tactics
Running social engineering experiments can be a tough pill to swallow for red-team security researchers. It often means tricking people, which can gnaw at a researcher's sense of ethics.
Here is an example from an audit at an energy company where a red team expert experienced the kindness of a "very nice woman" for seven days. He managed to get inside, find an unoccupied desk, and plug his laptop into a wall outlet. When he encountered issues connecting to the internal network, an elderly woman nearby noticed and asked if she could help.
The expert explained that he wanted to connect his laptop to the network but could not, mentioning that he would be working there for a few days as an intern. The woman contacted IT support and asked them to help connect the intern to the corporate network. She was very nice, and they chatted regularly. When the fake "internship" ended, she even brought homemade cookies and wished him success. The expert felt terrible about spending a week deceiving such a kind person.
Unlike ethical hackers, cyber attackers will not hesitate to exploit someone's kindness. Training employees in information security literacy is crucial to combat social engineering.
Conclusion
I have only discussed the most obvious ways to check data centers and server rooms for physical security. Ensuring security is a complex task. While brute-force attacks are not very common, it is still essential to be prepared for them and other threats, such as malware on flash memory sticks spread near the data center.
