The insider threat: Social engineering is raising security risks

Uptime Institute Members say one of their most vexing security concerns is the insider threat — authorized staff, vendors or visitors acting with malicious intent.

In extreme examples, trusted individuals could power down servers and other equipment, damage network equipment, cut fiber paths, steal data from servers or wipe the associated storage. Unfortunately, operators cannot simply screen out trusted individuals who harbor bad intent.

Most data center operators conduct background checks. Most have policies for different levels of access. Some may insist that all visitors have security escorts, and many have policies that prevent tailgating (physically following an authorized person through a door to gain access). Many have policies to limit the use of portable memory devices in computer rooms to only authorized work; some destroy them once the work is complete, and some insist that only specific computers assigned to specific worktables can be used.

Yet vulnerabilities remain. Relying on a single factor for identification (ID), such as an access card alone, invites card sharing and other unintended consequences. Some ID cards and badges carry protections, such as encryption, intended to prevent copying, but many card technologies can still be cloned with specialist devices. Some data centers therefore require multifactor authentication (for example, a card plus a PIN or biometric) at entry and exit points, which significantly hardens ingress and egress control.

The COVID-19 pandemic increased the risk for many data centers, at least temporarily. Some of the usual on-site staff were replaced by others, and routines were changed. When this happens, security and vetting procedures are easier to evade.

However, even before the pandemic, the insider threat had been growing, and its character has changed. Trusted individuals are now more likely to unwittingly act in ways that lead to malicious outcomes (or to fail to respond and prevent such outcomes). This is because attackers increasingly exploit human psychology to trick authorized people into providing sensitive information. Social engineering, the use of deception to obtain unauthorized data or access, is now prolific and increasingly sophisticated.

Tactics can include a mix of digital and physical reconnaissance. The simplest approaches are often the most effective, such as manipulating people using phone or email, and using information available to the public (for example, on the internet).

Social engineering is a concern for all businesses but particularly those with mission-critical infrastructure. A growing number of data center operators use automated security systems to detect anomalies in communications, such as email phishing campaigns on staff and visitors.

However, even routine communication can be exploited by attackers. For example, the Received headers that each relaying mail server adds to an email record the host name and internet protocol (IP) address of the system that sent it; the originating IP can be geolocated to a city or internet provider, and the host name may identify the sender's employer. Further information about, say, a data center employee can be obtained from online sources (social media, typically), which can then be used for social manipulation, such as posing as a trusted source (spoofing caller IDs, or registering a look-alike domain and obtaining a valid certificate for it so that a fake site looks legitimate), and tricking an employee into providing sensitive information. By surveilling employees, either physically or online, attackers can also obtain useful information at places they visit, such as credit card details used at a restaurant (by exploiting a vulnerability in the restaurant's payment system, for example). Attackers often gain trust by combining information gleaned from these digital trails with social engineering tactics.
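To make the header leak concrete, the following added example (written for this page; it is not code from Uptime Institute or from the report) parses the Received chain of a constructed message, extracts the earliest public IP address that a geolocation lookup would act on, lists the internal addresses that reveal the sender's LAN, and flags a sender domain that is a digit-for-letter or one-character look-alike of the organization's own domain. The message, the domains (`example-dc.test`, `examp1e-dc.test`) and the addresses (RFC 5737 documentation ranges) are all constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture). Each relaying server
# prepends a Received header, so the bottom-most one is the earliest hop.
RAW_MESSAGE = b"""\
Received: from mx2.example-dc.test (mx2.example-dc.test [192.0.2.10])
\tby mail.example-dc.test with ESMTPS; Mon, 1 Mar 2021 09:12:03 +0000
Received: from mail.examp1e-dc.test (host-203-0-113-45.isp.test [203.0.113.45])
\tby mx2.example-dc.test with ESMTP; Mon, 1 Mar 2021 09:12:01 +0000
Received: from [10.0.0.7] (unknown [10.0.0.7])
\tby mail.examp1e-dc.test with ESMTPA; Mon, 1 Mar 2021 09:11:58 +0000
From: "Facilities Manager" <manager@examp1e-dc.test>
To: ops@example-dc.test
Subject: Urgent: after-hours access for contractor
Message-ID: <abc123@examp1e-dc.test>

Please add the visitor below to tonight's escort list.
"""

# "from <helo> (<reverse-dns> [<ip>])" as written by most MTAs.
RECEIVED_HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)

# RFC 1918 / loopback / link-local ranges; hops inside them describe the
# sender's internal network rather than a routable origin.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable: treat as not routable
    return any(ip in net for net in INTERNAL_RANGES)


def received_hops(msg):
    """Return the Received chain as dicts, earliest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())  # undo header folding
        m = RECEIVED_HOP.search(flat)
        if m:
            hops.append({"helo": m.group("helo"),
                         "rdns": m.group("rdns") or "",
                         "ip": m.group("ip")})
    return hops


def originating_public_ip(hops):
    """First routable address walking from the earliest hop."""
    for hop in hops:
        if not is_internal(hop["ip"]):
            return hop["ip"]
    return None


# Digits commonly substituted for letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def one_edit_apart(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(a) < len(b):
            j += 1
        else:
            i, j = i + 1, j + 1
    edits += (len(a) - i) + (len(b) - j)
    return edits == 1


def lookalike_domain(domain, trusted):
    """True when domain is not trusted (or a subdomain of it) but resembles it."""
    d = domain.lower()
    if d == trusted or d.endswith("." + trusted):
        return False
    return d.translate(CONFUSABLES) == trusted or one_edit_apart(d, trusted)


def sender_domain(msg):
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def analyse(raw, trusted_domain):
    """Summarise what the headers reveal and whether the sender is a look-alike."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    domain = sender_domain(msg)
    return {
        "sender_domain": domain,
        "lookalike": lookalike_domain(domain, trusted_domain),
        "hops": hops,
        "origin_ip": originating_public_ip(hops),
        "internal_ips": [h["ip"] for h in hops if is_internal(h["ip"])],
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE, "example-dc.test").items():
        print(f"{key}: {value}")
```

Run against the constructed message, the report names `examp1e-dc.test` as a look-alike of `example-dc.test`, identifies 203.0.113.45 as the origin a geolocation service would resolve, and shows the 10.0.0.7 hop that leaks the sender's internal addressing. In production, the same parsing is the front end of the anomaly detection described above; the look-alike check is deliberately narrow (digit substitution plus a single edit), and real deployments extend it with Unicode confusables and a list of the organization's legitimate sending domains.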

Reviews of policies and procedures, including separation of duties, are recommended. There are also numerous cybersecurity software and training tools that reduce the scope for social engineering and unauthorized access. Some data center operators use automated open-source intelligence (OSINT) software to scan social media and the internet for mentions of keywords, such as their organization's name, that appear alongside terror-related language. Some use automated cybersecurity tools to conduct open-source reconnaissance of their own exposed critical equipment and digital assets before an attacker does.

The insider threat is impossible to control fully, but it can be mitigated by adding layers of security.

The full report Data center security: Reassessing physical, human and digital risks is available to members of Uptime Institute.