PCI-DSS Requirements for Backup Power Security

Greetings and welcome back!  In today’s blog we are going to look at a critical segment of PCI-DSS security that is often overlooked: PCI-DSS Requirements for Backup Power Security.  To begin with, PCI PIN Security Requirements and Testing Procedures require the use of an Uninterruptible Power Supply (UPS) as given in the following section:

32-5 All access-control and monitoring systems (including intrusion-detection systems) are powered through an uninterruptible power source (UPS).

This makes good sense because, in the event of a power failure, if security access control and monitoring systems are offline, someone could easily force their way into a network closet and your data rack and simply pick up the server and walk out with it.  Needless to say, you must have enough power to ride through a significant power outage, but how much backup power is enough?  PCI-DSS standards do not say, but it is interesting to note that the FCC now requires telecom providers to supply 8 hours of backup power to any IP-based telephone system or line.  While that may seem like a long time, consider this: the loss of power for a utility customer in the US can average nearly 5 hours in length, as this annual report from the US Energy Information Agency shows.

PCI-DSS Requirements for Backup Power Security

Let’s take a look at the detail of this chart.  The total time of an outage is broken down into “non-major events” and “major events”.  Non-major events tend to be local outages caused by such things as a blown transformer within a utility system.  Major events are normally related to weather, such as significant thunderstorms.  As the graph shows, major events are always longer, on average, than non-major events within a utility’s own system.  But even the best performance for outages – from municipally owned utilities – shows a nearly one hour power outage for a system-caused problem, and the municipal utility average for a major event was 2 hours.

The long and short of this is that, if you fall under PCI-DSS, you need to back up the security systems protecting your server’s data for a minimum of 2 hours.  If you are within an investor-owned utility’s service area, the average outage with a major event is 3.5 hours, and with a co-op it’s nearly 5 hours.  So, if you fail to provide the proper backup and someone simply walks in and steals your server, you would be liable under the “reasonable man” concept of law in any credit card lawsuits that result from this type of data loss.

In addition to purchasing a UPS with sufficient battery backup time, you also need to monitor that UPS and its battery time.  Why do you need to do this?  The answer is that batteries, whether in your car or in a UPS, degrade over time.  With each passing year they provide less and less of the power that you need.  In addition, batteries degrade with each cycle in which they are used.  So, if your site is located in an area where there are lots of power flickers, those sub-second flickers actually cause the UPS to go onto battery and will also shorten the backup battery life.

Fortunately, most UPS systems provide a serial or network port that allows you to monitor the battery conditions and ensure that you will have the necessary battery backup time if it is needed.  Our RackGuardian product was designed to secure a rack and protect its power systems from physical, operational or cyber problems.  RackGuardian integrates with any type of card-key or biometric door locking system, allowing you to be fully compliant with PCI-DSS physical security requirements.  In addition, RackGuardian plugs into the network or serial port of your UPS as well as your Rack Power Distribution Unit (PDU) to secure these systems from a cyber or physical attack and to monitor their system integrity.  RackGuardian’s exclusive and patented power analytics will provide you with an early warning of any problem with your battery system, ensuring that you have the battery backup time available when you need it.

Think about these things a bit, and we would be more than happy to have a confidential discussion about protecting your data and your backup power systems.  In fact, our experts can actually help you choose the best power system for you from the numerous sources available to us.  So, until next time,


Be Well!

PCI-DSS Breaches and Data Rack Security

Greetings and welcome back!  In this week’s blog, we begin a new series on PCI-DSS Breaches and Data Rack Security.  Every retailer must keep their systems secure, and PCI-DSS standards require strict control over the cyber, physical and operational security of data racks.  But as we shall see in today’s blog, there is a huge gap between what individual retailers believe suffices for PCI-DSS compliance and actual compliance with these standards.

To begin with, there are 12 individual security requirement categories in PCI, and each must be followed carefully to be in compliance.  If a user is in compliance with all 12, statistics show that they will be much less likely to have a breach.  In addition, if a breach does occur, the liability to the user is substantially less if all 12 requirements had been followed carefully.  Unfortunately, many organizations believe that they are complying with these 12 standards when in fact they are not.

A great example of this comes from the most recent Verizon PCI Compliance Report.  In this report, all users were asked if they were in compliance with all 12 categories of PCI compliance.   Then, users who suffered a breach were asked to provide a post-breach assessment of their actual compliance levels.  It is an eye-opening report to say the least and one thing that jumped out to me was the overall compliance levels in Requirement 12 – Maintaining an Information Security Policy Standard.  As you can see from the chart below, while 65% of overall users had a 3rd party compliance certification for Requirement 12, only 10% of users that were breached were actually compliant in this area.  In other words, those who are relying on a mere certificate are taking enormous risks with their data.

PCI-DSS Data Rack Security Requirements

Let’s look at a couple of areas in Requirement 12 that have led to some serious data breaches in the past few years.

“Malicious individuals may breach physical security and place their own devices on the network as a ‘back door.’ Personnel may also bypass procedures and install devices.”

It is all too common to have a data rack that is not physically secured, where any individual with the will to do so can open the rack door and place a device that can be used as a back door into a credit card data server.  This type of attack is sometimes known as a Man-In-The-Middle (MitM) attack.  One way that this is done is for a user to place a router that is different from the existing Internet router, as described in this excellent research article by Towson University’s computer science department.  By this simple procedure, anyone with even modest hacking skills can create a back door into a retailer’s credit card data servers and can essentially steal data at will.

Another item pointed out in the text of Requirement 12 is that data thieves can create back doors by using existing devices that provide remote access to systems within a data rack.  One way that this is being done is to use the networked Uninterruptible Power Supply (UPS) or Power Distribution Unit (PDU) to create a back door to the credit card server’s data.  Again, the text in Requirement 12 specifically addresses this issue as follows:

Remote-access technologies are frequent “back doors” to critical resources and cardholder data. By disconnecting remote-access technologies

This type of attack has been successfully carried out already in a recent attack that caused millions of dollars in losses as can be seen here.  Because PCI-DSS standards require the use of UPS systems to protect system data, all users should have a UPS and should have a remote monitoring package for their backup power to ensure that their backup systems are working.  However, any remote monitoring system for the UPS MUST be implemented in a way in which no one would have the ability to connect to the UPS without authorization.

Our RackGuardian system is a perfect answer to both the physical access security issues that can be used to create a man-in-the-middle attack and to protecting and securely monitoring your Uninterruptible Power Supply.  Please think about these things and feel free to give us a call to have a confidential discussion about how we can help you become PCI compliant and greatly reduce your chances of having your credit card data stolen.

Until Next Time,

Be Well!


HIPAA Environmental Monitoring Standards

Greetings and welcome back!  This week we continue our series on the cyber, physical and operational security standards for HIPAA compliance.  Specifically, we take a look at HIPAA Environmental Monitoring Standards for the cooling and protection of the servers where your ePHI is stored.

SECURING ENVIRONMENTAL MONITORING AND CONTROL SYSTEMS

Medical records must be protected from more than just cyber or physical threats. HIPAA Security standards require that they must also be protected from destruction in the event of a natural or environmental event. This is specifically provided for in

HIPAA Section 164.304: “Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards…”

What are some of the environmental hazards that can cause downtime, damage or data loss in electronic information systems?  Here are a few that have been singled out in data environments:

  1. HVAC Cooling failure in server room or network closet resulting in overheated servers and downed ePHI systems
  2. Server cooling fan failure resulting in shutdown of ePHI server
  3. Water leak over servers or network equipment resulting in destruction of ePHI servers and data

All of these environmental problems are real problems that are often cited as causes of failure of Information Systems equipment. As shown in this recent study of IT systems failure by the Uptime Institute, environment-related failure is the 3rd largest cause of system downtime.  If you add “Weather Related” failures, including water from heavy rains, etc., over one quarter of all IT system failures are due to environmental causes.

HIPAA Environmental Monitoring Standards

HIPAA requires all covered entities and business partners to have environmental monitoring for the rooms that contain their ePHI, but very few have taken this requirement seriously.  Because over a quarter of all ePHI system failures and data loss are related to environmental causes (and data loss is a HIPAA violation), it is penny-wise and dollar-foolish to fail to provide proper environmental monitoring for your server rooms.

Our RackGuardian system is purpose-built to provide cyber, physical and operational protection for all of your environmental control systems.  Please think about this and feel free to give us a call to confidentially discuss the protection of your critical server and network rooms.

Until Next Time,

Be Well!


HIPAA Backup Power Standards for Server Racks

Greetings and welcome back!  This week we continue our series on cyber, physical and operational security standards with a look at HIPAA Backup Power Standards for Server Racks.  Many entities who are under HIPAA requirements are unaware that there are exacting operational standards for backup power and environmental control of the servers which contain ePHI.  It is our hope that this blog will bring those standards to light so that compliance with them will be greatly enhanced.

Let’s focus on the Backup Power Standard and how to be in full compliance with its requirements.

Section 164.308(a)(7)(ii)(C): “Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. When a covered entity is operating in emergency mode due to a technical failure or power outage, security processes to protect EPHI must be maintained.”

To begin with, while a small number of organizations find themselves on a power grid segment that rarely goes down, the simple fact is that almost every facility has at least one power problem during the year.  Our local utility – PG&E – republished an excellent article entitled “How to guard computers and sensitive electronic equipment from expensive downtime and unscheduled maintenance”.  Even though this article is nearly 20 years old, the fact is that power problems have not changed, nor have the means needed to protect data from power problems.  The only change is that the technology used in these data protection systems has been significantly upgraded in the past few years.

In this article, PG&E cites a number of power problems and solutions but, generally, the problems and solutions fall into 3 categories:

  1. Power outage or transient – requires an Uninterruptible Power Supply (UPS) and potentially a backup generator
  2. Power surge – requires a Power Distribution Unit (PDU) with a surge suppressor

A UPS can protect your data from a power outage or a transient such as a power spike or dip.  However, only what is known as an “on-line” UPS can provide true protection from any type of outage or transient.  An on-line UPS uses what is known as “double-conversion” technology, where a rectifier converts the AC power wave into DC and then an inverter creates a new and clean AC power wave from scratch.  A battery or string of batteries is included in the circuit to provide ride-through AC power during the transient or outage.

The bottom line is that a true on-line UPS can protect your data from improper destruction – a HIPAA requirement – and can provide continuous access to records during an emergency condition – also a HIPAA requirement. The one type of power disturbance that often seems to throw UPS units into fits is a power surge that happens so quickly the UPS simply can’t protect the load.  To protect against this problem, high-quality Rack PDU units can provide excellent surge suppression.  While we won’t go into technology specifics here, there is a very good correlation between the price of a Rack PDU and its internal technology, so please don’t be penny wise and dollar foolish in purchasing a PDU.

Now, when you add a backup power and surge suppression system, you will also need to monitor these units to ensure that they are properly protecting your data.  For example, you need to know that the UPS’s battery is available and fully charged, and you need to know when the UPS is on battery for a transient.   You also need to know when a power surge has hit your PDU units.  But, while you need to monitor your UPS and PDUs to be HIPAA compliant, the communications protocol used for this monitoring – Simple Network Management Protocol (SNMP) – is actually non-compliant in and of itself.  This well-done university research paper shows just how insecure SNMP monitoring of a UPS and PDU is.  This, then, creates a huge dilemma: how do you monitor your power systems securely if their communications are insecure?

Fortunately, RackGuardian has you covered.  RackGuardian does monitor all UPS and PDU parameters, but it does so inside its CYBER-SAFE COMMUNICATIONS ENVELOPE.  The unit blocks ANY outside attempt to read data or interfere with the power systems while it securely monitors all operational parameters and sends all of its data via an encrypted, secure link to our fully compliant cloud system.  The cloud system uses the same technology that you use to connect with your online banking to ensure HIPAA compliance.  The combination of all these factors means that you can securely monitor and protect your power systems from any type of cyber, physical or operational harm.

In sum, HIPAA requires all covered entities and business associates to support ePHI systems with backup power and power distribution units.  This is required to keep ePHI from being destroyed by a power problem and to keep ePHI data available during a power emergency.  You must monitor the health of your UPS and PDU systems, but you must do so in a way that does not expose these units to cyber, physical or operational attack.  RackGuardian is the only system that has been purposefully built to protect your UPS and PDU systems from all threats that could wreak havoc on your data.

Please think about your systems and we would be happy to have a confidential discussion about how you can protect your ePHI from all threats.

Until next time,

Be Well!


HIPAA Physical Security Standards for Server Racks

Greetings and welcome back.  This week we continue our blog series on the Cyber/Physical/Operational standards for HIPAA with a look at HIPAA Physical Security Standards for Server and Telecom Racks.  As we saw in our last blog, HIPAA breaches continue to grow in number and severity, and one of the key reasons for this growth is very poor physical security of electronic Protected Health Information (ePHI).  Let’s use this blog to examine the key physical security standards for HIPAA in order to better understand the types of security that must be put in place to be HIPAA compliant and reduce your chances of a disastrous security breach.

To begin with, please realize that the physical security standards for HIPAA are fairly lengthy, so we are posting only the first section, which deals specifically with Physical Access Security to your server and telecom rack(s).

A covered entity or business associate must, in accordance with § 164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

The key provision of the HIPAA Physical Security Statute is Physical Access Controls.  These access controls must be implemented to limit access to the electronic information systems and to the facility or facilities in which they are housed.

HIPAA 164.310 requires physical access controls on every server and telecom rack that contains ePHI and on the room in which each is located.

What type of access controls are required?  The covered entity or business associate must have a system that accomplishes 2 purposes.  Every HIPAA covered entity must:

  1. Restrict physical access to ePHI from those who do not have access authority
  2. Grant physical access only to those who have written access authority

Simply put, you must have a Physical Access Control System on every room containing ePHI and on the racks containing ePHI.  Please note that ePHI is stored both in Electronic Health Records (EHR) servers and on your IP-based phone system, which stores messages from patients. If your telecom and EHR servers are located in separate racks, you must either locate them in the same rack within the same room or ensure that all separate racks and their rooms have their own Physical Access Control System.  Failure to safeguard both EHR and telecom servers is a common mistake that violates HIPAA rules.

Putting a card or biometric access system into an existing server or telecom rack is not difficult, and it takes only about 20 minutes to install each one.  The largest brand is resold by AlphaGuardian Networks with the RackGuardian system, and all of its features are integrated into our product.   RackGuardian can integrate with a card-access or a biometric access system; it controls access to each rack and room, and it also logs entries and exits to a room and to each server and telecom rack.

Please remember that nearly half of all HIPAA breaches are physical in nature because very few organizations employ access controls both at the room level and on the individual racks containing ePHI.  Also review this chart from last week’s blog to understand the severity of failing to cover yourself for physical breaches – which are now nearly half of all HIPAA violations.

HIPAA Physical Security for Server Racks


Now, recall also from last week that nearly half of all physical access and theft violations were by insiders.  If that alarms you, it should, but the fact is that ePHI is worth a lot of money on the open market.  The value in ePHI is both as raw records – worth around $10 per record – and in ransomware – worth many thousands of dollars per rack.  As physical breaches grow, so do the number and total of HIPAA fines levied against healthcare providers and their business agents.

The Compliancy Group publishes all HIPAA fines levied and settled as of the latest week.  As you can see from the chart below, the total fines for HIPAA violations are skyrocketing and showing no signs of leveling off.  At the present rate of fines, the total for 2017 will be $41 million and, if trends continue, 2018 could approach $75 million.  Please bear in mind that this cost does NOT include the cost of legal settlements with individuals whose records have been breached.

Fines for HIPAA Violations

The long and short of this is that placing a Physical Access Security system on your server and telecom racks and on the room in which they are located is a very small price to be HIPAA compliant and avoid the enormous cost of fines and lawsuits.  Our patented RackGuardian unit is the only system on the market that integrates Physical Access Control for rooms and their server racks together with full Cyber and Operational security.  We would urge every reader to look carefully at this solution and we would be more than happy to have a confidential discussion about how to protect your ePHI from all threats.

Until Next Time,

Be Well!


HIPAA Breaches and Data Rack Security

Greetings and welcome back!  This week, we begin a look at HIPAA Cyber/Physical/Operational security, specifically addressing HIPAA Breaches and Data Rack Security.  This last week, the Federal Government’s Health Care Industry Cybersecurity Task Force released a stinging report on the continuing rise in HIPAA breaches and the failure of the cyber/physical/operational security solutions being employed.  Over the next few weeks, we hope to address some key points of data protection that are largely ignored by the large companies servicing the HIPAA marketplace.  We will begin this week with an overview of the 3 key aspects of HIPAA security:

  • Cybersecurity
  • Physical Access Security
  • Operational Security

The cyber security, physical security and operational security of your electronic Protected Health Information (ePHI) are all covered by HIPAA and the HITECH Act – which is where the penalties for HIPAA violations get their teeth.  And as the following graph shows, the actual data breaches reported during 2016 by Health and Human Services reflected a broad variety of incidents from each of these three areas.   As you look at this graph, several things may strike you as surprising:

  1. Unauthorized Physical Access (this means by a person who has been given access to the physical data) and Physical Theft comprise more than 1/3rd of all HIPAA violations.
  2. Unauthorized Cyber Access (again, meaning network access by someone who has been given access to the data) is nearly 1/5th of all HIPAA violations.
  3. Operational Incidents – where data is destroyed or lost – account for a significant share of HIPAA violations

HIPAA Regulations for Your Data Rack


Thinking about these facts for a minute, let’s now dive one step deeper to see exactly where these data breaches have come from. As research from Protenus shows, insiders actually accounted for more than 40% of all data breaches!  These are the unauthorized cyber and physical access incidents and part of the physical theft and operational incidents.

Let’s digest all of this information for a minute.  We know from the new government report that HIPAA breaches continue to rise despite companies spending more money on cybersecurity.  What we have learned from the actual breaches reported last year is the following:

  • 43% of all HIPAA Breaches were Physical or Operational Incidents
  • Most all of these Physical and Operational Breaches were related to Insiders

These facts make it very clear that relying purely on cybersecurity firewalls to protect your organization against data breaches is literally only covering about half of the problem.  The data in your system is largely located, at rest and in transit, in your data rack in your network room, and anyone who can gain access to that rack can steal data at will.  This is exactly the reason that we built RackGuardian – to protect from ALL threats – cyber as well as Physical and Operational.  We encourage the reader to look deeply at the full spectrum of security protection offered by RackGuardian, and we are always more than happy to confidentially chat with you about your own security needs.

Until next time,

Be Well!

TFTP Vulnerabilities for Rack UPS and PDUs

Hello and welcome back! In this week’s blog, we look at a very critical security flaw that exists in many SNMP Cards.  Specifically, we address TFTP Vulnerabilities for Rack UPS and PDUs.

TFTP Vulnerabilities Rack UPS PDU

To begin with, let’s talk about what FTP and its cousin, TFTP, are, and why TFTP poses a great security risk to any card with that protocol enabled. FTP stands for File Transfer Protocol; it is the standard means used by an SNMP communications card to upgrade its firmware. FTP normally has a basic layer of security in the form of a single password that, while fairly easy to sniff and capture, offers at least some form of protection. Unlike FTP, TFTP – or Trivial File Transfer Protocol – has absolutely no login or password options and, hence, anyone with access to the TFTP port on a communications card can gain access to that unit. Here is an excellent overview of TFTP put together by the computer science department at the University of Maryland.

This good article from the University of Maryland notes that the only form of security TFTP offers is a setup parameter to limit the origin or type of files that it accepts. Unfortunately, this is of very little help against a hacker of even medium skill level. What makes TFTP so dangerous is that it is normally used for the purpose of upgrading the firmware of a communications card. That means that a skilled hacker can load their own code onto your communications card, and that card can become a stealth backdoor for surveying and stealing information from your network.

To gauge how easily this could be done, we hired a college intern and gave him the task of creating his own version of firmware that would lock out the existing users from a brand-name Uninterruptible Power Supply and give him sole control of that unit. The SNMP card of this unit had TFTP fully functioning, and he used that as the key part of his strategy. Here is his quick summary of what he did.

I created a configuration file with new passwords known only to me, which gave me authority over all aspects of control of the UPS.

Once the configuration file was prepared, it was then added to the home directory of the assigned TFTP server.

The configuration file was then confirmed to have been successfully downloaded using the mfiletransferControlInitiateFileTransfer.

The device then restarted with the new settings applied and at that point, only I was able to communicate and control the UPS. All other users were locked out.

All in all, this college intern was able to complete this entire task in just a few hours, without having any prior knowledge of SNMP cards or similar systems. After studying this, we then saw that there are two very damaging things that a hacker can do to a UPS, a Power Distribution Unit (PDU) or a Computer Room Air Handler/Air Conditioner. These are as follows:

Place a backdoor to feed data to a hacker about all data center equipment, their operating conditions, maintenance, etc.

Place a backdoor to use in gathering and stealing data from servers on the same or adjacent network

I can say that we are aware of specific instances in which one of these two items has been done through a UPS SNMP card in a mission-critical data facility. Because of this, we have little doubt that this is a tool used by hackers – including nation states and rogue foreign companies – to gain valuable insights into the operations and secrets of various companies and organizations. Because of these facts, we urge the readers of this blog to check whether you have TFTP enabled on ANY of the communications cards in your data centers, server rooms, network closets or telecom rooms. Please remember that a hacker only needs to enter ONE unit to ultimately have the tools he needs to spy on and steal from your organization.

TFTP Vulnerabilities for Rack UPS and PDUs are a widespread problem. A quick survey of major UPS and PDU manufacturers shows that ALL of them use TFTP on at least some of their cards. If you have TFTP on any of your communications cards, we would recommend that you place a RackGuardian (for rack-based PDU, UPS and cooling systems) in front of these units to securely monitor them and to firewall the bad guys from ever gaining access. If one of your cards has already been compromised, CyberGuardian and RackGuardian are the only two units on the market that will not only keep the bad guys from getting into your systems but also keep any malware that has already been implanted from communicating outbound.

Please think about these things this week and, if you would like to have a confidential conversation about protecting your critical power and cooling systems, please feel free to give us a call.

Until Next Time,

Be Well!

Server and Telecom Rack Physical Security Compliance

This week, we continue our series on: The 3 Functions of Rack Security Compliance. As a quick reminder, these 3 functions are the following:

  1. Cybersecurity
  2. Physical Network Security
  3. Operational Security

This week, we focus on the second function of data center security compliance, namely Physical Network Security. Physical Network Security systems in most data centers consist of 3 layers:

  1. Perimeter access security
  2. Rack physical access security

It’s important to understand that most physical access security systems use standard protocols to make communication easy. Just as SNMP is the most common protocol used for network management communications, the Wiegand protocol is the most common protocol used for security management communications. Since few have heard of Wiegand, the first question is: what is the Wiegand protocol? The answer is that it is actually a group of standards all under one collective heading. It includes a method of communication between the card or fob reader and the controller unit, as well as methods for storing data on both the card or fob and the controller. We are focusing on the communication aspect of the system, as that is where much of the vulnerability lies.

Much of what I am sharing today comes from several well-documented research projects that target Wiegand-based access systems. Brad Antoniewicz from the Open Security Research group at Foundstone Security, a part of Intel Security, has done excellent research in this area. You may want to read his blog post about Wiegand vulnerabilities here, and you may see an excellent presentation that he gave that is posted online here. Brad shows in his blog and his presentation that it is easy to establish a man-in-the-middle attack on a card access system. That’s because the process is very easy to execute in a small time frame and with limited tools and resources. Just as SNMP is vulnerable to virtual man-in-the-middle (MitM) attacks on network systems, so too card access systems can be attacked by a physical MitM to gain entry to data centers and data racks.

With a simple Arduino board and some good logic, Antoniewicz shows us that you can gain access to any Wiegand-based card access system whose reader wiring you can reach. The protocol is trivial to duplicate, and you can use something as simple as a battery-powered Arduino spliced between the reader and the controller to record the bits of a valid card and play them back later, gaining entrance to a data rack and its valuable data. It turns out that, while some parts of card access systems do offer some level of encryption (for example, the server usually offers HTTPS for remote management), the communications from the card reader to the controller are almost always sent in the clear with no authentication, and so are open to interception. This allows an attacker to read, inject and ultimately hijack the reader's output to gain full access to that facility or rack.
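To make that concrete, the following is an added example (it is not code from this post, nor from Antoniewicz's or anyone else's published tools) that does in Python what a spliced-in board does in hardware: turn a captured pulse train from the DATA0/DATA1 lines into bits, parse the common 26-bit format with its two parity bits, and produce the pulse schedule for a replay. The captured card (facility code 42, card number 1234) and the 2 ms bit spacing are constructed for the example. Note what is absent: there is no key, nonce or reader identity anywhere in the frame, so the replayed frame is bit-for-bit identical to the captured one.

```python
"""Wiegand 26-bit capture, decode and replay (added example, not vendor code).

A Wiegand reader sends each bit as a short pulse on one of two wires: a pulse
on DATA0 is a 0 bit, a pulse on DATA1 is a 1 bit, and the controller just
counts pulses. The common 26-bit format is:
  bit 0      even parity over bits 1..12
  bits 1-8   facility code
  bits 9-24  card number
  bit 25     odd parity over bits 13..24
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int
    card_number: int


def pulses_to_bits(pulses):
    """pulses: (time_us, line) pairs, line 0 = DATA0, 1 = DATA1, any order.

    Ordering by timestamp recovers the bit sequence the controller would see.
    """
    return [line for _, line in sorted(pulses)]


def decode_w26(bits):
    """Parse a 26-bit frame; a parity failure is what a noisy splice or a badly
    timed injection usually looks like, so a supervising device should alert on it.
    """
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    if bits[0] != sum(bits[1:13]) % 2:
        raise ValueError("even parity failure over bits 1-12")
    if bits[25] != 1 - sum(bits[13:25]) % 2:
        raise ValueError("odd parity failure over bits 13-24")
    facility = int("".join(map(str, bits[1:9])), 2)
    card = int("".join(map(str, bits[9:25])), 2)
    return Credential(facility, card)


def encode_w26(cred):
    """Build the 26-bit frame for a credential (what a replay board emits)."""
    body = [int(b) for b in f"{cred.facility_code:08b}{cred.card_number:016b}"]
    even = sum(body[:12]) % 2          # parity bit over bits 1..12
    odd = 1 - sum(body[12:]) % 2       # parity bit over bits 13..24
    return [even] + body + [odd]


def replay_pulses(cred, period_us=2000, start_us=0):
    """(time_us, line) schedule a spliced-in board would drive onto the wires.

    The 2 ms spacing is an assumption; the controller only counts pulses.
    """
    return [(start_us + i * period_us, bit) for i, bit in enumerate(encode_w26(cred))]


def capture_to_credential(pulses):
    """Full sniffer path: pulses -> bits -> (facility code, card number)."""
    return decode_w26(pulses_to_bits(pulses))


# Constructed capture for the example: facility 42, card 1234, one pulse per
# bit, 2 ms apart. Not data from any real site.
CAPTURED_BITS = [int(b) for b in "10010101000000100110100100"]
CAPTURED_PULSES = [(1000 + 2000 * i, bit) for i, bit in enumerate(CAPTURED_BITS)]

if __name__ == "__main__":
    cred = capture_to_credential(CAPTURED_PULSES)
    print("captured:", cred)
    replay = replay_pulses(cred)
    print("replay identical to capture:", pulses_to_bits(replay) == CAPTURED_BITS)
```

The parity checks are the only integrity mechanism the format has, and they protect against line noise, not against an attacker who computes them correctly. That is why the practical defenses are supervising the wiring for tampering and using readers and controllers that support an authenticated reader-to-controller protocol, rather than anything that can be done with the Wiegand bits themselves.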

For those of you who really want to take a deep dive on the subject of access card reader hacking, including hacking the actual RFID signal from the access card, here is a truly detailed report from Bishop Fox. This presentation was very well received at the DefCon hackers convention in the summer of 2015 and it is considered the definitive published work on the easiest means of hacking access security cards. Everyone who uses a security access card system should familiarize themselves with this report.

So what is the bottom line here? It is that access cards are easily hacked. The communications on a card access system are NOT supervised, authenticated or encrypted; they pass freely in an open protocol format from point to point. Similarly, the RFID signal from a low-frequency proximity card is broadcast without any authentication, and anyone within read range can capture that signal and use it to create a duplicate card or otherwise attack the access system. Anyone who can gain access to the wire or the wireless data from a card can gain access to whatever that card system is supposed to be protecting.

Fortunately, there is an answer to this huge security hole. Our RackGuardian has a plug-in product known as the EnviroScout which can inspect and supervise ALL communications from the Wiegand-based reader to the controller. If this device sees any signs of tampering, the RackGuardian will immediately send a message to our server and then to our iOS app within 2 seconds of detection. The combination of instant notification to your mobile device coupled with our on-board analytics to catch any signs of tampering gives you the security that you need in your data center.

As a reader of this blog, you know that security compliance is serious business and it's getting more pervasive all the time. The published research cited above shows that existing card access systems fail a simple third-party security test. Please consider discussing your physical security needs with one of our experts and lock down your data center and data racks today.

Until next time,

Be Well!

Server and Telecom Rack Cybersecurity Compliance

Welcome back! We continue this month on the 3 Functions of Server and Telecom Rack Security Compliance.  This month's blog is: Server and Telecom Rack Cybersecurity Compliance. To begin with, whether you remotely host your servers offsite or you have your own data center(s), you need to have the ability to remotely manage the systems in your racks. These systems include the following groups of items:

Processing and Storage
Networking Systems
Power, Environment and Security

All of these systems need to be managed remotely at some point, and each of them is typically managed by SNMP from a central console system. Sadly, as this peer-reviewed paper from Georgia Tech demonstrates, even the supposedly secure SNMPv3 can be attacked in practice. Both SNMPv1/v2c agents, whose community strings travel in plaintext, and SNMPv3 agents, through weaknesses in the protocol and in how devices implement and deploy it (in practice this usually means authentication without privacy, or passwords weak enough to be guessed offline from captured traffic), can be taken over by unauthorized individuals or groups, and the results are devastating.  The bottom line is that, while you need to remotely manage your systems to keep them working, the very process of remote management can expose your data to cyber criminals. The question then becomes: What can SNMP exploits do to my data?  The answer can be seen in the chart below:

Server and Telecom Rack Security Compliance

As you can see, it is mainly the power, environmental and security systems that are at risk.  Processing/storage and networking systems are typically reached on ports 80 and 443 and are normally guarded by the perimeter firewall and often by a locally resident firewall as well.  However, power, environment and security systems are normally not protected or, if they are protected, such protection often fails to inspect the SNMP packets being sent to and from them. The simple fact is, as Table 1 from the Georgia Tech paper demonstrates, it is easy to reach SNMP-enabled systems and change settings in ways that can destroy data stored in the servers and storage systems to which these systems are attached. A single SNMP SET request that switches off a rack PDU outlet or a cooling unit, for example, takes the attached servers down with it. As the Table also shows, it is possible to launch Denial of Service (DoS) attacks through several of these systems, effectively shutting down that network segment and access to its data.
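Inspecting those SNMP packets is less work than it sounds, because SNMPv1 and v2c are plain BER over UDP with no protection at all. The following is an added example, not RackGuardian code: a small Python decoder that reads the version, community string, PDU type and varbind OIDs out of a datagram payload and flags SET requests, default community strings, and SETs against OIDs you list as power or environment controls. The two packets are hand-encoded for the example (not captured from any real device), and the enterprise OID 1.3.6.1.4.1.99999.1.2.1 is a placeholder for a real PDU vendor's outlet-control object.

```python
"""Flag SNMPv1/v2c writes to rack infrastructure (added example, not vendor code).

Decodes only the BER structures an SNMP message uses: SEQUENCE, INTEGER,
OCTET STRING, OBJECT IDENTIFIER, NULL and the context-tagged PDUs.
"""
from dataclasses import dataclass, field

PDU_NAMES = {0xA0: "GET", 0xA1: "GETNEXT", 0xA2: "RESPONSE", 0xA3: "SET",
             0xA4: "TRAPv1", 0xA5: "GETBULK", 0xA6: "INFORM", 0xA7: "TRAP"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}
# OIDs whose SET is a physical action. Enterprise 99999 is a placeholder for a
# real PDU vendor's outlet-control object; fill this from your devices' MIBs.
POWER_CONTROL_OIDS = {"1.3.6.1.4.1.99999.1.2.1": "rack PDU outlet control (hypothetical OID)"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER tag-length-value at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated packet")
    return tag, buf[pos:pos + length], pos + length


def decode_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_oid(value):
    """First octet packs the first two arcs (40*x + y); the rest are base-128."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


@dataclass
class SnmpSummary:
    version: str
    community: str
    pdu: str
    oids: list = field(default_factory=list)
    alerts: list = field(default_factory=list)


def inspect(packet):
    """Summarise one SNMP datagram payload and list what an analyst should see."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, ver, pos = read_tlv(msg, 0)
    version = VERSIONS.get(decode_int(ver), "unknown")
    if version not in ("v1", "v2c"):
        # v3 wraps the PDU in msgGlobalData/securityParameters and may encrypt it;
        # stop here rather than guess at its structure.
        return SnmpSummary(version, "", "unparsed", alerts=["not v1/v2c: PDU not inspected"])
    _, community, pos = read_tlv(msg, pos)
    community = community.decode("ascii", "replace")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    summary = SnmpSummary(version, community, PDU_NAMES.get(pdu_tag, f"0x{pdu_tag:02X}"))
    if community in DEFAULT_COMMUNITIES:
        summary.alerts.append(f"default community string '{community}'")
    if pdu_tag == 0xA4:                    # v1 trap has a different body layout
        summary.alerts.append("v1 trap body not parsed")
        return summary
    pos = 0
    for _ in range(3):                     # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    pos = 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_bytes, _ = read_tlv(vb, 0)
        oid = decode_oid(oid_bytes)
        summary.oids.append(oid)
        if summary.pdu == "SET":
            summary.alerts.append(f"SET on {oid}")
            if oid in POWER_CONTROL_OIDS:
                summary.alerts.append(f"SET on {POWER_CONTROL_OIDS[oid]}")
    return summary


# Constructed packets (hand-encoded BER for this example, not real captures).
# SNMPv2c SET, community "private", writing INTEGER 2 to the placeholder outlet OID.
SET_OUTLET = bytes.fromhex(
    "302b" "020101" "040770726976617465" "a31d" "02012a" "020100" "020100"
    "3012" "3010" "060b2b06010401868d1f010201" "020102")
# SNMPv2c GET, community "public", for sysDescr.0 (1.3.6.1.2.1.1.1.0).
GET_SYSDESCR = bytes.fromhex(
    "3026" "020101" "04067075626c6963" "a019" "020101" "020100" "020100"
    "300e" "300c" "06082b06010201010100" "0500")

if __name__ == "__main__":
    for name, pkt in (("SET_OUTLET", SET_OUTLET), ("GET_SYSDESCR", GET_SYSDESCR)):
        s = inspect(pkt)
        print(name, s.version, s.community, s.pdu, s.oids, s.alerts)
```

Run against a live tap, the same decoder tells you in one pass which hosts are issuing SETs to your PDUs and UPSes, and which are still using "public" or "private"; anything in either list that is not your management console is worth a look. It deliberately refuses to guess at SNMPv3, where the scoped PDU may be encrypted and the message must be judged by its security parameters rather than its contents.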

 

To protect your data, you need to protect your rack infrastructure. AlphaGuardian's RackGuardian system is the only system on the market that is uniquely focused on protecting your data by protecting the security of your rack infrastructure. Power systems such as rack PDUs and UPSes, cooling systems such as in-rack cooling, and security systems all rely on SNMP. Our RackGuardian unit attaches to these systems and locks out ANY attempt to communicate with them.  At the same time, it securely gathers all the information that you need about your power, environment and security via its secure private network port. All information is then sent via an encrypted push communication to a certificate-based data server. The result is that you get all the information that you need for remote rack management while keeping all of your systems, and your data, completely safe.

Please think about this for a bit and let us know how we can help you.

Until next time,

Be Well!

Three Key Functions of Server Rack Security Compliance

Welcome back. This month’s blog is: The 3 Functions of Data Rack Security Compliance. In this week’s blog, we will discuss the 3 Functions and dive into detail on the first Function. In subsequent blogs, we plan to expand and look in detail at each of these 3 Functions. With that said, let’s introduce The 3 Functions of Data Center Security Compliance:

  1. Cybersecurity
  2. Physical Network Security
  3. Operational Security

This week, we will highlight the first of the 3 Functions: Cybersecurity. In today's world, saying that cybersecurity is at the top of the list for security compliance is a rather obvious statement. That being said, what we will discuss about flaws in almost every cybersecurity strategy is meant to prompt the reader to look at additions to their existing cybersecurity plans. Today, cybersecurity is largely focused on the perimeter of the network with the intent of keeping the bad guys out of the servers and networking equipment. That is a critical goal and no one should criticize it. But, as Forrester Research points out:

“Data from Forrester’s annual Forrsights security survey shows that insiders (whether through malicious or accidental actions) were more likely than external attackers to be the cause of breach across North American and European enterprises and SMBs. Once an attacker gets past the M&M shell of today’s networks, he has insider access to all the resources in the network.”

The problem of insider-originated attacks is only growing worse through the BYOD revolution that extends from data centers to network closets to the networks found in every single office facility. In short, if you have a mobile device that is infected with malware, you will soon have networks infected with malware. According to Motive Security Labs, the number of mobile devices infected with malware now equals that of Windows laptops. This clearly shows how easily a data center, network closet or office facility can become infected with malware.

But malware needs a place to hide in order to do its job effectively. That is why, according to the Ponemon Institute's recently released figures for 2014, over 90% of all malware infections are not discovered until more than 90 days after the initial compromise. We have found that some of the best hiding places in a network are SNMP-enabled rack power and environmental infrastructure: rack PDUs, rack UPSes and rack environmental monitoring systems. All sit in close proximity to servers and data storage systems and, since these devices share a management network with the SNMP-enabled servers and storage systems around them, a compromised one makes those servers and storage systems an easy target.

Here is the problem that we have discovered: everyone is focused on protecting the perimeter, some are looking at traffic on the interior, but no one is really focused on the management traffic. It all simply gets a pass. If you try to somehow sort out what is "good" management traffic and what is "bad" management traffic, you get into an endless loop. We believe that we have solved the problem by creating a Smart Firewall that gathers all SNMP data INSIDE the data rack via a secure private port, scans that data for cyber, physical and operational anomalies, and then securely PUSHES all of this data to a management server. In this way, each data rack has its SNMP-enabled infrastructure protected by plugging the management port of each rack device into a private hub, and that private hub is then plugged into the private port of the Smart Firewall.

You can then manage from the server by having access to the data that comes from the SNMP ports of each device in each rack. In order to ensure the security of the server, we provide a digital certificate-based system to which only a trusted individual can have access. At the end of the day, you get all the SNMP data that you want, you have it presorted by our own systems analytics (say goodbye to setting all those alarm set points by hand) and you get instant notification of any statistically significant event on your iOS device.

Please think about how you are managing the Cybersecurity function in your organization. If you have given a pass to SNMP data traffic, please realize that you have given an easy entrance into your data storage systems. That is where our product shines, by protecting all your critical SNMP-based systems while still allowing you to get all the data that you need to remotely manage those systems.

Please think about this and, until next time,

Be Well!