Network Closet Vulnerabilities – Cybersecurity

Greetings and welcome back!  In today’s blog we will look at the problem of cybersecurity in network closets and small server rooms.  This is of particular importance to those who fall under the requirements of HIPAA, PCI-DSS or Gramm Leach Bliley as they make no distinction in where the data is located or the size of the data room.  In fact, while larger data centers often have layers of physical and cybersecurity, smaller network closets and server rooms have little, and in some cases no meaningful physical or cybersecurity.

There is a large group of smaller network rooms whose only cybersecurity is an inexpensive firewall box, which is easily evaded by a hacker.  Hackers and professional cyber criminals do not like to leave a trail to follow, so once they enter a network they often look for a device in which to hide out while they explore the network and look for targets from which to steal data.  We have found that a favorite hiding place for these criminals is inside the network card of a Rack UPS or Power Distribution Unit (PDU).  In fact, one of the most spectacular data thefts in the past couple of years was executed through the Rack PDU of a cloud service provider.  This excellent article shows how the Rack PDUs were used as a jumping-off point into the servers in order to steal data.

In addition to using a Rack UPS or PDU as a hiding place from which to launch an attack on the servers within that rack, these networked power units can also be used to shut down servers and even to destroy the data in the servers.  The widely publicized Ukrainian power plant hack was an excellent example of how a UPS system can be used to shut down and then wreak havoc on servers.  In this case, malware was used to program two UPS units to shut down at exactly the same time, cutting power to all critical servers and desktops in the power plant.

If your systems are covered under security regulations, they must have backup power systems and, if they have backup power systems, those systems also must be protected from hackers.  It is wishful thinking to assume all cyberattacks on a server will come through the front door.  In today’s world of increasingly sophisticated bad guys, back doors to servers – such as those offered by UPS and PDU systems – make perfect cover for a data thief.

Fortunately, RackGuardian was designed from the ground up both to monitor your network/server room power and environment and to provide full firewall protection at the same time.  That’s because RackGuardian includes a private network port on which to query any SNMP or Modbus system securely in its own cyber-safe envelope.  RackGuardian seals off all units that it monitors because its second network port pushes data to the cloud but will not accept ANY attempts to connect to it.  All of the SNMP and Modbus systems being monitored by RackGuardian are invisible to the outside world because there is no way to get through the RackGuardian to see them.

If you have network closets and server rooms that need to be protected, please don’t just protect the front door of your servers; protect the back door of your UPS and PDU units and keep the bad guys at bay!

Until Next Time,

Be Well!


Gramm Leach Bliley Requirements for Data Rack Security

Greetings and welcome back!  In this week’s blog we look at the Gramm Leach Bliley Requirements for Data Rack Security.  The Gramm Leach Bliley Act (GLBA) covers security requirements for all organizations that handle confidential information related to loans.  This Act is broad-based and covers data about everything from student loans and auto loans to home mortgages.  In short, just about everyone of college age and above has at least one set of data stored somewhere that is covered by GLBA.

Who are the companies that are specifically covered by GLBA?  These include the following:

  • Insurance companies, brokers and their agents
  • Colleges and universities, student loan providers and brokers
  • Mortgage providers, brokers and title insurance companies
  • Stock brokers, financial advisors and banks

Because GLBA covers such a large group of organizations, many may not be fully aware of the specifics of the GLBA requirements as they relate to the protection of data security.  The protections required by GLBA include:

  • Physical Security of the room and data rack(s) in which data is stored
  • Cybersecurity for all networked devices (regardless of type) that are on the data network
  • Operational Security for all servers and supporting power and environmental systems

Under the GLBA Safeguards Rule, all specific security requirements for financial organizations are listed in the Federal Financial Institutions Examination Council’s (FFIEC) IT Examination Handbook.  This is literally “The Book” that an examiner uses to judge whether financial records are being kept in accordance with the GLBA.  This book is fully online and can be seen in full here.  Over the next few weeks we will be looking at the specifics in what we will simply refer to as the Handbook.  As we will see, it provides very specific requirements and leaves little to the imagination in the 3 areas of security listed above.

Because the Handbook for GLBA requirements is so specific, courts do not look kindly on the excuse of “I didn’t know about that requirement”.  It’s a classic case where the judge says: “Ignorance of the Law is NO Excuse.”  Just as the HIPAA regulations are now very clear and penalties are very harsh, so too, penalties under GLBA are quite severe.  Here is a summary of the penalties for a violation of GLBA:

  • The organization can be fined up to $100,000 for each violation.
  • Officers and directors of the financial institution can be fined up to $10,000 for each violation.
  • Criminal penalties include imprisonment for up to 5 years IN ADDITION to the fine.
  • Fines and penalties can be DOUBLED if it is shown that another law has also been violated in the process.

In sum, the Gramm Leach Bliley Act was put in place to protect the private financial information of individuals.  Significant fines have been levied because of data breaches, and other actions are likely.  In addition, the government is studying additional GLBA requirements that would require organizations to put in place a written plan to protect customer data and a written plan to respond in case of a data breach.

We want our readers to know that GLBA means business and we at AlphaGuardian mean business as well.  We are the only company that provides full physical, cyber and operational security solutions for GLBA.  The unique blend of both financial and IT backgrounds of the principals of the company allows us to address your needs as no other company can.  Think about this and, if you would like a confidential discussion on how you can better protect the data that has been entrusted to you, please feel free to give us a call.

Until Next Time,

Be Well!

PCI-DSS Requirements for Backup Power Security

Greetings and welcome back!  In today’s blog we are going to look at a critical segment of PCI-DSS security that is often overlooked: PCI-DSS Requirements for Backup Power Security.  To begin with, PCI PIN Security Requirements and Testing Procedures require the use of an Uninterruptible Power Supply (UPS) as given in the following section:

32-5 All access-control and monitoring systems (including intrusion-detection systems) are powered through an uninterruptible power source (UPS).

This makes good sense because, in the event of a power failure, if security access control and monitoring systems are offline, someone could easily force their way into a network closet and your data rack and simply pick up the server and walk out with it.  Needless to say, you must have enough power to ride-through a significant power outage but, how much backup power is enough?  PCI-DSS standards do not say but, it is interesting to note that the FCC now requires telecom providers to supply 8 hours of backup power to any IP-based telephone system or line.  While that may seem like a long time, consider this: the loss of power for a utility customer in the US can average nearly 5 hours in length as this annual report from the US Energy Information Agency shows.

(Chart: PCI-DSS Requirements for Backup Power Security – average outage duration by utility type)

Let’s take a look at the detail of this chart.  The total time of an outage is broken down into “non-major events” and “major events”.  Non-major events tend to be local outages caused by such things as a blown transformer within a utility system.  Major events are normally related to weather, such as significant thunderstorms.  As the graph shows, major events are always longer, on average, than non-major events within a utility’s own system.  But even the best performance for outages – from municipally owned utilities – shows a nearly one-hour power outage for a system-caused problem, and the municipal utility average for a major event was 2 hours.

The long and short of this is that, if you fall under PCI-DSS, you need to back up the security systems protecting your server’s data for a minimum of 2 hours.  If you are within an investor-owned utility’s service area, the average outage with a major event is 3.5 hours, and with a co-op it’s nearly 5 hours.  So, if you fail to provide the proper backup and someone simply walks in and steals your server, you would be liable under the “reasonable man” concept of law in any credit card lawsuits that result from this type of data loss.

In addition to purchasing a UPS with sufficient battery backup time, you also need to monitor that UPS and its battery time.  Why do you need to do this?  The answer is that batteries, whether in your car or in a UPS, degrade over time.  With each passing year they provide less and less ability to deliver the power that you need.  In addition, batteries degrade with each cycle in which they are used.  So, if your site is located in an area where there are lots of power flickers, those sub-second flickers actually cause the UPS to go onto battery and will also shorten the backup battery life.

Fortunately, most UPS systems provide a serial or network port that allows you to monitor the battery condition and ensure that you will have the necessary battery backup time if it is needed.  Our RackGuardian product was designed for securing a rack and protecting its power systems from physical, operational or cyber problems.  RackGuardian integrates with any type of card-key or biometric door locking system, allowing you to be fully compliant with PCI-DSS physical security requirements.  In addition, RackGuardian plugs into the network or serial port of your UPS as well as your Rack Power Distribution Unit (PDU) to secure these systems from a cyber or physical attack and to monitor their system integrity.  RackGuardian’s exclusive and patented power analytics will provide you with an early warning of any problem with your battery system, ensuring that you have the battery backup time available when you need it.

Think about these things a bit, and we would be more than happy to have a confidential discussion about protecting your data and your backup power systems.  In fact, our experts can help you choose the best power system for you from the numerous sources available to us.  So, until next time,


Be Well!

PCI-DSS Breaches and Data Rack Security

Greetings and welcome back!  In this week’s blog, we begin a new series on PCI-DSS Breaches and Data Rack Security.  Every retailer must keep their systems secure, and PCI-DSS standards require strict control of the cyber, physical and operational security of data racks.  But as we shall see in today’s blog, there is a huge gap between what individual retailers believe suffices for PCI-DSS compliance and actual compliance with these standards.

To begin with, there are 12 individual security requirement categories in PCI and each must be followed carefully to be in compliance.  If a user is in compliance with all 12, statistics show that they will be much less likely to have a breach.  In addition, if a breach does occur, the liability to the user is substantially less if all 12 requirements had been followed carefully.  Unfortunately, many organizations believe that they are complying with these 12 standards when in fact they are not.

A great example of this comes from the most recent Verizon PCI Compliance Report.  In this report, all users were asked if they were in compliance with all 12 categories of PCI compliance.  Then, users who suffered a breach were asked to provide a post-breach assessment of their actual compliance levels.  It is an eye-opening report, to say the least, and one thing that jumped out at me was the overall compliance level in Requirement 12 – Maintaining an Information Security Policy Standard.  As you can see from the chart below, while 65% of overall users had a 3rd-party compliance certification for Requirement 12, only 10% of users that were breached were actually compliant in this area.  In other words, those who are relying on a mere certificate are taking enormous risks with their data.

(Chart: PCI-DSS Data Rack Security Requirements – certified versus actual compliance for Requirement 12)

Let’s look at a couple of areas in Requirement 12 that have led to some serious data breaches in the past few years.

“Malicious individuals may breach physical security and place their own devices on the network as a ‘back door.’ Personnel may also bypass procedures and install devices.”

It is all too common to have a data rack that is not physically secured and where any individual with the will to do so can open the rack door and place a device that can be used as a back door into a credit card data server.  This type of attack is sometimes known as a Man-In-The-Middle (MitM) attack.  One way that this is done is for a user to place a router that is different from the existing Internet router, as described in this excellent research article by Towson University’s computer science department.  By this simple procedure, anyone with even modest hacking skills can create a back door into a retailer’s credit card data servers and can essentially steal data at will.

Another item pointed out in the text of Requirement 12 is that data thieves can create back doors by using existing devices that provide remote access to systems within a data rack.  One way that this is being done is to use the networked Uninterruptible Power Supply (UPS) or Power Distribution Unit (PDU) to create a back door to the credit card server’s data.  Again, the text in Requirement 12 specifically addresses this issue as follows:

Remote-access technologies are frequent “back doors” to critical resources and cardholder data. By disconnecting remote-access technologies

This type of attack has already been successfully carried out in a recent incident that caused millions of dollars in losses, as can be seen here.  Because PCI-DSS standards require the use of UPS systems to protect system data, all users should have a UPS and should have a remote monitoring package for their backup power to ensure that their backup systems are working.  However, any remote monitoring system for the UPS MUST be implemented in a way in which no one has the ability to connect to the UPS without authorization.

Our RackGuardian system is a perfect answer to solving both the physical access security issues that can be used to create a man-in-the-middle attack and the problem of protecting and securely monitoring your Uninterruptible Power Supply.  Please think about these things and feel free to give us a call to have a confidential discussion about how we can help you become PCI compliant and greatly reduce your chances of having your credit card data stolen.

Until Next Time,

Be Well!


HIPAA Backup Power Standards for Server Racks

Greetings and welcome back!  This week, continuing our series on cyber, physical and operational security standards, we take a look at HIPAA Backup Power Standards for Server Racks.  Many entities who are under HIPAA requirements are unaware that there are exacting operational standards for backup power and environmental control of the servers which contain ePHI.  It is our hope that this blog will bring those standards to light in a way that greatly enhances compliance with them.

Let’s focus on the Backup Power Standard and how to be in full compliance with its requirements.

Section 164.308(a)(7)(ii)(C): “Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. When a covered entity is operating in emergency mode due to a technical failure or power outage, security processes to protect EPHI must be maintained.”

To begin with, while a small number of organizations find themselves on a power grid segment that rarely goes down, the simple fact is that almost every facility has at least one power problem during the year.  Our local utility – PG&E – republished an excellent article entitled “How to guard computers and sensitive electronic equipment from expensive downtime and unscheduled maintenance”.  Even though this article is nearly 20 years old, the fact is that power problems have not changed, nor have the means needed to protect data from power problems.  The only change is that the technology used in these data protection systems has been significantly upgraded in the past few years.

In this article, PG&E cites a number of power problems and solutions but, generally, the problems and solutions fall into 3 categories:

  1. Power outage or transient – requires an Uninterruptible Power Supply (UPS) and potentially a backup generator
  2. Power surge – requires a Power Distribution Unit (PDU) with a surge suppressor

A UPS can protect your data from a power outage or a transient such as a power spike or dip.  However, only what is known as an “on-line” UPS can provide true protection from any type of outage or transient.  An on-line UPS uses what is known as “double-conversion” technology, where a rectifier converts the AC power wave into a DC signal and then an inverter creates a new and clean AC power wave from scratch.  A battery or string of batteries is included in the circuit to provide ride-through AC power during the transient or outage.

The bottom line is that a true on-line UPS can protect your data from improper destruction – a HIPAA requirement – and can provide continuous access to records during an emergency condition – also a HIPAA requirement.  The one type of power disturbance that often seems to throw UPS units into fits is a power surge that happens so quickly that the UPS simply can’t protect the load.  To protect against this problem, high-quality Rack PDU units can provide excellent surge suppression.  While we won’t go into technology specifics here, there is a very good correlation between the price of a Rack PDU and its internal technology, so please don’t be penny wise and dollar foolish in purchasing a PDU.

Now, when you add a backup power and surge suppression system, you will also need to monitor these units to ensure that they are properly protecting your data.  For example, you need to know that the UPS’s battery is available and fully charged, and you need to know when the UPS is on battery for a transient.  You also need to know when a power surge has hit your PDU units.  But while you need to monitor your UPS and PDUs to be HIPAA compliant, the communications protocol used for this monitoring – Simple Network Management Protocol (SNMP) – is actually non-compliant in and of itself.  This well-done university research paper shows just how insecure SNMP monitoring of a UPS and PDU is.  This, then, creates a huge dilemma: how do you monitor your power systems securely if their communications are insecure?

Fortunately, RackGuardian has you covered.  RackGuardian does monitor all UPS and PDU parameters, but it does so inside its CYBER-SAFE COMMUNICATIONS ENVELOPE.  The unit blocks ANY outside attempt to read data or interfere with the power systems while it securely monitors all operational parameters and sends all of its data via an encrypted, secure link to our fully compliant cloud system.  The cloud system uses the same technology that you use to connect with your online banking to ensure HIPAA compliance.  The combination of all these factors means that you can securely monitor and protect your power systems from any type of cyber, physical or operational harm.

In sum, HIPAA requires all covered entities and business associates to support ePHI systems with backup power and power distribution units.  This is required to keep ePHI from being destroyed by a power problem and to keep ePHI data available during a power emergency.  You must monitor the health of your UPS and PDU systems, but you must do so in a way that does not expose these units to cyber, physical or operational attack.  RackGuardian is the only system that has been purposefully built to protect your UPS and PDU systems from all threats that could wreak havoc on your data.

Please think about your systems and we would be happy to have a confidential discussion about how you can protect your ePHI from all threats.

Until next time,

Be Well!


Cyber Attack On UPS Uninterruptible Power Supplies

Greetings and welcome back!  In this month’s blog, we look at one of the largest cyber attacks of 2016: the Ukrainian power plant attack.  This destructive incident included a highly targeted cyber attack on UPS Uninterruptible Power Supplies in 2 control rooms that supported the plant.  There are several excellent online reports of this incident, one by the SANS Group and several by online tech magazines, including this one from Wired.

The Wired Magazine report, in a timeline of the attack, shows that 2 UPS units in separate control rooms were reconfigured to schedule them to shut down at a specific time.  This is easily accomplished with almost any smaller UPS that is used for network closets and server rooms.  Also, as amazing as it may seem, it is relatively straightforward to shut down a UPS with little effort or security in most systems.  That’s because most systems allow SNMP access and, as we have shown in this blog before, even the so-called “secure” SNMPv3 is now easily hackable with off-the-shelf tools.  This well-done research report by the Georgia Institute of Technology provides excellent background on these vulnerabilities in SNMPv3.

In addition to SNMP access, almost all SNMP cards used in UPS units have open ports for the minimally secured Telnet, FTP and HTTP services.  A hacker of low skill could easily sniff the traffic on those ports waiting to capture the passwords.  But we have found it all too common that the manufacturer’s default passwords for SNMP cards have never even been changed.  That makes entering a UPS as easy as taking candy from a baby.  Here is an example of a UPS unit which is fully exposed online and how easy it is to schedule a shutdown of that system:

(Image: Uninterruptible Power Supply UPS Cyber Attack – shutdown scheduling page of an Internet-exposed UPS management card)
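The weaknesses named above (SNMPv1/v2c or weak SNMPv3 access, cleartext Telnet/FTP/HTTP management services, unchanged default passwords, no access list, and an unexpected scheduled shutdown) translate directly into a checklist a defender can run against a UPS or PDU management card before it goes into a rack. The following is an added example, not RackGuardian or any vendor's code; the configuration fields, the default-password list and both sample cards are constructed for illustration and must be mapped onto a real card's settings.

```python
"""Hardening audit for a UPS/PDU network-management card configuration.

Added example, not AlphaGuardian/RackGuardian code.  The CardConfig
layout is constructed: real cards expose these settings through their
own web or CLI menus, so map the fields to your vendor's names.
"""
from dataclasses import dataclass, field

# Constructed lists of factory defaults that must never survive deployment.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_PASSWORDS = {"admin", "password", "ups", "changeme"}
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass
class CardConfig:
    snmp_v1v2c_enabled: bool
    communities: dict            # community string -> "read" | "write"
    snmpv3_security: str         # "noAuthNoPriv" | "authNoPriv" | "authPriv"
    enabled_services: set        # e.g. {"https", "ssh"}
    admin_password: str
    allowed_managers: list       # hosts permitted to reach the card; empty = anyone
    scheduled_shutdowns: list = field(default_factory=list)  # (weekday, "HH:MM")


def audit(cfg: CardConfig, monitoring_host: str) -> list:
    """Return hardening findings for one card, most severe first."""
    findings = []
    if cfg.admin_password.lower() in DEFAULT_PASSWORDS:
        findings.append("CRITICAL: factory-default admin password still set")
    if cfg.snmp_v1v2c_enabled:
        # v1/v2c carry the community string in cleartext, so a default or
        # writable community means the card can be reconfigured by anyone.
        for community, access in cfg.communities.items():
            if community in DEFAULT_COMMUNITIES:
                findings.append(f"CRITICAL: default community '{community}' ({access})")
            elif access == "write":
                findings.append(f"HIGH: SNMPv1/v2c write access via '{community}'")
    if cfg.snmpv3_security != "authPriv":
        findings.append(f"HIGH: SNMPv3 level is {cfg.snmpv3_security}, expected authPriv")
    for svc in sorted(cfg.enabled_services & CLEARTEXT_SERVICES):
        findings.append(f"HIGH: cleartext management service enabled: {svc}")
    if not cfg.allowed_managers:
        findings.append("HIGH: no manager access list; any host may connect")
    elif monitoring_host not in cfg.allowed_managers:
        findings.append(f"MEDIUM: monitoring host {monitoring_host} not in access list")
    for weekday, hhmm in cfg.scheduled_shutdowns:
        findings.append(f"MEDIUM: scheduled shutdown set for {weekday} {hhmm}; confirm intended")
    findings.sort(key=lambda f: SEVERITY_ORDER[f.split(":", 1)[0]])
    return findings


# Constructed sample cards: one as shipped, one hardened.
MONITORING_HOST = "10.0.5.20"
WEAK_CARD = CardConfig(True, {"public": "read", "private": "write"}, "authNoPriv",
                       {"telnet", "http", "snmp"}, "admin", [], [("Friday", "23:00")])
HARDENED_CARD = CardConfig(False, {}, "authPriv", {"https", "ssh"},
                           "<changed-strong-pw>", [MONITORING_HOST], [])

if __name__ == "__main__":
    for name, card in (("weak", WEAK_CARD), ("hardened", HARDENED_CARD)):
        print(name, audit(card, MONITORING_HOST) or ["no findings"])
```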


In the case of the Ukrainian control room UPS units, there was no direct exposure of these systems online.  It took a hacker of some degree of skill to enter their network and, once that was done, it was likely a much smaller problem to find the UPS.  The hackers then coordinated an attack on the power plant breakers with the timing of the UPS shutdown to cut off all power generation to the outside world and simultaneously shut down all critical operations of the control rooms related to the power plant.  The end result was to leave the power customers in the dark and also to leave the power plant control systems in the dark.  It was because of the downed UPS that it took hours to figure out what was happening and how to begin to restore power and operations.

I would now ask any worker or manager in a process, power plant or other control room: is your UPS secured against a cyber attack?  RackGuardian was built specifically to protect UPS, PDU and other systems that support data and telecom racks.  RackGuardian is a self-contained monitoring and protection system that supports any SNMP-based UPS and PDU units.  We encourage anyone who is responsible for ensuring the power in your control rooms to give us a call, and we would be happy to discuss your needs privately.

Until Next Time,

Be Well!