Network Closet Vulnerabilities – Cybersecurity

Greetings and welcome back! In today’s blog we will look at the problem of cybersecurity in network closets and small server rooms. This is of particular importance to those who fall under the requirements of HIPAA, PCI-DSS or Gramm-Leach-Bliley, because those regulations make no distinction about where the data is located or how large the data room is. In fact, while larger data centers often have layers of physical security and cybersecurity, smaller network closets and server rooms have little, and in some cases no, meaningful physical security or cybersecurity.

There is a large group of smaller network rooms whose only cybersecurity is an inexpensive firewall box, which is easily evaded by a hacker. Hackers and professional cyber criminals do not like to leave a trail to follow, so once they enter a network they often look for a device in which to hide out while they explore the network and look for targets from which to steal data. We have found that a favorite hiding place for these criminals is inside the network card of a rack UPS or Power Distribution Unit (PDU). In fact, one of the most spectacular data thefts of the past couple of years was executed through the rack PDUs of a cloud service provider. This excellent article shows how the rack PDUs were used as a jumping-off point into the servers in order to steal data.

In addition to using a rack UPS or PDU as a hiding place from which to launch an attack on the servers within that rack, these networked power units can also be used to shut down servers and even to destroy the data on them. The widely publicized Ukrainian power plant hack was an excellent example of how a UPS system can be used to shut down and then wreak havoc on servers. In that case, Malware was used to program two UPS units to shut down at exactly the same time, cutting power to all critical servers and desktops in the power plant.

If your systems are covered by security regulations, they must have backup power systems, and if they have backup power systems, those systems must also be protected from hackers. It is wishful thinking to assume that all cyberattacks on a server will come through the front door. In today’s world of increasingly sophisticated bad guys, back doors to servers – such as those offered by UPS and PDU systems – make perfect cover for a data thief.

Fortunately, RackGuardian was designed from the ground up both to monitor your network/server room power and environment and to provide full firewall protection at the same time. That’s because RackGuardian includes a private network port on which it queries any SNMP or Modbus system securely in its own cyber-safe envelope. RackGuardian seals off all the units that it monitors: its second network port pushes data to the cloud but will not accept ANY attempt to connect to it. All of the SNMP and Modbus systems being monitored by RackGuardian are invisible to the outside world because there is no way to get through the RackGuardian to see them.

If you have network closets and server rooms that need to be protected, please don’t just protect the front door of your servers; protect the back door of your UPS and PDU units and keep the bad guys at bay!

Until Next Time,

Be Well!


PCI-DSS Requirements for Backup Power Security

Greetings and welcome back! In today’s blog we are going to look at a critical segment of PCI-DSS security that is often overlooked: the PCI-DSS requirements for backup power security. To begin with, the PCI PIN Security Requirements and Testing Procedures require the use of an Uninterruptible Power Supply (UPS), as given in the following section:

32-5 All access-control and monitoring systems (including intrusion-detection systems) are powered through an uninterruptible power source (UPS).

This makes good sense because, in the event of a power failure, if the security access control and monitoring systems are offline, someone could easily force their way into a network closet and your data rack and simply pick up the server and walk out with it. Needless to say, you must have enough power to ride through a significant power outage, but how much backup power is enough? The PCI-DSS standards do not say, but it is interesting to note that the FCC now requires telecom providers to supply 8 hours of backup power to any IP-based telephone system or line. While that may seem like a long time, consider this: the loss of power for a utility customer in the US can average nearly 5 hours in length, as this annual report from the US Energy Information Agency shows.

[Chart: PCI-DSS Requirements for Backup Power Security – average US power outage duration by utility type, split into non-major and major events]

Let’s take a look at the detail of this chart. The total time of an outage is broken down into “non-major events” and “major events”. Non-major events tend to be local outages caused by such things as a blown transformer within a utility’s system. Major events are normally related to weather, such as significant thunderstorms. As the graph shows, major events are always longer, on average, than non-major events within a utility’s own system. But even the best performance for outages – from municipally owned utilities – shows a nearly one-hour power outage for a system-caused problem, and the municipal utility average for a major event was 2 hours.

The long and short of this is that, if you fall under PCI-DSS, you need to back up the security systems protecting your server’s data for a minimum of 2 hours. If you are within an investor-owned utility’s service area, the average outage with a major event is 3.5 hours, and with a co-op it’s nearly 5 hours. So, if you fail to provide the proper backup and someone simply walks in and steals your server, you would be liable under the “reasonable man” standard in any credit card lawsuits that result from this type of data loss.

In addition to purchasing a UPS with sufficient battery backup time, you also need to monitor that UPS and its battery time. Why? Because batteries, whether in your car or in a UPS, degrade over time. With each passing year they are able to deliver less and less of the power that you need. In addition, batteries degrade with each cycle in which they are used. So, if your site is located in an area with lots of power flickers, those sub-second flickers actually cause the UPS to go onto battery and will also shorten the backup battery’s life.

Fortunately, most UPS systems provide a serial or network port that allows you to monitor the battery’s condition and ensure that you will have the necessary battery backup time if it is needed. Our RackGuardian product was designed to secure a rack and protect its power systems from physical, operational or cyber problems. RackGuardian integrates with any type of card-key or biometric door locking system, allowing you to be fully compliant with the PCI-DSS physical security requirements. In addition, RackGuardian plugs into the network or serial port of your UPS, as well as your rack Power Distribution Unit (PDU), to secure these systems from a cyber or physical attack and to monitor their integrity. RackGuardian’s exclusive and patented power analytics will give you early warning of any problem with your battery system, ensuring that you have the battery backup time available when you need it.
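As an added illustration of the monitoring step described above (this is not code from the post or from RackGuardian), the Python below evaluates UPS battery readings against the two-hour minimum the post derives and fits a trend to past runtime readings so that a shortfall is flagged before it happens. The status codes follow the UPS-MIB (RFC 1628) upsBatteryStatus values; the reading history, the warning horizon and the function names are constructed assumptions, and in practice the readings would come from the UPS’s own serial or SNMP interface.

```python
from statistics import mean

# Minimum backup runtime for PCI-DSS-covered security systems, as derived in the post: 2 hours.
REQUIRED_RUNTIME_MIN = 120

# upsBatteryStatus values from the UPS-MIB (RFC 1628).
BATTERY_NORMAL = 2
BATTERY_STATUS = {1: "unknown", 2: "batteryNormal", 3: "batteryLow", 4: "batteryDepleted"}

# Constructed history of (battery age in months, estimated runtime in minutes at full charge),
# e.g. upsEstimatedMinutesRemaining sampled quarterly while the UPS sat on utility power.
SAMPLE_HISTORY = [(0, 180), (3, 173), (6, 165), (9, 158), (12, 150)]


def runtime_trend(history):
    """Least-squares fit of runtime (minutes) against battery age (months).

    Returns (slope_minutes_per_month, intercept_minutes).
    """
    xs = [age for age, _ in history]
    ys = [minutes for _, minutes in history]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need readings from at least two different months")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx


def months_until_short(history, required=REQUIRED_RUNTIME_MIN):
    """Months from the latest reading until the fitted runtime drops below `required`.

    Returns None when the trend is flat or rising (no degradation evident) and 0.0
    when the fitted runtime is already below the requirement.
    """
    slope, intercept = runtime_trend(history)
    if slope >= 0:
        return None
    latest = max(age for age, _ in history)
    crossing = (required - intercept) / slope   # battery age at which the fit equals `required`
    return max(0.0, crossing - latest)


def assess_ups(status, minutes_remaining, history,
               required=REQUIRED_RUNTIME_MIN, warn_months=12):
    """Return a list of warning strings; an empty list means the UPS meets the target."""
    warnings = []
    if status != BATTERY_NORMAL:
        warnings.append(f"battery status is {BATTERY_STATUS.get(status, status)}")
    if minutes_remaining < required:
        warnings.append(f"runtime {minutes_remaining} min is below the required {required} min")
    horizon = months_until_short(history, required)
    if horizon is not None and horizon < warn_months:
        warnings.append(f"runtime projected to fall below {required} min in {horizon:.1f} months")
    return warnings


if __name__ == "__main__":
    # Constructed current reading: battery normal, 150 minutes of runtime today.
    for w in assess_ups(BATTERY_NORMAL, 150, SAMPLE_HISTORY, warn_months=24):
        print("WARNING:", w)
```

The trend fit is what turns a one-off “battery OK” reading into an early warning: with the constructed history the UPS still has 150 minutes today, comfortably over the 120-minute target, but it is losing about 2.5 minutes of runtime per month and will cross the line in roughly a year.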

Think about these things a bit, and we would be more than happy to have a confidential discussion about protecting your data and your backup power systems. In fact, our experts can help you choose the best power system for you from the numerous sources available to us. So, until next time,


Be Well!

Cyber Attack Using Rack PDUs as a Backdoor to Server Data

Greetings and welcome back! This month we look at something that we have been predicting for some time: a cyber attack using rack PDUs as a backdoor to server data. There was an excellent article on this in Identity Week last month. The article discusses an attack on the DDoS protection firm Staminus. In this attack, the intruders managed to do all of the following:

  • Bring down Staminus’ entire network
  • Reset routers to factory settings
  • Steal Staminus’ databases and dump the contents online

The attackers were brazen, to say the least, as they actually described in an online post how they hacked Staminus. The two key factors they mentioned in their attack were:

  • Use one root password for all the boxes
  • Expose PDUs to WAN with telnet authority

The first mistake is all too common for any type of equipment. If you use the same password for everything, a hacker only needs to break it once and they are in. The second problem is the specific reason that we built RackGuardian. Here, they used an open Telnet port on rack PDUs to gain backdoor access into the servers in the rack. I will add that, whether a hacker uses Telnet, FTP or SNMP, each of these ports is normally open on a rack PDU and each has minimal security.

So what can you do once you gain access to a rack PDU? Plenty! You can immediately traverse to the servers in the rack if they are on the same subnet. If they are on a different subnet, you will first need to go to the switch and then back again. In this case, it’s not clear which they did, as they also had the passwords for the switches and routers.

The long and short is that a rack PDU makes perfect camouflage, a sniper’s nest from which to extract data from a server without easily being observed. After all, who expects data to be coming from a rack PDU?

The moral of the story is clear: you MUST secure your rack PDUs, and RackGuardian is the only product that is specifically built with this purpose in mind. A cyber attack using rack PDUs is a real threat to every organization. RackGuardian does all the things that you need to protect your rack systems from harm. It plugs into the Ethernet ports of your rack PDU, UPS and other systems and provides full monitoring of the power and environment in your rack – while it secures all of your rack power and environmental systems from being used as hacker targets.

Think about this, and we would be more than happy to have a confidential conversation about how to protect your rack systems.

Until next time,

Be Well!


Data Theft Using Rack PDUs

Welcome back. Last time, we looked in general terms at how data in a rack can be compromised via an SNMP DDoS attack. This week, in our second part, we look at data theft using rack PDUs, including the specifics of how an SNMP attack can be launched to actually steal information from your servers via your rack PDU.

The first and most important thing to understand is that, in today’s cyber world, the majority of large-scale and/or sophisticated cyber theft involves the use of Malware. Malware is planted in obscure places so that it does not arouse suspicion. The better the Malware is hidden, the better its chances of success. When a well-positioned Malware implantation is successful, data theft often goes undetected for months before being discovered. In fact, according to the Ponemon Institute, more than 90% of successful cyber attacks are discovered more than 3 months after they began!

We have been fortunate enough to have run cybersecurity tests on many different brands of small UPSs and PDUs, and the results have been eye-opening. We have been able to view the actual activities of cyber criminals and have learned how they carry out their craft. In the specific Malware attack that we will focus on today, SNMP devices in close proximity to valuable data are implanted with Malware, and that Malware is then used to discover and ultimately launch an attack on a data source. That data source can be servers, storage systems, copiers or printers, because all are managed with SNMP.

How is the Malware planted? Normally via phishing, or by implanting the Malware on a mobile device that is then carried into a data center or data room. In other words, much of this Malware is implanted in devices without the user’s knowledge. But in today’s BYOD world, once a device is infected, it’s easy for the Malware on that device to look for a target system to infect.

An SNMP device makes a near perfect device in which to implant Malware for the following reasons:

  • SNMP is the most universally used management protocol
  • SNMP devices broadcast their presence to other SNMP devices on the network
  • SNMP devices are easily compromised due to SNMP’s lack of security (yes, please read previous blogs to see that even SNMPv3 is vulnerable)

Now let’s discuss what we have seen in the real world. We have seen live scans that show the SNMP ports of rack UPS and PDU systems being penetrated by cyber criminals. We have then seen Malware implanted on these systems. That Malware then scans for other SNMP devices on the network looking for sensitive data and, finally, when the data is located, it is copied and sent from the UPS or PDU to a remote server owned by the cyber criminal. Amazingly enough, these botnets are so well built that they even load their own file management system to protect the stolen data, and all of this happens on the SNMP chip of a UPS or PDU. Amazing!

Some might read this and think that they are protected because they have a firewall. I would politely point out in reply that Sony had firewalls, Home Depot had firewalls and Target had firewalls. All three of these companies were robbed of valuable data through the use of Malware that was planted deep within their networks. In all of these cases, it took considerable time after the infection occurred to realize that they had been robbed blind. In all three cases, it was far too late to stop enormous damage from being done.

If we are to successfully battle cyber theft, we must realize two things:

  1. Just because you can’t see it doesn’t mean that it’s not there. Think of Malware as a tiny virus that is only visible under an electron microscope. Few people even own an electron microscope, let alone know where to look for the virus.
    You must be vigilant in blocking all known means of Malware entry. Please realize that this is no game. The cyber criminals, including nation-states, are happy when people think their Malware couldn’t be inside their systems.
  2. If you have critical data in a rack, you need to block access to the SNMP management ports on your UPS, PDU and other rack power and environmental infrastructure. But, at the same time, you still need to manage that infrastructure. That unique combination of cyber protection and management of operational and physical data is the key feature of the RackGuardian system.
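The two failure patterns these posts describe, a PDU management port reachable from outside the management network (the Staminus case, where Telnet on the PDUs was exposed to the WAN) and a PDU or UPS initiating connections of its own (the Malware exfiltration described above), can both be checked from firewall or flow logs, which is the detection counterpart of blocking the SNMP management ports while still managing the devices. The Python below is an added example, not code from the posts or from RackGuardian: the subnets, port list, log format and log lines are constructed assumptions, and in practice you would substitute your own management and power-infrastructure address ranges and your firewall’s real log format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed topology (an assumption, not from the posts): the network cards of the rack
# PDUs and UPSs sit in one subnet, and only hosts in the management subnet may reach them.
POWER_INFRA = ipaddress.ip_network("10.20.30.0/24")   # PDU / UPS management NICs
MGMT_SUBNET = ipaddress.ip_network("10.20.10.0/24")   # monitoring and admin hosts

# Services typically listening on a rack PDU; the posts single out Telnet, FTP and SNMP.
MGMT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 443: "https"}
SCAN_THRESHOLD = 3   # distinct non-management hosts one PDU may contact before we call it scanning

# Constructed log format: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+)\s+(ALLOW|DENY)\s+(TCP|UDP)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$"
)

# Constructed sample firewall log: a manager polling SNMP (fine), Telnet from the internet to
# a PDU, the same PDU calling out to the internet and sweeping the server subnet, and one junk line.
SAMPLE_LOG = """\
2024-05-01T02:13:07Z ALLOW UDP 10.20.10.5:51000 -> 10.20.30.7:161
2024-05-01T02:14:11Z ALLOW TCP 203.0.113.44:40122 -> 10.20.30.7:23
2024-05-01T02:14:12Z DENY  TCP 203.0.113.44:40123 -> 10.20.30.8:23
2024-05-01T02:15:02Z ALLOW TCP 10.20.30.7:44021 -> 198.51.100.9:443
2024-05-01T02:15:30Z ALLOW UDP 10.20.30.7:50001 -> 10.20.40.11:161
2024-05-01T02:15:31Z ALLOW UDP 10.20.30.7:50002 -> 10.20.40.12:161
2024-05-01T02:15:32Z ALLOW UDP 10.20.30.7:50003 -> 10.20.40.13:161
2024-05-01T02:15:33Z ALLOW UDP 10.20.30.7:50004 -> 10.20.40.14:161
2024-05-01T02:16:00Z ALLOW TCP 10.20.10.5:51010 -> 10.20.30.8:443
this line is not a flow record and is skipped
"""


def parse_flow(line):
    """Parse one log line into (action, proto, src, sport, dst, dport); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, action, proto, src, sport, dst, dport = m.groups()
    return action, proto, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport)


def audit_flows(lines):
    """Check allowed flows against the policy and return findings as (rule, src, dst, port).

    exposed-mgmt-port : a PDU/UPS service port was reached from outside the management subnet
    outbound-from-pdu : a PDU/UPS initiated a connection to a host outside the management subnet
    lateral-scan      : one PDU/UPS contacted more than SCAN_THRESHOLD distinct such hosts
    """
    findings = []
    outbound = set()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        action, _proto, src, _sport, dst, dport = flow
        if action != "ALLOW":
            continue   # a DENY is the firewall doing its job; only permitted traffic matters here
        if dst in POWER_INFRA and dport in MGMT_PORTS and src not in MGMT_SUBNET:
            findings.append(("exposed-mgmt-port", str(src), str(dst), dport))
        if src in POWER_INFRA and dst not in MGMT_SUBNET and dst not in POWER_INFRA:
            outbound.add((src, dst, dport))   # power gear should never be the client side
    for src, dst, dport in sorted(outbound):
        findings.append(("outbound-from-pdu", str(src), str(dst), dport))
    contacted = defaultdict(set)
    for src, dst, _dport in outbound:
        contacted[src].add(dst)
    for src, hosts in sorted(contacted.items()):
        if len(hosts) > SCAN_THRESHOLD:
            findings.append(("lateral-scan", str(src), f"{len(hosts)} hosts", 0))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The point of the second rule is the one the post makes: a PDU or UPS is a server of management traffic, never a client, so any connection it originates toward something other than its monitoring host is worth an alert regardless of port, and a burst of such connections to many hosts is the scan that precedes data theft.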

Please think about these facts; we are more than happy to have a confidential discussion about protecting your rack PDU and UPS units in order to protect your data.

Until Next Time,

Be Well!