Network Closet Vulnerabilities – Cybersecurity

Greetings and welcome back!  In today’s blog we will look at the problem of cybersecurity in network closets and small server rooms.  This is of particular importance to those who fall under the requirements of HIPAA, PCI-DSS or Gramm Leach Bliley as they make no distinction in where the data is located or the size of the data room.  In fact, while larger data centers often have layers of physical and cybersecurity, smaller network closets and server rooms have little, and in some cases no meaningful physical or cybersecurity.

There are a large group of smaller network rooms whose only cybersecurity is an inexpensive firewall box, which is easily evaded by a hacker.  Hackers or professional cyber criminals do not like to leave a trail to follow so, once they enter a network they often look for a device in which to hide-out while they explore the network and look for targets from which to steal data.  We have found that a favorite place to hide for these criminals in inside the network card of a Rack UPS or Power Distribution Unit (PDU).  In fact, one of the most spectacular data thefts in the past couple of years was executed through the Rack PDU of a cloud service provider.  This excellent article shows how the Rack PDU’s were used as a jumping-off-point into the servers in order to steal data.

In addition to using a Rack UPS or PDU as a hiding place from which to launch an attack on the servers within that rack, these networked power units can also be used to shut down servers and even to destroy the data in the servers.  The widely-publicized Ukrainian Power Plant hack was an excellent example of how a UPS system can be used to shut down and then wreak havoc on servers.  In this case, Malware was used to program two UPS units to shut down at exactly the same time, cutting power to all critical servers and desk tops in the power plant.

If your systems are covered under security regulations, they must have backup power systems and, if they have backup power systems, they also must be protected from hackers.  It is wishful thinking to assume all cyberattacks on a server will be from the front-door.  In today’s world of increasingly sophisticated bad guys, back doors to servers – such as those offered by UPS and PDU systems – make perfect cover for a data thief.

Fortunately, RackGuardian was designed from the ground-up to both monitor your network/server room power and environment and to provide full firewall protection at the same time.  That’s because RackGuardian includes a private network port on which to query any SNMP or Modbus system securely in its own cyber-safe envelope.  The RackGuardian seals-off all units that it monitors because its second network port pushes data to the cloud but it will not accept ANY attempts to connect with it.  All of your SNMP and Modbus systems that are being monitored by RackGuardian are invisible to the outside world because there is no way to get through the RackGuardian to see them.

If you have network closets and server rooms that need to be protected, please don’t just protect the front-door of your servers, protect the back door of your UPS and PDU units and keep the bad-guys at bay!

Until Next Time,

Be Well!

 

Network Closet Security Vulnerabilities – Physical Security

Greetings and welcome back.  In this blog, we take a close look at Network Closet Security Vulnerabilities – Physical Security.  This is the first in a new series on the key types of network closet security flaws.  This is a key topic, especially for all those of you who are covered under HIPAA, PCI-DSS, FERPA, Gramm Leach Bliley and other data security regulations.  The fact is, as more data shifts to the cloud, that means that more data is transported through your network closets to the various cloud providers that you employ.  Because cloud services tend to be well-fortressed, cyber criminals are turning to the easiest way to get to that data – your network closets.

To begin with, all of the key data security regulations require you to physically secure your data.  Here are some key provisions with which we should all take time to familiarize ourselves:

HIPAA Section 164.310: “Facility Access Controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

PCI-DSS Requirement 9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data. 

GRAMM LEACH BLILEY: “Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks.”

Its clear from these sections of security codes that you need to provide a secure card-based access system in order to be compliant with major data security regulations.  What isn’t clear is which physical security system is the best for your application.  Fortunately, our RackGuardian system is one of the only systems that supports virtually any access card on the market.  That means that, if you are already using a card access system for your main door at your facility, chances are very good that RackGuardian can support that card on a plug-and-play basis.  If, on the other hand, you need a new access card system, then we also have you covered.

In the next 2 blogs, we plan to look at cybersecurity and also backup power and environmental security for your data.  Please take a good look at RackGuardian and we believe that you will find that its the most powerful security product for data security on the market.  We welcome you to contact us with any questions about your individual security needs.

Until next time,

Be Well!

Network Closet Security – Physical Security

Greetings and welcome back.  In this blog, we take a close look at Network Closet Security Vulnerabilities – Physical Security.  This is the first in a new series on the key types of network closet security flaws.  This is a key topic, especially for all those of you who are covered under HIPAA, PCI-DSS, FERPA, Gramm Leach Bliley and other data security regulations.  The fact is, as more data shifts to the cloud, that means that more data is transported through your network closets to the various cloud providers that you employ.  Because cloud services tend to be well-fortressed, cyber criminals are turning to the easiest way to get to that data – your network closets.

To begin with, all of the key data security regulations require you to physically secure your data.  Here are some key provisions with which we should all take time to familiarize ourselves:

HIPAA Section 164.310: “Facility Access Controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

PCI-DSS Requirement 9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data. 

GRAMM LEACH BLILEY: “Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks.”

Its clear from these sections of security codes that you need to provide a secure card-based access system in order to be compliant with major data security regulations.  What isn’t clear is which physical security system is the best for your application.  Fortunately, our RackGuardian system is one of the only systems that supports virtually any access card on the market.  That means that, if you are already using a card access system for your main door at your facility, chances are very good that RackGuardian can support that card on a plug-and-play basis.  If, on the other hand, you need a new access card system, then we also have you covered.

In the next 2 blogs, we plan to look at cybersecurity and also backup power and environmental security for your data.  Please take a good look at RackGuardian and we believe that you will find that its the most powerful security product for data security on the market.  We welcome you to contact us with any questions about your individual security needs.

Until next time,

Be Well!

 

Server & Telecom Racks and New York Cybersecurity Law

Greetings and welcome back!  Beginning this week, we are going to dovetail our discussions of the Federal Gramm Leach Bliley Act (GLBA) for financial services companies together with the New York Cybersecurity Regulations for Financial Services Companies.  Because New York is the home to many of the country’s financial services companies, it seems natural to address both the Federal Standards of GLBA with the State Standards for financial companies in one logical set of blogs.  So today, we begin this series by looking at Server & Telecom Racks and New York Cybersecurity Law.

The timing of beginning our discussion is centered around the enforcement of the New York Regulations, which began last week on August 27th.  The NY Cybersecurity regs are an extremely comprehensive set of requirements that cover all in-state and international operations for a financial entity of over $5 million in revenue.  While not having the power to regulate operations in other states, the Department of Financial Services (DFS) in New York makes it clear that any branch office in another state that impacts the operations of a New York office will be dealt with accordingly.  This is a polite way of saying that if security is truly needed in New York then it only makes sense to follow the same procedures for all locations, regardless of location.

To begin with, let’s talk about what the NY Regulations cover.  Specifically, the regulations require securing 6 different types of systems from affecting information stored by a covered entity in 3 different ways.  The 6 types of systems that must be protected are as follows:

500.01 (e) Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

The 3 types of coverage for the information that these systems support are as follows:

500.02 (a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.

When we combine these regulations, we see that  the integrity and availability of IT and Telecom systems must be protected by actively securing and monitoring backup power, cooling and physical security systems.  Any interruption in power or cooling to an IT or Telecom system can corrupt or destroy the data that is to be protected.  This means that the following systems must be protected in order to be in compliance with the law:

  • Uninterruptible Power Supply (UPS) and Power Distribution Units (PDU)
  • Cooling Systems for the Data, Network or Telecom Racks
  • Physical Access Systems

These regulations make it clear that your racks of servers and telecom systems together with their UPS, PDU, Cooling and Physical Access systems must be secured and monitored.  While protecting these types of systems in a large data center can be done in a more centralized fashion, the ability to protect distributed racks and support systems is a much more difficult task. These racks are found in places like:

  • Network Rooms and Closets including all IDF and MDF Rooms
  • Telecom Rooms and Closets including PBX and Telecom Switch Rooms
  • Small Server Rooms

Virtually all the systems in these server, network, telecom, power and cooling systems found in these rooms are rack-mounted systems.   Because of this, the security regulations require a rack-based system that is able to both secure and monitor all of these systems.  We designed RackGuardian do be a fully-enabled Smart Firewall unit that both provides integrated firewall security and analytic monitoring for any server, telecom system, UPS, PDU and cooling unit.

In coming blogs, we will discuss the specific ways in which UPS and PDU units have already been used to attack information systems.  We will also address attacks on telephone switching and PBX systems and how they have had disastrous effects on their owners.  In addition, we will take a look at how the GLBA regulations integrate with the New York State regulations and how complementary they are to one another.

If you would like to have a confidential discussion on protecting your server and telecom racks from cyber, physical and operational attacks, we would be happy to work with you to provide the protection and compliance you need for your company.

Until Next Time,

Be Well!

 

Gramm Leach Bliley Requirements for Data Rack Security

Greetings and welcome back!  In this week’s blog we look at the Gramm Leach Bliley Requirements for Data Rack Security.  The Gramm Leach Bliley Act (GLBA) covers security requirements for all organizations that handle confidential information related to loans.  This Act is broad-based and covers everything from data about student loans, auto loans and home mortgages.  In short, just about everyone from college age and above has at least one set of data stored somewhere that is covered by GLBA.

Who are the companies that are specifically covered by GLBA?  These include the following:

  • Insurance companies, brokers and their agents
  • Colleges and universities, student loan providers and brokers
  • Mortgage providers, brokers and title insurance companies
  • Stock brokers, financial advisors and banks

Because GLBA covers such a large group of organizations, many may not be fully aware of the specifics of the GLBA requirements as they relate to the protection of data security.  The protections required by GLBA include:

  • Physical Security of the room and data rack(s) in which data is stored
  • Cybersecurity for all networked devices (regardless of type) that are on the data network
  • Operational Security for all servers and supporting power and environmental systems

Under GLBA Safeguard Rule, all specific security requirements for financial organizations are listed under the Federal Financial Institutions Examination Counsel’s (FFIEC) IT Examination Handbook.  This is literally “The Book” that an examiner uses to judge whether financial records are being kept in accordance with the GLBA.  This book is fully online and can be seen in full here.  Over the next few weeks we will be looking at the specifics in what we will simply refer to as the Handbook.   As we will see, it provides very specific requirements and leaves little to the imagination in the 3 areas of security listed above.

Because the Handbook for GLBA requirements is so specific, courts do not look kindly on the excuse of “I didn’t know about that requirement”.  Its a classic case where the judge says: “Ignorance of the Law is NO Excuse.”  Just as the HIPAA regulations are now very clear and penalties are very harsh, so too, penalties under GLBA are quite severe.  Here is a summary of the penalties for a violation of GLBA:

  • The organization can be for fined for up to $100,000 for each violation. 
  • Officers and directors of the financial institution can be fined up to $10,000 for each violation.
  • Criminal penalties include Imprisonment for up to 5 years IN ADDITION to the fine.
  • Fines and penalties can be DOUBLED if shown that another law has also been violated in the process.

In sum, the Gramm Leach Bliley Act was put in place to protect the private financial information for individuals.  Significant fines have been levied because of data breaches and other actions are likely.  In addition, the government is studying further requirements to GLBA that would require organizations to put in place a written plan to protect customer data and a written plan to respond in case of a data breach.

We want our readers to know that GLBA means business and we at AlphaGuardian mean business as well.  We are the only company that provides full physical, cyber and operational security solutions for GLBA.  The unique blend of both financial and IT backgrounds of the principals of the company allow us to address your needs as no other company can do.  Think about this and, if you would like a confidential discussion on how you can better protect the data that has been entrusted to you, please feel free to give us a call.

Until Next Time,

Be Well!