Network Closet Security Vulnerabilities – Physical Security

Greetings and welcome back.  In this blog, we take a close look at Network Closet Security Vulnerabilities – Physical Security.  This is the first in a new series on the key types of network closet security flaws.  This is a key topic, especially for all those of you who are covered under HIPAA, PCI-DSS, FERPA, Gramm Leach Bliley and other data security regulations.  The fact is, as more data shifts to the cloud, that means that more data is transported through your network closets to the various cloud providers that you employ.  Because cloud services tend to be well-fortressed, cyber criminals are turning to the easiest way to get to that data – your network closets.

To begin with, all of the key data security regulations require you to physically secure your data.  Here are some key provisions with which we should all take time to familiarize ourselves:

HIPAA Section 164.310: “Facility Access Controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

PCI-DSS Requirement 9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data. 

GRAMM LEACH BLILEY: “Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks.”

Its clear from these sections of security codes that you need to provide a secure card-based access system in order to be compliant with major data security regulations.  What isn’t clear is which physical security system is the best for your application.  Fortunately, our RackGuardian system is one of the only systems that supports virtually any access card on the market.  That means that, if you are already using a card access system for your main door at your facility, chances are very good that RackGuardian can support that card on a plug-and-play basis.  If, on the other hand, you need a new access card system, then we also have you covered.

In the next 2 blogs, we plan to look at cybersecurity and also backup power and environmental security for your data.  Please take a good look at RackGuardian and we believe that you will find that its the most powerful security product for data security on the market.  We welcome you to contact us with any questions about your individual security needs.

Until next time,

Be Well!

Network Closet Security – Physical Security

Greetings and welcome back.  In this blog, we take a close look at Network Closet Security Vulnerabilities – Physical Security.  This is the first in a new series on the key types of network closet security flaws.  This is a key topic, especially for all those of you who are covered under HIPAA, PCI-DSS, FERPA, Gramm Leach Bliley and other data security regulations.  The fact is, as more data shifts to the cloud, that means that more data is transported through your network closets to the various cloud providers that you employ.  Because cloud services tend to be well-fortressed, cyber criminals are turning to the easiest way to get to that data – your network closets.

To begin with, all of the key data security regulations require you to physically secure your data.  Here are some key provisions with which we should all take time to familiarize ourselves:

HIPAA Section 164.310: “Facility Access Controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

PCI-DSS Requirement 9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data. 

GRAMM LEACH BLILEY: “Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks.”

Its clear from these sections of security codes that you need to provide a secure card-based access system in order to be compliant with major data security regulations.  What isn’t clear is which physical security system is the best for your application.  Fortunately, our RackGuardian system is one of the only systems that supports virtually any access card on the market.  That means that, if you are already using a card access system for your main door at your facility, chances are very good that RackGuardian can support that card on a plug-and-play basis.  If, on the other hand, you need a new access card system, then we also have you covered.

In the next 2 blogs, we plan to look at cybersecurity and also backup power and environmental security for your data.  Please take a good look at RackGuardian and we believe that you will find that its the most powerful security product for data security on the market.  We welcome you to contact us with any questions about your individual security needs.

Until next time,

Be Well!

 

PCI-DSS Breaches and Data Rack Security

Greetings and welcome back!  In this week’s blog, we begin a new series on PCI-DSS Breaches and Data Rack Security.  Every retailer must keep their systems secure and PCI-DSS standards require strict control on the cyber, physical and operation security of data racks.  But as we shall see in today’s blog, there is a huge gap in what individual retailers believe suffices for PCI-DSS compliance and in actual compliance with these standards.

To begin with, there are 12 individual security requirement categories in PCI and each must be followed carefully to be in compliance.  If a user is in compliance will all 12, statistics show that they will be much less likely to have a breach.  In addition, if a breach does occur, the liability to the user is substantially less if all 12 requirements had been followed carefully.  Unfortunately, many organizations believe that they are complying with these 12 standards when in fact, they are not.

A great example of this comes from the most recent Verizon PCI Compliance Report.  In this report, all users were asked if they were in compliance with all 12 categories of PCI compliance.   Then, users who suffered a breach were asked to provide a post-breach assessment of their actual compliance levels.  It is an eye-opening report to say the least and one thing that jumped out to me was the overall compliance levels in Requirement 12 – Maintaining an Information Security Policy Standard.  As you can see from the chart below, while 65% of overall users had a 3rd party compliance certification for Requirement 12, only 10% of users that were breached were actually compliant in this area.  In other words, those who are relying on a mere certificate are taking enormous risks with their data.

PCI-DSS Data Rack Security Requirements

Let’s look at a couple of areas in Requirement 12 that have lead to some serious data breaches in the past few years.

“Malicious individuals may breach physical security and place their own devices on the network as a ‘back door.’ Personnel may also bypass procedures and install devices.”

It is all-too-common to have a data rack that is not physically secured and where any individual with the will to do so can open the rack door and place a device that can be used as a back-door into a credit card data server.  This type of attack is sometimes known as a Man-In-The-Middle (MitM) attack.  One way that this is done is for a user to place a router that is different from the existing Internet router as described in this excellent research article by Towson University’s computer science department.  By this simple procedure, anyone with even modest hacking skills can create a back door into a retailer’s credit card data servers and can essentially steal data at will.

Another item pointed out in the text of Requirement 12 is that data thieves can create back doors by using existing devices that provide remote access to systems within a data rack.  One way that this is being done is to use the networked Uninterruptible Power Supply (UPS) or Power Distribution Unit (PDU) to create a back door to the credit card server’s data.  Again, the text in Requirement 12 specifically addresses this issue as follows:

Remote-access technologies are frequent “back doors” to critical resources and cardholder data. By disconnecting remote-access technologies

This type of attack has been successfully carried out already in a recent attack that caused millions of dollars in losses as can be seen here.  Because PCI-DSS standards require the use of UPS systems to protect system data, all users should have a UPS and should have a remote monitoring package for their backup power to ensure that their backup systems are working.  However, any remote monitoring system for the UPS MUST be implemented in a way in which no one would have the ability to connect to the UPS without authorization.

Our RackGuardian system is a perfect answer to solving both the Physical Access Security issues that can be used to create a man in the middle attack and in protecting and securely monitoring your Uninterruptible Power Supply.  Please think about these things and, feel free to give us a call to have a confidential discussion about how we can help you become PCI compliant and greatly reduce your chances of having your credit card data stolen.

Until Next Time,

Be Well!