Server and Telecom Rack Cybersecurity Compliance

Welcome back! We continue this month on the 3 keys for Server and Telecom Rack Security Compliance. This month’s blog is: Server and Telecom Rack Cybersecurity Compliance. To begin with, whether you host your servers offsite or you run your own data center(s), you need the ability to manage the systems in your racks remotely. These systems fall into the following groups:

Processing and Storage
Networking Systems
Power, Environment and Security

All of these systems need to be managed remotely at some point, and each is typically managed by SNMP from a central console system. Sadly, as this peer-reviewed paper from Georgia Tech demonstrates, even the supposedly secure SNMPv3 is full of vulnerabilities: because of flaws inherent in the protocol it is amazingly easy to hack SNMPv3, so SNMP-managed systems can be taken over by unauthorized individuals or groups, and the results are devastating. The bottom line is that, while you need to manage your systems remotely to keep them working, the very process of remote management can expose your data to cyber criminals. The question then becomes: What can SNMP exploits do to my data? The answer can be seen in the chart below:

[Chart: Server and Telecom Rack Security Compliance]

As you can see, it is mainly the power, environmental and security systems that are at risk. Processing/storage and networking systems typically expose ports 80 and 443 and are normally guarded by the perimeter firewall and often by a locally resident firewall as well. Power, environmental and security systems, however, are normally not protected or, if they are, that protection often fails to inspect the SNMP packets sent to and from them. The simple fact is, as Table 1 of the Georgia Tech paper demonstrates, it is easy to enter SNMP-enabled systems and change settings in ways that can destroy data stored in the servers and storage systems to which these systems are attached. As the table also shows, it is possible to launch Denial of Service (DoS) attacks through several of these systems, effectively shutting down that network segment and access to its data.


To protect your data racks, you need to protect your rack infrastructure. AlphaGuardian’s RackGuardian system is the only system on the market that is uniquely focused on protecting your data by protecting the security of your rack infrastructure. Power systems such as rack PDUs and UPSs, cooling systems such as in-rack cooling, and security systems all rely on SNMP. Our RackGuardian unit attaches to these systems and locks out ANY attempt to communicate with them. At the same time, it securely gathers all the information that you need about your power, environment and security via its secure private network port. All information is then sent via an encrypted push communication to a certificate-based data server. The result is that you get all the information you need for remote rack management while keeping all of your systems – and your data – completely safe.

Please think about this for a bit and let us know how we can help you.

Until next time,

Be Well!

Cyber Attack Using Rack PDUs as a Backdoor to Server Data

Greetings and welcome back! This month we look at something that we have been predicting for some time: a Cyber Attack Using Rack PDUs as a Backdoor to Server Data. There was an excellent article on this in Identity Week last month. The article discusses an attack on DDoS protection firm Staminus. In this attack, the intruders managed to do all of the following:

  • Brought down Staminus’ entire network
  • Reset routers to factory settings
  • Stole Staminus’ databases and dumped the contents online

The attackers were brazen to say the least as they actually posted how they hacked Staminus with an online post.  The two key factors they mentioned in their attack were:

  • Use one root password for all the boxes
  • Expose PDUs to WAN with telnet authority

The first mistake is all too common for any type of equipment. If you use the same password for everything, a hacker only needs to break it once and they are in. The second problem is the specific reason that we built RackGuardian. Here, they used an open Telnet port on rack PDUs to gain backdoor access into the servers in the rack. I will add that, whether a hacker uses Telnet, FTP or SNMP, each of these ports is normally open on a rack PDU and each has minimal security.

So what can you do once you gain access into a rack PDU? Plenty! You can immediately traverse to the servers in the rack if they are on the same subnet. If they are on a different subnet, you will first need to go to the switch and then back again. In this case, it’s not clear which they did, as they also had the open passwords on the switches and routers.

The long and short of it is that a rack PDU makes perfect camouflage, a sniper nest from which to extract data from a server without easily being observed. After all, who expects data to be coming from a rack PDU?

The moral of the story is clear: You MUST secure your rack PDUs, and RackGuardian is the only product that is specifically built with this purpose in mind. A Cyber Attack Using Rack PDUs is a real threat to every organization. RackGuardian does all the things that you need to protect your rack systems from harm. It plugs into the Ethernet ports of your rack PDU, UPS and other systems and provides full monitoring of the power and environment in your rack – while it secures all of your rack power and environmental systems from being used as hacker targets.

Think about this; we would be more than happy to have a confidential conversation about how to protect your rack systems.

Until next time,

Be Well!


Cyber Attacks on Server Rack Systems

We continue our series about how cyber criminals look at your rack systems. This week, we have part 1 of: Cyber Attacks on Server Rack Systems.  To begin with, please realize that cyber criminals always have their eyes on the prize of your data. If they can find key pieces of data, they can sell that data or use that information for their own purposes.

The data that cyber criminals seek includes:

  • Personally Identifiable Information – PII. This data includes names, addresses, social security numbers, credit card numbers, etc. 
  • Corporate Financial Information – FCI. This data includes compiled but unreleased financial data from a company.
  • Intellectual Property – IP. Intellectual property is a much, much larger field than many realize. 

At the end of the day, the vast majority of the data that you own resides in servers and storage systems inside data and telecom racks. Once we realize this, we understand why the rack systems are the prize for the cyber criminal. With that fact established, we must then ask: What can we do to thwart cyber crime? The answer is that, in order to stop a criminal, we must think like a criminal and get inside the mind of how he, she or they operate – I mention “they” because a large amount of cyber activity is generated by nation states who have no qualms about stealing what belongs to others to benefit themselves.

In trying to think like a cyber criminal – a cyber thief really – let’s think about a thief who would break into your home. Chances are 90%+ that the thief will not enter through the front door – which is most often locked and secured – but through a back door or window. That’s no different from a cyber thief. They look for a backdoor to your servers and storage systems. OK, what devices are there in a data rack that could be used as a back door into your servers and storage systems?

If you consider that the servers and storage systems themselves are the front doors, they normally have good security protection for their standard entrance ports. But, most of these devices are remotely monitored for their performance and health. The most common management protocol is SNMP. So, if we can find devices other than servers and storage systems that support SNMP, we have found our suspects for a back door.

There is a short list of devices in your server racks that can be used as a backdoor to your servers and storage systems.  These include:

  • Rack PDUs
  • Rack Reboot Devices
  • Rack UPSs
  • Rack Environmental Monitoring Devices

These devices universally employ SNMP and, even if you have SNMP turned off, a good cyber criminal can gain entrance via another port and turn SNMP on in one of these systems. If you have read the previous blogs, you know that SNMP is very vulnerable; even SNMPv3 is now hackable quite easily by a good cyber criminal. Once the criminal is inside your PDU or other rack back door, it’s only a matter of pivoting within your data cabinet network to reach one of your servers or storage systems. Since most of these systems also use SNMP to communicate, if you enter one, you can enter all.

Once a cyber criminal has pivoted from your SNMP device, such as a PDU, to your server, they can gather the data that they need and send it out the back door of your rack PDU or similar system. In fact, these criminals are so good that we have even seen file systems that they put on your PDU, UPS or other device for temporary storage of the documents and data that they are stealing. After all, a document is normally very small in size, so this isn’t much of a challenge.
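The pivot and exfiltration pattern described above has a simple network signature: a rack PDU, UPS or environmental monitor should only ever talk to its management console, so any flow that puts such a device in contact with a server or with the Internet is worth an alert. The following is an added detection example, not RackGuardian’s or AlphaGuardian’s code; the device roles, addresses and flow records are constructed, and the single-console policy is an assumption you would adjust to your own environment.

```python
"""
Added detection example (not AlphaGuardian's or RackGuardian's code): flag any
conversation in which a rack PDU, UPS or environmental monitor talks to
something other than its management console. All addresses, roles and flow
records below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset roles for one rack. Assumption: a single management
# console is the only host that should ever exchange traffic with these devices.
RACK_DEVICES = {"10.10.5.21": "rack-pdu-a", "10.10.5.22": "rack-ups-a",
                "10.10.5.23": "env-monitor-a"}
SERVERS = {"10.10.5.101": "db-01", "10.10.5.102": "app-01"}
MGMT_CONSOLE = "10.10.9.10"
INTERNAL = ip_network("10.0.0.0/8")
SNMP_PORTS = {161, 162}  # SNMP get/set and trap ports the console uses


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (as exported by a switch or firewall)."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes_sent: int


def classify(flow):
    """Return a finding for a policy-violating flow, or None if it is expected."""
    src_dev = RACK_DEVICES.get(flow.src)
    dst_dev = RACK_DEVICES.get(flow.dst)
    if not (src_dev or dst_dev):
        return None  # no rack power/environment device involved; out of scope
    # Expected: console polls the device over SNMP, device answers or traps back.
    if flow.src == MGMT_CONSOLE and dst_dev and flow.dport in SNMP_PORTS:
        return None
    if src_dev and flow.dst == MGMT_CONSOLE:
        return None
    where = f"{flow.proto}/{flow.dport}"
    if src_dev and flow.dst in SERVERS:
        return f"pivot: {src_dev} opened {where} to server {SERVERS[flow.dst]}"
    if src_dev and ip_address(flow.dst) not in INTERNAL:
        return (f"exfiltration candidate: {src_dev} sent {flow.bytes_sent} bytes "
                f"to external host {flow.dst} on {where}")
    if dst_dev and ip_address(flow.src) not in INTERNAL:
        return f"external access: {flow.src} reached {dst_dev} on {where}"
    if dst_dev and flow.src in SERVERS:
        return f"lateral: server {SERVERS[flow.src]} reached {dst_dev} on {where}"
    peer = flow.dst if src_dev else flow.src
    return f"unexpected peer: {src_dev or dst_dev} <-> {peer} on {where}"


def detect(flows):
    """Run classify() over all flows and keep only the violations."""
    return [(f, msg) for f in flows if (msg := classify(f))]


# Constructed sample flows: two legitimate console exchanges, then the
# patterns described in the post (device-to-server pivot, device-to-Internet
# upload, Internet-to-device login) plus an unrelated server-to-server flow.
SAMPLE_FLOWS = [
    Flow("10.10.9.10", "10.10.5.21", "udp", 161, 120),         # console poll
    Flow("10.10.5.21", "10.10.9.10", "udp", 162, 90),          # trap to console
    Flow("10.10.5.21", "10.10.5.101", "tcp", 22, 4_200),       # PDU -> DB server
    Flow("10.10.5.21", "203.0.113.50", "tcp", 443, 1_500_000), # PDU -> Internet
    Flow("198.51.100.7", "10.10.5.22", "tcp", 23, 800),        # Internet -> UPS telnet
    Flow("10.10.5.102", "10.10.5.101", "tcp", 5432, 30_000),   # app -> DB (normal)
]

if __name__ == "__main__":
    for flow, message in detect(SAMPLE_FLOWS):
        print(f"[ALERT] {message}")
```

Run against the constructed flows, three of the six records alert: the PDU opening SSH to the database server, the PDU pushing 1.5 MB to an Internet host, and an Internet address reaching the UPS on Telnet. The same allow-list that drives the detection (console only, SNMP ports only) is what a firewall or switch ACL in front of the rack devices should enforce, so that these flows are blocked rather than merely observed.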

So, sadly, there you have how Cyber Attacks on Server Rack Systems can take place. It is all too easy and all too common. The cyber criminal targets you or your organization, finds a back door and enters, then connects to your servers and storage systems to steal documents. They do this all under the cover of your PDU, UPS or other rack power or environmental system. It is an amazing sight to watch and we have seen it countless times.

Next week, we take a closer look at the details of how this is actually done. Please think about these things and, until next time,

Be Well!

Denial of Service Attacks on Data Racks

Greetings. This week’s blog is about SNMP Denial of Service Attacks on Rack PDUs. Rack Power Distribution Units, or PDUs, are a standard feature in every rack and are used to distribute the power in a rack via individual power outlets. Almost all PDUs used in server and telecom racks today are intelligent, in that they use SNMP to communicate their status to a central console or trap receiver.

A Denial of Service (DoS) attack or a Distributed Denial of Service (DDoS) attack can cripple any organization. DoS attacks seek to overwhelm and flood the network with large volumes of traffic that effectively cripple its ability to operate. In order to launch a DDoS attack, a hacker needs many devices that speak the same protocol language, and SNMP is becoming a favorite of hackers.

In terms of sheer numbers, rack PDUs are one of the most prevalent devices in your network, trailing only servers and switches. Because of this, they offer a great opportunity for a hacker to launch a very destructive Distributed Denial of Service (DDoS) attack. The fact that so many of your rack PDUs are tucked away in remote server rooms makes them that much more vulnerable to attack.

To get to the heart of this, let’s take a quick look at DDoS and reflection/amplification. The reflection component of this attack happens when someone spoofs one of your active IP addresses as the source of SNMP queries. The hacker sends SNMP requests to lots of devices, like rack PDUs, using your IP address as the spoofed source, which causes all of those devices to respond to your IP address with data. As the hacker adds more SNMP devices to his request list, the volume grows and can reach into the gigabytes per second. To up the ante, the bad guys can use techniques that elicit huge data responses from each SNMP query and may ultimately amplify the original request by well over 1000 times. A nice article and visual picture of this can be found here.
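Because reflection relies on your PDUs answering queries whose source address was forged, the attack is visible from your side as a lopsided byte count: one remote address receives far more SNMP response bytes from your PDUs than it ever sent in requests, and usually it is an address your PDUs have no business answering. The following is an added detection example, not AlphaGuardian’s code; the PDU addresses, the internal range and the flow records are constructed, and the thresholds are assumptions to tune for your own traffic.

```python
"""
Added detection example (not AlphaGuardian's code): spot rack PDUs being used
as SNMP reflectors by comparing, per remote address, the SNMP request bytes
that address sent to our PDUs with the response bytes our PDUs sent back.
Addresses, thresholds and flow records are constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: our SNMP-speaking rack PDUs and the internal range they live in.
OUR_PDUS = {"10.10.5.21", "10.10.5.22"}
INTERNAL = ip_network("10.0.0.0/8")
SNMP_PORT = 161


def find_reflection_victims(flows, min_amplification=5.0, min_responses=20):
    """
    flows: iterable of (src, sport, dst, dport, bytes, packets) records.
    Returns {remote_ip: stats} for addresses that receive many more SNMP
    response bytes from our PDUs than they sent in requests, the signature
    of a spoofed-source reflection attack with that address as the victim.
    """
    stats = defaultdict(lambda: {"request_bytes": 0, "response_bytes": 0,
                                 "responses": 0})
    for src, sport, dst, dport, nbytes, packets in flows:
        if dst in OUR_PDUS and dport == SNMP_PORT:
            stats[src]["request_bytes"] += nbytes        # query arriving at a PDU
        elif src in OUR_PDUS and sport == SNMP_PORT:
            stats[dst]["response_bytes"] += nbytes       # reply leaving a PDU
            stats[dst]["responses"] += packets
    victims = {}
    for addr, s in stats.items():
        # Guard against a zero denominator: responses with no request at all.
        amplification = s["response_bytes"] / max(s["request_bytes"], 1)
        s["amplification"] = round(amplification, 1)
        s["external"] = ip_address(addr) not in INTERNAL
        if s["responses"] >= min_responses and amplification >= min_amplification:
            victims[addr] = s
    return victims


# Constructed sample flows. The management console polls one PDU and gets
# modest replies; an external address appears to send small GETBULK-style
# requests to both PDUs and receives 1500-byte replies to each one.
SAMPLE_FLOWS = [
    ("10.10.9.10", 40123, "10.10.5.21", 161, 240, 3),       # console -> PDU (3 x 80 B)
    ("10.10.5.21", 161, "10.10.9.10", 40123, 600, 3),       # PDU -> console (3 x 200 B)
    ("10.10.5.21", 50000, "10.10.9.10", 162, 90, 1),        # trap, not a 161 reply
    ("203.0.113.9", 53000, "10.10.5.21", 161, 3000, 50),    # spoofed src -> PDU a
    ("10.10.5.21", 161, "203.0.113.9", 53000, 75000, 50),   # PDU a -> victim
    ("203.0.113.9", 53000, "10.10.5.22", 161, 3000, 50),    # spoofed src -> PDU b
    ("10.10.5.22", 161, "203.0.113.9", 53000, 75000, 50),   # PDU b -> victim
]

if __name__ == "__main__":
    for victim, s in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"[ALERT] {victim} (external={s['external']}): "
              f"{s['responses']} SNMP replies, {s['response_bytes']} B sent "
              f"for {s['request_bytes']} B received, x{s['amplification']}")
```

On the constructed data the console is ignored (3 replies at 2.5x), while 203.0.113.9 is reported at 25x amplification over 100 replies from two PDUs. Since the victim address in a reflection attack is forged, the response bytes are the only reliable signal; the mitigation is to stop the PDU answering anyone but the console (an SNMP access list or a filter in front of the rack) so the forged request is dropped before it can be reflected.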

USENIX, the Advanced Computing Systems Association, has identified SNMP as the second largest source for Reflection/Amplification DDoS attacks and they list Power Distribution Units as one of those specific sources that can be easily used in such an attack. Because SNMP, even SNMPv3, is no longer secure as can be seen in this excellent peer-reviewed article, it is clear that your PDU’s provide a good source for DDoS attacks and it is important that you secure them.

We ask all readers of this blog to take a look at how many PDU’s you have under management. We then ask that you consider that you can’t manage what you can’t secure. Please take a look at how RackGuardian can protect each of your critical racks. It is the only system that completely shuts out cyber intruders, while giving you all the management information on your systems that you require.

Until next time.

Be Well!

Cyber Risks of Power Reboot Devices

Welcome back!  This week, we look at a very serious problem with server and telecom racks: Cyber Risks of Power Reboot Devices.  To begin with, having the ability to reboot a server or telecom unit remotely is an extremely handy thing to use and it can save an enormous amount of time and effort.   The problem is that all-too-many of these devices have little if any protection from a cyber criminal using this device against you.

Let’s look at the various devices that can be used to remotely power cycle an electrical outlet a little more closely. Here are the common types of units used for that purpose, in order of market penetration:

  • Intelligent Rack PDUs
  • Rack-mounted and small UPS units
  • Remote reboot devices

Rack PDUs are Vulnerable

Intelligent Rack PDUs are in high demand and use in server and telecom racks, and for good reason. Most of them can measure power usage, provide reboot capabilities and allow you to better manage your rack systems. The problem is that Rack PDUs rely on SNMP as their primary form of communication. SNMP was a great protocol in its day, but the most recent version – v3 – is now 15 years old! That brings me to a simple question: Would you trust a 15-year-old piece of software or “secure protocol” to manage your critical systems? I think the answer is: NO.

SNMP Communications are Vulnerable

To make the point clearly, there was an excellent study done by a group at Georgia Tech University on the security of SNMPv3 specifically for the units listed above: PDUs, UPSs and reboot devices. The study is available here and proves beyond any doubt that rack servers and telecom units connected to these systems are highly vulnerable. Please note that the research report also shows that Distributed Denial of Service (DDoS) attacks can be launched using these SNMP devices. SNMP devices are increasingly being used in DDoS attacks because of their prevalence and their suitability for an amplification scheme, as the SANS Institute points out.

It’s clear from these reports that using any version of SNMP natively presents a risk to the systems being powered by these PDUs and UPSs. In fact, it’s clear that power systems managed over open SNMP ports are not in compliance with Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley and other data standards.

Remote Reboot Devices are Extremely Vulnerable

While PDUs and UPSs that use SNMP are clearly vulnerable, there is actually one last item that we need to examine: Remote Reboot Devices. We have examined several popular brands of Remote Power Reboot Devices and most of them allow control via simple HTTP access. Please remember that HTTP has NO ENCRYPTION, and all your logins and passwords are passed over your network in clear text. Now for the kicker: because the purpose of these devices is REMOTE rebooting, you primarily use them from outside your facility.

If you login via HTTP to a reboot box over the Internet (the most common use of a reboot box) you are passing your login and password as PLAIN TEXT for anyone in the world to see.
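The plain-HTTP reboot box described here and the two Staminus mistakes from the earlier post (one root password on every box, PDUs exposed to the WAN with Telnet) are all inventory questions: which rack devices are reachable from where, over which protocols, and with which credentials. The following is an added audit example, not AlphaGuardian’s code, that checks a device inventory for exactly those conditions; the inventory, device names and credential fingerprints are constructed, and in practice they would come from your CMDB and password vault.

```python
"""
Added audit example (not AlphaGuardian's code): check a rack device inventory
for the mistakes named in the Staminus write-up (one password for every box,
PDUs exposed to the WAN with Telnet) and for reboot devices managed over
plain HTTP. The inventory, credential fingerprints and device names are
constructed; they would normally be exported from a CMDB and a password vault.
"""

# Constructed inventory. 'cred_fingerprint' stands for a hash of the admin
# password as exported by a vault, so the audit never handles the password.
INVENTORY = [
    {"name": "rack-pdu-a", "type": "pdu", "wan_reachable": True,
     "telnet": True, "http": True, "https": False, "snmp": "v2c",
     "cred_fingerprint": "fp-7d3a"},
    {"name": "rack-pdu-b", "type": "pdu", "wan_reachable": False,
     "telnet": False, "http": False, "https": True, "snmp": "v3",
     "cred_fingerprint": "fp-7d3a"},           # same admin password as pdu-a
    {"name": "reboot-1", "type": "reboot", "wan_reachable": True,
     "telnet": False, "http": True, "https": False, "snmp": "off",
     "cred_fingerprint": "fp-91c0"},
    {"name": "core-sw-1", "type": "switch", "wan_reachable": False,
     "telnet": False, "http": False, "https": True, "snmp": "v3",
     "cred_fingerprint": "fp-2be4"},
]


def audit_device(dev):
    """Findings for one device as (severity, message) tuples."""
    findings = []
    exposure = "reachable from the WAN" if dev["wan_reachable"] else "on the LAN"
    sev_by_reach = "high" if dev["wan_reachable"] else "medium"
    if dev["telnet"]:
        findings.append((sev_by_reach,
                         f"Telnet enabled ({exposure}); logins cross the network in clear text"))
    if dev["http"] and not dev["https"]:
        findings.append((sev_by_reach,
                         f"management over plain HTTP only ({exposure}); credentials sent in clear text"))
    if dev["snmp"] in ("v1", "v2c"):
        findings.append(("medium",
                         f"SNMP {dev['snmp']} enabled; community strings travel unencrypted"))
    if dev["wan_reachable"] and dev["snmp"] != "off":
        findings.append(("high", f"SNMP {dev['snmp']} reachable from the WAN"))
    return findings


def audit_inventory(inventory):
    """Per-device findings plus a cross-device check for reused credentials."""
    results = [(d["name"], sev, msg)
               for d in inventory for sev, msg in audit_device(d)]
    by_fingerprint = {}
    for d in inventory:
        by_fingerprint.setdefault(d["cred_fingerprint"], []).append(d["name"])
    for names in by_fingerprint.values():
        if len(names) > 1:  # one break-in would open every device in the group
            results.append((", ".join(names), "high",
                            "same admin credential on multiple devices"))
    return results


if __name__ == "__main__":
    for name, severity, message in audit_inventory(INVENTORY):
        print(f"[{severity.upper():6}] {name}: {message}")
```

Against the constructed inventory the audit produces six findings, five of them high: four on the WAN-exposed PDU (Telnet, HTTP-only management, SNMPv2c, SNMP reachable from the WAN), one on the reboot device for HTTP-only management, and one cross-device finding because both PDUs share an admin credential. A reboot device gets the HTTP finding even when it is not WAN-reachable, since the clear-text login is just as readable to anyone on the LAN segment.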

I would encourage every reader of this blog to think about these facts and how secure your facility needs to be.  If you are covered under any data security standard, you must place a protective system between your rack PDU, UPS or Reboot device and your network.  Even if you are not under a security standard, if you use a Remote Reboot Device, you are just taking your server’s life and data into anyone’s hands who wants to take the effort to sniff your traffic.

RackGuardian was built from the ground-up to protect your rack assets from cyber or physical hackers.  At the same time, its patented remote control features provide a FULLY ENCRYPTED reboot authorization process with 2-Factor Authentication.  Please give us a call to confidentially discuss your rack security needs.  We are here to help you meet your compliance standards while continuing to give you the remote management capabilities that you need.

Until Next Time,

Be Well!

Comprehensive Server & Telecom Rack Protection

Greetings and welcome to our blog.  In this installment, we are going to look at how you can provide Comprehensive Server & Telecom Rack Protection for your systems.  To begin with, let’s define what we mean by “comprehensive protection”.  We define this as:

Protecting the entire rack contents from environmental, physical security and cybersecurity vulnerabilities.

In today’s blog, we are going to take a look at the first area of needed protection for your racks: environmental protection. Rack monitoring products are nearly as old as server and telecom racks themselves. Normally, these systems provide the ability to monitor the temperature and humidity of your rack, and some also offer the ability to monitor the power being distributed in your rack by your PDUs. These are all good things but, as the systems that you place in your racks become increasingly critical and expensive to own and operate, basic environmental information is of limited value in actually helping you operate your rack-based systems in the most secure and efficient manner. Let’s look at the kind of environmental information that can truly help you maximize your systems’ reliability and operation.

  • Rack Energy Efficiency – Two years ago, the Department of Energy released an excellent study on small server and telecom room energy use. Among the findings in this study were that:
    • The Power Usage Efficiency (PUE) of small server rooms was measured at over 2.0 on several sites and the average was 1.85.
    • The wasted energy accounts for thousands of dollars in wasted cooling energy for every server room per year.
    • The inefficient cooling of server rooms and resultant hot spots leads to equipment failures and other reliability problems
  • Rack Backup Power Availability – Battery monitoring products have become almost standard for large data centers because users know that the failure of a UPS battery can have catastrophic consequences. However, the smaller UPS units that protect server and telecom rooms have very minimal software capabilities to manage the backup battery. It’s a fair question to ask: If you purchase a UPS, how much battery time does it have at the present time? Very few software products give you an accurate look at that number, and that creates a huge problem for the servers that you are trying to protect with the UPS.
  • Rack Environmental Hazard Protection – Leak detection systems, like battery monitors, are common and nearly standard at all data centers. But again, they are seldom used in small server or telecom rooms. That is a huge problem because, whereas racks in data centers have very little chance of having water touch them directly, server rooms and telecom closets are often located within close proximity to water and drain pipes in a commercial office. This makes water-related system and data loss a very real possibility.

We are pleased to say that our patented RackGuardian product is the only one on the market that can truly solve each of these problems.  To begin with, our patented energy management functions will actually tell you where to best place the servers and equipment in your racks to allow for the least airflow resistance and therefore, the most efficient and reliable cooling.  We have proven that this results in lowered cooling costs for your server and telecom rack sufficient to pay for the RackGuardian in less than 2 years.

In addition, another patented feature of our RackGuardian is its ability to manage battery conditions for even the smallest UPS unit. Our proprietary technology will allow you to know when your UPS batteries are becoming weak. Every UPS battery will eventually fail, just as your car battery fails. It’s just a matter of when. RackGuardian’s ability to spot weakness early in the battery’s life will allow you to replace your batteries and keep your UPS operating in the manner you expect.

Lastly, the RackGuardian offers the Flexi-Pad liquid sensor that is built just for data cabinets.  Traditionally, leak detection has been done by cables which simply do not work in a data rack environment.  The Flexi-Pad is a leak detection sheet that simply fits underneath your servers or on top of your servers.  Our on-board analytics have the ability to communicate with the Flexi-Pad to spot any sign of a liquid at its earliest point.

Best yet, RackGuardian’s on-board analytics virtually eliminate false alarms while ensuring that every real alarm reaches you instantly. AlphaGuardian’s patented iOS App can put a system alarm onto your phone in less than 2 seconds, and its acknowledgment feature ensures that you have received the alarm. We ask that you think about these powerful features in conjunction with your server or telecom racks and give us a call to let us show you how we can protect your systems and pay back your investment quickly.

Until next time,

Be Well!