The Stolen Digital Generation
In the current political climate, the need for security has never been more evident, given the rise of global terrorism and politically motivated violence. Increased security measures are not only costly, but also manpower-intensive and often intrusive.
Furthermore, data, in the most basic sense, has been secure in datacenters with the advent of strong security procedures, access control systems and a myriad of technological advances. Over the last three decades, various forms of metal detection have been used, in some degree, to screen datacenter workers for potential hardware that may have left the center.
In some cases, it has shown progress in stopping some larger items from going undetected. The challenge for the industry, though, has always been smaller, hard-to-detect items like thumb drives and mini SD drives.
Recent advances in software algorithms and hardware detection levels have allowed newer, more novel approaches to help organizations secure even more potential threats. Additionally, testing has shown that new systems capable of facial recognition, with both biometric recognition and iris scanning, add another level of critical authorization and advanced screening.
In this discussion, we will highlight the issues many organizations face with older technology and the latest advancements in object detection, as well as in combined threat analysis with biometrics and iris advancements. This paper will explore current issues with both personal security and cyber security.
George S. Clason, businessman and author of ‘The Richest Man In Babylon’, stated that “In those things toward which we exerted our best endeavors, we succeeded.”
With so many magnificent by-products of innovation, entrepreneurship, genius and bravery, that statement rings true in so many ways and is demonstrated through the technology we use in our daily lives.
In this, the technological age, we as humans have achieved some truly amazing feats of advancement. In the short space of the past 130 years, we have come from the horse and cart to the automobile and from phonographs to iPods; we’ve mastered flight, space travel, communication, and of course the internet. We are truly enjoying the golden age of technology.
We have discovered that with every problem, there is a solution.
And with every solution, our instinctive curiosity and intuition cause us to improve and develop these solutions to make them better. That is how we have evolved as a civilized society.
As we come up with answers, we then discover new problems to solve. The wheel may certainly have been invented, but it went through, and still goes through, various stages of improvement to make it an optimal commodity. We are a Research and Development society.
We have created ways to do things through technology, and it has become a valuable part of our day-to-day lives. Some would argue that it is the ultimate level of Maslow’s hierarchy of needs.
1. Cyber Security
The term Cyber Security was unheard of 30-odd years ago, but has now become an industry in itself as we struggle to maintain integrity and privacy. The issue of Data Theft has outweighed the fear of property theft in many cases, and this is what I’m here today to talk about.
McAfee estimates a loss to the global economy of between $400 and $575 billion in cybercrime per year. These figures are based on known data only; the true figure is likely much higher.
An IBM study found the average consolidated total cost of a data breach is $3.8 million, representing a 23% increase from 2013.
• The average cost per record breach is $154,
• for healthcare organizations $363, and
• 47% of data breaches are malicious!
• A further study found that 36% of data breaches were from employee misuse or negligence, while 25 percent were intentional attacks from an insider.
Think about that for a moment.
Let us then ask ourselves the following questions:
• How does data leave the data center, and
• what can we do to minimize these breaches?
2. Physical hacks
Many Data Centres have firewalls and other network security measures to minimize risk, and for the most part these are effective. Cyber Security experts, though, claim that the five simplest ways to hack into a data center are by:
1. crawling through void spaces in the data center walls,
2. lock-picking the door,
3. “tailgating” into the building (tailing other employees),
4. posing as contractors or service repairmen, and
5. jimmying open improperly installed doors or windows.
You’re effectively leaving the front door open for thieves!
With emerging trends such as Big Data, bring-your-own-device (BYOD) mobility and global online collaboration sparking an explosion of data, the data center will only become more important to your organization and will continue to be the target of not only breaches, but advanced malware and other cyber-attacks.
Additionally, compromised targets can unwittingly become attackers themselves. At the bidding of cybercriminals who can control compromised systems remotely, the data centers are commandeered as potent weapons in attacks against fresh targets.
The emphasis on Data Centre Security is paramount, and whilst hacking and cyber-attacks require their own defence mechanism, today I’m here to address the physical breaches, and how to best counter them within an organization.
3. Front line defence
For those familiar with SAS 70 compliance and audits, the ‘Data Center Physical Security Best Practices Checklist’ below contains a data center physical security best practices program that is quite comprehensive and no doubt costly, time consuming, and resource heavy.
Data Center Physical Security Best Practices Checklist
• Built and Constructed for Ensuring Physical Protection
The exterior perimeter walls, doors, and windows should be constructed of materials that provide Underwriters Laboratories Inc. (UL) rated ballistic protection.
• Protection of the Physical Grounds
The data center should have in place physical elements that serve as battering rams and physical protection barriers that protect the facility from intruders.
• Bullet Resistant Glass
Certain areas within the data center, such as the lobby area and other entrance mechanisms, should be protected by bullet proof or bullet resistant glass.
• Maintenance of Vegetation Flowers
Plants, trees and other forms of vegetation should be appropriately maintained for purposes of not allowing these elements to conceal or hide an intruder.
• Security Systems and 24×7 Backup Power
The data center’s security systems should be functioning at all times, complete with uninterruptible power supply (UPS) for ensuring its continuous operation.
• Cages, Cabinets and Vaults
These physical structures which house equipment must be properly installed with no loose or moving components, ultimately ensuring their overall strength and rigidity.
• Man Trap
All data centers should have a man trap that allows for secure access to the data center “floor”.
• Electronic Access Control Systems (ACS)
Access to all entry points into and within the data center should be protected by electronic access control mechanisms which allow only authorized individuals to enter the facility. Included within the framework of electronic access control should also be biometric safeguards, such as palm readers, iris recognition, and fingerprint readers.
• Provisioning Process
Any individual requesting access to the data center should be enrolled in a structured and documented provisioning process for ensuring the integrity of the person entering the facility.
• Off-boarding Process
Personnel working for the data center or clients utilizing the facility services must be immediately removed from systems that have allowed access to the facility itself. This includes all electronic access control mechanisms along with removal of all systems, databases, Web portals, or any other type of sign-in mechanism that requires authentication and authorization activities.
All visitors must be properly identified with a current, valid form of identification and must be given a temporary facility badge allowing access to certain areas within the data center. This process must be documented in a ticketing system also.
All exterior doors and sensitive areas within the facility must be hard wired with alarms.
The facility should have a mixture of security cameras in place throughout all critical areas, both inside and out, of the data center. This should include the following cameras: Fixed and pan, tilt, and zoom (PTZ) cameras.
• “Threat Conditions Policy”
Consistent with the rating scale of the Department of Homeland Security, the facility should have a “threat conditions policy” in place whereby employees and customers are made aware of changes in the threat.
• Badge and Equipment Checks
Periodic checks should be done on employees and customers regarding badge access and equipment ownership.
• Local Law Enforcement Agencies
Management should have documented contact information for all local law enforcement officials in the case of an emergency.
• Paper Shredding
A third-party contractor should be utilized for shredding documents on-site, then removing them from the facility, all in a documented fashion, complete with sign-off each time shredding is done.
• Data Center Security Staff
As you can see, this is a comprehensive list of measures that no doubt add to the effectiveness of security, but ultimately ‘Data security starts with physical security.’
4. Layers of Security
The Anixter White Paper suggests a Four Layer approach to Data Center security.
First Layer: Perimeter Security
Second Layer: Facility Controls
Third Layer: Computer Room Controls
Fourth Layer: Cabinet Controls
Not all organisations have the resources to be able to take this approach, and as you can see from the following example, some companies have spent a fortune securing their data.
Example: A top-secret financial data center on the East Coast, an 8-acre facility, is a model of a serious approach to physical security, with perimeter safeguards such as hydraulic bollards to stop speeding cars and a drainage pond that functions as a moat.
That is the millennial version of a castle with a protected outer layer.
It is the Inner Layers though, that are the most crucial in securing Data.
This is where Entry Control Points (ECPs) can be secured with technological security rather than Human Resources, using a cost-effective, discreet Threat Detection System (Ronin) that will detect even the smallest of devices, such as USBs, entering or leaving a building.
Access control systems act as the primary keys to the castle and should use methods that cannot be shared, such as biometric access. Coupling a key card with biometrics requires the user to match the access card and the biometric, such as fingerprint or retinal recognition.
Sharing access is strictly forbidden.
Physical security is broken into two pieces: the physical elements such as cameras, access control systems and locks; and the operational processes such as visitor and contractor policies and general awareness training. If both elements are not addressed, neither will be 100 percent effective.
The most important aspect though, is to be diligent against the biggest threat: People!
Unless you are pro-active in your approach, you will always be a target for theft.
Don’t make the assumption that it will never happen to you.
As stated in the opening sentence, “We have discovered that with every problem there is a solution.” As far as reducing the ‘front door’ risk, the focus must be on implementing technologies to assist human resources in detecting security breaches in which devices such as USBs, intended for stealing data, are either introduced or removed. A small, hidden device may or may not show up on a metal detector, and can definitely be strategically hidden to avoid such measures (internally).
In developing security systems that have:
• pinpoint accuracy of detection,
• simultaneous detection of location, size, & orientation,
• requires minimal manpower to operate and, more importantly,
• is discreet, unobtrusive, and can be hidden
5. Real Time Threat Detection Systems – The Keys To The Castle!
To this point, we have covered the protection and security of data and suggested solutions in maintaining data integrity. But a growing and ever-present threat to humanity is the rise of terrorism, violence, and attacks on people and property. Airports, venues, military installations, schools, and government installations, to name a few, have all increased security measures in an attempt to minimise harm, but opportunistic criminals will always find ways to exploit defences and conduct attacks. Physical security, that is to say security personnel, is a deterrent but can still be overcome by force at close range. Weapons are also easy to conceal, and can avoid detection via personal searches or visual inspection. Knives, guns, pistols etc. are primarily used at close range and require the user to be at close quarters. Explosives, on the other hand, can be detonated at a distance, keeping the perpetrator out of range.
It is therefore necessary to be able to screen people in large volumes from a distance, and fortunately the technology for this is now available with products that are able to do the following:
• Reduce human error
• No Dedicated Monitoring
• Simple Training
• Large Traffic Throughput
• One System/Multiple Gates
• Updates Via Cloud
This paper has discussed key issues surrounding both cyber and personal security. As threats continue to increase, so must the capacity to outwit and defeat those who would seek to do harm.
It has highlighted deficiencies in the above-mentioned areas of security and presented possible scenarios for applicable solutions for each.
It is in no way exhaustive, but indicates the main security threats to organisations and people today.