So you’ve locked down your network and have a great ISMS programme protecting you from electronic threats. But what if steal-to-order organised criminals take a sledgehammer to the exterior wall of your data centre and pull a number of network devices and servers out of your racks? Have you considered physical security in the same way?
Back in February 2011 Vodafone had just such an incident. Organised criminals struck an unmanned data centre, breached an exterior wall and stole specific devices from inside. The site was protected by a remote security company, but that team either failed to detect the intrusion or failed to respond in time to prevent the loss of the equipment and the network outage that followed.
Let’s consider the Vodafone attack. Firstly, the asset: data centre networking equipment is very expensive and, once removed from the racking, relatively mobile. The impact of losing the devices was 12 hours of downtime for 100,000 customers, which should be assessed for its financial, operational, regulatory and reputational impacts.
Secondly, the threat and its tactics. The attack was well organised and the attackers appeared to know the placement of the equipment within the data centre. With this level of preparation it is fair to assume this was a well organised criminal team with a steal-to-order objective. The tactics were very direct: drive onto the site and breach the exterior wall with manual tools.
What can we learn from this?
- Consider the pure value of the physical asset, not just the data on it.
- As part of DR planning, include plans for the loss of the entire physical equipment, not just its recovery.
- When thinking about security around the egress and ingress points, you must also consider the rest of the perimeter: walls, floors and ceilings.
- Add controls which increase the time an attacker has to spend getting to the asset.
- Ensure that detection and response happen early and fast. All the delaying controls in the world do nothing if you are not responding.
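The last two points can be put in numbers. The example below is added here and is not from the original post: a simplified timely-detection model (after the Sandia EASI idea) in which the first alarm starts the response clock and an attacker is only interrupted if the delay still ahead of them is at least the response time. The layer names, delay times, detection probabilities and response times are constructed for illustration, not figures from the Vodafone incident.

```python
from dataclasses import dataclass


@dataclass
class Layer:
    name: str
    delay_s: int      # seconds an attacker needs to get through this layer
    p_detect: float   # probability this layer raises an alarm as it is attacked


def interruption_probability(layers, response_s):
    """Probability that responders arrive before the attacker reaches the asset.

    Assumptions of this example: the alarm, if any, fires as the attacker starts
    on a layer, so that layer's delay still counts; delay spent before the first
    alarm is wasted, because nobody is on the way yet.
    """
    p_not_detected_yet = 1.0
    p_interrupt = 0.0
    for i, layer in enumerate(layers):
        remaining = sum(l.delay_s for l in layers[i:])
        p_first_alarm_here = p_not_detected_yet * layer.p_detect
        if remaining >= response_s:
            p_interrupt += p_first_alarm_here
        p_not_detected_yet *= 1.0 - layer.p_detect
    return p_interrupt


def scenarios():
    """Constructed scenarios: slow remote response vs. fast local response."""
    fence = Layer("perimeter fence", 60, 0.3)
    wall = Layer("exterior wall", 600, 0.9)   # wall sensors alarm on impact
    cage = Layer("locked rack cage", 900, 0.0)
    rack = Layer("unbolt from rack", 120, 0.0)
    path = [fence, wall, rack]
    return {
        # remote guard force an hour away: alarms fire but nobody arrives in time
        "remote_response": interruption_probability(path, 3600),
        # same layers, responders 10 minutes away: the wall alarm now matters
        "local_response": interruption_probability(path, 600),
        # extra delay bought by cages does nothing while response stays slow
        "cage_but_remote_response": interruption_probability(
            [fence, wall, cage, rack], 3600),
    }


if __name__ == "__main__":
    for name, p in scenarios().items():
        print(f"{name}: P(interrupt) = {p:.2f}")
```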