How Safe Is Your Data Center? Hacking Expert Demonstrates Security Weaknesses
by Stephanie Faris on Tuesday, April 11 12:00
Avoiding security breaches is a top priority for security administrators.
They invest in top-quality software and monitor and manage their servers on a daily basis.
But all of that work doesn't take into account physical access to those servers.
Recently, well-known hacker Kevin Mitnick presented at the Data Center World conference in Los Angeles on the topic of data center security. After serving time for infiltrating two prominent business systems, Mitnick began a career as a consultant and today he works with Fortune 500 companies, as well as the FBI. His superior hacking skills can provide the hacker's perspective to these businesses, identifying costly vulnerabilities.
The Identification Badge Weakness
During his presentation, Mitnick discussed the one security feature that is the staple of most IT departments' physical security efforts. Realizing the importance of keeping these areas safe from unauthorized personnel, departments often secure them with access badges. Mitnick described how he infiltrated a business's data center through its proximity cards as a cautionary tale to others.
To gain entry, Mitnick first posed as someone interested in leasing office space to get a tour of the building. During the tour, he was able to clone the salesperson's access card using a reading device in a matter of seconds, which would let him create a duplicate card to get into the building. Once he had that, he could enter the building anytime he wanted, at which point he used his device reader to clone the card of a data center employee while standing next to him in the bathroom. With this, he had access to the data center, where he could physically access the sensitive servers whenever he wanted.
The Human Factor
With his years of experience, Mitnick has seen that the "human factor" is the number one security risk for any business. To clone the cards, he used social engineering, which involves manipulating people into giving him the information necessary to hack into systems. He also pointed to the leak of sensitive emails related to Hillary Clinton's campaign last year as demonstrating the vulnerabilities. Cybercriminals are well aware of the human factor and use it to their advantage when they can.
By being aware of these vulnerabilities, IT departments can take measures to protect their server rooms and data centers. In the coming years, physical identification will likely move toward biometrics, making it more difficult for expert criminals to gain access. Until that technology is in place, though, IT departments need to educate their employees on safeguarding their credentials and setting complex passwords to keep risk at a minimum. Administrators also can help mitigate these risks by setting strict password policies at the server level as part of their standard operating procedures.
Security breaches will always be a concern for businesses, but awareness is the first preventive step they can take. When employees are trained well and networks are secured at the server level, cybercriminals have a much more difficult time committing a breach. Over time, biometrics will make this even easier, ensuring that both physical and virtual access to servers is locked down to only those who have been authorized.