[ISN] Data center robbery leads to new thinking on security

From: InfoSec News (alerts@private)
Date: Tue Jan 08 2008 - 00:06:11 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9056058 

[Backround at: http://www.infosecnews.org/hypermail/0711/13951.html - WK]


By Patrick Thibodeau
January 07, 2008
Computerworld

Last October, a data center in Chicago owned by Web hosting and 
collocation vendor C I Host Inc. was robbed by two masked men, who 
pistol-whipped a lone IT staffer working the graveyard shift and then 
held him hostage for two hours while stealing computer equipment.

It's rare for data centers and their employees to be attacked in such a 
brutal way. Typically, IT facilities are designed with physical security 
in mind, featuring protections such as steel doors, security guards and 
electronically controlled access mechanisms.

But the armed robbery at the Chicago data center has changed how 
Christopher Faulkner, CEO of Dallas-based C I Host, views security. 
Faulkner said this month that he no longer thinks data centers are as 
secure as IT managers believe they are, and that he sees what happened 
at his company as a warning of what may lie ahead for other 
organizations.

"The second someone crosses the line to armed robbery [risking] a 25- to 
50-year prison sentence to steal some servers, we're in different realm 
of security now," he said.

When Faulkner tours other data centers, he looks at their security 
measures with a much different eye than he did before the robbery at his 
facility. He imagines someone a robber, or a terrorist who is determined 
to steal or destroy the equipment there.

Most data centers don't have metal detectors or bomb-detection systems, 
according to Faulkner, who also said that he has never been patted down 
by a security guard when entering a data center. "How do they know I 
don't have five handguns on me, strapped down with explosives?" he 
asked. "They don't know."

There have been a few scattered reports of robberies at other data 
centers, including one last year in London. But William DiBella, 
president of AFCOM, an Orange, Calif.-based professional association for 
data center managers, said that he sees little chance of robberies 
becoming a trend at IT facilities.

Data centers are far from a low-hanging fruit for robbers, DiBella 
contended. "Most data centers are very well-hidden and secure," he said. 
Moreover, he said, companies simply aren't going to risk intrusions, for 
an obvious reason: "Lose data and you can lose the business."

Nonetheless, Faulkner thinks that data center operators really haven't 
planned for the worst possible occurrences, such as terrorist attacks. 
"Data center security, in the past five years, has been about the show 
for the customer," he said. "If somebody is committed to dying, it's 
going to be very hard to stop them."

Since the robbery in Chicago, Faulkner has added new security measures, 
most of which he declined to specify. The hosting firm, which has two 
other data centers in Dallas and Los Angeles, also now trains its 
staffers on how to respond if a similar incident happens again. He said 
the training can be boiled down to this message: "fully cooperate" with 
any intruders.

"These are computer geeks," Faulkner said of his employees. "I am not 
going to be in a business where I'm going to tell someone that their 
son, daughter or husband was killed for some computers."

C I Host's Chicago data center is in a leased building. The robbers used 
a hook to lower an old-fashioned fire escape on the side of the building 
in order to gain access. A guard from a security company wasn't at his 
post, Faulkner said, adding that the robbers waited in a hall for the 
lone employee who was on duty at the time to leave the data center.

Once the robbers accosted and subdued the worker, they swiped his 
employee badge through a scanner and entered his security PIN code on a 
keypad outside the door to the data center. The security system then 
prompted them for a fingerprint scan, which the employee was forced to 
do, according to Faulkner.

The robbers stole servers and networking equipment that belonged to a 
collocation customer and that Faulkner estimated would cost between 
$50,000 and $100,000 if bought new. Police in Chicago haven't made any 
arrests in the case thus far, he said.

Faulkner has hired a private investigation firm to conduct its own 
inquiry. One of the things the investigators are likely to look at is a 
break-in at the same data center in 2005. In that incident, someone 
broke into the facility during the night by cutting through a wall, an 
effort that may have taken seven hours to complete. At the time, the 
data center was managed at night; it was after the break-in that 
overnight staffing was added, Faulkner said.

One of the changes that Faulkner has made since the robbery in October 
is dropping the use of an outside security firm and hiring an armed 
guard who works directly for the company. "We can control more of what 
he does," the CEO said.

But Faulkner added that he doesn't feel entirely comfortable with the 
idea of having someone in the data center with a loaded handgun, and 
that he doesn't know if even an armed guard could have thwarted the 
robbers.

John Watters, chairman and CEO of iSight Partners Inc., a Dallas-based 
security consulting and analysis firm, said that physical security 
improvements inside data centers haven't changed much over the past five 
years or so and aren't keeping pace with data and network security 
efforts.

"Physical security budgets aren't growing," Watters said. "As people 
have gone through extreme measures to secure logical access points to 
data, they have been remiss to provide the same level of tenacity to the 
human and physical aspects."

Among the problems that Watters sees is the separation between physical 
and logical security at many companies. For instance, if someone swipes 
a card to gain access to a data center but doesn't log into a system 
within a given time, that may be an indication that something is out of 
the ordinary. But if both types of controls aren't part of an overall 
security management system, the data center staff may never be aware of 
such an anomaly.

And that could help open the door to intruders, according to Watters. 
"The good adversary attacks your weak link," he said.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/



This archive was generated by hypermail 2.1.3 : Tue Jan 08 2008 - 00:24:47 PST