I used to work at Exodus (my story here), which became Cable and Wireless, which is now Savvis. Back in the first web boom Exodus was a high-flying web host for premier brands. We had the top web brands, ya know: Yahoo, Weather Channel, eBay, Pets.com, and a ton of porn sites (little-known secret).
We emphasized uptime, fat pipes, and hardened security, both digital and physical. As a result, we installed countless devices, from palm biometric readers to ‘man traps’ that would hold someone in a tube if their weight on the way out was greater than their weight on the way in.
I recently found out during one of my lab days (a full-day evaluation of a vendor, including scenario testing) with community platform vendors that some brands are putting those vendors to the test when it comes to security.
This one particular community platform vendor was being evaluated by a large Fortune 1000 company that was very concerned about security. As a result, the company tried to break into the colocation center where the servers were housed. They tried various tactics: manipulation, giving excuses to get in, or looking for unlocked doors.
On a related note, one of the vendor’s employees told me about his experience where he saw that an air conditioning unit was plugged in on the outside of the colo. He unplugged it, and it stopped functioning. I guess the system was not redundant, with no backup fail-safes.
Given that our personal data is all over the web in Facebook, LinkedIn, Google Docs, PeopleSoft, Siebel, Salesforce, your bank, and so on, what have you done to test the security of those systems and ensure the physical realm is secure? Not much, I’ll bet. As users we just rely on blind faith in many cases to ensure we’re protected. I trust my bank (but cannot confirm) that my data is truly safe.
I know of a vendor that is actively engaged in such social engineering tests. One of the best stories I heard from him was about bringing a few pizza boxes to a data center: inside one box was a laptop.
A hungry security guard let him in, and the laptop was quietly plugged into the network and various exploits run. I can imagine the client that paid for this test was not pleased.
Security tests must also cover the physical plant and personnel. Failing to do so is just as bad as leaving a server wide open!
The other approach is to leave post-it notes on all the things, or the things of other customers, in a data center that you shouldn’t be able to touch on a sales tour. That always gets security teams in a happy mood, or charges filed.
If you want the kind of hosting that is ultra-compartmentalized and hardened, you have to pay for it. Otherwise, you operate within risk parameters and buy accordingly.
As for your bank, you place infinitely more trust in the teller than you do their hosting provider. Your data is only as safe as the people working there. I’d say the same is true for e-banking without traditional tellers.
That is quite the thought-provoking post. What are the legal ramifications of testing your service provider’s security capabilities? How far can you go? Is it a good idea for a provider to ask people to try and test their security?
Being a former CSO for a 20,000-staff firm, my most successful breaches of security involved either a telephone or a post-it note.
Jonathan, I call that approach ‘armadillo security’, meaning hard on the outside, soft on the inside. The most carefully-maintained $100,000 firewall does no good if someone can simply move a ceiling tile and gain complete and unfettered access to the entire datacenter… 😉
I’m all for due diligence… But maliciously probing for faults and bringing an HVAC system down… I’ll stick with holding my data center to their QoS marks.
You won’t catch me unplugging my vendors’ stuff just to see what happens. I’d press charges on a guy like that. Wish there was a “rest of the story” bit on this one. Like… DID the facilities’ operator press charges? What would have happened in the event it caused damage to colo’d assets? etc.
This would be a fun (and profitable) company to run “Security Breach Testing” where the sole premise is to do analysis on the weaknesses of physical security of eCompanies.
Gerald
I don’t think they pressed charges, as they had no idea who did it. The individual unplugged it, then called the operations team to ask if the air conditioning was running well for the data center. (To the best of my memory)
Jonathan great story. Mitch great stuff, “Armadillo” eh?
Oh, and hopefully this isn’t what your bank’s data center looks like:
http://royal.pingdom.com/?p=323
🙂
Isn’t the jargon phrase for such security testing ‘red teaming’?