One of my favorite books about information security is Ghost in the Wires, by Kevin Mitnick.
Kevin, of course, is one of the notorious early hackers whose exploits are brilliant and quite entertaining. If you have not already done so, add that book to your reading list. This post, however, is not a book review.
I was reminded of Kevin’s book the other evening when my son went dashing to the door in the middle of the night to make sure that he locked it. Normally, like all teenagers, he just eventually goes to sleep. However, this time, the memory of the horror movie he was watching prior to going to bed startled him enough to make him double check that door. We have all experienced that, haven’t we? THE KILLER IS IN THE HOUSE!
What was it about that event that reminded me of Mitnick’s book?
A lot of Mitnick’s exploits began with bypassing physical security mechanisms. Early in the book, he describes how one of his “pen testers” would pop a ceiling tile to gain access to an office through the dropped-ceiling that is so common in many of the office buildings today.
Fortunately, most data center architects are wise to this trick and they build their surrounding walls from floor to the concrete ceiling, not the drop ceiling. During a recent data center walk-through, an auditor asked me to open a ceiling tile to prove that this was the case. (Auditors clearly have trust issues.)
One thing that auditors have never checked is the exiting procedure, and this is something that I have seen overlooked by the most seasoned data center employees. Next time you see your sysadmin or any other authorized data center employee exiting a secured area, observe what they do.
Does your staff simply leave the secured area, relying on that satisfying *click* sound of the door-locking mechanism as the door closes behind them, or do they stop and check to make sure that door is actually locked? A simple push is all it takes to make sure that door is secure.
Incidentally, does the door to your data center pull open from the outside? If it does, that indicates that the hinges are on the outside, resulting in an improperly installed door with an easily defeated locking mechanism.
Data center? What data center?
In our new “everything in the cloud” cyber world, most data centers have been reduced to a small room with some networking equipment. In a sense, many of the “server rooms” of the pre-cloud era have taken a dramatic step further back in time, resembling more of a storage closet setup reminiscent of the early days of network computing.
These down-sized infrastructure rooms create a new problem: the rooms are devalued, since the belief is that the important data is not stored there. However, for most small to medium-sized businesses, that room represents the single point of failure in an office environment.
How is the door to that now glorified broom closet secured? Is the staff that enters that space authorized and trained in physical security protocol? What is the possibility of that non-technical employee actively checking the door security after it closes?
With so many of us distracted by the threat of nation-state actors and all the perils of remote cyber-attacks, it is easy to overlook a simple step in physical security that could make us sleep just a bit easier each night.