CyberSecurity Institute

Security News Curated from across the world

Author: admini

Five Ways To (Physically) Hack A Data Center

Posted on May 17, 2010 / December 30, 2021 by admini

“Over the years, you can spend millions of dollars protecting your network, but [many organizations] are leaving the front door wide open. They are missing huge gaping holes” in their physical security of the data center, says Jones, who will discuss his findings at the conference today in Sao Paulo, Brazil.

“These are the top ways we get in.”

One of the flaws in the physical design of most data centers is their drop ceilings and raised floors, Jones says. “The walls don’t go all the way up [to the ceiling] or down [to the floor],” he says. The drop ceiling leaves a void for an intruder to remove a ceiling tile from a nearby area and then crawl to the data center from above it. “You can crawl down carefully to where you need to drop down,” Jones says.

And raised floors, built for cabling and cooling purposes, can also be physically exploited, he says. “With a raised floor, there’s a gap between the installed floor and the concrete bottom of the building,” he says. Jones says crawling in via ceiling tiles or through raised floor gaps are easy ways to get inside without getting noticed or doing any damage to the structure. “I’ve seen employees take advantage of these weaknesses” for things like going back to get keys they left in the office, he says.

The best fix is to fill those gaps with sheet rock, he says. Some organizations opt to lay metal fencing or chicken wire there as well, but Jones acknowledges that a determined intruder could merely cut the wire and gain entry into the data center.

Social engineering expert and penetration tester Steve Stasiukonis, founder and vice president of Secure Network Inc., says these gaps are “brilliant” ways to get inside the data center. If there’s sheetrock in the way, he says, it’s easy to cut a hole in it and squeeze inside. “A lot of government facilities have a ‘code of silence room’ [where] they have to make sure the sheetrock goes to the roof and there’s a barrier so no one can climb over the ceiling tiles,” says Stasiukonis, who doesn’t perform any carpentry-type breaches on behalf of his clients because it’s too destructive to the data center environment.

Another common physical weakness in the data center is the door lock: Jones says he sees many weak locks and unprotected door latches at the data center threshold. “Most data centers have cheap, regular key locks on their doors,” he says. He says his team sometimes installs small wireless cameras you can purchase from a spy shop that snoop on keyed-entry doors to learn the code when someone enters the data center. Proximity access keys are best, according to Stasiukonis, because they also authenticate the user who enters the data center and provide an audit trail of the person’s comings and goings.

Jones and Stasiukonis both swear by “tailgating” as a foolproof way to get into the building, or even the data center, via legitimate employees. The only ways to mitigate this type of unauthorized entry are to have either turnstile-based badge entry, where only one person can get in at a time and with a badge, or some sort of rotating door, he says.

“If the company loses a lot of money [due to an intrusion], they might not have a job anymore,” Jones says.

Then there’s the classic social engineering ploy of posing as a technician, salesperson, cleaning crew, or contractor as a way to gain entry into the building without raising suspicion or being questioned. “It shouldn’t cost any extra money for the contractor to fix it.

http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=224900081&cid=RSSfeed

IT People Still Hazy About Clouds, Study Says

Posted on May 12, 2010 / December 30, 2021 by admini

“Cloud computing applications hold a great deal of promise for organizations, but regarding their adoption as a fait accompli and expecting IT to accommodate their use is an approach fraught with risk,” Ponemon says.

While some organizations might be pushing ahead with cloud implementations, however, some are drawing the line at their most sensitive data, Ponemon reports.

http://www.darkreading.com/securityservices/security/management/showArticle.jhtml?articleID=224701726

New Services Could Signal Shift In SaaS Security Offerings

Posted on May 12, 2010 / December 30, 2021 by admini

Broad cloud security services had to wait on the maturation of security technologies and for demand in the marketplace to grow, observers say. Meanwhile, more focused security services are springing up to help small and midsize businesses cope with complexity.

“Security has gotten much more complicated,” says John Pescatore, vice president of business intelligence firm Gartner. Another sign of maturity: In the past, the fuzzy status of managed and cloud security services’ compliance with various regulations kept some companies away. “A lot of people are attracted to these security-as-a-service offerings because, as part of it, they get the reporting needed by regulations,” he observes.

Starting in June, the company will offer antivirus, anti-spam, anti-malware, and URL filtering services for no charge to existing Secure Gateway customers.

Where Verizon aims to sell services to enterprises, the goal of Symantec’s HEP is to ease management of the company’s endpoint security products for small and midsize businesses.

Large enterprises are not as interested in SaaS offerings because they lose some control and flexibility, says George Tomic, distinguished engineer for Symantec Hosted Services.

http://www.darkreading.com/securityservices/security/perimeter/showArticle.jhtml?articleID=224701664

EMC Announces Cloud Storage Networking Strategy

Posted on May 10, 2010 / December 30, 2021 by admini

At the EMC World 2010 show here May 10, EMC officials announced a converged networking strategy aimed at data centers. The strategy includes expanded networking services, analysis tools for assessing converged networking efforts, and extended reseller agreements with Brocade and Cisco Systems.

In a question-and-answer session with reporters and analysts after his keynote address at the show, EMC CEO Joe Tucci said that as enterprises grow the use of data center virtualization technologies and start their migration to private cloud computing environments, demand for converged networks will increase. In a federated environment, Tucci said, multiple data centers will be viewed as a single pool of resources, and IT administrators will be looking to move workloads and stored data around that pool.

Those services include network assessment, planning and implementation, with support for a number of protocols, including FCoE (Fibre Channel over Ethernet), CEE (Converged Enhanced Ethernet), iSCSI and NAS (network-attached storage).

In the third quarter, EMC also will start selling 10 Gigabit Ethernet switches from Brocade and Cisco, among other networking vendors.

In a report issued May 10, Charles King, an analyst with Pund-IT Research, said EMC’s SAN (storage-area network) experience and its partnerships with the likes of Cisco and Brocade put it in a good position to help enterprises in their push for more converged networking environments.

http://www.eweek.com/c/a/Enterprise-Networking/EMC-Networking-Strategy-Includes-Cisco-Brocade-Partnerships-147031/

Accuvant Unveils New Data-Centric Security Framework

Posted on May 6, 2010 / December 30, 2021 by admini

The framework consists of five steps that begin with data ownership and classification and end with a clear and effective data protection program that enables incidents and breaches to be properly handled.

“The first step of Accuvant’s Data-Centric Security Framework is to understand and inventory our clients’ sensitive data handling and critical system ownership.

From this, we can determine the effectiveness of the current security program and system controls, and recommend the services and technologies that should be implemented to close the gap to get them where they need to be,” said Doug Landoll, director for Accuvant’s Risk and Compliance Management team.

“Defining what sensitive information exists, where it resides and how it must be protected is the underlying principle of Accuvant’s Data-Centric Security Framework, and ensures that our clients can make the most efficient use of their security dollars.”

Accuvant’s Data-Centric Security Framework is a departure from traditional DLP projects in that most are centered on the technology and assume that the organization has already defined its data, developed policies and put critical controls in place. Accuvant’s Data-Centric Security Framework turns this concept on its head and instead focuses on the sensitive data first, with a review of the existing controls and pragmatic use of available DLP tools and technology thereafter.

Step 2 – Locate: This step is for organizations that want to discover the location of all in-scope sensitive data assets, such as credit card data.

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=224900104

Cloud computing risks outweigh benefits, survey finds

Posted on April 8, 2010 / December 30, 2021 by admini

Business leaders at enterprises have been moving their organizations to cloud computing to cut costs by outsourcing the management of IT infrastructure.

The down economy has driven many firms to consider cloud-based services, including utility-type computing offered by Amazon’s EC2 utility service and Microsoft’s Azure cloud computing platform.

The risks identified included the ability of hackers to infiltrate cloud computing platforms and use the cloud infrastructure to attack other machines, as well as insecure application programming interfaces (APIs) that can leave holes that lead to data leakage. Robert Stroud, vice president of ISACA, said the survey results shouldn’t be surprising given that IT professionals, especially members of ISACA, take a cautious approach to new technologies and carefully measure cloud computing risks. “A good training regime and process automation can go a long way towards making risk a consideration, but also making it be accepted,” said Stroud, vice president of IT service management strategy at New York-based CA Inc.

Only 10% of respondents’ organizations plan to use cloud computing for mission-critical IT services and one in four (26%) do not plan to use it for any IT services.

“For mission critical data we’re just starting on that journey,” Stroud said.

Regulations, standards obstruct cloud adoption

Compliance is a major hindrance causing enterprises to take a slow approach to many cloud-based projects, said Jim Reavis, co-founder and executive director of the Cloud Security Alliance. About half of those surveyed said IT risk and compliance related projects will receive roughly the same investment in 2010 as in 2009. For example, the group has worked with the PCI Security Standards Council to develop a framework, a cloud controls matrix, to determine a reasonable set of controls that a cloud-based provider must implement versus the controls that must be implemented by the enterprise.

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1508319,00.html?track=sy160&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29
