in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Center In Chicago Is Broken Into (Twice!): Why Hard Disk Encryption Should Be Considered Even When You’ve Got Cages and Security Guards

An article in theregister.co.uk mentions how a Chicago-based data hosting center, C I Host, was broken into twice.  The more recent case was about a month ago, on October 2nd, when armed robbers (!) broke into the facility by “cutting into the reinforced walls with a power saw.”  The night manager present was tasered and struck with a blunt instrument.  Then, the robbers made off with equipment belonging to C I Host and their customers, including servers.

 

In the ensuing days, C I Host turned the robbery into a major PR fiasco, taking several days to admit that there was a breach at the location.  In the meantime, they told affected customers that servers were down, routers were not working, etc.—anything but the truth.  What was management thinking?  Were they planning on surreptitiously replacing the customers’ machines?  What about the data on those machines?  Copy them over from back ups?  What about the serial numbers on the machines themselves?  Leasing companies follow up on those periodically to ensure there is no fraud, last time I checked.  And it’s not as if they didn’t expect (irate) customers to call in.  I mean, when your company’s a rack of servers, load balancers, and other stuff…well, it just doesn’t take much time to notice that something is very wrong.

 

Disaffected customers say that their (and their company’s) reputations have taken quite a hit.  I can imagine that would be the case, although, I would hope that their customers are more indulgent with criticisms.  After all, it’s not C I Host’s customers’ fault.

 

Commentators have been having a field day.  Someone even managed to find the police reports regarding old break-ins at the same facility and posted copies of them on the internet.  Others visited the hosting center’s website and commented on the various images used for advertising, meant to inspire confidence in the security and uptime of the facility. (Apparently, the images didn’t inspire a lot of confidence; most of the comments are quite negative.  Plus, I get a lot of 404 error messages when I follow the image links, so it looks like someone got busy pulling pages, which is only logical and expected.)

 

Others who have used the facility and actually visited the facility have attempted to provide some balanced observations to the situation, pointing out that the location was in a nice, quiet neighborhood.  Several restaurants exist in the area, and are open until very late into the night, so a loud, forced entry is not attractive to criminals.  Also, they point out that datacenters are loud by nature (from my observations, Bose and other noise-cancelling headset makers seem to be making a killing), so it’s not unconceivable that someone would be able to operate a electric saw without anyone noticing, once they're inside the building.

 

Of course, comparisons to the physical security of other data centers, private or otherwise, were brought up by commentators.  Some used to work for banks on Wall Street, or at least saw their setup, and mentioned how everything was underground, behind bulletproof glass, with armed guards.  Well, sure.  I mean, banks can afford it.  However, if your average datacenter were to go to those lengths, they probably wouldn’t be charging $99 per month for co-location services. 

 

The armed security guards? Money.  Automatic weapons on security guards?  More money.  Insurance in case something goes wrong?  Moolah.  Going underground?  Mucho dinero (much, much more than reaching into the heavens.  It’s always easier and cheaper to build up than to build down). Underground implies hitting the water table at some point, so money for waterpumps that are on 24/7, which is extra electricity that’s not required for above-surface datacenters.  More stuff to breakdown means more maintenance, means more money.  For the level of “professionalism” that some of the commentators are asking for, a small web-based venture would have to be well‑established and in the black before it could even begin to think about a datacenter.  Bye-bye, safety-minded entrepreneurship.  I hope your garage can be hooked up to a T1.

 

However, the point regarding physical security shouldn’t be lost.  In this day and age of digital crimes, I think a lot of people are forgetting about the more ordinary aspects of security.  Stealing an IBM mainframe in the 70’s wouldn’t have been easy.  Fast forward 30 years, and machines are so much smaller that physically lifting them is an everyday occurrence, as the various laptop and computer thefts over the past year have shown.  And apparently, from the above story, your run-of-the-mill barriers such as walls and cages are not protection enough if a criminal really wants to steal something, which is not a surprise.  And if you want extraordinary physical protection, it will cost one an arm and a leg (and then some) to prevent something that, chances are, won’t happen.  I mean, who thinks of breaking into a datacenter?  Cameras all over the place; security guards (regardless of whether they’re effective guards or not); walls and steel wire cages; locked cabinets…it’s just a lot of effort.  It’d be easier to just throw a brick through a Best Buy window and swipe a bunch of machines.

 

Of course, the physical security is ultimately to protect the data, and not only the physical assets, since the data is truly the business.  The servers that got stolen from C I Host…did they perchance hold credit card numbers for recurring monthly bills?  Is there information that can be used for phising and other internet-based scams?  Now that criminals have taken the whole kit and caboodle, what measures will protect the data?

 

An easy solution to protect the data in such situations is encryption, offered by services such as AlertBoot, that protect the machines at the pre-boot layer.  Since the stolen servers were cut off their power supply, they’ll have to boot up at some point, and without the correct username and password, it will be impossible to get to the data.  Indeed, the owner of the machines could ensure that no one ever gets to the data after the theft by denying access to the machine by any user—this way, even if the perpetrators were to try and guess the correct username and password, they wouldn’t be able to access the machine.

 
<Previous Next>

EMS Laptop Missing: Approximately 30,000 Potentially Affected By Lack of True Endpoint Security

Corporate Espionage And Data Security

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.