Patrick Quirk is the Vice President and General Manager of Converged Systems at Emerson Network Power.
For more than two weeks at the height of the 2013 holiday shopping season, hackers stole the personal information of some 70 million shoppers from a major U.S. retailer. Forty million credit and debit card numbers were compromised in a massive IT security breach that cost the company and consumer banks and credit unions hundreds of millions of dollars and nearly 500 individuals—including the retail giant’s president and CEO—their jobs.
Precise estimates of the financial impact are impossible to make. We know the company’s profits dipped precipitously in the fourth quarter of 2013 compared to the year before, but how much of that was driven by consumer reaction to the mid-December crisis is uncertain. When you factor in lingering lack of trust and the real costs associated with covering fraud charges and pending litigation, the final price tag almost certainly tops $1 billion—and it’s not hard to imagine it at twice that.
And that’s just one example. Major breaches at other retailers, banks and businesses make it clear that data security remains a serious problem.
The Unexpected Loophole
In the original example, the hackers gained access through an HVAC vendor. That revelation was chilling for CIOs who already spend sleepless nights worrying about organizational data security and “traditional” cyber attacks. Intrusion through the HVAC system brought to mind Mission Impossible-style assaults with black-clad criminals slithering through air ducts. The reality was far less cinematic—and far more dangerous.
It all started with a malware-laced phishing email sent to employees at that HVAC vendor. The vendor held login credentials for the retailer’s network in order to remotely monitor energy consumption and temperatures at the various stores where its HVAC systems were deployed. The phishing attack turned up those credentials, and the hackers used them to access the retailer’s corporate network and, specifically, the company’s payment systems.
Secure From Top to Bottom, and Then Some
It’s a reminder that security starts with access control—both physical and virtual—and includes access granted to those inside and outside your organization. Think about secure facilities with gates at the parking entrance, bollards closer to the buildings, key card access at entry doors, security officers in the lobby, and so on. Effective security is layered, and IT security is no different.
A truly secure system requires vigilance. Best practices dictate layers of IT security commonly referred to as “defense in depth,” with protocols in place managing network access. Organizations must manage and rotate credentials and establish auditing systems so they can know who should be accessing the network and when. Any activity outside of the norm should trigger an alert.
Even business system security audits, required by law for financial institutions, don’t protect companies from all the potential risks. If critical infrastructure systems are not properly configured—and if infrastructure providers are not vigilant in their own security practices—they can provide an unexpected open door. In many cases, these systems are flying below the radar of the CIOs and CISOs of the world. But even if their own security protocols are current and robust, are they sure the same can be said about the vendors with access to their network?
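One way to put the auditing and alerting the two paragraphs above call for into practice, as an added example that is not part of the original article: every account, including a vendor’s, gets a baseline of the network segments it is allowed to reach and the hours in which it is expected to be active, and any event outside that baseline raises an alert. The log format, account names, segment names and policy values are all assumptions constructed for this example.

```python
from datetime import datetime

# Constructed sample access-log lines (not from the article): an HVAC vendor
# account used for remote energy monitoring, a store administrator, and the
# same vendor credentials later reused from outside against the payment segment.
LOG_LINES = """\
2013-11-27T09:12:44 user=hvac-vendor src=10.50.1.20 dst_segment=facilities-mgmt action=login
2013-11-27T10:03:10 user=store-admin src=10.10.2.15 dst_segment=corporate action=login
2013-11-27T23:41:05 user=hvac-vendor src=198.51.100.7 dst_segment=facilities-mgmt action=login
2013-11-28T02:17:33 user=hvac-vendor src=198.51.100.7 dst_segment=payments action=login
2013-11-28T02:18:01 user=hvac-vendor src=198.51.100.7 dst_segment=payments action=file_read
""".splitlines()

# Per-account baseline (assumed for the example): the network segments the
# account is allowed to reach and the local hours in which its activity is expected.
ACCESS_POLICY = {
    "hvac-vendor": {"segments": {"facilities-mgmt"}, "hours": range(7, 19)},
    "store-admin": {"segments": {"corporate", "facilities-mgmt"}, "hours": range(6, 22)},
}


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; ts becomes a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_anomalies(lines, policy=ACCESS_POLICY):
    """Return (timestamp, user, reason) for every event outside the user's baseline."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        rules = policy.get(ev["user"])
        if rules is None:
            alerts.append((ev["ts"], ev["user"], "account has no baseline"))
            continue
        if ev["dst_segment"] not in rules["segments"]:
            alerts.append((ev["ts"], ev["user"], f"segment {ev['dst_segment']} not permitted"))
        if ev["ts"].hour not in rules["hours"]:
            alerts.append((ev["ts"], ev["user"], "activity outside expected hours"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in find_anomalies(LOG_LINES):
        print(f"ALERT {ts.isoformat()} {user}: {reason}")
```

The two daytime logins from the expected segments produce nothing, while the late-night login and both touches of the payment segment by the vendor account are flagged, which is exactly the kind of out-of-norm activity the article says should trigger an alert.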
It Can Happen to You, Buckle Down on Security
Despite the rash of breaches, there remains an industry-wide naïveté when it comes to these types of security concerns. Companies with remote access to physical infrastructure systems often fail to realize those systems can be used as gateways to business-sensitive corporate networks. As a result, their security protocols can be lax.
Of course, it’s easier said than done. Virtually everything in the data center—not just servers, but critical infrastructure systems including power, cooling and monitoring—has Web interfaces and therefore IP addresses. Administrators and operators often network them so they can be accessed remotely, but too often security is overlooked altogether in this process. That leaves hundreds of thousands of embedded and low-level management systems vulnerable to exploitation by anyone in the world with the right skills and motivation. And there are plenty with just the right combination of both to be dangerous.
Case in point: Undetected for several weeks, hackers penetrated 90 servers in one banking giant’s computer network. They accessed personal customer data along with a list of every application and program the bank used to protect its servers, creating a nightmare scenario where hackers could exploit potential security flaws in those programs to execute similar attacks in the future.
Stay Away From Risky Business, Separate Network Segments
There has been a belief in the past that you only need a logical or virtual separation between networks in order to keep them fully secure, but that’s risky at best and unrealistic at worst. If you’re granting access to the same physical networks, all it takes is one unseen open door and the entire network is vulnerable. The best security is when you have physically separated and truly independent network segments, and we recommend keeping management infrastructure on a separate physical network.
Responsible technology partners should not only understand these threats themselves, they should be aware of current best practices in data security and work with their customers to activate the appropriate levels of access control, auditing and alerting when installing any new systems. It’s a complex problem, but the right partners can help cut through that complexity and ensure your network—and your business—do not become the next victims.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.