A man in disguise. Armed to the teeth with fake documents, plans to the building, and tablets to help him foam at the mouth and fake a fit in a tight squeeze. This hit has been in the works for weeks. Having called ahead under false pretenses to ensure he’s expected, he walks up the driveway, mentally preparing to break into a high-security data center brimming with critical data and applications… hey is the fire escape door propped open?

Issue 45: Leaving Ukraine

Migrating servers from a war zone

01 Sep 2022

We need to talk about physical security

While cyber takes the headlines, the physical security of data centers can’t be overlooked. While it may seem simple, the access controls that protect your facilities – and the people that roam the facilities – can easily be compromised if a company is lackadaisical in its approach. So, is the physical security of data centers as good as companies make out? “No,” Andrew Barratt, principal consultant, adversary ops, at security firm Coalfire, says simply. “I could probably count on one hand how many are well thought-out. It gets forgotten because it's a presumed commodity. “Everyone thinks all that stuff just works. And then they don't think about the real-world threats to those physical controls.”

Physical security needs thought

Barratt notes that to do physical security well, companies have to really think designs out well and model threats properly. Otherwise, security controls can often become ‘theater;’ looking like they are doing the job, when they are actually easily circumvented either by attackers or the staff meant to be enforcing them.

“Some of the newer data centers, they'll have things that will look cool from a security perspective, but then you'll see people smoking outside the fire escape and you could have just walked in with a packet of cigarettes.” He notes that the poorest levels of security – where simple confidence tricks of wearing high-vis jackets are most likely to work – are in corporate data center facilities which serve one company and its subsidiaries.

“It's much more common that you've got peripheral defense, a bunch of very rudimentary access controls, or you'll see gates that you could sneeze and fall over to get into a building. I've even seen some environments where the security guards themselves would let you in if you just looked like you were struggling with the key card.

“In my experience, the ones that have been really well crafted have normally been designed by folks who are ex-military,” he explains. “They’ve been thought out purely from a military perspective for use as critical national infrastructure environments. Generally, the best people who do this professionally are those with the intentions of getting either government, military, or critical infrastructure hosted with them.”

An example of good design might be in the parking. There should be an area to pre-scrutinize and hold visiting cars before they reach the final car park so they can be rejected without creating gridlock. Another would be gates – it should be impossible for someone to tailgate the person ahead of them. However, this is expensive, and corners are often cut for commercial reasons.

Barratt suggests that instead of ‘crappy solutions’ that may be vulnerable or create a false sense of security in a facility’s personnel, companies should sometimes simply accept the risks.

“It's sometimes better to just not do it and know there’s a risk that people have got to be more vigilant towards personally,” he says.

Rishab Verma, of the penetration testing team at Defense.com/Bulletproof, notes that fire exit doors are often neglected and make an excellent point of both entry and exit. “Sometimes people use it, maybe going to lunch and wanting to get out quick, and it's just left open,” he says. “There is no good security, or access control in place for fire exit doors; I can just simply use the fire exit to get out of the building.”

He notes that a lack of logging can make it harder for companies to track personnel. People should be automagically logged for both entry and exit time, and failure to do so – if, for example, a door was held for them at the exit – should be flagged.

The human factor should be a focus

One of the primary routes for a penetration tester to gain access to a data center is through the people; tricking reception and security staff into letting you in directly, or creating scenarios where they can be fooled or distracted long enough to allow an attacker inside.

“I've lost track of the amount of times I've put on a striped suit and walked into a building because people just think you look important,” says Barratt. “The old school confidence tricks are very successful and hard to defend against.”

09 Nov 2021

Michael Montoya: Equinix's CSO a year on from its 2020 ransomware incident

Equinix CSO Michael Montoya talks to DCD about the company's September 2020 ransomware attack, and how it responded and recovered

Security guards, despite themselves, can often be a weak point in defenses. Often low-paid and outsourced roles, these staff can be over-eager to help for fear of losing their job.

“What really is required is a degree of hostility, in a social environment where people have got a very customer service mindset. The big changing point when it comes to physical security is making them feel like they're actually part of the business and have a valued role,” says Barratt. “You need the CEO to say ‘you can stop me and I'm not going to fire you.’ The CEO even probably needs to make an example of themself occasionally. It requires leadership and good management and actually really good soft skills and team management, so that they don't feel like they can just be bowled over by somebody playing the ‘I'm more important than you’ card.”

Physical security teams operate most effectively when they feel like they're a cohesive part of the overall business and feel empowered. If security guards that are hired help on low pay, and worried about being let go, they aren’t as likely to stay sharp or feel brave enough to challenge people that might be senior to them.

Barratt notes that a CISO he worked with had a portfolio of buildings including data centers, and was concerned about the security guards at his premises.

“On a number of the security tests, the security guards were actually the biggest weakness because they were socially conditioned to be helpful to people; anything that they could do to feel like they were valuable to the business they would try and do.”

What this CISO did was halve his physical security team and triple their pay. They were then split into two teams and made to operate in military-style tactics permanently against one another. They ran a leaderboard and would offer rewards to successful teams.

“It was a really fascinating play because the people were mostly the same but they permanently had a team that was on high alert because they knew their counterparts were always trying to simulate a break in. That level of alert rapidly changed their security team almost overnight to the point they wouldn't trust anybody."

Access controls aren’t impenetrable

Physical access controls such as key cards, biometrics, CCTV, and mantraps can make a facility much harder to break into.

However, many keycard-based systems can be easily circumvented. There are devices that can scan cards in the immediate vicinity, clone them. Some older cards could have their encryption broken to allow attackers to make entirely new profiles for them. Employee mistakes can also make it easier to compromise fixed access controls. Staff should know to keep items such as key cards hidden and secured.

“Depending on the notoriety of the target, users often post pictures online of their key cards on social media,” says Nicky Whiting, director of consultancy at Defense.com. “From there on, it's very simple to create your own key card with a similar layout and print that out on some plastic.”

Eric Florence, cybersecurity consultant at SecurityTech, tells DCD that a small facility he previously worked at conducted regular penetration tests, with one incident involving an attack pickpocketing a security card from an employee.

Keatron Evans, principal security researcher at Infosec Institute, says constantly reminding staff – whether security or more technical roles – of potential security threats is the best way to ensure procedures are followed properly.

“The regularity at which you're reminding them of these things is important,” he says. “When you do a good security awareness campaign, for a month after, the success rate of people blocking attacks and things goes up tremendously. But you go out five to six months later, and it's almost back to where you were in the beginning.”

Evans also points out the importance of screening those given access in the first place to prevent keycards and important information from falling into the wrong hands.

“Companies should do a better job of scrutinizing and background checking because there are cases of people slipping into places through that mechanism. Not just the technical employees, but people like janitors, cleaning crews; anyone that has physical access to the facility.” Sometimes companies make even more basic mistakes that render existing controls moot. Gillian Vanhauwaert, of the penetration testing team at Defense.com/ Bulletproof, notes that one facility had a sign noting gatherings every Wednesday at a certain time. During that gathering, a paper box was put in the door to allow people to walk in and out. “It was advertizing how to get in, so I just had to wait till that time and I just walked in,” she says.

Tricks of the trade: how to break into a data center

Confidence tricks

First and foremost, penetration testers will seek to simply be let in by staff at the facility. Tailgating – the act of closely following someone through a door or gate – is a common technique, as is wearing a hi-visibility jacket and pretending to be a construction worker.

Phil Robinson, principal security consultant and founder of Prism Infosec, tells DCD he was once conducting a physical assessment of an organization that had two sites – the main office building and a data center. The data center seemed reasonably secure, so he gained access to the office via fakes pass and tailgating. After finding an empty office, he found a workstation with the name of a senior member of staff on the login screen.

“I used the desk phone in the office to dial reception and asked for the extension for the data center. They gave me the number and I called the data center, which clearly originated from an internal DDI and I mimicked the local regional accent, announced myself as the person who used the office and said that there was an urgent IT issue and that I’d need access to the IT rack to be able to fix the issue. “

The guard on reception gave me an access number that I could use and said he’d expect me within the hour. I walked to the data center and was signed in within 5 minutes, with no check of my ID. I was escorted to the rack and managed to plug in my pen testing laptop and started exploits against the environment directly from the local data center network!”

Another example goes back to vetting practices, and ensuring visitors on-site - even if expected - shouldn't be left alone for too long, if at all.

“We saw that there was a job being advertised, and we had someone with us that had a profile that fitted that job and had the right credentials,” says Defense.com’s Vanhauwaert. “We made them submit an application and they got in for an interview. We then debriefed that person saying ‘when they ask if you want coffee, you say you want a special kind of coffee that will probably take a while to make, and while they leave you alone you try and look for any kind of port and you just plug this [device] into.’”

“You can act like a new joining employee, go in with a letter that says you're a new employee, that your card’s not been delivered yet and you just need to go in,” adds Defense.com’s Verma. “You then challenge the receptionist that you have a meeting at 10 o'clock at like you're really scared that it's your first day and you need to go in.”

Another example of a confidence trick from Verma is the time he impersonated a council health and safety inspector.

“I sent an email acting like I was from the council, saying ‘we need to do health and safety checks, look at your fire exit doors, etc. Please let me know your availability when I can come in and have a look at the building'. We received a reply back and they said ‘you're more than happy to,’ gave us their availability, we then gave them a call to discuss what to do.”

In this example, Verma was given a tour of the council building, but the staff member was reluctant to provide a tour of the data center. A recent case study from NetSPI, a Minneapolis-based penetration testing firm, detailed how the company was tasked with breaking into a facility owned by a colocation firm with one security guard and two employees.

"We started looking at the vendor list and noticed that they use a very well-known national pest control brand," said Dalin McClellan, senior security consultant at NetSPI. "One of the consultants we work with just had that same company in to work on their home and they had all the confirmation emails. We took those emails and modified them and then we sent a spoofed email that looked like it came from one of the employees at the data center and sent it to the other employee at the data center."

The other employee didn’t notice the email was a fake and gave the OK for the visit. A van was rented and filled with ladders and other hardware. The security guard, expecting a visit, allowed the attackers in, before the colo employee brought the attackers through the building. “We tried [to access customer cages], but the employee said no - but he did let us get into the ceiling tiles to check for pests, where it would have been easy to install microphones, video cameras, or splice a device into the cables."

Breaking in with props and uniforms

If charm and confidence don’t work, get creative. Penetration testers are happy to use props to create diversions or scenarios where they will be let in. “A colleague’s favorite prop to break into buildings was a fake pregnancy belly,” says Defense.com’s Vanhauwaert.

“She'd be very ‘pregnant’ in the latter stages, waddling and struggling with a door and holding a bunch of boxes, and people just open any door for you at that stage.”

Coalfire principal consultant Justin Wynn notes that crutches work similarly well to a fake pregnancy belly: “Props like these are the equivalent of skeleton keys. These props are force multipliers when going solo, but having a team who can run distractions opens a world of opportunities.”

CyberOpz CEO and founder Peter Clay agrees that your best weapon to gain physical access is a pack of cigarettes: “Find out where the smokers go and hang out there as long as possible. "After sharing a cigarette you aren't a faceless stranger but a new friend that shares the forbidden habit, and your new friends are much more likely to open doors for you, let you tailgate into the environment, and share useful information than they would with a ‘stranger.’”

“The second option is ‘Alka Seltzer man.’ One person walks towards the guards and pops two Alka Seltzers in their mouth simulating a seizure. When the guards react to the seizure, a second or third confederate makes their entry. Once they are inside, the ‘seizure’ victim recovers and says that they don't need medical attention and exits the premises.”

Infosec Institute’s Evans says that on a recent test on a bank and data center, the team noticed there seemed to be remodeling work going on – including within the data center – with construction workers coming and going regularly.

“We took some pictures and we went and got some green vests, printed out that logo, and put it on a blank white hard hat and we were able to literally walk into that bank, walk into their data center. We were able to just walk right in there, get in and plug in stuff without any challenge whatsoever just because we looked the part.”

Construction fails

If the people of a data center can’t be tricked into allowing access, sometimes flaws in building design provide a way for penetration testers to gain access.

In a recent series of tweets, penetration tester Andrew Tierney, known as CyberGibbons, revealed how he once broke into a data center via plumbing engineer corridors behind the toilets.

“I needed to gain access from the lesssecure side of a sub-basement floor to the more-secure side,” he said. “By studying the floor plans of the building, I could see what I ended up calling the 'piss corridor' running along the back of the toilets.”

Tierney noted that in buildings with concealed cisterns, rooms can be designed with either panels that fold or a small corridor along the back side for easy access by plumbers. In the pen test in question, the building had been built using the corridor method. In this instance, the toilet corridor bypassed cylinder man-trap gates, and was discovered on publicly accessible planning documents.

“After gaining access to the insecure side, I entered the toilets. Via the accessible cubicle, there was a concealed door into the piss corridor. I opened it, walked along, minding my own business,” he said. “After *really* making sure there wasn't someone else in the other accessible cubicle, I let myself out. And I'm in the toilets on the secure side, in the data center.”

Jacob Ansari, security advocate and emerging cyber trends analyst for security compliance assessor Schellman, has a similar story of construction insecurity: “Many years ago, when I was a little leaner, some colleagues and I got into a less-secure area that was under construction and where the keycard lock didn’t work correctly."

“It shared the same raised floor as the data center, so we found a floor tile puller, lifted up a tile and crawled under the raised floor into the data center space. There’s a photograph of us covered in dust from crawling beneath the raised floor, and it’s one of my favorite moments in my career.”

Attacking data centers with drones

The cheap price and increasing ease with which drones can be bought and flown present new opportunities for potential threat actors to conduct reconnaissance on properties.

“We use drone technology, and in one instance, we found a ceiling access door that was propped open with a brick on top of a data center building. We were of course able to get some people to climb the building, and just walk right into the data centre from the roof,” says Infosec Institute’s Evans.

“If you got a five-storey building, the assumption is the top of it is more protected than the ground, so people tend to not put as much security on the roof.”

Both Evans and Coalfire’s Barratt note, however, that an armed response can quickly deal with any rogue UAVs.

“One of my hobbies is clay pigeons, so I think a 12-gauge would certainly deal with most drones quite quickly; it's cheap, and it's relatively easy to train people with,” jokes Barratt. “But you probably don't want to see people walking around with shotguns just because there might be a random drone.”

How to break into a data center: Pen testers reveal their secrets

Issue 45: Leaving Ukraine

We need to talk about physical security

Physical security needs thought

The human factor should be a focus

Michael Montoya: Equinix's CSO a year on from its 2020 ransomware incident

Access controls aren’t impenetrable

More in Physical Security

At least one subsea fiber cable damaged in the Red Sea, some reports blame Houthi rebels

UK government proposes new data center security regulations

Edge data center security: The challenge of unmanned resiliency

Tags

Unlocking data center profitability: A guide to DCIM solutions

The make vs. buy decision for data center infrastructure management software – A clear choice

2023 Data Center Market Trends: Hong Kong Asia's Connectivity Hub

Emerging Energy Storage Technologies