[AusNOG] RISK - IT Industry - Concern Over Equipment Being Installed in Data Centre Facilities

chrismacko80 chrismacko80 at gmail.com
Sun Oct 9 00:43:15 EST 2016


UPDATE:

Hi guys, I realise it's late, but it's been a long night and you all know the life
of a programmer (which is my background): you're up at all hours. I thought
it important to make my friends aware of a risk I've become aware of in
my industry (technology) while running a large hosting firm and data
centre. I've reached out to security agencies and/or technology departments
in Australia, and am currently waiting to hear back. My email to CSIRO was as
follows (with a few minor definition updates, such as for those that approached
me and didn't know what ASX was; are you serious!!!!):

Hi Jake,

Thanks for your time today. Andrew Croft from Codan Defence Electronics
suggested I make contact with you guys. My background is in running data
centres, running technology company Intervolve 2007-2016 as CEO/MD.

I have several concerns/risks to discuss with you;

1. Currently Australian data centres do not scan for potentially damaging
substances. There are generally no processes to test for this kind of risk.
At times individual servers may be up to 600 kg in weight. Customers may
also provide fully equipped racks wheeled into data centres. The data
centre standards, including TIA-942 and The Uptime Institute tier ratings, do
not include this type of risk being assessed. Neither does PCI compliance,
which is required by APRA of some of its members and also of clients of
banks with high volumes of online merchant transactions. Our financial
markets may also be exposed to this risk, with the ASX (Australian Stock
Exchange) appearing to confirm they allow customers to host equipment in
the same data centre facilities as their own transactions;

I would also ask the question whether our financial market is exposed
in any way to this risk, and whether the Australian Stock Exchange
sufficiently scans computer equipment delivered for installation into
its data centre facilities, in particular by third party customers. I
don't know the answer. I hope they do; if not, the question really
needs to be asked: why not?

Quoting from the ASX document
(http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf),
which is available on their website currently:

"The Australian Liquidity Centre (ALC) is a state-of-the-art data
centre and financial markets community located just outside Sydney’s
CBD. It enables ASX customers to connect with each other and the
Australian and global financial markets like never before.

Offering one central location for fast, simple connection to the
financial markets community, the ALC provides low latency connectivity
options to domestic and global liquidity sources, ASX market data and
all ASX markets.

The ALC is designed to maximise the potential of its community. It
houses all of ASX’s primary trading, clearing and settlement systems
as well as providing hosting facilities for its customers which
include buy and sell-side firms, market infrastructure and liquidity
venues, information and technology vendors, and infrastructure and
network service providers."

I previously visited a former ASX data centre location at 530
Collins Street, now closed, and didn't see any technologies scanning
equipment for this kind of risk.

The banks have also confirmed there is a technology gap for such risks in the
provision of client safety deposit boxes/vaults.

2. Collaboration on a new, inexpensive technology to enable the state police
departments to track stolen mobile phones and return stolen electronic
property to the rightful owners. It is my personal assertion (and some
within the police department agree) that if we enabled police to confiscate
equipment stolen at this level of gateway crime (even without criminal
conviction, but with a first and final warning), we would stop future escalation
to higher methods of crime for those alleged perpetrators by 70-80%. I'm
certain I can develop the software in under 1000 hours, including algorithms
that will assist police by providing the safest apprehension points,
and the reasons why and how my software calculates this, for their consideration.

3. Scanning of Australian airwaves for extremely severe vulnerabilities and
requesting up space owners. One known risk is an issue with Fortinet
hardware devices; I'm aware of many devices within Australia that allow a
secret user administrative encrypted method to gain full administrative
access. The reality is there are no scans to pick up such severe
vulnerabilities.

4. IT risk committee. There really needs to be one made available to government
departments and educational institutes; there are really severe gaps in IT
security due to the lack of experience/exposure in the decision makers. We
need more people in this area that have run large data centres, that
understand the gaps in facilities and have a thorough understanding of all
facets of online service provision.

These are thoughts and opinions. I'd ask who would be the best person to
discuss this with at CSIRO, preferably in Adelaide?

Looking forward to your reply/suggested next steps.

Christopher Edward Macko
(Details Removed)

CSIRO have confirmed they've received my memo and that concerns have been
escalated upward. Currently awaiting contact from various government
agencies and departments over the concerns. Thought it best to share with
you. If it's not relevant to you, that's ok, Chris.

Dear Industry Colleagues,

In the last week, reflecting on previous data centre tours I have
undertaken across the country and the risks that face us all within
the IT industry, a concern came to mind in our physical security layer
in relation to data centre facilities. It is my understanding that
currently in Australia (and in other countries, as per discussions
with colleagues), colocated computer equipment provided by customers
is not inspected nor scanned for any potentially damaging substances
before being installed within data centres by the organisations providing
these services. At times, singular servers may be extremely bulky, and
there may also be occasions when customers provide multiple fully
equipped racks that are positioned within the data centre without any
closer inspection apart from basic identification checks, as per my
understanding of information provided by some of our largest data
centres. Considering this, I feel it's a risk that we don't scan
equipment as it is being delivered/installed, similar to airports, in
particular when it has been delivered locally.

It's my understanding that as an industry we spend billions each year
securing our data security layer within data centres; however, it
appears that even the strictest data centre audits (including by
government risk assessors) have not scrutinised this risk to
any degree. I'm not aware whether the Attorney-General's Department or our
federal or state governments perform any such checks when equipment is
being installed into their own data centre facilities. I also don't
believe I ever saw any such risk considered under any data centre
rating specification. As a point, what good is bullet-proof glass
within the foyer of a data centre, and a specific outline of the
construction of a goods lift, when there is a greater threat of
potentially damaging substances being wheeled into a data centre
within equipment without scrutiny?

I would also ask the question whether our financial market is exposed
in any way to this risk, and whether the Australian Stock Exchange
sufficiently scans computer equipment delivered for installation into
its data centre facilities, in particular by third party customers. I
don't know the answer. I hope they do; if not, the question really
needs to be asked: why not?

Quoting from the ASX document
(http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf),
which is available on their website currently:

"The Australian Liquidity Centre (ALC) is a state-of-the-art data
centre and financial markets community located just outside Sydney’s
CBD. It enables ASX customers to connect with each other and the
Australian and global financial markets like never before.

Offering one central location for fast, simple connection to the
financial markets community, the ALC provides low latency connectivity
options to domestic and global liquidity sources, ASX market data and
all ASX markets.

The ALC is designed to maximise the potential of its community. It
houses all of ASX’s primary trading, clearing and settlement systems
as well as providing hosting facilities for its customers which
include buy and sell-side firms, market infrastructure and liquidity
venues, information and technology vendors, and infrastructure and
network service providers."

I've reached out to several colleagues within the industry, who also
agree the lack of scanning for potentially damaging substances is a
serious concern. I'd ask that you consider your thoughts on this risk
in regard to safeguarding our technology and the investments made by all
involved, and what you believe should be done to address this risk
moving forward.

Kind regards,

Chris Macko