[AusNOG] RISK - IT Industry - Concern Over Equipment Being Installed in Data Centre Facilities

Skeeve Stevens skeeve+ausnog at eintellegonetworks.com
Sun Sep 25 23:06:49 EST 2016


Hey Chris,

This is something I've done several presentations (behind closed doors) on
this topic at a few events in the past.  We don't normally talk about it
too openly, so as not to give ideas to people. I've even done a couple of
pentest/tiger teams on DCs over the years, mostly in Asia where we've used
this technique to achieve an end result.

But... I don't think we should theorise in an open forum giving anyone
ideas on how you could abuse this situation.

I'd even scrub the archives of this if possible.


...Skeeve

*Skeeve Stevens - Founder & The Architect* - eintellego Networks Pty Ltd
Email: skeeve at eintellegonetworks.com ; Web: eintellegonetworks.com

Cell +61 (0)414 753 383 ; Skype: skeeve ; LinkedIn: /in/skeeve
<http://linkedin.com/in/skeeve> ; Expert360: Profile
<https://expert360.com/profile/d54a9> ; Keybase: https://keybase.io/skeeve

On Sun, Sep 25, 2016 at 8:48 PM, chrismacko80 <chrismacko80 at gmail.com>
wrote:

> Dear Industry Colleagues,
>
> In the last week, in reflection of previous data centre tours I have
> undertaken across the country and the risks that face us all within
> the IT industry, a concern came to mind in our physical security layer
> in relation to data centre facilities. It is my understanding
> currently in Australia (and for other countries as per discussions
> with colleagues), colocated computer equipment provided by customers
> is not inspected nor scanned for any potentially damaging substances
> before being installed within data centres, by organisations providing
> these services. At times, singular servers may be extremely bulky, and
> there may also be occasions when customers provide multiple racks
> fully equipped that is positioned within the data centre without any
> closer inspection apart from basic identification checks, as per
> understanding of information provided from some of our largest data
> centres. Considering this, I feel it's a risk that we don't scan
> equipment as it is being delivered/installed, similar to airports, in
> particular when it has been delivered locally.
>
> It's my understanding as an industry we spend billions each year
> securing our data security layer within data centres, however it
> appears that even with the strictest data centre audits (including by
> government risk assessors), these have not scrutinised this risk to
> any degree. I'm not aware if the Attorney General's department nor our
> federal or state governments perform any such checks when equipment is
> being installed into their own data centre facilities. I also don't
> believe I ever saw any such risk considered under any data centre
> rating specification. As a point, what good is bullet-proof glass
> within the foyer of a data centre and specific outline of the
> construction of a goods lift, when there is a greater threat for
> potentially damaging substances to be wheeled into a data centre
> within equipment without scrutiny.
>
> I would also ask the question whether our financial market is exposed
> in any way to this risk, and whether the Australian Stock Exchange
> sufficiently scans computer equipment delivered for installation into
> its' data centre facilities in particular by third party customers. I
> don't know the answer. I hope they do, if not, the question really
> needs to be asked, why not?
>
> Quoting from ASX document
> (http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf)
> which is available on their website currently;
>
> "The Australian Liquidity Centre (ALC) is a state-of-the-art data
> centre and financial markets community located just outside Sydney’s
> CBD. It enables ASX customers to connect with each other and the
> Australian and global financial markets like never before.
>
> Offering one central location for fast, simple connection to the
> financial markets community, the ALC provides low latency connectivity
> options to domestic and global liquidity sources, ASX market data and
> all ASX markets.
>
> The ALC is designed to maximise the potential of its community. It
> houses all of ASX’s primary trading, clearing and settlement systems
> as well as providing hosting facilities for its customers which
> include buy and sell-side firms, market infrastructure and liquidity
> venues, information and technology vendors, and infrastructure and
> network service providers."
>
> I've reached out to several colleagues within the industry, who also
> agree the lack of scanning of potentially damaging substances is a
> serious concern, I'd ask that you consider your thoughts on this risk
> in regards to safeguarding our technology and investments made by all
> involved, and what you believe should be done to address this risk
> moving forward.
>
> Kind regards,
>
> Chris Macko
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160925/c302cde3/attachment.html>


More information about the AusNOG mailing list