[AusNOG] RISK - IT Industry - Concern Over Equipment Being Installed in Data Centre Facilities

Bevan Slattery bevan at slattery.net.au
Mon Sep 26 00:06:03 EST 2016


+1

[b]

> On 25 Sep. 2016, at 11:06 pm, Skeeve Stevens <skeeve+ausnog at eintellegonetworks.com> wrote:
> 
> Hey Chris,
> 
> This is something I've done several presentations on (behind closed doors) at a few events in the past.  We don't normally talk about it too openly, so as not to give ideas to people. I've even done a couple of pentest/tiger team engagements on DCs over the years, mostly in Asia, where we've used this technique to achieve an end result.
> 
> But... I don't think we should theorise in an open forum, giving anyone ideas on how you could abuse this situation.
> 
> I'd even scrub the archives of this if possible.
> 
> 
> ...Skeeve
> 
> Skeeve Stevens - Founder & The Architect - eintellego Networks Pty Ltd
> Email: skeeve at eintellegonetworks.com ; Web: eintellegonetworks.com
> Cell +61 (0)414 753 383 ; Skype: skeeve ; LinkedIn: /in/skeeve ; Expert360: Profile ; Keybase: https://keybase.io/skeeve
> 
>> On Sun, Sep 25, 2016 at 8:48 PM, chrismacko80 <chrismacko80 at gmail.com> wrote:
>> Dear Industry Colleagues,
>> 
>> In the last week, reflecting on previous data centre tours I have
>> undertaken across the country and the risks that face us all within
>> the IT industry, a concern came to mind about the physical security
>> layer of data centre facilities. It is my understanding that
>> currently in Australia (and in other countries, as per discussions
>> with colleagues), colocated computer equipment provided by customers
>> is neither inspected nor scanned for any potentially damaging substances
>> before being installed within data centres by the organisations providing
>> these services. At times, single servers may be extremely bulky, and
>> there may also be occasions when customers provide multiple fully
>> equipped racks that are positioned within the data centre without any
>> closer inspection apart from basic identification checks, as per my
>> understanding of information provided by some of our largest data
>> centres. Considering this, I feel it's a risk that we don't scan
>> equipment as it is being delivered/installed, similar to airports, in
>> particular when it has been delivered locally.
>> 
>> It's my understanding that as an industry we spend billions each year
>> securing our data security layer within data centres; however, it
>> appears that even the strictest data centre audits (including those by
>> government risk assessors) have not scrutinised this risk to
>> any degree. I'm not aware whether the Attorney-General's Department or
>> our federal or state governments perform any such checks when equipment
>> is being installed into their own data centre facilities. I also don't
>> believe I have ever seen any such risk considered under any data centre
>> rating specification. As a point, what good is bullet-proof glass
>> within the foyer of a data centre and a specific outline of the
>> construction of a goods lift, when there is a greater threat of
>> potentially damaging substances being wheeled into a data centre
>> within equipment without scrutiny?
>> 
>> I would also ask whether our financial market is exposed
>> in any way to this risk, and whether the Australian Stock Exchange
>> sufficiently scans computer equipment delivered for installation into
>> its data centre facilities, in particular by third-party customers. I
>> don't know the answer. I hope they do; if not, the question really
>> needs to be asked: why not?
>> 
>> Quoting from the ASX document
>> (http://www.asx.com.au/documents/professionals/alc-connectivity-guide.pdf),
>> which is currently available on their website:
>> 
>> "The Australian Liquidity Centre (ALC) is a state-of-the-art data
>> centre and financial markets community located just outside Sydney’s
>> CBD. It enables ASX customers to connect with each other and the
>> Australian and global financial markets like never before.
>> 
>> Offering one central location for fast, simple connection to the
>> financial markets community, the ALC provides low latency connectivity
>> options to domestic and global liquidity sources, ASX market data and
>> all ASX markets.
>> 
>> The ALC is designed to maximise the potential of its community. It
>> houses all of ASX’s primary trading, clearing and settlement systems
>> as well as providing hosting facilities for its customers which
>> include buy and sell-side firms, market infrastructure and liquidity
>> venues, information and technology vendors, and infrastructure and
>> network service providers."
>> 
>> I've reached out to several colleagues within the industry, who also
>> agree that the lack of scanning for potentially damaging substances is a
>> serious concern. I'd ask that you consider this risk
>> in regard to safeguarding our technology and the investments made by all
>> involved, and what you believe should be done to address this risk
>> moving forward.
>> 
>> Kind regards,
>> 
>> Chris Macko
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog