Under the prevailing threat of ransomware, physical security is being forgotten

All too often, organisations become so focused on securing their networks against hacking that they fail to consider the wider implications of what could happen should an unauthorised person gain physical access to their data.

This issue was thrust into the spotlight in November when it was discovered that the backup copy of the Oxford and Cambridge Club's membership database had been stolen from a locked room in their London headquarters. This password-protected database included the names, addresses, phone numbers and bank details of some 5,000 members.

"Organisations which handle personal data have a duty under the law to ensure that they take appropriate technical and organisational measures to keep it secure," said a spokesperson for the UK's data watchdog, the Information Commissioner's Office, which is currently investigating the incident.

Server rooms as an afterthought

With the European Union's General Data Protection Regulation (GDPR) coming into force in a matter of weeks, organisations will soon be held far more accountable for any negligence in protecting their customer's data, along with stiffer penalties.

Previously, smaller to medium-sized companies, which have not had the budget or floor-space to allow for a dedicated server room, have often been lax in the site security element of their data protection strategy. It's not uncommon for a server to be kept in a storeroom, and even for that door to be left unlocked and wedged open on hot days in order to keep the server cool.

I even came across one company that kept their server in the boiler room their argument being that it was the only windowless and lockable room in the building, which is a fair point. However, it was also hot and humid in there. The server managed to cope until the boiler developed a leak and flooded the room.

A server room should be treated as the nerve centre of the entire company. If anything disrupts a server, the entire organisation could be shut down for hours, or even days, leading to significant financial cost and disruption to services.

The server itself can be a target, not just the data

When planning network security, it is vital to ensure that it is protected from both external attacks, such as by hacking, as well as internal interference. As most network security is outward facing, if someone has access to the server, they will automatically have bypassed most of the organisation's defences.

"Servers store data, which is the primary asset that hackers are after. Even if the server itself does not have data on it, it may be used for recon or to connect to other systems that have data," explains Merritt Maxim, principal analyst at Forrester. "Protecting the rooms that servers reside in is vitally important."

Ideally, organisations should store their server in a dedicated server room, which is properly air-conditioned to maintain the ideal operating environment for the hardware.

Access to server rooms can be limited by the simple expedience of locking the door. However, in order to fully maintain access control and accountability, organisations might also consider using swipe cards, key-pad locks or even biometric locks, to record the comings and goings of each member of staff into that room.

Keypad locks are easy to use, but they'll need to be changed each time an employee who has access to the server room leaves the organisation. Also, staff could share the combination with other employees (although this can be mitigated by security awareness training) and it doesn't track the comings and goings of each employee.

Dedicated cards provide greater accountability of who accesses the server room than keypad locks, however, there's a tendency for employees to forget to hand these back in when moving to a new company, potentially creating a blind spot in an organisation's security. A potential workaround to this is to allow swipe access only from certain employee's Photo ID cards, which can be disabled once they exit the company.

A biometric alternative

Biometrics such as palm-prints or voice print can be dedicated to each employee needing access and thus can't be shared, as well as allowing access to the room to be properly logged. However, organisations will need to ensure that departing staff are removed from the access list.

"Barring the obvious magnetic strip key card locks, companies should certainly consider biometric access, whether it is finger, facial, hand or other types of biometrics, to enable access to the facility", explains Maxim.

"The addition of video cameras, at or near the door, can connect the access with some footage, which could be helpful if a card is being shared amongst the team you can identify not only whose card is being shared but also the individual who entered the room at that time.

"As these cameras improve and have facial recognition systems, they may even be able to detect automatically in the video feed who is about to go in."

Walk-by attacks

If an organisation doesn't have the space or budget for a dedicated server room, or has outgrown their server room, then a hardware audit is needed to identify the most sensitive infrastructure.

"In a large organisation there are often inventory issues, where they may not know where all the server boxes are," says Maxim. "Some boxes could be at an engineer's desk, and not in a designated facility, because they are set up for a certain application that is running there."

In these cases, organisations should consider investing in server racks with lockable doors at the front and back. While this won't prevent a determined criminal from accessing the server, it will prevent any so-called "walk-by" attacks, as well as unauthorised tampering that may occur for a variety of reasons.

Organisations should also lock down the USB ports of the server, either by switching them off entirely or by dedicating them to only work with specific USB sticks, thus preventing people from loading malicious software onto the server.

Care should also be taken when storing the backup drives of the company data. All too often, backup data is stored on a hard drive that is left in a personal bag or drawer. All backups should be securely stored on an encrypted hard drive in a fire-proof safe, and preferably off-site.

With criminals becoming increasingly aware of the value of a data, as well as the greater accountability organisations will face with the introduction of GDPR, it is now more important than ever to ensure the physical security of servers and backup drives.

Image: Shutterstock