informa
/
Risk
News

Server-Jacking

Don't forget to secure your server hardware in case of physical theft

3:26 PM -- It's 1 a.m. and I'm backing up one of my client's servers, which got me thinking about the security of backups. Even though I'm using Secure Shell (SSH) to encrypt the data in transit, the resulting files on the backup server aren't encrypted. The backup server is hardened against attack, with minimal services running and very tight firewall rules protecting it. But what if someone broke in and stole the server hardware?

While it's unlikely that my server will get stolen, it's not unheard of for thieves to target the hardware instead of trying to break in through the network to steal the data. Sometimes physical attacks are simply easier. Last month, CI Host, a Chicago-based colocation company, had its data center broken into for the fourth time in two years. The burglars made off with at least 20 data servers.

Could your organization handle a physical attack against your servers? Do you have security guards, or just an alarm system that alerts a monitoring service or law enforcement? Aside from physical protections, are you encrypting the data on the hard drives, either through full-disk, file-based, or application-based encryption? Depending on your industry, or if you must comply with PCI, there may be specific requirements on how and what encryption to use.

Ultimately, it comes down to having a complete risk assessment that evaluates the protections in place to secure your company's valuable data. Is the data your company stores valuable enough that someone would risk burglarizing your data center to gain access? Don't forget about the backups. If you're backing up off-site -- either by transporting tapes off-site or transferring data over the Internet -- make sure the tapes, the data in transit, and the resulting backup files are encrypted.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5