A Modern Twist on Malware Production

Malware has been a threat to companies and computer users since the early days of the internet. However, while earlier malware was often created by individuals and small groups for leisure and fame, today's malware makers operate at an organizational capacity similar to legitimate corporations. This industry has been dubbed Crime as a Service and, as the name implies, encompasses a whole new class of malware creators who do not just create the malware but also provide toll-free support lines, ongoing updates to take advantage of zero-day attacks, integrated product activation to protect against piracy, easy-to-use control panels complete with statistics about infection rates, and much more.

To get a better idea of the malware landscape, I interviewed Ziv Mador, the director of malware security labs for M86 Security.

Origin and Demographics of Attacks

According to Ziv, the majority of malware development originates in Russia, Romania, and a few Eastern European countries, mainly because of weak and corrupt governments which are not able to keep organized crime in check. Additionally, much of the support, sales, and logistics for malware kits, stolen data, and more is also handled within these regions due to the lax government climate.

As far as attack targets go, while malware typically knows no bounds, Ziv mentioned that in most of his findings Western countries are the most heavily targeted because of their wealth. In particular, bank fraud tends to have the highest reward for attackers by allowing them to access large sums of money in the shortest amount of time. Because of the easy access to funds and limited fraud protection, bank account information tends to sell on the black markets at prices significantly higher than credit/debit card numbers.

Additionally, as many malware makers prefer to have ongoing revenue, fake antivirus products and pay-per-install spyware are often integral to their operations, providing a fairly simple but effective way of monetizing their victims.

Attack Vectors

Although web browsers have been and remain the largest vulnerability point for end users, recent malware attacks have been shifting towards third-party plug-ins such as Flash, Java, and Adobe Acrobat because the plug-ins tend to be less hardened and therefore provide closer access to critical system files. Additionally, deploying updates for third-party programs on enterprise networks is significantly harder due to compatibility issues, making them a perfect target for attackers who are aiming for a high infection rate.

Even if you stay away from questionable sites normally associated with malware, today there is a new attack angle which allows infections to spread through legitimate websites without the owner or end user knowing. According to Ziv, this form of attack is known as an iFrame injection: a website is hacked and a small piece of code is injected into it. Unlike the common depiction of hackers trashing websites and replacing them with obscene pages, today many infections occur in the background without notice. By using malicious code to inject hidden iFrames into a compromised website, malicious parties are able to have scripts download files to visitors in the background without warning.

This type of attack is so prevalent that according to Ziv, before launching an infection campaign, many groups will collect statistics from a few compromised servers and use that data to better target their attacks. While in the past malware used to be most prevalent on pornography and piracy websites, today even visiting a site as respectable as Facebook or Twitter could lead to an infection if a breach were to occur. Currently however, this form of attack is more prevalent on smaller independent websites where the owners fail to update and apply patches in a timely fashion.
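For site owners, the hidden iFrames described above can be looked for in the HTML a server actually returns. The following is an added example, not part of the original article: the host names and the sample page are constructed, and the "hidden" heuristics (tiny size, inline style, `hidden` attribute) are assumptions about how such frames are typically concealed.

```python
# Added example: flag hidden third-party iframes in served HTML (defensive audit).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks that make a frame invisible to the visitor (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|"
    r"(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeAudit(HTMLParser):
    """Collects iframes that are both hidden and loaded from another host."""

    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by inline style")
        if "hidden" in a:
            reasons.append("hidden attribute")
        # Relative URLs and subdomains of the site itself count as first-party.
        external = bool(host) and not (
            host == self.site_host or host.endswith("." + self.site_host)
        )
        if reasons and external:
            line, _ = self.getpos()
            self.findings.append(
                {"line": line, "src": src, "host": host, "reasons": reasons}
            )


def scan_html(html, site_host):
    """Return a list of findings for hidden iframes pointing off-site."""
    audit = IframeAudit(site_host)
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample page: two legitimate frames, one hidden first-party frame,
# and two frames of the kind an injection would add.
SAMPLE_PAGE = """<html><body>
<h1>Shop</h1>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="https://cdn.shop.example/banner.html" width="300" height="250"></iframe>
<iframe src="/cart/keepalive" style="display:none"></iframe>
<iframe src="http://stats.injected-frame.test/in.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="//cdn.other-frame.test/a" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "shop.example"):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
```

A static parse only sees frames present in the markup; frames written at runtime by an injected script need a comparison of served files against a known-good copy.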

Commercialization of Malware

As mentioned earlier in this article, the malware industry has gone from small groups of “hackers” to an industry with estimated transaction values of well over $1 billion USD. In particular, the biggest sources of revenue have come from brokering stolen data and selling malware kits. While in the past creating a virus required extensive technical knowledge, today, for around $1,000 USD, you can purchase a “malware kit” complete with a GUI for changing settings, ongoing updates for continuing effectiveness, internal statistics to better target attacks, and even product activation integrated by the creators to protect their creations from piracy.

This commercialization is not limited to malware. Today brokers handling stolen data provide toll-free support lines to handle reissuing data if it is flagged for fraud (common with credit and debit cards), and call centers exist to provide criminals access to phone operators with any accent desired, a crucial service for helping to expedite fraudulent transactions over the phone.

Closing Words

Overall, the details mentioned above are just a small sampling of today’s chaotic environment in computer security. As malware continues to be commercialized and commoditized, information technology professionals of virtually every breed will have to learn to place security at the forefront of all projects. Although this article is more of an overview piece, at the least it should alert you to the fact that today malware is not just being produced by lone-wolf hackers. Rather, syndicates now control the sphere, and as such, security must be given top priority to combat the increased threat.


Facility and Site Selections Guidelines for Data Center

When looking for a facility and site for a data center, some points should be kept in mind:

Location-related security guidelines

1. Avoid the following:

  • Iconic, trophy, historic, listed, or high-profile sites and/or locations near such sites.
  • Uncontrolled public facilities for vehicles (e.g., tunnels, parking areas, etc.) directly beneath or adjacent to the site.
  • Politically unstable areas.

2. Seek the following:

  • Maximum setback from the street on all facades
  • Maximum physical separation from neighboring buildings
  • Convenient external assembly points
  • Close proximity to emergency services
  • Easy access to major roads or arteries

Facility-related security guidelines

Seek the following in conjunction with a proper facility risk assessment before signing a lease:

  • Sole building occupancy or sole floor occupancy at a minimum
  • Physical access-controlled building entrances and exits to include parking facilities
  • Structural designs that minimize the risk of progressive collapse in the event of an explosive incident
  • Buildings with appropriate blast mitigation measures
  • Effective acoustic isolation for internal offices/conference rooms next to non-company-controlled space
  • Provisions for proper visitor access and control
  • Elevated and physically secured HVAC air intakes
  • Fire detection/prevention and life safety systems that meet company standards as well as all applicable codes
  • Adequate emergency escape routes
  • Internal space with the potential for segregated mail sorting/distribution
  • Appropriate access controls for on-site parking and preferably not located beneath the building if a multi-tenant facility
  • Provisions for secure equipment storage

For more, please refer to our tools section:

http://datacentertalk.com/category/data-center-tools/


Web Security Predictions for 2012

As the year comes to a close, it is important for many companies to look back at which security measures have worked and which need improvement. In addition, it is important for IT and security professionals to gear up for the ever-changing breeds of digital threats which will be plaguing companies in 2012.

Recently, digital security vendor Websense published a set of predictions of key security threats for 2012, which is heavily centered on social networks as the major attack vector for traditional malware and social engineering.

Although the Websense report cited a few major security trends, the most disturbing one for IT professionals and administrators is the increase in attacks through social networks. During 2011, a round of social engineering attacks went mainstream in the form of scammers using Facebook Chat to beg friends for money, usually under the premise that they were overseas and had had their wallet stolen, so they needed a large sum of money wired to them. In addition, viruses and malware have spread rapidly across real-time news and sharing sites such as Twitter, as a way to bypass traditional search providers blacklisting malicious sites.

Websense predicts that these types of attacks will become more prevalent and that, with companies constantly placing a focus on social media for collaboration, people will come to trust online profiles even more. This surge in online communication means that IT professionals across the board will have to start familiarizing themselves with social engineering attacks and developing training materials and policies to educate employees about the new threats which can come from inside and outside the workplace.

Aside from social networks, the threat predictions also cited mobile malware becoming more common due to increasing smartphone adoption and many companies now allowing personal devices to be used for business. Unlike traditional malware, Websense predicts that many mobile exploits will not only allow malicious parties to view data, but also to use geolocation (via the phone’s GPS) to add a new form of targeted social networking based on the victim’s location.

The complete report in PDF form can be found here.

 

You can also keep up to date with current trends and technology by visiting Data Centre Talk where we keep you informed on important changes as they occur.


First Class Security Without a Platinum Price Tag

When it comes to managing websites, most companies have more than enough on their plate. Between customer service, security, training, optimization, and more, most companies are already overloaded with tasks related to the administration of their websites.

Features Of CloudFlare

Fortunately, a service called CloudFlare provides reasonably priced packages to help website owners secure and optimize their websites. A few of the key features include CDN/caching capabilities, code and script optimization, threat recognition via community intelligence (which helps protect against zero-day exploits), streamlined and easy-to-understand analytics, and an easy-to-use app system to add additional functionality as needed.

CloudFlare comes in free and professional editions, with an enterprise edition currently in development. For this article, I did my testing using the free edition of CloudFlare, and despite not having the professional capabilities, the service performed very well; compared to many other vendors, which nickel-and-dime clients, I did not feel constrained while using the free plan. Overall the service has an excellent interface which is powerful enough for an IT professional like myself, but it also has helpful tooltips next to virtually every setting so less technical users can have guidance while using the software.

In addition, CloudFlare receives extra praise from me for not plastering the user with ads and banners to upgrade to the professional edition. Unlike the Zynga model of freemium, which involves constantly bombarding the user with ads for paid upgrades (I only mention Zynga here as they are known for their in-game ads; I do not mean to compare the services of each), in CloudFlare professional features simply have a “pro” icon next to them, with an upgrade page shown if the user clicks for more information.

Going back to my review, overall, CloudFlare passed my tests with flying colors despite my initial hesitance to use the service on my primary sites owing to my skepticism. The initial configuration simply involved updating my nameservers to the CloudFlare servers. From there, the service automatically recognized my domain settings and asked for confirmation. After that, I simply continued on with my work and checked the control panel 24 hours later to see how the service worked.

While there are many features to mention, this review only covers the key features which are applicable to most users.

CloudFlare Analytics

Overall the analytics platform is as easy to use as Google Analytics. It lists key statistics such as threats, bandwidth saved, page requests, search engine crawl stats, and more all on one page, which allows you to see which areas require the most attention when you first review the data. In addition, CloudFlare classifies the types of threats which were blocked: for example, spammers, brute-force attacks, injections, harvesters, and more all have their own categories so the user can easily differentiate between the severities of the threats.

CloudFlare Security

Moving on to the security capabilities, CloudFlare acts as a firewall between general traffic and your server via a crowdsourced threat database to help detect traditional threats and zero-day exploits which have not been addressed by traditional security patches. The service also provides website owners an option to inform visitors that their computers are infected, by displaying an error page with a CAPTCHA to access the website as usual and also general information about the situation. In my initial testing on my sites, CloudFlare effectively replaced my usual spam filters with 99.9% accuracy and it also blocked a few suspicious crawlers from indexing parts of my site.

In addition to the added security, CloudFlare also improves site performance through caching and script/code optimization. Essentially “the poor man’s Akamai,” CloudFlare markets itself as an alternative to traditional CDNs by caching your publicly available websites across their 13 data centers and serving your content from the data center closest to your visitors. In addition, when using the service, your HTML and scripts are compressed using aggressive GZIP compression to improve load times.

As far as scalability goes, while I was skeptical of a free or $20/month service handling high amounts of traffic, a recent case study from CloudFlare discusses how the website 2011BlackFridayAds successfully used CloudFlare from September 2011 through the November Black Friday rush, cutting the number of server requests by half a billion and saving about 29.3TB of bandwidth. While the study is worth a read, one key point to note is that as CloudFlare currently handles five times the amount of traffic as Amazon.com, you can be fairly sure that scalability is likely not an issue with CloudFlare.

 


Importance of Firewalls and Network Security

Networking security involves the use of various tools that serve the basic purpose of preventing harmful programs from entering a computer.


A firewall blocks programs that you do not want to access your computer. Firewalls and network security ensure that your computer is free from harm. The basic role that a firewall plays is disallowing unauthorized access while letting in everything else.

Exception in Windows Firewall

Each time you install a new program in Windows, it has to ask to make an exception in the Windows Firewall, and this is especially the case if the program will be involved with the Internet. At certain times, the firewall is overprotective and blocks the communication of legitimate programs. You can correct such overprotection by making an exception in the firewall options manually.

Firewall Network Security

The other form of protection that involves firewalls and networking security is known as Unified Threat Management (UTM). This is a form of network security that was introduced in the year 2004 and has been growing since then. It can fit the description of being part of the evolution of a firewall. UTM includes the function of a firewall and has other features such as network intrusion prevention, content filtering, load balancing, gateway antivirus and on-appliance reporting.

Software Firewall Workstation

A common sign displayed by a computer that lacks firewalls and network security is frequent freezing. Many viruses, hacking programs and spyware plague such a computer to slow it down until it freezes. Theoretically, it is a good idea to have a software firewall on every workstation. However, third-generation software firewalls usually prevent networks from working normally, causing problems that are hard to diagnose.

Default Port Blocking 135-139

Software firewalls are usually configured by default to block ports such as 135-139, resulting in network disconnection and the inability to access critical file shares. If the firewalls become corrupted or a virus infects them, it is usually very hard to restore the connection to the computer, and this forces a re-image, repair install or reformat. In order to prevent such a situation, the software firewalls have to be configured.

Security Breach Protection for Information and Credit Card

Network security and firewalls play an essential role in the network systems of companies that utilize electronic information or credit cards. They allow them to protect data in order to prevent security breaches, which can lead to loss of money, identity theft, stolen records, lawsuits and corrupted information among other things. In order to ensure that networks and firewalls keep threats down, you need to keep updating them.

Hackers and Criminals Attack to Bypass the Firewalls

This is important because hackers and other online criminals continue revising their tactics for bypassing or breaking through firewalls. There are numerous threats that firewalls and network security protect a computer from. One example is worms and viruses, which are malicious code that spreads when it is inserted into computer systems. Viruses usually come from attachments and worms are usually contained in emails.

Malware Embedding in Source Code

Firewalls and network security also protect computers from Trojan horses. These are malware that enter networks through files that seem harmless and that are usually embedded in a website. The other threats that firewalls and network security protect a computer from include spam, phishing, zombie computers and packet sniffing.

 


Cloud Computing Backup is Important for Business and IT

The National Institute of Standards and Technology (NIST) defines “cloud computing as an internet-based computing model which enables users to access on-demand a shared pool of configurable computing resources online that can be rapidly provisioned and released with minimal management effort or service provider interaction over networks.”

Computing resources include networks, software, chats, documents, emails, presentations, blogs, applications, storage, servers, application programming interfaces (APIs) and others. Users can access this shared data, information and software, and much more, through on-demand self-service within cloud computing from their own devices. They can access it from computers, laptops, notebooks, tablets and smartphones. Cloud computing is like having secure access to all your resources, applications and data from any networked device.

Why is it Important for Business and IT to have Cloud Computing Backup?

Cloud computing backup services include various functions such as data protection, server performance, security and compliance, data center resiliency, and availability of remotely located data, which are handy and practical, especially for business-to-business (B2B) backup services.

Several issues might lead you to think about the importance of cloud computing backup: cost-effectiveness; uploading of and controls on sensitive data; the reliability of a good service provider; data security; moving servers to the cloud; and ownership and privacy.

Availability of Cloud Computing Backup with Different Services

There are innovative and popular on-demand, self-service cloud computing backup services that come with different plans for uploading copies of data into online storage over networks. These online backup spaces may or may not give unlimited storage, may be able to cover more than one computer or device, and differ in transfer speeds and pricing. Some come with a free trial plan to use their online services for a limited time.

I have written a few explanations here. [A detailed list of online backup services with their plans is given in another article - "List of Cloud Computing Backup Services".]

  1. SOS Online Backup (www.sosonlinebackup.com) – comes with 14-15 days trial plan.
  2. Storagepipe (www.storagepipe.com) – Canada online cloud backup services.
  3. MozyHome (www.mozy.com)
  4. MiMedia (www.mimedia.com) – offers folders syncing that designate folders to pair with online storage.
  5. KineticD (www.kineticd.com) – has a remote control capability to iPhones and PCs so users can keep applications backup running on their device.
  6. IDrive (www.idrive.com) – with unlimited storage and at affordable price.
  7. GlobalDataVault (www.globaldatavault.com) – has advanced full featured backup service provider.
  8. DataBarracks (http://www.databarracks.com/) – business backup services with support for different operating systems.
  9. DSCorp.net (www.dscorp.net - www.datastoragecorp.com) – data is completely protected and secured from any kind of accidental attacks.
  10. CrashPlan (www.crashplan.com)
  11. Carbonite 4.0 (www.carbonite.com) – offers unlimited storage.
  12. BackupMyInfo (www.backupmyinfo.com)

Mobile devices such as iPhones, iPads and Android devices can use online backup services such as SOS Online Backup, which offers mobile applications.

Protect Data when Disaster strikes – How?

Either back up your locally stored data online, i.e. upload duplicate copies of the data on your networked devices or computers to an online cloud backup, or move the whole data server, file server and web server into cloud computing backup.

I will give an example case study here; it is nearly similar to the cloud computing process, but do not take it as a proper example of cloud computing.

You would upload all your precious family photos to online photo storage, for example shutterfly.com (an online photo album) or Google App Engine, over local area networks or wide area networks. In this way, you are protected from threats such as loss of data through stolen mobiles or devices, fire, virus attacks, hard drive failures, accidental deletion and other accidents. You can share the photos with the world or with some of your friends.

There is also on-demand self-service online storage for music, videos and documents, for example Google App Engine.

The same is true for small and medium businesses and large corporations. They rely on their data and information for running their business, transactions and projects and for holding a larger percentage of consumers. It is essential for them to have online backup in cloud computing for secure access at all times.

Future Trends for Cloud Computing Backup

Now we have a solution for the protection of data: online backup storage, or cloud computing backup. Users access their shared resources of data, files and folders online at any time and from anywhere. Users should take advantage of this advanced technology in their daily use. They do not have to download and install applications or software on their own device, mobile or computer. All processing and storage is maintained and managed by the cloud server; the data is then stored securely away from your premises in the cloud configuration. The data remains intact, safe and available if any disaster or accident strikes your premises or your devices.

Cloud computing backup is one such feature of cloud computing: it uploads backup copies of data, or an entire server such as an email server, file server, web server or file transfer protocol (FTP) server, to the cloud.

Gartner’s Strategic Planning Hypothesis predicts that, “by 2012, about 80% of Fortune 1,000 companies will use Cloud Computing Service in some fashion.” Data virtualization will pick up its momentum as data integration gives way.

 


Network Security – Denial of Service Attack (DDoS)

In the last several years, the Denial of Service (DoS) attack / Distributed Denial of Service (DDoS) attack has become one of the most critical threats to internet security, though it is easily accomplished by intruders. You can also perform it on another's network, if you have coding knowledge.

Simply download DoS attack tools from the internet and do it! Wait! First save your own network and then try it. To defend against this attack, we first have to know its consequences.

Typically, an internet connection is established using a method called the ‘three-way handshake’. Following this protocol, the client PC first sends a request (SYN) for connection establishment; on receiving this request, the server PC responds with an acknowledgement of approval (SYN_ACK) message. Lastly, the client PC also sends an acknowledgement (SYN_ACK) message to the server telling it, “I got the message, thank you”, and then, if everything is all right, the connection is established.

Description

What happens in a DoS attack is that a person, whether inside or outside a network, makes services unavailable by flooding the network system that normally provides them. A DoS intrusion causes server overrun and resource consumption. This may often prevent the server from responding to actual clients. It may spoil the whole network infrastructure. There are several kinds of DoS attacks. The following are some examples:

Smurf Attack

One of the earlier DoS attacks on hosts at the network level. An attacker generates a huge number of ICMP ping requests (datagrams) with fake source addresses and sends them to the IP broadcast address of a network, i.e., a remote LAN's broadcast address. Most of the hosts connected to the network will send a reply to each echo request. Thus, the network is overwhelmed by fake echoes multiplied by the number of connected hosts. Normally the attacker uses the largest packets (up to the Ethernet maximum) to ensure terrible damage to the target network.

Fraggle

Another DoS attack, which follows the same process as the Smurf attack; it just sends UDP echo packets in place of ICMP. This attack can be very serious because of the ‘stateless’ property of UDP. ‘Stateless’ means there is no acknowledgement mechanism in this protocol, which makes UDP favorable for DoS attacks. The attacker swamps the network with UDP packets. Because there is no such mechanism, the receiver can’t identify the fake requests.

Ping of Death

This attack follows the same mechanism but from a new angle. It sends ping requests using over-sized packets. You may know that TCP/IP’s Maximum Transmission Unit (MTU), i.e. the maximum packet size, is 65,536 octets (as per CISCO). As a result of over-sized pings, the routing device keeps rebooting perpetually or may freeze up, causing a total crash.

Tribe Flood Network / Tribe Flood Network 2000

More complicated than the previous DoS attacks; it is alternately named ‘IP Spoofing’. It is capable of initiating synchronized DoS attacks from multiple sources against multiple target devices. It accomplishes the violation by presenting itself as an IP address of a network to other IP addresses which are within its scope. In this manner, it misleads the network system by using an approved or trusted internal/external IP address and does massive destruction.

Stacheldraht 

A Distributed DoS (DDoS) program, which is actually an assortment of DoS methodologies. It integrates TFN attack processes along with UDP, TCP/IP and ICMP floods and the Smurf attack. Starting with a huge invasion at the very root level, it encrypts almost every communication between server (root), client or any other host in a network. It was written based on the TFN tool to be used only on Linux/Solaris systems, but now it is used on any platform by modifying its source code. The scope for describing this attack is limited in this article, as it requires a vast explanation to understand this intrusion.

Mitigation

See, you are in great danger now! Anyone can destroy your work in just a second, no doubt about that! No worries, accidents happen! Let’s try some preventive measures to protect valuable information and to have flawless communication:

It is not possible to stop communications with all outside connections. So, first of all, ensure basic traffic filtering. You can keep unexpected intrusions to a minimum by using traffic filtering at your end. Firewall-protected networks are much safer than others in this regard. Contact your ISP to ensure security before doing business through the network.

For ISPs, it is necessary to monitor the network closely and review protocols to confirm an authenticated communication path. Find solutions to mitigate resource overloading and other constraints. Before operating the system, scan the whole network architecture considering all kinds of intrusions. Maintain a solid and well-managed mitigation policy.

Make sure the router is well protected by implementing filters on it. To prohibit unauthorized access, implement mechanisms such as Network Address Translation (NAT) and Access Lists (ACLs). NAT decreases the overwhelming number of IP addresses required for a networked environment by concealing certain IP address space. Thus, it lessens the opportunity for Smurfing or IP spoofing. An access list controls which addresses are allowed to connect to the network and which aren’t. These lists are a conventional means of preventing IP spoofing, Smurf attacks, DoS TCP/IP floods and DoS ICMP floods, and of any kind of traceroute filtering.

To restrict Smurf or Fraggle attacks, configure the router to block broadcast packets originating outside the network. You may find slight variations in the router configuration commands, though by default almost every recent router inhibits these broadcasts.

Unicast Reverse Path Forwarding (uRPF) is a method which can drop IP packets containing a fake source address. It can work in either strict or loose mode, though the level of its rigidity varies from router to router. Also, don’t forget to configure the ACLs so that, if uRPF fails, the ACL can handle it.
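The filtering order described in the last two paragraphs (uRPF first, an ACL as the backstop against spoofed sources and inbound directed broadcasts) can be modelled in a few lines. This is an added example, not a router configuration from the article: the interface names, routes and packets are constructed, and the model assumes a router with no default route, so a source with no matching route fails in both modes.

```python
# Added example: model of uRPF (strict/loose) with an ACL fallback at a network edge.
import ipaddress


class EdgeFilter:
    """routes: list of (prefix, interface). inside_if: the LAN-facing interface."""

    def __init__(self, routes, inside_if, mode="strict"):
        if mode not in ("strict", "loose"):
            raise ValueError("mode must be 'strict' or 'loose'")
        self.mode = mode
        self.inside_if = inside_if
        self.routes = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]
        self.inside_nets = [n for n, ifname in self.routes if ifname == inside_if]

    def _best_route(self, addr):
        # Longest-prefix match, as a forwarding table lookup would do.
        matches = [(n, i) for n, i in self.routes if addr in n]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def urpf_pass(self, src, in_if):
        best = self._best_route(src)
        if best is None:
            return False              # no route back to the source: drop
        if self.mode == "loose":
            return True               # reachable via any interface
        return best[1] == in_if       # strict: must arrive on the return path

    def acl_reason(self, src, dst, in_if):
        # The ACL only guards traffic entering from outside interfaces.
        if in_if == self.inside_if:
            return None
        if any(src in net for net in self.inside_nets):
            return "drop:acl-spoof"   # inside address seen on an outside port
        if any(dst in (net.broadcast_address, net.network_address)
               for net in self.inside_nets):
            return "drop:acl-broadcast"  # Smurf/Fraggle amplification attempt
        return None

    def decide(self, src, dst, in_if):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self.urpf_pass(src, in_if):
            return "drop:urpf"
        return self.acl_reason(src, dst, in_if) or "forward"


# Constructed topology: one LAN, two upstream links (documentation address ranges).
ROUTES = [("192.0.2.0/24", "lan0"), ("203.0.113.0/24", "wan1")]

# Constructed packets: (label, source, destination, arrival interface).
PACKETS = [
    ("legitimate inbound",       "203.0.113.9", "192.0.2.10",  "wan1"),
    ("asymmetric return path",   "203.0.113.9", "192.0.2.10",  "wan0"),
    ("spoofed inside source",    "192.0.2.50",  "192.0.2.255", "wan1"),
    ("ping to LAN broadcast",    "203.0.113.9", "192.0.2.255", "wan1"),
    ("source with no route",     "10.9.9.9",    "192.0.2.10",  "wan0"),
    ("inside host to outside",   "192.0.2.50",  "203.0.113.9", "lan0"),
]


def run_demo(mode):
    """Return the decision for every sample packet under the given uRPF mode."""
    f = EdgeFilter(ROUTES, inside_if="lan0", mode=mode)
    return [f.decide(src, dst, in_if) for _, src, dst, in_if in PACKETS]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode)
        for (label, *_), verdict in zip(PACKETS, run_demo(mode)):
            print(f"  {label:26s} {verdict}")
```

The fourth packet shows why the ACL matters: its spoofed source arrives on the correct return path, so uRPF passes it in both modes and only the broadcast rule stops it.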

There are other monitoring techniques, such as customer/peer notification, sinkholes, rate limiting, the backscatter technique, black hole filtering, NetFlow monitoring, advanced BGP filtering, etc.

Your task is easy; make sure you are not the victim!

 

You can also keep up to date with current trends and technology by visiting Data Center Talk where we keep you informed on important changes as they occur.


Physical Security of a Data Center

Numerous complicated documents provide companies with information on how to design a secure data center: the gold-standard specs the federal government uses to build embassies and other sensitive facilities, the National Fire Protection Association safety requirements, and the infrastructure standards that industry groups publish. The CSO's high standards should ensure that security is built into the design of a new data center rather than being an ineffectual or expensive afterthought. Learn here how to design functional data centers that can withstand practically anything, from corporate espionage artists to natural disasters or terrorism. Though these extra precautions can be costly, they are simply part of building a facility that is secure and can survive even the worst of disasters. Let us discuss nineteen ways to build physical security into a data center.

The Perfect Location

First make sure the location of the center is some distance from the headquarters; about 20 miles should be enough, and it should also be about 100 feet from the main road. Avoid the risk of bad neighbors, chemical facilities, airports or power plants. In addition, do not choose an area prone to earthquakes, floods or hurricanes. Make sure to scrap the data center sign.

Does it have redundant utilities?

Data centers require two sources for each utility: water, electricity, data and voice. You should trace the electricity source back to two separate substations and the water source back to two separate main lines. The two lines ought to be underground and should enter the building at two different points, along with the main water lines. If you have difficulty getting these connections, use the anticipated power usage of the data center as leverage to get the electricity or water company to accommodate the special needs of the building.

The Walls

The walls should be made of one foot thick concrete since this is thick enough to effectively protect against the elements and even explosives. Walls that have a Kevlar lining further boost the effectiveness of the wall. Concrete is not very expensive.

Avoid windows

The data center should be designed like a warehouse, not like an office building. If there must be windows, limit them to administrative areas or break rooms and use glass that is laminated with bomb-resistant material.

Landscaping for Added Protection

Landscaping such as trees, gulleys and boulders can be useful in obscuring security devices like electric fences, and can conceal the building from cars passing nearby or even prevent them from getting close. In addition, the landscapes help beautify the compound of the facility.

A 100 Foot Buffer Zone

You can alternatively use crash proof barriers where it is not possible to have landscaping to protect the facility from vehicles. Bollard planters are not only more attractive but also less conspicuous than other types.

Crash Barriers at Vehicle Entry Points

You can control access to the loading dock and the parking area by having a guard station with staff who operate the retractable bollards. A green light and a raised gate act as visual indications that the bollards have been lowered and the driver can proceed. In situations where you might need extra security, you can leave the barriers up by default and only lower them when someone has been granted permission to enter.

Bomb Detection

For a data center that is highly sensitive or is a likely target, you can have the security guards use mirrors to check for explosives underneath vehicles, or you can provide them with portable bomb-detection devices. To respond to a raised threat you can increase the number of vehicles checked, for instance by including employees' vehicles and delivery trucks.

Limit Entry Points

You can control the building’s access by establishing only one main entrance and a back entrance for the loading dock. This not only secures your facility but also brings down costs.

Fire Doors Exit Only

In line with the fire codes, your facility should have emergency fire exits. Nevertheless, these doors should not have a handle on the outside and should be connected to a loud alarm system, so that opening them triggers a response from the security team.

Make use of Plenty of Cameras

You should have surveillance cameras installed all over the data center facility at all exits and entrances and any other access points in the facility. It is ideal to use a combination of pan-tilt-zoom cameras, low-light cameras, standard fixed cameras and motion-sensor devices. The footage should be recorded digitally and stored in an offsite location.

Protect the Building’s Machinery

The mechanical area of the data center, which houses uninterruptible power supplies and environmental systems, should be kept strictly off limits. If your generators are outside, secure the area using concrete walls. For the two areas, make certain that all repair crews and contractors are escorted by an employee at all times.

Plan for Secure Air Handling

It is important for data center systems to have air-conditioning, ventilating and heating systems that recirculate air instead of drawing it from outside. This would protect people as well as equipment from chemical or biological attack or even from smoke in case there was a fire nearby. For extra caution, have an alarm system in place to detect any biological or chemical contamination. Ensure that nobody can hide and nothing can be concealed in the ceiling and walls. In secure areas of the data center such as the data room itself, make certain the internal walls run all the way from the sub flooring where wiring is normally housed, to the ceiling.

Use Two-Factor Authentication

Sensitive areas of a data center should require biometric identification, while access cards can be used in other, less sensitive areas.

Prohibit Food in the Computer Rooms

You should provide a common area where your employees or other people can eat, so that food does not get on the equipment. Also install visitors' restrooms for people who do not have access to secure places in the building.
