[Backround at: http://www.infosecnews.org/hypermail/0711/13951.html - WK]
By Patrick Thibodeau
January 07, 2008
Last October, a data center in Chicago owned by Web hosting and
collocation vendor C I Host Inc. was robbed by two masked men, who
pistol-whipped a lone IT staffer working the graveyard shift and then
held him hostage for two hours while stealing computer equipment.
It's rare for data centers and their employees to be attacked in such a
brutal way. Typically, IT facilities are designed with physical security
in mind, featuring protections such as steel doors, security guards and
electronically controlled access mechanisms.
But the armed robbery at the Chicago data center has changed how
Christopher Faulkner, CEO of Dallas-based C I Host, views security.
Faulkner said this month that he no longer thinks data centers are as
secure as IT managers believe they are, and that he sees what happened
at his company as a warning of what may lie ahead for other
"The second someone crosses the line to armed robbery [risking] a 25- to
50-year prison sentence to steal some servers, we're in different realm
of security now," he said.
When Faulkner tours other data centers, he looks at their security
measures with a much different eye than he did before the robbery at his
facility. He imagines someone a robber, or a terrorist who is determined
to steal or destroy the equipment there.
Most data centers don't have metal detectors or bomb-detection systems,
according to Faulkner, who also said that he has never been patted down
by a security guard when entering a data center. "How do they know I
don't have five handguns on me, strapped down with explosives?" he
asked. "They don't know."
There have been a few scattered reports of robberies at other data
centers, including one last year in London. But William DiBella,
president of AFCOM, an Orange, Calif.-based professional association for
data center managers, said that he sees little chance of robberies
becoming a trend at IT facilities.
Data centers are far from a low-hanging fruit for robbers, DiBella
contended. "Most data centers are very well-hidden and secure," he said.
Moreover, he said, companies simply aren't going to risk intrusions, for
an obvious reason: "Lose data and you can lose the business."
Nonetheless, Faulkner thinks that data center operators really haven't
planned for the worst possible occurrences, such as terrorist attacks.
"Data center security, in the past five years, has been about the show
for the customer," he said. "If somebody is committed to dying, it's
going to be very hard to stop them."
Since the robbery in Chicago, Faulkner has added new security measures,
most of which he declined to specify. The hosting firm, which has two
other data centers in Dallas and Los Angeles, also now trains its
staffers on how to respond if a similar incident happens again. He said
the training can be boiled down to this message: "fully cooperate" with
"These are computer geeks," Faulkner said of his employees. "I am not
going to be in a business where I'm going to tell someone that their
son, daughter or husband was killed for some computers."
C I Host's Chicago data center is in a leased building. The robbers used
a hook to lower an old-fashioned fire escape on the side of the building
in order to gain access. A guard from a security company wasn't at his
post, Faulkner said, adding that the robbers waited in a hall for the
lone employee who was on duty at the time to leave the data center.
Once the robbers accosted and subdued the worker, they swiped his
employee badge through a scanner and entered his security PIN code on a
keypad outside the door to the data center. The security system then
prompted them for a fingerprint scan, which the employee was forced to
do, according to Faulkner.
The robbers stole servers and networking equipment that belonged to a
collocation customer and that Faulkner estimated would cost between
$50,000 and $100,000 if bought new. Police in Chicago haven't made any
arrests in the case thus far, he said.
Faulkner has hired a private investigation firm to conduct its own
inquiry. One of the things the investigators are likely to look at is a
break-in at the same data center in 2005. In that incident, someone
broke into the facility during the night by cutting through a wall, an
effort that may have taken seven hours to complete. At the time, the
data center was managed at night; it was after the break-in that
overnight staffing was added, Faulkner said.
One of the changes that Faulkner has made since the robbery in October
is dropping the use of an outside security firm and hiring an armed
guard who works directly for the company. "We can control more of what
he does," the CEO said.
But Faulkner added that he doesn't feel entirely comfortable with the
idea of having someone in the data center with a loaded handgun, and
that he doesn't know if even an armed guard could have thwarted the
John Watters, chairman and CEO of iSight Partners Inc., a Dallas-based
security consulting and analysis firm, said that physical security
improvements inside data centers haven't changed much over the past five
years or so and aren't keeping pace with data and network security
"Physical security budgets aren't growing," Watters said. "As people
have gone through extreme measures to secure logical access points to
data, they have been remiss to provide the same level of tenacity to the
human and physical aspects."
Among the problems that Watters sees is the separation between physical
and logical security at many companies. For instance, if someone swipes
a card to gain access to a data center but doesn't log into a system
within a given time, that may be an indication that something is out of
the ordinary. But if both types of controls aren't part of an overall
security management system, the data center staff may never be aware of
such an anomaly.
And that could help open the door to intruders, according to Watters.
"The good adversary attacks your weak link," he said.
Visit InfoSec News