When it comes to cybersecurity, data centres unquestionably have it tough. Here, Dave Klein, senior director of engineering and architecture at Guardicore discusses why the data centre is the modern-day hacker’s target of choice and what you can do to protect yours.
Over the last three years there has been a shift from hackers targeting individuals to attacks on enterprise data centres. Whether on premises, in cloud or a hybrid cloud mix, there are core characteristics of data centres that make them higher value targets of opportunity, while also easily penetrable at low risk to the hacker.
Data centres are high-value targets of opportunity because of several factors. Foremost, the applications they host house valuable data and give access to powerful resources.
Probably the most popular reason why data centres are attacked, PII offers attackers the ability to quickly monetise information about individuals en masse. Why attack individual browsers looking for cached bank account or credit card information when you can get hundreds of thousands if not millions at a single time? Far too often it is easy for attackers to find unencrypted or weakly encrypted user account information repositories. There are hundreds of markets on the dark web where attackers sell lists to credit card fraudsters.
Data centres have powerful computing resources that often sit on redundant, high bandwidth links. This makes them perfect environments for attackers, some whom market DDoS (Distributed Denial of Service) for hire or RAT (remote access trojans) for hire services to the wider hacker community. As we have seen over the last two years, hackers sometimes use hijacked resources to mine Monero and other crypto currency -– at the victims’ resources expense. Called cryptojacking, besides being very energy, compute and cooling intensive, it can also damage your data centre gear over time through additional wear and tear.
A company’s intellectual property is something an unscrupulous competitor might want to get their hands on. This is illustrated by government APTs who seek out military, medical, pharmaceutical and other high-tech intel to pass on to their own industries. Sometimes, the espionage is not “black art” but rather captured communications showing what a competitor is bidding on. Guardicore was called by a customer a few years back with just such an issue. One of their competitors had infiltrated a bidding system by compromising an SFTP server. The attackers knew what the company was bidding on, the bid details and price. The company was put to such a competitive disadvantage that its bottom line was significantly impacted.
In the information age, data centres are the heart of enterprises. In addition, most enterprises have adopted DevOps based models that favour speed and agility to meet business needs and to provide competitive differentiation. Often security becomes an afterthought.
The Personally Identifiable Information stored in data centres offers attackers the ability to quickly monetise information about individuals en masse.
Enterprises rely on an ever-expanding list of operating platforms to deliver digital services. Vulnerability management continues to be a major sticking point. With so many vulnerability mapping tools available to attackers, it is easy for them to find vulnerable applications or infrastructure to exploit and to make an initial penetration into a data centre.
In the case of Equifax, a vulnerable Apache Web front end component called Struts2 let attackers in. While enterprises need to do a better job at vulnerability scanning and remediation, they will never totally get ahead.
Furthermore, since most enterprises have interconnected systems with business partners and contractors, they can still be exposed by a weak link in the chain. Target’s famous exploited Point of Sale systems attack of a few years ago, started with a vulnerable data centre application of their refrigeration and HVAC vendor – who was tied to the Target network.
One of the most important tools in today’s data centres is automation. Playbooks such as Puppet, Chef and Ansible are utilised to provision and spin-up workloads. On the one hand this makes it possible for enterprises to be extremely agile and autoscale services and applications accordingly. On the other, often these playbooks don’t include patching, kernel and application update checks. Many enterprises find vulnerabilities are introduced by applications that have been spinning up new instances for several months, or even years, that have become outdated.
While best practices stipulate authentication should include strong passwords combined with two factor authentication, far too often authentication is still only a username and a password. Many breaches start via brute force password attacks. The ‘Butter Attacks’ (discovered by Guardicore Labs) are a great example of this. Attackers targeted data centre SSH servers with brute force password attacks, successfully breaking into thousands of data centres globally. And in mid January 2019, the US DHS issued Emergency Directive 19-01 which discussed foreign state actors who utilised a similar attack on US Government DNS servers with weak passwords.
Once in, hackers take advantage of the biggest flaw found in data centre architectures – inappropriate segmentation of internal systems within the data centre.
The three above methods are the most common ways we see attackers establish a foothold within data centres. Once in, they then take advantage of the biggest flaw found in data centre architectures –inappropriate segmentation of internal systems within the data centre.
The amount of time an attacker remains undetected in the data centre (the “dwell time”) is often so great because appropriate segmentation was never put into place. Had proper segmentation been implemented, then upon gaining access to an SSH server, an attacker wouldn't be able to move laterally as they would be cut off from the rest of the infrastructure and would only be able to do “allowable things”.
Better vulnerability management is critical for data centre security. The use of automation, adding OS, application and kernel vulnerability and patch management checks to automated scripts, will assist greatly.
Furthermore, two factor authentication and strong password policies across the board will also help. But the most critical step IT teams should take is to incorporate segmentation within data centres. Even the simplest first steps, segmenting critical components and applications within data centres from other sections, will significantly reduce the data centre attack surface.