
Disaster recovery risk assessment for cyberterrorism attacks
In recent days, the threat of cyberterrorism attacks seems to loom darker. In this expert
response, learn whether cyberterrorism threats should be feared and how to prepare for
them.
Data center association AFCOM says companies aren't doing enough to prepare cyberterrorism
disaster recovery plans, but how can a security organization make that justification to C-level
executives? On the surface, it seems like a company is much more likely to deal with a security
problem because of an unpatched system or a coding error in a Web application vs. a
cyberterrorism attack.

Whether cyberterrorism is a real threat is subject to ongoing debate. However, if the question
were to be rephrased as: "Are denial-of-service (DoS) attacks (the most common form that
cyberterrorist attacks would take) a viable threat?" then yes, this is something that should be
addressed as part of a disaster recovery/business continuity (DR/BC) plan. This plan doesn't have
to be anything fancy, but it's important to have contact information for the appropriate people at
your ISPs and, if relevant, cloud service providers and application service providers (ASPs) as
well.

However, it is my general opinion that while DoS and distributed DoS (DDoS) attacks are real
threats, they should be categorized as a high impact/low probability threat; so, while it's
important to have a plan to deal with them, they shouldn't be your biggest worry.

Instead, I'd worry about low- to medium-impact/medium- to high-probability threats, as they are
the ones that can eat up resources quickly in the long run. Case in point: Small virus outbreaks,
while relatively low-impact, can be highly disruptive and use up resources that could be focused
on other issues. Likewise, patch management, configuration management and asset management
all can be done with minimal effort, provided the organization has good change control and
operational discipline. Doing this sort of planning right will free up resources to deal with more
troublesome, less probable issues like DoS and DDoS attacks.

This document has been classified as INTERNAL by Centenary Bank.


Datacentre security: Why operators must give cyber and physical threats equal attention
Datacentre operators often talk up the physical security measures they have in place, but
are they at risk of overlooking cyber threats?

Datacentres are built from the ground up to keep people out and ensure the precious data housed
inside their walls is securely protected.

To this end, it’s not uncommon for facilities to be located within non-descript bomb-proof
buildings that are equipped with bulletproof glass and surrounded by huge fences.

If someone manages to breach these defences, the data halls will be protected by biometric security
systems, man-traps and other security protocols, meaning access to the servers is in no way guaranteed.

Physical security is clearly of utmost concern for datacentre operators, but industry watchers
have previously aired concerns about whether the cyber security of their sites is subject to the
same level of due care and attention.

This is of particular note as datacentres represent a hugely lucrative target for hackers, who see
major potential in gaining control of the digital assets they store.

According to Cyren’s 2015 Cyberthreat Yearbook report, successful, business-focused cyber
attacks – including ones against datacentres – have increased by 144% in the past four years.
Meanwhile, the National Security Agency (NSA) claims attacks can cost victims up to $40,000
per hour, so clearly there’s a need to have appropriate security procedures in place.

In a media advisory, published in May 2016, the CEO of co-location provider Aegis Data, Greg
McCulloch, shed some light on why operators seem so preoccupied with the physical security of
their sites.

“While cyber security is of paramount importance when it comes to datacentres, the majority of
this protection is unseen, hidden in lines of code and firewalls. It can be stressed to the client the
multiple layers of cyber security, but all of this is intangible,” he says.

“Physical security features, however, are much more likely to impress and reassure prospective
and existing clients that their data is safe.

“The more layers that a centre can provide between the individual and the data hall, the greater
the likelihood of reducing the risk of a physical breach,” adds McCulloch.

Having around eight layers of physical security is ideal, he claims, and should ensure the
operator is doing all it can to keep the bad guys out.


“Typically, eight layers and upwards is ideal with a combination of personnel barriers like guard
posts, physical barriers such as locked doors requiring biometric scans, and security barriers like
man traps in the event of a breach,” continues McCulloch.

“These should all be installed in and around the data hall. For co-location providers storing
multiple clients’ data, each server should be locked and access to these should be provided only
to authorised personnel.”

Equal billing

However, as the move towards cloud continues apace in the enterprise, and the number of
internet-connected devices coming online soars, the cyber security threat level for datacentres
will rise accordingly, says Talal Rajab, head of cyber and national security at trade body
TechUK.

“Datacentres hold critical data that contain critical assets and information, including customer
data and intellectual property,” he says.

“With the emerging big data trend and the advent of internet of things [IoT], the various threats
to datacentres will only increase, meaning security will become an increasing priority for their
customers.”

For this reason, Rajab says it is high time cyber and physical security are given the same levels
of due care and attention by datacentre operators.

“Cyber security procedures in datacentres must be given the same priority as physical security
procedures – in the same way that physical access to a site is restricted to people with special access,”
he says.

“A datacentre has round-the-clock surveillance with permanent security personnel, and a truly
secure datacentre must have a similar strategy in place to protect against cyber threats.

“This can take the form of practices such as privileged network access for special users and
constant network monitoring,” adds Rajab.

Security and service availability

Matt Lovell, CTO at datacentre provider Pulsant, says volumetric attacks – including domain
name system (DNS) and distributed denial-of-service (DDoS) incidents – are a big cyber security
threat to datacentres, and can play havoc with an operator’s ability to meet the terms of their
service-level agreements.

“Maintaining service availability is paramount to all customers and anything that can affect this
needs careful consideration,” he says.


“It isn’t just power, cooling that helps to keep the lights on, but also any disruption caused
directly or indirectly by cyber attacks.

“These can be volumetric attacks, like DNS or DDoS, phishing, or exploitation of customer data
or application-related attacks,” adds Lovell.

Along with the threats the IoT and cloud pose to datacentre security, the attack surface for
hackers is growing in other ways too.

“There are more customer systems talking to one another, whether that’s analytics, decision
engines, security and payment processes or sharing marketing data. As a result, there is now a
shift in focus to core and network security,” claims Lovell.

Trust is paramount

Cloud hosting firm Iomart operates eight UK datacentres, and its chief technology officer (CTO)
Bill Strain says the organisation uses threat-detection technology to guard against DDoS attacks,
and has invested in ISO certifications and becoming PCI DSS-compliant to show customers how
seriously it takes this issue.

However, Strain adds that it’s also important operators do not overlook the important role staff
play in maintaining the integrity of an organisation’s cyber defences.

“Successful management of your people and secure management of the physical infrastructure
for your business and your customers is about making sure everything is under your control so
your customers trust you,” he says.

The people element of datacentre security was touched on in the previously mentioned Aegis
Data media advisory, where McCulloch talks up how reassuring the presence of an on-premise
security team can be for security-conscious customers.

“CCTV, security barriers and biometric scanners are all obviously important features [of a secure
datacentre], but nothing makes up for the presence of a human element within the building
24/7/365,” he says.

“Having a team that can be trusted with the security of the site and the protection of the data
stored within will often provide an added level of trust for both clients and datacentre providers
ensuring the safety of information.”
