Whenever a virus is unleashed or a phishing scam claims its latest victims, the media gets to work scaring the world about the dangers of cyber security. Rarely, however, is another serious, and more old-fashioned, form of attack discussed: hardware theft, in which someone picks up a server and takes it away undetected.
"Sometimes we spend so much time worrying about cyber attacks that we forget about the basic problem of physical threats," said Pete Lindstrom, research director at the Malvern, Pennsylvania-based research firm Spire Security. "Information security professionals are distracted by worms and viruses, physical security guards monitor the entrances and exits to buildings, and facilities personnel are spread thin trying to keep the entire site up and running."
Will Schmit, proprietor of Anchor Desktop Security in Albuquerque, N.M., agrees with Lindstrom. Schmit has been a locksmith for more than 20 years and now customizes computer security hardware for healthcare and utility clients. He's been fighting an uphill battle to convince IS organizations to take better care of the physical side of security.
"It has been a difficult task illuminating the public of the dangers of data loss as computers have been getting cheaper every year," says Schmit. "It usually takes a data theft for people to reach for answers."
For example, U.K.-based online bookseller WH Smith's Web site crashed when a thief strolled away with a server. And a stolen server at a regional office of the Canadian Customs and Revenue Agency compromised the personal data of 120,000 individuals.
So what steps can be taken to deter theft or prevent it altogether? Let's examine some simple actions and technologies that can make your server room more secure.
Not surprisingly, various levels of physical protection can be attached to servers. Cables and base plates are better than nothing and probably good enough for laptops and PCs. But when it comes to mission-critical servers, server entrapment hardware is the way to go.
"With today's servers costing in the neighborhood of $799 to $10,000 (or more) each, server entrapment prevents theft of the unit, the internal components, and the data," says Dedrick Martin, Western Region Sales Manager for AnchorPad Security, an Anaheim, Calif.-based company specializing in physical computer security products. "No plate system or security cable can provide that level of security."
AnchorPad units typically consist of a steel case glued or bolted to the floor, pick-resistant locks, and steel straps to prevent the removal of individual components. The basic choice is the Universal Tower Entrapment ($155) or the higher-end XL Covert model ($250). The latter option fits most servers and gives users more mounting and locking options. For quantities of 50 or more, AnchorPad can manufacture custom-measured units.
For those with very specific needs, customization is available at a price. Anchor Desktop Security (not to be confused with AnchorPad Security) sells units from $900 to $2,000. Instead of trying to make the servers fit into the security box, Schmit designs each enclosure to meet organizational needs. He takes into account requirements such as extra ventilation, secure storage for server keyboards, tamper sensors, cellular phone links, fire protection, and liquid cooling equipment. Further, if, for example, the server must be mounted on a wall seven feet off the ground or the enclosure has to be a specific color, it is built that way.
Such equipment is not for everyone, though. Small businesses or servers with less than mission-critical data are probably the best candidates for the $200 answers from the likes of AnchorPad. Schmit reports that the largest users of what he calls "real deal" entrapments are in the power, telecommunications, and data network industries. They are buying the products to protect their gear in remote locations or keep confidential information safe.
"Servers with the whole cookie jar have to be taken seriously," says Schmit. "The guy with the most to lose has the most to save."