Testing physical security at modern data centre sites

Problem

A large data centre operator requested a physical penetration test of two sites to assess their current physical and technical security measures.

The objectives were to test the internal due diligence applied to new customers, to deploy an ‘eavesdropping device’ on an internal network, and to assess the potential to disrupt the Building Management System (BMS). As relatively new sites, they had been built to the latest standards with modern security measures.

Response

The team created a fictitious company under a pseudonym which expressed interest in taking space within the data centre, and was subsequently invited to the client’s head office and on a site visit of a data centre. Little to no due diligence was conducted on the team. There were several opportunities during both visits to deploy an eavesdropping device.

Secondly, the team exploited weaknesses in the process for third-party contractors entering the site. This enabled the team to gain access to the site freely, and in particular to the building management system.

Outcome

The process for contractors working on site was improved immediately. A new policy was written and implemented to strengthen due diligence checks on potential clients. Regular tests are now conducted on the client’s data centres globally, alongside wider security risk management consultancy on the risks identified.