One data center management team learned the hard way that bugs can be a menace — or, to be more specific, the people who hunt them. And we’re talking about real, six-legged bugs, not the computer kind.
It started last November when NetSPI, a Minneapolis-based penetration testing firm, was hired to do a test by a company that owned several colocation facilities. NetSPI’s job was to use social engineering to physically breach the data center, with the objective of getting into one of their facilities and into a position where they could access the networks.
“This was a highly secured facility,” said Dalin McClellan, senior security consultant at NetSPI. “All the doors have retina scanners and badge readers. And there are man traps. You go through the door into a small room and have to wait for the first door to close before you can open the second door and come in.” That means that McClellan’s team couldn’t just follow someone into the building. Worse yet, there are only two employees who work at the facility, plus a security guard. Strangers would immediately stick out. “Plus, we only had a week to prepare,” said McClellan.
Normally, NetSPI would conduct deep research on the facility, find out about all the external visitors who are allowed in, collect copies of stationery and sample email, and connect with the employees via social media or other channels. They typically start with Google, the company’s own website, and LinkedIn, and then proceed to learn anything and everything they can about the facility and about the people who work there.