Targeting the servers
On March 31, 2006, AIG had a server stolen with over 900,000 customer records on the system. This wasn't a case of a target of opportunity; the thieves had to go in through the ceiling to get the server, so they knew exactly what they were after. The server was 'protected by a password', which just means it had an OS on it that requires an account and password. In other words, any enterprise-level OS. The thieves may not have been targeting the data on the server, but it's more likely than not that they knew what the server was used for and were looking specifically for the consumer information on the system.
Yesterday I argued that putting the company's data on the central servers was more secure than having it on laptops, but I should have added the caveat that the company's servers have to be properly secured themselves. Data center design is a science and is expensive, but if done correctly, it would have prevented AIG from having its servers stolen. Where were the closed-circuit cameras on the data center, and why didn't the walls around the data center extend past the ceiling tiles up to the actual roof? Both of these are basic steps that should be taken when building a server room, just like planning for the power and cooling requirements of the room.
I've worked in too many companies over the years that think securing the servers means putting them in a room with a lock on the door. That's it; they've done their duty as far as management is concerned. I even worked at one company where the server room was the space at the top of the stairwell next to the telecom equipment. These are the same companies that rely on those computers to do their daily work and would be out of business if the server were stolen or destroyed. Management couldn't be persuaded to do more because they failed to recognize the value of the servers to their business.
We live in a time where the information contained on a server is often more valuable than the server itself. A server can be easily replaced; the information, not so much. The 900,000+ customer records that AIG lost will most likely cost the company well over $10 million in notification alone. It couldn't have cost them more than $100,000 to have properly secured their server room in the first place, maybe $500,000 if this was a major data center for the company. More likely it would have cost them well under $50,000. It's hard to provide an ROI on security measures before an incident, but it's relatively easy to show how much the company would have saved by investing in a little security beforehand.
Thieves are starting to target servers. I don't know if they're doing it for the hardware or the information on the systems at this point, but I can almost guarantee that they will be targeting the information sooner rather than later. It's no longer a case of taking a laptop or desktop because it was left unattended or close to a door. Organized crime is going to start taking a look at what can be done with close to a million customer records at their disposal. The ROI on that proposition is very clear for them, especially if they're not targeting all the customers of AIG, but just one or two very rich or influential customers. And it makes the idea especially tempting when the affected business is willfully blind to who took the servers and why.



