Wednesday, October 28, 2009

Successful Security SIG

Thursday the 8th of October saw XYPRO’s British contingent (Sean and myself, Dan) heading to London for the fourth British Isles Tandem User Group (BITUG) Special Interest Group (SIG) of the year – the subject matter being very close to our heart: security.

The location was Hewlett Packard’s Wood Street offices in Moorgate, central London. If you’re a fan of Google Earth and ever find yourself visiting those offices, make sure you take a quick trip up to the top floor in one of the glass elevators – you’re assured a great view! Back to business: HP deserve a special thanks for providing their facilities, food and refreshments.

The day started off with a Connect/GTUG update (event in Germany on 18th and 19th November, with optional Security Workshop on the 20th). The two day conference element appears to have a feature-packed schedule of around seven different tracks. For any non-German speakers considering a visit, just one of those tracks is in German, so the vast majority will be in English and ideal for international visitors. We’ll update the XYPRO news feeds as soon as the schedule is completed.

Next up was an HP Security update from Iain Liston Brown who covered several products, including the use of XYPRO’s XYGATE Merged Audit (XMA) when using HP’s Compliance Log Warehouse (CLW) with NonStop servers. This was followed by an interesting presentation by James Tomaney of Barclays. Most of the ears in the room pricked up when he broached the successful move from IBM to NonStop for Barclays’ ATM network.

The afternoon saw three vendor presentations, including XYPRO’s Audit in the Enterprise. An interesting point raised was the submissions made to the DataLoss Database website, point your browser toward http://datalossdb.org/ for some rather alarming reading.

Last up was Ron LaPedis’ Volume Level Encryption presentation, exploring the various potentials for NonStop data loss and what can be done to prevent the loss and/or encrypt the data.

It was a shame that the PCI Qualified Security Assessor (QSA) had to pull out of his presentation, as I’m sure that would have made for some useful information, but that didn’t take anything away from what was still a very useful day. Fingers crossed we’ll revisit the subject of PCI compliance on NonStop in a future event – the next one being the BITUG ‘Big SIG’ on 3rd December in London (and education day on 2nd).

With the Security SIG now out of the way, the BITUG team will be turning their attention to dotting the Is and crossing the Ts on the Big SIG plans. Keep your eye on the XYPRO news feeds (LinkedIn, Facebook, Twitter, XYPRO.com etc.) and www.bitug.com for more info.

Dan Lewis
European Marketing Manager
XYPRO Technology Corporation

Wednesday, October 21, 2009

Stockholm Calling

The last four months of 2009 see a relative flurry of activity for the NonStop community in Europe. The first of six different outings in the space of three months started with the Viking NonStop User Group’s (VNUG) annual event. This year it was held in Sweden at the Vidbynäs Slott golf hotel in Nykvarn. That’s about an hour from Stockholm, or more like an hour and a half if you had our taxi driver, whose aptitude for navigation was matched only by our grasp of Swedish - what goes around comes around I guess!

This is XYPRO’s sixth visit to the well run and very friendly VNUG event, which has never been held in the same location twice and switches between Finland and Sweden – sometimes literally, as was the case of the ferry-based conference a couple of years ago!

Day one (28th September) was an optional education or golf day. The accredited education (Troubleshooting in the NonStop OSS Environment) was provided by HP at its Solna office and the golf was on the very picturesque course next to the conference hotel. We were unable to attend either this year, arriving late in the evening on the 28th, but on talking to the golf participants in the bar, it sounds like we were spared a tough afternoon of searching through aggressive rough and the loss of several balls to tricky water hazards!

Days two and three (29th, 30th September) saw the conference proper: a busy agenda of eight vendor presentations, two slots from HP (interesting to hear about the launch of quad core blades in 2010/2011), user presentations, and an HP Q&A session.

XYPRO’s PCI compliance and enterprise auditing presentation was scheduled in for just after lunch on the 29th. That turned out to be great timing, as everyone left lunch in an upbeat mood after having had some very good food.

Later that day saw all participants divided into teams for the VNUG competition. This involved walking the Vidbynäs Slott grounds answering NonStop-based quiz questions. An expertly timed beer stop after question four ensured everyone had enough lubrication to complete the full ten questions without any hardship. Proving that my team was paying full attention during the day’s presentations, I found myself in the joint winning team (9 out of 10 correct) and recipient of a rather splendid chopping board and carving kit – which later resulted in a fine from British Airways for overweight baggage, but that’s a different story! More great food and wine at dinner set the scene for a good evening of business networking and competitions in the pool lounge upstairs...

Day three picked up where the conference part of day two had ended. HP’s NonStop Programs Marketing Manager, Diana Cortes’ update made for some interesting viewing, including news of the Connect Global NonStop Summit being planned for October or November 2010 in California – exact details are still being finalised. The conference came to an end mid afternoon on the 30th, with presentation of various vendor and VNUG competition prizes – congratulations to Esa from Nordic Processor who won XYPRO’s prize, a wireless iPod dock.

Our thanks to Tommy Johansson and everyone at VNUG for putting on another excellent event. We’ll hopefully see you again in December for the unofficial ‘VNUG Christmas Beers’ I was talking to Sami about! Failing that, we look forward to VNUG 2010.

See the XYPRO calendar for all upcoming European and global events we’ll be attending. 

Dan Lewis
European Marketing Manager
XYPRO Technology

Wednesday, October 14, 2009

Use XSW to save time and money for HP NonStop file reports and compliance

Part 1 of 3

Why would you even think of using DSAP for PCI, SOX, HIPAA or other security compliance reports? Yes, you can create DSAP reports on HP NonStop Guardian files, such as PROGID, LICENSE, files greater than some size, security settings or owners, but it kills hours and hours of your time. Creating these reports for just a single node would take hours, and what you would have is a pile of useless paper! I feel sorry for the wasted trees.

Using XYPRO’s Security Compliance Wizard (XSW) can save you all that grief and time when generating PCI, SOX, HIPAA or other security compliance reports. Don’t waste your time! XSW can automatically create these custom reports for you in minutes, instead of hours or days. In addition, it can be streamlined to identify only changed files, thus saving many hours of analysis work. XSW can collect from multiple systems and generate combined reports across them, something you just can’t do with any other tool.

- Ellen Alvarado
NonStop Security Specialist

Wednesday, October 7, 2009

How to Resist a Dictionary Attack:

Password Quality is Key
If you’re a security or network administrator, then you probably already know that withstanding a dictionary attack is a common security requirement. For those who may not know, a dictionary attack refers to the general technique of trying to guess some secret, usually a password, by running through a list of likely possibilities, often a list of words from a dictionary.

So, what type of password can resist a dictionary attack? Well, one that is not a word that can be found in any dictionary, of course! Simply put, the best defense against a dictionary attack is a strong password composed of a combination of different types of characters.

Password Quality is Key!
Password quality is so critical that it is a PCI compliance requirement. Further, password quality plays a key role in resisting even a brute force attack, because the password cracking programs used for such attacks work by applying all the common variations of every word in the dictionary. They generate character sequences working through all possible one-character passwords, then two character, then three character, etc. The variations of words are encrypted and the resulting hashes are compared to the hashes in the password file being cracked. If the hashes match, the password is known.

Our Solution
XYPRO’s Password Quality (XPQ) software has helped numerous users effectively resist a dictionary attack. XPQ provides a wide range of password strengthening techniques, forcing users to create passwords that are able to withstand a dictionary attack. XPQ can be configured to require the following of users when creating or changing their passwords:

• Include both upper and lower case characters
• Include special characters in the password
• Include control characters in the password
• Include letters and numbers in the password
• Do not include any part of the user’s logon ID in the password
• Use a password length of up to 64 characters

What’s more, the rules can be mixed and matched to meet any site’s password quality requirements. Along with a minimum password length, periodic password expiration, and password history tracking, passwords created with XPQ-enforced rules would be virtually unbreakable via a dictionary attack.

In addition to enforcing Password Quality rules, XPQ offers yet another approach to withstanding a dictionary attack – generated passwords. If XPQ is configured to take advantage of this function, the generated passwords always match your configured quality rules and, therefore, are not vulnerable to a dictionary attack. Because many dictionary attacks target privileged userids such as SUPER.SUPER or the application owners, companies could establish a policy of always using generated passwords for their privileged userids.

The Proof is in the Numbers
The table below shows the amount of time* a successful brute force attack takes, depending on the combination of characters used in the password.
[Table: brute force attack time by password character set (image not reproduced)]

*The numbers should not be interpreted as actual time. The speed of the attack depends on multiple factors including computing resources, password encryption level, etc. However the table is a good illustration of how important enforcing password quality rules is for brute force attack resistance. Source for statistics and calculations: http://geodsoft.com/howto/password/cracking_passwords.htm

As the table shows, cracking a “simple” seven-character password would take 22.3 hours, while the same seven-character password composed of mixed case characters extends the attack time to 3.91 months. Adding numbers and symbols to the password extends the time needed to process all possible combinations to more than two years. So, if a password is also changed regularly, this can mean an extended state of security against an attack.
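As an added example (not code from this post and not XPQ's own), here is a Python policy checker that enforces the rules listed above, generates passwords that satisfy them, and computes the keyspace behind the table's figures; the logon-ID rule's 3-character window, the minimum length of seven and the GROUP.USER logon format are my assumptions. Going one step beyond the table, the same keyspace function reproduces its 128-fold ratio between a lower-case and a mixed-case seven-character password (52^7 / 26^7), i.e. 22.3 hours against 3.91 months.

```python
import secrets
import string

# Hypothetical policy modelled on the rules listed in the post; it is not XPQ's
# real configuration or code. Logon IDs are assumed to take the GROUP.USER form.
MAX_LENGTH = 64
SPECIALS = set(string.punctuation)  # 32 printable symbols
# (class name, membership test, class size): shared by the rule check and the keyspace estimate
CLASSES = (("lower", str.islower, 26), ("upper", str.isupper, 26),
           ("digit", str.isdigit, 10), ("special", SPECIALS.__contains__, len(SPECIALS)))

def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, test, _ in CLASSES if any(test(c) for c in password)}

def contains_logon_part(password, logon_id, window=3):
    """True if any run of 3+ characters from the logon ID appears in the password."""
    pw = password.lower()
    for part in logon_id.lower().split("."):
        if any(part[i:i + window] in pw for i in range(len(part) - window + 1)):
            return True
    return False

def check_password(password, logon_id, min_length=7):
    """Return the names of the rules the password breaks (empty list = accepted)."""
    used = classes_used(password)
    rules = (
        ("length", min_length <= len(password) <= MAX_LENGTH),
        ("mixed_case", {"lower", "upper"} <= used),
        ("digit", "digit" in used),
        ("special", "special" in used),
        ("logon_id", not contains_logon_part(password, logon_id)),
    )
    return [name for name, ok in rules if not ok]

def generate_password(logon_id, length=12):
    """Draw passwords from a CSPRNG until one satisfies every rule above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, logon_id):
            return candidate

def keyspace(password):
    """Candidates of this exact length over the classes the password draws from:
    the number of guesses an exhaustive brute force must be able to make."""
    used = classes_used(password)
    return sum(size for name, _, size in CLASSES if name in used) ** len(password)
```

Dividing keyspace(password) by an assumed guess rate gives the worst-case attack time; as the post's footnote says, the absolute figure depends on hardware and hash cost, but the ratio between character sets does not.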

Bottom line: Don’t let your system and critical data be left vulnerable to attack due to easily decoded passwords. Maximize XPQ to keep your passwords up to par!

Want to learn more? Visit us at www.xypro.com