Over the past few months XYPRO has begun counting down our Top 10 NonStop Security Fundamentals and now we’ve reached the halfway point on our list. Before we get to the #6 item though, let’s recap the list to-date:
#10 Secure the default system access settings
#9 Set-up strong Safeguard authentication and password controls
#8 Ensure individual accountability (no shared IDs!)
#7 Establish granular control of user activity
As you can see from these first four items, we think it’s essential to have strong NonStop security for access, authentication, and activity—all with individual accountability, of course. While these are solid security fundamentals for any corporate system, they are especially important for HP NonStop systems that, typically, run some of a company’s most mission-critical processes.
So now, with those first four items covered, let’s move on to #6 which is about keeping track of what individuals are actually doing when they are logged on as a privileged user (such as SUPER.SUPER) or as an application owner.
#6: Audit all actions of privileged access usersAs the name implies, privileged access users have system rights and capabilities that are greater than those of typical users and that pose a greater risk to the system if misused, either intentionally or unintentionally. Therefore, it is very important to closely track and audit all actions of privileged access users to ensure compliance, deter fraud, and enable troubleshooting. Here are three key steps to do this:
Enable keystroke logging. Recording the activity of privileged access users (even within utilities or the progress of obey files and macros) enables the necessary auditability and oversight of what these key users are doing. On the NonStop, this is only possible with a third-party solution like XYGATE Access Control (XAC), which can provide keystroke logging in which the characters of every command are recorded to an audit file.
Audit all privileged user actions. In addition to recording activities through keystroke logging, it’s important to review the audit file on a regular basis, usually daily, to detect unexplained, unauthorized or otherwise suspicious activity. Audit all actions taken by any individual performing activities as a privileged ID (such as SUPER.SUPER) or an application owner. One way to ensure this audit information is reviewed is to use XYGATE Merged Audit (XMA) to send NonStop security information to an enterprise SIEM (such as HP ArcSight). XMA, which is bundled with the HP NonStop OS, collects the keystroke audit data and normalizes and merges it with other NonStop security event data. XMA then makes the consolidated data available for local review and/or sends to a SIEM.
Ensure tamper-proof audit trails. Editing or deleting audit files, or modifying the audit process itself, could be a way to cover up inappropriate actions on the system. So, clearly, protecting the audit process and audit files from tampering is essential. There are many different ways to do this. For example: 1) XYGATE Object Security (XOS) can ensure that only the authorized application is able to write to the keystroke logging database in use, 2) archived audit files can be sent off box and, 3) the security information can be sent by XMA to a SIEM.
So that’s #6: Audit all actions of privileged access users. A thorough logging and auditing program for privileged users establishes the means for strong oversight over users with the greatest security access rights and who, therefore, may pose the greatest potential risk to the system.
Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #5. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.
For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php
You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).