DBIR 2013 Blog Part II – Data at Rest is Most at Risk

In the last blog in this series, we introduced the 2013 Verizon DBIR, which includes the following facts:

•	621 confirmed data breaches studied in detail
•	19 contributors, including government agencies, private security organizations and consulting companies
•	44 million records compromised
•	The largest and most comprehensive data breach study performed each year
•	75% of attacks were opportunistic – not targeted at a specific individual or company – with the majority of those financially motivated
•	37% of breaches affected financial institutions

In this blog we’re going to look at the report in more detail and see what trends and patterns it shows us.  Note that the full report is available at http://www.verizonenterprise.com/DBIR/2013/

Key observations from the report include:

Most Attacks Still Use Basic Techniques

•	76% of network intrusions exploited weak or stolen credentials.
•	Over 78% of attack techniques were considered “low” or “very low” in difficulty (on the VERIS scale which Verizon uses to categorize breaches).

14% of breaches were insider attacks

•	Lax internal practices often make gaining access easier
•	Over 50% of insiders committing sabotage were former employees using old accounts or backdoors not disabled
•	Over 70% of IP theft cases committed by internal people took place within 30 days of announcing their resignation

Data at rest is most at risk

•	Of 621 cases Verizon investigated, none involved data in transit
•	66% of breaches involved data at rest in databases and file servers (the rest was data being processed when it was accessed)

Types of attack vary depending on industry and region

•	Small retailers in USA subject to attacks on poorly configured remote systems to access POS data
•	Banks subjected to ATM skimming and web application attacks
•	POS attacks much less frequent in Europe than AP and Americas
•	As we mentioned in the last blog, 37% of breaches affected financial institutions

Spotting a breach isn’t always easy, or quick

•	66% of breaches in the report took months, or even years, to discover.  Note also that this problem is getting worse – in the previous years’ study, this figure was 56%
•	69% of breaches were spotted by an external party, with 9% being spotted by customers!

We can see from this summary how important it is to look after the basics – implement secure passwords, ensure employees have access to only the data/systems they require, practise good housekeeping with users, protect sensitive data at rest, and be aware of the types of attack that are prevalent for your industry and region.

Interestingly, the good folks at the PCI Security Council seem to be heading to the same conclusions.  Highlights of the upcoming PCI DSS v3.0 specification have just been published by the council, and they indicate a focus on fundamentals.  “For good security, you have to do the basic stuff first,” says Bob Russo, general manager of the PCI Security Standards Council. “In 90% of the breaches we see, the cause is failure to do the basic things like creating strong passwords and monitoring data.”

In the next blog we’ll look at conclusions and recommendations, and see how this all applies to NonStop users.

What do you think – have you read the DBIR?  How relevant is it to your organization and your role?  Let us know via the comments section below, or by emailing me at andrew.price@xypro.com.

NonStop Security Fundamentals Top 10 List – #9

Because high-availability and fault-tolerant systems need strong security

Previously, we started our countdown of the top 10 NonStop Security Fundamentals with “Secure the default system access settings” in the #10 spot. This week we’ll continue on to #9 on our list.

#9: Set-up strong user authentication and password controls

Establishing strong user authentication and password management controls are critical aspects of any security program and are a major requirement for meeting PCI DSS compliance. Safeguard provides the core functionality necessary to do this and there are additional tools available for extended capabilities and advanced requirements.

Requirement 8 of PCI DSS deals with user identification and password management and is a useful guide even if you’re not subject to PCI compliance—let’s use it as framework for discussion.

PCI DSS 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data.

Providing each user with a unique userid establishes individual accountability within the system. While Safeguard provides the ability to add new users with unique userids, it also has certain privileged userids (e.g., SUPER.SUPER) that by default allow shared access (i.e., no individual accountability). To fully meet this PCI requirement and ensure individual accountability for all users, consider an add-on security solution. For example XYGATE Access Control (XAC) can be deployed to grant users role based access via their own, unique userids while granting and auditing privileged access. Furthermore, XAC can be used to allow an individual user to perform only a restricted subset of what SUPER.SUPER is allowed to do.

PCI DSS 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric

Passwords are the most common method for authenticating a user, and Safeguard has standard support for them and also has password management controls (more on that later). To simplify user management or improve user experience, many companies choose to integrate aspects of NonStop user authentication with an enterprise-service such as Active Directory. One way to do this is through XYGATE User Authentication (XUA) which has an LDAP interface for the NonStop. XUA enables companies to use enterprise services and reduce password management overhead and improve users’ experience by reducing password management overhead.

PCI DSS 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.

It is widely accepted that usernames and passwords alone do not provide sufficiently strong authentication—and this is particularly true when it comes to authenticating users from outside the network. To address this security concern, two-factor (a.k.a., multi-factor) authentication has been developed and is required by PCI for remote access.

A common approach for second-factor authentication is the use of a token device, like RSA SecurID. Support for this capability is available through add-on solutions such as XUA. XUA provides additional logon controls beyond what is available through Safeguard, and supports authentication using RSA SecurID.

PCI DSS 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

Protecting passwords during transmission is accomplished by using the secure communications capabilities that are part of the NonStop operating system (SSL or SSH).

To protect stored passwords, Safeguard should be configured to encrypt passwords using the most secure algorithm:
• PASSWORD-ENCRYPT = ON
• PASSWORD-ALGORITHM = HMAC256

PCI DSS 8.5: Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as follows: (subparts 8.5.1 – 8.5.16)

Requirement 8.5 actually has 16 sub-parts relating to different aspects of user identification, authentication and password management. Generally, Safeguard provides the necessary tools to control userids and manage passwords but there are a couple key gaps that need to be addressed.

Firstly, the password reset process must be strengthened. While Safeguard allows the reset of user passwords (or this might be done through an enterprise service), PCI 8.5.2 requires that a user’s identity be verified before the reset. To meet this requirement, a company must implement some process or mechanism to confirm identity when a reset is requested. One way to achieve this verification is through XYPRO solutions which can present a user-specific challenge question to the Help Desk along with the expected answer that the user requesting the reset should provide. Furthermore, Safeguard password changes are always local. To do network password changes, NonStop customers will need an add-on product like XYGATE Password Quality (XPQ).

Secondly, the session timeout process must be hardened. PCI 8.5.15 requires re-authentication if a session has been idle for more than 15 minutes. However, NonStop’s native timeout mechanism (TACL configuration) can only timeout a session if the user is at a TACL prompt and users can easily bypass this. XYPRO’s XAC solution solves this problem by forcing timeout of XAC-controlled sessions whether at a TACL prompt or within a utility.

Lastly, many of the aspects of PCI DSS 8.5 fall into the general area of user and password administration—ensuring a strong password format, enforcing password changes, removing inactive/terminated users, failed attempt lockout and duration, etc.—and Safeguard has the ability to do this. However, depending on the number of users, the management overhead for this administration may be high and tools have been developed to assist. For example, XPQ provides password management capabilities which strengthen security while easing administrative effort.

So that’s #9 on our list—set-up strong user authentication and password controls. Do you agree/disagree? Let us know what you think.

In our next post, we’ll discuss NonStop Security Fundamental #8.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at:https://www.pcisecuritystandards.org/index.php

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).