Friday, March 14, 2014

XYPRO NonStop Security Fundamentals Top 10 List – #5

Because high-availability and fault-tolerant systems need strong security

Okay, so now we’re to the top five items on our list—items #6 to #10 are posted on XYPRO’s website and LinkedIn page.

Throughout the earlier items on our Top 10 List, the concept of access control came up rather frequently (either directly or indirectly), so let’s focus a bit more on it. As described in XYPRO’s HP NonStop Server Security Handbook, “Access Control is the whole array of tools and procedures used to limit, control, and monitor access to information and utilities. Access control is based on a user’s identity and membership in predefined groups. Access control makes it possible to control the use, availability, integrity, and confidentiality of objects and information on the HP NonStop Server.”

Clearly, access management is very important. However, it can be a daunting challenge to individually manage all the various access privileges for every user. The effectiveness of even an excellent security access management plan can be weakened when its corresponding administrative overhead is too high. With this in mind, we come to the #5 NonStop Security Fundamental:

#5: Strengthen access management with role-based access control (RBAC)

Role-based access control (RBAC) is a security approach in which system access and permission rights are grouped according to user roles and then individual users are assigned to a role. The security system then makes access decisions according to the user’s role.

The idea here is quite simple: using role-based access can reduce management overhead and facilitate the implementation and enforcement of standardized access rules—all of which strengthens security access management.

While possible, setting up RBAC with Safeguard requires extensive administration. Third-party solutions, like XYGATE Access Control (XAC), provide a more manageable method of implementing RBAC. The single, major difference between XAC and Safeguard RBAC is the ability to define control by job function in XAC. Safeguard simply isn’t architected for role-based control whereas a solution like XAC is designed for it.

Using ACLGROUPs for RBAC. As with all XYPRO products, XAC is developed around the concept of ACLGROUPs. ACLGROUPs allow you to define control based on job function (database administrator, systems administrator, security administrator, etc.). You start by defining roles, then you add users to those roles. Users can have zero or more roles. Access is granted based on the role as opposed to the user.

For example, ACLGROUPs can be used to provide different access rights, based on role, to SQLCI functions. Let’s say all database administrators are assigned to the “DBA” group and need full access to SQLCI functions. To enable this, a rule is written in the DBA ACLGROUP to allow this role unfettered access to SQLCI and all other database manipulation functions and utilities. However, system administrators may only need read-only access to SQLCI; therefore, their ACLGROUP (let’s call it “SYSADMIN”) is written to allow just read-only access to SQLCI (with PURGE, UPDATE, DROP, ALTER and CREATE disabled). Now, managing individual users’ access is as simple as assigning them the appropriate roles—ACLGROUP rules will then correctly determine access rights.

The RBAC in this example requires only a small number of rules in XAC that can be applied to zero or more users using wildcards/regular expressions—and that can be extended to aliases. Once the rules are in place, you can add or remove users’ access to functions at any time.
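The DBA/SYSADMIN example above can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not XYGATE's rule syntax or decision engine, and the role names, member patterns and command lists are constructed. It shows the three properties the post relies on: rules live on the role (ACLGROUP), not the user; a user or alias is matched to zero or more roles by wildcard pattern; and control reaches the sub-command level (here SQLCI's PURGE/UPDATE/DROP/ALTER/CREATE are denied for SYSADMIN, and FUP's LICENSE command is denied as well), with deny entries taking precedence and everything else defaulting to deny.

```python
"""Conceptual RBAC model in the style the post describes for ACLGROUPs.

Added illustration only: this is not XYGATE's rule syntax or decision
engine. Roles (ACLGROUPs) carry per-program allow/deny rules down to the
sub-command level, users and aliases are matched to roles by pattern, a
user may hold zero or more roles, and every decision is made on the role,
never on the individual userid. Names, patterns and commands are constructed.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field


@dataclass
class Rule:
    """Allow/deny patterns for the sub-commands of one program."""
    program: str
    allow: set[str] = field(default_factory=lambda: {"*"})
    deny: set[str] = field(default_factory=set)

    def permits(self, command: str) -> bool:
        cmd = command.upper()
        # A deny entry always wins over an allow entry.
        if any(fnmatch.fnmatchcase(cmd, p) for p in self.deny):
            return False
        return any(fnmatch.fnmatchcase(cmd, p) for p in self.allow)


@dataclass
class AclGroup:
    """A role: who is in it (userid/alias patterns) and what it may run."""
    name: str
    members: list[str]
    rules: dict[str, Rule]

    def has_member(self, subject: str) -> bool:
        return any(fnmatch.fnmatchcase(subject.upper(), m.upper()) for m in self.members)


# Constructed policy (an assumption for this example, not an XAC configuration):
#   DBA      - unrestricted SQLCI
#   SYSADMIN - read-only SQLCI (PURGE/UPDATE/DROP/ALTER/CREATE denied) and
#              FUP with the LICENSE command denied
POLICY: list[AclGroup] = [
    AclGroup("DBA", ["DBA.*"], {"SQLCI": Rule("SQLCI")}),
    AclGroup("SYSADMIN", ["SYS.*", "ALIAS:OPS_RKLEIN"], {
        "SQLCI": Rule("SQLCI",
                      allow={"SELECT", "INFO*", "FILEINFO", "DISPLAY*"},
                      deny={"PURGE", "UPDATE", "DROP", "ALTER", "CREATE"}),
        "FUP": Rule("FUP", deny={"LICENSE"}),
    }),
]


def roles_for(subject: str, policy: list[AclGroup] = POLICY) -> list[str]:
    """ACLGROUPs a userid or alias belongs to; an empty list is valid."""
    return [g.name for g in policy if g.has_member(subject)]


def check_access(subject: str, program: str, command: str,
                 policy: list[AclGroup] = POLICY) -> tuple[bool, str]:
    """Grant if any role held by the subject permits the sub-command.

    Default deny: no role, no rule for the program, or an explicit deny in
    every matching role all result in (False, "no-role-allows").
    """
    prog = program.upper()
    for group in policy:
        if not group.has_member(subject):
            continue
        rule = group.rules.get(prog)
        if rule is not None and rule.permits(command):
            return True, group.name
    return False, "no-role-allows"


def assign_role(subject: str, role: str, policy: list[AclGroup] = POLICY) -> None:
    """Adding a person to a role is the only per-user change needed."""
    for group in policy:
        if group.name == role:
            if subject.upper() not in (m.upper() for m in group.members):
                group.members.append(subject)
            return
    raise KeyError(f"unknown role {role!r}")


if __name__ == "__main__":
    for who, prog, cmd in [("DBA.JSMITH", "SQLCI", "PURGE"),
                           ("SYS.OPS", "SQLCI", "PURGE"),
                           ("SYS.OPS", "FUP", "LICENSE"),
                           ("APP.USER1", "SQLCI", "SELECT")]:
        print(who, prog, cmd, check_access(who, prog, cmd))
```

Note that the alias subject ("ALIAS:OPS_RKLEIN") is matched as its own member entry, separate from any underlying userid, which is the distinction the post draws between XAC and Safeguard; and that granting a new person DBA rights is a single `assign_role` call rather than a new rule per program.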

Doing this in Safeguard requires a unique rule per user per subsystem/binary/program. Safeguard does NOT have the ability to limit access to specific commands within a subsystem as XAC does. So, while possible, RBAC in Safeguard requires extensive manual intervention and an enormous number of rules—and every change introduces an opportunity for human error that could lead to stability issues.

Don’t forget auditing! Using XAC for RBAC provides another important benefit: XAC auditing can also be done at a much lower level. Safeguard can record what userid accessed what object at what time, but little else. With XAC, exact commands and output can be logged with non-repudiation (XAC can be configured to prompt for the user’s password before allowing sensitive commands).

A major note for alias users: Safeguard auditing and protection are always based on the underlying userid. Safeguard does not treat aliases as unique, only the underlying userid. XAC (and all XYGATE modules) can differentiate between aliases and grant/revoke access and audit based on userid and/or alias.

Alright, well that’s #5: Strengthen access management with role-based access control (RBAC). RBAC simplifies security administration and can enable a greater degree of security and control for your HP NonStop systems.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #4. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Saturday, February 15, 2014

XYPRO Engineering Team Building – doing the Robot!

As part of our annual corporate kick-off event, this year the entire engineering team took part in a full day team building exercise. Taking over all the available space at our Simi Valley headquarters, we were split up into color-coded groups, each of which included members of different parts of the engineering team. Armed with a Lego Mindstorm EV3 kit, each group was presented with a series of tasks (requirements), which consisted of pre-constructed courses on which the robots needed to navigate a maze and move obstacles around the course. The challenge? Design and build a robot that would be able to complete the tasks by the end of the day.

Structured roughly along the lines of our Software Development Life Cycle (SDLC), time was allocated for requirements definition, project planning, design, development and unit testing, QA testing, and deployment.


Things got off to an energetic start with each team doing a good job of dealing with 600+ Lego pieces, learning the software used to program the robots, and planning out the approach. Would some teams jump straight into robot building, with others spending more time documenting requirements and planning? Each team allocated their tasks well so everyone was kept busy, but what factor would planning things out early play? Would those who made that early effort see a payoff later in the day…?


As the day progressed, some very different approaches were becoming apparent, and the teams were realizing that completing all three challenges was going to be difficult, if not impossible. The teams naturally started with challenge #1 which wasn’t necessarily the easiest. Some gentle “guidance” by the mentors to evaluate all the challenges and focus on the easiest challenge first proved helpful and soon each team was making solid progress on that challenge.

With 90 minutes to go before “deployment”, each team was given some time to QA their robots on the actual challenge courses. Some teams’ robots completed the challenge on the first try, others needed tweaking, but all had something ready to attempt the challenges. Each team returned to their workshops to complete final tweaks before deployment.


The moment of truth, the “Deployment Phase.” Each team must now present their robot, outline the approach they took to the challenges, and detail what worked (and what didn’t!). Scores were based on how well they worked together as a team, how well they presented their solution, and of course, how well their robots completed the challenges.


Each team gave an entertaining and informative presentation describing their efforts during the day, the approach they’d taken, and the robot they’d designed. Some of the teams that jumped straight into building their robots found that some more time on initial design would’ve been helpful. Each team presented a robot that was able to complete at least one of the challenges, and as such, all should be very proud of their efforts.

This exercise reinforced the importance of planning, particularly when confronted with such a daunting task (600+ pieces! Understanding requirements!!! A new programming environment!! Difficult challenges!!! Ridiculously short timeframes!!!). It also reminded us of the value of working together as a team, which really was the main point.


At the end of the day, the Blue team (or “Team Teal” as they renamed themselves) won, narrowly defeating the Yellow team by only one point! Congratulations to all the teams, on what was a fun and very constructive day. Bring on Kick-Off Challenge 2015!

Tuesday, December 24, 2013

DBIR 2013 Blog Part III – What does this all mean to me?

In this blog series, we've been discussing the 2013 Verizon DBIR, which includes the following facts:

621 confirmed data breaches studied in detail
19 contributors, including government agencies, private security organizations and consulting companies
44 million records compromised
The largest and most comprehensive data breach study performed each year
75% of attacks were opportunistic - not targeted at a specific individual or company - with the majority of those financially motivated
37% of breaches affected financial institutions

In the most recent blog entry of this series we covered some key observations from the report. In this blog we'll look at what those observations mean to HP NonStop server users, and draw some final conclusions. Note that the full report is available here: http://www.verizonenterprise.com/DBIR/2013/

Key observations from the last blog, with their relevance for NonStop users:

Most Attacks Still Use Basic Techniques

The vast majority of attacks exploited weak or stolen credentials, and were considered "low" or "very low" in difficulty (on the VERIS scale which Verizon uses to categorize breaches).

NonStop relevance: Protect "the basics" - implement strong user authentication; implement (and enforce) password management processes; enforce a policy of minimum required access; ensure no shared accounts (especially SUPER) and keep track of all privileged user activity with keystroke logging. These relatively simple steps will ensure that the types of attacks that Verizon observed in over 70% of cases will fail.

14% of breaches were insider attacks

The majority of insiders committing sabotage were former employees using old accounts or backdoors not disabled, and the vast majority of IP theft cases committed by internal people took place within 30 days of announcing their resignation.

NonStop relevance: Ensure your NonStop user provisioning is integrated with your Enterprise Identity Management system, if you have one - that way as users are decommissioned at the enterprise level, they're also decommissioned on the NonStop. Integrate your NonStop with a Security Incident Event Management (SIEM) solution. That way any suspicious activity can be viewed at an enterprise level, and may be clearer as a result. The "basic" protections above also apply here.

Data at rest is most at risk

66% of breaches involved data at rest in databases and file servers (the rest was data being processed when it was accessed)

NonStop relevance: Protect your data at rest, with encryption or tokenization. Note that Volume Level Encryption (VLE) doesn't really provide the requisite level of protection, as once a user is signed on to the NonStop, their access is based on standard Guardian/Safeguard rules - the "encryption" becomes transparent to them. VLE is really best used to protect entire disks from theft.

Types of attack vary depending on industry and region

37% of breaches affected financial institutions, and banks are often subjected to ATM skimming.

NonStop relevance: As many NonStop users are banks or other financial institutions, the findings in this report are particularly relevant. The recommendations should be carefully studied and applied where it makes sense in customers' environments.

Spotting a breach isn't always easy, or quick

66% of breaches in the report took months, or even years, to discover. 69% of breaches were spotted by an external party, with 9% being spotted by customers!

NonStop relevance: This is where using a SIEM gives some real benefits. By aggregating all security events across the enterprise and presenting them in a normalized fashion, it can be a lot easier to notice anomalies. It's critical for NonStop users to gather all NonStop-based security events and forward them to the enterprise SIEM, if one is present, to ensure that any clues from the NonStop regarding a possible breach are included in the analysis.

As you can see, and as we've mentioned in earlier blogs, looking after the security fundamentals is probably the best "bang for your buck" in terms of securing your critical, NonStop-based applications and their data. To further underscore this, the PCI DSS v3.0 standard has just been published, and it includes an increased focus on the basics, as hinted at in earlier PCI announcements.

XYPRO has been developing products, and providing solutions, to assist our customers to meet their many and varied security requirements for over 30 years. We have solutions to address all the points summarized in this blog, and more - if you'd like more information on anything you've read here, or anything else that comes from the Verizon DBIR, please contact your sales representative https://www.xypro.com/xypro/contact, or email me at andrew.price@xypro.com.

Monday, December 2, 2013

Back In Training – NonStop Technical Bootcamp 2013

XYPRO has just returned from a very exciting few days in San Jose, attending the second annual NonStop Technical Bootcamp. The event was held at the San Jose Doubletree hotel, as it was last year, although this year the venue was bursting at the seams! It turns out that, whilst the number of vendors and HP representatives was roughly the same as last year, user attendance was up over 200% from last year – a sure sign that the event is going from strength to strength. The majority of new user attendees this year came from the Asia-Pacific/Japan region, but there were attendees from Russia, Japan, Taiwan, Israel, UAE, South Africa, Brazil and more.

There had been rumours of a big announcement coming from HP at this year’s event, and the opening general session was packed, in spite of the Beer Bust the night before (which itself is becoming quite a tradition, and a great way to kick off the week). Randy Meyer, in his new role as VP and General Manager of Integrity Servers, jumped pretty quickly to the big news – that HP has committed to bringing the NonStop to x86 (Intel Xeon) processors. This is A BIG DEAL because, as summarised in many other articles, it removes any possible perception of HP’s lack of commitment to the platform, and any FUD (Fear, Uncertainty, Doubt) around the future of the Itanium processor. For the time being, NonStop will be available with both types of processor, and at some point (one presumes) the Xeon-based line will replace the Itanium one.

At XYPRO, we’re very excited about this announcement, for the same reasons that everyone else is. We’re also looking forward to the project to port our software to this new platform, which, from everything we’ve heard, should be a relatively straightforward exercise.

Both of the main conference days were very busy, with excellent content in the presentations and great traffic past the exhibitor booths – indeed, at times things got pretty crowded in the high traffic areas. There was a rumour going around that next year the event will be in a bigger venue, which will be great.

We took the opportunity to meet one on one with many of our customers – these sessions are always great for getting product feedback, discussing possible enhancements and product direction, and just generally catching up with friendly faces. If for some reason we missed catching up with you, and there’s anything you need to discuss with us, please get in contact with me, or your XYPRO Sales representative, and we’ll line something up.

As the name “Technical Bootcamp” implies, this conference had a major focus on training, and on Sunday XYPRO provided 8 hours of pre-conference training on key NonStop security topics. In the first 4-hour session, “Make the Most of your NonStop Security Bundle”, XYPRO’s Dave Teal explained the fundamentals of Audit and Authentication and all the benefits included with the advanced security software included with the OS on HP NonStop servers. Dave described how to easily install, configure, implement and use these valuable solutions and help streamline security audits to meet compliance regulations. In the second 4-hour session, “Everything You Need to Know for PCI Compliance on HP NonStop”, XYPRO’s Rob Lesan went through the why's and how's to meet and exceed PCI compliance regulations easily and efficiently while making the whole process simple and non-intrusive. Both sessions were jam-packed with NonStop technical experts looking to increase their security knowledge.

XYPRO presented on both the Monday and the Tuesday. Monday’s presentation, “Industry-standard, enterprise-wide Voltage Encryption and Tokenization – no code changes required!” was done in conjunction with Voltage, and was an overview of XYPRO’s new XYGATE Data Protection (XDP) product and Voltage’s SecureData. XDP utilizes intercept technology to seamlessly allow NonStop applications to encrypt or tokenize sensitive data using Voltage’s SecureData product, without any application code changes. Tuesday’s presentation was with another XYPRO partner, NetAuthority, and covered “Stronger User Security with Advances in Multi-Factor Authentication”. The session discussed the growing threat of cybercrime, the various multi-factor authentication solutions that have been deployed to protect online and mobile users, and new technologies like NetAuthority’s DeviceLink product which provides two-factor authentication without the overhead of hardware tokens, one time passwords, or other intrusive technologies. Both presentations were well attended, and had some great Q&A activity at the end (or in the exhibit area after the session).

Visit the Connect website for additional info on the XYPRO presentations and other Bootcamp sessions. The NonStop Innovations blog also has a lot of the bootcamp presentations along with interviews with a number of vendors, so check that out at http://www.nuwave-tech.com/hp-nonstop-innovations.

On Monday evening XYPRO hosted a dinner celebrating their 30th Anniversary. This event was held at The Table, in San Jose, and saw about 65 of XYPRO’s customers, partners and employees getting together to enjoy some fantastic food, great service, and one or two adult beverages in a casual environment.

Once again, a fantastic event, and we’re looking forward to being “Back in Training” in November, next year – hope to see you there!

XYPRO Technology
info@xypro.com
https://www.xypro.com

Monday, November 25, 2013

NonStop Security Fundamentals Top 10 List – #6

Because high-availability and fault-tolerant systems need strong security

Over the past few months XYPRO has begun counting down our Top 10 NonStop Security Fundamentals and now we’ve reached the halfway point on our list. Before we get to the #6 item though, let’s recap the list to-date:

#10 Secure the default system access settings
#9 Set-up strong Safeguard authentication and password controls
#8 Ensure individual accountability (no shared IDs!)
#7 Establish granular control of user activity

As you can see from these first four items, we think it’s essential to have strong NonStop security for access, authentication, and activity—all with individual accountability, of course. While these are solid security fundamentals for any corporate system, they are especially important for HP NonStop systems that, typically, run some of a company’s most mission-critical processes.

So now, with those first four items covered, let’s move on to #6 which is about keeping track of what individuals are actually doing when they are logged on as a privileged user (such as SUPER.SUPER) or as an application owner.

#6: Audit all actions of privileged access users

As the name implies, privileged access users have system rights and capabilities that are greater than those of typical users and that pose a greater risk to the system if misused, either intentionally or unintentionally. Therefore, it is very important to closely track and audit all actions of privileged access users to ensure compliance, deter fraud, and enable troubleshooting. Here are three key steps to do this:

Enable keystroke logging. Recording the activity of privileged access users (even within utilities or the progress of obey files and macros) enables the necessary auditability and oversight of what these key users are doing. On the NonStop, this is only possible with a third-party solution like XYGATE Access Control (XAC), which can provide keystroke logging in which the characters of every command are recorded to an audit file.

Audit all privileged user actions. In addition to recording activities through keystroke logging, it’s important to review the audit file on a regular basis, usually daily, to detect unexplained, unauthorized or otherwise suspicious activity. Audit all actions taken by any individual performing activities as a privileged ID (such as SUPER.SUPER) or an application owner. One way to ensure this audit information is reviewed is to use XYGATE Merged Audit (XMA) to send NonStop security information to an enterprise SIEM (such as HP ArcSight). XMA, which is bundled with the HP NonStop OS, collects the keystroke audit data and normalizes and merges it with other NonStop security event data. XMA then makes the consolidated data available for local review and/or sends to a SIEM.

Ensure tamper-proof audit trails. Editing or deleting audit files, or modifying the audit process itself, could be a way to cover up inappropriate actions on the system. So, clearly, protecting the audit process and audit files from tampering is essential. There are many different ways to do this. For example: 1) XYGATE Object Security (XOS) can ensure that only the authorized application is able to write to the keystroke logging database in use, 2) archived audit files can be sent off box and, 3) the security information can be sent by XMA to a SIEM.
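The "review the audit file daily" step above is where most of the value of keystroke logging is realised, so here is what such a review can look like in code. This is an added example written for this page, not XAC's or XMA's audit format or any XYPRO tool: the record layout and the five sample lines are constructed, and the lists of privileged groups, application owners, sensitive sub-commands and business hours are assumptions a site would replace with its own. It applies the post's criteria: only privileged IDs (the SUPER group plus named application owners) are examined, sensitive sub-commands are flagged, a direct logon to a shared ID with no alias is flagged because it defeats individual accountability, and off-hours activity is flagged for follow-up.

```python
"""Daily review of a privileged-user keystroke audit trail.

Added illustration: the record layout below is constructed for this
example and is not XAC's or XMA's audit format. Sample lines are
constructed. The review applies the post's points: consider only
privileged IDs (SUPER group and named application owners), flag sensitive
sub-commands, flag direct logons to a shared ID with no alias, and flag
activity outside business hours.
"""
import re
from collections import Counter

# Constructed sample records (not real NonStop audit output).
SAMPLE_AUDIT = """\
2013-11-20 09:12:03 user=SUPER.SUPER alias=JDOE term=$ZTN0.#PTA1 prog=FUP cmd=INFO $DATA.APP.*
2013-11-20 09:12:41 user=SUPER.SUPER alias=JDOE term=$ZTN0.#PTA1 prog=FUP cmd=LICENSE $DATA.APP.PROG1
2013-11-20 09:15:10 user=APP.OWNER alias=- term=$ZTN0.#PTA2 prog=SQLCI cmd=SELECT * FROM ACCOUNTS
2013-11-20 10:02:19 user=DBA.MARIA alias=- term=$ZTN0.#PTA3 prog=SQLCI cmd=UPDATE ACCOUNTS SET BAL=0
2013-11-20 23:47:55 user=SUPER.SUPER alias=- term=$ZTN0.#PTA7 prog=SQLCI cmd=DROP TABLE AUDITLOG
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) user=(?P<user>\S+) alias=(?P<alias>\S+) "
    r"term=(?P<term>\S+) prog=(?P<prog>\S+) cmd=(?P<cmd>.*)$")

# Site policy (assumptions for this example).
PRIVILEGED_GROUPS = {"SUPER"}
APPLICATION_OWNERS = {"APP.OWNER"}
SHARED_IDS = {"SUPER.SUPER", "APP.OWNER"}      # must be used via an alias
SENSITIVE = {("FUP", "LICENSE"), ("SQLCI", "DROP"),
             ("SQLCI", "PURGE"), ("SQLCI", "ALTER")}
BUSINESS_HOURS = (7, 19)                       # 07:00 up to 18:59


def parse_audit(text: str) -> list[dict]:
    """Parse the constructed record format; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_privileged(user: str) -> bool:
    return user.split(".")[0] in PRIVILEGED_GROUPS or user in APPLICATION_OWNERS


def review(text: str) -> list[dict]:
    """Return one finding per privileged-user record that needs a second look."""
    findings = []
    for r in parse_audit(text):
        if not is_privileged(r["user"]):
            continue
        verb = r["cmd"].split()[0].upper()
        hour = int(r["time"][:2])
        reasons = []
        if (r["prog"].upper(), verb) in SENSITIVE:
            reasons.append("sensitive-command")
        if r["alias"] == "-" and r["user"] in SHARED_IDS:
            reasons.append("shared-id-logon")   # no individual accountability
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            reasons.append("off-hours")
        if reasons:
            # The alias, when present, is the accountable individual.
            actor = r["alias"] if r["alias"] != "-" else r["user"]
            findings.append({"time": f'{r["date"]} {r["time"]}', "actor": actor,
                             "user": r["user"], "prog": r["prog"],
                             "cmd": r["cmd"], "reasons": reasons})
    return findings


def summary(findings: list[dict]) -> Counter:
    """Findings per accountable actor, for the daily report."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    for f in review(SAMPLE_AUDIT):
        print(f["time"], f["actor"], f["prog"], f["cmd"], ", ".join(f["reasons"]))
    print(summary(review(SAMPLE_AUDIT)))
```

On the sample data, the DBA's UPDATE is not reported because DBA.MARIA is not a privileged ID under this policy, JDOE's LICENSE command is reported once, the aliased-free APP.OWNER logon is reported for accountability, and the late-night DROP under a bare SUPER.SUPER logon collects all three reasons. The same logic is what an XMA-to-SIEM feed would let a correlation rule express at enterprise level.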

So that’s #6: Audit all actions of privileged access users. A thorough logging and auditing program for privileged users establishes the means for strong oversight over users with the greatest security access rights and who, therefore, may pose the greatest potential risk to the system.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #5. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Friday, October 11, 2013

NonStop Security Fundamentals Top 10 List – #7

Because high-availability and fault-tolerant systems need strong security

Recent studies have shown that hackers (both internal and external) often use relatively simple attack methods and that it’s as important as ever to follow basic security best practices. Therefore, it makes sense that the first three items in our Top 10 list were about establishing a base level of security within the NonStop system:

#10 Secure the default system access settings
#9 Set-up strong Safeguard authentication and password controls
#8 Ensure individual accountability (no shared IDs!)

Now that we’ve covered those broader fundamentals, this week we’ll get into a more “granular” security topic—controlling user activity at different levels within the NonStop system.

#7: Establish granular control of user activity

A fundamental IT security challenge is to provide users with only the system access and privileges they need to do their jobs (least privilege, or role-based access control, RBAC). Allowing users to have system access and privileges greater than their job requires presents a significant security risk—particularly on the NonStop which typically has mission-critical applications running and sensitive information being processed or stored. The risk is not only from intentionally malicious activity but also from the possibility of an unsophisticated (or stressed or rushed) user, when given too much power, not realizing the ramifications of their actions.

So, to protect the NonStop, it’s important to establish more granular control of what users can do within multiple areas within the system. Let’s specifically look at four areas: user, process, $CMON, and spooler.

User. The system access a user may have, and actions a user may take, are determined by their identity and their membership in predefined groups. When a user attempts to access an object, Safeguard checks the object’s Access Control List (ACL) to either grant or deny specific access privileges to the underlying object. Third-party solutions are available to improve the NonStop’s access management and increase the granularity of control (to the sub-command level, for instance). For example, XYGATE Access Control (XAC) acts as a sentry between users and programs or utilities and, based on configuration settings defined in XAC’s Access Control List (ACACL), user requests to programs or utilities are granted or denied. Furthermore, XAC’s “allow” and “deny” features restrict commands within programs and utilities to the sub-command level for separation of duties and efficient job performance. An example of this would be giving a user privileged access to FUP running as SUPER.SUPER in order to perform their job duties but specifically denying any use of the LICENSE command.

Process. Processes are a type of Safeguard object and, obviously, they need to be managed closely. As with the “User” area discussed above, Safeguard manages access to processes with ACLs. Again, third party solutions can assist with process security and management; XYGATE Process Control (XPC) behaves similarly to XAC in that it sits between the user and the process they wish to manage. The difference lies in that the object is a process and privileges such as the ability to stop, suspend, alter priority, activate and debug the process can be granted to the user ID, whether or not they are the owner of that process. The benefit of this is that if the owner of a process is not present and an action must be taken for the good of the system (stop a runaway process for example), other authorized users can take these actions under their own logon, without having to share userids.

$CMON. The NonStop server has an interface to a user-supplied Command Monitoring Process named $CMON. While the $CMON program is not HP-supplied, it’s recommended that every NonStop system use a $CMON either written by the customer or supplied by a third-party (such as the XYGATE supported $CMON module). When a $CMON is present, messages are sent to the $CMON to verify logon requests and process start requests. The $CMON process can provide many functions for both security and performance reasons:

• Control the CPU and the priority of the request
• Control who can logon to specific ports
• Verify a userid’s request to run a requested program
• Audit the request
• Ensure that the location and priority of all processes is only controlled via $CMON

Note that not having a $CMON presents a serious risk because, if a $CMON is not present, an unauthorized $CMON could be added to the system. The unauthorized $CMON might be used simply to monitor the system or it could be designed with malicious intent (such as stopping, denying or slowing services).

Spooler. The HP NonStop server spooler subsystem is a set of utilities that provides an interface to the system’s print facilities. The spooler receives output from applications and stores it on disk where it can be viewed or sent to a print location for printing. Clearly, access to the spooler needs to be managed to protect sensitive data on disk and to keep it from being printed (print outs being one way to extract stolen data). Furthermore, users with PERUSE access to a job can access the job output’s contents. To protect this area, limit access to spooler utilities to only those users requiring it for their job function. Third-party solutions, such as XYGATE Spoolcom Peruse (XSP), are available to improve security of the spooler, simplify task management and administration and allow for delegation of authority.

So that’s #7: Establish granular control of user activity. Increasing the granularity of control builds on security concepts discussed in earlier blog posts and goes deeper into specific system areas which need closer security management.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Wednesday, September 4, 2013

NonStop Security Fundamentals Top 10 List – #8

Because high-availability and fault-tolerant systems need strong security

This week we’re moving to a simple yet critical fundamental of NonStop security—ensuring individual accountability. While aspects of this were touched upon in both the #10 and #9 NonStop Security Fundamentals, we feel individual accountability is an important enough concept to rate its own entry on the list.

#8: Ensure individual accountability (no shared IDs!)

The NonStop system is shipped with certain shared userids that can be used for privileged or non-privileged access (like SUPER.SUPER or NULL.NULL). However, security best practices and industry regulations, like PCI DSS, require users to have unique userids so that there is clear accountability. This also facilitates effective auditing, remediation and management of individual user rights and access.

These are some areas that must be addressed:

Eliminate shared userids. In the #9 blog we talked about PCI DSS Requirement 8.1 which required all users to have unique userids in order to ensure individual accountability—eliminating the use of shared userids is an extension of that concept. Shared userids, particularly for privileged userids, provide too much access and too little accountability.

Eliminate aliases to privileged userids. Aliases are only available in Safeguard environments and are used to provide alternate user names that can be used to log on to the system. Aliases should not be assigned to privileged userids (like SUPER.SUPER) because the alias gains all the underlying userid’s privileges and Safeguard provides limited auditing of the alias activity. Third-party products like XYGATE Access Control (XAC) can eliminate the need for aliases and provide more extensive auditing. Note, if a company wishes to continue using aliases, any XYGATE module can be configured to restrict the alias’s privileges separately from those of the underlying userid.

While we’re on the topic of userids, let’s cover two additional points about managing personal userids in order to have effective NonStop security with clear accountability:

No personal userids in the SUPER group. Anyone with a personal ID in the group number 255 is a SUPER group member. SUPER group members can set and reset the system time, manage all jobs in the SPOOLER or in PERUSE (regardless of who owns them), and perform all commands within SCF, FUP and several other powerful utilities.

No personal userids assigned to the 255 member of any group. The group member number 255 is the Group Manager ID and should never be assigned as a personal userid. Some of the risks associated with the Group Manager ID are:

• Group Managers can ADD, Alter, Delete userids in their own group if Safeguard is not present or is not configured to prevent it.
• Group Managers can “log down” to the userid of any member of the same group without a password unless prevented by Safeguard.
• Group Managers can PROGID any program owned by a group member.
• In Safeguard, the group manager of the Primary Owner of any object’s Protection Record can also modify any Safeguard Protection Records owned by members of the same group.
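The four rules in this post (no shared userids, no aliases to privileged userids, no personal userids in group 255, no personal userid as member 255 of any group) are easy to turn into a recurring check over a userid inventory. The block below is an added example written for this page, not output of, or code from, Safeguard or any XYGATE product: the inventory, the alias table and the "personal" flag are constructed, and a site would populate them from its own user listing. The check keeps SUPER.SUPER itself (group 255, member 255) out of the personal-ID findings, since it is a system ID rather than someone's personal one, while still treating an alias that resolves to it as a finding.

```python
"""Policy check of a NonStop userid inventory against fundamental #8.

Added illustration: the inventory and alias table are constructed and
the check is written here, not taken from a Safeguard or XYGATE report.
Rules applied from the post: no personal userid in the SUPER group (group
number 255), no personal userid as the group manager (member number 255)
of any group, and no alias that resolves to a privileged underlying userid.
"""
from dataclasses import dataclass

SUPER_GROUP = 255      # group number of the SUPER group
GROUP_MANAGER = 255    # member number of each group's Group Manager ID


@dataclass(frozen=True)
class UserId:
    name: str          # GROUP.USER form
    group: int
    member: int
    personal: bool     # True when the ID is assigned to one individual

    @property
    def privileged(self) -> bool:
        return self.group == SUPER_GROUP or self.member == GROUP_MANAGER


# Constructed inventory (assumption for this example).
INVENTORY = [
    UserId("SUPER.SUPER", 255, 255, personal=False),
    UserId("SUPER.JSMITH", 255, 10, personal=True),   # personal ID in group 255
    UserId("APP.MANAGER", 100, 255, personal=True),   # personal ID as group manager
    UserId("APP.OWNER", 100, 1, personal=False),
    UserId("DBA.MARIA", 120, 5, personal=True),
    UserId("NULL.NULL", 0, 0, personal=False),
]

# Constructed alias table: alias -> underlying userid.
ALIASES = {"jdoe": "SUPER.SUPER", "maria": "DBA.MARIA", "appmgr": "APP.MANAGER"}


def audit_userids(inventory: list[UserId], aliases: dict[str, str]) -> list[tuple[str, str]]:
    """Return (subject, rule-violated) pairs; an empty list means compliant."""
    by_name = {u.name: u for u in inventory}
    findings = []
    for u in inventory:
        if u.personal and u.group == SUPER_GROUP:
            findings.append((u.name, "personal-id-in-SUPER-group"))
        if u.personal and u.member == GROUP_MANAGER:
            findings.append((u.name, "personal-id-is-group-manager"))
    for alias, underlying in aliases.items():
        target = by_name.get(underlying)
        if target is None:
            findings.append((alias, f"alias-to-unknown-userid:{underlying}"))
        elif target.privileged:
            findings.append((alias, f"alias-to-privileged-userid:{underlying}"))
    return findings


if __name__ == "__main__":
    for subject, rule in audit_userids(INVENTORY, ALIASES):
        print(f"{subject:14} {rule}")
```

Run against the constructed inventory, the check reports SUPER.JSMITH (a personal ID in the SUPER group), APP.MANAGER (a personal ID holding a Group Manager number), and the two aliases that resolve to those privileged IDs; the alias to DBA.MARIA is fine because that userid carries no group-level privilege.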

Well, that’s #8: Ensuring individual accountability (no shared IDs!). It’s not just an important security best practice but also a PCI DSS requirement.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #7

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).