Because high-availability and fault-tolerant systems need strong security
Over the last several months, we’ve covered some very important concepts in our Top 10 countdown of NonStop security fundamentals— you can review items #4 to #10 on XYPRO’s website and LinkedIn page. Now, we’ve reached #3 on the list.
Throughout much of the first seven security fundamentals, the focus was on effectively managing access to the HP NonStop server and controlling and monitoring user access and activity. Obviously, those are absolutely must-have security requirements for mission-critical systems. Now, however, let’s consider the data that’s being processed or stored on NonStop systems.
Given the high-value business applications and processes that are often run on NonStop servers (such as those related to payments, financial services, telco, healthcare, energy, manufacturing, etc.), it’s likely that there is a significant amount of sensitive data that must be protected. And this data—whether it’s credit card information, payment transactions, health information, social security numbers, customer details or some other type of sensitive information—is the most high-value target for hackers and cyber-criminals.
Keeping sensitive data safe is the topic for NonStop Security Fundamental #3.
#3: Protect sensitive data
Two very effective approaches to protecting data-at-rest and in-transit are encryption and tokenization:
1. Encryption. Encryption is the process of using an algorithm to securely transform data into a meaningless form using a secret key. Data can only be accessed in live form by the trusted system that has the appropriate authority to use the private or secret key to decrypt it. Encryption of electronic data typically uses the Advanced Encryption Standard (AES). AES is an industry-proven standard that was announced in 2001, by the U.S. National Institute of Standards and Technology (NIST). Traditional modes of AES significantly alter the original format of the data and so have a big impact on data structures, schemas, and applications. For example, encrypting a standard credit card number with traditional AES-CBC mode will result in a string containing non-numeric data, which may also vary in length from the original card number. This obviously creates a major implementation problem for companies seeking to use AES. To address this issue, a new mode of AES, called “Format-Preserving Encryption” (FPE), or AES-FFX mode, has been introduced which strongly encrypts live data while retaining the original format of the data. This replaces the data in the live system with a functional equivalent field which cannot be reversed without the associated key. With the FPE mode of AES, data can be encrypted without having to then change database schemas and applications to accommodate the encrypted data. FPE is often used for “Personally Identifiable Information” in transit and storage as a standards-recognized protection and compliance control, or for credit card capture from POS ecosystems or e-commerce platforms.
2. Tokenization. Tokenization does not transform data but instead randomly maps a live data field to a functionally equivalent surrogate value (i.e., a “token”) which replaces the real data. Since tokens do not represent actual data, they can be shared and stored without risk of data loss. To convert a token back to real data, a system (or application) needs to use the tokenization server which hosts the random mapping table to return the token to its original value. First generation tokenization systems used a database for this mapping approach. Tokens can also retain the original format requirements so the impact on existing data structures and applications is mitigated and, since the token can only be reversed exclusively by the token server itself, systems using tokens may be taken out of scope for compliance purposes (e.g., PCI-DSS compliance). However, a major disadvantage of traditional tokenization has been the complexity of managing token databases (such as handling token “collisions”, backup and recovery, scalability and performance). Next generation tokenization solutions are available that address these issues. For example, XYPRO offers Voltage Security “Secure Stateless Tokenization” (SST) which removes the need for a token database and enables higher-performance, lower costs and simplified deployment. Also, by eliminating token databases, SST takes away high-value data targets for hackers and reduces the risk of data breach. Notably, Voltage SST runs natively on HP NonStop, IBM z/OS and Open systems.
For some companies, modifying their NonStop application (like BASE24 or Connex) to use encryption or tokenization is a major challenge and has prevented them from fully protecting their data. For these types of NonStop server users, XYPRO has developed XYGATE Data Protection (XDP) which enables NonStop applications to use Voltage encryption and tokenization without changes to the application.
So, that’s #3: Protect Sensitive Data. Data can be an organization’s most valuable treasure and it’s a major target for cyber-criminals. News headlines are full of stories about data breaches and stolen information—often from some of the world’s leading technology companies. Encryption and/or tokenization are critical solutions for protecting sensitive data, reducing the scope of regulatory compliance, and neutralizing the impact of a data breach.
Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #2. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.
For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.
You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).
Friday, July 18, 2014
Tuesday, June 24, 2014
Why We Love Summer Internships (And You Should, Too!)
For the last several years here at XYPRO, we have been developing a summer internship program and we’re thrilled with the results!
A XYPRO Internship is not an ordinary “fetch coffee” internship. The XYPRO Internship Program provides motivated and qualified students an opportunity to gain real, hands-on experience, receive valuable on-the-job training and to learn about the variety of roles involved in running a software development company. We also value mentorship as an extremely important function of a successful internship. Mentors allow interns to develop and grow in the areas they’re most interested in. Each one of our interns are partnered with a mentor, either a developer, engineer, administrator or manager to best guide them down their areas of interest.
We have happily discovered that the type of student that applies for an internship is generally a self-starter already. At XYPRO, we are very lucky to be surrounded by many colleges and universities from which we recruit for our intern program and for several years now, we have been enjoying the benefits of recruiting from a pool of highly motivated students that bring enthusiasm, curiosity and boundless energy into the company. With their youth comes a perspective and life experience that has never NOT used computers in their everyday life. In their minds, literally anything can be accomplished with technology.
Many of our interns have ended up staying on for an extended period of time while they finish school and some have even been brought on board and are now full-time employees! It’s a win-win situation. XYPRO benefits from their go-get-em attitude while at the same time introducing a whole new generation to the world of HP NonStop and Information Security.
Steve Tcherchian, CISSP XYPRO Technology
A XYPRO Internship is not an ordinary “fetch coffee” internship. The XYPRO Internship Program provides motivated and qualified students an opportunity to gain real, hands-on experience, receive valuable on-the-job training and to learn about the variety of roles involved in running a software development company. We also value mentorship as an extremely important function of a successful internship. Mentors allow interns to develop and grow in the areas they’re most interested in. Each one of our interns are partnered with a mentor, either a developer, engineer, administrator or manager to best guide them down their areas of interest.
We have happily discovered that the type of student that applies for an internship is generally a self-starter already. At XYPRO, we are very lucky to be surrounded by many colleges and universities from which we recruit for our intern program and for several years now, we have been enjoying the benefits of recruiting from a pool of highly motivated students that bring enthusiasm, curiosity and boundless energy into the company. With their youth comes a perspective and life experience that has never NOT used computers in their everyday life. In their minds, literally anything can be accomplished with technology.
Many of our interns have ended up staying on for an extended period of time while they finish school and some have even been brought on board and are now full-time employees! It’s a win-win situation. XYPRO benefits from their go-get-em attitude while at the same time introducing a whole new generation to the world of HP NonStop and Information Security.
Steve Tcherchian, CISSP XYPRO Technology
Pictured are some of our current and former XYPRO interns, including Drew (center) my former intern and new IT Systems Administrator
Monday, April 21, 2014
XYPRO NonStop Security Fundamentals Top 10 List – #4
Because high-availability and fault-tolerant systems need strong security
Alright, we’ve reached #4 on our list of Top 10 NonStop Security Fundamentals—items #5 to #10 are posted on XYPRO’s website and LinkedIn page.
Previously, in the #5 entry, we discussed how to strengthen access management using Role-based Access Control (RBAC). RBAC was about managing users’ access rights—now let’s take the discussion a step further and talk about securing NonStop system resource objects, such as volumes, subvolumes, files, devices, subdevices, processes and subprocesses. How to protect those objects takes us to the #4 item in our Top 10 List:
#4: Dynamically secure all NonStop system resource objectsSafeguard provides the ability to tightly restrict access to Guardian operating system objects, but can become a major management challenge to administer. OSS operating system objects can be secured with standard UNIX “rwx” security or with POSIX ACLs, but these approaches also create a lot of management overhead, have signifi¬cant shortcomings and do not result in a totally secure system.
To fully secure NonStop system resource objects and reduce administrative workload, we recommend these steps:
1. Use wildcarding to reduce the number of ACLs needed and proactively protect objects. Rather than trying to manage with static, reactive Safeguard mechanisms, use dynamic rules with wildcarding that can vary based on the characteristics of each access attempt. Wildcarding greatly increases the flexibility of ACL rules and reduces the number of ACL rules needed.
Third-party solutions, like XYGATE Object Security (XOS), can deliver this type of wildcarding and dynamic rule functionality. XOS provides grouped object access records that contain wildcard security rule specifications which are applied consistently to objects in the group. Importantly, the security rules apply even to objects that may not yet even exist when you set your security policy—thus enabling the proactive protection of new objects (as opposed to retroactively applying security rules to objects after they’ve been created).
One North American credit card company manages their entire network of HP NonStop servers with XOS with less than 300 XOS access control rules. Previously, when using Safeguard, over a million Safeguard ACLs were required.
2. Secure objects with any object attribute. Traditional security ACLs are applied against objects based on the object name alone. This is a limiting approach and ignores many other factors of an object that may be relevant to applying security, such as object age or object type. However, third-party solutions like XOS allow for objects to be secured not only by name, but by any other object attribute (alone or in conjunction with others). For example, using XOS, authorization to purge saveabend files could be given to users based on multiple criteria (OBJECT name, OBJECT age, and OBJECT type). A similar rule using Safeguard, Guardian, or OSS would not be possible or practical. With this approach, a single XOS rule can take the place of tens, hundreds, and even thousands of Safeguard ACLs.
3. Use the OSS SEEP to increase security protection for OSS. As of February 2013, with the H06.26/J06.15 release of the NonStop operating system, HP now includes a Security Event Exit Process (SEEP) within the OSS environment. The OSS SEEP can be used by third-party solutions, like XOS, to provide NonStop OSS security that is more flexible and granular than previously available. Now, OSS subsystems can take advantage of the same levels of security and configurability that have been used for many years on the Guardian subsystem. In fact, with XOS, Guardian and OSS object security can be maintained together in a single file.
While we’re on OSS, let’s quickly talk about auditing. OSS object access auditing can be done in Safeguard if “audit-client-oss” is turned on. However, that Safeguard function is unnecessarily broad (it’s really an all or nothing type of capability) and using it creates a massive amount of audit data—access to all OSS objects is audited. A better option is to use a third-party solution, such as XOS, that allows for very granular auditing of OSS object access.
4. Unify NonStop security management across different nodes and operating systems. Effectively maintaining common security rules across homogenous production systems is very important but can be very difficult to manage with just Safeguard. Maintaining consistency using Safeguard requires keeping ACLs consistent across every node and the same ACL change must be made separately to every node. Furthermore, with Safeguard there is no good way to make sure that the ACLs across nodes are consistent. However, with a NonStop security solution like XOS, all the rules are in a single file; that file can be easily maintained on one node and then moved to all the other nodes when a change is required. Also, if a new node is brought up, instead of having to create thousands of Safeguard ACLs to properly secure the new node, the single XOS file can be installed and the new node is instantly (and consistently) protected.
It’s worth emphasizing the need for unified security management in NonStop. To properly secure the NonStop system without a third-party solution, security admins have to deal with Guardian file security, Safeguard ACLs, OSS standard security, and OSS POSIX ACLs—that’s a lot of complexity to manage and increases costs and security risks. On the other hand, with solutions like XOS, security admins can secure both Guardian and OSS from a single point.
So, that’s #4: Dynamically secure all NonStop system objects. Obviously, resource objects are key parts of your NonStop system and must be fully secured. While Safeguard provides some capabilities to do this, a best practice approach is to use a third-party tool that enables rule flexibility, expands security attributes and provides strong security to not just the Guardian subsystem but OSS, as well.
Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #4. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.
For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.
You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).
Friday, March 14, 2014
XYPRO NonStop Security Fundamentals Top 10 List – #5
Because high-availability and fault-tolerant systems need strong security
Okay, so now we’re to the top five items on our list—items #6 to #10 are posted on XYPRO’s website and LinkedIn page.
Throughout the earlier items on our Top 10 List, the concept of access control came up rather frequently (either directly or indirectly), so let’s focus a bit more on it. As described in XYPRO’s HP NonStop Server Security Handbook, “Access Control is the whole array of tools and procedures used to limit, control, and monitor access to information and utilities. Access control is based on a user’s identity and membership in predefined groups. Access control makes it possible to control the use, availability, integrity, and confidentiality of objects and information on the HP NonStop Server.”
Clearly, access management is very important. However, it can be a daunting challenge to individually manage all the various access privileges for every user. The effectiveness of even an excellent security access management plan can be weakened when its corresponding administrative overhead is too high. With this in mind, we come to the #5 NonStop Security Fundamental:
#5: Strengthen access management with role-based access control (RBAC)Role-based access control (RBAC) is a security approach in which system access and permission rights are grouped according to user roles and then individual users are assigned to a role. The security system then makes access decisions according to the user’s role.
The idea here is quite simple: using role-based access can reduce management overhead and facilitate the implementation and enforcement of standardized access rules—all of which strengthens security access management.
While possible, setting up RBAC with Safeguard requires extensive administration. Third-party solutions, like XYGATE Access Control (XAC), provide a more manageable method of implementing RBAC. The single, major difference between XAC and Safeguard RBAC is the ability to define control by job function in XAC. Safeguard simply isn’t architected for role-based control whereas a solution like XAC is designed for it.
Using ACLGROUPs for RBAC. As with all XYPRO products, XAC is developed around the concept of ACLGROUPs. ACLGROUPs allow you to define control based on job function (database administrator, systems administrator, security administrator, etc.). You start by defining roles THEN you add users to those roles. Users can have zero or more roles. Access is granted based on the role as opposed to the user.
For example, ACLGROUPS can be used to provide different access rights, based on role, to SQLCI functions. Let’s say all database administrators are assigned to the “DBA” group and need full access to SQLCI functions. To enable this, a rule is written in the DBA ACLGROUP to allow this role unfettered access to SQLCI and all other database manipulation functions and utilities. However, system administrators may only need read-only access to SQLCI; therefore, their ACLGROUP (let’s call it “SYSADMIN”) is written to allow just read-only access to SQLCI (with PURGE, UPDATE, DROP, ALTER and CREATE disabled) . Now, managing individual users’ access is as simple as assigning them the appropriate roles—ACLGROUP rules will then correctly determine access rights.
The RBAC in this example requires only a small number of rules in XAC that can be applied to zero or more users using wildcards/regular expressions—and that can be extended to aliases. Once the rules are in place, you can add or remove users’ access to functions at any time.
Doing this in Safeguard requires a unique rule per user per subsystem/binary/program. Safeguard does NOT have the ability to limit access to specific commands within a subsystem as XAC does. So, while possible, RBAC in Safeguard, requires extensive manual intervention and an enormous amounts of rules—and every change introduces an opportunity for human error that could lead to stability issues.
Don’t forget auditing! Using XAC for RBAC provides another important benefit: XAC auditing can also be done at a much lower level. Safeguard can record what userid accessed what object at what time, but little else. With XAC, exact commands and output can be logged with non-repudiation (XAC can be configured to prompt for the users password before allowing sensitive commands).
A major note for alias users: Safeguard auditing and protection are always based on the underlying userid. Safeguard does not treat aliases as unique, only the underlying userid. XAC (and all XYGATE modules) can differentiate between aliases and grant/revoke access and audit based on userid and/or alias.
Alright, well that’s #5: Strengthen access management with role-based access control (RBAC). RBAC simplifies security administration and can enable a greater degree of security and control for your HP NonStop systems.
Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #4. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.
For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.
You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).
Saturday, February 15, 2014
XYPRO Engineering Team Building – doing the Robot!
As part of our annual corporate kick-off event, this year the entire engineering team took part in a full day team building exercise. Taking over all the available space at our Simi Valley headquarters, we were split up into color-coded groups, each of which included members of different parts of the engineering team. Armed with a Lego Mindstorm EV3 kit, each group was presented with a series of tasks (requirements), which consisted of pre-constructed courses on which the robots needed to navigate a maze and move obstacles around the course . The challenge? Design and build a robot that would be able to complete the tasks by the end of the day.
Structured roughly along the lines of our Software Development Life Cycle (SDLC), time was allocated for requirements definition, project planning, design, development and unit testing, QA testing, and deployment.
Things got off to an energetic start with each team doing a good job of dealing with 600+ Lego pieces, learning the software used to program the robots, and planning out the approach. Would some teams jump straight into robot building, with others spending more time documenting requirements and planning? Each team allocated their tasks well so everyone was kept busy, but what factor would planning things out early play? Would those who made that early effort see a payoff later in the day…?
As the day progressed, some very different approaches were becoming apparent, and the teams were realizing that completing all three challenges was going to be difficult, if not impossible. The teams naturally started with challenge #1 which wasn’t necessarily the easiest. Some gentle “guidance” by the mentors to evaluate all the challenges and focus on the easiest challenge first proved helpful and soon each team was making solid progress on that challenge.
With 90 minutes to go before “deployment”, each team was given some time to QA their robots on the actual challenge courses. Some teams’ robots completed the challenge on the first try, others needed tweaking, but all had something ready to attempt the challenges. Each team returned back to their workshops to complete final tweaks before deployment .
The moment of truth, the “Deployment Phase.” Each team must now present their robot, outline the approach they took to the challenges, and detail what worked (and what didn’t!). Scores were based on how well they worked together as a team, how well they presented their solution, and of course, how well their robots completed the challenges.
Each team gave an entertaining and informative presentation describing their efforts during the day, the approach they’d taken, and the robot they’d designed. Some of the teams that jumped straight into building their robots found that some more time on initial design would’ve been helpful. Each team presented a robot that was able to complete at least one of the challenges, and as such, all should be very proud of their efforts.
This exercise reinforced the importance of planning, particularly when confronted with such a daunting task (600+ pieces! Understanding requirements!!! A new programming environment!! Difficult challenges!!! Ridiculously short timeframes!!!). It also reminded us of the value of working together as a team, which really was the main point.
At the end of the day, the Blue team (or “Team Teal” as they renamed themselves) won, narrowly defeating the Yellow team by only one point! Congratulations to all the teams, on what was a fun and very constructive day. Bring on Kick-Off Challenge 2015
Structured roughly along the lines of our Software Development Life Cycle (SDLC), time was allocated for requirements definition, project planning, design, development and unit testing, QA testing, and deployment.
Things got off to an energetic start with each team doing a good job of dealing with 600+ Lego pieces, learning the software used to program the robots, and planning out the approach. Would some teams jump straight into robot building, with others spending more time documenting requirements and planning? Each team allocated their tasks well so everyone was kept busy, but what factor would planning things out early play? Would those who made that early effort see a payoff later in the day…?
As the day progressed, some very different approaches were becoming apparent, and the teams were realizing that completing all three challenges was going to be difficult, if not impossible. The teams naturally started with challenge #1 which wasn’t necessarily the easiest. Some gentle “guidance” by the mentors to evaluate all the challenges and focus on the easiest challenge first proved helpful and soon each team was making solid progress on that challenge.
With 90 minutes to go before “deployment”, each team was given some time to QA their robots on the actual challenge courses. Some teams’ robots completed the challenge on the first try, others needed tweaking, but all had something ready to attempt the challenges. Each team returned back to their workshops to complete final tweaks before deployment .
The moment of truth, the “Deployment Phase.” Each team must now present their robot, outline the approach they took to the challenges, and detail what worked (and what didn’t!). Scores were based on how well they worked together as a team, how well they presented their solution, and of course, how well their robots completed the challenges.
Each team gave an entertaining and informative presentation describing their efforts during the day, the approach they’d taken, and the robot they’d designed. Some of the teams that jumped straight into building their robots found that some more time on initial design would’ve been helpful. Each team presented a robot that was able to complete at least one of the challenges, and as such, all should be very proud of their efforts.
This exercise reinforced the importance of planning, particularly when confronted with such a daunting task (600+ pieces! Understanding requirements!!! A new programming environment!! Difficult challenges!!! Ridiculously short timeframes!!!). It also reminded us of the value of working together as a team, which really was the main point.
At the end of the day, the Blue team (or “Team Teal” as they renamed themselves) won, narrowly defeating the Yellow team by only one point! Congratulations to all the teams, on what was a fun and very constructive day. Bring on Kick-Off Challenge 2015
Tuesday, December 24, 2013
DBIR 2013 Blog Part III – What does this all mean to me?
In this blog series, we've been discussing the 2013 Verizon DBIR, which includes the following facts:
In the most recent blog entry of this series we covered some key observations from the report. In this blog we'll look at what those observations mean to HP NonStop server users, and draw some final conclusions. Note that the full report is available here: http://www.verizonenterprise.com/DBIR/2013/
Key observations from the last blog, with their relevance for NonStop users:
Most Attacks Still Use Basic Techniques
The vast majority of attacks exploited weak or stolen credentials, and were considered "low" or "very low" in difficulty (on the VERIS scale which Verizon uses to categorize breaches).
NonStop relevance: Protect "the basics" - implement strong user authentication; implement (and enforce) password management processes; enforce a policy of minimum required access; ensure no shared accounts (especially SUPER) and keep track of all privileged user activity with keystroke logging. These relatively simple steps will ensure that the types of attacks that Verizon observed in over 70% of cases will fail.
14% of breaches were insider attacks
The majority of insiders committing sabotage were former employees using old accounts or backdoors not disabled, and the vast majority of IP theft cases committed by internal people took place within 30 days of announcing their resignation.
NonStop relevance: Ensure your NonStop user provisioning is integrated with your Enterprise Identity Management system, if you have one - that way as users are decommissioned at the enterprise level, they're also decommissioned on the NonStop. Integrate your NonStop with a Security Incident Event Management (SIEM) solution. That way any suspicious activity can be viewed at an enterprise level, and may be clearer as a result. The "basic" protections above also apply here.
Data at rest is most at risk
66% of breaches involved data at rest in databases and file servers (the rest was data being processed when it was accessed)
NonStop relevance: Protect your data at rest, with encryption or tokenization. Note that Volume Level Encryption (VLE) doesn't really provide the requisite level of protection, as once a user is signed on to the NonStop, their access is based on standard Guardian/Safeguard rules - the "encryption" becomes transparent to them. VLE is really best used to protect entire disks from theft.
Types of attack vary depending on industry and region
37% of breaches affected financial institutions, banks are often subjected to ATM skimming
NonStop relevance: As many NonStop users are banks or other financial institutions, the findings in this report are particularly relevant. The recommendations should be carefully studied and applied where it makes sense in customers' environments.
Spotting a breach isn't always easy, or quick
66% of breaches in the report took months, or even years, to discover. 69% of breaches were spotted by an external party, with 9% being spotted by customers!
NonStop relevance: This is where using a SIEM gives some real benefits. By aggregating all security events across the enterprise and presenting them in a normalized fashion, it can be a lot easier to notice anomalies. It's critical for NonStop users to gather and forward all NonStop-based security events and forward them to the enterprise SIEM, if one is present, to ensure that any clues from the NonStop regarding a possible breach are included in the analysis.
As you can see, and as we've mentioned in earlier blogs, looking after the security fundamentals is probably the best "bang for your buck" in terms of securing your critical, NonStop-based applications and their data. To further underscore this, the PCI DSS v3.0 standard has just been published, and it includes an increased focus on the basics, as hinted at in earlier PCI announcements.
XYPRO has been developing products, and providing solutions, to assist our customers to meet their many and varied security requirements for over 30 years. We have solutions to address all the points summarized in this blog, and more - if you'd like more information on anything you've read here, or anything else that comes from the Verizon DBIR, please contact your sales representative https://www.xypro.com/xypro/contact, or email me at andrew.price@xypro.com.
| • | 621 confirmed data breaches studied in detail |
| • | 19 contributors, including government agencies, private security organizations and consulting companies |
| • | 44 million records compromised |
| • | The largest and most comprehensive data breach study performed each year |
| • | 75% of attacks were opportunistic - not targeted at a specific individual or company - with the majority of those financially motivated |
| • | 37% of breaches affected financial institutions |
In the most recent blog entry of this series we covered some key observations from the report. In this blog we'll look at what those observations mean to HP NonStop server users, and draw some final conclusions. Note that the full report is available here: http://www.verizonenterprise.com/DBIR/2013/
Key observations from the last blog, with their relevance for NonStop users:
Most Attacks Still Use Basic Techniques
The vast majority of attacks exploited weak or stolen credentials, and were considered "low" or "very low" in difficulty (on the VERIS scale which Verizon uses to categorize breaches).
NonStop relevance: Protect "the basics" - implement strong user authentication; implement (and enforce) password management processes; enforce a policy of minimum required access; ensure no shared accounts (especially SUPER) and keep track of all privileged user activity with keystroke logging. These relatively simple steps will ensure that the types of attacks that Verizon observed in over 70% of cases will fail.
14% of breaches were insider attacks
The majority of insiders committing sabotage were former employees using old accounts or backdoors not disabled, and the vast majority of IP theft cases committed by internal people took place within 30 days of announcing their resignation.
NonStop relevance: Ensure your NonStop user provisioning is integrated with your Enterprise Identity Management system, if you have one - that way as users are decommissioned at the enterprise level, they're also decommissioned on the NonStop. Integrate your NonStop with a Security Incident Event Management (SIEM) solution. That way any suspicious activity can be viewed at an enterprise level, and may be clearer as a result. The "basic" protections above also apply here.
Data at rest is most at risk
66% of breaches involved data at rest in databases and file servers (the rest was data being processed when it was accessed)
NonStop relevance: Protect your data at rest, with encryption or tokenization. Note that Volume Level Encryption (VLE) doesn't really provide the requisite level of protection, as once a user is signed on to the NonStop, their access is based on standard Guardian/Safeguard rules - the "encryption" becomes transparent to them. VLE is really best used to protect entire disks from theft.
Types of attack vary depending on industry and region
37% of breaches affected financial institutions, banks are often subjected to ATM skimming
NonStop relevance: As many NonStop users are banks or other financial institutions, the findings in this report are particularly relevant. The recommendations should be carefully studied and applied where it makes sense in customers' environments.
Spotting a breach isn't always easy, or quick
66% of breaches in the report took months, or even years, to discover. 69% of breaches were spotted by an external party, with 9% being spotted by customers!
NonStop relevance: This is where using a SIEM gives some real benefits. By aggregating all security events across the enterprise and presenting them in a normalized fashion, it can be a lot easier to notice anomalies. It's critical for NonStop users to gather and forward all NonStop-based security events and forward them to the enterprise SIEM, if one is present, to ensure that any clues from the NonStop regarding a possible breach are included in the analysis.
As you can see, and as we've mentioned in earlier blogs, looking after the security fundamentals is probably the best "bang for your buck" in terms of securing your critical, NonStop-based applications and their data. To further underscore this, the PCI DSS v3.0 standard has just been published, and it includes an increased focus on the basics, as hinted at in earlier PCI announcements.
XYPRO has been developing products, and providing solutions, to assist our customers to meet their many and varied security requirements for over 30 years. We have solutions to address all the points summarized in this blog, and more - if you'd like more information on anything you've read here, or anything else that comes from the Verizon DBIR, please contact your sales representative https://www.xypro.com/xypro/contact, or email me at andrew.price@xypro.com.
Monday, December 2, 2013
Back In Training – NonStop Technical Bootcamp 2013
XYPRO has just returned from a very exciting few days in San Jose, attending the second annual NonStop Technical Bootcamp. The event was held at the San Jose Doubletree hotel, as it was last year, although this year the venue was bursting at the seams! It turns out that, whilst the number of vendors and HP representatives was roughly the same as last year, user attendance was up over 200% from last year – a sure sign that the event is going from strength to strength. The majority of new user attendees this year came from the Asia-Pacific/Japan region, but there were attendees from Russia, Japan, Taiwan, Israel, UAE, South Africa, Brazil and more.
There had been rumours of a big announcement coming from HP at this years’ event, and the opening general session was packed, (in spite of the Beer Bust the night before—(which itself is becoming quite a tradition, and a great way to kick off the week). Randy Meyer, in his new role as VP and General Manager of Integrity Servers, jumped pretty quickly to the big news – that HP has committed to bringing the NonStop to x86 (Intel Xeon) processors. This is A BIG DEAL because, as summarised in many other articles, it removes any possible perception of HP’s lack of commitment to the platform, and any FUD (Fear, Uncertainty, Doubt) around the future of the Itanium processor. For the time being, NonStop will be available with both types of processor, and at some point (one presumes) the Xeon-based line will replace the Itanium one.
At XYPRO, we’re very excited about this announcement, for the same reasons that everyone else is. We’re also looking forward to the project to port our software to this new platform,; which, from everything we’ve heard, should be a relatively straightforward exercise.
Both of the main conference days were very busy, with excellent content in the presentations and great traffic past the exhibitor booths – indeed, at times things got pretty crowded in the high traffic areas. There was a rumour going around that next year the event will be in a bigger venue, which will be great.
We took the opportunity to meet one on one with many of our customers – these sessions are always great for getting product feedback, discussing possible enhancements and product direction, and just generally catching up with friendly faces. If for some reason we missed catching up with you, and there’s anything you need to discuss with us, please get in contact with me, or your XYPRO Sales representative, and we’ll line something up.
As the name “Technical Bootcamp” implies, this conference had a major focus on training and on Sunday XYPRO provided 8-hours of pre-conference training on key NonStop security topics. In the first 4-hour session, “Make the Most of your NonStop Security Bundle”, XYPRO’s Dave Teal explained the fundamentals of Audit and Authentication and all the benefits included with the advanced security software included with the OS on HP NonStop servers. Dave described how to easily install, configure, implement and use these valuable solutions and help streamline security audits to meet compliance regulations. In the second 4-hour session, “Everything You Need Know for PCI Compliance on HP NonStop”, XYPRO’s Rob Lesan went through the why's and how's to meet and exceed PCI compliance regulations easily and efficiently while making the whole process simple and non-intrusive. Both sessions were jam-packed with NonStop technical experts looking to increase their security knowledge.
XYPRO presented on both the Monday and the Tuesday. Monday’s presentation, “Industry-standard, enterprise-wide Voltage Encryption and Tokenization – no code changes required!” was done in conjunction with Voltage, and was an overview of XYPRO’s new XYGATE Data Protection (XDP) product and Voltage’s SecureData. XDP utilizes intercept technology to seamlessly allow NonStop applications to encrypt or tokenize sensitive data using Voltage’s SecureData product, without any application code changes. Tuesday’s presentation was with another XYPRO partner, NetAuthority, and covered “Stronger User Security with Advances in Multi-Factor Authentication”. The session discussed the growing threat of cybercrime, the various multi-factor authentication solutions that have been deployed to protect online and mobile users, and new technologies like NetAuthority’s DeviceLink product which provides two-factor authentication without the overhead of hardware tokens, one time passwords, or other intrusive technologies. Both presentations were well attended, and had some great Q&A activity at the end (or in the exhibit area after the session).
Visit the Connect website for additional info on the XYPRO presentations and other Bootcamp sessions. The NonStop Innovations blog also has a lot of the bootcamp presentations along with interviews with a number of vendors, so check that out at http://www.nuwave-tech.com/hp-nonstop-innovations.
On Monday evening XYPRO hosted a dinner celebrating their 30th Anniversary. This event was held at The Table, in San Jose, and saw about 65 of XYPRO’s customers, partners and employees getting together to enjoy some fantastic food, great service, and one or two adult beverages in a casual environment.
Once again, a fantastic event, and we’re looking forward to being “Back in Training” in November, next year – hope to see you there!
XYPRO Technology
info@xypro.com
https://www.xypro.com
There had been rumours of a big announcement coming from HP at this years’ event, and the opening general session was packed, (in spite of the Beer Bust the night before—(which itself is becoming quite a tradition, and a great way to kick off the week). Randy Meyer, in his new role as VP and General Manager of Integrity Servers, jumped pretty quickly to the big news – that HP has committed to bringing the NonStop to x86 (Intel Xeon) processors. This is A BIG DEAL because, as summarised in many other articles, it removes any possible perception of HP’s lack of commitment to the platform, and any FUD (Fear, Uncertainty, Doubt) around the future of the Itanium processor. For the time being, NonStop will be available with both types of processor, and at some point (one presumes) the Xeon-based line will replace the Itanium one.
At XYPRO, we’re very excited about this announcement, for the same reasons that everyone else is. We’re also looking forward to the project to port our software to this new platform,; which, from everything we’ve heard, should be a relatively straightforward exercise.
Both of the main conference days were very busy, with excellent content in the presentations and great traffic past the exhibitor booths – indeed, at times things got pretty crowded in the high traffic areas. There was a rumour going around that next year the event will be in a bigger venue, which will be great.
We took the opportunity to meet one on one with many of our customers – these sessions are always great for getting product feedback, discussing possible enhancements and product direction, and just generally catching up with friendly faces. If for some reason we missed catching up with you, and there’s anything you need to discuss with us, please get in contact with me, or your XYPRO Sales representative, and we’ll line something up.
As the name “Technical Bootcamp” implies, this conference had a major focus on training and on Sunday XYPRO provided 8-hours of pre-conference training on key NonStop security topics. In the first 4-hour session, “Make the Most of your NonStop Security Bundle”, XYPRO’s Dave Teal explained the fundamentals of Audit and Authentication and all the benefits included with the advanced security software included with the OS on HP NonStop servers. Dave described how to easily install, configure, implement and use these valuable solutions and help streamline security audits to meet compliance regulations. In the second 4-hour session, “Everything You Need Know for PCI Compliance on HP NonStop”, XYPRO’s Rob Lesan went through the why's and how's to meet and exceed PCI compliance regulations easily and efficiently while making the whole process simple and non-intrusive. Both sessions were jam-packed with NonStop technical experts looking to increase their security knowledge.
XYPRO presented on both the Monday and the Tuesday. Monday’s presentation, “Industry-standard, enterprise-wide Voltage Encryption and Tokenization – no code changes required!” was done in conjunction with Voltage, and was an overview of XYPRO’s new XYGATE Data Protection (XDP) product and Voltage’s SecureData. XDP utilizes intercept technology to seamlessly allow NonStop applications to encrypt or tokenize sensitive data using Voltage’s SecureData product, without any application code changes. Tuesday’s presentation was with another XYPRO partner, NetAuthority, and covered “Stronger User Security with Advances in Multi-Factor Authentication”. The session discussed the growing threat of cybercrime, the various multi-factor authentication solutions that have been deployed to protect online and mobile users, and new technologies like NetAuthority’s DeviceLink product which provides two-factor authentication without the overhead of hardware tokens, one time passwords, or other intrusive technologies. Both presentations were well attended, and had some great Q&A activity at the end (or in the exhibit area after the session).
Visit the Connect website for additional info on the XYPRO presentations and other Bootcamp sessions. The NonStop Innovations blog also has a lot of the bootcamp presentations along with interviews with a number of vendors, so check that out at http://www.nuwave-tech.com/hp-nonstop-innovations.
On Monday evening XYPRO hosted a dinner celebrating their 30th Anniversary. This event was held at The Table, in San Jose, and saw about 65 of XYPRO’s customers, partners and employees getting together to enjoy some fantastic food, great service, and one or two adult beverages in a casual environment.
Once again, a fantastic event, and we’re looking forward to being “Back in Training” in November, next year – hope to see you there!
XYPRO Technology
info@xypro.com
https://www.xypro.com
Subscribe to:
Comments (Atom)
Posts
