Tuesday, December 24, 2013

DBIR 2013 Blog Part III – What does this all mean to me?

In this blog series, we've been discussing the 2013 Verizon DBIR, which includes the following facts:

621 confirmed data breaches studied in detail
19 contributors, including government agencies, private security organizations and consulting companies
44 million records compromised
The largest and most comprehensive data breach study performed each year
75% of attacks were opportunistic - not targeted at a specific individual or company - with the majority of those financially motivated
37% of breaches affected financial institutions

In the most recent blog entry of this series we covered some key observations from the report. In this blog we'll look at what those observations mean to HP NonStop server users, and draw some final conclusions. Note that the full report is available here: http://www.verizonenterprise.com/DBIR/2013/

Key observations from the last blog, with their relevance for NonStop users:

Most Attacks Still Use Basic Techniques

The vast majority of attacks exploited weak or stolen credentials, and were considered "low" or "very low" in difficulty (on the VERIS scale which Verizon uses to categorize breaches).

NonStop relevance: Protect "the basics" - implement strong user authentication; implement (and enforce) password management processes; enforce a policy of minimum required access; ensure no shared accounts (especially SUPER) and keep track of all privileged user activity with keystroke logging. These relatively simple steps will ensure that the types of attacks that Verizon observed in over 70% of cases will fail.

14% of breaches were insider attacks

The majority of insiders committing sabotage were former employees using old accounts or backdoors not disabled, and the vast majority of IP theft cases committed by internal people took place within 30 days of announcing their resignation.

NonStop relevance: Ensure your NonStop user provisioning is integrated with your Enterprise Identity Management system, if you have one - that way as users are decommissioned at the enterprise level, they're also decommissioned on the NonStop. Integrate your NonStop with a Security Incident Event Management (SIEM) solution. That way any suspicious activity can be viewed at an enterprise level, and may be clearer as a result. The "basic" protections above also apply here.

Data at rest is most at risk

66% of breaches involved data at rest in databases and file servers (the rest was data being processed when it was accessed)

NonStop relevance: Protect your data at rest, with encryption or tokenization. Note that Volume Level Encryption (VLE) doesn't really provide the requisite level of protection, as once a user is signed on to the NonStop, their access is based on standard Guardian/Safeguard rules - the "encryption" becomes transparent to them. VLE is really best used to protect entire disks from theft.

Types of attack vary depending on industry and region

37% of breaches affected financial institutions; banks are often subjected to ATM skimming.

NonStop relevance: As many NonStop users are banks or other financial institutions, the findings in this report are particularly relevant. The recommendations should be carefully studied and applied where it makes sense in customers' environments.

Spotting a breach isn't always easy, or quick

66% of breaches in the report took months, or even years, to discover. 69% of breaches were spotted by an external party, with 9% being spotted by customers!

NonStop relevance: This is where using a SIEM gives some real benefits. By aggregating all security events across the enterprise and presenting them in a normalized fashion, it can be a lot easier to notice anomalies. It's critical for NonStop users to gather all NonStop-based security events and forward them to the enterprise SIEM, if one is present, to ensure that any clues from the NonStop regarding a possible breach are included in the analysis.

As you can see, and as we've mentioned in earlier blogs, looking after the security fundamentals is probably the best "bang for your buck" in terms of securing your critical, NonStop-based applications and their data. To further underscore this, the PCI DSS v3.0 standard has just been published, and it includes an increased focus on the basics, as hinted at in earlier PCI announcements.

XYPRO has been developing products, and providing solutions, to assist our customers to meet their many and varied security requirements for over 30 years. We have solutions to address all the points summarized in this blog, and more - if you'd like more information on anything you've read here, or anything else that comes from the Verizon DBIR, please contact your sales representative https://www.xypro.com/xypro/contact, or email me at andrew.price@xypro.com.

Monday, December 2, 2013

Back In Training – NonStop Technical Bootcamp 2013

XYPRO has just returned from a very exciting few days in San Jose, attending the second annual NonStop Technical Bootcamp. The event was held at the San Jose Doubletree hotel, as it was last year, although this year the venue was bursting at the seams! It turns out that, whilst the number of vendors and HP representatives was roughly the same as last year, user attendance was up over 200% from last year – a sure sign that the event is going from strength to strength. The majority of new user attendees this year came from the Asia-Pacific/Japan region, but there were attendees from Russia, Japan, Taiwan, Israel, UAE, South Africa, Brazil and more.

There had been rumours of a big announcement coming from HP at this year’s event, and the opening general session was packed, in spite of the Beer Bust the night before (which itself is becoming quite a tradition, and a great way to kick off the week). Randy Meyer, in his new role as VP and General Manager of Integrity Servers, jumped pretty quickly to the big news – that HP has committed to bringing the NonStop to x86 (Intel Xeon) processors. This is A BIG DEAL because, as summarised in many other articles, it removes any possible perception of HP’s lack of commitment to the platform, and any FUD (Fear, Uncertainty, Doubt) around the future of the Itanium processor. For the time being, NonStop will be available with both types of processor, and at some point (one presumes) the Xeon-based line will replace the Itanium one.


At XYPRO, we’re very excited about this announcement, for the same reasons that everyone else is. We’re also looking forward to the project to port our software to this new platform, which, from everything we’ve heard, should be a relatively straightforward exercise.

Both of the main conference days were very busy, with excellent content in the presentations and great traffic past the exhibitor booths – indeed, at times things got pretty crowded in the high traffic areas. There was a rumour going around that next year the event will be in a bigger venue, which will be great.

We took the opportunity to meet one on one with many of our customers – these sessions are always great for getting product feedback, discussing possible enhancements and product direction, and just generally catching up with friendly faces. If for some reason we missed catching up with you, and there’s anything you need to discuss with us, please get in contact with me, or your XYPRO Sales representative, and we’ll line something up.


As the name “Technical Bootcamp” implies, this conference had a major focus on training, and on Sunday XYPRO provided 8 hours of pre-conference training on key NonStop security topics. In the first 4-hour session, “Make the Most of your NonStop Security Bundle”, XYPRO’s Dave Teal explained the fundamentals of Audit and Authentication and all the benefits included with the advanced security software included with the OS on HP NonStop servers. Dave described how to easily install, configure, implement and use these valuable solutions and help streamline security audits to meet compliance regulations. In the second 4-hour session, “Everything You Need Know for PCI Compliance on HP NonStop”, XYPRO’s Rob Lesan went through the why's and how's to meet and exceed PCI compliance regulations easily and efficiently while making the whole process simple and non-intrusive. Both sessions were jam-packed with NonStop technical experts looking to increase their security knowledge.

XYPRO presented on both the Monday and the Tuesday. Monday’s presentation, “Industry-standard, enterprise-wide Voltage Encryption and Tokenization – no code changes required!” was done in conjunction with Voltage, and was an overview of XYPRO’s new XYGATE Data Protection (XDP) product and Voltage’s SecureData. XDP utilizes intercept technology to seamlessly allow NonStop applications to encrypt or tokenize sensitive data using Voltage’s SecureData product, without any application code changes. Tuesday’s presentation was with another XYPRO partner, NetAuthority, and covered “Stronger User Security with Advances in Multi-Factor Authentication”. The session discussed the growing threat of cybercrime, the various multi-factor authentication solutions that have been deployed to protect online and mobile users, and new technologies like NetAuthority’s DeviceLink product which provides two-factor authentication without the overhead of hardware tokens, one time passwords, or other intrusive technologies. Both presentations were well attended, and had some great Q&A activity at the end (or in the exhibit area after the session).

Visit the Connect website for additional info on the XYPRO presentations and other Bootcamp sessions. The NonStop Innovations blog also has a lot of the bootcamp presentations along with interviews with a number of vendors, so check that out at http://www.nuwave-tech.com/hp-nonstop-innovations.

On Monday evening XYPRO hosted a dinner celebrating their 30th Anniversary. This event was held at The Table, in San Jose, and saw about 65 of XYPRO’s customers, partners and employees getting together to enjoy some fantastic food, great service, and one or two adult beverages in a casual environment.


Once again, a fantastic event, and we’re looking forward to being “Back in Training” in November, next year – hope to see you there!

XYPRO Technology
info@xypro.com
https://www.xypro.com

Monday, November 25, 2013

NonStop Security Fundamentals Top 10 List – #6

Because high-availability and fault-tolerant systems need strong security

Over the past few months XYPRO has begun counting down our Top 10 NonStop Security Fundamentals and now we’ve reached the halfway point on our list. Before we get to the #6 item though, let’s recap the list to-date:

#10 Secure the default system access settings
#9 Set-up strong Safeguard authentication and password controls
#8 Ensure individual accountability (no shared IDs!)
#7 Establish granular control of user activity

As you can see from these first four items, we think it’s essential to have strong NonStop security for access, authentication, and activity—all with individual accountability, of course. While these are solid security fundamentals for any corporate system, they are especially important for HP NonStop systems that, typically, run some of a company’s most mission-critical processes.

So now, with those first four items covered, let’s move on to #6 which is about keeping track of what individuals are actually doing when they are logged on as a privileged user (such as SUPER.SUPER) or as an application owner.

#6: Audit all actions of privileged access users

As the name implies, privileged access users have system rights and capabilities that are greater than those of typical users and that pose a greater risk to the system if misused, either intentionally or unintentionally. Therefore, it is very important to closely track and audit all actions of privileged access users to ensure compliance, deter fraud, and enable troubleshooting. Here are three key steps to do this:

Enable keystroke logging. Recording the activity of privileged access users (even within utilities or the progress of obey files and macros) enables the necessary auditability and oversight of what these key users are doing. On the NonStop, this is only possible with a third-party solution like XYGATE Access Control (XAC), which can provide keystroke logging in which the characters of every command are recorded to an audit file.

Audit all privileged user actions. In addition to recording activities through keystroke logging, it’s important to review the audit file on a regular basis, usually daily, to detect unexplained, unauthorized or otherwise suspicious activity. Audit all actions taken by any individual performing activities as a privileged ID (such as SUPER.SUPER) or an application owner. One way to ensure this audit information is reviewed is to use XYGATE Merged Audit (XMA) to send NonStop security information to an enterprise SIEM (such as HP ArcSight). XMA, which is bundled with the HP NonStop OS, collects the keystroke audit data and normalizes and merges it with other NonStop security event data. XMA then makes the consolidated data available for local review and/or sends it to a SIEM.

Ensure tamper-proof audit trails. Editing or deleting audit files, or modifying the audit process itself, could be a way to cover up inappropriate actions on the system. So, clearly, protecting the audit process and audit files from tampering is essential. There are many different ways to do this. For example: 1) XYGATE Object Security (XOS) can ensure that only the authorized application is able to write to the keystroke logging database in use, 2) archived audit files can be sent off box, and 3) the security information can be sent by XMA to a SIEM.
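The three steps above (and the keystroke-logging advice in the DBIR Part III post) as an added example, not XYPRO's or HP's code: each keystroke record carries an HMAC over the previous record's hash, so an edited, deleted or reordered record shows up at review time, and a review filter picks out everything typed under a privileged id. The record layout, user directory, commands, terminal names and key are all constructed for the example; a real XAC audit file has its own format.

```python
"""Added example, not XYPRO's or HP's code: a hash-chained keystroke audit
trail plus the review filter for privileged userids. Record layout, user
directory, commands and key are constructed; a real XAC audit file has its
own format."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

SUPER_GROUP = 255     # group number 255 is the SUPER group
GROUP_MANAGER = 255   # member number 255 is a group's manager id
GENESIS = "0" * 64    # prev_hash of the very first record
SAMPLE_KEY = b"constructed-audit-key"   # constructed; held by the audit writer only

# Constructed user directory: userid -> (group number, member number).
USERS: Dict[str, Tuple[int, int]] = {
    "SUPER.SUPER": (255, 255),
    "PAY.MANAGER": (100, 255),
    "PAY.CLERK": (100, 12),
    "PAY.APPOWN": (100, 1),
}
APP_OWNERS = frozenset({"PAY.APPOWN"})   # application-owner ids (constructed)

@dataclass(frozen=True)
class AuditRecord:
    seq: int
    timestamp: str
    userid: str
    terminal: str
    keystrokes: str   # the command exactly as typed
    prev_hash: str
    rec_hash: str

def is_privileged(userid: str) -> bool:
    """Privileged in the post's sense: SUPER group, a group manager,
    or an application owner."""
    group, member = USERS[userid]
    return group == SUPER_GROUP or member == GROUP_MANAGER or userid in APP_OWNERS

def _digest(key: bytes, prev_hash: str, seq: int, timestamp: str,
            userid: str, terminal: str, keystrokes: str) -> str:
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = [prev_hash, str(seq), timestamp, userid, terminal, keystrokes]
    msg = b"".join(len(p).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append(trail: List[AuditRecord], key: bytes, timestamp: str,
           userid: str, terminal: str, keystrokes: str) -> AuditRecord:
    """Append a record whose HMAC also covers the previous record's hash.
    Only the audit writer holds the key (the role XOS plays for the
    keystroke database in the post); reviewers can verify, not forge."""
    prev = trail[-1].rec_hash if trail else GENESIS
    seq = len(trail) + 1
    rec = AuditRecord(seq, timestamp, userid, terminal, keystrokes, prev,
                      _digest(key, prev, seq, timestamp, userid, terminal, keystrokes))
    trail.append(rec)
    return rec

def verify_chain(trail: List[AuditRecord], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, seq of the first bad record). Editing, deleting or
    reordering a record breaks every HMAC from that point on. Dropping the
    newest records is only caught when the last hash was archived elsewhere
    (expected_head): hence the post's 'send it off box / to a SIEM'."""
    prev = GENESIS
    for i, r in enumerate(trail, start=1):
        if r.seq != i or r.prev_hash != prev:
            return False, r.seq
        want = _digest(key, prev, r.seq, r.timestamp, r.userid, r.terminal, r.keystrokes)
        if not hmac.compare_digest(r.rec_hash, want):
            return False, r.seq
        prev = r.rec_hash
    if expected_head is not None and prev != expected_head:
        return False, len(trail) + 1
    return True, None

def privileged_activity(trail: List[AuditRecord]) -> List[AuditRecord]:
    """The daily review set: everything typed under a privileged id."""
    return [r for r in trail if is_privileged(r.userid)]

def with_edited_keystrokes(trail: List[AuditRecord], seq: int,
                           keystrokes: str) -> List[AuditRecord]:
    """Copy of the trail with one record's command rewritten but its stored
    hash untouched: the kind of cover-up the chain is meant to expose."""
    return [replace(r, keystrokes=keystrokes) if r.seq == seq else r for r in trail]

def build_sample_trail(key: bytes) -> List[AuditRecord]:
    """Constructed sample of one day's keystroke audit."""
    trail: List[AuditRecord] = []
    append(trail, key, "2013-11-25 08:01:12", "PAY.CLERK", "$ZTN0.#PTY3", "FUP INFO $DATA.PAY.MASTER")
    append(trail, key, "2013-11-25 08:05:40", "SUPER.SUPER", "$ZTN0.#PTY7", "FUP LICENSE $SYSTEM.SYSTEM.NEWPROG")
    append(trail, key, "2013-11-25 08:06:02", "SUPER.SUPER", "$ZTN0.#PTY7", "SAFECOM INFO USER PAY.CLERK")
    append(trail, key, "2013-11-25 09:15:00", "PAY.MANAGER", "$ZTN0.#PTY2", "FUP PURGE $DATA.PAY.OLDFILE")
    append(trail, key, "2013-11-25 10:00:00", "PAY.APPOWN", "$ZTN0.#PTY4", "SCF STOP PROCESS $PAY1")
    return trail
```

Calling `verify_chain` with `expected_head` set to the last hash that was shipped to the SIEM is what turns "the tail was deleted" from invisible into a finding.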

So that’s #6: Audit all actions of privileged access users. A thorough logging and auditing program for privileged users establishes the means for strong oversight over users with the greatest security access rights and who, therefore, may pose the greatest potential risk to the system.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #5. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Friday, October 11, 2013

NonStop Security Fundamentals Top 10 List – #7

Because high-availability and fault-tolerant systems need strong security

Recent studies have shown that hackers (both internal and external) often use relatively simple attack methods and that it’s as important as ever to follow basic security best practices. Therefore, it makes sense that the first three items in our Top 10 list were about establishing a base level of security within the NonStop system:

#10 Secure the default system access settings
#9 Set-up strong Safeguard authentication and password controls
#8 Ensure individual accountability (no shared IDs!)

Now that we’ve covered those broader fundamentals, this week we’ll get into a more “granular” security topic—controlling user activity at different levels within the NonStop system.

#7: Establish granular control of user activity

A fundamental IT security challenge is to provide users with only the system access and privileges they need to do their jobs (least privilege, or Role Based Access Control, RBAC). Allowing users to have system access and privileges greater than their job requires presents a significant security risk—particularly on the NonStop, which typically has mission-critical applications running and sensitive information being processed or stored. The risk is not only from intentionally malicious activity but also from the possibility of an unsophisticated (or stressed or rushed) user, when given too much power, not realizing the ramifications of their actions.

So, to protect the NonStop, it’s important to establish more granular control of what users can do within multiple areas within the system.  Let’s specifically look at four areas: user, process, CMON, and spooler.

User. The system access a user may have, and actions a user may take, are determined by their identity and their membership in predefined groups. When a user attempts to access an object, Safeguard checks the object’s Access Control List (ACL) to either grant or deny specific access privileges to the underlying object. Third-party solutions are available to improve the NonStop’s access management and increase the granularity of control (to the sub-command level, for instance). For example, XYGATE Access Control (XAC) acts as a sentry between users and programs or utilities and, based on configuration settings defined in XAC’s Access Control List (ACACL), user requests to programs or utilities are granted or denied. Furthermore, XAC’s “allow” and “deny” features restrict commands within programs and utilities to the sub-command level for separation of duties and efficient job performance. An example of this would be giving a user privileged access to FUP running as SUPER.SUPER in order to perform their job duties but specifically denying any use of the LICENSE command.

Process. Processes are a type of Safeguard object and, obviously, they need to be managed closely. As with the “User” area discussed above, Safeguard manages access to processes with ACLs. Again, third party solutions can assist with process security and management; XYGATE Process Control (XPC) behaves similarly to XAC in that it sits between the user and the process they wish to manage. The difference lies in that the object is a process and privileges such as the ability to stop, suspend, alter priority, activate and debug the process can be granted to the user ID, whether or not they are the owner of that process. The benefit of this is that if the owner of a process is not present and an action must be taken for the good of the system (stop a runaway process for example), other authorized users can take these actions under their own logon, without having to share userids.

$CMON. The NonStop server has an interface to a user-supplied Command Monitoring Process named $CMON. While the $CMON program is not HP-supplied, it’s recommended that every NonStop system use a $CMON either written by the customer or supplied by a third-party (such as the XYGATE supported $CMON module). When a $CMON is present, messages are sent to the $CMON to verify logon requests and process start requests. The $CMON process can provide many functions for both security and performance reasons:

• Control the CPU and the priority of the request
• Control who can logon to specific ports
• Verify a userid’s request to run a requested program
• Audit the request
• Ensure that the location and priority of all processes is only controlled via $CMON

Note that not having a $CMON presents a serious risk because, if a $CMON is not present, an unauthorized $CMON could be added to the system.  The unauthorized $CMON might be used simply to monitor the system or it could be designed with malicious intent (such as stopping, denying or slowing services).

Spooler. The HP NonStop server spooler subsystem is a set of utilities that provides an interface to the system’s print facilities. The spooler receives output from applications and stores it on disk where it can be viewed or sent to a print location for printing. Clearly, access to the spooler needs to be managed to protect sensitive data on disk and to keep it from being printed (print outs being one way to extract stolen data). Furthermore, users with PERUSE access to a job can access the job output’s contents. To protect this area, limit access to spooler utilities to only those users requiring it for their job function. Third-party solutions, such as XYGATE Spoolcom Peruse (XSP), are available to improve security of the spooler, simplify task management and administration and allow for delegation of authority.
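The sub-command-level allow/deny idea from the “User” section above (FUP as SUPER.SUPER, but no LICENSE), as an added example that is not XYPRO's or HP's code: a small policy evaluator with default deny, where any matching DENY beats any ALLOW. The rule format, userids and policy are constructed and are not XAC's ACACL syntax.

```python
"""Added example, not XYPRO's or HP's code: a model of the sub-command-level
allow/deny decisions the post describes for XAC. The rule format, userids
and policy are constructed and are not XAC's ACACL syntax."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str      # userid pattern, e.g. "OPS.*"
    utility: str      # program or utility name, e.g. "FUP"
    run_as: str       # identity the utility runs under when allowed
    subcommand: str   # "*" or one sub-command, e.g. "LICENSE"
    effect: str       # "ALLOW" or "DENY"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    run_as: Optional[str]   # identity granted, None when denied
    reason: str


# Constructed policy, following the post's example: operators run FUP as
# SUPER.SUPER for their job but never its LICENSE command; in SCF they
# may only STOP processes; a payroll clerk gets FUP INFO as themselves.
POLICY: List[Rule] = [
    Rule("OPS.*", "FUP", "SUPER.SUPER", "*", "ALLOW"),
    Rule("OPS.*", "FUP", "SUPER.SUPER", "LICENSE", "DENY"),
    Rule("OPS.*", "SCF", "SUPER.SUPER", "STOP", "ALLOW"),
    Rule("PAY.CLERK", "FUP", "PAY.CLERK", "INFO", "ALLOW"),
]


def parse_command(line: str) -> Tuple[str, str]:
    """'FUP LICENSE $SYSTEM.SYSTEM.X' -> ('FUP', 'LICENSE'); a bare utility
    name (subcommand '') means the user is entering it interactively."""
    tokens = line.strip().upper().split()
    if not tokens:
        raise ValueError("empty command")
    return tokens[0], (tokens[1] if len(tokens) > 1 else "")


def matching_rules(policy: List[Rule], userid: str, utility: str,
                   subcommand: str) -> List[Rule]:
    userid = userid.upper()
    return [r for r in policy
            if fnmatchcase(userid, r.subject.upper())
            and r.utility.upper() == utility
            and (subcommand == "" or fnmatchcase(subcommand, r.subcommand.upper()))]


def decide(policy: List[Rule], userid: str, line: str) -> Decision:
    """Default deny; any matching DENY beats any ALLOW."""
    utility, sub = parse_command(line)
    rules = matching_rules(policy, userid, utility, sub)
    if sub == "":
        # Entering the utility is fine if some sub-command is allowed; each
        # command typed inside it is then checked through decide() again,
        # so a DENY on one sub-command does not block the whole utility.
        rules = [r for r in rules if r.effect == "ALLOW" or r.subcommand == "*"]
    denies = [r for r in rules if r.effect == "DENY"]
    allows = [r for r in rules if r.effect == "ALLOW"]
    if denies:
        return Decision(False, None, f"denied by {denies[0]}")
    if allows:
        return Decision(True, allows[0].run_as, f"allowed by {allows[0]}")
    return Decision(False, None, "no matching rule (default deny)")


def effective_subcommands(policy: List[Rule], userid: str, utility: str,
                          candidates: List[str]) -> List[str]:
    """Review helper: which of the candidate sub-commands this user could
    actually run, useful when checking separation of duties."""
    return [c for c in candidates
            if decide(policy, userid, f"{utility} {c}").allowed]
```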

So that’s #7: Establish granular control of user activity. Increasing the granularity of control builds on security concepts discussed in earlier blog posts and goes deeper into specific system areas which need closer security management.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Wednesday, September 4, 2013

NonStop Security Fundamentals Top 10 List – #8

Because high-availability and fault-tolerant systems need strong security

This week we’re moving to a simple yet critical fundamental of NonStop security—ensuring individual accountability. While aspects of this were touched upon in both the #10 and #9 NonStop Security Fundamentals, we feel individual accountability is an important enough concept to rate its own entry on the list.

#8: Ensure individual accountability (no shared IDs!)

The NonStop system is shipped with certain shared userids that can be used for privileged or non-privileged access (like SUPER.SUPER or NULL.NULL). However, security best practices and industry regulations, like PCI DSS, require users to have unique userids so that there is clear accountability. This also facilitates effective auditing, remediation and management of individual user rights and access.

These are some areas that must be addressed:

Eliminate shared userids. In the #9 blog we talked about PCI DSS Requirement 8.1 which required all users to have unique userids in order to ensure individual accountability—eliminating the use of shared userids is an extension of that concept. Shared userids, particularly for privileged userids, provide too much access and too little accountability.

Eliminate aliases to privileged userids. Aliases are only available in Safeguard environments and are used to provide alternate user names that can be used to log on to the system. Aliases should not be assigned to privileged userids (like SUPER.SUPER) because the alias gains all the underlying userid’s privileges and Safeguard provides limited auditing of the alias activity. Third-party products like XYGATE Access Control (XAC) can eliminate the need for aliases and provide more extensive auditing. Note, if a company wishes to continue using aliases, any XYGATE module can be configured to restrict the alias’s privileges separately from those of the underlying userid.

While we’re on the topic of userids, let’s cover two additional points about managing personal userids in order to have effective NonStop security with clear accountability:

No personal userids in the SUPER group. Anyone with a personal ID in the group number 255 is a SUPER group member. SUPER group members can set and reset the system time, manage all jobs in the SPOOLER or in PERUSE (regardless of who owns them), and perform all commands within SCF, FUP and several other powerful utilities.

No personal userids assigned to the 255 member of any group. The group member number 255 is the Group Manager ID and should never be assigned as a personal userid. Some of the risks associated with the Group Manager ID are:

• Group Managers can ADD, ALTER or DELETE userids in their own group if Safeguard is not present or is not configured to prevent it.
• Group Managers can “log down” to the userid of any member of the same group without a password unless prevented by Safeguard.
• Group Managers can PROGID any program owned by a group member.
• In Safeguard, the group manager of the Primary Owner of any object’s Protection Record can also modify any Safeguard Protection Records owned by members of the same group.
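The points in this post, as an added example that is not XYPRO's or HP's code: an audit over a NonStop-style user list that flags shared userids, aliases to privileged userids, personal userids in the SUPER group (group 255) and personal userids holding a group's 255 member number. The user list and its `holders` field (who can log on with the id) are constructed for the example.

```python
"""Added example, not XYPRO's or HP's code: an accountability audit over a
NonStop-style user list that flags the cases the post warns about. The
user list and its 'holders' field are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUPER_GROUP = 255    # group number of the SUPER group
GROUP_MANAGER = 255  # member number of every group's manager id


@dataclass(frozen=True)
class UserEntry:
    userid: str                  # "GROUP.NAME", or an alias name
    group_no: int
    member_no: int
    personal: bool               # True when assigned to one named individual
    holders: Tuple[str, ...]     # people who can log on with it (constructed)
    alias_of: Optional[str] = None  # Safeguard alias -> underlying userid


def is_privileged(e: UserEntry) -> bool:
    """Privileged as the post defines it: SUPER group or a group manager."""
    return e.group_no == SUPER_GROUP or e.member_no == GROUP_MANAGER


def audit_users(users: List[UserEntry]) -> List[Tuple[str, str]]:
    """Return (userid, finding) pairs in list order; empty means clean."""
    by_id = {u.userid: u for u in users}
    findings: List[Tuple[str, str]] = []
    for u in users:
        if u.alias_of is not None:
            # An alias inherits all of the underlying userid's privileges
            # and gets only limited Safeguard auditing.
            target = by_id.get(u.alias_of)
            if target is None:
                findings.append((u.userid, "ALIAS-OF-UNKNOWN-USERID"))
            elif is_privileged(target):
                findings.append((u.userid, f"ALIAS-TO-PRIVILEGED:{u.alias_of}"))
            continue
        if len(u.holders) > 1:
            # More than one person can log on as this id: no accountability.
            findings.append((u.userid, "SHARED-USERID"))
        if u.personal and u.group_no == SUPER_GROUP:
            findings.append((u.userid, "PERSONAL-IN-SUPER-GROUP"))
        if u.personal and u.member_no == GROUP_MANAGER:
            findings.append((u.userid, "PERSONAL-AS-GROUP-MANAGER"))
    return findings


# Constructed sample: shipped ids, a personal id in the SUPER group, a
# personal id that is a group manager, a shared batch id and two aliases.
SAMPLE_USERS: List[UserEntry] = [
    UserEntry("SUPER.SUPER", 255, 255, False, ("alice", "bob", "carol")),
    UserEntry("NULL.NULL", 0, 0, False, ("ops1", "ops2")),
    UserEntry("SUPER.JSMITH", 255, 12, True, ("jsmith",)),
    UserEntry("PAY.MANAGER", 100, 255, True, ("dkent",)),
    UserEntry("PAY.CLERK", 100, 12, True, ("pclerk",)),
    UserEntry("PAY.BATCH", 100, 20, False, ("ops-team-a", "ops-team-b")),
    UserEntry("JSMITH", 255, 255, False, ("jsmith",), alias_of="SUPER.SUPER"),
    UserEntry("PCLERK", 100, 12, False, ("pclerk",), alias_of="PAY.CLERK"),
]
```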

Well, that’s #8: Ensuring individual accountability (no shared IDs!). It’s not just an important security best practice but also a PCI DSS requirement.

Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #7.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Monday, August 26, 2013

DBIR 2013 Blog Part II – Data at Rest is Most at Risk

In the last blog in this series, we introduced the 2013 Verizon DBIR, which includes the following facts:

621 confirmed data breaches studied in detail
19 contributors, including government agencies, private security organizations and consulting companies
44 million records compromised
The largest and most comprehensive data breach study performed each year
75% of attacks were opportunistic – not targeted at a specific individual or company – with the majority of those financially motivated
37% of breaches affected financial institutions

In this blog we’re going to look at the report in more detail and see what trends and patterns it shows us. Note that the full report is available at http://www.verizonenterprise.com/DBIR/2013/

Key observations from the report include:

Most Attacks Still Use Basic Techniques

76% of network intrusions exploited weak or stolen credentials.
Over 78% of attack techniques were considered “low” or “very low” in difficulty (on the VERIS scale which Verizon uses to categorize breaches).

14% of breaches were insider attacks

Lax internal practices often make gaining access easier
Over 50% of insiders committing sabotage were former employees using old accounts or backdoors not disabled
Over 70% of IP theft cases committed by internal people took place within 30 days of announcing their resignation

Data at rest is most at risk

Of 621 cases Verizon investigated, none involved data in transit
66% of breaches involved data at rest in databases and file servers (the rest was data being processed when it was accessed)

Types of attack vary depending on industry and region

Small retailers in USA subject to attacks on poorly configured remote systems to access POS data
Banks subjected to ATM skimming and web application attacks
POS attacks much less frequent in Europe than AP and Americas
As we mentioned in the last blog, 37% of breaches affected financial institutions

Spotting a breach isn’t always easy, or quick

66% of breaches in the report took months, or even years, to discover. Note also that this problem is getting worse – in the previous year’s study, this figure was 56%
69% of breaches were spotted by an external party, with 9% being spotted by customers!

We can see from this summary how important it is to look after the basics – implement secure passwords, ensure employees have access to only the data/systems they require, practise good housekeeping with users, protect sensitive data at rest, and be aware of the types of attack that are prevalent for your industry and region.

Interestingly, the good folks at the PCI Security Council seem to be heading to the same conclusions.  Highlights of the upcoming PCI DSS v3.0 specification have just been published by the council, and they indicate a focus on fundamentals.  “For good security, you have to do the basic stuff first,” says Bob Russo, general manager of the PCI Security Standards Council. “In 90% of the breaches we see, the cause is failure to do the basic things like creating strong passwords and monitoring data.”

In the next blog we’ll look at conclusions and recommendations, and see how this all applies to NonStop users.

What do you think – have you read the DBIR?  How relevant is it to your organization and your role?  Let us know via the comments section below, or by emailing me at andrew.price@xypro.com.

Monday, August 5, 2013

NonStop Security Fundamentals Top 10 List – #9

Because high-availability and fault-tolerant systems need strong security

Previously, we started our countdown of the top 10 NonStop Security Fundamentals with “Secure the default system access settings” in the #10 spot. This week we’ll continue on to #9 on our list.

#9: Set-up strong user authentication and password controls

Establishing strong user authentication and password management controls is a critical aspect of any security program and a major requirement for meeting PCI DSS compliance. Safeguard provides the core functionality necessary to do this, and there are additional tools available for extended capabilities and advanced requirements.

Requirement 8 of PCI DSS deals with user identification and password management and is a useful guide even if you’re not subject to PCI compliance—let’s use it as framework for discussion.

PCI DSS 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data.

Providing each user with a unique userid establishes individual accountability within the system. While Safeguard provides the ability to add new users with unique userids, it also has certain privileged userids (e.g., SUPER.SUPER) that by default allow shared access (i.e., no individual accountability). To fully meet this PCI requirement and ensure individual accountability for all users, consider an add-on security solution. For example XYGATE Access Control (XAC) can be deployed to grant users role based access via their own, unique userids while granting and auditing privileged access. Furthermore, XAC can be used to allow an individual user to perform only a restricted subset of what SUPER.SUPER is allowed to do.

PCI DSS 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric

Passwords are the most common method for authenticating a user, and Safeguard has standard support for them and also has password management controls (more on that later). To simplify user management or improve user experience, many companies choose to integrate aspects of NonStop user authentication with an enterprise service such as Active Directory. One way to do this is through XYGATE User Authentication (XUA), which has an LDAP interface for the NonStop. XUA lets companies use those enterprise services, reducing password management overhead and improving users’ experience.

PCI DSS 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.

It is widely accepted that usernames and passwords alone do not provide sufficiently strong authentication—and this is particularly true when it comes to authenticating users from outside the network. To address this security concern, two-factor (a.k.a., multi-factor) authentication has been developed and is required by PCI for remote access.

A common approach for second-factor authentication is the use of a token device, like RSA SecurID. Support for this capability is available through add-on solutions such as XUA. XUA provides additional logon controls beyond what is available through Safeguard, and supports authentication using RSA SecurID.

PCI DSS 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

Protecting passwords during transmission is accomplished by using the secure communications capabilities that are part of the NonStop operating system (SSL or SSH).

To protect stored passwords, Safeguard should be configured to encrypt passwords using the most secure algorithm:
• PASSWORD-ENCRYPT = ON
• PASSWORD-ALGORITHM = HMAC256

PCI DSS 8.5: Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as follows: (subparts 8.5.1 – 8.5.16)

Requirement 8.5 actually has 16 sub-parts relating to different aspects of user identification, authentication and password management. Generally, Safeguard provides the necessary tools to control userids and manage passwords, but there are a couple of key gaps that need to be addressed.

Firstly, the password reset process must be strengthened. While Safeguard allows the reset of user passwords (or this might be done through an enterprise service), PCI 8.5.2 requires that a user’s identity be verified before the reset. To meet this requirement, a company must implement some process or mechanism to confirm identity when a reset is requested. One way to achieve this verification is through XYPRO solutions which can present a user-specific challenge question to the Help Desk along with the expected answer that the user requesting the reset should provide. Furthermore, Safeguard password changes are always local. To do network password changes, NonStop customers will need an add-on product like XYGATE Password Quality (XPQ).

Secondly, the session timeout process must be hardened. PCI 8.5.15 requires re-authentication if a session has been idle for more than 15 minutes. However, NonStop’s native timeout mechanism (TACL configuration) can only timeout a session if the user is at a TACL prompt and users can easily bypass this. XYPRO’s XAC solution solves this problem by forcing timeout of XAC-controlled sessions whether at a TACL prompt or within a utility.

Lastly, many of the aspects of PCI DSS 8.5 fall into the general area of user and password administration—ensuring a strong password format, enforcing password changes, removing inactive/terminated users, failed attempt lockout and duration, etc.—and Safeguard has the ability to do this. However, depending on the number of users, the management overhead for this administration may be high and tools have been developed to assist. For example, XPQ provides password management capabilities which strengthen security while easing administrative effort.

So that’s #9 on our list—set-up strong user authentication and password controls. Do you agree/disagree? Let us know what you think.

In our next post, we’ll discuss NonStop Security Fundamental #8.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).