PowerNews: January 2012

Resolve to Take Security Seriously in 2012
By Robin Tatam, Director of Security Technologies
Now that we’ve rolled through another New Year’s celebration, we’ve left behind one of the worst years on record for data breaches. Privacyrights.org, a consumer advocacy organization, reports that 2011 witnessed a staggering 547 breaches involving more than 30 million records. Companies ranged from small non-profits to industry giants such as Bank of America, Sony, and Epsilon. Interestingly, 86 of those breaches (involving almost 120,000 records) involved insiders with some level of legitimate access. With mitigation costs now surpassing an estimated $200 per record breached, we’re talking about some pretty serious money!
With all of the current investment and focus on legislative compliance, how is this still possible? How can huge multi-national companies continue to fall so hard? It’s actually not that hard to understand. In my opinion, too many companies focus on achieving compliance at the expense of security.
Guidelines Are Simply a Beginning
A simple analogy is to think of obtaining your first driver’s license. As young adults, we study a handbook and take a test to verify that we understand and are compliant with the basic laws of the road. But, do we let newly “certified” drivers loose on busy highways with the expectation that they are now perfect drivers and will never get into an accident? Of course not! The guidelines (hopefully) help us avoid making basic mistakes, but there are many other factors to consider.
One flaw in the guidelines is the assumption that everyone else is adhering to the same rules—something that every speed limit sign and red light camera shows isn’t true. Experienced drivers understand that many things aren’t included in the handbook. We have to expect the unexpected, adapt and use learned experiences to read between the lines, and improvise—sometimes with little or no warning—to avoid an unplanned disaster.
The same is true of computer security. Regulations like Sarbanes-Oxley and HIPAA were never meant to intricately detail how to protect your IBM i database from misuse. These two common regulations (and many others) are basic guidelines regarding access to critical business data. Focusing solely on satisfying compliance can be misguided, and might lead an organization to assume they are secure. In 2011, hundreds of new organizations joined the ranks of those that discovered the reality of making this assumption.
Don’t Sacrifice Security for Compliance
Compliance is an important objective, but it shouldn’t be pursued at the expense of a comprehensive security plan. In fact, taking the time to build and implement a solid security infrastructure will make that objective easier to achieve. New business processes and procedures typically will be required by a compliance standard, but the technology aspect of compliance usually is left to interpretation by an auditor who is often unfamiliar with IBM i. It’s critical, therefore, that you don’t rely on compliance directives as the sole guideline to protecting data access.
Using the analogy of new drivers, testing is important to ensure that we understand and acknowledge the basic rules of the road. However, it’s ultimately the focus on learning and employing good driving skills that’s going to have the greatest impact on the likelihood, magnitude, and consequence of an accident.
Make the Commitment Today
Businesses need to get smarter and become more committed to security. They must allocate a budget to assess and mitigate the largest risks and acknowledge that controls probably will be compromised at some point. The goal is to develop a plan to address possible breach scenarios BEFORE you find yourself in the middle of one. The plan should include the deployment of technology for the timely detection and alerting of a problem, and training of employees designated to respond and react. This is not just theoretical—a number of recent breaches involved warning signs that were not responded to correctly. Many employees never receive adequate training on their company’s security tools, leading to a false sense of security by management.
Look at the Big Picture
Don’t secure only the data at rest in the data center; look at the entire data lifecycle. And, expect the unexpected. Many of last year’s breaches involved collecting credit card information from point-of-sale (POS) devices and ATMs. This came from skimming devices, employee theft, and unauthorized replacement devices at retail store cash registers! We cannot control the intent of the criminal element so we have to devise better ways to deter, detect, and respond. Similarly, lost and stolen laptops might be out of your corporate control, but securing the data stored on them isn’t. And, while we might not classify this like a traditional breach, the Ponemon Institute reports that it happens 637,000 times at U.S. airports every year!
For most organizations, corporate budgets have been established for the upcoming year. If yours doesn’t include money for security-related projects, focus on fully leveraging your existing investments and staff resources for now. Ensure that employees are trained and are optimizing their tools. Remember, while we hope that this year is a vast improvement over last, it’s never too early to start planning for next year.
In 2012, let’s start taking security more seriously.
—————————————————————————————-
Generate and Distribute Audit Reports Automatically
By Robin Tatam, Director of Security Technologies
Remember the humorous MasterCard commercials from a few years ago? In my mind, I see one of them going like this:
- State-of-the-art, 64-bit, multi-core Power7 hardware: $225,000
- Highly securable IBM i operating system: $100,000
- Discovering you can generate and distribute audit reports automatically: PRICELESS
This joke probably isn’t too funny to anyone who’s responsible for generating audit reports from IBM i. Despite the server’s incredible security infrastructure, auditing remains primarily a thankless, manual chore. And, let’s face it, any task that’s thankless and manual probably won’t get done. Even with a commercial audit tool, a user must decide what reports to run, and then compile and interpret the results.
A Basic Audit Scenario
A common report request from auditors is for a list of the powerful users on the system. Your first question is likely to be “what is a powerful user?” Unfortunately, there’s no official auditor’s dictionary (wouldn’t that be nice!)—each auditor has different criteria.
Maybe you can omit IBM-supplied profiles, disabled profiles that haven’t signed on for at least 45 days, and any profiles without a password. They’ll ask for each of those reports separately. Then, don’t forget to include the users from all 15 production IBM i partitions, preferably on a single report so it’s easier to process.
Here’s one way to accomplish this task:
Step 1: Run IBM’s user profile report (PRTUSRPRF) to dump the configuration data for ALL defined users. Print a hard copy of the report, or figure out how to use Navigator for i to download it to your PC.
Step 2: Manually review each user profile to see if it meets the auditor’s criteria—and hope you don’t have too many profiles to deal with! Don’t forget special authorities of the sixteen possible group profiles the user might belong to in case any authority is inherited. Oh, and the report doesn’t include the number of days since prior sign-on, so you’ll have to determine what the date was 45 days ago, and check that manually. And, you’ll also have to manually exclude the “known” users from the report each time.
Step 3: Document the name of the users that remain.
Step 4: Return to Step 1 and repeat for the next server.
Step 5: Aggregate the results into a single report (somehow) and distribute it to the auditor (somehow) in a secure manner.
Step 6: Prepare to prove to the auditor that the information hasn’t been tampered with (since you’re likely to be one of those powerful users). Also, expect to be asked for a lot more than one simple report.
This is a fictitious scenario, but it’s not unrealistic. It doesn’t take very long to realize that the process is tedious, time-consuming, and expensive; not to mention error-prone and arguably considered self-policing.
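As an added example (not PowerTech's, IBM's, or the newsletter's own code), the following Python script applies the auditor's criteria from Steps 1 through 3 to user-profile data and aggregates the results across partitions as in Step 5. Everything in it is an assumption made for illustration: the simplified record fields stand in for data you would export from PRTUSRPRF or DSPUSRPRF, the two partitions and their profiles are constructed, the review date is fixed so the 45-day rule is repeatable, IBM-supplied profiles are recognised by their Q prefix as a simplification, and the set of special authorities that count as "powerful" is one auditor's possible choice rather than an official definition. It does show the two things the manual process gets wrong most often: group-inherited special authorities, and the difference between a disabled profile and a disabled profile that has also been idle for 45 days.

```python
from datetime import date

REVIEW_DATE = date(2012, 1, 15)  # constructed review date so the 45-day check is repeatable
STALE_DAYS = 45                  # scenario: disabled AND idle for at least 45 days
KNOWN_USERS = {"ROBIN"}          # assumption: users the auditor has already accepted
# Assumption: the special authorities this auditor treats as "powerful".
POWERFUL = {"*ALLOBJ", "*SECADM", "*SERVICE", "*AUDIT", "*IOSYSCFG"}


def profile(name, status="*ENABLED", has_password=True, last_signon=None,
            special=(), groups=()):
    """One simplified profile record; field names are constructed, not IBM's."""
    return {"name": name, "status": status, "has_password": has_password,
            "last_signon": last_signon, "special": set(special), "groups": list(groups)}

def days_idle(rec, review_date):
    """Days since the previous sign-on; a profile that never signed on counts as idle forever."""
    if rec["last_signon"] is None:
        return float("inf")
    return (review_date - rec["last_signon"]).days

def is_excluded(rec, review_date):
    """The scenario's omissions: IBM-supplied, stale disabled, no password, known users."""
    if rec["name"].startswith("Q"):  # simplification: IBM-supplied profiles begin with Q
        return True
    if rec["status"] == "*DISABLED" and days_idle(rec, review_date) >= STALE_DAYS:
        return True
    if not rec["has_password"]:      # PASSWORD(*NONE)
        return True
    return rec["name"] in KNOWN_USERS

def effective_special(rec, by_name):
    """Own special authorities plus those inherited from each group profile.
    Returns (authorities, {authority: group it came from}); unknown groups are skipped."""
    auths = set(rec["special"])
    inherited = {}
    for grp in rec["groups"]:
        g = by_name.get(grp)
        if g is None:
            continue
        for a in g["special"]:
            if a not in auths:
                inherited[a] = grp
            auths.add(a)
    return auths, inherited

def audit_partition(system, profiles, review_date=REVIEW_DATE):
    """Steps 1-3 for one partition: filter, resolve inheritance, keep the powerful users."""
    by_name = {p["name"]: p for p in profiles}
    rows = []
    for rec in profiles:
        if is_excluded(rec, review_date):
            continue
        auths, inherited = effective_special(rec, by_name)
        hits = auths & POWERFUL
        if hits:
            rows.append({"system": system, "user": rec["name"], "powerful": sorted(hits),
                         "via": {a: inherited[a] for a in hits if a in inherited}})
    return rows

def audit_all(partitions, review_date=REVIEW_DATE):
    """Step 5: aggregate every partition into one sorted report."""
    rows = []
    for system, profiles in partitions.items():
        rows.extend(audit_partition(system, profiles, review_date))
    return sorted(rows, key=lambda r: (r["system"], r["user"]))

def format_report(rows):
    """Plain-text report that shows which authorities were inherited and from where."""
    lines = ["SYSTEM   USER       POWERFUL AUTHORITIES (inherited via group)"]
    for r in rows:
        auth_text = ", ".join(a + (f" (via {r['via'][a]})" if a in r["via"] else "")
                              for a in r["powerful"])
        lines.append(f"{r['system']:<8} {r['user']:<10} {auth_text}")
    return "\n".join(lines)


# Constructed sample profiles for two partitions (not real systems or users).
SAMPLE = {
    "PROD1": [
        profile("QSECOFR", special=["*ALLOBJ", "*SECADM"], last_signon=date(2012, 1, 14)),
        profile("SECGRP", has_password=False, special=["*SECADM"]),          # group profile
        profile("ADMIN1", special=["*ALLOBJ"], last_signon=date(2012, 1, 10)),
        profile("OPER2", groups=["SECGRP"], last_signon=date(2012, 1, 12)),  # inherits *SECADM
        profile("OLDDEV", status="*DISABLED", special=["*ALLOBJ"], last_signon=date(2011, 9, 1)),
        profile("NEWDIS", status="*DISABLED", special=["*ALLOBJ"], last_signon=date(2012, 1, 5)),
        profile("SVCACCT", has_password=False, special=["*ALLOBJ"]),
        profile("ROBIN", special=["*ALLOBJ"], last_signon=date(2012, 1, 14)),
    ],
    "PROD2": [
        profile("GRPA", has_password=False, special=["*SAVSYS"]),
        profile("ADMIN1", special=["*ALLOBJ"], last_signon=date(2012, 1, 14)),
        profile("BATCHUSR", groups=["GRPA", "MISSING"], last_signon=date(2012, 1, 13)),
    ],
}

if __name__ == "__main__":
    print(format_report(audit_all(SAMPLE)))
```

On the constructed data, four users survive the filters: ADMIN1 on both partitions, NEWDIS (disabled, but only ten days idle, so the 45-day rule does not remove it), and OPER2, whose *SECADM comes entirely from the SECGRP group profile and would be missed by anyone reading only the user's own profile. Recording the group an authority came from is what lets the report stand up to the auditor's "prove it" in Step 6.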
A Basic Audit Scenario (Revised)
Compliance Monitor has the reports you need. Powerful (and modifiable) filters you can apply to the data make child’s play out of creating custom audit reports. And, its assessment scheduling and distribution function allows you to run reports at regular intervals across multiple systems and distribute them on completion.
Let’s take another look at that scenario, now using Compliance Monitor 3:
Step 1: Point and click to select the systems to assess.
Step 2: Point and click to select from the hundreds of available reports.
Step 3: Specify the run schedule (optional) and distribution requirements.
Step 4: Sit back and relax.
You can send the reports automatically via e-mail as individual files, or bundled into a password-protected (and encrypted) zip file. Report files can be editable, or PDFs that are digitally signed to reassure auditors that the information hasn’t been tampered with. If you prefer, you can place the reports in the IFS for the user to access.
[Figure: Compliance Monitor offers batch scheduling and e-mail distribution of audit reports.]
Compliance Monitor eliminates the burden of audit reporting. Its hundreds of report options give visibility to static information, such as user profiles and system values, as well as dynamic events recorded into the security audit journal, QAUDJRN. Priceless—YES!
—————————————————————————————-
Q & A with Paulie Culin
Dear Paulie,
Some of my Authority Broker reports are blank, even though I know there was activity during the requested time period. What would cause this?
A: Authority Broker records its activities to the security audit journal, QAUDJRN. When you request an Authority Broker activity report, the journal receivers on your system are checked for the entries that correspond to the date and time range specified. If the receivers that contain those entries have been removed from your system, the report will be blank. You’ll need to restore the receiver(s) to get the information you want.
You should consider automating your Authority Broker reports to prevent future problems. Schedule the LEVENTRPT command in a job scheduler, such as Robot/SCHEDULE. Press F4 to display the command prompt panel and complete the command parameters.
Dear Paulie,
How can I determine if the latest version of Compliance Monitor will run on my system?
A: Compliance Monitor Version 3 includes a Windows executable “pre-checker” utility (CM3CHECKER) that determines if your system meets the product’s prerequisites. You can run the pre-checker prior to a new install or an upgrade. The pre-checker uses an installation wizard to send a save file to your system, where you can restore it and run the program. When it completes, it generates a spooled file that identifies any prerequisites you might be missing.
The pre-checker also is available as a separate download from the PowerTech website.