
BREACH AFTER BREACH, BUT WHAT IS THE LESSON?

by Henry Fonseca

Stop me if you’ve heard this before: “BREAKING NEWS – Massive data breach of Company XYZ, millions of customers’ data compromised, extent of the breach still unknown!” Cue the generic PR emails attempting to reassure the masses that “everything in our power is being done to investigate this breach”, but, most importantly, to appease regulators in order to avoid massive fines.

Sounds familiar, right? That’s because data breaches in the business sector have increased from 20% in 2005 to a whopping 55% in 2017, according to a recent study published by the ITRC (Identity Theft Resource Center). It seems like every other week there is a new report of a massive data breach, to the extent that we have become completely desensitized to this news. It’s simply no longer shocking.

Take the latest example, the Marriott hack, which took place over a period of four years (2014 to 2018). Marriott has not finished identifying the information that was compromised, but believes the database contains information on up to 500 million guests! The information includes some combination of name, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates. To say that a lot of personal information was compromised would be the understatement of the year.

It is scary to know that an organization this large, with this many resources, took its cyber-security for granted and was compromised for so long without a single clue that a breach of this magnitude was taking place. The financial repercussions are clear: a July 2018 “Cost of a Data Breach” study, sponsored by IBM Security and independently conducted by Ponemon Institute, LLC, determined that the average cost of a data breach is $3.86 million US. This figure includes the unexpected and unplanned loss of customers following a data breach, the size of the breach, the number of records lost or stolen, and post-breach costs, including the cost to notify victims.

That number is massive and so is the loss of confidence from customers and the market. The industries that were targeted the most were, not surprisingly, the financial services sector, industrial & manufacturing, technology, retail and the public sector.

After digesting all of this information, what lessons can we learn? How can you prevent a breach from happening to you? There is one clear answer: you must HARDEN your system!

THE IMPORTANCE OF HARDENING YOUR NONSTOP PLATFORM

What is Security Hardening?

In simple terms, security hardening involves applying best practices to your system and verifying that these practices are in place. A major objective of compliance, security hardening is the implementation of a series of measures designed to make a system less vulnerable to attack. A “hardened” system has stronger security layers, making it more difficult to compromise.

Obvious security recommendations, such as the use of strong passwords, are helpful measures when trying to prevent breaches or hacks. However, stronger defenses, such as ensuring correct OSS access permissions, can be more challenging to implement without the right guidance. Information on security hardening practices tends to be scattered and difficult to analyze and execute.

Why is Security Hardening Important?

A system which has not been properly hardened against an attack is increasingly a tangible and quantifiable risk.

Security breaches, loss of personal data, stolen credit card information, etc., have all become daily occurrences in the modern world and, as NonStop systems move to the x86 platform, more applications will likely be ported to OSS. This means that after an x86 migration, open-source tools will increasingly be deployed in environments where they could not previously run.

Ensuring that your system is hardened will not only make it more resistant to attacks, but will also prevent internal users from making unintended mistakes that can cause loss or damage.

Hardening a system is not only relevant when trying to prevent potential breaches or insider attacks, but also to avert “drift and decay” of security settings that have already been implemented. Drift and decay occurs when security settings that had been applied in accordance with corporate and legal policies (the baseline security) were changed over time, for various reasons, but were never reset to their intended values. This means that a system that was once secure might now have vulnerabilities ranging from orphan files and orphan users to file and directory settings that are no longer compliant with policy. You can no longer rely on the “set-it-and-forget-it” mentality.
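The drift-and-decay check described above, as an added illustration rather than code from the article or from Protect-X®: a recorded baseline of OSS owners and permission modes is compared with a later snapshot, surfacing mode drift, owner drift, orphan files (owner no longer exists), orphan users (accounts never approved in the baseline) and files the baseline never covered. All paths, users and modes are constructed sample data.

```python
import stat

# Constructed baseline: the owner and POSIX mode each OSS path had when the
# system was hardened (values invented for this example).
BASELINE_FILES = {
    "/home/payments/app.conf": {"owner": "payadm", "mode": 0o640},
    "/home/payments/bin": {"owner": "payadm", "mode": 0o750},
    "/var/log/payments": {"owner": "payadm", "mode": 0o750},
}
BASELINE_USERS = {"payadm", "super.super"}

# Constructed snapshot of the same system some months later.
CURRENT_FILES = {
    "/home/payments/app.conf": {"owner": "payadm", "mode": 0o666},   # loosened for a quick fix
    "/home/payments/bin": {"owner": "payadm", "mode": 0o750},        # still compliant
    "/var/log/payments": {"owner": "contractor1", "mode": 0o750},    # owner no longer exists
    "/home/payments/debug.sh": {"owner": "tempdev", "mode": 0o777},  # never in the baseline
}
CURRENT_USERS = {"payadm", "super.super", "tempdev"}


def find_drift(baseline_files, baseline_users, current_files, current_users):
    """Compare the live snapshot to the baseline; return sorted (subject, kind, detail) findings."""
    findings = []
    for path, expected in baseline_files.items():
        actual = current_files.get(path)
        if actual is None:
            findings.append((path, "missing", "in baseline but absent from system"))
            continue
        if actual["mode"] != expected["mode"]:
            findings.append((path, "mode-drift",
                             f"expected {oct(expected['mode'])}, found {oct(actual['mode'])}"))
        if actual["owner"] != expected["owner"]:
            findings.append((path, "owner-drift",
                             f"expected {expected['owner']}, found {actual['owner']}"))
    for path, actual in current_files.items():
        # A file whose owner no longer exists on the system is an orphan file.
        if actual["owner"] not in current_users:
            findings.append((path, "orphan-file", f"owner {actual['owner']} does not exist"))
        if path not in baseline_files:
            detail = "not covered by baseline"
            if actual["mode"] & stat.S_IWOTH:  # world-writable: call it out explicitly
                detail += ", world-writable"
            findings.append((path, "unbaselined", detail))
    # Accounts that exist but were never approved in the baseline are orphan users.
    for user in current_users - baseline_users:
        findings.append((user, "orphan-user", "exists on system but not in baseline"))
    return sorted(findings)
```

Running the check on a schedule and diffing successive reports is what turns a one-off hardening into a maintained baseline.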

Even if an OSS environment is limited to IBM MQ or SQL/MX, for example, creating and applying a general OSS security policy is strongly recommended, given that OSS environments which have not been properly secured can easily be hacked.

One of the key challenges facing the NonStop platform is limited expert availability. An expert user must handle all of the NonStop’s critical operations and also train non-experts to perform general tasks in order to alleviate their workload. CSP understands this and has developed a tool that was built to do that work for you – Protect-X®.

Let the Expert Handle It! – Automated Expert Compliance with Protect-X®

Protect-X® is a highly advanced, browser-based security hardening & compliance solution for NS, NS-X and Linux servers. Protect-X® was built using an agentless design, so there is nothing to install on your NonStop servers. All security is managed off-platform, via very fast and strongly encrypted connections.

Protect-X® is a powerful tool that can be completely customized to suit your specific needs. It places all the power in your hands, but simplifies and automates many of the routine tasks.

Protect-X® user interface

One of the key advantages of Protect-X® is that once configured, non-experts can ensure compliance standards are being properly maintained. Any changes requested must be authorized by an expert administrator before they can be implemented.

The use of Protect-X® is completely role-based. This allows an expert to delegate and assign tasks to non-experts by giving them a customizable role. Non-expert users can then confidently carry out day-to-day functions with ease.

Protect-X® Highlights:

  • Offers role-based compliance hardening for SAFEGUARD™️ & OSS users
  • Ensures compliance via “Verify & Explain” access features
  • Developed using cross-platform agentless design; deploy on Win, Mac, Linux, etc…
  • Includes improved reporting
  • Enabled for multi-factor authentication

With Protect-X® you can also easily compare your systems’ settings against industry-standard hardening policies, gaining a quick visual overview of compliance vulnerabilities. It supports OSS hardening and permissions management, as well as SAFEGUARD™️ Globals compliance and User, Alias and Group management. The latest version, 4.0, supports Guardian file permission management, offers Guardian user & alias hardening, supports multi-factor authentication, and delivers enhanced file & user access reports.

Protect-X® Hardening screen

The Protect-X® interface makes it easy to view current system details and adjust settings as necessary to bring them into compliance with accepted or locally-set standards. Compliance checks and reports may be run either once or on a regular schedule. Any system changes are subject to the Protect-X® role-based change management function, allowing responsibility for security activities to be distributed among many users while retaining overall administrative control. All changes, whether just proposed or implemented, are captured in the system audit log, which can be forwarded to your SIEM system.

Request a Test Drive of Protect-X® Today!

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a security measure that requires two or more methods of authentication, from independent categories of credentials, to verify a user’s identity for a login or other transaction.

In other words, multi-factor authentication verifies that the person attempting to perform a transaction is who they say they are, by requiring two or more pieces of evidence (factors) to an authentication request.

These factors can be categorized into the following:

  • Possession – Something only the user has, e.g. token
  • Inherence – Something only the user is, e.g. fingerprint/biometrics
  • Knowledge – Something only the user knows, e.g. password

The authentication mechanisms used for MFA should be independent of one another such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.

Why is Multi-Factor Authentication so critical on NonStop?

Multi-factor authentication (MFA) is increasingly becoming one of the more critical security requirements for complying with regulations such as PCI 8.3 and GDPR, as well as for providing superior safety over easily compromised single-password methods. Any application that has access to the cardholder environment must include multi-factor authentication: from legacy Pathway applications to the latest RESTful interfaces, effective MFA must be provided for tools and applications that have the potential to access these environments.

What does PCI say about Multi-Factor Authentication?

One of the key changes to PCI DSS is an update to requirement 8.3, which now calls for organizations to strengthen their access security with MFA instead of the previously stated two-factor authentication. With this change of terminology in requirement 8.3, two forms of authentication are now the minimum requirement.

As detailed in PCI DSS version 3.2, any individuals with non-console administrative access to Cardholder Data Environment (CDE) must authenticate using MFA. “Non-console administrative access” means that the system is accessed over a network, as opposed to the system’s local screen and keyboard. This applies regardless of whether the individual is an employee or third-party IT support personnel.
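The two rules this section and the factor list above lay out, as an added example that is not code from the article or from CSP Authenticator+: a login is MFA only if the presented methods span at least two independent factor categories (a password plus a PIN is still one factor), and non-console administrative access to the CDE must not be allowed without it. The method names and their category mapping are constructed for the example, not product configuration values.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows, e.g. a password
    POSSESSION = "possession"  # something only the user has, e.g. a token
    INHERENCE = "inherence"    # something only the user is, e.g. a fingerprint


# Constructed mapping from authentication method to factor category
# (illustrative names, not CSP Authenticator+ configuration values).
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "securid_token": Factor.POSSESSION,
    "authenticator_app": Factor.POSSESSION,
    "sms_code": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def factor_categories(methods):
    """Distinct categories covered by the presented methods; unknown methods count for nothing."""
    return {METHOD_CATEGORY[m] for m in methods if m in METHOD_CATEGORY}


def is_mfa(methods):
    """Two methods from one category (password + PIN) are not MFA; two independent categories are."""
    return len(factor_categories(methods)) >= 2


def mfa_required(in_cde, is_admin, is_console):
    """Requirement 8.3 as the article states it: non-console (network) administrative
    access to the Cardholder Data Environment must authenticate with MFA."""
    return in_cde and is_admin and not is_console


def evaluate_login(methods, in_cde, is_admin, is_console):
    """Return (allowed, reason) for a login attempt; fail closed when MFA is required but not met."""
    if not methods:
        return False, "no authentication presented"
    if mfa_required(in_cde, is_admin, is_console) and not is_mfa(methods):
        cats = ", ".join(sorted(c.value for c in factor_categories(methods)))
        return False, f"non-console admin access to CDE requires MFA; presented categories: {cats or 'none'}"
    return True, "authenticated"
```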

An Exciting New Solution for MFA: CSP Authenticator+

Multi-Factor authentication has become vital in ensuring secure access to systems. The new CSP Authenticator+ provides a RESTful interface to support multi-factor authenticated logins to NonStop systems.

A ground-breaking new feature of Authenticator+ is that we added support for different primary authentication methods such as RADIUS, Active Directory, Oracle ID Manager, OpenLDAP and RSA cloud. Primary authentication has been enabled for any application that supports LDAP. User Rights Synchronization is now available, making it easier than ever before to integrate a NonStop system into the corporate authentication platform.

CSP Authenticator+ can be used as a SAFEGUARD™️ Authentication SEEP or with Pathway and non-Pathway applications. Methods supported include RSA SecurID, Email, Text Message, Google Authenticator and RADIUS. You can now enable MFA logins for different applications, making them more secure!

CSP Authenticator+ resides on the NonStop Platform and uses an OSS “bridge” to connect via a RESTful interface to the CSP Authenticator+ web server. Almost any application, including TACL, can now easily support Multi-factor authentication.

CSP Authenticator+ Workflow

Key features include:

  • Supports primary and secondary (MFA) authentication factors
  • Provides a RESTful interface for MFA login
  • Can be used as a SAFEGUARD™️ SEEP or with Pathway & non-Pathway applications
  • Self-hosted web application
  • Resides on the NonStop platform

For more information on CSP solutions visit www.cspsecurity.com
For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com

We Built the Wiki for NonStop Security®
Regards,
The CSP Team
+1(905) 568 – 8900