Archive for the ‘Tips and Tricks from Techies’ Category

Reloads are from MARS?

Tuesday, May 28th, 2013
XYPRO partnered with MERLON (www.merlon.com) some time ago to assist our customer base with their database needs.  The MERLON suite of products simplifies access to NonStop data and helps automate one of the most time consuming tasks on the system:  reorgs.

Index levels too high?  Block splits getting you down?  Database just not performing like it used to?  If you change the oil in your car, why don’t you perform similar maintenance on your database?

Depending on the size and complexity of your NonStop database, the task of deciding what needs maintenance, and when, grows from too many hours per week to all of them and beyond.  NonStop SQL objects (tables and indexes, both MX and MP) have been architected from the beginning to be distributed, that is, partitioned across disks and nodes.  This is great for performance (think MapReduce at Google), but it is a killer for maintenance.  If each table were a single physical object, maintaining it would be a snap, but your performance would be like that of Oracle.  Since our objects are distributed, so is our maintenance.  Don’t treat all your objects the same; they most likely have unique performance characteristics and require individual attention.

MARS simplifies all this by doing the heavy lifting, sifting and sorting for you.  And it will manage your valuable host resources as well.  Simply configure it on day one, and let it manage your reload schedule from then on.

Not sure what needs a reorg?  Worried about overloading TMF?  Not enough scratch tapes in the middle of the night?  MARS scans any or all of the structured objects on your host on a schedule that you define and allows you to decide what qualifies for a reload.  MARS also does a more efficient job of scanning your structured objects by sampling rather than scanning large objects (again, based on YOUR requirements).  MARS currently monitors the following resources and allows operations staff to decide all thresholds for MARS activity:  CPU utilization, TMF transaction rate, audit trail capacity, available scratch tapes, and disk dump space.

XYPRO uses MARS in-house to manage a growing number of SQL and Enscribe objects in our multiple environments.  It improves performance and greatly reduces the amount of time normally allocated to database maintenance.

Check the XYPRO website for more information. For a demonstration of the power of MARS, contact your local XYPRO sales representative at https://www.xypro.com/xypro/contact

Rob Lesan

Professional Service Manager

XYPRO Technology Corporation

www.xypro.com

Still believe that OSS security isn’t as robust or as easy to maintain as Guardian?

Sunday, May 5th, 2013

XYGATE Object Security (XOS) Active and Dynamic RBAC make static ACLs and policy implementers for Safeguard and OSS redundant.

Taking advantage of the recently released OSS Security Event Exit Process (SEEP) interface from HP, XYPRO now offers an upgrade to our standard XOS product that applies security dynamically and instantaneously for both Guardian and OSS environments, virtually eliminating the need to manage complex Guardian, Safeguard and OSS security.

Using simple Role Based Access Control rules, XOS applies security at the time of request based on logical object and user groupings and extends access decision criteria to any object attribute rather than just the object name.

Click here to learn more about XYGATE Object Security and how you can reduce your security management load and massively improve the level of security on your NonStop server at the same time…

https://www.xypro.com/xypro/resources/news_full

To arrange a free evaluation, contact your local XYPRO Sales Rep:  https://www.xypro.com/xypro/contact

Barry Forbes

VP of Sales & Marketing

XYPRO Technology Corporation

www.xypro.com

Strong Authentication. The Device Is The Key™

Monday, July 30th, 2012
NetAuthority irrefutably identifies and authenticates connected devices.

In today’s world of mobility, cloud computing, virtual workforces, social networks, and online businesses, stronger authentication for identity and access management is more critical than ever. Security vulnerabilities are skyrocketing and malicious attacks are being unleashed in unprecedented numbers with increasing sophistication, resulting in massive information and economic losses.

Identity and Access Management has historically focused on the attributes of a person’s identity. User ID and passwords are still often the only form of authentication used by organizations. Traditional forms of multi-factor authentication are not designed to address the explosive growth in internet-connected devices and online activity and are unable to meet the needs of scalability, ease of use, affordability, and mass-deployment that the online-connected world requires.

Today’s organizations are faced with the following challenges:

• Knowing the devices that are connected to applications and networks without owning them
• Knowing that the devices accessing the network are actually in the hands of authorized users
• Implementing access authentication solutions that are secure, cost-effective, easy-to-use, and highly scalable
• Implementing access authentication solutions that provide flexibility and multi-dimensional security that complements existing systems and infrastructure
• Ensuring that regulatory compliance requirements and security best practices are addressed

NetAuthority’s Device Authentication Service addresses these issues and more through:

• Irrefutable identification of the device via its Dynamic Device Key, linking the user with the identified device for strong authentication security.
• Notifications and alerts providing organizations with immediate visibility to unauthorized users attempting to gain access, unauthorized devices, and more. Organizations are now empowered to quarantine or even blacklist devices for greater security.
• A flexible, mass-deployable, user-transparent, and cost-effective strong authentication solution, unlike other “something I have” authentication methods.
• A secure service API to interface with existing user management systems, monitoring systems, and log management solutions to leverage prior investment.
• A SaaS-based service, so strong authentication can easily be implemented based on an organization’s assessment of risk and information assets.
• Satisfying regulatory and best practices requirements for strong authentication and compliance.

NetAuthority’s Device Authentication Service provides strong authentication security with unprecedented control and visibility to both the Who and What is accessing online applications, accounts and information.

To learn more about our Device Authentication Service for strong authentication and compliance, please contact us at netauthority@xypro.com

Barry Forbes
VP of Sales & Marketing
XYPRO Technology Corporation
www.xypro.com

Cybercrime Costs Continue to Dramatically Rise

Wednesday, August 10th, 2011

The recent HP-sponsored study on cybercrime costs (“The Second Annual Cost of Cybercrime Study”, conducted by the Ponemon Institute http://bit.ly/ql8JXP) produced a wealth of interesting and valuable data on the increasing costs of cybercrime.  Some of the key points of the study, which looked at a sample of 50 US organizations, included:

  • The average annualised cost of cybercrime to each company was $5.9M, ranging from $1.5M to $36.5M
  • These figures represent a 56% increase over the inaugural study conducted last year
  • The number of attacks increased by 45% from last year’s study.  The companies studied were affected by a total of 72 attacks each week – an average of 1.4 attacks per company per week
  • 90% of all cybercrime costs were caused by malicious code, denial of service, stolen devices and web-based attacks
  • Average time to resolve cyber attacks was 18 days, with an average cost of $416,000 per attack – a 67% increase from 2010
  • Smaller companies are not immune from cyber attacks, and in fact these attacks cost smaller companies more on a per capita basis
  • Deploying SIEM solutions can mitigate the impact of cyber attacks.  Organizations with SIEM solutions in place realized a saving of 25% because of the ability to quickly detect and contain cybercrimes.
  • Companies that deployed a Governance, Risk and Compliance (GRC) program saw significantly reduced costs associated with cyber crime compared with companies that did not have a GRC program.  Average costs for the GRC group were $6.8M versus $9.4M for the non-GRC group

Perhaps the most interesting fact to come from the study was:

…recovery and detection are the most costly internal activities, highlighting a significant cost-reduction opportunity for organizations that are able to automate detection and recovery through enabling security technologies.

Reading between the lines of this summary, a few things come to light.  A significant share of cyber attacks are “inside jobs”, or depend on the attacker first obtaining an insider’s level of access.  Malicious code, stolen devices and other forms of attack are far more practical once the attacker is operating with the privileges of an insider.  As such, putting controls in place within the enterprise is critical.  As mentioned in my last blog, ensuring that employees have the ability to do the tasks related to their jobs, and nothing more, is of utmost importance.  Tracking commands issued and security events at a granular level to allow for quick identification of cyber attacks is key to reducing the number and duration of attacks, and therefore the cost.  SIEM devices, whilst extremely useful, need to have data fed to them from all systems and applications in the enterprise to ensure early detection of issues.

Additional methods of detection should also be considered – have critical files had attributes changed?  Have users been given access that they previously did not have? Have privileged programs, that may be malicious, been installed?

In the NonStop environment, only the XYGATE security suite from XYPRO provides all these capabilities, in an integrated, centrally managed solution.  XYGATE Access Control ensures that only the necessary levels of access to system resources are granted.  All commands and subcommands are audited.  XYGATE Merged Audit integrates consolidated audit data on the NonStop, to give a unified view of all security activity.  It optionally feeds that data to SIEM devices, allowing the NonStop to participate in the single view of the enterprise.

Perhaps most importantly, XYGATE Compliance PRO monitors a wide range of data on your NonStop, and alerts you when aspects of your system configuration fall outside previously defined boundaries, including unauthorised PROGID’ed programs, users with unauthorized access and unauthorized files on system volumes. Compliance PRO can also compare files from one scan to another, alerting the security administrator if a file’s size changes, or if the security configuration of two systems that previously matched is now different.
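The three detection questions above (changed file attributes, newly granted access, newly installed privileged programs) come down to diffing a baseline scan against a later one. The following Python is an added illustration of that comparison and is not Compliance PRO code or any XYPRO product logic; the record layout (name, owner, Guardian security string, size, PROGID and LICENSE flags), the access-grant notation and the two sample scans are all constructed for the example.

```python
"""Added example, not XYPRO Compliance PRO code: diff two scans of file attributes
and of user access grants, flagging the changes an auditor asks about. The record
layout and the sample scans below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    name: str       # $VOL.SUBVOL.FILE
    owner: str      # group,user
    security: str   # Guardian RWEP security string
    size: int
    progid: bool    # PROGID set: program runs with the owner's user ID
    licensed: bool  # LICENSE set: program may use privileged operations


def parse_scan(text):
    """Parse 'name|owner|security|size|progid|licensed' lines (constructed format)."""
    recs = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, owner, sec, size, progid, lic = (f.strip() for f in line.split("|"))
        recs[name] = FileRecord(name, owner, sec, int(size), progid == "Y", lic == "Y")
    return recs


def diff_files(baseline, current):
    """Return sorted (severity, message) findings between two file scans."""
    findings = []
    for name, rec in current.items():
        old = baseline.get(name)
        if old is None:
            flags = [f for f, on in (("PROGID", rec.progid), ("LICENSE", rec.licensed)) if on]
            sev = "HIGH" if flags else "MEDIUM"
            findings.append((sev, f"{name}: new file" + (" with " + "+".join(flags) if flags else "")))
            continue
        if rec.progid and not old.progid:
            findings.append(("HIGH", f"{name}: PROGID newly set (runs as {rec.owner})"))
        if rec.licensed and not old.licensed:
            findings.append(("HIGH", f"{name}: LICENSE newly set"))
        if rec.security != old.security:
            findings.append(("HIGH", f"{name}: security changed {old.security} -> {rec.security}"))
        if rec.owner != old.owner:
            findings.append(("MEDIUM", f"{name}: owner changed {old.owner} -> {rec.owner}"))
        if rec.size != old.size:
            findings.append(("LOW", f"{name}: size changed {old.size} -> {rec.size}"))
    findings += [("MEDIUM", f"{name}: file removed") for name in baseline if name not in current]
    return sorted(findings)


def diff_access(baseline, current):
    """Grants a user holds now but did not hold before: {user: {grant, ...}}."""
    gained = {u: g - baseline.get(u, set()) for u, g in current.items()}
    return {u: g for u, g in gained.items() if g}


# Constructed scans: a day-one baseline and a later rescan of the same system.
SCAN_BASELINE = """
$SYSTEM.SYSTEM.TACL | 255,255 | NUNU | 120000 | N | Y
$SYSTEM.SYSTEM.FUP  | 255,255 | NUNU |  80000 | N | Y
$DATA.APP.PAYROLL   | 100,1   | OOOO |  50000 | N | N
$DATA.APP.REPORT    | 100,1   | GGGO |   3000 | N | N
"""
SCAN_TODAY = """
$SYSTEM.SYSTEM.TACL    | 255,255 | NUNU | 120000 | N | Y
$SYSTEM.SYSTEM.FUP     | 255,255 | NUNU |  80000 | N | Y
$DATA.APP.PAYROLL      | 100,1   | AAAO |  50000 | N | N
$DATA.APP.REPORT       | 100,1   | GGGO |   3100 | N | N
$SYSTEM.SYSTEM.NEWTOOL | 255,255 | NUNU |   4096 | Y | N
"""
# Constructed access grants, "pattern:permission" per user (notation is an assumption).
ACL_BEFORE = {"APP.OPER": {"$DATA.APP.*:R"}, "APP.DEV": {"$DATA.APP.*:R", "$DATA.APP.*:W"}}
ACL_AFTER = {"APP.OPER": {"$DATA.APP.*:R", "$DATA.APP.*:P"}, "APP.DEV": {"$DATA.APP.*:R"}}


def run_example():
    """Diff the constructed scans; returns (file findings, newly gained grants)."""
    return diff_files(parse_scan(SCAN_BASELINE), parse_scan(SCAN_TODAY)), diff_access(ACL_BEFORE, ACL_AFTER)


if __name__ == "__main__":
    files, access = run_example()
    for sev, msg in files:
        print(f"[{sev}] {msg}")
    for user, grants in access.items():
        print(f"[HIGH] {user} gained {sorted(grants)}")
```

Severity is driven by what the change lets an attacker do: a newly PROGID’ed or LICENSEd program, or a security string opened from owner-only to any-user, is a high finding regardless of where the file sits; a size change on its own is only a hint and is reported low so that it is still visible in the trail. Revoked grants are deliberately not reported by diff_access, since the question the auditor asks is who gained access.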

So, as the incidence and costs of cybercrime continue to rise, it becomes even more important to pay attention to your critical data and applications, and the users who are able to access them.  Automating as much of this process as possible is important in reducing the time for detection, and therefore the costs of these incidents.   XYPRO can help with this – please contact me at andrew_p@xypro.com or your local XYPRO representative for more information.

Andrew Price
Director, Product Management
XYPRO Technology Corporation

Hard on the outside, soft and chewy on the inside…

Monday, July 11th, 2011

The title refers to a great quote from a recent Tom Kemp article on Forbes.com http://blogs.forbes.com/tomkemp/2011/07/05/as-hacks-proliferate-new-security-technology-emerges-to-monitor-privileged-it-users/, explaining that the old way of securing a computer system (let only trusted people logon, then let them do whatever they want), no longer suffices.  Of course, on NonStop we’ve always had more control over our users than that, but it’s worth considering whether further improvements to security are in order.

These days, with SOX, HIPAA and PCI regulations insisting that we more closely monitor all actions performed by all users, the “hard on the outside, chewy on the inside” approach is not enough.  Guardian and Safeguard allow some level of control over file access, and utility program execution, but do not give the fine-grained access control, nor the necessary level of auditing, that is required.

The XYGATE Access PRO suite, and the Access Control module it includes, greatly extend the basic access control capabilities provided by the native NonStop security subsystem.  NonStop security administrators can control the specific commands and subcommands that each user can issue from any NonStop utility program.  Users can also be granted access to specific commands that would normally be outside their capabilities, meaning that shared access to Super and Manager IDs is no longer required for those users to be able to do their job.  All commands are audited, and full keystroke logging is also supported.

Once you have implemented more granular access control, the next step in securing your system is to put a good level of auditing in place.  The PCI Data Security Standard (DSS) requirement 10, for example, states “Track and monitor all access to network resources and cardholder data”.  What this means will be specific to your application and environment, but again, it will require more than the standard Guardian/Safeguard levels of security to achieve compliance.

XYGATE Access PRO supports all this functionality, and has done so since 1990, back when PCI was just a glimmer in someone’s eye.  Whilst the NonStop has always had an enviable security record, my new colleagues at XYPRO have constantly been thinking of ways to ensure that our customers reduce their risk of finding themselves on the front page due to a security incident.  For more information on XYGATE Access PRO, see https://www.xypro.com/index.php?id=24 or contact me at andrew_p@xypro.com.

Andrew Price
Director, Product Management
XYPRO Technology Corporation

Overwhelmed with PCI reporting requirements? XSW (part 3 of 3)

Monday, January 25th, 2010

PCI compliance requires a diverse set of specific checks and reports on many different parts of an HP NonStop system: databases, security access, application models, networks, encryption, users, and so on.  The manual HP tools each have their own export format; some produce a report-style layout, but most emit unstructured text, which is usually not helpful at all.  In fact, trying to create manual PCI reports for an HP NonStop system is a recipe for losing your hair!

Using XYPRO’s Security Compliance Wizard (XSW) you can load this diverse data into a consistent and query-able format, cutting PCI reporting down to size. XSW can then be used to create PCI reports in a standard printable format, regardless of whether the data concerns Users, Safeguard, disk files, PATHWAY, OSS files and directories, SQL/MX or Network information.

To start off, XSW provides you with over a hundred standard PCI reports and cross-references the PCI naming conventions to HP NonStop terminology, making it easier for you to complete the PCI reporting task.  For cycles of compliance, as required for PCI, XSW automatically provides this service and gives consistency to the reporting and checking. So save your hair and time and get XSW!

-Ellen Alvarado
NonStop Security Specialist

Use XSW to create Safeguard access reports

Thursday, January 7th, 2010

(part 2 of 3)

If you are trying to make sense out of your tens of thousands of Safeguard records and ACLs, don’t expect Safeguard to help you. There is no HP tool that provides any level of extraction, except streamed text, and none to analyze access maps from Safeguard.

XYPRO’s Security Compliance Wizard (XSW) can create Safeguard access maps in minutes!  XSW can generate Safeguard access maps for users or user groups, showing the access that is granted or denied across all Safeguard ACL types, including patterns.  These reports are a primary requirement of PCI, SOX and HIPAA.

-Ellen Alvarado
NonStop Security Specialist

Auditing the HP NonStop Server: Stop the Bad Dreams!

Wednesday, November 11th, 2009

Ever had a bad dream about an upcoming audit?  The one in which you’re told you must be prepared to assist the auditors? The HP NonStop Server is not familiar territory to many auditors, which can cause a lot of anxiety for them and you.  Moreover, there are times when an auditor must tackle the audit of a NonStop server immediately, without adequate time to read the appropriate reference manuals:  HP NonStop Security: A Practical Handbook, Securing HP NonStop Servers In An Open Systems World: TCP/IP, OSS and SQL and The Security Management Guide. You may have read them, or looked up a topic or two – but you probably don’t know them by heart, which only adds to your stress level. 

You are not alone.  The following is intended to help you educate your auditor, and lead you toward gathering the pertinent information that will be needed to conduct the audit—so you can say goodbye to your bad dreams!

The Basics  

Security on the NonStop server starts with the operating system, Guardian.  Guardian provides a basic level of security that deals with users and diskfiles and provides limits on the READ, WRITE, EXECUTE and PURGE operations.  Users in system management, operations, security, and change control generally deal with Guardian environment using the TACL command interpreter program.  Guardian supports the OSS ‘personality’ which is a UNIX-like extension that can be used in place of the TACL environment using a program called OSS Shell or osh.

Safeguard is the HP-supported security system that can be used to manage users, object access control lists (ACLs), auditing and security event exit processes (SEEPs).  XYPRO’s proven products allow for easy use of Safeguard to manage users and object ACLs, and for use of SEEPs to significantly extend Safeguard functionality.  Many companies in all industries around the globe use these products not only to reduce stress but also to boost security administration accuracy and productivity.

$CMON is an optional Guardian extension that allows for control of the logon operation and the program run operation.  It does not require Safeguard.  Because TACL simply looks for a process with the name $CMON, either a trusted $CMON must be running on the NonStop server or there must be security controls that prevent anyone from starting a process under that name.

Users are given access by creating Guardian or Safeguard userids.  Creating userids with Guardian alone is no longer recommended because it does not support many features available in Safeguard, the most important of which is password expiration.  Userids are specified as a groupnumber,usernumber pair and as a groupname.username pair.  The groupnumber is between 0 and 255, and once the first user has been assigned to a group, the groupname is fixed for all userids in that group.  The usernumber is also between 0 and 255, and the username must be unique within the group.  One userid must exist on every system: 255,255, usually called SUPER.SUPER, the fully privileged super ID.

For More Info:

You can view the complete article highlighting the questions and answers surrounding some of the most common problems found on the HP NonStop server by emailing lisap@xypro.com with “Audit NonStop Server” in the subject line.

When a more thorough audit is planned you may want to consider using a checklist where each Security Requirement is clearly identified, and the sources of such requirement are provided. You will find a complete checklist on  https://www.xypro.com/.  If you follow it closely and are able to “check” every item…you may find yourself PCI, SOX (Cobit), HIPAA, and SB1386 compliant and happy to invite your Auditor in. Isn’t that a dream?!

Use XSW to save time and money for HP NonStop file reports and compliance

Wednesday, October 14th, 2009

Part 1 of 3

Why would you even think of using DSAP for PCI, SOX, HIPAA or other security compliance reports?  Yes, you can create DSAP reports on HP NonStop Guardian files, such as PROGID, LICENSE, files greater than some size, security settings or owners, but it kills hours and hours of your time.  Creating these reports for just a single node would take hours, and what you would have is a pile of useless paper!  I feel sorry for the wasted trees.

XYPRO’s Security Compliance Wizard (XSW) can save you all that grief and time when generating PCI, SOX, HIPAA or other security compliance reports.  Don’t waste your time!  XSW can automatically create these custom reports for you in minutes, instead of hours or days.  In addition, it can be streamlined to identify only changed files, thus saving many hours of analysis work.  XSW can collect from multiple systems and generate combined reports across those systems, something you just can’t do with any other tool.

-Ellen Alvarado
NonStop Security Specialist

How to Resist a Dictionary Attack: Password Quality is Key

Wednesday, October 7th, 2009

If you’re a security or network administrator, then you probably already know that withstanding a dictionary attack is a common security requirement. For those who may not know, a dictionary attack refers to the general technique of trying to guess some secret, usually a password, by running through a list of likely possibilities, often a list of words from a dictionary.

So, what type of password can resist a dictionary attack?  Well, one that is not a word that can be found in any dictionary, of course!   Simply put, the best defense against a dictionary attack is a strong password composed of a combination of different types of characters.

Password Quality is Key!

Password quality is so critical that it is a PCI compliance requirement. Further, password quality plays a key role in resisting a brute force attack as well.  Password cracking programs start with a dictionary pass, trying every word along with its common variations (case changes, appended digits, character substitutions); a pure brute force pass then enumerates every possible one-character string, then two characters, then three, and so on.  Each candidate is hashed the same way the system hashes its passwords, and the resulting hash is compared to the hashes in the password file being cracked.  If the hashes match, the password is known.

Our Solution

XYPRO’s Password Quality (XPQ) software has helped numerous users effectively resist a dictionary attack.  XPQ provides a wide range of password strengthening techniques, forcing users to create passwords that are able to withstand a dictionary attack. XPQ can be configured to require the following of users when creating or changing their passwords:

•    Include both upper and lower case characters
•    Include special characters in the password
•    Include control characters in the password
•    Include letters and numbers in the password
•    Do not include any part of the user’s logon ID in the password
•    Use passwords of up to 64 characters in length

What’s more, the rules can be mixed and matched to meet any site’s password quality requirements.  Along with a minimum password length, periodic password expiration, and password history tracking, passwords created with XPQ-enforced rules would be virtually unbreakable via a dictionary attack.

In addition to enforcing Password Quality rules, XPQ offers yet another approach to withstanding a dictionary attack – generated passwords.  If XPQ is configured to take advantage of this function, the generated passwords always match your configured quality rules and, therefore, are not vulnerable to a dictionary attack.  Because many dictionary attacks target privileged userids such as SUPER.SUPER or the application owners, companies could establish a policy of always using generated passwords for their privileged userids.

The Proof is in the Numbers
The table below shows the amount of time* a successful brute force attack takes, depending on the combination of characters used in the password.

[Table: estimated brute force search time for a seven-character password by character set (lower case only; mixed case; mixed case with numbers and symbols); image not reproduced here]

*The numbers should not be interpreted as actual time.  The speed of the attack depends on multiple factors including computing resources, the password hashing algorithm, etc.  However, the table is a good illustration of how important enforcing password quality rules is for brute force attack resistance. Source for statistics and calculations:  http://geodsoft.com/howto/password/cracking_passwords.htm

As the table shows, cracking a “simple” seven-character password would take 22.3 hours, while the same seven-character password composed of mixed case characters extends the attack time to 3.91 months. Adding numbers and symbols to the password, extends the time needed to process all possible combinations to more than two years.  So, if a password is also changed regularly, this can mean an extended state of security against an attack.
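To make the rules above and the search-time figures concrete, the following Python is an added illustration and is not XPQ code or any XYPRO product logic. It enforces a rule set of the kind XPQ is described as offering (case mix, digit, special character, no fragment of the logon ID, 8 to 64 characters), runs a small dictionary attack with the usual manglings against a stored hash, and computes the exact-length search time. The mini wordlist, the salted SHA-256 construction standing in for whatever hash the target system uses, and the 100,000 guesses per second rate are all assumptions; at that rate the exact-length calculation reproduces the 22.3 hours and 3.91 months quoted for seven characters.

```python
"""Added example, not XYPRO's XPQ code: enforce password-quality rules like those
listed above, run a small dictionary attack with common manglings, and estimate
brute-force search time. Wordlist, hash construction and guess rate are assumptions."""
import hashlib
import string


def check_password(password, logon_id, min_len=8, max_len=64):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("must mix upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("must contain a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("must contain a special character")
    # No 3+ character fragment of the logon ID (GROUP.USER or group,user) may appear,
    # case-insensitively: SUPER.SUPER rules out "Sup3r..." as well as "super".
    low = password.lower()
    for part in set(logon_id.lower().replace(".", ",").split(",")):
        if any(part[i:i + 3] in low for i in range(len(part) - 2)):
            problems.append(f"contains part of logon ID ({part})")
    return problems


# Constructed mini-wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "welcome", "nonstop", "tandem", "summer"]


def candidates(words):
    """Yield each word plus the manglings crackers try first: case, suffixes, leetspeak."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w.upper()
        for suffix in ("1", "123", "!", "2009"):
            yield w + suffix
            yield w.capitalize() + suffix
        yield w.replace("a", "@").replace("o", "0").replace("e", "3")


def password_hash(salt, password):
    """Salted SHA-256 stands in for whatever the target system stores (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_attack(target_hash, salt, words=WORDLIST):
    """Hash every candidate exactly as the target does; return the match or None."""
    for cand in candidates(words):
        if password_hash(salt, cand) == target_hash:
            return cand
    return None


def brute_force_hours(length, alphabet_size, guesses_per_second=100_000):
    """Hours to try every password of exactly `length` characters over the alphabet.
    At the assumed 100,000 guesses/s this gives 22.3 h for 26 lower-case letters and
    about 3.91 months (of 730.5 h) for 52 mixed-case letters, seven characters each."""
    return alphabet_size ** length / guesses_per_second / 3600


def demo(salt="x9"):
    """Constructed run: a mangled dictionary word falls, a rule-compliant random one does not."""
    weak, strong = "Tandem1", "kV7#pQz!2m"
    return (check_password(weak, "SUPER.SUPER"),
            dictionary_attack(password_hash(salt, weak), salt),
            check_password(strong, "SUPER.SUPER"),
            dictionary_attack(password_hash(salt, strong), salt))


if __name__ == "__main__":
    print(demo())
    print(f"{brute_force_hours(7, 26):.1f} h, {brute_force_hours(7, 52) / 730.5:.2f} months")
```

Two design points are worth noting. The logon-ID rule checks three-character fragments rather than the whole ID, because the variant an attacker actually tries is “Sup3r2009”, not “super”. And the attack function hashes its candidates with the same salt and algorithm as the stored value: a cracker that gets the hash construction wrong never matches, which is why the table’s figures depend on the hashing scheme as much as on the character set.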

Bottom line: Don’t let your system and critical data be left vulnerable to attack due to easily guessed passwords. Maximize XPQ to keep your passwords up to par!
Want to learn more? Visit us at www.xypro.com