Archive for October, 2014

Incident Response Planning: Expect the Best, Plan for the Worst and Prepare to be Surprised

Monday, October 27th, 2014

“There are only two types of companies: Those that have been hacked, and those that will be”
FBI Director Robert Mueller 2012

“There are only two types of companies: Those that have been hacked, and those that don’t know they’ve been hacked”
Reality 2014

Last month we discussed the cost of incident response and the lack of proper funding to keep up with the ever-evolving threat landscape. Since then, multiple breaches and vulnerabilities have hit the news. In fact, as I’m writing this, the industry is being bitten by the SSLv3 POODLE vulnerability, which has incident response teams chasing after the cat again.

A proper Computer Security Incident Response Plan (CSIRP) is critical to minimizing the impact of a security breach and ensuring the sustainability of the business. Yet, for most organizations, the more challenging aspects of creating a CSIRP are still a lack of preparedness, obtaining high-level buy-in, and asset classification hampered by limited visibility into processes and data. This can be a dangerous combination.

Research from the Economist Intelligence Unit (EIU) shows that 77% of organizations surveyed have suffered an incident in the last 2 years yet only 17% were fully prepared to respond to those incidents. More than two-thirds had no plan.

In 2012, the National Institute of Standards and Technology (NIST) published Revision 2 of its cross-industry Computer Security Incident Handling Guide, SP 800-61 (http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf), which breaks incident response into four phases:
Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. Let’s focus this article on Preparation.

Be Prepared
We all know that panic clouds common sense, so you want to be as prepared as possible before an incident. There are obvious things we know we have to do.

• Get executive buy-in.
• Make sure network infrastructure maps are up to date.
• Understand who is in charge and how to contact them.
• Assign a CISO. Someone needs to make decisions.
• Verify you have adequate logging, auditing and detection on important assets (see XYPRO’s Top 10 article this month, where we discuss the necessity of logging everything).
• Assess resources and skills to ensure incidents can be detected and reported properly (can your staff tell what is just noise and what is a real alert?).
• Review and re-review your security tool configurations (see XYPRO’s Top 10 NonStop security article on continuously monitoring security compliance).
• Document everything (Document, Document, Document!!!!).
• Train personnel, keep your plan updated and execute a test of it at least once a year.

Sure, it’s a thankless job and you probably won’t win any recognition or awards for it, but it’s got to be done and if you don’t do it, who else will? After all, you’re preparing for something that may never happen and CEOs love that! As Ben Franklin said – “By failing to prepare, you are preparing to fail.” Many of my co-workers are getting sick of me repeating that quote.

Ok, those were the obvious ones (man, I hope you thought them obvious) – what are some other important steps for preparation of your CSIRP?

Classifying your Data
Data classification is a very important process in building a secure organization, yet it is often overlooked as part of the preparation process. Understanding what data you have and attaching a value to its importance and sensitivity will allow you to plan for and allocate the necessary resources and funding to adequately protect it. Industry standards and government regulations, such as HIPAA, PCI DSS, EPA rules, the EU Privacy Act, etc., identify this data and set minimum levels of protection we have to meet, but if you don’t know the types of data your organization has and where it lives, how can you properly protect it and ultimately respond to an attack on it? Do you store PAN data? PII data? CPI data? What is obtained and stored during mergers and acquisitions? Do you know what records HR keeps? What customer data does the marketing team hold? It’s a daunting task and no doubt feathers will be ruffled as you gather more information from business unit leaders about the data they’re in charge of, but ultimately it’s for the protection of that data and the good of the organization.

Studying Breaches
Understanding what you need to protect and the attacks that threaten your organization and industry is critical in formulating a proper incident response plan. Protecting customer data should be the top priority for any company, but the types of attacks that target that data may not be the same from one industry to the next. From banking to retail to manufacturing and beyond: how can you properly protect against and ultimately respond to threats if you don’t understand what those threats are? Malware, APTs, unintended disclosure and insider threats are typically at the top of most lists, and understanding these attacks and their patterns within your industry will allow you to better prepare for what is possibly to come.

Preparing your incident response plan doesn’t have to be a challenge no one wants to touch. There are side benefits to the process. Not only will it allow your company to survive a breach, but the process itself typically unifies business units for a common purpose and improves internal communication and coordination along the way.

Preparing a CSIRP no longer applies only to large businesses or government agencies. Symantec’s 2013 Internet Security Threat Report identified that 31% of targeted attacks were against small businesses, those with fewer than 250 employees. In fact, small business was the largest growth area for targeted attacks over the previous year. Security breaches don’t just affect the large organizations you hear about on the news. Incident response is not a static field. Threats are evolving, and attackers are getting more sophisticated and more organized. Everyone from the smallest startup to the largest supplier needs to be prepared to handle them properly.

If you’d like additional information or help with NonStop security, please contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

Steve Tcherchian, CISSP
XYPRO Technology
steve@xypro.com

Audit all security-related activity and events. #1 on XYPRO’s Top 10 List of HP NonStop Security Fundamentals

Monday, October 27th, 2014

Because high-availability and fault-tolerant systems need strong security

Finally, we’ve made it to the #1 spot on our Top 10 list! Before we get to that, though, just a reminder that the first nine HP NonStop server security fundamentals cover some incredibly important aspects of NonStop server security and are vital for protecting your mission critical systems and applications—you can review the full list of Top 10 NonStop Security Fundamentals on XYPRO’s website.

So what is THE MOST important fundamental? It’s simple really:

#1: Audit all security-related activity and events

Of course, auditing all NonStop security-related activity and events may seem easier said than done—especially when you have hundreds of thousands (maybe millions) of events occurring daily throughout your NonStop server environment. What you need is a really powerful software solution that allows you to track, filter, manage and report on all NonStop security-related activity.

Good news: You already have the solution you need

Fortunately, HP has partnered with XYPRO to provide just such a solution to all HP NonStop server users. Since August 2010, HP has bundled XYGATE Merged Audit (XMA) with all new J-series and H-series HP NonStop servers. So, if you’ve received new NonStop systems since August 2010, you already have the XMA software and licenses!

Let’s focus on five key aspects of logging and auditing and the capabilities that XMA provides for HP NonStop servers:

1. Consolidate NonStop security event data.
Security event data is created and stored in many places on a NonStop server which can make it difficult to monitor and report on security activity. To resolve that challenge, XMA merges multiple sources of NonStop audit data (for example, Safeguard, XYGATE, EMS, Measure, ACI BASE24® and/or HP’s HLR Telco solution) into a single NonStop SQL/MP database. This merged (and normalized) data can be used for security analyses, alerting, audit reporting and integration with enterprise Security Information and Event Management (SIEM) solutions, like HP ArcSight. Note: an HP NonStop SQL/MP license is not required for the XMA database.

2. Create alerts on important events.
Given the high volume of security events, users need some way to filter out routine activity so they can focus on highly important, unusual or suspicious activity. XMA has advanced filtering capabilities that use pre-defined rules and custom user-defined rules to identify important events. A GUI security event monitor is included with XMA, allowing users to monitor and be notified of events right on the desktop in graphical, acoustic and action-oriented formats. Users can also receive automatic alerts by e-mail or SMS.

3. Run audit reports.
Let’s face it, audit reporting can be a difficult and time-consuming process, yet it is extremely important. XMA enables easy creation of consolidated audit reports to comply with company policies and regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). Users can choose from a wide selection of report templates, use preformatted samples or design new reports for specific needs. Whether generating reports to the NonStop spooler or to a Windows PC, XMA allows the right information to get to the right people at the right time!

4. Integrate with enterprise SIEMs.
In today’s complex security environment, companies need a comprehensive view of security events and information. SIEM solutions, like HP ArcSight, collect security information from many sources in the enterprise and use advanced analytics to identify threats and manage risks. XMA integrates with HP ArcSight and other SIEMs, such as RSA enVision and IBM QRadar, enabling the HP NonStop environment to be part of an enterprise security management solution.

5. Learn more about XMA at NonStop Technical Bootcamp.
Please, join us at Bootcamp for the HP sponsored breakout session, “Getting the Most out of XMA and XUA from the new Security Bundle”, presented by XYPRO’s Andrew Price and Rob Lesan.
(Okay, this session isn’t really an aspect of auditing per se but it’s a great way to learn more about XMA, and, as a bonus, you’ll learn about XYGATE User Authentication (XUA) which was added to the NonStop Security Bundle last year).
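As an added example (this is not XMA and not XYPRO’s code; the two log line formats, the privileged-ID list, the thresholds and the CEF vendor/product strings are all constructed for the illustration), the following Python script shows the pipeline that aspects 1, 2 and 4 above describe, and answers the noise-versus-real-alert question raised in the incident response post earlier on this page. It normalizes two constructed NonStop-style audit sources (a Safeguard-like logon log and an EMS-like subsystem log) into one event schema, runs three rules over the merged, time-ordered stream (a sliding-window count of failed logons, a privileged logon whose severity rises if it follows a burst of failures, and a Safeguard user-attribute change), and renders each alert as an ArcSight CEF line with the header and extension escaping that CEF requires.

```python
"""Added example: merge two constructed NonStop-style audit sources, filter
them with alert rules and emit CEF for a SIEM.  Not XMA; the line formats,
privileged-ID list, thresholds and CEF vendor/product strings are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (hypothetical formats, not real Safeguard/EMS output).
SAFEGUARD_LINES = """\
2014-10-27 09:00:01 LOGON FAILED user=SUPER.SUPER terminal=$ZTN0.#PTY0012 addr=10.1.2.33
2014-10-27 09:00:04 LOGON FAILED user=SUPER.SUPER terminal=$ZTN0.#PTY0012 addr=10.1.2.33
2014-10-27 09:00:06 LOGON FAILED user=SUPER.SUPER terminal=$ZTN0.#PTY0012 addr=10.1.2.33
2014-10-27 09:00:09 LOGON FAILED user=SUPER.SUPER terminal=$ZTN0.#PTY0012 addr=10.1.2.33
2014-10-27 09:00:11 LOGON FAILED user=SUPER.SUPER terminal=$ZTN0.#PTY0012 addr=10.1.2.33
2014-10-27 09:00:15 LOGON OK user=SUPER.SUPER terminal=$ZTN0.#PTY0012 addr=10.1.2.33
2014-10-27 09:03:40 LOGON OK user=PAY.CLERK1 terminal=$ZTN0.#PTY0020 addr=10.1.5.7
"""
EMS_LINES = """\
14-10-27 09:05:22 \\PROD.$ZSMP SAFEGUARD 2041 ALTER USER PAY.CLERK1 by SUPER.SUPER: PRIV-LOGON added
14-10-27 09:06:10 \\PROD.$ZSMP TCPIP 1001 LISTNER started on $ZTC0 port 1234
"""

SAFEGUARD_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGON (?P<outcome>OK|FAILED) "
    r"user=(?P<user>\S+) terminal=(?P<term>\S+) addr=(?P<addr>\S+)$")
EMS_RE = re.compile(
    r"(?P<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<collector>\S+) (?P<subsys>\S+) "
    r"(?P<num>\d+) (?P<text>.*)$")

PRIVILEGED = {"SUPER.SUPER", "SECURITY.MANAGER"}   # assumed privileged IDs
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(seconds=60)  # assumed rule parameters


def parse_safeguard(text):
    """Safeguard-style logon lines -> common event schema."""
    events = []
    for line in text.splitlines():
        m = SAFEGUARD_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines and alert on them too
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "source": "safeguard", "action": "logon",
                       "outcome": "success" if m["outcome"] == "OK" else "failure",
                       "user": m["user"], "src": m["addr"], "detail": m["term"]})
    return events


def parse_ems(text):
    """EMS-style subsystem messages -> common event schema (actor taken from 'by X:')."""
    events = []
    for line in text.splitlines():
        m = EMS_RE.match(line)
        if not m:
            continue
        actor = re.search(r" by (\S+):", m["text"])
        events.append({"ts": datetime.strptime(m["ts"], "%y-%m-%d %H:%M:%S"),
                       "source": "ems", "action": m["subsys"].lower(), "outcome": "n/a",
                       "user": actor.group(1) if actor else "", "src": m["collector"],
                       "detail": m["text"]})
    return events


def evaluate(events):
    """Run the alert rules over the merged, time-ordered stream; return alert dicts."""
    alerts, failures = [], defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["action"] == "logon" and ev["outcome"] == "failure":
            q = failures[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > FAIL_WINDOW:     # drop failures that left the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:             # fire once, when the threshold is reached
                alerts.append({"sig": "100", "name": "Repeated logon failures", "severity": 7,
                               "event": ev, "msg": f"{len(q)} failures within {FAIL_WINDOW.seconds}s"})
        elif ev["action"] == "logon" and ev["outcome"] == "success" and ev["user"] in PRIVILEGED:
            recent = sum(1 for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW)
            alerts.append({"sig": "101", "name": "Privileged logon",
                           "severity": 9 if recent >= FAIL_THRESHOLD else 6,
                           "event": ev, "msg": f"preceded by {recent} recent failures"})
        elif ev["source"] == "ems" and ev["action"] == "safeguard" and "ALTER USER" in ev["detail"]:
            alerts.append({"sig": "102", "name": "Safeguard user attribute change",
                           "severity": 8, "event": ev, "msg": ev["detail"]})
    return alerts


def cef_escape_header(value):
    """CEF header fields: escape backslash and the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    """CEF extension values: escape backslash, '=' and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(alert):
    """Render one alert as an ArcSight CEF line (vendor/product strings assumed)."""
    ev = alert["event"]
    header = "|".join(cef_escape_header(v) for v in
                      ["CEF:0", "ExampleCo", "nonstop-audit", "1.0",
                       alert["sig"], alert["name"], alert["severity"]])
    ext = {"rt": ev["ts"].strftime("%b %d %Y %H:%M:%S"), "suser": ev["user"],
           "shost": ev["src"], "cs1Label": "sourceLog", "cs1": ev["source"], "msg": alert["msg"]}
    return header + "|" + " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())


def run(safeguard_text=SAFEGUARD_LINES, ems_text=EMS_LINES):
    """Merge, evaluate and render; returns (events, alerts, cef_lines)."""
    events = parse_safeguard(safeguard_text) + parse_ems(ems_text)
    alerts = evaluate(events)
    return events, alerts, [to_cef(a) for a in alerts]


if __name__ == "__main__":
    for cef_line in run()[2]:
        print(cef_line)
```

On the constructed input, nine raw lines collapse to three alerts: the fifth failed SUPER.SUPER logon within the window, the SUPER.SUPER success that follows the burst (raised to severity 9 because the failures are still inside the window), and the ALTER USER change; the successful PAY.CLERK1 logon and the TCPIP message are treated as noise. The EMS collector name \PROD.$ZSMP shows why the escaping helpers matter: an unescaped backslash in a CEF extension would corrupt the field for the receiving SIEM.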

So that’s our #1 NonStop Fundamental. It can be summarized as “audit everything” to ensure complete visibility of security-related events on the NonStop. This is such an important aspect of security that HP bundles XYPRO’s logging and auditing solution, XMA, with every new HP NonStop server. Please make sure to take full advantage of XMA’s powerful capabilities.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).

XYPRO’s Top 10 HP NonStop Security Fundamentals

Thursday, October 23rd, 2014

Because high-availability and fault-tolerant systems need strong security

Does it make sense to have high-availability and fault-tolerance without strong security? We at XYPRO don’t think so. We recognize that companies run their most important business applications and processes on the NonStop server platform and keeping those assets safe from data loss, tampering and inadvertent harm is mission critical.

XYPRO has been providing HP NonStop server security solutions for over 30 years—we’ve literally written the books on NonStop security—and we’ve assembled an informal “Top 10” list of HP NonStop security fundamentals.

Top 10 NonStop Security Fundamentals (in descending order)

#10: Secure the default system access settings
To facilitate initial configuration and set-up, HP NonStop servers come with a number of default security settings—to have a well-protected HP NonStop system, many of these default settings need to be addressed.

#9: Set-up strong Safeguard authentication and password controls
Establishing strong user authentication and password management controls are critical aspects of any security program and are a major requirement for meeting PCI DSS compliance.

#8: Ensure individual accountability (no shared IDs!)
Security best practices and industry regulations, like PCI DSS, require users to have unique userids so that there is clear accountability. This also facilitates effective auditing, remediation and management of individual user rights and access.

#7: Establish granular control of user activity
Increasing the granularity of control builds on security concepts discussed in earlier HP NonStop fundamentals and goes deeper into specific system areas which need closer security management.

#6: Audit all actions of privileged access users
A thorough logging and auditing program for privileged users establishes the means for strong oversight over users with the greatest security access rights and who, therefore, may pose the greatest potential risk to the system.

#5: Strengthen access management with role-based access control (RBAC)
Role-based access control (RBAC) is a security approach in which system access and permission rights are grouped according to user roles and then individual users are assigned to a role. RBAC simplifies security administration and can enable a greater degree of security and control for your HP NonStop systems.

#4: Dynamically secure all NonStop system resource objects
Resource objects are key parts of your NonStop system and must be fully secured. While Safeguard provides some capabilities to do this, a best practice approach is to use a third-party tool that enables rule flexibility, expands security attributes and provides strong security to not just the Guardian subsystem but OSS, as well.

#3: Protect sensitive data
Data can be an organization’s most valuable treasure and it’s a major target for cyber-criminals. Encryption and/or tokenization are critical solutions for protecting sensitive data, reducing the scope of regulatory compliance, and neutralizing the impact of a data breach.

#2: Continuously monitor security compliance
Ensuring compliance is a critical aspect of any IT security program and compliance monitoring solutions provide the means to systematically measure, manage and report on a complex and dynamic HP NonStop security environment.

#1: Audit all security-related activity and events
It can be summarized as “audit everything” to ensure complete visibility of security-related events on the HP NonStop. This is such an important aspect of security that HP bundles XYPRO’s logging and auditing solution, XMA, with every new HP NonStop server. Please make sure to take full advantage of XMA’s powerful capabilities.

For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.

You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).