Archive for October, 2011

“When it comes to breaches of security, it’s not a matter of ‘if’ but rather ‘when’.” —Frank Abagnale

Posted in Other, Security on October 26th, 2011 by Robin

I’ve spoken to many audiences in my security career about how nothing good comes of the mindset that “it’ll never happen to me.” Unfortunately, I was reminded of my own vulnerability when I returned from COMMON recently, only to discover that my beloved road bicycle had been removed illegally from my (supposedly) secured underground parking garage. The perpetrator had first gained access to the locked garage building, making the chances high that they reside in the same building (insider threat, anyone?). But this was no crime of circumstance or simple convenience. They had obviously seen the bike suspended and secured, and made a conscious decision to return better prepared. Then, they had circumvented my deterrent, cutting cleanly through the reinforced braided steel cable that I had carefully wound through the beautiful yellow and black lightweight frame, both 700C racing wheels, and through a steel eyelet embedded several inches into the cement wall.

I immediately filed a police report, but I’m figuring the bike is already miles down the road by now or sold on craigslist. In fact, I only bothered to report its loss so that I could try to make a claim on my insurance. But it’s not just a financial loss. There’s the lost confidence that I have in the security of the garage, and the guarded suspicion with which I am eyeing the other residents of my fairly small community. Most likely, one of them knows all too well what happened and I don’t like knowing that. Although this type of crime is purely for material or financial gain, it tends to make a person question the overall level of security; including the personal safety of a spouse or a child.

I prefer to believe that the vast majority of people are good and honest, and the exceptions are those more driven by greed and selfishness. This personal event has served as a good, albeit painful, reminder that it’s naive to assume that people won’t take advantage of a situation from which they might profit. Sometimes that situation might arise from an easy temptation; sometimes from a deliberate and planned act. Either way, there’s typically both an immediate and a long-term impact. But we need to assume that, sooner or later, it will happen to all of us.

Data theft is typically harder to detect than traditional theft because stolen data continues to reside on the server it was taken from. The latest PowerTech “State of IBM i Security” study reports that more than 10% of IBM i systems still aren’t using the auditing functionality included in the operating system. These companies have zero visibility to security-related events. From my experience, many of the others are collecting events for purposes other than security forensics, and many have no type of procedure or training on how to interpret the data. This leaves only a small contingent that is proactively reviewing the logs and knows how to recognize and escalate a critical event.

When experiencing a corporate breach, many of the same emotions are experienced as in a personal loss. The initial panic of discovery often leads to confusion and, unfortunately, sometimes to blame. This may result in recrimination, and even job loss. There will be costs associated with the remediation and, according to the renowned Ponemon Institute, these costs now exceed $200 per record breached. If the breach requires disclosure to the affected parties, there’s likely to be an accompanying loss of confidence in the corporate brand and it’s tough to put an exact value on that. Sadly, we don’t put much credence on the costs to prevent, nor the costs to remediate and litigate, until we are already in the unenviable position of paying for them.

A common misconception is that all breaches are initiated from outside the perimeter firewall, and are the result of a user operating with malicious intent. The reality is that an estimated 60–70% of data that is lost, stolen, or damaged was caused by a user inside the network. After all, if the user profile and password are the primary security control, you probably have a large number of users who are able to access data—and not all via the approved application mechanism. Many data issues are the result of quite legitimate functions where the user was totally unaware that they were causing an issue. For example, uploading a spreadsheet of data directly to a production file without realizing the spreadsheet was a filtered view.

You should be aware that your regular business insurance may not cover losses incurred as a result of a data breach; especially if it’s determined that the root cause was inadequate security controls. This forces the organization to shoulder the full burden of the cost, which can run into millions of dollars.

While no security infrastructure is ever 100% safe, we can remove the IBM i data from residing on the “low hanging branch” and make it more viable for someone to pick a different target. As I discussed last week, a defense in layers approach can make it easier to detect and shut down events before they cause serious harm. Sure, it’s not free to implement a good security infrastructure, but I think I am safe in assuring you that, in the long run, it’ll be cheaper than the alternative.

Step 1: We acknowledge that it WILL happen to us eventually.

Oh, and if you’re wondering “who is Frank Abagnale?,” you can see a dramatization of his life in the 2002 movie “Catch Me If You Can” starring Leonardo DiCaprio and Tom Hanks. His life as a former confidence trickster led to him becoming one of the world’s authorities on fraud.

My photograph this week is of Baltimore’s beautiful Inner Harbor. On the left you can see the stern of the “Chesapeake,” one of several historic ships docked at the harbor. The Chesapeake served as a floating lightstation between 1930 and 1970, and survived service during two hurricanes strong enough to break its primary anchor chain.

If you would like information on IBM i security topics, or the solutions modules that comprise the PowerTech portfolio, then please contact me at robin.tatam@powertech.com.

Cheers,

- rt

IBM i Security vs. the White House

Posted in Other, Security on October 18th, 2011 by Robin

If you’ve been reading my blog for any length of time, you may have heard me talk of defense in layers. For those who might not be familiar with this term, it refers to a security methodology where each layer is deployed with the primary goal of slowing down an intruder until the intrusion has been detected and intercepted. While most people design security with the simple objective to block unauthorized access, no single layer comes with a guarantee. More layers = more chance of success.

I currently am working at a client site in Baltimore, Maryland, and kicked off the week with a day in nearby Washington D.C. My girlfriend, Angela, and I visited some incredibly beautiful and historic places, but one of the highlights was to be able to walk up to within 20 feet of the front door of the White House. Although arguably the most guarded house on the planet, the gates are opened a couple of times a year to a small number of “regular” folk to tour the grounds. We just happened to be in the right place at the right time.

After the Oklahoma City bombing in 1995, the short stretch of Pennsylvania Avenue that passes the house’s north side was closed to thru traffic. This stemmed from concerns of how close the house sits to the street, and is where you’ll see the only evidence of major physical defenses, with retracting ground barricades to prevent anything large or motorized from pulling up outside.

We put our bags through portable x-ray machines, and ourselves through some metal detectors (with seemingly less attention than you get from the TSA at the airport), and then we were in. As we entered the gates, the only overtly visible security presence was a number of armed agents in their crisp police-like uniforms, all of them watching closely from the inner paths and doorways to make sure no one wandered off the approved route.

While most people were checking out the infamous presidential rose garden, I couldn’t help but contemplate how this spectacular mansion is a great example of defense in layers. It starts with a decorative black perimeter fence; a fence that could probably be scaled with a little effort. However, it’s patrolled on the outside by the Secret Service’s own police force (and a few men in suits sitting in the occasional black SUV) who quickly intercept any sign of undesired activity (such as putting one leg of a camera tripod through onto the White House grass! Oops!)

During the time we spent on the grounds, I observed only one lone video camera visibly perched on the northeast corner of the roof of the main house. In fact, once inside, we remarked just how unfortified it all appeared to be. While a rugged show of fortification might act as a deterrent in some situations, objects like the White House and its main occupants will always be a target regardless. But, I think that’s the art of protecting a public figure, as many political and royal figures require their security to be somewhat transparent so that they appear accessible to the people. Numerous subtle “layers” are designed to work together seamlessly to protect and detect, if not necessarily to deter. I think it’s pretty safe to assume that there’s probably a plethora of other advanced controls—underground sensors, infrared cameras, and laser motion detectors—all working together to signal the unauthorized presence of someone on the grounds. I have heard that there are anti-aircraft defenses somewhere on the grounds, and although we didn’t get to go inside (and I’m sure wouldn’t have been given details even if we had), I can imagine that there is some type of fortified underground panic room in case all else fails.

As we left the property, I noticed a shadow moving in a wooded area, and spied a far less visible figure, heavily armed and wearing black combat clothing. It’s not a stretch to believe that maybe one or even two of these defenses could be breached, but the likelihood of anyone getting past without setting off an alert is slim to none. Each event would increase the likelihood of raising the alarm in time to trigger the instant response to secure the core “asset.” In this case, that asset is the President of the United States. In your case, perhaps it’s the credit card file or customer master information.

It’s an invitation to disaster if you are not adequately securing and monitoring your company’s servers and data, and it’s not enough to rely on a single layer of security, such as a user profile and password. IBM i security best practices involve many layers, including object-level security, network exit programs, application controls, and the deployment and use of alerting and reporting tools. The more of these layers you deploy, the more you increase the likelihood that you will prevent—or at least detect—unauthorized activity before someone unauthorized gets at, or away with, the asset.

Entering the White House grounds afforded us an unforgettable experience, and being able to photograph such an iconic symbol of American politics up close normally involves being elected. Fortunately, getting information on PowerTech’s portfolio of security layers for IBM i is far easier and doesn’t require a four-year commitment…simply contact me at robin.tatam@powertech.com or visit www.powertech.com.

Cheers,

- rt

Security remains a big focus for companies at COMMON

Posted in Other, Security on October 13th, 2011 by Robin

Last week kicked off my busiest month since joining PowerTech two years ago. I would certainly never dream of complaining about traveling this much as it started with a trip to St Petersburg, Florida, for COMMON’s Fall meeting. What a great event! More than 300 IBM i professionals to mingle with, many of whom are existing PowerTech or Help/Systems customers. I ended up teaching four sessions on IBM i security, and had fantastic attendance to each—certainly a solid sign that security remains a focus for many organizations. Interestingly, I had a few attendees who came in still reliant on user ignorance to secure their system—hopefully I left them with an altered opinion.

Next, I’m off to Milwaukee to spend some time with the local user group, and to conduct a couple of customer visits. Help/Systems has been a staunch supporter of the local user group community for many years, so if you’d like someone from our family of companies to speak to you about topics ranging from automation, to business intelligence, to security (of course!), just give us a call. I’ll only be back for a few hours before heading out to Baltimore, Maryland, for a two-week services engagement. I’m excited as I’ve never been to Maryland, or nearby Washington D.C., where I’ll be overseeing the setup of a Compliance Monitor infrastructure that spans the nation.

Security news recently has included several noteworthy illegal credit card schemes, including a 16-year-old girl here in Minnesota who was discovered using a card “skimmer” at her McDonalds drive-thru job. This is not the first fast food restaurant to have been hit with this modus operandi—so that Big Mac value meal could end up costing you far more than expected! Other parts of the country also have been experiencing an outbreak of skimming activity, with ATMs remaining a prime target. A New York area bank was hit this past weekend, joining Tampa and Seattle as recently targeted geographies. Experts recommend that consumers be vigilant to any suspicious looking devices or modifications, while card issuers keep struggling to find a way to protect unattended (and sometimes attended!) card devices.

On the flip side of the law, GovInfoSecurity.com recently reported what they called “the largest identity theft bust in history.” The case involves the arrest of more than 100 people, and the cooperation of law enforcement agencies in numerous countries around the world. Commentary on the case included the call to arms about insider threat, something that we at PowerTech have been talking about for years. So many shops still think that their only (or at least biggest) threat comes from outside of the organization. Unfortunately, this often is not the case.

My photograph this week is of a sunset at Clearwater Beach on the Gulf of Mexico, taken last week while I was at COMMON. It’s a spectacularly beautiful area with sandy white beaches and warm waters. We even saw dolphin swimming for fish in the marina.

If you would like information on IBM i security topics, or the solutions modules that make up the PowerTech portfolio, please contact me at robin.tatam@powertech.com

Cheers,

- rt