I’ve spoken to many audiences in my security career about how nothing good comes of the mindset that “it’ll never happen to me.” Unfortunately, I was reminded of my own vulnerability when I returned from COMMON recently, only to discover that my beloved road bicycle had been removed illegally from my (supposedly) secured underground parking garage. The perpetrator had first gained access to the locked garage building making the chances high that they reside in the same building (insider threat anyone?) But this was no crime of circumstance or simple convenience. They had obviously seen the bike suspended and secured, and made a conscious decision to return better prepared. Then, they had circumvented my deterrent, cutting cleanly through the reinforced braided steel cable that I had carefully wound through the beautiful yellow and black lightweight frame, both 700C racing wheels, and through a steel eyelet embedded several inches into the cement wall.

I immediately filed a police report, but I’m figuring the bike is already miles down the road by now or sold on craigslist. In fact, I only bothered to report its loss so that I could try to make a claim on my insurance. But it’s not just a financial loss. There’s the lost confidence that I have in the security of the garage, and the guarded suspicion with which I am eyeing the other residents of my fairly small community. Most likely, one of them knows all too well what happened and I don’t like knowing that. Although this type of crime is purely for material or financial gain, it tends to make a person question the overall level of security; including the personal safety of a spouse or a child.

I prefer to believe that the vast majority of people are good and honest, and the exceptions are those more driven by greed and selfishness. This personal event has served as a good, albeit painful, reminder that it’s naive to assume that people won’t take advantage of a situation from which they might profit. Sometimes that situation might arise from an easy temptation; sometimes from a deliberate and planned act. Either way, there’s typically both an immediate and a long-term impact. But we need to assume that, sooner or later, it will happen to all of us.

Data theft is typically harder to detect than traditional theft because stolen data continues to reside on the server it was taken from. The latest PowerTech “State of IBM i Security” study reports that more than 10% of IBM i systems still aren’t using the auditing functionality included in the operating system. These companies have zero visibility to security-related events. From my experience, many of the others are collecting events for purposes other than security forensics, and many have no type of procedure or training on how to interpret the data. This leaves only a small contingent that is proactively reviewing the logs and knows how to recognize and escalate a critical event.

When experiencing a corporate breach, many of the same emotions are experienced as in a personal loss. The initial panic of discovery often leads to confusion and, unfortunately, sometimes to blame. This may result in recrimination, and even job loss. There will be costs associated with the remediation and, according to the renowned Ponemon Institute, these costs now exceed $200 per record breached. If the breach requires disclosure to the affected parties, there’s likely to be an accompanying loss of confidence in the corporate brand and it’s tough to put an exact value on that. Sadly, we don’t put much credence on the costs to prevent, nor the costs to remediate and litigate, until we are already in the unenviable position of paying for them.

A common misconception is that all breaches are initiated from outside the perimeter firewall, and are the result of a user operating with malicious intent. The reality is that an estimated 60–70% of data that is lost, stolen, or damaged was caused by a user inside the network. After all, if the user profile and password are the primary security control, you probably have a large number of users who are able to access data—and not all via the approved application mechanism. Many data issues are the result of quite legitimate functions where the user was totally unaware that they were causing an issue. For example, uploading a spreadsheet of data directly to a production file without realizing the spreadsheet was a filtered view.

You should be aware that your regular business insurance may not cover losses incurred as a result of a data breach; especially if it’s determined that the root cause was inadequate security controls. This forces the organization to shoulder the full burden of the cost, which can run into millions of dollars.

While no security infrastructure is ever 100% safe, we can remove the IBM i data from residing on the “low hanging branch” and make it more viable for someone to pick a different target. As I discussed last week, a defense in layers approach can make it easier to detect and shut down events before they cause serious harm. Sure, it’s not free to implement a good security infrastructure, but I can think I am safe in assuring you, in the long run, it’ll be cheaper that the alternative.

Step 1: We acknowledge that it WILL happen to us eventually.

Oh, and if you’re wondering “who is Frank Abagnale?,” you can see a dramatization of his life in the 2002 movie “Catch Me If You Can” starring Leonardo DiCaprio and Tom Hanks. His life as a former confidence trickster led to him becoming one of the world’s authorities on fraud.

My photograph this week is of Baltimore’s beautiful Inner Harbor. On the left you can see the stern of the “Chesapeake,” one of several historic ships docked at the harbor. The Chesapeake served as a floating lightstation between 1930 and 1970, and survived service during two hurricanes strong enough to break its primary anchor chain.

If you would like information on IBM i security topics, or the solutions modules that comprise the PowerTech portfolio, then please contact me at robin.tatam@powertech.com.

Cheers,

- rt

If you’ve been reading my blog for any length of time, you may have heard me talk of defense in layers. For those who might not be familiar with this term, it refers to a security methodology where each layer is deployed with the primary goal of slowing down an intruder until the intrusion has been detected and intercepted. While most people design security with the simple objective to block unauthorized access, no single layer comes with a guarantee. More layers = more chance of success.

I currently am working at a client site in Baltimore, Maryland, and kicked off the week with a day in nearby Washington D.C. My girlfriend, Angela, and I visited some incredibly beautiful and historic places, but one of the highlights was to be able to walk up to within 20 feet of the front door of the White House. Although arguably the most guarded house on the planet, the gates are opened a couple of times a year to a small number of “regular” folk to tour the grounds. We just happened to be in the right place at the right time.

After the Oklahoma City bombing in 1995, the short stretch of Pennsylvania Avenue that passes the house’s north side was closed to thru traffic. This stemmed from concerns of how close the house sits to the street, and is where you’ll see the only evidence of major physical defenses, with retracting ground barricades to prevent anything large or motorized from pulling up outside.

We put our bags through portable x-ray machines, and ourselves through some metal detectors (with seemingly less attention than you get from the TSA at the airport), and then we were in. As we entered the gates, the only overtly visible security presence was a number of armed agents in their crisp police-like uniforms, all of them watching closely from the inner paths and doorways to make sure no one wandered off the approved route.

While most people were checking out the infamous presidential rose garden, I couldn’t help but contemplate how this spectacular mansion is a great example of defense in layers. It starts with a decorative black perimeter fence; a fence that could probably be scaled with a little effort. However, it’s patrolled on the outside by the Secret Service’s own police force (and a few men in suits sitting in the occasional black SUV) who quickly intercept any sign of undesired activity (such as putting one leg of a camera tripod through onto the White House grass! Oops!)

During the time we spent on the grounds, I observed only one lone video camera visibly perched on the northeast corner of the roof of the main house. In fact, once inside, we remarked just how unfortified it all appeared to be. While a rugged show of fortification might act as a deterrent in some situations, objects like the White House and its main occupants will always be a target regardless. But, I think that’s the art of protecting a public figure, as many political and royal figures require their security to be somewhat transparent so that they appear accessible to the people. Numerous subtle “layers” are designed to work together seamlessly to protect and detect, if not necessarily to deter. I think it’s pretty safe to assume that there’s probably a plethora of other advanced controls—underground sensors, infrared cameras, and laser motion detectors—all working together to signal the unauthorized presence of someone on the grounds. I have heard that there are anti-aircraft defenses somewhere on the grounds, and although we didn’t get to go inside (and I’m sure wouldn’t have been given details even if we had). I can imagine that there is some type of fortified underground panic room in case all else fails.

As we left the property, I noticed a shadow moving in a wooded area, and spied a far less visible figure, heavily armed and wearing black combat clothing. It’s not a stretch to believe that maybe one or even two of these defenses could be breached, but the likelihood of anyone getting past without setting off an alert is slim to none. Each event would increase the likelihood of raising the alarm in time to trigger the instant response to secure the core “asset.” In this case, that asset is the President of the United States. In your case, perhaps it’s the credit card file or customer master information.

It’s an invitation to disaster if you are not adequately securing and monitoring your company’s servers and data, and it’s not enough to rely on a single layer of security, such as a user profile and password. IBM i security best practices involves many layers, including object-level security, network exit programs, application controls, and the deployment and use of alerting and reporting tools. The more of these layers you deploy, the more you increase the likelihood that you will prevent—or at least detect—when unauthorized activity is taking place before someone unauthorized gets at, or away with, the asset.

Entering the White House grounds afforded us an unforgettable experience, and being able to photograph such an iconic symbol of American politics up close normally involves being elected. Fortunately, getting information on PowerTech’s portfolio of security layers for IBM i is far easier and doesn’t require a four-year commitment…simply contact me at robin.tatam@powertech.com or visit www.powertech.com.

Cheers,

- rt

Last week kicked off my busiest month since joining PowerTech two years ago. I would certainly never dream of complaining about traveling this much as it started with a trip to St Petersburg, Florida, for COMMON’s Fall meeting. What a great event! More than 300 IBM i professionals to mingle with, many of whom are existing PowerTech or Help/Systems customers. I ended up teaching four sessions on IBM i security, and had fantastic attendance to each—certainly a solid sign that security remains a focus for many organizations. Interestingly, I had a few attendees who came in still reliant on user ignorance to secure their system—hopefully I left them with an altered opinion.

Next, I’m off to Milwaukee to spend some time with the local user group, and to conduct a couple of customer visits. Help/Systems has been a staunch supporter of the local user group community for many years, so if you’d like someone from our family of companies to speak to you about topics ranging from automation, to business intelligence, to security (of course!), just give us a call. I’ll only be back for a few hours before heading out to Baltimore, Maryland, for a two-week services engagement. I’m excited as I’ve never been to Maryland, or nearby Washington D.C., where I’ll be overseeing the setup of a Compliance Monitor infrastructure that spans the nation.

Security news recently has included several noteworthy illegal credit card schemes, including a 16-year-old girl here in Minnesota who was discovered using a card “skimmer” at her McDonalds drive-thru job. This is not the first fast food restaurant to have been hit with this modus operandi—so that Big Mac value meal could end up costing you far more than expected! Other parts of the country also have been experiencing an outbreak of skimming activity, with ATMs remaining a prime target. A New York area bank was hit this past weekend, joining Tampa and Seattle as recently targeted geographies. Experts recommend that consumers be vigilant to any suspicious looking devices or modifications, while card issuers keep struggling to find a way to protect unattended (and sometimes attended!) card devices.

On the flip side of the law, GovInfoSecurity.com recently reported what they called “the largest identity theft bust in history.” The case involves the arrest of more than 100 people, and the cooperation of law enforcement agencies in numerous countries around the world. Commentary on the case included the call to arms about insider threat, something that we at PowerTech have been talking about for years. So many shops still think that their only (or at least biggest) threat comes from outside of the organization. Unfortunately, this often is not the case.

My photograph this week is of a sunset at Clearwater Beach on the Gulf of Mexico, taken last week while I was at COMMON. It’s a spectacularly beautiful area with sandy white beaches and warm waters. We even saw dolphin swimming for fish in the marina.

If you would like information on IBM i security topics, or the solutions modules that make up the PowerTech portfolio, please contact me at robin.tatam@powertech.com

Cheers,

- rt

Last week was certainly a week to remember in PowerTech-land, as almost 70 IBM i security professionals converged on the Rio All-Suite Hotel and Casino in Las Vegas to participate in the 2011 IBM i Security Event of the Year.

One highlight of the event was a presentation by ethical hacker Sabino Marquez on social engineering. Although I was conducting a simultaneous training session on Network Security in another room, I heard many attendees (and staff!) discussing some of the eye-opening ways that private data is compromised without any real technical breach.

The veritable “Who’s Who” of guest speakers at the event included John Earl of Townsend Security, Pat Botz of Botz & Associates, and Jeff Uehling of IBM. Tom Garcia of Infosight gave an alarming keynote speech on Security in a Web 2.0 World. We certainly appreciate all our guest speakers’ involvement; they brought years of combined security experience on the platform to our conference.

I also would like to thank numerous representatives from PowerTech who committed some long days to ensure that the event went off without a hitch. Jill Martin, Katie Carnicom, and Joyce Hendrickson deserve the most gratitude for their behind-the-scenes organization, as well as Brian Wenngatz and Brian Hebeisen for ensuring that attendees were well cared for. Since returning, I’ve received dozens of e-mails from attendees expressing their appreciation for a great conference. It’s always nice to know that you’ve hosted an event that resonates with its audience.

Of course, we also made time for some fun and prizes at the Ask-the-Experts panel, an evening reception, and a conference-wide game of “Clue” that had an IBM i security theme.

Earlier in the week, a couple of us participated in the ISACA Risk Management conference at Caesars Palace, chatting with hundreds of attendees about topics ranging from auditing to powerful user management on IBM i. Auditors from large organizations across the country were on-site to learn about the latest developments in COBIT-related standards, so it was appropriate that the leader in IBM i security was on-hand as well.

Between the two events, we managed to squeeze in a full day with our annual Advisory Board. During this meeting Matt Bresnan, Help/Systems’ Director of Product Development, shared the PowerTech product roadmap as envisioned over the next 18 months. We gained valuable feedback regarding the prioritizing of upcoming features, based on the current and future security challenges these large organizations face every day.

I have only a few days back in the office—ironically already filled with various customer conversations that started last week—and then it’s off to St. Petersburg to present security sessions and meet more customers at the Fall COMMON event. If you’re going to be there, stop by booth 28 to say “Hi!”

I’ve included a few candid pictures from the security conference, including the opening session, guest speaker John Earl with members of the hosting PowerTech team, and finally some proof that not everyone is taller than Jill Martin, PowerTech’s product support manager.

If you would like information on IBM i security topics, or the solution modules that make up the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

We’re making the last minute preparations for the 2011 Security Event of the Year. Everyone at PowerTech is excited to greet a nearly sold-out crowd with sessions that are critical to IBM i security personnel, including setting up user profiles, encryption, social engineering; and expose them to some of the new PowerTech solutions like Command Security and DataThread. It’s going to be a busy week for all of us, but I’m heading out a few days early to first participate in the annual ISACA Risk Management Conference, followed by a PowerTech Advisory Board meeting.

This week was also the Help/Systems Advisory Board for the popular Robot product line. It was well attended by some influential customers, many of whom also use the PowerTech and SEQUEL Software products. We held breakout sessions to discuss how they currently use these solutions, as well as the directions they’d like to see the brands going. Of course, we also had some fun with a very competitive bowling event.

Next week, I’ll provide a recap of the Security Event, as well as any tips or rumors I hear on the street at ISACA.

If you would like information on IBM i security topics, or the PowerTech security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

I want to take a moment to reflect on the events of September 11, 2001. We are on the cusp of having an entire decade pass since that unbelievable day, and it seems that we continue to struggle to come to terms with this horrific act of terrorism. I believe that will help us always remember.

I recently visited the final resting place of United Flight 93 in Pennsylvania, and it was a little surprising how the memories flooded back like it was yesterday. On the flight from Minneapolis, I was seated next to an off-duty commercial pilot, and we discussed some of the impact on life in the cockpit as a result of that day. I was fortunate to not be affected on a personal level by the devastating loss, but I knew others that were and my heart went out to them. I think everyone who witnessed the live video footage, and contemplated the events surrounding it, was changed forever.

I grew up in England and remember the news stories when the IRA attacked targets in Northern Ireland and London. While that was certainly hard to contemplate sometimes, it was nothing on the scale of the events we saw here. Images of those majestic towers burning still give me goosebumps, and make me yearn for a different outcome even though we already know the unhappy ending.

I first came to the United States in 1988 as a high school foreign exchange student. The first port of call was New York City, and we spent several days in orientation and touring the sights of a city unlike any other. This included a trip to the top of the World Trade Center. Of course, we were just kids and had no idea how pivotal that building would become in history.

I watched a recent TV special that introduced children of the victims. These were kids born into a post-9/11 world; never met by their fathers. It was terribly sad, but in a way shows that something positive can still come from something so tragic. My own children were just toddlers at the time, but still know of the events and the significance to their lives.

I am sure that most of us will take a moment this weekend to remember those who died that day, and the thousands of military families that have been affected since. They deserve our gratitude and our respect. I was originally supposed to fly to a client location on Sunday, Sept. 11, and can only imagine how emotionally moving that journey would have been.

My photograph is one I have shared before but I think is the most appropriate. It is of “The Healing Field” in Des Moines, Iowa, taken on the fifth anniversary of this day. There was a flag for each of the men, women, and child victims, along with a yellow silk ribbon with the name and circumstances that resulted in their inclusion in history. The photograph won an award and remains one of my favorite images to this day.

Have a safe and wonderful weekend with your friends and families.

Cheers,

- rt

As summer embarks on its slow wind down, I wrapped up the month of August with no less than sixteen full product demos and seven compliance assessments. That’s not even counting the week of on-site consulting for a large U.S. retail organization. Not too bad for a month that’s normally filled with vacations and breathing room. Security concerns really seem to be gathering momentum and manifesting themselves in a need to seek out more efficient and cost-effective ways to harden the IT environment.

PowerTech proudly employs expert technical staff; they’re not only experts on our software (of course), but also on the IBM i internal operating security controls. This often proves to be beneficial as we find that many discussions revolve around how our solutions can extend and enhance the existing IBM controls. My strong background in IBM i development allows me to have very granular discussions with customers regarding best practices for securing their application and system environments. If you’re not sure how to get started, or whose responsibility it is to secure that application data, then let PowerTech help you move down the road to being more secure.

In security news, California recently passed Senate Bill 24 to update the original SB 1386. This was one of the first bills in the nation to address breach notification. The updated bill resolves a shortcoming in the original bill that didn’t specify what information the notification recipient should receive. Another requirement says that the state’s attorney general must receive a copy of the notification if the breach affects more than 500 Californians, and information about what the organization has done to protect the individuals whose information was breached. The new law goes into effect on January 1, 2012.

Our offices are busy putting the finishing touches to arrangements for the Security Event of the Year, hosted at the Rio All-Suites Hotel and Casino conference center in Las Vegas, Nevada. There are very few open places remaining, so if you’ve been procrastinating, then you’d better move quickly! If you’re already signed up, we look forward to seeing you there.

For more information on PowerTech, or our line of security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

It’s certainly been an interesting week here in Pittsburgh, Pennsylvania. I’ve been here to kick-off an important customer security engagement, but as we approach the tenth anniversary of the September 11 attacks, I paid a visit the rural community of Somerset where the infamous United Flight 93 crashed so tragically. The physical scars in the dirt healed long ago, and a simple inscribed wall now stands to memorialize the emotional scars that will forever remain with this quiet community, as well the nation. The wall marks the completion of phase one of this beautiful memorial, and will be dedicated by the families of the 40 victims during a ceremony on September 10.

Shortly after arriving back in Pittsburgh, our 8th floor hotel room was rocked by the 5.8 magnitude earthquake that was felt throughout much of the eastern seaboard. The hotel sits on the perimeter of the airport so my first thoughts were of an accident; it was almost a relief to find out that it was the result of natural causes.

Overall, it’s been a very productive trip. We got a great start on the implementation project I came out here for, and I look forward to assisting the corporate team as they continue to secure their complex multi-system environment. Implementation will include deployment of the new batch reporting and distribution features in Compliance Monitor 3, and the command line auditing and controls found in our brand new module, Command Security.

If you’re one of the many already booked to attend the Security Event of the Year in Las Vegas next month, or you’re still contemplating reserving a place, we have some great news! PowerTech has renewed its accreditation with NASBA and will be offering CPE credits for attending sessions. In the future, credits also will be available for other PowerTech education events.

My photo this week—finally—is of Pittsburgh’s highly unique and dramatic skyline. I say finally as, you may recall, I didn’t bother to pack a camera for my visit last year since I didn’t know how cool this city is. Happily, I didn’t make that same mistake again.

For more information on PowerTech, or our line of security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

It’s the height of summer and in the Midwest that means State Fair time. I spent the past weekend in Iowa attending Des Moines’ home of “«insert name of food» on a stick!” Delicacies range from the now seemingly mundane (pork chop) to the more exotic (deep-fried Twinkies), and those that defy any common sense of health (deep-fried bacon)—all on a stick, of course. It’s an incredibly fun place to people watch, and where else can you see an 1175 lb. giant boar, an 1196 lb. pumpkin (yes, the pumpkin was bigger than the winning hog!), and a life-size cow carved entirely out of butter? We enjoyed an evening that included a rockin’ concert by ’80s music legends Heart and Def Leppard, and a spectacular fireworks display.

On a related note, my prayers go out to the families of the victims of the horrific stage collapse at the Sugarland concert at the Indianapolis State Fair on Saturday. These country music superstars were scheduled to appear at the Iowa Fair the very next night, bringing with them the phenomenal show we saw in Nashville earlier this year. It’s hard to fathom how something so entertaining can turn so unbelievably tragic.

Although summer at PowerTech is typically a chance to catch our collective breaths, the recent release of Compliance Monitor 3 and the all-new Command Security has found us doing more product demonstrations than ever! Word also is continuing to spread about our FREE Compliance Assessments, and I have personally done almost a dozen this month alone. I am also excited to share with you that registrations are continuing to come in for the Security Event of the Year in Las Vegas, hosted at the Rio All-Suite Hotel and Casino next month. If you haven’t already secured your place, hurry, as this limited seating event is filling up fast!

Are you currently considering a security engagement, but struggling to get management to commit the necessary resources? Well, you might want to inspire them to act with news of a recent development in a case of an insider breach at CITI. As if the original breach wasn’t painful enough, BankInfoSecurity.com is reporting that CITI has been slapped with a $500,000 fine by FINRA for not reacting appropriately to the “red flags” generated by the activities of Tamara Moon, a branch sales assistant who embezzled almost $750,000 over an eight-year period. Followers should note that this is NOT related to the recent insider breach at CITI that involved the theft of more than $19 million! That breach resulted in the arrest of a former CITI executive in June.

PowerTech has a suite of powerful solutions designed specifically to help organizations combat unauthorized or unnecessary access to data, applications, and servers. These solutions provide functions ranging from privileged account management, to record-level database auditing, to network access control. Of course, PowerTech recommends augmenting automation with procedures to ensure the appropriate reaction when the software discovers events.

For more information on PowerTech, or our line of security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

At Help/Systems, the world’s leader in automation software for Power Systems running IBM i, automation flows through the corporate veins. It was, therefore, inevitable that this would be infused into PowerTech as well.

Hot on the heels of an efficient redesign of its user interface, PowerTech is pleased to announce the addition of batch reporting in Compliance Monitor 3. We’ve enabled the product to define reports that run via a built-in scheduler, or integrate with the popular Robot/SCHEDULE solution. Completed reports can be distributed automatically as e-mail attachments, or stored in the Integrated File System (IFS). Either way, you can secure sensitive report data by choosing strong encryption and password protection. The benefits you gain by being able to schedule and distribute audit journal reports electronically will strike you immediately.

The availability of this valuable upgrade marks another exciting chapter in a powerful solution that’s already helping hundreds of companies achieve and maintain regulatory compliance. Other recent enhancements to Compliance Monitor include the addition of a browser interface; a plethora of new reports, including a MICS category for the gaming industry; and an installation pre-checker.

For an introduction to the all-new Compliance Monitor 3, join me for a FREE Webinar on Wednesday, September 7 at 10 am Central time. Regardless of whether you’ve already discovered the benefits of the leading auditing tool for IBM i, or are still struggling with auditing your system, you won’t want to miss this timely session. Watch for an invitation coming to your inbox soon!

My photo this week is of another classic automobile: a 1967 Pontiac GTO. It seems that I’ve discovered an audience that takes tremendous pride in their possessions, and who appreciates someone working hard to portray that in a photograph. Shoot me a note if you have an amazing car like this, and would like to have it photographed in HD! ☺

For more information on PowerTech, or our growing line of security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt