Security

Don’t Let Data Thieves Sap Your Holiday Spirit

Posted in Security on December 19th, 2012 by Robin

As we close in on the final few days of the holiday shopping season, retailers are doing whatever they can to attract shoppers to their digital and physical checkout lines. Helping someone find just what they’re looking for—and winning customer loyalty—can quickly put a smile on a merchant’s face; but few things can wipe it away faster than an electronic data breach. So while retailers should be focused on reaching their target audiences, they’ll also need a plan for thwarting the thieves who have customer data in their sights.

Consumers Should Be Cautious

Just as stores stock their shelves with the latest and greatest products, and entice shoppers with eye-popping discounts and promotions, criminal minds are working overtime to set up clever traps for customer data.

From the consumers’ perspective, they’ll need to be particularly cautious about clicking on offers that seem too good to be true. This is even more important on social media websites and mobile devices, as malicious links are less likely to arouse suspicion due to the truncated formatting. Shoppers should also be aware of the sensitivity of personal information they’re providing to gain access to daily deals, loyalty programs, and other holiday-themed promotions. Even if the offers are legitimate, recent events have shown that even name-brand companies can fall victim to cybercriminal ruses.

With that said, retailers have an obligation to address risks on their end. Poor training or malicious employee plots can allow credit card skimming scams and other dangers to go undetected for far too long—especially among companies that rely on an influx of seasonal workers to meet demand.

Retailers Need Smart Defenses

There are plenty of ethical, legal, and commercial reasons for improving data security systems this time of year. On the one hand, customers have an expectation of privacy and regulators have reinforced these rights with compliance standards. And if that weren’t enough, stores should know that even minor instances of theft can have a considerable impact on brand reputation.

As a result, retail data theft prevention starts with reviewing PCI compliance standards and implementing internal policies and practices that address each objective. From encrypting all points of payment—whether cash register terminal or e-commerce website—to training new hires in best practices, companies have a clear blueprint to follow.

However, even the best compliance frameworks may be a step behind clever criminals. As a result, stores should be meticulously auditing transaction reports during the seasonal rush so they can detect any anomalous activity that slipped through the cracks before it snowballs into something more serious.

Don’t let data thieves sap the holiday spirit from your business. If you’d like to learn more about IBM i security or PowerTech’s security solutions for e-commerce, send me an e-mail at robin.tatam@powertech.com or visit www.powertech.com.

Cheers and Happy Holidays!

—rt

To All Of the Veterans Out There…

Posted in Security on November 23rd, 2012 by Robin

The United States recently recognized the many sacrifices made by our veterans of foreign wars past and present. I was fortunate enough to witness a display of service dedication and enviable patriotism at a U.S. Air Force Veterans Day celebration. Hosted at Nellis Air Force Base in Las Vegas, Nevada, the exciting show included demonstrations of military might using F-14 Tomcat, F-15 Eagle, F-16 Fighting Falcon (aka Viper), and the awesome F-22 Raptor aircraft. The USAF “Thunderbirds” aerial display team calls Nellis home, and were on hand to show off just how skilled and talented our Air Force men and women are.


I am here in Las Vegas to meet with some of PowerTech’s customers in the gaming and hospitality industry, as well as to attend the annual ISACA risk management conference. Attended by auditors and security personnel, I’m spending my time chatting with attendees about the strengths and potential configuration weaknesses of the IBM i environment. Many of them were enjoying the pre-defined reports for the MICS (Minimum Internal Control Standards). In fact, one customer expressed that they had easily passed their MICS audit as the report category aligned perfectly with the regulatory mandates. Of course, MICS is not the only regulatory standard we can help with. Many of our customers came to us seeking help with PCI, SOX, and HIPAA, and we have compliance solutions to help with all of them, as well as virtually any regulatory standard based on the popular COBiT and ISO frameworks.

During the show, I ran through a presentation of “fun” security facts about IBM i and its forebears. I used our popular “State of IBM i Security” study as the basis for these startling facts; however, based on the disbelieving stares and remarks from the viewers, it seems that many auditors continue to have no idea that the IBM i OS ships with a surprisingly open configuration. I apologize to anyone who might now be on the hot seat to answer additional, deeper questions from their auditor!

My photo this week is of a heritage flight performed during the Nellis air show. I love this image as it showcases several generations of military aircraft and the aviators that risk their lives to fly them into combat. It’s also a representation of how military (and general aircraft) technology has advanced over the decades.

If you’d like to learn more about IBM i security or PowerTech’s “insider” security solutions, send me an e-mail at robin.tatam@powertech.com or visit www.powertech.com.

Cheers!

—rt

“Remember, Remember, The Fifth of November …”

Posted in Security on November 6th, 2012 by Robin

Since 1776, the United States has marked its independence on the fourth of July in a celebration commonly accompanied by firework extravaganzas. In England, fireworks are traditionally ignited on November 5 to celebrate what’s commonly known as “Guy Fawkes Night.”

On this day in 1605, Guy “Guido” Fawkes conspired with 12 accomplices to ignite 20 barrels of gunpowder in an attempt to blow up the House of Lords as part of an insider breach designed to kill King James I and restore a Catholic monarch. It’s a tale that has mesmerized Britons for centuries, and ends with the discovery, capture, and gruesome execution of the conspirators after supposed sympathizers were warned to stay away from Parliament on the day of the attack. The story is the source of the following poem, and is widely considered to be the inspiration for the movie V for Vendetta.

“Remember, remember the fifth of November, the gunpowder treason and plot. I know of no reason why the gunpowder treason should ever be forgot…”

(Interestingly, NBC television was hacked earlier this morning and their videos page was replaced with a looping audio clip and text reciting this infamous verse!)

In the modern computer world, experts often cite legitimate users as one of the most dangerous sources of threat. Not only do these users have physical access to the business, but they typically receive access to internal corporate systems within their first week of employment. Sadly, according to PowerTech’s 2012 “State of IBM i Security” study, we know that many users are only controlled by their user credentials. Once the sign on process is complete, users often have the authority to illegally download data to a local device (PC, flash drive, etc.) as well as the ability to execute commands.

IBM i contains controls that allow command line usage to be restricted. This is a limitation commonly imposed on users, but more than 66% of shops do not audit or block users who attempt to run commands through other interfaces, such as FTP and REXEC. In addition, permissive public and private authorities mean that a user may only need to know—or browse—the name of a file to view and even modify its contents.

Sadly, organizations all-too-often bury their corporate heads in the security sand when it comes to the threat posed by insiders. Last week I heard from the representative of an organization at IBM Power Systems University (formerly IBM Tech) about his management’s total dismissal of the risk associated with their entire user community having *ALLOBJ special authority! To stem the growing prevalence of these types of breaches, it is critical that user activities be monitored so that they can be held accountable. This includes powerful users like administrators, programmers, and security officers!

Fortunately, there are steps that can be taken to prevent your own internal “gunpowder plot” from blowing up, and we’re happy to give guidance on ways to prevent users from simply undermining your corporate security policies.

On my way out of Las Vegas after the event last week, my flight was temporarily delayed by the departure of Air Force One. It was an awesome sight to see such a magnificent airplane—looking resplendent in its unmistakable Presidential livery—rolling down the runway. It was eerie that there wasn’t an ounce of movement outside the terminal building, but it was announced that even ground crews are prohibited from being outside during takeoff and landing—presumably as that’s when this flying fortress is at its most vulnerable.

Speaking of Presidential comings and goings, today is Election Day in the United States. President Obama and Governor Romney are about to wrap up their (seemingly endless) election campaigns and the world is holding its collective breath to know who has been elected President of the United States. Regardless of your political affiliation, hopefully everyone who is eligible to vote was able to exercise that freedom. Regardless of who is sworn into office at the next inauguration on January 20, expect Federal cyber-terrorism legislation to be part of their agenda.

If you’d like to learn more about IBM i security or PowerTech’s “insider” security solutions, send me an e-mail at robin.tatam@powertech.com or visit www.powertech.com.

Cheers!

—rt

Halloween Comes Early for Some—and Without Any Treats!

Posted in Security on October 31st, 2012 by Robin
October 27th, 2012
For kids, Halloween entails dressing up as a witch, goblin, or super-hero and going door-to-door in a quest for a sack full of candy and treats. For adults—depending on age—it’s a chance to party in an outrageous outfit or to revel in the joy of watching the kids. For a number of organizations, the fall of 2012 has unfortunately turned into a far more real nightmare.

After a highly controversial movie trailer was posted to YouTube earlier this year, an organization known as izz ad-din Al Qassam publicly announced it would target U.S. institutions with a series of distributed denial of service (DDoS) attacks. The group claimed the video was anti-Islamic, and that the attacks would continue until the video was removed from the Internet. Holding true to their word, victims now include a veritable “Who’s Who” of financial institutions: Bank of America, Capital One (twice!), Chase, Wells Fargo, and HSBC Holdings.

Cyber-terrorism experts are cautioning organizations that the political message may be a front designed to divert attention away from more traditional fraudulent activities. While banks battle to restore their online presence, criminals could be exploiting the distraction to conduct other nefarious tasks. Only time will tell if the victimized organizations will suffer serious criminal consequences from these activities.

In another scary story, TD Bank has begun the process of notifying customers about two backup tapes lost in March of this year. The tapes contain account information and Social Security numbers for more than 73,000 customers in Massachusetts—although as many as 267,000 could be affected. The length of time that’s passed since the disappearance—plus the fact that the data was unencrypted—will likely leave the bank vulnerable to additional legal consequences. In an ironic coincidence, VSECU, a Vermont-based credit union, began notifying its customers of two unencrypted tapes that were recently discovered missing.

The State of South Carolina reported this week that it was recently breached to the tune of 3.6 million Social Security numbers and 387,000 credit and debit cards, including 16,000 that were (inexplicably) unencrypted. Interestingly, state officials said that they were made aware of the cyberattack by the Secret Service—although they did not disclose the details of how it was discovered. Investigations have already uncovered the fact that several attacks were attempted in August and September before data was successfully accessed.

Barnes & Noble, a national book retailer, became the latest victim of criminal tampering after point of sale (PoS) devices in 63 stores across nine states were compromised. This follows a similar PoS breach in Michaels stores in 2010, as well as an increasing incidence of ATM and pay-at-the-pump device tampering. B&N immediately removed the pin pads from most of its 700 stores and is working with the FBI.

This ongoing flurry of criminal activity (plus others that I have omitted) shows that no matter how many regulations and controls are put in place, there’s still a possibility (or should I say probability?) that an organization will experience a catastrophic data loss at some point. Once this reality is accepted, it’s important to develop controls to minimize the risk to an acceptable level, to design an incident response plan to react appropriately to the discovery of a compromise, and to ensure lessons are learned from the mistakes of others.

If you’d like to learn more about IBM i security or PowerTech’s anti-Halloween security solutions, send me an e-mail at robin.tatam@powertech.com or visit www.powertech.com.

Bruhahaha!

—rt


Don’t Be Exposed In *PUBLIC!

Posted in Security on October 11th, 2012 by Robin

Security typically operates so that users who are not granted authority have no authority. IBM i security, however, has a unique concept known as *PUBLIC. This is a default authority that is assigned to a user that has no specific authority of their own, and it often leads to unexpected access to objects. It’s critical that this authority be clearly understood to ensure that the environment is well-secured.

Many people shy away from implementing an object-level security model due to the confusion that occurs when a user is “mysteriously” denied access to an object. In reality, the operating system determines authority using a decision flowchart. Assuming that the user does not have *ALLOBJ special authority, then the checking progresses in search of any specific (private) authority—either authorizing or preventing access if such authority is found. If no specific authority exists for a user the operating system checks the user’s group profiles for *ALLOBJ and private authority. If none of these are satisfied then the public authority is used.

I would recommend downloading the IBM i Security Reference Manual for more information regarding the decision flowchart, or send me an e-mail and I’ll send you a one-page .pdf version of it. While a good understanding of the entire flowchart is important, today’s focus is on the final allocation of *PUBLIC authority in a native (Qsys.lib) environment, and where that authority comes from.
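The flowchart just described can be followed in code. The model below is an added example, not PowerTech's or IBM's code: it implements only the steps the post lists (user *ALLOBJ, the user's own private authority, each group's *ALLOBJ and private authority, then *PUBLIC) and deliberately leaves out other steps of the real flowchart such as authorization lists and adopted authority. The profiles, the PAYROLL file and its authorities are constructed sample data; the file was created with the shipped QCRTAUT default, so *PUBLIC holds *CHANGE.

```python
"""Simplified model of the IBM i object-authority decision flowchart.

Added example (not PowerTech's or IBM's code). Order of checks, as the post
describes it: user *ALLOBJ -> user private authority -> group *ALLOBJ ->
group private authority -> *PUBLIC. Authorization lists and adopted authority
are intentionally omitted. All profiles and objects are constructed.
"""
from dataclasses import dataclass, field

# The four standard authority templates, ordered from weakest to strongest.
LEVELS = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class Profile:
    name: str
    allobj: bool = False                         # has *ALLOBJ special authority
    groups: list = field(default_factory=list)   # names of group profiles


@dataclass
class Obj:
    name: str
    public: str                                  # *PUBLIC authority template
    private: dict = field(default_factory=dict)  # profile name -> template


def resolve_authority(user, obj, profiles):
    """Return (template, source) for `user` on `obj`, stopping at the first
    step of the flowchart that yields an answer."""
    if user.allobj:
        return "*ALL", "user *ALLOBJ"
    if user.name in obj.private:
        # A private entry decides either way: *EXCLUDE here denies access
        # even when *PUBLIC is permissive.
        return obj.private[user.name], f"private authority of {user.name}"
    for group_name in user.groups:
        group = profiles[group_name]
        if group.allobj:
            return "*ALL", f"group {group_name} *ALLOBJ"
        if group_name in obj.private:
            return obj.private[group_name], f"private authority of group {group_name}"
    return obj.public, "*PUBLIC"


def is_allowed(user, obj, needed, profiles):
    """True when the resolved template is at least as strong as `needed`."""
    template, _ = resolve_authority(user, obj, profiles)
    return LEVELS[template] >= LEVELS[needed]


# Constructed sample environment. PAYROLL was created under the shipped
# QCRTAUT default, so *PUBLIC has *CHANGE; only two private entries exist.
PROFILES = {
    "QSECOFR": Profile("QSECOFR", allobj=True),
    "PGMGRP": Profile("PGMGRP"),
    "ALICE": Profile("ALICE", groups=["PGMGRP"]),
    "BOB": Profile("BOB"),
    "CAROL": Profile("CAROL"),
}
PAYROLL = Obj("PAYROLL", public="*CHANGE",
              private={"PGMGRP": "*USE", "BOB": "*EXCLUDE"})


def demo():
    """For each profile: may it update PAYROLL, and which step decided."""
    return {name: (is_allowed(p, PAYROLL, "*CHANGE", PROFILES),
                   resolve_authority(p, PAYROLL, PROFILES)[1])
            for name, p in PROFILES.items()}


if __name__ == "__main__":
    for name, (allowed, source) in demo().items():
        print(f"{name:8} update PAYROLL: {str(allowed):5} via {source}")
```

Running it shows the "mysterious" outcomes the post mentions: CAROL, who was never granted anything, can update the file because the walk ends at *PUBLIC *CHANGE; BOB, whose private entry is *EXCLUDE, cannot even read it; ALICE is capped at *USE by her group's private authority.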

Public authority is assigned every time a new object is created. Create commands have an authority (AUT) parameter which designates the authority that *PUBLIC will be given. Four standard authority templates are available: *EXCLUDE, *USE, *CHANGE, or *ALL, plus a special value of *LIBCRTAUT. An example can be seen in Figure 1.


Figure 1: Public authority example as seen on the Create Physical File (CRTPF) command

Granting *EXCLUDE authority might seem counter-intuitive, but it’s often necessary to facilitate a user or group being controlled more tightly than *PUBLIC. However, best practices mandate that a deny-by-default model be adopted, which entails *PUBLIC having the least privileges. Only users with a demonstrated business requirement to access objects should be granted permission.

The create commands default to a special value of *LIBCRTAUT which instructs IBM i to defer to an authority attribute on the library where the object is being created. The library’s authority (AUT) parameter permits designation of the same four authority templates as the create commands. A special value of *SYSVAL instructs IBM i to defer again; this time to the QCRTAUT system value. An example of this library attribute is shown in Figure 2.

Figure 2: New object authority value attribute on a library


The system value is the final referral point and permits the administrator to specify one of the four authority templates. The main controversy with *PUBLIC authority comes from the fact that IBM ships the QCRTAUT system value with a value of *CHANGE. This is sufficient to invoke a program and to read, update, and delete data in a file.

I recommend that the create commands remain at their default value of *LIBCRTAUT to defer the decision to the library. Then, rather than deferring to the system value, each library should be given the appropriate authority that will be granted to any new objects. This permits each library to maintain its setting appropriate to the type of objects and application that it contains. While auditors may still focus their attention on the QCRTAUT system value, this will only be pertinent to libraries that do not have their own specific authority value.
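The deferral chain described over the last few paragraphs (create command AUT, then the library's new-object authority attribute, which is the CRTAUT parameter on CRTLIB/CHGLIB, then the QCRTAUT system value) is short enough to audit mechanically. The following is an added example, not PowerTech's or IBM's code: it resolves the *PUBLIC template a new object would receive and then lists the libraries where that template is *CHANGE or *ALL, which is exactly the set an auditor focused on QCRTAUT should care about. The library names and settings are constructed.

```python
"""Resolve where a new object's *PUBLIC authority comes from.

Added example (not PowerTech's or IBM's code). Chain, as the post describes:
create command AUT -> library CRTAUT -> QCRTAUT system value.
Library names and values below are constructed sample data.
"""

TEMPLATES = {"*EXCLUDE", "*USE", "*CHANGE", "*ALL"}


def effective_public_authority(cmd_aut, lib_crtaut, qcrtaut):
    """Return (template, source): the *PUBLIC template a newly created object
    receives and which level of the chain decided it."""
    if qcrtaut not in TEMPLATES:
        raise ValueError(f"QCRTAUT must be one of {sorted(TEMPLATES)}, got {qcrtaut}")
    if cmd_aut != "*LIBCRTAUT":
        # The create command named an explicit template; nothing is deferred.
        if cmd_aut not in TEMPLATES:
            raise ValueError(f"bad AUT value on create command: {cmd_aut}")
        return cmd_aut, "create command AUT"
    if lib_crtaut != "*SYSVAL":
        # The library carries its own new-object authority.
        if lib_crtaut not in TEMPLATES:
            raise ValueError(f"bad library CRTAUT value: {lib_crtaut}")
        return lib_crtaut, "library CRTAUT"
    # Final referral point: the system value (shipped as *CHANGE).
    return qcrtaut, "QCRTAUT system value"


def libraries_exposed_by_public(libraries, qcrtaut, cmd_aut="*LIBCRTAUT"):
    """Return {library: (template, source)} for every library whose new objects
    would be publicly *CHANGE or *ALL, i.e. readable and writable by any user
    without a private authority entry. `libraries` maps name -> CRTAUT."""
    exposed = {}
    for lib, crtaut in libraries.items():
        template, source = effective_public_authority(cmd_aut, crtaut, qcrtaut)
        if template in ("*CHANGE", "*ALL"):
            exposed[lib] = (template, source)
    return exposed


# Constructed sample: the shipped QCRTAUT of *CHANGE and three libraries,
# one of which still defers to the system value.
QCRTAUT = "*CHANGE"
LIBRARIES = {"PAYLIB": "*EXCLUDE", "APPLIB": "*USE", "TESTLIB": "*SYSVAL"}

if __name__ == "__main__":
    for lib, (tpl, src) in libraries_exposed_by_public(LIBRARIES, QCRTAUT).items():
        print(f"{lib}: new objects get *PUBLIC {tpl} (decided by {src})")
```

With the sample data only TESTLIB is reported, and changing QCRTAUT to *EXCLUDE empties the report without touching PAYLIB or APPLIB, which is the point of the recommendation: once every library carries its own value, the system value only matters for the stragglers.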

If every new hire in a corporate environment was handed a key to the human resources filing cabinets, we would all remark what a ridiculous scenario it was. But, when a new user is given credentials to a server that has open *PUBLIC authority, we are basically doing that very thing. Objects should be created with very limited—if any—public authority, and then access should be granted privately to the appropriate users or group profiles.

Permissive public authority can expose data to users with access to network-initiated interfaces, such as FTP and ODBC, as well as users with command line access and the ability to use powerful utilities such as SQL and DFU. As previously mentioned, public authority should be very tightly controlled and authorized users granted the necessary permission. Establishing the correct level of public authority now can prevent data breaches later.

If you’d like to learn more about IBM i security or PowerTech security solutions, send me an email at robin.tatam@powertech.com or visit www.powertech.com.

Cheers!

—rt

Managing Powerful Users for the COMMON Good!

Posted in Events, Security on October 4th, 2012 by Robin

One of the things that I love about IBM i is that when you think that you’ve learned all there is to learn, you realize that you’ve barely scratched the surface. No matter whether it’s operations, programming, or, of course, security, there is a wealth of functionality just waiting to be tapped.

This also means that it’s rare to encounter companies that have a good handle on all areas. Specialists will often be hired to supplement internal staff and to provide skills that are not easily found. When I’m hired by a company to assist with a security or compliance initiative, I love it when I’m paired with a technician who is thirsty for knowledge and willing to learn. In turn, I have often found that I pick up some tidbit in some discipline that I may be less familiar with.

I recently returned from COMMON’s fall education event, where people from all over the country gathered to learn about topics ranging from web enablement to OS migrations; performance analysis to high-availability. It’s an unparalleled opportunity to network with peers from every industry and every discipline, and I always enjoy meeting first-time and repeat attendees. A good number of the attendees also came to talk about security and many disclosed that they worked for organizations impacted by a regulatory compliance mandate, such as PCI or SOX.

Interestingly, an overwhelming number of the conversations I had while I was in Columbus revolved around the desire to manage privileged accounts. SOX compliance dictates that programmers and administrators should not be able to access production data without oversight and separation of duties. Similarly, PCI mandates that privileged account access should only be permitted on an as-needed basis with support for separate accounts for higher level access. This was the very reason that PowerTech invented the application category for profile-swapping applications. Riding on a little-known operating system facility, Authority Broker charted new territory around the idea of revoking privileges from a user’s profile and granting access when necessary; all without requiring that a user sign on with alternate credentials. It was such a unique application that it was met with customer acclaim, garnered an award, and was even distributed on IBM’s OS/400 media.

Authority Broker is one of PowerTech’s most innovative solutions, and remains one of our most popular. It’s truly a great way to resolve the “battle” between regulatory restriction and the necessity for powerful user access. It’s an often-copied, rarely-matched solution that auditors trust and users love. Paired with PowerTech Command Security, a new command monitoring and control solution, you truly have a unique tool with which to address privileged account access.

If you were one of the visitors to the Help/Systems booth in Columbus last week, it was great to chat with you. If you were in town to spend time learning more about security, then I hope you left feeling that you accomplished your goal and are now ready to approach that security project you have been contemplating. Thank you also to attendees of the COMMON annual meeting in Anaheim earlier this year for voting to give another one of my sessions an award in Columbus. I look forward to seeing you all in Austin next April.

If you’d like to learn more about PowerTech security solutions, send me an email at robin.tatam@powertech.com or visit www.powertech.com.

Cheers!

—rt

Excitement Brews as IBM i Industry Experts Converge on Minneapolis

Posted in Company News, Events, Security on September 11th, 2012 by Robin

Credit: Meet Minneapolis

Summer has all but come and gone, signalling time for everyone to gather in Minneapolis for the 2012 Help/Systems Solutions Summit. Keynote speakers Trevor Perry, Bob Tipton, and Alison Butterhill are coming prepared to share their vision of IBM i. The session agenda is incredibly exciting! Packed with timely content from leading industry thought-leaders such as Kent Milligan, Steve Finnes, and Jeff Uehling; attendees are assured to get all of their critical I.T. questions answered. The conference will follow a full day of workshops, and several different advisory boards that are comprised of various brand leaders and numerous large customers.

PowerTech is proud to have blazed the way for this conference with our hugely successful “Security Event of the Year” at the Rio casino and Resort in Las Vegas in 2011. That unique event represented the massive ongoing investment that PowerTech has been making in the IBM i security industry for more than 16 years, and was met with critical acclaim.

When PowerTech was acquired by Help/Systems in 2008, some industry “observers” (read competitors) gleefully predicted the demise of the most famous and respected brand in IBM i security. They offered commentary that the purpose of the acquisition was for Help/Systems to drain maintenance revenue from the existing customer-base. In light of the amount of long-term planning and investment we were engaging in, this was absurd. This planning was not only designed to maintain the brand, but grow it to an unprecedented level. But this rhetoric was also something that we monitored carefully as we knew that our customers were the targets of those comments. We finally had to send a cease-and-desist letter to one company for the wildly inaccurate statements that they were making along these lines.

All of our employees take tremendous pride in all of the brands that now comprise the Help/Systems family. I typically work more than 10 hours each day planning, strategizing, and executing on the future of the PowerTech solutions. But I’m far from alone in this mission! I’m joined by an entire team of professionals who program, market, and support our growing line of solutions. The acquisition in 2008 simply enabled us to plug into the resources of the world leader in software solutions for IBM i.

When I’m brought in to speak to organizations around the world, part of my value statement is to help them to envision IBM i security beyond the “basics,” like user profile settings, system values, and even (gasp!) software solutions. It’s about taking a holistic approach to the mitigation of risk and the reduction of cost and overhead to accomplish it. This is a level of service that most software companies simply can’t offer.

As we finalize preparations for our agenda-packed week here in Minneapolis, ask yourself whether you are looking for (yet another) software vendor, or a partnership with an organization that is uniquely positioned to engage its customers. We invest in our customer relationships with regional events, blogs, newsletters, educational Webinars, and instructor-led classes. The encouragement and support of my company permits me to be the co-president of the Minneapolis IBM i user group (along with Chuck Losinski, a colleague from the “Robot” brand), as well as a security subject matter expert for COMMON. None of these things would be possible if all we saw was dollar signs from maintenance revenue.

If you’d like to engage with a security team that is fully invested in your success, then visit www.powertech.com or contact me at robin.tatam@powertech.com.

Cheers!

—rt

Gone in 120 Seconds!

Posted in News, Security on August 30th, 2012 by Robin

Fans of a good story often debate whether books are more immersive than their visual Hollywood brethren. A book stimulates the human imagination to generate its own special effects, but I have to admit that there are times when I just want to sink into the couch with a chilled glass of wine and a bucket of popcorn and let a skilled director feed the story to me.

One of these mindless escapes is entitled Gone in 60 Seconds and stars Nicholas Cage and Angelina Jolie. As the tale unfolds we are introduced to a retired car thief who has to steal 50 exotic cars in 12 hours to repay the debt of a foolhardy younger brother. The name of the movie comes from the ability for this master criminal to break in and “boost” any vehicle in less than 60 seconds—almost faster than I can get in and start my own car with keys!

Movieland abounds with tales of spectacular thefts, but sometimes a dramatic real-world crime comes along that makes its own mark on the landscape. While the movie involved the coordinated theft of numerous hard-to-steal cars, a 2008 cybercrime is back in the news and giving it a run for its money.

Earlier this month, the first U.S. sentence was handed down to Sonya Martin for her involvement in a global attack involving RBS WorldPay, an Atlanta-based payments processor. During the operation, Martin led a team of “runners” in Chicago who used debit cards she had manufactured to withdraw approximately $80,000 in funds from numerous ATMs. Her team coordinated with others in a global cash-out that drained a cool $9 million from U.S. bank accounts; ironically, also in just 12 hours.

Behind the scenes, highly-sophisticated hackers compromised RBS WorldPay’s network to access and decrypt payroll account information, which was then provided to the teams ahead of time. The hackers then monitored withdrawals from more than 2,000 ATMs in real time to raise account balances and ATM withdrawal limits. Once the heist was complete, they attempted to destroy data to remove traces of their illegal activity. Fortunately, RBS WorldPay discovered the breach and notified law enforcement.

This brazen crime was unusual because it involved a sophisticated hack as well as an incredibly well-coordinated withdrawal operation spanning 208 cities. Hackers typically focus on electronic transfers as they allow for more currency to be obtained and provide more anonymity to the criminals.

Of course, the movie criminal walked away scot-free at the end. In the real-world story, a coordinated effort by international law enforcement agencies has resulted in numerous arrests and indictments globally. In this first U.S. ruling, Martin received a sentence of 30 months in jail and another five years of supervised release. She has also been ordered to pay $89,000 in restitution. Details about how the hackers pulled off this dramatic heist have not been made public, but one of the ringleaders, a Russian hacker, avoided jail time by turning informant and paying compensation to the bank.

This stirs up a couple of discussion points: Are the arguably light sentences being handed down for these crimes providing any real deterrent, or are more criminals simply waiting in the wings to take their place? And should every company implement some type of detection and warning system to give timely notification of attempts to gain illegal access to data? There are a lot of varying opinions, but one conclusion is obvious: as these attacks become more and more sophisticated, no organization is safe.

So why is the title of my blog offering an additional 60 seconds? I was curious how this crime compared to the fictional movie heist and how frequently a car would have to be boosted over that same 12-hour period to net the equivalent profit obtained by these cybercriminals. I used the average cost of a new car (approximately $25,000 USD) and ran some calculations. The result? If a new vehicle were stolen non-stop every two minutes for 12 hours straight, the total value would add up to $9 million. You’d also be in possession of no less than 360 brand new cars!

If you’d like help boosting your security initiative, or need a security solution that can trigger an alarm if someone tampers with your data, visit www.powertech.com or contact me at robin.tatam@powertech.com.

Cheers!

—rt

What Does IBM i Security Have In Common with Driving a Tank?

Posted in Security on August 23rd, 2012 by Robin – Be the first to comment
Recently, Jordan, my teenage son, and I had the unforgettable experience of operating (the term “driving” just doesn’t do it justice) a Cold War-era British FV433 Abbott military vehicle. Military pundits might argue that this is technically a self-propelled 105-millimeter howitzer gun, but, to a layman like me, this bad boy is a tank!

Our adventure started in the gun range, firing several fully automatic machine guns and the awe-inspiring Barrett M82 semi-automatic sniper rifle. Known affectionately as the “Light Fifty,” the M82 fires .50 caliber BMG ammunition that can penetrate brick walls and vehicle engine blocks with an effective range that exceeds one mile! Variants of this gun are used by police forces and military agencies around the world to disable vehicles, parked aircraft, and unexploded ordnance. Amazingly, Jordan pierced the target’s bull’s-eye from 75 yards out, generating the loudest gunshot that I’ve ever had the pleasure of almost being deafened by!

In trained hands this equipment is designed to be deadly to the enemy. In untrained hands this equipment could easily be deadly to everyone! While a tank is probably going to resist damage from a little wayward steering at the hands of an amateur like me, the damage that could be inflicted on the surrounding environment while operating the Abbott, or the M82, could be substantial. We quickly discovered that the key to allowing members of the general public to safely engage in such fun activities was to maintain an extremely controlled environment and the oversight of people who know exactly what they are doing (translation: “follow our rules without question, or leave!”).

I won’t attempt to make myself sound tough by suggesting that operating an authorization list or firing off a new user profile carries any potential to be life-threatening; however, collateral damage can definitely be inflicted upon an application and its data if a security model is not well designed and correctly deployed (or not deployed at all). Users need to operate in a closely controlled environment to ensure that they don’t accidentally or maliciously damage their surroundings.

Being skilled in IBM i security is not a discipline that’s commonly found within most organizations. Confusion abounds over whether a group profile or an authorization list should be used (answer: both), what *ALLOBJ means, and the easiest way to interrogate those cryptic audit journal entries. Based on the 2012 “State of IBM i Security” study’s assessment of public access to application libraries, it’s readily apparent that there are remarkably few people who understand how object-level security really works.

I was surprised to discover that operating a tank can be accomplished by virtually anyone. But doing it successfully (i.e. avoiding a collision with the trees that lined the wooded trail) took a little training and a lot of oversight by an experienced handler. Sure, configuring IBM i security can also be done by anyone, but having help from experts will help you avoid the “trees” on your path to compliance.

Despite the entertaining nature of the day, I developed an even higher respect for the professionals who operated these vehicles. We toured (if you can call viewing such a tiny cabin “touring”) a British Chieftain tank, discovering that its four-man crew was equipped to survive inside unbelievably cramped and barebones quarters for up to 10 days! It remained incredibly claustrophobic, even with some of the original equipment removed. In fact, the gun would recoil mere inches from the gunner’s abdomen. Minimal visibility meant that the crew was required to be able to do their entire job in complete darkness. At night, even faint lights meant a risk of becoming a target. Reaction time was the key to staying alive in these 50-ton behemoths, so the massive turret was designed to rotate 180 degrees in a mere 30 seconds. This was a potentially deadly operation for the loader, as the ammunition storage areas remained stationary and could amputate any human limb that happened to be reaching into them at the time.

Of course, as with security, there is much more to operating a tank in battle than simply making it go forward and turn, as we managed to do. We have to assess the battlefield and strategize about where the greatest risk may originate. We must be highly responsive and take advantage of every capability at our disposal to help us keep our sights on the “enemy” and protect our data. And we need good leadership to ensure that the initiatives are coordinated.

Most organizations operate their security defenses with minimal staffing resources. It’s critical that those people are utilized efficiently and not bogged down running reports or weeding through thousands of log entries. Combining IBM i’s own integrated controls with battle-proven commercial solutions can help identify an attack before it gets out of hand, saving valuable time and improving the responsiveness of security staff.

During my weekend outing, we repeatedly heard the term “HUA,” which translates to some variant of Heard! Understood! Acknowledged! I think this is a term that should be adopted in our security policy to confirm users understand and abide by the rules!

If you’d like help firing off your own security initiative, or need reconnaissance on how PowerTech’s line of security solutions can help you defend your data, visit www.powertech.com or contact me at robin.tatam@powertech.com.

Cheers!

—rt

Thanks for Calling, But I’m Already Compliant!

Posted in Security on August 16th, 2012 by Robin – Be the first to comment

The Merriam-Webster dictionary defines a fallacy as “a false or mistaken idea.” Unfortunately, the list of fallacies related to IBM i security is a pretty long one. My list of “faves” includes:

  • IBM Power Systems servers running IBM i are totally secure.
  • You can’t get a virus on an IBM i server.
  • The users don’t know how to use ODBC and FTP.
  • «Insert name of long-time employee here» would never do anything bad.

I’ll resist the urge to write the answers upside down in parentheses. For those who are curious, or have possibly uttered any of those statements, the reality is: No, they’re not (unless you do a lot of configuration); Yes, you most certainly can; It’s easier than it looks; and maybe not maliciously, but don’t bet your business on it.

In today’s highly-regulated world, compliance fallacies are also becoming more common. In a conversation with some of my customer-facing team members last week, I heard numerous examples of a business mind-set that could (and most likely, will) result in a painful reality check:

  • Security and compliance are the same thing.
  • I don’t have to worry as my IBM i is not in scope of the regulatory mandate.
  • I’m already compliant. (Variations: I passed my audit. / The auditors didn’t find anything.)

Surprisingly, these types of comments are sometimes heard coming from the mouths of global enterprises; organizations whose radar signatures as breach targets approach the size of a small planet!

Regardless of the size of your business, build a goal-oriented project plan as the first step of a security initiative. This will likely be comprised of tasks such as:

  1. Determining known vulnerabilities
  2. Assigning risk
  3. Performing cost/benefit analysis for mitigation
  4. Determining impact and overlap with regulatory compliance initiatives

I often speak to organizations whose sole focus is on achieving compliance. Sadly, they’re overlooking the fact that there’s a big difference between being secure and being compliant. Mandates are typically just guidelines that spell out the minimum that should be done. The irony is that, while the goal of most regulatory mandates is to make your business more secure, if you concentrate entirely on compliance there’s a good probability that you won’t be totally secure. But if you set out to become as secure as possible, then compliance is usually a short journey from there.

Compliance is definitely a motivator, but using it as your driving force can be problematic. Regulatory mandates are usually not I.T. centric—and never IBM i centric—so compliance isn’t always intuitive. In fact, one of the frustrations I hear uttered by I.T. staff around the world is that many simply don’t know what they’re supposed to do. There’s nothing in PCI, HIPAA, or SOX documentation that says “set QALWOBJRST to *NONE”, or that it’s okay to have up to seven users with *ALLOBJ special authority. Auditors walk in the door and demand that we “harden” our server security, but don’t tell us how to do it.
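To make the two IBM i specifics in this paragraph (the QALWOBJRST setting and the number of profiles holding *ALLOBJ), plus the public access to application libraries called out in the tank post above, into something an administrator can actually run, here is a set of checks written as an added example. It is not code from the original posts or from any PowerTech product. It uses the Db2 for i SQL services QSYS2.USER_INFO, QSYS2.SYSTEM_VALUE_INFO, QSYS2.OBJECT_PRIVILEGES and the QSYS2.QCMDEXC procedure, which are assumed to be present (they ship with IBM i 7.2 and later and post-date this 2012 post; confirm column names against your release’s documentation). The library name APPLIB is a placeholder to replace with your own.

```sql
-- 1. Which enabled profiles hold *ALLOBJ?  SPECIAL_AUTHORITIES is a
--    space-separated list such as '*ALLOBJ *SECADM', so a LIKE match is used.
--    Disabled profiles are excluded here; they are a separate finding.
SELECT authorization_name, user_class_name, status, special_authorities
  FROM qsys2.user_info
 WHERE special_authorities LIKE '%*ALLOBJ%'
   AND status = '*ENABLED'
 ORDER BY authorization_name;

-- 2. Head-count of *ALLOBJ profiles, enabled or not.  Compare the number
--    against the limit your own policy sets (no mandate names one for you).
SELECT COUNT(*) AS allobj_profiles
  FROM qsys2.user_info
 WHERE special_authorities LIKE '%*ALLOBJ%';

-- 3. Restore-control and security-level system values.  Any QALWOBJRST value
--    other than *NONE allows some class of restored object (system-state or
--    authority-adopting programs, for example) onto the system.
SELECT system_value_name, current_numeric_value, current_character_value
  FROM qsys2.system_value_info
 WHERE system_value_name IN ('QALWOBJRST', 'QSECURITY');

-- 4. Application libraries where *PUBLIC has anything beyond *EXCLUDE.
--    *USE on a library lets every profile see what is inside it; whether
--    they can then read or change those objects depends on the objects' own
--    authority, which is exactly the object-level security most shops skip.
SELECT system_object_name AS library, object_authority
  FROM qsys2.object_privileges
 WHERE object_type = '*LIB'
   AND authorization_name = '*PUBLIC'
   AND system_object_name IN ('APPLIB')      -- placeholder library name
   AND object_authority <> '*EXCLUDE';

-- 5. Remediation for (3), issued from SQL through QCMDEXC.  Left commented
--    out because it changes the system: set QALWOBJRST to *ALL only for the
--    duration of a PTF or licensed-program install, then return it to *NONE.
-- CALL qsys2.qcmdexc('CHGSYSVAL SYSVAL(QALWOBJRST) VALUE(''*NONE'')');
```

Run these from a profile with *ALLOBJ or *SECADM (or at least *READ to every profile and library you care about); USER_INFO and OBJECT_PRIVILEGES silently return only the rows the caller is authorized to see, so a short list from a low-privilege profile proves nothing. Queries 1, 2 and 4 are the kind of thing to schedule and diff over time rather than run once before an audit, which is the point of the paragraph above.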

Don’t make the mistake of believing that compliance is a destination, or that PowerTech can only help during the initial approach. Yes, we have great solutions to uncover configuration vulnerabilities, but the benefits of PowerTech security solutions don’t end with achieving compliance. Solutions such as PowerAdmin, DataThread, and Network Security are all designed to live on to help an organization be more secure (and compliant) and to maintain that state indefinitely. After all, regulatory mandates are designed to reduce the risk of an integrity violation from ever happening, and that’s not something that’s simply going to happen through wishful thinking. And, like it or not, compliance can’t be achieved and subsequently maintained from a one-time effort. Success comes when valuable, time-saving controls are introduced and well-designed security procedures become ingrained into the corporate culture as a way of life.

No one should believe that becoming compliant won’t be expensive, or time-consuming. But the alternative can be far, far worse. Take the case of BlueCross BlueShield of Tennessee, who recently agreed to pay $1.5 million to the U.S. Department of Health and Human Services to settle a case involving the theft of 57 unencrypted hard drives. These drives contained protected health information on more than one million subscribers. The settlement is in addition to the estimated $17 million BCBSTN has spent on investigation, notification, and protection efforts! This is just one of numerous examples where organizations opted not to spend the money up front, but spent it (many hundred-fold) after the fact.

Even if regulatory mandates aren’t applicable (although I would offer that every organization has a responsibility to answer to someone), we still need to maintain the business value and integrity of our server and data assets. After all, if the applications are not able to function then we’re in trouble. And, if the data that defines the recipe for the business’s “secret sauce” walks out the door, then that door might get locked permanently!

PowerTech has lived in the IBM i security space for sixteen years, and has the expertise and resources to contribute to long-term security and compliance initiatives. In fact, only one of our products is designed with the initial assessment of vulnerability in mind. It’s called, unsurprisingly, Compliance Assessment, and it’s tied to a free service that we perform for the IBM i community. Every other solution in the ever-growing PowerTech portfolio is designed to manage and maintain ongoing security and compliance—even if regulatory mandates don’t pertain to you.

If you previously thought achieving compliance meant that PowerTech solutions were no longer necessary, or that the absence of a regulatory mandate meant no benefit from a product with “Compliance” in its name, give me a call—you might be surprised how we can help! We’re a leader in the IBM i security business, and compliance falls nearby as a subset of that.

I’m excited to announce that Help/Systems, our parent organization, was recently named to The Star Tribune’s 2012 list of “Top 100 Workplaces” in Minnesota. The inclusion is based on employee surveys, and demonstrates that Help/Systems’ employee culture reflects the way we approach our business relationships.

Registrations have been rolling in for Help/Systems’ 2012 Solutions Summit. Enroll now to secure your place and a chance to discuss security, automation, and business intelligence topics with industry leaders.

If you’d like more information on PowerTech’s security solutions, visit www.powertech.com or contact me at robin.tatam@powertech.com.

Cheers!

—rt