Security

Hesitating on security can cause an uninvited thrill ride!

Posted in Other, Security on August 5th, 2011 by Robin

As a “thank you” for helping me move homes last weekend, I took my kids to Valleyfair, the Minneapolis area’s local theme park. In my lifetime I have gone through several stages of enthusiasm (or lack thereof) for thrill rides, but my 16-year-old son just can’t seem to get enough of them. The park is home to the Wild Thing, the Power Tower (pictured), and the Corkscrew.

My mind battled back and forth as I attempted to convince myself that I would forever regret if I didn’t “man up” and ride all the rides before we left for the day. After watching my boys ride twice, I finally scraped up enough courage to allow myself to be strapped into the awesome Steel Venom, an inverted shuttle coaster which reaches a maximum height of 185 feet and attains a speed of 68 mph in 3.5 seconds.

It always interests me to see how some people are entirely fearless about going head-to-head with these steel behemoths, and others can’t force themselves to go within 1000 feet. The final push in my case was to visualize the “cost” of not moving ahead: the sheer disappointment of knowing that I had missed out on an unbelievable experience. Not to mention the humiliation from “chickening out” in front of my kids, especially after watching small children ride again and again. I kept telling myself that it was just a ride. It wasn’t life threatening; it was simply fear (okay, terror!) holding me back.

This mindset seems similar to what I see with security. Companies either embrace security prevention and detection, or they are terrified of taking that first step. The cost of not proceeding with a security initiative could be a data breach that ends careers, or even puts a company out of business. Implementing a secure infrastructure isn’t a simple task, and it won’t happen by itself. It takes management deciding that it’s a worthwhile business initiative, and committing the resources to accomplish it, one step at a time.

Fortunately, PowerTech has over fifteen years of experience helping customers who might be feeling overwhelmed at the idea of securing their IBM i server. Our free assessment service is one of our most popular offerings and is a great way for the uninitiated to get started. We have experts who understand IBM i security controls and, of course, we also have the leading suite of security products to supplement and enhance the functions provided by IBM.

For more information on PowerTech, or any of our security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

Secure Your Place at the Security Event of the Year!

Posted in Other, Security on August 1st, 2011 by Robin

The widely reported Minnesota state shutdown is finally over, and state services are finally coming back online. Interestingly, the Parks and Recreation department reported taking a record-breaking 4000+ online campsite reservations in the 24 hours after reopening their doors! A deadly heat wave passed over the Midwest in recent weeks and is now impacting other parts of the country, so our desire for warmer weather has been tempered with the realities of summer.

On the security front, a breach was reported recently by the Margarita restaurant chain in Huntsville, Texas. It appears that a virus on a compromised point of sale computer enabled criminals to gain access to customers’ credit and debit card numbers—information that was promptly sold.

Privacy Rights Clearinghouse, a nonprofit consumer advocacy group, is reporting that a staggering 22 million records have already been breached in 2011. This total is believed to underestimate the true figure, as many breaches affect an unknown number of records. Dozens of breaches are listed in the Clearinghouse’s chronology of breaches for July, including Toshiba, Walgreens, and Morgan Stanley Smith Barney.

Don’t forget that PowerTech is sponsoring the IBM i Security Event of the Year at the Rio All-Suite Hotel and Casino in Las Vegas, Nevada September 22–23. It’s shaping up to be a fantastic event and enrollments are continuing to roll in daily, so don’t miss your opportunity to attend the only conference dedicated to IBM i security.

As one of the most recognized landmarks in the world, my photograph this week probably needs no introduction: spectacular Mount Rushmore in South Dakota. I enjoyed visiting this incredible feat of human engineering for the first time recently, along with the Crazy Horse Memorial and Devil’s Tower in Wyoming. Despite sweltering triple-digit temperatures, we were able to stand in awe of each of these stone marvels. The trip also included stops at the Corn Palace, and the “world famous” Wall Drug, which has to be the most sign-posted visitor attraction on the face of the earth!

For more information on PowerTech, or any of our rock-solid security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

PowerTech Command Security Debuts!

Posted in Other, Security on July 15th, 2011 by Robin

It’s been a busy week here at PowerTech, with the release of a powerful new security module. PowerTech Command Security is a fantastic tool in the battle against unauthorized activities by powerful users. Traditionally, authorized users are able to enter commands on system command lines, while others may be able to run commands through unmonitored interfaces such as FTP and DDM without having command line permissions. Either way, once a user is permitted to run a command, the command itself typically is not policed any further. This means that a system operator could accidentally power down a production system in the middle of the day, or a programmer could delete a production file instead of the intended copy in a test library.

Command Security integrates tightly with the IBM operating system to provide additional control over command execution. You can monitor commands selectively (perhaps start with the PWRDWNSYS and CHGSYSVAL commands), including both IBM and non-IBM commands. You then are able to specify flexible conditions including time periods, user names, and even the presence of the profile on an authorization list. Actions can be initiated when these conditions are met. Available actions include overriding command parameters, sending notification of an invocation, and even preventing the command from executing.

For more information on PowerTech Command Security, mark your calendars for August 17 at 10 a.m. CT when I’ll be unveiling its functionality in a free Webinar. Look for registration information coming soon.

In “local” news, the recent Minnesota State government shutdown had the state’s CISO concerned that his IT security talent wasn’t going to want to sit around in employment limbo, especially when working in one of the most in-demand industries. Fortunately, it seems that the two-week shutdown is almost over, as the two sides have finally reached a budget compromise, so hopefully his concerns went unrealized.

My photograph this week is of an exquisitely restored 1953 Pontiac Chieftain. I love to take these kinds of images for people as it’s a real challenge to try to do justice to the blood, sweat, and tears that go into their painstaking restoration and gleaming care. Most of these classics were born long before me, and I think it’ll be interesting to see if the cars of today receive the same cult following as some of these powerful behemoths of yesterday. While there are some beautiful automobiles on the road today, I have a feeling that we won’t ever hear cries of “Wow! Check out this beautiful ’06 Geo Prizm!” Only time will tell.

For more information on PowerTech, or any of our robust and proven security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

When it Comes to Data Breaches…Size Doesn’t Matter!

Posted in Other, Security on July 5th, 2011 by Robin

I hope everyone had a fantastic Fourth of July weekend, and enjoyed spending time with friends and family. I always love the fireworks of course, but it’s also a sign to me that summer is finally here to stay!

Although LulzSec, the anti-security organization, might have called it quits recently, a quick check of the “chronology of data breaches” page of the Privacy Rights Clearinghouse (www.privacyrights.org) website shows that things aren’t slowing down. While hacks of the big-name corporations may steal the headlines, they also have a tendency not to be relatable to smaller businesses on Main Street, USA; the “We’re not Sony” syndrome! But, according to privacyrights.org, the list of June breaches wrapped up with the Nashville Zoo website, and even Conor O’Neill’s Irish Pub in Ann Arbor, Michigan, literally found on Main Street.

While I can’t say whether or not Conor runs his quaint little pub on an IBM i server, there are plenty of small- and medium-sized businesses that do. And many of these are still entirely unprotected from unauthorized activity, be it an intruder or the more likely “insider.” Fortunately, PowerTech can help with a complete portfolio of security solutions that scale from the smallest uni-partition systems up to the latest powerhouse models. We even offer a popular free assessment service to help companies of every shape and size (and budget) identify their vulnerabilities.

In light of this, it might surprise you to know that the biggest recommendation I can make professionally is not about software. It’s not even about compliance. It’s about acknowledging risk, and then taking some type of action to manage it. Sure, it’s probably going to cost some money, but in the long-term, it’s usually a lot less than you’ll spend cleaning up a spill.

My photo this week is of Minneapolis’ beautiful Stone Arch Bridge, a historical landmark built across the Mississippi in 1883. The bridge provided a rail link until 1978, and then reopened as a footbridge in 1994. It’s one of the most recognized landmarks in Minneapolis, and I am proud to finally have local representation in my gallery.

Lastly, I want to send my best wishes to IBM i security legend John Earl, a good friend and a mentor in this business. John is starting down the road to recovery after discovering last week that he was suffering from a brain tumor. In the short time it took to post this blog entry, John has already undergone brain surgery, left the ICU, and is now home getting stronger (and back to himself) daily. My prayers are with him and his family for a speedy and full recovery in the coming months. If you would like to track John’s remarkable progress or send him an encouraging note, you can visit his CaringBridge website.

For more information on PowerTech, or on any of our protection and detection security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

Mistakes are inevitable; just don’t repeat them!

Posted in Other, Security on June 30th, 2011 by Robin

LulzSec, the organization that recently claimed responsibility for some of the headline-grabbing data breaches at Sony and the US Senate, bid the world farewell and disbanded this week. This news came on the heels of the arrest of a 19-year-old UK man who was rumored to have had ties to the group. After their somewhat unconventional social statement attacks, we’ll likely return to the more typical “hacking-for-profit” events.

Speaking of which, I stopped in at the local Michaels craft store the other evening to pick up some new photo frames. When I checked out, I teased the clerk about the safety of swiping my credit card through their point of sale device. I was being facetious, but the recent spate of card skimming at gas pumps and bank ATMs, and even an employee at a Jack in the Box restaurant who kept a skimmer in his pocket at the drive-thru, has made this a very legitimate concern. What shocked me most was that the employee had no idea what I was talking about! A brief discussion ensued about recent events in Michaels stores across more than 20 states, where POS devices were brazenly swapped for compromised devices.

I couldn’t believe that the clerk hadn’t been educated to ensure that other locations across the country didn’t fall victim to the same scam. I would like to think that this was an exception, and that there was enough of a response plan in place (at least now) to prevent more cardholder data from being stolen. Understandably, the public isn’t very forgiving when it comes to disclosure of their private and personal information. I shudder to think of the publicity nightmare that a breached organization would face if they didn’t immediately put countermeasures in place and subsequently experienced a repeat of the same type of breach!

Last week I spent a few days up on Lake Superior’s North Shore. I never believed it could rain solidly for three days straight in June, but I was wrong! Although the constant soaking put the kibosh on most of the planned activities, I was at least able to grab a few photographs of the area. Although not the typical idyllic lake photo you might expect of Superior in summer, I felt that the stormy sky and whitecapping lake waves in mine will be a reminder of the time there. Lake Superior is home to some very large taconite mining companies, and some of the distant smoke is coming from one of those operations.

For more information on PowerTech, or on any of our protection and detection security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

Are These Hackers “Unstoppable”?

Posted in Other, Security on June 21st, 2011 by Robin

The other day, I watched a great movie called “Unstoppable,” starring one of my favorite actors, Denzel Washington (is anyone else shocked that he’s almost 60 years old?). Based on true events, it’s the nail-biting story of an unmanned and out-of-control freight train hammering down the rails pulling a cargo of hazardous materials. Pretty exciting stuff! I’m getting the distinct sense that the world is currently experiencing something similar as security officers scramble to regain control of the recent “freight train” of high-profile security breaches.

Barely a week has passed between public disclosures and announcements, the most recent coming from ADP, Citi, and the U.S. Senate. A group named LulzSec has claimed responsibility for a number of these breaches as a social or political statement. The fact that this particular organization isn’t looking to profit (or so they say) from these high-tech and high-stakes break-ins doesn’t make them any less serious or costly. Complicated notification laws still have to be complied with, and there is still a public relations nightmare to be handled. Not to mention the additional security controls that have to be implemented and maintained. Interestingly, after a congressional committee chastised Sony and Epsilon for their (lack of) preparedness and responsiveness in handling the attacks on their respective networks, LulzSec decided that the Senate should be taught a lesson in humility.

While scare tactics have been a common (yet often ineffective) method for justifying security expenditure, the reality is that this group is exposing the vulnerabilities in the technology of organizations of all sizes. If financial giants such as Citi and Bank of America can be compromised, then many of us are living in a state of denial if we think we are safe as is. Equally dangerous is the mindset that we can’t ever secure our data, so why even bother trying. While IBM i does enjoy some obscurity compared to our Windows-based brethren, it’s critical that we fully deploy the controls that IBM has provided as a foundation, and then build layers of protection and detection on top. There is never a guarantee that someone will not break in, but deploying the right controls and tools makes it far less likely. It also makes it easier to detect unauthorized activity in a timely manner, which can make a critical difference. Far too many IBM i shops bury their heads and either assume that no one will ever penetrate that far, or, if they do, that they won’t know what they are doing. Both assumptions can be fatal errors, as they completely overlook the fact that something as simple as an overly powerful user on the internal network is one of the most common vulnerabilities of all.

Today’s photograph was taken looking back along the famous pier on Santa Monica beach in California. It was a busy time for me in LA last week as I conducted mentoring services for a distribution company, hosted an IBM i security workshop, and visited one of PowerTech’s many international customers. This is the stuff that I most love to do, especially when I see that sharing our security expertise at a workshop already has resulted in three IBM i shops engaging PowerTech for help. The lively pier made me reminisce about the “seaside” that I loved to visit growing up in the south of England, although back then we didn’t have funnel cakes loaded with ice cream and strawberries! In this case, progress is definitely good!

For more information on PowerTech, or any of our protection and detection security solutions, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

PowerTech Acquires DataThread, A Powerful Real-Time Database Monitor for IBM i

Posted in Other, Security on June 14th, 2011 by Robin

PowerTech is pleased to announce the strategic acquisition of the high-performance database monitoring solution, DataThread. After marketing the solution for the past year with technology partner Innovatum, it became clear that DataThread was extremely complementary to our own software portfolio and we’d be well-served by its full-time inclusion in the PowerTech line of security products.

So, what is DataThread? DataThread is an advanced database monitoring solution that provides tracking and auditing of changes (inserts, updates, and deletes) made to any file or field on an IBM i system. The auditing capabilities provided by DataThread allow you to comply with stringent regulations such as PCI, Sarbanes-Oxley, HIPAA, and FDA requirements. DataThread also lets you control file updates through an approval process and provides notifications and alerts when changes fall outside defined boundaries.

Imagine if an auditor asked you to provide a list of all the ways that a file on your system is being accessed. Could you answer? What if you’re required to prove which of these accesses updated data in, say, the last 30 days? Would you be able to provide that proof? Unfortunately, most of you would have to answer honestly that you can’t. Imagine if that proof needed to include the before and after values of a field change, and include all recent history of activity on that field! Perhaps critical file updates should be electronically signed to provide accountability, or signed by a manager for separation of duty. The list goes on and on.

DataThread’s incredible power comes from its use of IBM i database technology to ensure full disclosure of data access regardless of the method used. It lets you track changes made through approved applications, as well as others that are traditionally hard to track, such as DFU and SQL. If you fear this will generate an overwhelming amount of activity, rest assured that DataThread’s customizable workflow engine can decide whether to process and retain audit data based on user-selectable criteria—eliminating the risk of an unapproved exception being lost in the myriad of expected activity.
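Stripped of the product wrapper, the auditor’s question above comes down to a before-and-after record of each change to a sensitive field, stamped with who made it and from which job, captured at the database rather than inside each application. The following Db2 for i SQL is an added example of that idea; it is not DataThread’s code and not a description of how DataThread is built. The library PRODLIB, the file CUSTMAST with columns CUSTNO and CRLIMIT, the audit file CUSTAUD, and the job name ORDENTRY are hypothetical names, and the JOB_NAME special register is assumed to be available on your release.

```sql
-- Added example, not PowerTech/DataThread code. PRODLIB, CUSTMAST, CUSTNO,
-- CRLIMIT, CUSTAUD and ORDENTRY are hypothetical names. Db2 for i syntax.

-- 1. The evidence file: one row per audited change, both images kept.
CREATE TABLE PRODLIB.CUSTAUD (
    AUD_TS     TIMESTAMP    NOT NULL,
    AUD_USER   VARCHAR(10)  NOT NULL,  -- effective user profile at the time of the change
    AUD_JOB    VARCHAR(28),            -- qualified job name; the job name reveals the interface
                                       -- (QPADEVnnnn = 5250, QZDASOINIT = ODBC/JDBC, QTFTP = FTP)
    CUSTNO     CHAR(8)      NOT NULL,
    FIELD_NAME VARCHAR(30)  NOT NULL,
    OLD_VALUE  VARCHAR(50),
    NEW_VALUE  VARCHAR(50)
);

-- 2. Attach the capture to the file itself. A trigger fires for every update
--    path that goes through the database (SQL, DFU, RPG/COBOL native I/O,
--    ODBC/JDBC), so "changed through an unapproved interface" is not a blind spot.
CREATE TRIGGER PRODLIB.CUSTMAST_AUD_UPD
    AFTER UPDATE OF CRLIMIT ON PRODLIB.CUSTMAST
    REFERENCING OLD ROW AS O NEW ROW AS N
    FOR EACH ROW
    WHEN (O.CRLIMIT <> N.CRLIMIT)          -- ignore updates that rewrote the same value
    INSERT INTO PRODLIB.CUSTAUD
        (AUD_TS, AUD_USER, AUD_JOB, CUSTNO, FIELD_NAME, OLD_VALUE, NEW_VALUE)
    VALUES
        (CURRENT TIMESTAMP, USER, JOB_NAME, N.CUSTNO, 'CRLIMIT',
         CHAR(O.CRLIMIT), CHAR(N.CRLIMIT));

-- 3. The auditor's question: every change to the field in the last 30 days,
--    with before/after values and who made it from where.
SELECT AUD_TS, AUD_USER, AUD_JOB, CUSTNO, OLD_VALUE, NEW_VALUE
  FROM PRODLIB.CUSTAUD
 WHERE FIELD_NAME = 'CRLIMIT'
   AND AUD_TS >= CURRENT TIMESTAMP - 30 DAYS
 ORDER BY AUD_TS DESC;

-- 4. The exceptions worth a manager's signature: changes that arrived through
--    a database server job (ad hoc SQL from a PC) or FTP rather than the
--    approved application job.
SELECT AUD_TS, AUD_USER, AUD_JOB, CUSTNO, OLD_VALUE, NEW_VALUE
  FROM PRODLIB.CUSTAUD
 WHERE AUD_TS >= CURRENT TIMESTAMP - 30 DAYS
   AND ( AUD_JOB LIKE '%QZDASOINIT%'
      OR AUD_JOB LIKE '%QTFTP%'
      OR AUD_JOB NOT LIKE '%ORDENTRY%' )  -- hypothetical approved job name
 ORDER BY AUD_TS DESC;
```

Two caveats a practitioner should keep in mind. First, a trigger records writes, not reads, and only on the files and events you remembered to attach it to; inserts and deletes need their own triggers (REFERENCING NEW ROW only, or OLD ROW only). Second, the evidence is only as strong as its protection: a profile with *ALLOBJ can remove the trigger (RMVPFTRG) or clear the audit file, so restrict authority to CUSTAUD, and watch the system audit journal for object-management events against it. Closing those gaps, and selecting which of the thousands of expected updates are worth retaining, is the part a product has to add.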

If you would like to learn more about database monitoring and see how DataThread can proactively monitor critical information at the record and field level, join me for a Web-based introduction at 10 a.m. Central time on June 29. As with all of our educational Webinars, you can register online.

For more information on PowerTech DataThread, or our expanding line of high-tech security solutions, feel free to contact me at (952) 563-2768 or robin.tatam@powertech.com.

For questions regarding the acquisition of DataThread, contact Jim Cassens, Help/Systems Director of Business Development, at jim.cassens@helpsystems.com.

Cheers,

- rt

Sony and Epsilon Share Their Stories with Congress

Posted in Other, Security on June 7th, 2011 by Robin

Beleaguered Sony and Epsilon were in the news again last week. Fortunately, this time wasn’t due to another data breach, but instead regarding their testimony before a congressional committee.

Tim Schaaff, president of Sony Network Entertainment, conceded that his organization had been reminded that no one is immune to a cyber attack, and that the compromise of his company’s data assets was unprecedented in size and scope. He also called for a national initiative to help protect consumers and their information.

Both organizations—especially Sony—received criticism for not notifying consumers sooner, but responded by indicating that they had wanted to understand the scope of the breach before making an announcement to the media and general public. A representative for the committee remarked that companies must be required to enhance security measures used to protect “sensitive” data and promptly notify consumers after a breach.

A corporate frustration was expressed about dealing with upwards of 40 different state notification laws. Epsilon’s legal counsel called for federal oversight of breach notification, citing that it’s currently too complicated. This fits in line with a proposed federal data breach notification policy that would supersede the existing state laws. This policy, proposed by the Obama administration, is designed to oversee companies that store or process personally identifiable information (PII) about more than 10,000 individuals during any 12-month period. Although the bill in its current form has its detractors, it indicates the likelihood that there will be some form of federal mandate in the future. Penalties in the currently proposed bill include fines of $1,000 per day per individual.

The photograph this week is my own artistic interpretation of the awe-inspiring Lockheed SR-71 that I saw on display last weekend at the Strategic Air Command (SAC) museum in Ashland, Nebraska. Nicknamed the “Blackbird,” this is one of only 20 remaining SR-71s in the world, out of a total of 32 that were built. The first active mission was in 1968 over Vietnam, and its use continued until its retirement in 1998. The plane still holds numerous speed and altitude records, including New York to London in 1 hour 54 minutes versus Concorde’s best of 2 hours 52 minutes. Extreme flight conditions required several technological firsts, including a titanium skin and specially designed pressurized suits that were later modified for use by Space Shuttle pilots. With the ability to cruise at over Mach 3 at a ceiling of over 85,000 feet, the “Blackbird” deployed a unique surface-to-air missile defense mechanism: simply speed up and outrun it! While this might have prevented any SR-71 from ever being shot down by enemy forces, you should consider more practical recommendations to apply to your security defenses. Ironically, Lockheed Martin has also been in the news recently for coming under cyber attack, one that is possibly linked to the RSA breach in March!

For more information on PowerTech, or our growing line of our high-tech security solutions for IBM Power Systems running IBM i, please contact me at (952) 563-2768 or robin.tatam@powertech.com.

Cheers,

- rt

“It’ll Never Happen To Me!” theory dispelled by another insider breach

Posted in Other, Security on June 1st, 2011 by Robin

I hope everyone had an enjoyable and safe Memorial Day weekend. I had a fantastic time with my family visiting Omaha’s sensational Henry Doorly Zoo, Strategic Air Command museum, and escorting Sydney, my teenage daughter, to see Taylor Swift’s (surprisingly) fantastic show!

Yet another multi-million dollar breach hit the headlines last week when financial giant Bank of America finally admitted to a significant and embarrassing insider attack. This particular incident dates back over twelve months, and that notification delay is raising some eyebrows. Reports indicate that an employee leaked account information and personally identifiable information to a crime ring that used the information for fraudulent activities. Around 300 customers in California and other western states reportedly had their accounts accessed illegally. So far, the Secret Service has arrested 95 suspects in connection with the breach.

This is an expensive reminder of how any organization (in this case, even one that almost certainly has stringent security and compliance standards), can fall victim to the misuse of data by an employee. Ironically, I recently blogged on the challenges and dangers of when “Good Guys Turned Bad Guys.” All too often I talk to companies that are dismissive of the threat of insider breach, or that are struggling with providing a simple ROI analysis to their management team for a security initiative. Some believe their company doesn’t have the same threat profile as an obvious financial target like BofA or electronics powerhouse Sony. (Then again, who would have predicted smaller retail outlets like Michaels craft stores and Hancock Fabrics would become a prime target for fraudsters?) Others claim to have no budget or lack the skills for managing this type of vulnerability, and many are not being forced into acknowledging insider threat by a formal compliance mandate.

If you’ve never heard of Hancock Fabrics, then I’ve made my point. The size of an organization doesn’t matter. We all place a certain level of trust in our own employees. Unfortunately, this often represents the most damaging risk of all. These users already have access to the network, and to the servers that reside on it. Most employees have been handed legitimate credentials to the data that needs to be protected, and have the knowledge of where the “good stuff” is stored. Whether it’s information on your customers and employees, or trade secrets and financials, virtually every company on the planet has data that shouldn’t be disclosed outside the corporate walls. We need to balance restrictions with legitimate access to ensure that the data is usable to those that need it. Otherwise, what’s the point of having it in the first place?

Our 2011 “State of IBM i Security” study reveals that IBM i shops still have too many users with excessive capabilities. This is a firestorm waiting to happen! It’s imperative that users be given only the amount of authority necessary to perform their jobs. Even (or rather especially) power users like administrators, programmers, and security officers need to be controlled—or at least audited. Consider taking away the special authorities and application access they typically enjoy without restriction, and instead provide an audited mechanism for emergency access. If you haven’t seen our award-winning Authority Broker solution, I strongly suggest you take a closer look. Fifteen years in the security business has taught us a thing or two about securing and reducing risk for owners of IBM Power Systems. Take advantage of that experience, before you join Bank of America in the ranks of companies that wished they’d had a better handle on insider threat.
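The “too many users with excessive capabilities” finding here, and the “overly powerful user on the internal network” from the “Unstoppable” post above, are something you can measure on your own system in a few minutes before any product or assessment. The queries below are an added example, not part of the original post and not PowerTech’s assessment or Authority Broker code. They run against the IBM-supplied catalog view QSYS2.USER_INFO (present on IBM i 7.1 with a Technology Refresh and later); the column names are IBM’s documented ones, and SPECIAL_AUTHORITIES and SUPPLEMENTAL_GROUP_LIST are assumed to be the blank-padded lists of names that IBM returns, which is why the matching uses LIKE rather than equality.

```sql
-- Added example, not PowerTech code. Requires the QSYS2.USER_INFO catalog view
-- (IBM i 7.1 with Technology Refresh or later). Run from Run SQL Scripts, STRSQL
-- or RUNSQLSTM under a profile that is authorized to see other user profiles.

-- 1. Enabled profiles holding a special authority that amounts to "owns the box",
--    with whether they also have an unrestricted command line (LMTCPB *NO).
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES,
       LIMIT_CAPABILITIES, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND ( SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
      OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
      OR SPECIAL_AUTHORITIES LIKE '%*SERVICE%'
      OR SPECIAL_AUTHORITIES LIKE '%*AUDIT%' )
 ORDER BY AUTHORIZATION_NAME;

-- 2. The numbers to put in front of management: how many enabled profiles
--    hold each authority, next to the total.
SELECT COUNT(*)                                                               AS ENABLED_PROFILES,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'  THEN 1 ELSE 0 END) AS ALLOBJ_HOLDERS,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*SECADM%'  THEN 1 ELSE 0 END) AS SECADM_HOLDERS,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*JOBCTL%'  THEN 1 ELSE 0 END) AS JOBCTL_HOLDERS,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'  THEN 1 ELSE 0 END) AS SPLCTL_HOLDERS,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*SERVICE%' THEN 1 ELSE 0 END) AS SERVICE_HOLDERS
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED';

-- 3. The ones query 1 misses: special authorities are inherited from the group
--    profile and from every supplemental group, so a user whose own list is
--    empty can still be *ALLOBJ. Groups cannot nest, so one level is enough.
--    (The substring match can over-report when one group name is a prefix of
--    another; review the VIA_GROUP column.)
SELECT U.AUTHORIZATION_NAME, G.AUTHORIZATION_NAME AS VIA_GROUP, G.SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO U
  JOIN QSYS2.USER_INFO G
    ON G.AUTHORIZATION_NAME = U.GROUP_PROFILE_NAME
    OR U.SUPPLEMENTAL_GROUP_LIST LIKE '%' CONCAT RTRIM(G.AUTHORIZATION_NAME) CONCAT '%'
 WHERE U.STATUS = '*ENABLED'
   AND G.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND U.SPECIAL_AUTHORITIES NOT LIKE '%*ALLOBJ%'
 ORDER BY U.AUTHORIZATION_NAME;

-- 4. Powerful and dormant: nobody has signed on with these in 90 days, so
--    disabling them costs nothing and removes a standing credential an
--    insider could borrow.
SELECT AUTHORIZATION_NAME, SPECIAL_AUTHORITIES, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND (PREVIOUS_SIGNON IS NULL OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS)
 ORDER BY PREVIOUS_SIGNON;
```

Run query 2 once a month and keep the numbers; the trend is the argument for an emergency-access mechanism, because every name that drops off queries 1 and 3 is one less profile whose misuse you would have to explain after the fact.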

I always tell people that Help/Systems is a great place to work due to the frequent infusion of fun into a hectic work schedule. Last week, a number of employees from the different software brands headed downtown to Target Field to watch the Seattle Mariners battle our own Minnesota Twins. There had been some good-natured exchanges between PowerTech’s own Seattle-based team and those of us here in Minneapolis, but in the end the Mariners walked away with a resounding 3-0 victory. Despite the disappointing result for the home team, it was a fun afternoon for everyone (and dramatically warmer than the event last year!) My picture this week is from that game; I hope you enjoy it as much as I enjoyed being there!

Cheers,

- rt

Announcing the 2011 IBM i Security Event of the Year

Posted in Other, Security on May 24th, 2011 by Robin

Recently, PowerTech confirmed plans to sponsor the 2011 IBM i Security Event of the Year. This exciting two-day security conference is scheduled for September 22-23 at the spectacular Rio All-Suite Hotel and Casino in Las Vegas, Nevada, and is the only event dedicated to security on the IBM i platform.

Bringing together a growing list of world-renowned subject matter experts, including Pat Botz, Jeff Uehling of IBM, and Townsend Security CEO John Earl, the conference contains a packed agenda of educational sessions, an “ask the experts” panel, and an evening social event. Be ready to bring your most pressing security questions, and to meet and mingle with the speakers, as well as key personnel from market leaders PowerTech and Help/Systems.

Tom Garcia, keynote speaker and CEO of Florida-based security firm, Infosight, will kick it all off with the timely topic of Security Awareness in a Web 2.0 World. Educational tracks through the conference include an Introduction to IBM i Security, Automatic Encryption with V7R1, and Biometric Authentication, as well as numerous sessions on PowerTech’s popular audit and compliance security solutions. Security expert Sabino Marquez, CISSP, CISA, CISM, also will coordinate an eye-opening live security demonstration.

PowerTech is excited to be joining the veritable “Who’s Who” of experts participating in this event, especially in a town synonymous with security and IBM i servers. Don’t miss this perfect opportunity to increase your skills, and bring back critical value to your own organization.

Cost for the two-day conference is value priced at $550, with an additional “early bird” discount available through July 29. The fee includes access to the technical sessions, breakfast and lunch on both days, and admittance to the “Ask the Experts” panel and the evening reception. Accommodations at the Rio are being offered to attendees at a conference rate of only $79 per night.

Space is limited, so register TODAY!

I look forward to seeing you there.

Cheers,

- rt