Everywhere we go these days the topics below are being discussed, not only in IT circles, everywhere.
- On-Line confidentially
- Malware and viruses
Who among us hasn’t been concerned about the Equifax breach and the subsequent fraudulent verification site? Remember a couple of years ago when Target and Home Depot POS systems were hacked within weeks of each other and during the holidays? I spent so much time without my credit and debit cards I actually was forced to regress into using cash (gasp!) at physical stores to complete Christmas shopping. It was not a heartwarming holiday experience to say the least especially in the grip of a typical New York December.
We have become smarter about data! Finally. The ramifications of our reliance on credit/debit cards and mobile devices have wrought implications on our personal identity security. In response many of us have made changes in how we divulge and store our personal data. We use stronger encryption on our home wireless networks, check for HTTPS and the lock icon before entering payment information, guard our SSN numbers, even refuse to allow our driver’s license to be copied without good cause. This awareness and proactive behavior is crucial as we allow electronic transactions to take over our financial lives.
Of course, these trends haven’t gone unnoticed by our employers or the businesses we deal with. Security was an overwhelming focus of many of the conferences I attended this year and I have been asked often about penetration testing and ethical hacking protocols. If you are an IBM i professional you are aware of the debate over the safety of the system. You have heard, “there has never been a single line of malicious code run on an i.” However, you probably have also heard about the security threats to our organizations and the adage that the system is the most “securable” not necessarily properly secured. Responsible and knowledgeable professionals are needed to configure, monitor, and respond to the threats we face on our platform.
As we look at the headline grabbing/fear inspiring stories recurrent patterns emerge. First and foremost, the greatest threat to our organization comes from within. Anyone reading this blog surely has at least one example from personal experience of using back doors and working around an application or system setting to achieve a goal that was prohibited. This is the same mentality we see in one of the most common data manipulation techniques. FTP files off the system, modify the data, FTP back altering the original tables. As FTP isn’t logged on the IBM i the way legitimate changes are in Db2 this is an easily exploited vulnerability. How often do we have a health check or a security assessment performed only to ignore the findings? We will change the settings or amend the authorizations just as soon as we have time. Or worse, we make recommended changes and jobs stop running properly, an important user gets locked out, or business is interrupted in some way and we change everything back quickly. This tends to lead to becoming fearful of trying to address security issues at all. No one wants to be responsible for interruptions and outages especially when it seems to indicate lack of ability or competence in our skill set. As a result default passwords remain unchanged while Bertha in the warehouse keeps her *ALLOBJ authority (in spite of being woefully ignorant of the implications and prone to walking away from her workstation while signed in with the screen unlocked.) We can’t even begin to implement best practices until we are honest about our own worst practices.
I doubt I was the only one who reviewed what happened at Equifax and had little difficulty seeing how easy it would be to have been involved. Whose responsibility was it to maintain the Apache Struts infrastructure? Obviously not upper management who couldn’t spell PTF much less know what was released and why, nor if applicable to their system. The developers in the trenches? Maybe, but if the task wasn’t assigned to someone specifically who would assume the responsibility? IT Management? They would have visibility to what is needed and relevance to the environment but how hard is it to prioritize routine updates? Especially when downtime and off hours effort is needed? How often do we say “After we catch up, after this deadline, when someone comes back from vacation…”
We need to educate ourselves about threat intelligence. One of the very foundations of quality assurance itself is the impossibility of eliminating risk entirely. We all accept varying degrees of exposure at all times in our connected culture. My kids are on line every night to complete homework and collaborate via Google Docs on an iPad provided from their school. I control the heating and air conditioning of my house from my smart phone regardless of where I am in the world although my mom can’t understand the interface well enough to control in person. I share photos with far off friends and family creating a crystal clear indicator that I am on vacation and my home is empty. We – as business and individuals – trade security for efficient productivity and convenience every day. Using my above example involving FTP; how many would answer “there is a legitimate business need for transferring files and I have to get my orders/update inventory/allocate resources/etc.”? I take a risk every time I use a credit/debit card but remain as committed to Amazon Prime and paying at the pump when I buy gas as the next person.
So, what exactly is Threat Intelligence? Simply put it is knowledge based on evidence about risks, hazards, or menaces we face. More importantly it means using that insight to inform our responses to same. We can’t protect ourselves against a threat we can’t comprehend exists or deny affects us. We need to think about how current threats will evolve and impact business in the years to come. Further as we plan, design, andimplement security conscious secure systems with complimentary applications we need to be realistic.
The most potent opportunity for exploitation is the combination of inadequate measures in our infrastructure technically, an authorized user who is careless or disenfranchised, and a corporate culture that is blind to these factors and their ramifications.
The experts at iTech have produced a new guide 5 Tips for Monitoring IBM i Critical Events to help you ensure that you are monitoring some of the most critical IBM i events. Get your copy here.