Wednesday, February 27, 2013

How safe is your JukeBox?

Everyone is curious and wants to see what we have, and our security “sieve” needs plugging. For the NonStop community, addressing security may be driven by people other than the traditional LOB managers and IT Directors …

Attending this year’s ATM Industry Association event held in Scottsdale, Arizona, it wasn’t hard to see how much emphasis there was on security. As the very first speaker acknowledged, the “sudden immersion into EMV migration by the ATM industry is the number one issue across all stakeholders”. After years of blindly assuming chip-based smart cards would simply go away, they haven’t and now America is catching up to the rest of the world.

Among the more interesting stands in the exhibition hall was one featuring a very basic product from Sydney, Australia. Following a rash of smash-and-grab ATM robberies, in which thieves used stolen cars to ram mall and store doorways and then roped freestanding ATMs to the back of the vehicle, and after more than 200 ATMs had been stolen this way, the physical security of ATMs came into question. Lockit Systems (Aust.) Pty. Ltd. came up with specially made bolts that deform on impact and make the removal of any protected ATM impossible.

According to Richard Gould, Lockit Systems Director, “since we introduced this solution, there has been a dramatic reduction in such attempts with not one of the ATMs using our solution falling into the hands of would-be thieves.” While nothing on the same order of magnitude has happened in America, there are still the occasional amateurs who try it, with the latest attempt taking place in San Diego while the ATMIA event was under way. Crashing through the doors of the local Hooters restaurant, the young thieves unfortunately mistook a nearby JukeBox for an ATM, lassoing it behind their vehicle before fleeing the scene.

EMV adoption, and making sure you simply cannot carry off the ATM itself, represent different takes on protecting valuable resources, be it personal information or simply cash. However, it’s still a surprise to many of us within IT just how little real effort is being made to address security top to bottom. Len Rust is an Australian-based industry watcher who publishes an eNewsletter, the Rust Report, and in the issue of February 25, 2013, his editorial focused on security with the headline warning that more security breaches will happen.

“Headlines are splashed across front pages and business journals on a regular basis where banks, media companies and government web sites have been attacked,” Rust observed. “The pace, scale and intensity of attacks have dramatically increased over the past year and are likely to continue to accelerate. Cloud, mobile and social media continue to gain attention and rightly so because of the disruptive changes they bring about on both the supply and buy sides of the market. One of the many consequences of these trends is the pull through effect on security software and services.”

It’s not so much that the landscape is changing, or that it is all the fault of the internet, but for far too long many IT professionals have simply been too smug in their belief that it couldn’t happen to them. “With the increase in data, devices and connections security challenges are increasing in number and scope. They fall into three major categories: external threats, internal threats and compliance requirements,” Rust continued in his editorial. “In the past threats mainly came from individuals working independently. However, these attacks are becoming increasingly more coordinated and launched by groups ranging from criminal enterprises to organized collections of hackers and hacktivists. Motivations are no longer limited to seeking profit, but sometimes can include prestige or even espionage.”

Perhaps thinking about protecting our IT infrastructure and data isn’t as much about getting a clear view of a landscape that may have been trashed as it is about plugging all the holes in the façade we have erected around our IT operations, a façade that is more sieve than shield. Perhaps one of the more telling observations by Rust was that “despite continuing investments in network perimeter technologies, respondents were not confident that they are employing the right technologies to secure their high-value data. As budgets remain tight, security officials are confronted with how best to allocate their resources to ensure security of their high-value data in an increasingly perimeter-free world.” None of this, of course, is lost on the NonStop community: since the introduction of the earliest applications, NonStop systems have always sat in the middle of networks, passing data from one end point to another.

In general terms, most NonStop users are poorly prepared to fend off attacks, and the more NonStop embraces standards and open systems, the more it moves into the mainstream when it comes to the underlying middleware and services it now supports. While the basics have been addressed, when it comes to addressing “external threats, internal threats and compliance requirements” far too many IT and Line of Business (LOB) managers are clinging more to the hope that their vendors will address it than to anything of substance. All too often, efforts to bolster the security of NonStop are seriously underfunded. And while throwing up firewalls and encrypting messages delivered to the network are being actively pursued, compliance seems to be a mixed bag of expectations, particularly within the NonStop community.

Nowhere is this more obvious than when it comes to PCI compliance among the many financial institutions running solutions on NonStop. Perhaps, as the fortunate restaurant owners in San Diego were relieved to hear, the wrong system will come under attack and the NonStop solutions will be spared. “Probably the most effective way of changing the landscape is to educate the PCI auditors who in the past did not know much about NonStop,” was how comForte marketing head, Thomas Gloerfeld, summed it up for me in a recent email exchange. “It will likely be internal agencies within a company that encourage and indeed fund more systemic approaches to security and we are seeing such changes already.”

From comForte’s perspective, “the massive shift towards SSL was driven by auditors no longer accepting unencrypted Telnet/FTP and long-term, I see the same thing happening with data at rest and with PCI 3.4 where tokenization will come to the fore and where compensating controls will no longer be accepted,” comForte CTO, Thomas Burg, acknowledged. “Even as we see security projects being seriously underfunded, it may be these same auditors rather than company executives who truly drive security best practices.”
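PCI DSS requirement 3.4 is about rendering the stored primary account number (PAN) unreadable, and tokenization is one of the accepted ways to do it. To make the idea concrete, here is a small worked example added for this post; it is not comForte's product, NonStop code, or anything quoted above. It assumes an in-memory token vault (a real deployment would keep the vault encrypted and separate from the application), a constructed HMAC lookup key, and constructed test card numbers. The example also shows the companion masking rule (first six and last four digits) and validates the Luhn check digit on the way in, so malformed input never reaches the vault.

```python
import hashlib
import hmac
import secrets

# Constructed test PANs (standard test-card numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]

# Constructed lookup key: lets the vault find an existing token for a PAN
# without storing the PAN in a searchable (plaintext) index.
LOOKUP_KEY = b"example-lookup-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    digits = [int(d) for d in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Minimal vault: swaps a PAN for a random, format-preserving token.

    Design choice for this example: tokens keep the PAN's length and last
    four digits (so receipts still work) but are generated so they FAIL the
    Luhn check, which means a token can never be mistaken for a live PAN.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash so the index cannot be brute-forced from PAN structure alone.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        existing = self._token_by_fingerprint.get(fp)
        if existing is not None:
            return existing           # same PAN always maps to the same token
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        # Illustration only: a production vault encrypts this record at rest.
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, behind its own access controls, can reverse a token."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(LOOKUP_KEY)
    for pan in SAMPLE_PANS:
        tok = vault.tokenize(pan)
        print(mask_pan(pan), "->", tok, "(luhn:", luhn_valid(tok), ")")
```

The application stores and logs only the token; a PCI auditor reviewing the NonStop application's files and logs then finds no PAN at all, which is the point of requirement 3.4 and why tokenization removes the need for a compensating control.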

It’s never an easy topic to address, and before looking at solutions many within IT must first acknowledge that there is a problem. Waiting for others to address it will satisfy few who are concerned about potential vulnerabilities. However, once the situation arises and the risks are assessed, vendors like comForte will prevail. Not every hole will be plugged, but the opportunity to change the sieve into a shield may well be worth all the energy expended and, just perhaps, it will be someone else’s landscape that is trashed!
