Wednesday, March 6, 2013

My NonStop system is hack-proof?

This is a re-post of a blog posting written by comForte CTO Thomas Burg that recently appeared on a partner vendor's blog; the subject matter dovetails nicely with the theme of security already being addressed in earlier posts to this blog.

While there is a plethora of publicized stories about other platforms being breached, there is no public record of an HP NonStop system being breached. Given the high value of the data typically stored on a NonStop system (credit card transaction logs, healthcare data, high-value financial transactions), this seems somewhat surprising. So why is it that no NonStop system has been hacked?

The writer of these lines thinks it is a combination of the obscurity of the platform and the fact that, so far, other platforms have been so much easier to breach. However, this should not become a reason for complacency: with increasing regulatory pressure (PCI, HIPAA, …) other platforms are being made more secure, which might make attackers reconsider which platforms to target in the first place. For an outsider, there are powerful tools such as ‘nmap’ which allow them to fully map the server landscape and then go after targets; for an insider, the presence of NonStop is often fully known.

We’ll never get hacked

The web site lists publicized data breaches since 2005. These days, there is about a breach per day (!) – most probably the companies that have joined this ‘list of shame’ did not exactly plan to get this kind of publicity. Why are we seeing so many more incidents? First, the tools available to an attacker have become more and more sophisticated over the years: these days it is rather common for an attack to consist of multiple stages. Starting with discovery, typically a single PC is ‘taken over’ first and can then be remote-controlled by the attacker for long periods of time. From that PC, other PCs and/or servers are then attacked and taken over – making defense much harder. Second, the attackers themselves are becoming more numerous as well as better organized. Cyber-crime is relatively low risk and high reward; also, these days there is more and more state-sponsored cyber-crime.

All that said, there are reasons why well-written security standards (such as PCI) call for “defense in depth”, namely a combination of security practices which ensure the best possible security even if individual components have already been broken. If defense in depth had been properly implemented, the unfortunate victims of attacks such as The New York Times, Sony or RSA would not have been under “enemy remote control” for extended periods of time.

Applying defense in depth to NonStop security

Here are a number of security concepts, all of which should be part of properly securing a NonStop system:

- Have a security policy in place. Live the policy
- Have a firewall in place between your PCs and your NonStop system
- Encrypt all network traffic to/from your NonStop system
- Run network-based intrusion detection systems with the sensor close to the NonStop system
- Use Safeguard. Put proper ACLs in place for critical files
- Ensure security-relevant events of your NonStop system are logged to a central logging system (SIEM)
- Have an active alerting system which reacts to relevant events (repeated password failures for any user, specifically for SUPER users)
- Track SUPER user usage
- Record keystrokes of users (ideally all, at least the SUPER user group)
- Have secure passwords. Change them regularly
- Have periodic security audits. Ideally, these are not only “paper audits” but include penetration testing
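As an added example (not part of the original post, nor any comForte or HP product code), here is the kind of sliding-window rule a SIEM alerting item like the one above would run over centrally logged logon failures, with a tighter threshold for the SUPER group. The event tuple layout, the thresholds and the window are assumptions; the sample events are constructed and are not real Safeguard audit output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of logon events as a SIEM might normalise them:
# (timestamp, NonStop user name in GROUP.USER form, outcome).
SAMPLE_EVENTS = [
    ("2013-03-06 09:00:01", "SUPER.SUPER", "FAIL"),
    ("2013-03-06 09:00:08", "SUPER.SUPER", "FAIL"),
    ("2013-03-06 09:00:15", "SUPER.SUPER", "FAIL"),
    ("2013-03-06 09:01:00", "APPL.OPER1", "FAIL"),
    ("2013-03-06 09:01:30", "APPL.OPER1", "FAIL"),
    ("2013-03-06 09:02:00", "APPL.OPER1", "OK"),
    ("2013-03-06 09:20:00", "APPL.OPER1", "FAIL"),
    ("2013-03-06 09:20:05", "APPL.OPER1", "FAIL"),
    ("2013-03-06 09:20:10", "APPL.OPER1", "FAIL"),
    ("2013-03-06 09:20:15", "APPL.OPER1", "FAIL"),
    ("2013-03-06 09:20:20", "APPL.OPER1", "FAIL"),
]

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD_DEFAULT = 5            # assumed: failures per window for ordinary users
THRESHOLD_SUPER = 3              # assumed: tighter limit for the SUPER group


def threshold_for(user):
    # The SUPER group holds the privileged ids on NonStop, so it gets the lower limit.
    return THRESHOLD_SUPER if user.upper().startswith("SUPER.") else THRESHOLD_DEFAULT


def detect_password_failures(events, window=WINDOW):
    """Return (user, timestamp, count) alerts, one per user each time the
    number of failures inside the sliding window reaches that user's threshold.
    Successful logons are ignored rather than resetting the count, so a burst
    of failures followed by a success still alerts."""
    recent = defaultdict(deque)
    alerts = []
    for ts, user, outcome in events:
        if outcome != "FAIL":
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) == threshold_for(user):  # fire once when the limit is reached
            alerts.append((user, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for user, ts, n in detect_password_failures(SAMPLE_EVENTS):
        print(f"ALERT {ts} {user}: {n} password failures within {WINDOW}")
```

On the constructed data this raises an alert for SUPER.SUPER after three failures and for APPL.OPER1 only once five failures fall inside one window; the two early APPL.OPER1 failures have aged out by then.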

I don’t have the time/budget to do all this

Unfortunately, the bad guys out there have all the time in the world, and your data is virtual money to them. Think about your total yearly budget for running your NonStop system – adding just a small percentage to better secure the system will, in time, go a long way on the journey towards better security.

1 comment:

  1. Also remember: