Wednesday, April 23, 2014

What happens when the tide goes out? comForte wraps NonStop in an extra layer of insulation!

A chance reading of a recent headline posted to the industry blog, ATMmarketplace, made me rethink the importance of covering our systems in even more insulation – after all, when security breaches are reported, we don’t want to be seen inadequately prepared!

In a recent post to the ATM Industry Association web site, ATMmarketplace, Triton Systems CEO, Daryl Cornell, published a short feature under the heading, Who's swimming naked? This heading is a reference to the famous quote by Berkshire Hathaway Inc. CEO, Warren Buffett, "It's only when the tide goes out that you learn who's been swimming naked.” Cornell then writes about how, “If Canada's experience with EMV implementation is any indication, we're about to find out which ISOs might be lacking clothes.”

Independent Sales Organization (“ISO”) in this context “is an organization that deploys ATMs and POS terminals at merchants, gas stations, hotel lobbies, etc. In the USA, ISOs must be sponsored by a financial institution” according to one reference I checked, and I suspect the term is in wide use elsewhere. And how will we be able to tell which ISOs are naked (in Canada)? According to Cornell, “Here's how to tell if you are exposed: Your priority is to tackle Windows XP ATM upgrades before moving to EMV upgrades on CE machines.”

While it hasn’t quite reached panic proportions across the ATM industry, support for Windows XP has come to an end. Operators need to upgrade to Windows 7 (yes, Windows 7 and not 8), even as the broader financial community is looking to move to EMV – so which project goes first and at what cost? Clearly, EMV is becoming a priority here in North America, following recent incursions by the bad guys bent on pilfering as much of our money as they could.

The clock has expired on the Windows XP issue and from here on out, all involved are aware that when it becomes a case of correcting a bug originating in Windows XP, the required fix will cost a lot of money. Microsoft will likely be in no hurry to correct it, no matter the service charges involved. However, it does raise the bigger question of just how we protect our networks, and by implication, ourselves.

Sticking with Windows XP seems every bit as poor a decision as being slow to embrace EMV. But can we do both? And does it really matter? Perhaps the most important observation is that security in all its guises has taken center stage with IT professionals everywhere. Clearly concerned about the potential damages from not being adequately insulated from even the most rudimentary of attacks, those in IT are working with partners and vendors alike to better cover themselves no matter the extent or source of a potentially catastrophic incursion.

A recent case in point? While the ATM industry is wrestling with the dual problems of EMV and Windows XP’s expiration, along comes a potentially worse situation, this time involving network security - the Heartbleed bug. According to the web site, “The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.” Again, after panic initially set in across the media, and to some extent within the general public, measures are being taken to mitigate the concerns of all parties.

According to recent email exchanges and web site updates, comForte CTO, Thomas Burg, made the observation that, “Unfortunately, Heartbleed is a VERY bad vulnerability, unmatched in scale and potential impact. A well-executed ‘defense in depth’ strategy will make things easier for your organization – but your security folks will probably be busy rolling out fixes and having you change your passwords for a while.” When it came to the full product suite available from comForte, Burg then added, “If you are using any comForte product, EXCEPT for the TOP product, you are also NOT affected.” I also took the opportunity to check in with the developers at Infrasoft and they too confirmed that neither uLinga nor maRunga were affected in any way.

Heartbleed has global impact, as too does the withdrawal of support for Windows XP. The EMV issue, by contrast, is largely restricted to North America, as other regions have already embraced EMV. However, as HP CEO, Meg Whitman, related in a recent webinar on the HAVEn initiative, for all involved in IT, “we are in an arms race” and with each fix developed, the bar only gets raised a little higher and the bad guys will continue to exploit weaknesses. As Burg so rightly observed, “A well-executed ‘defense in depth’ strategy” remains key when defending against all security threats, and developing a holistic approach, encompassing every component involved in any transaction path, is becoming increasingly important.

Fortunately, for all involved with NonStop, should the tide indeed go out, today’s modern NonStop systems will not be among those swimming naked, and comForte’s expertise in security is widely known even inside HP where today security components provided by comForte have been integrated with the NonStop Operating System (OS). As comForte Marketing VP, Thomas Gloerfeld, told me, “protecting transactions destined for NonStop flowing across any network are an important consideration today for any NonStop user and as part of having a global perspective on every component a transaction may interact with, remains a priority and one well understood by all within comForte.”

Gloerfeld then added, “The analogy with swimmers being caught out as the tide recedes, may depict what happens when necessary steps are put off for any reason, but whether it’s a case of an OS coming to an end of life, the roll-out of an industry-standard being delayed, or the detection of a potentially devastating network bug, we do have the expertise and today, modern NonStop systems everywhere are the recipients of our skills.”

What happens when the tide goes out may bring a wry smile to many of our faces, but Warren Buffett wasn’t joking and made his now-famous observation about hedge funds. When Buffett made the statement, it was the Economist, in the article Indecent exposure, that countered with, “If someone has staked all his wealth on a leveraged fixed-income hedge fund, then he is too stupid to deserve to be rich.” Harsh words indeed coming from the Oracle of Omaha. However, leaving even the most robust of systems - including NonStop systems of course - without an extra layer of security to better insulate them from attack begs the same question being asked of the companies involved: do they deserve to remain in business!
