Mitigating Risks

There’s no denying it: Good intentions alone won’t protect your organization’s critical data. Indeed, according to a recent AIX* security survey conducted by IBM Systems Magazine, a majority of respondents indicated they were either very (55.6 percent) or somewhat (34.8 percent) concerned about the platform’s security (see Figure 1 below).

These numbers may be large for a number of reasons, according to Stephen Dominguez, worldwide AIX security lead for IBM Systems Lab Services. “It could be due to the critical nature of their data, whether it’s credit card numbers or health data. In the case of a data breach, organizations storing such sensitive data can face devastating business consequences, not to mention the stress their customers may experience if their data is sold on the black market and exploited in identity theft.

“The large percentage of concerned participants could also be due to the lack of confidence in their existing security defenses.”

Most organizations would have greater confidence in their security defenses, Dominguez continues, if they approached their information security holisticly, leveraging enterprise risk management and defense in depth strategies.

“Enterprise Risk Management involves identifying all types of security threats and vulnerabilities (and not just those involved with compliance) in an organization, prioritizing and fixing them to reduce risk to an acceptable level. Defense in depth is where an organization implements many layers of security defenses, so if one layer is compromised, other layers will protect an organization’s assets from an attacker,” he says.

Unauthorized Users

According to the survey, the top three current worries regarding security involved authorized system user access or credential abuse, external hackers and unauthorized users, in that order. Clearly, data has the potential of being assaulted from all sides, whether by internal or external actors—and protecting it needs to be taken seriously (see Figure 2 below).

“We’re mostly concerned about unauthorized system users or credential abuse, because any logged-in user can compromise the system if they use the appropriate tools,” notes Enid Vrenozaj, head of IT systems with Societe Generale Albania, a banking organization based in Tirana, Albania.

Of concern, however, is the 54 percent of respondents who reported they don’t have methodologies in place to identify unauthorized users. The remaining 46 percent indicated they use a variety of solutions, including access monitoring tools, active directory audits, biometrics passwords, cognitive passwords and one-time dynamic passwords.

SNS Bank, headquartered in Utrecht, Netherlands, uses the IBM Security Directory Server (SDS), role-based access control (RBAC) and IP access control on AIX to address this issue. As an added layer of defense, it’s also using several firewalls.

When asked what procedures they followed when they uncover unauthorized access, 53.5 percent of respondents said they had no procedures in place, while the remaining 46.5 percent indicated they did. Methods included escalating reports to their security teams, blocking access and determining its origin point, and collecting evidence and notifying their legal departments.

Christian Sonnemans, UNIX* system engineer with SNS Bank, has concerns similar to Societe Generale Albania’s Vrenozaj. However, he notes the bank is worried about both internal and external threats, in keeping with the survey’s top-cited AIX security concerns.

“Most threats come from inside, such as unauthorized users, but we’re also concerned about outside hacks, such as Heartbleed or other SSH and SSL exploits, including known AIX defects,” he says.

And then there’s the double whammy of an external hacker gaining root access. If a hacker can get the credentials of an admin, he or she can use that access to launch a sophisticated, multipronged attack that may not be detected for a long period of time.

“Many hacking groups are well-funded and patient—it’s their job. They’ll just keep probing and probing until they find a vulnerability, and that includes gaining root access and installing malware that can be used to launch even more attacks,” Dominguez says. “But we have a pretty robust tool in AIX, Trusted Execution (TE), that will flag malware, and I hope people are using it.”

SNS Bank certainly is. “We put a lot of effort into implementing Trusted Execution and RBAC, including for our software administrators. We’ve also deployed an SDS LDAP environment, which is also used for storing the extra databases needed for TE and RBAC—in read-only mode,” Sonnemans says.

But thwarting credential abuse is no small feat. In order for administrators to do their jobs, they need almost unfettered access to the entire system. If they don’t, their ability to best perform their day-to-day tasks may be hampered. That said, implementing “the principle of least privilege can be challenging,” Dominguez says. “It’s not a simple task ensuring administrators don’t have too much access, while at the same time making sure you are not providing them too little access for them to do their jobs.”

Security Management

Of the 57.7 percent of respondents that said they haven’t deployed a security and event-management solution, 15.6 percent are using IBM PowerSC*. Notably, the PowerSC solution was recently given a GUI makeover to improve usability. And 26.8 percent use other solutions, including IBM QRadar*, IBM Security Guardium* and IBM Tivoli* Access Manager, as well as a number of third-party and in-house tools (see Figure 3 below).

In a similar vein, when asked if their organizations were using security information and event management (SIEM), 59.3 percent of respondents said no. Those not using SIEM reported using a wide range of solutions, including QRadar, AlienVault and ArcSight.

Dominguez says SIEM is important. “They need to be using an SIEM product of some type. It’s kind of like going to war with just a grenade,” Dominguez says. “There is certain fundamental security tooling that you have to use. If you’re not using it, you’re creating a significant hole in the security of your environment.”

That said, 78.4 percent of respondents have information-security policies in place; the remainder don’t (10.4 percent) or are unsure if they do (11.1 percent).

Societe Generale Albania does, as Vrenozaj explains, “We have password policies, workstation and server hardening, user awareness, and we also use monitoring and auditing in case of issues. We also rely on group recommendations, as in the case of our recommended yearly audits.”

Security Audits

A majority of survey respondents reported conducting regular audits every three months (20.3 percent), every six months (15.6 percent) or annually (26.2 percent).

SNS Bank conducts audits annually, but is also very rigorous between those events. “For all our UNIX servers—AIX and Linux*—we report on monthly basis the security risks and apply fixes every month,” Sonnemans says.

Dominguez remarks, however, that audit quality is equally as important as frequency. He cites the example of a 2009 data breach, and the response of the CEO to PCI compliance assessors.

“He was very upset not just at the PCI auditor, but also the PCI Standards Council. In effect, saying ‘Listen, you need to change your requirements.’ He was specifically referring to the requirement to include end-to-end encryption in their PCI audits,” Dominguez recalls. “He was essentially saying the quality of the PCI assessment process needed to be better, because what PCI had required wasn’t sufficient to prevent a breach. So the quality and depth of the audit is imperative.”

These audits examine a wide array of security-related topics, including policy and governance (65.1 percent of all respondents), end-user security compliance (52 percent), hardware security (58 percent), software security (73.3 percent), network security (70.7 percent), physical security (55.7 percent), authorization (62.2 percent) and access control (60.8 percent).

Societe Generale Albania’s security audits look at, among other issues, security policies, software and network security, authorization, user-access control and logins. SNS’s audits cover access control (authentication and authorization) UNIX settings, standard access rights for users and groups, TE/RBAC security settings, remote access, file transfers, intrusion detection, password policies and SSL/SSH settings, in addition to other issues.

“If you’re not being systematic, there’s a danger that, although you may have a lot of great security defenses, hackers will simply go around them to find the weak link to breach your environment. You probably can’t account for everything, and that’s one of the challenges of security. But the more thorough you are, the better,” Dominguez adds.

Cloud and Mobile

Although not every organization uses the cloud—private or hybrid—those that do have myriad security concerns. Chief among them are keeping all cloud data secure from outside threats, monitoring cloud-security infrastructure and maintaining regulatory compliance.

If a third party is involved in an organization’s cloud presence, users should be vigilant when ensuring their hosted data is secure. This includes not just monitoring and auditing their own IT assets, but also those of the hosting partner.

Mobile computing isn’t an entirely different beast, as indicated by the top three mobile concerns addressed in the survey: data privacy, access control and mobile device lost or theft. SNS has taken pains to attempt to ameliorate those by securing laptops with smart cards and using a secured VPN for internal use. “In case of a loss or theft, there is no data on the mobile device,” Sonnemans adds.

Security Policies

Survey respondents reported using a variety of security-related policies in conjunction. When asked to select all methods they use, 93.7 percent said password/passphrase, 76.1 percent said monitoring and auditing, 71.3 percent said workstation configuration, 66.6 percent said user orientation and awareness, and 46.6 percent said personnel background checks.

Despite the quantity of security-related policies they have in place, a healthy minority of survey takers had little-to-moderate confidence in their organizations’ security plans (see Figure 4 below). On a scale of 1 to 5, with 5 being very confident and 1 not confident, 48.4 percent of respondents fell in the 1-to-3 range. (Of the others, 38.3 percent indicated 4s and 13.3 percent indicated 5s.)

When asked what they think would most help address their security concerns, 57.6 percent of respondents said increased education on current software, strategies and policies in place. Another 14.9 sought greater emphasis from management regarding security threats (see Figure 5 below; click to view larger).

Dominguez agrees, saying, “Help is needed at the executive level in the form of a chief information security officer (CISO) to help ensure the proper security environment is being implemented for their company. The CISO needs to be a strong technical leader who can effectively work with executive management to ensure that their brand is being protected and that their customers’ information is being protected with a high-quality security implementation.”

Now and the Future

No matter how tight security is, however, there are always risks posed by internal and external sources. As a result, it’s crucial organizations take a rigid stance when it comes to security—from the top down—because the future will continue to be fraught with potential security issues.

In fact, when asked which risks they’re most concerned with in the next five years, 302 survey respondents said external hackers, 284 authorized system user access or credential abuse, and 262 unauthorized users. This parallels survey responses regarding current security concerns, indicating security woes aren’t going away and organizations need large-scale efforts to address them.