Editor's Note: HP 3000 shops which are on the move will be encountering greater challenges in security. Whether it's a move to Windows, to Unix, or to Linux, all non-3000 environments carry greater risk of breaches. Certified Information Security Professional Steve Hardwick explains the investigation and penetration testing that will be needed to secure any enterprise that's migrating away from the obscure-but-less risky MPE operating environment.
By Steve Hardwick
CISPP, Oxygen Finance
First of a series
When making a move in the HP 3000 environment, your first order of business is to understand the security solutions that are currently in place. Many organizations conduct a security assessment in response to a specific regulation, such as a compliance initiative. However, using a broader risk assessment approach can result in a much stronger security posture.
For example, a HIPAA assessment — common in the 3000 healthcare billing environments — may only be directed toward healthcare information. Other users may not be included in that assessment, so would pose as a target for would be hackers. Among the wealth of information regarding how to approach a security assessment — many auditors provide security assessment services — one good free tool is a publication from NIST, a guideline for the Federal government that’s been in place for several years.
SP800-30 has just undergone a revision and a September 2012 version is now available at the NIST website. This document gives a good framework for a general risk assessment. It can form the basis of assessments for specific compliance projects. There is also SP800-63, a more in-depth overview of password and authentication methodologies and vulnerabilities.
An important part of risk assessment methodology is testing. The next countermeasure to look at is penetration testing, or pentesting. Penetration testing actively seeks vulnerabilities within a security architecture.
Unfortunately, in most cases this type of testing is limited to testing technical security countermeasures only. One common approach is network scanning. Network scanning involves presenting network data that’s specifically designed to exploit technical vulnerabilities within a network.
A second type of penetration testing is physical: trying to exploit physical weaknesses within the environment. This type of pentest launches social engineering attacks (trying to trick users into revealing password information through phishing) and searches for physical copies of password information. Pentesting, especially physical, can be a very revealing tool that highlights physical password vulnerabilities.
User training is one countermeasure that is often overlooked. What’s more, this testing can be badly delivered. A lot of user training is dedicated toward telling users what not to do, without explaining the justification for the instruction. This can easily result in users not taking any ownership in the overall security solution. The common response is that the training is viewed as a check-mark on a compliance report, and has little overall value.
IT managers show users the value of security training by showing the impact of a lax approach to security. All too often, security training is a reactive response rather than a proactive response. This results in a view that the training is punitive. When coupled with a good penetration testing philosophy, users can understand how easy it is to gain unauthorized access to their systems.
Other Physical Countermeasures
It can be fairly simple to steal usernames and passwords of individuals by shoulder-surfing. It may seem that the solution to this is fairly simple: make sure no one can see you type in your credentials. You can show your users certain steps to take that facilitate this. First, positioning the computer screen in a way that prevents this type of attack.
However, with mobile devices this may not be so straightforward. There are display solutions which limit the off-angle view from the screen, in order to help reduce shoulder surfing. User training can help prevent this type of attack. This is a key area to include in a physical pentest.
Controlling information as it leaves the corporate environment is also part of physical security. This falls into two areas. Physical transfer of information while in use, as well as decommissioning of computer equipment.
Physically transferring information is typically employed when using back-up media such as tapes. However, it can also include mobile devices, especially any with magnetic storage. One of the best tools for protection is encryption of data while it is at rest. In the case of back-up media and laptops, this involves encrypting any security data that is on the systems — not just user data.
A second option is removing the need to physically transport the data, using electronically transferred back-ups. Quite often a laptop can be lost or stolen. Even if the thief's target was not the data it contains, such a theft can surely compromise it and constitute a security breach.
One caveat regarding encryption: care needs to be taken in storage of encryption keys. The keys should be afforded the same level of protection as a password.
With regard to decommissioning equipment, prior encryption of the data significantly reduces this exposure. In many regulations, loss of encrypted data may not constitute a breach. The best policy is to have a disposal policy that renders any decommissioned machine or media useless. There are a lot of commercially available solutions that securely overwrite the data, or there are physical destruction methods.
One of my personal experiences involved receiving a replacement laptop hard drive. When I ran an unformat program, I found out that the previous owner was the CEO. I immediately returned the drive without viewing any of the data. (Incidentally, using an unformat command was not a violation of my acceptable use policy.)
Next time: Technical Countermeasures