By Greg Swedosh, CTO, 4tech Software


From Compliance to Resilience: Strengthening Cybersecurity in a Changing Threat Landscape

In today’s fast-paced digital world, cyber threats are increasing at an alarming rate. From data theft to ransomware attacks and disruption of service, the changing cybersecurity landscape is posing challenges for organizations worldwide. The days of NonStop security by obscurity are gone as organizations look to establish an enterprise-wide approach to cybersecurity. The traditional approach of ticking boxes for compliance is no longer enough to protect sensitive data and ensure the continuity of business operations. Instead, a more proactive and comprehensive approach towards cybersecurity is required, one that emphasizes cyber resilience. This article aims to provide insights into cyber resilience for the HPE NonStop server environment and the need to move beyond mere compliance to establish a strong cybersecurity setup that can withstand cyber-attacks. Cyber resilience can be defined as the ability of an organization to maintain essential business operations, quickly recover from cyber-attacks, and adapt to changes in the cybersecurity landscape. It is a holistic approach that goes beyond compliance and focuses on identifying vulnerabilities, mitigating risks, and enhancing the overall security posture. Cyber resilience requires a combination of technical controls, policies, procedures, and human resources that work together to reduce the likelihood and impact of cyber incidents.

Identifying Sensitive Data:

The first step in setting up any kind of model for robust cyber resilience is for the organization to identify and locate where its sensitive data resides on the system. If asked, most organizations will tell you that they know where their data resides and point to the confines of their application environment. It is important, however, to determine that your data has not leaked out to other parts of the system, or even to other systems. For example, are you certain that production data has not been taken across to a non-production system for testing or troubleshooting? While procedures forbidding this are typical within most organizations, it is unfortunately still common practice, and the plan to clean it up later is often overlooked. It is therefore only by using an automated data discovery tool that you can really be sure that you know every location where your sensitive data resides, and then do something about it. It is not possible to protect something if you don’t know where it is.

PCI DSS version 4.0 has also added another angle to data discovery and defining the scope of where your sensitive data resides. Not only do you need to ‘prove’ where your sensitive data does reside, you now need to have automated measures in place to prove where it ‘does not’ reside.
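To make the data discovery step concrete, here is an added example of the core of such a scan (written for this article, not code from HPE PANfinder or any other product). It looks for card-number-shaped digit runs, drops candidates that fail the Luhn check, reports only masked values, and, in line with the PCI DSS 4.0 point above, records the locations that came back clean as well as those that did not. The Guardian file names and file contents are constructed for the example, and the card numbers are the publicly documented test numbers rather than real accounts.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check; filters most digit strings that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report first six and last four only, so the finding itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked, Luhn-valid PAN candidates found in a block of text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask(digits))
    return found


def scan_locations(locations: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan every location and keep the clean ones too: the empty entries are the
    evidence that cardholder data does not reside there."""
    return {path: find_pans(content) for path, content in locations.items()}


def out_of_scope_hits(results: Dict[str, List[str]], in_scope: set) -> List[str]:
    """Locations holding cardholder data that lie outside the declared scope."""
    return sorted(p for p, hits in results.items() if hits and p not in in_scope)


# Constructed sample "files": the $VOL.SUBVOL.FILE names are made up for this example,
# and the card numbers are well-known public test numbers, not real accounts.
SAMPLE_FILES = {
    "$DATA.PROD.CARDS": "ACCT|4111 1111 1111 1111|SMITH\nACCT|378282246310005|JONES\n",
    "$DATA.TEST.CARDS": "copied from prod for debugging: 5555-5555-5555-4444\n",
    "$SYSTEM.SYSTEM.LOGFILE": "order 1234567890123456 rejected, call 02 9999 0000\n",
}
IN_SCOPE = {"$DATA.PROD.CARDS"}   # where the organization believes its data lives


def run_example() -> List[str]:
    results = scan_locations(SAMPLE_FILES)
    for path, hits in results.items():
        print(f"{path:24} {len(hits)} PAN(s) {hits}")
    return out_of_scope_hits(results, IN_SCOPE)


if __name__ == "__main__":
    print("cardholder data outside declared scope:", run_example())
```

Run as written, the scan flags $DATA.TEST.CARDS as an out-of-scope location holding a PAN (the production copy taken for debugging), while the log file containing a 16-digit order number that fails the Luhn check is reported clean. A real discovery tool would also read Enscribe structured files, SQL tables and OSS files, and would scan on a schedule rather than once.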

Defense in Depth:

Defense in depth is a layered security approach that involves using multiple security measures to protect an organization’s systems and data, and it is vital in the steps towards cyber resilience. It means that instead of relying on a single security solution, a range of measures are used to increase the overall security posture. Each layer provides an additional level of protection, and if one layer fails, the next one can prevent or minimize the impact of the attack. Defense in depth security helps to ensure that if an attack occurs, the organization is better able to detect and respond to the threat, reducing the likelihood of a successful attack. On a NonStop system, there are several standard tools bundled with the operating system which can be used to help set up a strong defense in depth security model. Some measures will require additional products from HPE or third-party vendors. The following should all be considered as a vital part of your security regime:

  • Strong authentication – controlling who can access your systems is obviously crucial and so the first point to address is making sure that anybody trying to access the system is challenged strongly to ensure that they are authorized. This includes the use of strong passphrases, and multifactor authentication. The first can be controlled by Safeguard by ensuring long minimum-password-length values. The XYGATE User Authentication (XUA) software that ships with the OS can be used to interface with an RSA authentication or Radius server to provide MFA.

  • Strong access controls to system and data objects – Safeguard should be configured to deny access to any files or subvolumes for any userid that does not specifically need it. “Deny all by default” should be the motto, with access only opened where truly required. Likewise, OSS should be configured with a “deny all by default” approach.

  • Strict control of privileged userids – Organizations should have procedures in place that both restrict and track the usage of userids that have any special powers, such as super.super, application owner userids, security management userids and so on. Several third-party software tools exist that provide the ability for users to perform authorized tasks, that would normally require a privileged userid, from their own userid. This minimizes the usage of powerful userids and makes their usage easier to track. Any use of privileged userids should align with either an incident or a change request.

  • Strict security configuration of subsystems – Many subsystems such as Pathway, the TACL environment, Netbatch and so on, have security parameters that need to be configured. The defaults may not be appropriate.

  • Monitoring of all user sessions – Third party tools are available that provide the ability to monitor all user activity on the system. This is important if ever you need to investigate any sort of security incident.

  • Encryption or tokenization of sensitive data – All sensitive data should be tokenized or encrypted. PCI DSS requirement 3.4 states that sensitive cardholder data must be protected in this manner, but to this point in time many organizations have achieved compliance by using compensating controls to “satisfy” this requirement. With the PCI DSS 4.0 move away from compensating controls, as well as the availability of intercept technology and format preserving tokenization to enable implementation with no application or database changes, organizations should look at moving towards fully complying with this requirement to protect their data. HPE Tokenator can be used to fully protect your sensitive data.

  • Data leak prevention – Early detection is key, so an automated tool that detects and alerts when any sensitive data appears on your systems in unauthorized locations should be considered. HPE PANfinder can monitor your systems in real time and alert if any such data is located.

  • Session encryption – All user sessions, such as TACL, OSH or file transfers should be encrypted. NonStop SSH ships as standard with the NonStop system and should be used. Similarly, any other types of sessions, such as webserver or GUI access, should be encrypted.

  • File integrity and subsystem monitoring – Early detection is key in preventing or minimizing damage caused by cyber-attacks. Measures should be put in place to detect any changes to critical files, such as application programs, configuration files, startup files and so on. This, however, is only part of the job. Subsystem configurations should also be monitored for any changes. You want to know, for example, if a Pathway server has been reconfigured to execute a different program. HPE Integrity Detective provides the ability to fulfil both roles.

  • “Off box” security logging and real-time security alerting – All security related logs should be shipped off the NonStop to a SIEM device, which can be done using standard XMA. While many organizations deploy such a mechanism, often the job is considered done when the events leave the NonStop. It is imperative that there is strong liaison between the NonStop-knowledgeable employees and those responsible for the SIEM, so that the appropriate security events are alerted upon and any potential misuse is detected early.

  • Periodic external review of security – It’s important to note that defense in depth is not a one-time project, but an ongoing effort that needs to be regularly reviewed and updated to keep up with the evolving threat landscape, changes in technology and changes to the needs of the organization. PCI DSS Version 4.0 mandates that managing and maintaining ongoing compliance is a fundamental task that should form part of your everyday business approach.
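The “off box” logging and privileged-userid bullets above both come down to the same question: once the events reach the SIEM, what should it alert on? As an added example (written for this article; it is not XMA, EMS or any SIEM vendor’s code), the following encodes three of the rules discussed in the list: a privileged userid logon that does not line up with an open change or incident ticket, a burst of failed logons, and a Pathway server class whose PROGRAM attribute was altered. The event format, the userids, the ticket numbers and the privileged-userid list are all constructed; real XMA output would need its own parser.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumptions for this example: the privileged-userid list is illustrative and the
# event format below is constructed, not XMA's or EMS's real layout.
PRIVILEGED_USERS = {"SUPER.SUPER", "SUPER.SECURITY"}
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)

# Constructed sample security events in a simple key=value form.
SAMPLE_EVENTS = """\
ts=2024-03-01T09:00:05 type=LOGON user=SUPER.SUPER result=OK terminal=$ZTN0.#PTY01 ticket=CHG-1042
ts=2024-03-01T09:15:00 type=LOGON user=APPL.OPER result=FAIL terminal=$ZTN0.#PTY07
ts=2024-03-01T09:15:20 type=LOGON user=APPL.OPER result=FAIL terminal=$ZTN0.#PTY07
ts=2024-03-01T09:15:41 type=LOGON user=APPL.OPER result=FAIL terminal=$ZTN0.#PTY07
ts=2024-03-01T09:16:02 type=LOGON user=APPL.OPER result=OK terminal=$ZTN0.#PTY07
ts=2024-03-01T23:40:10 type=LOGON user=SUPER.SUPER result=OK terminal=$ZTN0.#PTY03
ts=2024-03-01T23:42:33 type=PATHWAY_ALTER user=SUPER.SUPER object=SERVER-CLASS:ORDER-SVR attr=PROGRAM
"""
OPEN_TICKETS = {"CHG-1042"}   # change/incident tickets currently approved for privileged work


@dataclass
class Alert:
    rule: str
    user: str
    ts: str
    detail: str


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line of key=value tokens into a dict."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def evaluate(events: List[Dict[str, str]], open_tickets: Set[str]) -> List[Alert]:
    """Apply the three detection rules and return the alerts raised."""
    alerts: List[Alert] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        user = ev.get("user", "?")
        # Rule 1: privileged logon must reference an open change or incident ticket.
        if ev["type"] == "LOGON" and ev["result"] == "OK" and user in PRIVILEGED_USERS:
            ticket = ev.get("ticket")
            if ticket not in open_tickets:
                alerts.append(Alert("privileged-logon-without-ticket", user, ev["ts"],
                                    f"ticket={ticket}"))
        # Rule 3: a server class now points at a different program.
        if ev["type"] == "PATHWAY_ALTER" and ev.get("attr") == "PROGRAM":
            alerts.append(Alert("pathway-server-program-changed", user, ev["ts"],
                                ev.get("object", "")))
        if ev["type"] == "LOGON" and ev["result"] == "FAIL":
            failures[user].append(datetime.fromisoformat(ev["ts"]))
    # Rule 2: FAIL_THRESHOLD failed logons for one userid inside FAIL_WINDOW (alert once).
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                alerts.append(Alert("repeated-failed-logons", user, times[i].isoformat(),
                                    f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
                break
    return alerts


def run_example() -> List[Alert]:
    alerts = evaluate(parse_events(SAMPLE_EVENTS), OPEN_TICKETS)
    for a in alerts:
        print(f"{a.ts} {a.rule:32} {a.user:14} {a.detail}")
    return alerts


if __name__ == "__main__":
    run_example()
```

On the sample events the 09:00 SUPER.SUPER logon is quiet because it carries an open ticket, while the 23:40 logon and the subsequent server-class change each raise an alert, as does the run of three failed logons for APPL.OPER. The point of the example is the liaison the bullet calls for: someone who knows what super.super and a Pathway ALTER mean has to hand these rules to the SIEM team, or the events simply sit in storage.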

The Changing Cybersecurity Threat Landscape:

Over recent years, cyber-attacks have become more sophisticated. Cyber threats are not just limited to data theft but also include ransomware attacks, disruption of service, and loss or corruption of data. Ransomware attacks have become increasingly common, and the cost of a successful attack can be staggering. In May 2017, the WannaCry ransomware attack impacted more than 200,000 computers in over 150 countries, resulting in an estimated cost of over $4 billion. Organizations are typically now looking to establish enterprise-wide defenses against these types of attacks. Traditionally NonStop users have often had an “it couldn’t happen on our platform” approach. But, could it? Remote working has increased the risk of insider attacks due to a lack of oversight, access to company data and in some cases, inadequate security measures. It is certainly technically possible for somebody to encrypt key parts of your system if they have the appropriate access. Telling an internal security team who are trying to put enterprise-wide counter measures in place that, “yes, it is technically possible on the NonStop, but we don’t think it will happen to us” is not really going to fly anymore.

In response to the growing threat of cyber-attacks, the European Union has introduced the Digital Operational Resilience Act (DORA). DORA aims to ensure that the financial sector has a sound cyber resilience framework, covering both the technology and the human aspect of cyber risks. It requires financial institutions to identify and map their IT systems, assess the cyber risks they face, and establish a robust incident response plan. The aim is to minimize the impact of any potential cyber breach by early detection and fast recovery. Other nations are likely to follow with similar regulations.

Cyber resilience:

Cyber resilience is the ability of an organization to prepare for, respond to, and recover from cyber-attacks while maintaining the confidentiality, integrity, and availability of its systems and data. It involves a proactive approach to cybersecurity, focusing not only on preventing attacks but also on detecting and mitigating them quickly to minimize their impact. On the HPE NonStop, TMF online dumps and audit trail dumps are used to take live copies of critical data, and these can be used to recover in the case of a cyber-attack. It is imperative to know, however, that these have not been tampered with. This requires, firstly, monitoring of these dumps for any changes and, secondly, keeping a copy of the dumps in a place where they cannot be tampered with. HPE Integrity Detective can be used to monitor dump files for any changes. If the dumps located on the attacked system have not been tampered with, they can be used to recover any lost or corrupt data files, which provides the speediest path to recovery and minimizes downtime. If they have been tampered with, the remote copies would need to be used.
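The file integrity monitoring bullet in the defense in depth list and the dump verification described just above rest on the same mechanism: a baseline of cryptographic digests taken when the files are known good, kept somewhere the attacker cannot reach, and compared against the live system later. The example below is added for this article (it is not HPE Integrity Detective’s code) and shows both uses: detecting changed, added and removed critical files against a baseline, and deciding whether the dumps on an attacked system can be trusted for recovery or whether the remote copies must be used. File names follow the $VOL.SUBVOL.FILE convention but are invented, and contents are stand-in byte strings rather than real object code or dumps.

```python
import hashlib
from typing import Dict, List, Tuple


def fingerprint(content: bytes) -> str:
    """SHA-256 of the file contents (a real scanner reads the file in chunks)."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline of path -> digest. Keep this copy off the NonStop, or it can be altered too."""
    return {path: fingerprint(data) for path, data in files.items()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def choose_recovery_source(local_dumps: Dict[str, bytes],
                           offbox_manifest: Dict[str, str]) -> Tuple[str, List[str]]:
    """Before restoring from the dumps on the attacked system, verify each one against the
    manifest taken at dump time and held off-box. Any mismatch or missing dump means the
    remote copies must be used instead."""
    local = snapshot(local_dumps)
    untrusted = sorted(p for p in offbox_manifest if local.get(p) != offbox_manifest[p])
    return ("local", []) if not untrusted else ("remote", untrusted)


# Constructed sample contents; the file names are made up for this example.
CRITICAL_FILES = {
    "$SYSTEM.SYSTEM.PATHCTL": b"pathway control file v1",
    "$APPL.OBJ.ORDERSVR": b"server object code v1",
    "$APPL.CONFIG.STARTUP": b"startup obey file v1",
}
BASELINE = snapshot(CRITICAL_FILES)   # taken when the files were known good

# Later scan: one object file replaced, one unexpected file appeared, startup file unchanged.
CURRENT_FILES = dict(CRITICAL_FILES)
CURRENT_FILES["$APPL.OBJ.ORDERSVR"] = b"server object code v2 (no change record)"
CURRENT_FILES["$APPL.OBJ.UNKNOWN"] = b"object nobody remembers building"

# TMF dump files as they were at dump time, with the manifest shipped off-box then,
# and the same set after one dump has been altered on the attacked system.
GOOD_DUMPS = {
    "$AUDIT.DUMPS.AA000001": b"audit trail dump 1",
    "$AUDIT.DUMPS.AA000002": b"audit trail dump 2",
}
OFFBOX_MANIFEST = snapshot(GOOD_DUMPS)
TAMPERED_DUMPS = dict(GOOD_DUMPS)
TAMPERED_DUMPS["$AUDIT.DUMPS.AA000002"] = b"audit trail dump 2 (altered)"


def run_example() -> Dict[str, List[str]]:
    changes = compare(BASELINE, snapshot(CURRENT_FILES))
    print("changes since baseline:", changes)
    print("dumps intact  ->", choose_recovery_source(GOOD_DUMPS, OFFBOX_MANIFEST))
    print("dumps altered ->", choose_recovery_source(TAMPERED_DUMPS, OFFBOX_MANIFEST))
    return changes


if __name__ == "__main__":
    run_example()
```

The comparison flags $APPL.OBJ.ORDERSVR as modified and $APPL.OBJ.UNKNOWN as added; with the intact dump set the recovery decision is “local”, and with one altered dump it becomes “remote” naming the dump that failed verification. The manifest must be written at dump time and moved off the system immediately, since a manifest that sits beside the dumps can be rewritten by whoever rewrote the dumps.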

Whichever recovery approach is to be used should form part of a well-documented strategy that includes a robust incident response plan, isolated recovery system (physical & logical), immutable backup copies of critical data and files, employee training and awareness to ensure that all relevant staff are aware of their responsibilities. The entire approach should be regularly reviewed.

Cyber resilience is not just about ticking compliance boxes or implementing strong cybersecurity measures. It’s about having a holistic approach to cybersecurity that includes identifying where sensitive data resides, implementing proper defense in depth, and preparing for the worst-case scenario with a robust incident response plan and having suitable supporting mechanisms in place. The threat landscape is constantly evolving, and organizations need to be proactive in their approach to cybersecurity to protect themselves against cyber threats. With the introduction of regulations such as DORA, the importance of cyber resilience is only set to grow, and organizations that take it seriously will be better equipped to face the challenges ahead.