Extra! Extra! Extra! Reflecting on Terminal Emulation

As I mentioned in an earlier blog, there are over a dozen vendors selling terminal emulation solutions that allow millions of users to access their mainframe computer systems. Micro Focus is one of these companies, and our mainframe emulators offer security, flexibility, productivity, and Windows 10 certification. Well, most of them do. But before I elaborate on that point, let’s assume that you’re not yet on Windows 10.

Did you know that you could be forced to move to Windows 10 whether you like it or not? Yeah. Microsoft has announced that the latest generation of Intel chips will not support anything less than Windows 10. So, if you buy a new PC for a new hire or as a replacement for a broken or obsolete system, it will be running Windows 10 and chances are high that it cannot be downgraded no matter what Microsoft licenses you have. So unless you have a closet full of systems ready to deploy, you’ll want to be ready for the Windows 10 upgrade—even if you don’t want to make the move. (But don’t worry; Micro Focus also offers Windows 10 migration tools to help you on your journey – whether or not you are using terminal emulation software.)

Make the Move

Okay, so let’s get back to that terminal emulator thing. Like I said in that same earlier blog, most of our mainframe emulators are completely up to date when it comes to the latest security standards like TLS 1.2 and SHA-2, along with data masking, which are required by the Payment Card Industry Data Security Standard (PCI DSS). But even if you are not subject to PCI rules, implementing the latest security standards is just common sense to help mitigate hacking opportunities. We’ve also been hard at work certifying our terminal emulators for Windows 10 compatibility. Well, most of them, anyway.

Micro Focus has announced publicly that Extra! X-treme won’t be making the move to Windows 10, and older versions of Extra! X-treme do not support the latest and greatest security standards. But we have an offer for you that you can’t refuse. Well, I suppose you can refuse…but why would you want to?

Migration is Easy

We are offering most of our customers a no-charge migration path to Reflection Desktop, our state-of-the-art terminal emulator. Reflection Desktop was designed and developed by many of the same people behind Extra! so of course they know how to implement many of Extra’s best features, while providing a modern terminal emulator that will work now and into the future.

We have designed Reflection Desktop to have an upgrade experience similar to Microsoft Office applications:

  • The Reflection Desktop Classic Interface eliminates the need for retraining end users.
  • Extra! configuration settings will work as is in Reflection Desktop (Keyboard Maps, Hot Spots, Colors, Quickpads).
  • Reflection Desktop will run Extra! Basic macros with no conversion.

And to increase security and enhance productivity, Reflection Desktop offers:

  • Trusted locations, which enable you to secure and control where macros are launched from while still allowing users to record and use them as needed.
  • Privacy Filters that allow you to mask sensitive data on mainframe screens without making changes on the host.
  • Visual Basic for Applications support (documentation), giving you better integration with Microsoft Office.
  • Support for the latest Microsoft .Net APIs allowing for more secure and robust customizations.
  • HLLAPI integration allowing you to continue using these applications without rewriting them.

If you still need help with your migration, guidance is available on how to inventory and migrate customizations. And Micro Focus Consulting Services have proven methodologies and experience with successful enterprise migrations. In fact, several of our customers have had successful migrations from Extra! to Reflection Desktop, one of which is detailed here. PS: This global financial firm actually migrated to Reflection Desktop not only from Extra! but also from a handful of terminal emulators from different companies.

Summary

We talked about Windows 10 and up-to-date security, which are important reasons to move to a modern, secure terminal emulator. In fact, there is another driver: Management.

This final driver ties everything together. You have to ensure that your terminal emulation environment is properly configured and that your users are prevented from making changes that can leave you open to hacking or, perhaps worse, allow them to steal critical information.

Reflection is fully integrated with the Micro Focus Host Access Management and Security Server (MSS). Besides helping you to lock down your emulation environment, MSS also lets you extend your organization’s existing identity, authentication, and management system to your mainframe and other host systems.

And there you have it. A modern, secure terminal emulator that will make you ready for Microsoft’s latest operating system, help lock down your mainframes from unauthorized users, and best of all, existing Extra! customers who have maintained licenses can get it for free.

Yahoo! Gone Phishing…

Yahoo! recently announced that a billion user records were stolen from them. Just another run of the mill hack? Apparently not. You see, more than 150,000 of those records apparently belonged to U.S. government and military employees. And their names, passwords, telephone numbers, security questions, birth dates, and backup e-mail addresses are now in the hands of cybercriminals to be used for who knows what. Actually, I have a pretty good guess – and phishing comes to the top of my mind.

What Is A Backup Email Address And Why Do I Care?

Like many other web services, Yahoo! allows customers to set up a recovery email address. If you forget your password or your account is locked, a special link in an email sent to your backup address can be used to recover your credentials. And apparently, many thousands of those backup email addresses ended in .gov or .mil. Yeah, workers with access to US government systems, and the secrets on them.

Yahoo! Did Not Know They Were Hacked…

Many have said that there are two types of companies: those that have been hacked, and those that don’t know that they’ve been hacked. In this case, cyber-security researcher Andrew Komarov kindly let the United States federal government know that he found Yahoo! users’ credentials on the Dark Web, and the feds in turn notified Yahoo! But that wasn’t even the beginning of the nightmare.

In fact, Bloomberg News reviewed the database that Komarov discovered and confirmed a sample of the accounts for accuracy. The thought that employees of government agencies like the National Security Agency may have had their personal information stolen immediately sent chills through the security community.

A 2012 Ponemon study found that “Reusing the same password and username on different websites” was number 4 on its list of 10 risky practices employees routinely engage in, so the chances are high that the password on a hacked user’s Yahoo! account and the password on their backup email account are the same.

Komarov also found communications from a buyer for the data, but only if it contained information about a very specific set of people. The buyer supplied a list of ten names of U.S. and foreign government officials and industry executives to the hackers, and if their information was included in the stolen online loot then they had a deal.

… for Three Years!

I may have forgotten to mention that the data actually was stolen in August 2013, creating a 3-year opportunity for bad actors and foreign spies (based on the names in the buyer’s request, Komarov is pretty sure that it came from a government) to identify employees doing sensitive and high-security work here and overseas.

So of course, there are lessons on cyber-hygiene to be learned from this story and in a strange twist of things, Micro Focus has a number of products which can help keep your company and your employees safer from attack.

  1. Don’t reuse passwords. In fact, your company might be able to get rid of most of your application and web-based passwords by implementing secure single sign on or automated sign-on for mainframes. (Access Manager for web, SecureLogin for apps, and Automated Sign-On for Mainframes.)
  2. Use different names on your work and personal email accounts. Work might be rlaped@microfocus.com and home might be securityguru@outlook.com. It makes machine-based identity matching harder if not impossible.
  3. Don’t use real security answers. In my case, I treat them like passwords and use random character strings. This is another good reason to use a secure (not online!) password manager with strong encryption.
  4. If at all possible, use multi-factor authentication to access (and recover) your online accounts. And ask your company to use our Advanced Authentication product to implement multi-factor authentication on your internal systems and even your mainframe in case your password is somehow exposed.
  5. Create a backup email address on another personal email service rather than using your work address. If you use Outlook.com, have your backup on iCloud.com. You don’t even need to use your backup address for anything other than account recovery.
  6. Finally, implement least privilege so that if a user’s identity is ever stolen the attacker won’t have access to your entire network. Audit user access to your systems and track what they are doing on them. Install software which can immediately shut down a risky session.

Even though it is not related to this story, another tip is: don’t access work and personal email using the same email client. Autocomplete might send a work email to a friend, with consequences ranging from mildly regrettable to an international scandal. Micro Focus offers mobile device management that’s secure, scalable, and covers BYOD devices to help separate personal and business information.

Ice Phishing, Whaling, and Social Engineering

Introduction

According to the 1960s song, “It’s the Most Wonderful Time of the Year”. But it’s also the time to be on the lookout for a cyber-attack posing as an email with the best wishes of corporate executives. In 2016, a fake phishing email sent by JPMorgan was able to dupe 20% of its staff into opening and clicking on a simulated malware link.

There She Blows!

The latest attacks are based on “whaling”—a refined kind of phishing attack in which hackers use spoofed or similar-sounding domain names to make it look like the emails they send are from your CFO or CEO. In fact, Whaling is becoming a big enough issue that it’s landed on the radar of the FBI.

Trawling the Network

Whaling hasn’t quite overshadowed regular old phishing, though. A 2016 report by PhishMe states that over 93% of phishing emails are now ransomware. And almost half of those surveyed by endpoint protection company SentinelOne state that their organization has suffered a ransomware attack in the last 12 months. If it’s not ransomware, it’s hackers looking to put other types of malicious code on corporate or public networks or to gain access to passwords belonging to employees or other users. Alarming new types of ransomware, such as Samas or Samsam, will toast your organization just by opening the email—no click required. The dangers are very, very real.

But while it may be impossible to prevent employees from opening phishing emails or clicking on a link, there are ways to create an inoculated environment filled with cyber-hygiene to mitigate the effects of an attack.

Don’t Get Caught

As levels of sophistication of the cyber attacks continue to increase, vigilance is key. Here are a few best practices to keep in mind:

  • Take offline backups of critical information for recovery from ransomware. While “snap copying” live volumes is trendy, you could be snapping ransomware-encrypted files.
  • Implement the security protocol of “least privilege” for all users to minimize access to critical systems and data. Be sure to collect and correlate user entitlements to enforce least privilege.
  • Limit the use of “mapped” drives, which can be encrypted by ransomware. Use secure systems designed for file sharing.
  • Implement multi-factor authentication in case user credentials are compromised, without forgetting to include strong authentication for your mainframe systems.
  • Speaking of mainframes, often the locale of some of the most sensitive data in the corporation, ensure that the terminal emulator being used:
    • Is certified on whatever desktop operating system is in use
    • Implements the latest security standards
    • Is configured so that macros can only be run from trusted locations and cannot be used as a point of attack.
  • Ensure that you have a single point of control for all of your identity, access, and security settings, but don’t forget to monitor the people who manage it.
  • If employees use intelligent personal devices such as smartphones and tablets, think about implementing an endpoint management system, which can be remotely disabled (and the device wiped), in case it is lost or compromised.

Conclusion

Good corporate governance and awareness can help prevent users from clicking on phishing emails, but a more robust approach needs to ensure that IT can mitigate the risks if they do.

The helpful hints above should hopefully serve to get you through the holidays and even provide a sensible resolution for 2017.

Is The Mainframe a Hacker’s Target?

Business-critical mainframe systems are accessed daily by millions of users. Industry expert Ron LaPedis takes a hard look at the security risks, and explores how to plug the major gaps.

A variety of Terminal Emulation solutions enable millions of users to access their mainframe computer systems. The choice of terminal emulation solutions ranges from thin hardware clients, to thick software clients, to thin software clients running in a browser. Most of these clients interpret the data streams being passed back and forth from the host using protocols such as 3270, 5250, VT, X-windows, T27, UTS, or 6530, and reformat it for display on more modern devices such as PCs and tablet devices.

These more modern devices are all connected to the mainframe using standard Internet Protocols – which means that the data can be sniffed or even modified. And not only that, depending on how old the mainframe code is, Personally Identifiable Information (PII) might be displayed. In some cases, this is in violation of HIPAA, PCI DSS, EU Data Protection laws, or other rules and regulations that didn’t exist when that code was written.

Mainframe Security

As a result of serious vulnerabilities within SSL and early TLS, organizations can be put at risk of a data breach. In fact, the Payment Card Industry Security Standards Council (PCI SSC) mandated that data communications be protected by TLS 1.1 or later (as of June 30, 2016). Even though NIST deprecated (killed off) SSL as of 2014, the 2016 deadline was moved to 2018 to give member organizations extra time, which of course gives hackers extra time too. The existence of the POODLE and Heartbleed exploits, among others, proves that anyone using SSL and early TLS risks being breached.


Breaking In

Can we talk about passwords for a moment? Most applications were written in simpler times when 8-character passwords were the norm. And Multi-factor authentication? Forget it!

The chances are that critical mainframe applications (and administrator accounts) are not only limited to 8-character passwords, but 8-character passwords which contain only letters and numbers – taking less than six hours to crack.
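To make the “8-character, letters and numbers only” point concrete, here is an added example (not code from the original post) that expresses such a policy as a brute-force search space and compares it with longer and richer policies. The guess rates are assumptions chosen for illustration, not measurements of any particular system.

```python
# Added example, not code from the original post: the "8 characters, letters and
# numbers only" policy in the text expressed as a brute-force search space, next
# to what longer and richer policies buy. The guess rates are assumptions for
# illustration, not measurements of any particular system.
import math

ALPHABETS = {
    "digits": 10,          # 0-9
    "alnum": 62,           # a-z, A-Z, 0-9 (the legacy policy in the post)
    "printable": 95,       # all printable ASCII
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every password at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


def rate_for_deadline(alphabet_size: int, length: int, hours: float) -> float:
    """Guess rate an attacker needs to exhaust the space within `hours`."""
    return keyspace(alphabet_size, length) / (hours * 3600)


def policy_table(guesses_per_second: float):
    """One row per (alphabet, length): entropy and worst-case hours at the rate."""
    rows = []
    for name, size in ALPHABETS.items():
        for length in (8, 12, 16):
            rows.append((name, length,
                         round(entropy_bits(size, length), 1),
                         hours_to_exhaust(size, length, guesses_per_second)))
    return rows


if __name__ == "__main__":
    RATE = 1e10  # assumed guesses per second for a well-resourced offline attack
    print(f"Rate needed to clear 8 alnum chars in 6 h: {rate_for_deadline(62, 8, 6):.2e}/s")
    for name, length, bits, hours in policy_table(RATE):
        print(f"{name:>9} x{length:<2} {bits:6.1f} bits  {hours:14.3e} h")
```

The table shows why the length and alphabet limits matter more than any other password rule: eight alphanumeric characters is roughly 48 bits, which a rate of about 10^10 guesses per second clears in the six hours the post mentions, while twelve printable characters at the same rate takes on the order of 10^10 hours.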

And then there are question marks around the use of Java due to its vulnerability-of-the-week history. Many browser-based Terminal Emulation software clients require a specific version of Java running on a specific browser version – which may have its own vulnerabilities. It’s not unreasonable to say that Java is somewhat notorious as a security trap door.

Defending the Estate

Mainframe security matters. Today’s terminal emulation software packages need to be secure, manageable, and easy to use. It doesn’t matter whether users are on thin clients, PC, Mac, or mobile devices. And a large number of terminal emulation protocols, along with specialized host software (such as airline reservation systems), must be supported.

Whether internal policy requires a management server on a Linux partition within the mainframe or on an external Host Access Management and Security Server (or MSS), modern mainframe security solutions need to:

  • Centrally manage terminal emulation access to your host systems by using your existing Identity and Access Management systems
  • Easily update terminal emulation user configurations to meet evolving security requirements
  • Quickly validate compliance of terminal emulation for securing sensitive information
  • Ensure that end users cannot make changes to their user configuration
  • Partially or fully mask data fields based on the user’s role
  • Enforce data input standards and cross-screen validation
  • Implement long complex passwords and multi-factor authentication.

A Fresh View On Mainframe Terminal Emulation

Such lofty objectives are, however, not the stuff of dreams. All of this is possible today. With its relentless focus on customer success, Micro Focus has invested to create a new generation of powerful, secure and comprehensive emulation products.

Tackling all the requirements above, additional capabilities include end-to-end encryption of data streams, centralized management, partial or full field masking of sensitive data, multi-factor authentication, integration with Microsoft Office tools, and linkage to other Micro Focus identity management software for user lifecycle management.

Without touching a line of code on the host, you can lock down access to your mainframe, meet industry-specific rules and regulations, and prevent data from being taken out of the organization (through traffic monitoring) or modified in ways that impact the business.

Additionally, power users can now create entirely new ways of viewing and manipulating core business data, again without modifying a line of mainframe code. Creating powerful and user-friendly Windows- or web-based applications from dated green-screen applications is just a few clicks away.

The mainframe is a powerful part of organizational value. It must be web and mobile device ready, but also totally secure. Whether organizational security direction is coming from the board, auditors, business units, end-users, or more importantly, the customers, Micro Focus provides powerful solutions that can help address these requirements by making access to core mainframe applications secure and friendly.


Ron LaPedis

Global Sales Enablement Specialist

Are Your Ex-Employees Insider Threats?

Ron LaPedis reports back from the 2016 RSA Security Conference in San Francisco. If your ex-employees are threats to your cyber security, what can be done about it?

2016 RSA Security Conference in San Francisco

I was intrigued by Session HUM-R03F at the 2016 RSA Security Conference in San Francisco. At first I thought that the HUM session names meant that the conference organizers finally put together a security comedy track that I could kick back and enjoy. But after reading the session description, I determined that the topic was not only no laughing matter, but it hit very close to home.

A long time ago, I was a networking engineer for a mainframe vendor and was reading some system logs to diagnose a problem. I saw a lot of remote logins from one particular account coming in late at night so I looked her up so that I could ask her manager what she might be doing. It turned out that not only did she not work at my organization any longer, she had gone to a competitor.

By reading other logs and matching timestamps, I determined that she was downloading source code for the products that she had worked on previously. When I reported this to my manager, he went to HR and got a list of employees that had been terminated over the past few months and asked me to see if their accounts were still active. To a one, they were – and that’s when A) we discovered that IT was not part of the staff termination process; and B) I started my security career.


Times have changed since then (at most organizations anyway), and IT is included in termination notifications so that the laptop and any USB sticks come back and system access can be disabled for terminated employees.

But sending an email to IT may not remove the insider threat of a terminated employee for many reasons:

  1. Lack of centralized access tracking
  2. Access to cloud accounts such as Salesforce.com and Google Docs
  3. Access to shared, and thus anonymous, privileged accounts such as root
  4. Company- or employee-initiated termination with notice

The first two issues are easily solved by implementing user-centric role-based tools and single sign-on (SSO), while the third can be solved through the use of a privileged account control solution. The fourth issue, an employee who knows that they will be leaving your organization, requires a hybrid approach.
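The log review in the story above (late-night remote logins from an account whose owner had already left, matched against what HR knew) is exactly the check that a termination process should run automatically. Here is an added example, not code from the original post, that does it over constructed login records and a constructed HR roster; the log format, account names, addresses, dates and the definition of “late at night” are all assumptions.

```python
# Added example, not code from the original post: the log review described above
# (remote logins from an account whose owner had left), done against HR data.
# The log format, account names, addresses and dates are all constructed.
from datetime import datetime, time

# Constructed HR roster: account -> termination date, or None if still employed
HR_ROSTER = {
    "jdoe": None,
    "asmith": datetime(2016, 1, 15),
    "root": None,
}
REVIEW_DATE = datetime(2016, 2, 1)   # constructed "as of" date for the stale-account sweep

# Constructed remote-login records: "<ISO timestamp> LOGIN <account> from <ip>"
LOG_LINES = """\
2016-02-03T23:41:07 LOGIN asmith from 198.51.100.23
2016-02-04T09:12:55 LOGIN jdoe from 192.0.2.10
2016-02-04T02:05:12 LOGIN jdoe from 192.0.2.10
2016-02-05T01:17:44 LOGIN asmith from 198.51.100.23
2016-02-05T10:00:00 LOGIN unknownacct from 203.0.113.5
""".splitlines()

OFF_HOURS = (time(22, 0), time(6, 0))  # assumption: 22:00-06:00 counts as "late at night"


def parse_line(line):
    ts, _verb, account, _from, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account, "ip": ip}


def is_off_hours(ts):
    start, end = OFF_HOURS
    t = ts.time()
    return t >= start or t < end          # the window wraps past midnight


def review_logins(lines, roster):
    """Return (account, timestamp, reason) for every login worth a second look."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        term = roster.get(ev["account"])
        if ev["account"] not in roster:
            reason = "account not in HR roster"
        elif term is not None and ev["ts"] >= term:
            reason = "login after termination date"
        elif is_off_hours(ev["ts"]):
            reason = "off-hours login"
        else:
            continue
        findings.append((ev["account"], ev["ts"], reason))
    return findings


def stale_accounts(enabled_accounts, roster, as_of):
    """Accounts still enabled whose owner's termination date is on or before as_of."""
    return sorted(a for a in enabled_accounts
                  if roster.get(a) is not None and roster[a] <= as_of)


if __name__ == "__main__":
    for account, ts, reason in review_logins(LOG_LINES, HR_ROSTER):
        print(f"{ts.isoformat()}  {account:<12} {reason}")
    print("still enabled after termination:",
          stale_accounts(["jdoe", "asmith", "root"], HR_ROSTER, REVIEW_DATE))
```

The second function is the check the author’s manager asked for by hand (“see if their accounts were still active”): run it against the list of enabled accounts on each system and the HR roster, and the gap in the termination process shows up without anyone reading logs at night.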

Let’s take a look back at session HUM-R03F for some details. This session was presented by Dawn Cappelli, Vice President, Information Risk Management and Susan Schmitt, Senior Vice President, Human Resources, both of Rockwell Automation. Their task was to manage the technical and human aspects of insider threats due to reductions in force, outsourcing, global cultural and communication issues, termination for cause and other disciplinary issues.

Their premise is that the human threat to your organization’s information cannot be mitigated unless your IT and HR teams, people managers, processes, and technical tools are people-focused. The main issue is that while it’s impossible to sift through millions of security events, you can use a risk-based approach to filter out the noise and display only the specific events that can point to a threat.

Is an employee acting out of the ordinary? Do you believe that they might be preparing to trash your systems or data, or are they planning to take something with them when they leave? If they do leave, can you tell if and what they may have taken with them?

In a 2013 whitepaper sponsored by Symantec and researched by The Ponemon Institute (disclosure, I am a Fellow of The Ponemon Institute), half of the 3,317 surveyed individuals in six countries say they have taken information, and 40 percent say that they will use it in their new jobs. A study by the Software Engineering Institute says that 50% of insiders who steal IP do it within 1 month of leaving the company, 70% within 2 months, and over 80% take information within 3 months prior to their departure date.

Like the Ponemon study, the analysis shows that organizations can reduce their risk of insider theft of IP through increased review of departing insiders’ actions during a relatively small window of time prior to their departure – if you have the partnerships and tools to do so and you use them before the employee walks out the door.

What can be done?

Many organizations are already running some of these tools, starting with a Security information and event manager (SIEM). But unless you have solutions for identity management, user activity and change monitoring, privileged account management, and data loss prevention (DLP), your SIEM will force you to try to locate a needle in a haystack. Why are these additional products so important?

Identity management enforces real-time identity and access management through policies that do not require human intervention—constant, consistent reconciliation against what role an employee is in and what he or she can access. An access review tool will let you collect then slice and dice user account information based on attributes such as groups, entitlements or high-risk applications. By integrating access review with your identity manager you can automate revocation for a closed-loop approach to user access.
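The closed-loop reconciliation described above, as an added example that is not code from the original post or from any Micro Focus product: HR’s view of each person’s role is compared with what the systems say each account actually holds, the difference becomes a revocation list, and a high-risk slice supports the focused review the paragraph mentions. The roles, entitlements and accounts are constructed for illustration.

```python
# Added example, not code from the original post: a closed-loop access review,
# reconciling what each account actually holds (pulled from systems) against
# what its current HR role justifies, then producing the revocations. Roles,
# entitlements and accounts are constructed for illustration.

# Role policy: which entitlements each HR role justifies (constructed)
ROLE_POLICY = {
    "marketing": {"crm.read", "crm.write"},
    "finance": {"ledger.read", "ledger.post"},
    "developer": {"git.push", "ci.run"},
}
TERMINATED = "terminated"           # role assigned to anyone HR no longer lists
HIGH_RISK = {"ledger.post", "prod.shell", "mainframe.admin"}

# Constructed snapshots: HR's view and the systems' view
HR_ROLES = {"alice": "finance", "bob": "developer", "carol": "marketing"}
GRANTED = {
    "alice": {"ledger.read", "ledger.post"},
    "bob": {"git.push", "ci.run", "prod.shell"},      # leftover from an incident
    "carol": {"crm.read", "ledger.read"},             # moved from finance, never cleaned up
    "dave": {"mainframe.admin"},                      # no HR record at all
}


def expected_entitlements(role):
    """Entitlements a role justifies; an unknown or terminated role justifies none."""
    return ROLE_POLICY.get(role, set())


def reconcile(hr_roles, granted):
    """Per account: entitlements to revoke (held but unjustified) and missing (justified but not held)."""
    report = {}
    for account in sorted(set(hr_roles) | set(granted)):
        role = hr_roles.get(account, TERMINATED)
        expected = expected_entitlements(role)
        have = granted.get(account, set())
        revoke, missing = have - expected, expected - have
        if revoke or missing:
            report[account] = {"role": role, "revoke": revoke, "missing": missing}
    return report


def high_risk_holders(granted):
    """Slice by attribute: who currently holds each high-risk entitlement."""
    return {e: sorted(a for a, ents in granted.items() if e in ents) for e in sorted(HIGH_RISK)}


def apply_revocations(granted, report):
    """Automated revocation step; returns a corrected copy, leaving grants to add for a human."""
    fixed = {a: set(e) for a, e in granted.items()}
    for account, r in report.items():
        fixed[account] = fixed.get(account, set()) - r["revoke"]
    return fixed


if __name__ == "__main__":
    report = reconcile(HR_ROLES, GRANTED)
    for account, r in report.items():
        print(f"{account:<6} role={r['role']:<11} revoke={sorted(r['revoke'])} missing={sorted(r['missing'])}")
    print("high-risk holders:", high_risk_holders(GRANTED))
    print("after revocation:", reconcile(HR_ROLES, apply_revocations(GRANTED, report)))
```

Revocation is automated because removing access is the safe direction; the missing grants are reported but not applied, so a human approves any access that is added.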

A user activity and change monitoring solution enables your cyber security professionals to detect and respond to potential breaches in real time. This system can provide intelligent alerting of unauthorized configuration changes to systems and applications, or access and changes to critical files, all linked to a specific user account.

Privileged account management locks down named or shared administrator and root accounts and helps customers demonstrate that they are in control over who can access their environment with privileged entitlements. It helps them automatically track who is accessing which account, on which system and at what time. Additionally, intelligent, real-time keystroke or screen video logging will tell you exactly what they did with that account.

One way to protect privileged entitlements is to allow users to “check out” a password from a secure password vault for a specific period of time, then check it back in when they are done with it. Because Micro Focus Privileged Account Manager supports real-time keystroke logging, the session can be automatically terminated and the user’s access revoked if they are caught performing a risky activity, such as accessing restricted data or stopping a service.

Auditors can view recorded keystrokes and if an event requires further analysis, a workflow process escalates the event to the appropriate managers who can take immediate action.

Data loss prevention managers are available with various feature sets. Depending on the solution(s) that you install, a DLP can watch which files are being accessed or to where they are being moved, prevent the attachment of removable media on servers, desktops, and laptops, or can manage or prevent the copying of files to removable media, email, or cloud services.

Summary

Your IT and HR teams, people managers, and processes need to be partners. You need to be aware of changes in your employees’ behavior that could signal that they are about to sabotage systems or download confidential information. And while IT can respond to breaches, it cannot be their responsibility to allow or deny access; that should be up to your line of business managers – which means that you need access management tools in place that allow policies to be set by GUI and not by unintelligible strings of technospeak. Those tools had better be in place before an employee who wants to harm your organization starts planning their exit.


Ron LaPedis

Global Sales Enablement Specialist

Rockin’ Role-Based Security – Least Privilege

With over 40,000 attendees, 500 exhibitors, and hundreds of sessions, this year’s RSA Security Conference was the place to be for anyone interested in keeping their networks, systems, and information safe from threats, including insider threats, which in turn got me thinking about least privilege.

The “between a rock and a hard place” discussion at this year’s RSA Security Conference was the battle between Apple and the FBI to unlock an iPhone that was used by one of the San Bernardino shooters. But with over 40,000 attendees, 500 exhibitors, and hundreds of sessions, other topics were discussed as well.


According to a survey done at the conference by Bromium, 70% of a sampling of attendees stated that users are their biggest security headache. This jibes with previous surveys, which means that users were, are, and probably will continue to be one of the biggest security holes that organizations face.

Whether the “user” is an actual employee (the insider threat) or a cyber criminal who’s appropriated the credentials of an employee (making a guest appearance as the insider threat) is immaterial. Employees are our biggest threat, not only because they can maliciously or unintentionally cause data breaches, but because they are not equipped to deal with the tactics of cybercriminals, who covet their credentials – especially those of insiders with privilege. In either case, your employee is still a threat to your organization. So how do you eliminate threats from your users? You can’t!


Just like you cannot stop a hurricane, you cannot eliminate cyber threats. But just as you can harden buildings and build surge barriers to protect against hurricane damage, you can use appropriate user management and access controls to prevent or mitigate a breach caused by a cyber threat.

Let me postulate that the best way to prevent a breach is to not allow the actor (or threat) to access the information that they are targeting. In plain English, this means least privilege. Rather than giving your employees access to everything and anything, use proper access controls and user management to lock down your employees so that they can only access the systems and information that they specifically need to perform their jobs. You are not eliminating the threat, but rather are trying to minimize it through compartmentalization. For example, marketing people don’t need access to your finances, so lock them out. Similarly, programmers should never be granted access to production systems except in extreme circumstances. And have you even considered time- or location-based access? When should your employees have access to key information and where should they be sitting when they are allowed to access it? Should I be able to download the plans for a new product after hours from a country different from my office?

When an employee changes roles, ensure that their access changes with them, without a time lag that could give them a window to attack. Using an Identity Lifecycle Manager (ILM) tied to your HR database would be a good way to ensure proper initial provisioning along with ongoing access maintenance. An employee’s access lifecycle needs to stay congruent with their HR lifecycle. If your ILM also includes an analytics engine that can pop up nonsensical or out-of-the-ordinary access grants, so much the better.

But you cannot just buy an ILM and tell your board that your work is done. An ILM is useless unless you know what each role should be allowed to access. And that means working with your business units to define the roles within them.

Don’t accept that departments need dozens to hundreds of roles; that just means someone is being lazy. Nor do you want too few roles, forcing the system into a large number of individual access grants. Like Goldilocks and her three bears, there is a “just right” which you will need to work out.

This is where access risk scoring might help you out. A risk score provides a means for determining or calculating risk for users, applications, business roles, or permissions. If the risk is low, perhaps you don’t need to create another role that manages access to a specific resource. But if the risk is high and you have to split the user population, then another role might be needed.

Finally, you want to combine least privilege with automated role changes, policy-based access, and change monitoring. This powerful combination can help to ensure that users don’t have access to what they shouldn’t and allow you to determine if someone is doing something out of the ordinary with something that they can access. By combining user activity and change monitoring you can watch how users (especially privileged users like sysadmins) use the rights they’ve been granted. It helps you spot and address unauthorized activity with concise, easy-to-read alerts that provide the “who, what, when and where” of unauthorized activity.
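To show how the pieces of this post fit together in code, here is an added example that is not from the original post or any Micro Focus product: a toy risk score for roles and accounts (the “access risk scoring” above), the role combinations the post uses as examples of what least privilege forbids (marketing reaching finance, programmers reaching production), and a time- and location-based rule for high-risk access. The permissions, weights, roles, thresholds and sample times are all constructed assumptions.

```python
# Added example, not code from the original post: a toy access risk score for
# roles and accounts, the "toxic" role combinations the post uses as examples
# (marketing reaching finance, programmers reaching production), and a time- and
# location-based rule for high-risk access. Weights, roles and thresholds are
# constructed assumptions.
from datetime import datetime

PERMISSION_RISK = {                 # constructed weights: 1 = low, 10 = severe
    "crm.read": 1, "crm.write": 2,
    "ledger.read": 3, "ledger.post": 8,
    "git.push": 2, "prod.deploy": 9,
    "plans.download": 7,
}
ROLE_PERMISSIONS = {
    "marketing": {"crm.read", "crm.write"},
    "finance": {"ledger.read", "ledger.post"},
    "developer": {"git.push"},
    "sre": {"git.push", "prod.deploy"},
    "product": {"plans.download"},
}
# Role pairs that should never meet on one account (constructed)
TOXIC_ROLE_PAIRS = {frozenset({"marketing", "finance"}), frozenset({"developer", "sre"})}
SPLIT_THRESHOLD = 10      # above this, consider splitting the role
HIGH_RISK_WEIGHT = 7      # at or above this, time/location rules apply

# Constructed sample times for the access rule
NIGHT = datetime(2016, 4, 21, 23, 0)
NOON = datetime(2016, 4, 21, 12, 0)


def role_risk(role):
    return sum(PERMISSION_RISK[p] for p in ROLE_PERMISSIONS[role])


def effective_permissions(roles):
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def account_risk(roles):
    """Sum over the union of permissions, so a permission held via two roles counts once."""
    return sum(PERMISSION_RISK[p] for p in effective_permissions(roles))


def toxic_combinations(roles):
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in TOXIC_ROLE_PAIRS if pair <= held)


def roles_to_split():
    return sorted(r for r in ROLE_PERMISSIONS if role_risk(r) > SPLIT_THRESHOLD)


def access_allowed(permission, when, country, home_country, business_hours=(8, 18)):
    """High-risk permissions only during business hours and from the user's home country."""
    if PERMISSION_RISK[permission] < HIGH_RISK_WEIGHT:
        return True
    in_hours = business_hours[0] <= when.hour < business_hours[1]
    return in_hours and country == home_country


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        print(f"{role:<10} risk={role_risk(role)}")
    print("roles worth splitting:", roles_to_split())
    print("dev+sre risk:", account_risk(["developer", "sre"]),
          "toxic:", toxic_combinations(["developer", "sre"]))
    print("plans after hours from abroad:", access_allowed("plans.download", NIGHT, "FR", "US"))
```

The score is deliberately simple: it only has to rank roles and accounts consistently so that the “just right” number of roles can be argued with the business units from numbers rather than opinions, and so that the toxic-combination and time/location checks can be run on every role change the ILM processes.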


Ron LaPedis

Global Sales Enablement Specialist

This post was originally published on the NetIQ Cool Solutions blog site on April 21 2016