Multifactor Authentication for the Mainframe?

Is the password dead or dying?

Lots of articles talk about the death of passwords. Google aims to kill them off by the end of 2017. According to the company, Android users will soon be able to log in to services using a combination of face, typing, and movement patterns. Apple figured this out long ago (Apple Pay) and continues to move away from passwords. Even the U.S. government is coming to grips with the fact that passwords don’t cut it anymore.

Enter multifactor authentication, or MFA. Almost everyone agrees that MFA, which combines two or more of something you know (a password), something you have (a phone or smart card) and something you are (a biometric), provides the strongest level of authentication available. It's great for users, too. My iPhone is a good example. While I like many things about it, Touch ID is my favorite feature. I never have to remember my thumbprint (it's always with me), and it is far harder to steal than a password (short of a James Bond plot). Touch ID makes secure access easy.

Given the riskiness of passwords and the rise of MFA solutions, I have to ask why it's still okay to rely on passwords for mainframe access. Here's my guess: this question has never occurred to many mainframe system admins because there has never been any other way to authenticate host access, especially for older mainframe applications.

Are mainframe passwords secure?

When you think about passwords, it's clear that the longer and more complex the password, the more secure it will be. But mainframe applications, especially those written decades ago, the ones that pretty much run your business, were hardcoded to accept only weak eight-character, case-insensitive passwords. Ask any IT security person whether such passwords provide adequate protection for mission-critical applications and you will get a resounding "No way!"

As far as anyone knew, though, they have been the only option available. Until now. At Micro Focus, we are bridging the old and the new, helping our digitally empowered customers to innovate faster, with less risk. One of our latest solutions provides a safe, manageable, economical way for you to use multifactor authentication to authorize mainframe access for all your users, from employees to business partners.

Multifactor authentication to authorize mainframe access?

It's a logical solution because it uses any of our modern terminal emulators (the tool used for accessing host applications) together with a newer product called Host Access Management and Security Server (MSS). Working alongside your emulator, MSS makes it possible to say goodbye to mainframe passwords, or to reinforce them with other authentication options. In fact, you can use up to 14 different authentication methods, from smart cards and text-message verification codes to fingerprint and retina scans. You're free to choose the best solution for your business.

In addition to strengthening security, there’s another big benefit that can come with multifactor authentication for host systems: No more passwords means no more mainframe password-reset headaches!

Yes, it’s finally possible to give your mainframe applications the same level of protection your other applications enjoy. Using MFA for your mainframes brings them into the modern world of security. You’ll get rid of your password headaches and be better equipped to comply with industry and governmental regulations. All you need is a little “focus”—Micro Focus.

More health, less stealth….

Emerging Access and Authentication Methods for Healthcare

Medical records are now, by and large, available in electronic form; in fact almost 8 in 10 physicians use an EHR. Accessing them conveniently, securely and compliantly is the challenge everyone in the healthcare industry faces. In 2015 the top three healthcare breaches alone resulted in over 100 million compromised records. While full details of these attacks have not been released, the key for criminals is often stolen credentials, whether those of a user, an administrator or someone else with privileged system access. These attacks show bravado and hit the major headlines. Alongside the big hacks there is a growing rash of small crimes at healthcare facilities: stolen medications, illicitly written prescriptions and theft of targeted individuals' health records. For example, at the Cleveland Clinic four nurses are accused of stealing patient medications such as oxycodone (an opioid painkiller sought after by addicts).

Implementing strong access and authentication controls is the next step healthcare organizations must take to comply with HIPAA and to shrink the attack surface exposed to both sophisticated criminals and petty criminal staff alike. Healthcare organizations are still standardizing on the right approach, so let's take a closer look at some of the technologies currently in use and explore them from a security and a hacker's perspective.

RFID (Radio Frequency Identification)

You may have one and not even know it. RFID technologies make up the majority of the market; most of the white access badges you present to gain access to a door, or potentially a computer, have sophisticated microcircuitry built in. Some of the things you might not know about RFID are:

  • There is no battery! The circuitry is powered by the energy it receives through its antenna when it is near a card reader.
  • Some RFID chips can hold up to 1 KB of data. That doesn't sound like a lot, but it is enough for your name, address, social security number and perhaps your last transaction.
  • RFID chips can be so small they are imperceptible; Hitachi has a chip 0.15 x 0.15 millimetres in size and 7.5 micrometres thick, thinner and smaller than a human hair.

The good news for security professionals at healthcare organizations is that there are many choices and uses for RFID technology. Cards and readers purchased in bulk drive the price down and provide a homogeneous system that is easy to administer as part of the onboarding and provisioning process. In addition to door access for staff, RFID cards can be given to patients at check-in as another form of identification. The bad news is that attackers like consistent, well-documented systems, and they like working with the low-level radio transmissions RFID uses. With inexpensive parts of the kind on my workbench, such as an Arduino microcontroller, a criminal could build a device to capture the transmission, clone the data onto a blank card and pose as an insider. This is easiest with older low-frequency proximity cards that transmit a fixed identifier in the clear; cards that use mutual authentication and encryption between card and reader raise the bar considerably, so the card technology you buy matters as much as the reader.

Biometrics

There is an ever-growing array of biometric devices: vein readers, heartbeat sensors, iris readers, facial recognition and fingerprint readers. When implemented properly, a live biometric (a device that samples both a unique physical characteristic and liveness, a pulse for example) is almost always a positive match; fingerprint reading is used at border control in the US and other countries. There have been hacking demonstrations with moulded gummy fingers, prints lifted with adhesive tape and even the supposed cutting off of a finger. Those attacks sit at the far end of practicality, as they are neither repeatable nor easy for a criminal. The hurdles biometrics face are:

  • Near-100% match – This is good news, as we truly want only valid users; however skin abrasions, irregular vital signs and aging are just some of the factors that cause the current generation of biometrics to reject legitimate users (false rejections).
  • Processing time – There are several steps in the fingerprint and biometric authentication process. Reading, evaluating the match and then validating with an authentication service can take up to a second. The process is not instantaneous; I can enter my password faster on my iPhone than I can get a positive fingerprint match. Doctors and nurses simply don't have the seconds to spare.
  • Convenience – Taking off gloves, or staring into a face or retinal reader, is simply not an option when staff are serving potentially hundreds of patients a day.

As the technology and processing improve, I think we will see a resurgence of biometrics in healthcare, but for now my local clinic has decommissioned its vein reader.

Bluetooth

Bluetooth technology is becoming ubiquitous. It is being built into almost all devices; some estimate it will be in 90% of mobile devices by 2018. Bluetooth is still emerging in the healthcare market, which is dominated by RFID; however, there are advantages to Bluetooth over RFID cards:

  • Contactless – Bluetooth Low Energy relies on proximity rather than on a swipe or tap at a reader. That might not seem like a huge advantage, but in high-traffic critical situations such as an emergency room, seconds count. In addition, systems that require physical contact, such as a card swipe, need maintenance to keep the contacts clean.
  • BYOD cost – For smaller, cost-conscious clinics and organizations, using employee devices as the authentication factor may be the way to go, as they avoid the expense and management of cards and proprietary readers. A Bluetooth reader can be bought for as little as $4, compared with $100 for a card reader.
  • BYOD convenience – Many organizations see added convenience in using their employees', partners' and customers' mobile devices as authentication devices. Individuals are comfortable with, and interested in, using their phones for access. Administrators can change access rights just in time for different applications, workstations and physical locations rather than having to re-encode cards.

On the hacker side, Bluetooth signals, just like RFID, can be captured and cloned. Combined with an OTP (one-time password) as a further layer of authentication, however, criminals can be thwarted: a replayed signal does not carry a valid, unused code, and the secret from which the codes are derived never leaves the phone.

I contacted Jim Gerkin, Identity Director at NovaCoast, and he mentioned that we may see an uptick in small and mid-sized clinics using authentication devices in 2017. They are looking for cost-effective, open-standard systems based on FIDO standards. Bluetooth has the potential to meet requirements from both a cost and a security perspective, again if OTP is used in conjunction.

The good news is that Micro Focus's Advanced Authentication works with multiple types of authentication methods, whether legacy systems, RFID, biometrics and now Bluetooth. In addition, Micro Focus is a member of the FIDO Alliance, which ensures a standardized approach. I look forward to evaluating emerging authentication technologies in 2017 that may use DNA, speech recognition and other nanotechnology. Watch this space!

Yahoo! Gone Phishing…..

Yahoo! recently announced that a billion user records had been stolen. Just another run-of-the-mill hack? Apparently not. More than 150,000 of those records apparently belonged to U.S. government and military employees, and their names, passwords, telephone numbers, security questions, birth dates and backup e-mail addresses are now in the hands of cybercriminals, to be used for who knows what. Actually, I have a pretty good guess, and phishing comes to the top of my mind.

What Is A Backup Email Address And Why Do I Care?

Like many other web services, Yahoo! allows customers to set up a recovery email address. If you forget your password or your account is locked, a special link in an email sent to your backup address can be used to recover your credentials. And apparently many thousands of those backup email addresses ended in .gov or .mil. Yes, workers with access to US government systems and the secrets on them.

Yahoo! Did Not Know They Were Hacked…

Many have said that there are two types of companies; those that have been hacked, and those that don’t know that they’ve been hacked. In this case, cyber-security researcher Andrew Komarov kindly let the United States federal government know that he found Yahoo! users’ credentials on the Dark Web, and the feds in turn notified Yahoo! But that wasn’t even the beginning of the nightmare.

In fact, Bloomberg News reviewed the database that Komarov discovered and confirmed a sample of the accounts for accuracy. The thought that employees of government agencies like the National Security Agency may have had their personal information stolen immediately sent chills through the security community.

Since a 2012 Ponemon study listed "reusing the same password and username on different websites" as number 4 among the 10 risky practices employees routinely engage in, the chances are high that the passwords on a hacked user's Yahoo! account and their backup email account are the same.

Komarov also found communications from a buyer for the data, but only if it contained information about a very specific set of people. The buyer supplied a list of ten names of U.S. and foreign government officials and industry executives to the hackers, and if their information was included in the stolen online loot then they had a deal.

… for Three Years!

I may have forgotten to mention that the data was actually stolen in August 2013, creating a three-year window for bad actors and foreign spies (based on the names in the buyer's request, Komarov is fairly sure it came from a government) to identify employees doing sensitive, high-security work here and overseas.

So of course there are lessons in cyber-hygiene to be learned from this story and, in a strange twist, Micro Focus has a number of products which can help keep your company and your employees safer from attack.

  1. Don't reuse passwords. In fact, your company might be able to get rid of most of your application and web-based passwords by implementing secure single sign-on or automated sign-on for mainframes (Access Manager for web, SecureLogin for apps, and Automated Sign-On for Mainframes).
  2. Use different names on your work and personal email accounts. It makes machine-based identity matching harder, if not impossible.
  3. Don’t use real security answers. In my case, I treat them like passwords and use random character strings. This is another good reason to use a secure (not online!) password manager with strong encryption.
  4. If at all possible, use multi-factor authentication to access (and recover) your online accounts. And ask your company to use our Advanced Authentication product to implement multi-factor authentication on your internal systems and even your mainframe in case your password is somehow exposed.
  5. Create a backup email address on another personal email service rather than using your work address. You don't even need to use your backup address for anything other than account recovery.
  6. Finally, implement least privilege so that if a user’s identity is ever stolen the attacker won’t have access to your entire network. Audit user access to your systems and track what they are doing on them. Install software which can immediately shut down a risky session.

Even though it is not related to this story, another tip is not to access work and personal email from the same email client. Autocomplete might send a work email to a friend, with consequences ranging from mildly regrettable to an international scandal. Micro Focus offers mobile device management that's secure, scalable, and covers BYOD devices to help separate personal and business information.

Twin peaks: #MFSummit2017

Like scaling a mountain, sometimes it makes sense to stop and see how far you have come, and what lies ahead. #MFSummit2017 is your opportunity to check progress and assess the future challenges.

We called the first #MFSummit ‘meeting the challenges of change’ and it’s been another demanding 12 months for Micro Focus customers. Maintaining, or achieving, a competitive advantage in the IT marketplace isn’t getting any easier.

The technology of two recent acquisitions, the development, DevOps and IT management gurus Serena Software and the multi-platform unified archive ninjas GWAVA, puts exciting, achievable innovation within reach of all our customers. These diverse portfolios are also perfectly in tune with the theme of #MFSummit2017.

Build, Operate, and Secure (BOS)

BOS is the theme of #MFSummit2017 and our overarching ethos. Micro Focus products and solutions help our customers build, operate, and secure IT systems that unite current business logic and applications with emerging technologies to meet increasingly complex business demands and cost pressures.

Delegates to #MFSummit2017 can focus on the most relevant specialism, explore the possibilities the other two may offer, or sample all three. This first blog of two focuses on Build.

DevOps – realise the potential

Following keynote addresses from Micro Focus CEO Stephen Murdoch and General Manager, Andy King, Director of Enterprise Solutions Gary Evans presents The Micro Focus Approach to DevOps.

Everyone knows what DevOps is, but what does it mean for those managing enterprise applications?

Gary’s 40-minute slot looks at the potential of DevOps to dramatically increase the delivery rate of new software updates. He explains the Micro Focus approach to DevOps, how it supports Continuous Delivery – and what it means to our customers.


Want to know more about this session, or check out the line-up for the Operate and Secure modules – the subject of our next blog? Check out the full agenda here.

Use the same page to reserve your place at #MFSummit2017, a full day of formal presentations and face-to-face sessions, overviews and deep-dive Q&As, all dedicated to helping you understand the full potential of Micro Focus solutions to resolve your business challenges.

Our stylish venue is within easy reach of at least four Tube stations and three major rail stations. Attendance and lunch are free.

If you don’t go, you’ll never know.

Ice Phishing, Whaling, and Social Engineering


According to the 1960s song, "It's the Most Wonderful Time of the Year". But it's also the time to be on the lookout for a cyber-attack posing as an email bearing the best wishes of corporate executives. In 2016, a simulated phishing email that JPMorgan sent to its own staff duped 20% of them into opening it and clicking on a mock malware link.

There She Blows!

The latest attacks are based on "whaling", a refined kind of phishing in which attackers use spoofed or similar-sounding domain names to make the emails they send look as if they come from your CFO or CEO. In fact, whaling is becoming a big enough issue that it has landed on the radar of the FBI.

Trawling the Network

Whaling hasn't quite overshadowed regular old phishing, though. A 2016 report by PhishMe states that over 93% of phishing emails now carry ransomware. And almost half of those surveyed by endpoint protection company SentinelOne state that their organization has suffered a ransomware attack in the last 12 months. If it's not ransomware, it's attackers looking to plant other types of malicious code on corporate or public networks or to get at passwords belonging to employees or other users. Nor does every strain wait for someone to click: Samas (also called SamSam) entered organizations through unpatched, internet-facing application servers rather than through email at all, so patching exposed services matters as much as user awareness. The dangers are very, very real.

But while it may be impossible to prevent employees from opening phishing emails or clicking on a link, there are ways to create an inoculated environment filled with cyber-hygiene to mitigate the effects of an attack.

Don’t Get Caught

As levels of sophistication of the cyber attacks continue to increase, vigilance is key. Here are a few best practices to keep in mind:

  • Take offline backups of critical information for recovery from ransomware. While "snap copying" live volumes is trendy, you could be snapping ransomware-encrypted files; keep at least one copy that a compromised account cannot reach or overwrite.
  • Implement the security principle of "least privilege" for all users to minimize access to critical systems and data. Be sure to collect and correlate user entitlements so that least privilege can actually be enforced.
  • Limit the use of "mapped" drives, which ransomware running under a user's account can encrypt just like local files. Use secure systems designed for file sharing.
  • Implement multi-factor authentication in case user credentials are compromised, without forgetting to include strong authentication for your mainframe systems.
  • Speaking of mainframes, often the home of some of the most sensitive data in the corporation, ensure that the terminal emulator being used:
    • Is certified on whatever desktop operating system is in use
    • Implements the latest security standards
    • Is configured so that macros can only be run from trusted locations and cannot be used as a point of attack.
  • Ensure that you have a single point of control for all of your identity, access, and security settings, but don't forget to monitor the people who manage it.
  • If employees use smartphones and tablets, consider an endpoint management system through which a lost or compromised device can be remotely disabled and wiped.


Good corporate governance and awareness can help prevent users from clicking on phishing emails, but a more robust approach needs to ensure that IT can mitigate the risks if they do.

The hints above should help get you through the holidays and even provide a sensible resolution for 2017.

Digitalisation makes us vulnerable: do we need a digital immune system?

The worldwide attack on DSL routers over the last weekend of November also affected hundreds of thousands of German internet users. The attackers went after Deutsche Telekom customers' routers through a weakness in the TR-069 and TR-064 maintenance protocols. The Federal Office for Information Security (BSI) spoke of a "global hacker attack" in which Telekom was only one of many targets. And even though the Telekom routers are now immune to this attack, the incident shows how defenceless companies and institutions still are against attacks from the net. Read in this blog which coordinated measures are necessary to detect and fend off such cyberattacks.

The situation remains tense. A statement like that never means anything good, least of all when it comes from official government bodies. Politicians and security experts often use such wording in the context of abstract dangers to alert the public to growing and changing threats. In early November the Federal Office for Information Security (BSI) used exactly this phrase in its assessment of the state of IT security in Germany for the current year. The wording, which reads like a raised index finger, served above all to warn against naively underestimating potential dangers, to encourage preventive measures, and to sharpen every individual's security awareness. Today, when the threat picture from professionally motivated cybercrime is worrying, it is well understood that the sheer variety of attack methods makes attackers hard to trace and their acts hard to prevent. The current report on the state of IT security in Germany finds that in 2016 attackers and their methods became markedly more professional overall and that the threat situation remains tense. The number of known malware variants continued to rise this year and exceeded 560 million in August 2016. At the same time, classic defensive measures continue to lose effectiveness, because malware often reaches networks with the (usually unintentional and unwitting) help of insiders, bypassing traditional safeguards such as firewalls. The report also notes a marked increase in security vulnerabilities in software and hardware in 2016 compared with the previous year.
Operating systems such as Apple's macOS and Microsoft Windows 7 were particularly affected, as were software products such as Adobe Reader, Adobe Flash and web browsers. This is a worrying development, because vulnerabilities in hardware and software offer an easy way into corporate networks and can be readily exploited by attackers.


The threat from so-called ransomware has also grown considerably: hospitals, companies and public authorities have all been hit by attacks in which IT systems are paralysed to extort a "ransom". The most common infection vectors for ransomware are malicious e-mail attachments and drive-by exploits; distributed denial-of-service (DDoS) attacks, which the report also highlights, are a separate threat rather than a way of delivering ransomware. DDoS attacks are nothing new in principle. They rely on the simple idea of flooding a server with meaningless requests until it is overloaded and can no longer serve legitimate ones. Attackers rarely use their own infrastructure for this, but rather hacked computers and IoT devices assembled into botnets. Open Telnet ports without authentication, default usernames, the most trivial vulnerabilities and above all the absence of security updates make IoT devices easy prey for cybercriminals. Most IoT devices are limited in processor and storage capacity, so current security models (automatic installation of updates, applying security patches, installing and updating antivirus software, configuring host-based firewalls) cannot simply be carried over one-to-one. These weaknesses become exploitable because advancing digitalisation has produced a multitude of complex communication links. The protective mechanisms of networked systems must therefore be designed so that a successful attack on a single vulnerable component does not immediately affect the whole system.

But even if reality and aspiration in matters of security and data protection are often still diametrically opposed, the development of artificial intelligence and the merging of IT and industry must continue to be pushed forward; the economic and social potential is too great. Digitalisation is a key innovation that is changing every sector of the economy. We can neither seal ourselves off from it nor vote it away. Germany's strong, innovative Mittelstand in particular, with its many world market leaders, must drive the development of new digital business models and processes and pursue different ways of thinking to create innovation, even if one-hundred-percent, absolute security cannot be guaranteed. Looking back at the success story of the automobile, it too was a disruptive technology, as digitalisation or Industry 4.0 are today, and in its early days it lacked the safety standards we now take for granted. The first cars had no roof, let alone a seat belt or any other device such as ABS, airbags or brake assistants to protect the driver. Yet even though all these features are standard in cars today, manufacturers cannot guarantee absolute safety. Safety can therefore only ever mean relative safety. The automotive industry has managed to establish the paradigm of "relative" safety, at a very high level, as a verifiable product property (the TÜV inspection).

By analogy, information security takes on a key role in the course of digitalisation and the resulting vulnerability of systems. Comprehensive security concepts can act like a kind of immune system, mitigating the danger of cyberattacks through prevention, detection and response. This requires staggered, coordinated measures, but also an assessment of the threat situation and the development of new strategies for detecting and repelling cyberattacks.

Prevention protects

Just as an intact human immune system recognises malignant cells and stops them from spreading, strong authentication methods block unwanted access right at the front door and offer effective protection against identity theft. Risk-based access controls take a multitude of factors into account to reach the appropriate security level for each system and each access, so the heart of the company receives the greatest possible protection while access to less critical components is not hampered by disproportionate security measures.

Detection: finding risks systematically and in real time

Even with the best precautions it can still happen that one becomes infected with viruses and other pathogens. The immune system's task is then to discover attacks and changes as quickly as possible and to initiate countermeasures. The same holds once malware has penetrated a system. What matters is how quickly a company discovers the attack and whether it is able to respond adequately. Security information and event management (SIEM) technologies establish a baseline of the normal activity patterns in the IT environment. Deviations from that baseline can then be identified by real-time security analysis without knowing in advance exactly what to look for. Change monitoring systems are a useful complement to SIEM solutions: they continuously watch business-critical files and systems and raise meaningful alerts on unauthorised changes. This allows short response times and considerably reduces the risk of serious data misuse.
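The "baseline, then flag deviations" idea described above is easy to state and worth seeing in working code. The example below is added here and is not code from the original post or from any Micro Focus SIEM product. It learns, per user, the normal rate of failed logins per hour and the set of source addresses over a quiet seven-day window, then scores a new batch of log lines against that baseline, raising an alert for an hourly failure count that exceeds the mean plus three standard deviations (with a floor, so a single typo against an all-zero baseline stays quiet) and for any source address the user has never used before. The log format, host name, user names, addresses and all the log lines are constructed for the example.

```python
"""Baseline-driven anomaly detection over authentication log lines.

Added example; not code from the original post or from any Micro Focus product.
The log format, host name, user names and addresses are all constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: one login event per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=login result=(?P<result>OK|FAIL)$"
)
UNKNOWN = {"mean": 0.0, "stdev": 0.0, "srcs": frozenset()}  # user absent from the baseline


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(lines, start, days=7):
    """Learn 'normal' per user from a quiet window: mean and standard deviation of
    FAILs per hour (every hour of the window counts, empty ones included, so the
    statistics are not biased towards busy hours) plus the source addresses seen."""
    end = start + timedelta(days=days)
    hours = [start + timedelta(hours=h) for h in range(days * 24)]
    fails = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not (start <= ev["ts"] < end):
            continue
        srcs[ev["user"]].add(ev["src"])
        if ev["result"] == "FAIL":
            fails[ev["user"]][hour_bucket(ev["ts"])] += 1
    baseline = {}
    for user in srcs:
        counts = [fails[user][h] for h in hours]
        baseline[user] = {"mean": statistics.mean(counts),
                          "stdev": statistics.pstdev(counts), "srcs": srcs[user]}
    return baseline


def detect(baseline, lines, sigma=3.0, floor=5):
    """Score new lines against the baseline. Alert kinds: 'fail_burst' when one
    hour's FAIL count exceeds mean + sigma*stdev (never below `floor`), and
    'new_source' for a login attempt from an address never seen for that user."""
    fails = defaultdict(int)      # (user, hour) -> FAIL count
    seen_src = defaultdict(set)   # user -> sources in the new lines
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # malformed lines are skipped, not trusted
        seen_src[ev["user"]].add(ev["src"])
        if ev["result"] == "FAIL":
            fails[(ev["user"], hour_bucket(ev["ts"]))] += 1
    alerts = []
    for (user, hour), n in sorted(fails.items()):
        b = baseline.get(user, UNKNOWN)
        threshold = max(b["mean"] + sigma * b["stdev"], floor)
        if n > threshold:
            alerts.append({"user": user, "kind": "fail_burst",
                           "detail": f"{n} failures in hour {hour:%Y-%m-%d %H:00}Z "
                                     f"(threshold {threshold:.1f})"})
    for user, srcs in sorted(seen_src.items()):
        for src in sorted(srcs - baseline.get(user, UNKNOWN)["srcs"]):
            alerts.append({"user": user, "kind": "new_source",
                           "detail": f"login attempt from never-seen source {src}"})
    return alerts


def _line(ts, user, src, result):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} host=vpn1 user={user} src={src} action=login result={result}"


def constructed_logs():
    """Constructed data: seven quiet days (one mistyped password each morning,
    then success) followed by a day on which 'bob' draws 30 failures in one
    hour from an address he has never used."""
    start = datetime(2016, 11, 21, tzinfo=timezone.utc)
    base = []
    for d in range(7):
        day = start + timedelta(days=d)
        base += [_line(day.replace(hour=9, minute=2), "alice", "10.0.0.5", "FAIL"),
                 _line(day.replace(hour=9, minute=3), "alice", "10.0.0.5", "OK"),
                 _line(day.replace(hour=14, minute=15), "bob", "10.0.0.9", "FAIL"),
                 _line(day.replace(hour=14, minute=16), "bob", "10.0.0.9", "OK")]
    today = start + timedelta(days=7)
    new = [_line(today.replace(hour=9, minute=1), "alice", "10.0.0.5", "FAIL"),
           _line(today.replace(hour=9, minute=2), "alice", "10.0.0.5", "OK"),
           "this line is deliberately malformed and must be ignored"]
    new += [_line(today.replace(hour=3, minute=m), "bob", "203.0.113.7", "FAIL") for m in range(30)]
    return start, base, new


def run_demo():
    start, base, new = constructed_logs()
    return detect(build_baseline(base, start), new)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['kind']:<11} user={alert['user']:<6} {alert['detail']}")
```

Run as a script it prints two alerts, both for bob, and nothing for alice, whose single morning failure is well inside her baseline. The floor and the sigma multiplier are the two knobs an analyst tunes: lower them and you see more, at the price of more noise.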

Response means adapting security systems quickly and dynamically

Security, however, demands not only a fast response in the event of an attack but also fast adaptation of the security architecture to change. Agile software development, automated release management, standardised cloud services: many trends act as catalysts for ever shorter innovation cycles. The "immune system" of IT must adapt just as quickly; integrated, automated, intelligent and dynamic are therefore the central attributes of a modern security architecture.


Christoph Stoica

Regional General Manager DACH

Micro Focus

Cyber Monday

Big retailers have been planning for up to 18 months for their share of approximately $2.6 billion in revenue. Cyber Monday started in 2005 and has become one of the biggest online traffic days of the year. Simon Puleo takes a look at how some of our biggest customers have prepared.

‘Twas the night before Cyber Monday and all through the house

everyone was using touchscreens gone was the mouse.

While consumers checked their wish lists with care

in hopes that great savings soon would be there.

The children were watching screens in their beds

while visions of Pikachu danced in their heads.

And Mamma in her robe and I in my Cub’s hat

reviewed our bank accounts and decided that was that!’

Cyber Monday started in 2005 and has become one of the biggest online traffic days of the year. Black Friday may have started as early as 1951, and between them the two shopping holidays generate over $70 billion! Let's take a look at how some of our biggest customers have prepared:

1.)    Performance testing. Did you know that our customers typically start performance testing for Cyber Monday in February? Why would they start so early? Customers are testing more than just peak load; they are testing that sites render correctly across multiple configurations, bandwidths and devices, and sometimes in multiple regions of the world. The goal of e-commerce is to enable as many shoppers as possible, which includes my Dad on his iPad 2 on a rural carrier and my daughter on her Chromebook in an urban area. Multiply that by thousands of users and you can see that, unfortunately, retailers can't hire enough of my relatives to help them out. What they do instead is use a combination of synthetic monitors and virtual users to simulate and assess how a website performs when 10,000 users are shopping at the same time.


2.)    New Feature Testing.  Whether you consciously think about it or not, you expect and gravitate towards websites that have the latest feature set and best user experience.  What does that mean?  Listing a photo and a description is bare bones; the best commerce websites not only have reviews, videos, links to social media and wish lists, they may actually be responsive to your shopping habits, regional weather and personal interests.  They use big data sets to predict what you are browsing for and offer you targeted deals too good to pass up!  While that is exciting, it also means that the complexity of the code, both rendering in the browser and behind the scenes, has grown exponentially over the years.  Ensuring that new features perform, that old code works with legacy systems, and that everything renders correctly on multiple devices is what functional and regression testing is all about.  While a team of testers may track multiple code changes, they lean towards automation to ensure that code works on target configurations.

3.)    Offering Federated Access Management.  What? you’re thinking, user login was solved ages ago. For sophisticated online retailers, using Facebook, Google, Yahoo!, Twitter, LinkedIn or other credentials to gain access is first a method to gain trust, second opens up the potential opportunity for more customers, and finally a road to valuable personal data.  Regardless of which advantage a retailer may prioritize, developing the ability to enable millions of Facebook users to easily log in and check out with a credit card equates to new customers and a leg up over legacy competitors.  And, for an added measure of trust and security, retailers can couple multi-factor authentication at key points of the conversion process.   A simple user login and password for each shopping site is quickly becoming a relic of the past as users opt for convenience over management of many user names and passwords.


These are some of the top methods and solutions that big retailers have implemented for 2016.  The best online commerce professionals know what they are up against and what is at stake. For example:

  • In 2014 there were over 18,000 different Android devices on the market according to OpenSignal; that is an overwhelming number of devices to cover.
  • At a minimum, retailers lose $5600 per minute their websites are down.
  • The market is huge: a recent estimate put the global number of digital buyers at 1.6 billion, nearly 1/5 of the world’s population.  Converting even .1% of that number is 160,000 users!
  • Users are fickle and will leave a website if delayed just a few seconds.
  • Last year Cyber Monday accounted for $3 billion in revenue; this year we expect even more!

Retailers like Mueller in Germany realize that zero “downtime” is critical to keeping both the online and virtual shelving stocked.  Their holistic approach to managing software testing and performance helps them implement new features while keeping existing systems up and running.   It is never too late to get started for this year or to prepare for next; consider how Micro Focus has helped major US and European online retailers with performance testing, automated functional and regression testing, access management and advanced authentication.

Password war: who is actually fighting whom?

The year 2016 brought spectacular data thefts of unimaginable dimensions to light. Dropbox and Yahoo, but also state institutions such as RUAG, were among the victims of ever more widespread professional cyberattacks. Added to this is growing employee dissatisfaction with access provisioning, which leads to a sprawl of access rights. In this blog you will learn how to escape this dilemma.

In 2016 data theft reached a dimension never seen before. Data thefts are becoming an everyday occurrence, ransomware the norm, and when an online portal loses millions of login credentials, that no longer surprises anyone either. 68 million cracked user accounts at the cloud storage service Dropbox, 120,000 stolen customer credentials at Deutsche Telekom and the latest record hack of half a billion user records at the Internet service Yahoo, once the flagship company of the New Economy: the list can be continued at will. Not even 8 weeks lay between all these reports, and one cannot shake the feeling that information and reports about data thefts are multiplying at an inflationary rate, both in number and, above all, in the number of cracked user accounts. It is striking that the data thefts mentioned all go back to network attacks that took place 4 years ago, or in the case of Yahoo 2 years ago, and that at the time the companies tended to play down the effects of these initial attacks in public. Today, with the e-mail addresses and passwords captured in those attacks now surfacing, the true extent of the damage is only becoming apparent.

In the cases mentioned, the cause of the massive data thefts was in each case cracked passwords of private LinkedIn accounts. And despite the rising threat level, there are still enough employees who, by all appearances, are naive enough to use the same privately used password for work as well, thereby giving hackers access to corporate networks.  It is also astonishing that public outrage over the unimaginably large data thefts that have now come to light remained very limited, as the corresponding headlines filled the papers for just a single day. Apparently the loss of confidential data and passwords, through which countless people have already lost their digital lives (fortunately only the digital ones), is already part of the daily routine. But it is not only companies that fall victim to growing cybercrime; state institutions are also increasingly in the hackers' sights. The Swiss state-owned defence contractor RUAG and the Swiss Ministry of Defence became targets of hackers, and at least one of these attacks was successful. According to the report of the Reporting and Analysis Centre for Information Assurance (Melani), the hacker attack on the Swiss Ministry of Defence at the beginning of 2016 was still detected in time. The attack on RUAG began in December 2014 and remained undetected for over a year. Using a malicious program, the attackers achieved an initial infection through watering-hole attacks via prepared websites. This led to the attackers exploiting a vulnerability in an employee's browser and installing malware. Subsequently, user privileges on the infected system were escalated and, over several stages, the attackers finally gained full control of the Active Directory in the corporate network. With that, the attackers obtained the highest possible user rights.

The German Federal Office for Information Security (BSI) also complains of more than 20 highly specialised attacks on the government network every day, an alarming number.  There they already speak of electronic carpet bombing, collateral damage and special units for defence, using vocabulary one would otherwise only expect from the Ministry of Defence.  The enemy lurks everywhere and, in its raids, is after one thing above all:

It is looking for the biggest weak point that allows it to penetrate corporate networks as unnoticed as possible. Passwords and login credentials appear to be the weakest link in the chain, because according to a new Deloitte study three quarters of all cyberattacks on companies can be traced back to stolen or weak passwords.

But alongside the fight against ever more sophisticated cyberattacks and professional hackers, the IT department faces a second front in the password war: the front of dissatisfied employees within its own company. As a reaction to growing cybercrime with ever more subtle attack methods, ever more restrictive rules for password assignment are being introduced at the same time. No names or simple words, but numbers, letters, upper and lower case and special characters are to be used, there should be at least 10 characters, they should if possible be renewed after 14 days, and under no circumstances should one and the same password be used for everything, to name only some of the most common rules for password assignment. Already today a user has on average 13 passwords and accesses 6 to 10 applications and websites with logins per day. If the Deloitte study is to be believed, the number of online accounts per user will rise to 200 by the year 2020. No one can remember all the different and complicated passwords required any more, which inevitably means that sticky notes are stuck to displays as memory aids or that the same, usually simple, password is often used for several logins. In addition, these password policies in companies are increasingly leading to frustration among employees. The Ponemon Institute found in its recently published survey on Identity Governance & Access Management that in 38% of the companies surveyed, employees are annoyed about the current process for access management. And even if users followed all the strict requirements for password creation and actually used strong and different passwords, these would still not be secure enough.
Using social engineering, also called social manipulation, hackers exploit human weaknesses to obtain confidential information through targeted influence (see blog: Tausche Passwort gegen Schokolade).


Security must be practicable

So what can companies do to protect themselves against identity theft? Identity-based security solutions such as multi-factor authentication can be the key to ensuring secure access to the applications and systems that employees need for their daily work. But it only becomes truly more secure if it is also simple. While increasing security should be the primary goal of any authentication solution, usability is no less important for successful adoption in the company. If the processes are too complicated and inconvenient for users, users will find ways and means to circumvent them. That in turn has a negative effect on both productivity and security. It is important to find an appropriate balance between the requirements of operational capability and security. When planning a multi-factor authentication method that suits them, however, companies should not only align with the current status quo of their requirements; they should also look at future needs. Beyond that, it is important that access is evaluated dynamically and that the security of the login is adapted accordingly.  We will show you how to protect your company from cyberattacks on the #DiscoverMF Tour, which starts on 7 December 2016 in Zurich.

Thomas Hofmann

Systems Engineer – Micro Focus Switzerland


FT Cyber Security Summit 2016

David Mount reports back from the FT Cyber Security Summit 2016 in London and shares his thoughts on cyber security in this enlightening blog. Read on.


Last month I was fortunate to be able to carve some time out of my diary to attend the Financial Times Cyber Security Summit in London. The event promised a strong line-up of cyber-security heavyweights – and I mean that in the knowledge and experience sense, rather than in Trump’s view of a cyber-crime protagonist.

The sentiment was clear – the good guys are still losing to the bad guys, and it doesn’t look like it’s going to change any time soon. Nausicaa Delfas, Director of Specialist Supervision at the UK’s Financial Conduct Authority shared some interesting, if unsurprising numbers. Over the past few years, they have seen the number of reported cyber-attacks on financial institutions steadily rise – 5 in 2014, 27 in 2015, and 75 so far in 2016. The pessimist (or perhaps realist) in me makes me think that we’re facing ever increasing armies of cyber-criminals who are better organised, better skilled and better funded than the average target; the optimist in me tries to think that we’re actually getting better at spotting the attacks earlier, and thus able to respond more effectively than before.


Whatever the reasons, it’s evident that the good guys will only become truly effective in their mission through effective sharing of information. Indeed, the great military strategist Sun Tzu proclaimed “if you know your enemy and know yourself, you need not fear the results of a hundred battles”. There’s no room for egos in cyber-security. Attacks happen, and one major bank highlighted the empathetic sentiment they received from their customers when they announce they are suffering a cyber-attack such as DDoS.

So let’s not perpetuate the myth that all cyber-attacks are perpetrated by socially awkward teenagers in their bedrooms. Some indeed are, and often as a result of frankly inexcusable and embarrassing approaches to information security. However, many are not. We must change our approach and find the ways to allow cyber-security professionals to truly come together as a team, rather than acting as a loosely grouped collection of skilled individuals. Thankfully, we’re starting to see some initiatives take shape in this space, and during the event there was optimism regarding the UK Government-led National Cyber Security Centre, but much more work is needed on cyber information sharing platforms to provide open, timely access to rich information such as threats, attack vectors and indicators of compromise. As basketball coach John Wooden said – “failure isn’t fatal. But failure to change might be” – a prophecy to the cyber threats of today or tomorrow perhaps?


Geo-fencing: securing authentication?

Micro Focus is leading the industry in geo-fencing and Advanced Authentication with its NetIQ portfolio. Simon Puleo looks at this fascinating new area and suggests some potential and very practical uses for this technology in his latest blog.

Are you one of the 500 million users who recently had their account details stolen from Yahoo?

Chances are that criminals will use them for credential stuffing – using automation to try different combinations of passwords and usernames at multiple sites to login to your accounts.

So you’re probably thinking the same as me – that a single username and password is no longer sufficient protection from malicious log-in, especially when recycled on multiple sites.
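The credential-stuffing pattern described above (automation trying many username/password pairs, most of which fail) also has a recognisable shape in a site's own authentication log, which is where a defender can catch it. The following Python script is an added example, not code from the original post or from any Micro Focus product; the log lines, the source addresses (taken from the documentation IP ranges) and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample authentication log (not from any real system).
# Format: ISO timestamp, source IP, username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2016-11-28T09:00:01 203.0.113.7 alice FAIL
2016-11-28T09:00:02 203.0.113.7 bob FAIL
2016-11-28T09:00:02 203.0.113.7 carol FAIL
2016-11-28T09:00:03 203.0.113.7 dave FAIL
2016-11-28T09:00:03 203.0.113.7 erin OK
2016-11-28T09:00:04 203.0.113.7 frank FAIL
2016-11-28T09:00:04 203.0.113.7 grace FAIL
2016-11-28T09:00:05 203.0.113.7 heidi FAIL
2016-11-28T09:01:00 198.51.100.20 alice FAIL
2016-11-28T09:01:30 198.51.100.20 alice FAIL
2016-11-28T09:02:00 198.51.100.20 alice OK
2016-11-28T09:05:00 192.0.2.44 bob OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to separate stuffing from ordinary logins."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_line(line: str):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"


def aggregate(log_text: str) -> dict:
    """Fold the log into one SourceStats per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return stats


def detect_credential_stuffing(log_text: str, min_usernames: int = 5,
                               min_failure_ratio: float = 0.7,
                               window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: summary} for sources showing the stuffing signature:
    many *different* usernames, mostly failing, within a short window.
    One username hammered repeatedly (198.51.100.20 above) is a different
    pattern (brute force or a forgotten password) and is not flagged here."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        ratio = s.failures / s.attempts
        span = s.last_seen - s.first_seen
        if len(s.usernames) >= min_usernames and ratio >= min_failure_ratio and span <= window:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.usernames),
                "failure_ratio": ratio,
                # accounts that succeeded in the middle of a stuffing run are the
                # ones to force a password reset or step-up authentication on
                "likely_compromised": sorted(s.successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinguishing signal is the number of distinct usernames per source, not the raw failure count: a legitimate user who mistypes a password three times fails from one address against one account, whereas a stuffing run walks through a leaked list. The `likely_compromised` field is the actionable output; an account that authenticated successfully inside such a run is exactly the reused Yahoo credential the post warns about.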


Is your identity on the line?

Indeed, 75% of respondents to a September 2016 Ponemon study agreed that “single-factor authentication no longer effectively protects unauthorized access to information.”

Biometric authentication is one solution and is already a feature of newer iPhones. However, skimmers and shimmers are already seeking to undermine even this.

Perhaps geo-fencing, the emerging alternative, can address the balancing act between user experience and security? It provides effective authentication and can be easily deployed for users with a GPS device. Let’s take a closer look at what this technology is, and how it can be used.

What is geo-fencing?

Geo-fencing enables software administrators to define geographical boundaries. They draw a shape around the perimeter of a building or area where they want to enforce a virtual barrier.  It is really that easy. The administrator decides who can access what within that barrier, based on GPS coordinates. In the example below, an admin has set a policy that only state employees with a GPS can access systems within the Capitol Building.


Let’s dive deeper, and differentiate between geo-location and geo-fencing. Because geo-location uses your IP it can be easily spoofed or fooled, and is not geographically accurate. However geo-fencing is based on GPS coordinates from satellites tracking latitude and longitude.

While GPS can be spoofed, doing so requires a great deal of expensive scientific equipment, and receivers have features to validate the signal. Using geo-coordinates enables new sets of policies and controls that ensure security and enforce seamless verification, keeping it easy for the user to log in and hard for the criminal to break in. Consider the example below:

Security Policy: Users must logout when leaving their work area.

Real-world scenario: Let’s go and get a coffee right now. Ever drop what you are doing, leaving your PC unlocked and vulnerable to insider attacks? Sure you have.

Control: Based on a geo-fence as small as five feet, users could be logged out when they leave their cube with a geo device, then logged back in when they return. It’s a perfect combination of convenience, caffeine and security.
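The five-foot-fence control above reduces to two pieces: a test of whether a GPS fix lies inside a fence, and a session state machine driven by successive fixes. The Python below is an added example, not code from the original post or from the NetIQ products it describes; the coordinates, the fence shapes and the two-fix grace period are constructed assumptions. It also covers the building-sized polygon fence from the definition of geo-fencing earlier in the post, so the same session logic serves both cases.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
FIVE_FEET_M = 1.524


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class CircleFence:
    """A cube-sized fence: centre point plus radius (the 'five feet' case)."""
    def __init__(self, lat, lon, radius_m):
        self.lat, self.lon, self.radius_m = lat, lon, radius_m

    def contains(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


class PolygonFence:
    """A building-sized fence drawn as a list of (lat, lon) vertices.
    Ray casting on raw degrees is accurate enough at building scale."""
    def __init__(self, vertices):
        self.vertices = list(vertices)

    def contains(self, lat, lon):
        inside = False
        j = len(self.vertices) - 1
        for i in range(len(self.vertices)):
            lat_i, lon_i = self.vertices[i]
            lat_j, lon_j = self.vertices[j]
            if (lat_i > lat) != (lat_j > lat):        # edge spans the point's latitude
                lon_at_lat = lon_j + (lat - lat_j) * (lon_i - lon_j) / (lat_i - lat_j)
                if lon < lon_at_lat:                  # edge lies east of the point
                    inside = not inside
            j = i
        return inside


class GeoFenceSession:
    """Logs the user in while inside the fence and out once they have been
    outside for `grace_fixes` consecutive position fixes. The grace period
    absorbs GPS jitter, which is normally larger than a five-foot fence."""
    def __init__(self, fence, grace_fixes=2):
        self.fence = fence
        self.grace_fixes = grace_fixes
        self.logged_in = False
        self._outside = 0
        self.events = []

    def update(self, lat, lon):
        if self.fence.contains(lat, lon):
            self._outside = 0
            if not self.logged_in:
                self.logged_in = True
                self.events.append("login")
        else:
            self._outside += 1
            if self.logged_in and self._outside >= self.grace_fixes:
                self.logged_in = False
                self.events.append("logout")
        return self.logged_in


# Constructed coordinates for a desk and a building; not real sites.
DESK = CircleFence(47.37690, 8.54170, FIVE_FEET_M)
BUILDING = PolygonFence([(47.3764, 8.5412), (47.3774, 8.5412),
                         (47.3774, 8.5422), (47.3764, 8.5422)])


def walk_to_coffee():
    """Replay a short track: at the desk, a step beside it, off to the coffee
    machine, and back. Returns the logged-in state after each fix and the events."""
    session = GeoFenceSession(DESK, grace_fixes=2)
    track = [(47.37690, 8.54170), (47.37691, 8.54170),   # at / beside the desk (~1.1 m)
             (47.37695, 8.54170), (47.37700, 8.54170),   # ~5.6 m and ~11 m away
             (47.37690, 8.54170)]                        # back at the desk
    return [session.update(lat, lon) for lat, lon in track], session.events
```

The grace period is the practical caveat for a fence this small: consumer GPS fixes typically wander by several metres, so a one-fix logout on a five-foot radius would bounce the session while the user sits still. Requiring a run of outside fixes (or, in a real deployment, a short time outside) trades a few seconds of exposure for a usable control.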

Patient safety, IT security 

This scenario may sound incredible, but Troy Drewry, a Micro Focus Product Manager, explains that it is not that far-fetched. Troy shared his excitement for the topic – and a number of geo based authentication projects he is involved in – with me. One effort is enabling doctors and medical staff to login and logout of workstations simply by their physical location. This could help save valuable time in time-critical ER situations while still enforcing HIPAA policies.

Another project is working with an innovative bank that is researching using geo-fencing around ATMs to provide another factor of validation.  In this scenario, geo-fencing could have the advantage of PIN-less transactions, circumventing skimmers.

As he explained to me, “What is interesting to me is that with geo-fencing and user location as a factor of authentication, it means that security and convenience are less at odds.” I couldn’t agree more. Pressing the button on my hard token to login to my bank accounts seems almost anachronistic; geo-fencing is charting a new route for authentication.

Micro Focus is leading the industry in geo-fencing and Advanced Authentication. To learn more, speak with one of our specialists or click here.


Is Secure File Transfer Protocol (SFTP) Its Own Worst Enemy?

At Micro Focus, our customers are asking for a holistic approach to secure file transfer—one that provides more visibility, flexibility, and control. That’s why we’ve introduced Reflection® for Secure IT Gateway. This new SSH-based solution sits between the user and the SFTP server, and acts as a central point of control. Its job is to track every file going in and out of your enterprise, including who transferred it and what’s in it. David Fletcher investigates further in this blog….

Secure File Transfer Protocol

SFTP has long been a de facto standard for secure file transfer.  Originally designed by the Internet Engineering Task Force (IETF), this extension of the Secure Shell protocol (SSH) 2.0 provides secure file transfer capabilities over the SSH network protocol.

In a nutshell, SFTP encrypts your data and moves it through an impenetrable encrypted tunnel that makes interception and decoding virtually impossible. While incredibly useful for business-to-business data sharing, SFTP poses a problem in our security-conscious world. Oddly enough, the problem is that SFTP works too well.

Let me explain. SFTP works so well that no one can see what’s being transferred—not even the people who need to see it for security reasons. Case in point: Edward Snowden. No matter what your thoughts on the subject, the fact is that Snowden used his privileged user status to transfer and steal sensitive files. Why was he able to do this? Because no one could see what he was doing. As a “privileged user” on the network, he had extensive access to sensitive files—files that he was able to transfer about, as he desired, without detection.


In addition to the threats posed by unscrupulous privileged users, there’s another threat that’s cause for alarm. It’s called Advanced Persistent Threat (APT).  Basically, an APT is a ceaseless, sophisticated attack carried out by an organized group to accomplish a particular result—typically, the acquisition of information. The classic APT mode of operation is to doggedly steal the credentials of privileged users. The purpose, of course, is to gain unfettered access to sensitive or secret data. Once “in,” these APTers can transfer data and steal it without detection.  On a side note, Snowden used some of these APT tactics to steal credentials and validate self-signed certificates to gain access to classified documents.

APTs are often discussed in the context of government, but let me be clear: Companies are also a primary target. Take the recent Wall Street Journal article about a foreign government stealing plans for a new steel technology from US Steel. Such behavior is just the tip of the iceberg when it comes to how far some entities will go to steal information and technology.

Introducing Micro Focus Reflection for Secure IT Gateway

So given that transferring files is an essential business operation, what can you do to protect your organization from these dangerous threats? At Micro Focus, our customers are asking for a holistic approach to secure file transfer—one that provides more visibility, flexibility, and control. That’s why we’re introducing Reflection® for Secure IT Gateway. This new SSH-based solution sits between the user and the SFTP server, and acts as a central point of control. Its job is to track every file going in and out of your enterprise, including who transferred it and what’s in it.   It can also offload files for third-party inspection and then either stop the transfer and send a notification if something seems amiss, or complete the transfer as required.
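The gateway role just described (record every transfer with who and what, hand the file to inspection, then either block and notify or forward it) can be sketched as a small broker. The Python below is an added example and is not Reflection for Secure IT Gateway's code or API; the inspectors (a size cap, an extension deny list, a classification-marker check on outbound files) and the sample transfers are constructed assumptions standing in for whatever third-party tools a real deployment plugs in.

```python
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List


@dataclass
class TransferRequest:
    user: str          # authenticated SFTP user
    direction: str     # "upload" (into the enterprise) or "download" (out of it)
    filename: str
    content: bytes     # the file, spooled by the gateway before it is forwarded


@dataclass
class Decision:
    allowed: bool
    findings: List[str]
    audit: dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Inspectors: constructed policy checks; each returns a list of findings -----
MAX_BYTES = 50 * 1024 * 1024
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr"}
CLASSIFICATION_MARKERS = (b"CLASSIFICATION: SECRET", b"INTERNAL ONLY")


def inspect_size(req: TransferRequest) -> List[str]:
    return [f"size {len(req.content)} exceeds {MAX_BYTES}"] if len(req.content) > MAX_BYTES else []


def inspect_extension(req: TransferRequest) -> List[str]:
    ext = os.path.splitext(req.filename)[1].lower()
    return [f"blocked extension {ext}"] if ext in BLOCKED_EXTENSIONS else []


def inspect_classification(req: TransferRequest) -> List[str]:
    """Stop files carrying a classification marker from leaving the enterprise."""
    if req.direction != "download":
        return []
    return [f"classification marker {m.decode()} in outbound file"
            for m in CLASSIFICATION_MARKERS if m in req.content]


class TransferGateway:
    """Sits between the client and the SFTP server: every transfer is recorded
    (who, what, hash), handed to the inspectors, and only then forwarded."""

    def __init__(self, inspectors: List[Callable[[TransferRequest], List[str]]],
                 notify: Callable[[dict], None]):
        self.inspectors = inspectors
        self.notify = notify
        self.audit_log: List[dict] = []

    def handle(self, req: TransferRequest) -> Decision:
        findings = [f for inspect in self.inspectors for f in inspect(req)]
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user,
            "direction": req.direction,
            "filename": req.filename,
            "bytes": len(req.content),
            "sha256": sha256_hex(req.content),
            "action": "blocked" if findings else "forwarded",
            "findings": findings,
        }
        self.audit_log.append(entry)   # recorded whether or not the transfer proceeds
        if findings:
            self.notify(entry)         # alert; the file never reaches the far side
        return Decision(allowed=not findings, findings=findings, audit=entry)


DEFAULT_INSPECTORS = [inspect_size, inspect_extension, inspect_classification]


def run_demo():
    """Constructed transfers: a clean report, a marked file going out, a binary coming in."""
    alerts = []
    gw = TransferGateway(DEFAULT_INSPECTORS, notify=alerts.append)
    results = [
        gw.handle(TransferRequest("alice", "download", "q3-report.pdf", b"quarterly figures")),
        gw.handle(TransferRequest("bob", "download", "plans.docx",
                                  b"CLASSIFICATION: SECRET\nnew process design")),
        gw.handle(TransferRequest("partner1", "upload", "tool.exe", b"MZ...")),
    ]
    return results, alerts, gw.audit_log
```

Two design points carry the security value. The audit entry is written before the allow/block decision is acted on, so the record of who moved what (and its hash) exists even for transfers that were stopped, which is exactly the visibility the privileged-user scenario above lacked. And inspection runs on the spooled copy at the choke point rather than inside the encrypted session, so adding a new check means adding a function to the list, not touching the SSH layer.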

Reflection for Secure IT Gateway comes with a powerful browser-based interface that you can use to accomplish a number of transfer-related tasks:

  • Expose files for inspection by third-party tools
  • Automate pre- and post-transfer actions
  • Grant and manage SFTP administrator rights
  • Provision users
  • Configure transfers
  • Create jobs for enterprise level automation
  • Delegate tasks

Read more about Reflection for Secure IT Gateway or download our evaluation software and take a test drive. Learn how you can continue to benefit from the ironclad security of SFTP while also gaining greater file transfer visibility, flexibility, and control.

Sr. Product Marketing Manager
Host Connectivity
(Originally published here)