Hello Security Specialist
It's good to see you again! In this newsletter we have some interesting articles about new developments in the IT Security World. We hope you find the articles useful and we look forward to welcoming you to our website where you can find much more information. You can also contact us using this link.
PROTECTION FOR DATA ACROSS EVERY LAYER OF THE ENTERPRISE
Enterprise data security today means adding defense-in-depth, layers of security that protect data at its core as well as across physical infrastructure (i.e. networks, servers, endpoints). Armoring data is what PKWARE is all about. PKWARE is a trusted name with nearly 30 years in encryption, digital signing and authentication, and performance-based compression. The PKWARE Smart Encryption Platform™ is an open architecture security platform that helps organizations reduce the impact of a breach, meet corporate compliance goals, and avoid application development complexity.
Smart Encryption from PKWARE is 100% standards based and integrates the most vetted cryptographic technologies available to support both structured and unstructured data. The Smart Encryption Platform integrates with all commonly used key service layers, stores and types to keep in place investments in existing infrastructure and policies.
This means faster deployment, lower total cost of ownership and support for all your existing security investments.
Read more here
The Dutch “Wet bescherming persoonsgegevens (Wbp)”, or Protection of Personal Data Law, together with an increasing awareness of the dangers of divulging personal data, are the greatest drivers for a healthcare-related Dutch government organization to adopt technology used to encrypt attachments (and sometimes the text) of emails distributed both internally and externally.
An increasing number of similar organisations are turning their attention to protecting data by using encryption as European laws and directives are being implemented on a national level.
For a long time SSL/TLS was trusted to encrypt information sent over the internet, but this is not enough. Even if you discount the Heartbleed vulnerability, ‘line encryption’ is not sufficient to guarantee the security of data distributed via the public internet. In order to protect the data after it has reached its destination, the data has to be held in an encrypted form until the intended recipient decrypts it using his or her ‘key’. A key can be a password, passphrase or a private software key such as used in PKI or PGP.
SecureZIP was the considered choice of this organization due to its flexibility and use of recognized standards for encryption. SecureZIP is also FIPS 140-2 compliant, which is an important information processing standard adopted by many government organisations.
The past few years have seen an increasing growth of SecureZIP for Windows Desktop in the Benelux. SecureZIP from PKWARE is a utility for compression and encryption of data and is available on all major ICT platforms from mainframe to mobile.
Supported by our partners SkyView Partners and RazLee, SRC is now able to provide Managed Security Services (MSS) on IBM AIX and Linux as well as IBM i. For more information on these services please contact us.
by Carol Woodbury, President, SkyView Partners, Inc
Many of you are daunted by the security aspects of the Integrated File System (IFS), but there are a few things that—whether you're comfortable or not—you should not ignore.
One function that's available in the IFS is the ability to create a share. A file share allows you to map a drive and make what is shared available directly as a mapped drive on your PC or on a network server. File shares are not typically a security risk as long as the share is mapped at the directory whose contents are being shared. What is a risk is when root is shared. That's because, when root is shared, all of the /QSYS.LIB file system is also shared; in other words, all libraries are also shared and available for manipulation in Windows Explorer. This becomes a huge security risk, especially if you have not implemented good access controls on your database files. Why? Because the files can easily be overwritten with garbage or deleted by dragging and dropping them into the trash bin.
You can somewhat reduce the risk of sharing root by adding a dollar sign ($) to the end of the share name. This prevents the share name from being broadcast. Unfortunately, most people just add $ to the word root, as in root$ is the share name. Obviously, this is totally unimaginative and very easily guessed. If you're going to attempt to hide the share name, use a non-obvious name! Another way to add some protection is to use the QPWFSERVER authorization list that's shipped with the operating system. Users with authority to this list are able to see libraries in iNavigator as well as lists such as those presented in Windows Explorer. However, if the user has no authority to the list, then the QSYS.LIB file system (that is, libraries) will be hidden from these views. This has no effect on the actual authority the users have to these libraries; it's just a control for who can see them in this "list" view. The default *PUBLIC authority of the QPWFSERVER authorization list is *USE. Change it to *EXCLUDE to eliminate non-*ALLOBJ users' view of libraries. Authorize users or groups to the list if they have a business need.
Read the rest of this article here
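The two checks described in the article above (whether a share is mapped at root, and whether the QPWFSERVER authorization list still carries its default *PUBLIC authority) can be run over a share inventory. This is an added example, not code from the article or from IBM; the inventory format, the finding labels and the `OBVIOUS_NAMES` list are assumptions, the sample shares are constructed, and treating a share mapped at /QSYS.LIB itself like a root share goes one step beyond the case the article names.

```python
from dataclasses import dataclass

# Assumption: base names a person would guess first for a hidden root share.
OBVIOUS_NAMES = {"root", "ifs", "qsys", "share"}

@dataclass
class Share:
    name: str  # share name as defined on the system
    path: str  # IFS directory the share is mapped at

def exposes_libraries(path):
    """True when the share is mapped at root or at /QSYS.LIB itself."""
    normalized = "/" + path.strip("/").upper()
    return normalized in ("/", "/QSYS.LIB")

def audit_share(share):
    """Return finding labels (hypothetical names) for one share."""
    if not exposes_libraries(share.path):
        return []  # mapped at the directory being shared: not the risk described
    findings = ["ROOT_SHARED"]
    if not share.name.endswith("$"):
        findings.append("NAME_BROADCAST")
    elif share.name[:-1].lower() in OBVIOUS_NAMES:
        findings.append("HIDDEN_NAME_GUESSABLE")
    return findings

def audit_qpwfserver(public_authority):
    """*PUBLIC *EXCLUDE hides libraries from list views; it changes no object authority."""
    if public_authority.upper() == "*EXCLUDE":
        return []
    return ["LIBRARIES_LISTED_TO_PUBLIC"]

def run_audit(shares, public_authority):
    report = {s.name: audit_share(s) for s in shares}
    report["QPWFSERVER"] = audit_qpwfserver(public_authority)
    return report

# Constructed sample inventory, not taken from a real system.
SAMPLE_SHARES = [
    Share("root$", "/"),
    Share("ROOT", "/"),
    Share("x7kq$", "/"),
    Share("reports", "/home/reports"),
]

if __name__ == "__main__":
    for name, findings in run_audit(SAMPLE_SHARES, "*USE").items():
        print(f"{name:12} {', '.join(findings) or 'ok'}")
```

A hidden, non-obvious name such as the constructed `x7kq$` still reports `ROOT_SHARED`: hiding the name only reduces the risk, and the access controls on the database files remain the real protection.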
It's not often you will find me enthusing over a presentation but this must be the best one I have seen in ages. So I must share it with you. In this YouTube video of a very recent webinar, Carol Woodbury explains how IT and Security staff have such a difficult time persuading their colleagues from the 'business' part of the organisation just how important it is to secure the organisation's data. You can watch this video using this link here.
When discussing solutions for security and compliance with ICT staff I often have to use arguments to heighten the awareness of my discussion partner to the vulnerabilities of a system like the IBM i to the encroachments of a serious cyber criminal. During a recent conversation on this subject with a colleague from an ICT service provider, before I began talking about specific vulnerabilities and how to resolve them, my colleague became very agitated and accused me of ‘spreading fear’ in order to sell products.
I was rather surprised with this viewpoint at first, knowing I was talking to someone with many years of experience in ICT, but then I realized that many of his formative ICT years were spent in a homogenous IBM Midrange environment. This was an environment which was almost completely enclosed, shut off from the outside world. While hacking a computer has never been impossible, in the early situation access to the system was gained via physical connections; Twinax and Token Ring allowed ‘Dumb Terminals’ to work via secured applications which were designed to fence the user into a selected environment and prevent him or her from straying outside that environment. External communications were based on leased telephone-lines, X.25 protocol and other exotic devices. Any hacker was a professional; he had to know the system very well in order to gain access.
Then of course TCP/IP arrived on the commercial scene and the Internet and the AS400 opened up to this world. This exposed the AS400 to all sorts of IP-savvy professional and amateur hackers who no longer needed Twinax terminals or 5250 emulation to do their work. Opening the AS400 to FTP, Telnet, ODBC, SSH, etc. literally opened up the system to the world, for good and bad. Of course IBM provides us with the means to secure these ‘new’ portals to the AS400, but these can often be complicated and require broad expertise in order to reach an adequate state of protection. My colleague was obviously aware of these developments which have taken place over the last twenty years or so, but still seemed to be locked into a false sense of security nurtured in the early days when IBM Midrange systems gained a well-deserved reputation for reliability, robustness and security. Unfortunately my colleague is not the only IBM i user with this attitude.
I rebutted his accusation by telling him I am not spreading fear, but spreading awareness.
By Stephen R. Cheney