Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Wednesday, 29 September 2010

InfoReck blog, great minds etc...

I'm delighted to have found this blog, written by Robb Reck, because we share a common belief that Compliance does not equal Security, and worse, that Compliance efforts can make you less secure. This post summarises his position and is essential reading for Infosec professionals and CISOs.

InfoReck» Blog Archive » Security Leads to Compliance

Amusingly we both wrote mid-year on the subject of compliance regimes hindering security efforts. I swear I had not read Robb's column before writing mine. Enjoy.

Thursday, 26 August 2010

55% care about PCIDSS

41 of 74 respondents to a poll on Anton Chuvakin's Security Warrior blog put PCIDSS top of their list of concerns. Alright, it was a leading question and unscientific, but I'm pleased to see such interest anyway. Maybe this reflects the looming Level 1 deadline for full compliance and regular audits. Maybe it's the fact that the card brands are now levying fines at an alarming rate. Whatever the reason, up to now we've seen a very slow uptake for a mandatory standard with tough penalties, and this is good news. I guess the standard's arrival during a recession has caused a bit of a "wait and see" attitude in the boardroom. But this is risky. PCIDSS is not just another regulation. If you're not compliant, you're at risk of serious fraud, data loss and reputational damage.

You shouldn't comply with PCIDSS to get a tick in the box and a certificate for the lobby. You should do it to preserve your business.

Monday, 12 July 2010

The case for PCI-DSS and Ripped Abs.

I just caught up with this post (which I had squirrelled away to read later with my Google Bookmarks toolbar and just rediscovered). Some nice work here by Bob Tarzey in summing up the main requirements of PCIDSS, the advantages of getting ready and the basic implications of a breach. PCI might be the kick that some firms need to re-assess security: the regularity of the audits might just make the difference. It's easy to put off spending money to counter a threat with an Annualised Rate of Occurrence (ARO) of 0.1 (i.e. once every 10 years); human nature and available time dictate that the auditor landing on your desk every quarter wins hands down.

Check out the comments on this post too. The griping about variable approaches from the assessors is to be expected with any new standard; I think this will settle down in time. On the particular issue about voice recordings of CVV2 numbers, I would hope encryption and strong access control over the voice recordings would suffice but would welcome clarification from the PCI on this or any views from QSAs reading this.

In any case, as I have blogged before, don't make compliance with the standard your goal, make good security your goal and you will achieve compliance as a direct consequence. Or as Papa_K puts it rather nicely on that comment thread: "If you prepare for compliance audits like you prepare for a punch in the stomach to prove your abs are strong then you'll not be prepared for the sucker punch."

Thursday, 8 July 2010

New IBM developerWorks blog: zSecurity

I've opened a new blog on the excellent IBM developerWorks platform called zSecurity. My readers who are not interested in System z issues will be delighted, as I will keep System z-specific content to that blog (and it might spill out into wikis later but that's another story) and stick to wider InfoSec stuff here.

zSecurity is here, please take a look and subscribe to the feed if you're interested in RACF, zSecure, Tivoli Security Software for z/OS and Linux on z and Enterprise Security with a Mainframe.

If you're already following me on Twitter as @alanjharrison then you will be happy to know that I will tweet my dW blog updates just as I tweet these Blogger ones, so nothing else to do there.

Thanks for reading, InfoSec people stay here, System z people: see you on dW! Thanks.

Thursday, 1 July 2010

zNext - One Box to Rule Them All?

The hype is building for zNext, the next generation of IBM System z servers. z10 brought unprecedented power, resilience and versatility to the large server market. But the next generation - first dubbed z11 and more recently zNext - is rumoured to be a step change in architecture that some are suggesting will change the datacenter game completely.

We know some things already: the processors will move from a 65nm to a 45nm process and run at around 5GHz, giving up to 43,000 MIPS [PDF], which represents about a 25% improvement on the z10. So far so impressive, but not earth-shattering.

But more recent rumours from Poughkeepsie have suggested something bigger is happening. The word "Hybrid" has been used in connection with POWER systems, suggesting that the new architecture will cross traditional platform boundaries. And one source told me that Teradata will be in the frame.

A System z that also runs native AIX and Teradata right out of the box? Wouldn't that be groundbreaking?

IBM have now announced the reveal will be in a July 22 webcast to partners. If you can't make it, come back soon, I'll be blogging about it here shortly after. Follow me on Twitter, LinkedIn or by RSS feed to get the news first. Might this be the game-changer, the killer blow to IBM's high-end server opposition, and then some?

Thursday, 24 June 2010

Is there a Mainframe Skills Shortage?

I like Joe Clabby. He tells it like it is. He has responded robustly a number of times now to Gartner advice to move off the mainframe to more "modern platforms". His latest such article is here.

However I think the truth lies between Gartner's doom and gloom predictions and Clabby's upbeat "you've never had it so good" optimism. Don't be under any illusion: decades of in-depth knowledge of mainframe systems is going to leave your organisation over the next few years. But where Gartner gets it wrong is their insistence that the solution lies in migrating off the mainframe. They have used that phrase "more modern platform" many times in recent years and this is starting to look like staggering ignorance of what IBM have been doing with System z for ten years.

There's no need to move off System z for modernity. IBM have brought modernity to System z. You want management GUIs? Check out the Tivoli automation range. You want a visual developer platform? Rational Developer for z (RDz). You want to run Java, C and C++? No problem. You want to consolidate your racks and racks of servers? Virtualise them? z/VM is the world's most mature hypervisor; add SLES or Red Hat Linux for up to 1500 servers in a 30kW box 10 feet square.

But I do think now is the time to modernise your mainframe. To streamline and automate the maintenance and management of the infrastructure. The product set has never been richer and I recommend you take a look. The greybeards will go soon, and while there is a new generation of System z aficionados leaving college as we speak, don't make them suffer needlessly. Enable them to be productive and creative. Simplify, streamline and automate with IBM Software.

Tuesday, 15 June 2010

Secure for Compliance, don't Comply for Security.

It's been all about compliance for the last few years. Wave after wave of legislation has left us reeling; it seems not a week goes by without a recertification, attestation or visit from the auditors. Maybe we're passing our audits, maybe our auditors are giving us glowing reports as our procedures, and the evidence of their being followed, tick all the boxes.

But we still get hit by a security incident. Maybe the theft of thousands of customer PINs has been traced to our software support team where a little known privilege has been exploited. Or the recent DoS attack on our web servers was routed via a previously unknown and unpatched print server. Or a rogue trader in our dealing room has been escalating his privileges to allow himself to both raise and authorise payments to his holiday fund.

How did this happen if we're compliant? Perhaps we focussed too narrowly on the specific directions in each piece of legislation, performing a box-ticking exercise on them all (which in practice often means lots and lots of new, labour-intensive processes such as user recertification, dual authority, two-factor authentication, enhanced monitoring, reporting and change control).

Ironically, it is all of this focus on new processes and procedures - implemented with the right intentions: to enforce security policy - that has made us less secure. Because now our technical staff - the experts in the hardware, OS, infrastructure and applications who were previously doing their best to keep ahead of new threats - are hamstrung with attestations, visits from auditors and recertifying user access rights.

What happened?

Well perhaps the new compliance framework was implemented as a stand-alone instrument, a panacea, rather than being used to inform and enhance existing standards and processes. Perhaps not enough thought was given to the extra work involved, or to developing systems and software to enable the new processes and ensure they have minimal impact on productivity. Perhaps we didn't recognise the things we were already doing that were contributing to compliance, and build on these. Perhaps we saw Compliance as a "New Thing" and sought to implement it as such. In short, we sought compliance for its own sake, and thought that compliance would bring us security. And perhaps we hastened to become compliant with a single piece of legislation such as SOX but didn't build a framework scalable or flexible enough to absorb further controls and threats. And we relied on auditors with little technical knowledge to tell us when we had got it wrong, and their technology-agnostic box-ticking failed us.

We need a new approach to compliance. It's the old approach but better. We need to go back to basics and take a proper technical approach to security. We need to identify and tackle all existing threats against all of our components, whether hardware, OS, infrastructure, application or web service (which incidentally needs a sound approach to configuration and change management that should include automated discovery), and a means of identifying and tackling new and emerging threats. We need to let our technical guys have greater input to the process and encourage and enable them to raise security issues and resolve them. And we need to bring back the technical audits.

We need to revisit our Security Policy, ensure it supports all of our security and compliance goals, and then use this to inform lower level documents including standards, baselines, guidelines and procedures so they all hang together. Then we need to implement rigorously, allowing our technical experts to decide what controls are needed to achieve each particular policy objective. And we need to remember to lock in compliance, with as many automated detective and corrective controls as we can - thus achieving Continuous Controls Management at the same time.

To give you a flavour of what I'm talking about, consider RACF. A typical (abridged) SOX control might require that "privileged users are kept to a minimum" and another might say "privileged user activity should be reviewed". Typically, well-known RACF privileges such as SPECIAL would be well covered by this control. The control objective, control details, processes and procedures adopted to implement this control would be comprehensive for SPECIAL users. Evidence is collected and preserved showing that SPECIAL users are well controlled.

Enacting a self-fulfilling prophecy then, SOX auditors come in and report compliance, but only because we are doing what we said we would do and protecting SPECIAL users. The SOX auditor will not verify that controlling SPECIAL users is sufficient to achieve the SOX control objective of curbing "privileged users".

In our practical example, our Software Support programmer exploits a lesser-known privilege: say SURROGAT authority over a SPECIAL user, a UID(0) OMVS segment, or UPDATE authority to a privileged user's EXEC or HOME library where he plants code (somewhat like a Trojan attack on z). These are all esoteric privileges which generally are not well controlled in a System z environment. But they are privileges nonetheless.
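To make this concrete, here is the kind of automated detective control the essay argues for: a review that computes who is effectively privileged once SURROGAT, UID(0) and write access to a privileged user's own libraries are counted, not just the SPECIAL attribute. This is an added example written for this page; it is not code from the original post or from IBM. It assumes inputs in the shape shown: a constructed LISTUSER report excerpt, and constructed SURROGAT and data-set access facts reduced to tuples (the sort of thing an administrator would pull from RLIST SURROGAT and LISTDSD), and it assumes that a data set whose high-level qualifier is a user ID is that user's own library. The review iterates to a fixed point, so a user who can write to the library of a user who can write to the SPECIAL user's library is caught too.

```python
# Added example (not from the blog post, not IBM code): transitive "effective
# privilege" review for RACF. Input formats below are assumptions for illustration.
import re
from collections import defaultdict

DIRECT_ATTRIBUTES = {"SPECIAL", "OPERATIONS", "AUDITOR"}   # system-wide RACF attributes
WRITE_LEVELS = {"UPDATE", "CONTROL", "ALTER"}              # access levels that allow writing

# Constructed LISTUSER excerpt (OMVS segment shown for SWSUPP1 only).
LISTUSER_SAMPLE = """\
USER=RACFADM  NAME=RACF ADMINISTRATOR   OWNER=SYS1      CREATED=05.100
 DEFAULT-GROUP=SYS1     PASSDATE=10.150 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=SWSUPP1  NAME=SOFTWARE SUPPORT 1   OWNER=SYS1      CREATED=08.212
 DEFAULT-GROUP=SWSUPP   PASSDATE=10.160 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
OMVS INFORMATION
----------------
UID= 0000000000
HOME= /u/swsupp1
PROGRAM= /bin/sh
USER=SWSUPP2  NAME=SOFTWARE SUPPORT 2   OWNER=SYS1      CREATED=08.213
 DEFAULT-GROUP=SWSUPP   PASSDATE=10.160 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
"""

# Constructed access facts: (userid, user it may act as) from the SURROGAT class,
# and (userid, data set name, access level) from data-set profiles.
SURROGAT_SAMPLE = [("SWSUPP2", "RACFADM")]
DATASET_ACCESS_SAMPLE = [
    ("SWSUPP3", "RACFADM.EXEC", "UPDATE"),   # can plant code in the SPECIAL user's EXEC library
    ("SWSUPP4", "SWSUPP3.EXEC", "UPDATE"),   # one hop further back: writes SWSUPP3's EXEC library
    ("AUDIT1",  "RACFADM.EXEC", "READ"),     # read-only: not an escalation path
]


def parse_listuser(text):
    """Reduce a LISTUSER report to {userid: {"attributes": set, "uid": int or None}}."""
    users, current = {}, None
    for line in text.splitlines():
        m = re.match(r"USER=(\S+)", line)
        if m:
            current = m.group(1)
            users[current] = {"attributes": set(), "uid": None}
            continue
        if current is None:
            continue
        m = re.match(r"\s*ATTRIBUTES=(.*)", line)
        if m:
            attrs = set(m.group(1).split())
            attrs.discard("NONE")
            users[current]["attributes"] = attrs
            continue
        m = re.match(r"\s*UID=\s*(\d+)", line)
        if m:
            users[current]["uid"] = int(m.group(1))
    return users


def effective_privileged_users(users, surrogat, dataset_access):
    """Return {userid: sorted reasons} for every user privileged directly or transitively.
    Direct: SPECIAL/OPERATIONS/AUDITOR, or OMVS UID(0). Transitive: SURROGAT over a
    privileged user, or write access to a privileged user's own library (assumed to be
    any data set whose high-level qualifier is that user ID). Loops to a fixed point."""
    reasons = defaultdict(set)
    for userid, info in users.items():
        for attr in info["attributes"] & DIRECT_ATTRIBUTES:
            reasons[userid].add(attr)
        if info["uid"] == 0:
            reasons[userid].add("UID(0)")
    changed = True
    while changed:
        changed = False
        privileged = set(reasons)
        for actor, target in surrogat:
            if target in privileged:
                reason = f"SURROGAT of {target}"
                if reason not in reasons[actor]:
                    reasons[actor].add(reason)
                    changed = True
        for actor, dsn, level in dataset_access:
            owner = dsn.split(".")[0]          # assumption: HLQ == owning user ID
            if owner in privileged and level in WRITE_LEVELS:
                reason = f"{level} on {dsn}"
                if reason not in reasons[actor]:
                    reasons[actor].add(reason)
                    changed = True
    return {userid: sorted(r) for userid, r in reasons.items()}


def review(listuser_text, surrogat, dataset_access):
    """Convenience wrapper: parse the LISTUSER text, then compute the effective set."""
    return effective_privileged_users(parse_listuser(listuser_text), surrogat, dataset_access)


if __name__ == "__main__":
    for userid, why in sorted(review(LISTUSER_SAMPLE, SURROGAT_SAMPLE, DATASET_ACCESS_SAMPLE).items()):
        print(f"{userid:<8} {', '.join(why)}")
```

On the sample data the report lists five users, not the one SPECIAL user the SOX evidence would show: SWSUPP1 via UID(0), SWSUPP2 via SURROGAT, SWSUPP3 via UPDATE on RACFADM.EXEC and SWSUPP4 one hop behind him; AUDIT1 with READ only does not appear. Run against real extracts, the difference between this list and the list of SPECIAL users is exactly the gap the box-ticking audit never sees.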

Staying with System z for a moment, we can avoid this situation if we let the RACF Admins and z/OS Sysprogs dictate the controls required. The true vulnerabilities of the system should be tackled, the real threats deterred and the actual risks reduced.

Then we provide evidence upwards, with our hierarchy of documents and a decent control framework we can determine which technical controls contribute to which higher control objectives, and therefore we can demonstrate compliance with each standard, baseline or policy as necessary. If we do it right we can secure once, comply with many.

In short, top-down imposed compliance has not made us more secure. Only a bottom-up approach - informed by the policy but driven by the technology - will work.

We need to Secure for Compliance, not Comply for Security.

Friday, 28 May 2010

RACF Permissions in ITIM

Available now on the Pirean website is some new System z content, written by me, about the services Pirean provides for the mainframe platform. I'm passionate about the platform; System z is truly the "ideal server" and provides leading resilience, availability and security, and a host of other benefits ably described in this blog post from Jonathan Adams on the excellent MainframeZone.

Also on the Pirean System z page you will see a link to a PDF you can download describing the new adapter for Tivoli Identity Manager Pirean has created. I'm very proud of my role in this, and grateful to Stephen Swann and others for their TDI and TIM expertise without which the product would not have seen the light of day.

Wednesday, 19 May 2010

System z roadshow in Atlanta is Go!

I've made it to Atlanta. See you tomorrow for Mission Critical Workloads on z? Full details and registration available here, and see earlier blog post for sneak preview. Abstract from the agenda:
"In this seminar you'll see how Tivoli, StreamFoundry, and Pirean are delivering highly available Linux on System z platforms that support mission critical workloads and how you can develop your own cost effective solution". Looking forward to it.

Monday, 17 May 2010

Find out even more reasons to attend Pulse Comes to You, 27th May

Attend Pulse Comes to You and find out how IBM is making major changes to the IT landscape, and how you can be a part of that, at the Grange Hotel, St Paul's, in the heart of London on 27th May 2010.

And just announced—two-time Olympic gold medalist and co-star of the BBC series On Thin Ice, James Cracknell, will speak at PCTY UK 2010! Don't miss what promises to be an entertaining and inspirational presentation by one of Britain's most successful athletes.

Register via sponsors Pirean here and win an iPad!

Friday, 14 May 2010

Sneak Preview of my US tour next week

I'm off to the States on Monday to speak at an IBM roadshow, and talk about what good IT Security and Service Management looks like. Here's a sneak preview of the slideshow, showing what integrated service management looks like, (C) Pirean Ltd. 2010 all rights reserved.
Come see me in Minneapolis on Tuesday at IBM, 650 3rd Ave South and in Atlanta on Thursday at IBM, 4111 Northside Parkway.

More details and registration here .
See you there?

Monday, 10 May 2010

SaaS is the new TSO

Nice piece from my mate Dancing Dinosaur about SaaS on System z.

"Veteran mainframe data center managers were baffled when SaaS [...] appeared on the scene years ago. That’s what they had been doing for years, for decades, they would tell me. Only, it wasn’t called that then. How is it any different from time sharing, they would ask.

"Conceptually it isn’t very different. However, three things make it different enough: 1) the emergence of the Internet as a ubiquitous connecting fabric that everyone can use; 2) the browser as the universal client; and 3) the advent of services and service orientation. Previously monolithic code is now extracted as identifiable services and made accessible over the Internet via the browser following a requester-responder model. "

I'm not sure I would call myself a Veteran but I did raise an eyebrow or two when I read about some recent "advancements" in the fields of grid and cloud computing. DD's right, in many ways, cloud computing is very like mainframe time sharing (good old TSO), just much prettier. Which is why IBM have worked hard on System z in recent years to position it in the market as the perfect cloud provider. Even if you don't already own one.

Saturday, 8 May 2010

Join Pirean at Pulse Comes To You to understand more about our portfolio for Smarter Tivoli Solutions

A message from our CEO...
PCTY 2010 Pulse Comes to You Optimising the World's Infrastructure 27 May Grange St. Paul's Hotel, London

Join Pirean at Pulse Comes To You to understand more about our portfolio for Smarter Tivoli Solutions.

Register Now

On 27th May at The Grange St. Paul's Hotel in London, PULSE comes to the UK. To celebrate we're offering you the chance to get ahead of the pack and win an Apple iPad* when you register for the event at!

With a focus on helping organisations understand how to survive and thrive in today's difficult environment, Pulse Comes To You will showcase how you could minimise cost and drive greater efficiencies in your organisation. All facets of service management – hardware, software and services – will be covered. Join us and our clients as we share real life experiences of delivering business value with these solutions.

As proud sponsors, Pirean will be on hand to showcase an award winning portfolio of IBM Tivoli services and solutions that could help make your business achieve 'Smarter' End to End IT Service Management.

  • Hear from industry experts and share ideas with your peers
  • Hear from some of the key speakers from the Global Pulse 2010 conference held in Las Vegas – including Al Zollar, General Manager IBM Tivoli® Software
  • Hear what is actually happening in the UK market from an independent analyst speaker
  • Hear the real-live experiences from clients who are driving value with Integrated Service Management solutions.
  • Gain insight into product roadmaps and strategic direction
  • Network with IBM experts and Business Partners
Click below to join Pirean at PCTY2010 and for your chance to win an Apple iPad.

Register Now

We look forward to seeing you there!

Yours sincerely,


Stuart Wilson


*Terms and conditions apply, for more information visit

© Copyright IBM Corporation 2010. All Rights Reserved. IBM, the IBM logo,, Smarter Planet and the planet icons, and Tivoli are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at

Thursday, 15 April 2010

Staff ignore security policy to save time

Please do not change your password - The Boston Globe quotes from a Microsoft study that concludes that much of our security policy advice to users is pointless. In the article, Bruce Schneier is quoted as speculating that the employees knew following security policies would cut into their work time. They understood better than the IT department that the risks of not completing their assignments far outweighed any unspecified consequences of ignoring a security rule or three. “People do what makes sense and don’t do what doesn’t.”

This is just what I was talking about last month when I said that we should do more enabling and less eliminating. If you insist people use separate, strong passwords for every system they use without giving them a simple, secure means of storing and retrieving these passwords on demand wherever and whenever they are needed, then don't be surprised if they ignore the advice and/or write them down. It's gonna happen.

Tuesday, 23 March 2010

Low hanging fruit, outrunning lions and other cliches

It's a fallacy common outside the Infosec world (and to an extent within too, regrettably) that we need to totally lock down our systems and make them impenetrable. Hence the endless debates about optimum password length and strength, key length, multiple-factor authentication - often conducted online between two or more antagonists who swear they are "right", that there is a correct answer. Like we could, say, set all passwords to 14 characters including two each of upper, lower, numeric and national, at all times, cos that's optimal. Like when processing money over £100 we demand a one-time password from a token and two memorable dates. Job done, let's hit the pub.

But it's not like that. Authentication strength comes at a price, and that is usability. If your online bank requires three pieces of personal info, a token and an out of band communication (e-mail, phonecall) just to pay your overdue library fine then your customers will go elsewhere. However if you don't insist on all of these things when they wire £10k to a relative in Africa then they will rightly be suspicious that you are not protecting their money.

In truth, to stay competitive we have to walk a very narrow line between usability and security. Cybercriminals are mostly lazy individuals who go after "low hanging fruit". Make yourself harder to defraud than your immediate competitors and you will avoid a lot of trouble.

It's like an old joke: a safari jeep breaks down in the Serengeti, just a long lens away from a pride of hungry lions. The tour guide takes off his boots and starts putting on Nike running shoes. "You'll never outrun a lion in those" remarks a tourist. "No need," says the guide, "as long as I outrun you."

Thursday, 18 March 2010

System z "never been hacked"?

"I’m not personally aware of any instance where a mainframe has been hacked. However, I think the scarcity of such incidents is due more to a lack of technical expertise by would-be perpetrators than to the sound implementation of controls. [...] It used to be that only those relatively few users with TSO or ROSCOE could manipulate system files and execute routines that could harm the system, but with the introduction of OpenEdition MVS (now z/OS UNIX) and common TCP/IP-based network applications, many organizations, some unknowingly, have opened their systems to a much broader user base, including clients and business partners. This increased connectivity is unfortunately coupled with a lack of upkeep on RACF controls. Newer z/OS capabilities either aren’t being protected or fall under the scope of older, less stringent control settings. "
So said noted System z Security expert Bob Hansel to Stan H. King in the January edition of z/Journal - The Resource for Users of IBM Mainframe Systems.

What about your system? RACF is impenetrable, isn't it? Well, the article begins with the comforting revelation that in a trawl through news archives and trade journals: "When it came to unauthorized mainframe access by outside hackers, there wasn’t a single published report among nearly 850 full-text documents published over the last decade". Nice. But are we relying on Security through Obscurity? Has System z "never been hacked" because of its relative reticence on the global stage, its shy retiring nature well behind the corporate firewall and the comparatively closed shop of MVS/RACF experts looking after it worldwide? As that changes, and z owners exploit Unix System Services and Linux for z, will we find we're behind the curve, that the script-kiddies catch up with us and - worst case - they know more about security on the New Mainframe than we do?

Tuesday, 16 March 2010

Human Factors again...

"Hands up all those who have actually received proper Outlook training and/or email etiquette or management training? People still don’t know how to set up sharing of permissions in the folder listing rather than handing over access to their whole Inbox" says Andrea Simmons on the BCS Security Blog in response to the Human Factors in Information Security (HFIS) conference held in February. So true. I know I keep bleating on about it but while you're busy installing two-factor authentication in your payments application your staff are losing, sharing and deleting information through basic lack of awareness and skills, and failures of responsibility and accountability.

While you're patching IE and blocking Facebook, staff are e-mailing each other huge files of customer data because you have not
a) told them it's wrong
b) enabled effective collaboration through legitimate tools
c) prevented the sharing of data through illegitimate channels.

Educate (the right and wrong ways), enable (the right way), eliminate (the wrong way). Too many security managers do the last point without the first two, which is why they find it so hard.

Monday, 15 March 2010

Anti-Virus and why it's dying...

This worrying report suggests that AV vendors are missing the point, writing signatures for specific exploits rather than detecting exploitation of the underlying vulnerabilities. Further proof, if any were needed, that defence against cyber attack needs a holistic approach blending everything from policy and people management through perimeter defences down to intrusion detection, malware detection, patching, good application software controls, removable media controls and incident response. We have to get in a room and plan the whole thing. AV is not dead but it is no longer the big gun of our defences as it once was. Quoting Schneier: "antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective". But it's clear that holistic security, as discussed back in 2008 by IBM, is an approach whose time has definitely come.

Get IE8 Now!

If (like me) you just can't live without Internet Explorer - and in my case I've got an excuse, as I have a sideline in websites for friends and organisations so I need to prove they work on the world's most popular browser - there's never been a better time to upgrade to IE8.
Protecting against the Internet Explorer zero day vulnerability | Graham Cluley's blog. There are workarounds for IE6 and 7 users, but I don't see why anyone should delay getting IE8. I appreciate there are corporate managed desktops out there and rolling out non-disruptive upgrades to these is tricky, but guys, you've now had 12 months, get it delivered.

Thursday, 11 March 2010

Smarter Tivoli - Managing Compliance on Z

"System z is now a hugely resilient, massively scalable and highly secure server architecture. Native security controls are very strong and resistant to attack, but notoriously difficult both to administer and with which to demonstrate compliance with regulations....."
Read the rest here: Smarter Tivoli - Managing Compliance on Z at, free registration required.

Saturday, 27 February 2010

Sigh... Italian judge makes analogue decision in digital age...

The recent decision by a Milan court to convict three Google executives for violating the privacy of a child with Down's syndrome whose abuse was posted on YouTube (see The Guardian's editorial) is depressing but may just be a footnote in history if the Italian government wakes up to its responsibilities under EU law before it has to be reminded. This decision is at odds with the EU E-Commerce Directive (2000/31/EC), which was specifically drafted to give hosting providers a safe harbour from liability so long as they remove illegal content once they are notified of its existence, which Google appears to have done, although some are claiming not soon enough.

Whatever, if hosts can be held liable for the content they host then not only do we in the developed and politically stable world lose our favourite work-day pastimes, but the less fortunate in repressive states lose a big tool of democracy. Here's hoping the Italians realise their mistake before less enlightened regimes decide to follow suit.

Friday, 19 February 2010

Buzz lightyears behind?

Google Acknowledges Privacy Issues With Buzz - DarkReading. How disappointing then, that internet giant Google failed so badly to consider security paramount in the design of its new social media app "Buzz". I thought we'd got the message out there, this Homeland Security article was published in 2006 and the mantra "design-in security" goes back far further in the tech community at large.

Google is a great innovator, and the projects they began in-house (their search engine, toolbar and mail service for example) are usually excellent, but with Buzz they seem to be jumping on a bandwagon and doing so too hastily.

While I'm on the subject, Facebook's privacy controls are now an unholy mess. Beware if you use any social media for business, get informed about what you are revealing to the world.

Monday, 1 February 2010

Encourage data security or pay the penalty

The Information Commissioner's office has released details of 800 data security breaches (PDF) reported to it in the last two years. The office is warning that tougher sanctions will follow for organisations that fail to report breaches that subsequently come to light.

Also, the ICO announces in the same press release the increased sanctions applicable to personal data breaches - up to £500,000 for the most serious offences.

Time to review your organisation's handling of laptops and removable media?

In my experience, organisations spend a lot of time and effort on technical data-loss prevention (DLP) solutions while missing the point - that employees don't really want to take data home on a memory stick, but they have no choice. If they were empowered with secure access to their data while away from the office they wouldn't actually need to take anything with them on a thumb drive. Ensure the laptop hard drive is encrypted and protected by a boot-time logon, sure, but if you spend some time and effort on properly enabling remote access to your servers, providing synchronisation and collaboration tools and remote access to e-mail, and keep the servers up 24/7, then your employees will be less inclined to take data home on sticks and disks.

And even more important is connecting your geographically diverse business units. To fail to connect two closely related but separately located departments electronically, such that they have to send CDs to each other (as happened in the UK government's child benefit data loss), is just criminal.

Practical security starts with enabling good behaviour through technology, do that and you'll have less bad behaviour to deal with.

Thursday, 28 January 2010

Cloud Nine... er seven

Infoworld have summarised Gartner's assessment of cloud computing security, listing the seven deadly risks of cloud computing. Key among them is number two on the list, Regulatory Compliance. Why indeed would you insist that your traditional service providers comply with regulations and undergo compliance audits, without subjecting cloud service providers to the same level of scrutiny? Indeed you might find you are bound to do so by the regulations in your industry.

Also one of the many perceived benefits of the cloud is availability and resilience of service, but are your cloud service provider's DR capabilities good enough? Are your data, transaction logs and applications all co-located, or are they stored and hosted in multiple, geographically diverse locations? Do they do DR at least as good as you could with traditional architecture?

Practically speaking, does your cloud provider introduce unacceptable security risks?