My NonStop system is hack-proof?

This Guest Blog is written by Thomas Burg, CTO of comForte, a leading provider of security solutions for HP NonStop systems. This is part of the TIC blog series on A.I.M. (“Assess”, “Innovate”, “Modernize“). This particular article focuses on “Assessing your Security”.

How secure is your NonStop?

While there is a plethora of publicized stories about other platforms being breached, there is no public record of a HPE NonStop system being breached. Given the high value of the typical data stored on a NonStop system (credit card transaction logs, healthcare data, high-value financial transactions) this seems somewhat surprising. So why is it that no NonStop system has been hacked?

The writer of these lines thinks it is a combination of obscurity of the platform as well as the fact that so far other platforms have been so much easier to breach. However, this should not become a reason for complacency: with increasing regulatory pressure (PCI, HIPAA, …) other platforms are made more secure which might have attackers reconsider which platforms to target in the first place. For an outsider, there are powerful hacking tools such as ‘nmap’ which will allow them to fully map the server landscape and then go after targets; for an insider the presence of NonStop is often fully known.

“We’ll never get hacked”

The web site http://www.privacyrights.org/data-breach lists publicized data breaches since 2005. These days, there is a about a breach per day (!) – most probably the companies having joined this ‘list of shame’ did not exactly plan to get this kind of publicity.

Why are we seeing so much more incidents? First, the tools for an attacker have become more and more sophisticated over the years: these days it is rather common for an attack to consist of multiple stages. Starting with discovery, typically at first a single PC is ‘taken over’ and can then be remote-controlled from the attacker for long period of times. From that PC, other PCs and/or servers are then attacked and taken over – making defense much harder. Second, the attackers themselves are becoming more as well as better organized. Cyber-crime is relatively low risk and high reward; also these days there is more and more state-sponsored cyber crime.

All that said, there are reasons why well-written security standards (such as PCI) implement “defense in depth”, namely a combination of security practices which ensure the best possible security even if individual components have already been broken. If defense in depth is properly implemented, the unfortunate victims of attacks such as The New York Times, Sony or RSA would not have been under “enemy remote control” for extended period of times.

“I don’t have the time/budget to do all this”

Unfortunately, the bad guys out there have all the time in the world and your data is virtual money to them. So, think again! Think about your total yearly budget for running your NonStop system – just adding a small percentage to better secure the system will in time go a long way on the journey towards better security.

Applying defense in depth to NonStop security

Here are several security concepts which all should be part of properly securing a NonStop system:

• Have a security policy in place. Live the policy

• Have a firewall in place between your PCs and your NonStop system.

• Encrypt all network traffic to/from your NonStop system

• Run network-based intrusion detection systems with the sensor being close to the NonStop system

• Use Safeguard. Put proper ACLs in place for critical files

• Ensure security-relevant events of your NonStop system are logged to a central logging system (SIEM)

• Have an active alerting system which reacts to relevant events (repeated password failure for any user, specifically for SUPER users)

• Track SUPER user usage

• Record keystrokes of users (ideally all, at least SUPER user group)

• Have secure passwords. Change them regularly

• Have periodic security audit. Ideally, these are not only “paper audits” but include penetration testing

Feedback please

Do you find this blog helpful? Let us know what you think, and how we can make it even better. Don’t forget, you can subscribe to our blogs to get automatic email notification when a new blog is available.

Thomas Burg has an extensive background in systems programming, networking, and security. For more than 30 years, Thomas has worked with a range of computing platforms, including Windows, UNIX, and HP NonStop. Burg is Chief Technology Officer for comForte, a software vendor specializing in security, connectivity, and modernization solutions for the HP NonStop market. At comForte, he has helped guide the company’s strategic product direction and orchestrated a range of technology initiatives, such as the company’s SSL/SSH encryption suite, which was ultimately adopted by HP within the NonStop OS.

TIC Software, a New York-based company specializing in software and services that integrate NonStop with the latest technologies, including Web Services, .NET and Java. Prior to founding TIC in 1983, Phil worked for Tandem Computer in technical support and software development.