Hiperstation Application Audit: Privileged User or Insider Risk?
Steven D Murray and Charlie Foord

Upload: compuware
Post on 16-Jul-2015

TRANSCRIPT

Page 1

Hiperstation Application Audit:
Privileged User or Insider Risk?

Steven D Murray and Charlie Foord

Page 2

DATA SECURITY LANDSCAPE

Stephen D Murray

Page 3

Privileged Users

• Privileged users are employees with high levels of authority over the company’s technology

• Include:

– Database administrators

– Developers

– Support technicians

– Operations individuals

– Client-facing personnel

– Back office staff

– Contractors or other third party partners

– And more!

Page 4

Privileged User Data Access

• 25% of employees have unnecessary privileged access to company data¹

• Typically results from:

– Membership in group with privileged access; receive authority by default

– Role changes; retain access that is no longer required

• Unnecessary privileged access can leave companies open to insider risk of data breaches

¹ Privileged User Abuse & The Insider Threat, commissioned by Raytheon Company from Ponemon Institute LLC, May 2014

Page 5

Types of Insider Risk

1. Fraudulent use of data

– Profits individual committing fraud

– Most common type of insider risk

2. Malicious exposure of data

– Goal = damage company

– Typically committed by disgruntled employees

Page 6

Types of Insider Risk

3. Inappropriate use of data

– Information collected without malice but outside of role

– Example: employee views famous customer’s shopping habits for amusement

4. Inadvertent data exposure (blagging/pretexting)

– Information learned through role, but inadvertently shared with external individuals

– Example: employee unintentionally reveals too much internal information to journalist while trying to be helpful

Page 7

The Risk Is Real

April 3, 2014: BBC News reports Scottish police officers are being investigated for breaching data protection laws whilst on duty

• Six individuals convicted in 2013

• 55 other open cases

“It would be a ‘major concern’ if information were passed to criminals”

- Labour's Justice spokesman

Page 8

The Risk Is Real

Nearly 2,500 breaches of confidentiality by NHS each year¹

EXAMPLES

Number of Cases   Result
50                Data posted on social media
103               Data lost or stolen
236               Data shared via email, letter or fax
251               Data inappropriately shared with third party

¹ According to an investigation by a privacy campaign group. BBC, November 2014.

Page 9

The Threat: Privileged User Abuse

Source: Raytheon White Paper

Page 10

Combating the Risk

• Limit number of privileged users

– More users = higher risk

– Avoid blanket rights

– Modify rights when roles change

• Periodically review security rules and enforcement

• Continually educate staff on data protection and risks of exposing information

• Insure yourself with Application Auditing

Page 14

Application Auditing

• Monitors applications to ensure security and data integrity

• “Big Brother” connotation, but actually protects employees and company by keeping record of activities

• Deters individuals from committing fraud by increasing likelihood of being caught

– Decreases malicious risk

• Protects data security


Page 18

Application Auditing Benefits

• Provides insight into actual application use

– Actual use might differ from IS’s perception

– Better design future maintenance and development plans that reflect actual usage

• Can provide forensic evidence for court cases if data breach occurs

– Logs show what was exposed, by whom and when

• Helps customer support reps solve problems faster

– No longer need to recreate client’s problem

– View log to see issues leading up to and occurring during error

• Identify patterns by setting up automated search to proactively look for issues before they occur

Page 19

USE CASE: FRAUD

Charlie Foord

Page 20

Use Case: Fraud

• Charlie (telesales rep) takes phone order

– Uses CICS application to enter name, address, product, quantity and credit card details

Page 21

Use Case: Fraud

• One day later, police contact company with claim that credit card was used fraudulently

• Police know credit card number and that it was used at company

• Doug (company security manager) is asked to investigate:

– Who took order within company

– What details were captured

– When order was placed

– Any other relevant details available

Page 22

Use Case: Fraud

• Doug accesses Hiperstation, which audits all mainframe applications including the order processing CICS system

Page 23

Use Case: Fraud

• Leverage Hiperstation’s application auditing component to search for specific order by choosing audit file from day that order was placed and entering credit card number into search string

Page 24

Use Case: Fraud

• Search shows session that used credit card with exact screen and order details including who placed order and when

• Company can also provide audio logs of call from here

[Screenshot: session using credit card number, with the credit card number and the employee who took the order highlighted]

Page 25

Use Case: Fraud

• Report also shows second session using same credit card number

Page 26

Use Case: Fraud

• Second order details show Steven (another telesales rep) used same credit card to process this order

• Proved that Charlie was innocent

• Information and audio logs for both sessions can be provided to police

[Screenshot: second session using credit card number]

Page 27

Use Case: Fraud

• Using Hiperstation, security manager can document sessions

Page 28

Use Case: Fraud

• Simple PDF captures all relevant data

• Can be leveraged in police investigation and as forensic evidence in court

Page 29

USE CASE: IMPROVING EMPLOYEE EFFICIENCY

Charlie Foord

Page 30

Use Case: Increasing Employee Efficiency

• While investigating fraud case, Doug noticed Steven uses twice as many screens as Charlie

– Steven’s transactions are more resource intensive and use more CPU than other employees’

Page 31

Use Case: Increasing Employee Efficiency

• Doug investigates further and sees error messages on each of Steven’s screens prompting him to enter another field

• Rather than filling out screen completely and pressing <enter>, Steven uses <enter> like <tab>, increasing required resources to execute transaction

• Lazy practices cause extra transactions to run

• Doug can now train Steven on how to more efficiently enter orders

Page 32

USE CASE: IDENTIFYING AND SOLVING PROBLEMS

Charlie Foord

Page 33

Use Case: Identifying and Solving Problems

• Doug also noticed that Steven experienced system failure

• Can set up search on “abend” to locate error

Page 34

Use Case: Identifying and Solving Problems

• Results show screens prior to abend and details on what product was being ordered

• Can investigate data validity

• Helps quickly diagnose problems

[Screenshot: screen prior to abend]
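An added example, not Hiperstation's own code or audit-file format, showing the three lookups the use cases walk through: the fraud search by card number (pages 20-28), the screens-per-session comparison (pages 30-31) and the "screens prior to abend" search (pages 33-34), run over a constructed pipe-delimited session log. The record layout, the user names and the card number (a standard test number) are assumptions; results carry only the masked card so the report itself does not spread the full number.

```python
from collections import defaultdict

# Constructed sample records (assumed format, fake users, a test card number):
# one captured screen per line, ts|session|user|screen|data.
AUDIT = """\
2015-07-01T09:02:11|S1001|CHARLIE|ORDER|CARD=4111111111111111;QTY=2;PROD=TV
2015-07-01T09:02:40|S1001|CHARLIE|CONFIRM|OK
2015-07-01T11:15:03|S1002|STEVEN|ORDER|ERR=QTY REQUIRED
2015-07-01T11:15:09|S1002|STEVEN|ORDER|ERR=PROD REQUIRED
2015-07-01T11:15:20|S1002|STEVEN|ORDER|CARD=4111111111111111;QTY=1;PROD=PHONE
2015-07-01T11:15:31|S1002|STEVEN|CONFIRM|ABEND ASRA
"""

def parse(text):
    keys = ("ts", "session", "user", "screen", "data")
    return [dict(zip(keys, line.split("|", 4))) for line in text.splitlines()]

def mask(card):
    """Never copy a full card number into a report; keep the last four digits."""
    return "*" * (len(card) - 4) + card[-4:]

def sessions_using_card(recs, card):
    """Fraud case: every session that captured the card, with who and when."""
    hits = {}
    for r in recs:
        if f"CARD={card}" in r["data"]:
            hits.setdefault(r["session"], (r["user"], r["ts"], mask(card)))
    return hits

def screens_per_session(recs):
    """Efficiency case: screens and validation errors per session and user."""
    stats = defaultdict(lambda: {"user": None, "screens": 0, "errors": 0})
    for r in recs:
        s = stats[r["session"]]
        s["user"] = r["user"]
        s["screens"] += 1
        s["errors"] += int(r["data"].startswith("ERR="))
    return dict(stats)

def screens_before_abend(recs, n=2):
    """Abend case: the n screens leading up to each abend, keyed by session."""
    by_session = defaultdict(list)
    for r in recs:
        by_session[r["session"]].append(r)
    return {sess: [x["screen"] for x in rs[max(0, i - n):i]]
            for sess, rs in by_session.items()
            for i, r in enumerate(rs) if "ABEND" in r["data"]}
```

Searching the card finds both sessions, the second one showing a different user, which is exactly what cleared Charlie in the deck's walkthrough; the same parsed records answer the screen-count and abend questions without a second pass over the audit file.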

Page 35

Additional Benefits of Hiperstation

• Don’t have to be skilled on mainframe to identify issues or gather information within Hiperstation

• Didn’t need ISPF or 3270 screens to process initial fraud request

• All of these features are inherent functions of Hiperstation

Page 36

Application Auditing with Hiperstation

• Is not Big Brother

• Deters fraud and malicious acts

• Ensures data security as breaches can be found and dealt with quickly and effectively, minimizing impact on reputation and finances

• Facilitates understanding of actual application usage that can be used to improve user experience and for future development

• Provides forensic evidence for court cases as needed

• Enables customer support to resolve client issues without recreating problem

• Gain information needed to react to events and set up proactive searches for breaches

Page 37

Hiperstation Application Auditing

• Allows companies to protect privileged users and reduce insider risk of data breaches

Page 38