Hiperstation Application Audit:
Privileged User or Insider Risk?
Steven D Murray and Charlie Foord
DATA SECURITY LANDSCAPE
Stephen D Murray
Privileged Users
• Privileged users are employees with high levels of authority over a company’s technology
• Include:
– Database administrators
– Developers
– Support technicians
– Operations individuals
– Client-facing personnel
– Back office staff
– Contractors or other third party partners
– And more!
Privileged User Data Access
• 25% of employees have unnecessary privileged access to company data¹
• Typically results from:
– Membership in a group with privileged access; authority received by default
– Role changes; access retained that is no longer required
• Unnecessary privileged access can leave companies open to insider risk of data breaches
¹ Privileged User Abuse & The Insider Threat, commissioned by Raytheon Company from Ponemon Institute LLC, May 2014
Types of Insider Risk
1. Fraudulent use of data
– Profits individual committing fraud
– Most common type of insider risk
2. Malicious exposure of data
– Goal = damage company
– Typically committed by disgruntled employees
Types of Insider Risk
3. Inappropriate use of data
– Information collected without malice but outside of role
– Example: employee views famous customer’s shopping habits for amusement
4. Inadvertent data exposure (e.g. through blagging/pretexting)
– Information learned through role, but inadvertently shared with external individuals
– Example: employee unintentionally reveals too much internal information to journalist while trying to be helpful
The Risk Is Real
April 3, 2014: BBC News reports Scottish police officers are being investigated for breaching data protection laws whilst on duty
• Six individuals convicted in 2013
• 55 other open cases
“It would be a ‘major concern’ if information were passed to criminals”
– Labour's Justice spokesman
The Risk Is Real
Nearly 2,500 breaches of confidentiality by the NHS each year¹
Examples:
Number of cases | Result
50              | Data posted on social media
103             | Data lost or stolen
236             | Data shared via email, letter or fax
251             | Data inappropriately shared with third party
¹ According to an investigation by a privacy campaign group. BBC, November 2014.
The Threat: Privileged User Abuse
Source: Raytheon White Paper
Combating the Risk
• Limit number of privileged users
– More users = higher risk
– Avoid blanket rights
– Modify rights when roles change
• Periodically review security rules and enforcement
• Continually educate staff on data protection and risks of exposing information
• Insure yourself with Application Auditing
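The two causes of unnecessary privileged access given earlier (authority received by default through group membership, and access retained after a role change) and the controls on this slide (avoid blanket rights, modify rights when roles change, periodically review) can be checked mechanically. The Python below is an added example, not from the presentation and not a Hiperstation feature: it runs one periodic access review over a constructed HR roster and privileged-group export. The role names, group names, users and dates are all invented for the example; a real review would read the roster from HR and the export from the directory or RACF/LDAP.

```python
from datetime import date

# Constructed for this example: which privileged groups each role needs.
# Group and role names are invented, not taken from any real system.
ROLE_ENTITLEMENTS = {
    "DBA": {"DB2-ADMIN", "PROD-READ"},
    "DEVELOPER": {"PROD-READ"},
    "SUPPORT": {"PROD-READ"},
    "TELESALES": set(),
}

# Constructed HR roster: user -> (current role, date of last role change).
ROSTER = {
    "ALICE": ("DBA", date(2012, 3, 1)),
    "BOB": ("TELESALES", date(2014, 1, 15)),   # moved here from SUPPORT
    "CAROL": ("DEVELOPER", date(2013, 6, 1)),
    "DAVE": ("SUPPORT", date(2013, 9, 10)),
}

# Constructed privileged-group export: (group, user, date granted).
MEMBERSHIP = [
    ("DB2-ADMIN", "ALICE", date(2012, 3, 2)),
    ("PROD-READ", "ALICE", date(2012, 3, 2)),
    ("PROD-READ", "BOB", date(2013, 2, 1)),    # granted as SUPPORT, never revoked
    ("DB2-ADMIN", "CAROL", date(2013, 6, 1)),  # blanket right beyond DEVELOPER's needs
    ("PROD-READ", "DAVE", date(2013, 9, 11)),
    ("PROD-READ", "ERIN", date(2013, 11, 5)),  # ERIN has left; not on the roster
]


def review_privileged_access(entitlements, roster, membership):
    """One review cycle: every membership the holder's current role does not
    justify, as (user, group, reason) tuples in export order."""
    findings = []
    for group, user, granted in membership:
        if user not in roster:
            findings.append((user, group, "leaver: not on roster"))
            continue
        role, role_changed = roster[user]
        if group in entitlements.get(role, set()):
            continue  # legitimately required by the current role
        if granted < role_changed:
            reason = "retained after role change on " + role_changed.isoformat()
        else:
            reason = "not required by role " + role
        findings.append((user, group, reason))
    return findings


def share_with_unnecessary_access(membership, findings):
    """Fraction of privileged-group members with at least one finding
    (the kind of figure behind the 25% statistic on the earlier slide)."""
    members = {user for _, user, _ in membership}
    flagged = {user for user, _, _ in findings}
    return len(flagged) / len(members) if members else 0.0


if __name__ == "__main__":
    found = review_privileged_access(ROLE_ENTITLEMENTS, ROSTER, MEMBERSHIP)
    for user, group, reason in found:
        print(f"REVOKE {group} from {user}: {reason}")
    print(f"{share_with_unnecessary_access(MEMBERSHIP, found):.0%} of members flagged")
```

The grant date versus role-change date is what separates the two causes on the earlier slide: a grant older than the current role is access carried over from a previous job, while a grant the role never justified is a blanket right. Leavers still present in the group export are the third, and most urgent, finding.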
Application Auditing
• Protects data security
• Deters individuals from committing fraud by increasing likelihood of being caught
– Decreases malicious risk
• Monitors applications to ensure security and data integrity
• “Big Brother” connotation, but actually protects employees and company by keeping a record of activities
Application Auditing Benefits
• Provides insight into actual application use
– Actual use might differ from IS’s perception
– Better design future maintenance and development plans to reflect actual usage
• Can provide forensic evidence for court cases if a data breach occurs
– Logs show what was exposed, by whom and when
• Assists customer support reps in solving problems faster
– No longer need to recreate client’s problem
– View log to see issues leading up to and occurring during error
• Identify patterns by setting up automated searches to proactively look for issues before they occur
USE CASE: FRAUD
Charlie Foord
Use Case: Fraud
• Charlie (telesales rep) takes phone order
– Uses CICS application to enter name, address, product, quantity and credit card details
Use Case: Fraud
• One day later, police contact company with claim that credit card was used fraudulently
• Police know credit card number and that it was used at company
• Doug (company security manager) is asked to investigate:
– Who took order within company
– What details were captured
– When order was placed
– Any other relevant details available
Use Case: Fraud
• Doug accesses Hiperstation, which audits all mainframe applications including the order processing CICS system
Use Case: Fraud
• Leverage Hiperstation’s application auditing component to search for the specific order by choosing the audit file from the day the order was placed and entering the credit card number into the search string
Use Case: Fraud
• Search shows the session that used the credit card, with exact screen and order details including who placed the order and when
• Company can also provide audio logs of the call from here
[Screenshot: session using the credit card number, with the credit card number and the employee who took the order highlighted]
Use Case: Fraud
• Report also shows second session using same credit card number
Use Case: Fraud
• Second order details show Steven (another telesales rep) used the same credit card to process this order
• Proved that Charlie was innocent
• Information and audio logs for both sessions can be provided to police
[Screenshot: second session using the credit card number]
Use Case: Fraud
• Using Hiperstation, the security manager can document sessions
Use Case: Fraud
• Simple PDF captures all relevant data
• Can be leveraged in police investigation and as forensic evidence in court
USE CASE: IMPROVING EMPLOYEE EFFICIENCY
Charlie Foord
Use Case: Increasing Employee Efficiency
• While investigating the fraud case, Doug noticed Steven uses twice as many screens as Charlie
– Steven’s transactions are more resource intensive and use more CPU than other employees’
Use Case: Increasing Employee Efficiency
• Doug investigates further and sees error messages on each of Steven’s screens prompting him to enter another field
• Rather than filling out the screen completely and pressing <enter>, Steven uses <enter> like <tab>, increasing the resources required to execute the transaction
• Lazy practices cause extra transactions to run
• Doug can now train Steven on how to enter orders more efficiently
USE CASE: IDENTIFYING AND SOLVING PROBLEMS
Charlie Foord
Use Case: Identifying and Solving Problems
• Doug also noticed that Steven experienced a system failure
• Can set up a search on “abend” to locate the error
Use Case: Identifying and Solving Problems
• Results show the screens prior to the abend and details of what product was being ordered
• Can investigate data validity
• Helps quickly diagnose problems
[Screenshot: screen prior to abend]
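The three use cases come down to queries over per-screen session records: find every session in which a given card number was keyed and report who and when (and notice the second session), compare screens and validation errors per user, and locate sessions that abended together with the screens that preceded the failure. The Python below is an added example, not Hiperstation code and not taken from the presentation; Hiperstation's real audit file format is not on the page and is not reproduced. The pipe-delimited record format, session ids, user names, screen messages, HMAC key and the 4111 1111 1111 1111 test card number are all constructed. It goes one step beyond the slides on purpose: the collector stores a keyed hash and a masked form of the card number instead of the clear number, so the audit file can still be searched by card number without itself becoming a store of clear card data, which PCI DSS requires to be unreadable wherever it is stored.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed key for the card-number token; in production this lives in a KMS/HSM.
HMAC_KEY = b"example-audit-token-key"

# Constructed log, one record per 3270 screen exchange:
# timestamp|session|user|transaction|screen message|card number keyed on that screen
# 4111111111111111 is the standard Visa test number, used here only as sample data.
AUDIT_LOG = """\
2014-04-01T09:12:04|S1001|CHARLIE|ORD1|Order entry: WIDGET-10 x1|4111111111111111
2014-04-01T09:12:40|S1001|CHARLIE|ORD1|Order accepted|
2014-04-01T10:31:11|S1002|STEVEN|ORD1|Order entry: WIDGET-10 x2|
2014-04-01T10:31:15|S1002|STEVEN|ORD1|ERROR: ADDRESS REQUIRED|
2014-04-01T10:31:22|S1002|STEVEN|ORD1|ERROR: CARD NUMBER REQUIRED|
2014-04-01T10:31:30|S1002|STEVEN|ORD1|Order accepted|4111111111111111
2014-04-01T11:02:02|S1003|STEVEN|ORD1|Order entry: GADGET-7 x1|
2014-04-01T11:02:09|S1003|STEVEN|ORD1|ERROR: QUANTITY REQUIRED|
2014-04-01T11:02:20|S1003|STEVEN|ORD1|TRANSACTION ORD1 ABENDED|
"""


def card_token(pan: str) -> str:
    """Keyed hash of a card number: searchable by number, not recoverable from the log."""
    return hmac.new(HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Last four digits only, the form a report or PDF may show."""
    return "*" * (len(pan) - 4) + pan[-4:]


def parse_log(text: str) -> list:
    """Parse the pipe-delimited records, replacing any clear card number with token + mask."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, user, tran, message, pan = line.split("|")
        records.append({
            "ts": ts, "session": session, "user": user, "tran": tran,
            "message": message,
            "card_token": card_token(pan) if pan else None,
            "card_masked": mask_pan(pan) if pan else None,
        })
    return records


def group_by_session(records: list) -> dict:
    """Screens grouped by session id, preserving log order within each session."""
    sessions = defaultdict(list)
    for r in records:
        sessions[r["session"]].append(r)
    return sessions


def find_sessions_by_card(records: list, pan: str) -> list:
    """Fraud use case: every session in which this card was keyed, with who and when."""
    token = card_token(pan)
    hits = []
    for sid, screens in sorted(group_by_session(records).items()):
        if any(s["card_token"] == token for s in screens):
            hits.append({"session": sid, "user": screens[0]["user"],
                         "start": screens[0]["ts"], "end": screens[-1]["ts"],
                         "card": mask_pan(pan)})
    return hits


def screens_per_user(records: list) -> dict:
    """Efficiency use case: sessions, screens and field-validation errors per user.
    Several ERROR screens per session is the <enter>-used-as-<tab> pattern."""
    stats = defaultdict(lambda: {"sessions": 0, "screens": 0, "errors": 0})
    for screens in group_by_session(records).values():
        u = stats[screens[0]["user"]]
        u["sessions"] += 1
        u["screens"] += len(screens)
        u["errors"] += sum(s["message"].startswith("ERROR:") for s in screens)
    return dict(stats)


def sessions_with_abend(records: list, keyword: str = "ABEND") -> list:
    """Problem-solving use case: sessions that abended, plus the screens before the failure."""
    found = []
    for sid, screens in sorted(group_by_session(records).items()):
        for i, s in enumerate(screens):
            if keyword in s["message"].upper():
                found.append({"session": sid, "user": s["user"], "ts": s["ts"],
                              "abend": s["message"],
                              "prior_screens": [p["message"] for p in screens[:i]]})
                break
    return found


RECORDS = parse_log(AUDIT_LOG)

if __name__ == "__main__":
    for hit in find_sessions_by_card(RECORDS, "4111111111111111"):
        print("card hit:", hit)
    print("per user:", screens_per_user(RECORDS))
    print("abends:", sessions_with_abend(RECORDS))
```

Run against the constructed log, the card search returns Charlie's session and Steven's second session for the same number, the per-user counts show Steven's extra screens are almost all validation errors, and the abend search returns the product screen and the error that preceded the failure. Whatever the real tool stores, the audit file is itself privileged data: it holds everything every user keyed, so access to it needs the same restriction and logging as the applications it records.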
Additional Benefits of Hiperstation
• Don’t have to be skilled on mainframe to identify issues or gather information within Hiperstation
• Didn’t need ISPF or 3270 screens to process initial fraud request
• All of these features are inherent functions of Hiperstation
Application Auditing with Hiperstation
• Is not Big Brother
• Deters fraud and malicious acts
• Ensures data security, as breaches can be found and dealt with quickly and effectively, minimizing impact on reputation and finances
• Facilitates understanding of actual application usage that can be used to improve user experience and for future development
• Provides forensic evidence for court cases as needed
• Enables customer support to resolve client issues without recreating the problem
• Gain the information needed to react to events and set up proactive searches for breaches
Hiperstation Application Auditing
• Allows companies to protect privileged users and reduce the insider risk of data breaches