Will it Go Round in Circles?

You may remember me from such hits as renaming NonStop TM/MP back to NonStop TMF or promoting RDF/ZLT (Zero Lost Transactions). You might remember my PowerPoint slide stating, “Like Cheerios are part of a complete breakfast, workforce recovery is part of a complete disaster recovery plan.” Or you might just remember me from Mr. Ed.

Along with many of the HP NonStop product managers, I took an enhanced retirement package from HP in 2005 and became a gold badge retiree. But I haven’t been as retired as I would have hoped.

Switching between business continuity and security (or sometimes both at the same time), I’ve worked for SanDisk, Citrix, NetApp, Sungard Availability Services, and am now a global enablement specialist for Micro Focus.

But no matter where I worked, I couldn’t seem to make a clean break from my old Tandem days. At NetApp I was responsible for marketing their encrypted enterprise storage – which supports HPE NonStop. I was hired as the workplace recovery product manager at Sungard Availability Services, which offers recovery services for HPE NonStop. And even though Micro Focus hired me primarily as a security practitioner, I was given host connectivity as a backup domain, which includes 6530 terminal emulation.

So here I am, eleven years later – and no matter what Compaq tried to do, NonStop and other mainframes are not yet dead. In fact, according to SHARE, coming to San Jose from March 5-10, 96 of the world’s top 100 banks, 23 of the 25 top US retailers, and 9 of 10 of the world’s largest insurance companies are running on mainframes and over 30 billion business transactions per day are processed on them.

Unlike my days in Cupertino, work is now an activity, not a place; and I can do my job just about anywhere in the world, either on the web or on mobile devices. I might even be supported by IoT (Internet of things) appliances. But mainframes, including HPE NonStop servers, don’t talk to most of these devices and lack the security required by the payment card industry (PCI DSS) and the European Union (GDPR), and other industry and government regulations. This leads to a rich NonStop partner ecosystem including companies like CAIL, Carr Scott, comForte, ETI-Net, GoldenGate (now part of Oracle) Gravic, Xypro, and many more.

As I have said many times, security is a lot more than a software package. Companies need policies and procedures in place which let their employees know what is, and is not acceptable behavior. But more than that, companies need exicitin’ training to let their employees know why these policies exist in the first place. In the early days of Tandem HR, Jimmy said that their policies should be printed on grey paper since most of them addressed grey areas.

Changing my password every 30 days is certainly grey as there is no proof that doing that increases security. In fact, evidence suggests that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. But password guessing is not really a problem. Phishing, which encourages users to divulge their passwords, is a very real and major problem. So let me switch gears completely and talk about phishing attacks.

Phishing, Spear Phishing, and Whaling

Phishing is the act of sending an email to one or more people, fooling them into clicking on a link which then installs malware or takes them to a website where they are tricked into filling in their user name and password. Spear Phishing and Whaling are variations, with very specific targets.

While it’s easy to write a policy telling your employees to not open phishing emails, spear phishing attacks are on the rise and are becoming more sophisticated. Verizon’s 2015 Data Breach Report states that 23% of included recipients were found to have opened phishing messages and no less than 11% clicked on corresponding attachments. In addition, if a hacker sends out 10 emails, there is an astonishing 90% chance that at least one person will fall victim to their attack.

How do you address this problem? Appropriate training. And by appropriate, I don’t mean forcing your employees to read a memo or watch a boring PowerPoint-driven webinar. I mean through gamification and entertainment. Many companies make software which sends and tracks phishing emails to see who opens them and clicks on links. While shaming individuals might seem like a fun activity, it also can lead to disgruntled employees, thus rendering your program worse than useless.

In session HUM-T11 at the recent RSA Security conference in San Francisco, Emily Heath, the Global CISO at AECOM, talked about the use of phishing software along with scoring at a group level. By pitting business leaders against each other, she lowered the phishing click rate by 300% in 18 months. In a nutshell, each business leader received a private listing of their employees who succumbed to a simulated phishing attack, and a leaderboard at the business level was published. Since business leaders tend to be competitive, every one of them had incentive to not be the last person on the list, thus helping their employees to understand the risks of clicking on a phishing email as well as what a phishing email looks like.

Session HUM-W03R talked about how to change behaviors at the enterprise scale through an education program based on movie trailers. Well, not just any movie trailers. Christine Maxwell, the Governance, Risk and Compliance Director at BP, showed us how the BP marketing team put together training videos based on well-known genres, such has comedy, horror, and film noir. While viewers laughed or sweated their way through the videos, they actually learned the business-related consequences of violating the company’s security policies. That is, how clicking on a phishing email or letting someone use their password could have far-reaching consequences to BP’s entire business, and not just their own career. With the well-known holes in SCADA software, it could be possible to blow up an entire power plant if a key employees’ credentials got out.

Summary

NonStop servers, like all mainframes, are not going away. They have uptime and processing power advantages that puny “industry standard servers” don’t and never will have. Yet they cannot talk to modern devices and don’t meet many of the latest security standards. And even if they did, just one employee falling for a phishing attack can bring down an entire company.

But gamification, excitin’ training, and friendly competition can help your employees understand the risks of not following security policies and how to detect when they are being targeted to divulge their insider credentials. And there you have it until next time.

Ron LaPedis <ron.LaPedis@microfocus.com>