Compliance is a fundamental consideration when getting started with IBM i. Since your system will likely handle at least some records that fall within the scope of U.S. regulations, such as HIPAA or SOX, monitoring and tracking data access controls is paramount.
What happens when there are holes in the network? Your organization takes on the risk of not only falling out of compliance, but also dealing with major financial and reputational damage caused by a data breach.
In this compliance 101 primer, we'll look at three high-profile breaches from the past year, each of which shows what can go wrong when data oversight isn't up to snuff. Along the way, we'll discuss some basic fixes that can help shore up network defenses.
Target: The Limits of PCI Compliance
Last winter, retailer Target suffered a breach that may have affected one-third of the U.S. population. Malware entered stores' point-of-sale terminals and lifted payment card information. An investigation revealed attackers may have gained access to Target's system by way of an HVAC contractor.
A few months before the intrusion, Target passed a PCI audit. Why didn't compliance shield it from a breach? Part of the reason is the slow evolution of PCI DSS and other standards. In the time between updates, the threat landscape can change dramatically. Plus, meeting the bare minimum for compliance doesn't guarantee that data is safe.
Security experts have long warned that compliance must not be confused with security. Target's breach perfectly illustrates this point.
The takeaway and the fix: Don't settle for basic compliance. Install and regularly update anti-virus software, and use real-time database monitoring to keep tabs on complex systems. Use monitored profile swaps on IBM i to control system access. Vet the supply chain, including third parties, for potential weak points.
eBay: The Risks of Loosely Secured Credentials
In May, the majority of eBay's 145 million users were affected after criminals gained access to a company database containing encrypted passwords as well as email and physical addresses. Many customers were instructed to reset their logins to avoid the risk of unauthorized transactions.
Hackers had compromised a handful of eBay employee credentials. With those, they could authenticate into eBay's systems and obtain the same permissions as legitimate workers, allowing them to remain undetected for at least a month.
The takeaway and the fix: Establish access controls for sensitive data, implementing two-factor authentication if necessary. Make use of IBM i's network intrusion detection system to screen for a wide range of anomalies that could indicate that intruders have broken in. Set up IBM i file and object auditing to monitor access to cardholder data.
Variable Annuity Life Insurance Company: The Importance of Restricting File Access
An ex-adviser to this organization walked away with details on more than 774,000 customers, copied onto a thumb drive. It was the second time that Variable Annuity Life Insurance Company suffered a breach involving unauthorized downloads onto physical storage, with the first occurring in 2006.
VALIC didn't learn of the theft for years; the worker left in 2007 and the heist was only discovered and revealed to the company by law enforcement. The stolen data included full and partial Social Security numbers. After notifying potential victims, VALIC offered identity theft recovery services.
The takeaway and the fix: Follow standardized change control procedures to govern database usage. Restrict the number of highly privileged users. Implement IBM i monitoring for file integrity that encompasses application data and configuration controls, looking for unauthorized modifications to and corruption of sensitive files.
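To make the file and object auditing recommended for the eBay case and the file integrity monitoring recommended for the VALIC case concrete, here is an added CL example (not from the original article) that switches on IBM i object auditing for a hypothetical cardholder file, audits a privileged profile, and extracts the read and change entries from the audit journal for review. The library, file and user names are assumptions.

```cl
/* Added example, not part of the original article. Library CARDLIB,     */
/* file CARDDATA, profile ADMINUSR and library AUDLIB are assumed names.  */

/* 1. One-time setup: create the security audit journal QAUDJRN and its   */
/*    first receiver; the system manages receiver changes from then on.   */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000)
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM)

/* 2. Turn auditing on. QAUDCTL must include *OBJAUD or the per-object    */
/*    settings below have no effect; QAUDLVL adds system-wide events such */
/*    as authority failures and object deletions.                         */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *DELETE *OBJMGT')

/* 3. Log every read (ZR entry) and every change (ZC entry) of the        */
/*    cardholder file, whoever touches it.                                */
CHGOBJAUD OBJ(CARDLIB/CARDDATA) OBJTYPE(*FILE) OBJAUD(*ALL)

/* 4. Audit a highly privileged profile regardless of which object it     */
/*    uses, including every command it runs.                              */
CHGUSRAUD USRPRF(ADMINUSR) OBJAUD(*ALL) AUDLVL(*CMD *SECURITY)

/* 5. Pull the read and change entries from the current receiver chain    */
/*    into an outfile, so they can be queried with SQL or shipped to a    */
/*    SIEM and compared against approved change-control tickets.          */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(ZR ZC) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(AUDLIB/AUDZRZC)
```

Changing QAUDCTL and QAUDLVL requires *AUDIT special authority, and the ZC entries in the outfile are the raw material for spotting modifications that no change-control record explains.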