SlideShare a Scribd company logo

DB2 Security Thinking Outside the Box

Jerry Harding
Jerry Harding
1 of 17
Download to read offline
211 N. Union Street, Suite 100 Alexandria, VA 22314 703-717-6574 www.type80.com Thinking Outside the Box Monitoring DB2® Security on z/OS By Jerry Harding Stephen D. Rubin William Buriak A Type80 White Paper
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 2 TABLE OF CONTENTS Contents 1 Executive Summary............................................................................................................................... 3 2 Background............................................................................................................................................ 5 3 The Cost of a Data Security Breach....................................................................................................... 6 4 The Real Security Exposure to DB2 on z/OS........................................................................................ 7 5 Weaknesses in DB2 Application Code.................................................................................................. 8 6 Using DB2 SMF Records as Event Tracking ........................................................................................ 9 7 How to Implement DB2 SMF Audit Trace Records.............................................................................10 8 Thinking “Outside the Box” .................................................................................................................12 9 Summary:..............................................................................................................................................14
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 3 1 Executive Summary The United States recently introduced a universal healthcare system. This program requires the highly sensitive records to be stored on massive computers. Essentially, they will be a “DNA footprint” for millions of Americans. Security for these records should not be thought of as “after the fact” and will require vigilant and pro-active monitoring of security regardless of the host operating system.1 The records are required to be protected according to the Federal Information Security Management Act of 2008 (FISMA, also referred to as US Senate Bill S.3474). FISMA mandates that “the underlying framework that information systems and assets rely on in processing, transmitting, receiving or storing information electronically” have adequate security. It goes on to say, “Meaning security commensurate with the risk and magnitude of harm from loss, misuse, or unauthorized access to or modification of information”. Web connections to data residing on the mainframe DB2 platform through z/OS Web Services, CICS® and TSO® have added functionality to legacy processing and brought transaction processing to new levels. It has also introduced a new perception of vulnerability. Mainframe Security Administrators sometimes view it as opening up the mainframe to “intruders.” The "bad guys" are finding new inventive ways to obtain corporate and personal information and to disrupt a company's business as was done by someone holding the State of Virginia’s medical records hostage and demanding a $10 million dollar payment. Most of the Financial, Healthcare and Pharmaceutical industries keep their vital records on DB2 and other databases residing on the IBM z/OS mainframe platform. Government interests in these corporations will lead to the next wave of exchange of information among them and it is expected that private industries sharing database information with the Government will soon have to comply with the FISMA guidelines. But regardless of the industry and whether or not they fall into the FISMA regulations, every company is at risk of losing information. Security is not always the highest priority in a corporation until it is named in the lead story 1 Your medical information is worth 10-20 times more than your credit card number on the black market, according to a 2014 report by Reuters.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 4 on the evening news or Wall Street Journal and you are requested to testify before Congress. This paper puts its focus on ways to monitor z/OS DB2 database security by thinking outside the box. It will offer alternatives in developing an efficient security framework to monitor security settings and protect confidential data from ‘bad guys’ in an effective and economical manner. This paper will also explore the tools that are available for developing such a security framework. The main focus is placed on security tools that can be used outside the mainframe security framework. The stress on “thinking outside the box” is emphasized as the majority of the traditional tools that fall within the mainframe security setting have failed to meet today’s security, auditing and compliance mandates. It will detail the steps to be taken when setting up log collection and security analysis programs on the mainframe by using economical sources readily available. However, along with mentioning the efficiency of this system, it will also put stress on the need for a new framework as very often traditional measures are found to be incapable of countering security threats of modern days. Finally it will discuss the methods that can be adopted to counter the latest security threats and how these tools work.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 5 2 Background Security teams for z/OS DB2 commonly use security products from IBM and Computer Associates for reporting. They are the first levels of defense. These products either allow or deny a user access to a resource. Unlike UNIX and other operating systems security, it is a simple yes or no decision. If security is denied, a violation event will be recorded on the security log files and in most cases a message will be issued to the primary console. The event may go unnoticed until the System Administrator runs a violation report in response to an incident. DB2 is capable of keeping a separate log file of events throughout its course of normal processing. These log files are a mainframe operating system function called System Management Facility or “SMF®” records. The DB2 SMF records contain information related to many different types of events occurring within the system. The level of granularity depends on configurations of the DB2 audit trace at the individual table level. The SMF records provide data useful for investigating security events and if used in combination with other resources, help investigate possible attacks and breaches for incident response, auditing and compliance purposes. The DB2 SMF records are created in binary format and are not readable by a plain text editor, making online viewing and interpretation almost impossible. Separation of Duties One of the most fundamental aspects of the Sarbanes-Oxley Act of 2002 was the definition of Separation of Duties. Having the same person monitoring security and setting up security is a clear case of a violation of the Act. The Evolving Security Function The Security Administrators in most z/OS environments are responsible for monitoring security. In addition to defining and maintaining users and passwords, they assume the role of chasing down batch reports to answer periodic security, auditing and compliance questions. Some leading mainframe installations are creating independent departments to actively monitor the security using SMF event information. Other installations are placing z/OS security into totally autonomous security groups that monitor Network, UNIX, Windows and other operating systems. Restructuring the mainframe security group (a) allows mainframe events to be monitored from “outside the box” in a centralized repository, (b) introduces new technologies and experience to mainframe computer security experts wishing to expand their careers, (c) allows non-mainframe security technicians to become exposed to what is happening “inside the box”, and is a win/win proposition for the entire organization.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 6 3 The Cost of a Data Security Breach According to a 2015 study by the research organization Ponemon Institute, paid for by International Business Machines Corp., the cost of a data breach increased 23% since 2013. The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago The study also reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased six percent from a consolidated average of $145 to $154. Average figures don’t paint a complete picture. If we look at one large retails loss, you can see the significant impact. Target said the gross expenses from the data breach were $252 million. If you subtract insurance reimbursement, the losses fall to $162 million. Tax deductions lower the net losses tally $105 million. Still a significant loss! Beyond the financial implications a compromise of this nature would also include damage to corporate reputation, loss of customers, and increased regulatory scrutiny let alone the personal damage to the CIO and CEO
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 7 3.1 Personal Liability Information security breaches may go beyond corporate boundaries and expose the corporation to unwanted legal actions. Security exposures derived from the theft of data has led to three class action law suits against the Secretary of Veterans Affairs. The theft was a result of data being transferred to a laptop which was later stolen from a private residence of a VA Contractor. The security breach affected 26.5 million records with a VA estimate of between $100 million and $500 million to prevent and cover possible losses from data theft. 3.2 The Regulators Cometh It is bad enough that you had a data breach, the CEO was canned, and customers hate you. The real pain is only about to begin if your company happens to be in a regulated industry because security breaches reflect poorly on the regulators. They will push for more regulations and greater control. Everything will be verified and checked in great detail for years to come. Gone will be the reasonable assurance and all items will be looked into. Providing data to the regulators, responding to requests, and correcting issues, even minor ones is extremely time consuming and costly. 4 The Real Security Exposure to DB2 on z/OS The most sought after target when attacking DB2 data on the mainframe is to acquire the privilege settings of the DB2 System Administrator. Compromising it and escalating the DB2 privileges to a common user’s ID allows you to attack the DB2 data virtually unnoticed. It is becoming more difficult to do this in the modern days of DB2; however, an emphasis should be placed on monitoring accesses to critical information regardless of whether an individual has or does not have the correct privileges. It is not always safe to assume that a mainframe security product will always protect you. One very good example of this occurred during the performance of a network vulnerability assessment at a large government agency. The network was compromised (with authority of the agency) and a workstation was hacked. Application files related to a process running on the workstation were examined. A mainframe unencrypted DB2 logon ID and password were found. The ID and password were then used to log into the DB2 application on the mainframe with SYSADMIN privileges. This was just an exercise, but if real the damages would be unlimited.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 8 5 Weaknesses in DB2 Application Code There are two major concerns regarding DB2 application code being developed and running on mainframe processors. 1) Random checks of application code being developed using mainframe Web Services seems to be in line with the security guidelines and standards of today but “you don’t know what you don’t know”. Application reviews by the mainframe ISSO are almost non-existent. 2) Many of the DB2 legacy applications were written prior to the 9/11 mentality when it was not cost-justified to change them to fit into the security conscious world we are living in today. The inability to adapt these applications to today’s security awareness posture poses a big problem for many large companies and government agencies around the world. Especially when one considers that the DB2 Data-warehouse containing the key corporate asset ‘data’ is updated, scanned, accessed continuously supporting critical business transactions. There reside the customer files, medical information, credit card records, social security data, financial records, etc., all prime targets for illegal information security breaches. The Government has responded with strict regulations under HIPAA, SOX and Graham Leach, along with financial penalties to corporate officers who fail to comply. Under these pressures it is time for corporate management to raise the bar for security methodologies protecting DB2 on z/OS to the highest level
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 9 6 Using DB2 SMF Records as Event Tracking There are over 100 different types of SMF records reserved by the z/OS operating system for various operational functions. Record numbers above a certain level can be used for vendor products and mainframe application programs. SMF record number eighty (type 80 records) are used by two of the mainframe security products commonly found on the mainframe. A third security product uses an SMF number assigned to it at the installation time of the product (commonly # 231) and DB2 auditing uses SMF record type 102. The SMF records are written to files after the mainframe operating system performs an event. The mainframe Systems Programmer is responsible for defining the size of the primary and secondary SMF files. When the primary file fills, the secondary becomes the primary and the original SMF file is archived. Common to all companies are thousands upon thousands of SMF records that are written daily and in many shops the SMF logs switch once a day, twice a day or perhaps hourly, depending on the customer’s transaction processing volume. The volume of SMF records created cause major difficulties making it impossible to monitor the high volume from one workstation in real-time. Another problem presented is that these SMF records are typically made available with time lags between reports. So for example if batch reporting on DB2 SMF records by a bank are used to protect it from a security breach against credit card information and they are only available at best, on hourly increments, it presents a window of opportunity for a breach. Another problem regarding batch reporting on SMF records is that these historical foundations for security, auditing and compliance batch reporting are not at all cost effective. In fact, the cost of manually reviewing logs is very high. Creation of logs with an aim to provide security is one thing, but actually manually reviewing and printing them is very expensive. Often companies seem to be reluctant in spending huge sums on reviewing these logs. But if a company does not review a log, then what is the purpose of putting efforts in collecting them?
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 10 7 How to Implement DB2 SMF Audit Trace Records SMF log analysis is very important when it comes to monitoring DB2 security, auditing and compliance. One of the best ways to do it is by using the DB2 audit trace facility. The DB2 audit trace facility must be turned on for each table you wish to monitor. This is done by using the AUDIT clause at the time of the CREATE of the table. Additionally, Audit Trace classes must be activated in order to collect the data in the DB2 SMF records. Each class is associated with the type of DB2 events you wish to monitor. The DB2 Audit Trace Classes are as follows: Class One Access attempts that DB2 denies because of inadequate authorization. Class Two Explicit GRANT and REVOKE statements and their results. This class does not trace implicit grants and revokes. Class Three CREATE, ALTER, and DROP statements that affect audited tables, and the results of these statements. Class Four Changes to audited tables. Class Five All read accesses to tables that are identified with the AUDIT ALL clause. Class Six The bind of static and dynamic SQL statements of the following types: INSERT, UPDATE, DELETE, CREATE VIEW, and LOCK TABLE statements for audited tables. SELECT statements on tables that are identified with the AUDIT ALL clause. Class Seven Assignment or change of an authorization ID because of the following reasons: • Changes through an exit routine (default or user-written) • Changes through a SET CURRENT SQLID statement • An outbound or inbound authorization ID translation • An ID that is being mapped to a RACF ID from a Kerberos security ticket Class Eight The start of a utility job, and the end of each phase of the utility.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 11 Class Nine Various types of records that are written to IFCID 0146 by the IFI WRITE function. Class Ten (DB2 V9.1) CREATE and ALTER TRUSTED CONTEXT statements, establish trusted connection information and switch user information. Here is a partial list of DB2 security related events commonly monitored: • Access rights • Privilege changes, explicit privilege changes as well as administrative changes • SYSCTRL and SYSADM activity • Changes to authorization • Dropping of tables • Inserting/changing records • Accessing data from unauthorized ID’s • GRANT/REVOKE statements For some classes, other activity within the DB2 audit trail information, important for computer forensics and incident response, is the actual SQL statement that was being performed at the time of the incident. It is a fingerprint to the table, row and column that the user was going after at the time. Unfortunately, it is buried behind a very complex index of binary bit settings within the DB2 SMF audit trail record and difficult to interpret. The DB2 Audit Trace facility is historically known for adding additional CPU overhead. DB2 has gotten progressively better when using this facility with each new release and there has been a drastic reduction on that overhead. The latest IBM statistics indicate that it will introduce less than 10% additional CPU overhead, per transaction, if all of the classes are turned on.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 12 8 Thinking “Outside the Box” The mainframe operating system platform is the premier transaction-processing machine and has always boasted industry-leading security technology. During many years of service, often under the most demanding conditions imaginable, it has survived. It has proven itself time and again, and was awarded the U.S. Government’s highest certification for commercial security. However, in a changing world with an increase in lost trade secrets, theft of personal identity, and wrongdoings by employees, associates and contractors, the strongest security mechanisms are essential. The mainframe security concept of “allow” or “not allow” simply may not be enough. It needs additional safeguards that help protect users and data with features that were not possible until recently. The answer to bringing mainframe security to the next level is; integrating mainframe “yes” or “no” security with existing network security products. The mainframe security professional needs the tools to accomplish this feat in a world where the Reagan-era motto “Trust but Verify” is essential. There are a variety of Log Management and SEIM products supporting DB2 that may already be deployed within your own organizations. These products sit outside the mainframe, on the network, and collect events logging from firewalls, UNIX, Windows and other operating systems. Very seldom does a mainframe Security Administrator tap into these resources. 8.1 Log Management Log Management products are available from commercial vendors including LogLogic, Network Intelligence, Novell, Computer Associates, IBM and others. They are designed to collect raw log data. A partial mainframe solution is to route the console logs directly to the Log Management software. This is only a partial solution because the console logs alone do not contain all of the information required for fully monitoring the mainframe environment. A better approach to Log Management is to use the combination of raw data from console logs, security log files and SMF data. Problems arise when you attempt to send the combined information to the Log Management software because the volume of data traveling across the network creates a lag time. The information does not arrive in a “timely manner” as required by regulatory mandates as a result.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 13 8.2 SEIM Products Supporting DB2 SEIM products collect security events from many sources other than the mainframe. The events are expected to be condensed by agent software executing on a remote device. DB2 SMF records can be excessive in length (the SQL could be 4k alone) and should be filtered or condensed for any SEIM product. The process of reading the security logs and condensing them into warnings and alerts is expected to occur by a remote agent process residing on the mainframe. Doing so saves network traffic overhead and expenses related to storing excess data in the central repository on a mid-range disk device. Commercial vendors for SEIM products such as NetIQ, Intellitactics, IBM, NetForensics, ArcSight and Novell often have remote batch or real-time process to collect DB2 information from the mainframe. One way to leverage money already spent and to get the “employee of the month” award is to think outside the box and to integrate mainframe events into one of the products that your company has already invested in. 8.3 DB2 Mainframe Homegrown Solutions Developing a homegrown agent application to read and monitor the DB2 SMF records, non-DB2 SMF records, console messages, application messages and vendor products is an overwhelming and monumental task. The DB2 SMF records are considered to be one of the most complex record formats and can only be interrupted by a veteran Systems Programmer. Not including the DB2 SMF records in a homegrown solution would produce a highly ineffective result. Another interesting point is that the Sarbanes-Oxley Act of 2002 definition of Separation of Duties specifies that security personnel administrating or monitoring should not be writing security code. In essence, homegrown written code, including log monitors and exits written by a security person within the organization, is in violation of the very audit finding that it was intended to resolve. With that being said; and you decide to proceed, there are some complicated technical and design issues that have to be worked out before you even begin. These issues include: • Asynchronous timing • Unacceptable consumption of CPU and Network resources • Conversion of data from binary to text format • Delivering the information on a timely manner so that it can be immediately acted upon. The complexity and costs related to the development of a homegrown application is often cast aside by management when compared to the cost of purchasing proven software from reliably vendors.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 14 9 Summary: DB2 z/OS is here to stay and will only grow to accommodate data warehousing requirements and corporate business transactions. In the past the security emphasis always seemed to be on distributed systems. However the new Government regulations have leveled the field to include all data, as exampled under the Federal Information Security Management Act (FISMA) of 2008. Every Government computer and network is essentially required to protect its confidential data and any other types of records. These standards are about to spill over into the commercial arena with the fusion of Government and commercial entities. SOX and HIPAA have no computer boundaries regarding the compromise of critical data. Unauthorized changes to patient information or accounting records are all fair game in the eyes of the law. In this paper we have addressed some important issues relating to security breaches. They include how the mainframe platform works towards monitoring security of records, what the pitfalls are in the traditional methods of using DB2 SMF records for event tracking, and how the mainframe platform can be modernized to provide improved security monitoring of important and confidential records. An attack, especially on DB2 z/OS to obtain the privilege settings of the DB2 System Administrator, allows for a stealthy security breach. Therefore, it is no longer efficient or safe to rely solely on batch reporting and mainframe security systems that work strictly inside the mainframe, only recording on incidents where security has been violated. It is now possible to use products to monitor mainframe security from outside the mainframe itself. Among the various kinds of security products that can work sitting outside the mainframe platform are Log Management and SEIM (Security Event and Incident Management) products supporting DB2. Each of these products has their own pros and cons and there is no “one shoe fits all” solution. The important point is that all these solutions are more economical, efficient and faster than the earlier models in countering new types of security threats. So, how will you choose the correct software among the many alternatives? While choosing a particular security product that is able to work sitting outside the mainframe platform, certain factors have to be checked. Here are some criteria that you may consider when evaluating a security product for your company: • Scalable • Ease of use • Room for lateral growth • Real time 24/7 event monitoring • Ease of configuration and installation • Small footprint of mainframe processing and minimum performance impact on mainframe systems
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 15 Although the cost of protecting data effectively is high, the cost of a security breach is even higher considering the new laws governing the compromise of data. Companies can take a sigh of relief now that there is cost effective and comprehensive mainframe software available in the market. These products meet the current needs of the corporations in the area of securing confidential records of their own businesses as well as of their clients, and have all the qualities that are required to counter today’s security threats. They work efficiently with existing mainframe security products and make use of SMF and console messages in appropriate ways. They are capable of tracking DB2 audited events, several types of insider threats, delivering mainframe alerts in real time and easily integrating with other existing security monitors. Proactive companies, having a track record of monitoring security logs from outside the box, are in the forefront of Government requirements and have a solid framework in place to manage DB2 data and its associated risks. Doing so puts them, regardless of their industry, in a better competitive position, with an ideal security posture that will allow them to participate in the very important data-sharing evolution taking place. DB2®, CICS®, SMF® and z/OS® are registered trademarks of International Business Machines. All references to them and field names remain the property of International Business Machines Corporation. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. While we take every care to ensure the accuracy of the information contained in this material, the facts estimates and opinions stated are based on information and sources which, while we believe them to be reliable, are not guaranteed. In particular, it should not be relied upon as the sole source of reference in relation to the subject matter. No liability can be accepted by the authors for any loss occasioned to any person or entity acting or failing to act as a result of anything contained in or omitted from the content of this material, or our conclusions as stated.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 16 About Type80: Type80 Security Software is an IBM Business Partner in software development and was founded by experts in the areas of mainframe z/OS Systems Programming and Information Security. The company draws from a diverse background, from providing cybersecurity training to NATO counter intelligence, conducting enterprise-wide security assessments for companies maintaining the nation's critical infrastructure, and developing high-level mainframe applications for major financial institutions. Our primary software product is called SMA_RT (Security Monitor Alerts in Real-Time). Our SMA_RT software development began in 1998, the product availability was announced in 2002, and awarded a US Patent in 2007, making it the first Real-Time mainframe intrusion detection, z/OS SIEM agent and log event processing software of its kind. SMA_RT has been deployed across four continents with commercial customers in the Financial, Banking, Payment Card Processing, Automobile Importers, Retail Sales, International Hotel/Travel, Corporate Management, HealthCare, Insurance, Educational, Telecommunications and Home Security industries. Please visit our website at www.type80.com and contact us or one of our preferred reseller partners for additional information or if you have any questions on our software. About the Authors: Jerry Harding Jerry Harding is CEO of Type80 Security Software, Inc. He has over 25 years of mainframe Systems Programming experience, providing professional services to commercial clients and government agencies. He also has over 15 years of security experience including providing training to NATO’s Counterintelligence Agency (ACE CI), the Supreme Headquarters Allied Powers Europe (SHAPE), as well as other public and private organizations. Stephen D. Rubin Stephen D. Rubin is the founder and president of MMI. Under his leadership MMI has a track record of 20 years of financial success in creating business markets for information technology services (IT) across North America. Areas of business include training, consulting services, and software. MMI has trained over 3,000 IT students representing over 400 corporations in database design, information security, capacity planning and distributed application development. Professional service engagements have included information security, server consolidation, and the auditing of capacity planning and chargeback methodologies for both public and private sectors. Stephen has authored white papers to drive market recognition and helped create the United States marketplace for a European software start-up client.
Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 17 William Buriak William Buriak has over 25 years of information technology experience with an extensive background in financial services, healthcare, and technical and management consulting. Bill is a Senior Executive with demonstrated experience in planning, developing, and implementing cost effective, innovative solutions to address complex business problems. He has broad recognized experience in managing mainframe systems, Web based, and distributed systems. He has extensive qualifications including vendor management, consensus building, and strategic planning skills. Currently working in the Security Engineering area of a major world bank, Mr. Buriak is responsible for compliance and control of a large number of global products.

Recommended

An Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesAn Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesJerry Harding
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014- Mark - Fullbright
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperNetIQ
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015James Sheehan
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...PortalGuard
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 
Breached! The First 48
Breached! The First 48Breached! The First 48
Breached! The First 48Resilient Systems
 

Recommended

An Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesAn Introduction to zOS Real-time Infrastructure and Security Practices
An Introduction to zOS Real-time Infrastructure and Security PracticesJerry Harding
 
DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014DATA PROTECTION & BREACH READINESS GUIDE 2014
DATA PROTECTION & BREACH READINESS GUIDE 2014- Mark - Fullbright
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperNetIQ
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015James Sheehan
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...PortalGuard
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 
Breached! The First 48
Breached! The First 48Breached! The First 48
Breached! The First 48Resilient Systems
 
Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterPatricia M Watson
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
ADAM ADLER MIAMI
ADAM ADLER MIAMI ADAM ADLER MIAMI
ADAM ADLER MIAMI AdamAdler10
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsClear Technologies
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Niren Thanky
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
Risk neversleeps wps-016
Risk neversleeps wps-016Risk neversleeps wps-016
Risk neversleeps wps-016Jake Lepine
 
You Are the Target
You Are the TargetYou Are the Target
You Are the TargetEMC
 
Insurance for Cyber Risks
Insurance for Cyber RisksInsurance for Cyber Risks
Insurance for Cyber Riskssmithjgdc
 
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteDinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteSandraPaiva
 
INFORMATION SECURITY STUDY REGARDING PII
INFORMATION SECURITY STUDY REGARDING PIIINFORMATION SECURITY STUDY REGARDING PII
INFORMATION SECURITY STUDY REGARDING PII- Mark - Fullbright
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic SecurityChad Korosec
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Compliancy Group
 
Cybersecurity
CybersecurityCybersecurity
CybersecurityChristopher Daza
 
Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?Guy Pearce
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4Meg Weber
 
10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate SecretsGuardEra Access Solutions, Inc.
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutionsJonny Nässlander
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksConstantin Cocioaba
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 
Assignment 2
Assignment 2Assignment 2
Assignment 2Domardine
 
Article on Sustainability Rporting in ethikos
Article on Sustainability Rporting in ethikosArticle on Sustainability Rporting in ethikos
Article on Sustainability Rporting in ethikosJyoti Pandey
 

More Related Content

What's hot

Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterPatricia M Watson
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
ADAM ADLER MIAMI
ADAM ADLER MIAMI ADAM ADLER MIAMI
ADAM ADLER MIAMI AdamAdler10
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsClear Technologies
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Niren Thanky
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionThe Economist Media Businesses
 
Risk neversleeps wps-016
Risk neversleeps wps-016Risk neversleeps wps-016
Risk neversleeps wps-016Jake Lepine
 
You Are the Target
You Are the TargetYou Are the Target
You Are the TargetEMC
 
Insurance for Cyber Risks
Insurance for Cyber RisksInsurance for Cyber Risks
Insurance for Cyber Riskssmithjgdc
 
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteDinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteSandraPaiva
 
INFORMATION SECURITY STUDY REGARDING PII
INFORMATION SECURITY STUDY REGARDING PIIINFORMATION SECURITY STUDY REGARDING PII
INFORMATION SECURITY STUDY REGARDING PII- Mark - Fullbright
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic SecurityChad Korosec
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Compliancy Group
 
Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?Guy Pearce
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4Meg Weber
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksConstantin Cocioaba
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...balejandre
 

What's hot (20)

Cyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise ChapterCyber Security Threats | IIA Boise Chapter
Cyber Security Threats | IIA Boise Chapter
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
ADAM ADLER MIAMI
ADAM ADLER MIAMI ADAM ADLER MIAMI
ADAM ADLER MIAMI
 
Proactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van SymonsProactive Log Management in Insurance by Van Symons
Proactive Log Management in Insurance by Van Symons
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
 
Briefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimensionBriefing paper: Third-Party Risks: The cyber dimension
Briefing paper: Third-Party Risks: The cyber dimension
 
Risk neversleeps wps-016
Risk neversleeps wps-016Risk neversleeps wps-016
Risk neversleeps wps-016
 
You Are the Target
You Are the TargetYou Are the Target
You Are the Target
 
Insurance for Cyber Risks
Insurance for Cyber RisksInsurance for Cyber Risks
Insurance for Cyber Risks
 
Dinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference KeynoteDinis Cruz IBWAS'10 Conference Keynote
Dinis Cruz IBWAS'10 Conference Keynote
 
INFORMATION SECURITY STUDY REGARDING PII
INFORMATION SECURITY STUDY REGARDING PIIINFORMATION SECURITY STUDY REGARDING PII
INFORMATION SECURITY STUDY REGARDING PII
 
200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
 
10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets10844 5415 The Value Of Corporate Secrets
10844 5415 The Value Of Corporate Secrets
 
idg_secops-solutions
idg_secops-solutionsidg_secops-solutions
idg_secops-solutions
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
 
White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...White paper cyber risk appetite defining and understanding risk in the moder...
White paper cyber risk appetite defining and understanding risk in the moder...
 

Viewers also liked

Assignment 2
Assignment 2Assignment 2
Assignment 2Domardine
 
Article on Sustainability Rporting in ethikos
Article on Sustainability Rporting in ethikosArticle on Sustainability Rporting in ethikos
Article on Sustainability Rporting in ethikosJyoti Pandey
 
What's your approach. ethikos article
What's your approach. ethikos articleWhat's your approach. ethikos article
What's your approach. ethikos articleJyoti Pandey
 
What's your approach. ethikos article
What's your approach. ethikos articleWhat's your approach. ethikos article
What's your approach. ethikos articleJyoti Pandey
 
Presentation pain management
Presentation pain managementPresentation pain management
Presentation pain managementDr Lekan Bello
 
What we measure may deserve a shift in focus...
What we measure may deserve a shift in focus...What we measure may deserve a shift in focus...
What we measure may deserve a shift in focus...Jyoti Pandey
 
Matt Rawson CV 2015
Matt Rawson CV 2015Matt Rawson CV 2015
Matt Rawson CV 2015Matt Rawson
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Matt Johansen
 
모션그래픽 중간발표 _ 박혜진
모션그래픽 중간발표 _ 박혜진모션그래픽 중간발표 _ 박혜진
모션그래픽 중간발표 _ 박혜진semohyejin
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
모션그래픽 기말발표
모션그래픽 기말발표모션그래픽 기말발표
모션그래픽 기말발표semohyejin
 
Considerations for UC and cloud deployments
Considerations for UC and cloud deploymentsConsiderations for UC and cloud deployments
Considerations for UC and cloud deploymentsTodd Landry
 
DB2 Security Thinking Outside the Box
DB2 Security Thinking Outside the BoxDB2 Security Thinking Outside the Box
DB2 Security Thinking Outside the BoxJerry Harding
 
Overview of UNIVERGE 3C
Overview of UNIVERGE 3COverview of UNIVERGE 3C
Overview of UNIVERGE 3CTodd Landry
 

Viewers also liked (15)

Assignment 2
Assignment 2Assignment 2
Assignment 2
 
Article on Sustainability Rporting in ethikos
Article on Sustainability Rporting in ethikosArticle on Sustainability Rporting in ethikos
Article on Sustainability Rporting in ethikos
 
What's your approach. ethikos article
What's your approach. ethikos articleWhat's your approach. ethikos article
What's your approach. ethikos article
 
What's your approach. ethikos article
What's your approach. ethikos articleWhat's your approach. ethikos article
What's your approach. ethikos article
 
Presentation pain management
Presentation pain managementPresentation pain management
Presentation pain management
 
What we measure may deserve a shift in focus...
What we measure may deserve a shift in focus...What we measure may deserve a shift in focus...
What we measure may deserve a shift in focus...
 
Matt Rawson CV 2015
Matt Rawson CV 2015Matt Rawson CV 2015
Matt Rawson CV 2015
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013
 
모션그래픽 중간발표 _ 박혜진
모션그래픽 중간발표 _ 박혜진모션그래픽 중간발표 _ 박혜진
모션그래픽 중간발표 _ 박혜진
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
모션그래픽 기말발표
모션그래픽 기말발표모션그래픽 기말발표
모션그래픽 기말발표
 
Woodbury sitemap r5
Woodbury sitemap r5Woodbury sitemap r5
Woodbury sitemap r5
 
Considerations for UC and cloud deployments
Considerations for UC and cloud deploymentsConsiderations for UC and cloud deployments
Considerations for UC and cloud deployments
 
DB2 Security Thinking Outside the Box
DB2 Security Thinking Outside the BoxDB2 Security Thinking Outside the Box
DB2 Security Thinking Outside the Box
 
Overview of UNIVERGE 3C
Overview of UNIVERGE 3COverview of UNIVERGE 3C
Overview of UNIVERGE 3C
 

Similar to DB2 Security Thinking Outside the Box

Securing Your "Crown Jewels": Do You Have What it Takes?
Securing Your "Crown Jewels": Do You Have What it Takes?Securing Your "Crown Jewels": Do You Have What it Takes?
Securing Your "Crown Jewels": Do You Have What it Takes?IBM Security
 
Healthcare Industry Security Whitepaper
Healthcare Industry Security WhitepaperHealthcare Industry Security Whitepaper
Healthcare Industry Security WhitepaperCasey Lucas
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarJudgeEagle
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
Eileen Presentation
Eileen PresentationEileen Presentation
Eileen Presentationjc06442n
 
Protecting Data Privacy Beyond the Trusted System of Record
Protecting Data Privacy Beyond the Trusted System of RecordProtecting Data Privacy Beyond the Trusted System of Record
Protecting Data Privacy Beyond the Trusted System of RecordCor Ranzijn
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15James Fisher
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10jpmccormack
 
2010 report data security survey
2010 report data security survey2010 report data security survey
2010 report data security surveyCarlo Del Bo
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemIlonaThornburg83
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6seadeloitte
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - WebFahd Khan
 
Malware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest ThreatMalware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest ThreatChris Ross
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 

Similar to DB2 Security Thinking Outside the Box (20)

Securing Your "Crown Jewels": Do You Have What it Takes?
Securing Your "Crown Jewels": Do You Have What it Takes?Securing Your "Crown Jewels": Do You Have What it Takes?
Securing Your "Crown Jewels": Do You Have What it Takes?
 
Healthcare Industry Security Whitepaper
Healthcare Industry Security WhitepaperHealthcare Industry Security Whitepaper
Healthcare Industry Security Whitepaper
 
Data Breach Guide 2013
Data Breach Guide 2013Data Breach Guide 2013
Data Breach Guide 2013
 
The Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent ThemThe Top Ten Insider Threats And How To Prevent Them
The Top Ten Insider Threats And How To Prevent Them
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jar
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Eileen Presentation
Eileen PresentationEileen Presentation
Eileen Presentation
 
Protecting Data Privacy Beyond the Trusted System of Record
Protecting Data Privacy Beyond the Trusted System of RecordProtecting Data Privacy Beyond the Trusted System of Record
Protecting Data Privacy Beyond the Trusted System of Record
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Data Encryption Is Hard To Do Fiberlink
Data Encryption Is Hard To Do FiberlinkData Encryption Is Hard To Do Fiberlink
Data Encryption Is Hard To Do Fiberlink
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10
 
2010 report data security survey
2010 report data security survey2010 report data security survey
2010 report data security survey
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
 
Malware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest ThreatMalware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest Threat
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 

DB2 Security Thinking Outside the Box

  • 1. 211 N. Union Street, Suite 100 Alexandria, VA 22314 703-717-6574 www.type80.com Thinking Outside the Box Monitoring DB2® Security on z/OS By Jerry Harding Stephen D. Rubin William Buriak A Type80 White Paper
  • 2. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 2 TABLE OF CONTENTS Contents 1 Executive Summary............................................................................................................................... 3 2 Background............................................................................................................................................ 5 3 The Cost of a Data Security Breach....................................................................................................... 6 4 The Real Security Exposure to DB2 on z/OS........................................................................................ 7 5 Weaknesses in DB2 Application Code.................................................................................................. 8 6 Using DB2 SMF Records as Event Tracking ........................................................................................ 9 7 How to Implement DB2 SMF Audit Trace Records.............................................................................10 8 Thinking “Outside the Box” .................................................................................................................12 9 Summary:..............................................................................................................................................14
  • 3. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 3 1 Executive Summary The United States recently introduced a universal healthcare system. This program requires the highly sensitive records to be stored on massive computers. Essentially, they will be a “DNA footprint” for millions of Americans. Security for these records should not be thought of as “after the fact” and will require vigilant and pro-active monitoring of security regardless of the host operating system.1 The records are required to be protected according to the Federal Information Security Management Act of 2008 (FISMA, also referred to as US Senate Bill S.3474). FISMA mandates that “the underlying framework that information systems and assets rely on in processing, transmitting, receiving or storing information electronically” have adequate security. It goes on to say, “Meaning security commensurate with the risk and magnitude of harm from loss, misuse, or unauthorized access to or modification of information”. Web connections to data residing on the mainframe DB2 platform through z/OS Web Services, CICS® and TSO® have added functionality to legacy processing and brought transaction processing to new levels. It has also introduced a new perception of vulnerability. Mainframe Security Administrators sometimes view it as opening up the mainframe to “intruders.” The "bad guys" are finding new inventive ways to obtain corporate and personal information and to disrupt a company's business as was done by someone holding the State of Virginia’s medical records hostage and demanding a $10 million dollar payment. Most of the Financial, Healthcare and Pharmaceutical industries keep their vital records on DB2 and other databases residing on the IBM z/OS mainframe platform. Government interests in these corporations will lead to the next wave of exchange of information among them and it is expected that private industries sharing database information with the Government will soon have to comply with the FISMA guidelines. But regardless of the industry and whether or not they fall into the FISMA regulations, every company is at risk of losing information. Security is not always the highest priority in a corporation until it is named in the lead story 1 Your medical information is worth 10-20 times more than your credit card number on the black market, according to a 2014 report by Reuters.
  • 4. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 4 on the evening news or Wall Street Journal and you are requested to testify before Congress. This paper puts its focus on ways to monitor z/OS DB2 database security by thinking outside the box. It will offer alternatives in developing an efficient security framework to monitor security settings and protect confidential data from ‘bad guys’ in an effective and economical manner. This paper will also explore the tools that are available for developing such a security framework. The main focus is placed on security tools that can be used outside the mainframe security framework. The stress on “thinking outside the box” is emphasized as the majority of the traditional tools that fall within the mainframe security setting have failed to meet today’s security, auditing and compliance mandates. It will detail the steps to be taken when setting up log collection and security analysis programs on the mainframe by using economical sources readily available. However, along with mentioning the efficiency of this system, it will also put stress on the need for a new framework as very often traditional measures are found to be incapable of countering security threats of modern days. Finally it will discuss the methods that can be adopted to counter the latest security threats and how these tools work.
  • 5. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 5 2 Background Security teams for z/OS DB2 commonly use security products from IBM and Computer Associates for reporting. They are the first levels of defense. These products either allow or deny a user access to a resource. Unlike UNIX and other operating systems security, it is a simple yes or no decision. If security is denied, a violation event will be recorded on the security log files and in most cases a message will be issued to the primary console. The event may go unnoticed until the System Administrator runs a violation report in response to an incident. DB2 is capable of keeping a separate log file of events throughout its course of normal processing. These log files are a mainframe operating system function called System Management Facility or “SMF®” records. The DB2 SMF records contain information related to many different types of events occurring within the system. The level of granularity depends on configurations of the DB2 audit trace at the individual table level. The SMF records provide data useful for investigating security events and if used in combination with other resources, help investigate possible attacks and breaches for incident response, auditing and compliance purposes. The DB2 SMF records are created in binary format and are not readable by a plain text editor, making online viewing and interpretation almost impossible. Separation of Duties One of the most fundamental aspects of the Sarbanes-Oxley Act of 2002 was the definition of Separation of Duties. Having the same person monitoring security and setting up security is a clear case of a violation of the Act. The Evolving Security Function The Security Administrators in most z/OS environments are responsible for monitoring security. In addition to defining and maintaining users and passwords, they assume the role of chasing down batch reports to answer periodic security, auditing and compliance questions. Some leading mainframe installations are creating independent departments to actively monitor the security using SMF event information. Other installations are placing z/OS security into totally autonomous security groups that monitor Network, UNIX, Windows and other operating systems. Restructuring the mainframe security group (a) allows mainframe events to be monitored from “outside the box” in a centralized repository, (b) introduces new technologies and experience to mainframe computer security experts wishing to expand their careers, (c) allows non-mainframe security technicians to become exposed to what is happening “inside the box”, and is a win/win proposition for the entire organization.
  • 6. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 6 3 The Cost of a Data Security Breach According to a 2015 study by the research organization Ponemon Institute, paid for by International Business Machines Corp., the cost of a data breach increased 23% since 2013. The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago The study also reports that the cost incurred for each lost or stolen record containing sensitive and confidential information increased six percent from a consolidated average of $145 to $154. Average figures don’t paint a complete picture. If we look at one large retails loss, you can see the significant impact. Target said the gross expenses from the data breach were $252 million. If you subtract insurance reimbursement, the losses fall to $162 million. Tax deductions lower the net losses tally $105 million. Still a significant loss! Beyond the financial implications a compromise of this nature would also include damage to corporate reputation, loss of customers, and increased regulatory scrutiny let alone the personal damage to the CIO and CEO
  • 7. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 7 3.1 Personal Liability Information security breaches may go beyond corporate boundaries and expose the corporation to unwanted legal actions. Security exposures derived from the theft of data has led to three class action law suits against the Secretary of Veterans Affairs. The theft was a result of data being transferred to a laptop which was later stolen from a private residence of a VA Contractor. The security breach affected 26.5 million records with a VA estimate of between $100 million and $500 million to prevent and cover possible losses from data theft. 3.2 The Regulators Cometh It is bad enough that you had a data breach, the CEO was canned, and customers hate you. The real pain is only about to begin if your company happens to be in a regulated industry because security breaches reflect poorly on the regulators. They will push for more regulations and greater control. Everything will be verified and checked in great detail for years to come. Gone will be the reasonable assurance and all items will be looked into. Providing data to the regulators, responding to requests, and correcting issues, even minor ones is extremely time consuming and costly. 4 The Real Security Exposure to DB2 on z/OS The most sought after target when attacking DB2 data on the mainframe is to acquire the privilege settings of the DB2 System Administrator. Compromising it and escalating the DB2 privileges to a common user’s ID allows you to attack the DB2 data virtually unnoticed. It is becoming more difficult to do this in the modern days of DB2; however, an emphasis should be placed on monitoring accesses to critical information regardless of whether an individual has or does not have the correct privileges. It is not always safe to assume that a mainframe security product will always protect you. One very good example of this occurred during the performance of a network vulnerability assessment at a large government agency. The network was compromised (with authority of the agency) and a workstation was hacked. Application files related to a process running on the workstation were examined. A mainframe unencrypted DB2 logon ID and password were found. The ID and password were then used to log into the DB2 application on the mainframe with SYSADMIN privileges. This was just an exercise, but if real the damages would be unlimited.
  • 8. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 8 5 Weaknesses in DB2 Application Code There are two major concerns regarding DB2 application code being developed and running on mainframe processors. 1) Random checks of application code being developed using mainframe Web Services seems to be in line with the security guidelines and standards of today but “you don’t know what you don’t know”. Application reviews by the mainframe ISSO are almost non-existent. 2) Many of the DB2 legacy applications were written prior to the 9/11 mentality when it was not cost-justified to change them to fit into the security conscious world we are living in today. The inability to adapt these applications to today’s security awareness posture poses a big problem for many large companies and government agencies around the world. Especially when one considers that the DB2 Data-warehouse containing the key corporate asset ‘data’ is updated, scanned, accessed continuously supporting critical business transactions. There reside the customer files, medical information, credit card records, social security data, financial records, etc., all prime targets for illegal information security breaches. The Government has responded with strict regulations under HIPAA, SOX and Graham Leach, along with financial penalties to corporate officers who fail to comply. Under these pressures it is time for corporate management to raise the bar for security methodologies protecting DB2 on z/OS to the highest level
  • 9. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 9 6 Using DB2 SMF Records as Event Tracking There are over 100 different types of SMF records reserved by the z/OS operating system for various operational functions. Record numbers above a certain level can be used for vendor products and mainframe application programs. SMF record number eighty (type 80 records) are used by two of the mainframe security products commonly found on the mainframe. A third security product uses an SMF number assigned to it at the installation time of the product (commonly # 231) and DB2 auditing uses SMF record type 102. The SMF records are written to files after the mainframe operating system performs an event. The mainframe Systems Programmer is responsible for defining the size of the primary and secondary SMF files. When the primary file fills, the secondary becomes the primary and the original SMF file is archived. Common to all companies are thousands upon thousands of SMF records that are written daily and in many shops the SMF logs switch once a day, twice a day or perhaps hourly, depending on the customer’s transaction processing volume. The volume of SMF records created cause major difficulties making it impossible to monitor the high volume from one workstation in real-time. Another problem presented is that these SMF records are typically made available with time lags between reports. So for example if batch reporting on DB2 SMF records by a bank are used to protect it from a security breach against credit card information and they are only available at best, on hourly increments, it presents a window of opportunity for a breach. Another problem regarding batch reporting on SMF records is that these historical foundations for security, auditing and compliance batch reporting are not at all cost effective. In fact, the cost of manually reviewing logs is very high. Creation of logs with an aim to provide security is one thing, but actually manually reviewing and printing them is very expensive. Often companies seem to be reluctant in spending huge sums on reviewing these logs. But if a company does not review a log, then what is the purpose of putting efforts in collecting them?
  • 10. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 10 7 How to Implement DB2 SMF Audit Trace Records SMF log analysis is very important when it comes to monitoring DB2 security, auditing and compliance. One of the best ways to do it is by using the DB2 audit trace facility. The DB2 audit trace facility must be turned on for each table you wish to monitor. This is done by using the AUDIT clause at the time of the CREATE of the table. Additionally, Audit Trace classes must be activated in order to collect the data in the DB2 SMF records. Each class is associated with the type of DB2 events you wish to monitor. The DB2 Audit Trace Classes are as follows: Class One Access attempts that DB2 denies because of inadequate authorization. Class Two Explicit GRANT and REVOKE statements and their results. This class does not trace implicit grants and revokes. Class Three CREATE, ALTER, and DROP statements that affect audited tables, and the results of these statements. Class Four Changes to audited tables. Class Five All read accesses to tables that are identified with the AUDIT ALL clause. Class Six The bind of static and dynamic SQL statements of the following types: INSERT, UPDATE, DELETE, CREATE VIEW, and LOCK TABLE statements for audited tables. SELECT statements on tables that are identified with the AUDIT ALL clause. Class Seven Assignment or change of an authorization ID because of the following reasons: • Changes through an exit routine (default or user-written) • Changes through a SET CURRENT SQLID statement • An outbound or inbound authorization ID translation • An ID that is being mapped to a RACF ID from a Kerberos security ticket Class Eight The start of a utility job, and the end of each phase of the utility.
  • 11. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 11 Class Nine Various types of records that are written to IFCID 0146 by the IFI WRITE function. Class Ten (DB2 V9.1) CREATE and ALTER TRUSTED CONTEXT statements, establish trusted connection information and switch user information. Here is a partial list of DB2 security related events commonly monitored: • Access rights • Privilege changes, explicit privilege changes as well as administrative changes • SYSCTRL and SYSADM activity • Changes to authorization • Dropping of tables • Inserting/changing records • Accessing data from unauthorized ID’s • GRANT/REVOKE statements For some classes, other activity within the DB2 audit trail information, important for computer forensics and incident response, is the actual SQL statement that was being performed at the time of the incident. It is a fingerprint to the table, row and column that the user was going after at the time. Unfortunately, it is buried behind a very complex index of binary bit settings within the DB2 SMF audit trail record and difficult to interpret. The DB2 Audit Trace facility is historically known for adding additional CPU overhead. DB2 has gotten progressively better when using this facility with each new release and there has been a drastic reduction on that overhead. The latest IBM statistics indicate that it will introduce less than 10% additional CPU overhead, per transaction, if all of the classes are turned on.
  • 12. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 12 8 Thinking “Outside the Box” The mainframe operating system platform is the premier transaction-processing machine and has always boasted industry-leading security technology. During many years of service, often under the most demanding conditions imaginable, it has survived. It has proven itself time and again, and was awarded the U.S. Government’s highest certification for commercial security. However, in a changing world with an increase in lost trade secrets, theft of personal identity, and wrongdoings by employees, associates and contractors, the strongest security mechanisms are essential. The mainframe security concept of “allow” or “not allow” simply may not be enough. It needs additional safeguards that help protect users and data with features that were not possible until recently. The answer to bringing mainframe security to the next level is; integrating mainframe “yes” or “no” security with existing network security products. The mainframe security professional needs the tools to accomplish this feat in a world where the Reagan-era motto “Trust but Verify” is essential. There are a variety of Log Management and SEIM products supporting DB2 that may already be deployed within your own organizations. These products sit outside the mainframe, on the network, and collect events logging from firewalls, UNIX, Windows and other operating systems. Very seldom does a mainframe Security Administrator tap into these resources. 8.1 Log Management Log Management products are available from commercial vendors including LogLogic, Network Intelligence, Novell, Computer Associates, IBM and others. They are designed to collect raw log data. A partial mainframe solution is to route the console logs directly to the Log Management software. This is only a partial solution because the console logs alone do not contain all of the information required for fully monitoring the mainframe environment. A better approach to Log Management is to use the combination of raw data from console logs, security log files and SMF data. Problems arise when you attempt to send the combined information to the Log Management software because the volume of data traveling across the network creates a lag time. The information does not arrive in a “timely manner” as required by regulatory mandates as a result.
  • 13. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 13 8.2 SEIM Products Supporting DB2 SEIM products collect security events from many sources other than the mainframe. The events are expected to be condensed by agent software executing on a remote device. DB2 SMF records can be excessive in length (the SQL could be 4k alone) and should be filtered or condensed for any SEIM product. The process of reading the security logs and condensing them into warnings and alerts is expected to occur by a remote agent process residing on the mainframe. Doing so saves network traffic overhead and expenses related to storing excess data in the central repository on a mid-range disk device. Commercial vendors for SEIM products such as NetIQ, Intellitactics, IBM, NetForensics, ArcSight and Novell often have remote batch or real-time process to collect DB2 information from the mainframe. One way to leverage money already spent and to get the “employee of the month” award is to think outside the box and to integrate mainframe events into one of the products that your company has already invested in. 8.3 DB2 Mainframe Homegrown Solutions Developing a homegrown agent application to read and monitor the DB2 SMF records, non-DB2 SMF records, console messages, application messages and vendor products is an overwhelming and monumental task. The DB2 SMF records are considered to be one of the most complex record formats and can only be interrupted by a veteran Systems Programmer. Not including the DB2 SMF records in a homegrown solution would produce a highly ineffective result. Another interesting point is that the Sarbanes-Oxley Act of 2002 definition of Separation of Duties specifies that security personnel administrating or monitoring should not be writing security code. In essence, homegrown written code, including log monitors and exits written by a security person within the organization, is in violation of the very audit finding that it was intended to resolve. With that being said; and you decide to proceed, there are some complicated technical and design issues that have to be worked out before you even begin. These issues include: • Asynchronous timing • Unacceptable consumption of CPU and Network resources • Conversion of data from binary to text format • Delivering the information on a timely manner so that it can be immediately acted upon. The complexity and costs related to the development of a homegrown application is often cast aside by management when compared to the cost of purchasing proven software from reliably vendors.
  • 14. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 14 9 Summary: DB2 z/OS is here to stay and will only grow to accommodate data warehousing requirements and corporate business transactions. In the past the security emphasis always seemed to be on distributed systems. However the new Government regulations have leveled the field to include all data, as exampled under the Federal Information Security Management Act (FISMA) of 2008. Every Government computer and network is essentially required to protect its confidential data and any other types of records. These standards are about to spill over into the commercial arena with the fusion of Government and commercial entities. SOX and HIPAA have no computer boundaries regarding the compromise of critical data. Unauthorized changes to patient information or accounting records are all fair game in the eyes of the law. In this paper we have addressed some important issues relating to security breaches. They include how the mainframe platform works towards monitoring security of records, what the pitfalls are in the traditional methods of using DB2 SMF records for event tracking, and how the mainframe platform can be modernized to provide improved security monitoring of important and confidential records. An attack, especially on DB2 z/OS to obtain the privilege settings of the DB2 System Administrator, allows for a stealthy security breach. Therefore, it is no longer efficient or safe to rely solely on batch reporting and mainframe security systems that work strictly inside the mainframe, only recording on incidents where security has been violated. It is now possible to use products to monitor mainframe security from outside the mainframe itself. Among the various kinds of security products that can work sitting outside the mainframe platform are Log Management and SEIM (Security Event and Incident Management) products supporting DB2. Each of these products has their own pros and cons and there is no “one shoe fits all” solution. The important point is that all these solutions are more economical, efficient and faster than the earlier models in countering new types of security threats. So, how will you choose the correct software among the many alternatives? While choosing a particular security product that is able to work sitting outside the mainframe platform, certain factors have to be checked. Here are some criteria that you may consider when evaluating a security product for your company: • Scalable • Ease of use • Room for lateral growth • Real time 24/7 event monitoring • Ease of configuration and installation • Small footprint of mainframe processing and minimum performance impact on mainframe systems
  • 15. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 15 Although the cost of protecting data effectively is high, the cost of a security breach is even higher considering the new laws governing the compromise of data. Companies can take a sigh of relief now that there is cost effective and comprehensive mainframe software available in the market. These products meet the current needs of the corporations in the area of securing confidential records of their own businesses as well as of their clients, and have all the qualities that are required to counter today’s security threats. They work efficiently with existing mainframe security products and make use of SMF and console messages in appropriate ways. They are capable of tracking DB2 audited events, several types of insider threats, delivering mainframe alerts in real time and easily integrating with other existing security monitors. Proactive companies, having a track record of monitoring security logs from outside the box, are in the forefront of Government requirements and have a solid framework in place to manage DB2 data and its associated risks. Doing so puts them, regardless of their industry, in a better competitive position, with an ideal security posture that will allow them to participate in the very important data-sharing evolution taking place. DB2®, CICS®, SMF® and z/OS® are registered trademarks of International Business Machines. All references to them and field names remain the property of International Business Machines Corporation. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. While we take every care to ensure the accuracy of the information contained in this material, the facts estimates and opinions stated are based on information and sources which, while we believe them to be reliable, are not guaranteed. In particular, it should not be relied upon as the sole source of reference in relation to the subject matter. No liability can be accepted by the authors for any loss occasioned to any person or entity acting or failing to act as a result of anything contained in or omitted from the content of this material, or our conclusions as stated.
  • 16. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 16 About Type80: Type80 Security Software is an IBM Business Partner in software development and was founded by experts in the areas of mainframe z/OS Systems Programming and Information Security. The company draws from a diverse background, from providing cybersecurity training to NATO counter intelligence, conducting enterprise-wide security assessments for companies maintaining the nation's critical infrastructure, and developing high-level mainframe applications for major financial institutions. Our primary software product is called SMA_RT (Security Monitor Alerts in Real-Time). Our SMA_RT software development began in 1998, the product availability was announced in 2002, and awarded a US Patent in 2007, making it the first Real-Time mainframe intrusion detection, z/OS SIEM agent and log event processing software of its kind. SMA_RT has been deployed across four continents with commercial customers in the Financial, Banking, Payment Card Processing, Automobile Importers, Retail Sales, International Hotel/Travel, Corporate Management, HealthCare, Insurance, Educational, Telecommunications and Home Security industries. Please visit our website at www.type80.com and contact us or one of our preferred reseller partners for additional information or if you have any questions on our software. About the Authors: Jerry Harding Jerry Harding is CEO of Type80 Security Software, Inc. He has over 25 years of mainframe Systems Programming experience, providing professional services to commercial clients and government agencies. He also has over 15 years of security experience including providing training to NATO’s Counterintelligence Agency (ACE CI), the Supreme Headquarters Allied Powers Europe (SHAPE), as well as other public and private organizations. Stephen D. Rubin Stephen D. Rubin is the founder and president of MMI. Under his leadership MMI has a track record of 20 years of financial success in creating business markets for information technology services (IT) across North America. Areas of business include training, consulting services, and software. MMI has trained over 3,000 IT students representing over 400 corporations in database design, information security, capacity planning and distributed application development. Professional service engagements have included information security, server consolidation, and the auditing of capacity planning and chargeback methodologies for both public and private sectors. Stephen has authored white papers to drive market recognition and helped create the United States marketplace for a European software start-up client.
  • 17. Copyright 2015 and 2016(©) Jerry Harding, Stephen D. Rubin, Inc. and William Buriak All Rights Reserved Worldwide. Page 17 William Buriak William Buriak has over 25 years of information technology experience with an extensive background in financial services, healthcare, and technical and management consulting. Bill is a Senior Executive with demonstrated experience in planning, developing, and implementing cost effective, innovative solutions to address complex business problems. He has broad recognized experience in managing mainframe systems, Web based, and distributed systems. He has extensive qualifications including vendor management, consensus building, and strategic planning skills. Currently working in the Security Engineering area of a major world bank, Mr. Buriak is responsible for compliance and control of a large number of global products.