Security & Compliance Blog – BMC Software | Blogs (https://s7280.pcdn.co), feed retrieved Mon, 23 Oct 2023 10:54:11 +0000

7 Steps to Ensuring a “Security-First” Mindset
https://s7280.pcdn.co/security-first-with-bmc/
Thu, 12 Oct 2023 10:34:11 +0000

October is Cybersecurity Awareness Month, and as organizations face an ever-evolving landscape of cyber threats, building a robust security posture is even more crucial. By incorporating good security practices and protocols, organizations can enhance their ability to protect sensitive data, prevent security breaches, and detect and respond to incidents. Here are our seven key recommendations to help bolster your security efforts.

1. Avoid friction points with a centralized approach to incident response.

Teams that operate in silos and follow manual processes make mistakes and create unnecessary delays. By bringing together incident management capabilities, organizations can efficiently detect, report, and respond to security incidents in a consistent and timely manner. This facilitates seamless communication, enhances incident resolution, and minimizes the impact of breaches.

2. Remain diligent with change management practices.

A strong security posture requires diligent change management practices. It’s essential to streamline the process for security-related changes such as system updates or access control modifications. By automating workflows and adhering to established change management procedures, vulnerabilities introduced during system changes can be minimized, ensuring a secure environment.

3. Maintain good management of security assets and configurations.

Proper management of security assets and configurations is critical to mitigating risks. Organizations need to maintain accurate, up-to-date information about hardware, software, network devices, and user access rights. With comprehensive asset and configuration management, security teams gain enhanced visibility, enabling them to monitor, track, and secure critical resources effectively.

4. Streamline the remediation process with automation-driven vulnerability management.

Integrated vulnerability scanning tools help identify and prioritize vulnerabilities across an organization’s infrastructure. By automating vulnerability assessments and linking them with asset management, the remediation process is streamlined. It enables security teams to prioritize patches or mitigation actions based on risk severity and impact. This helps organizations stay ahead of emerging threats and maintain a resilient security posture.

5. Ensure efficient request fulfillment.

Security-related requests, such as access control or security policy exceptions, need to be managed efficiently. Make sure you can facilitate the management of these requests through standardized and automated workflows. By ensuring that security controls are followed, organizations can reduce the risk of unauthorized access or policy violations, further enhancing their security posture.

6. Be prepared for a continual state of compliance.  

Operations teams must continuously meet compliance and audit requirements. Automating workflows to document, track, and report on security-related activities helps demonstrate adherence to security policies, industry standards, and regulatory obligations. This ensures organizations are in a continual state of compliance and are prepared for audits.

7. Leverage good knowledge management for informed decision-making.

Create a centralized knowledge hub for security documentation, procedures, and best practices that is easily accessible to security personnel, empowering them with valuable information during incident response and security operations. By harnessing this knowledge base, organizations make informed decisions, share insights, and provide access to relevant resources, leading to a more proactive security posture.

Conclusion

Your business operations teams play a pivotal role in building a strong security posture across the organization. Stay ahead of evolving cyber threats by continuing to embed security practices within your operations management process; this accelerates the journey toward a resilient security posture and is a powerful way to safeguard your digital assets, protect sensitive information, and maintain the trust of your stakeholders.

BMC Helix and Security

With BMC Helix, you have a powerhouse behind you to build a strong security posture across your organization. BMC Helix helps align IT and security teams around common workflows for handling security incidents, enables your teams to prioritize and remediate critical vulnerabilities, and systematically addresses compliance violations through an integrated and automated approach across your multi-cloud environment.

Find out more about how BMC Helix can help you ensure a Security First Mindset.
https://www.bmc.com/it-solutions/secops-security-operations.html

 

Auto-close externally remediated vulnerabilities with BMC Helix
https://www.bmc.com/blogs/auto-close-vulnerabilities/
Wed, 20 Jul 2022 12:31:43 +0000

Vulnerability management for servers and network devices is a challenging and critical task. Today, a variety of solutions are available for security operations (SecOps) engineers to detect, identify, and remediate vulnerabilities. Because these solutions report at varying levels of detail, for example listing only the vulnerabilities that are currently open and omitting the ones that have since been mitigated, findings that were fixed outside the tool can linger as open and require manual clean-up.

The BMC Helix Automation Console is a hybrid solution deployed in the cloud that uses an on-premises automation engine to remediate security vulnerabilities on servers as well as network devices. It integrates with leading vulnerability scanners to collect data for IT resources located on-premises and in the cloud, and works with discovery solutions to identify blind spots that need to be scanned.

After consolidating the vulnerability scanner data collected, the solution uses advanced analytics to transform that data into actionable information, map vulnerabilities to assets and patches, help determine priorities, and automate patch acquisition and deployment to remediate security exposures. BMC Helix Automation Console also offers closed-loop change management, managing compliance with regulations and policies and automating the remediation of out-of-compliance conditions.

With a recent product update, the solution imports, identifies, and closes vulnerabilities, regardless of the scanner, for a single scan or multiple recurring XML scans. Leveraging REST APIs, the solution can also remediate and close vulnerabilities imported using APIs by:

  • Previewing and analyzing vulnerabilities that were reported in the previous scan but considered remediated (/api/v2/violations/close/auto-closure/vats/preview)
  • Allowing the user to actually close them (/api/v2/violations/close/auto-closure/vats)
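The preview-then-close split described above, reduced to its reconciliation logic, as an added example. This is not BMC Helix Automation Console code and does not call its REST API; the XML layout, attribute names and the two sample scans are assumptions constructed for the example. It also handles the case a practitioner has to think about: a host that is simply missing from the newer scan (offline, or dropped from scope) must not have its findings closed as remediated.

```python
"""Preview-then-close reconciliation of two vulnerability scans.

Added example: not BMC Helix Automation Console code. It mirrors the logic
the post describes in two steps: preview which findings from the previous
scan no longer appear in the new one, then close exactly those. The XML
layout, attribute names and sample scans are assumptions for the example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date

# Constructed sample scans (same scanner, same scope, two weeks apart).
PREVIOUS_SCAN = """<scan date="2022-07-01">
  <host ip="10.0.0.5">
    <finding id="CVE-2021-40539" severity="critical"/>
    <finding id="CVE-2021-34473" severity="critical"/>
  </host>
  <host ip="10.0.0.9">
    <finding id="CVE-2021-44228" severity="critical"/>
  </host>
</scan>"""

# 10.0.0.5 was re-scanned and one CVE is gone; 10.0.0.9 was not scanned at all.
CURRENT_SCAN = """<scan date="2022-07-15">
  <host ip="10.0.0.5">
    <finding id="CVE-2021-34473" severity="critical"/>
  </host>
</scan>"""

OPEN = "open"
CLOSED_EXTERNAL = "closed (externally remediated)"


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str


def parse_scan(xml_text: str) -> tuple[date, dict[str, set[Finding]]]:
    """Return (scan date, {host -> findings}) from the assumed XML layout."""
    root = ET.fromstring(xml_text)
    scan_date = date.fromisoformat(root.attrib["date"])
    by_host: dict[str, set[Finding]] = {}
    for host in root.findall("host"):
        ip = host.attrib["ip"]
        by_host[ip] = {
            Finding(ip, f.attrib["id"], f.attrib.get("severity", "unknown"))
            for f in host.findall("finding")
        }
    return scan_date, by_host


def preview_auto_closure(previous_xml: str, current_xml: str) -> tuple[set[Finding], set[Finding]]:
    """Preview step: return (to_close, unverified).

    A finding is a closure candidate only if its host was actually covered by
    the newer scan and the finding is absent there. Findings on hosts missing
    from the newer scan are returned as unverified instead, so a host that was
    offline or out of scope does not look remediated.
    """
    prev_date, prev = parse_scan(previous_xml)
    cur_date, cur = parse_scan(current_xml)
    if cur_date <= prev_date:
        raise ValueError("current scan must be newer than the previous scan")
    to_close: set[Finding] = set()
    unverified: set[Finding] = set()
    for host, findings in prev.items():
        if host not in cur:
            unverified |= findings
        else:
            to_close |= findings - cur[host]
    return to_close, unverified


def apply_auto_closure(register: dict[Finding, str], to_close: set[Finding]) -> dict[Finding, str]:
    """Close step: mark the previewed findings closed in a copy of the register.

    Only findings that are currently open are touched, so re-running is safe.
    """
    updated = dict(register)
    for finding in to_close:
        if updated.get(finding) == OPEN:
            updated[finding] = CLOSED_EXTERNAL
    return updated


def build_register(scan_xml: str) -> dict[Finding, str]:
    """Seed a tracking register with every finding of a scan marked open."""
    _, by_host = parse_scan(scan_xml)
    return {f: OPEN for findings in by_host.values() for f in findings}


if __name__ == "__main__":
    register = build_register(PREVIOUS_SCAN)
    close, unverified = preview_auto_closure(PREVIOUS_SCAN, CURRENT_SCAN)
    print("would close:", sorted(f.vuln_id for f in close))
    print("unverified (host not rescanned):", sorted(f.vuln_id for f in unverified))
    register = apply_auto_closure(register, close)
    for finding, status in sorted(register.items(), key=lambda kv: (kv[0].host, kv[0].vuln_id)):
        print(f"{finding.host} {finding.vuln_id}: {status}")
```

Run it as-is and only CVE-2021-40539 on 10.0.0.5 is closed; CVE-2021-44228 on 10.0.0.9 stays open and is reported as unverified because that host never appeared in the second scan. The date check guards against accidentally feeding the scans in the wrong order, which would otherwise "close" everything the older scan had not yet found.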

Auto-closure of externally remediated vulnerabilities in BMC Helix Automation Console makes the status of open vulnerabilities significantly more accurate, keeping the vulnerability dashboard clean and up to date.

To learn more about BMC Helix Automation Console and the vulnerability auto-closure capability, refer to the product documentation.

Report: Is Mainframe Security Getting Better—Or Falling Behind?
https://www.bmc.com/blogs/holistic-mainframe-security-forrester-report/
Thu, 12 May 2022 13:31:12 +0000

In spite of the longstanding perception that the mainframe is inherently secure, a full 91 percent of organizations with mainframes have experienced a compromise or breach of sensitive data in the last five years. For more than a quarter of organizations, it’s happened between six and 25 times. That’s according to The Essential Holistic Security Strategy, a recent report by Forrester Consulting, commissioned by BMC.

It’s no surprise that attackers are finding their way into this critical enterprise system; today’s connected mainframe is a long way from the isolated data centers of the past, and the recent surge in work-from-home has only increased its exposure. When it comes to mainframe security, there’s clearly more work to do. But is it getting done?

The Forrester Consulting report, based on a survey of 310 companies, as well as interviews with security and mainframe decision-makers, examines the current state of mainframe security in the enterprise, how it has changed over the past year, and the characteristics of the most well-prepared organizations. Topics discussed in the report include:

  • The strategies and priorities of security and mainframe decision-makers—and how they differ between “Ready” and “Not Ready” organizations
  • Adoption trends and supporting technologies for Zero Trust
  • Overcoming barriers to security and operations alignment to enable SecOps
  • Recommendations for advancing mainframe security readiness

Ready or not

While many organizations are increasingly aware of the risks facing their mainframe environments, Forrester’s analysis finds that over the past year, “companies overall have decreased their mainframe security readiness.” In fact, while most teams realize that their data isn’t safe, only 29 percent of survey respondents are taking steps to actively secure their mainframes—a decline of 12 percent from a year ago.

To gain insight into trends in security strategy optimization, Forrester categorized respondents according to their readiness to respond to mainframe-related security events. By comparing organizations in the “Ready” and “Not Ready” groups, the firm underscores the measures that define the most effective security teams. For example, “Not Ready” organizations tend to focus narrowly on detection, security monitoring, and threat intelligence, while “Ready” companies are taking a more holistic approach that includes building an internal culture of collaboration between security and operations teams, hiring additional IT security staff, and investing in mainframe security.

Extending Zero Trust to the mainframe

As companies move to close the mainframe security gap, many are emphasizing active security measures. Asked about their top security priorities over the coming year, 81 percent of survey respondents cited security orchestration, automation, and response (SOAR), while 76 percent named extended detection and response (XDR).

Zero Trust was considered a high or critical priority by 71 percent of respondents—and 84 percent of respondents agreed that it is important to include the mainframe in a holistic Zero Trust strategy.

Organizations that have already adopted, or plan to adopt, a Zero Trust approach for their mainframe cite benefits such as the ability to detect breaches, stop malware propagation within the mainframe, and prevent mainframe breaches.

Solving SecOps silos and friction

While Forrester underscores the importance of achieving alignment between mainframe and enterprise security teams, organizational barriers continue to impede progress on SecOps. More than half of respondents report friction between these teams, and a similar number find that their operations are too siloed to work together effectively. Addressing these challenges is high on the agenda for the coming year, with 81 percent of organizations prioritizing the integration of security functions and improving security detection and response. Both measures will help security and operations teams collaborate more successfully while also protecting the mainframe against active threats.

Forrester’s analysis concludes with recommendations that advise mainframe and security leaders to:

  • Work smarter—not harder—to reduce risk
  • Hone their Zero Trust practices
  • Bridge silos between security and operations teams
  • Govern the mainframe as just another internet-connected device

To explore Forrester’s findings in depth, download the full report, The Essential Holistic Security Strategy: Mainframe Security Is Dangerously Absent From Enterprise Strategy.

What Are APTs? Advanced Persistent Threats Explained
https://www.bmc.com/blogs/advanced-persistent-threats/
Fri, 25 Feb 2022 00:00:52 +0000

Today, the global economy is heavily centered on digital technology, and the data held by individuals and organizations now commands a high premium.

As a result, cybercrime has become more and more sophisticated, especially where organized groups invest in skills, tools, and processes to take down targets and monetize the looted information. Be it government agencies, research institutions, or corporations, wherever valuable data can be found, these groups take their time to:

  • Investigate, infiltrate, and extract data
  • Extort a ransom
  • Damage IT systems

This type of long-term attack by specialist groups is called an advanced persistent threat (APT).

A report by ENISA, the EU Agency for Cybersecurity, showed that attacks conducted by APTs on EU institutions, bodies, and agencies increased by 30% in 2021. Just recently, the Red Cross detailed such an attack in which personal data belonging to over 500,000 people was compromised. The attack was discovered on 18 January 2022, but the intrusion was later determined to have begun on 9 November 2021.

In this article, let’s do a deep dive on APTs including who they are and how they structure their attacks, and, more importantly, how to protect ourselves from such entities.

What is an APT?

An APT is a calculated, targeted network attack on an organization. It begins when an attacker, or group of attackers, establishes a foothold inside an enterprise network and then remains undetected for a prolonged period, which gives them the time to locate and exfiltrate sensitive data.

The term APT references the type of attack—multi-stage in nature—but over time has been used to characterize the groups or the tools in use. The primary goal of APTs is data theft, but there is increasing evidence of other objectives such as:

  • Ransomware
  • Espionage
  • Systems disruption
  • Crypto mining

So, who is conducting APTs? The characteristics of such attacks indicate that the main players are well-funded entities who have the time, muscle, and laser-focused attention to get to their goal.

There is significant evidence that some of these groups are state-sponsored entities, such as APT27 and Winnti, both alleged to be sponsored by China, with the former recently flagged by the German government for attacks on government agencies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also raised an alert about Iranian state-sponsored APTs exploiting Fortinet and Microsoft Exchange vulnerabilities.

Trend Micro’s 2021 mid-year cybersecurity report listed the following groups (with memorably coined names) as actively involved in APT attacks:

  • TeamTNT targeted AWS credentials and Kubernetes clusters for crypto mining.
  • Water Pamola targeted e-commerce shops in Japan with cross-site scripting (XSS) attacks.
  • Earth Wendigo targeted the webmail of Taiwanese institutions with malicious JavaScript backdoors.
  • Earth Vetala targeted institutions in the Middle East, using remote access tools to distribute malicious utilities.
  • Iron Tiger targeted institutions in Southeast Asia using a SysUpdate malware variant.

Lifecycle & characteristics of an APT

While no two APTs are the same, in general, advanced persistent threats operate in a systematic manner. The lifecycle of an APT happens in five stages, as listed below:

[Figure: Lifecycle and characteristics of an APT]

Stage 1: Targeting/Reconnaissance

Initially, an enterprise is targeted by attackers who seek to accomplish a singular agenda. Infiltration occurs through identified weaknesses in the network, web assets, or other resources the attackers can reach.

Attackers will also use information from the internet and social media to identify contacts of potential victims to be targeted through social engineering attacks such as spear phishing.

Stage 2: Entry

Attackers gain access through SQL injection, remote file inclusion (RFI), or phishing campaigns that open a path in through user access points. Exploiting unpatched vulnerabilities, including zero-days for which no patch yet exists, is fast becoming the go-to entry method for most APTs:

  • The Red Cross attack involved exploiting an unpatched critical vulnerability in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539).
  • The APT attack on a U.S. municipal government web server involved exploitation of vulnerabilities on a FortiGate appliance and the creation of an account with the username “elie” to enable further malicious activity.

Once inside a network, attackers will often create a backdoor by uploading malware that allows repeated entry. In Germany, APT27 deployed the HyperBro remote access trojan to backdoor the networks of compromised commercial companies. Additional attacks may be used as a smoke screen that buys the attackers time to extend their access undetected.


Stage 3: Discovery

Entry into the system is the first milestone for an attacker running a calculated APT operation. The next is to learn the environment without being detected: attackers map out the organization’s infrastructure and launch further attacks aimed at taking over accounts higher in the privilege hierarchy. The higher they climb, the broader their access to sensitive information.

Post-exploitation activities identified in the Red Cross attack included compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

Stage 4: Capture

An infrastructure already weakened by multiple attacks is easier to move around in undetected. Under these conditions, attackers begin capturing data over an extended period of time. Capture can also include:

  • Building stable remote control over compromised hosts
  • Establishing communication with command-and-control (C2) servers

The hackers involved in the Red Cross attack deployed offensive security tools which allowed them to disguise themselves as legitimate users or administrators.

Stage 5: Data exfiltration

Once the target data has been located, the intruders deploy tooling to collect and exfiltrate it. Usually this is accompanied by “white noise” attacks that draw the defenders’ attention away from the real activity. They also conceal their original entry point, leaving it open for further attacks.

An alternative is ransomware, where the APT encrypts the victim’s enterprise data and demands payment in cryptocurrency in exchange for the decryption keys.

Identifying APTs: What to look for

If an enterprise business has been hit with an APT, it can be hours, days, or longer before they discover the problem. But time is of the essence when it comes to protecting your organization.

Monitoring your infrastructure for these signs can help you stay ahead of hackers who try to establish a foothold in your network:

Increase in late-night logins

Are employees suddenly logging in late at night? This can be a sign that attackers are using your employees’ credentials at hours when no one is around to notice.

What to do: Treat this kind of activity as a red flag and investigate further: which accounts were used, from which sources, and what they did after logging in.

Trojans are prolific in the network

When hackers access a computer in a network, they often install a trojan which gives them total control over that machine, even after passwords have been updated for security.

What to do: If enterprise organizations have a network full of trojans, they should consider the possibility the network is under attack from an APT.

Unexpected data bundles

One way attackers move data is by staging large amounts of it into bundles, typically compressed archives, before shipping it out of the network.

What to do: Unexpected multi-gigabyte archives appearing on servers or workstations are a good indicator to check your enterprise infrastructure.

Unexpected data flows

One way to spot an APT is to look for unexpected flows of data. These could be computer to computer, server to server, in or out of network. In order to identify whether an information flow is unauthorized or unexpected, you have to know what’s reasonably expected within your current infrastructure.

What to do: Define reasonable expectations for data flows and monitor for discrepancies.
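The three signals just described (off-hours logins, unexpected data bundles, unexpected data flows) checked over a few constructed log lines and correlated per account, as an added example that is not part of the original post. The log format (comma-separated timestamp, user, event, source, destination, bytes), the business-hours window, the list of expected flows and the bundle threshold are all assumptions for the example; in practice they come from your own baseline, which is exactly the point the text makes about knowing what is expected before you can spot what is not.

```python
"""Checks for three APT warning signs, run over constructed log lines.

Added example, not code from the original post. The log format, the
business-hours window, the expected-flow list and the size threshold are
assumptions for the example; replace them with your own baseline.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp,user,event,src,dst,bytes.
# alice's account logs in at 02:47 and then pushes 4.8 GB to an address that
# is not in the known flows; svc-backup legitimately works at night.
AUTH_LOG = """\
2022-02-21T09:12:03,alice,login,10.0.1.20,dc01,0
2022-02-21T02:47:55,alice,login,10.0.1.20,dc01,0
2022-02-21T03:02:10,svc-backup,login,10.0.2.5,fileserver,0
2022-02-21T14:30:00,bob,login,10.0.1.21,dc01,0
"""
FLOW_LOG = """\
2022-02-21T03:15:00,alice,transfer,10.0.1.20,203.0.113.7,4800000000
2022-02-21T10:00:00,bob,transfer,10.0.1.21,10.0.3.8,12000000
2022-02-21T11:00:00,alice,transfer,10.0.1.20,10.0.3.8,5000000
"""

BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 counts as daytime (assumption)
SERVICE_ACCOUNTS = {"svc-backup"}   # accounts expected to be active off hours
EXPECTED_FLOWS = {("10.0.1.20", "10.0.3.8"), ("10.0.1.21", "10.0.3.8")}  # known src->dst pairs
BUNDLE_BYTES = 1_000_000_000        # a single transfer of 1 GB or more is a "bundle"


def parse(log: str) -> list[dict]:
    """Parse the assumed comma-separated record format into dicts."""
    rows = []
    for line in log.splitlines():
        ts, user, event, src, dst, nbytes = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event,
                     "src": src, "dst": dst, "bytes": int(nbytes)})
    return rows


def off_hours_logins(rows: list[dict]) -> list[dict]:
    """Late-night logins by accounts that have no business being active then."""
    return [r for r in rows if r["event"] == "login"
            and r["ts"].hour not in BUSINESS_HOURS
            and r["user"] not in SERVICE_ACCOUNTS]


def unexpected_flows(rows: list[dict]) -> list[dict]:
    """Transfers between a source/destination pair that is not in the baseline."""
    return [r for r in rows if r["event"] == "transfer"
            and (r["src"], r["dst"]) not in EXPECTED_FLOWS]


def large_bundles(rows: list[dict]) -> list[dict]:
    """Single transfers at or above the bundle threshold."""
    return [r for r in rows if r["event"] == "transfer" and r["bytes"] >= BUNDLE_BYTES]


def triage(auth_log: str, flow_log: str) -> dict[str, dict]:
    """Correlate the signals per user.

    One off-hours login on its own is mostly noise; the same account logging
    in at night and then moving gigabytes to an unknown destination matches
    the capture and exfiltration stages described above, so two or more
    signals on one user are escalated to high.
    """
    auth, flows = parse(auth_log), parse(flow_log)
    reasons: dict[str, set[str]] = defaultdict(set)
    for r in off_hours_logins(auth):
        reasons[r["user"]].add("off-hours login")
    for r in unexpected_flows(flows):
        reasons[r["user"]].add("unexpected flow")
    for r in large_bundles(flows):
        reasons[r["user"]].add("large data bundle")
    return {user: {"reasons": sorted(rs), "severity": "high" if len(rs) >= 2 else "low"}
            for user, rs in reasons.items()}


if __name__ == "__main__":
    for user, verdict in triage(AUTH_LOG, FLOW_LOG).items():
        print(f"{user}: {verdict['severity']} ({', '.join(verdict['reasons'])})")
```

On the sample data only alice is flagged, at high severity, because all three signals land on the same account; bob's traffic matches the baseline and svc-backup's night-time login is allow-listed. The allow-list and the expected-flow table are the parts that need real curation: without them this kind of check drowns in backup jobs and batch windows.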

Final thoughts

Advanced persistent threats are complicated, calculated, long-game attacks that can have devastating effects on an enterprise business and, unfortunately, cannot be easily predicted. However, enterprise organizations don’t have to be at the mercy of APTs. You can implement strategies that include:

  • Continuous automated patching
  • Advanced endpoint detection and response monitoring systems
  • Multi-factor authentication and strong password protection mechanisms
  • Response planning to create a big picture of what to do if a breach occurs

Deploying AI- and ML-based security solutions can be highly effective in detecting anomalous behavior, one of the hallmarks of an APT attack.

IT Disaster Recovery Planning Explained
https://www.bmc.com/blogs/disaster-recovery-planning/
Thu, 18 Nov 2021 00:00:03 +0000

In today’s digital world, technology disruption for even a few hours can result in significant financial consequences to your business. According to Gartner, the average cost of IT downtime is $5,600 per minute. (That’s more than $300,000 per hour!) For large organizations, that number tops half a million dollars.

A well-designed and effectively maintained disaster recovery plan substantially increases your ability to recover lost data and return to normal operations as quickly as possible.

So, let’s look at strategies for developing a disaster recovery plan that will protect your organization.


Business Continuity Planning vs Disaster Recovery Planning

Business continuity planning (BCP) and disaster recovery planning (DRP) are sometimes used interchangeably. And while they are interconnected, the two are different concepts:

  • Business continuity planning is the overarching strategy that covers the entire company to ensure that mission-critical functions can continue during and after unforeseen events. Such events could include natural disasters, death or illness of a company executive, a security breach, and more.
  • Disaster recovery planning is actually a subset of overall business continuity that helps ensure organizational stability following an impact to IT only. Examples include disruption to servers, desktops, databases, applications and so on.


Goals of disaster recovery planning

When crafting the right disaster recovery plan for your business, it’s important to first assess the goals you’d like the plan to accomplish. The purpose of the DR plan is to protect users and the business from financial, legal, privacy and security related repercussions of a disaster incident.

Let’s look at the key reasons to plan for disaster recovery.

Mitigating risk

Contain the extent and scope of a disaster’s impact. Conduct a thorough risk assessment and evaluate the likely targets. Design the DR plan to isolate mission-critical systems and streamline the risk mitigation and remediation pipeline.

Reducing disruptions

Service availability is critical to business success. A primary goal of a DR plan is to ensure that systems return to normal and optimal performance soon after downtime. Metrics such as Mean Time to Recovery (MTTR) should be optimized within disaster recovery planning.

Reducing economic impact

Prioritize MTTR of IT assets based on the perceived business value. An optimal disaster recovery strategy is focused on:

  • Systems that directly impact the cost of downtime
  • Critical services such as infrastructure and healthcare applications
  • The wide extent of the user base

Preparing for disasters

Get ready for the disasters that are waiting to happen. Cyberattacks are getting more sophisticated by the day, which means you can always improve your ability to handle the next wave of security threats.

Understanding cybersecurity posture

Cybersecurity is hard. It is time and resource intensive. You need to:

  • Get started with the right cybersecurity strategy
  • Secure the most important IT assets
  • Identify new vulnerabilities
  • Patch newly disclosed vulnerabilities, especially those under active exploitation, as soon as fixes are available

It’s also important to neither overestimate nor underestimate your cybersecurity strength. Understanding your cybersecurity posture helps optimally allocate resources to prepare for and respond to disaster incidents when needed.

Achieving regulatory compliance

Organizations should be well prepared in adapting to the changing regulatory environment. A disaster recovery plan should be a part of the compliance strategy as it alleviates risk and provides a systematic approach to recover from disaster situations. Critically, compliance is mandatory for organizations in certain industries, including:

  • Healthcare
  • Finance
  • Defense
  • Infrastructure


Maintaining brand loyalty, reputation & user trust

Internet users today are increasingly aware of their rights to data security, privacy, and control. A DR plan helps ensure that your users retain access to their data even when disaster strikes.

As a result, service providers maintain trust and brand loyalty necessary to survive the competitive Internet market landscape.

Who creates the Disaster Recovery Plan?

Now let’s look at creating the plan itself.

Before you begin mapping out your DRP, it’s important to have the right people in place to lead the charge. To this end, establish a disaster recovery plan committee that includes key decision makers from across the entire organization.

Collectively, these individuals will be responsible for outlining, implementing, testing, and maintaining the disaster recovery plan.

How to create a Disaster Recovery Plan

A disaster recovery plan can include an exhaustive set of actionable guidelines for all employees responding to a disaster situation that may impact corporate IT networks and systems. The Disaster Recovery Planning (DRP) document is your roadmap to implementation; as such, you should update it regularly and store it in a safe, accessible location for use in an emergency. (If it’s in the cloud, but your internet is down, how can you access it?)

You can follow a Disaster Recovery Planning document template given below to ensure that your workforce can easily understand and adopt the systematic actionable guidelines to protect against disasters:

Step 1: Define goals

Identify your business goals. Associate a business value to your services, systems, departments and organizational functions, and how IT availability impacts various business operations.

Step 2: Define responsibilities

Who is in charge of what? Develop an organizational chart and define the responsibility of each individual involved in executing a DR plan.

Step 3: Prioritize application assets

Identify critical applications and assets. Focus your DR efforts in order of priority based on business value, user impact, legal requirements, ease of recovery, and other applicable factors.

Step 4: Describe asset details

Maintain an exhaustive directory providing details on every asset, including vendor, model and serial number, cost, quantity, and other relevant details.

Step 5: Define backup plan

Describe the frequency and schedule of backups. Different libraries and directory objects may be processed for backup at different schedules and volumes based on data storage and transfer cost, speed, business, and legal value.

Step 6: Define recovery procedure

Define actionable guidelines focused on three key elements:

  • Physical damages: emergency response to fire incidents or natural disasters.
  • Data backup: Execution guidelines of the data backup plan.
  • Recovery: Restoration of data assets from backup storage locations.

Step 7: Plan for mobile & hot sites

Establish alternative (hot) and mobile facilities to handle the DR operations while the home site is reestablished. This is particularly useful when physical disasters are involved.

Step 8: Establish restoration guidelines & framework

Define how, as data is recovered from the backup sites, the original site, systems, and operations will be reestablished to an optimal state.

Step 9: Test, test, test

Thoroughly test and evaluate your DR plan. Perform DR drills and training sessions to prepare your workforce for potential emergency situations.

Step 10: Continual Improvement

Continuously assess, improve and update your DR plan. Keep your records and procedure up to date with respect to risks and resources available to the organization.

Time is critical for disaster recovery

If your organization hasn’t created a disaster recovery plan or hasn’t made it a priority to maintain or improve upon it, then time is of the essence. No business can afford to have an ineffective response to unforeseen circumstances, and once a disaster occurs it’s too late. A disaster recovery plan can be the difference between the survival of your business or becoming another statistic.

To avoid costly delays in service, plan your disaster strategy by thinking about goals, performing necessary audits, planning for contingencies and partnering with a third-party vendor, if needed.

What Is Threat Remediation? Best Practices for Remediating Threats
https://www.bmc.com/blogs/what-is-threat-remediation-threat-remediation-explained/
Tue, 09 Nov 2021 00:00:55 +0000

Cybercrime is predicted to inflict $6 trillion worth of damages globally by the end of 2021 and $10.5 trillion annually by the year 2025, growing at 15% annually. This already makes cybercrime the third largest economy after the U.S. and China and, perhaps, the greatest (illicit) wealth transfer.

The damages are larger than those of any natural or other man-made disaster. Cybercrime is seen as a real threat in the business world and has in fact given rise to the popular adage: your cybersecurity strategy is your business strategy.

Considering that cybercrime is a real threat facing all business organizations and cyber-attacks are inevitable, what can you do to mitigate risks?

What is threat remediation?

Threat remediation refers to the active cybersecurity activity of identifying and eradicating a threat vector. It is a key component of the cybersecurity strategy that deals with the security posture of your organization, that is, how well your organization is capable of:

  1. Responding to cyberattacks
  2. Containing the damages
  3. Eliminating the threat altogether

This final step in the security defense kill chain is what differentiates threat remediation from threat mitigation—threat mitigation involves actions on reducing the risk of threats instead of eradicating and remediating the threat altogether.

For example, your corporate network may be compromised due to a zero-day exploit in your network identity and security control devices. The threat remediation exercise would involve ongoing monitoring for anomalous behavior.

Because the vulnerability in the security control devices has not yet been identified and cybercriminals are already able to gain unauthorized access to your network, security monitoring systems would flag the vulnerable devices and prompt the responsible teams to apply the necessary remediation measures to eliminate the threat. In this case, replacing the vulnerable device or applying a security patch to its firmware eliminates the threat entirely.

Threat remediation best practices

So how do you remediate cybersecurity threats effectively? The following threat remediation best practices can help boost your cybersecurity posture and eradicate persistent threats facing your organization.

Build security from the ground up

Threat remediation requires certain provisions within the systems such as:

This is only possible when security is built into the systems from the ground up. Instead of treating security as layers of defense that can be installed at later stages, build resilient systems that can be modified and improved to remediate security risks.

(See how DevSecOps bakes security into software development.)

Discover & categorize assets

Identify and track your IT workloads, systems, and information assets—IT discovery. Organize a database of records that updates in real-time and keeps track of system and configuration changes.

Evaluate business value & risk

Once you understand where your IT assets are located and how they behave, you can isolate critical assets based on business value and associated risks.

(Learn about the crucial practice of IT asset management.)

Monitor & scan

The next step is to identify potential vulnerabilities and exploits in the IT network. Scanning and monitoring the network is an ongoing process that looks into network traffic behavior and data logs using advanced AI-powered pattern recognition systems.

Prioritize vulnerabilities

Monitoring data can be overwhelming and not all vulnerabilities pose the same risk levels. It is important to quantify the impact risk of vulnerabilities and focus remediation efforts only on the most urgent risks.

(Try the impact, urgency, priority matrix.)

Create a remediation process & frameworks

The threat remediation approach can include a variety of countermeasures. Frameworks such as the Cyber Risk Remediation Analysis (CRRA) help adopt a range of Tactics, Techniques and Procedures (TTPs) associated with specific threats with the following approach:

  • Select TTPs to mitigate
  • Identify plausible countermeasures
  • Assess countermeasure merit
  • Identify optimal countermeasure solution
  • Prepare recommendations

Automate the process

Enforcing a systematic threat remediation framework at scale without delays and human errors can be challenging. Automation not only speeds up remediation, but also enables a data-driven approach to it.

Automation systems can be used to experiment with various TTPs and extract insights to help optimize the remediation efforts on an ongoing basis.

Improve continuously

The threat landscape is constantly evolving. No single threat remediation strategy can guarantee optimal results over the long haul. It’s important to constantly monitor the systems, identify threats, and future-proof both the threat remediation systems as well as your overarching cybersecurity strategy.

Set the culture & provide training

Much of threat remediation can be achieved simply by nurturing a culture of security awareness and best practices in the workplace. These activities, among many, can go a long way toward maintaining an effective cybersecurity posture:

  • Providing regular training programs
  • Rewarding behavior of secure operations
  • Preventing malpractices such as shadow IT

The best threat remediation is proactive & automated

Threat remediation should be viewed as an active approach to cybersecurity measures. It refers to the process by which risk is assessed, indicators are identified, and warnings are flagged, prioritized, and resolved in a cyclical fashion. Effective threat remediation considers context, makes available actionable data and is part of an overall cybersecurity program that includes more traditional measures like preventive anti-virus software and raising employee cybersecurity awareness.

Threat remediation processes can be automated with a vulnerability management system, such as BMC Helix Operations Management. The most valuable threat remediation software must provide relevant information about threats in a way that the relevant people can easily access and consume. It should be able to resolve priorities without human interaction.

Worst Data Breaches of 2021: 4 Critical Examples
https://www.bmc.com/blogs/data-breaches/ (Mon, 08 Nov 2021)

Consumers rely on businesses to deliver customized services in exchange for their personally identifiable information. Consumers participate in this exchange through trust and reliance upon the service provider to protect their sensitive information.

This information—in the wrong hands—has the potential to inflict tangible losses to both parties.

Business organizations therefore invest significant resources to protect consumer data as part of regulatory compliance objectives and a defense mechanism against growing security threats. The threats, however, are growing in sophistication, defeating some of the most technologically advanced enterprises to compromise valuable consumer data.

What is a data breach?

A data breach occurs when information is accessed and taken from a system without the consent of the operator. Bad actors seek to obtain sensitive data, and once acquired, they can often sell it to the highest bidder. Usually, the target is personal identification information (PII).

There are many ways for a data breach to happen, from old-fashioned hardware theft to cleverly engineered AI phishing scams. Information theft is so profitable, in fact, that it is worth the time for criminals to continue to innovate new ways to steal that data. This is why every year we see an uptick in data breaches, especially targeting well-known and otherwise trusted organizations.

(Understand information security in detail.)

4 Major Data Breaches from 2020-2021

This year was no different: a diverse range of organizations with a vast pool of end-users fell prey to cybersecurity incidents.

The following list contains some of the top data breaches of the past year or so, in terms of number of consumers affected, impact in the industry, criticality, and nature of consumer data compromised as well as the acknowledged security stature of the affected business organization.

SolarWinds

Impact: Thousands of large private companies and high-security governmental departments were left vulnerable to Russian hackers.

Revealed: December 2020

Story: SolarWinds is a major US company that provides IT software to 33,000 customers, including large corporations and government entities. Hackers added malicious code to one of their software systems, which then transferred to every customer during a regular system update. The malicious code allowed hackers to install even more malware and ultimately spy on companies and organizations, including the U.S. Department of Homeland Security and the Treasury Department.

SITA

Impact: Frequent flyer data from numerous airlines worldwide were exposed.

Revealed: March 2021

Story: Hackers accessed data through the company SITA’s Horizon Passenger Service System. Not all affected airlines utilize SITA’s system, but their frequent flyer information was accessible due to their connection through the Star and Oneworld Alliance.

Facebook

Impact: The personal information of 533 million Facebook users was found posted online by a hacker, including names, birthdays, phone numbers, locations, and email addresses.

Revealed: April 2021

Story: According to Facebook, the stolen data had been originally scraped a few years ago due to a vulnerability that the company patched in 2019. Cybercriminals could use the exposed data to impersonate people to both:

  • Gain access to even more sensitive information
  • Convince people to hand over login information, orchestrating very convincing phishing scams

The data was posted on a hacking forum for free, allowing almost anyone to access it. The breach affected people from 106 different countries.

T-Mobile

Impact: Compromised the personally identifiable information of more than 50 million previous and current customers.

Revealed: August 2021

Story: A 21-year-old hacker by the name of John Binns accessed T-Mobile’s servers and pulled the personal data of millions of previous and current customers. A breach of this magnitude at a phone company is particularly troubling, because so many two-factor authentication checks for other services go through one’s mobile phone.

What to do in the event of a data breach?

The way things are going, the question is not if a breach will happen, but when. Data theft is incredibly lucrative and that makes it a worthwhile endeavor for bad actors to continue to innovate how it is done.

Of course, there are many things an organization should do if there is a breach on their end, including:

  • Informing your customers of the breach and its included risks
  • Providing some harm mitigation, such as free credit monitoring

As an individual, once you catch wind of a breach that may have affected you, there are a few things you can do to protect yourself from further risk.

Monitor your correspondence

When a company’s data is compromised, they might reach out to inform users of the situation. Be sure to verify via the organization’s secure website or a direct telephone call that the information in the email is correct and not a phishing scam.

It is also important to monitor any unfamiliar communications or unexpected bills that might come your way. Be extra wary when responding to requests for information or password resets.

Confirm what data was stolen

All data breaches expose users to potential hazards, but some data is more sensitive than others. For example:

  • Email addresses and telephone numbers can open the victim to phishing scams and access to login information.
  • A stolen social security number can cause a lot more damage—loans and mortgages could be taken out in your name, without your knowledge.

Verify what information was stolen so you can take the correct measures to protect yourself.

Keep an eye on your financial accounts

Pay attention to your bank and credit card statements to make sure there are no unfamiliar charges posted to them. Many providers allow you to set up alerts to new activity, which will help you stay on top of things as they occur.

Activate fraud alerts

A fraud alert can let lenders know that you are a potential victim of fraudulent activity. This will put a note on your credit reports and ensure that lenders contact you before any line of credit is opened in your name. If you initiate an alert with any of the big three credit reporting agencies (TransUnion, Experian, or Equifax) it will translate to the other two and stay active for 90 days.

Regularly check your credit report

Whether you do so through one of the big three, or if you utilize Annualcreditreport.com for free, it is a good idea to monitor your credit report on a regular basis. This is especially true if you know you may have been the victim of a breach so you can keep an eye out for any unusual activity.

From an Internet consumer perspective, it is important to understand the risks associated with performing transactions, sharing information, or even browsing social media online. It is recommended not to rely on the Internet companies as your last line of defense, but to personally walk the extra mile in protecting your online presence and watching out for any suspicious activity associated with your online or financial accounts.

New Privileged User Monitoring Capabilities for the Mainframe
https://www.bmc.com/blogs/user-monitoring-capabilities-for-the-mainframe/ (Fri, 16 Jul 2021)

Privileged users have access to the most sensitive areas of your mainframe environment. To keep them protected and help prevent credential theft or threats from a malicious insider, you need to go beyond monitoring solutions alone. BMC is excited to announce two new, innovative detection capabilities for BMC AMI Security that will enhance enterprises’ ability to monitor, detect, and respond to threat activities involving privileged users: Unix System Services (USS) privilege enrichment and Supervisor Call (SVC) screener.

Unix System Services (USS) privilege enrichment

Ever wonder if there are new superusers in your Unix subsystem? What if a user suddenly became a superuser with keys to the kingdom and you weren’t aware of it? If a tree falls and no one hears it, did it really produce a sound? (The answer is yes.)

From a security perspective, USS can be a valuable resource for attackers on the mainframe. While the intricacies of z/OS and its numerous applications might be foreign to an attacker, the Unix subsystem offers a familiar environment in which attackers can explore and experiment.

Security teams must maintain visibility into and situational awareness of changes in permissions and access. With the addition of USS privilege enrichment, BMC AMI Security now gives mainframe enterprises that visibility and situational awareness, including visibility into a key subset of privileged users. In addition, BMC AMI Security integrates with modern security information and event management (SIEM) solutions to ensure security teams can leverage this and other critical mainframe security intelligence within their respective analytics engines.
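As an added illustration of what a superuser-change check does (this is not BMC AMI Security’s code), the script below diffs two snapshots of a user listing, flags accounts that newly hold UID 0, and emits alert records in a JSON-lines form a SIEM could ingest. The passwd-style record format, the user names, and the event names are constructed assumptions; a real USS extract would come from RACF OMVS segments and look different.

```python
"""Detect superuser (UID 0) changes between two snapshots of a user listing.

Added example, not BMC AMI Security code. The listing format below
(name:uid:gid:home:shell) is a constructed passwd-style layout used only
for illustration; z/OS USS user data actually lives in RACF OMVS segments.
"""
import json

# Constructed sample snapshots: yesterday's baseline and today's listing.
# jdoe has been changed to UID 0 and opsadm is a brand-new UID 0 account.
BASELINE = """\
root:0:0:/:/bin/sh
appsvc:5001:500:/u/appsvc:/bin/sh
jdoe:5002:500:/u/jdoe:/bin/sh
batch01:5003:501:/u/batch01:/bin/sh
"""

CURRENT = """\
root:0:0:/:/bin/sh
appsvc:5001:500:/u/appsvc:/bin/sh
jdoe:0:500:/u/jdoe:/bin/sh
batch01:5003:501:/u/batch01:/bin/sh
opsadm:0:0:/u/opsadm:/bin/sh
"""


def parse_listing(text):
    """Parse name:uid:gid:home:shell lines into {name: record}.

    Blank lines and '#' comments are skipped; malformed or duplicate
    entries raise, because a silently skipped record could hide a new
    superuser from the comparison.
    """
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        name, uid, gid, home, shell = parts
        if name in users:
            raise ValueError(f"line {lineno}: duplicate user {name!r}")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def superusers(users):
    """Names of all accounts whose UID is 0."""
    return {name for name, rec in users.items() if rec["uid"] == 0}


def diff_privilege(baseline, current):
    """Return a list of events describing superuser changes.

    Gained privilege is split into two kinds so an analyst can tell an
    existing account being promoted apart from a new UID 0 account being
    created. Removed superusers are reported as well, at lower severity,
    since that is also a change worth reconciling against change tickets.
    """
    base_su = superusers(baseline)
    cur_su = superusers(current)
    events = []
    for name in sorted(cur_su - base_su):
        if name in baseline:
            events.append({"event": "UID_CHANGED_TO_0", "severity": "high",
                           "user": name, "old_uid": baseline[name]["uid"],
                           "new_uid": 0})
        else:
            events.append({"event": "NEW_SUPERUSER", "severity": "high",
                           "user": name, "old_uid": None, "new_uid": 0})
    for name in sorted(base_su - cur_su):
        new_uid = current[name]["uid"] if name in current else None
        events.append({"event": "SUPERUSER_REMOVED", "severity": "info",
                       "user": name, "old_uid": 0, "new_uid": new_uid})
    return events


def to_jsonl(events, source="uss-privilege-check"):
    """Serialize events as one JSON object per line for SIEM ingestion."""
    return "\n".join(json.dumps({"source": source, **e}, sort_keys=True)
                     for e in events)


if __name__ == "__main__":
    found = diff_privilege(parse_listing(BASELINE), parse_listing(CURRENT))
    print(to_jsonl(found))
```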

Supervisor Call (SVC) screener

In addition to privileged users, security teams must also have visibility into privileged “calls” on the mainframe. A call is simply the process of executing another predefined routine or set of instructions. Even without access to a privileged account, an adversary can intercept an authorized SVC and use it to do anything they want on the mainframe. Thankfully, BMC AMI Security now checks for anomalous SVCs to ensure they are not misused, continually scanning the SVC table to ensure that SVCs are only present in sensitive areas of the mainframe and not in other areas where an attacker could leverage them for nefarious purposes.

The features above are just two of many capabilities BMC AMI Security provides to detect and respond to threats on the mainframe. To learn more about how USS privilege enrichment and SVC screener work, read our new BMC whitepaper here. To learn more about how BMC AMI Security helps enterprises detect and respond to threats on the mainframe, watch this video.

Sounding the Alarm: the Top Mainframe Security Threats
https://www.bmc.com/blogs/top-mainframe-security-threats/ (Wed, 30 Jun 2021)

The headlines keep on coming. British Airways data breach: thousands of customers given more time to claim compensation. Amazon data breach fears, European e-ticketing platform Ticketcounter extorted in data breach, Oxfam Australia supporters embroiled in new data breach. And on and on it goes.

While these breaches don’t specifically relate to mainframes, it’s clear we are living in dangerous times, especially when the mainframe continues to be the processing and transactional heart of so many organizations and is increasingly viewed as a hub for innovation. In every location where our team carries out a security audit or penetration test, we always expose significant, previously unknown security concerns. So, why is the mainframe at risk to this degree?

The people who truly “know the mainframe” and understand it have traditionally been a small group. This complexity has led most everyone else to conclude that it’s virtually secure by default. It’s not. There’s also a general lack of understanding around the detail of mainframe security by the very people tasked with keeping it secure. This leads to vulnerabilities.

As an example, individuals may not properly understand the risks involved in giving someone a superuser privilege. We have workplaces where employees are given read access to everything. But in the mainframe world, if you can read something—especially data—you can copy it. If you can copy, you can download. And if you can download, you can potentially exfiltrate the data.

In addition, the average person can’t just buy a mainframe, install the software, and start testing it. The technology is still too costly and too tightly controlled to be reverse engineered. But that’s changing as more information is shared online. Knowledge about the platform and how it can be hacked is becoming more widespread.

With that backdrop in mind, I want to share the top threats we’ve identified in the course of our work.

  1. Too many users with escalated privileges. In this situation, the Superuser privilege can be inappropriately used, granting users excessive access to system services and OMVS/USS (Unix System Services) resources and data. This means data can be easily copied, deleted, or held to ransom, and the ramifications can be huge. Read access is so often the norm, but the default access should actually be none. This is about applying the principle of least privilege (PoLP).
  2. Privilege escalation vulnerabilities. Many enterprises grant excessive access to libraries and authorized datasets. This increases the risk of someone accessing your files to elevate their own permissions on the system. That could mean taking yourself from problem state, where normal users/applications run, to supervisor state: a supposedly “protected” and authorized elevated state in which a user has free rein to do all the clever stuff—or to make mischief. In the non-mainframe world, this would be called getting root-level privileges. If bad actors can get to that state, they gain the ability to read and write all data, including memory.
  3. Default passwords and weak password management. Password insecurity is rife; it’s been estimated that it would take a hacker less than a second to crack eight of the ten most commonly used passwords. Password vaults are not commonly used. Organizations should not rely solely on passwords and must ensure strong password controls, avoiding static passwords and ensuring they are changed regularly. For mainframe privileged users, multi-factor authentication (MFA) is a must.
  4. Access to sensitive and cryptographic data. Additional processes, procedures, and rigor are urgently required around protecting cryptographic data and keys. Read access to the database allows it to be copied and downloaded. Data set profiles that are poorly configured allow read, update, and control access. This means data can be copied, updated, or downloaded. Once downloaded, offline password-cracking tools can reveal passwords in the database.
  5. “Faceless” accounts. This is another possible attack vector for hackers that occurs when the organization needs an account for a system task but there’s no real person or actual user associated with it. These accounts often come with system-level privileges. They typically have a password that is rarely changed and, if they do have a password, it’s usually easy to guess. Have you protected all of your “faceless” accounts properly, and are they appropriately defined?

In most cases, weak controls and inadequate security measures are exacerbated by a number of factors. These can include insufficient headcount; inadequate resourcing or a lack of in-house skills combined with poor system configuration; and processes that are no longer fit-for-purpose or simply not in place. Many sites are running outdated (or have a complete absence of) appropriate security tools and technologies.

The best way to start securing your mainframe is to work towards a Zero Trust culture. And when you’re tackling a specialist area like this, you may need additional firepower. Few people would attempt to rewire their house or apartment and deal with the dangers of electricity without having the right tools on hand—or, indeed, without being an experienced and accredited electrician. Instead, we pick up the phone or head online to find someone who knows what they’re doing.

With so much at stake, it may be time to call in the experts.

IT Security vs IT Compliance: What’s The Difference?
https://www.bmc.com/blogs/it-security-vs-it-compliance-whats-the-difference/ (Fri, 25 Jun 2021)

The line between security and compliance is easily blurred. Sometimes they feel like a moving target. Maybe you’ve asked yourself one of these burning questions:

  • How do we create comprehensive security programs while meeting compliance obligations?
  • Is checking the compliance box really enough?
  • How does all this enable the business to function and move forward?

These questions shape the direction of an organization and ultimately cause it to succeed or fail.

So, in this article, let’s clarify the differences between IT security and IT compliance.

What is IT security?

Security officers follow industry best practices to secure IT systems, especially at the organizational or enterprise level. Security pros are constantly looking at how to both:

  • Prevent attackers from harming the company IT infrastructure and business data
  • Mitigate the amount of damage that is done when an attack is successful

In the past, administrators would take a purely technical approach and rely heavily on systems and tools to protect their network. Today, though, things have changed.

Due to increased specialization and technical know-how, IT security is not limited to a single field or discipline. Instead, there are multiple areas such as architecture and infrastructure management, cybersecurity, testing, and especially information security—arguably the most critical policy for any organization.

Information security (InfoSec) is exercising due diligence and due care to protect the confidentiality, integrity, and availability of critical business assets, something security pros know as the CIA Triad. Any IT security program must take a holistic view of an organization’s security needs and implement the proper physical, technical, and administrative controls to meet those objectives.

Taking the three key functions of confidentiality, integrity, and availability, organizations can implement effective InfoSec protocols. But what does CIA actually mean?

Here are three key sections in understanding how InfoSec must be managed.

  • Confidentiality. Company information can be sensitive information—customer data, proprietary information, innovations in the works. It is the duty of IT security to protect this information. Ensuring that only the correct and authorized user(s) and system(s) can read, change, and use data is key.
  • Integrity. Information and the system it is contained in must be correct. Having integrity means knowing that what is stored is correct and that the system has measures to ensure that.
  • Availability. Systems and information need to be available when they are needed. If a system isn’t available, it can’t be relied on.

Two additional properties, authentication and non-repudiation, are also vital to IT security.

(Learn more in our IT security policy explainer.)

How IT security looks today

Traditionally, security professionals would rely on devices like firewalls and content filters along with network segmentation and restricted access. But as modern threat agents became more and more sophisticated, the tools that security analysts and officers had to use became more complex too.

Old-school technical controls cannot account for:

Today, security professionals need to have a fuller kit of tools to battle against malicious outside threats.

The concept of IT Security comes down to employing certain measures to have the best possible protection for an organization’s assets. At the heart of all good IT security protocols is the CIA triad.

(Explore the roles of Chief Information Security Officer and the security team.)

What is IT compliance?

IT compliance is the process of meeting a third party’s requirements with the aim of enabling business operations in a particular market or aligning with laws or even with a particular customer.

Compliance sometimes overlaps with security—but the motive behind compliance is different. It is centered around the requirements of a third party, such as:

  • Industry regulations
  • Government policies
  • Security frameworks
  • Client/customer contractual terms

Let’s say that IT security is a carrot: it motivates the company to protect itself because it is good for the company. IT compliance, then, is the stick—failure to effectively follow compliance regulation can have serious effects on your business.

Often, these external rules ensure that a given organization can deal with complex needs. Sometimes, compliance requires an organization to go beyond what might be considered reasonably necessary. These objectives are critical to success because a lack of compliance will result in:

  • At minimum, a loss of customer trust and damage to your reputation.
  • At worst, legal and financial ramifications that could result in your organization paying hefty fees or being blocked from working in a certain geography or market.

Areas where compliance is a key business concern:

  • Countries with data/privacy laws like GDPR, the California Consumer Privacy Act, and more
  • Markets with heavy regulations, such as healthcare or finance
  • Clients with high confidentiality standards

These areas almost always demand a high level of compliance. Importantly, IT compliance can apply in domains other than IT security. Complying with contract terms, for example, might be about how available or reliable your services are, not only if they’re secure.

When is compliance necessary?

When you need to comply with certain regulations depends on many factors:

  • Your industry
  • Your company’s size or location
  • The customers you serve
  • Many other factors

Many laws outline very specific criteria that a business must meet—but they don’t apply to everyone. For example:

  • HIPAA is a U.S. law that defines how the healthcare industry protects and shares personal health information.
  • SOX is a financial regulation in the U.S. that applies to a broad spectrum of industries.
  • Payment Card Industry Data Security Standards (PCI-DSS) are a group of security regulations that protect consumer privacy when personal credit card information is transmitted, stored, and processed by businesses.
  • ISO 27001, on the other hand, is not a law but a standard that companies can opt into by aligning with these InfoSec standards.

Other standards you must comply with might be neither law nor opt-in—some might originate directly with your customers. A high-profile client may require the business to implement very strict security controls in order to award their contract.

Compliance & GRC

Compliance is only one section of a broader scheme for ensuring an organization meets industry, government, or other regulations. These are summed up in the acronym GRC:

  • Governance. Before compliance is possible, organizations need to make plans that are directed and controlled. Setting direction, monitoring developments, and evaluating outcomes are all key to effective governance.
  • Risk. Danger is everywhere and it needs to be recognized. Compliance requires that risks be identified, analyzed, and controlled as much as is possible.
  • Compliance. When appropriately governed and risk-managed, an organization can evaluate its compliance. Standards are not just set but evaluated and managed at every step.

Comparing IT security & IT compliance

Security is the practice of implementing effective technical controls to protect company assets. Compliance is the application of that practice to meet a third party’s regulatory or contractual requirements.

Here is a brief rundown of the key differences between these two concepts. Security is:

  • Practiced for its own sake, not to satisfy a third party’s needs
  • Driven by the need to protect against constant threats to an organization’s assets
  • Never truly finished and should be continuously maintained and improved

Compliance is:

  • Practiced to satisfy external requirements and facilitate business operations
  • Driven by business needs (rarely technical needs)
  • “Done” when the third party is satisfied

At first glance, it’s easy to see that a strictly compliance-based approach to IT security falls short of the mark. This attitude focuses on doing only the minimum required in order to satisfy requirements, which would quickly lead to serious problems in an age of increasingly complex malware and cyberattacks.

How security & compliance work together

We can all agree that businesses need an effective IT security program. Robust security protocols and procedures enable your business to go beyond checking boxes and start employing truly effective practices to protect its most critical assets.

This is where concepts like defense in depth, layered security controls, and user awareness training come in, along with regular tests by external parties to confirm that these controls are actually working. If a business focused solely on meeting compliance standards that don’t require these critical functions, it would be leaving the door wide open to attackers who prey on low-hanging fruit.

While compliance is often seen as doing only the bare minimum, it’s useful in its own right. Compliance is an asset to the business, not just a set of hoops you must jump through. Becoming compliant with a respected industry standard like ISO 27001 can:

  • Bolster your organization’s reputation
  • Garner new business with security-minded customers

Compliance can also help to identify gaps in your existing IT security program that might otherwise go unnoticed until a compliance audit. Additionally, compliance gives organizations a standardized security program, as opposed to one where controls are chosen at the whim of the administrator.

Secure & comply: both business-critical

The astute security professional will see that security and compliance go hand in hand and complement each other in areas where one may fall short.

  • Compliance establishes a comprehensive baseline for an organization’s security posture.
  • Diligent security practices build on that baseline to ensure that the business is covered from every angle.

With an equal focus on both of these concepts, a business will be empowered to not only meet the standards for its market but also demonstrate that it goes above and beyond in its commitment to digital security.
