
Introducing The Vanguardian

The Vanguard Marketing Department is proud to officially announce the Vanguardian Quarterly News. The Vanguardian will feature important Vanguard and industry information, press releases, corporate events, new product offerings and general interest stories.

The Vanguardian represents a way to distribute important information to Vanguard customers and prospects with the latest updates and relevant news.

If you would like to suggest a topic of interest or any Vanguard news, please contact the Vanguard Marketing Department directly.

Volume 1C Issue 1C Published Quarterly Edition: July 2017

Vanguard Cyber Bob is a Cyber Security Super Hero – representing the expertise, knowledge and skills required to investigate, troubleshoot, isolate, remediate and resolve any cyber-security challenge.

What is Vanguard Cyber Bob?

Vanguard Cyber Bob symbolizes every employee at Vanguard, committed to our customers, their enterprises and the security and protection of their data.

Vanguard Cyber Bob represents our value proposition of AGILITY | SERVICE | KNOWLEDGE and INNOVATION.

Why Vanguard Cyber Bob?

The world needs a cyber-security super hero. With all the cyber-attacks, ransomware and cyber terrorism, companies, governments and enterprises today need a partner they can trust: a partner they can turn to for help and guidance, a partner capable of investigation, resolution and preparation for the next cyber crisis.

https://www.go2vanguard.com/cyber-bob-videos/

2017 – The Vanguardian News – Vanguard Integrity Professionals – Customer News

Who is Vanguard Cyber Bob?

Vanguard Cyber Bob represents the Vanguard Cyber Security Expert – epitomizing the industry’s leading Security Experts at Vanguard Integrity Professionals.

In this edition:
• Who is Cyber Bob?
• What is GDPR?
• Press Releases
• Shows and Events
• The Cost of a Data Breach
• Top Ten Assessment Findings
• Vanguard Security & Compliance


What is GDPR?

General Data Protection Regulation (GDPR)

Personal data is defined as any information relating to an identified or identifiable person. This includes online identifiers, such as IP addresses and cookies if they are capable of being linked back to the person. This also includes indirect information, which might include physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific person. There is no distinction between personal data about an individual in their private, public, or work roles – all are covered by this regulation.

Companies will be required to “implement appropriate technical and organizational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data.

Data protection safeguards must be designed into products and services from the earliest stages of development. These safeguards must be appropriate to the degree of risk associated with the data held and might include:
• Pseudonymisation and/or encryption of personal data.
• Ensuring the ongoing confidentiality, integrity, availability and resilience of systems.
• Restoring the availability of and access to data in a timely manner following a physical or technical incident.
• Introducing a process for regularly testing, assessing and evaluating the effectiveness of the system or systems.

GDPR (cont.)

An important element of the regulation requires consent to be given by the individual or person whose data is held.

Organizations will need to be able to show how and when consent was obtained.

Individuals must be able to withdraw consent at any time and have a right to be forgotten: if the data is no longer required for the purposes for which it was collected, it must be erased.

Companies must report breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

In the event of a personal data breach, companies must notify the appropriate supervisory authority “without delay and, where feasible, not later than 72 hours after having become aware of it” if the breach is likely to “result in a risk for the rights and freedoms of individuals”.

CYBER TIP


Awareness – Education – Preparation. Cyber Terrorism is not going away! Cybersecurity is a way of LIFE!


Vanguard 2017 Press Releases

VANGUARD INTEGRITY PROFESSIONALS ANNOUNCE ENHANCED MULTI-FACTOR AUTHENTICATION SOLUTION - January 17, 2017

VANGUARD INTEGRITY PROFESSIONALS ANNOUNCE VANGUARD INCOMPLIANCE™ PERFORMING MILLIONS OF CRITICAL COMPLIANCE CHECKS - January 31, 2017

VANGUARD INTEGRITY PROFESSIONALS AT SHARE 2017 IN SAN JOSE - February 9, 2017

VANGUARD INTEGRITY PROFESSIONALS ANNOUNCE VANGUARD ADMINISTRATOR™ HELPING TO REDUCE THE CHANCE OF SECURITY BREACH - February 22, 2017

VANGUARD INTEGRITY PROFESSIONALS ANNOUNCE WEBINAR - February 28, 2017

VANGUARD INTEGRITY PROFESSIONALS ANNOUNCE VANGUARD ADVISOR™ HELPING ELIMINATE SECURITY EXPOSURES - March 21, 2017


Vanguard Events

SHARE Providence 2017 – Providence, RI – August 6-11, 2017

AFCEA Homeland Security – Washington, D.C. – September 12-14, 2017

CSX 2017 North America – Washington, DC – October 2-4, 2017

GSE UK Conference 2017 – United Kingdom – November 7-8, 2017

Vanguard 2017 Press Releases (cont.)

VANGUARD SECURITY & COMPLIANCE™ 2017 - March 28th, 2017

VANGUARD INTEGRITY PROFESSIONALS AT CACS 2017 IN LAS VEGAS - April 4th, 2017

VANGUARD INTEGRITY PROFESSIONALS ANNOUNCE VANGUARD ANALYZER™ PROVIDES EXPERT-LEVEL VULNERABILITY ASSESSMENTS - April 18th, 2017

VANGUARD INTEGRITY PROFESSIONALS COMMITTED TO THE STRENGTHENING OF CYBERSECURITY WHILE RANSOMWARE TAKES CENTER STAGE - May 17th, 2017

VANGUARD INTEGRITY PROFESSIONALS AT EURO CACS 2017 IN MUNICH, GERMANY - May 23rd, 2017

VANGUARD INTEGRITY PROFESSIONALS AT 2017 AFCEA DEFENSE CYBER OPERATIONS SYMPOSIUM - June 6th, 2017

CYBER TIP

A Password is like a toothbrush... Use it every day, change it regularly and NEVER SHARE it with friends!


2017 The Cost of a Data Breach

The global cost of data breach decreases. The average cost of data breach decreased 10 percent and the per capita cost decreased 2.9 percent. However, the average size of a data breach (number of records lost or stolen) increased 1.8 percent. Last year the average total cost increased 5.4 percent, and the average size of a data breach increased 3.2 percent.

Data breaches are most expensive in the United States and Canada and least expensive in Brazil and India. The average per capita cost of data breach was $225 in the United States and $190 in Canada. The lowest cost was Brazil ($79) and India ($64). The average total organizational cost in the United States was $7.35 million and $4.94 million in the Middle East. The lowest average total organizational cost was in Brazil ($1.52 million) and India ($1.68 million).

Certain industries have more costly data breaches. The average global cost of data breach per lost or stolen record was $141. However, health care organizations had an average cost of $380 and in financial services the average cost was $245. Media ($119), research ($101) and public sector ($71) had the lowest average cost per lost or stolen record.

Organizations in certain countries are more likely to have a data breach. Throughout the past four years, this research has studied the likelihood of one or more data breaches over a 24-month period. South Africa and India have the highest estimated probability of occurrence. Germany and Canada have the lowest probability of a data breach in the next 24 months.

Detection and escalation costs are highest in Canada and lowest in Brazil. Data breach costs to detect and escalate the incident are forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors. The average detection and escalation costs for Canada was $1.46 million. In contrast, the average cost for detection and escalation for Brazil was $0.43 million.

The United States and the Middle East spend the most on post data breach response. Post data breach response activities include help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions. In the United States, these costs were $1.56 million and $1.43 million in the Middle East.

Companies in the Middle East and Canada have the highest direct per capita costs and the United States has the highest per capita indirect costs. The Middle East and Canada had the highest direct per capita cost (both $81). These costs refer to the direct expense outlay to accomplish a given activity such as engaging forensic experts, hiring a law firm or offering victims identity protection services. The United States had the highest indirect per capita cost ($146).

Report Highlights

• $3.62M average total cost of data breach.

• 10% one-year decrease in average total cost.

• $141 average cost per lost or stolen record.

• 11.4% one-year decrease in per capita cost.

• 27.7% likelihood of a recurring data breach over the next two years.


June 2017 Ponemon Institute Report


Malicious or criminal attacks target Middle East and U.S. organizations. Fifty-nine percent of breaches in the Middle East and 52 percent of breaches in the United States were due to hackers and criminal insiders. Only 40 percent of data breaches in Italy and South Africa were due to malicious attacks. Italian and ASEAN organizations have the highest percentage of human error at 36 percent and 35 percent, respectively. German and Indian organizations were most likely to experience a data breach caused by a system glitch or business process failure (34 percent and 33 percent, respectively).

The more records lost, the higher the cost of the data breach. Cost analysis reveals a relationship between the average total cost of data breach and the size of the incident. In this year’s study, the average total cost ranged from $1.9 million for incidents with less than 10,000 compromised records to $6.3 million for incidents with more than 50,000 compromised records. Last year the cost ranged from $2.1 million for a loss of less than 10,000 records to $6.7 million for more than 50,000 records.

The faster the data breach can be identified and contained, the lower the costs. For the third year, our study reports the relationship between how quickly an organization can identify and contain data breach incidents and the financial consequences. The mean time to identify (MTTI) was 191 days, with a range of 24 to 546 days. The mean time to contain (MTTC) was 66 days with a range of 10 to 164 days. Both the time to identify and the time to contain were highest for malicious and criminal attacks (214 and 77 days, respectively) and much lower for data breaches caused by human error (168 and 54 days, respectively).

Hackers and criminal insiders cause the most data breaches. Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $156. In contrast, system glitches cost $128 per record and human error or negligence is $126 per record. Companies in the United States and Canada spent the most to resolve a malicious or criminal attack ($244 and $201 per record, respectively). India spent far less ($78 per record).


The Top Ten Assessment Findings most prevalent in z/OS RACF systems audited by Vanguard Integrity Professionals

By Brian Marshall – Vice President R&D

In today’s age of penetrations and exfiltration of customer data, a security assessment of your mainframe security server is required. Vanguard security assessments include a rigorous review of security policies and procedures and cover more than 170 security configuration controls.

From the last 200 RACF and z/OS security assessment reports conducted by Vanguard Integrity Professionals, we analyzed the results so we could categorize and learn from the most common security findings. The list included in this article shows the top ten most prevalent security findings across over 200 assessments.

Top Ten Security Assessment Findings

Let’s start with the list, which shows the percentage of shops in which each finding occurred, followed by the severity category of the finding.

The severity categories are defined as follows:
• SEVERE (needs immediate remediation)
• HIGH (needs plan of remediation for some point in the relatively near future)
• MEDIUM (needs plan of remediation for some point in the future)
• LOW (should be remediated when time and resources permit)


“Top Ten” Assessment Finding #1

Finding: Excessive Number of User IDs with No Password Interval

Risk: Since passwords do not need to be changed periodically, people who knew a password for an ID could still access that ID even if they are no longer authorized users.

Recommended Best Practice and Remediation: Review each of the personal user profiles to determine why they require NOINTERVAL. Their passwords should adhere to the company’s policy regarding password changes. If the user ID is being used for started tasks or surrogate, it should be reviewed and changed to PROTECTED.


“Top Ten” Assessment Finding #2

Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0).

Risk: Since the UNIX environment is the z/OS portal for critical applications such as file transfers, web applications, and TCPIP connectivity to the network, the ability of these superusers to accidentally or maliciously affect these operations is a serious threat. No personal user IDs should be defined with an OMVS segment specifying UID(0).

Recommended Best Practice and Remediation: The assignment of UID(0) authority should be minimized by granting access to one or more of the ‘BPX.qualifier’ profiles in the FACILITY class and one or more profiles in the UNIXPRIV class rather than granting UID(0) authority.

“Top Ten” Assessment Finding #3

Finding: Improper Use or Lack of UNIXPRIV Profiles.

Risk: Without the UNIXPRIV profiles defined, administrator IDs would require superuser ability through the assignment of UID(0). The ability of these superusers to accidentally or maliciously affect the operation of your z/OS UNIX system is a serious threat.

Recommended Best Practice and Remediation: Review the SUPERUSERs’ activity to determine if granular profiles may be defined in the UNIXPRIV class that will grant the required level of access to a subset of resources. Refine the access list and define more granular profiles based upon the superuser functions that the users with UID(0) need.

“Top Ten” Assessment Finding #4

Finding: Sensitive Data Sets with UACC Greater than NONE.

Risk: Data sets that are protected by a RACF profile with a UACC greater than READ allow most users with system access to read or modify these data sets. In addition, users may be able to delete any data set covered by the data set profiles that have a UACC of ALTER.


Recommended Best Practice and Remediation: Identify sensitive data sets. Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. Ensure there are no undefined started tasks using these data sets before changing the UACC to NONE. From an Advisor extract that includes an IPL, run a Data Set Access by User ID report with Log Reason NRD.

“Top Ten” Assessment Finding #5

Finding: Critical Data Set Profiles with UACC of READ

Risk: Data sets that are protected by a RACF profile with a UACC of READ will allow most users with system access to read or copy sensitive and critical data residing in these data sets.

Recommended Best Practice and Remediation: Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with READ access.

“Top Ten” Assessment Finding #6

Finding: Started Task IDs are not Defined as PROTECTED IDs.

Risk: RACF will allow the user ID to be used for the started task even if it has been revoked, but some started tasks may either submit jobs to the internal reader (and those jobs will fail because the associated user ID has been revoked) or may issue a RACROUTE REQUEST=VERIFY macro for the user ID, and that will also fail.

Recommended Best Practice and Remediation: Review all started task user IDs that are not protected. Determine if the user IDs are used for any other function that might require a password. Define started task user IDs as PROTECTED for those tasks that do not require a password.


“Top Ten” Assessment Finding #7

Finding: Excessive Access to the SMF Data Sets.

Risk: The ability to READ SMF data enables someone to identify potential opportunities to breach your security. If UPDATE or higher access is granted, a risk of audit log corruption exists. Access control for the unloaded data is critical to ensure a valid chain of custody.

Recommended Best Practice and Remediation: Ensure that access authority to SMF collection files is limited to only systems programming staff and/or batch jobs that perform SMF dump processing, and ensure that UPDATE and higher accesses are being logged.

“Top Ten” Assessment Finding #8

Finding: Excessive Access to z/OS UNIX File System Data Sets.

Risk: z/OS UNIX HFS and ZFS file systems are contained in local MVS data sets. These data sets need to be RACF protected. Anyone that has at least READ access to the z/OS File System data sets can make a copy and possibly view the contents of the z/OS UNIX files.

Recommended Best Practice and Remediation: Determine which users have a legitimate need to access the USS File System data sets. Then create appropriate access lists and set the UACCs to NONE. Also, review the Global Access Table to make sure it does not have any entries that override the data set profiles that might give an access higher than NONE.

“Top Ten” Assessment Finding #9

Finding: Excessive Access to APF Libraries.

Risk: UPDATE or higher access to an APF library can allow an individual to create an authorized program to bypass security controls and execute privileged instructions. UPDATE or higher access should be limited to senior systems support staff.

Recommended Best Practice and Remediation: Review the protection of all APF libraries. Remove or change inappropriate access list entries and ensure that all UPDATE activities are logged to SMF.

“Top Ten” Assessment Finding #10

Finding: Unauthorized Started Task IDs are Defined as TRUSTED.

Risk: Trusted started tasks bypass RACF checking. It is vital that this attribute is not granted to unauthorized started tasks which could then obtain unauthorized access to the system. The TRUSTED attribute should be specified only for those IBM supplied started tasks that execute as part of the z/OS operating system.

Recommended Best Practice and Remediation: Specify UAUDIT for the user IDs assigned to each started task defined as TRUSTED to cause SMF logging of data sets and resources accessed. Each of these started tasks will need to be reinitiated for the UAUDIT attribute to take effect. For some started tasks, this may imply a requirement to re-IPL z/OS. From the SMF log information, permit access to each of these started tasks to only the data sets and resources that they actually require. Once this has been done, the TRUSTED attribute can be removed.

Summary: To ensure critical assets are properly protected, organizations need to perform regular mainframe security assessments. If your organization hasn’t had a security assessment performed on its mainframe, the information in this article is a good place to start. If you or your organization is interested in a more complete set of guidelines for securing a z/OS RACF mainframe, you may want to review the DOD DISA STIGs which cover many different hardware and software platforms including the Z System and the associated security servers, ACF2, Top Secret and RACF.
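The findings above map naturally onto automated checks. As an added example (not code from the newsletter or from Vanguard's products), the following Python script applies Findings #1, #2, #4, #5, #6 and #10 to a constructed, simplified inventory of user and data set profiles; the record layout, the IDs and the data set names are assumptions for the illustration, standing in for what an assessor would extract from an IRRDBU00 unload or LISTUSER/LISTDSD output.

```python
"""Constructed checker for Findings #1, #2, #4, #5, #6 and #10. The record layout is a
hypothetical simplification for this example, not the IRRDBU00 or LISTUSER format."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RACF access levels in increasing order of authority.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}
Finding = Tuple[int, str, str]  # (finding number, user ID or data set name, detail)

@dataclass
class UserProfile:
    userid: str
    personal: bool                  # a person's ID, not a started task or surrogate ID
    started_task: bool = False
    password_interval: Optional[int] = None  # None models NOINTERVAL
    protected: bool = False         # PROTECTED: no password, cannot be used to log on
    trusted: bool = False           # TRUSTED: bypasses RACF checking
    uaudit: bool = False            # UAUDIT: every access by this ID is logged to SMF
    ibm_supplied: bool = False      # IBM-supplied z/OS started task, where TRUSTED is expected
    omvs_uid: Optional[int] = None  # OMVS segment UID; 0 is the z/OS UNIX superuser

@dataclass
class DatasetProfile:
    name: str
    uacc: str
    sensitive: bool = False         # assessor-tagged: APF library, SMF, zFS container, ...

def check_users(users: List[UserProfile]) -> List[Finding]:
    """Findings #1, #2, #6 and #10, applied to each user profile."""
    out: List[Finding] = []
    for u in users:
        if u.password_interval is None and not u.protected:        # #1
            fix = "apply the password-change policy" if u.personal else "define as PROTECTED"
            out.append((1, u.userid, f"NOINTERVAL on an ID that has a password: {fix}"))
        if u.personal and u.omvs_uid == 0:                          # #2
            out.append((2, u.userid, "personal ID with UID(0); use BPX.* FACILITY and UNIXPRIV profiles"))
        if u.started_task and not u.protected:                      # #6
            out.append((6, u.userid, "started task ID is not PROTECTED, so a revoke breaks it"))
        if u.started_task and u.trusted and not u.ibm_supplied:     # #10
            step = ("permit only the resources seen in SMF, then remove TRUSTED" if u.uaudit
                    else "set UAUDIT first to record which resources it really uses")
            out.append((10, u.userid, f"non-IBM started task is TRUSTED: {step}"))
    return out

def check_datasets(datasets: List[DatasetProfile]) -> List[Finding]:
    """Finding #4 (sensitive, UACC above NONE) and #5 (critical, UACC of READ)."""
    out: List[Finding] = []
    for d in datasets:
        rank = ACCESS_RANK[d.uacc.upper()]
        if not d.sensitive or rank == ACCESS_RANK["NONE"]:
            continue
        if rank == ACCESS_RANK["READ"]:
            out.append((5, d.name, "UACC READ lets every user read or copy it; check SMF for real readers"))
        else:
            out.append((4, d.name, f"UACC {d.uacc.upper()} exceeds NONE; confirm no undefined started tasks use it"))
    return out

def assess(users: List[UserProfile], datasets: List[DatasetProfile]) -> List[Finding]:
    # Run every check; results are ordered by finding number, then subject.
    return sorted(check_users(users) + check_datasets(datasets), key=lambda f: f[:2])

def summarize(findings: List[Finding]) -> Dict[int, int]:
    # Count findings per finding number, e.g. {1: 2, 2: 1}.
    return dict(Counter(number for number, _, _ in findings))

# Constructed sample inventory: hypothetical IDs and data set names.
SAMPLE_USERS = [
    UserProfile("JSMITH", personal=True, password_interval=30, omvs_uid=1001),     # clean
    UserProfile("ADMIN1", personal=True, omvs_uid=0),                               # #1, #2
    UserProfile("BATCHFTP", personal=False, started_task=True),                     # #1, #6
    UserProfile("JES2", personal=False, started_task=True, protected=True, trusted=True, ibm_supplied=True),  # clean
    UserProfile("MYAPPSTC", personal=False, started_task=True, protected=True, trusted=True),  # #10
]
SAMPLE_DATASETS = [
    DatasetProfile("SYS1.APF.LOADLIB", "UPDATE", sensitive=True),    # #4
    DatasetProfile("SYS1.SMF.DUMP", "READ", sensitive=True),         # #5
    DatasetProfile("PROD.PAYROLL.MASTER", "NONE", sensitive=True),   # clean
    DatasetProfile("PUBLIC.CLIST", "READ"),                          # not tagged sensitive
]
```

Calling `assess(SAMPLE_USERS, SAMPLE_DATASETS)` returns seven findings for the sample inventory, and `summarize` shows how many shops-worth of each finding an assessor would report.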


100 Days Until Vanguard Security & Compliance – Conference 2017.

Register Today at www.go2vsc.com


+1.702.794.0014

New Vanguard Solutions

Did you know Vanguard was featured in the USA Today Homeland Security Special Edition?

Vanguard Multifactor Authentication now supports DUO and Ping Identity…

What are DUO and Ping?

Duo and Ping are tokenless two-factor authentication solutions with a simple one-time response from a smart phone or an easy-to-use passcode.