“Today, the growth in computer interconnectivity brings a heightened risk of disruption or sabotage of critical operations.” These are the words of Patrick P. O’Carroll, Jr., Acting Inspector General of the Social Security Administration, delivered as part of his September 22, 2004 testimony before Congress. The subject of the testimony was “Theft of Electronic Data,” and O’Carroll was describing steps being taken by SSA to protect the highly sensitive information that the agency maintains about each American.
It is comforting to know that, while there are some who still don’t fully acknowledge the threat that viruses and malicious code pose to security infrastructures, those keeping watch over our Social Security information do; and they are going on the offensive against the threat.
A History of Protection
Tracing back the roots of SSA uncovers a longstanding determination to act proactively in safeguarding information. In testimony given before Congress on September 11, 2000, John R. Dyer, Executive Director to the Deputy Commissioner and Chief Information Officer, pointed out that:
“SSA has always taken its responsibility to protect the privacy of personal information in Agency files very seriously. The Social Security Board's first regulation, published in 1937, dealt with the confidentiality of SSA records. For 65 years, SSA has honored its commitment to the American people to maintain the confidentiality of the records in our possession. We understand in order to address privacy concerns we need a strong computer security program in place.”
As society becomes more and more intertwined with computers and the Internet at the dawn of the new millennium, SSA is again stepping up to the challenge.
Of course, the threat from viruses—while growing—is not new. Does this mean that going on the offensive at this point in time indicates a slow response to a gathering storm? Not at all. SSA has already tackled the issue of viruses on platforms other than the iSeries. As Dyer indicated in this same 2000 testimony:
“We are well aware of the daily stories about new viruses, hackers, and security breaches and have taken both preventive and enforcement actions to protect information in Social Security files from any wrongful use by our own employees and from any unauthorized access by outsiders.”
This statement came under the heading “New Emerging Concerns”—and indeed it is once again an emerging concern that SSA is taking on with the realization that true protection from viruses threats must include all systems in the organization, including the iSeries and AS/400s. For years the widespread belief has been that the iSeries was immune from viruses. Recent virus activity, however, has forced the iSeries community to rethink its approach to virus protection.
A Multifaceted Danger
As SSA sees it, the threat is much more complex than the traditional idea of someone sitting in a basement sending out a virus by e-mail in hopes of damaging a system or opening up a backdoor with a Trojan Horse. The idea that insiders could be responsibility for theft of or damage to information is very much in the minds of those charged with the task of keeping our Social Security information safe. Addressing the insider issue in his 2004 testimony, O’Carroll explained:
“Although the vast majority of SSA's over 60,000 employees are trustworthy, dedicated civil servants, it only takes one corrupt employees [sic] to compromise the integrity of the Social Security system and undermine the public's confidence in SSA's programs. The illicit demand for SSNs increases the profitability of providing genuine SSNs illegally to fraudulent applicants. Consequently, our investigations have found that a number of SSA employees have succumbed to this temptation.”
It is for this reason that SSA takes a very proactive approach to a wide range of security concerns, with anti-virus being an important part of that protection scheme.
An individual stealing from the inside doesn’t always take the form of someone copying files onto a disk. More shadowy schemes could also be carried out involving the installation of modified—or “patched”—programs that would allow employees or consultants to build themselves a backdoor into even the most protected systems. This would be especially dangerous on a system such as the iSeries that serves as the heart of the overall network.
While there are no reports of any such event taking place at SSA, the agency now has the ability to easily identify any such activity, should it take place, by using the new Object Integrity Scanning (OIS) feature that is built into StandGuard Anti-Virus. If a patched program were put onto the system it would invalidate IBM’s digital signatures; and the change would show up as part of the OIS scan.
Not Just a Government Issue
Protecting Social Security information is great, but it may seem that these types of concerns don’t apply to the average company. But in fact, they do. At the heart of the SSN issue is the problem of identity theft. O’Carroll cites a 2003 study in his Congressional testimony:
“A year ago the Federal Trade Commission (FTC) reported that 27.3 million Americans were victims of identity theft between 1998 and 2003-including 9.9 million people in the study's final year. In 2003, losses to businesses and financial institutions totaled nearly $48 billion, and consumer victims reported $5 billion in out-of-pocket expenses. Clearly, this is a problem that must be brought under control.
Many institutions, including hospitals and some banks and brokerages, use clients' SSNs as an identity confirmation. Other institutions, notably banks, use SSNs as secret passwords that only the owner should know.”
Also think about mortgage companies, the DMV, even universities that use SSNs as student ID numbers. The most sensitive piece of identifying information that Americans have—their social security number—is floating around all over the place. Keeping that number safe requires proactive vigilance. Companies and organizations in all industries have information of similar personal or corporate importance that must be protected.
The Native Advantage
What SSA found in Bytware’s StandGuard Anti-Virus was a powerful yet simple solution to the special needs of the iSeries platform. Leaving the iSeries unprotected can undermine otherwise conscientious efforts on the other platforms within the organization, while even well-intentioned efforts to guard the iSeries using PC-based anti-virus software can leave security exposures open and create new risks. The issue requires a tool that needs no external system in order to operate.
StandGuard Anti-Virus, powered by the industry-leading McAfee scanning engine, provided just the special toolset that was needed. The speed of the solution, the ability to scan files as they are opened and closed (On-Access Scanning), the capability to interface with the OS/400 Mail framework for mail server protection, and the unique Object Integrity Scanning feature that can detect changes made to the operating system by third-party software all come together to provide SSA with a level of thoroughness in information protection that rises to the challenge of the “new emerging concerns” that SSA—and indeed all organizations—face as technology marches forward.
With SSA’s steadfastness and forward-looking security stance we can all rest knowing that our most valuable information is in good, attentive hands.
References
Social Security Online: Testimony Archives of the 106th Congress
Social Security Testimony Before Congress
Testimony given by John R. Dyer, Executive Director to the Deputy Commissioner and Chief Information Officer, on the "Status of Computer Security at Federal Departments and Agencies"—September 11, 2000 http://www.ssa.gov/legislation/testimony_091100.html
Social Security Online: Congressional
U.S. House of Representatives, Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census Statement for the Record: “Theft of Electronic Data” Patrick P. O'Carroll, Jr., Acting Inspector General of the Social Security Administration—September 22, 2004 http://www.ssa.gov/oig/communications/testimony_speeches/09222004testimony.htm
Christopher Jones is the marketing manager for Bytware, Inc. Prior to joining Bytware, he served as communications manager and editor for a large organization in Tokyo. He writes extensively on a variety of topics.
Bytware, Inc.
9440 Double R Blvd, Suite B
Reno, Nevada 89521-5990
Tel: 775-851-2900 or 800-932-5557
Web: www.bytware.com
More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.
TRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now! Request Now.
Forms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.
Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online