29
Fri, Nov
0 New Articles

Case Study: SSA Goes On the Offensive

Case Studies
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

“Today, the growth in computer interconnectivity brings a heightened risk of disruption or sabotage of critical operations.” These are the words of Patrick P. O’Carroll, Jr., Acting Inspector General of the Social Security Administration, delivered as part of his September 22, 2004 testimony before Congress. The subject of the testimony was “Theft of Electronic Data,” and O’Carroll was describing steps being taken by SSA to protect the highly sensitive information that the agency maintains about each American.

It is comforting to know that, while there are some who still don’t fully acknowledge the threat that viruses and malicious code pose to security infrastructures, those keeping watch over our Social Security information do; and they are going on the offensive against the threat.

A History of Protection

Tracing back the roots of SSA uncovers a longstanding determination to act proactively in safeguarding information. In testimony given before Congress on September 11, 2000, John R. Dyer, Executive Director to the Deputy Commissioner and Chief Information Officer, pointed out that:

“SSA has always taken its responsibility to protect the privacy of personal information in Agency files very seriously. The Social Security Board's first regulation, published in 1937, dealt with the confidentiality of SSA records. For 65 years, SSA has honored its commitment to the American people to maintain the confidentiality of the records in our possession. We understand in order to address privacy concerns we need a strong computer security program in place.”

As society becomes more and more intertwined with computers and the Internet at the dawn of the new millennium, SSA is again stepping up to the challenge.

Of course, the threat from viruses—while growing—is not new. Does this mean that going on the offensive at this point in time indicates a slow response to a gathering storm? Not at all. SSA has already tackled the issue of viruses on platforms other than the iSeries. As Dyer indicated in this same 2000 testimony:

“We are well aware of the daily stories about new viruses, hackers, and security breaches and have taken both preventive and enforcement actions to protect information in Social Security files from any wrongful use by our own employees and from any unauthorized access by outsiders.”

This statement came under the heading “New Emerging Concerns”—and indeed it is once again an emerging concern that SSA is taking on with the realization that true protection from viruses threats must include all systems in the organization, including the iSeries and AS/400s. For years the widespread belief has been that the iSeries was immune from viruses. Recent virus activity, however, has forced the iSeries community to rethink its approach to virus protection.

A Multifaceted Danger

As SSA sees it, the threat is much more complex than the traditional idea of someone sitting in a basement sending out a virus by e-mail in hopes of damaging a system or opening up a backdoor with a Trojan Horse. The idea that insiders could be responsibility for theft of or damage to information is very much in the minds of those charged with the task of keeping our Social Security information safe. Addressing the insider issue in his 2004 testimony, O’Carroll explained:

“Although the vast majority of SSA's over 60,000 employees are trustworthy, dedicated civil servants, it only takes one corrupt employees [sic] to compromise the integrity of the Social Security system and undermine the public's confidence in SSA's programs. The illicit demand for SSNs increases the profitability of providing genuine SSNs illegally to fraudulent applicants. Consequently, our investigations have found that a number of SSA employees have succumbed to this temptation.”

It is for this reason that SSA takes a very proactive approach to a wide range of security concerns, with anti-virus being an important part of that protection scheme.

An individual stealing from the inside doesn’t always take the form of someone copying files onto a disk. More shadowy schemes could also be carried out involving the installation of modified—or “patched”—programs that would allow employees or consultants to build themselves a backdoor into even the most protected systems. This would be especially dangerous on a system such as the iSeries that serves as the heart of the overall network.

While there are no reports of any such event taking place at SSA, the agency now has the ability to easily identify any such activity, should it take place, by using the new Object Integrity Scanning (OIS) feature that is built into StandGuard Anti-Virus. If a patched program were put onto the system it would invalidate IBM’s digital signatures; and the change would show up as part of the OIS scan.

Not Just a Government Issue

Protecting Social Security information is great, but it may seem that these types of concerns don’t apply to the average company. But in fact, they do. At the heart of the SSN issue is the problem of identity theft. O’Carroll cites a 2003 study in his Congressional testimony:

“A year ago the Federal Trade Commission (FTC) reported that 27.3 million Americans were victims of identity theft between 1998 and 2003-including 9.9 million people in the study's final year. In 2003, losses to businesses and financial institutions totaled nearly $48 billion, and consumer victims reported $5 billion in out-of-pocket expenses. Clearly, this is a problem that must be brought under control.

Many institutions, including hospitals and some banks and brokerages, use clients' SSNs as an identity confirmation. Other institutions, notably banks, use SSNs as secret passwords that only the owner should know.”

Also think about mortgage companies, the DMV, even universities that use SSNs as student ID numbers. The most sensitive piece of identifying information that Americans have—their social security number—is floating around all over the place. Keeping that number safe requires proactive vigilance. Companies and organizations in all industries have information of similar personal or corporate importance that must be protected.

The Native Advantage

What SSA found in Bytware’s StandGuard Anti-Virus was a powerful yet simple solution to the special needs of the iSeries platform. Leaving the iSeries unprotected can undermine otherwise conscientious efforts on the other platforms within the organization, while even well-intentioned efforts to guard the iSeries using PC-based anti-virus software can leave security exposures open and create new risks. The issue requires a tool that needs no external system in order to operate.

StandGuard Anti-Virus, powered by the industry-leading McAfee scanning engine, provided just the special toolset that was needed. The speed of the solution, the ability to scan files as they are opened and closed (On-Access Scanning), the capability to interface with the OS/400 Mail framework for mail server protection, and the unique Object Integrity Scanning feature that can detect changes made to the operating system by third-party software all come together to provide SSA with a level of thoroughness in information protection that rises to the challenge of the “new emerging concerns” that SSA—and indeed all organizations—face as technology marches forward.

With SSA’s steadfastness and forward-looking security stance we can all rest knowing that our most valuable information is in good, attentive hands.

References

Social Security Online: Testimony Archives of the 106th Congress

Social Security Testimony Before Congress

Testimony given by John R. Dyer, Executive Director to the Deputy Commissioner and Chief Information Officer, on the "Status of Computer Security at Federal Departments and Agencies"—September 11, 2000 http://www.ssa.gov/legislation/testimony_091100.html

Social Security Online: Congressional

U.S. House of Representatives, Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census Statement for the Record: “Theft of Electronic Data” Patrick P. O'Carroll, Jr., Acting Inspector General of the Social Security Administration—September 22, 2004 http://www.ssa.gov/oig/communications/testimony_speeches/09222004testimony.htm

 

Christopher Jones is the marketing manager for Bytware, Inc. Prior to joining Bytware, he served as communications manager and editor for a large organization in Tokyo. He writes extensively on a variety of topics.

http://www.mcpressonline.com/articles/images/2002/SSAGoeso00.png

Bytware, Inc.
9440 Double R Blvd, Suite B
Reno, Nevada 89521-5990
Tel: 775-851-2900 or 800-932-5557
Web: www.bytware.com

Christopher Jones

Christopher Jones is principal and creative director of Stellar Debris and works with leading IBM Power Systems developers, including Bytware and PowerTech. He writes on a variety of topics related to the Internet, security threats, and the use of technology. Christopher lives in and works from Tokyo.

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: