“If you do not know where you are going, every road will get you nowhere.”
Historically, business process interconnectivity (BPIC) products such as IBM’s WebSphere were deployed “out of the box,” without security measures and without regard for today’s more stringent regulatory environment. The result is an increased risk of failed audits against a variety of recently enacted regulatory measures. These measures, all passed well after the initial growth of BPIC, include the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996; the Sarbanes-Oxley Act (SOX), passed in 2002; and the Payment Card Industry Data Security Standard (PCI DSS), enacted in 2006.
Because these regulations were unknown until fairly recently, many companies have had neither the time nor the inclination to invest in securing their BPIC, having passed all relevant audits up to this point. The fact that BPIC was historically regarded as nothing more than network plumbing, and was therefore always out of scope for annual security audits, further increases the likelihood of a failed audit.
Today, companies seeking compliance with these regulatory measures must secure their BPIC network layer. However, most current WebSphere installations (over 90%) are not configured to use the built-in product functionality that reduces or eliminates security threats. Additionally, the default configuration of WebSphere allows anonymous administrative access to the command server (console), permitting arbitrary remote code execution by unauthenticated users anywhere on the network. The consequence of these security gaps is a layer that is all too often inadequately protected and comparatively easy to compromise.
At Evans Resource Group, our proprietary methodology and assessment and penetration toolset have been developed specifically to analyze and assess the pervasive data exposure that exists in many WebSphere installations because appropriate security measures are misconfigured or not configured at all. This program of assessment and remediation of the BPIC network layer includes detailed analysis of critical security gaps and of the extent of BPIC vulnerability.
The information provided by our toolset goes beyond traditional, ineffective perimeter-based testing methods and is the first step toward applying meaningful controls at the BPIC level to help you achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Basel II Accord, European Union Data Protection Directive 95/46/EC, and the Federal Information Security Management Act (FISMA).