Security is an ongoing activity—a journey rather than a destination. Every ClearPath OS 2200 software release includes security enhancements. At Unisys, we know we can’t rest on our laurels, so we sought external expertise to help us assess Dorado systems in an area whose visibility has risen dramatically in the past few years: data breaches.
The 2011 Verizon data breach report points out that 92% of data breaches stemmed from external agents and 50% used some form of hacking; by the time the 2012 report1 was issued, those numbers had risen to 98% and 81%, confirming our choice of focus area.
Unisys hired Symantec Corporation to evaluate Dorado systems’ resistance to hackers. They looked at two related questions:
To remove any doubt about the role of a firewall in blocking hackers, we created a test environment with the hacker inside the firewall. Furthermore, because of the increasing adoption of the complex IPv6 network protocol, we told Symantec to use both IPv4 and IPv6 network connections.
Symantec gave this task to Erik Kamerling, Lead Penetration Tester for the Security Strategy and Advisory Group at Symantec. He spent twelve days at the Unisys development center in Roseville, Minnesota, assessing the security of ClearPath Dorado systems. He tried to break into both types of Dorado systems—those that use proprietary ASICs and those built on commodity hardware—, using the most advanced techniques known to the Symantec penetration test team. His conclusions, which you can hear from Erik in the video Unisys ClearPath Dorado: The Best Protection, included, “Your enterprise data is well protected in Unisys ClearPath Dorado environments” and “The default defensive posture of OS 2200 is a worthy goal for all vendors of enterprise level systems.”
The Client Facing Document from Symantec is the report of that assessment process. As noted in the report, “this security assessment demonstrates a commitment to continuously enhancing platform security.” Indeed, the Symantec evaluation uncovered a few weaknesses that were immediately corrected and released as part of CP OS 13.1 or planned for the next release. These were minor issues, and you shouldn’t worry if you aren’t running a level that addresses them. If you are concerned, you can get these changes for older levels.
In the Areas of Analysis table, 5 of the 6 areas were classified as “satisfactory,” which Symantec regards as an “A” grade: in Symantec’s words, “Unisys is complying with industry best practices.” In the 6th area, we got “Excellent,” Symantec’s equivalent of an “A+” grade.
As part of our continuous improvement of our products, we found the Symantec evaluation valuable, both for the details of the findings and for the opportunity to observe the work of a master white-hat hacker and incorporate some of his techniques and tools into our test suite for future OS 2200 releases. Furthermore, we found the evaluation valuable in what it didn’t find: any way for a hacker to steal or compromise data on a Dorado system.
We continue to invest in security so we keep being a leader. This evaluation is part of our investment.
1 2012 Data Breach Investigations Report, a study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-Crime Unit, and United States Secret Service, Verizon.