CCSS Helps Detect Fraud with New Database Monitor
January 11, 2012 Alex Woodie
It’s a well-established fact that the majority of fraud reported by companies is not perpetrated by hackers coming in over the Net, but is actually the work of employees and other insiders with access to internal systems. Combating this type of fraud requires a multi-pronged approach, including strong security configurations and powerful tools. The IBM i world just got another fraud-fighting tool last month when CCSS announced the availability of its new database monitoring solution.
The new database monitoring capabilities were delivered as part of QMessage Monitor (QMM) version 7, a major new release of CCSS’ real-time message monitoring software for the IBM i server. QMM has always had coverage for QAUDJRN, where many critical IBM i messages are displayed, and which provided a degree of security protection. But with version 7, QMM now gains a new database monitoring component that notifies IT managers in real time when unauthorized activity occurs in DB2/400 (DB2 for IBM i).
While the QAUDJRN coverage shows some attempts at fraud, IBM i shops will get a much more detailed picture of fraudulent activity with the new database monitor in QMM, CCSS says. With properly configured detection rules, the new database monitoring feature will show IT managers the exact users, files, libraries, and IP addresses that are involved in fraudulent activity.
The new security capability will be useful for adding another layer of protection to particularly sensitive files, such as payroll and personal employee data, says CCSS product manager Paul Ratchford. “There’s tremendous value in being able to pin-point the exact files, libraries, users and IP addresses they are interested in,” he says in a press release. “Suspicious activity has no place to hide on the system.”
The new software is configured by setting up client lists, behavior rules, and escalation lists. The client list can be a single IP address or a range of IP addresses. The behavior rules cover various activities that can be performed on an entire database file or a particular record (such as reading, writing, deleting, or updating); actions performed on file members; the setting of a library list; and using SQL to access DB2/400. Finally, the escalation lists control which IT manager gets notified when a breach is detected.
When a breach is detected, the software kicks into action. CCSS gives the example of an unauthorized user who has selected all of the records in a payroll file. Soon after the user takes this action, QMM would send the IT manager an alert message that gives him details of the activity, including the user, action, file details, and job details. Additional information available includes the parameters and rules associated with the user and their client list, including the top three programs in the call stack and the SQL command actually run when SQL access is being used, CCSS says.
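The client list, behavior rule, and escalation list described above, together with the alert contents, can be modelled as a small rule evaluator. This is an added illustration, not QMM's code or configuration syntax; the rule semantics (a rule fires when a user outside an authorized set performs a monitored operation on the file from an address in the client list), the field names, and all sample data are assumptions constructed here.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    clients: tuple         # client list: single IPs or CIDR ranges
    library: str
    file: str
    operations: frozenset  # monitored actions, e.g. READ / UPDATE / SQL
    authorized: frozenset  # assumption: users the rule does not flag
    escalation: tuple      # assumption: ordered contacts to notify

def in_client_list(ip, clients):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in clients)

def evaluate(event, rules):
    # Return one alert per rule the event violates.
    alerts = []
    for r in rules:
        if ((event["library"], event["file"]) != (r.library, r.file)
                or event["op"] not in r.operations
                or event["user"] in r.authorized
                or not in_client_list(event["ip"], r.clients)):
            continue
        alerts.append({
            "rule": r.name, "notify": r.escalation[0],
            "user": event["user"], "action": event["op"], "ip": event["ip"],
            "file": f"{r.library}/{r.file}", "job": event["job"],
            "call_stack": event["call_stack"][:3],  # top three programs
            "sql": event.get("sql") if event["op"] == "SQL" else None,
        })
    return alerts

# Constructed sample data (not real QMM configuration or output).
RULES = [Rule("payroll-watch", ("10.20.0.0/16", "192.0.2.15"), "PAYLIB", "PAYROLL",
              frozenset({"READ", "UPDATE", "DELETE", "SQL"}),
              frozenset({"PAYADMIN"}), ("it-manager@example.com",))]
EVENTS = [
    {"user": "JSMITH", "ip": "10.20.4.7", "library": "PAYLIB", "file": "PAYROLL",
     "op": "SQL", "sql": "SELECT * FROM PAYLIB.PAYROLL",
     "job": "123456/QUSER/QZDASOINIT", "call_stack": ["PGM1", "PGM2", "PGM3", "PGM4"]},
    {"user": "PAYADMIN", "ip": "10.20.4.9", "library": "PAYLIB", "file": "PAYROLL",
     "op": "UPDATE", "job": "123457/PAYADMIN/PAYRUN", "call_stack": ["PAYUPD"]},
    {"user": "JSMITH", "ip": "172.16.1.1", "library": "PAYLIB", "file": "PAYROLL",
     "op": "READ", "job": "123458/JSMITH/QPADEV0001", "call_stack": ["RPT1"]},
]

if __name__ == "__main__":
    print([a for e in EVENTS for a in evaluate(e, RULES)])
```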
All of this information is automatically generated soon after the actual breach, which makes QMM an effective tool for auditors as it reduces the time required to investigate possible breaches.
QMM 7.0 is available now. For more information, see the vendor’s website at www.ccssltd.com.