Mainframe Security: Combating Ransomware With File Integrity Monitoring
Presented By: Al Saurette
(403) 818-8625
GSE UK Conference 2020 Charity
• The GSE UK Region team hopes that you find this presentation and those that follow useful, and that they help to expand your knowledge of z Systems.
• Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:
http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion
[Diagram: FIM Engine and Internal Security]
Agenda
• z/OS Ransomware Vulnerability
• A typical attack
• What is file integrity monitoring
• Fixing Security gaps on z/OS
• Breaking news - ATM hack
• Compliance
• Wrap-up and questions
Key staff - Career mainframe system programmers and operations management
• Principals involved in enterprise software since the early 90s
• Products – Beta Harbor, IBM HDC, New Era SAE, BMC ISPW (Compuware)
• 2014, FIM+ concept started as a verification tool for application rollouts
• 2017, No mainframe FIM solution existed (Tripwire, Qualys ….)
• MainTegrity - started
• Build a product for rock solid security that saves time and effort
• Initially breach detection only – now forensics / recovery / change assure / compliance
Making the mainframe relevant through innovation
The Threat
Mainframe stats (ATMs and IMS)
• $7.7 trillion credit card payments (annual)
• 29 billion ATM transactions (annual)
• 12.6 billion transactions (daily)
• ATMs & IMS – who knew?
The IT world is increasingly unsafe
• Dark web: many millions of userid / PW combinations for sale – Troy Hunt [1]
• Some of them are likely from your company
• Criminals using legitimate credentials are indistinguishable from regular staff
• 2 phase attack – Compromise backup, then attack real target
[1] https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
[Diagram: a Bad Guy who steals credentials, and rogue staff, stand alongside the Good Guys inside the perimeter of Firewalls & Access Control (RACF, TSS, ACF/2)]
Guard the perimeter – Conventional z/OS security
• Insiders are past Firewall / Access Control
1. Bad Guys steal credentials (look legitimate)
2. Trusted employees go rogue (disgruntled, gambling, health)
No matter how good your perimeter defences are, criminals can get in
Don’t care about Insider Threats? Maybe you should
[Diagram: a hacker gains access via key logging, network sniffing, a Sys Admin PC, a Dark Web userid, phishing, an email attachment or link, or new attacks; from there reaches Disk, Backups, Virtual Tape and the Database, and leaves a Ransom Note]
Steps in an Advanced Ransomware Attack [1]
• Reconnaissance
• Penetrate
• Fortify
• Infiltrate
• Spoliation
• Ransom Demand
Anatomy of z/OS Ransomware
1. Compromise Backup
2. Encrypt Database
[1] Eric Vanderburg: The Six Phases of RansomWare Threat https://www.tcdi.com/6-phases-advanced-ransomware-threat/
FIM – the Basics
File Integrity Monitoring (FIM):
• Snapshot files at a trusted level (checksum)
• Save version keys in an encrypted vault
• Later take another snapshot and compare
[Diagram: at z/OS 2.3 T1 the Prod System Agent scans Loadlibs (APF), Proclibs, Configs (Parms), Seq files and USS; the Loadlib, Proclib, Config, Seq file and USS file keys are saved in the Secure Vault (Trust Vault) on the FIM Server; Result Log: Baseline Saved]
Validation Scan
[Diagram: time marches on; at z/OS 2.3 T2 the Prod System is scanned again (Loadlibs (APF), Proclibs, Configs (Parms), Seq files, USS) and the new Loadlib, Proclib, Config, Seq file and USS file keys are compared with the vault; Result: Validate Success]
FIM on Windows, Linux, Unix for decades: Tripwire, Qualys, TrustWave
Now on z/OS: MainTegrity
Whitelisting
“Use application whitelisting - only allows systems to execute programs permitted by security policy.” [1]
“Whitelist is a list of discrete entities, …. that are authorized …in a well-defined baseline.” [2]
• Auto Discover baselines - APF & Program Product Libs (IMS, CICS, DB2 etc)
• Application scan – dynamic baseline build after QA approval
• Support multiple software versions
• Active enforcement – Monitor the whitelist weekly, alert if needed
Benefit:
• Malware requires program or parm changes – trigger alert
• Real-time security team alerts – text & email
[1] Protect networks from Ransomware – US Government Inter Agency Document https://www.justice.gov/criminal-ccips/file/872771/download
[2] NIST – Guide to Application Whitelisting https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
[Diagram: Mainframe Whitelist – the z/OS 2.3 T1 Loadlib, Proclib, Config, Seq file and USS keys held in the Secure Vault]
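Added example, not MainTegrity's code or any part of the FIM+ product: a minimal baseline-and-validate scan in Python that does what the FIM basics, validation scan and whitelist slides above describe. Assumptions: a directory tree with loadlib/, proclib/ and parmlib/ members stands in for the z/OS libraries, a JSON file in a separate directory stands in for the encrypted vault, and SHA-256 is the version key; every member name and content below is constructed.

```python
"""Baseline-and-validate file integrity scan with a whitelist check (added example).
Not vendor code. Directory names, member names and contents are constructed
stand-ins for z/OS libraries; the JSON file stands in for the encrypted key vault."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_key(path: Path) -> str:
    """Version key for one file: SHA-256 of its contents, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root: Path) -> dict:
    """Map every monitored file (path relative to root) to its key."""
    return {p.relative_to(root).as_posix(): file_key(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snapshot: dict, vault: Path) -> None:
    """Persist the trusted keys (T1). A real vault would be encrypted and off-box."""
    vault.write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def validate(root: Path, vault: Path) -> dict:
    """Later scan (T2): rescan and report what changed, appeared or disappeared."""
    baseline = json.loads(vault.read_text())
    current = take_snapshot(root)
    return {
        "changed": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "deleted": sorted(f for f in baseline if f not in current),
    }


def whitelist_allows(program: Path, vault: Path) -> bool:
    """Whitelist check: a program is permitted only if its key is one of the baselined keys."""
    baseline = json.loads(vault.read_text())
    return file_key(program) in set(baseline.values())


def demo() -> dict:
    """Build a constructed 'prod system', baseline it, tamper with it, rescan."""
    root = Path(tempfile.mkdtemp(prefix="prod_"))
    vault = Path(tempfile.mkdtemp(prefix="vault_")) / "baseline.json"
    members = {  # constructed sample members
        "loadlib/IEFBR14": b"\x00\x00\x00\x01 constructed load module",
        "proclib/CICSPROD": b"//CICSPROD PROC\n//STEP1 EXEC PGM=DFHSIP\n",
        "proclib/DB2PROC": b"//DB2PROC PROC\n//STEP1 EXEC PGM=DSNYASCP\n",
        "parmlib/IEASYS00": b"APF=00,LNK=00,PROG=00\n",
    }
    for name, data in members.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(data)
    save_baseline(take_snapshot(root), vault)
    first_scan = validate(root, vault)  # nothing has changed yet: all lists empty

    # Simulated unauthorised activity: a parm edit, a new program, a deleted proc.
    (root / "parmlib/IEASYS00").write_bytes(b"APF=00,LNK=00,PROG=99\n")
    (root / "loadlib/NEWPGM").write_bytes(b"\x00\x00\x00\x02 unapproved program")
    (root / "proclib/DB2PROC").unlink()
    second_scan = validate(root, vault)
    return {
        "first_scan": first_scan,
        "second_scan": second_scan,
        "iefbr14_allowed": whitelist_allows(root / "loadlib/IEFBR14", vault),
        "newpgm_allowed": whitelist_allows(root / "loadlib/NEWPGM", vault),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The second scan reports the edited parm member as changed, the unapproved program as added and the removed proc as deleted, and the whitelist check refuses the new program because its key was never baselined. Keeping the vault outside the monitored tree matters: a vault stored alongside the files would itself show up as an "added" member, and an attacker who can write the monitored libraries could rewrite the keys too.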
Typical FIM services
Create a z/OS fortress
• Whitelisting [1] – discover / monitor key elements
• Real-time access and FIM alerts via email / text
• Forensic data gathering / display – SMF, approvals
• Policy-driven recovery:
  • Suspend userid, Quarantine
  • Build restore jobs
• Audit records - prove compliance – PCI, NIST, GDPR
• Verify integrity of backups [2] - Checksum
[1] NIST – Guide to Application Whitelisting
[2] European Central Bank, Cyber resilience oversight
Enterprise Design
• FIM Enterprise scope: Continuous monitoring of z/OS, applications, subsystems (CICS, DB2, TCP/IP … )
• Executables, JCL, Configs, Backups, Logs, Encrypted, USS
• Auto-Discovery, Zero Admin
• Offload processing to crypto-card / High Availability Design
• Build FIM in to share security info
• Conclusive proof that whole systems are correct
• MF / Open / Cloud tools and SIEMs via REST APIs
• Scheduled, on-demand, batch scans
• Must support new and existing staff, GUI or 3270
• Email & text alerts direct to response team
Make z/OS the most secure platform in the world
FIM Detection
[Diagram: Manage, Detect, Respond, Recover]
• Detection: FIM scans (Scheduled or On-Demand) and SMF access records, up to the second; version keys (Key 1, Key 2, etc) held in the FIM Vault
• Alert goes to the Response Team; one click opens the FIM Forensics GUI
• GUI shows: Compare Text (Baseline vs Current, line by line compare), What’s affected, Attack Interval, Who and Exact time, Approved? Why changed (from ITSM)
• Events also go to the SIEM: Splunk, QRadar, Others
FIM & Recovery
[Diagram adds to the above: Escalate, Scan, Quarantine, Suspend, Verify Backup, Recovery, Verify Restore – a Policy Driven Assistant]
FIM & Real-time Events
[Diagram adds: SMF Log Streams feed Real-time Early Warning alerts]
Automate Forensics
When an alert is received one click opens the GUI in any browser and displays relevant SMF access data
Click 1: FIM sends text / email alert – “Scan 144 - Backup Checksum - Fail”
Click 2: SMF access data for the failing component
SMF Access Time      System  Access Type  UserID    Component
2019/06/29 12:45:32  SYSA    Update       SYSUSR02  IMAGECPY.BANKDB.G00V123
2019/06/28 19:27:55  SYSA    Update       SYSUSR02  IMAGECPY.BANKDB.G00V122
2019/06/28 14:15:32  SYSA    Update       SYSUSR02  IMAGECPY.BANKDB.G00V121
Not just a pretty dashboard – Real Command and Control
ServiceNow Info for IMAGECPY.BANKDB.G00V0123
Change #   Reason
NONE       No approved change record located for this component at this time
Another click fetches change control info from ServiceNow or Remedy dynamically, without needing mainframe skills.
Respond
Trusted Component – Incident: SN 2349, Last good: 2019/05/22 09:39:28
    # Shell script to assign TCP/IP port.
    if test -t 1; then
    TCP/IP Port 2645 161.185.160.93
    exit
Suspect Component – Incident: SN 2349, Error time: 2019/05/22 18:49:03
    # Shell script to assign TCP/IP port.
    if test -t 1; then
    TCP/IP Port 2645 95.31.18.119
    exit
(Slide geolocation labels for the two addresses: Russia, New York)
Click 3 can invoke instream file compare to show exactly what line changed.
Click 4: Complete restore can be accomplished by clicking the FIM Recovery Assistant to select and verify all files required
FIM-based Recovery Assistant
H-Recover File #1 2019/05/22 09:39:28
H-Recover File #2 2019/05/22 09:39:28
H-Recover File #99 2019/05/22 09:39:28
...
Provide fast answers instead of questions, when time is crucial
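Added example, not the FIM+ product's code: the forensic steps described above (pull the SMF access records inside the attack interval, identify who updated the alerted component, list what else that userid touched, and show exactly which line changed between the trusted and suspect copies) in Python. The record layout follows the slide's SMF access table (date, time, system, access type, userid, component); the records, the alerted component SYS1.TCPPARMS(PORTS) and its last-good and error times are constructed for the example, and the two file copies mirror the one-line change shown on the slide.

```python
"""Automated forensics for a FIM alert (added example, not vendor code):
correlate SMF-style access records with the attack interval and diff the copies.
All records, timestamps and file contents below are constructed."""
import difflib
from datetime import datetime

# Constructed SMF access extract. The alert is on SYS1.TCPPARMS(PORTS):
# last good scan 2019/05/22 09:39:28, failing scan 2019/05/22 18:49:03.
SMF_SAMPLE = """\
2019/05/22 09:12:00 SYSA Update CHGMGR01 SYS1.TCPPARMS(PORTS)
2019/05/22 11:02:10 SYSA Read   OPER01   SYS1.PROCLIB(CICSPROD)
2019/05/22 18:31:40 SYSA Update SYSUSR02 SYS1.TCPPARMS(PORTS)
2019/05/22 18:35:02 SYSA Update SYSUSR02 IMAGECPY.BANKDB.G00V123
2019/05/22 18:44:15 SYSA Read   SYSUSR02 SYS1.PARMLIB(IEASYS00)
2019/05/23 07:15:00 SYSA Update CHGMGR01 SYS1.PROCLIB(BATCHJOB)
"""

# Constructed trusted and suspect copies of the changed component.
TRUSTED = """\
# Shell script to assign TCP/IP port.
if test -t 1; then
TCP/IP Port 2645 161.185.160.93
exit
"""
SUSPECT = TRUSTED.replace("161.185.160.93", "95.31.18.119")


def parse_smf(text: str) -> list:
    """One dict per record; timestamps become datetimes so they can be compared."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, system, access, userid, component = line.split(None, 5)
        records.append({
            "time": datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"),
            "system": system, "access": access, "userid": userid, "component": component,
        })
    return records


def investigate(records: list, component: str, last_good: datetime, error_time: datetime) -> dict:
    """Who updated the alerted component inside the attack interval, and what else did they touch?"""
    in_window = [r for r in records if last_good < r["time"] <= error_time]
    culprits = [r for r in in_window if r["component"] == component and r["access"] == "Update"]
    suspects = sorted({r["userid"] for r in culprits})
    # Scope: every other component the suspect userids accessed (reads included) in the window.
    collateral = [(r["time"].strftime("%Y/%m/%d %H:%M:%S"), r["component"], r["access"])
                  for r in in_window
                  if r["userid"] in suspects and r["component"] != component]
    first = min(r["time"] for r in culprits).strftime("%Y/%m/%d %H:%M:%S") if culprits else None
    return {"suspects": suspects, "first_change": first, "collateral": collateral}


def changed_lines(trusted: str, suspect: str) -> list:
    """Line-by-line compare of baseline vs current copy: (op, 1-based line, old lines, new lines)."""
    a, b = trusted.splitlines(), suspect.splitlines()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(tag, i1 + 1, a[i1:i2], b[j1:j2])
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def demo() -> dict:
    records = parse_smf(SMF_SAMPLE)
    report = investigate(records, "SYS1.TCPPARMS(PORTS)",
                         datetime(2019, 5, 22, 9, 39, 28), datetime(2019, 5, 22, 18, 49, 3))
    report["diff"] = changed_lines(TRUSTED, SUSPECT)
    return report


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The approved change by CHGMGR01 before the last good scan and the unrelated update the next morning fall outside the interval and are ignored; SYSUSR02's update at 18:31:40 is the first change, and the same userid's later update of the image copy and read of the parmlib member give the "what else did they do" scope. The diff call answers "Click 3" with the single replaced line.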
The Bottom Line
            FIM & Access Data*            Classic Response
Detect      Backup Verified or Alert      Hope backups OK
Respond     Send Text - suspend ID        Who should I call?
            Know who did it               Who did it?
            Know what else they did       What else did they do?
            Know when it started          When did it start?
            Automated Forensics           Manual SMF searches
Recover     Restore Assistance            What to recover?
            Restore compromised data      Get ready to pay Ransom
            Minutes                       Weeks
Knowledge + Action = Avoidance, not Ransom
Ransomware Defeated
[Diagram repeated from the attack anatomy – hacker access via key logging, network sniff, Sys Admin PC, Dark Web userid, phishing, email attachment or link, new attacks, reaching Disk, Backups, Virtual Tape and Database – now marked ✓ ✓]
What can FIM do for you?
• Discover what to monitor
• Early Warning
• Real-time Alerts
• Fast reaction – Forensics
• Scope - what else was affected
• Prevented a ransom attack
Defeat Ransomware & other Malicious exposures – Now!
Breaking News – ATM Hack
Key Points in attack:
• Remote access in a card management system is altered
• Likely requires a change to either anti-fraud parameters or an executable which has been compromised.
• Requires knowledge of the card management system, so most likely an “inside job”
• Most ATM transactions captured by IMS on a mainframe
October 7, 2020 – BULLETIN: ATM CASH-OUT THREAT
The PCI Security Standards Council and ATM Industry Association want to highlight an emerging threat that requires urgent attention.
What is the threat? ATM “cash-out” attack is an elaborate attack in which criminals breach a bank or card processor and manipulate fraud detection controls as well as customer accounts
Recommended best practices?
1. 24/7 monitoring including File Integrity Monitoring Systems (FIMs)
2. Development and practice of an incident response management system
3. Employee monitoring systems to guard against an “inside job”
4. Strict separation of roles - no one user ID can perform sensitive functions
PCI and FIM
When your Executive goes to sign this, make sure you have done everything you can…
Payment Card Industry Data Security Standard – Process credit/debit Tx?
Sec 10.5.5: Is file-integrity monitoring or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)?
Sec 11.5: Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files?
Without FIM technology you do not comply. Period.
Compliant: All sections of PCI DSS complete, all questions answered affirmatively
[Attestation form excerpt – Section 3: ….. Part 3. PCI DSS Validation; Part 3b. Attestation]
Signature of Executive Officer __________________________________
Executive Officer Name: _________________________ Date:
Title: Your CIO, Your CFO, Your CEO
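Added example, not vendor code: the distinction PCI DSS 10.5.5 draws above (existing log data must not change without an alert, while appended data is normal) needs slightly different logic from a whole-file checksum, because a whole-file key changes on every legitimate append. The Python below keys only the bytes that existed at baseline time, so growth with an intact prefix passes and edits or truncation alert. The log lines and the dict used as a baseline store are constructed; a real deployment would keep the baseline in the vault and roll it forward after each clean check.

```python
"""PCI DSS 10.5.5-style log integrity check (added example, not vendor code):
alert when existing log data is changed or removed, not when records are appended.
The log lines are constructed; the baseline dict stands in for the vault."""
import hashlib
import tempfile
from pathlib import Path


def prefix_key(path: Path, length: int) -> str:
    """SHA-256 over the first `length` bytes of the file, read in chunks."""
    h = hashlib.sha256()
    remaining = length
    with path.open("rb") as f:
        while remaining > 0:
            chunk = f.read(min(1 << 16, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline_log(path: Path) -> dict:
    """Record the log's current size and the key over everything written so far."""
    size = path.stat().st_size
    return {"size": size, "key": prefix_key(path, size)}


def check_log(path: Path, baseline: dict) -> str:
    """Growth with an intact prefix is normal; a shorter file or a changed prefix is an alert."""
    size = path.stat().st_size
    if size < baseline["size"]:
        return "ALERT: log truncated"
    if prefix_key(path, baseline["size"]) != baseline["key"]:
        return "ALERT: existing log data modified"
    return "OK: new data appended" if size > baseline["size"] else "OK: unchanged"


def demo() -> dict:
    """Walk one constructed log through append, in-place edit and truncation."""
    log = Path(tempfile.mkdtemp(prefix="pci_")) / "access.log"
    line1 = "2019/05/22 18:31:40 SYSA Update SYSUSR02 SYS1.TCPPARMS(PORTS)\n"
    line2 = "2019/05/22 18:35:02 SYSA Update SYSUSR02 IMAGECPY.BANKDB.G00V123\n"
    line3 = "2019/05/22 19:00:00 SYSA Read OPER01 SYS1.PROCLIB(CICSPROD)\n"
    log.write_text(line1)
    baseline = baseline_log(log)
    results = {"unchanged": check_log(log, baseline)}

    with log.open("a") as f:          # normal operation: a record is appended
        f.write(line2)
    results["appended"] = check_log(log, baseline)
    baseline = baseline_log(log)      # roll the baseline forward after a clean check

    # Tampering: the userid in an existing record is rewritten (same length) and a
    # record is appended on top, so the file still grows; only the key catches it.
    log.write_text(line1.replace("SYSUSR02", "SYSUSR99") + line2 + line3)
    results["edited"] = check_log(log, baseline)

    log.write_text(line1)             # tampering: history removed
    results["truncated"] = check_log(log, baseline)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} {v}")
```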
Proof of Compliance
[Screenshot: Compliance Report, On-Demand, typical browser view – Audit Report Date: Oct 27, 2020; columns View, Scan, Status, Date, Component, System]
Evidence for Audit
GDPR
GDPR is more outcome-based compliance
• Article 43 suggests compliance groups - PCI / NIST / ISO 27001
• Significant penalties – up to 4% of global turnover
• Google received the biggest fine so far in 2020 – €50 million
• Over 220 fines in 2020 (over 45 in Oct) for GDPR violations, exceeding €175 million
Companies affected:
• Google €50 million
• H&M €35 million
• Telecom Italia €28 million
• British Airways €22 million
• Wind €17 million
Only 20% of US, UK, and EU companies are GDPR compliant - 30% yet to start
FIM improves compliance with PCI / NIST / ISO 27001 and so supports Article 32 of GDPR
Ignore at your peril
https://www.iso.org/isoiec-27001-information-security.html
https://gdpr-info.eu/
Banking Cyber Resilience
ECB and other Central Banks [1] now recommend:
• Validate backups with checksums
• Monitor configuration files
• Add a new layer of security to legacy systems
• Prevent execution of unauthorized code – Whitelisting
• Isolate affected assets of compromise
• Implement detection systems that trigger and facilitate incident response automatically
[1] European Central Bank, Cyber Resilience Oversight Expectations, Dec 2018
https://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf
Checksums on Backups
ECB says “Backups should be tested regularly to verify their availability and integrity.” [1]
WHY?
• Provide early warning of an impending Ransomware attack.
• A big ransomware attack could impact Financial Market stability
SOLUTION:
• Full scans for smaller backup datasets
• Sample scans efficient for terabyte sized backup files
• Creates a key from a % of data in the file – User definable
• Sample scans complement periodic full scans
• Poly-morphic samples on each scan
• Read only first and last block (Virtual Tape)
[1] European Central Bank, Cyber Resilience Oversight https://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf
[Diagram: CheckSum / HASH Validation]
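Added example, not the product's code: a sample-scan checksum for a large backup beside a full-scan key, in Python. The slide only names the ideas (user-definable % of data, polymorphic samples, first-and-last-block reads for virtual tape, periodic full scans); the design below is my own assumption about how those can fit together so that a varying sample can still be compared with a stored key: at baseline time several sample keys are computed under different seeds, each scheduled scan rotates to the next seed, and the first and last block are always included. The backup file is constructed random data; block size, percentage and seed count are illustrative.

```python
"""Sample-scan checksums for large backup datasets beside a full-scan key
(added example; the rotating-seed design is my assumption, not the product's).
The backup file is constructed random data."""
import hashlib
import math
import os
import random
import tempfile
from pathlib import Path

BLOCK = 4096  # assumed block size


def full_key(path: Path) -> str:
    """Periodic full scan: SHA-256 over every byte."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sample_key(path: Path, pct: float, seed: int) -> str:
    """Key over a seeded pseudo-random pct of blocks plus the first and last block.
    pct=0 degrades to the first/last-block check the slide mentions for virtual tape."""
    size = path.stat().st_size
    nblocks = max(1, math.ceil(size / BLOCK))
    wanted = min(math.ceil(nblocks * pct / 100), nblocks)
    chosen = set(random.Random(seed).sample(range(nblocks), wanted)) | {0, nblocks - 1}
    h = hashlib.sha256(size.to_bytes(8, "big"))  # size in the key: catches truncation
    with path.open("rb") as f:
        for idx in sorted(chosen):
            f.seek(idx * BLOCK)
            h.update(idx.to_bytes(8, "big") + f.read(BLOCK))
    return h.hexdigest()


def baseline_backup(path: Path, pct: float, nseeds: int) -> dict:
    """Store the full key plus several sample keys, each under its own seed."""
    seeds = [random.randrange(1 << 32) for _ in range(nseeds)]
    return {"pct": pct, "full": full_key(path),
            "samples": [(s, sample_key(path, pct, s)) for s in seeds]}


def validate_sample(path: Path, baseline: dict, scan_number: int) -> bool:
    """Each scheduled scan rotates to a different seed, so the blocks checked vary."""
    seed, key = baseline["samples"][scan_number % len(baseline["samples"])]
    return sample_key(path, baseline["pct"], seed) == key


def flip_byte(path: Path, offset: int) -> None:
    """Simulated corruption or encryption of one byte (applied twice, it undoes itself)."""
    with path.open("r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0xFF]))


def demo() -> dict:
    backup = Path(tempfile.mkdtemp(prefix="bkp_")) / "IMAGECPY.BANKDB"
    backup.write_bytes(os.urandom(64 * BLOCK))          # 256 KiB constructed backup
    baseline = baseline_backup(backup, pct=10, nseeds=4)
    clean = all(validate_sample(backup, baseline, n) for n in range(4))

    flip_byte(backup, 100)                               # first block: always sampled
    first_block_caught = not validate_sample(backup, baseline, 0)
    flip_byte(backup, 100)                               # undo

    flip_byte(backup, 30 * BLOCK + 7)                    # middle block: a sample may miss it
    sample_hits = [n for n in range(4) if not validate_sample(backup, baseline, n)]
    full_scan_caught = full_key(backup) != baseline["full"]
    return {"clean": clean, "first_block_caught": first_block_caught,
            "sample_scans_that_caught_middle_edit": sample_hits,
            "full_scan_caught": full_scan_caught}


if __name__ == "__main__":
    print(demo())
```

The demo makes the trade-off visible: the edit in the first block is caught by every sample scan, while the edit in a middle block is caught only by those rotations whose seed happened to select block 30 (the list may be empty), and the full key catches it regardless. That is the reason the slide pairs sample scans with periodic full scans.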
NIST Framework V1.1 – Source: NormShield - MainTegrity Inc. Nov 2020
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness and Training; Data Security; Info Protection Processes; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigate / Improve
Recover: Recovery Planning; Improvements; Communication
Stronger controls with FIM* – the slide marks (*) the categories FIM strengthens, annotated: Contents Comparison, Select Restore Files, Recovery Assistant, Backup Checksum, Verify Restore, Whitelist / Baseline
FIM extensions
➢ Whitelists (Baselines)
➢ Verify backup (Checksums)
➢ Ransom early warning
➢ Real-time Alerts
➢ Automated Forensics
➢ Policy-Driven Recovery
➢ Verify restored systems
➢ Audit evidence reports
Better Security = Better Compliance
Why use FIM now?
Mainframes are High Value targets – Protect them adequately
Because you need to:
• Thwart would-be hackers with Whitelisting and Verified Backups
• React in an instant if problems occur
• Integrate with existing tools - leverage mainframe investments
• Enable the Next Generation of support staff – make the right decisions
• Avoid manual investigation - too much time, effort & skill
• Comply with PCI, NIST, GDPR, Banking cyber-resilience
• Provide crystal clear proof to Auditors
Because tomorrow may well be too late
Please submit your session feedback!
• At http://conferences.gse.org.uk/2020/feedback/nn
• This session is 3AD