Top Security Vulnerabilities on IBM i - LISUG (presentation transcript)

www.helpsystems.com/professional-security-services 3/16/2016
© HelpSystems, 2015. All Rights Reserved.
© HelpSystems. Company Confidential.

Top Security Vulnerabilities on IBM i
Carol Woodbury
VP, Global Security Services, HelpSystems
[email protected]


Top Security Vulnerabilities on IBM i

• IBM i is one of the most securable systems available—but

unless you actually use the features IBM has provided, the

system is vulnerable.

• Tonight we will talk about:

– The top vulnerabilities on the system today

– How to address them using the operating system itself


IBM i has MANY layers of defense

• Provided with IBM i

– Hardware storage protection

– Signed OS

– Separation of OS from Application Layer

• You must implement

– Security level

– Strong passwords

– Encrypted sessions, back-ups, disk, data at rest

– User capabilities

– Access control settings

– Auditing / Logging

• Additional layers are available

– Exit programs

– Additional encryption solutions

– Two-factor authentication


Why do we need to have this discussion …?


Drunk the Kool-Aid … that IBM i is secure


Reality …

IBM i is secure-ABLE


The business is expecting:

• Data integrity

• Availability of data

• Compliance with laws and regulations

• Data confidentiality

It’s quite likely that if the business realized how exposed their

data was they’d demand better protection.


The Business of Security

• Business and IT together must determine

– What data to secure

– Which security measures to implement

– Where to implement them

• Decision must be

– Cost effective

– Appropriate for what’s being protected

– Effectively assist in the effort to reduce risk to an acceptable level


Auditing


QAUDCTL = *NONE

• No auditing means that no actions are logged, so none of the vulnerabilities in this talk can be investigated effectively after the fact

No save strategy for audit journal receivers

• Audit journal receivers are not saved, so the audit trail is gone the moment a detached receiver is deleted to free space
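The following Db2 for i SQL is an added example for this slide, not code from the presentation. It checks whether auditing is on, turns it on with CHGSECAUD, and then finds audit journal receivers that have never been saved. It assumes the QSYS2 services SYSTEM_VALUE_INFO, QCMDEXC, JOURNAL_INFO and OBJECT_STATISTICS (with its LAST_SAVE_TIMESTAMP column) exist on your release, and that receivers are in QGPL with the AUDRCV prefix, which is the CHGSECAUD default; change the library and prefix if your receivers live elsewhere. TAP01 is a placeholder device name.

```sql
-- Added example: check and enable security auditing, then find unsaved receivers.

-- 1. Is auditing on?  QAUDCTL = *NONE means nothing at all is being logged.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2');

-- 2. Turn it on.  CHGSECAUD creates QSYS/QAUDJRN and the first receiver if they
--    do not exist, then sets QAUDCTL and QAUDLVL in one step.  The categories
--    below cover authority failures, security changes, deletes, save/restore,
--    service tools and system management; add more as your policy requires.
--    CONCAT is used instead of || because || is a variant character in some
--    EBCDIC CCSIDs and breaks in 5250 sessions.
CALL QSYS2.QCMDEXC(
  'CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) ' CONCAT
  'QAUDLVL(*AUTFAIL *SECURITY *DELETE *SAVRST *SERVICE *SYSMGT) ' CONCAT
  'JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001)');

-- 3. Which receiver is currently attached (the one you cannot delete yet)?
SELECT JOURNAL_LIBRARY, JOURNAL_NAME,
       ATTACHED_JOURNAL_RECEIVER_LIBRARY, ATTACHED_JOURNAL_RECEIVER_NAME
  FROM QSYS2.JOURNAL_INFO
 WHERE JOURNAL_LIBRARY = 'QSYS' AND JOURNAL_NAME = 'QAUDJRN';

-- 4. Receivers that have never been saved.  Deleting one of these destroys
--    the only copy of that part of the audit trail, so save them first, e.g.
--    SAVOBJ OBJ(AUDRCV*) LIB(QGPL) OBJTYPE(*JRNRCV) DEV(TAP01), and only then
--    delete, or let the backup job delete after a successful save.
SELECT OBJNAME, OBJCREATED, LAST_SAVE_TIMESTAMP
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QGPL', '*JRNRCV', 'AUDRCV*'))
 WHERE LAST_SAVE_TIMESTAMP IS NULL
 ORDER BY OBJCREATED;
```

Run the two SELECTs from Run SQL Scripts or STRSQL as a user with *AUDIT and *ALLOBJ; the CHGSECAUD call needs the same authorities, and the new QAUDCTL value takes effect immediately without an IPL.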


Passwords that Don’t Expire


Non-expiring passwords

• QPWDEXPITV set to *NOMAX

• Password expiration interval in the user profile is set to *NOMAX (rather than *SYSVAL)

Biggest offenders: Administrators!


Remediation

• Set QPWDEXPITV to 90 or less

• Ensure all profiles used for sign on are PWDEXPITV(*SYSVAL)

– Administrators, programmers, vendors, upper management, end users, etc.

• Set IBM-supplied profiles to PASSWORD(*NONE), except QSECOFR, which must keep a password

• Set QSECOFR to STATUS(*DISABLED); it can still sign on at the system console when you need it
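An added example (not from the presentation) that finds the non-expiring passwords this slide describes and generates the fix. It uses QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO; the PASSWORD_EXPIRATION_INTERVAL column of USER_INFO is assumed to follow the QSYRUSRI convention of -1 for *NOMAX and 0 for *SYSVAL. QPGMR and QSECOFR are real IBM-supplied profiles; everything else the queries return comes from your own system.

```sql
-- Added example: find and fix non-expiring passwords.

-- The system value.  *NOMAX is the problem; 90 or less is the target.
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QPWDEXPITV';

CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE(''90'')');

-- Profiles that override the system value with *NOMAX (-1).  Only profiles that
-- can sign on matter, so profiles with PASSWORD(*NONE) are excluded.  Profiles
-- holding *ALLOBJ sort first because the slide says that is where the offenders are.
SELECT AUTHORIZATION_NAME, STATUS, PASSWORD_CHANGE_DATE, SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE PASSWORD_EXPIRATION_INTERVAL = -1
   AND NO_PASSWORD_INDICATOR = 'NO'
 ORDER BY CASE WHEN SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 0 ELSE 1 END,
          AUTHORIZATION_NAME;

-- Generate the remediation commands instead of typing them.  Review the list,
-- then run each line with QCMDEXC or paste it on a command line.
SELECT 'CHGUSRPRF USRPRF(' CONCAT TRIM(AUTHORIZATION_NAME)
       CONCAT ') PWDEXPITV(*SYSVAL)' AS FIX_CMD
  FROM QSYS2.USER_INFO
 WHERE PASSWORD_EXPIRATION_INTERVAL = -1
   AND NO_PASSWORD_INDICATOR = 'NO';

-- IBM-supplied profiles that nobody signs on with get no password at all.  QPGMR is
-- one; the IBM i Security Reference lists the others.  QSECOFR must keep a password,
-- so disable it instead: a disabled QSECOFR can still sign on at the system console,
-- which is exactly the emergency path you want and nothing more.
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(QPGMR) PASSWORD(*NONE)');
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(QSECOFR) STATUS(*DISABLED)');
```

The generated CHGUSRPRF lines are the audit evidence as well as the fix: keep the query output with the change ticket so the next review can show which profiles were reset and when.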


Running at the wrong password level - QPWDLVL


QPWDLVL system value

Level 0 (default)
  Character set: A-Z, 0-9, $, @, # and _
  Maximum length: 10
  Passwords are stored in both all upper and all lower case, as well as in a version used for NetServer (the LAN Manager hash)

Level 1
  Same as level 0, but the old NetServer (LAN Manager) password is no longer stored

Level 2
  Character set: upper and lower case letters, all punctuation and special characters, numbers and spaces
  Maximum length: 128
  Keeps the NetServer password; passwords are encrypted with both the old and the new algorithms, so you can fall back to level 0/1
  Sign on screen changed to accommodate the longer password; the password field on CHGPWD and CRT/CHGUSRPRF changed

Level 3
  Same as level 2, but only one version of the password is stored

Changing QPWDLVL requires an IPL. Read "Considerations before changing" in the IBM i Security Reference manual first: clients that still send LAN Manager passwords (old Windows NetServer clients) stop working at levels 1 and 3, and going down from level 3 means every user has to set a new password.


Password fields at QPWDLVL 2/3


Limited Capabilities *NO


Profiles with LMTCPB(*NO)

• Default on CRTUSRPRF

• Allows users to enter commands on a command line



Enter … Attention program


What happens at signon…?


Profiles with LMTCPB(*NO)

• Open a DOS window (a Windows command prompt) on a PC with IBM i Access installed

• Enter the command

rmtcmd crtdir '/home/SkyViewTest' //system_name

• This will bring up a prompt to login, or will run immediately if the user is already logged into that system from that workstation. The command runs on the IBM i through the remote command host server, so the profile's INLPGM and INLMNU never come into play; only LMTCPB(*YES) stops it.


Remediation

• Make sure EVERY profile is set to LMTCPB(*YES) unless it specifically should be able to run commands

– even profiles that should never be used for sign on (e.g., service accounts)


Service accounts

• PASSWORD – no default

• INLPGM(*NONE)

• INLMNU(*SIGNOFF)

• LMTCPB(*YES)

• ATTNPGM(*NONE)

• SPCAUT – only what's required

• TEXT – make it meaningful

• Don’t over-use
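As an added example (not the presenter's code), this SQL lists every profile that can both sign on and enter commands, generates the LMTCPB(*YES) fix for everyone outside an allow list, and creates a service account exactly as the checklist above specifies. QSYS2.USER_INFO column names are as documented for recent releases; SVCACCT1, SYSADM1, DEVLEAD1, the TEXT value and the password are placeholders, and the password shown is a 10-character value using only characters that are legal at every QPWDLVL, so generate your own to the same rule.

```sql
-- Added example: who can run commands, and what a clean service account looks like.

-- LMTCPB(*NO) or (*PARTIAL) plus a password plus *ENABLED = a command-line user,
-- whether or not anyone intended it (see the rmtcmd demonstration above).
SELECT AUTHORIZATION_NAME, LIMIT_CAPABILITIES,
       INITIAL_PROGRAM_NAME, INITIAL_MENU_NAME, ATTENTION_KEY_HANDLING_PROGRAM_NAME,
       SPECIAL_AUTHORITIES, TEXT_DESCRIPTION
  FROM QSYS2.USER_INFO
 WHERE LIMIT_CAPABILITIES <> '*YES'
   AND NO_PASSWORD_INDICATOR = 'NO'
   AND STATUS = '*ENABLED'
 ORDER BY AUTHORIZATION_NAME;

-- Generate the fix for everyone not on the command-line allow list.  The
-- allow list here is a placeholder; keep the real one in a table, not a literal.
SELECT 'CHGUSRPRF USRPRF(' CONCAT TRIM(AUTHORIZATION_NAME)
       CONCAT ') LMTCPB(*YES)' AS FIX_CMD
  FROM QSYS2.USER_INFO
 WHERE LIMIT_CAPABILITIES <> '*YES'
   AND AUTHORIZATION_NAME NOT IN ('QSECOFR', 'SYSADM1', 'DEVLEAD1');

-- A service account built to the slide's checklist: no default password,
-- no initial program, sign-off as the initial menu (an interactive sign-on
-- ends immediately), no command line, no Attention program, no special
-- authority, and text that says what it is for and who owns it.
CALL QSYS2.QCMDEXC(
  'CRTUSRPRF USRPRF(SVCACCT1) PASSWORD(R7K#Q2MZ9P) PWDEXP(*NO) ' CONCAT
  'INLPGM(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) ATTNPGM(*NONE) SPCAUT(*NONE) ' CONCAT
  'TEXT(''ODBC service account, billing batch, owner: app team'')');
```

LMTCPB(*YES) still lets the account run commands whose ALWLMTUSR attribute is *YES (SIGNOFF, DSPMSG and a handful of others), which is what a service account needs and nothing more; the ODBC, FTP and remote command servers all honour the setting.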


Default Passwords


Profiles with a default password

• Password = profile name by default when creating a new user profile

• Risk is not reduced just because the password is set to expire with first use

• IBM-supplied profiles will be the first profiles attempted because they are well-known

• Vendor profiles are prime suspects

• Accounts are created as a test

– then start to be used

– or forgotten and left on the system


INLPGM and INLMNU are only in effect when signing on via TELNET (5250); ODBC, FTP, remote command and the other host servers never run them

Don't have your *ADMIN HTTP server instance started all of the time, and/or use Application Administration (APPADMIN) to control access to Navigator functions


QPWDRULES system value

*PWDSYSVAL (use the individual QPWD* system values), or any combination of:

• *CHRLMTAJC, *CHRLMTREP
• *DGTLMTAJC, *DGTLMTFST, *DGTLMTLST, *DGTMAXn, *DGTMINn
• *LMTSAMPOS
• *LMTPRFNAME – profile name cannot be contained in the password
• *LTRLMTAJC, *LTRLMTFST, *LTRLMTLST, *LTRMAXn, *LTRMINn
• *MAXLENnnn, *MINLENnnn
• *MIXCASEnnn
• *REQANY3
• *SPCCHRLMTAJC, *SPCCHRLMTFST, *SPCCHRLMTLST, *SPCCHRMAXn, *SPCCHRMINn
• V7R2: *ALLCRTCHG – password rules must be followed even when the password is set with the CRTUSRPRF or CHGUSRPRF commands

Eliminate default passwords by specifying *LMTPRFNAME and *ALLCRTCHG
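Added example (not from the presentation): check and set QPWDRULES so that a password can never be the profile name, including when an administrator sets it with CRTUSRPRF or CHGUSRPRF, and then find the profiles that already have a default password. It assumes QPWDLVL 2 or 3, as recommended on the earlier slide, because *MINLEN12 and *MAXLEN128 are not valid at levels 0 and 1, and a release with *ALLCRTCHG (V7R2 or later). The rule set itself is an example policy, not the presenter's recommendation.

```sql
-- Added example: close the default-password hole at the system-value level.

-- Current rules.  *PWDSYSVAL means the individual QPWD* system values are in use;
-- anything else here replaces them.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QPWDLVL', 'QPWDRULES', 'QPWDEXPITV');

-- Set the rules.  Caveat: once QPWDRULES is anything other than *PWDSYSVAL, the
-- QPWDMINLEN, QPWDMAXLEN, QPWDLMTCHR, QPWDLMTAJC, QPWDLMTREP, QPWDPOSDIF and
-- QPWDRQDDGT system values are ignored, so every rule you want must be listed
-- here.  *LMTPRFNAME stops "password = profile name"; *ALLCRTCHG makes the rules
-- apply to CRTUSRPRF/CHGUSRPRF too, which is where default passwords come from.
CALL QSYS2.QCMDEXC(
  'CHGSYSVAL SYSVAL(QPWDRULES) VALUE(''*LMTPRFNAME *ALLCRTCHG *MINLEN12 *MAXLEN128 ' CONCAT
  '*REQANY3 *LMTSAMPOS *CHRLMTREP'')');

-- Profiles that already have a default password.  ANZDFTPWD needs *ALLOBJ and
-- *SECADM.  ACTION(*NONE) only reports (spooled file QPSECPWD); once the list has
-- been reviewed, rerun with ACTION(*DISABLE) or ACTION(*PWDEXP) to act on it.
CALL QSYS2.QCMDEXC('ANZDFTPWD ACTION(*NONE)');
```

Run ANZDFTPWD before the QPWDRULES change as well as after: the rule only stops new default passwords from being created, it does nothing to the ones already on the system.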


Root is Shared


• A share to root ('/') also shares /QSYS.LIB, i.e. every library, file and program on the system, not just the IFS directories you meant to share


Remediation

Root ('/') should not be shared!

• CryptoLocker (ransomware running on a PC that has a writable share mapped) is a huge threat

If the share absolutely cannot be removed:

• Add a '$' to the end of the share name, e.g., share$

– Hides the share from browsing; it does not protect it, since anyone who knows the name can still connect

• Create the share as a 'read only' share

• Set the QPWFSERVER authorization list to *PUBLIC *EXCLUDE, authorizing specific users

– Prevents access to libraries (/QSYS.LIB) through interfaces such as Windows Explorer

• Implement object level security!
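Added example (not code from the presentation): list the NetServer file shares with their paths and permissions so a share of '/' stands out, then check and tighten the QPWFSERVER authorization list. It assumes QSYS2.SERVER_SHARE_INFO is available on your release with the documented SHARE_TYPE, PATH_NAME and PERMISSIONS columns, and QSYS2.AUTHORIZATION_LIST_USER_INFO. ADMIN1 is a placeholder for an administrator who genuinely needs library access through the file server.

```sql
-- Added example: find a root share and lock down library access through the file server.

-- Every file share, root first.  A path of '/' exposes the whole IFS including
-- /QSYS.LIB; a READ/WRITE share of it is all that ransomware on a PC needs.
SELECT SERVER_SHARE_NAME, PATH_NAME, PERMISSIONS
  FROM QSYS2.SERVER_SHARE_INFO
 WHERE SHARE_TYPE = 'FILE'
 ORDER BY CASE WHEN PATH_NAME = '/' THEN 0 ELSE 1 END, SERVER_SHARE_NAME;

-- Who may enter /QSYS.LIB through the file server (NetServer, IBM i Access)?
-- The QPWFSERVER authorization list should have *PUBLIC *EXCLUDE and only the
-- users who need it.  Note: users with *ALLOBJ special authority are not
-- stopped by this list, which is one more reason to take *ALLOBJ away.
SELECT AUTHORIZATION_LIST, AUTHORIZATION_NAME, OBJECT_AUTHORITY
  FROM QSYS2.AUTHORIZATION_LIST_USER_INFO
 WHERE AUTHORIZATION_LIST = 'QPWFSERVER';

CALL QSYS2.QCMDEXC('CHGAUTLE AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)');
CALL QSYS2.QCMDEXC('ADDAUTLE AUTL(QPWFSERVER) USER(ADMIN1) AUT(*USE)');
```

The QPWFSERVER list only governs the /QSYS.LIB path through the file server; it does nothing for the rest of the IFS, so removing or read-only-ing the root share and securing the objects themselves are still required.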


Guest Profile Assigned to the NetServer


NetServer Guest Profile - Properties

In Navigator: NetServer, Properties, click on the Security tab, then click on Next Start to see (and clear) the guest profile

Guest profiles allow users to connect to the system and access any object with *PUBLIC greater than *EXCLUDE without an IBM i signon


Unencrypted Sessions


Unencrypted communications

• Recent break-ins have exploited passwords sniffed from the network

• PCI DSS requires:

– encrypted sessions for administrators

– no cleartext passwords

• 5250 sign on via an emulator over plain Telnet passes the password in cleartext

– use TLS 1.1 or TLS 1.2 only; PCI DSS requires SSL and early TLS to be gone by 30 June 2018

• POODLE has shown the weakness of SSL 3.0 – disable SSL entirely and run at TLS 1.2 or higher
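Added example (not from the presentation): a quick way to see which clients are still connecting over the cleartext ports, and whether the TLS listeners are even up, before reaching for the SSL counter or a comm trace. It uses QSYS2.NETSTAT_INFO and assumes the standard port assignments: Telnet 23 (TLS 992), DDM/DRDA 446 (TLS 448) and the host servers 8470-8476 (TLS 9470-9476). FTP on 21 is left out because an FTP client can negotiate TLS on that port with AUTH TLS, so a connection there is not necessarily cleartext.

```sql
-- Added example: who is still talking in the clear?

-- Established connections on the cleartext ports, grouped by client address.
-- Every row is a client whose password and data crossed the network unencrypted.
SELECT LOCAL_PORT,
       CASE LOCAL_PORT
         WHEN 23   THEN 'Telnet 5250'
         WHEN 446  THEN 'DDM/DRDA'
         WHEN 8476 THEN 'Sign-on server'
         WHEN 8471 THEN 'Database (ODBC/JDBC)'
         WHEN 8473 THEN 'File server'
         WHEN 8475 THEN 'Remote command'
         ELSE           'Other host server'
       END AS SERVICE,
       REMOTE_ADDRESS, COUNT(*) AS CONNECTIONS
  FROM QSYS2.NETSTAT_INFO
 WHERE TCP_STATE = 'ESTABLISHED'
   AND LOCAL_PORT IN (23, 446, 8470, 8471, 8472, 8473, 8474, 8475, 8476)
 GROUP BY LOCAL_PORT, REMOTE_ADDRESS
 ORDER BY LOCAL_PORT, CONNECTIONS DESC;

-- Are the TLS listeners up?  If a port is missing here, clients cannot be moved
-- off the cleartext port until that server is configured for TLS and restarted.
SELECT LOCAL_PORT, LOCAL_ADDRESS
  FROM QSYS2.NETSTAT_INFO
 WHERE TCP_STATE = 'LISTEN'
   AND LOCAL_PORT IN (992, 448, 9470, 9471, 9472, 9473, 9474, 9475, 9476)
 ORDER BY LOCAL_PORT;
```

Schedule the first query to run every few minutes for a week and keep the output; the list of REMOTE_ADDRESS values on port 23 and 8476 is the list of emulators and PCs you have to reconfigure before the cleartext ports can be closed.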


Unencrypted communications

Tutorial:

• Coffee with Carol session on configuring IBM i Access to use SSL (TLS): https://www.youtube.com/user/SkyViewPartners1/videos

POODLE:

• Instructions for enabling an SSL counter: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020451

• Instructions for enabling a comm trace that will allow you to determine which connection(s) use SSL: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594


Running at QSECURITY 20 or 30


QSECURITY Vulnerability

• Level 20 – by default, all profiles are created with *ALLOBJ and *SAVSYS special authorities, so every user can read, change and save every object on the system

• Level 30 – any user with *USE to a job description that names a user profile can submit a job with it and run as that profile, elevating privileges; from level 40 the submitter also needs *USE to the named profile



Remediation

[Chart: "Total Available i5/OS Security Capabilities" by QSECURITY value, levels 10 through 50]

Run at QSECURITY level 40 or 50
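Added example (not part of the presentation): check QSECURITY, find the job descriptions that make level 30 dangerous, and prepare for the move to level 40. It assumes the QSYS2.JOB_DESCRIPTION_INFO and QSYS2.OBJECT_PRIVILEGES views with the column names documented for recent releases, and the CPYAUDJRNE AF outfile layout from model file QSYS/QASYAFJ5 (fields AFVIOL and AFUSER). QGPL is just where this example puts the outfile.

```sql
-- Added example: the level 30 privilege escalation, and getting to level 40.

-- Where are we?
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QSECURITY';

-- At level 30, anyone who can use a job description that names a user profile
-- can SBMJOB with it and run as that profile.  At level 40 and above the
-- submitter also needs *USE authority to the named user profile.  List the
-- job descriptions that name a profile and that *PUBLIC is not excluded from.
SELECT j.JOB_DESCRIPTION_LIBRARY, j.JOB_DESCRIPTION,
       j.AUTHORIZATION_NAME AS RUNS_AS, p.OBJECT_AUTHORITY AS PUBLIC_AUTHORITY
  FROM QSYS2.JOB_DESCRIPTION_INFO j
  JOIN QSYS2.OBJECT_PRIVILEGES p
    ON  p.SYSTEM_OBJECT_SCHEMA = j.JOB_DESCRIPTION_LIBRARY
    AND p.SYSTEM_OBJECT_NAME   = j.JOB_DESCRIPTION
    AND p.OBJECT_TYPE          = '*JOBD'
    AND p.AUTHORIZATION_NAME   = '*PUBLIC'
 WHERE j.AUTHORIZATION_NAME <> '*RQD'
   AND p.OBJECT_AUTHORITY    <> '*EXCLUDE'
 ORDER BY 1, 2;

-- Before raising the level, audit at level 30 with QAUDLVL *AUTFAIL and *PGMFAIL
-- for a full business cycle, then look for AF entries whose violation type
-- would be blocked at level 40: B (restricted instruction), C (validation
-- failure), D (unsupported interface), J (job description/user profile),
-- R (hardware storage protection) and S (default sign-on).  Anything that
-- appears here will break at level 40 and must be fixed or justified first.
CALL QSYS2.QCMDEXC('CPYAUDJRNE ENTTYP(AF) OUTFILE(QGPL/QAUDIT) JRNRCV(*CURCHAIN)');
SELECT AFVIOL, AFUSER, COUNT(*) AS ENTRIES
  FROM QGPL.QAUDITAF
 WHERE AFVIOL IN ('B', 'C', 'D', 'J', 'R', 'S')
 GROUP BY AFVIOL, AFUSER
 ORDER BY AFVIOL, ENTRIES DESC;

-- Then move.  The change takes effect at the next IPL, not immediately.
CALL QSYS2.QCMDEXC('CHGSYSVAL SYSVAL(QSECURITY) VALUE(''40'')');
```

If the audit query returns rows, the J entries point at exactly the job descriptions the second query listed; either change them to USER(*RQD) or restrict who has *USE to them, because at level 40 those SBMJOBs will fail rather than quietly elevate.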


Data is Not Secured


Objects are not secured

• Objects – especially files containing PII (Personally Identifiable Information) or confidential information – are not secured

• Menu "security" is not enough!

• Too many users have *ALLOBJ special authority

• Too many users are a member of a group that owns an application

• Too many *FILEs at *PUBLIC *CHANGE or *ALL
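Added example (not from the presentation): find the files in an application library that *PUBLIC can change, then replace that with object-level security, which is the only control that applies equally on every access path shown on the next slides. PAYLIB, CUSTMAST and PAYGRP are placeholders; QSYS2.OBJECT_PRIVILEGES is assumed to carry the documented SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME, OBJECT_TYPE, AUTHORIZATION_NAME and OBJECT_AUTHORITY columns.

```sql
-- Added example: object-level security for data files.

-- Files anyone on the system can update or delete records in.  *USE would already
-- let them read every record over ODBC, FTP or SQL; *CHANGE and *ALL let them
-- change it, and *ALL lets them delete the file outright.
SELECT SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME, OBJECT_AUTHORITY
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE SYSTEM_OBJECT_SCHEMA = 'PAYLIB'
   AND OBJECT_TYPE          = '*FILE'
   AND AUTHORIZATION_NAME   = '*PUBLIC'
   AND OBJECT_AUTHORITY    IN ('*CHANGE', '*ALL')
 ORDER BY SYSTEM_OBJECT_NAME;

-- Remediation for one file: *PUBLIC out, the application group in at the level
-- the application actually needs.  Work the pattern out file by file first, then
-- apply it library-wide with GRTOBJAUT OBJ(PAYLIB/*ALL) OBJTYPE(*FILE).
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(PAYLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)');
CALL QSYS2.QCMDEXC('GRTOBJAUT OBJ(PAYLIB/CUSTMAST) OBJTYPE(*FILE) USER(PAYGRP) AUT(*USE)');

-- Verify: the file now shows *EXCLUDE for *PUBLIC and *USE for PAYGRP.
SELECT AUTHORIZATION_NAME, OBJECT_AUTHORITY
  FROM QSYS2.OBJECT_PRIVILEGES
 WHERE SYSTEM_OBJECT_SCHEMA = 'PAYLIB'
   AND SYSTEM_OBJECT_NAME   = 'CUSTMAST'
   AND OBJECT_TYPE          = '*FILE';
```

Expect the menu programs that update the file to fail for users who now have only *USE; the standard answer is to have those programs adopt their owner's authority (USRPRF(*OWNER)) rather than handing the users *CHANGE, because *CHANGE would come back through ODBC and FTP as well.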


Data access is more than menus

Access to data from menus is tightly controlled, e.g. an Accounting Menu:

1. Accts Receivable

2. Accts Payable

3. Check Requests

But the same data is reachable by paths that bypass the menu entirely:

• FTP, ODBC, DDM, Sockets

• Users with legitimate command line access: Operators, DBA, Analysts, Developers

• WebSphere and other web apps

• Processes that allow downloads to a PC or send data to a Windows Server

• Query / SQL

In reality, data access is NOT tightly controlled

On every one of those paths it is the user's authority to the file that decides, and that authority usually comes from one of:

• *PUBLIC – *ALL or *CHANGE

• Member of the owning group

• *ALLOBJ special authority


Too Many Special Authorities


Special Authority   Definition

*AUDIT      Configure auditing
*IOSYSCFG   Device and communications configuration and management
*JOBCTL     Management of any job on the system
*SAVSYS     Ability to save and restore any object on the system, or the entire system, regardless of authority to the object
*SECADM     Create/Change/Delete user profiles
*SERVICE    Ability to use Service Tools
*SPLCTL     Access to every spooled file on the system regardless of authority to the outq; the *ALLOBJ of spooled files
*ALLOBJ     All authority to EVERY object on the system!

Too many users with too many Special Authorities


Remediation

• Give special authority only to users whose job function requires it

• Start with new profiles

– Create template profiles to create new profiles from; stop copying existing profiles!

• Do not assign *ALLOBJ to programmers' profiles
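Added example (not from the presentation): count who holds each special authority, surface the ones inherited through a group profile, and create a clean template profile to copy from. It uses QSYS2.USER_INFO, where SPECIAL_AUTHORITIES is a space-separated string and GROUP_PROFILE_NAME is '*NONE' when there is no group. TPLENDUSR and MAINMENU are placeholders.

```sql
-- Added example: special authority inventory and a template profile.

-- How many profiles hold each special authority.  In most shops *ALLOBJ and
-- *SECADM should be single digits; *JOBCTL and *SPLCTL are the usual surprise.
SELECT s.SPCAUT, COUNT(*) AS PROFILES
  FROM QSYS2.USER_INFO u
  JOIN (VALUES ('*ALLOBJ'), ('*SECADM'), ('*AUDIT'), ('*IOSYSCFG'),
               ('*JOBCTL'), ('*SAVSYS'), ('*SERVICE'), ('*SPLCTL')) AS s (SPCAUT)
    ON u.SPECIAL_AUTHORITIES LIKE '%' CONCAT s.SPCAUT CONCAT '%'
 GROUP BY s.SPCAUT
 ORDER BY PROFILES DESC;

-- *ALLOBJ that does not show on the user's own profile: inherited from the
-- primary group.  (Supplemental groups in SUPPLEMENTAL_GROUP_LIST work the same
-- way; extend the join if you use them.)
SELECT u.AUTHORIZATION_NAME, u.GROUP_PROFILE_NAME,
       g.SPECIAL_AUTHORITIES AS INHERITED_FROM_GROUP
  FROM QSYS2.USER_INFO u
  JOIN QSYS2.USER_INFO g
    ON g.AUTHORIZATION_NAME = u.GROUP_PROFILE_NAME
 WHERE g.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY u.AUTHORIZATION_NAME;

-- A template to copy new end users from instead of copying a colleague's profile
-- (which is how *ALLOBJ spreads).  It cannot sign on itself: no password, disabled.
CALL QSYS2.QCMDEXC(
  'CRTUSRPRF USRPRF(TPLENDUSR) PASSWORD(*NONE) STATUS(*DISABLED) ' CONCAT
  'SPCAUT(*NONE) LMTCPB(*YES) INLMNU(MAINMENU) ATTNPGM(*NONE) ' CONCAT
  'TEXT(''Template: end user - copy only, never sign on'')');
```

The second query is the one that explains why "we only have three *ALLOBJ users" is so often wrong: a group with *ALLOBJ hands it to every member, and the members' own profiles show SPCAUT(*NONE).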


Apathy


Why no action is taken

10. Trust their users

9. Users won't tolerate security restrictions

8. Budget restrictions

7. Lack of expertise

6. Fear

5. Denial

4. Nothing has ever happened so no worries

3. IBM i has never been hacked (see http://www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/ and search for 'AS400')

2. Stuck in the 20th Century

1. Apathy


Where Do You Start

• Look at the types of data your organization uses

– What is the most critical

– Regulated data (healthcare, credit card information, etc.)

– Other private information (PII data)

• Start with the data that will cost the most if it is not accurate, not available, not compliant with laws or regulations, or lost or stolen


Start somewhere!

Reduce the risk to your organization’s data


For more information

• Contact us for more information on our services:

– Managed Security Services (MSS)

– Risk Assessment

– Remediation Services

– Penetration (Pen) testing

[email protected]

www.helpsystems.com/professional-security-services