Transcript: Top Security Vulnerabilities on IBM i - LISUG
www.helpsystems.com/professional-security-services 3/16/2016
© HelpSystems, 2015. All Rights Reserved. 1
© HelpSystems. Company Confidential.3/16/2016 1
Top Security Vulnerabilities on IBM i
Carol Woodbury, VP, Global Security Services, HelpSystems
Top Security Vulnerabilities on IBM i
• IBM i is one of the most securable systems available—but
unless you actually use the features IBM has provided, the
system is vulnerable.
• Tonight we will talk about:
– The top vulnerabilities on the system today
– How to address them using the operating system itself
IBM i has MANY layers of defense
• Provided with IBM i
– Hardware storage protection
– Signed OS
– Separation of OS from Application Layer
• You must implement
– Security level
– Strong passwords
– Encrypted sessions, back-ups, disk, data at rest
– User capabilities
– Access control settings
– Auditing / Logging
• Additional layers are available
– Exit programs
– Additional encryption solutions
– Two-factor authentication
Why do we need to have this discussion …?
Drunk the Kool-aid
… that IBM i is Secure
Reality …
IBM i is secure-ABLE
The business is expecting:
• Data integrity
• Availability of data
• Compliance with laws and regulations
• Data confidentiality
It’s quite likely that if the business realized how exposed their
data was they’d demand better protection.
The Business of Security
• Business and IT together must determine
– What data to secure
– Which security measures to implement
– Where to implement them
• Decision must be
– Cost effective
– Appropriate for what’s being protected
– Effectively assist in the effort to reduce risk to an acceptable
level
Auditing
QAUDCTL = *NONE
• No auditing means that no actions are logged, so none of the vulnerabilities in this deck can be investigated effectively after the fact
No save strategy for receivers
• Audit journal receivers are not saved before they are deleted, so whatever was logged is lost anyway
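The following CL sequence is an added example, not part of the original deck: it shows the weak state (QAUDCTL = *NONE) next to a working auditing configuration and a receiver save cycle. QSYS/QAUDJRN and QGPL/AUDRCV0001 are the CHGSECAUD defaults; TAP01 is an assumed device name.

```cl
/* Added example (not from the original deck). Run from a command line or a   */
/* CL program with *AUDIT special authority. TAP01 is an assumed save device.  */

/* 1. Where do we stand? Shows QAUDCTL, QAUDLVL, the journal and the receiver */
DSPSECAUD

/* 2. Weak state described on the slide: nothing is logged                     */
/*    QAUDCTL = *NONE                                                          */

/* 3. Corrected state: create QSYS/QAUDJRN and its first receiver and audit    */
/*    both actions (QAUDLVL) and object access (*OBJAUD). *NOQTEMP keeps       */
/*    QTEMP noise out of the journal.                                          */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUTFAIL *CREATE *DELETE *OBJMGT *PGMFAIL *SAVRST +
                  *SECURITY *SERVICE *SYSMGT) +
          JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001)

/* 4. If auditing ever fails, say so: *NOTIFY posts to QSYSOPR; *PWRDWNSYS is  */
/*    the strict alternative                                                   */
CHGSYSVAL SYSVAL(QAUDENDACN) VALUE('*NOTIFY')

/* 5. Receiver save strategy: detach the current receiver (the system        */
/*    generates the next one), save the detached receivers, and only then     */
/*    delete what has been saved. Schedule this daily.                        */
CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
SAVOBJ OBJ(AUDRCV*) LIB(QGPL) OBJTYPE(*JRNRCV) DEV(TAP01)

/* 6. WRKJRNA lists every receiver with its status (attached / saved), so you */
/*    can confirm the save before deleting. AUDRCV0001 below is the first,    */
/*    now detached, receiver of this example.                                 */
WRKJRNA JRN(QSYS/QAUDJRN)
DLTJRNRCV JRNRCV(QGPL/AUDRCV0001) DLTOPT(*IGNINQENT)
```

Running DSPSECAUD again after step 3 is the check: QAUDCTL must no longer read *NONE, and the receiver shown must be the one you save in step 5.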
Passwords that Don’t Expire
Non-expiring passwords
• QPWDEXPITV set to *NOMAX
• Password expiration interval in the user profile is set to
*NOMAX (rather than *SYSVAL)
Biggest offenders: Administrators!
Remediation
• Set QPWDEXPITV to 90 days or less
• Ensure all profiles used for sign-on are PWDEXPITV(*SYSVAL) – a profile-level *NOMAX silently overrides the system value
  – Administrators, programmers, vendors, upper management, end users, etc.
• Set IBM-supplied profiles that nobody signs on with to PASSWORD(*NONE)
• Set QSECOFR to STATUS(*DISABLED); it can still sign on at the system console, so keep its password in a safe rather than in daily use
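The CL below is an added example (not from the original deck) of the remediation above: detect the non-expiring passwords, set the system-wide interval, pull the overriding profiles back to *SYSVAL and neutralise the IBM-supplied profiles. ADMIN1 and VENDOR1 are assumed profile names.

```cl
/* Added example (not from the original deck). ADMIN1 and VENDOR1 are        */
/* assumed profile names; QPGMR, QSYSOPR and QSECOFR are IBM-supplied.        */

/* Detect: the password report lists each profile's expiration interval,      */
/* so *NOMAX overrides and old password-change dates stand out                 */
PRTUSRPRF TYPE(*PWDINFO)

/* Weak state described on the slide                                          */
/*   QPWDEXPITV = *NOMAX, or PWDEXPITV(*NOMAX) on individual profiles         */

/* Corrected: a 90-day system interval that every sign-on profile inherits    */
CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('90')
CHGUSRPRF USRPRF(ADMIN1)  PWDEXPITV(*SYSVAL)
CHGUSRPRF USRPRF(VENDOR1) PWDEXPITV(*SYSVAL)

/* A profile that has not changed its password in years gets a forced change  */
/* at the next sign-on instead of waiting out the new 90 days                 */
CHGUSRPRF USRPRF(VENDOR1) PWDEXP(*YES)

/* IBM-supplied profiles that nobody signs on with get no password at all.   */
/* Do this only for profiles confirmed to be unused for sign-on.              */
CHGUSRPRF USRPRF(QPGMR)   PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSYSOPR) PASSWORD(*NONE)

/* QSECOFR keeps a known, vaulted password but is disabled for normal        */
/* sign-on. A disabled QSECOFR can still sign on at the system console, which */
/* is the intended break-glass path, so this does not lock you out.           */
CHGUSRPRF USRPRF(QSECOFR) STATUS(*DISABLED)

/* Verify: the password expiration interval should now read *SYSVAL           */
DSPUSRPRF USRPRF(ADMIN1) TYPE(*BASIC)
```

Re-run PRTUSRPRF TYPE(*PWDINFO) after the changes; any profile still showing *NOMAX is one the slide's "biggest offenders" list missed.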
Running at the wrong password level - QPWDLVL
QPWDLVL (system value: password level)
Level 0 (default): character set A-Z, 0-9, $, @, # and _; maximum length 10. Passwords are stored in both all-upper and all-lower case, plus a version used for NetServer.
Level 1: same as level 0, but the old NetServer password is no longer stored.
Level 2: character set upper/lower case, all punctuation and special characters, numbers and spaces; maximum length 128. Keeps the NetServer password and encrypts with both the old and the new algorithms, so a fallback to level 0/1 is still possible. The sign-on screen, CHGPWD and the CRT/CHGUSRPRF password field are changed to accommodate the longer password.
Level 3: same as level 2, but only one version of the password is stored.
Changing QPWDLVL requires an IPL. Read "Considerations before changing" in the IBM i Security Reference manual first.
Password fields at QPWDLVL 2/3
Limited Capabilities *NO
Profiles with LMTCPB(*NO)
• The default on CRTUSRPRF
• Allows the user to enter commands on any command line, to change the initial program, menu and current library on the sign-on display, and to run commands through remote interfaces such as rmtcmd
Profiles with LMTCPB(*NO)
Enter … Attention program
What happens at signon…?
Profiles with LMTCPB(*NO)
• Open a DOS (command prompt) window on a PC with IBM i Access installed
• Enter the command
  rmtcmd crtdir '/home/SkyViewTest' //system_name
• This will bring up a sign-on prompt – or will run without prompting if the user is already signed on to that system from the workstation
• The command runs through the remote command host server, never through a menu: a user who cannot reach a command line in a 5250 session can still create directories, call programs, etc., as long as the profile is LMTCPB(*NO)
Remediation
• Make sure EVERY profile is set to LMTCPB(*YES) unless it specifically needs to run commands
  – even profiles that should never be used for sign-on (e.g., service accounts)
Service accounts
• PASSWORD – never the default (profile name): strong, unique and vaulted
• INLPGM(*NONE)
• INLMNU(*SIGNOFF)
• LMTCPB(*YES)
• ATNPGM(*NONE) (the CRT/CHGUSRPRF keyword is ATNPGM)
• SPCAUT – only what’s required
• TEXT – make it meaningful: what uses the account and who owns it
• Don’t over-use – one service account per application or interface, not one shared by all of them
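The following CL is an added example (not from the original deck) that applies the remediation and the service-account checklist above to one profile. SVCODBC, APPGRP, ENDUSER1 and the text are assumptions; the caveat at the end is from the IBM i Security Reference description of LMTCPB.

```cl
/* Added example (not from the original deck). SVCODBC, APPGRP and ENDUSER1   */
/* are assumed names.                                                         */

/* Weak default the slides describe: a profile created for ODBC only, but with */
/* CRTUSRPRF defaults it gets LMTCPB(*NO), INLMNU(MAIN) and a command line,   */
/* so it is usable from a 5250 session and from rmtcmd                        */
/*   CRTUSRPRF USRPRF(SVCODBC) PASSWORD('<some-secret>')                      */

/* Corrected: no initial program, sign off if a 5250 session is ever opened,  */
/* no command line, no attention program, no special authorities, documented */
CRTUSRPRF USRPRF(SVCODBC) PASSWORD(*NONE) +
          INLPGM(*NONE) INLMNU(*SIGNOFF) LMTCPB(*YES) +
          ATNPGM(*NONE) SPCAUT(*NONE) USRCLS(*USER) +
          GRPPRF(APPGRP) +
          TEXT('Service acct: nightly ODBC extract - owner Finance IT')

/* PASSWORD(*NONE) above keeps the profile unusable until the real password   */
/* is set in a separate step: never the profile name, never the default       */
CHGUSRPRF USRPRF(SVCODBC) PASSWORD('<strong-unique-secret>')

/* Retrofit: every existing profile that does not need a command line         */
CHGUSRPRF USRPRF(ENDUSER1) LMTCPB(*YES)

/* Verify: "Limit capabilities" and "Initial menu" appear in the basic display */
DSPUSRPRF USRPRF(SVCODBC) TYPE(*BASIC)

/* Caveat (IBM i Security Reference): LMTCPB is enforced by the command line, */
/* FTP, REXEC and the remote command server. A program that calls QCMDEXC,   */
/* e.g. CALL QSYS.QCMDEXC over ODBC/JDBC, is not checked. For those paths the */
/* control is object authority on the commands and data, plus exit programs. */
```

Repeat the rmtcmd test from the previous slide after the change: with LMTCPB(*YES) the remote command server rejects the CRTDIR, which is the check that the remediation actually took.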
Default Passwords
Profiles with a default password
• CRTUSRPRF defaults to PASSWORD(*USRPRF), i.e. the password equals the profile name, when a new user profile is created
• Risk is not reduced just because the password is set to expire at first use – whoever signs on first gets to choose the new password
• IBM-supplied profiles will be the first profiles attempted because their names are well known
• Vendor profiles are prime suspects
• Accounts are created as a test
  – then start to be used
  – or are forgotten and left on the system
Note: INLPGM and INLMNU are only in effect when signing on interactively (5250/TELNET); they do nothing for FTP, ODBC, DDM or other host-server connections.
Don’t have your *ADMIN HTTP server instance started all of the time, and/or use Application Administration (APPADMIN) to control access to Navigator functions.
QPWDRULES
*PWDSYSVAL (use the individual QPWDxxx system values), or one or more of:
• *CHRLMTAJC
• *CHRLMTREP
• *DGTLMTAJC
• *DGTLMTFST
• *DGTLMTLST
• *DGTMAXn
• *DGTMINn
• *LMTSAMPOS
• *LMTPRFNAME – profile name cannot be contained in the password
• *LTRLMTAJC
• *LTRLMTFST
• *LTRLMTLST
• *LTRMAXn
• *LTRMINn
• *MAXLENnnn
• *MINLENnnn
• *MIXCASEnnn
• *REQANY3
• *SPCCHRLMTAJC
• *SPCCHRLMTFST
• *SPCCHRLMTLST
• *SPCCHRMAXn
• *SPCCHRMINn
V7R2 adds:
• *ALLCRTCHG – password rules must be followed even when the password is set with the CRTUSRPRF or CHGUSRPRF commands
Eliminate default passwords by specifying *LMTPRFNAME and *ALLCRTCHG
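The CL below is an added example, not part of the original deck; it covers both the QPWDLVL slide and the QPWDRULES slide: find the default passwords that already exist, stop new ones with QPWDRULES, and raise the password level in the order the IBM i Security Reference recommends. The rule set chosen is an assumption (a reasonable policy, not an IBM default).

```cl
/* Added example (not from the original deck). The rule values are an        */
/* assumed policy; *ALLCRTCHG needs IBM i 7.2 or later.                       */

/* 1. Detect: ANZDFTPWD tries the profile name as the password for every     */
/*    profile and prints the ones that match                                  */
ANZDFTPWD ACTION(*NONE)
/*    After review, the same command disables the offenders and forces a      */
/*    change at next sign-on for any that must stay enabled                   */
ANZDFTPWD ACTION(*DISABLE *PWDEXP)

/* 2. Weak state: QPWDRULES(*PWDSYSVAL) with the old QPWDMINLEN, QPWDRQDDGT  */
/*    etc. left at their shipped defaults, so CRTUSRPRF PASSWORD(*USRPRF)     */
/*    is accepted                                                             */

/* 3. Rules that are valid at any password level. Once QPWDRULES is not      */
/*    *PWDSYSVAL the individual QPWDxxx system values are ignored.            */
/*    *LMTPRFNAME: profile name may not appear inside the password            */
/*    *ALLCRTCHG: rules also apply to CRTUSRPRF / CHGUSRPRF PASSWORD(...)     */
CHGSYSVAL SYSVAL(QPWDRULES) +
          VALUE('*MINLEN8 *DGTMIN1 *LMTPRFNAME *LMTSAMPOS *ALLCRTCHG')

/* 4. Password level. First see which profiles would lose access at level   */
/*    2/3 (passwords that exist only in the level 0/1 form)                   */
PRTUSRPRF TYPE(*PWDLVL)
/*    Go to level 2 first: it keeps both encrypted forms, so you can fall     */
/*    back. Takes effect at the next IPL; read the Security Reference         */
/*    "considerations before changing" before doing it.                       */
CHGSYSVAL SYSVAL(QPWDLVL) VALUE('2')
/*    ... IPL ...                                                              */

/* 5. After the IPL, rules that need level 2/3 (length > 10, mixed case)     */
CHGSYSVAL SYSVAL(QPWDRULES) +
          VALUE('*MINLEN12 *MAXLEN128 *REQANY3 *LMTPRFNAME *LMTSAMPOS +
                 *ALLCRTCHG')

/* 6. Once every profile has changed its password at level 2, level 3 drops  */
/*    the old encrypted form (another IPL)                                    */
CHGSYSVAL SYSVAL(QPWDLVL) VALUE('3')
```

The check after step 3 is to try creating a throw-away profile with the default password: CRTUSRPRF must now fail with a password-rules message instead of creating a profile whose password is its own name.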
Root is Shared
• A share to root (‘/’) also shares /QSYS.LIB – every library, and every file and member in it, is exposed through the share as a folder/file tree, limited only by object authority
Remediation
Root (‘/’) should not be shared!
• Ransomware such as CryptoLocker running on a PC with the share mapped encrypts everything that PC user can write to – a huge threat
If the share absolutely cannot be removed:
• Add a ‘$’ to the end of the share name, e.g., share$
  – Hides the share from browse lists; anyone who knows the name can still connect, so this is obscurity, not a control
• Create the share as a ‘read only’ share
• Set the QPWFSERVER authorization list to *PUBLIC *EXCLUDE, authorizing specific users
  – Prevents access to libraries (/QSYS.LIB) through interfaces such as Windows Explorer
• Implement object level security!
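The following CL is an added example (not from the original deck) of the authority side of this remediation; share creation and removal themselves are done in Navigator or through the QZLSADFS/QZLSRMS APIs and are not shown. ADMIN1, APPGRP and /home/apptransfer are assumptions.

```cl
/* Added example (not from the original deck). ADMIN1, APPGRP and            */
/* /home/apptransfer are assumed names.                                       */

/* 1. Keep Windows Explorer and the file server out of the library system:   */
/*    QPWFSERVER is the authorization list that gates /QSYS.LIB access       */
/*    through the file server. Exclude everyone, then name the admins.        */
CHGAUTLE AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)
ADDAUTLE AUTL(QPWFSERVER) USER(ADMIN1)  AUT(*USE)
DSPAUTL  AUTL(QPWFSERVER)

/* 2. Weak state: root shipped and usually left at *PUBLIC *RWX, so a mapped */
/*    root share lets ransomware write anywhere the PC user can                */
DSPAUT OBJ('/')

/* 3. Corrected: *PUBLIC may traverse and read root but not write into it    */
CHGAUT OBJ('/') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
/*    Caveat: applications that create directories directly under '/' will   */
/*    break. Find them in the audit journal (CO = create object, ZC = change */
/*    object entries) and grant their profiles *RWX explicitly rather than   */
/*    reopening *PUBLIC.                                                      */

/* 4. Object level security on the tree the share actually serves: the       */
/*    application group keeps full access, everyone else is excluded.        */
/*    SUBTREE(*ALL) applies the change to every existing object below it.    */
CHGAUT OBJ('/home/apptransfer') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/home/apptransfer') USER(APPGRP) DTAAUT(*RWX) +
       OBJAUT(*NONE) SUBTREE(*ALL)

/* 5. Verify from the IBM i side, then from a PC without ADMIN1's profile:   */
/*    \\system\root$\QSYS.LIB must now be refused                             */
DSPAUT OBJ('/home/apptransfer')
```

Note that DTAAUT(*RX) on root protects root itself, not what is below it; each directory the share exposes needs its own review, which is what step 4 illustrates.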
Guest Profile Assigned to the NetServer
NetServer Guest Profile – Properties (Navigator)
Click on the Security tab
Click on Next Start
A guest profile allows anyone to connect to NetServer, without an IBM i user ID and password, and to access any object whose *PUBLIC authority is greater than *EXCLUDE. Remove the guest profile; the change is picked up at the next NetServer start, which is why the setting lives under "Next Start".
Unencrypted Sessions
Unencrypted communications
• Recent break-ins have exploited passwords sniffed from the network
• PCI DSS requires:
  – encrypted sessions for administrators
  – no cleartext passwords
• 5250 sign-on via an emulator over plain Telnet (port 23) sends the user ID and password in cleartext
  – PCI DSS allows only TLS 1.1 or TLS 1.2 once the SSL/early-TLS migration deadline (30 June 2018) has passed
• POODLE (CVE-2014-3566) has shown the weakness in SSL 3.0 – disable SSLv3 and run TLS 1.2 (or higher where available)
Unencrypted communications
Tutorial:
• Coffee with Carol session on configuring iAccess to use SSL (TLS): https://www.youtube.com/user/SkyViewPartners1/videos
POODLE:
• Instructions for enabling an SSL counter: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020451
• Instructions for enabling a comm trace that will allow you to determine which connection(s) use SSL: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
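The CL below is an added example (not from the original deck) of the System SSL side of the two slides above: the shipped protocol list next to a POODLE-safe one, and the restart that makes a TLS-only Telnet server pick it up. The certificate assignment in DCM is described in a comment only, since it is done in the DCM GUI.

```cl
/* Added example (not from the original deck). Requires *IOSYSCFG and a      */
/* maintenance window: ending *TELNET drops every 5250 session.               */

/* 1. Current protocol list. *OPSYS means the release default, which on      */
/*    older releases still includes SSLv3 (POODLE)                            */
DSPSYSVAL SYSVAL(QSSLPCL)

/* 2. Weak state: QSSLPCL(*OPSYS) or an explicit list containing *SSLV3 /   */
/*    *TLSV1, and emulators connecting to port 23                             */

/* 3. Corrected: TLS 1.2 and 1.1 only, OS-chosen cipher list for them        */
CHGSYSVAL SYSVAL(QSSLPCL)    VALUE('*TLSV1.2 *TLSV1.1')
CHGSYSVAL SYSVAL(QSSLCSLCTL) VALUE('*OPSYS')

/* 4. Before restarting: in Digital Certificate Manager assign a server      */
/*    certificate to the application QIBM_QTV_TELNET_SERVER, otherwise the   */
/*    TLS port (992) will not listen                                          */

/* 5. Servers read the protocol list when their TLS environment is           */
/*    initialised, so long-running servers must be restarted to be sure      */
ENDTCPSVR SERVER(*TELNET)
STRTCPSVR SERVER(*TELNET)

/* 6. Verify: 992 (telnet-ssl) listening; then point the emulator at 992    */
/*    with TLS enabled. Port 23 stays open until every client has moved;    */
/*    block it at the firewall at that point.                                 */
NETSTAT OPTION(*CNN)
```

The IBM "SSL counter" and comm-trace documents linked above are the way to confirm, from the IBM i side, which connections are still arriving without TLS once the clients have been reconfigured.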
Running at QSECURITY 20 or 30
QSECURITY Vulnerability
• Level 20 – password security only: by default every profile is created with *ALLOBJ and *SAVSYS special authorities, so every user can read, change or delete every object
• Level 30 – resource security is enforced, but a user with authority to a job description that names a user profile can submit a job under that profile without any authority to the profile itself, and so elevate privileges. Level 40 requires *USE to the named profile and also blocks unsupported (direct MI) interfaces.
QSECURITY con’t
Remediation
[Chart: QSECURITY value (levels 10, 20, 30, 40, 50) against the percentage of total available i5/OS security capabilities in effect; each higher level enables more]
Run at QSECURITY level 40 or 50
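The following CL is an added example (not from the original deck) of a safe move from level 30 to 40, using the audit-journal method from the IBM i Security Reference: log at 30 what 40 would reject, fix it, then raise the level. APPLIB/NIGHTJOBD is an assumed job description.

```cl
/* Added example (not from the original deck). APPLIB/NIGHTJOBD is assumed.  */

DSPSYSVAL SYSVAL(QSECURITY)

/* 1. While still at 30, audit what level 40 will start enforcing:           */
/*    *PGMFAIL records restricted instructions / unsupported interfaces,     */
/*    *AUTFAIL records the authority failures 40 enforces (e.g. JOBD user    */
/*    profile without *USE)                                                   */
CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*AUTFAIL *PGMFAIL) +
          JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001)

/* 2. Run a full business cycle (month-end included), then copy the AF       */
/*    (authority failure) entries to QTEMP/QAUDITAF and look at violation    */
/*    types B, C, D, J, R and S: at level 30 these are only logged, at 40    */
/*    the operation fails                                                     */
CPYAUDJRNE ENTTYP(AF) OUTFILE(QTEMP/QAUDIT)
RUNQRY QRY(*NONE) QRYFILE((QTEMP/QAUDITAF))

/* 3. Fix what the report shows. Example: a JOBD naming a user profile is    */
/*    usable at 40 only by users with *USE to that profile; either grant     */
/*    that deliberately to the submitters, or make the JOBD require the      */
/*    submitter's own profile                                                 */
CHGJOBD JOBD(APPLIB/NIGHTJOBD) USER(*RQD)

/* 4. Only when a full cycle produced no B/C/D/J/R/S entries: raise the      */
/*    level. Takes effect at the next IPL. Go 30 -> 40, stabilise, then 50   */
/*    (50 adds parameter validation and further integrity checks).           */
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')
```

Keep *AUTFAIL and *PGMFAIL auditing on after the IPL: the same AF report is how you spot anything the test cycle missed, now as an actual failure rather than a warning.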
Data is Not Secured
Objects are not secured
• Objects – especially files containing PII (Personally
Identifiable Information) or confidential information are not
secured
• Menu “security” is not enough!
• Too many users have *ALLOBJ special authority
• Too many users are a member of a group that owns an
application
• Too many *FILEs at *PUBLIC *CHANGE or *ALL
Data access is more than menus
[Diagram] The Accounting Menu (1. Accts Receivable, 2. Accts Payable, 3. Check Requests) is only one path to the data, and access from menus is tightly controlled. Other paths to the same files:
• FTP, ODBC, DDM, Sockets
• Users with legitimate command line access: Operators, DBA, Analysts, Developers
• WebSphere and other web apps
• Processes that allow downloads to a PC or send data to a Windows Server
• Query / SQL
In reality, data access is NOT tightly controlled
[Diagram] The same paths (FTP, ODBC, DDM, Sockets; users with legitimate command line access such as Operators, DBA, Analysts, Developers; WebSphere and other web apps; processes that download to a PC or send data to a Windows Server; Query / SQL) reach files whose access is actually governed by:
• *PUBLIC – *ALL or *CHANGE
• Membership of the owning group
• *ALLOBJ special authority
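The CL below is an added example (not from the original deck) of putting object level security on one file so that every path in the diagrams above, menu or not, meets the same rule. PAYLIB, CUSTMAST, PAYPGM, PAYOWNER and PAYRPTGRP are assumed names.

```cl
/* Added example (not from the original deck). PAYLIB, CUSTMAST, PAYPGM,     */
/* PAYOWNER and PAYRPTGRP are assumed names.                                  */

/* 1. Find the exposure: files in the library whose *PUBLIC authority is      */
/*    above *EXCLUDE, who holds private authorities, and one file in detail   */
PRTPUBAUT OBJTYPE(*FILE) LIB(PAYLIB)
PRTPVTAUT OBJTYPE(*FILE) LIB(PAYLIB)
DSPOBJAUT OBJ(PAYLIB/CUSTMAST) OBJTYPE(*FILE)

/* 2. Weak state described on the slides: *PUBLIC *CHANGE on CUSTMAST, so an  */
/*    ODBC or FTP user can UPDATE or replace it regardless of the menu        */

/* 3. Corrected: deny by default, at the library and at the file             */
GRTOBJAUT OBJ(PAYLIB)          OBJTYPE(*LIB)  USER(*PUBLIC) AUT(*USE)
GRTOBJAUT OBJ(PAYLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 4. The application gets its access through adopted authority: the data   */
/*    and the program are owned by PAYOWNER, and the program runs under its  */
/*    owner, so menu users need no authority of their own to CUSTMAST        */
CHGOBJOWN OBJ(PAYLIB/CUSTMAST) OBJTYPE(*FILE) NEWOWN(PAYOWNER)
CHGOBJOWN OBJ(PAYLIB/PAYPGM)   OBJTYPE(*PGM)  NEWOWN(PAYOWNER)
CHGPGM    PGM(PAYLIB/PAYPGM) USRPRF(*OWNER)

/* 5. Reporting users (Query/SQL, ODBC) read through a group with *USE,      */
/*    never *CHANGE                                                           */
GRTOBJAUT OBJ(PAYLIB/CUSTMAST) OBJTYPE(*FILE) USER(PAYRPTGRP) AUT(*USE)

/* 6. Verify. Two populations still bypass all of this: profiles with       */
/*    *ALLOBJ, and members of PAYOWNER's group if PAYOWNER is a group; that  */
/*    is why the next slides are about shrinking them                         */
DSPOBJAUT OBJ(PAYLIB/CUSTMAST) OBJTYPE(*FILE)
```

Test from outside the menu, not inside it: an ODBC UPDATE against CUSTMAST by an end user must now fail with an authority error while the same user's menu option still works through PAYPGM.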
Too Many Special Authorities
Too many users with too many Special Authorities
Special Authority – Definition
*AUDIT – Configure auditing
*IOSYSCFG – Device and communications configuration and management
*JOBCTL – Management of any job on the system
*SAVSYS – Ability to save and restore any object on the system, or the entire system, regardless of authority to the object
*SECADM – Create/Change/Delete user profiles
*SERVICE – Ability to use Service Tools
*SPLCTL – Access to every spooled file on the system regardless of authority to the outq: the *ALLOBJ of spooled files
*ALLOBJ – All authority to EVERY object on the system!
Remediation
• Give special authority only to users whose job function
requires it
• Start with new profiles
– Create template profiles to create profiles – stop copying
existing profiles!
• Do not assign *ALLOBJ to programmers’ profiles
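The CL below is an added example (not from the original deck) of this remediation: find who holds *ALLOBJ and whose special authorities exceed their user class, trim them, and build a template profile to create new profiles from instead of copying a live administrator. DEV1, OPER1 and TPLDEV are assumed names.

```cl
/* Added example (not from the original deck). DEV1, OPER1 and TPLDEV are    */
/* assumed names.                                                             */

/* 1. Who has *ALLOBJ, and whose special authorities do not match their      */
/*    user class (the copied-from-an-admin profiles)                         */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)
PRTUSRPRF TYPE(*AUTINFO) SELECT(*MISMATCH)

/* 2. Weak state: a programmer's profile copied from an administrator        */
/*    SPCAUT(*ALLOBJ *SECADM *JOBCTL *SAVSYS *IOSYSCFG ...)                   */

/* 3. Corrected: only what the job function needs. SPCAUT replaces the whole */
/*    list, so state the full intended set.                                   */
CHGUSRPRF USRPRF(DEV1)  SPCAUT(*JOBCTL)
CHGUSRPRF USRPRF(OPER1) SPCAUT(*JOBCTL *SAVSYS)

/* 4. Template profile: disabled, no password, no special authority,         */
/*    explicit user class. New profiles are then created from it (e.g.       */
/*    WRKUSRPRF option 3 = Copy) so they inherit least privilege instead of  */
/*    an administrator's accumulated rights.                                  */
CRTUSRPRF USRPRF(TPLDEV) PASSWORD(*NONE) STATUS(*DISABLED) +
          USRCLS(*PGMR) SPCAUT(*NONE) LMTCPB(*NO) INLMNU(MAIN) +
          TEXT('TEMPLATE: developer - do not sign on')

/* 5. Verify: re-run the *ALLOBJ report; only the profiles on the approved   */
/*    list should remain                                                      */
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)
```

Schedule the two PRTUSRPRF reports: the *MISMATCH report in particular is how profiles that were copied rather than templated show up again after this clean-up.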
Apathy
Why no action is taken
10. Trust their users
9. Users won’t tolerate security restrictions
8. Budget restrictions
7. Lack of expertise
6. Fear
5. Denial
4. Nothing has ever happened so no worries
3. IBM i has never been hacked (see http://www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/ – search for ‘AS400’)
2. Stuck in the 20th Century
1. Apathy
Where Do You Start
• Look at types of data your organization uses
– What is the most critical
– Regulated data (Healthcare, credit card information, etc)
– Other private information (PII data)
• Start with the data that will cost the most if the data is not
accurate, not available, not compliant with laws or
regulations or lost or stolen
Start somewhere!
Reduce the risk to your organization’s data
For more information
• Contact us for more information on our services:
  – Managed Security Services (MSS)
  – Risk Assessment
  – Remediation Services
  – Penetration (Pen) testing
www.helpsystems.com/professional-security-services