MAY 1, 2013
Robin Tatam, Director of Security Technologies
WELCOME
Today’s Agenda
• Introductions
• Regulations on IBM i
• Conducting The Study
• The State of IBM i Security Study
• Resources for Security Officers
• Questions and Answers
About PowerTech
• Premier Provider of Security Solutions & Services
  – 16 years in the security industry as an established thought leader
  – Customers in over 70 countries, representing every industry
  – Security Subject Matter Expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
Why Do I Need To Audit?
• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations, such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging
Which Standards Do I Audit Against?
• Is there a company Security Policy? (We’ve got one to help you get started)
• Guidelines and Standards
  – COBIT
  – ISO 27002 (formerly known as 17799)
  – ITIL
IT Controls—An Auditor’s Perspective
• Can users perform functions/activities that are in conflict with their job responsibilities?
• Can users modify/corrupt application data?
• Can users circumvent controls to initiate/record unauthorized transactions?
• Can users engage in fraud and cover their tracks?
The Auditor’s Credo…
Of course I believe you!
(But you still have to prove it to me)
Purpose Of The Study
• Help IT managers and auditors understand IBM i security exposures
• Focus on top areas of concern in meeting regulatory compliance
• Help IT develop strategic plans to address—or confirm—high risk vulnerabilities
How We Collect The Data
• PowerTech Compliance Assessment
  – Launched from a PC
  – Collects security data
  – Data for the study is anonymous
• Companies are self-selected
  – More, or less, security-aware?
• Study first published in 2003
  – Over 1,700 participants since inception
• Schedule your Compliance Assessment at www.PowerTech.com
Be A Part of the Study!
[Diagram: Your PC → Your IBM i server → Your vulnerabilities]
(Participation in the Security Study is optional)
Simple summary provides auditor & executives with visual indicators
• IBM i registry is reviewed to see if network events are audited or controlled
• *PUBLIC authority levels on application libraries are interrogated
• Statistics are retrieved on profile metrics, such as any with default passwords
• Review of the system values that impact security
• Verify if auditing is active, and what types of audit events are being logged
• Determine how many users have Special Authorities (admin privileges)
Six Major Areas of Review
• System auditing
• Privileged users
• User and password management
• Data access
• Network access control
• System security values
State of IBM i Security—Overall
• Assessed 101 different systems
• A total of:
  – 109,251 Users
  – 43,104 Libraries
• On average, per assessed system there were:
  – 1,082 Users
  – 427 Libraries
[Chart slides: State of IBM i Security—Overall]
WARNING: September 30 will be here SOON!
QSECURITY (System Security Level)
System Value: QSECURITY
[Chart: No. of Systems by security level]

System Security Level Historically

What Does IBM Say About Security Level 30?
Using QAUDJRN?
Systems Using the System i Audit Journal

Audit Settings Historically
Systems Using the System i Audit Journal (2010-2012)
Top 10 “Invalid Sign-On Attempts” Found
2010: 1,000,000+
2011: 789,962
2012: 154,404

10) 7,729
9) 8,333
8) 12,921
7) 19,201
6) 23,183
5) 28,078
4) 147,918
3) 161,427
2) 211,631
1) 567,772

6.9 million... All undetected!
But there was one that even shocked us!
What should I look for?

What Good Is Audit Journal Data?
• Too much data
• Too many places to look
• Manual reporting processes
• Audit and IT get locked in a request/respond cycle
Is Anyone Paying Attention?
• 88% of systems were logging audit data but… only 27% of those had a recognized auditing tool installed
• Over 6.9 million invalid sign-on attempts against a single profile!
  – Would you be more concerned if you knew it was the QSECOFR profile?
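The ranking above is what you get once someone actually aggregates the audit journal's password-failure entries. As an added example (not from the presentation or from PowerTech), here is that aggregation in Python over a constructed, simplified extract: one tuple per PW journal entry with a timestamp, the PW sub-type ("P" = password not valid, "U" = user name not valid, which are real sub-types), the profile name and the remote address. The failure threshold and the list of sensitive IBM-supplied profiles are assumptions for the example, not study values.

```python
from collections import Counter, defaultdict

# Constructed sample of PW (password failure) audit journal entries, reduced
# to the fields this check needs. Sub-type letters follow the real PW entry:
# "P" = password not valid, "U" = user name not valid. Timestamps, profiles
# and addresses are made up for the example.
SAMPLE_PW_ENTRIES = [
    # (timestamp, sub-type, user profile, remote address)
    ("2013-04-30 01:00:05", "P", "QSECOFR", "10.0.0.55"),
    ("2013-04-30 01:00:09", "P", "QSECOFR", "10.0.0.55"),
    ("2013-04-30 01:00:14", "P", "QSECOFR", "10.0.0.55"),
    ("2013-04-30 01:01:02", "U", "ADMIN",   "10.0.0.55"),
    ("2013-04-30 01:01:06", "U", "ADMIN",   "10.0.0.55"),
    ("2013-04-30 08:15:00", "P", "JSMITH",  "192.168.1.20"),
    ("2013-04-30 08:15:04", "P", "JSMITH",  "192.168.1.20"),
    ("2013-04-30 08:15:09", "P", "JSMITH",  "192.168.1.20"),
    ("2013-04-30 08:15:13", "P", "JSMITH",  "192.168.1.20"),
    ("2013-04-30 08:15:17", "P", "JSMITH",  "192.168.1.20"),
    ("2013-04-30 08:15:22", "P", "JSMITH",  "192.168.1.20"),
    ("2013-04-30 09:40:00", "P", "JSMITH",  "10.0.0.55"),
    ("2013-04-30 09:41:00", "P", "MJONES",  "10.0.0.55"),
]

# Assumed policy (not the study's): anything above this many failures in the
# extract deserves a look, and attempts against these profiles always do.
FAILURE_THRESHOLD = 5
SENSITIVE_PROFILES = {"QSECOFR", "QSYSOPR", "QPGMR", "QSRV", "QSRVBAS", "QUSER"}


def rank_invalid_signons(entries, top_n=10):
    """Count failures per profile and return the top N, highest first."""
    counts = Counter(user for _, _, user, _ in entries)
    return counts.most_common(top_n)


def guessed_user_names(entries):
    """Names that do not exist as profiles (sub-type U): a sign of name guessing."""
    return sorted({user for _, sub, user, _ in entries if sub == "U"})


def flag_profiles(entries, threshold=FAILURE_THRESHOLD):
    """Map profile -> finding text for profiles over the threshold or sensitive."""
    counts = Counter(user for _, _, user, _ in entries)
    sources = defaultdict(set)
    for _, _, user, addr in entries:
        sources[user].add(addr)
    findings = {}
    for user, n in counts.items():
        if user in SENSITIVE_PROFILES:
            sev = "HIGH"
        elif n > threshold:
            sev = "MEDIUM"
        else:
            continue
        findings[user] = f"{sev}: {n} invalid attempts from {len(sources[user])} source(s)"
    return findings


def busiest_sources(entries, top_n=3):
    """Remote addresses generating the most failures, to spot one noisy origin."""
    return Counter(addr for _, _, _, addr in entries).most_common(top_n)


if __name__ == "__main__":
    for rank, (user, n) in enumerate(rank_invalid_signons(SAMPLE_PW_ENTRIES), 1):
        print(f"{rank:2}) {user:<10} {n:>8,}")
    for user, text in flag_profiles(SAMPLE_PW_ENTRIES).items():
        print(user, text)
    print("busiest sources:", busiest_sources(SAMPLE_PW_ENTRIES))
```

On a real system the extract would come from the QAUDJRN PW entries (for example via DSPAUDJRNE or CPYAUDJRNE into a file); the point of the example is that the ranking, the sensitive-profile flag and the per-source view are a few lines once the data is in one place, which is exactly what the "too much data, too many places to look" slide says is missing.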
Library Authority
• The only library authority that keeps users out is *EXCLUDE
• A policy of “Least Privilege” calls for *PUBLIC to be excluded and then authorized users granted the appropriate access
• You can (potentially) delete objects with only *USE authority to the library
[Chart slides: Library Authority; Library Authority—Historically]

When New Objects Are Created
Default Create Authority by Library
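The three library-authority points above, together with the default-create-authority (CRTAUT) slide, reduce to a small set of rules that can be run over an inventory of libraries. The following is an added example in Python, not code from the presentation or from PowerTech: it takes a constructed list of libraries in the shape DSPOBJAUT or PRTPUBAUT would give you, resolves CRTAUT(*SYSVAL) through an assumed QCRTAUT value (*CHANGE, which is IBM's shipped default), reports libraries whose *PUBLIC authority is anything other than *EXCLUDE, and shows why *USE to the library is enough to delete an object when the object itself is *PUBLIC *ALL.

```python
# Constructed inventory of application libraries with the *PUBLIC authority
# and CRTAUT (default create authority) each carries. Names and values are
# made up for the example.
LIBRARIES = [
    # (library, *PUBLIC authority to the library, CRTAUT)
    ("PAYROLL", "*EXCLUDE", "*EXCLUDE"),
    ("ORDERS",  "*USE",     "*SYSVAL"),
    ("HRDATA",  "*CHANGE",  "*CHANGE"),
    ("GLAPP",   "*ALL",     "*ALL"),
    ("RPTLIB",  "*USE",     "*USE"),
]

# Assumed QCRTAUT system value; *CHANGE is what IBM ships, which is why
# CRTAUT(*SYSVAL) so often means new objects are writable by everyone.
QCRTAUT_SYSVAL = "*CHANGE"

# Ordering of the standard authority classes, weakest to strongest.
AUTHORITY_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


def effective_crtaut(crtaut, qcrtaut=QCRTAUT_SYSVAL):
    """CRTAUT(*SYSVAL) resolves to QCRTAUT; any explicit value stands on its own."""
    return qcrtaut if crtaut == "*SYSVAL" else crtaut


def public_can_delete(lib_public, obj_public):
    """Deleting an object needs *OBJEXIST on the object (included in *ALL but
    not in *CHANGE) plus *EXECUTE on the library (included in *USE). So *USE
    to the library is enough when the object itself is *PUBLIC *ALL."""
    return AUTHORITY_RANK[lib_public] >= AUTHORITY_RANK["*USE"] and obj_public == "*ALL"


def assess_library(lib, public_aut, crtaut, qcrtaut=QCRTAUT_SYSVAL):
    """Findings for one library: open *PUBLIC access and open defaults for new objects."""
    findings = []
    if public_aut != "*EXCLUDE":
        findings.append(f"*PUBLIC has {public_aut} to {lib}; only *EXCLUDE keeps users out")
    eff = effective_crtaut(crtaut, qcrtaut)
    if AUTHORITY_RANK[eff] >= AUTHORITY_RANK["*CHANGE"]:
        findings.append(f"new objects in {lib} default to *PUBLIC {eff} (CRTAUT={crtaut})")
    return findings


def assess_libraries(libs, qcrtaut=QCRTAUT_SYSVAL):
    return {lib: assess_library(lib, p, c, qcrtaut) for lib, p, c in libs}


def public_authority_breakdown(libs):
    """Share of libraries at each *PUBLIC level, as a rounded percent (the way
    the study charts it)."""
    counts = {}
    for _, public_aut, _ in libs:
        counts[public_aut] = counts.get(public_aut, 0) + 1
    return {k: round(100 * v / len(libs)) for k, v in counts.items()}


if __name__ == "__main__":
    for lib, issues in assess_libraries(LIBRARIES).items():
        print(lib, "OK" if not issues else "; ".join(issues))
    print(public_authority_breakdown(LIBRARIES))
```

Note that ORDERS looks harmless at first glance (*PUBLIC *USE, CRTAUT *SYSVAL) but resolves to *CHANGE for every new object, which is the case the "When New Objects Are Created" slide is pointing at.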
Network Access Control
• Many IBM i applications rely on menu security because…
  – It’s easy to build
  – It’s the legacy of many existing business applications
• Menu security design assumes:
  – Access always originates via the menus
  – No users have command line access
  – Users have no access to SQL-based tools
• Menu security is often accompanied by:
  – Users being members of the group that owns the objects
  – *PUBLIC is granted broad (*CHANGE) access to data
ODBC isn’t rocket science anymore

Are These Services Running?
Exit Program Coverage
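The two questions on the last slides, which network servers are running and which of them have an exit program registered, can be answered from a transcription of WRKREGINF plus a note of the active servers. As an added example (not from the presentation or from PowerTech), the Python below does that over a constructed snapshot. The exit point names used are real IBM i exit points for the database (ODBC/JDBC), FTP, remote command and file servers; the registered programs, the library name PTLIB and the running/stopped states are made up for the example.

```python
# Constructed snapshot of network exit points in the form one would copy
# from WRKREGINF: exit point, the service it guards, registered exit
# programs. Exit point names are real; registrations are made up.
EXIT_POINTS = [
    # (exit point, service, registered exit programs)
    ("QIBM_QZDA_INIT",       "Database server (ODBC/JDBC)", ["PTLIB/NETEXIT"]),
    ("QIBM_QTMF_SVR_LOGON",  "FTP server logon",            []),
    ("QIBM_QTMF_SERVER_REQ", "FTP server request",          []),
    ("QIBM_QZRC_RMT",        "Remote command",              []),
    ("QIBM_QPWFS_FILE_SERV", "File server",                 ["PTLIB/NETEXIT"]),
]

# Constructed view of which servers are active right now (what NETSTAT or
# WRKACTJOB would tell you). A stopped server is not an exposure today, but
# it becomes one the day somebody starts it.
SERVICE_RUNNING = {
    "Database server (ODBC/JDBC)": True,
    "FTP server logon": True,
    "FTP server request": True,
    "Remote command": False,
    "File server": True,
}


def uncovered_exit_points(exit_points):
    """Exit points with no exit program registered at all."""
    return [name for name, _, progs in exit_points if not progs]


def coverage_percent(exit_points):
    """Share of exit points that have at least one program, rounded percent."""
    covered = sum(1 for _, _, progs in exit_points if progs)
    return round(100 * covered / len(exit_points))


def exposed_services(exit_points, running):
    """Services that are running now and whose exit point nobody is watching."""
    return sorted({svc for _, svc, progs in exit_points
                   if not progs and running.get(svc, False)})


if __name__ == "__main__":
    print("exit program coverage:", coverage_percent(EXIT_POINTS), "%")
    for name in uncovered_exit_points(EXIT_POINTS):
        print("no exit program registered:", name)
    print("running and uncontrolled:", exposed_services(EXIT_POINTS, SERVICE_RUNNING))
```

The "running and uncontrolled" list is the one to act on first; a stopped server with no exit program (remote command here) belongs on the same list the moment it is started, which is why the coverage figure is reported separately from the running state.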
Administrator Privileges: Special Authority (aka Privileges)
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

*ALLOBJ (All Object)
The “gold key” to every object, and almost every administrative operation on the system, including unstoppable data access

*SECADM (Security Administration)
Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority

*IOSYSCFG (I/O Systems Configuration)
Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP)

*AUDIT (Audit)
The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD)

*SPLCTL (Spool Control)
This is the *ALLOBJ of spooled files. Allows a user to view/delete/hold/release any spooled file in any output queue, regardless of restrictions

*SERVICE (Service)
Allows a user to access the System Service Tools (SST) login, although, since V5R1, they also need an SST login

*JOBCTL (Job Control)
Enables a user to start/end subsystems and manipulate other users’ jobs. Also provides access to spooled files in output queues designated as “operator control”

*SAVSYS (Save System)
Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object
* Be cautious if securing objects at only a library level *

Administrator Privileges
[Chart slides: users with Special Authorities]
Best Practices call for <10 users with SPCAUTs

Powerful Users Historically

Endless News Reports of Insider Breaches
Minimum Password Length
System Value: QPWDMINLEN
[Chart: No. of Systems by QPWDMINLEN value]
Not too hard to guess your way in!

Default Passwords
[Chart: No. of Systems]

Password Expiration
Password Expiration Period (Days)
[Chart: No. of Systems]

How Many Attempts?
Maximum Sign-On Attempts Allowed
[Chart: No. of Systems]
Let’s hope this wasn’t the server that experienced 6.9 million invalid attempts

And Then What?
Default Action for Exceeding Invalid Sign-On Attempts
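The system values charted on the QSECURITY, audit journal, password length, password expiration, sign-on attempts and "And Then What?" slides are each a one-line comparison against a policy. As an added example (not from the presentation or from PowerTech), the Python below runs those comparisons over a constructed DSPSYSVAL-style snapshot. The system value names are real IBM i system values; the sample values and the policy targets (level 40, 8-character minimum, 90-day expiry, 5 attempts, profile disabled on the limit) are assumptions for the example, not figures published by the study.

```python
# Constructed snapshot of security system values as DSPSYSVAL would show
# them. The names are real IBM i system values; the values are made up to
# look like a weakly configured system.
WEAK_SYSTEM_VALUES = {
    "QSECURITY":  "30",      # security level (20, 30, 40 or 50)
    "QAUDCTL":    "*NONE",   # audit control; *NONE means nothing is audited
    "QPWDMINLEN": "6",       # minimum password length
    "QPWDEXPITV": "*NOMAX",  # password expiration interval in days, or *NOMAX
    "QMAXSIGN":   "*NOMAX",  # maximum invalid sign-on attempts, or *NOMAX
    "QMAXSGNACN": "1",       # when exceeded: 1=disable device, 2=disable profile, 3=both
}

# The same values after remediation, for comparison (also constructed).
HARDENED_SYSTEM_VALUES = {
    "QSECURITY":  "40",
    "QAUDCTL":    "*AUDLVL *OBJAUD",
    "QPWDMINLEN": "8",
    "QPWDEXPITV": "90",
    "QMAXSIGN":   "5",
    "QMAXSGNACN": "3",
}

# Assumed policy targets for the example (a common baseline, not the study's).
POLICY = {"QSECURITY": 40, "QPWDMINLEN": 8, "QPWDEXPITV": 90, "QMAXSIGN": 5}


def _num(value):
    """Special values such as *NOMAX carry no number; everything else is an int."""
    return None if value.startswith("*") else int(value)


def check_system_values(sv, policy=POLICY):
    """Return a list of (system value, current setting, finding) for each weak setting."""
    findings = []
    sec = _num(sv["QSECURITY"])
    if sec is None or sec < policy["QSECURITY"]:
        findings.append(("QSECURITY", sv["QSECURITY"],
                         f"below level {policy['QSECURITY']}: no operating-system integrity protection"))
    if "*NONE" in sv["QAUDCTL"].split():
        findings.append(("QAUDCTL", sv["QAUDCTL"], "security auditing is not active"))
    if _num(sv["QPWDMINLEN"]) < policy["QPWDMINLEN"]:
        findings.append(("QPWDMINLEN", sv["QPWDMINLEN"],
                         f"passwords may be shorter than {policy['QPWDMINLEN']} characters"))
    exp = _num(sv["QPWDEXPITV"])
    if exp is None or exp > policy["QPWDEXPITV"]:
        findings.append(("QPWDEXPITV", sv["QPWDEXPITV"],
                         f"passwords never expire or expire after more than {policy['QPWDEXPITV']} days"))
    mx = _num(sv["QMAXSIGN"])
    if mx is None or mx > policy["QMAXSIGN"]:
        findings.append(("QMAXSIGN", sv["QMAXSIGN"],
                         "unlimited or too many invalid sign-on attempts before any action"))
    if sv["QMAXSGNACN"] not in ("2", "3"):
        findings.append(("QMAXSGNACN", sv["QMAXSGNACN"],
                         "only the device is disabled; the profile stays open to further attempts"))
    return findings


if __name__ == "__main__":
    for name, current, text in check_system_values(WEAK_SYSTEM_VALUES):
        print(f"{name:<11} {current:<18} {text}")
    print("hardened findings:", check_system_values(HARDENED_SYSTEM_VALUES))
```

The QMAXSIGN and QMAXSGNACN checks belong together: a finite limit with action 1 still leaves the profile itself open from another device, which is how a single profile can absorb millions of attempts without ever being disabled.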
Inactive Profiles
[Chart: No. of Profiles]

5250 Command Line
[Chart: No. of Profiles]
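The profile-level findings in this part of the study (users with special authorities against the "<10 users with SPCAUTs" best practice, default passwords, inactive profiles and 5250 command line access) all come from the same user-profile attributes. As an added example (not from the presentation or from PowerTech), the Python below evaluates them over a constructed extract in the shape DSPUSRPRF *OUTFILE would give you, with a "password equals profile name" flag of the kind ANZDFTPWD reports. The reference date and the 30-day inactivity threshold are assumptions for the example; the deck does not state a threshold.

```python
from datetime import date

# Constructed user-profile extract. Field order: name, status, special
# authorities, LMTCPB (limit capabilities), last sign-on date, and whether
# the password equals the profile name (a "default password"). All made up.
PROFILES = [
    ("QSECOFR", "*ENABLED",  {"*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
                              "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS"},
     "*NO", date(2013, 4, 30), False),
    ("JSMITH",  "*ENABLED",  {"*JOBCTL"},            "*NO",      date(2013, 4, 28), False),
    ("MJONES",  "*ENABLED",  set(),                  "*YES",     date(2013, 4, 29), False),
    ("TEMPUSR", "*ENABLED",  set(),                  "*NO",      date(2012, 11, 1), True),
    ("AUDITR",  "*DISABLED", {"*AUDIT"},             "*PARTIAL", date(2013, 1, 15), False),
    ("OPS1",    "*ENABLED",  {"*ALLOBJ", "*JOBCTL"}, "*NO",      date(2013, 4, 30), True),
]

TODAY = date(2013, 5, 1)    # assumed reference date for the inactivity test
INACTIVE_DAYS = 30          # assumed threshold; the deck does not state one
MAX_PRIVILEGED_USERS = 10   # the "<10 users with SPCAUTs" best practice from the deck


def privileged_users(profiles):
    """Every profile holding at least one special authority."""
    return sorted(n for n, _, spc, _, _, _ in profiles if spc)


def allobj_users(profiles):
    return sorted(n for n, _, spc, _, _, _ in profiles if "*ALLOBJ" in spc)


def default_password_users(profiles):
    return sorted(n for n, _, _, _, _, dft in profiles if dft)


def inactive_users(profiles, today=TODAY, days=INACTIVE_DAYS):
    """Enabled profiles nobody has signed on with for more than `days` days."""
    return sorted(n for n, st, _, _, last, _ in profiles
                  if st == "*ENABLED" and (today - last).days > days)


def command_line_users(profiles):
    """LMTCPB(*YES) is the only setting that removes the 5250 command line;
    *PARTIAL still allows commands to be entered."""
    return sorted(n for n, _, _, lmt, _, _ in profiles if lmt != "*YES")


def critical_profiles(profiles):
    """An enabled profile with a default password that also has power or a
    command line: the first thing to fix."""
    return sorted(n for n, st, spc, lmt, _, dft in profiles
                  if dft and st == "*ENABLED" and (spc or lmt != "*YES"))


def summary(profiles):
    priv = privileged_users(profiles)
    return {
        "users": len(profiles),
        "privileged": len(priv),
        "privileged_over_best_practice": len(priv) >= MAX_PRIVILEGED_USERS,
        "allobj": len(allobj_users(profiles)),
        "default_passwords": len(default_password_users(profiles)),
        "inactive": len(inactive_users(profiles)),
        "command_line": len(command_line_users(profiles)),
        "critical": critical_profiles(profiles),
    }


if __name__ == "__main__":
    for key, value in summary(PROFILES).items():
        print(f"{key:<30} {value}")
```

In this sample the privileged-user count stays under the best-practice limit, yet OPS1 (default password plus *ALLOBJ) and TEMPUSR (default password, command line, unused for months) are exactly the "low-hanging fruit" the call to action at the end of the deck asks you to remediate first.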
The Perfect Storm Of Vulnerability
• Security awareness among IBM i professionals is generally low
• IBM i awareness among audit professionals is generally low
• Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400)
• Most IBM i data is not secured and the users are far too powerful
The Call To Action
1. Conduct a Compliance Assessment (free and deep-dive options)
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess data leak risk
5. Evaluate PowerTech solutions to mitigate risk
Comprehensive Security Solutions for Power Systems
Additional Resources
• Online Compliance Guide
• Security Policy

Questions
Please visit www.PowerTech.com to access:
• Demonstration Videos & Trial Downloads
• Product Information Data Sheets
• White Papers / Technical Articles
• Customer Success Stories
• PowerNews (Newsletter)
• Robin’s Security Blog
• To request a FREE Compliance Assessment
www.powertech.com (800) 915-7700
Thanks for your time!