
IBM i Security Study

Oct 19, 2014


Learn from 10 years of IBM i audits, including AS400 audits and iSeries audits. This popular study includes recommendations on iSeries security configurations, iSeries user controls, iSeries client access, and other IBM security tips.
Transcript
Page 1: IBM i Security Study

MAY 1, 2013
Robin Tatam, Director of Security Technologies

WELCOME

Page 2: IBM i Security Study

Today’s Agenda

• Introductions
• Regulations on IBM i
• Conducting The Study
• The State of IBM i Security Study
• Resources for Security Officers
• Questions and Answers

Page 3: IBM i Security Study

Today’s Speaker

ROBIN TATAM, Director of Security Technologies

Page 4: IBM i Security Study

About PowerTech

• Premier Provider of Security Solutions & Services
– 16 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security Subject Matter Expert for COMMON

• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report


Page 6: IBM i Security Study

Why Do I Need To Audit?

• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations, such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging

Page 7: IBM i Security Study

Which Standards Do I Audit Against?

• Is there a company Security Policy? (We’ve got one to help you get started)

• Guidelines and Standards
– COBIT
– ISO 27002 (formerly known as 17799)
– ITIL

Page 8: IBM i Security Study


IT Controls—An Auditor’s Perspective

Can users perform functions/activities that are in conflict with their job responsibilities?

Can users modify/corrupt application data?

Can users circumvent controls to initiate/record unauthorized transactions?

Can users engage in fraud and cover their tracks?

Page 9: IBM i Security Study

The Auditor’s Credo…

Of course I believe you!

(But you still have to prove it to me)


Page 11: IBM i Security Study

Purpose Of The Study

• Help IT managers and auditors understand IBM i security exposures
• Focus on top areas of concern in meeting regulatory compliance
• Help IT develop strategic plans to address—or confirm—high risk vulnerabilities

Page 12: IBM i Security Study

How We Collect The Data

• PowerTech Compliance Assessment
– Launched from a PC
– Collects security data
– Data for the study is anonymous

• Companies are self-selected
– More, or less, security-aware?

• Study first published in 2003
– Over 1,700 participants since inception

Schedule your Compliance Assessment at www.PowerTech.com

Page 13: IBM i Security Study

Be A Part of the Study!

[Diagram: YOUR PC → YOUR IBM i SERVER → YOUR VULNERABILITIES]

(Participation in the Security Study is optional)

Page 14: IBM i Security Study

Simple summary provides auditor & executives with visual indicators

Page 15: IBM i Security Study

IBM i registry is reviewed to see if network events are audited or controlled

Page 16: IBM i Security Study

*PUBLIC authority levels on application libraries are interrogated

Page 17: IBM i Security Study

Statistics are retrieved on profile metrics, such as any with default passwords

Page 18: IBM i Security Study

Review of the system values that impact security

Page 19: IBM i Security Study

Verify if auditing is active, and what types of audit events are being logged

Page 20: IBM i Security Study

Determine how many users have Special Authorities (admin privileges)

Page 21: IBM i Security Study

Six Major Areas of Review

• System auditing
• Privileged users
• User and password management
• Data access
• Network access control
• System security values


Page 23: IBM i Security Study

State of IBM i Security—Overall

Assessed 101 different systems

A total of:
– 109,251 Users
– 43,104 Libraries

On average, per assessed system there were:
– 1,082 Users
– 427 Libraries

Page 24: IBM i Security Study

State of IBM i Security—Overall

Page 25: IBM i Security Study

State of IBM i Security—Overall

WARNING: September 30 will be here SOON!

Page 26: IBM i Security Study

QSECURITY (System Security Level)

[Chart: System Value QSECURITY, number of systems by value]

Page 27: IBM i Security Study

System Security Level Historically

Page 28: IBM i Security Study

What Does IBM Say About Security Level 30?

Page 29: IBM i Security Study

Using QAUDJRN?

Systems Using the System i Audit Journal

Page 30: IBM i Security Study

Audit Settings Historically

Systems Using the System i Audit Journal (2010-2012)

Page 31: IBM i Security Study

Top 10 “Invalid Sign-On Attempts” Found

2010: 1,000,000+
2011: 789,962
2012: 154,404

Page 32: IBM i Security Study

Top 10 “Invalid Sign-On Attempts” Found

10) 7,729
9) 8,333
8) 12,921
7) 19,201
6) 23,183
5) 28,078
4) 147,918
3) 161,427
2) 211,631
1) 567,772

Page 33: IBM i Security Study

Top 10 “Invalid Sign-On Attempts” Found

6.9 million... All undetected!

But there was one that even shocked us!

Page 34: IBM i Security Study


What should I look for?

Page 35: IBM i Security Study

What Good Is Audit Journal Data?

• Too much data
• Too many places to look
• Manual reporting processes
• Audit and IT get locked in a request/respond cycle

Page 36: IBM i Security Study

Is Anyone Paying Attention?

88% of systems were logging audit data but… only 27% of those had a recognized auditing tool installed

Over 6.9 million invalid sign-on attempts against a single profile!
– Would you be more concerned if you knew it was the QSECOFR profile?
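The slide's point is that the audit journal already holds the evidence; nobody reads it. The following is an added example (not from the deck or from PowerTech) of the minimal detection a security officer could run over password-failure (PW) entries from QAUDJRN. It assumes the entries have been extracted to a simple CSV; the five-column layout is a constructed simplification of the real journal record.

```python
# Added example (not from the PowerTech deck): spot a brute-force pattern in
# IBM i audit journal (QAUDJRN) data. Assumes password-failure entries were
# extracted, e.g. with DSPJRN ... JRNCDE(T) ENTTYP(PW) OUTPUT(*OUTFILE), and
# written as CSV. The column layout here is a constructed simplification.
import csv
import io
from collections import Counter

# Constructed sample: timestamp, entry type, PW violation type, profile, device.
# Documented PW violation types include P (password not valid) and
# U (user name not valid).
SAMPLE = """\
2012-06-01 08:00:01,PW,P,QSECOFR,QPADEV0001
2012-06-01 08:00:02,PW,P,QSECOFR,QPADEV0001
2012-06-01 08:00:03,PW,P,QSECOFR,QPADEV0001
2012-06-01 09:15:10,PW,P,JSMITH,QPADEV0007
2012-06-01 09:16:45,PW,U,ADMIN,QPADEV0007
2012-06-02 03:12:00,PW,P,QSECOFR,QPADEV0002
2012-06-02 03:40:11,PW,P,QSRV,QPADEV0002
"""

def parse_pw_entries(text):
    """Yield one dict per PW (password failure) entry; other types are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 5 and row[1] == "PW":
            yield {"ts": row[0], "vtype": row[2], "user": row[3], "device": row[4]}

def failures_per_profile(text):
    """Count invalid sign-on attempts per targeted profile."""
    return Counter(e["user"] for e in parse_pw_entries(text))

def find_targets(text, threshold=3, watch=("QSECOFR", "QSRV")):
    """Profiles at or above the threshold, plus any attempt at all against a
    watched IBM-supplied profile (the study's case: millions of attempts
    against QSECOFR that nobody noticed)."""
    counts = failures_per_profile(text)
    return sorted(u for u, n in counts.items() if n >= threshold or u in watch)

if __name__ == "__main__":
    for user, n in failures_per_profile(SAMPLE).most_common():
        print(f"{user:10} {n}")
    print("investigate:", find_targets(SAMPLE))
```

The threshold and the watch list are assumptions for the example; a real deployment would take them from the security policy and add device and time-window grouping.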

Page 37: IBM i Security Study

Library Authority

The only library authority that keeps users out is *EXCLUDE

A policy of “Least Privilege” calls for *PUBLIC to be excluded and then authorized users granted the appropriate access

You can (potentially) delete objects with only *USE authority to the library

Page 38: IBM i Security Study


Library Authority

Page 39: IBM i Security Study

Library Authority—Historically

Page 40: IBM i Security Study

When New Objects Are Created

Default Create Authority by Library
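The library-authority slides (only *EXCLUDE keeps users out) and this one (default create authority) describe two checks the assessment performs. Here is an added example (not the deck's or PowerTech's code) that applies both to a constructed list of libraries; it assumes QCRTAUT is at its shipped value of *CHANGE, and the library names are invented.

```python
# Added example (not from the deck): evaluate *PUBLIC authority and default
# create authority (CRTAUT) on application libraries the way an assessment
# would. Input is constructed; on a real system the values come from
# DSPOBJAUT OBJ(lib) OBJTYPE(*LIB) and the library description (DSPLIBD).
AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

# Assumed value of system value QCRTAUT; *CHANGE is the shipped default.
QCRTAUT = "*CHANGE"

# Constructed sample: library, *PUBLIC authority, CRTAUT attribute
LIBRARIES = [
    ("PAYROLL", "*EXCLUDE", "*EXCLUDE"),
    ("ORDERS",  "*USE",     "*SYSVAL"),
    ("GLDATA",  "*CHANGE",  "*CHANGE"),
    ("ARCHIVE", "*ALL",     "*ALL"),
    ("REPORTS", "*EXCLUDE", "*USE"),
]

def resolve_crtaut(crtaut, qcrtaut=QCRTAUT):
    """CRTAUT(*SYSVAL) takes its value from system value QCRTAUT."""
    return qcrtaut if crtaut == "*SYSVAL" else crtaut

def assess(libs, qcrtaut=QCRTAUT):
    """Return {library: [findings]} for libraries that violate least privilege."""
    findings = {}
    for name, public, crtaut in libs:
        issues = []
        # Only *EXCLUDE keeps users out; *USE already reaches objects inside.
        if AUTH_RANK[public] > AUTH_RANK["*EXCLUDE"]:
            issues.append(f"*PUBLIC has {public} to the library")
        eff = resolve_crtaut(crtaut, qcrtaut)
        # New objects inherit CRTAUT, so a lax value silently widens access.
        if AUTH_RANK[eff] >= AUTH_RANK["*CHANGE"]:
            issues.append(f"new objects default to *PUBLIC {eff} (CRTAUT {crtaut})")
        if issues:
            findings[name] = issues
    return findings

def percent_open(libs):
    """Share of libraries where *PUBLIC is not *EXCLUDE, as the study reports it."""
    open_libs = sum(1 for _, public, _ in libs if public != "*EXCLUDE")
    return round(100 * open_libs / len(libs))

if __name__ == "__main__":
    for lib, issues in assess(LIBRARIES).items():
        print(lib, "->", "; ".join(issues))
    print(f"{percent_open(LIBRARIES)}% of libraries are open to *PUBLIC")
```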

Page 41: IBM i Security Study

Network Access Control

Many IBM i applications rely on menu security because…
– It’s easy to build
– It’s the legacy of many existing business applications

Menu security design assumes:
– Access always originates via the menus
– No users have command line access
– Users have no access to SQL-based tools

Menu security is often accompanied by:
– User being a member of group that owns the objects
– *PUBLIC is granted broad (*CHANGE) access to data

Page 42: IBM i Security Study

Network Access Control

ODBC isn’t rocket science anymore

Page 43: IBM i Security Study


Are These Services Running?

Page 44: IBM i Security Study

Exit Program Coverage

Page 45: IBM i Security Study

Special Authority (aka Privileges)

All Object
The “gold key” to every object, and almost every administrative operation on the system, including unstoppable data access

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Administrator Privileges

Page 46: IBM i Security Study

Special Authority (aka Privileges)

Security Administration
Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Administrator Privileges

Page 47: IBM i Security Study

Special Authority (aka Privileges)

I/O Systems Configuration
Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP)

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Administrator Privileges

Page 48: IBM i Security Study

Special Authority (aka Privileges)

Audit
The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD)

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Administrator Privileges

Page 49: IBM i Security Study

Special Authority (aka Privileges)

Spool Control
This is the *ALLOBJ of Spooled Files. Allows a user to view/delete/hold/release any spooled file in any output queue, regardless of restrictions

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Administrator Privileges

Page 50: IBM i Security Study

Special Authority (aka Privileges)

Service
Allows a user to access the System Service Tools (SST) login, although, since V5R1, they also need an SST login

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Administrator Privileges

Page 51: IBM i Security Study

Special Authority (aka Privileges)

Job Control
Enables a user to start/end subsystems and manipulate other users’ jobs. Also provides access to spooled files in output queues designated as “operator control”

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Administrator Privileges

Page 52: IBM i Security Study

Special Authority (aka Privileges)

Save System
Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object

* Be cautious if securing objects at only a library level *

*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS

Administrator Privileges

Page 53: IBM i Security Study


Administrator Privileges

Page 54: IBM i Security Study

Administrator Privileges

Best Practices call for <10 users with SPCAUTs
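The special-authority slides list the eight privileges, and this one gives the rule of thumb (fewer than ten profiles holding any of them). As an added example (not the deck's or PowerTech's code), here is how an assessment would measure that on a constructed profile list; the profile names are invented, and on a real system the data would come from DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) or the QSYS2.USER_INFO view.

```python
# Added example (not from the deck): count profiles holding special authorities
# and flag what breaks the "<10 users with SPCAUTs" rule. Input is constructed.
from collections import defaultdict

SPECIAL_AUTHORITIES = ("*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
                       "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS")
BEST_PRACTICE_MAX = 9   # deck: fewer than 10 privileged users

# Constructed sample: profile, status, space-separated special authorities
PROFILES = [
    ("QSECOFR", "*ENABLED",  " ".join(SPECIAL_AUTHORITIES)),
    ("SECADM1", "*ENABLED",  "*SECADM *AUDIT"),
    ("OPER1",   "*ENABLED",  "*JOBCTL *SAVSYS *SPLCTL"),
    ("OPER2",   "*DISABLED", "*JOBCTL *SAVSYS"),
    ("DEV1",    "*ENABLED",  "*ALLOBJ"),
    ("DEV2",    "*ENABLED",  "*ALLOBJ *IOSYSCFG"),
    ("CLERK1",  "*ENABLED",  ""),
    ("CLERK2",  "*ENABLED",  ""),
]

def holders_by_authority(profiles, include_disabled=True):
    """Map each special authority to the profiles that hold it."""
    holders = defaultdict(list)
    for name, status, spcaut in profiles:
        if not include_disabled and status != "*ENABLED":
            continue
        for aut in spcaut.split():
            if aut in SPECIAL_AUTHORITIES:
                holders[aut].append(name)
    return holders

def privileged_users(profiles):
    """Distinct profiles with at least one special authority (the study's metric)."""
    return sorted({name for name, _, spcaut in profiles if spcaut.split()})

def findings(profiles, limit=BEST_PRACTICE_MAX):
    """Headline numbers an auditor asks for: how many privileged users, whether
    that exceeds the limit, who holds *ALLOBJ (bypasses all object authority),
    and which disabled profiles still carry privileges (low-hanging fruit)."""
    priv = privileged_users(profiles)
    holders = holders_by_authority(profiles)
    return {
        "privileged_count": len(priv),
        "over_limit": len(priv) > limit,
        "allobj_holders": sorted(holders.get("*ALLOBJ", [])),
        "disabled_with_spcaut": sorted(n for n, st, s in profiles
                                       if st != "*ENABLED" and s.split()),
    }

if __name__ == "__main__":
    for key, value in findings(PROFILES).items():
        print(f"{key}: {value}")
```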

Page 55: IBM i Security Study


Powerful Users Historically

Page 56: IBM i Security Study

Endless News Reports of Insider Breaches

Page 57: IBM i Security Study

Minimum Password Length

[Chart: System Value QPWDMINLEN, number of systems by value]

Page 58: IBM i Security Study

Minimum Password Length

Not too hard to guess your way in!

[Chart: System Value QPWDMINLEN, number of systems by value]

Page 59: IBM i Security Study

Default Passwords

[Chart: Default Passwords, number of systems]

Page 60: IBM i Security Study

Password Expiration

[Chart: Password Expiration Period (Days), number of systems by value]

Page 61: IBM i Security Study

How Many Attempts?

[Chart: Maximum Signon Attempts Allowed, number of systems by value]

Page 62: IBM i Security Study

How Many Attempts?

[Chart: Maximum Sign On Attempts Allowed, number of systems by value]

Let’s hope this wasn’t the server that experienced 6.9 million invalid attempts

Page 63: IBM i Security Study


And Then What?

Default Action for Exceeding Invalid Sign On Attempts

Page 64: IBM i Security Study

Inactive Profiles

[Chart: Inactive Profiles, number of profiles]

Page 65: IBM i Security Study

5250 Command Line

[Chart: 5250 Command Line, number of profiles]

Page 66: IBM i Security Study

The Perfect Storm Of Vulnerability

• Security awareness among IBM i professionals is generally low
• IBM i awareness among audit professionals is generally low
• Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400)
• Most IBM i data is not secured and the users are far too powerful

Page 67: IBM i Security Study

The Call To Action

1. Conduct a Compliance Assessment (free and deep-dive options)
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess data leak risk
5. Evaluate PowerTech solutions to mitigate risk

Page 68: IBM i Security Study

Comprehensive Security Solutions for Power Systems


Page 70: IBM i Security Study

Additional Resources

• Online Compliance Guide
• Security Policy


Page 72: IBM i Security Study


Questions

Page 73: IBM i Security Study

Please visit www.PowerTech.com to access:

• Demonstration Videos & Trial Downloads
• Product Information Data Sheets
• White Papers / Technical Articles
• Customer Success Stories
• PowerNews (Newsletter)
• Robin’s Security Blog
• To request a FREE Compliance Assessment

www.powertech.com (800) 915-7700

Thanks for your time!