Top Ten Security Vulnerabilities on IBM i - ocean400.org

Carol Woodbury, VP, Global Security Services, HelpSystems

[email protected]

© HelpSystems. Company Confidential. 11/19/2015

Transcript (posted Apr 13, 2018)

Top 10 Security Vulnerabilities on IBM i

• IBM i is one of the most securable systems available—but unless you actually use the features IBM has provided, the system is vulnerable.

• Tonight we will talk about:

– The top 10 vulnerabilities on the system today

– How to address them using the operating system itself

IBM i has MANY layers of defense

• Provided with IBM i

– Hardware storage protection

– Signed OS

– Separation of OS from Application Layer

• You must implement

– Security level

– Strong passwords

– Encrypted sessions, back-ups, disk, data at rest

– User capabilities

– Access control settings

– Auditing / Logging

• Additional layers are available

– Exit programs

– Additional encryption solutions

– Two-factor authentication


Why do we need to have this discussion …?


Drunk the Kool-aid

… that IBM i is Secure


Reality …

IBM i is secure-ABLE


Vulnerability #10

No Auditing

#10 – QAUDCTL = *NONE

• 10.A No auditing means that no actions are logged, meaning none of these vulnerabilities can be investigated effectively

• 10.B Audit journal receivers are not saved


Vulnerability #9b

Root is Shared

#9b – Root is shared

• A share to root (‘/’) also shares /QSYS.LIB

#9b - Remediation

Root (‘/’) should not be shared!

If the share absolutely cannot be removed:

• Add a ‘$’ to the end of the share name, e.g., share$

– Prevents the share from being discoverable

• Create the share as a ‘read only’ share

• Set the QPWFSERVER authorization list to *PUBLIC *EXCLUDE, authorizing specific users

– Prevents access to libraries in interfaces such as Windows Explorer

• Implement object level security!


Vulnerability #9a

Guest Profile Assigned to the NetServer

#9a - NetServer Guest Profile - Properties

Guest profiles allow users to connect to the system and access any object with *PUBLIC greater than *EXCLUDE without an IBM i signon

• Click on the Security tab

• Click on Next Start


Vulnerability #8

Limited Capabilities *NO

#8 – Profiles with LMTCPB(*NO)

• Default on CRTUSRPRF

• Allows users to enter commands on a command line


#8 – Profiles with LMTCPB(*NO)

#8 – Profiles with LMTCPB(*NO)

Open a DOS window

• Enter command

rmtcmd crtdir '/home/SkyViewTest' //system_name

• This will bring up a prompt to log in – or will run if the user’s already logged into that workstation.

#8 - Remediation

• Make sure EVERY profile is set to LMTCPB(*YES) unless it specifically should be able to run commands.

– even if it should not be able to be used for sign on (service accounts)


Vulnerability #7

Default Passwords

#7 – Profiles with a default password

• Password = Profile name by default when creating a new user profile

• Risk is not reduced just because the password is set to expire with first use

• IBM-supplied profiles will be the first profiles attempted because they are well-known

• Vendor profiles are prime suspects

• Accounts are created as a test, then start to be used


#7 – Default passwords

Don’t have your *ADMIN instance started all of the time and/or use APPADMIN to control access to Navigator function

QPWDRULES

*PWDSYSVAL or

• *CHRLMTAJC • *CHRLMTREP

• *DGTLMTAJC • *DGTLMTFST • *DGTLMTLST • *DGTMAXn • *DGTMINn

• *LMTSAMPOS • *LMTPRFNAME

• *LTRLMTAJC • *LTRLMTFST • *LTRLMTLST • *LTRMAXn • *LTRMINn

• *MAXLENnnn • *MINLENnnn • *MIXCASEnnn • *REQANY3

• *SPCCHRLMTAJC • *SPCCHRLMTFST • *SPCCHRLMTLST • *SPCCHRMAXn • *SPCCHRMINn

V7R2: • *ALLCRTCHG
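To make the rule names above concrete, the following Python is an added example (not from the deck or from IBM) that approximates how a subset of the QPWDRULES values constrain a candidate password; the semantics are simplified from IBM's documented meanings, and the policy list, profile name and passwords are constructed.

```python
"""Approximation of QPWDRULES password-composition checks (added example)."""
import re

# Constructed sample policy built from values named on the slide. Numeric
# suffixes (*MINLEN012, *DGTMIN1, ...) are part of the value, as on IBM i.
POLICY = ["*MINLEN012", "*MAXLEN128", "*DGTMIN1", "*SPCCHRMIN1", "*MIXCASE1",
          "*LMTPRFNAME", "*LMTSAMPOS", "*CHRLMTAJC", "*DGTLMTFST", "*DGTLMTLST",
          "*REQANY3"]

NUMERIC = re.compile(r"\*(MINLEN|MAXLEN|DGTMIN|DGTMAX|LTRMIN|LTRMAX|"
                     r"SPCCHRMIN|SPCCHRMAX|MIXCASE)(\d+)")

def _counts(pw):
    """Character-class counts: upper, lower, digit, special (non-alphanumeric)."""
    return {"upper": sum(c.isupper() for c in pw),
            "lower": sum(c.islower() for c in pw),
            "digit": sum(c.isdigit() for c in pw),
            "special": sum(not c.isalnum() for c in pw)}

def _passes(rule, pw, profile, previous, n):
    m = NUMERIC.fullmatch(rule)
    if m:
        name, k = m.group(1), int(m.group(2))
        letters = n["upper"] + n["lower"]
        return {"MINLEN": len(pw) >= k, "MAXLEN": len(pw) <= k,
                "DGTMIN": n["digit"] >= k, "DGTMAX": n["digit"] <= k,
                "LTRMIN": letters >= k, "LTRMAX": letters <= k,
                "SPCCHRMIN": n["special"] >= k, "SPCCHRMAX": n["special"] <= k,
                "MIXCASE": n["upper"] >= k and n["lower"] >= k}[name]
    pairs = list(zip(pw, pw[1:]))            # adjacent character pairs
    checks = {
        # uppercased password must not contain the complete profile name
        "*LMTPRFNAME": profile.upper() not in pw.upper(),
        # no character in the same position as in the previous password
        "*LMTSAMPOS": previous is None or all(a != b for a, b in zip(pw, previous)),
        "*CHRLMTAJC": all(a != b for a, b in pairs),          # no "aa"
        "*CHRLMTREP": len(set(pw)) == len(pw),                # each char once
        "*DGTLMTFST": not pw[:1].isdigit(),
        "*DGTLMTLST": not pw[-1:].isdigit(),
        "*DGTLMTAJC": not any(a.isdigit() and b.isdigit() for a, b in pairs),
        "*LTRLMTFST": not pw[:1].isalpha(),
        "*LTRLMTLST": not pw[-1:].isalpha(),
        "*LTRLMTAJC": not any(a.isalpha() and b.isalpha() for a, b in pairs),
        "*REQANY3": sum(1 for v in n.values() if v) >= 3,    # 3 of 4 classes
    }
    if rule not in checks:
        raise ValueError(f"rule not modelled in this example: {rule}")
    return checks[rule]

def violations(pw, profile, previous=None, policy=POLICY):
    """Names of the rules in `policy` that `pw` breaks; [] means it complies."""
    n = _counts(pw)
    return [r for r in policy if not _passes(r, pw, profile, previous, n)]

if __name__ == "__main__":
    # Constructed test data: a weak password and a compliant replacement.
    print(violations("Carol12", "CAROL"))
    print(violations("Blue-Harbor7x!", "CAROL", previous="Carol12"))
```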


Vulnerability #6

Passwords that Don’t Expire

#6 – Non-expiring passwords

• QPWDEXPITV set to *NOMAX

• Password expiration interval in the user profile is set to *NOMAX (rather than *SYSVAL)

Biggest offenders: Administrators!

#6 - Remediation

• Set the QPWDEXPITV to 90 or less

• Ensure all profiles used for sign on are PWDEXPITV(*SYSVAL)

– Administrators, programmers, vendors, upper management, end users, etc.

• Set IBM-supplied profiles to PASSWORD(*NONE)

• Set QSECOFR to STATUS(*DISABLED)


Vulnerability #5

Unencrypted Sessions

#5 – Unencrypted communications

• Recent break-ins have exploited passwords sniffed from the network

• PCI DSS requires:

– encrypted sessions for Administrators

– no cleartext passwords

• 5250 sign on via an emulator passes the passwords in cleartext

• POODLE vulnerability has shown weakness in SSL – should be at TLS 1.2 or higher

#5 – Unencrypted communications

Tutorial:

• Coffee with Carol session on configuring iAccess to use SSL (TLS): https://www.youtube.com/user/SkyViewPartners1/videos

POODLE:

• Instructions for enabling an SSL counter:

– http://www-01.ibm.com/support/docview.wss?uid=nas8N1020451

• Instructions for enabling a comm trace that will allow you to determine which connection(s) use SSL:

– http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594


Vulnerability #4

Running at QSECURITY 20 or 30

#4 – QSECURITY Vulnerability

• Level 20 – by default, all profiles are created with *ALLOBJ and *SAVSYS special authorities

• Level 30 – can use a job description that names a user profile to submit a job and elevate privileges


#4 – QSECURITY con’t

#4 – Remediation

[Chart: Total Available i5/OS Security Capabilities by QSECURITY Value, for Level 10, Level 20, Level 30, Level 40 and Level 50]

Run at QSECURITY level 40 or 50


Vulnerability #3

Data is Not Secured

#3 – Objects are not secured

• Objects – especially files containing PII (Personally Identifiable Information) or confidential information – are not secured

• Menu “security” is not enough!

• Too many users have *ALLOBJ special authority

• Too many users are a member of a group that owns an application

• Too many *FILEs at *PUBLIC *CHANGE or *ALL

Data access is more than menus

[Diagram: an Accounting Menu (1. Accts Receivable, 2. Accts Payable, 3. Check Requests) where access to data from menus is tightly controlled, surrounded by other paths to the same data: FTP, ODBC, DDM, Sockets; users with legitimate command line access (Operators, DBA, Analysts, Developers); WebSphere and other web apps; processes that allow downloads to a PC or send data to a Windows Server; Query / SQL]

In reality, data access is NOT tightly controlled

[Diagram: the same paths (FTP, ODBC, DDM, Sockets; users with legitimate command line access: Operators, DBA, Analysts, Developers; WebSphere and other web apps; processes that allow downloads to a PC or send data to a Windows Server; Query / SQL), with the reasons access is open labelled: *PUBLIC - *ALL or *CHANGE; Member of the Owning Group; *ALLOBJ special authority]


Vulnerability #2

Too Many Special Authorities

Too many users with too many Special Authorities

Special Authority  Definition
*AUDIT             Configure auditing
*IOSYSCFG          Device and communications configuration and management
*JOBCTL            Management of any job on the system
*SAVSYS            Ability to save and restore any object on the system – or the entire system regardless of authority to the object
*SECADM            Create/Change/Delete user profiles
*SERVICE           Ability to use Service Tools
*SPLCTL            Access to every spooled file on the system regardless of authority to the outq – the *ALLOBJ of spooled files
*ALLOBJ            All authority to EVERY object on the system!

#2 – Remediation

• Give special authority only to users whose job function requires it

• Start with new profiles

– Create template profiles to create profiles – stop copying existing profiles!

• Do not assign *ALLOBJ to programmers’ profiles
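The remediation bullets for #10, #8, #6, #4 and #2 are all checkable from profile attributes and system values. The Python below is an added example, not HelpSystems code: it audits constructed records standing in for DSPSYSVAL and DSPUSRPRF output against those bullets, using a hypothetical allow-list of who needs a command line and which special authorities each job function requires.

```python
"""Audit profile/system-value records against the deck's #10, #8, #6, #4 and #2 advice."""

# Constructed sample data standing in for DSPSYSVAL and DSPUSRPRF output.
SYSVALS = {"QSECURITY": "30", "QAUDCTL": "*NONE", "QPWDEXPITV": "*NOMAX"}

def _prf(name, role, lmtcpb, pwdexpitv, pwd_none, status, *spcaut):
    return {"name": name, "role": role, "lmtcpb": lmtcpb, "pwdexpitv": pwdexpitv,
            "pwd_none": pwd_none, "status": status, "spcaut": set(spcaut)}

PROFILES = [
    _prf("QSECOFR", "ibm", "*NO", "*NOMAX", False, "*ENABLED", "*ALLOBJ", "*SECADM"),
    _prf("QUSER", "ibm", "*NO", "*SYSVAL", False, "*ENABLED"),
    _prf("PGMR01", "programmer", "*NO", "*SYSVAL", False, "*ENABLED", "*ALLOBJ", "*JOBCTL"),
    _prf("OPER01", "operator", "*YES", "*SYSVAL", False, "*ENABLED", "*JOBCTL", "*SAVSYS"),
    _prf("CLERK01", "end user", "*YES", "*NOMAX", False, "*ENABLED"),
    _prf("BATCHSVC", "service account", "*NO", "*SYSVAL", True, "*ENABLED", "*JOBCTL"),
]

# Hypothetical policy: who legitimately needs a command line, and which special
# authorities each job function requires. Programmers never get *ALLOBJ.
CMDLINE_ALLOWED = {"QSECOFR"}
ROLE_SPCAUT = {"programmer": {"*JOBCTL"}, "operator": {"*JOBCTL", "*SAVSYS"},
               "service account": {"*JOBCTL"}}

def audit_sysvals(sv):
    """System-value findings (#10, #4, #6)."""
    findings = []
    if sv.get("QAUDCTL") == "*NONE":
        findings.append("#10 QAUDCTL(*NONE): no actions are logged")
    if sv.get("QSECURITY") in ("10", "20", "30"):
        findings.append(f"#4 QSECURITY({sv['QSECURITY']}): run at 40 or 50")
    exp = sv.get("QPWDEXPITV", "")
    if exp == "*NOMAX" or (exp.isdigit() and int(exp) > 90):
        findings.append(f"#6 QPWDEXPITV({exp}): set to 90 or less")
    return findings

def audit_profile(p):
    """Per-profile findings (#8, #6, #2)."""
    f, name, role = [], p["name"], p["role"]
    if p["lmtcpb"] != "*YES" and name not in CMDLINE_ALLOWED:
        f.append("#8 LMTCPB(*NO)")  # service accounts are not exempt
    if not p["pwd_none"] and p["pwdexpitv"] != "*SYSVAL":
        f.append(f"#6 PWDEXPITV({p['pwdexpitv']})")
    if name == "QSECOFR":
        if p["status"] != "*DISABLED":
            f.append("#6 QSECOFR not STATUS(*DISABLED)")
    elif role == "ibm" and not p["pwd_none"]:
        f.append("#6 IBM-supplied profile without PASSWORD(*NONE)")
    elif role != "ibm":
        extra = p["spcaut"] - ROLE_SPCAUT.get(role, set())
        if extra:
            f.append("#2 special authority beyond job function: " + " ".join(sorted(extra)))
    return f

def audit(sysvals=SYSVALS, profiles=PROFILES):
    """Map profile name (or *SYSVAL) to its findings; clean profiles are omitted."""
    report = {"*SYSVAL": audit_sysvals(sysvals)}
    for p in profiles:
        if fs := audit_profile(p):
            report[p["name"]] = fs
    return report

if __name__ == "__main__":
    print(*(f"{w:10} {x}" for w, fs in audit().items() for x in fs), sep="\n")
```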


Vulnerability #1

Apathy

Why no action is taken

10. Trust their users

9. Users won’t tolerate security restrictions

8. Budget restrictions

7. Lack of expertise

6. Fear

5. Denial

4. Nothing has ever happened so no worries

3. IBM i has never been hacked

2. Stuck in the 20th Century

1. Apathy

The business is expecting:

• Data integrity

• Availability of data

• Compliance with laws and regulations

• Data confidentiality

It’s quite likely that if the business realized how exposed their data was they’d demand better protection.

The Business of Security

• Business and IT together must determine

– What data to secure

– Which security measures to implement

– Where to implement them

• Decision must be

– Cost effective

– Appropriate for what’s being protected

– Effectively assist in the effort to reduce risk to an acceptable level

Where Do You Start?

• Look at the types of data your organization uses

– What is the most critical

– Regulated data (Healthcare, credit card information, etc.)

– Other private information (PII data)

• Start with the data that will cost the most if it is not accurate, not available, not compliant with laws or regulations, or lost or stolen


Start somewhere!

Reduce the risk to your organization’s data

For more information

• Contact us for more information on our services:

– Managed Security Services (MSS)

– SkyView Security Check-up

– Remediation Services

– Penetration (Pen) testing

[email protected]

www.helpsystems.com/professional-security-services