IBM i (iSeries, AS/400) Security: the Good, the Bad, and the downright Ugly
2016
Today’s Agenda
• Introductions
• Regulations on IBM i
• Conducting the Study
• The State of IBM i Security Study
• Questions and Answers
About PowerTech
• Premier Provider of Security Solutions & Services
– 19 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security Subject Matter Expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
Why Do I Need to Audit?
• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations, such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging
Which Standards Do I Audit Against?
• Is there a company security policy? (We’ve got one to help you get started.)
• Guidelines and Standards
– COBIT
– ISO 27002 (formerly known as 17799)
– ITIL
IT Controls—an Auditor’s Perspective
Can users perform functions/activities that are in conflict with their job responsibilities?
Can users modify/corrupt application data?
Can users circumvent controls to initiate/record unauthorized transactions?
Can users engage in fraud and cover their tracks?
The Auditor’s Credo…
Of course I believe you! (But you still have to prove it to me)
Purpose Of the Study
Help IT managers and auditors understand IBM i security exposures
Focus on top areas of concern in meeting regulatory compliance
Help IT develop strategic plans to address—or confirm—high risk vulnerabilities
How We Collect the Data
PowerTech Security Scan
– Launched from a PC
– Collects security data
– Data for the study are anonymous
Companies are self-selected
– More or less security-aware?
Study first published in 2004
– Over 2,000 participants since inception
Schedule your own security scan at www.helpsystems.com/powertech
Be a Part of the Study!
(Participation in the Security Study is optional)
Figure: YOUR PC – YOUR IBM i SERVER – YOUR VULNERABILITIES
Simple summary provides auditor & executives with visual indicators
IBM i registry is reviewed to see if network events are audited or controlled
*PUBLIC authority levels on application libraries are interrogated
Statistics are retrieved on profile metrics, such as any with default passwords
Review of the system values that impact security
Verify if auditing is active, and what types of audit events are being logged
Determine how many users have Special Authorities (admin privileges)
Six Major Areas of Review
• System auditing
• Privileged users
• User and password management
• Data access
• Network access control
• System security values
State of IBM i Security—Overall
Assessed 177 different systems throughout 2015
Multiple runs against single servers within 7 days were discarded
Settings reviewed from a total of:
– 238,409 User Profiles
– 94,066 Libraries
On average, each assessed system had:
– 1,347 Users
– 531 Libraries
That’s double the number from 2015!
QSECURITY (System Security Level)
What Does IBM Say about Security Level 30?
Auditing Events?
Top 10 “Invalid Sign-On Attempts” Found
610,387
Would you detect an Intrusion Attempt?
This is the number of attempts to access one partition that someone made using an individual profile.
Top 10 “Invalid Sign-On Attempts” Found
48%
Systems with a profile that had experienced more than 1,000 invalid attempts
Who Is Watching?!
What Should I Look For?
What Good Is Audit Journal Data?
• Mountains of raw data
• Multiple places to look
• Frustrating manual reporting processes
As a result, auditors and IT often get locked in a request/respond cycle or IT only looks the day before the auditors arrive.
Is Anyone Paying Attention?
84% of systems had an IBM audit journal (QAUDJRN)
24% of those had a recognized auditing tool installed
18% of servers had the auditing control system turned off
610,000 invalid sign-on attempts against a single profile!
Would you be more concerned if it was the QSECOFR profile?
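As an added example (not PowerTech’s code or part of the study), the CL that switches the audit journal on and pulls the invalid sign-on entries behind the numbers above into a file you can actually query; the receiver name AUDRCV0001 is an assumed name.

```cl
/* Switch on security auditing and extract invalid sign-on (PW)      */
/* entries from QAUDJRN. Added example; AUDRCV0001 is an assumed     */
/* receiver name.                                                    */

/* CHGSECAUD creates QAUDJRN and its receiver if they do not exist   */
/* and sets QAUDCTL/QAUDLVL in one step. *AUTFAIL is the level that  */
/* records failed sign-ons and authority failures.                   */
CHGSECAUD  QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
           QAUDLVL(*AUTFAIL *SECURITY *SAVRST *SERVICE *PGMFAIL +
                   *CREATE *DELETE) +
           JRNRCV(QSYS/AUDRCV0001)

/* Confirm the values actually took effect (18% of systems in the    */
/* study had auditing control turned off).                           */
DSPSYSVAL  SYSVAL(QAUDCTL)
DSPSYSVAL  SYSVAL(QAUDLVL)

/* Copy PW (password/sign-on failure) entries into a queryable file. */
/* The entry type is appended to the OUTFILE name: QTEMP/QAUDITPW.   */
CPYAUDJRNE ENTTYP(PW) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN)

/* Review them; one profile with hundreds of entries in a day is the */
/* "610,000 attempts" pattern the study found.                       */
RUNQRY     QRY(*NONE) QRYFILE((QTEMP/QAUDITPW))
```

Schedule the CPYAUDJRNE/RUNQRY pair daily rather than the day before the auditors arrive; the journal only has value if someone reads it.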
What is *PUBLIC?
*PUBLIC is a special reference to any user that is not explicitly named and given an authority. (Although sometimes referred to as “anonymous” access, the user still needs credentials and is not anonymous to the organization.)
Deny By Default
The one and only library authority that keeps users out is *EXCLUDE.
A policy of “deny by default” calls for *PUBLIC to be excluded and then authorized named users or groups granted the appropriate access.
WARNING: A user can (potentially) delete objects with only *USE authority to the library.
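As an added example (not from the deck or PowerTech), the CL commands that put this policy on one application library, including the object-level authority that the WARNING about *USE makes necessary; PAYLIB, PAYMAST and the group PAYUSERS are assumed names.

```cl
/* Deny-by-default for an application library. Added example, not   */
/* the deck's; PAYLIB, PAYMAST and group PAYUSERS are assumed names. */

/* 1. The library itself: *PUBLIC gets *EXCLUDE, the named group     */
/*    gets *USE (enough to locate and open objects inside it).       */
GRTOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC)  AUT(*EXCLUDE)
GRTOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB) USER(PAYUSERS) AUT(*USE)

/* 2. Library authority alone is not enough: *USE on the library     */
/*    still lets a user reach (or delete) an object whose own        */
/*    *PUBLIC authority is *CHANGE or *ALL, so secure the objects.   */
GRTOBJAUT  OBJ(PAYLIB/*ALL)    OBJTYPE(*FILE) USER(*PUBLIC)  AUT(*EXCLUDE)
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(PAYUSERS) AUT(*USE)

/* 3. New objects created in the library inherit *EXCLUDE instead of */
/*    the system-wide QCRTAUT default (which ships as *CHANGE).      */
CHGLIB     LIB(PAYLIB) CRTAUT(*EXCLUDE)

/* 4. Verify: *PUBLIC should show *EXCLUDE on both displays.         */
DSPOBJAUT  OBJ(PAYLIB) OBJTYPE(*LIB)
DSPOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE)
```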
Who Cares?
Library Authority
When New Objects Are Created
Network Access Control
Many IBM i applications rely on menu security because…
– It’s easy to build
– It’s the legacy of many existing business applications
Menu security design assumes:
– Access only originates via the menus
– No users have command line permission
– Users have no access to SQL-based tools
Menu security is often accompanied by:
– User being a member of group that owns the objects
– *PUBLIC is granted broad (*CHANGE) access to data
ODBC isn’t rocket science anymore
Are These Services Running?
A New Function?
In the 1990s, IBM supplemented Object Level security with a suite of Exit Points, which are temporary interruptions in an OS process in order to invoke a user-written program.
The function of an Exit Program for network access can be anything, but security officers typically want it to:
• Audit (as IBM doesn’t)
• Control (as good object security is often lacking)
The Exit Program has to return a pass/fail indicator to the Exit Point.
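As an added example (not PowerTech’s product or code), a minimal CL exit program for the database server initiation exit point that does both jobs the slide lists, audit and control, and returns the pass/fail indicator, followed by its registration. Assumed: library EXITLIB, message queue EXITLIB/NETAUDIT, a group profile ODBCUSERS for permitted users, and the ZDAI0100 field positions (user profile in bytes 1-10, server id in 11-20), which you should verify against the documentation for your release.

```cl
/* ODBCEXIT: exit program for the database-server initiation exit    */
/* point QIBM_QZDA_INIT (format ZDAI0100), plus its registration.    */
/* Added example, not PowerTech code. Assumed: library EXITLIB,      */
/* message queue EXITLIB/NETAUDIT, and that permitted ODBC users     */
/* have group profile ODBCUSERS. Field positions (user in bytes      */
/* 1-10, server id in 11-20) follow the ZDAI0100 format; verify them */
/* for your release.                                                 */
PGM        PARM(&REQUEST &STATUS)
   DCL        VAR(&REQUEST) TYPE(*CHAR) LEN(100)
   DCL        VAR(&STATUS)  TYPE(*CHAR) LEN(1)  /* '0' reject, '1' accept */
   DCL        VAR(&USER)    TYPE(*CHAR) LEN(10)
   DCL        VAR(&SERVER)  TYPE(*CHAR) LEN(10)
   DCL        VAR(&GRP)     TYPE(*CHAR) LEN(10)
   CHGVAR     VAR(&USER)   VALUE(%SST(&REQUEST 1 10))
   CHGVAR     VAR(&SERVER) VALUE(%SST(&REQUEST 11 10))
   CHGVAR     VAR(&STATUS) VALUE('0')          /* deny by default */
   /* Control: accept only members of the ODBC group profile.        */
   RTVUSRPRF  USRPRF(&USER) GRPPRF(&GRP)
   MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(AUDIT))
   IF         COND(&GRP *EQ 'ODBCUSERS') THEN(CHGVAR VAR(&STATUS) VALUE('1'))
   /* Audit: log every connection attempt, accepted or rejected.     */
AUDIT:      SNDPGMMSG  MSG('Server' *BCAT &SERVER *BCAT 'user' *BCAT &USER +
                           *BCAT 'status' *BCAT &STATUS) +
                       TOMSGQ(EXITLIB/NETAUDIT) MSGTYPE(*INFO)
   MONMSG     MSGID(CPF0000)
ENDPGM

/* Register once (after CRTCLPGM) and restart the database host      */
/* server so its prestart jobs pick up the exit program.             */
ADDEXITPGM EXITPNT(QIBM_QZDA_INIT) FORMAT(ZDAI0100) PGMNBR(1) +
           PGM(EXITLIB/ODBCEXIT) TEXT('Audit/control ODBC connections')
ENDHOSTSVR SERVER(*DATABASE)
STRHOSTSVR SERVER(*DATABASE)
/* Coverage check: which QZDA exit points still have no program?     */
WRKREGINF  EXITPNT(QIBM_QZDA*)
```

The same pattern (request structure in, one-byte status out) applies to the other network exit points; the coverage slides that follow are about how many of them actually have a program registered.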
Exit Program Coverage
Administrator Privileges
Special Authority (aka Privileges): *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
• *ALLOBJ (All Object): The “gold key” to every object and almost every administrative operation on the system, including unstoppable data access.
• *SECADM (Security Administration): Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.
• *IOSYSCFG (I/O Systems Configuration): Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP).
• *AUDIT (Audit): The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).
• *SPLCTL (Spool Control): This is the *ALLOBJ of spooled files and allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions.
• *SERVICE (Service): This allows a user to access the System Service Tools (SST), although they also need an SST login since V5R1.
• *JOBCTL (Job Control): This enables a user to start/end subsystems and manipulate other users’ jobs. It also provides access to spooled files in output queues designated as “operator control.”
• *SAVSYS (Save System): This enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object. Be cautious if securing objects at only a library level.
Try to get down to < 10 profiles with SPCAUTs
Endless News Reports of Insider Breaches
Spring 2015
Password vs. Passphrase
Password (10 character maximum)
Passphrase (128 character maximum)
Minimum Password Length
Not too hard to guess your way in!
Password Expiration
Other Password Rules
How Many Attempts?
Let’s hope this wasn’t the server that experienced 650,000 invalid sign-on attempts.
And Then What?
Default Passwords
Default profiles are banned by compliance mandates, and for GOOD reason! Review and resolve using ANZDFTPWD.
One system had 2,199 users with default passwords.
99 systems had > 30 users with default passwords.
49 systems had > 100 users with default passwords.
Inactive Profiles
Do you have obsolete user profiles?
Did you know IBM i has the ability to automatically disable an inactive account? (ANZPRFACT)
Adopted Privilege
Programs can run with:
• Authority of the caller, plus…
• Authority of the program owner, plus…
• Authority of the program owner of other programs in the stack
5250 Command Line
“Limit Capabilities” controls what users can do on the system command line.
Just remember some interfaces (e.g. FTP) don’t check the setting before processing some command requests!
Are you AV Scanning?
The Perfect Storm Of Vulnerability
Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400).
Most IBM i data is not secured and the users are far too powerful.
Security awareness among IBM i professionals is generally low.
IBM i awareness among audit and compliance professionals is generally low.
The Call To Action
1. Conduct a Security Scan (free and deep-dive options).
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts.
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess risk of data leaks.
5. Evaluate solutions to help mitigate risk.
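As an added example (not PowerTech’s code), the native commands that carry out steps 2 and 3 of the call to action, tying together the earlier slides on default passwords (ANZDFTPWD), inactive profiles (ANZPRFACT), password rules, sign-on limits, limit capabilities and special authorities; CLERK01 and PAYBATCH are assumed profile names and the values chosen are illustrative.

```cl
/* Remediating the "low-hanging fruit" from steps 2 and 3. Added     */
/* example, not PowerTech code; CLERK01 and PAYBATCH are assumed     */
/* profile names and the values are illustrative.                    */

/* Step 2: default passwords and inactive accounts.                  */
ANZDFTPWD  ACTION(*NONE)        /* report: password = profile name   */
ANZDFTPWD  ACTION(*DISABLE)     /* then disable (or *PWDEXP to force a change) */
ANZPRFACT  INACDAYS(60)         /* auto-disable profiles unused for 60 days */
CHGACTPRFL USRPRF(PAYBATCH) ACTION(*ADD)  /* exempt an unattended batch profile */

/* Step 3: password rules and sign-on limits (system values).        */
CHGSYSVAL  SYSVAL(QPWDLVL)    VALUE('3')   /* passphrases up to 128 chars; needs an IPL */
CHGSYSVAL  SYSVAL(QPWDMINLEN) VALUE('12')
CHGSYSVAL  SYSVAL(QPWDEXPITV) VALUE('90')
CHGSYSVAL  SYSVAL(QMAXSIGN)   VALUE('3')   /* attempts before QMAXSGNACN acts */
CHGSYSVAL  SYSVAL(QMAXSGNACN) VALUE('3')   /* 3 = disable both profile and device */

/* Step 3: command line and special authorities.                     */
CHGUSRPRF  USRPRF(CLERK01) LMTCPB(*YES) SPCAUT(*NONE)
PRTUSRPRF  TYPE(*AUTINFO)       /* lists special authorities per profile */
```

Run the PRTUSRPRF report before and after; the deck’s target is fewer than 10 profiles with special authorities.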
Download the Full Study
www.helpsystems.com/powertech
resources
white-papers