TRANSCRIPT
SECURITY & COMPLIANCE CONFERENCE 2016
Vanguard Two Factor
Authentication Solutions
Dustin Hayes
Professional Services Consultant
VSS07
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authentication
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
©2016 Vanguard Integrity Professionals, Inc. 2
Legal Notice
The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. LinOTP is a registered trademark of LSE Leading Security Experts GmbH. Linux is a registered trademark of Linus Torvalds in the United States, other countries or both. YubiKey is a registered trademark of Yubico AB. Other company, product, and service names may be trademarks or service marks of others.
Topics
• Why utilize Two Factor Authentication
• An Industry of Terms
• How Vanguard Addresses
– Vanguard ez/PIV Card Authenticator™
– Vanguard ez/Token™
– Vanguard Tokenless Authentication™
• Review
Why Utilize Two Factor
Source: Information is Beautiful - World's Biggest Data Breaches
"A year ago, cybersecurity experts were calling 2013 'the year of the data breach' only to find 2014 had far worse in store" – Atlantic Council
"100% of breaches examined included an exploitation of a user id and password that was compromised." – Mandiant 2014 Data Breach Report
Still not convinced?
- What can you find on the internet these days? After the recent IoT DDoS attack, Andrew McGill (senior associate editor at The Atlantic) wanted to know more [2]:
“[T]he internet is huge! There are around a couple billion public IPv4 addresses out there; any one of those might have a server, a desktop computer, or a toaster plugged in at the other end. Even if the manufacturer of my gadget gave it a dumb and easily guessed password, wouldn’t it be safe in this sea of anonymity? How would the hackers find me?”
So he created a test using a “fake web toaster”. Question: how long after he turned on his internet toaster did the hacking attempts start?
“I switched on the server at 1:12 p.m. Wednesday, fully expecting to wait days—or weeks—to see a hack attempt. Wrong! The first one came at 1:53 p.m. The next hacking attempt, from a different IP address and using different login credentials, came at 2:07 p.m. Another came at 2:10. And then 2:40. And 2:48. … more than 300 different IP addresses … by 11:59 p.m.”
- “In 2010 the Electronic Frontier Foundation conducted a scan to gather data on the use of encryption [SSL/TLS on the internet]. The process took two to three months…” [3]
- “In 2013 a team of researchers at the University of Michigan believed they could do better… announced ZMap… a tool that allows an ordinary server to scan every address on the Internet in just 44 minutes.” [3]
- It’s now 2016, and the current ZMap documentation states that “With a single machine and a well provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 5 minutes” [4]
- If you don’t feel like running a scan yourself, or are not comfortable in Linux: it’s also the era of ‘big data’, so someone else is already running this and you can simply query their results.
What can you find on the internet? [4] [5]
"first they ignore you, then they threaten to sue you, then they deny the vulnerability, then you p0wn them” [6] [7]
What can you find? Anything … if you want to spend the time looking.
Sources for the last slide
• [0] World’s Biggest Data Breaches – http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• [1] “The Inevitability of Being Hacked” by Andrew McGill – http://www.theatlantic.com/author/andrew-mcgill/
• [2] “Here’s what you find when you scan the entire Internet in an hour” by Timothy B. Lee – https://www.washingtonpost.com/news/the-switch/wp/2013/08/18/heres-what-you-find-when-you-scan-the-entire-internet-in-an-hour/
• [3] ZMap – https://zmap.io/
• [4] Metasploit Framework for z/OS® FTP Exploitation – https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/mainframe/ftp/ftp_jcl_creds.rb
• [5] Script to enumerate TSO UserID – https://github.com/zedsec390/NMAP/blob/master/tso-enum.nse
• [6] International Journal of PoC||GTFO – https://www.alchemistowl.org/pocorgtfo/
• [7] JCL Adventure with Network Job Entries by Soldier of Fortran – https://www.alchemistowl.org/pocorgtfo/pocorgtfo12.pdf (Topic 6, PDF page 32)
An Industry of Terms
When I say "Two-Factor" I mean:
• Multifactor Authentication
– Knowledge Factors – something the user KNOWS
– Possession Factors – something the user HAS
– Inherence Factors – something the user IS
• Two-Factor Authentication
– A combination of two DIFFERENT factors from the list above
An Industry of Terms
I am not referring to:
• Two-Step Verification
– A type of Multi-Factor; involves two subsequent but dependent checks
– BOTH checks can be from the same factor
• Strong Authentication
– More of a "generic term", with multiple meanings depending on the context of use
– Is this "Strong Authentication"?
[!_Ðust1nP@$$w*rdIsL0ng]
How Vanguard Can Help - Overview
• Two-Factor Authentication Solutions
– Vanguard ez/PIV Card Authenticator
– Vanguard ez/Token
– Vanguard Tokenless Authentication
Vanguard ez/PIV Card Authenticator
Key Feature: Delivers Smart Card authentication capabilities to z/OS, without requirement for direct TCP/IP connectivity to your mainframe. Benefit from centralized account management, including de-provisioning for lost, stolen, or terminated cards.
Card types: PIV Cards, CAC Cards, JAVA® Cards/SmartCards
The Justification:
• Smart Card strength using your existing infrastructure and investment
• Real-time verification of card (account) status, including centralized account de-provisioning
• Achieve NIST FIPS 201 regulatory requirements
• Out-of-band deployment options, with simple "end user self-registration"
• Selectively determine which users and/or applications require Smart Card authentication
Vanguard ez/PIV Card Authenticator – Validation
PIV validation occurs and a RACF® PIV Pass is generated.
Vanguard ez/PIV Card Authenticator – Configuration
• Key Configuration Parameters
– PIVREG Value: $PIVCARD (New Class)
– Controlling Profile: PIVCARD.ENABLE
– Class Defined by: PIV_AUTH_CLASS
– Excluding STCs: PIV_EXCL_JNAME
– Including STCs: PIV_INCL_JNAME
• Key Auditing Parameters
– Successful: PIVCARD.SUCCESSFUL.LOGON
– Failure: PIVCARD.FAILED.LOGON
– Excluded (bypass): PIVCARD.EXCLUDED.LOGON
• Where: PDS Member:
– Your Defined Class
– HLQ.V221.VANOPTS(VIPTOKEN)
Vanguard ez/PIV Card Authenticator – Manual Registration
• PIV card PIN validation
• Creates a unique signature based on PIV card certificates for each z/OS user
• Designed for when direct network communication is not available to end users
The signature can be sent to the system administrator for entry into the user profile, or loaded manually into the TSO or CICS® registration applications.
Vanguard ez/PIV Card Authenticator – Semi-Auto Registration
• Requires RACF user ID
• PIV card PIN validation
• IP address of z/OS system
• Creates a unique signature based on PIV card certificates and automatically enters the information into the RACF user profile correctly.
Vanguard ez/PIV Card Authenticator – Generating PIV Pass
Simple user interface. The user provides:
• RACF ID
• RACF Password
• PIV Card PIN
Vanguard ez/PIV Card Authenticator – Login
If the card/PIN is validated, a PIV Pass is generated. Enter the PIV Pass in the Password field of a z/OS enabled logon such as TSO, CICS, DB2®, IMS™, etc.
Vanguard ez/PIV Card Authenticator – Validation
Standard PIV Validation
• PIN Validation
• Card Validation
• Certificate Validation
• FASC-N Validation
• OCSP Validation
All PIV validation must pass at the external PIV provider prior to generating a PIV Pass.
Vanguard ez/Token
Two-factor security solution that integrates RSA tokens and RACF for authentication.
Key Features: Authenticate through either an ActivIdentity or RSA SecurID token to log on to the mainframe via TSO, CICS, IMS™ or any other application that utilizes RACF authentication. Perform New PIN and Next Token Code operations through a web interface.
Now with 2 new features:
• Pre and post exit processing
• Aliasing processing in RACF
The Justification:
• Eliminates the need for users to remember passwords
• Requires no changes to logon screens
• Dynamically choose which users will be authenticated with either ActivIdentity, SafeSign, RSA SecurID®, YubiKey®, OAUTH (HOTP/TOTP), and/or native RACF
• Enables you to select which users will or will not require a PIN
• Force users with elevated privileges to utilize two-factor authentication
Vanguard ez/Token - Overview
Vanguard ez/Token - Configuration
• Key Configuration Parameters
– Controlling Profile: SECUREID.ENABLE
– Class Defined by: SECURE_AUTH_CLASS
– Excluding STCs: SECURID_EXCL_JNAME
– Including STCs: SECURID_INCL_JNAME
– RACF PW Also: SECURID_REQUIRED_RACF_PSWD
• Key Auditing Parameters
– Successful: SECURID.SUCCESSFUL.LOGON
– Failure: SECURID.FAILED.LOGON
– Excluded (bypass): SECURID.EXCLUDED.LOGON
• Where: PDS Member:
– Your Defined Class
– HLQ.V221.VANOPTS(VIPTOKEN)
Vanguard ez/Token - Use Options
Standard Options:
<PIN><TOKENCODE> (Hard Token)
<PASSCODE> (Soft Token)
<TOKENCODE> (No PIN Required)
Require RACF Password:
<RACFPW><SEPARATOR><PIN><TOKENCODE>
<RACFPW><SEPARATOR><PASSCODE>
<RACFPW><SEPARATOR><TOKENCODE>
Vanguard ez/Token - OAUTH/YubiKey
• Initiative for Open Authentication – OATH
http://www.openauthentication.org/
– HOTP – HMAC-Based One-Time Password Algorithm (RFC 4226)
Also known as EOTP – Event-Based One-Time Password Algorithm
– TOTP – Time-Based One-Time Password Algorithm (RFC 6238)
• YubiKey Cloud (or on-site) authentication
• Provided through the LinOTP Linux server, by LSE
– Open Source Edition is free
– Enterprise subscriptions available
https://lsexperts.de
Vanguard ez/Token - Overview OAUTH/YubiKey
Vanguard ez/Token - OAUTH/YubiKey Examples
• All OAUTH methods require both the RACF password AND the OTP code
• Utilizes the passphrase interfaces to simplify end-user use
– But still authenticates using the RACF password
• Examples of authentication strings
– OATH: RACF password (6-8 characters) followed by OTP code (6 characters)
My12R@CF844622
– YubiKey: RACF password (6-8 characters) followed by YubiKey code (44 characters)
My12R@CFcccccceiicnhlklknihnieihjejctenfevkbidbbbfnf
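As an added example (not Vanguard's or LinOTP's code), the following Python shows what the validating side of these authentication strings has to do: it implements the OATH HOTP (RFC 4226) and TOTP (RFC 6238) algorithms named on the previous slide, splits a <RACFPW><OTP> string of either shape shown above into its two parts, checks a YubiKey OTP for its 44-character modhex shape, and accepts a logon only when both the RACF password and the OTP verify. The user store, the password hash, the OATH seed (the RFC test secret) and the one-step clock-drift window are assumptions made for the example; the slides' "OAUTH" refers to the OATH initiative's HOTP/TOTP.

```python
"""Server-side handling of the ez/Token-style authentication strings on this slide.

Added example, not Vanguard or LinOTP code.  It implements OATH HOTP (RFC 4226)
and TOTP (RFC 6238) with the standard library, checks a YubiKey OTP for its
modhex shape, splits a passphrase of the form <RACFPW><OTP> (password 6-8
characters, then a 6-digit OATH code or a 44-character YubiKey code), and
requires BOTH the password and the OTP to verify.  The user record, password
hash and OATH seed below are constructed for the example.
"""
import hashlib
import hmac
import struct
import time

MODHEX_ALPHABET = "cbdefghijklnrtuv"  # YubiKey modhex digit set
YUBIKEY_OTP_LEN = 44                   # 12-char public ID + 32-char encrypted block
OATH_OTP_LEN = 6
TIME_STEP = 30                         # RFC 6238 default step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at_time // TIME_STEP, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift."""
    candidates = [totp(secret, at_time + k * TIME_STEP) for k in range(-window, window + 1)]
    # Compare every candidate so timing does not reveal which step matched.
    return any([hmac.compare_digest(c, code) for c in candidates])


def split_passphrase(passphrase: str, method: str):
    """Split <RACFPW><OTP>: the OTP is a fixed-length suffix, the password is the rest."""
    otp_len = {"oath": OATH_OTP_LEN, "yubikey": YUBIKEY_OTP_LEN}[method]
    if not 6 + otp_len <= len(passphrase) <= 8 + otp_len:
        raise ValueError("length does not fit RACF password (6-8 chars) + OTP")
    password, otp = passphrase[:-otp_len], passphrase[-otp_len:]
    if method == "oath" and not otp.isdigit():
        raise ValueError("OATH code must be 6 digits")
    if method == "yubikey" and any(ch not in MODHEX_ALPHABET for ch in otp):
        raise ValueError("YubiKey OTP must be modhex")
    return password, otp


def yubikey_public_id(otp: str) -> str:
    """First 12 modhex characters identify the key; the remaining 32 are the
    encrypted block that only the YubiCloud/LinOTP validator can check."""
    if len(otp) != YUBIKEY_OTP_LEN or any(ch not in MODHEX_ALPHABET for ch in otp):
        raise ValueError("YubiKey OTP must be 44 modhex characters")
    return otp[:12]


# Constructed user store.  A real deployment keeps the password in RACF and the
# OATH seed on the LinOTP server; both checks still happen on the server side.
USERS = {
    "DUSTIN": {
        "pw_hash": hashlib.sha256(b"My12R@CF").hexdigest(),
        "oath_secret": b"12345678901234567890",  # RFC 4226/6238 test secret
    }
}


def authenticate_oath(user: str, passphrase: str, at_time: int) -> bool:
    """Both factors must pass; both are evaluated before the decision is made."""
    record = USERS.get(user)
    if record is None:
        return False
    try:
        password, otp = split_passphrase(passphrase, "oath")
    except ValueError:
        return False
    pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(),
                                record["pw_hash"])
    otp_ok = verify_totp(record["oath_secret"], otp, at_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = int(time.time())
    live = "My12R@CF" + totp(USERS["DUSTIN"]["oath_secret"], now)
    print(split_passphrase(live, "oath"), authenticate_oath("DUSTIN", live, now))
```

The RFC test vectors (secret `12345678901234567890`: HOTP counter 0 gives 755224, TOTP at time 59 gives 287082) make the implementation checkable against the standards. The YubiKey branch deliberately stops at confirming the shape of the OTP and extracting the public ID: the 32-character encrypted block must be sent to the YubiCloud or LinOTP validator named on the slide, and it is that validator's counter check that rejects a replayed code.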
Vanguard ez/Token - LinOTP Configuration
• Key Configuration Parameters
– Controlling Profile: EZTOKEN.LINOTP
– Class Defined by: LINOTP_AUTH_CLASS
– Excluding STCs: LINOTP_EXCL_JNAME
– Including STCs: LINOTP_INCL_JNAME
• Key Auditing Parameters
– Successful: LINOTP.SUCCESSFUL.LOGON
– Failure: LINOTP.FAILED.LOGON
– Excluded (bypass): LINOTP.EXCLUDED.LOGON
• Where: PDS Member:
– Your Defined Class
– HLQ.V221.VANOPTS(VIPTOKEN)
Vanguard ez/Token - OAUTH Supported Tokens
• Just some of your options
• More? Just contact us and let us know what you have today
Vanguard Tokenless Authentication
Strength and security of two-factor authentication without the physical token.
Key Feature: Delivers strong authentication capabilities by generating and sending a one-time, one-use, time-sensitive passcode to a communication device that a user already possesses: the user’s cell phone, PDA, Blackberry and more.
The Justification:
• Most cost-effective and convenient way to add a higher level of security to corporate networks and data
• No need to deploy and administer expensive physical tokens
• Generates a one-time, one-use password to a “virtual token,” the user’s cell phone, each time a sign-on is attempted
• Cryptographically generated passcodes that expire within a short specified period of time
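As an added example (not Vanguard's code), here is a minimal server-side model of what "one-time, one-use, time-sensitive passcode" has to mean for the tokenless flow above: the code is drawn from the OS CSPRNG, stored only as a keyed hash, rejected once its lifetime has passed, consumed on first successful use, and voided after a handful of wrong guesses. The code length, lifetime, attempt cap, delivery stub and injectable clock are assumptions made for the example.

```python
"""One-time, one-use, time-limited passcode delivered out of band.

Added example, not Vanguard code.  It models the tokenless flow on the slide:
the passcode comes from the OS CSPRNG, only a keyed hash of it is stored, it
expires after a fixed lifetime, it is consumed on first successful use, and
guessing is capped.  The delivery gateway (SMS/e-mail) is a constructed stub
that simply returns the code, and the clock is injectable so expiry can be
exercised without waiting.
"""
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 8           # decimal digits sent to the user's phone or mailbox
CODE_LIFETIME_SECS = 120  # "expire within a short specified period of time"
MAX_ATTEMPTS = 5          # wrong guesses allowed before the code is voided


class TokenlessIssuer:
    def __init__(self, lifetime: int = CODE_LIFETIME_SECS, clock=time.time):
        self._clock = clock
        self._lifetime = lifetime
        self._key = secrets.token_bytes(32)  # server-side key for the stored hash
        self._pending = {}                   # user -> {"hash", "issued", "attempts"}

    def _hash(self, user: str, code: str) -> str:
        # Keyed hash: a leaked table of pending codes is useless without the key.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).hexdigest()

    def _deliver(self, user: str, code: str) -> str:
        # Constructed stand-in for the SMS / e-mail gateway.
        return code

    def issue(self, user: str) -> str:
        """Generate a fresh code for `user`, replacing any earlier pending code."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[user] = {"hash": self._hash(user, code),
                               "issued": self._clock(), "attempts": 0}
        return self._deliver(user, code)

    def verify(self, user: str, code: str) -> bool:
        """True exactly once per issued code, and only while it is still fresh."""
        record = self._pending.get(user)
        if record is None:
            return False
        if self._clock() - record["issued"] > self._lifetime:
            del self._pending[user]          # expired: discard, never accept
            return False
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: void the code
            return False
        ok = hmac.compare_digest(self._hash(user, code), record["hash"])
        if ok:
            del self._pending[user]          # one-use: consumed on success
        return ok


class FakeClock:
    """Constructed test clock so expiry can be exercised deterministically."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Walk the passcode lifecycle once and return the observed outcomes."""
    clock = FakeClock()
    issuer = TokenlessIssuer(clock=clock)
    code = issuer.issue("DUSTIN")
    results = {
        "wrong_code": issuer.verify("DUSTIN", "not-a-code"),
        "first_use": issuer.verify("DUSTIN", code),
        "replay": issuer.verify("DUSTIN", code),
    }
    code = issuer.issue("DUSTIN")
    clock.now += CODE_LIFETIME_SECS + 1
    results["expired"] = issuer.verify("DUSTIN", code)
    code = issuer.issue("DUSTIN")
    for _ in range(MAX_ATTEMPTS):
        issuer.verify("DUSTIN", "not-a-code")
    results["after_lockout"] = issuer.verify("DUSTIN", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The three properties on the slide map to three lines in `verify`: the lifetime check gives "time-sensitive", the delete-on-success gives "one-use", and the CSPRNG in `issue` gives "cryptographically generated". The attempt cap is what makes an 8-digit code defensible against online guessing within its two-minute life; without it the short code would be the weak point of the design.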
Vanguard Tokenless Authentication – Configuration
• Key Configuration Parameters
– Configuration Profile: EZTOKEN.SECUREID (Grouping)
– Controlling Profile: EZTOKEN.SECUREID (Member)
– SSIGNON Value: VTTFA in Class(PTKTDATA)
• Where: PDS Member:
– Your Defined Member/Grouping Class
– HLQ.V221.VANOPTS(VIPTOKEN)
Vanguard Tokenless Authentication – Overview
Vanguard Tokenless Authentication – Administration
Simple web-based admin interface:
• Set up users to use Vanguard Tokenless Authentication
• Change Tokenless Type (Password + Token or Token Only)
• Change Delivery Address (Cell Phone / E-Mail)
Vanguard Tokenless Authentication – Use (E-Mail/SMS)
• Enter UserID
• Enter Password
• Receive E-Mail/SMS
• Enter Tokenless Code
Vanguard Tokenless Authentication – Use Vanguard PasswordReset™ (Multi Factor Authentication)
• Open Website
• Click [Send Token]
• Enter RACF User & Password
• Answer Vanguard PasswordReset Questions
• Receive Tokenless Code to use as Password on device
Vanguard Tokenless Authentication – Use Vanguard PasswordReset (Two Step Authentication)
• Open Website
• Click [Get Token]
• Enter RACF User & Password
• Answer Vanguard PasswordReset Questions
• Receive Tokenless Code to use as Password
How Vanguard Can Help - Demo
Live Demo
How Vanguard Can Help - Review
Two-Factor Authentication Solutions
• Vanguard ez/PIV Card Authenticator
– Smart Cards, CAC Cards, PIV Cards
• Vanguard ez/Token
– RSA, ActivIdentity, SafeSign, OAUTH (TOTP/HOTP), YubiKey, more coming soon…
• Vanguard Tokenless Authentication
– No existing enterprise solution currently exists
Questions