IBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly

Transcription

1 2016 IBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly

2 Today s Agenda Introductions Regulations on IBM i Conducting the Study The State of IBM i Security Study Questions and Answers 2

3 Today s Speaker ROBIN TATAM Director of Security Technologies robin.tatam@helpsystems.com 3

4 About PowerTech Premier Provider of Security Solutions & Services 19 years in the security industry as an established thought leader Customers in over 70 countries, representing every industry Security Subject Matter Expert for COMMON IBM Advanced Business Partner Member of PCI Security Standards Council Authorized by NASBA to issue CPE Credits for Security Education Publisher of the Annual State of IBM i Security Report 4

5 5

6 Today s Agenda Introductions Regulations on IBM i Conducting the Study The State of IBM i Security Study Questions and Answers 6

7 Why Do I Need to Audit? Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts Industry Regulations, such as Payment Card Industry (PCI DSS) Internal Activity Tracking High Availability Application Research & Debugging 7

8 Which Standards Do I Audit Against? Is there a company security policy? (We ve got one to help you get started.) Guidelines and Standards COBIT ISO (formerly known as 17799) ITIL 8

9 IT Controls an Auditor s Perspective Can users perform functions/activities that are in conflict with their job responsibilities? Can users modify/corrupt application data? Can users circumvent controls to initiate/record unauthorized transactions? Can users engage in fraud and cover their tracks? 9

10 The Auditor s Credo Of course I believe you! (But you still have to prove it to me) 10

11 Today s Agenda Introductions Regulations on IBM i Conducting the Study The State of IBM i Security Study Questions and Answers 11

12 Purpose Of the Study Help IT managers and auditors understand IBM i security exposures Focus on top areas of concern in meeting regulatory compliance Help IT develop strategic plans to address or confirm high risk vulnerabilities 12

13 How We Collect the Data PowerTech Security Scan Launched from a PC Collects security data Data for the study are anonymous Companies are self-selected More or less security-aware? Study first published in 2004 Over 2,000 participants since inception Schedule your own security scan at 13

14 Be a Part of the Study! YOUR PC YOUR IBM i SERVER YOUR VULNERABILITIES (Participation in the Security Study is optional) 14

15 Simple summary provides auditor & executives with visual indicators

16 16 IBM i registry is reviewed to see if network events are audited or controlled

17 *PUBLIC authority levels on application libraries are interrogated

18 18 Statistics are retrieved on profile metrics, such as any with default passwords

19 Review of the system values that impact security

20 Verify if auditing is active, and what types of audit events are being logged

21 Determine how many users have Special Authorities (admin privileges)

22 Six Major Areas of Review System auditing Privileged users User and password management Data access Network access control System security values 22

23 Today s Agenda Introductions Regulations on IBM i Conducting the Study The State of IBM i Security Study Questions and Answers 23

24 State of IBM i Security Overall Assessed 177 different systems throughout 2015 Multiple runs against single servers within 7 days were discarded Settings reviewed from a total of: 238,409 User Profiles 94,066 Libraries That s double the number from 2015! On average, each assessed system had: 1,347 Users 531 Libraries 24

25 25 State of IBM i Security Overall

26 26 QSECURITY (System Security Level)

27 27 QSECURITY (System Security Level)

28 28 What Does IBM Say about Security Level 30?

29 29 Auditing Events?

30 Top 10 Invalid Sign-On Attempts Found Would you detect an Intrusion Attempt? 610,387 This is the number of attempts to access one partition that someone made using an individual profile. 30

31 Top 10 Invalid Sign-On Attempts Found Would you detect an Intrusion Attempt? 610,387 This is the number of attempts to access one partition that someone made using an individual profile. 31

32 Top 10 Invalid Sign-On Attempts Found Systems with a profile that had experienced more than 1,000 invalid attempts 48% Who Is Watching?! 32

33 33 What Should I Look For?

34 What Good Is Audit Journal Data? Mountains of raw data Multiple places to look Frustrating manual reporting processes As a result, auditors and IT often get locked in a request/respond cycle or IT only looks the day before the auditors arrive. 34

35 Is Anyone Paying Attention? 84% of systems had an IBM audit journal (QAUDJRN) 24% of those had a recognized auditing tool installed 18% of servers had the auditing control system turned off 610,000 invalid sign-on attempts against a single profile! Would you be more concerned if it was the QSECOFR profile? 35

36 What is *PUBLIC? *PUBLIC is a special reference to any user that is not explicitly named and given an authority. (Although sometimes referred as anonymous access, the user still needs credentials and is not anonymous to the organization.) 36

37 Deny By Default The one and only library authority that keeps users out is *EXCLUDE. A policy of deny by default calls for *PUBLIC to be excluded and then authorized named users or groups granted the appropriate access. WARNING: A user can (potentially) delete objects with only *USE authority to the library. 37

38 38 Who Cares?

39 39 Library Authority

40 40 When New Objects Are Created

41 41 When New Objects Are Created

42 Network Access Control Many IBM i applications rely on menu security because It s easy to build It s the legacy of many existing business applications Menu security design assumes: Access only originates via the menus No users have command line permission Users have no access to SQL-based tools Menu security is often accompanied by: User being a member of group that owns the objects *PUBLIC is granted broad (*CHANGE) access to data 42

43 Network Access Control ODBC isn t rocket science anymore 43

44 44 Are These Services Running?

45 45 Are These Services Running?

46 A New Function? In the 1990s, IBM supplemented Object Level security with a suite of Exit Points, which are temporary interruptions in an OS process in order to invoke a user-written program. The function of an Exit Program for network access can be anything but security officers typically want it to: Audit (as IBM doesn t) Control (as good object security is often lacking) The Exit Program has to return a pass/fail indicator to the Exit Point. 46

47 47 Exit Program Coverage

48 48 Exit Program Coverage

49 Administrator Privileges Special Authority (aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS All Object The gold key to every object and almost every administrative operation on the system, including unstoppable data access. 49

50 Administrator Privileges Special Authority (aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Security Administration Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority. 50

51 Administrator Privileges Special Authority (aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS I/O Systems Configuration Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP). 51

52 Administrator Privileges Special Authority (aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Audit The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD). 52

53 Administrator Privileges Special Authority (aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Spool Control This is the *ALLOBJ of Spooled Files and allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions. 53

54 Administrator Privileges Special Authority (aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Service This allows a user to access the System Service Tools (SST) login, although they also need an SST login since V5R1. 54

55 Administrator Privileges Special Authority (aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Job Control This enables a user to start/end subsystems and manipulate other users jobs. It also provides access to spooled files in output queues designated as operator control. 55

56 Administrator Privileges Special Authority (aka Privileges) *ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS Save System This enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object. * Be cautious if securing objects at only a library level * 56

57 57 Administrator Privileges

58 Administrator Privileges Try to get down to < 10 profiles with SPCAUTs 58

59 59 Endless News Reports of Insider Breaches

60 Endless News Reports of Insider Breaches Spring

61 61 Password vs. Passphrase

62 Password vs. Passphrase Password (10 character maximum) Passphrase (128 character maximum) 62

63 63 Minimum Password Length

64 Minimum Password Length Not too hard to guess your way in! 64

65 65 Password Expiration

66 66 Other Password Rules

67 67 Other Password Rules

68 68 How Many Attempts?

69 How Many Attempts? Let s hope this wasn t the server that experienced 650,000 invalid sign on attempts. 69

70 70 And Then What?

71 Default Passwords Default profiles are banned by compliance mandates, and for GOOD reason! Review and resolve using ANZDFTPWD 71

72 Default Passwords One system had 2,199 users with default passwords. 99 systems had > 30 users with default passwords. 49 systems had > 100 users with default passwords. 72

73 Inactive Profiles Do you have obsolete user profiles? Did you know IBM i has the ability to automatically disable an inactive account? (ANZPRFACT) 73

74 Adopted Privilege Programs can run with: Authority of the caller, plus Authority of the program owner, plus Authority of the program owner of other programs in the stack 74

75 5250 Command Line Limit Capabilities controls what users can do on the system command line Just remember some interfaces (e.g. FTP) don t check the setting before processing some command requests! 75

76 76 Are you AV Scanning?

77 The Perfect Storm Of Vulnerability Some of the most valuable data in any organization is on your Power Systems server (System i, iseries, AS/400). Most IBM i data is not secured and the users are far too powerful. Security awareness among IBM i professionals is generally low. IBM i awareness among audit and compliance professionals is generally low. 77

78 The Call To Action 1. Conduct a Security Scan (free and deepdive options). 2. Remediate low-hanging fruit such as default passwords and inactive accounts. 3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc. 4. Perform intrusion tests over FTP and ODBC to assess risk of data leaks. 5. Evaluate solutions to help mitigate risk. 78

79 Download the Full Study resources white-papers 79

80 (800)