Is Your z/os System Secure?

Similar documents
PROFESSIONAL SERVICES (Solution Brief)

z/os Operating System Vulnerabilities ( )

Under the Hood: Amy DeMartine, Principal Analyst, Forrester Ray Overby, President, Key Resources, Inc. A Mainframe Vulnerability Management Playbook

Performing a z/os Vulnerability Assessment. Part 2 - Data Analysis. Presented by Vanguard Integrity Professionals

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

Insurance Industry - PCI DSS

DATA SHEET VANGUARD CONFIGURATION MANAGER TM KEY FEATURES: VANGUARD TAKES THE TARGET OFF YOUR

Analyzer runs thousands of integrity checks for both RACF and z/os Security Server.

VANGUARD INTEGRITY PROFESSIONALS Page 1

SOLUTIONS BRIEFS. ADMINISTRATION (Solutions Brief) KEY SERVICES:

Developing Legacy Platform Security. Philip Young, Information Security Specialist, Visa, Inc. Professional Techniques T21

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

VANGUARD POLICY MANAGERTM

Data Breaches: Is IBM i Really At Risk? All trademarks and registered trademarks are the property of their respective owners.

POLICY MANAGER VANGUARD POLICY MANAGER (AUDIT/COMPLIANCE)

VANGUARD Policy Manager TM

NIST Standards and a VCM Implementation

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

What is PCI/DSS and What s new Presented by Brian Marshall Vanguard Professional Services

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

TEL2813/IS2820 Security Management

Effective Strategies for Managing Cybersecurity Risks

IBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly

Information Security Policy

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

What's Missing in Mainframe InfoSec: (What We Don't Know We Don't Know)"

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

Challenges and Issues for RACF Systems

DATA SHEET. ez/piv CARD KEY FEATURES:

Gujarat Forensic Sciences University

Performing a z/os Vulnerability Assessment. Part 3 - Remediation. Presented by Vanguard Integrity Professionals

Eleven Steps to Make Mainframe Security Audits More Effective and Efficient

Configuring zsecure To Send Data to QRadar

Top 12 Mainframe Security Exposures and Lessons From A Real Mainframe Break-In

Carbon Black PCI Compliance Mapping Checklist

DATA SHEET. VANGUARD ez/tokentm KEY FEATURES:

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Are Your Auditors and NIST Security Configuration Controls Driving You Crazy? Configuration Manager Implementation

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Penetration testing.

The Control Editor (TCE)

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Cybersecurity for Service Providers

Performing a z/os Vulnerability Assessment. Part 1 - Data Collection. Presented by Vanguard Integrity Professionals

HIPAA Compliance Assessment Module

Introduction to Ethical Hacking. Chapter 1

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 1 Introduction to Security

DeMystifying Data Breaches and Information Security Compliance

Security Management Models And Practices Feb 5, 2008

zsc40 Beyond Legacy Security Paul R. Robichaux NewEra Software, Inc. Thursday, May 9th at 9:00 10:15 am Session Number - zsc40 Location Melrose

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

How to Go About Setting Mainframe Security Options

Protect Your Organization from Cyber Attacks

10 FOCUS AREAS FOR BREACH PREVENTION

What every IT professional needs to know about penetration tests

MANEWS Issue Number 21 the Mainframe Audit News

VANGUARD Compliance Manager VANGUARD Policy Manager VANGUARD Security Manager VANGUARD Enforcer

The Myth of Mainframe Security

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

How Vanguard Solves. Your PCI DSS Challenges. Title. Sub-title. Peter Roberts Sr. Consultant 5/27/2016 1

Cybersecurity, safety and resilience - Airline perspective

Information Technology General Control Review

Subject: University Information Technology Resource Security Policy: OUTDATED

Addressing penetration testing and vulnerabilities, and adding verification measures

Cyber Risks in the Boardroom Conference

MIS Week 9 Host Hardening

Cybersecurity Today Avoid Becoming a News Headline

EXHIBIT A. - HIPAA Security Assessment Template -

Securing Industrial Control Systems

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Top Ten Critical Assessment Findings in IBM z/os (RACF ) Environment

Skybox Security Vulnerability Management Survey 2012

NOTE: This process is not to be used for Grouping/ Member Classes. Those will be covered in another White Paper.

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

A practical guide to IT security

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

IT SECURITY FOR NONPROFITS

LMS. Laret Melsch Systems

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

INTELLIGENCE DRIVEN GRC FOR SECURITY

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

SDR Guide to Complete the SDR

A Security Review of MVS/RACF: Part 2 Kurt Meiser Payoff

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 1 Introduction to Security

New Jersey Association of School Business Officials Information Security K-12. June 5, 2014

Cyber Security. Building and assuring defence in depth

Data Security and Privacy Principles IBM Cloud Services

Building a Case for Mainframe Security

Troubleshooting and Cyber Protection Josh Wheeler

Transcription:

Ray Overby Key Resources, Inc. Info@kr-inc.com (312) KRI-0007 A complete z/os audit will: Evaluate your z/os system Identify vulnerabilities Generate exploits if necessary Require installation remediation Require vendor remediation that installation will apply 2 1

What is a Vulnerability? A weakness in the system Allows an attacker to circumvent installation controls Could be related to hardware configuration Could be related to system configuration parameters Could be related to security system configuration Could be related to system integrity 3 What s an Exploit? An exploit is a way of taking advantage of a vulnerability Exploits are based upon one or more vulnerabilities An exploit contains a check list Follow the directions Perform each step 4 2

What is an exploit? With an exploit, you can bypass the installation controls And gain unauthorized access to data Without proper permissions Without proper logging (SMF) Exploits can be created in your environment Exploits can be imported from outside sources Exploits have requirements to implement 5 Exploit requirements May require certain authorities such as: Ability to submit batch jobs or TSO access Access to assembler and/or linkage editor Access to Rexx Ability to create new or modify existing data sets Will not require: Extra-ordinary security authority 6 3

Exploit requirements May require certain software installed May require certain software levels May require certain features implemented 7 Vulnerabilities Can be Caused By Poor hardware configuration Poor system configuration parameters Poor Security System Controls System Integrity Violations 8 4

Vulnerabilities Can Be exploited by knowledgeable insiders (high level of technical expertise) Script kiddies (low or lower level of technical expertise) Cause Compliance violations Cause loss or modification of confidential information without generating SMF or other log records 9 Vulnerabilities can be caused by: Poor Hardware Configuration Shared DASD, but non-shared security database May allow test system access to production data Poor System Controls Failure to properly secure APF libraries Poor System Configuration Program Properties Table entries 10 5

System Integrity Violations What are they? Why should you care? 11 System Integrity vs. System Security Barry Schrager formed the SHARE Security Project in 1972 To develop security requirements for future IBM Operating Systems Problem that could not be overcome was that any security rules could be bypassed if the defined Operating System Interfaces could be circumvented The Security Project conclusion was There can be no System Security without Operating System Integrity 12 6

Also in 1972 Eldon Worley (original author of IBM s RACF) and Barry Schrager (original author of CA s ACF2) gave a SHARE presentation on their concepts for data security Several IBMers watched for their customers reaction to data security in IBM Operating Systems It must have been good In 1973 IBM announced its Statement of Integrity for OS/VS2 13 IBM s Commitment to z/os Integrity IBM s commitment includes design and development practices intended to prevent unauthorized application programs, subsystems, and users from bypassing z/os security that is, to prevent them from gaining access, circumventing, disabling, altering, or obtaining control of key z/os system processes and resources unless allowed by the installation. Specifically, z/os System Integrity is defined as the inability of any program not authorized by a mechanism under the installation s control to circumvent or disable store or fetch protection, access a resource protected by the z/os Security Server (RACF ), or obtain control in an authorized state; that is, in supervisor state, with a protection key less than eight (8), or Authorized Program Facility (APF) authorized. In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it. 14 7

Three Security Systems RACF developed by IBM and introduced in 1976 ACF2 developed by SKK and introduced in 1978 (now owned by CA) Top Secret developed by CGA Allen and introduced in 1981 (now owned by CA) ALL DEPEND ON PROPER z/os CONFIGURATION, SECURITY SYSTEM CONTROLS AND SYSTEM INTEGRITY 15 What does it mean? If you have a secure hardware configuration And if you have secure system configuration parameters And if you have secure installation security controls But you don t have integrity you are NOT secure! 16 8

System Integrity Vulnerabilities Are violations of the z/os statement of integrity Cannot be addressed by hardware or system configuration changes Cannot be address by security system controls changes Cannot be remediated by the installation 17 System Integrity Vulnerabilities Independent of the Security System ACF2, RACF or Top Secret Must be remediated by the Code Owner You are dependent on the Code Owner to address them! 18 9

Who is the Code Owner? IBM in the case of the z/os Operating System Vendors for Program Products - could be IBM or other Independent Software Vendors Installation Staff for locally developed Operating System SVCs, System Exits, APF authorized programs, etc.? for code obtained from other sites 19 Lets recap what we have learned Vulnerabilities don t do anything they just are there Vulnerabilities are weaknesses in the system Vulnerabilities could be located in: Hardware configuration System configuration parameters Security implementation Authorized programs (Integrity) 20 10

Lets recap what we have learned Exploits do something Exploits allow a user access to something outside of installation control Exploits are based upon one or more vulnerabilities Exploits don t require any extra-ordinary security authority 21 Lets recap what we have learned Exploits can lead to compliance violations Exploits, and the activity they hide, may not leave any audit trail Exploits based on poor z/os configuration parameters can be remediated by you Exploits based on poor security implementation can be remediated by you Exploits based upon system integrity exposures CANNOT be remediated by you 22 11

Lets recap what we have learned System integrity exposures are the same as not protecting your APF authorized libraries This means that if not properly protecting your APF libraries is a compliance violation then integrity exposures are also.. You have integrity exposures on your systems today! 23 Access a Dataset 24 12

Denied by RACF 913 ABEND!! 25 Run an Exploit 26 13

Now in RACF PRIVILEGED!! 27 Access the Dataset Again 28 14

Now Have Access!! 29 System integrity vulnerability example Similar to poor security system example Write a program to dynamically modify your security credentials System integrity vulnerability does NOT require APF authorized library any load module library will do! You can remediate the poor security system example You cannot remediate the system integrity vulnerability 30 15

Why a Vulnerability Testing Process? Helps safeguard your organization Prevents financial loss through fraud Stops hackers, spies and disgruntled employees Provides due diligence Provides compliance to industry standards (PCI Requirement 11.3), government standards (NIST 800-53), and International Standards (ISO 27001) 31 2008 Strategic Counsel Survey Commissioned by CA Technologies Internal Breaches are Rising 2003 15% of breaches 2006 42% of breaches 2008 44% of breaches The biggest security threats are from the inside! And, they are increasing! 32 16

2010 PacketMotion Survey US Government Agencies surveyed 59% said employees are the biggest threat 18% said outsiders, including contractors, were biggest threat 9% said Hackers & Criminals were biggest threat 77% said foreign government spies could be planted in their agencies 33 Compliance Requirements Penetration Testing Vulnerability Scans We always thought these were for networks and non-mainframe servers because mainframes were inherently secure But, although mainframes are more secure, they still have vulnerabilities 34 17

PCI Requirement 11.3 Guidance Before applications, network devices, and systems are released into production, they should be hardened and secured using security best practices (per Requirement 2.2). Vulnerability scans and penetration tests will expose any remaining vulnerabilities that could later be found and exploited by an attacker. 35 NIST 800-53 Control CA-2 Security Assessments The organization includes, as part of a security control assessment, malicious user testing and penetration testing 36 18

ISO/IEC 27001 15.2.2 Technical compliance checking Information systems should be regularly checked for compliance with security implementation Standards Compliance checking also covers, for example, penetration testing and vulnerability assessments, which might be carried out by independent experts specifically contracted for this purpose 37 z/os Audit Tools First was SKK s Examine/MVS, now known as CA-Audit Then Vanguard s Analyzer Then Consul s Audit (now part of zsecure) Vanguard s Configuration Manager (DISA STIGs for RACF) Key Resources Vulnerability Analysis Tool for z/os Vulnerability Assessments 38 19

DISA STIGs Compare your z/os Configuration and Security System Controls against a standard Defense Information Systems Agency (DISA) created the Security Technical Installation Guidelines (STIGs) for many platforms Including z/os Systems with RACF, ACF2 and Top Secret http://iase.disa.mil/stigs/stig/index.html 39 Automated DISA STIG Analysis If you are RACF Vanguard s Configuration Manager automatically compares your system s configuration and security controls against the DISA STIG standards Or, DISA supplies a massive REXX Exec that uses CA-Examine to examine your configuration parameters and controls 40 20

But System Integrity Exposures Everything depends on System Integrity It s like locking the front door, but not checking to see if the side windows are open System Integrity exposures can put your system at risk to insiders And according to the surveys, employees are becoming the greatest risk 41 z/os Integrity Exposures Authorized programs, SVCs, PCs, whose sole purpose is to place the caller in an authorized state Errors in the implementation of: Independent Software Vendor Products Homegrown programs Operating System Exits Operating System extensions z/os 42 21

Types of Integrity Exposures Integrity exposures are in authorized programs, SVCs & PCs Store into caller supplied addresses Expose fetch protected storage Branch to caller supplied addresses APF authorized programs that don t require any special authority but do authorized things 43 Installations Create Their Own Vulnerabilities Systems Programmers add vulnerabilities for convenience Or they are added without performing true research and knowledge of the impact of what they are installing on your systems 44 22

A True RACF-L Posting We have a storage area that we obtain at the first CICS address space start up. The area is referenced by all CICS regions - but only a couple do any actual updating. The code we use for this is -- 45 Do you think they have a Vulnerability? LA R1,SVCSAVE HOLD AREA FOR SVC 255 SVC 255 GET INTO SUP. STATE WITH KEY 0 STORAGE OBTAIN,LENGTH=20480,SP=241,KEY=9 ST R1,MVSCSADR STORE AREA ADDR. IN CSAEXT IC R11,=X'80' SPKA 0(R11) CHANGE TO KEY 8 CICS MODESET MODE=PROB SWITCH TO PROBLEM STATE 46 23

Vulnerabilities exist in shared code On the www.cbttape.org website Started as a tape by Connecticut Bank & Trust Contains MVS shareware One great enhancement to ISPF Submitted by a very reputable institution Contains a get me in supervisor state SVC 47 Vulnerabilities may have been added By well meaning Systems Programmers Who wanted a function Who did not think of the implications Who have long since left or retired But they STILL EXIST ON YOUR SYSTEMS!!! 48 24

Vendors Introduce Vulnerabilities One, now fixed, from an ISV was exploitable by an 11 line REXX Exec! Which placed the caller in RACF Privileged State! Sometimes Vendors fix vulnerabilities but you may not have applied the maintenance There are integrity vulnerabilities on your systems today! 49 What do you do? Apply all IBM Integrity fixes Integrity PTFs may be marked integrity, but not critical Many installations apply critical PTFs but not integrity PTFs Pay attention! Require all your ISVs to provide a commitment to System Integrity similar to what IBM has provided for the z/os system itself 50 25

What do you do? Review all installation developed authorized code for integrity exposures Retain outside experts if necessary Review all authorized code obtained from outside the company Retain outside experts if necessary 51 What do you do? Periodically review the state of your z/os system to: Assure that older system integrity issues have been resolved And no new ones have been introduced 52 26

Questions? Key Resources, Inc. www.vatsecurity.com (312) KRI-0007 Info@kr-inc.com 53 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback