Developing Legacy Platform Security. Philip Young, Information Security Specialist, Visa, Inc. Professional Techniques T21

Similar documents
VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Insurance Industry - PCI DSS

Is Your z/os System Secure?

Performing a z/os Vulnerability Assessment. Part 2 - Data Analysis. Presented by Vanguard Integrity Professionals

How to Go About Setting Mainframe Security Options

NIST Standards and a VCM Implementation

Eleven Steps to Make Mainframe Security Audits More Effective and Efficient

Analyzer runs thousands of integrity checks for both RACF and z/os Security Server.

PROFESSIONAL SERVICES (Solution Brief)

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

Securing Mainframe File Transfers and TN3270

VANGUARD INTEGRITY PROFESSIONALS Page 1

Are Your Auditors and NIST Security Configuration Controls Driving You Crazy? Configuration Manager Implementation

What's Missing in Mainframe InfoSec: (What We Don't Know We Don't Know)"

DATA SHEET VANGUARD CONFIGURATION MANAGER TM KEY FEATURES: VANGUARD TAKES THE TARGET OFF YOUR

VANGUARD Policy Manager TM

Performing a z/os Vulnerability Assessment. Part 1 - Data Collection. Presented by Vanguard Integrity Professionals

VANGUARD POLICY MANAGERTM

DATA SHEET. ez/piv CARD KEY FEATURES:

VANGUARD Compliance Manager VANGUARD Policy Manager VANGUARD Security Manager VANGUARD Enforcer

POLICY MANAGER VANGUARD POLICY MANAGER (AUDIT/COMPLIANCE)

Performing a z/os Vulnerability Assessment. Part 3 - Remediation. Presented by Vanguard Integrity Professionals

LOWER THE COST OF PROVIDING z/os SERVICES

SOLUTIONS BRIEFS. ADMINISTRATION (Solutions Brief) KEY SERVICES:

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

To Audit Your IAM Program

EView/390z Insight for Splunk v7.1

IBM Fundamentals of Applying Tivoli Security and Compliance Management Solutions V2.

Tutorial: Lessons From A Real Mainframe Break-In Over the Internet

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

What is PCI/DSS and What s new Presented by Brian Marshall Vanguard Professional Services

MANEWS Issue Number 21 the Mainframe Audit News

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

Compliance Audit Readiness. Bob Kral Tenable Network Security

How Vanguard Solves. Your PCI DSS Challenges. Title. Sub-title. Peter Roberts Sr. Consultant 5/27/2016 1

IBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly

Google Cloud & the General Data Protection Regulation (GDPR)

Top Ten Security Vulnerabilities in z/os Security Doug Behrends Sr. Professional Services Consultant Vanguard Integrity Professionals

Security as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS

Top 12 Mainframe Security Exposures and Lessons From A Real Mainframe Break-In

INFORMATION ASSURANCE DIRECTORATE

NOTE: This process is not to be used for Grouping/ Member Classes. Those will be covered in another White Paper.

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

DUNS CAGE 5T5C3

Configuring zsecure To Send Data to QRadar

Automated Sign-on for Mainframe Administrator Guide

=============================================== ===============================================

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Bsafe/Enterprise Security Enhancements v.6.1

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

z/os Operating System Vulnerabilities ( )

Cybersecurity & Privacy Enhancements

Removing ID. The Solution: The Issue: The Problem:

2018 Defense Service Catalog

Post exploit goodness on a Mainframe

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

athene Getting Started Guide

CIS Top 20 #5. Controlled Use of Administrative Privileges

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Risk Management Framework for DoD Medical Devices

Defense Security Service Industrial Security Field Operations National Industrial Security Program (NISP) Authorization Office (NAO)

Version 9 Release 1. IBM InfoSphere Guardium S-TAP for IMS on z/os V9.1 User's Guide IBM

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Auditing DB2 on z/os. Software Product Research

DATA SHEET. VANGUARD ez/tokentm KEY FEATURES:

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Top Ten Critical Assessment Findings in IBM z/os (RACF ) Environment

Meeting RMF Requirements around Compliance Monitoring

Security Operations & Analytics Services

Building a Case for Mainframe Security

zsc40 Beyond Legacy Security Paul R. Robichaux NewEra Software, Inc. Thursday, May 9th at 9:00 10:15 am Session Number - zsc40 Location Melrose

Standard Development Timeline

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Popping a shell on a mainframe, is that even possible?

CoreMax Consulting s Cyber Security Roadmap

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

EView/390 Management for HP OpenView Operations Unix

Import and Export libpcap, Sniffer and OSAENTA Traces

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

AGENDA. A New Look at Mainframe Hacking And Penetration Testing 01/11/2016. World Class z Specialists

Cyber Security Awareness for SmallSat Ground Networks

IT Vulnerabilities: What an IT Auditor Should be Thinking About

Internetwork Expert s CCNA Security Bootcamp. Securing Cisco Routers. Router Security Challenges

IoT & SCADA Cyber Security Services

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Vanguard Configuration Manager Customization and Use

Information Technology Procedure IT 3.4 IT Configuration Management

CYBERSECURITY RESILIENCE

CompTIA SY CompTIA Security+

ForeScout Extended Module for Tenable Vulnerability Management

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Off-Line The SC Midlands Chapter of the Information Systems Audit & Control Association

The Control Editor (TCE)

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

One Identity Quick Connect for Mainframes QCMF Bridge

16898: A Forensic Analysis of Security Events on System z, Without the Use of SMF Data

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CompTIA Cybersecurity Analyst+

Transcription:

Developing Legacy Platform Security Philip Young, Information Security Specialist, Visa, Inc. Professional Techniques T21

About Me Philip Young Always interested in IT security Started with Audit Ernst & Young 2005 to 2008 Grant Thornton 2008 to 2009 Visa Inc. 2009 to 2013 Transitioned to IT Security August 2013 Brought in to lead Legacy System Security 2

About Me Started researching Mainframe Security Identified lack of discussion and awareness of these systems publicly Recognized knowledge gaps 3

Spoken 4

Legacy?

What comes to mind? When you think legacy 6

7

8

9

10

11

12

13

Legacy Terminology Does your policy specifically outline Legacy? Exception to your policy for these systems? Should you have one in the first place? A blanket policy puts you at risk 14

Risks with Legacy Platforms Lack of institutional knowledge Audit/IS may lack requisite knowledge to adequately assess these systems Brain Drain of qualified individuals No clear security requirements Assumed Secure by enterprise 15

16

17

Interesting Factoids That s me! 18

Key Activities Understand the Operating System Know the OS like you know Windows/Linux Develop Security Requirements Baseline against these requirements Integrate in to Standard Information Security (IS) Policies Patching Logging/Monitoring Configuration Compliance 19

Mainframe OS: z/os

z/os Primary mainframe OS Used by 90% Fortune 100 organizations Current version: z/os V2R1 Released this year 21

Brain Drain 22

Brain Drain RACF Security administrators under 50 RACF Security Administrators over 50 www.rshconsulting.com/surveys/rsh_consulting RACF_Survey_014 Age_RACF-L_Participants.pdf 23

Training/Access Very difficult to come by z/os has 11,000 pages worth of documents you can read! Entire books dedicated to RACF, let alone underlying operating system. Very few in-person or online training for auditors or security professionals 24

Training: Master the Mainframe Teaches coding/developments and operating system concepts Only covers development work No IT Security or Audit focus 25

Understand z/os Uses LPARs and TSOs; DATASETs and OMVSes; TN3270s and RACFs; JCLs and APFs Any Questions? 26

LPAR Logical PARtition = VM The mainframe hardware can be partitioned to run multiple instances I.E. SYS1 & VM9 are what you might name your LPARs 27

TSO Time Sharing Option Command Prompt, primary interface in to z/os Looks like this: READY 28

29

30

Datasets No FILES on the mainframe just DATASETS Starts with an High Level Qualifier then remaining qualifiers SoF.SSN2012.FTP.LOG HLQ Remaining Qualifiers 31

OMVS Open Multiple Virtual Storage Aka UNIX, a required component of the OS Required for certain activities: Networking FTP Web Services 32

33

TN3270 Telnet console used to access z/os An extension on Telnet And therefore clear text Technically in EBCDIC Can support SSL encryption! 34

35

RACF Resource Access Control Facility By IBM Manages all access right provisioning across the entire operating system One dataset contains all security information! Also contains usernames and password hashes Can be replaced by ACF2/TS Access Control Facility 2 (Computer Associates) Top Secret (Computer Associates) 36

JCL Job Control Language Primary interface to submitting commands Input Queue Output Queue 37

JOB CARD Program Typo Parameters 38

APF Authorized Program Facility Programs with this defined can bypass memory access restrictions Bypass RACF Access restricted files/actions 39

Many Many More I could spend months on z/os Get access yourself! Leverage z/os RDz&T program Get access to your development mainframes These systems are accessible and available 40

Build z/os Requirements

Using Standards No single all encompassing guide ISACA: A good guide exists, yet it is incomplete (doesn t cover OMVS). Other guides exists but are from 2003 NIST: No z/os guides exists SANS: RACF and ACF2 guides exists but do not cover the rest of the operating systems 42

Best Available z/os DOD DISA STIG Department of Defense (DoD) Defense Information Systems Agency (DISA) Security Technology Implementation Guide (STIG) Created for z/os! Covers UNIX Covers TCP/IP Covers TSO Cover RACF/ACF2/TopSecret 43

However Controls are too detailed Covers areas not applicable to enterprises DoD specific software/items Requires Customization It s manageable, only 300+ controls! 44

Develop New Security Requirements Use DoD STIG to develop current security requirements Document any/all deviations Review with Subject Matter Experts Conduct baseline against current configuration Establish realistic implementation timelines Certain controls may have significant impact on system resources i.e. implementing SYSLOG may impact storage, networking, etc. 45

Implement Automation Automate configuration compliance review zsecure (IBM) and Vanguard both support automated control testing based on the DoD STIG. Report and follow-up on any deviations from the standard 46

Integrate in to Standard IS Processes

Integrating Include mainframe systems in standard IS processes, including: Deviation from established Security Requirements Logging and Monitoring (SIEM) Patching Vulnerability Scanning Penetration Testing Application Source Code Review 48

Deviation New requirement published and effective Any system which cannot meet the current requirements must have a documented rationale for not following the requirements Including: Risk Mitigation Timeline to meet standard 49

Logging and Monitoring z/os uses SMF and SYSLOG for system logging Export data to SIEM for central monitoring SMF can be exported on a periodic basis or sent in real time with IBM products SYSLOG data can be sent to central syslog servers 50

Logging and Monitoring Setup appropriate alerting based on the platform. z/os Example: Changes to z/os configuration datasets Access to development code JCL sent through FTP TSO brute force attempts Opening of ports Disabling dataset auditing/syslog etc 51

Patching Ensure patching follows standard enterprise patching procedures z/os: APARs are released as they are made applicable to your environment Follow your standard patching requirements to ensure z/os patches are installed in a timely manner 52

Vulnerability Scanning/Pen Test Typically Excluded from these scans/testing If production is too fragile test against development and QA environments Vulnerability scanning will only identify common issues. Likely not z/os specific issues Penetration Testing with properly trained individuals will! 53

Application Source Code Review Ensure Mainframe application follow standard Secure Software Development Lifecycle (SSDLC) program Despite being developed prior to SSDLC critical/core application MUST be reviewed Foreign architecture may pose challenging Manual review required Current tools (e.g. Veracode) do not support most mainframe code types 54

Wrapping Up

It Takes Time If you re starting from scratch it will take years Dealing with politics/entrenched processes Lack of documentation Organic growth over decades Patience and perseverance is key You won t get it right the first time These systems are complex, you will miss things on your first pass 56

Questions? 57

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback