Investigating the legacy system challenge of Internet connectivity. A case study. Presented by: Martin Norman Director, Technical Services www.safestone.com

ACSAC 2017 (PDF)


Investigating the legacy system challenge of Internet connectivity.

A case study.

Presented by: Martin Norman, Director, Technical Services

www.safestone.com


About SafeStone

- Premier IBM Partner for AS400 / iSeries Security for 15 years
- Member of IBM World Wide Partner in Development Program
- Over 1,500 security software installations world wide
- Headquarters in Princeton, New Jersey with offices throughout the world


Presentation Agenda

- Define the challenge facing the client
- Describe the investigation / audit process
- Summarize the findings
- Itemize the main recommendations
- Conclusion – lessons to be learnt


Legacy environment

- iSeries 400
- Inventory optimization application
- Minimal OS/400 expertise
- No security expertise on iSeries 400
- Security policy in place but not formally applied to the iSeries 400


The challenge!

- Their software provider has developed a collaborative portal for e-business
- The client’s own vendors will now get Internet based connection into the iSeries 400


[Diagram: Vendor / Retailer]


[Diagram: Vendor / Retailer, portal connection flow]

Step 1 – authenticate
Step 2 – select partner
Step 3 – URL and token issued
Step 4 – connect to partner
Step 5 – check token back to portal
Step 6 – check inventory
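An in-memory model of the six-step portal flow above, added here as an illustration and not the portal provider's code: the portal issues an opaque token bound to the vendor and the partner selected in step 2, and the partner system's check-back (step 5) rejects a token presented to the wrong partner, an expired token, or a replayed one. All names, the token format, the time-to-live and the single-use policy are assumptions.

```python
import hmac
import secrets
import time

# Constructed vendor credential store and partner directory (assumptions).
VENDOR_CREDENTIALS = {"acme-supply": "correct horse battery staple"}
PARTNERS = {"retailer-a": "https://retailer-a.example/inventory",
            "retailer-b": "https://retailer-b.example/inventory"}
TOKEN_TTL_SECONDS = 300  # assumed lifetime of an issued token


class Portal:
    """Issues tokens bound to one vendor/partner pair and answers check-backs."""

    def __init__(self):
        self._tokens = {}  # token -> (vendor, partner, expiry)

    def authenticate(self, vendor, password):  # step 1
        stored = VENDOR_CREDENTIALS.get(vendor)
        return stored is not None and hmac.compare_digest(stored, password)

    def issue(self, vendor, partner, now=None):  # steps 2-3
        if partner not in PARTNERS:
            raise KeyError("unknown partner")
        token = secrets.token_urlsafe(32)  # opaque, unguessable
        now = time.time() if now is None else now
        self._tokens[token] = (vendor, partner, now + TOKEN_TTL_SECONDS)
        return PARTNERS[partner], token

    def check_back(self, token, partner, now=None):  # step 5
        """Return the vendor the token was issued to, or None. Single use."""
        record = self._tokens.pop(token, None)  # consumed whatever the outcome
        if record is None:
            return None
        vendor, bound_partner, expiry = record
        now = time.time() if now is None else now
        if bound_partner != partner or now > expiry:
            return None
        return vendor


def legacy_partner_request(portal, partner, token, now=None):  # steps 4-6
    """What the partner's legacy system does before serving an inventory query."""
    vendor = portal.check_back(token, partner, now)
    if vendor is None:
        return "rejected"
    return f"inventory for {vendor}"
```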


The challenge

- How secure is the iSeries 400?
- What could these new users do?
- Project was critical to new corporate initiatives – it had to work
- The only people with knowledge of how the legacy application worked were also the portal provider


The investigation / audit process


Methodology

- Interview
- Compliance audit
- Event auditing
- Exit point checking
- Being inquisitive


Interviews

Who:

- Power users
- Help desk
- Operations personnel
- Security officer
- Auditors
- Application owners
- Application developers


Compliance audit

- System values
- Network attributes
- Profile parameters
- Library contents
- Authorities
- OSRs


Event auditing

Extract security events from OS audit logs:

- Profile changes
- Program adopts
- Authority failures
- Ownership changes
- Signon errors
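An added example (not from the presentation) of turning an audit-log extract covering the five event kinds listed above into the kind of short daily report the conclusion slides ask for. The CSV shape, the sample records and the threshold are constructed; the two-letter entry type codes are the IBM i audit journal types as I recall them, and that mapping is an assumption.

```python
import csv
import io
from collections import Counter

# Constructed sample extract: timestamp, entry type, user, object.
# Entry type codes assumed: AF authority failure, CP profile change,
# OW ownership change, PW signon/password failure, PA program adopt.
SAMPLE_EXTRACT = """\
2003-05-12T08:01:10,PW,VENDOR7,QSYS/QSIGNON
2003-05-12T08:01:14,PW,VENDOR7,QSYS/QSIGNON
2003-05-12T08:01:19,PW,VENDOR7,QSYS/QSIGNON
2003-05-12T08:01:23,PW,VENDOR7,QSYS/QSIGNON
2003-05-12T09:15:02,AF,HELPDESK1,INVLIB/ITEMMAST
2003-05-12T09:15:05,AF,HELPDESK1,INVLIB/ITEMMAST
2003-05-12T10:40:00,CP,QSECOFR,QSYS/HELPDESK1
2003-05-12T11:02:33,OW,DEV02,INVLIB/PRICEUPD
2003-05-12T11:03:10,PA,DEV02,INVLIB/PRICEUPD
2003-05-12T12:00:00,AF,VENDOR3,INVLIB/ORDERS
"""

CATEGORY = {"CP": "profile change", "PA": "program adopt",
            "AF": "authority failure", "OW": "ownership change",
            "PW": "signon error"}
SIGNON_ERROR_THRESHOLD = 3   # repeated failures from one user earn a line
PRIVILEGED = {"QSECOFR"}     # the slides flag QSECOFR being used too regularly


def parse_extract(text):
    """Yield (timestamp, category, user, obj) for the known entry types only."""
    for ts, code, user, obj in csv.reader(io.StringIO(text)):
        if code in CATEGORY:
            yield ts, CATEGORY[code], user, obj


def daily_report(text):
    """Collapse a day's extract into totals plus a few lines worth reading."""
    counts = Counter()
    signon_failures = Counter()
    notable = []
    for ts, category, user, obj in parse_extract(text):
        counts[category] += 1
        if category == "signon error":
            signon_failures[user] += 1
        elif category in ("ownership change", "program adopt") or user in PRIVILEGED:
            notable.append(f"{ts} {category} by {user} on {obj}")
    for user, n in signon_failures.items():
        if n >= SIGNON_ERROR_THRESHOLD:
            notable.append(f"{n} signon errors for {user}")
    return {"totals": dict(counts), "notable": notable}
```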


Exit point checking

Monitor requests through the security exit points:

- ODBC
- Remote commands and programs
- FTP
- TELNET
- SQL
- File transfers



Findings

- Back-door to command line
- Help desk with “all object” authority
- System auditing was not in use
- System values were not enforcing corporate policies
- Exit points not being used


Findings ctd.

- 38 versions of application libraries
- Object authorities allowed *ALL users
- Software developers controlled the promotion / introduction of live changes
- Help desk confirmed who a “user” was on the phone by checking caller ID


Profiles

Wide variety of abuses found:

- Old profiles (70 never signed on)
- Too much authority
- Non-expiring passwords (many users!)
- “Package profiles” with default passwords
- Generic profiles
- Signon password stored in application client
- QSECOFR used too regularly


Recommendations


Recommendations: general comments

- Best practices – ISO 17799, GSD 331
- Use a security management tool to simplify administration of the enhanced security
- Appoint an application “owner”


Recommendations: profiles

- RBAC – Role Based Access Control
- Developer to recommend good authority structure
- Strict profile deletion procedures


Recommendations: libraries

Reduce number of libraries:

- To free up space
- Less likely to be copies of live data; security will be easier to manage
- It is less likely that a “rogue” program exists
- It is sometimes difficult to identify the correct version of an object or source


Recommendations: others

- Strict change control procedures
- Check for security events daily
- Interface some OS/400 events into their existing Intrusion Detection System
- Help desk users should be given a menu with the necessary commands on it
- Reference the security policy & warnings on signon screen


Recommendations: portal project

- Insist upon a very strict agreement about partners’ profiles
- Special password structures
- Terminal based authentication
- Monitor requests through the exit points (phase 2 of the project would introduce the control of these requests)


Conclusion

Whether your partners connect to your legacy applications or not – get your house in order:

- Secure your data
- Control access
- Audit the security events
- Monitor the unusual and critical aspects of your systems
- Ensure reports are small enough to be useful


Conclusion ctd.

- Have a usable, OS specific, security policy
- Keep the policy current
- Educate your users
- Be wary of the implications of your actions
- Don’t assume – CHECK!


For more information contact SafeStone:

Visit our web page: www.safestone.com

Contact us via e-mail: [email protected]

Contact me via e-mail: [email protected]