Vanguard Two Factor Authentication Solutions...VANGUARD SECURITY & COMPLIANCE 2016 Source: Information is Beautiful - World's Biggest Data Breaches Why Utilize Two Factor "A year ago,

SECURITY & COMPLIANCE CONFERENCE 2016

Vanguard Two Factor

Authentication Solutions

Dustin Hayes

Professional Services Consultant

VSS07

VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited

license to view these materials for your organization’s internal purposes. Any unauthorized

reproduction, distribution, exhibition or use of these copyrighted materials is expressly

prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authentication

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University

©2016 Vanguard Integrity Professionals, Inc. 2


Legal Notice

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF

The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both: Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. LinOTP is a registered trademark of LSE Leading Security Experts GmbH. Linux is a registered trademark of Linus Torvalds in the United States, other countries or both. YubiKey is a registered trademark of Yubico AB. Other company, product, and service names may be trademarks or service marks of others.



Topics

• Why utilize Two Factor Authentication

• An Industry of Terms

• How Vanguard Addresses

– Vanguard ez/PIV Card Authenticator™

– Vanguard ez/Token™

– Vanguard Tokenless Authentication™

• Review


Source: Information is Beautiful - World's Biggest Data Breaches

Why Utilize Two Factor

"A year ago,

cybersecurity experts

were calling 2013 'the

year of the data breach'

only to find 2014 had far

worse in store"

Atlantic Council

"100% of breaches

examined included an

exploitation of a user id

and password that was

compromised."

Mandiant 2014 Data

Breach Report


Still not convinced?


- What can you find on the internet these days? After the recent IoT DDOS Attack Andrew McGill (senior

associate editor at The Atlantic) wanted to know more [2]

“[T]he internet is huge! There are around a couple billion public IPv4 addresses

out there; any one of those might have a server, a desktop computer, or a

toaster plugged in at the other end. Even if the manufacturer of my gadget gave

it a dumb and easily guessed password, wouldn’t it be safe in this sea of

anonymity? How would the hackers find me?”

So he created a test using a “fake web toaster” Question: How Long after he turned on his internet toaster until the

attempts at hacking started?

“I switched on the server at 1:12 p.m. Wednesday, fully expecting to wait days—or

weeks—to see a hack attempt. Wrong! The first one came at 1:53 p.m. The next hacking

attempt, from a different IP address and using different login credentials,

came at 2:07 p.m. Another came at 2:10. And then 2:40. And 2:48. … more than 300

different IP addresses … by 11:59 p.m.”

- “In 2010 the Electronic Frontier Foundation conducted a scan to

gather data on the use of encryption [SSL/TLS on the internet].

The process took two to three months…” [3]

- “In 2013 a team of researchers at the University of Michigan

believed they could do better… announced ZMap… a tool that

allows an ordinary server to scan every address on the Internet in

just 44 minutes.” [3]

- Its now 2016 and the current documentation for ZMap states that

“With a single machine and a well provisioned network uplink,

ZMap is capable of performing a complete scan of the IPv4

address space in under 5 minutes” [4]

- If you don’t feel like, or are not comfortable in Linux. Its also the

time of ‘big data’ so someone else is running this and you can just

query the results

What can you find on the internet?

[4]

[5]

"first they ignore you, then they threaten to sue you, then they deny the vulnerability,

then you p0wn them” [6]

[7]

What Can you find Anything … if you want to spend the time looking


Sources for the last slide

• [0] World’s Biggest Data Breaches – http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

• [1] “The Inevitability of Being Hacked” By Andrew McGill

– http://www.theatlantic.com/author/andrew-mcgill/

• [2] “Here’s what you find when you scan the entire Internet in an hour” By Timothy B Lee – https://www.washingtonpost.com/news/the-switch/wp/2013/08/18/heres-what-you-find-when-you-scan-the-entire-

internet-in-an-hour/

• [3] ZMap

– https://zmap.io/

• [4] Metasploit Framework for z/OS® FTP Exploitation – https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/mainframe/ftp/ftp_jcl_creds.rb

• [5] Script to enumerate TSO UserID

– https://github.com/zedsec390/NMAP/blob/master/tso-enum.nse

• [6] International Journal of PoC||GTFO – https://www.alchemistowl.org/pocorgtfo/

• [7] JCL Adventure with Network Job Entries

By Soldier of Fortran – https://www.alchemistowl.org/pocorgtfo/pocorgtfo12.pdf (Topic 6, PDF Page32)



When I say "Two-Factor" I mean;

• Multifactor Authentication • Knowledge Factors - User KNOWS

• Possession Factors - User HAS

• Inherence Factors - User IS

• Two-Factor Authentication • A combination of two DIFFERENT factors above

An Industry of Terms


An Industry of Terms

I am not referring to;

• Two-Step Verification • A type of Multi-Factor, involves two subsequent but

dependent checks

• BOTH checks can be from the same factor

• Strong Authentication • More of a "Generic Term", with multiple meanings

depending on context of use

• Is this a "Strong Authentication"?

[!_Ðust1nP@$$w*rdIsL0ng]


• Two-Factor Authentication Solutions

• Vanguard ez/PIV Card Authenticator

• Vanguard ez/Token

• Vanguard Tokenless Authentication

How Vanguard Can Help - Overview


Smart Card Strength using your existing infrastructure and investment

Real-time verification of Card (Account) Status,

including centralized account de-provisioning

The Justification

Achieve NIST FIPS 201 Regulatory Requirements

Key Feature Delivers Smart Card

authentication capabilities to

z/OS, without requirement for

direct TCP/IP connectivity to

your mainframe.

Benefit from centralized

account management

including de-provisioning for

lost, stolen, or terminated

cards

PIV Cards

CAC Cards

JAVA® Cards/SmartCards

Out of Band Deployment Options, with simple

"end user self-registration"

Selectively determine which users and/or

applications require Smart Card Authentication

Vanguard ez/PIV Card Authenticator


PIV Validation Occurs and a RACF® PIV Pass is generated.

Vanguard ez/PIV Card Authenticator – Validation


Vanguard ez/PIV Card Authenticator -

Configuration

• Key Configuration Parameters

– PIVREG Value: $PIVCARD (New Class)

– Controlling Profile: PIVCARD.ENABLE

– Class Defined by: PIV_AUTH_CLASS

– Excluding STCs: PIV_EXCL_JNAME

– Including STCs: PIV_INCL_JNAME

• Key Auditing Parameters

– Successful: PIVCARD.SUCCESSFUL.LOGON

– Failure: PIVCARD.FAILED.LOGON

– Excluded (bypass): PIVCARD.EXCLUDED.LOGON

• Where: PDS Member:

– Your Defined Class

– HLQ.V221.VANOPTS(VIPTOKEN)


Manual Registration • PIV card PIN Validation

• Creates a unique signature based on PIV card Certificates for each z/OS user

• Designed for when direct network communication is not available to end-users

Signature can be sent to administrator of system for entry into user profile.

Or loaded manually into TSO or CICS® registration applications.

Vanguard ez/PIV Card Authenticator –

Manual Registration


• Requires RACF User id • PIV card PIN Validation • IP address of z/OS system • Creates a unique signature based on PIV card Certificates and automatically

enters the information into the RACF user profile correctly.


Semi-Auto Registration


Simple user interface User provides

• RACF ID

• RACF Password

• PIV Card Pin.


Generating PIV Pass


Vanguard ez/PIV Card Authenticator – Login

If Card /PIN is validated PivPass will be generated. Enter PIV Password in the Password field of z/OS enable logon such as; TSO, CICS, DB2®, IMS™, etc.


Standard PIV Validation

• PIN Validation

• Card Validation

• Certificate Validation

• FASC-N Validation

• OCSP Validation

All PIV Validation must pass from External PIV provider prior to Generating a PIVPass

Vanguard ez/PIV Card Authenticator – Validation


Eliminates the need for users to remember

passwords

Two-factor security solution that integrates RSA tokens and RACF for authentication

Key Features Authenticate through either

ActiveIdentity or RSA SecurID

token to logon to the

mainframe via TSO, CICS,

IMS™ or any other application

that utilizes RACF

authentication.

Perform new PIN and Next

Token Code operations through

a web interface.

Now with 2 new features

• Pre and Post exit

processing

• Aliasing processing in

RACF

Requires no changes to logon screens

Dynamically choose which users will be

authenticated with either ActiveIdentity, SafeSign,

RSA SecurID®, YubiKey®, OAUTH (HOTP/TOTP),

and/or native RACF

The Justification

Enables you to select which users will or will not

require a PIN number

Force users with elevated privileges to utilize two-

factor authentication

Vanguard ez/Token


Vanguard ez/Token - Overview


Vanguard ez/Token - Configuration


– Controlling Profile: SECUREID.ENABLE

– Class Defined by: SECURE_AUTH_CLASS

– Excluding STCs: SECURID_EXCL_JNAME

– Including STCs: SECURID_INCL_JNAME

– RACF PW Also: SECURID_REQUIRED_RACF_PSWD


– Successful: SECURID.SUCCESSFUL.LOGON

– Failure: SECURID.FAILED.LOGON

– Excluded (bypass): SECURID.EXCLUDED.LOGON





Vanguard ez/Token - Use Options

Standard Options:

<PIN><TOKENCODE> (Hard Token)

<PASSCODE> (Soft Token)

<TOKENCODE> (No PIN Required)

Require RACF Password:

<RACFPW><SEPERATOR><PIN><TOKENCODE>

<RACFPW><SEPERATOR><PASSCODE>

<RACFPW><SEPERATOR>< TOKENCODE >


Vanguard ez/Token - OAUTH/YubiKey

• Initiative for Open Authentication – OATH

http://www.openauthentication.org/

– HOTP - HMAC-Based One-Time Password Algorithm (RFC 4226)

Also known as EOTP - Event-based One-time Password Algorithm

– TOTP – Time-based One-time Password Algorithm (RFC 6238)

• YubiKey Cloud (or Onsite) Authentication

• Provided though LinOTP Linux Server – By LSE

– Open Source Edition is Free

– Enterprise Subscriptions Available

https://lsexperts.de


Vanguard ez/Token - Overview OAUTH/YubiKey


Vanguard ez/Token - OAUTH/YubiKey Examples

• All OAUTH methods require both RACF Password AND OTP Code

• Utilizes the Passphrase Interfaces to simplify end user use

– But still authenticates using the RACF Password

• Examples of Authentication String

RACF Password

6-8 Characters

OTP Code

6 Characters

My12R@CF844622

RACF Password

6-8 Characters YubiKey Code

44 Characters

My12R@CFcccccceiicnhlklknihnieihjejctenfevkbidbbbfnf

• OATH

• YubiKey


Vanguard ez/Token - LinOTP Configuration


– Controlling Profile: EZTOKEN.LINOTP

– Class Defined by: LINOTP_AUTH_CLASS

– Excluding STCs: LINOTP_EXCL_JNAME

– Including STCs: LINOTP_INCL_JNAME


– Successful: LINOTP.SUCCESSFUL.LOGON

– Failure: LINOTP.FAILED.LOGON

– Excluded (bypass): LINOTP.EXCLUDED.LOGON





Vanguard ez/Token - OAUTH Supported Tokens

• Just some of your options

• More? ...Just contact us and let us know what do you have today


Most cost-effective and convenient way to add a

higher level of security to corporate networks and

data

Strength and security of two-factor authentication without the physical token

Key Feature Delivers strong authentication

capabilities by generating and

sending a one-time, one-use,

time sensitive passcode to a

communication device that a

user already possesses: user’s

cell phone, PDA, Blackberry

and more.

No need to deploy and administer expensive

physical tokens

Generates a one-time, one-use password to a

“virtual token,” the user’s cell phone, each time a

sign on is attempted

The Justification

Cryptographically generated passcodes that

expire within a short specified period of time

Vanguard Tokenless Authentication


Vanguard Tokenless Authentication –

Configuration


– Configuration Profile: EZTOKEN.SECUREID (Grouping)

– Controlling Profile: EZTOKEN.SECUREID (Member)

– SSIGNON Value: VTTFA in Class(PTKTDATA)


– Your Defined Member/Grouping Class



Vanguard Tokenless Authentication – Overview



Administration

Simple Web Based Admin Interface

• Setup users to use Vanguard Tokenless Authentication

• Change Tokenless Type (Password + Token or Token Only)

• Change Deliver Address (Cell Phone / E-Mail)



Use (E-Mail/SMS)

• Enter UserID

• Enter Password

• Receive E-Mail/SMS

• Enter Tokenless

Code



Use Vanguard PasswordReset™ (Multi Factor Authentication)

• Open Website

• Click [Send Token]

• Enter RACF User & Password

• Answer Vanguard PasswordReset Questions

• Receive Tokenless Code to use as Password on device



Use Vanguard PasswordReset (Two Step Authentication)

• Open Website

• Click [Get Token]

• Enter RACF User & Password

• Answer Vanguard PasswordReset Questions

• Receive Tokenless Code to use as Password


How Vanguard Can Help - Demo

Live Demo


Two-Factor Authentication Solutions

• Vanguard ez/PIV Card Authenticator

• Smart Cards, CAC Cards, PIV Cards

• Vanguard ez/Token

• RSA, ActivIdentity, SafeSign, OAUTH (TOTP/HOTP),

YubiKey, more coming soon…

• Vanguard Tokenless Authentication

• No existing enterprise solution currently exists

How Vanguard Can Help - Review


Questions

Documents

Vanguard Two Factor Authentication Solutions...VANGUARD SECURITY & COMPLIANCE 2016 Source: Information is Beautiful - World's Biggest Data Breaches Why Utilize Two Factor "A year ago,