Castle Walls Under Digital Siege: Risk-based Security and z/OS
Kevin Segreti, Union Bank of California
Jeff Cherrington, CA Technologies (@jcherrington)
Mainframe
MFT09S
#CAWorld
2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Abstract
The mainframe remains the most securable platform in the data center. However, like those of medieval castles, its walls are no longer impregnable. Learn how applying risk-based security to z/OS helps you anticipate attacks and compromises before they occur, so you can strengthen the walls protecting your mission-critical data.
Kevin Segreti, Union Bank of California, Assistant Vice President
Jeff Cherrington, CA Technologies, Sr. Director, Mainframe Security
Agenda
1. WHAT DO CASTLES HAVE TO DO WITH THE MAINFRAME?
2. ARMS RACE – CIRCA THE MIDDLE AGES
3. SAPPERS AND SOCIAL ENGINEERING
4. WHY THE NORDEA HACK IS THE MAINFRAME GUNPOWDER
5. PROTECTING YOUR CASTLE – A RISK-BASED APPROACH
6. QUESTION & ANSWER
How History Bears on Protecting the Mainframe Today
“Those who cannot remember the past are doomed to repeat it.”
George Santayana
“A smart [person] learns from their own mistakes; a wise [person] learns from the mistakes of others.”
Anonymous
“Only a fool learns from his own mistakes. The wise [person] learns from the mistakes of others.”
Paraphrased from Otto von Bismarck
Comparing Castles and Mainframes
Purpose: Accumulation of Wealth
Castle: Centralized repository for the most valuable assets of the day
Mainframe: Centralized repository of the critical assets that define an enterprise’s value

Purpose: Administration
Castle: Focal point for information aggregation, focus for analysis of gathered intelligence for decision making
Mainframe: Focal point for information aggregation, focus for analysis of gathered intelligence for decision making

Purpose: Protection
Castle: Progressively more sophisticated architecture protecting against progressively more sophisticated attacks
Mainframe: Progressively more sophisticated architecture protecting against progressively more sophisticated attacks
What Can the History of Castle Technology Tell Us About Managing the Mainframe
The arms race did not originate in the 20th century.
Castle fortifications, and the counters attackers developed to overcome them, mirror the last 50 years of the mainframe in many ways.
Learning from that history offers direction for the future of the mainframe.
The Beginning – Walls and a Single Gate…
Earliest Mainframe: Isolated in the glass house with physical access control
Earliest Castles: Forts – a single wall with a guarded gate
© International Business Machines Corporation (IBM)
Some Direct Correlations
Mainframe: CA ACF2 and, later, IBM RACF and CA Top Secret set the standard for “gate-keeping” of electronic resources.
Castles: Still required entry and exit of people, requiring guards at the gates.
Earliest Attacks – Bluntest of Forces
Mainframe: Forcing entry onto the network gave access to the console.
Castles: Rams battered the gates and, once down, the castle was open.
Escalation – Higher, Thicker Walls Lead to More Sophisticated Engineering of Attacks
Castle builders reinforced gates, heightened and thickened walls…
Attackers devised more sophisticated means of brute force
What’s a Sapper?
Direct brute force was not the only or, sometimes, even the most effective means for opening a breach in the castle wall.
Soldiers – miners, really – called “sappers” tunneled beneath the walls to weaken their foundations.
Social Engineers are Mainframe “Sappers”
The precise mechanics of large-scale breaches seldom come fully to light, nor quickly.
Still, some report or speculate that social engineering to obtain credentials lies at the root of recent major breaches.
Data Source: informationisbeautiful.net
Social Engineers Tunnel Underneath Mainframe Protections
Mainframe external security managers offer no greater protection against social engineering than other IAMs.
Once a privileged account is compromised, the foundation of all protections is destroyed.
Some Direct Correlations
Mainframe: As connectivity increased, we surrounded the mainframe with firewalls.
Castles: Once walls alone were not enough, moats were added.
[Figure: Stateful Packet Inspection Firewall. A computer on the home network requests a web page from the Internet. The firewall delivers traffic that was requested by a computer on the home network and drops traffic that was not.]
Gunpowder Changed Everything
The advent of gunpowder reduced the cost of attack, while increasing its efficiency
Even the mightiest castle could no longer be considered impregnable
How the Nordea Hack is the Mainframe’s Gunpowder
Even the mightiest castle could no longer be considered impregnable…
Pirate Bay co-founder Gottfrid Svartholm Warg was charged with hacking the IBM mainframe of Logica, a Swedish IT firm that provided tax services to the Swedish government, and the IBM mainframe of the Swedish Nordea bank, the Swedish public prosecutor said.
"This is the biggest investigation into data intrusion ever performed in Sweden," said public prosecutor Henrik Olin.
Besides Svartholm Warg, the prosecution charged three other Swedish citizens.
What Do These People Have in Common?
Protection of Mainframe Assets Must Be a Risk-based Approach
Matching Tools To Threats
Threat of data breach – data-centric protection supplementing user and resource management
Threat of network attack – increased perimeter defenses and more frequent penetration testing
Threat of compromised privileged user accounts
– Event-driven alerts for sensitive transactions
– Frequent, automated analysis of user activity
– Additional authentication factors
Protecting Castles’ Contents Changed
Focus shifted from solely keeping attackers out to identifying attackers before they arrived.
Identifying attacks before they occur required new strategies, techniques, and tools…
Recommended Sessions
SESSION # | TITLE | DATE/TIME
Tech Talk | Isn’t one authentication mechanism on z Systems™ enough? | 11/18 – 4:30pm, Mainframe Content Center
Mainframe Theater | Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? | 11/18 – 3:45pm, Mainframe Theater
Tech Talk | The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe | 11/19 – 12:15pm, Mainframe Content Center
MFX26S | How to Increase User Accountability by Eliminating the Default User in Unix System Services | 11/19 – 1:00pm, Breakers I
MFX47S | Top 10 things you should NOT forget when evaluating your security implementation | 11/19 – 2:00pm, Breakers I
Follow Conversations in the Mainframe Content Center
CA Data Content Discovery
CA ACF2 ™ for z/OS
CA Top Secret® for z/OS
CA Cleanup
CA Auditor
Product X
Theater # location
Advanced Authentication – Nov 18th @ 4:30pm
The Known Unknown – Nov 19th @ 12:15pm
Q & A
For Informational Purposes Only
Terms of this Presentation
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA
World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer
references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights
and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software
product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current
information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The
development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in
this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such
release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis.
The information in this presentation is not deemed to be incorporated into any contract.
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15