This is one of the three presentations I provided at COMMON 2009 in Reno, NV
Getting Started On The Road To Compliance
IBM i Security
Today's Speaker
Robin Tatam - MSI AS/400 Security Specialist
[email protected] | (515) 246-4111
http://www.linkedin.com/in/robintatam
Agenda
The Showroom - Which Options Did We Get?
Park - Where You Don’t Want To Be
1st Gear - Finding The On Ramp
2nd Gear - Utilize What You Already Have In i And i5/OS
3rd Gear - Network Data and System Access
4th Gear - New Options with IBM i V6R1
5th Gear - Other Considerations And Options
6th Gear - Ongoing Monitoring & Compliance
Which Options Did We Get?
Included in Base Model
User Profile Management
Resource Level Security
Exit Program Ready
Anti-Virus Ready
Encryption
Event Auditing
Intrusion Detection System
D.o.D. Certification (C2)
Which Options Did We Get?
Popular Option Packages
Exit Programs
Anti-Virus
Audit Reporting
Event Monitoring
Compliance Monitoring
You can (and many do!) run without them, but you are a lot safer with them …
In Park
A Big Gamble
Your users have the virtual “keys” to your corporate data.
Do you trust them not to even try to “drive” it?
Would you bet your ENTIRE business (or career) on it?
Hacking For Dummies?
“Security by Obscurity” is no longer a good option …
Of course, was it ever?
ACT NOW …
“It’s time to take ownership of your data, and your servers, and see that security is not an option, but rather a cost of doing business. You should be investing in PROTECTING the very ENGINE that your business relies upon.”
… And Avoid Getting Burned !!
The State of Security 2008
Source: State of iSeries Security 2008
PowerTech uses anonymous Audit Data from their Compliance Assessment tool to compile an Annual Study of Security Statistics
This study — available online — provides a picture of what System i shops are currently doing with their security controls.
And year after year it shows that there is definitely still room (and need) for improvement!
The study sample consists of security-aware environments
The State of Security 2008
Source: State of iSeries Security 2008
This may be more indicative of IBM’s change to the shipped default than of any conscious planning by the customer.
The State of Security 2008
Resource security is the only true way to secure your data from ALL access methods.
Unfortunately, it can also be daunting to the untrained user, as well as somewhat inflexible, so, as you can see, many people do not change the default of *CHANGE.
Source: State of iSeries Security 2008
The State of Security 2008
Special Authorities are called “Special” for a reason
The State of Security 2008
These problems are not the fault of the ‘end’ user
The State of Security 2008
Of the 70%, very few organizations use automated reporting tools or, in my experience, are auditing enough events.
Don’t Head Down Exposure Road
For 231,000,000 more reasons to turn around, check out http://www.privacyrights.org
1st Gear — Finding The On Ramp
Porsche Cayman S
Document Your Starting Point
Understanding your server’s configuration weaknesses helps define the road ahead, as well as providing a rear-view mirror on your progress.
Develop Your Security Policy
A Security Policy has two main purposes:
i. Define the standards against which to measure your server compliance
ii. Provide users with operating policy and procedure
Ensure that part ii of the Security Policy is agreed to by the users, via a signed agreement (with annual ‘refreshers’) and a legal usage statement on a 5250 sign on screen.
The construction of the Policy is something that should be done outside of I.T. with executive sponsors — you don’t want I.T. creating policy.
It is the job of the Security Officer to interpret those directives into the settings specific to each server platform.
If you are not sure where or how to start, check out the Open Source Security Policy published by PowerTech (and included in the MSI Security and Compliance guide), or allow us to help you create one from scratch.
2nd Gear - Base i5/OS
Ferrari 599
User Profiles
A profile/password is the biggest hurdle you can put between a person and your data — so make it count!
Don’t think that “my users could not / would not (know how to) do that”: you already handed them a valid log-in.
Ensure that profiles are created following a process (and deleted the same way).
Use default templates, but NEVER default passwords!
User Profiles (cont’d)
Audit ‘powerful’ profiles (those users with command line capabilities and/or special authority).
Do NOT give *ALLOBJ to a programmer (no matter how much they cry!).
Do NOT make Help Desk users security officers just to reset passwords etc.
System Values
System values are the main properties used to control the way that your system operates, as well as protects itself.
There is a category for security-related values (*SEC).
Understand each system value, and its effect, before setting it. If you need to differ from best practices, then document the reason in your security policy.
System Values (cont’d)
Have a mechanism to check your current values against their expected value. 3rd party tools do this best, but you can manually print and compare.
Audit for changes to the system values (audit journal code ‘SV’).
After V5R2, you can (and should) ‘lock’ down security system values in SST.
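An added CL example (not from the presentation) of the “check current values against expected” mechanism: a small program that retrieves a few security system values with RTVSYSVAL, flags those that differ from the policy, and prints the SV audit entries so you can see who changed what. The expected values are assumed policy settings, and DSPAUDJRNE needs auditing to already be active.

```cl
/* CHKSECVAL: compare security system values against the values     */
/* recorded in the security policy. The policy values used here are  */
/* assumptions for illustration; take yours from your own policy.    */
PGM
   DCL VAR(&QSECURITY)  TYPE(*CHAR) LEN(2)
   DCL VAR(&QLMTSECOFR) TYPE(*CHAR) LEN(1)
   DCL VAR(&QDSPSGNINF) TYPE(*CHAR) LEN(1)
   DCL VAR(&FAILED)     TYPE(*LGL)  VALUE('0')

   RTVSYSVAL SYSVAL(QSECURITY)  RTNVAR(&QSECURITY)
   RTVSYSVAL SYSVAL(QLMTSECOFR) RTNVAR(&QLMTSECOFR)
   RTVSYSVAL SYSVAL(QDSPSGNINF) RTNVAR(&QDSPSGNINF)

   /* Policy: security level 40 or 50 */
   IF COND(&QSECURITY *LT '40') THEN(DO)
      SNDPGMMSG MSG('QSECURITY is' *BCAT &QSECURITY *BCAT +
                    '- policy requires 40 or higher') MSGTYPE(*DIAG)
      CHGVAR VAR(&FAILED) VALUE('1')
   ENDDO
   /* Policy: *ALLOBJ/*SERVICE users limited to explicitly authorized devices */
   IF COND(&QLMTSECOFR *NE '1') THEN(DO)
      SNDPGMMSG MSG('QLMTSECOFR is' *BCAT &QLMTSECOFR *BCAT +
                    '- policy requires 1') MSGTYPE(*DIAG)
      CHGVAR VAR(&FAILED) VALUE('1')
   ENDDO
   /* Policy: show previous sign-on info so users notice misuse of their profile */
   IF COND(&QDSPSGNINF *NE '1') THEN(DO)
      SNDPGMMSG MSG('QDSPSGNINF is' *BCAT &QDSPSGNINF *BCAT +
                    '- policy requires 1') MSGTYPE(*DIAG)
      CHGVAR VAR(&FAILED) VALUE('1')
   ENDDO

   /* Who changed a system value? Print the SV entries (journal code */
   /* SV, as on the slide) from the current audit journal receiver.   */
   DSPAUDJRNE ENTTYP(SV) OUTPUT(*PRINT)

   /* End with an escape message so a scheduled run shows up as failed */
   IF COND(&FAILED) THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
      MSGDTA('System values differ from the security policy') +
      MSGTYPE(*ESCAPE))
ENDPGM
```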
Resource Security
Obtain a copy of the Authority Progression Algorithm (in the IBM security book, or send me an email).
Object-level protection works regardless of interface.
Use the theory of least access, not the opposite.
Never make object owners a real user profile or group profile, and don’t have IBM profiles (or your programmers) own objects.
Secure libraries as the first line of defense (*USE on a library still permits object deletion).
Resource Security (cont’d)
Secure objects if library security is not granular enough.
Consider adopted authority as an access technique.
Use authorization lists to simplify the task if there are many objects.
Audit access to critical objects (and authority failures).
Monitor for users downloading data, modifying it and copying it back.
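The library-first approach from these two slides as an added CL example (not from the presentation): secure the library, then the objects, through one authorization list, give them a non-signon owner, audit the critical file, and use adopted authority for the program that updates it. PAYLIB, PAYMAST, PAYUPD, PAYAUTL, PAYGRP and PAYOWNER are constructed names.

```cl
/* 1. Library first: *PUBLIC gets nothing, access comes only through  */
/*    an authorization list (public authority on the list is *EXCLUDE) */
CRTAUTL AUTL(PAYAUTL) TEXT('Access to payroll data') AUT(*EXCLUDE)
ADDAUTLE AUTL(PAYAUTL) USER(PAYGRP) AUT(*USE)
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) AUTL(PAYAUTL)
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*AUTL)

/* 2. *USE on the library still lets a user with authority to an      */
/*    object delete it, so secure the objects too. Same list, so one  */
/*    ADDAUTLE/RMVAUTLE later changes access to everything at once.   */
GRTOBJAUT OBJ(PAYLIB/*ALL) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT OBJ(PAYLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 3. The owner is a dedicated profile that cannot sign on: not a real */
/*    user, not a group, not a programmer, not an IBM-supplied profile */
CRTUSRPRF USRPRF(PAYOWNER) PASSWORD(*NONE) STATUS(*DISABLED) +
          SPCAUT(*NONE) TEXT('Owner of payroll objects')
CHGOBJOWN OBJ(PAYLIB) OBJTYPE(*LIB) NEWOWN(PAYOWNER)
CHGOBJOWN OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) NEWOWN(PAYOWNER)

/* 4. Audit every access to the critical file (requires QAUDCTL to   */
/*    include *OBJAUD); authority failures are covered by *AUTFAIL   */
CHGOBJAUD OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) OBJAUD(*ALL)

/* 5. Adopted authority: the update program runs with its owner's    */
/*    authority, so users on the list need *USE on the program but   */
/*    no direct authority to PAYMAST at all (PAYUPD is assumed to exist) */
CHGPGM PGM(PAYLIB/PAYUPD) USRPRF(*OWNER)
CHGOBJOWN OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) NEWOWN(PAYOWNER)
GRTOBJAUT OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) AUTL(PAYAUTL)
```

PRTPGMADP (mentioned later in the deck) is the way to keep an inventory of programs set up as in step 5.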
Action Auditing
Use CHGSECAUD to perform all necessary setup tasks.
Auditing uses an audit journal (QAUDJRN) object.
System values control which events are audited:
QAUDCTL - On/Off switch
QAUDLVL (and QAUDLVL2) - Controls what actions to audit
Create a separate library for audit data (stored in journal receivers) for easy securing and save/purge.
Action Auditing (cont’d)
Journal maintenance is manual.
Maintain a single profile with authority to change auditing options.
3rd parties enable push alerting and even do your monitoring.
Set a policy for data retention (short term & long term) for the audit journal data (defer to auditors or legal dept).
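The auditing setup from these two slides as an added CL example (not from the presentation). AUDLIB and AUDADMIN are constructed names, the QAUDLVL list is an assumed starting set, and the system-managed receiver switch in the CHGJRN step is an option, not something the slides require.

```cl
/* Separate library for the audit receivers: secured, saved and   */
/* purged independently of everything else                         */
CRTLIB LIB(AUDLIB) TEXT('Audit journal receivers') AUT(*EXCLUDE)

/* One-step setup: creates QSYS/QAUDJRN if it does not exist,      */
/* creates and attaches the receiver, and sets QAUDCTL and QAUDLVL */
/* (if the list outgrows QAUDLVL, put *AUDLVL2 there and continue  */
/* the list in QAUDLVL2)                                           */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD) +
          QAUDLVL(*AUTFAIL *SECURITY *CREATE *DELETE *SAVRST +
                  *SERVICE *PGMADP) +
          JRNRCV(AUDLIB/AUDRCV0001)

/* Receivers fill up. Let the system attach a new one when the     */
/* threshold is reached, but never delete old ones automatically:  */
/* the retention policy, not the system, decides when data goes.   */
CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*SAME) MNGRCV(*SYSTEM) DLTRCV(*NO)

/* One profile for changing auditing options: *AUDIT special       */
/* authority is what CHGSECAUD, CHGOBJAUD and CHGUSRAUD require.   */
/* No password: it is reached by profile switching, not sign-on.   */
CRTUSRPRF USRPRF(AUDADMIN) PASSWORD(*NONE) SPCAUT(*AUDIT) +
          TEXT('Changes auditing options only')

/* Verify the result */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)
```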
3rd Gear - Network Data and System Access
KTM X-BOW
How Does The Network Affect Me?
Don’t worry … simply plug your server in and it protects your data 100% from any Network Access
How Does The Network Affect Me?
As long as your ‘network’ only has these …
How Does The Network Affect Me?
This is likely to be your single biggest threat — trust me when I say “Fix it NOW”
Resource Security controls WILL protect you regardless of the interface, BUT it has to be implemented properly and does not have flexibility to vary the authority based on the interface being used: it’s ‘One Size Fits All’
Activities that come through the TCP servers are NOT audited — you cannot tell who is downloading (or uploading), running SQL statements, or even executing remote commands
Some servers allow command functions and IGNORE a profile’s 5250 command line restriction
For everyone else …
How Does The Network Affect Me?
IBM wrote ‘hooks’ into i5/OS (called Exit Points) but leaves the functionality (accept/reject/audit) of the Exit Programs to your own programmers. Not ALL services are covered (e.g. HTTP).
There are over 30 exit points that deal with network access
Exit programs are not difficult to write, but the recommended way to go is to purchase a commercial application for tested technology, broader functionality and rapid deployment
Oh, did I mention “Fix it NOW”?
A System With Menus & Application Security
An Exit Program Protected System
4th Gear — New Options with IBM i V6R1
Bugatti Veyron
Introducing IBM i V6R1
QPWDRULES - New system value to define password syntax
If anything other than *NONE, define password rules and replace the QPWDxxx system values:
Require special character
Require mixed case
Prevent all-numeric password
Require x number of digits
Require x number of letters
Require x number of special characters
Introducing IBM i V6R1
QPWDCHGBLK - New system value to block password changes after a successful password change
Prevent change of password for x hours: *NONE, or 1 to 99 hours
Password change block not in effect if PWDEXP(*YES) has been specified by the system administrator.
PWDCHGBLK parm also added to the user profile
Introducing IBM i V6R1
QPWDEXPWRN — Set password expiration warning interval
Warn user of expiring password: 7 is the default; 1 to 99 days
QLMTDEVSSN — Limit Device Session
Restrict users to active device sessions:
0 = Do not limit (existing value)
1 = Limit user to one session (existing value)
2 to 9 = Limit users to x number of sessions (NEW)
LMTDEVSSN user profile parm also extended with this support
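The four V6R1 system values from these slides as one added CL example (not from the presentation). The rule set and the numbers are assumed policy choices, OPRCONS is a constructed profile name, and QPWDRULES only applies when a password is next changed.

```cl
/* QPWDRULES: one value replaces the individual QPWDxxx syntax values. */
/* Each rule maps to a bullet on the slide:                            */
/*   *SPCCHRMIN1  at least one special character                        */
/*   *MIXCASE1    at least one upper- and one lower-case letter          */
/*   *LTRMIN1     at least one letter, so an all-numeric password fails  */
/*   *DGTMIN1     at least one digit                                     */
/*   *MINLEN8 / *MAXLEN10  length limits, because QPWDMINLEN and         */
/*                QPWDMAXLEN are ignored once rules are in effect        */
/*   *LMTPRFNAME  the password may not contain the profile name          */
/*   *ALLCRTCHG   rules also apply to passwords set via CRTUSRPRF/CHGUSRPRF */
CHGSYSVAL SYSVAL(QPWDRULES) VALUE('*SPCCHRMIN1 *MIXCASE1 *LTRMIN1 +
          *DGTMIN1 *MINLEN8 *MAXLEN10 *LMTPRFNAME *ALLCRTCHG')

/* QPWDCHGBLK: no second change within 24 hours of a successful one, */
/* which stops a user cycling straight back to an old password.      */
/* Not enforced when the administrator sets PWDEXP(*YES).            */
CHGSYSVAL SYSVAL(QPWDCHGBLK) VALUE('24')

/* QPWDEXPWRN: warn 14 days before expiry instead of the default 7 */
CHGSYSVAL SYSVAL(QPWDEXPWRN) VALUE('14')

/* QLMTDEVSSN: at most two concurrent device sessions per user  */
/* (0 = no limit, 1 = one session, 2 to 9 are new in V6R1)      */
CHGSYSVAL SYSVAL(QLMTDEVSSN) VALUE('2')

/* The per-profile parameters default to *SYSVAL. An exception for  */
/* one profile (here an operator console) is made explicitly:       */
CHGUSRPRF USRPRF(OPRCONS) LMTDEVSSN(*NO) PWDCHGBLK(*SYSVAL)
```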
5th Gear — Other Options
Koenigsegg CCX
Anti-Virus
Firstly, let’s define a “virus” …
Native objects are “immune” to traditional virus attacks.
IFS objects are just as vulnerable as any PC server or desktop, so if you use NetServer (Network Neighborhood), Lotus Domino, WebSphere etc. then consider AV carefully, as it is required by most standards (e.g. PCI).
IBM provides scheduled scans at V5R2 and scan-on-open/close at V5R3+.
Anti-Virus (cont’d)
Scan engine is provided by (two) 3rd party providers — both here at the Expo.
Don’t overlook malicious code, trojan horses etc. that can affect ANY server, including the AS/400.
The IFS can be scanned by a PC engine, but there are 4 significant reasons not to: speed, bandwidth, read/write file shares, and an *ALLOBJ profile requirement.
Encryption
Two types: database (at rest) and media (in flight).
At-rest encryption is one of the biggest initiatives currently underway and often resembles Y2K in its process.
Advanced Encryption Standard (AES) is the new U.S. government standard (replacing TDES); another popular solution is PGP.
‘Strong’ encryption is regarded as a 128-bit key or better.
Encryption (cont’d)
Do NOT encrypt non-secret information.
Key management is the ‘key’ to success.
i5/OS and IBM i have built-in encryption (manually intensive), or you can select 3rd party tools to reduce the effort.
ASP encryption (IBM i V6R1) is probably NOT the ‘silver bullet’ answer (you think) that you have been waiting for …
Other Considerations
SSL connections should always be used (no additional software purchase is required).
Consider Single Sign-on (SSO) to reduce password reliance.
Monitor for libraries above QSYS (DSPSYSVAL QSYSLIBL).
Monitor for user objects in QSYS (PRTUSROBJ).
Document your trigger programs (PRTTRGPGM).
Document programs that adopt authority (PRTPGMADP).
Other Considerations (cont’d)
Document/watch your job schedule entries.
Use profile switching for admins / security officers.
Stay on a supported OS & install PTFs.
Physically secure the server.
Audit yourself occasionally or (better yet) hire an independent expert.
6th Gear - Ongoing Compliance
Lamborghini Murciélago
Compliance Reporting
i5/OS has limited reporting capabilities, so use commercial applications or your own programs.
TIP: You must be auditing the required types of information before you can report on it.
Use DSPAUDJRNE to display data if you know the journal codes that you want (e.g. CP = Changes to a user profile). Codes are in the Security Manual or in the help text of the display.
Compliance Reporting
Use CPYAUDJRNE to extract data, then query it or run a program.
Journal data is unformatted and a little hard to interpret.
Report on audit journal entries and also static metrics (profile settings, system values etc.).
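The extraction step from these two slides as an added CL example (not from the presentation): CPYAUDJRNE copies selected entry types from the whole receiver chain into one file per type, which can then be queried. AUDRPT is a constructed library name, and the date range is constructed and must be written in the job’s date format.

```cl
/* Library for the extracted copies (the receivers themselves stay  */
/* in their own secured library)                                     */
CRTLIB LIB(AUDRPT) TEXT('Extracted audit journal data')

/* Quick look at one entry type straight from the current receiver */
DSPAUDJRNE ENTTYP(CP) OUTPUT(*)

/* Copy the entry types an auditor usually asks for:               */
/*   CP  changes to user profiles                                  */
/*   SV  changes to system values                                  */
/*   AF  authority failures                                        */
/*   PW  invalid passwords and sign-on attempts                    */
/* OUTFILE gives a prefix; the files created are AUDRPT/AUDCP,     */
/* AUDRPT/AUDSV, AUDRPT/AUDAF and AUDRPT/AUDPW                      */
CPYAUDJRNE ENTTYP(CP SV AF PW) OUTFILE(AUDRPT/AUD) +
           JRNRCV(*CURCHAIN) +
           FROMTIME('05/01/2009' '00:00:00') +
           TOTIME('05/31/2009' '23:59:59')

/* Report: each file holds the common journal fields (job, user,   */
/* timestamp) followed by the entry-specific fields, so a query    */
/* over AUDSV answers "who changed which system value, and when"   */
RUNQRY QRYFILE((AUDRPT/AUDSV))
```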
Policy Adherence
Now that you have a policy, and have your system in a condition of adherence, determining continual ongoing compliance is the final step.
Assess new threats, and continue to tune the policy and settings accordingly.
Perform periodic reviews of security-related settings and user profile parameters.
Policy Adherence
Build a process of reports and metrics to be monitored, although doing this manually can be time consuming and hard to do.
Evaluate the benefit of a native commercial solution to allow the system to more rapidly self-monitor and advise of compliant/non-compliant status.
You’re At Maximum RPM
Porsche 911 GT1
Additional Resource
Introduces the Main areas of Compliance on ‘i’
Info on Premium Solution Providers & Solutions
Supplemental CD has trial software, reference materials and sample audit deliverables
http://www.msiinet.com/white-paper/compliance-guide/
Questions