IBM i Security Getting Started On The Road To Compliance 550068

Common 2009 Getting Started On The Road To Compliance


This is one of the three presentations I provided at COMMON 2009 in Reno, NV


Page 1: Common 2009   Getting Started On The Road To Compliance


IBM i Security

Getting Started On The Road To Compliance

550068

Page 2: Common 2009   Getting Started On The Road To Compliance

Today's Speaker

Robin Tatam - MSI AS/400 Security Specialist

[email protected]

(515) 246-4111

http://www.linkedin.com/in/robintatam

Page 3: Common 2009   Getting Started On The Road To Compliance

Agenda

The Showroom: Which Options Did We Get?

Park: Where You Don’t Want To Be

1st Gear: Finding The On Ramp

2nd Gear: Utilize What You Already Have In i And i5/OS

3rd Gear: Network Data and System Access

4th Gear: New Options with IBM i V6R1

5th Gear: Other Considerations And Options

6th Gear: Ongoing Monitoring & Compliance

Page 4: Common 2009   Getting Started On The Road To Compliance


Which Options Did We Get?

Included in Base Model

User Profile Management

Resource Level Security

Exit Program Ready

Anti-Virus Ready

Encryption

Event Auditing

Intrusion Detection System

D.o.D. Certification (C2)


Page 5: Common 2009   Getting Started On The Road To Compliance


Which Options Did We Get?

Popular Option Packages

Exit Programs

Anti-Virus

Audit Reporting

Event Monitoring

Compliance Monitoring

You can (and many do!) run without them, but you are a lot safer with them …

Page 6: Common 2009   Getting Started On The Road To Compliance


In Park

Page 7: Common 2009   Getting Started On The Road To Compliance


A Big Gamble

Your users have the virtual “keys” to your corporate data.

Do you trust them not to even try to “drive” it?

Would you bet your ENTIRE business (or career) on it?

Page 8: Common 2009   Getting Started On The Road To Compliance


Hacking For Dummies?

“Security by Obscurity” is no longer a good option …

Of course, was it ever?

Page 9: Common 2009   Getting Started On The Road To Compliance


ACT NOW …

“It’s time to take ownership of your data, and your servers, and see that security is not an option, but rather a cost of doing business. You should be investing in PROTECTING the very ENGINE that your business relies upon.”

Page 10: Common 2009   Getting Started On The Road To Compliance


… And Avoid Getting Burned !!

Page 11: Common 2009   Getting Started On The Road To Compliance


The State of Security 2008

Source: State of iSeries Security 2008

PowerTech uses anonymous Audit Data from their Compliance Assessment tool to compile an Annual Study of Security Statistics

This study — available online — provides a picture of what System i shops are currently doing with their security controls.

And year after year it shows that there is definitely still room (and need) for improvement!

The study sample consists of security-aware environments

Page 12: Common 2009   Getting Started On The Road To Compliance


The State of Security 2008

Source: State of iSeries Security 2008

This may be more indicative of IBM’s change to the shipped default than any conscious planning by the customer

Page 13: Common 2009   Getting Started On The Road To Compliance


The State of Security 2008

Resource security is the only true way to secure your data from ALL access methods.

Unfortunately it can also be daunting to the untrained user, as well as somewhat inflexible, so, as you can see, many people do not change the default of *CHANGE.

Source: State of iSeries Security 2008

Page 14: Common 2009   Getting Started On The Road To Compliance


The State of Security 2008

Special Authorities are called “Special” for a reason

Page 15: Common 2009   Getting Started On The Road To Compliance


The State of Security 2008

These problems are not the fault of the ‘end’ user

Page 16: Common 2009   Getting Started On The Road To Compliance


The State of Security 2008

Of the 70%, very few organizations use automated reporting tools or, in my experience, are auditing enough events

Page 17: Common 2009   Getting Started On The Road To Compliance


Don’t Head Down Exposure Road

For 231,000,000 more reasons to turn around, check out http://www.privacyrights.org

Page 18: Common 2009   Getting Started On The Road To Compliance


1st Gear — Finding The On Ramp

Porsche Cayman S

Page 19: Common 2009   Getting Started On The Road To Compliance


Document Your Starting Point

Understanding your server’s configuration weaknesses helps define the road ahead, as well as providing a rear-view mirror on your progress.

Page 20: Common 2009   Getting Started On The Road To Compliance


Develop Your Security Policy

A Security Policy has two main purposes:

i. Define the standards against which to measure your server compliance

ii. Provide users with operating policy and procedure

Ensure that part ii of the Security Policy is agreed to by the users, via a signed agreement (with annual ‘refreshers’) and a legal usage statement on a 5250 sign on screen.

The construction of the Policy is something that should be done outside of I.T. with executive sponsors — you don’t want I.T. creating policy.

It is the job of the Security Officer to interpret those directives into the settings specific to each server platform.

If you are not sure where or how to start, check out the Open Source Security Policy published by PowerTech (and included in the MSI Security and Compliance guide), or allow us to help you create one from scratch.

Page 21: Common 2009   Getting Started On The Road To Compliance


2nd Gear - Base i5/OS

Ferrari 599

Page 22: Common 2009   Getting Started On The Road To Compliance


User Profiles

A profile/password is the biggest hurdle you can put between a person and your data — so make it count!

Don’t think that “my users could not / would not (know how to) do that” — you already handed them a valid log-in

Ensure that profiles are created following a process (and deleted the same way). Use default templates, but NEVER default passwords!

Page 23: Common 2009   Getting Started On The Road To Compliance


User Profiles (cont’d)

Audit ‘powerful’ profiles (those users with command line capabilities and/or special authority)

Do NOT give *ALLOBJ to a programmer (no matter how much they cry!)

Do NOT make Help Desk users security officers just to reset passwords etc.

Page 24: Common 2009   Getting Started On The Road To Compliance


System Values

System values are the main properties used to control the way that your system operates, as well as protects itself

There is a category for security-related values (*SEC)

Understand each system value, and its effect, before setting it. If you need to differ from best practices then document the reason in your security policy

Page 25: Common 2009   Getting Started On The Road To Compliance


System Values (cont’d)

Have a mechanism to check your current values against their expected value. 3rd party tools do this best, but you can manually print and compare

Audit for changes to the system values (audit journal code ‘SV’)

After V5R2, you can (and should) ‘lock’ down security system values in SST

Page 26: Common 2009   Getting Started On The Road To Compliance


Resource Security

Obtain a copy of the Authority Progression Algorithm (in the IBM security book, or send me an email)

Object-level protection works regardless of interface

Use the theory of least access, not the opposite

Never make object owners a real user profile or group profile, and don’t have IBM profiles (or your programmers) own objects

Secure Libraries as the first line of defense (*USE on a library still permits object deletion)

Page 27: Common 2009   Getting Started On The Road To Compliance


Resource Security (cont’d)

Secure objects if library security is not granular enough

Consider adopted authority as an access technique

Use authorization lists to simplify the task if there are many objects

Audit access to critical objects (and authority failures)

Monitor for users who download data, modify it and copy it back

Page 28: Common 2009   Getting Started On The Road To Compliance


Action Auditing

Use CHGSECAUD to perform all necessary setup tasks

Auditing uses an audit journal (QAUDJRN) object

Uses system value controls to define events to be audited:

QAUDCTL: On/Off switch

QAUDLVL(2): Controls what actions to audit

Create a separate library for audit data (stored in Journal Receivers) for easy securing and save/purge

Page 29: Common 2009   Getting Started On The Road To Compliance


Action Auditing (cont’d)

Journal maintenance is manual

Maintain a single profile with authority to change auditing options

3rd parties enable push alerting and even do your monitoring

Set a policy for data retention (short term & long term) for the audit journal data (defer to auditors or legal dept)

Page 30: Common 2009   Getting Started On The Road To Compliance


3rd Gear - Network Data and System Access

KTM X-BOW

Page 31: Common 2009   Getting Started On The Road To Compliance


How Does The Network Affect Me?

Don’t worry … simply plug your server in and it protects your data 100% from any Network Access

Page 32: Common 2009   Getting Started On The Road To Compliance


How Does The Network Affect Me?

As long as your ‘network’ only has these …

Page 33: Common 2009   Getting Started On The Road To Compliance


How Does The Network Affect Me?

This is likely to be your single biggest threat — trust me when I say “Fix it NOW”

Resource Security controls WILL protect you regardless of the interface, BUT it has to be implemented properly and does not have flexibility to vary the authority based on the interface being used: it’s ‘One Size Fits All’

Activities that come through the TCP servers are NOT audited — you cannot tell who is downloading (or uploading), running SQL statements, or even executing remote commands

Some servers allow command functions and IGNORE a profile’s 5250 command line restriction

For everyone else …

Page 34: Common 2009   Getting Started On The Road To Compliance


How Does The Network Affect Me?

IBM wrote ‘hooks’ in to i5/OS (called Exit Points) but leaves the functionality (accept/reject/audit) of the Exit Programs to your own programmers. Not ALL services are covered (e.g. HTTP)

There are over 30 exit points that deal with network access

Exit programs are not difficult to write, but the recommended way to go is to purchase a commercial application for tested technology, broader functionality and rapid deployment

Oh, did I mention “Fix it NOW”?

Page 35: Common 2009   Getting Started On The Road To Compliance


A System With Menus & Application Security

Page 36: Common 2009   Getting Started On The Road To Compliance


An Exit Program Protected System

Page 37: Common 2009   Getting Started On The Road To Compliance


4th Gear — New Options with IBM i V6R1

Bugatti Veyron

Page 38: Common 2009   Getting Started On The Road To Compliance


Introducing IBM i V6R1

QPWDRULES - New system value to define password syntax

If anything other than *NONE, define password rules and replace QPWDxxx system values

Require special character

Require mixed case

Prevent all-numeric password

Require x number of digits

Require x number of letters

Require x number of special characters

Page 39: Common 2009   Getting Started On The Road To Compliance


Introducing IBM i V6R1

QPWDCHGBLK - New system value to block password changes after a successful password change

Prevent change of password for x hours: *NONE, or 1 to 99 hours

Password change block not in effect if PWDEXP(*YES) has been specified by the system administrator.

PWDCHGBLK parm also added to the user profile

Page 40: Common 2009   Getting Started On The Road To Compliance


Introducing IBM i V6R1

QPWDEXPWRN — Set password expiration warning interval

Warn user of expiring password

7 is the default

1 to 99 days

QLMTDEVSSN — Limit Device Session

Restrict users to active device sessions

0 = Do not limit (existing value)

1 = Limit user to one session (existing value)

2 to 9 = Limit users to x number of sessions (NEW)

LMTDEVSSN user profile parm also extended with this support
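An added example (not from the presentation) of the baseline check Page 25 recommends, extended with the V6R1 values from Pages 38 to 40: the policy values, the current values and the QSYS2.SYSTEM_VALUE_INFO source are assumptions, and the QPWDRULES handling follows Page 38's note that a QPWDRULES other than *NONE replaces the QPWDxxx values.

```python
# Added example (not from the presentation): check security system values
# against a written baseline. CURRENT_VALUES is a constructed sample; on a
# live system the pairs could come from QSYS2.SYSTEM_VALUE_INFO or DSPSYSVAL.

# Assumed sample policy; the presenter's own baseline is not on the page.
BASELINE = {
    "QAUDCTL": "*AUDLVL *OBJAUD *NOQTEMP",
    "QAUDLVL": "*AUTFAIL *SECURITY *SERVICE *SYSMGT",
    "QPWDRULES": "*MINLEN8 *MAXLEN128 *DGTMIN1 *MIXCASE1 *SPCCHRMIN1",
    "QPWDCHGBLK": "24",
    "QPWDEXPWRN": "14",
    "QLMTDEVSSN": "1",
    "QPWDMINLEN": "8",
}

# Multi-valued values: order is irrelevant, every baseline keyword must be
# present, extra keywords (e.g. more audit levels) are allowed.
LIST_VALUED = {"QAUDCTL", "QAUDLVL", "QPWDRULES"}

# QPWDxxx values the OS ignores once QPWDRULES is anything but *NONE (Page 38).
SUPERSEDED_BY_QPWDRULES = {"QPWDLMTAJC", "QPWDLMTCHR", "QPWDLMTREP",
                           "QPWDMAXLEN", "QPWDMINLEN", "QPWDPOSDIF", "QPWDRQDDGT"}

# Constructed sample of what a server might report today.
CURRENT_VALUES = {
    "QAUDCTL": "*NONE",
    "QAUDLVL": "*AUTFAIL *SECURITY",
    "QPWDRULES": "*MINLEN8 *MAXLEN128 *SPCCHRMIN1 *MIXCASE1 *DGTMIN1",
    "QPWDCHGBLK": "*NONE",
    "QPWDEXPWRN": "7",
    "QLMTDEVSSN": "0",
    "QPWDMINLEN": "6",
}


def check_system_values(current, baseline=BASELINE):
    """Return (system value, finding) pairs where the server deviates from policy."""
    findings = []
    rules_active = current.get("QPWDRULES", "*NONE").strip() != "*NONE"
    for name, expected in baseline.items():
        if name in SUPERSEDED_BY_QPWDRULES and rules_active:
            continue  # ignored by the OS, so not a deviation worth reporting
        actual = current.get(name)
        if actual is None:
            findings.append((name, "not reported by the system"))
        elif name in LIST_VALUED:
            missing = set(expected.split()) - set(actual.split())
            if missing:
                findings.append((name, "missing " + " ".join(sorted(missing))))
        elif actual.strip() != expected:
            findings.append((name, f"is {actual}, policy says {expected}"))
    # QAUDCTL *NONE silently switches off everything QAUDLVL asks for.
    if current.get("QAUDCTL", "").strip() == "*NONE":
        findings.append(("QAUDCTL", "*NONE, nothing is written to QAUDJRN"))
    return findings
```

Calling check_system_values(CURRENT_VALUES) on the sample reports the two audit values, the three V6R1 password/session values and the QAUDCTL note, while QPWDMINLEN is skipped because QPWDRULES is in force.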

Page 41: Common 2009   Getting Started On The Road To Compliance


5th Gear — Other Options

Koenigsegg CCX

Page 42: Common 2009   Getting Started On The Road To Compliance


Anti-Virus

Firstly, let’s define a “virus” …

Native objects are “immune” to traditional virus attacks

IFS objects are just as vulnerable as any PC-server or desktop, so if you use NetServer (Network Neighborhood), Lotus Domino, WebSphere etc. then consider AV carefully as it is required by most standards (e.g. PCI)

IBM provides scheduled scans at V5R2 and scan-on-open/close at V5R3+

Page 43: Common 2009   Getting Started On The Road To Compliance


Anti-Virus (cont’d)

Scan Engine is provided by (two) 3rd party providers — both here at the Expo

Don’t overlook malicious code, trojan horses etc. that can affect ANY server including the AS/400

IFS can be scanned by a PC engine, but there are 4 significant reasons not to: speed, bandwidth, read/write file shares, and an *ALLOBJ profile requirement

Page 44: Common 2009   Getting Started On The Road To Compliance


Encryption

Two types: database (at rest) and media (in flight)

At-rest encryption is one of the biggest initiatives currently underway and often resembles Y2K in its process

Advanced Encryption Standard (AES) is the new U.S. government standard (replacing TDES); another popular solution is PGP

‘Strong’ encryption is regarded as a 128-bit key or better

Page 45: Common 2009   Getting Started On The Road To Compliance


Encryption (cont’d)

Do NOT encrypt non-secret information

Key management is the ‘key’ to success

i5/OS and IBM i have built-in encryption (manually intensive) or you can select 3rd party tools to reduce the effort

ASP encryption (IBM i V6R1) is probably NOT the ‘silver bullet’ answer (you think) that you have been waiting for …

Page 46: Common 2009   Getting Started On The Road To Compliance


Other Considerations

SSL connections should always be used (no additional software purchase is required)

Consider Single Sign-on (SSO) to reduce password reliance

Monitor for libraries above QSYS (DSPSYSVAL QSYSLIBL)

Monitor for user objects in QSYS (PRTUSROBJ)

Document your trigger programs (PRTTRGPGM)

Document programs that adopt authority (PRTPGMADP)

Page 47: Common 2009   Getting Started On The Road To Compliance


Other Considerations (cont’d)

Document/watch your job schedule entries

Use profile switching for admins / security officers

Stay on a supported OS & install PTFs

Physically secure the server

Audit yourself occasionally or (better yet) hire an independent expert

Page 48: Common 2009   Getting Started On The Road To Compliance


6th Gear - Ongoing Compliance

Lamborghini Murciélago

Page 49: Common 2009   Getting Started On The Road To Compliance


Compliance Reporting

i5/OS has limited reporting capabilities so use commercial applications or your own programs

TIP: You must be auditing the required types of information before you can report it

Use DSPAUDJRNE to display data if you know the journal codes that you want (e.g. CP = Changes to a user profile). Codes are in the Security Manual or in the help text of the display

Page 50: Common 2009   Getting Started On The Road To Compliance


Compliance Reporting

Use CPYAUDJRNE to extract data, then query it or run a program against it

Journal data is unformatted and a little hard to interpret

Report on audit journal entries and also static metrics (profile settings, system values etc.)
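An added example (not from the presentation) of the extract-then-query step from Pages 28 and 49 to 50: the CSV layout, column names and rows are constructed, and the report flags the ‘SV’ and ‘CP’ codes the slides name plus repeated authority failures.

```python
# Added example (not from the presentation): triage rows extracted from
# QAUDJRN with CPYAUDJRNE and copied to CSV. The rows and the column names are
# a constructed sample; the real QASYxxJ5 outfile fields differ per entry type.
import csv
import io
from collections import Counter

# Constructed sample: journal code, entry type, job user, timestamp, object or
# profile acted on, and the entry-specific data flattened to free text.
SAMPLE_EXTRACT = """\
code,type,user,timestamp,object,detail
CP,A,HELPDESK,2009-04-21 08:02:11,JSMITH,CHGUSRPRF password reset
CP,A,DEVMGR,2009-04-21 09:15:40,PGMR7,CHGUSRPRF SPCAUT(*ALLOBJ *JOBCTL)
SV,A,QSECOFR,2009-04-21 09:20:05,QAUDLVL,changed from *AUTFAIL *SECURITY to *AUTFAIL
AF,A,PGMR7,2009-04-21 10:01:00,PAYROLL/PAYMAST,not authorized to object
AF,A,PGMR7,2009-04-21 10:01:03,PAYROLL/PAYMAST,not authorized to object
AF,A,PGMR7,2009-04-21 10:01:09,PAYROLL/PAYRATE,not authorized to object
AF,A,JSMITH,2009-04-21 11:30:00,SALES/CUSTFILE,not authorized to object
"""

# Special authorities whose grant always deserves a second look (Pages 14, 23).
POWERFUL_AUTHORITIES = ("*ALLOBJ", "*SECADM", "*AUDIT", "*SERVICE")


def triage_extract(csv_text, af_threshold=3):
    """Return the (code, user, text) findings a compliance report would raise."""
    findings = []
    af_by_user = Counter()
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r["code"] == "SV":
            # Every system value change must trace back to an approved change.
            findings.append(("SV", r["user"], f"{r['object']} {r['detail']}"))
        elif r["code"] == "CP":
            granted = [a for a in POWERFUL_AUTHORITIES if a in r["detail"]]
            if granted:
                findings.append(("CP", r["user"], f"{r['object']} given {' '.join(granted)}"))
        elif r["code"] == "AF":
            af_by_user[r["user"]] += 1
    # Repeated authority failures from one profile: a broken application or
    # someone trying doors; either way the profile's owner should be asked.
    for user, n in sorted(af_by_user.items()):
        if n >= af_threshold:
            findings.append(("AF", user, f"{n} authority failures"))
    return findings
```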

Page 51: Common 2009   Getting Started On The Road To Compliance


Policy Adherence

Now that you have a policy, and have your system in a condition of adherence, determining continual ongoing compliance is the final step

Assess new threats, and continue to tune the policy and settings accordingly

Perform periodic reviews of security related settings and user profile parameters

Page 52: Common 2009   Getting Started On The Road To Compliance


Policy Adherence

Build a process of reports and metrics to be monitored, although doing this manually can be time consuming and hard to do

Evaluate the benefit of a native commercial solution to allow the system to more rapidly self-monitor and advise of compliant/non-compliant status

Page 53: Common 2009   Getting Started On The Road To Compliance


You’re At Maximum RPM

Porsche 911 GT1

Page 54: Common 2009   Getting Started On The Road To Compliance


Additional Resource

Introduces the Main areas of Compliance on ‘i’

Info on Premium Solution Providers & Solutions

Supplemental CD has trial software, reference materials and sample audit deliverables

http://www.msiinet.com/white-paper/compliance-guide/

Page 55: Common 2009   Getting Started On The Road To Compliance


Questions