What Does a Full Featured Security Strategy Look Like?

  1. What Does a Full-Featured IBM i Security Strategy Look Like?
     Presenters: Bill Hammond, Director, Product Marketing; John Vriezen, Principal Technology Architect
  2. Housekeeping
     • Webinar audio: today's webcast audio is streamed through your computer speakers. If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box.
     • Questions welcome: submit your questions at any time during the presentation using the Q&A box. If we don't get to your question, we will follow up via email.
     • Recording and slides: this webinar is being recorded. You will receive an email following the webinar with a link to the recording and slides.
  3. The leader in data integrity
     Our software, data enrichment products and strategic services deliver accuracy, consistency, and context in your data, powering confident decisions.
     99 of the Fortune 100 | 100 countries | 2,500 employees | 12,000 customers
     Brands you trust, trust us. Data leaders partner with us.
  4. Overview
     • What assets are we securing?
     • What actions are we securing?
     • Whose access needs to be secured?
     • Security principles
     • How do we secure these assets and actions?
     • How do we know we have secured these assets?
     • How Precisely can help
  5. What assets are we securing?
     • Proprietary data: trade secrets, software, documents, processes, database columns, IFS files
     • Customer data: Personally Identifiable Information (GDPR, PCI DSS, etc.), e.g. names, addresses, credit card numbers, Social Security numbers; medical data (HIPAA)
     • Credentials: usernames, passwords, account numbers
  6. What actions are we securing?
     • Business actions: order processing, accounts payable, accounts receivable
     • Operational actions: logistics (deliveries, manufacturing), equipment automation
  7. "Kemuri" Water Company (hacked in 2016)
     • IBM i was used for: web server, Operational Technology (OT), Supervisory Control And Data Acquisition (SCADA)
     • The payment web server contained the IP address and user ID/passwords of the control system, which allowed access to valve and flow controls
     • Source: treatment-systems-utility-hack-report
  8. Whose access needs to be secured?
     • Bad actors
     • Our employees
     • Our vendors
     • Our customers
     • Intentional breaches and unintentional breaches
  9. Security Principles
     • Zero Trust: authenticate everyone who accesses the system, every time; no shared credentials
     • Deny by Default: all users are denied access until/unless explicitly authorized; *PUBLIC authority = *EXCLUDE
     • Least Privilege: users are given only enough privilege and access to accomplish their tasks
     • Open Design: the mechanisms used to secure the system are not secret; only encryption keys, passwords, etc. are kept secret
     Deny by Default (fail-safe defaults), Least Privilege and Open Design follow Jerome H. Saltzer and Michael D. Schroeder, 1975.
  10. How do we secure assets?
     • Authentication
     • Entry point controls
     • Authorization
     • Encryption/Masking
     • Tokenization
  11. Authentication techniques. Factors:
     • What do you know?
     • What do you have?
     • Who are you?
     • Who do you know?
  12. Multi-Factor Authentication
     • What do you know? Username, password
     • What do you have? YubiKey, cell phone, FIDO UAF/U2F authenticator, etc.
     • Who are you? Fingerprint
     • Who do you know? "Four eyes" authentication (a second person must approve)
     • Where are you? IP address
     • What is the day and time?
     • Which factor failed to pass? DON'T TELL! A sign-on failure message must not reveal which factor was wrong, or an attacker can confirm a password and then attack the second factor.
     • MFA can also be used after sign-on: require MFA at key application points
  13. Validation Lists instead of User Profiles
     • IBM i object type *VLDL
     • Used for HTTP server users or other external users; used by the Apache web server on IBM i
     • Stores encrypted passwords 'by design', with no control over the internal encryption key. Passwords should not be stored at all; only a secure hash of the salted password should be stored.
     • Allows users to access the system via the Web or other means without having an IBM i user profile (do you have a user profile on the server that runs your bank's web interface?)
     • External authentication servers can be used instead: Okta, RADIUS, etc.
     • Downside: no system-level auditing of who is responsible for actions taken; you rely on the application server to log
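The two points above (slide 12: never tell which factor failed; slide 13: store only a salted hash, never the password) come together in a sign-on check. The following is an added example written for this page, not code from the Precisely deck or from IBM i: the user store is a constructed in-memory dictionary standing in for a validation list or external identity provider, the password hash is PBKDF2-HMAC-SHA256 with a per-user random salt, and the second factor is RFC 6238 TOTP implemented directly over HMAC-SHA1 so that the block runs offline. The TOTP seed in the sample record is the RFC 6238 test key, chosen so the output can be checked against the published vectors.

```python
"""Salted password hashing plus a TOTP second factor, with a sign-on
response that does not reveal which factor failed.

Added example for this page (not Precisely's or IBM's code). The user
store below is constructed for the demo."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000          # OWASP-level cost for PBKDF2-HMAC-SHA256
TOTP_STEP = 30


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte random salt per user means
    two users with the same password still get different stored values."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)      # constant-time comparison


def totp(secret_b32: str, unix_time: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the profile used by common authenticator apps."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: float,
                step: int = TOTP_STEP, window: int = 1) -> bool:
    """Accept the current time step plus/minus `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + d * step, step), code)
               for d in range(-window, window + 1))


# Constructed user record. Only the salt, the derived key and the TOTP seed
# are stored; the password itself never is. The seed is the RFC 6238 test key.
_DEMO_SALT, _DEMO_KEY = hash_password("correct horse battery staple")
USERS = {
    "JDOE": {"salt": _DEMO_SALT, "key": _DEMO_KEY,
             "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
}
GENERIC_FAILURE = "Sign-on failed"


def sign_on(user: str, password: str, code: str,
            unix_time: Optional[float] = None) -> Tuple[bool, str]:
    """Evaluate every factor before answering, and answer with the same
    message whichever factor failed (slide 12: which one failed? DON'T TELL)."""
    now = time.time() if unix_time is None else unix_time
    rec = USERS.get(user.upper())
    if rec is None:
        # Unknown profile: still pay for a hash so timing does not reveal
        # whether the user exists, then return the same generic message.
        verify_password(password, _DEMO_SALT, _DEMO_KEY)
        return False, GENERIC_FAILURE
    pw_ok = verify_password(password, rec["salt"], rec["key"])
    otp_ok = verify_totp(rec["totp_secret"], code, now)
    if pw_ok and otp_ok:
        return True, "OK"
    return False, GENERIC_FAILURE
```

Note that `sign_on` computes both factor results before deciding, rather than returning early on a bad password; the early return is what leaks "password correct, OTP wrong" through either the message or the response time.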
  14. Entry Point Controls
     • IBM has defined exit points that allow additional user- or security-vendor-written control over users accessing the system:
       • Telnet
       • Sockets
       • FTP, TFTP
       • REXEC (remote command execution)
       • DDM
       • SQL (ODBC, JDBC)
       • CL command exit point
     • Managed via the WRKREGINF command, which is used to register exit point programs
  15. Authorization
     • Is the authenticated user authorized to perform a requested action or access requested data?
     • Primarily enforced via IBM i object authorities:
       • Library-based objects (Db2 files, programs, commands, menus, etc.)
       • IFS objects (directories, stream files, symbolic links). Beware of securing only the directory and not the objects inside it.
       • QDLS folders and documents
     • Can also be enforced via exit points
  16. Authorization: Dealing with scale
     • Consider an example: 500 user IDs and 10,000 objects to secure. Deny by Default means 5,000,000 authorizations to consider!
     • User IDs can be authorized by 'grouping' them using group profiles. A user can be a member of up to 16 groups: 1 primary group and 15 supplemental groups.
     • Objects can be authorized by 'grouping' them using authorization lists.
     • User groupings can then be authorized to object groupings.
     • This considerably reduces the complexity of managing authorizations.
  17. Authorization: Groups and Authorization Lists
     • To add a user to one or more groups (group profiles are just regular profiles that have been identified as a group for another profile):
       CHGUSRPRF USRPRF(MYPROFILE) GRPPRF(MYGROUP) SUPGRPPRF(SUPPGRP1 SUPPGRP2)
     • To create an authorization list that denies by default:
       CRTAUTL AUTL(MYAUTL) AUT(*EXCLUDE)
     • To secure a library-based object, or an IFS path and everything under it, with the authorization list:
       GRTOBJAUT OBJ(MYLIB/MYOBJ) OBJTYPE(*FILE) AUTL(MYAUTL)
       CHGAUT OBJ('/MyPath/MyObject') AUTL(MYAUTL) SUBTREE(*ALL)
     • To connect the authorization list to the group profile, either granting use or explicitly excluding the group:
       ADDAUTLE AUTL(MYAUTL) USER(MYGROUP) AUT(*USE)
       ADDAUTLE AUTL(MYAUTL) USER(MYGROUP) AUT(*EXCLUDE)
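To see why groups and authorization lists collapse the 500 × 10,000 problem of slide 16 while still denying by default, it helps to model the lookup order that the commands on slide 17 feed into. The block below is an added example written for this page, not Precisely's code and not IBM's implementation: it is a deliberately simplified model of the order in which IBM i considers a user's own authority, then group authorities, then *PUBLIC (from the object, or from the list when the object's *PUBLIC is *AUTL). Adopted authority, owner authority and the individual object and data rights (*OBJOPR, *READ, ...) are left out, and the authority levels are reduced to *EXCLUDE < *USE < *CHANGE < *ALL. All profiles, objects and lists are constructed for the demo.

```python
"""Deny-by-default authority resolution with group profiles and
authorization lists.

Added example for this page; a simplified model of the IBM i lookup
order, not the real algorithm. Profiles, objects and lists are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVEL = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}   # simplified ladder


@dataclass
class UserProfile:
    name: str
    groups: List[str] = field(default_factory=list)    # primary group first, then supplemental
    special: List[str] = field(default_factory=list)   # e.g. ["*ALLOBJ"]


@dataclass
class AuthList:
    name: str
    entries: Dict[str, str] = field(default_factory=dict)   # profile -> authority (ADDAUTLE)
    public: str = "*EXCLUDE"                                # CRTAUTL AUT(*EXCLUDE)


@dataclass
class SecuredObject:
    name: str
    private: Dict[str, str] = field(default_factory=dict)   # profile -> authority on the object
    public: str = "*EXCLUDE"       # "*AUTL" means: take *PUBLIC from the authorization list
    autl: Optional[str] = None     # GRTOBJAUT ... AUTL(name)


def _explicit(obj: SecuredObject, lists: Dict[str, AuthList],
              profile: str) -> Optional[Tuple[str, str]]:
    """Explicit authority for one profile: object private authority first,
    then that profile's entry on the object's authorization list."""
    if profile in obj.private:
        return obj.private[profile], "private authority"
    if obj.autl and profile in lists[obj.autl].entries:
        return lists[obj.autl].entries[profile], f"authorization list {obj.autl}"
    return None


def resolve(user: UserProfile, obj: SecuredObject, lists: Dict[str, AuthList],
            required: str) -> Tuple[bool, str]:
    """Return (authorized?, how the authority was realized)."""
    need = LEVEL[required]
    if "*ALLOBJ" in user.special:
        return True, "special authority *ALLOBJ"
    # 1. The user's own entry is definitive, even when it is *EXCLUDE.
    hit = _explicit(obj, lists, user.name)
    if hit:
        return LEVEL[hit[0]] >= need, f"user {hit[1]}"
    # 2. Group authorities accumulate (the strongest group entry counts); an
    #    explicit group entry that is too weak still blocks the fall-through
    #    to *PUBLIC, so deny-by-default holds.
    best, source, explicit = -1, "", False
    for group in user.groups:
        hit = _explicit(obj, lists, group)
        if hit:
            explicit = True
            if LEVEL[hit[0]] > best:
                best, source = LEVEL[hit[0]], f"group {group} {hit[1]}"
    if explicit:
        return best >= need, source
    # 3. Nothing explicit anywhere: *PUBLIC decides, taken from the list
    #    when the object's *PUBLIC is *AUTL, otherwise from the object.
    if obj.public == "*AUTL" and obj.autl:
        return LEVEL[lists[obj.autl].public] >= need, f"*PUBLIC on authorization list {obj.autl}"
    return LEVEL[obj.public] >= need, "*PUBLIC on object"


# Constructed demo data: one list secures two payroll files; two groups are
# on the list; one temp worker is explicitly excluded from the salary file.
LISTS = {"PAYAUTL": AuthList("PAYAUTL", entries={"PAYGRP": "*USE", "PAYADM": "*CHANGE"})}
OBJECTS = {
    "PAYROLL": SecuredObject("PAYROLL", autl="PAYAUTL", public="*AUTL"),
    "SALARY": SecuredObject("SALARY", autl="PAYAUTL", public="*AUTL",
                            private={"TEMP1": "*EXCLUDE"}),
}
PROFILES = {
    "ALICE": UserProfile("ALICE", groups=["PAYGRP"]),
    "BOB": UserProfile("BOB", groups=["PAYGRP", "PAYADM"]),
    "TEMP1": UserProfile("TEMP1", groups=["PAYGRP"]),
    "EVE": UserProfile("EVE"),
    "QSECOFR": UserProfile("QSECOFR", special=["*ALLOBJ"]),
}


def check(user: str, obj: str, required: str) -> Tuple[bool, str]:
    return resolve(PROFILES[user], OBJECTS[obj], LISTS, required)
```

Two details carry over to the real system. First, the object's own *PUBLIC authority must be *AUTL (GRTOBJAUT ... USER(*PUBLIC) AUT(*AUTL)) for the list's *PUBLIC(*EXCLUDE) to apply; an object attached to a list but left with *PUBLIC(*CHANGE) is still open to everyone. Second, the second element returned by `check` is the same kind of information that Authority Collection (slide 27) records for each lookup, which is what makes "granted versus actually used" comparisons possible.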
  18. Encryption/Masking
     • Database field-level encryption
     • IBM Db2 for i field procedures (FieldProc) support strong encryption and masking of selected columns
     • Selected fields are encrypted in Db2 table storage and in journal entries
     • When read, fields are decrypted or masked depending on which user is accessing the data
     • Updates are handled seamlessly so that masked data is not written back to the database
     • Encrypted key fields can be problematic for native RPG applications, since keyed reads and ordering operate on the ciphertext
  19. Encryption Performance
     • Encryption can add non-trivial overhead to database access and update
     • Initial conversion of an entire file from plain text to encrypted can take many hours, or even days for very large files
     • 'Encrypt While Active' is one technique that keeps the application up during the encryption migration; it is similar to a data format migration but simpler to do, and application down time is negligible
  20. Tokenization
     • Sensitive data is stored externally from the primary data table
     • Tokens are used to cross-reference from the primary table to the sensitive data table
     • Tokens are generated by the security software to conform to the data type of the original column
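The tokenization slide describes a vault design: the primary table keeps a token that fits the original column's type, and only the vault maps tokens back to the real value. The block below is an added example written for this page, not Precisely's Assure product; the card numbers and the in-memory vault are constructed for the demo, and in production the vault would be a separately secured table or service. It generates same-length numeric tokens, keeps the last four digits for display, and deliberately makes every token fail the Luhn check so a leaked token can never be mistaken for, or used as, a real card number.

```python
"""Vault-based tokenization with type-conforming tokens.

Added example for this page (not Precisely's implementation). Card
numbers and the vault are constructed for the demo."""
import secrets
import string
from typing import Dict, Optional


def luhn_ok(number: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the sensitive values; the primary table only ever sees tokens.
    The same PAN always maps to the same token so joins on the primary
    table keep working (this does reveal equality between rows, which is
    the usual trade-off of deterministic tokenization)."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str, keep_last: int = 4) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Same length and all digits, so it fits the original column type.
            # Last four digits kept for customer-facing display; the rest is
            # random, and the token must NOT pass Luhn so it cannot be
            # confused with a real PAN.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - keep_last))
            token = body + pan[-keep_last:]
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only callers with access to the vault can recover the PAN."""
        return self._pan_by_token.get(token)

    @staticmethod
    def mask(token: str) -> str:
        """Display form for users who are not authorized to see the value."""
        return "*" * (len(token) - 4) + token[-4:]


def record_payment(vault: TokenVault, order_id: str, pan: str) -> Dict[str, str]:
    """Row as it would be written to the primary (orders) table: no PAN, just the token."""
    return {"order_id": order_id, "card_token": vault.tokenize(pan)}
```

Because the token is numeric and the same length as the PAN, existing column definitions, screens and RPG field sizes do not change; only the code paths that genuinely need the card number call `detokenize`, which is the surface to audit.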
  21. How do we know we have secured these assets?
     • Open-source scan
     • SAST: Static Application Security Testing
     • DAST: Dynamic Application Security Testing
     • Threat modeling
     • Penetration testing
     • IBM i Authority Collection
  22. How do we know we have secured these assets? Open-Source Scan
     • Scans software for known security vulnerabilities in the open-source components it uses
     • Black Duck software is a primary player
     • Works best on modern Web technologies
     • Scans are based on public vulnerability databases:
       • CVE (Common Vulnerabilities and Exposures): the list of publicly known vulnerabilities
       • NVD (National Vulnerability Database): built on the CVE list, adding severity scores, affected-product data and references such as patches
       • CVSS (Common Vulnerability Scoring System): scoring of the severity of each vulnerability
  23. How do we know we have secured these assets? Static Application Security Testing
     • Static analysis of source code or Java bytecode
     • Looks for coding patterns that create security exposures
     • Lots of choices for Java, JavaScript, C, C++, etc.; not many (good) choices for RPG
     • Think of this as a very picky compiler that complains about many poor or risky coding choices
  24. How do we know we have secured these assets? Dynamic Application Security Testing
     • Dynamic analysis: automated probing of the Web/network interface of the running application, attempting to subvert its security
     • Many choices for Web interfaces (HTTPS, REST, etc.)
  25. How do we know we have secured these assets? Threat Modeling
     • Manual, internal analysis of the application/server design
     • How is authentication/authorization done?
     • Are passwords properly hashed?
     • Is there an opportunity for SQL injection?
     • Etc.
  26. How do we know we have secured these assets? Penetration Testing
     • Internal penetration testing: done by people who 'know' the software
     • External penetration testing: done by outside experts who know how to look for attacks you didn't think of
  27. How do we know we have secured these assets? IBM i Authority Collection
     • IBM i 7.3 and 7.4 feature; object-scoped collection was added in 7.4
     • Logs each object authority lookup and reports both failures to authorize and successful authorizations
     • Includes how the authority was realized: public authority, private authority, authorization list, group authority, adopted authority
     • Comparing the authority granted to a user with the authority actually used can identify excess authority that is no longer (or never was) needed
  28. How do we know we have secured these assets? SIEM
     • SIEM: Security Information and Event Management
     • Gathers and consolidates security-related information from operating systems, including both 'normal' and 'abnormal' operations
     • Target repositories: IBM QRadar, Splunk, ELK, LogRhythm, etc.
  29. Authority Elevation
     • Sometimes a user temporarily needs additional authority to accomplish a task. Classic example: the IT help desk.
     • Options:
       • Just give the user the authority permanently
       • Give the user the authority temporarily; requires someone with higher authority, and the con is forgetting to retract it
       • Automate the process
  30. Authority Elevation: Automation
     • The user requests additional authority via a command
     • Requires an external 'ticket' (e.g. Jira, ServiceNow, etc.), and the ticket must be in the proper 'In progress' state
     • The user is re-prompted for authentication: user ID/password/MFA
     • Activity is logged and captured: job log, 5250 screen captures
     • Elevation can be time limited
     • Elevation can be limited to a single function (e.g. CHGUSRPRF PASSWORD())
  31. Security by Obscurity
     • AS/400 through IBM i has benefited from security by obscurity for a long, long time
     • Obscure user interfaces (5250, DDM, EBCDIC, etc.), not well known compared to Windows, iOS, Android, Linux
     • Low number of targets compared to Windows, iOS, Android
     • Biggest exposures: IFS ransomware/malware; ransomware as a business is looking for targets with deeper pockets and more to lose
  32. Example of Security by Obscurity: medical pager systems
     • Used by many modern hospitals
     • Protocol: POCSAG (an ITU-R radiopaging standard)
     • Three frequencies are reserved for medical paging, broadcast from a central tower at the hospital
     • Enter RTL-SDR: a software-defined radio dongle (about $30) built around a Realtek chip that digitizes the radio signal
     • Software decoders exist for many different protocols: pagers, the ISS (International Space Station), etc.
  33. Software Defined Radio Protocols (the URL column of the original table did not survive extraction)
     Protocol name | Type | Author
     gr-pocsag | GRC flowgraph | Marcus Leech
     multimode RX (try first!) | GRC flowgraph | Marcus Leech
     simple_fm_rvc | GRC flowgraph | Marcus Leech
     python-librtlsdr | Python wrapper | David Basden
     pyrtlsdr | Python wrapper | Roger
     rtlsdr-waterfall | Python FFT GUI | Kyle Keen
     Wireless Temp. Sensor RX | GNU Radio app | Kevin Mehall
     QtRadio | SDR GUI | Andrea Montefusco et al.
     gqrx | SDR GUI | Alexandru Csete
     rtl_fm | SDR CLI | Kyle Keen (merged in librtlsdr master)
     SDR# | SDR GUI | Youssef Touil (with a Windows guide and a Linux guide)
     tetra_demod_fft | Trunking RX | osmocom team (with a HOWTO)
     airprobe | GSM sniffer | osmocom team et al.
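The automation steps on slide 30 amount to a small policy engine: a ticket check, a re-authentication, a grant scoped to one function and bounded in time, and an audit trail. The block below is an added example written for this page, not Precisely's Assure Elevated Authority Manager; the ticket system is a constructed dictionary standing in for a Jira or ServiceNow lookup, re-authentication is passed in as a callback so that any password/MFA check can be plugged in, and clock time is a parameter so the expiry can be exercised without waiting.

```python
"""Ticket-gated, time-limited, single-function authority elevation.

Added example for this page (not Precisely's product). The ticket store
is constructed; re-authentication is an injected callback."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Grant:
    user: str
    function: str      # exactly one function, e.g. "CHGUSRPRF PASSWORD"
    ticket: str
    expires: float     # epoch seconds


class ElevationBroker:
    def __init__(self, ticket_states: Dict[str, str],
                 reauthenticate: Callable[[str], bool], ttl_seconds: int = 900) -> None:
        self.ticket_states = ticket_states      # ticket id -> workflow state
        self.reauthenticate = reauthenticate    # user id -> True if password/MFA passed
        self.ttl = ttl_seconds
        self.grants: List[Grant] = []
        self.audit: List[str] = []              # stands in for job log / screen capture

    def _log(self, now: float, line: str) -> None:
        self.audit.append(f"{now:.0f} {line}")

    def request(self, user: str, function: str, ticket: str, now: float) -> Optional[Grant]:
        """Slide 30 steps 1-3: ticket must be 'In Progress', user must
        re-authenticate, then a bounded grant is issued and logged."""
        state = self.ticket_states.get(ticket)
        if state != "In Progress":
            self._log(now, f"DENY {user} {function} ticket={ticket} state={state}")
            return None
        if not self.reauthenticate(user):
            self._log(now, f"DENY {user} {function} ticket={ticket} reason=reauth")
            return None
        grant = Grant(user, function, ticket, now + self.ttl)
        self.grants.append(grant)
        self._log(now, f"GRANT {user} {function} ticket={ticket} until={grant.expires:.0f}")
        return grant

    def allowed(self, user: str, function: str, now: float) -> bool:
        """Grants lapse on their own (nothing to forget to retract) and cover
        exactly the function they were issued for."""
        self.grants = [g for g in self.grants if g.expires > now]   # lazy expiry
        ok = any(g.user == user and g.function == function for g in self.grants)
        self._log(now, f"{'ALLOW' if ok else 'DENY'} {user} {function}")
        return ok


# Constructed demo: one open ticket, one closed ticket, and a re-auth
# callback that only the help-desk profile passes.
TICKETS = {"HD-42": "In Progress", "HD-7": "Done"}
BROKER = ElevationBroker(TICKETS, reauthenticate=lambda user: user == "HELPDESK", ttl_seconds=900)
```

The time-bounded grant removes the "forgot to retract it" failure mode from slide 29, and because `allowed` matches on the exact function, a grant for a password reset does not also cover deleting or re-pointing the profile.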
  34. How Precisely can help
  35. Assure Security for IBM i
     • Defending against the increasing sophistication and complexity of today's security threats, including malware, requires a comprehensive, multi-layered approach.
     • The key is to maximize the strength of each layer of your defenses, and then ask: "If this layer is breached, what do I have in place to prevent further damage?"
     • Assure Security delivers market-leading IBM i security capabilities that help your organization comply with increasingly stringent cybersecurity regulations and effectively address current and emerging security threats.
  36. Assure Security addresses top security concerns: Data Privacy, Access Control, Monitoring, Malware Defense
     Products in the suite: Assure Encryption, Assure Secure File Transfer, Assure Monitoring and Reporting, Assure Db2 Data Monitor, Assure System Access Manager, Assure Elevated Authority Manager, Assure Multi-Factor Authentication
  37. Assure Security: Addressing Critical Security Challenges
     • Access Control: prevent unauthorized logon; manage users' system privileges; control and restrict access to data, system settings, and command line options
     • Monitoring: automate security and compliance alerts and reports; monitor and block views of sensitive data; integrate IBM i security data into SIEM solutions
     • Malware Defense: harden all systems and data against attacks; automate and integrate security technologies and management; design for depth and resilience if one or more defenses fail
     • Data Privacy: encrypt IBM i data; secure encryption key management; tokenization and anonymization; file transfer security for data in motion
  38. Questions?

Editor's notes

  1. This slide is from the point of view of business data.
  2. We need to know from the credentials which specific person is accessing the system, not one of several.
  3. Realtek RTL2832U; 45 protocols are listed on this one web page.