IBM i Security Study

488

Published on

Learn from 10 years of IBM i audits, including AS400 audits and iSeries audits. This popular study includes recommendations on iSeries security configurations, iSeries user controls, iSeries client access, and other IBM security tips.

Published in: Technology, Business
Transcript of "IBM i Security Study"

Slide 1: WELCOME
MAY 1, 2013
Robin Tatam, Director of Security Technologies

Slide 2: Today’s Agenda
• Introductions
• Regulations on IBM i
• Conducting The Study
• The State of IBM i Security Study
• Resources for Security Officers
• Questions and Answers

Slide 3: Today’s Speaker
ROBIN TATAM, Director of Security Technologies
952-563-2768
robin.tatam@powertech.com

Slide 4: About PowerTech
• Premier Provider of Security Solutions & Services
  – 16 years in the security industry as an established thought leader
  – Customers in over 70 countries, representing every industry
  – Security Subject Matter Expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report

Slide 5: Today’s Agenda (section divider; same items as slide 2)

Slide 6: Why Do I Need To Audit?
• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations, such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging

Slide 7: Which Standards Do I Audit Against?
• Is there a company Security Policy? (We’ve got one to help you get started)
• Guidelines and Standards
  – COBIT
  – ISO 27002 (formerly known as 17799)
  – ITIL

Slide 8: IT Controls—An Auditor’s Perspective
Can users perform functions/activities that are in conflict with their job responsibilities?
Can users modify/corrupt application data?
Can users circumvent controls to initiate/record unauthorized transactions?
Can users engage in fraud and cover their tracks?

Slide 9: The Auditor’s Credo…
Of course I believe you! (But you still have to prove it to me)

Slide 10: Today’s Agenda (section divider; same items as slide 2)

Slide 11: Purpose Of The Study
Help IT managers and auditors understand IBM i security exposures
Focus on top areas of concern in meeting regulatory compliance
Help IT develop strategic plans to address—or confirm—high risk vulnerabilities

Slide 12: How We Collect The Data
PowerTech Compliance Assessment
  – Launched from a PC
  – Collects security data
  – Data for the study is anonymous
Companies are self-selected
  – More, or less, security-aware?
Study first published in 2003
  – Over 1,700 participants since inception
Schedule your Compliance Assessment at www.PowerTech.com

Slide 13: Be A Part of the Study!
Diagram: YOUR PC, YOUR IBM i SERVER, YOUR VULNERABILITIES
(Participation in the Security Study is optional)
Slides 14–20: Compliance Assessment report screenshots (captions)
• Simple summary provides auditor & executives with visual indicators
• IBM i registry is reviewed to see if network events are audited or controlled
• *PUBLIC authority levels on application libraries are interrogated
• Statistics are retrieved on profile metrics, such as any with default passwords
• Review of the system values that impact security
• Verify if auditing is active, and what types of audit events are being logged
• Determine how many users have Special Authorities (admin privileges)

Slide 21: Six Major Areas of Review
• System auditing
• Privileged users
• User and password management
• Data access
• Network access control
• System security values

Slide 22: Today’s Agenda (section divider; same items as slide 2)

Slide 23: State of IBM i Security—Overall
Assessed 101 different systems
A total of:
  – 109,251 Users
  – 43,104 Libraries
On average, per assessed system there were:
  – 1,082 Users
  – 427 Libraries

Slide 24: State of IBM i Security—Overall (chart)

Slide 25: State of IBM i Security—Overall
WARNING: September 30 will be here SOON!

Slide 26: QSECURITY (System Security Level)
Chart: No. of Systems by System Value QSECURITY

Slide 27: System Security Level Historically (chart)

Slide 28: What Does IBM Say About Security Level 30? (chart)

Slide 29: Using QAUDJRN?
Chart: Systems Using the System i Audit Journal

Slide 30: Audit Settings Historically
Chart: Systems Using the System i Audit Journal (2010-2012)

Slide 31: Top 10 “Invalid Sign-On Attempts” Found
2010: 1,000,000+
2011: 789,962
2012: 154,404

Slide 32: Top 10 “Invalid Sign-On Attempts” Found
10) 7,729
9) 8,333
8) 12,921
7) 19,201
6) 23,183
5) 28,078
4) 147,918
3) 161,427
2) 211,631
1) 567,772

Slide 33: Top 10 “Invalid Sign-On Attempts” Found
But there was one that even shocked us! 6.9 million... All undetected!

Slide 34: What should I look for?

Slide 35: What Good Is Audit Journal Data?
Too much data
Too many places to look
Manual reporting processes
Audit and IT get locked in a request/respond cycle

Slide 36: Is Anyone Paying Attention?
88% of systems were logging audit data but…
…only 27% of those had a recognized auditing tool installed
Over 6.9 million invalid sign-on attempts against a single profile!
  – Would you be more concerned if you knew it was the QSECOFR profile?
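Slides 31–36 show what sits unread in the audit journal when nobody summarises it. The script below is an added example (not from the deck or PowerTech's tools) that counts failed sign-ons per profile from audit-journal PW entries and flags profiles over a site threshold; the entries are constructed sample data in a simplified layout, and the threshold value is an assumption.

```python
"""Added example (not from the PowerTech deck or its tools): summarise invalid
sign-on attempts per user profile from audit-journal PW entries, the check that
would have surfaced the 6.9 million failures the slides describe.
SAMPLE_ENTRIES is CONSTRUCTED data in a simplified (entry type, sub-type, user,
device, timestamp) layout; a real extract would come from QAUDJRN via DSPJRN.
Sub-types 'P' (password not valid) and 'U' (user name not valid) follow IBM's
PW entry convention."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

SAMPLE_ENTRIES = [
    ("PW", "P", "QSECOFR", "QPADEV0001", "2012-11-03T02:14:07"),
    ("PW", "P", "QSECOFR", "QPADEV0001", "2012-11-03T02:14:09"),
    ("PW", "P", "QSECOFR", "QPADEV0002", "2012-11-03T02:14:10"),
    ("PW", "P", "QSECOFR", "QPADEV0003", "2012-11-03T02:14:12"),
    ("PW", "U", "ADMIN",   "QPADEV0002", "2012-11-03T02:15:30"),
    ("PW", "P", "JSMITH",  "QPADEV0017", "2012-11-03T08:02:11"),
    ("CP", "A", "JSMITH",  "QPADEV0017", "2012-11-03T08:05:00"),  # profile change, not a failed sign-on
]

# PW sub-types that mean a failed sign-on; other PW sub-types are deliberately ignored
INVALID_SIGNON_SUBTYPES = {"P", "U"}


def count_invalid_signons(entries: Iterable[Tuple]) -> Dict[str, int]:
    """Failed sign-ons per profile, counting only PW entries with a sign-on sub-type."""
    counts: Counter = Counter()
    for etype, subtype, user, _dev, _ts in entries:
        if etype == "PW" and subtype in INVALID_SIGNON_SUBTYPES:
            counts[user] += 1
    return dict(counts)


def sources_per_profile(entries: Iterable[Tuple]) -> Dict[str, int]:
    """Distinct devices that produced failed sign-ons for each profile (one device vs. many)."""
    devs = defaultdict(set)
    for etype, subtype, user, dev, _ts in entries:
        if etype == "PW" and subtype in INVALID_SIGNON_SUBTYPES:
            devs[user].add(dev)
    return {u: len(d) for u, d in devs.items()}


def top_offenders(entries: List[Tuple], n: int = 10) -> List[Tuple[str, int]]:
    """Top-N profiles by failure count, the view behind the deck's 'Top 10' slide."""
    counts = count_invalid_signons(entries)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def flag_profiles(entries: List[Tuple], threshold: int) -> List[str]:
    """Profiles at or above the alert threshold (the threshold itself is a site assumption)."""
    return sorted(u for u, c in count_invalid_signons(entries).items() if c >= threshold)


if __name__ == "__main__":
    srcs = sources_per_profile(SAMPLE_ENTRIES)
    for user, n in top_offenders(SAMPLE_ENTRIES):
        print(f"{user:<10} {n:>8,} failures from {srcs[user]} device(s)")
    print("ALERT:", flag_profiles(SAMPLE_ENTRIES, threshold=3))
```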
Slide 37: Library Authority
The only library authority that keeps users out is *EXCLUDE
A policy of “Least Privilege” calls for *PUBLIC to be excluded and then authorized users granted the appropriate access
You can (potentially) delete objects with only *USE authority to the library

Slide 38: Library Authority (chart)

Slide 39: Library Authority—Historically (chart)

Slide 40: When New Objects Are Created
Chart: Default Create Authority by Library

Slide 41: Network Access Control
Many IBM i applications rely on menu security because…
  – It’s easy to build
  – It’s the legacy of many existing business applications
Menu security design assumes:
  – Access always originates via the menus
  – No user has command line access
  – Users have no access to SQL-based tools
Menu security is often accompanied by:
  – User being a member of group that owns the objects
  – *PUBLIC is granted broad (*CHANGE) access to data

Slide 42: Network Access Control
ODBC isn’t rocket science anymore

Slide 43: Are These Services Running? (chart)

Slide 44: Exit Program Coverage (chart)
Slides 45–52: Administrator Privileges
Special Authority (aka Privileges): *ALLOBJ, *SECADM, *IOSYSCFG, *AUDIT, *SPLCTL, *SERVICE, *JOBCTL, *SAVSYS
• *ALLOBJ (All Object): The “gold key” to every object, and almost every administrative operation on the system, including unstoppable data access
• *SECADM (Security Administration): Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority
• *IOSYSCFG (I/O Systems Configuration): Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP)
• *AUDIT (Audit): The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD)
• *SPLCTL (Spool Control): This is the *ALLOBJ of Spooled Files. Allows a user to view/delete/hold/release any spooled file in any output queue, regardless of restrictions
• *SERVICE (Service): Allows a user to access the System Service Tools (SST) login, although, since V5R1, they also need an SST login
• *JOBCTL (Job Control): Enables a user to start/end subsystems and manipulate other users’ jobs. Also provides access to spooled files in output queues designated as “operator control”
• *SAVSYS (Save System): Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object. * Be cautious if securing objects at only a library level *
Slide 53: Administrator Privileges (chart)

Slide 54: Administrator Privileges
Best Practices call for <10 users with SPCAUTs

Slide 55: Powerful Users Historically (chart)

Slide 56: Endless News Reports of Insider Breaches

Slide 57: Minimum Password Length
Chart: No. of Systems by System Value QPWDMINLEN

Slide 58: Minimum Password Length
Not too hard to guess your way in!
Chart: No. of Systems by System Value QPWDMINLEN

Slide 59: Default Passwords
Chart: No. of Systems

Slide 60: Password Expiration
Chart: No. of Systems by Password Expiration Period (Days)

Slide 61: How Many Attempts?
Chart: No. of Systems by Maximum Signon Attempts Allowed

Slide 62: How Many Attempts?
Let’s hope this wasn’t the server that experienced 6.9 million invalid attempts
Chart: No. of Systems by Maximum Sign On Attempts Allowed

Slide 63: And Then What?
Chart: Default Action for Exceeding Invalid Sign On Attempts

Slide 64: Inactive Profiles
Chart: No. of Profiles

Slide 65: 5250 Command Line
Chart: No. of Profiles
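Slides 26 through 65 each chart one setting the study measures (QSECURITY, the audit journal, special authorities, QPWDMINLEN, default passwords, sign-on limits, inactive profiles, command-line access, *PUBLIC library authority). The script below is an added example, not PowerTech's Compliance Assessment, that runs those checks over constructed sample data; thresholds marked "deck" come from the slides, while the 8-character minimum, the 90-day inactivity window and the LMTCPB test are this example's assumptions.

```python
"""Added example (not PowerTech's Compliance Assessment): test constructed IBM i
settings against the checks the study's slides report on. Thresholds marked
'deck' come from the slides; the others are this example's assumptions."""
from datetime import date

# Constructed system values (the deck's QSECURITY, QAUDJRN, QPWDMINLEN, QMAXSIGN slides)
SYSTEM_VALUES = {"QSECURITY": 30, "QAUDCTL": "*NONE", "QPWDMINLEN": 4, "QMAXSIGN": "*NOMAX"}

# Constructed profiles; 'default_pwd' stands in for the study's default-password metric
PROFILES = [
    {"name": "QSECOFR", "spcaut": {"*ALLOBJ", "*SECADM"}, "default_pwd": False,
     "last_signon": date(2013, 4, 29), "lmtcpb": "*NO"},
    {"name": "JSMITH", "spcaut": {"*JOBCTL"}, "default_pwd": True,
     "last_signon": date(2013, 4, 20), "lmtcpb": "*NO"},
    {"name": "CLERK1", "spcaut": set(), "default_pwd": False,
     "last_signon": date(2013, 4, 30), "lmtcpb": "*YES"},
    {"name": "OLDVEND", "spcaut": {"*ALLOBJ"}, "default_pwd": True,
     "last_signon": date(2011, 6, 5), "lmtcpb": "*NO"},
]

# Constructed application libraries and their *PUBLIC authority
LIBRARIES = {"PAYROLL": "*CHANGE", "GLDATA": "*USE", "HRAPP": "*EXCLUDE"}


def assess(sysvals, profiles, libraries, today, inactive_days=90):
    """Return {review area: [finding, ...]}; an empty list means that area passed."""
    f = {"system_values": [], "auditing": [], "privileged_users": [],
         "user_password": [], "data_access": []}
    if sysvals["QSECURITY"] < 40:            # deck questions level 30; IBM recommends 40 or above
        f["system_values"].append(f"QSECURITY={sysvals['QSECURITY']}, recommend 40 or higher")
    if sysvals["QMAXSIGN"] == "*NOMAX":      # deck: no limit is how 6.9M failures went unnoticed
        f["system_values"].append("QMAXSIGN=*NOMAX, no limit on invalid sign-ons")
    if sysvals["QAUDCTL"] == "*NONE":        # deck: is the audit journal being used?
        f["auditing"].append("QAUDCTL=*NONE, nothing is written to QAUDJRN")
    powerful = [p["name"] for p in profiles if p["spcaut"]]
    if len(powerful) >= 10:                  # deck: best practice is <10 users with SPCAUT
        f["privileged_users"].append(f"{len(powerful)} profiles hold special authorities")
    f["privileged_users"] += [f"{p['name']} holds *ALLOBJ" for p in profiles
                              if "*ALLOBJ" in p["spcaut"] and p["name"] != "QSECOFR"]
    if sysvals["QPWDMINLEN"] < 8:            # assumption: 8 characters as the floor
        f["user_password"].append(f"QPWDMINLEN={sysvals['QPWDMINLEN']}, too short")
    f["user_password"] += [f"{p['name']} has a default password" for p in profiles if p["default_pwd"]]
    f["user_password"] += [f"{p['name']} inactive for {(today - p['last_signon']).days} days"
                           for p in profiles if (today - p["last_signon"]).days > inactive_days]
    f["user_password"] += [f"{p['name']} has a command line (LMTCPB={p['lmtcpb']})"
                           for p in profiles if p["lmtcpb"] != "*YES"]   # assumption: *YES required
    f["data_access"] += [f"{lib} *PUBLIC is {aut}, not *EXCLUDE"         # deck: only *EXCLUDE keeps users out
                         for lib, aut in libraries.items() if aut != "*EXCLUDE"]
    return f


if __name__ == "__main__":
    for area, findings in assess(SYSTEM_VALUES, PROFILES, LIBRARIES, date(2013, 5, 1)).items():
        print(area, "PASS" if not findings else "\n  " + "\n  ".join(findings))
```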
Slide 66: The Perfect Storm Of Vulnerability
Security awareness among IBM i professionals is generally low
IBM i awareness among audit professionals is generally low
Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400)
Most IBM i data is not secured and the users are far too powerful

Slide 67: The Call To Action
1. Conduct a Compliance Assessment (free and deep-dive options)
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess data leak risk
5. Evaluate PowerTech solutions to mitigate risk

Slide 68: Comprehensive Security Solutions for Power Systems

Slide 69: Today’s Agenda (section divider; same items as slide 2)

Slide 70: Additional Resources
Online Compliance Guide
Security Policy

Slide 71: Today’s Agenda (section divider; same items as slide 2)

Slide 72: Questions

Slide 73: Thanks for your time!
Please visit www.PowerTech.com to access:
• Demonstration Videos & Trial Downloads
• Product Information Data Sheets
• White Papers / Technical Articles
• Customer Success Stories
• PowerNews (Newsletter)
• Robin’s Security Blog
• To request a FREE Compliance Assessment
www.powertech.com | (800) 915-7700 | info@powertech.com