Common 2009: Getting Started On The Road To Compliance

This is one of the three presentations I provided at COMMON 2009 in Reno, NV

Presentation Transcript

    • IBM i Security: Getting Started On The Road To Compliance (550068)
    • Today's Speaker: Robin Tatam, MSI AS/400 Security Specialist. rtatam@msiinet.com, (515) 246-4111, http://www.linkedin.com/in/robintatam
    • Agenda
      • The Showroom: Which Options Did We Get?
      • Park: Where You Don’t Want To Be
      • 1st Gear: Finding The On Ramp
      • 2nd Gear: Utilize What You Already Have In i And i5/OS
      • 3rd Gear: Network Data And System Access
      • 4th Gear: New Options With IBM i V6R1
      • 5th Gear: Other Considerations And Options
      • 6th Gear: Ongoing Monitoring & Compliance
    • Which Options Did We Get? Included in the base model of IBM i: User Profile Management, Resource Level Security, Exit Program Ready, Anti-Virus Ready, Encryption, Event Auditing, Intrusion Detection System, D.o.D. Certification (C2)
    • Which Options Did We Get? Popular option packages for IBM i: Exit Programs, Anti-Virus, Audit Reporting, Event Monitoring, Compliance Monitoring. You can (and many do!) run without them, but you are a lot safer with them …
    • In Park
    • A Big Gamble: Your users have the virtual “keys” to your corporate data. Do you trust them not to even try to “drive” it? Would you bet your ENTIRE business (or career) on it?
    • Hacking For Dummies? “Security by Obscurity” is no longer a good option … Of course, was it ever?
    • ACT NOW … “It’s time to take ownership of your data, and your servers, and see that security is not an option, but rather a cost of doing business. You should be investing in PROTECTING the very ENGINE that your business relies upon.”
    • … And Avoid Getting Burned!!
    • The State of Security 2008: PowerTech uses anonymous audit data from their Compliance Assessment tool to compile an annual study of security statistics. This study, available online, provides a picture of what System i shops are currently doing with their security controls, and year after year it shows that there is definitely still room (and need) for improvement. Note that the study sample consists of security-aware environments. Source: State of iSeries Security 2008
    • The State of Security 2008: This may be more indicative of IBM’s change to the shipped default than of any conscious planning by the customer. Source: State of iSeries Security 2008
    • The State of Security 2008: Resource security is the only true way to secure your data from ALL access methods. Unfortunately it can also be daunting to the untrained user, as well as somewhat inflexible, so as you can see many people do not change the default public authority of *CHANGE. Source: State of iSeries Security 2008
    • The State of Security 2008: Special Authorities are called “Special” for a reason
    • The State of Security 2008: These problems are not the fault of the ‘end’ user
    • The State of Security 2008: Of the 70%, very few organizations use automated reporting tools or, in my experience, are auditing enough events
    • Don’t Head Down Exposure Road: For 231,000,000 more reasons to turn around, check out http://www.privacyrights.org
    • 1st Gear: Finding The On Ramp (Porsche Cayman S)
    • Document Your Starting Point: Understanding your server’s configuration weaknesses helps define the road ahead, as well as providing a rear-view mirror on your progress.
    • Develop Your Security Policy
      • A Security Policy has two main purposes: (i) define the standards against which to measure your server’s compliance; (ii) provide users with operating policy and procedure
      • Ensure that part (ii) of the Security Policy is agreed to by the users, via a signed agreement (with annual ‘refreshers’) and a legal usage statement on the 5250 sign-on screen
      • The construction of the policy is something that should be done outside of I.T., with executive sponsors; you don’t want I.T. creating policy. It is the job of the Security Officer to interpret those directives into the settings specific to each server platform
      • If you are not sure where or how to start, check out the Open Source Security Policy published by PowerTech (and included in the MSI Security and Compliance Guide), or allow us to help you create one from scratch
    • 2nd Gear: Base i5/OS (Ferrari 599)
    • User Profiles
      • A profile/password is the biggest hurdle you can put between a person and your data, so make it count!
      • Don’t think that “my users could not / would not (know how to) do that”: you already handed them a valid log-in
      • Ensure that profiles are created following a process (and deleted the same way)
      • Use default templates, but NEVER default passwords!
    • User Profiles (cont’d)
      • Audit ‘powerful’ profiles (those users with command line capabilities and/or special authority)
      • Do NOT give *ALLOBJ to a programmer (no matter how much they cry!)
      • Do NOT make Help Desk users security officers just to reset passwords etc.
    • System Values
      • System values are the main properties used to control the way that your system operates, as well as protects itself
      • There is a category for security-related values (*SEC)
      • Understand each system value, and its effect, before setting it. If you need to differ from best practice then document the reason in your security policy
    • System Values (cont’d)
      • Have a mechanism to check your current values against their expected values. 3rd-party tools do this best, but you can manually print and compare
      • Audit for changes to the system values (audit journal entry type ‘SV’)
      • As of V5R2, you can (and should) ‘lock’ down the security-related system values in SST, so that they cannot be changed until they are unlocked there again
    • Resource Security
      • Obtain a copy of the authority-checking algorithm (in the IBM security book, or send me an email)
      • Object-level protection works regardless of interface
      • Use the principle of least access, not the opposite
      • Never make a real user profile or a group profile the owner of your objects, and don’t have IBM profiles (or your programmers) own objects
      • Secure libraries as the first line of defense, but remember that *USE on a library still permits deletion of the objects inside it: whether an object can be deleted is governed by *OBJEXIST authority to the object itself, not by authority to its library
    • Resource Security (cont’d)
      • Secure individual objects if library security is not granular enough
      • Consider adopted authority as an access technique
      • Use authorization lists to simplify the task if there are many objects
      • Audit access to critical objects (and authority failures)
      • Monitor for users downloading data, modifying it and copying it back
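The two Resource Security slides above rest on the order in which the system looks for authority, and on the difference between library and object authority. The script below is an added example, not code from the presentation or from IBM: it models that documented order (the *ALLOBJ special authority first, then the user’s own private or authorization-list entry, then the user’s groups taken together, and only then *PUBLIC) using the standard *ALL/*CHANGE/*USE/*EXCLUDE bundles. The profiles, objects and authorization list in it are constructed sample data; on a real system DSPOBJAUT and CHKOBJ answer the same questions.

```python
"""Simplified model of the order in which IBM i resolves a user's authority to
an object. Added example, not code from the presentation or from IBM; it
follows the documented checking order (*ALLOBJ, the user's own private or
authorization-list entry, the user's group profiles taken together, and only
then *PUBLIC) and the standard authority bundles. The profiles, objects and
authorization list below are constructed sample data.
"""

# The IBM special values are bundles of object rights and data rights.
BUNDLES = {
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*OBJALTER", "*OBJREF",
             "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"},
    "*USE": {"*OBJOPR", "*READ", "*EXECUTE"},
    "*EXCLUDE": set(),
}

# Rights an operation needs on the object it names.
NEEDS = {
    "read": {"*OBJOPR", "*READ"},
    "update": {"*OBJOPR", "*UPD"},
    "delete_records": {"*OBJOPR", "*DLT"},
    "delete_object": {"*OBJEXIST"},
    "execute": {"*EXECUTE"},
}

# Constructed sample data.
USERS = {
    "QSECOFR": {"spcaut": {"*ALLOBJ"}, "groups": []},
    "PGMR1": {"spcaut": set(), "groups": ["PGMGRP"]},
    "PGMGRP": {"spcaut": set(), "groups": []},
    "CLERK1": {"spcaut": set(), "groups": ["CLERKS"]},
    "TEMP1": {"spcaut": set(), "groups": ["CLERKS"]},
    "CLERKS": {"spcaut": set(), "groups": []},
    "OPER1": {"spcaut": set(), "groups": []},
}
AUTLS = {"PAYAUTL": {"entries": {"CLERKS": "*USE"}, "public": "*EXCLUDE"}}
OBJECTS = {
    # The library is secured with *PUBLIC *USE, as the slide recommends ...
    "PAYLIB": {"private": {"PAYOWN": "*ALL"}, "autl": None, "public": "*USE"},
    # ... but the file inside it was left at the shipped default of *CHANGE.
    "PAYLIB/PAYROLL": {
        "private": {"PAYOWN": "*ALL", "PGMGRP": "*ALL", "TEMP1": "*EXCLUDE"},
        "autl": "PAYAUTL",
        "public": "*CHANGE",
    },
}


def _entry(profile, obj):
    """Rights from the profile's own entry on the object or on its
    authorization list, or None when the profile has no entry of its own."""
    if profile in obj["private"]:
        return BUNDLES[obj["private"][profile]]
    autl = AUTLS.get(obj["autl"])
    if autl and profile in autl["entries"]:
        return BUNDLES[autl["entries"][profile]]
    return None


def resolve(user, objname):
    """Return (rights, step): the rights that apply and the step that decided."""
    obj, prof = OBJECTS[objname], USERS[user]
    if "*ALLOBJ" in prof["spcaut"]:
        return BUNDLES["*ALL"], "*ALLOBJ"
    own = _entry(user, obj)
    if own is not None:  # a private entry ends the search, even if it is *EXCLUDE
        return own, "private"
    group_rights, found = set(), False
    for group in prof["groups"]:  # group entries accumulate across all groups
        if "*ALLOBJ" in USERS[group]["spcaut"]:
            return BUNDLES["*ALL"], "group *ALLOBJ"
        entry = _entry(group, obj)
        if entry is not None:
            group_rights |= entry
            found = True
    if found:  # *PUBLIC is not consulted once any group had an entry
        return group_rights, "group"
    public = obj["public"]
    if public == "*AUTL":
        public = AUTLS[obj["autl"]]["public"]
    return BUNDLES[public], "*PUBLIC"


def allowed(user, objname, operation):
    rights, _ = resolve(user, objname)
    return NEEDS[operation] <= rights


def can_delete_object(user, library, name):
    """Deleting an object needs *EXECUTE on the library and *OBJEXIST on the
    object: *USE on the library alone does nothing to prevent it."""
    return (allowed(user, library, "execute")
            and allowed(user, f"{library}/{name}", "delete_object"))


if __name__ == "__main__":
    for user, op in [("CLERK1", "read"), ("CLERK1", "update"),
                     ("TEMP1", "read"), ("OPER1", "delete_records")]:
        rights, step = resolve(user, "PAYLIB/PAYROLL")
        verdict = "allowed" if allowed(user, "PAYLIB/PAYROLL", op) else "denied"
        print(f"{user:7} {op:15} {verdict:7} via {step}")
    for user in ("OPER1", "PGMR1", "QSECOFR"):
        verdict = "allowed" if can_delete_object(user, "PAYLIB", "PAYROLL") else "denied"
        print(f"{user:7} delete PAYROLL  {verdict}")
```

Three things the output makes visible that the slides only state: CLERK1 can read PAYROLL through the authorization list but cannot update it even though *PUBLIC is *CHANGE, because once a group entry is found the public authority is never reached; TEMP1 is shut out by an explicit *EXCLUDE despite belonging to the same group; and PGMR1, who has no authority to PAYLIB beyond the public *USE, can still delete the file because the programmer group was given *ALL on the object itself.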
    • Action Auditing
      • Use CHGSECAUD to perform all the necessary setup tasks
      • Auditing uses an audit journal object (QAUDJRN in QSYS)
      • System values define the events to be audited: QAUDCTL is the on/off switch, QAUDLVL (and QAUDLVL2) controls which actions are audited
      • Create a separate library for the audit data (stored in journal receivers) for easy securing and save/purge
    • Action Auditing (cont’d)
      • Journal receiver maintenance is manual
      • Maintain a single profile with authority to change the auditing options
      • 3rd parties enable push alerting and can even do your monitoring for you
      • Set a policy for data retention (short term and long term) for the audit journal data (defer to your auditors or legal department)
    • 3rd Gear: Network Data And System Access (KTM X-BOW)
    • How Does The Network Affect Me? Don’t worry … simply plug your server in and it protects your data 100% from any network access
    • How Does The Network Affect Me? As long as your ‘network’ only has these … (slide image)
    • How Does The Network Affect Me? For everyone else …
      • This is likely to be your single biggest threat; trust me when I say “Fix it NOW”
      • Resource security controls WILL protect you regardless of the interface, BUT they have to be implemented properly and have no flexibility to vary the authority based on the interface being used: it’s ‘One Size Fits All’
      • Activities that come through the TCP servers are NOT audited: you cannot tell who is downloading (or uploading), running SQL statements, or even executing remote commands
      • Some servers allow command functions and IGNORE a profile’s 5250 command line restriction (LMTCPB)
    • How Does The Network Affect Me?
      • IBM wrote ‘hooks’ into i5/OS (called exit points) but leaves the functionality (accept/reject/audit) of the exit programs to your own programmers
      • Not ALL services are covered (e.g. HTTP)
      • There are over 30 exit points that deal with network access
      • Exit programs are not difficult to write, but the recommended way to go is to purchase a commercial application for tested technology, broader functionality and rapid deployment
      • Oh, did I mention “Fix it NOW”?
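What an exit program actually has to do at each of those hooks is small: look at who is asking, from where, for which function, and answer accept or reject while writing a log line either way. The script below is an added example of that decision logic, not the presentation’s code or any vendor’s product. The exit-point names are the IBM i registration names for the FTP server request validation, database server initiation and remote command server exit points; the rule table, the function labels (GET/PUT/RCMD/CONNECT rather than the exit points’ own operation codes), the request records and the log format are all constructed for the example.

```python
"""Model of the accept/reject/audit decision an exit program makes for a
request arriving through a TCP server. Added example, not the presentation's
code or any vendor's product. Exit-point names are real registration names;
the rule table, function labels, requests and log format are constructed.
"""
from ipaddress import ip_address, ip_network

FTP_REQ = "QIBM_QTMF_SERVER_REQ"   # FTP server request validation
DB_INIT = "QIBM_QZDA_INIT"         # database (ODBC/JDBC) server initiation
REMOTE_CMD = "QIBM_QZRC_RMT"       # remote command server

# Constructed rule table. First match wins; no match means REJECT, because an
# exit program that defaults to accept only documents the problem.
RULES = [
    # (exit point, profile or *GROUP:name or *ALL, function, source network, action)
    (DB_INIT, "*GROUP:CLERKS", "CONNECT", "10.1.0.0/16", "ACCEPT"),
    (FTP_REQ, "PGMR1", "GET", "10.1.50.0/24", "ACCEPT"),
    (FTP_REQ, "PGMR1", "PUT", "10.1.50.0/24", "ACCEPT"),
    (FTP_REQ, "*ALL", "RCMD", "0.0.0.0/0", "REJECT"),
    (REMOTE_CMD, "SCHEDSVC", "RCMD", "10.1.2.7/32", "ACCEPT"),
]


def _subject_matches(rule_subject, request):
    if rule_subject == "*ALL":
        return True
    if rule_subject.startswith("*GROUP:"):
        return rule_subject[7:] in request["groups"]
    return rule_subject == request["user"]


def decide(request, rules=RULES):
    """Return (action, rule_number); rule_number is None for the default reject."""
    src = ip_address(request["source"])
    for number, (exit_point, subject, function, network, action) in enumerate(rules, 1):
        if (exit_point == request["exit_point"]
                and _subject_matches(subject, request)
                and function in (request["function"], "*ALL")
                and src in ip_network(network)):
            return action, number
    return "REJECT", None


def audit_line(request, action, rule_number):
    """One log line per request whatever the decision: this is the record
    that the base TCP servers do not give you."""
    return (f"{request['time']} {request['exit_point']:21} {request['user']:10} "
            f"{request['source']:15} {request['function']:7} "
            f"{request.get('detail', ''):36} {action} "
            f"rule={rule_number if rule_number else 'default'}")


def process(requests, rules=RULES):
    """Run every request through the rules; return the decisions and the trail."""
    decisions, trail = [], []
    for request in requests:
        action, number = decide(request, rules)
        decisions.append(action)
        trail.append(audit_line(request, action, number))
    return decisions, trail


# Constructed sample requests. CLERK1 is assumed to have LMTCPB(*YES) on the
# 5250 side, which the FTP server does not consult; only the rule table stops
# the remote command below.
REQUESTS = [
    {"time": "2009-04-01T09:02:11", "exit_point": DB_INIT, "user": "CLERK1",
     "groups": ["CLERKS"], "source": "10.1.20.15", "function": "CONNECT"},
    {"time": "2009-04-01T09:05:40", "exit_point": FTP_REQ, "user": "PGMR1",
     "groups": ["PGMGRP"], "source": "10.1.50.9", "function": "GET",
     "detail": "/QSYS.LIB/PAYLIB.LIB/PAYROLL.FILE"},
    {"time": "2009-04-01T09:06:02", "exit_point": FTP_REQ, "user": "PGMR1",
     "groups": ["PGMGRP"], "source": "192.168.9.4", "function": "GET",
     "detail": "/QSYS.LIB/PAYLIB.LIB/PAYROLL.FILE"},
    {"time": "2009-04-01T09:10:55", "exit_point": FTP_REQ, "user": "CLERK1",
     "groups": ["CLERKS"], "source": "10.1.20.15", "function": "RCMD",
     "detail": "CHGUSRPRF CLERK1 SPCAUT(*ALLOBJ)"},
    {"time": "2009-04-01T09:12:30", "exit_point": REMOTE_CMD, "user": "SCHEDSVC",
     "groups": [], "source": "10.1.2.7", "function": "RCMD",
     "detail": "CALL PGM(PAYLIB/NIGHTLY)"},
]

if __name__ == "__main__":
    _, trail = process(REQUESTS)
    print("\n".join(trail))
```

The third request shows the deny-by-default rule doing its job: the same programmer who may download from the development subnet is refused from an unknown address without anyone having written a rule for it. The fourth shows the case the slide warns about, a command submitted through FTP by a profile whose command line is “limited” on the green screen.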
    • A System With Menus & Application Security (diagram)
    • An Exit Program Protected System (diagram)
    • 4th Gear: New Options With IBM i V6R1 (Bugatti Veyron)
    • Introducing IBM i V6R1: QPWDRULES, a new system value to define password syntax. If set to anything other than *NONE, the rules it lists replace the individual QPWDxxx syntax system values (such as QPWDMINLEN and QPWDRQDDGT). Rules include: require a special character; require mixed case; prevent an all-numeric password; require x number of digits; require x number of letters; require x number of special characters
    • Introducing IBM i V6R1: QPWDCHGBLK, a new system value to block password changes after a successful password change. Prevents changing the password again for x hours: *NONE, or 1 to 99 hours. The block is not in effect if PWDEXP(*YES) has been specified by the system administrator. A PWDCHGBLK parameter has also been added to the user profile
    • Introducing IBM i V6R1: QPWDEXPWRN sets the password expiration warning interval (warn users of an expiring password; 7 days is the default, range 1 to 99 days). QLMTDEVSSN (Limit Device Sessions) restricts users to a number of active device sessions: 0 = do not limit (existing value), 1 = limit the user to one session (existing value), 2 to 9 = limit the user to x sessions (NEW). The LMTDEVSSN user profile parameter is also extended with this support
    • 5th Gear: Other Options (Koenigsegg CCX)
    • Anti-Virus
      • Firstly, let’s define a “virus” …
      • Native objects are “immune” to traditional virus attacks
      • IFS objects are just as vulnerable as any PC server or desktop, so if you use NetServer (Network Neighborhood), Lotus Domino, WebSphere etc. then consider AV carefully, as it is required by most standards (e.g. PCI)
      • IBM provides support for scheduled scans at V5R2 and scan-on-open/close at V5R3+
    • Anti-Virus (cont’d)
      • The scan engine is provided by (two) 3rd-party providers, both here at the Expo
      • Don’t overlook malicious code, trojan horses etc. that can affect ANY server, including the AS/400
      • The IFS can be scanned by a PC engine, but there are 4 significant reasons not to: speed, bandwidth, the read/write file shares it needs, and the *ALLOBJ profile requirement
    • Encryption
      • Two types: data at rest (database) and data in flight (over the communications media)
      • At-rest encryption is one of the biggest initiatives currently underway and its process often resembles Y2K
      • The Advanced Encryption Standard (AES) is the new U.S. government standard (replacing TDES); another popular solution is PGP
      • ‘Strong’ encryption is regarded as a 128-bit key or better
    • Encryption (cont’d)
      • Do NOT encrypt non-secret information
      • Key management is the ‘key’ to success
      • i5/OS and IBM i have built-in encryption (manually intensive), or you can select 3rd-party tools to reduce the effort
      • ASP encryption (IBM i V6R1) is probably NOT the ‘silver bullet’ answer (you think) that you have been waiting for …
    • Other Considerations
      • SSL connections should always be used (no additional software purchase is required)
      • Consider Single Sign-on (SSO) to reduce password reliance
      • Monitor for libraries above QSYS in the system library list (DSPSYSVAL QSYSLIBL)
      • Monitor for user objects in QSYS (PRTUSROBJ)
      • Document your trigger programs (PRTTRGPGM)
      • Document programs that adopt authority (PRTPGMADP)
    • Other Considerations (cont’d)
      • Document and watch your job schedule entries
      • Use profile switching for admins / security officers
      • Stay on a supported OS release and install PTFs
      • Physically secure the server
      • Audit yourself occasionally or (better yet) hire an independent expert
    • 6th Gear: Ongoing Compliance (Lamborghini Murciélago)
    • Compliance Reporting
      • i5/OS has limited reporting capabilities, so use commercial applications or your own programs
      • TIP: You must be auditing the required types of information before you can report on it
      • Use DSPAUDJRNE to display data if you know the journal entry types that you want (e.g. CP = changes to a user profile). The entry types are listed in the IBM security book or in the help text of the display
    • Compliance Reporting (cont’d)
      • Use CPYAUDJRNE to extract the data into an output file, then query it or run a program against it
      • Journal data is unformatted and a little hard to interpret
      • Report on audit journal entries and also on static metrics (profile settings, system values etc.)
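The two Compliance Reporting slides, together with the earlier advice to check current system values against their expected values and to audit for ‘SV’ changes, describe one report with two inputs. The script below is an added example of that report, not the presentation’s own or a vendor tool. The system-value names and the audit entry types it uses (SV, CP, AF, PW) are real; the expected values are an illustrative policy, the captured values are constructed, and each audit row is a simplified (type, timestamp, user, detail) tuple standing in for the CPYAUDJRNE output-file layout.

```python
"""Compliance report over two kinds of evidence: static metrics (security
system values compared with the policy's expected values) and audit journal
entries. Added example, not the presentation's own or a vendor tool. System
value names and entry types are real; the policy, the captured values and the
audit rows are constructed and simplified.
"""
from collections import Counter

# Constructed policy: (check, expected), read as "current value must ...".
BASELINE = {
    "QSECURITY": ("at_least", 40),
    "QPWDMINLEN": ("at_least", 7),
    "QPWDEXPITV": ("at_most", 90),
    "QMAXSIGN": ("at_most", 5),
    "QMAXSGNACN": ("one_of", {"2", "3"}),  # disable the profile, not only the device
    "QINACTITV": ("not_equal", "*NONE"),
    "QAUDCTL": ("includes", "*AUDLVL"),
    "QAUDLVL": ("includes", "*AUTFAIL"),
}

# Constructed capture, as keyed in from DSPSYSVAL output.
CAPTURED = {
    "QSECURITY": "30",
    "QPWDMINLEN": "6",
    "QPWDEXPITV": "90",
    "QMAXSIGN": "3",
    "QMAXSGNACN": "1",
    "QINACTITV": "*NONE",
    "QAUDCTL": "*AUDLVL *OBJAUD",
    "QAUDLVL": "*AUTFAIL *SECURITY *SAVRST",
}


def _compliant(current, check, expected):
    if check == "at_least":
        return int(current) >= expected
    if check == "at_most":
        return current != "*NOMAX" and int(current) <= expected
    if check == "one_of":
        return current in expected
    if check == "not_equal":
        return current != expected
    if check == "includes":
        return expected in current.split()
    raise ValueError(check)


def check_system_values(captured=CAPTURED, baseline=BASELINE):
    """Return one (name, current, rule, status) row per baseline entry."""
    rows = []
    for name, (check, expected) in baseline.items():
        current = captured.get(name, "<not captured>")
        ok = current != "<not captured>" and _compliant(current, check, expected)
        rows.append((name, current, f"{check} {expected}", "OK" if ok else "FAIL"))
    return rows


# Constructed audit rows: (entry type, timestamp, user, detail).
AUDIT = [
    ("SV", "2009-03-30 17:45", "QSECOFR", "QSECURITY 40 -> 30"),
    ("CP", "2009-03-31 08:10", "HELPDESK", "CHGUSRPRF CLERK7 PASSWORD"),
    ("CP", "2009-03-31 08:12", "HELPDESK", "CHGUSRPRF HELPDESK SPCAUT(*ALLOBJ *SECADM)"),
    ("AF", "2009-03-31 09:01", "TEMP1", "PAYLIB/PAYROLL *FILE"),
    ("AF", "2009-03-31 09:01", "TEMP1", "PAYLIB/PAYRATE *FILE"),
    ("AF", "2009-03-31 09:02", "TEMP1", "PAYLIB/PAYHIST *FILE"),
    ("PW", "2009-03-31 22:14", "QSECOFR", "192.168.9.4"),
    ("PW", "2009-03-31 22:14", "QSECOFR", "192.168.9.4"),
    ("AF", "2009-04-01 10:20", "CLERK1", "PAYLIB/PAYRATE *FILE"),
]


def audit_findings(entries=AUDIT, af_threshold=3):
    """Summarise the entries into the findings an auditor asks for."""
    by_type = Counter(e[0] for e in entries)
    af_per_user = Counter(e[2] for e in entries if e[0] == "AF")
    return {
        "counts": dict(by_type),
        "system_value_changes": [e for e in entries if e[0] == "SV"],
        "special_authority_grants": [e for e in entries
                                     if e[0] == "CP" and "SPCAUT(" in e[3]],
        "repeat_authority_failures": {u: n for u, n in af_per_user.items()
                                      if n >= af_threshold},
        "invalid_passwords_for_powerful_profiles": [
            e for e in entries if e[0] == "PW" and e[2] == "QSECOFR"],
    }


if __name__ == "__main__":
    for row in check_system_values():
        print("{:11} {:28} {:22} {}".format(*row))
    for key, value in audit_findings().items():
        print(f"{key}: {value}")
```

Note how the two halves corroborate each other: the static check reports QSECURITY at 30 against a baseline of 40, and the SV entry shows who lowered it and when. Neither the CP entry in which the Help Desk profile grants itself *ALLOBJ nor the burst of authority failures from TEMP1 would be visible at all unless *SECURITY and *AUTFAIL were already in QAUDLVL, which is why the slide’s TIP comes first.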
    • Policy Adherence
      • Now that you have a policy, and have your system in a condition of adherence, determining continual ongoing compliance is the final step
      • Assess new threats, and continue to tune the policy and settings accordingly
      • Perform periodic reviews of security-related settings and user profile parameters
    • Policy Adherence (cont’d)
      • Build a process of reports and metrics to be monitored, although doing this manually can be time consuming and hard to do
      • Evaluate the benefit of a native commercial solution to allow the system to more rapidly self-monitor and advise of compliant/non-compliant status
    • You’re At Maximum RPM (Porsche 911 GT1)
    • Additional Resource: introduces the main areas of compliance on ‘i’, with info on premium solution providers and solutions. A supplemental CD has trial software, reference materials and sample audit deliverables. http://www.msiinet.com/white-paper/compliance-guide/
    • Questions