Castle Walls Under Digital Siege: Risk-based Security for z/OS

The mainframe remains more resistant to a malicious breach than any other part of the infrastructure. However, like medieval castles, their walls are no longer impregnable. Just as siege engines brought down walls and traitors opened gates, the mainframe faces risks from both technical exploits and social engineering. Learn more about how applying risk-based security to z/OS helps you anticipate attacks and compromises before they occur, so you can enhance your walls of protection around your mission-critical data.

For more information, please visit http://cainc.to/Nv2VOe

Published in: Technology

  1. Castle Walls Under Digital Siege: Risk-based Security and z/OS. Kevin Segreti, Union Bank of California; Jeff Cherrington, CA Technologies. Mainframe, MFT09S. @jcherrington #CAWorld
  2. Abstract: The mainframe remains the most securable platform in the data center. However, like medieval castles, their walls are no longer impregnable. Learn more about how applying risk-based security to z/OS helps you anticipate attacks and compromises before they occur, so you can enhance your walls of protection around your mission-critical data. Kevin Segreti, Assistant Vice President, Union Bank of California. Jeff Cherrington, Sr. Director, Mainframe Security, CA Technologies. © 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
  3. Agenda
     1. What do castles have to do with the mainframe?
     2. Arms race – circa the Middle Ages
     3. Sappers and social engineering
     4. Why the Nordea hack is the mainframe gunpowder
     5. Protecting your castle – a risk-based approach
     6. Question & answer
  4. How History Bears on Protecting the Mainframe Today
     • “Those who cannot remember the past are doomed to repeat it.” George Santayana
     • “A smart [person] learns from their own mistakes; a wise [person] learns from the mistakes of others.” Paraphrased from Anonymous
     • “Only a fool learns from his own mistakes. The wise [person] learns from the mistakes of others.” Otto von Bismarck
  5. Comparing Castles and Mainframes (by purpose)
     • Accumulation of Wealth. Castle: centralized repository for the most valuable assets of the day. Mainframe: centralized repository of the critical assets that define an enterprise’s value.
     • Administration. Castle: focal point for information aggregation, focus for analysis of gathered intelligence for decision making. Mainframe: focal point for information aggregation, focus for analysis of gathered intelligence for decision making.
     • Protection. Castle: progressively more sophisticated architecture protecting against progressively more sophisticated attacks. Mainframe: progressively more sophisticated architecture protecting against progressively more sophisticated attacks.
  6. What Can the History of Castle Technology Tell Us About Managing the Mainframe? The arms race did not originate in the 20th century. Castle fortifications, and the counters attackers developed to overcome them, replicate the last 50 years of the mainframe in many ways. Learning from that history offers direction for the future of the mainframe.
  7. The Beginning – Walls and a Single Gate…
     • Earliest Castles: forts – a single wall with a guarded gate
     • Earliest Mainframe: isolated in the glass house with physical access control
     © International Business Machines Corporation (IBM)
  8. Some Direct Correlations
     • Castles: still required entry and exit of people, requiring guards at the gates.
     • Mainframe: CA ACF2 and, later, IBM RACF and CA Top Secret set the standard for “gate-keeping” of electronic resources.
  9. Earliest Attacks – Bluntest of Forces
     • Castles: rams battered the gates and, once down, the castle was open.
     • Mainframe: forcing entry onto the network gave access to the console.
  10. Escalation – Higher, Thicker Walls Lead to More Sophisticated Engineering of Attacks. Castle builders reinforced gates and heightened and thickened walls… Attackers devised more sophisticated means of brute force.
  11. What’s a Sapper? Direct brute force was not the only or, sometimes, even the most effective means for opening a breach in the castle wall. Soldiers – miners, really – called “sappers” tunneled beneath the walls to weaken their foundations.
  12. Social Engineers are Mainframe “Sappers”
     • The precise mechanics of large-scale breaches seldom come to light fully or quickly
     • Still, some report or speculate that social engineering to obtain credentials lies at the root of recent major breaches
     Data source: informationisbeautiful.net
  13. Social Engineers Tunnel Underneath Mainframe Protections
     • Mainframe external security managers offer no greater protection against social engineering than other IAMs
     • Once a privileged account is compromised, the foundation of all protections is destroyed
  14. Some Direct Correlations
     • Castles: once walls alone were not enough, moats were added.
     • Mainframe: as connectivity increased, we surrounded the mainframe with firewalls.
     [Diagram: a stateful packet inspection firewall between the home network and the Internet. A reply that was requested by a computer on the home network is delivered; traffic that was not requested by a computer on the home network is dropped.]
  15. Gunpowder Changed Everything
     • The advent of gunpowder reduced the cost of attack, while increasing its efficiency
     • Even the mightiest castle could no longer be considered impregnable
  16. How the Nordea Hack is the Mainframe’s Gunpowder. Even the mightiest castle could no longer be considered impregnable… Pirate Bay co-founder Gottfrid Svartholm Warg was charged with hacking the IBM mainframe of Logica, a Swedish IT firm that provided tax services to the Swedish government, and the IBM mainframe of the Swedish Nordea bank, the Swedish public prosecutor said. "This is the biggest investigation into data intrusion ever performed in Sweden," said public prosecutor Henrik Olin. Besides Svartholm Warg, the prosecution charged three other Swedish citizens.
  17. What Do These People Have in Common?
  18. Protection of Mainframe Assets Must Be a Risk-based Approach: Matching Tools To Threats
     • Threat of data breach – data-centric protection supplementing user and resource management
     • Threat of network attack – increased perimeter defenses and more frequent penetration testing
     • Threat of compromised privileged user accounts
        – Event-driven alerts for sensitive transactions
        – Frequent, automated analysis of user activity
        – Additional authentication factors
  19. Protecting Castles’ Contents Changed. Focus shifted from solely keeping attackers out to identifying attackers before they arrived.
     • Identifying attacks before they occur required new strategies, techniques, and tools…
  20. Recommended Sessions (session #, title, date/time, location)
     • Tech Talk: Isn’t one authentication mechanism on z Systems™ enough? 11/18 – 4:30pm, Mainframe Content Center
     • Mainframe Theater: Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? 11/18 – 3:45pm, Mainframe Theater
     • Tech Talk: The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe. 11/19 – 12:15pm, Mainframe Content Center
     • MFX26S: How to Increase User Accountability by Eliminating the Default User in Unix System Services. 11/19 – 1:00pm, Breakers I
     • MFX47S: Top 10 things you should NOT forget when evaluating your security implementation. 11/19 – 2:00pm, Breakers I
  21. Follow Conversations in the Mainframe Content Center: CA Data Content Discovery, CA ACF2™ for z/OS, CA Top Secret® for z/OS, CA Cleanup, CA Auditor. Product X Theater # location. Advanced Authentication – Nov 18th @ 4:30pm. The Known Unknown – Nov 19th @ 12:15pm.
  22. Q & A
  23. For Informational Purposes Only: Terms of this Presentation. © 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary. Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
  24. For More Information. To learn more, please visit: http://cainc.to/Nv2VOe CA World ’15