IBM i Security Expert Uncovers Dirty Little Secret
- 2. © 2015 HelpSystems, LLC. All trademarks and registered trademarks are the property of their respective owners
ROBIN TATAM
Director of Security Technologies
robin.tatam@powertech.com
Your Presenter
- 3.
• Has over 25 years of IBM i experience, including 10 years in security
• Is a subject matter expert and award-winning speaker for COMMON
• Officially certified by ISACA as an Information Security Manager
• Holds more than 20 IBM certifications
• Hosts technical presentations on a variety of security topics
• Authors articles on security for leading trade journals and newsletters
• An award-winning photographer
Your Presenter
- 4.
Security vs. Compliance
- 5.
Security
A state of being whose ultimate objective is to prevent unauthorized or undesired activity
Security vs. Compliance
- 6.
Compliance
The adherence to a stated policy or standard
Security vs. Compliance
- 7.
Warning: You can be fully compliant even if the policy or standard does not outline desirable practices!
Security vs. Compliance
Policy:
• Don’t prevent authorized activity
• Allow any user to modify data
• Permit data to be taken home
- 8.
The primary goal of a compliance standard is to act as a guideline to help maintain an acceptable level of operating procedures and security.
Regulations:
– Are not a precise technical roadmap
– Have to be interpreted
– Often outline only a basic minimum
Security vs. Compliance
- 9.
Businesses rely on auditors to be interpreters.
Unfortunately, many don’t speak the ‘i’ language.
Regulation clause: “4.3.2 Privileged account access should…”
IBM i translation: “Don’t grant end users *ALLOBJ”
Security vs. Compliance
- 10.
“Okay SOX, what should I set my system values to?!”
Regulations don’t usually speak ‘technology’, and certainly don’t speak ‘i’.
Security vs. Compliance
- 11.
Far too many organizations approach compliance as the sole objective without seeing the value to their security.
Security vs. Compliance
“What’s the least I can do and still be able to check the box to say I did it?”
- 12.
Unfortunately, the fact that most organizations have to invest so much to achieve compliance shows how our security has fallen short.
Don’t lose sight of security even when your compliance is your primary objective.
Security vs. Compliance
- 13.
Do you have your own regulatory directive?
Security vs. Compliance
- 14.
Maybe you say NO! as you don’t have to deal with PCI, HIPAA, SOX, GLBA, BASEL II, etc.
Security vs. Compliance
- 15.
But everyone should have one
Security vs. Compliance
- 16.
It’s called a Security Policy
Security vs. Compliance
- 17.
A security policy is a map to guide employees and may contain many levels targeted at different audiences, business units, or purposes.
Corporate: What the business goal is
Information Technology: How to configure the technology to support the business goals
End User: Acceptable use policies
Security vs. Compliance
- 18.
How susceptible is my IBM Power Systems server to attack?
“I was assured this server was secure!”
Why Do We Care? We’re On Power Systems!
- 20.
The IBM i operating system is secure
Why Do We Care? We’re On Power Systems!
- 21.
Why Do We Care? We’re On Power Systems!
- 22.
Why Do We Care? We’re On Power Systems!
What do you think?
- 23.
The IBM i operating system is secure
Why Do We Care? We’re On Power Systems!
- 24.
The IBM i operating system is highly securable
Why Do We Care? We’re On Power Systems!
- 25.
Secure vs. Securable
A Common Misconception
- 26.
They’re On To Us!
- 27.
“Security by obscurity” is no longer a good option…
Of course, it never really was!
Hacking for Dummies?
Security By Obscurity
- 28.
IBM i contains numerous world-class security features!
But are you using them?
A Common Misconception
- 29.
What’s integrated?
– Intrusion Detection System (IDS)
– Support for Role-Based Access Control (RBAC)
– Object-level security
– Event auditing
– Operating system integrity protection
– Security exit points
What Comes Free (or Cheap)?
- 30.
What else is needed?
– Security exit programs
– User provisioning and management
– Real-time audit notification
– Database monitoring
– Audit and compliance reporting and control
– Anti-virus software
What Upgrades Are Available?
- 31.
An Alarming State
State of IBM i Security
- 32.
PowerTech uses anonymous audit data from our Compliance Assessment tool to compile an annual study of security statistics.
This study (available online) provides a picture of what IBM i shops are currently doing with their security controls.
And, year after year, it shows that there is definitely still room (and a need) for improvement!
Where Is Improvement Needed?
State of IBM i Security Study, 2015 edition: www.helpsystems.com/powertech (resources / white-papers)
- 33.
QSECURITY: System Security Level
- 34.
Library Authority
- 35.
Password Frenzy
Not too hard to guess your way in!
- 36.
Who’s Using the Audit Journal?
- 37.
Managing Network Access
- 38.
Exit Point Coverage
- 39.
Exit Point Coverage
- 40.
PowerTech Network Security
• Modern Browser-based UI
• Multi-Partition Aware
• Real-time Dashboards
• Transaction Reports
• Access Control
• Alert Notification
• On-going development
• World-class Support
Comprehensive Exit Point Coverage
from the leader in IBM i Security
- 41.
Managing Privileged Users
- 42.
Programmers: claim they need *ALLOBJ authority to fix production applications
System Administrators: claim they need *IOSYSCFG authority to configure and change the system, and *SECADM (and perhaps *ALLOBJ) to reset passwords
Operators: claim they need *JOBCTL, *SPLCTL, and *SAVSYS to IPL and to do backups and other specialized functions
Vendors: can’t imagine running without security officer rights
Privileged Users
- 43.
END USER #427
Oh, and…
- 44.
END USER #427 (as shown in Operations Navigator):
Limit Capabilities: *NO
User Class: *PGMR
Initial Menu: QSYS/MAIN
Special Authorities: *ALLOBJ, *JOBCTL
Hackers Aren’t The Only Threat
- 45.
Endless Examples of Insider Breaches
- 46.
Don’t ever assume that “my users could not/would not (know how to) do that” because you already gave them a valid login.
It CAN Happen To You
- 47.
The #1 issue cited by auditors is: control and monitoring of powerful users
Auditors Are In Agreement
- 48.
What defines a powerful user?
1. Carries one or more special authorities
2. Has been granted private authority
3. Has access to a system with permissive public access to production data
PLUS the ability to execute commands
What is Powerful?
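The three criteria above, as an added worked example that is not part of the presentation or of any HelpSystems/PowerTech product: a small Python audit helper that applies the definition to user profile records. Everything in it is constructed or assumed: the sample profiles and libraries (ENDUSER427 mirrors the attributes on the END USER #427 slide, the rest are made up), the mapping of fields to DSPUSRPRF / DSPOBJAUT / QSYS2 services noted in the docstring, and the modelling choice that LMTCPB(*YES) only counts as a control once exit programs cover the network servers. It goes slightly beyond the slide by running the same profiles against both a shipped (*PUBLIC *CHANGE) and a hardened (*PUBLIC *EXCLUDE) library configuration, which is the "allow-all to deny-all" point made later in the deck.

```python
"""Added example (not code from the presentation or from HelpSystems/PowerTech):
flag IBM i user profiles that meet the deck's three-part "powerful user"
definition, combined with the ability to execute commands.

All profile records and library authorities below are constructed test data.
Assumed mapping to a live system: the same fields come from DSPUSRPRF
(USRCLS, LMTCPB, SPCAUT), DSPOBJAUT on each production library, or the
QSYS2.USER_INFO and QSYS2.OBJECT_PRIVILEGES SQL services.
"""
from dataclasses import dataclass, field

# Special authorities a profile can carry via SPCAUT(...).  *ALLOBJ alone
# bypasses every object-level authority check on the system.
SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SECADM", "*IOSYSCFG", "*JOBCTL",
                       "*SPLCTL", "*SAVSYS", "*SERVICE", "*AUDIT"}

# *PUBLIC values that let any profile on the system change data in a library.
PERMISSIVE_PUBLIC = {"*CHANGE", "*ALL"}

# QCRTAUT (the system value new objects inherit) ships as *CHANGE, which is
# the "allow-all" default the deck refers to.  Used when a library is unlisted.
DEFAULT_PUBLIC = "*CHANGE"


@dataclass
class UserProfile:
    name: str
    user_class: str                 # USRCLS: *USER, *PGMR, *SYSOPR, *SECADM, *SECOFR
    limit_capabilities: str         # LMTCPB: *YES, *PARTIAL or *NO
    special_authorities: frozenset = frozenset()
    # production library -> private authority granted to this profile
    private_authorities: dict = field(default_factory=dict)


def can_run_commands(profile, network_exit_points_in_place):
    """The 'PLUS' in the deck's definition: can this profile actually issue commands?

    LMTCPB(*YES) removes the 5250 command line; *PARTIAL and *NO keep it.
    Modelling assumption: LMTCPB is a green-screen control.  Until exit
    programs sit on the network servers (ODBC/JDBC, FTP, remote command),
    a profile can still run SQL or call QCMDEXC from a PC, so LMTCPB is only
    credited as a control once those exit points are covered.
    """
    if not network_exit_points_in_place:
        return True
    return profile.limit_capabilities in ("*NO", "*PARTIAL")


def powerful_reasons(profile, public_authority, production_libraries,
                     network_exit_points_in_place=False):
    """Return why a profile is 'powerful' per the deck's definition, or [] if it is not."""
    reasons = []

    # 1. Carries one or more special authorities.
    spcaut = sorted(profile.special_authorities & SPECIAL_AUTHORITIES)
    if spcaut:
        reasons.append("special authority: " + ", ".join(spcaut))

    # 2. Has been granted private authority to production data.
    private = {lib: aut for lib, aut in profile.private_authorities.items()
               if lib in production_libraries}
    if private:
        reasons.append("private authority: " + ", ".join(
            f"{lib}={aut}" for lib, aut in sorted(private.items())))

    # 3. Sits on a system whose production data is open to *PUBLIC.  This one
    #    applies to every profile on the box, which is why the average count
    #    of powerful users per server is so high.
    open_libs = sorted(lib for lib in production_libraries
                       if public_authority.get(lib, DEFAULT_PUBLIC) in PERMISSIVE_PUBLIC)
    if open_libs:
        reasons.append("permissive *PUBLIC: " + ", ".join(open_libs))

    # Authority without a way to exercise it does not make the profile powerful.
    if reasons and not can_run_commands(profile, network_exit_points_in_place):
        return []
    return reasons


def audit(profiles, public_authority, production_libraries,
          network_exit_points_in_place=False):
    """Map each profile name to its list of reasons (empty list = not powerful)."""
    return {p.name: powerful_reasons(p, public_authority, production_libraries,
                                     network_exit_points_in_place)
            for p in profiles}


# Constructed sample data.  ENDUSER427 copies the attributes from the
# "Hackers Aren't The Only Threat" slide; the others are made up for contrast.
PRODUCTION_LIBRARIES = {"PAYROLL", "ORDERS"}
PUBLIC_AUTHORITY_ALLOW_ALL = {"PAYROLL": "*CHANGE", "ORDERS": "*CHANGE"}   # as shipped
PUBLIC_AUTHORITY_DENY_ALL = {"PAYROLL": "*EXCLUDE", "ORDERS": "*EXCLUDE"}  # after corrective action

SAMPLE_PROFILES = [
    UserProfile("ENDUSER427", "*PGMR", "*NO", frozenset({"*ALLOBJ", "*JOBCTL"})),
    UserProfile("OPERATOR1", "*SYSOPR", "*PARTIAL", frozenset({"*JOBCTL", "*SPLCTL", "*SAVSYS"})),
    UserProfile("CLERK01", "*USER", "*YES"),
    UserProfile("ANALYST7", "*USER", "*NO", private_authorities={"ORDERS": "*CHANGE"}),
]

if __name__ == "__main__":
    for scenario, public, exits in [
        ("allow-all, no exit programs", PUBLIC_AUTHORITY_ALLOW_ALL, False),
        ("deny-all, exit programs in place", PUBLIC_AUTHORITY_DENY_ALL, True),
    ]:
        result = audit(SAMPLE_PROFILES, public, PRODUCTION_LIBRARIES, exits)
        print(f"{scenario}: {sum(1 for r in result.values() if r)} of {len(result)} powerful")
        for name, reasons in result.items():
            print(f"  {name:<11} {'; '.join(reasons) or '-'}")
```

In the shipped configuration every one of the four sample profiles is flagged, including the limited-capability clerk, because *PUBLIC *CHANGE on production libraries plus an unguarded ODBC or FTP path makes command capability irrelevant. After locking the libraries down and covering the network exit points, only the profiles that actually hold special or private authority remain, which is the population Authority Broker-style controls and audit journaling are meant to shrink and watch.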
- 49.
How Many On Each Server (Average)?
- 50.
5
Mistakes Are Made
- 51.
Grant privileges on an as-needed basis.
User actions should be audited to ensure accountability and visibility into each individual’s activities.
This is required to satisfy virtually all regulatory mandates worldwide.
Mitigate This!
- 52.
PowerTech Authority Broker
Flow: user profile lacks necessary authority → switch-profile request submitted → authority increased
• Comprehensive Reporting
• Profile Swap Alerts
• Separation of Duties
- 53.
PowerTech Authority Broker
- 54.
PowerTech Authority Broker
Easy-to-read (and searchable) visibility to:
• Interactive SQL
• Data File Utility (DFU)
• System Service Tools (SST)
• Program Development Manager
- 55.
A Common Myth
- 56.
‘i’ can contract a virus!
Long thought to be immune to the virus threat, IBM i can actually act as the source of virus problems on your network.
Virus activity can be discovered on:
• Mapped Drives
• FTP
• Image Catalogs
• Backup Tapes
• High Availability
A Common Myth
- 57.
Who’s Scanning For Viruses?
- 58.
Where Next?
Wrapping Up
- 59.
• Data is secured by out-of-date methods (if at all).
• Management assumes data is secured as no one is advising them otherwise.
• Regulatory demands are the primary catalyst of change.
The Past and The Present
- 60.
• More regulatory mandates trying to stem data loss.
• Businesses will be called upon to react faster using more calculated methods.
• Potential for corporate and consumer “breach fatigue.”
The Future
- 61.
Do NOthing
The Worst Plan
- 62.
Take ACTion
The Best Plan
- 63.
• IT Security has (but has to keep) executive attention
– This is the best opportunity to solve long-standing problems
– Gain management approval now
– Fight symptoms of “breach fatigue”
• Control users with broad authority to production data
– Leaving users unchecked is both an audit exception and an accident waiting to happen
– Don’t accept that powerful users have to be limitless
• Limit the use of—and necessity for—powerful profiles
– Monitor and report when power is used
Summary
- 64.
• SECURITY and COMPLIANCE are not the same
• IBM i ships in an “allow-all” configuration and CORRECTIVE ACTION must be taken to move to a “deny-all” configuration
• Evaluate coverage and functionality of 1st gen security tools
• OS and tooling should play COMPLEMENTARY ROLES
• RISK can (and should) be reduced; it’s never totally eliminated
Summary
- 65.
How Can PowerTech Help Us?
- 66.
6 categories of review
Completes in under 5 minutes
Includes executive summary
Accompanied by live review and Q&A
Personalized recommendations
7-day grace period
FREE!
Option 1: Security Scan
- 67.
Did I Remember To Mention…
- 68.
System Auditing Controls
Unsecured Profiles
Public Authorities
Password Policy
Administrative Rights
Analyzed by Leading Industry Experts
Option 2: Risk Assessment
- 69.
Other Available Information
- 70.
Familiarize yourself with the Ponemon Institute.
Perform cost analysis of a breach:
• Forensic analysis
• Notification
• Lawsuits
• Loss of customer confidence
• Corporate embarrassment
• Suspension of ability to trade
• Lowered business valuation
• Jail terms
A significant breach can be an enterprise killer!
Additional Steps for Cost Justification
- 71.
Visit PowerTech online to access:
www.helpsystems.com/powertech
• State of IBM i Security Study
• Online Compliance Guide
• Open source security policy
• Articles
• Webinars/educational events
• White papers
• e-newsletter
• Security solution datasheets
Free Online Resources
- 72.
Thank You For Joining Me
ROBIN TATAM
Director of Security Technologies
robin.tatam@powertech.com
www.helpsystems.com/powertech