
MultiValue Security


The Cloud offers great opportunity for disruption in the business world by offering ways to create, test, and deploy applications with greater reach and more simplicity than ever before. Come learn about the Cloud and how Rocket MV is helping you get SaaS-y with capabilities such as Account Based Licensing, RESTful APIs, and micro-services.


Slide 1: MultiValue Security
Nik Kesic, Principal Technical Support Engineer
Steve O’Neal, Principal Sales Engineer

Slide 2: Credits and Acknowledgements
Presenters
• Nik Kesic, Principal Technical Support Engineer
• Steve O’Neal, Principal Sales Engineer
Developers & Reviewers
• Jing Cui, Principal Software Engineer
• John Jenkins, Senior Technical Support Engineer
• Nik Kesic, Principal Technical Support Engineer
• Joan Dunn, Senior Education Consultant
©2015 Rocket Software, Inc. All Rights Reserved.

Slide 3: MV Security
Session abstract (the same text as the description above).

Slide 4: MV Gets SaaS-y
• News articles that spotlight data breaches and security flaws are growing at an alarming rate. Not only are the demands for security increasing, but the requirement to comply with industry standards such as PCI-DSS and HIPAA/HITECH is now a condition of continuing to do business.
• In this session, the presenter will take you through a journey outlining major news stories on data breaches and the dark tricks, such as social engineering and card data harvesting, that criminals commonly use to cause damage. We will talk about the many SSL security flaws, including Heartbleed, POODLE, and FREAK. You will also hear about one operating system provider’s direction that has forced major security policy changes, as well as the audit requirements you must meet to keep up with future security challenges and continue doing business. The session will also highlight how the Rocket MV product family can help you fortify your data and meet compliance requirements.

Slide 5: MV Security Model
Diagram of the model’s components: ADE, SSL, AUDIT, HADR, SSO, PKI, HIPAA, PCI.

Slide 6: Agenda
• Security breaches
• IT infrastructure vulnerabilities
• Trends and industry standards
• APT - Advanced Persistent Threat
• Top 10 threats 2015
• MV security offering
• Resources

Slide 7: Security Breaches of 2014
• P.F. Chang’s - ceased electronic processing of cards and reverted to using so-called “knuckle busters,” mechanical card presses
• Sally Beauty Supply - hacked by the same gang that hacked Target
• ACME Markets - discovered malicious software installed on its networks
• Michaels Stores - about 3 million customer debit and credit cards were acknowledged stolen
• Goodwill Industries - credit card information at approximately 330 stores had been compromised

Slide 8: Security Breaches of 2014
• Jimmy John’s - an intruder stole log-in credentials from Jimmy John’s point-of-sale vendor
• Neiman Marcus - malicious software (malware) was clandestinely installed on the system
• The Home Depot - 56 million card records were hacked
• Target Corporation - around 70 million holiday shoppers had their card data compromised
• JPMorgan Chase - the New York Times reported that 76 million households and 7 million small businesses were involved
Source: http://www.cutimes.com/2014/10/06/10-biggest-data-breaches-of-2014-so-far

Slide 9: Security Breaches of 2015
• Hacking Team - exploits put hundreds of millions of Flash users at risk
• Ashley Madison - ensnared 37 million cheaters
• Anthem - breach affected about one in three Americans
• IRS - data breach led to hackers taking tax returns
• OPM - more than 22 million government workers now vulnerable to blackmail
Source: http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/

Slide 10: Security Breaches of 2015
• Kaspersky - attacked, but reputation dinged
• LastPass - saw potentially millions of passwords accessed
• CVS, Walgreens - hit by credit card breach
• Carphone Warehouse - tops UK breach list
• UCLA Health - failed to encrypt 4.5 million records

Slide 11: Security Breaches
Chart of 2015 breach statistics: http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
Slide 12: IT Infrastructure Vulnerabilities - Heartbleed
• Discovered April 2014
• Exposed the TLS Heartbeat extension vulnerability
• Data could be read from server memory, such as:
  – Private keys
  – Users’ session cookies
  – Passwords
• This issue did not affect versions of OpenSSL prior to 1.0.1
• Rocket Software U2 products must be at OpenSSL 1.0.1m

Slide 13: IT Infrastructure Vulnerabilities - ShellShock
• Disclosed on September 24, 2014
• Exposed a bash shell vulnerability
• OS vendors released fixes
• Rocket Software MV did not produce a variant of bash for its products

Slide 14: IT Infrastructure Vulnerabilities - Poodle
• Disclosed April 2014
• Causes client connections to fall back to SSL 3.0
• Classed as a man-in-the-middle exploit
• Rocket Software U2 products must be at OpenSSL 1.0.1m

Slide 15: IT Infrastructure Vulnerabilities - Freak
• Disclosed on March 3, 2015
• Exposed weak ciphers
• Attackers could intercept data streams
• Rocket Software U2 products must be at OpenSSL 1.0.1m

Slide 16: IT Infrastructure Vulnerabilities - LogJam
• Disclosed on May 20, 2015
• Exposed weak ciphers: allows a man-in-the-middle attacker to force the client and server to use a weak cipher
• Rocket Software U2 products must be at OpenSSL 1.0.1m

Slide 17: Trends and Industry Standards - Microsoft
Microsoft policy change
Microsoft Root Certificate Program
• SHA1 not allowed after January 1, 2016
Disabled security protocols
• SSL 3.0 will be disabled
• TLSv1.0 questionable

Slide 18: Trends and Industry Standards - Java
Oracle Java policy change: starting with the January 20, 2015 Critical Patch Update releases
• Java Runtime Environment has SSLv3 disabled by default
• JDK 8u31
• JDK 7u75
• JDK 6u91
Source: http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

Slide 19: Trends and Industry Standards - PCI
“… SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately.”

Slide 20: Trends and Industry Standards - HIPAA
Follows NIST 800-52
• SSL v3 must not be used
• TLS v1.0 OK for interoperability with non-government systems
• TLS v1.1 and TLS v1.2 (TLS v1.2 recommended)
• Only recommended ciphers to be used
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
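As an added, defender-side illustration of the PCI and NIST SP 800-52 rules on slides 19 and 20 (example code, not from the Rocket deck or the U2 products), this Python snippet builds a TLS client context that refuses SSL 3.0 and early TLS, keeps only forward-secret AEAD suites, and audits the resulting context for the suite families behind POODLE, FREAK and LogJam. The cipher string, the weak-suite markers and the protocol classification are my reading of the slides’ guidance, not Rocket’s configuration.

```python
"""Added example: a TLS client context that follows the PCI and NIST SP 800-52
guidance quoted on the slides (no SSL 3.0, no early TLS, recommended ciphers
only), plus a small audit of what the context actually allows."""
import ssl

# OpenSSL name fragments for suite families the deck warns about: export RSA
# (FREAK), anonymous/weak DH (LogJam) and other suites NIST 800-52 excludes.
# Chosen for this example, not an official list.
WEAK_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5", "ADH", "AECDH")


def hardened_context() -> ssl.SSLContext:
    """Client context: certificate validation on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()             # verifies peer certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0, TLS 1.0, 1.1 off
    # Forward-secret AES-GCM suites only; anonymous and MD5 suites excluded.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the context: floor version, protocols offered, weak suites."""
    ciphers = ctx.get_ciphers()
    return {
        "minimum_version": ctx.minimum_version.name,
        "protocols": sorted({c["protocol"] for c in ciphers}),
        "weak_ciphers": [c["name"] for c in ciphers
                         if any(m in c["name"] for m in WEAK_MARKERS)],
    }


def protocol_status(proto: str, after_pci_deadline: bool) -> str:
    """Classify a negotiated protocol version against slides 19 and 20:
    PCI forbids SSL and early TLS after June 30, 2016; NIST SP 800-52 bans
    SSL 3.0, tolerates TLS 1.0 for non-government interoperability, and
    recommends TLS 1.2 (my reading of the slides, not an official mapping)."""
    if proto in ("SSLv2", "SSLv3"):
        return "forbidden"
    if proto == "TLSv1":
        return "forbidden" if after_pci_deadline else "interop-only"
    if proto == "TLSv1.1":
        return "allowed"
    return "recommended"  # TLSv1.2 and later


if __name__ == "__main__":
    print(audit_context(hardened_context()))
```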
Slide 21: Top Threats for 2015
5. Third-party attacks
4. Mobile malware
3. Social media attacks
2. Sophisticated DDoS attacks
1. IoT: The Insecurity of Things

Slide 22: APT (Advanced Persistent Threat)
“Hackers Don't Need Sophisticated Attacks If You Leave Your Door Unlocked”

Slide 23: APT (Advanced Persistent Threat)
• A set of stealthy and continuous computer hacking processes
• Usually targets organizations and/or nations for business or political motives
• The processes require a high degree of stealth over a long period of time
• Example of an APT - the Stuxnet computer worm

Slide 24: APT (Advanced Persistent Threat) - APT Life Cycle
• Targets specific organizations for a singular objective
• Attempts to gain a foothold in the environment (common tactics include spear-phishing emails)
• Uses the compromised systems as access into the target network
• Deploys additional tools that help fulfill the attack objective
• Covers tracks to maintain access for future initiatives

Slide 25: MV Security Offering
ADE, SSL, AUDIT

Slide 26: MV Software Solution - The Key Paradigm
Confidentiality, integrity and availability
Confidentiality
• Limiting information access and disclosure to authorized users
Integrity
• The trustworthiness of information resources
Availability
• Ensuring information resources are accessible when they are needed

Slide 27: MV Software Solution - The Key Paradigm
Data in transit
• Information we send and receive
Data in use
• Data being processed by an application at the moment of use
Data at rest
• In our hardware systems
• On backup / archive
Slide 28: U2 Offering

Slide 29: Automatic Data Encryption
• Tightly integrated into the UniData and UniVerse engines
• Supported in UniData and UniVerse components including clients, backup utilities, transaction logging, and replication
• Robust key and password management
• Flexible encryption modes
• Easy to manage with Graphical User Interface (GUI) tools and utilities

Slide 30: Automatic Data Encryption
Architecture diagram. Inside the U2 Engine: U2 Applications, U2 BASIC Engine, Data Access, Query Processing, Key Manager, Key Cache and Encryption Engine. On storage: Master Key, Key Store, Encryption Meta Data, Audit Trail and Encrypted Data. Unencrypted data flows to users through U2 clients; the DB / Sys Admin manages the system via XAdmin, uvregen, Wallet, confcmd and encman.

Slide 31: SSL
Secure Sockets Layer (SSL) / Transport Level Security (TLS)
• OpenSSL (the basis of U2 SSL/TLS and encryption)
  – Software libraries that are an open-source implementation of the SSL and TLS protocols and provide cryptographic functions to software systems
  – SSL/TLS allows us to send and receive encrypted information
  – With the correct - and validated - certificate, parties can be certain that they are talking to the intended party, and
  – that data has not been maliciously changed during transmission

Slide 32: Encryption in BASIC Programs
Data Encryption can encrypt data in the U2 data servers, and this encryption extends to all copies of the data
• Light-weight (application-level) encryption: UniBasic or UniVerse BASIC ENCRYPT()
  – Very simple to implement
  – Relies upon ongoing application development
  – Key distribution needs management - Signature / Digest

Slide 33: Securing Data in Use, Transit, and at Rest
Diagram. A client application (any technology: scripts, BASIC, C#, Java) on the Internet/extranet reaches the U2 server through U2 RESTful Services, U2 Web Services, U2 WebDE or the U2 JPA server, with SSL on every hop; Telnet clients on the intranet use SSL or SSH. In the encryption process, a BASIC Encrypt() call with a KEY and IV encrypts and encodes the sensitive fields of the CUSTOMER record (ADDRESS, DOB, SSN) before they are stored, while @ID, FNAME, LNAME, CITY, STATE, ZIP and PHONE remain ASCII; a decrypt subroutine reverses this for authorized reads. The slide shows a sample record (constructed test data) in both its clear and encrypted forms.

Slide 34: Audit Logging - UniVerse Only
UniVerse Audit Logging is designed to be:
• Comprehensive - covers all types of resources and operations
• Flexible - can be configured according to event types and through various policies, as well as before or after starting the system
• Secure - the configuration file is encrypted and can be protected by a password, if desired. The Audit Log file is protected from illegal use and you can also encrypt its content

Slide 35: Audit Logging
The UniVerse Audit Logging implementation provides the following features:
• Classifies events and resources, and audits them based on the classification
• Enables you to configure the location and number of audit files before UniVerse starts
• Allows you to customize U2 database auditing without having to stop and restart UniVerse
• Writes audit records to a UniVerse hashed file or group of files
• Protects the audit file against unauthorized access and modification
Slide 36: D3 Offering

Slide 37: Automatic Data Encryption
File-level encryption
• Provides at-rest encryption of a file using AES-128
String-level encryption
• Encrypts arbitrary strings using built-in BASIC functions

Slide 38: SSL
MVSP APIs
• Allow access to the database through a variety of languages
• SSL may be enabled when establishing the connection
BASIC
• Allows SSL sockets using built-in BASIC functions

Slide 39: Audit Logging
Uses triggers to run a program when an event occurs
All platforms (AIX, Linux, Windows)
• callr (trigger on item read)
• callx (trigger on item update)
• callo (trigger on file open)
• yupt (simple, built-in, program-less trigger on item update)

Slide 40: Audit Logging
Windows specific
• calle (trigger on clear-file)
• callc (trigger on file close)
• calld (trigger on delete-file)

Slide 41: SSH
AIX and Linux
• SSH is in the OS
Windows
• Any commercial SSH server may be used (e.g. Cygwin)

Slide 42: Authentication
D3
• Host
• Traditional

Slide 43: Permissions
• Read access (Retrieval lock)
• Write access (Update lock)
• Used to limit access to users with matching keys
Slide 44: Resources

Slide 45: Call for Action - Upgrade
UniVerse and UniData using OpenSSL 1.0.1m
• UniVerse 11.2.4
• UniVerse 11.2.5 Strongly Preferred
• UniData 7.3.7
• UniData 8.1.0 Strongly Preferred

Slide 46: Call for Action - Upgrade
• wIntegrate 6.3.7
• SBClient 6.3.3
• ODBC 32/64 bit build UCC-3156
• U2 Client Toolkit
  – U2 data client
  – UODOTNET
• U2 DB TOOLS 4.x

Slide 47: SSH
AIX and Linux
• SSH is in the OS
Windows
• Any commercial SSH server may be used (Pragma Fortress)

Slide 48: The Real Enemy Is TIME

Slide 49: Summary
• Information security is vital to all business
• Security starts from the top and everyone must pitch in
• Education and training are key to success
• Choose solutions in line with your business goals
• Know the threats
• Use proper countermeasures
• Implement defense-in-depth and defense-in-layers
• Familiarize yourself with MV security features
• MV Premier Services and MV Professional Services have experience implementing secure solutions

Slide 50: Other MVU Security Sessions
• D3 Security Deep Dive
• Managing the SSL Process
• UniVerse Audit Logging
• Create a Data Encryption Strategy Using ADE

Slide 51: Additional Resources
Find further information
• U2 Documentation set: http://www.rocketsoftware.com/resource/u2-technical-documentation
Links
• https://www.rocketsoftware.com
• https://technet.microsoft.com/
• https://www.oracle.com
• https://openssl.org
• https://www.hhs.gov
• http://www.rocketsoftware.com/training-and-professional-services/rocket-u2
Contacts
• u2askus@rocketsoftware.com
• u2support@rocketsoftware.com

Slide 52: Disclaimer
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON ROCKET SOFTWARE’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY ROCKET SOFTWARE WITHOUT NOTICE. ROCKET SOFTWARE SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
• CREATING ANY WARRANTY OR REPRESENTATION FROM ROCKET SOFTWARE (OR ITS AFFILIATES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS); OR
• ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF ROCKET SOFTWARE.

Slide 53: Trademarks and Acknowledgements
The trademarks and service marks identified in the following list are the exclusive properties of Rocket Software, Inc. and its subsidiaries (collectively, “Rocket Software”). These marks are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. Not all trademarks owned by Rocket Software are listed. The absence of a mark from this page neither constitutes a waiver of any intellectual property rights that Rocket Software has established in its marks nor means that Rocket Software is not the owner of any such marks.
Aldon, CorVu, Dynamic Connect, D3, FlashConnect, Pick, mvBase, MvEnterprise, NetCure, Rocket, SystemBuilder, U2, U2 Web Development Environment, UniData, UniVerse, and wIntegrate
Other company, product, and service names mentioned herein may be trademarks or service marks of others.