IBM i Security Study
Post on 19-Oct-2014
Learn from 10 years of IBM i audits, including AS400 audits and iSeries audits. This popular study includes recommendations on iSeries security configurations, iSeries user controls, iSeries client access, and other IBM security tips.
TRANSCRIPT
![Page 1: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/1.jpg)
May 1, 2013
Robin Tatam, Director of Security Technologies
WELCOME
![Page 2: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/2.jpg)
Today’s Agenda
• Introductions
• Regulations on IBM i
• Conducting The Study
• The State of IBM i Security Study
• Resources for Security Officers
• Questions and Answers
![Page 4: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/4.jpg)
About PowerTech
• Premier Provider of Security Solutions & Services
– 16 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security Subject Matter Expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
![Page 6: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/6.jpg)
Why Do I Need To Audit?
• Legislation, such as Sarbanes-Oxley (SOX), HIPAA, GLBA, State Privacy Acts
• Industry Regulations, such as Payment Card Industry (PCI DSS)
• Internal Activity Tracking
• High Availability
• Application Research & Debugging
![Page 7: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/7.jpg)
Which Standards Do I Audit Against?
• Is there a company Security Policy? (We’ve got one to help you get started)
• Guidelines and Standards
– COBIT
– ISO 27002 (formerly known as 17799)
– ITIL
![Page 8: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/8.jpg)
IT Controls—An Auditor’s Perspective
Can users perform functions/activities that are in conflict with their job responsibilities?
Can users modify/corrupt application data?
Can users circumvent controls to initiate/record unauthorized transactions?
Can users engage in fraud and cover their tracks?
![Page 9: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/9.jpg)
The Auditor’s Credo…
Of course I believe you!
(But you still have to prove it to me)
![Page 11: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/11.jpg)
Purpose Of The Study
Help IT managers and auditors understand IBM i security exposures
Focus on top areas of concern in meeting regulatory compliance
Help IT develop strategic plans to address—or confirm—high risk vulnerabilities
![Page 12: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/12.jpg)
How We Collect The Data
PowerTech Compliance Assessment
– Launched from a PC
– Collects security data
– Data for the study is anonymous
Companies are self-selected
– More, or less, security-aware?
Study first published in 2003
– Over 1,700 participants since inception
Schedule your Compliance Assessment at www.PowerTech.com
![Page 13: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/13.jpg)
Be A Part of the Study!
(Diagram: Your PC, Your IBM i Server, Your Vulnerabilities)
(Participation in the Security Study is optional)
![Page 14: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/14.jpg)
Simple summary provides auditor & executives with visual indicators
![Page 15: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/15.jpg)
The IBM i registry is reviewed to see if network events are audited or controlled
![Page 16: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/16.jpg)
*PUBLIC authority levels on application libraries are interrogated
![Page 17: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/17.jpg)
Statistics are retrieved on profile metrics, such as any with default passwords
![Page 18: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/18.jpg)
Review of the system values that impact security
![Page 19: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/19.jpg)
Verify if auditing is active, and what types of audit events are being logged
![Page 20: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/20.jpg)
Determine how many users have Special Authorities (admin privileges)
![Page 21: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/21.jpg)
Six Major Areas of Review
• System auditing
• Privileged users
• User and password management
• Data access
• Network access control
• System security values
![Page 23: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/23.jpg)
State of IBM i Security—Overall
Assessed 101 different systems
A total of:
– 109,251 Users
– 43,104 Libraries
On average, per assessed system there were:
– 1,082 Users
– 427 Libraries
![Page 24: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/24.jpg)
State of IBM i Security—Overall
![Page 25: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/25.jpg)
State of IBM i Security—Overall
WARNING: September 30 will be here SOON!
![Page 26: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/26.jpg)
QSECURITY (System Security Level)
(Chart: System Value QSECURITY vs. No. of Systems)
![Page 27: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/27.jpg)
System Security Level Historically
![Page 28: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/28.jpg)
What Does IBM Say About Security Level 30?
![Page 29: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/29.jpg)
Using QAUDJRN?
Systems Using the System i Audit Journal
![Page 30: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/30.jpg)
Audit Settings Historically
Systems Using the System i Audit Journal (2010-2012)
![Page 31: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/31.jpg)
Top 10 “Invalid Sign-On Attempts” Found
2010: 1,000,000+
2011: 789,962
2012: 154,404
![Page 32: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/32.jpg)
Top 10 “Invalid Sign-On Attempts” Found
10) 7,729
9) 8,333
8) 12,921
7) 19,201
6) 23,183
5) 28,078
4) 147,918
3) 161,427
2) 211,631
1) 567,772
![Page 33: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/33.jpg)
Top 10 “Invalid Sign-On Attempts” Found
6.9 million... All undetected!
But there was one that even shocked us!
![Page 34: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/34.jpg)
What should I look for?
![Page 35: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/35.jpg)
What Good Is Audit Journal Data?
Too much data
Too many places to look
Manual reporting processes
Audit and IT get locked in a request/respond cycle
![Page 36: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/36.jpg)
Is Anyone Paying Attention?
88% of systems were logging audit data but… …only 27% of those had a recognized auditing tool installed
Over 6.9 million invalid sign-on attempts against a single profile!
– Would you be more concerned if you knew it was the QSECOFR profile?
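The numbers above come straight out of the audit journal, which is the point of the slide: the data was logged, nobody was watching it. As an added example, not part of the PowerTech deck or its tools, here is a small Python detector over constructed PW (password) audit entries that aggregates failures per profile and applies a lower alert bar to QSECOFR. The five-field line layout is a constructed stand-in for the QAUDJRN PW record, and the thresholds are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, loosely modelled on QAUDJRN "PW" (password) audit
# entries: timestamp, entry type, violation type, user profile, source.
# 'P' (password not valid) and 'U' (user name not valid) are real PW codes;
# the names, addresses and volumes here are made up for the demo.
SAMPLE_AUDIT = """\
2012-06-01T02:00:01 PW P QSECOFR 10.0.0.25
2012-06-01T02:00:02 PW P QSECOFR 10.0.0.25
2012-06-01T02:00:03 PW P QSECOFR 10.0.0.25
2012-06-01T02:00:04 PW P QSECOFR 10.0.0.25
2012-06-01T02:00:05 PW P QSECOFR 10.0.0.25
2012-06-01T02:00:06 PW P QSECOFR 10.0.0.25
2012-06-01T08:15:10 PW P JSMITH 10.0.1.7
2012-06-01T08:15:40 PW P JSMITH 10.0.1.7
2012-06-01T08:16:02 PW P JSMITH 10.0.1.7
2012-06-01T09:02:11 PW U JSMTIH 10.0.1.7
2012-06-01T09:30:00 CP A MARY 10.0.1.9
"""

PRIVILEGED = {"QSECOFR"}   # the profile behind the study's 6.9 million attempts

@dataclass(frozen=True)
class PwEntry:
    when: datetime
    violation: str   # 'P' bad password, 'U' unknown user name
    user: str
    source: str

def parse_pw_entries(text):
    """Keep only PW entries; other audit types (CP, AF, ...) are ignored."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == "PW":
            when, _, violation, user, source = parts
            entries.append(PwEntry(datetime.fromisoformat(when), violation, user, source))
    return entries

def invalid_signons(entries, threshold=3, privileged_threshold=2):
    """Per-profile failure counts over threshold; privileged profiles get a
    lower bar, and 'U' failures count under the attempted name so a spray of
    guessed names still surfaces."""
    alerts = []
    for user, n in Counter(e.user for e in entries).most_common():
        if n >= (privileged_threshold if user in PRIVILEGED else threshold):
            alerts.append({"user": user, "failures": n,
                           "severity": "HIGH" if user in PRIVILEGED else "MEDIUM"})
    return alerts

def max_burst(entries, user, window_seconds=60):
    """Most failures for `user` inside any window_seconds-long span."""
    times = sorted(e.when for e in entries if e.user == user)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

if __name__ == "__main__":
    found = parse_pw_entries(SAMPLE_AUDIT)
    for alert in invalid_signons(found):
        print(alert, "burst/60s:", max_burst(found, alert["user"]))
```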
![Page 37: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/37.jpg)
Library Authority
The only library authority that keeps users out is *EXCLUDE
A policy of “Least Privilege” calls for *PUBLIC to be excluded and then authorized users granted the appropriate access
You can (potentially) delete objects with only *USE authority to the library
![Page 38: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/38.jpg)
Library Authority
![Page 39: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/39.jpg)
Library Authority—Historically
![Page 40: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/40.jpg)
When New Objects Are Created
Default Create Authority by Library
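Putting the library-authority slides and this one together (only *EXCLUDE keeps *PUBLIC out of a library, and new objects inherit the library's CRTAUT, which as *SYSVAL resolves to the QCRTAUT system value): an added Python example, not from the deck, that scores a constructed list of libraries. Library names and settings are made up; the authority names, CRTAUT(*SYSVAL) and QCRTAUT are real IBM i settings.

```python
from dataclasses import dataclass

# Weakest to strongest *PUBLIC data authority. Only *EXCLUDE keeps *PUBLIC
# out of a library; the deck also notes that mere *USE on the library may
# still allow deleting objects inside it, because deletion is governed by
# authority to the object itself, not to the library.
AUTHORITY_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

@dataclass(frozen=True)
class Library:
    name: str
    public_authority: str    # *PUBLIC authority to the library object
    create_authority: str    # CRTAUT: *SYSVAL, *EXCLUDE, *USE, *CHANGE, *ALL or an authorization list

def effective_crtaut(lib, qcrtaut):
    """CRTAUT(*SYSVAL) means 'whatever the QCRTAUT system value says';
    IBM ships QCRTAUT as *CHANGE, so an untouched library hands every new
    object to *PUBLIC with *CHANGE."""
    return qcrtaut if lib.create_authority == "*SYSVAL" else lib.create_authority

def assess_library(lib, qcrtaut="*CHANGE"):
    """Findings for one library; an empty list means it matches least privilege."""
    findings = []
    if lib.public_authority != "*EXCLUDE":
        findings.append(f"{lib.name}: *PUBLIC has {lib.public_authority} to the library; "
                        "least privilege calls for *EXCLUDE plus explicit grants")
    eff = effective_crtaut(lib, qcrtaut)
    if eff not in AUTHORITY_RANK:
        findings.append(f"{lib.name}: CRTAUT is authorization list {eff}; review its *PUBLIC entry")
    elif AUTHORITY_RANK[eff] >= AUTHORITY_RANK["*CHANGE"]:
        via = " via QCRTAUT" if lib.create_authority == "*SYSVAL" else ""
        findings.append(f"{lib.name}: new objects default to *PUBLIC {eff}{via}")
    return findings

def assess_libraries(libraries, qcrtaut="*CHANGE"):
    """Map of library name to findings, libraries with the most findings first."""
    report = {lib.name: assess_library(lib, qcrtaut) for lib in libraries}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

# Constructed sample libraries (names and settings are made up)
LIBRARIES = [
    Library("PAYROLL", "*CHANGE", "*SYSVAL"),   # typical legacy menu-secured application
    Library("HRDATA", "*EXCLUDE", "*EXCLUDE"),  # the least-privilege target state
    Library("GLAPP", "*USE", "*ALL"),
    Library("ARCHIVE", "*EXCLUDE", "ARCHLST"),  # CRTAUT points at an authorization list
]

if __name__ == "__main__":
    for name, findings in assess_libraries(LIBRARIES).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```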
![Page 41: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/41.jpg)
Network Access Control
Many IBM i applications rely on menu security because…
– It’s easy to build
– It’s the legacy of many existing business applications
Menu security design assumes:
– Access always originates via the menus
– No user has command line access
– Users have no access to SQL-based tools
Menu security is often accompanied by:
– Users being members of the group that owns the objects
– *PUBLIC is granted broad (*CHANGE) access to data
![Page 42: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/42.jpg)
Network Access Control
ODBC isn’t rocket science anymore
![Page 43: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/43.jpg)
Are These Services Running?
![Page 44: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/44.jpg)
Exit Program Coverage
![Page 45: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/45.jpg)
Administrator Privileges
Special Authority (aka Privileges)
All Object
The “gold key” to every object, and almost every administrative operation on the system, including unstoppable data access
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
![Page 46: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/46.jpg)
Administrator Privileges
Special Authority (aka Privileges)
Security Administration
Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
![Page 47: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/47.jpg)
Administrator Privileges
Special Authority (aka Privileges)
I/O Systems Configuration
Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP)
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
![Page 48: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/48.jpg)
Administrator Privileges
Special Authority (aka Privileges)
Audit
The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD)
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
![Page 49: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/49.jpg)
Administrator Privileges
Special Authority (aka Privileges)
Spool Control
This is the *ALLOBJ of Spooled Files. Allows a user to view/delete/hold/release any spooled file in any output queue, regardless of restrictions
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
![Page 50: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/50.jpg)
Administrator Privileges
Special Authority (aka Privileges)
Service
Allows a user to access the System Service Tools (SST) login, although, since V5R1, they also need an SST login
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
![Page 51: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/51.jpg)
Administrator Privileges
Special Authority (aka Privileges)
Job Control
Enables a user to start/end subsystems and manipulate other users’ jobs. Also provides access to spooled files in output queues designated as “operator control”
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
![Page 52: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/52.jpg)
Administrator Privileges
Special Authority (aka Privileges)
Save System
Enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object
* Be cautious if securing objects at only a library level *
*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS
![Page 53: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/53.jpg)
Administrator Privileges
![Page 54: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/54.jpg)
Administrator Privileges
Best Practices call for <10 users with SPCAUTs
![Page 55: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/55.jpg)
Powerful Users Historically
![Page 56: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/56.jpg)
Endless News Reports of Insider Breaches
![Page 57: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/57.jpg)
Minimum Password Length
(Chart: System Value QPWDMINLEN vs. No. of Systems)
![Page 58: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/58.jpg)
Minimum Password Length
Not too hard to guess your way in!
(Chart: System Value QPWDMINLEN vs. No. of Systems)
![Page 59: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/59.jpg)
Default Passwords
(Chart: No. of Systems)
![Page 60: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/60.jpg)
Password Expiration
(Chart: Password Expiration Period (Days) vs. No. of Systems)
![Page 61: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/61.jpg)
How Many Attempts?
(Chart: Maximum Signon Attempts Allowed vs. No. of Systems)
![Page 62: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/62.jpg)
How Many Attempts?
(Chart: Maximum Sign On Attempts Allowed vs. No. of Systems)
Let’s hope this wasn’t the server that experienced 6.9 million invalid attempts
![Page 63: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/63.jpg)
And Then What?
Default Action for Exceeding Invalid Sign On Attempts
![Page 64: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/64.jpg)
Inactive Profiles
(Chart: No. of Profiles)
![Page 65: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/65.jpg)
5250 Command Line
(Chart: No. of Profiles)
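The profile and system-value slides above (special authorities against the <10 best practice, default passwords, inactive profiles, command-line access, and the QSECURITY, password-length and sign-on-attempt charts) reduce to a handful of checks. Here is an added Python example, not the PowerTech assessment tool, that runs them over constructed profile records and a constructed system-value dictionary. QMAXSIGN and QMAXSGNACN are the real system value names behind the attempt charts; the 90-day inactivity window and the 8-character minimum are assumed policy thresholds.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The eight special authorities on the deck's "Administrator Privileges" slides.
SPECIAL_AUTHORITIES = ("*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
                       "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS")

@dataclass(frozen=True)
class Profile:
    name: str
    special_authorities: frozenset   # subset of SPECIAL_AUTHORITIES
    default_password: bool           # password is the profile name
    limit_capabilities: str          # *YES removes the 5250 command line; *PARTIAL/*NO keep it
    last_signon: Optional[date]      # None: never signed on
    enabled: bool = True

# Constructed sample profiles, not data from the study.
PROFILES = [
    Profile("QSECOFR", frozenset(SPECIAL_AUTHORITIES), False, "*NO", date(2013, 4, 30)),
    Profile("OPER1", frozenset({"*JOBCTL", "*SAVSYS"}), True, "*NO", date(2013, 4, 29)),
    Profile("DEV1", frozenset({"*ALLOBJ"}), False, "*NO", date(2012, 11, 2)),
    Profile("CLERK1", frozenset(), False, "*YES", date(2013, 4, 30)),
    Profile("CLERK2", frozenset(), True, "*PARTIAL", None),
    Profile("TEMP9", frozenset(), True, "*NO", date(2012, 6, 1), enabled=False),
]
ASSESSMENT_DATE = date(2013, 5, 1)   # constructed "today" for the inactivity check

# Constructed system values; QMAXSIGN and QMAXSGNACN are the values behind the
# "How Many Attempts?" and "And Then What?" charts.
SYSTEM_VALUES = {"QSECURITY": 30, "QPWDMINLEN": 6, "QMAXSIGN": "*NOMAX", "QMAXSGNACN": 1}

def assess_profiles(profiles, today, inactive_days=90, max_privileged=10):
    """Profile-level findings. inactive_days=90 is an assumed policy; the
    <10 privileged-user bar is the deck's stated best practice."""
    privileged = [p.name for p in profiles if p.special_authorities]
    return {
        "privileged": privileged,
        "too_many_privileged": len(privileged) >= max_privileged,
        "default_password": [p.name for p in profiles if p.default_password],
        # disabled profiles are already contained; flag enabled ones nobody uses
        "inactive": [p.name for p in profiles if p.enabled and
                     (p.last_signon is None or (today - p.last_signon).days > inactive_days)],
        "command_line": [p.name for p in profiles if p.enabled and p.limit_capabilities != "*YES"],
    }

def assess_system_values(sv, min_pwd_len=8):
    """Sign-on related system values against common audit expectations
    (QSECURITY 40+, an 8+ character minimum, a finite lockout count that
    disables both device and profile). Thresholds are assumptions."""
    findings = []
    if int(sv["QSECURITY"]) < 40:
        findings.append("QSECURITY below 40: level 30 lacks the integrity protection that 40 adds")
    if int(sv["QPWDMINLEN"]) < min_pwd_len:
        findings.append(f"QPWDMINLEN {sv['QPWDMINLEN']}: short passwords are easy to guess")
    if sv["QMAXSIGN"] == "*NOMAX" or int(sv["QMAXSIGN"]) > 5:
        findings.append(f"QMAXSIGN {sv['QMAXSIGN']}: unlimited or generous invalid sign-on attempts")
    if int(sv["QMAXSGNACN"]) != 3:
        findings.append(f"QMAXSGNACN {sv['QMAXSGNACN']}: 3 disables both the device and the profile")
    return findings

if __name__ == "__main__":
    print(assess_profiles(PROFILES, ASSESSMENT_DATE))
    print(*assess_system_values(SYSTEM_VALUES), sep="\n")
```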
![Page 66: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/66.jpg)
The Perfect Storm Of Vulnerability
Security awareness among IBM i professionals is generally low
IBM i awareness among audit professionals is generally low
Some of the most valuable data in any organization is on your Power Systems server (System i, iSeries, AS/400)
Most IBM i data is not secured and the users are far too powerful
![Page 67: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/67.jpg)
The Call To Action
1. Conduct a Compliance Assessment (free and deep-dive options)
2. Remediate “low-hanging fruit” such as default passwords and inactive accounts
3. Review appropriateness of profile settings: password rules, limit capabilities (command line), special authorities, etc.
4. Perform intrusion tests over FTP and ODBC to assess data leak risk
5. Evaluate PowerTech solutions to mitigate risk
![Page 68: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/68.jpg)
Comprehensive Security Solutions for Power Systems
![Page 70: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/70.jpg)
Additional Resources
Online Compliance Guide
Security Policy
![Page 72: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/72.jpg)
Questions
![Page 73: IBM i Security Study](https://reader033.vdocument.in/reader033/viewer/2022051411/54440903b1af9f740a8b4761/html5/thumbnails/73.jpg)
Please visit www.PowerTech.com to access:
• Demonstration Videos & Trial Downloads
• Product Information Data Sheets
• White Papers / Technical Articles
• Customer Success Stories
• PowerNews (Newsletter)
• Robin’s Security Blog
• To request a FREE Compliance Assessment
www.powertech.com (800) 915-7700 [email protected]
Thanks for your time!