
Page 1: Mainframe Security Combating Ransomware

Mainframe Security: Combating Ransomware With File Integrity Monitoring

Presented By: Al Saurette

(403) 818-8625

[email protected]

Page 2: Mainframe Security Combating Ransomware

GSE UK Conference 2020 Charity

• The GSE UK Region team hope that you find this presentation and others that follow useful and help to expand your knowledge of z Systems.

• Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:

http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion

Page 3: Mainframe Security Combating Ransomware

Agenda

• z/OS Ransomware Vulnerability

• A typical attack

• What is file integrity monitoring

• Fixing Security gaps on z/OS

• Breaking news - ATM hack

• Compliance

• Wrap-up and questions

(Slide diagram labels: FIM Engine, Internal Security, Ransomware, Compliance.)

Page 4: Mainframe Security Combating Ransomware

Key staff - Career mainframe system programmers and operations management

• Principals involved in enterprise software since the early 90s

• Products – Beta Harbor, IBM HDC, New Era SAE, BMC ISPW (Compuware)

• 2014, FIM+ concept started as a verification tool for application rollouts

• 2017, No mainframe FIM solution existed (Tripwire, Qualys ….)

• MainTegrity - started

• Build a product for rock solid security that saves time and effort

• Initially breach detection only – now forensics / recovery / change assure / compliance

Making the mainframe relevant through innovation

Page 5: Mainframe Security Combating Ransomware

The Threat

Mainframes stats (ATMs and IMS)

• $7.7 trillion credit card payments (annual)

• 29 billion ATM transactions (annual)

• 12.6 billion transactions (daily)

• ATMs & IMS – who knew?

The IT world is increasingly unsafe

• Dark web: many millions of userid / PW pairs for sale – Troy Hunt [1]

• Some of them are likely from your company

• Criminals using legitimate credentials are indistinguishable from regular staff

• 2-phase attack – compromise the backup first, then attack the real target

[1] https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

Page 6: Mainframe Security Combating Ransomware

Conventional z/OS security

(Slide diagram: a Bad Guy who has stolen credentials and a Rogue Staff member both sit inside the Firewalls & Access Control layer (RACF, TSS, ACF/2), alongside the Good Guys.)

Guard the perimeter

• Insiders are past Firewall / Access Control

1. Bad Guys steal credentials (look legitimate)

2. Trusted employees go rogue (disgruntled, gambling, health)

No matter how good your perimeter defences are, criminals can get in

Don’t care about Insider Threats – maybe you should

Page 7: Mainframe Security Combating Ransomware

Anatomy of z/OS Ransomware

(Slide diagram: the hacker gains access via key logging, a network sniff, a Sys Admin PC, a Dark Web UserID, phishing, an email attachment or email link, or new attacks; the targets are disk, backups, virtual tape and the database; the backup is compromised first, then the database is encrypted, then the ransom note arrives.)

Steps in an Advanced Ransomware Attack[1]

• Reconnaissance

• Penetrate

• Fortify

• Infiltrate

• Spoliation

• Ransom Demand

[1] Eric Vanderburg: The Six Phases of RansomWare Threat https://www.tcdi.com/6-phases-advanced-ransomware-threat/

Page 8: Mainframe Security Combating Ransomware

FIM – the Basics

File Integrity Monitoring (FIM):

• Snapshot files at a trusted level (checksum)

• Save version keys in an encrypted vault

• Later take another snapshot and compare

(Slide diagram: at T1 the Prod System Agent on z/OS 2.3 checksums the loadlibs (APF), proclibs, configs (parms), seq files and USS files; the FIM Server stores the Loadlib, Proclib, Config, Seq file and USS file keys in the Secure Vault and the Result Log records "Baseline Saved".)
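The snapshot / vault / compare cycle above, as an added Python example that is not the product's code, run over an ordinary directory standing in for the libraries a z/OS agent would scan; the vault format (JSON plus an HMAC), VAULT_KEY and the file contents are constructed assumptions. The same baseline comparison is what the whitelisting on Page 10 rests on: a file that is not in the baseline shows up as "added".

```python
# Added example (not MainTegrity's code): the FIM cycle from the slide, modelled
# on a directory of ordinary files standing in for the loadlibs, proclibs and
# parmlibs a z/OS agent would snapshot. Vault format and VAULT_KEY are assumptions.
import hashlib
import hmac
import json
import os
import tempfile

VAULT_KEY = b"constructed-demo-key"  # constructed; use a protected secret for real

def snapshot(root):
    """Snapshot: one SHA-256 'version key' per file under root, by relative path."""
    keys = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                keys[rel] = hashlib.sha256(fh.read()).hexdigest()
    return keys

def seal(keys, vault_key):
    """Baseline saved: the keys plus an HMAC so a tampered vault is noticed too."""
    body = json.dumps(keys, sort_keys=True).encode()
    return {"keys": keys, "mac": hmac.new(vault_key, body, "sha256").hexdigest()}

def validate(root, vault, vault_key):
    """Later scan: check the vault's HMAC, rescan root, diff against the baseline."""
    body = json.dumps(vault["keys"], sort_keys=True).encode()
    if not hmac.compare_digest(vault["mac"], hmac.new(vault_key, body, "sha256").hexdigest()):
        raise ValueError("baseline vault failed its integrity check")
    base, now = vault["keys"], snapshot(root)
    return {"added": sorted(now.keys() - base.keys()),      # not on the whitelist
            "deleted": sorted(base.keys() - now.keys()),
            "modified": sorted(p for p in base.keys() & now.keys() if base[p] != now[p])}

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed T1/T2 scenario: a parmlib member altered and a module added."""
    root = tempfile.mkdtemp()
    write(root, "PARMLIB/TCPIP", b"PORT 2645 161.185.160.93\n")
    write(root, "LOADLIB/PAYMOD", b"\xc3\xd7\xc2 constructed module bytes")
    vault = seal(snapshot(root), VAULT_KEY)                      # T1: baseline saved
    write(root, "PARMLIB/TCPIP", b"PORT 2645 95.31.18.119\n")    # T2: parm changed
    write(root, "LOADLIB/NEWMOD", b"constructed rogue module")   # T2: not in baseline
    return validate(root, vault, VAULT_KEY)                      # T2: validation scan
```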

Page 9: Mainframe Security Combating Ransomware

Validation Scan

(Slide diagram: time marches on; at T2 the Prod System on z/OS 2.3 is scanned again, the new Loadlib, Proclib, Config, Seq file and USS file keys are compared with the T1 keys held in the Trust Vault, and the Result Log records "Validate Success".)

FIM on Windows, Linux, Unix for decades

Tripwire, Qualys, TrustWave

Now on z/OS: MainTegrity

Page 10: Mainframe Security Combating Ransomware

Whitelisting

“Use application whitelisting - only allows systems to execute programs permitted by security policy. ” [1]

“Whitelist is a list of discrete entities, …. that are authorized …in a well-defined baseline. ” [2]

• Auto Discover baselines - APF & Program Product Libs (IMS, CICS, DB2 etc)

• Application scan – dynamic baseline build after QA approval

• Support multiple software versions

• Active enforcement – Monitor the whitelist weekly, alert if needed

Benefit:

• Malware requires program or parm changes – trigger alert

• Real-time security team alerts – text & email

[1] Protect networks from Ransomware – US Government Inter Agency Document https://www.justice.gov/criminal-ccips/file/872771/download

[2] NIST – Guide to Application Whitelisting https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf

(Slide diagram "Mainframe Whitelist": the Secure Vault holding the z/OS 2.3 T1 Loadlib, Proclib, Config, Seq file and USS keys.)

Page 11: Mainframe Security Combating Ransomware

Typical FIM services

Create a z/OS fortress

• Whitelisting[1] – discover / monitor key elements

• Real-time access and FIM alerts via email / text

• Forensic data gathering / display – SMF, approvals

• Policy-driven recovery:

    • Suspend userid, Quarantine

    • Build restore jobs

• Audit records - prove compliance – PCI, NIST, GDPR

• Verify integrity of backups[2] - Checksum

[1] NIST – Guide to Application Whitelisting

[2] European Central Bank, Cyber resilience oversight

Page 12: Mainframe Security Combating Ransomware

Enterprise Design

• FIM Enterprise scope – continuous monitoring of z/OS, applications and subsystems (CICS, DB2, TCP/IP … )

• Executables, JCL, Configs, Backups, Logs, Encrypted, USS

• Auto-Discovery, Zero Admin

• Offload processing to crypto-card / High Availability Design

• Build FIM in to share security info

• Conclusive proof that whole systems are correct

• MF / Open / Cloud tools and SIEMs via REST APIs

• Scheduled, on-demand, batch scans

• Must support new and existing staff, GUI or 3270

• Email & text alerts direct to response team

Make z/OS the most secure platform in the world

Page 13: Mainframe Security Combating Ransomware

FIM Detection: Manage, Detect, Respond, Recover

(Slide diagram: scheduled or on-demand FIM scans and up-to-the-second SMF access data feed Detection; an alert goes to the Response Team, to the SIEM (Splunk, QRadar, others) and to ITSM; clicking the alert in the FIM Forensics GUI opens a line-by-line text compare of the baseline copy against the current copy and shows what's affected, the attack interval, who made the change and the exact time, and whether it was approved and why it was changed; the FIM Vault holds Key 1, Key 2, etc.)

Page 14: Mainframe Security Combating Ransomware

FIM & Recovery

(Slide diagram: the detection and forensics flow of Page 13, extended with a policy-driven Recovery Assistant whose steps are Escalate, Scan, Quarantine, Suspend, Verify Backup, Recovery and Verify Restore.)

Page 15: Mainframe Security Combating Ransomware

FIM & Real-time Events

(Slide diagram: the FIM+ detection and recovery flow of Pages 13 and 14, with SMF log streams feeding FIM+ in real time to raise an early-warning alert.)

Page 16: Mainframe Security Combating Ransomware

Automate Forensics

When an alert is received, one click opens the GUI in any browser and displays the relevant SMF access data.

Click 1 – FIM sends a text / email alert: "Scan 144 - Backup Checksum - Fail"

Click 2 – SMF access data for the failing component (status: Fail):

Access Time          System  Access Type  UserID    Component
2019/06/29 12:45:32  SYSA    Update       SYSUSR02  IMAGECPY.BANKDB.G00V123
2019/06/28 19:27:55  SYSA    Update       SYSUSR02  IMAGECPY.BANKDB.G00V122
2019/06/28 14:15:32  SYSA    Update       SYSUSR02  IMAGECPY.BANKDB.G00V121

Not just a pretty dashboard – Real Command and Control

ServiceNow Info for IMAGECPY.BANKDB.G00V0123 – Change #: NONE – Reason: No approved change record located for this component at this time

Another click fetches change control info from ServiceNow or Remedy dynamically, without needing mainframe skills.

Page 17: Mainframe Security Combating Ransomware

Respond

Click 3 can invoke an instream file compare to show exactly which line changed.

Trusted Component – Incident: SN 2349 – Last good: 2019/05/22 09:39:28

    # Shell script to assign TCP/IP port.
    if test -t 1; then
    TCP/IP Port 2645 161.185.160.93   (New York)
    exit

Suspect Component – Incident: SN 2349 – Error time: 2019/05/22 18:49:03

    # Shell script to assign TCP/IP port.
    if test -t 1; then
    TCP/IP Port 2645 95.31.18.119   (Russia)
    exit

Click 4 – A complete restore can be accomplished by clicking the FIM Recovery Assistant to select and verify all files required.

FIM-based Recovery Assistant

H-Recover File #1 2019/05/22 09:39:28

H-Recover File #2 2019/05/22 09:39:28

H-Recover File #99 2019/05/22 09:39:28

...
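The forensic correlation behind Click 2 and Click 3, as an added Python example that is not the product's code: given the alert's component and attack interval, it finds the SMF update records in that window, checks each against the change records an ITSM lookup would return, and widens to what else an unapproved userid updated. The SMF lines, change tickets, times and the CHANGES lookup are all constructed assumptions.

```python
# Added example (not MainTegrity's code): the correlation the GUI performs behind
# Click 2 and Click 3, run over constructed SMF-style access records and change
# tickets. Record layout, times and the CHANGES dict (standing in for a
# ServiceNow/Remedy query) are constructed assumptions, not the product's API.
from datetime import datetime

FMT = "%Y/%m/%d %H:%M:%S"

# Constructed SMF access records: time, system, access type, userid, component
SMF_ACCESS = """\
2019/06/28 14:15:32 SYSA Update SYSUSR02 IMAGECPY.BANKDB.G00V121
2019/06/28 19:27:55 SYSA Update SYSUSR02 IMAGECPY.BANKDB.G00V122
2019/06/29 09:02:10 SYSA Read OPER01 IMAGECPY.BANKDB.G00V122
2019/06/29 12:45:32 SYSA Update SYSUSR02 IMAGECPY.BANKDB.G00V123
"""
# Constructed approved change records, keyed by (component, userid)
CHANGES = {("IMAGECPY.BANKDB.G00V121", "SYSUSR02"): "CHG0001 nightly image copy"}

def parse_smf(text):
    """Parse the whitespace-separated access records into dicts."""
    recs = []
    for line in text.splitlines():
        d, t, system, atype, user, comp = line.split()
        recs.append({"time": datetime.strptime(f"{d} {t}", FMT), "system": system,
                     "type": atype, "user": user, "component": comp})
    return recs

def investigate(component, last_good, error_time, records, changes):
    """Who updated the suspect component inside the attack interval (last good
    scan to error time), was each update covered by an approved change, and what
    else did any unapproved userid update? Returns the forensic summary."""
    lo, hi = datetime.strptime(last_good, FMT), datetime.strptime(error_time, FMT)
    findings = []
    for r in records:
        if r["component"] == component and r["type"] == "Update" and lo < r["time"] <= hi:
            ticket = changes.get((component, r["user"]))
            findings.append({"who": r["user"], "when": r["time"].strftime(FMT),
                             "approved": ticket is not None, "change": ticket or "NONE"})
    suspects = {f["who"] for f in findings if not f["approved"]}
    also = sorted({r["component"] for r in records if r["user"] in suspects
                   and r["type"] == "Update" and r["component"] != component})
    return {"findings": findings, "also_touched": also}
```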

Page 18: Mainframe Security Combating Ransomware

The Bottom Line

Provide fast answers instead of questions, when time is crucial

           FIM & Access Data*            Classic Response
Detect     Backup Verified or Alert      Hope backups OK
           Send Text - suspend ID        Who should I call?
Respond    Know who did it               Who did it?
           Know what else they did       What else did they do?
           Know when it started          When did it start?
           Automated Forensics           Manual SMF searches
Recover    Restore Assistance            What to recover?
           Restore compromised data      Get ready to pay Ransom
Time       Minutes                       Weeks

Knowledge + Action = Avoidance, not Ransom

Page 19: Mainframe Security Combating Ransomware

Ransomware Defeated

(Slide diagram: the attack-path diagram from Page 7, repeated.)

What can FIM do for you?

• Discover what to monitor

• Early Warning

• Real-time Alerts

• Fast reaction – Forensics

• Scope - what else was affected

• Prevented a ransom attack

Defeat Ransomware & other Malicious exposures – Now!

Page 20: Mainframe Security Combating Ransomware

Breaking News – ATM Hack

Key Points in attack:

• Remote access in a card management system is altered

• Likely requires a change to either anti-fraud parameters or an executable which has been compromised.

• Requires knowledge of the card management system, so most likely an “inside job”

• Most ATM transactions captured by IMS on a mainframe

October 7, 2020 – BULLETIN: ATM CASH-OUT THREAT

The PCI Security Standards Council and ATM Industry Association want to highlight an emerging threat that requires urgent attention.

What is the threat? ATM “cash-out” attack is an elaborate attack in which criminals breach a bank or card processor and manipulate fraud detection controls as well as customer accounts.

Recommended best practices?

1. 24/7 monitoring including File Integrity Monitoring Systems (FIMs)

2. Development and practice of an incident response management system

3. Employee monitoring systems to guard against an “inside job”

4. Strict separation of roles - no one user ID can perform sensitive functions

Page 21: Mainframe Security Combating Ransomware

PCI and FIM

When your Executive goes to sign this, make sure you have done everything you can…

Payment Card Industry Data Security Standard – Process credit/debit Tx?

Sec 10.5.5: Is file-integrity monitoring or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)?

Sec 11.5: Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files?

Without FIM technology you do not comply. Period.

(Slide excerpt of the Attestation of Compliance, Section 3, Part 3 "PCI DSS Validation", Part 3b "Attestation": "Compliant: All sections of PCI DSS complete, all questions answered affirmatively", followed by the Executive Officer's signature, name, date and title lines – your CIO, your CFO, your CEO.)

Page 22: Mainframe Security Combating Ransomware

Proof of Compliance

(Slide screenshot: an on-demand Compliance Report in the typical browser view, Audit Report Date: Oct 27, 2020, with columns View, Scan, Status, Date, Component and System – evidence for audit.)

Page 23: Mainframe Security Combating Ransomware

GDPR

• GDPR is more outcome-based compliance

• Article 43 suggests compliance groups - PCI / NIST / ISO 27001

• Significant penalties – up to 4% of global turnover

• Google received the biggest fine so far in 2020 – €50 million

• Over 220 fines in 2020 (over 45 in Oct) for GDPR violations, exceeding €175 million

Companies affected: Google €50 million, H&M €35 million, Telecom Italia €28 million, British Airways €22 million, Wind €17 million

Only 20% of US, UK, and EU companies are GDPR compliant - 30% yet to start

FIM improves compliance with PCI / NIST / ISO 27001 and so supports Article 32 of GDPR

Ignore at your peril

https://www.iso.org/isoiec-27001-information-security.html

https://gdpr-info.eu/

Page 24: Mainframe Security Combating Ransomware

Banking Cyber Resilience

The ECB and other Central Banks [1] now recommend:

• Validate backups with checksums

• Monitor configuration files

• Add a new layer of security to legacy systems

• Prevent execution of unauthorized code – Whitelisting

• Isolate affected assets after a compromise

• Implement detection systems that trigger and facilitate incident response automatically

[1] European Central Bank, Cyber Resilience Oversight Expectations, Dec 2018

https://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf

Page 25: Mainframe Security Combating Ransomware

Checksums on Backups

ECB says “Backups should be tested regularly to verify their availability and integrity.” [1]

WHY?

• Provide early warning of an impending Ransomware attack.

• A big ransomware attack could impact Financial Market stability

SOLUTION:

• Full scans for smaller backup datasets

• Sample scans are efficient for terabyte-sized backup files

• Creates a key from a user-definable % of the data in the file

• Sample scans are complemented by periodic full scans

• Poly-morphic samples on each scan

• Read only the first and last block (Virtual Tape)

[1] European Central Bank, Cyber Resilience Oversight https://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf

(Slide diagram labels: CheckSum / HASH Validation.)
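The sample-scan scheme above, as an added Python example that is not MainTegrity's code: the assumed design keeps one SHA-256 key per block from a single full scan, and each validation scan then reads only the first and last block plus a user-definable percentage of blocks chosen with a fresh seed, so the sample differs on every scan. BLOCK, the 256 KiB image and the seeds are constructed for the demo.

```python
# Added example (not MainTegrity's code): sampled backup checksum validation as
# the slide describes. Assumed design: the baseline is one SHA-256 key per
# fixed-size block (a full scan, done once); each later scan re-hashes only the
# first and last block plus a user-definable percentage of blocks chosen with a
# fresh random seed ("poly-morphic" samples) and compares them with the baseline.
import hashlib
import random
import secrets

BLOCK = 4096  # demo block size; a virtual-tape image would use a much larger block

def block_keys(data, block=BLOCK):
    """Full scan: one SHA-256 key per block of the backup image."""
    return [hashlib.sha256(data[i:i + block]).hexdigest()
            for i in range(0, len(data), block)]

def sample_blocks(nblocks, percent, seed):
    """Always the first and last block, plus `percent` of the middle blocks
    chosen by `seed`. percent=0 is the first-and-last-block-only check."""
    rng = random.Random(seed)
    middle = range(1, nblocks - 1)
    picked = rng.sample(middle, round(len(middle) * percent / 100))
    return sorted({0, nblocks - 1, *picked})

def sampled_verify(data, baseline, percent=10, seed=None, block=BLOCK):
    """Validation scan. Returns (ok, mismatching block indexes, sampled indexes).
    A changed length can never match, so it fails before any block is read."""
    if (len(data) + block - 1) // block != len(baseline):
        return False, [], []
    seed = secrets.randbits(64) if seed is None else seed   # new sample each scan
    sampled = sample_blocks(len(baseline), percent, seed)
    bad = [i for i in sampled
           if hashlib.sha256(data[i * block:(i + 1) * block]).hexdigest() != baseline[i]]
    return not bad, bad, sampled

def demo(percent=10, seed=12345):
    """Constructed scenario on a 256 KiB image (64 blocks): case A is the image
    encrypted in place (every block differs, as ransomware would leave it);
    case B has a single block overwritten, which a sample may or may not hit."""
    image = random.Random(1).randbytes(1 << 18)
    baseline = block_keys(image)
    encrypted = bytes(b ^ 0x5A for b in image)
    one_block = bytearray(image)
    one_block[40 * BLOCK:41 * BLOCK] = bytes(BLOCK)
    ok_a, _, _ = sampled_verify(encrypted, baseline, percent, seed)
    ok_b, _, sampled = sampled_verify(bytes(one_block), baseline, percent, seed)
    _, bad_full, _ = sampled_verify(bytes(one_block), baseline, 100, seed)
    return {"encrypted_detected": not ok_a, "blocks_read": len(sampled),
            "block40_in_sample": 40 in sampled, "block40_detected": not ok_b,
            "full_scan_bad": bad_full}
```

The one-block case is why the slide pairs sample scans with periodic full scans: whole-file encryption is caught by any sample, but a localised change is caught only when the sample happens to include its block.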

Page 26: Mainframe Security Combating Ransomware

NIST Framework V1.1 (Source: NormShield - MainTegrity Inc. Nov 2020)

(Slide table of the NIST Cybersecurity Framework V1.1 core, with the cells marked * being where FIM gives stronger controls.)

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy

Protect: Access Control; Awareness and Training; Data Security; Info Protection Processes; Maintenance; Protective Technology

Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes

Respond: Response Planning; Communications; Analysis; Mitigate / Improve

Recover: Recovery Planning; Improvements; Communication

* Stronger controls with FIM – annotations on the table: Whitelist / Baseline, Backup Checksum, Contents Comparison, Select Restore Files, Verify Restore, Recovery Assistant

FIM extensions

➢ Whitelists (Baselines)

➢ Verify backup (Checksums)

➢ Ransom early warning

➢ Real-time Alerts

➢ Automated Forensics

➢ Policy-Driven Recovery

➢ Verify restored systems

➢ Audit evidence reports

Better Security = Better Compliance

Page 27: Mainframe Security Combating Ransomware

Why use FIM now?

Because you need to:

• Thwart would-be hackers with Whitelisting and Verified Backups

• React in an instant if problems occur

• Integrate with existing tools - leverage mainframe investments

• Enable the Next Generation of support staff – make the right decisions

• Avoid manual investigation - too much time, effort & skill

• Comply with PCI, NIST, GDPR, Banking cyber-resilience

• Provide crystal clear proof to Auditors

Because tomorrow may well be too late

Page 28: Mainframe Security Combating Ransomware

Mainframes are High Value targets – Protect them adequately

Please submit your session feedback!

• At http://conferences.gse.org.uk/2020/feedback/nn

• This session is 3AD

Page 29: Mainframe Security Combating Ransomware

Reminder - GSE UK Conference 2020 Charity

See the charity note on Page 2: please consider donating to NHS Charities Together at http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion