Multi Factor Authentication for Z
Steven Ringelberg
Vanguard Integrity Professionals
go2vanguard.com
About Vanguard
Founded: 1986
Business: Cybersecurity Experts for Large Enterprises
Software, Professional Services, and Training
Customers: 1,000+ Worldwide
Over 20 distributors/resellers serving 50+ countries worldwide
Data Breaches
Number of breaches and outside attacks increasing
Continuing problem of insiders - malicious or by accident
“Target was certified as meeting the standard for payment card industry (PCI DSS) in September 2013. Nonetheless, we suffered a data breach…”
now ex-chairman, ex-president, and ex-CEO of Target Corporation, Gregg Steinhafel (http://buswk.co/1lT9j0X)
Logica and Nordea Bank Mainframe breached in April 2013
Others:
Home Depot
Staples
Anthem Health Insurance
Data Breaches: Two Themes
Mandiant: 2014 Data Breach Report
100% of breaches examined included an exploitation of a user id and password that was compromised.
MULTI FACTOR AUTHENTICATION
• An Industry full of often confused terms
– Multi-Factor Authentication is a method of requiring factors from the following three categories:
  • Knowledge Factors
  • Possession Factors
  • Inherence Factors
– Two-Factor Authentication
– Two-Step Verification
– Strong Authentication
– Knowledge Factors
  • Password
  • PIN Number
  • Mother's Maiden Name
  • Favorite Potato Chip
– Possession Factors
  • Disconnected (RSA, ActivID, etc.)
    – Sequence-Based Tokens – Singular button, multiple depresses
    – Time-Based Tokens – Change every ‘x’ seconds typically
    – Challenge-Based Tokens – Small keypad to enter challenge code
    – Mobile Phones
      » Soft Token
      » SMS one-time password
– Possession Factors
  • Connected
    – Magnetic Strip – ATM Card, etc.
    – Contacts – SmartCard, EMV Credit Cards
    – USB – zPDT Key, RSA SecurID 800
    – Wireless – RFID, Bluetooth, Proximity
    – Other – Audio Port, iButtons, etc.
– Inherence Factors
  • Fingerprint
  • Hand Topography
  • Eye (Iris)
Exposure Issues
– Phishing/Man-In-The-Middle
– Malware
– Session Hijacking
– Lost/Stolen
• Coding Flaws – Exposures in the code of the applications, protocols, or other
Example: Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs
• http://www.pcworld.com/article/2095860/cybercriminals-compromise-home-routers-to-attack-online-banking-users.html
• http://www.darkreading.com/attacks-and-breaches/zeus-botnet-eurograbber-steals-$47-million/d/d-id/1107673?
• http://www.technologyreview.com/news/415371/real-time-hackers-foil-two-factor-security/
• http://www.scmagazine.com/yahoo-session-hijacking-likely-culprit-of-android-spam/article/250454/
• https://www.mandiant.com/blog/attackers-exploit-heartbleed-openssl-vulnerability-circumvent-multifactor-authentication-vpns/
• US-based Regulation and Guidance
  – NIST FIPS 201/HSPD-12
  – HIPAA
  – NERC CIP
  – NIST SP 800-63-2
  – PCI DSS
  – FFIEC
Vendors – Multi Factor and Z
Vanguard Integrity Professionals.
• Physical Tokens – Vanguard ez/Token
• “soft” Tokens – Vanguard Tokenless
• “Smart Cards” a/k/a “PIV Cards” a/k/a “CAC Cards”
Vanguard
Software: We provide you with the analytical tools that allow you to do an in-depth audit of your z/OS systems against multiple standards. Provides detailed explanation, risk analysis, user action to correct.
Services: We will execute z/OS system audits against multiple standards. We will also remediate.
Training: We will train you how to audit z/OS systems against multiple standards. We will also train you to remediate.
Questions?
For more information Call 800-794-0014 or email us at [email protected]