
Copyright (c) 1999 - 2004 The Powertech Group 1

Top 10 i5/OS Security Risks

Extending iSeries Security

PowerTech Confidential © 2006 PowerTech Group, Inc. All rights reserved.

John Earl, Chief Technology Officer
The PowerTech Group, www.powertech.com
john.earl@powertech.com


2006 Copyright The PowerTech Group, Inc. All rights reserved PowerTech Confidential www.powertech.com

The Biggest Threat to Your Corporate Data: HACKERS!!! or Your Company?


What is Security?

> Security needs a definition

> Your IT security policy is how your organization defines security.

> Compliance is the process of measuring your practices against your policy.


What Drives Compliance

> Security and privacy have increased in visibility and importance

> Companies are getting skewered in the press
  - Bank of America, Marriott, Citibank, ChoicePoint, etc.

> The general public is concerned for its safety


The Legislature Reacts

> Legislatures create laws
  - Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SB1386, etc.

> Laws are open to interpretation
  - Sarbanes-Oxley Section 404:
    - "Perform annual assessment of the effectiveness of internal control over financial reporting..."
    - "...and obtain attestation from external auditors"

> Auditors are the interpreters


The Auditor’s View

> Auditors interpret regulations
  - Auditors focus on frameworks and processes
  - Auditors have concluded that IT is lagging when it comes to internal controls

> Executives just follow the auditors' recommendations

> So what are the auditors going to say when they review your systems?


Risk 1: Unprotected Network Access

> Many OS/400 applications rely on menu security
  - It was easy to build
  - It's the "legacy" of business applications

> Most menu "security" designs assume:
  - All access is through the application menu
  - Users do not have command line access
  - Query access is limited or denied completely
  - The user is a member of the group that owns the objects, or *PUBLIC has broad access to the data


> Menu security is no longer relevant in a networked environment
  - Users have intelligent devices, not dumb terminals
  - PCs have sophisticated data access tools like FTP, ODBC, Remote Command and more
  - Users are much more sophisticated
    - Many enter the workforce already familiar with these tools.

> Don't believe that the 5250 green screen is the "end" of your security responsibility


(Diagram: the same CRM data reached three ways - through the application menu, through ODBC, and through Telnet. Result: too much access.)


How do you regulate network access to data?

> Implement exit programs on network access points like FTP, ODBC, DDM, etc.
  - Exit programs:
    - Protect systems that rely solely on menu security.
    - Can be used to limit what trading partners can see when they access your system.
    - Monitor access that would normally fly beneath your radar.
    - Stop unwanted activity even when you're not around.
    - Provide "defense in depth" beyond traditional controls.
  - An exit point does nothing until a program is registered on it (WRKREGINF shows which points have one). Each server has its own exit point and parameter format, so cover them one by one, and write every exit program default-deny: set the allow flag explicitly on every path.
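Here is what such an exit program looks like for the FTP server. It is an added example for this page, not PowerTech's PowerLock code: a CL program registered on the FTP server request validation exit point QIBM_QTMF_SERVER_REQ, format VLRQ0100. The parameter list and the operation codes are IBM's for that exit point; the library SECURLIB, the log message queue FTPLOG, the partner profile EDIPART and the internal address prefix 10.20.30 are assumptions for illustration.

```cl
/* FTPSVRRQ - FTP server request validation exit (QIBM_QTMF_SERVER_REQ, VLRQ0100). */
/* Added example, not PowerTech code.  SECURLIB, FTPLOG, EDIPART and the address   */
/* prefix 10.20.30 are assumptions; the parameters and operation codes are IBM's.  */
/* Register:  ADDEXITPGM EXITPNT(QIBM_QTMF_SERVER_REQ) FORMAT(VLRQ0100) +          */
/*                       PGMNBR(1) PGM(SECURLIB/FTPSVRRQ)                          */
/*            ENDTCPSVR SERVER(*FTP)  then  STRTCPSVR SERVER(*FTP)                 */
             PGM        PARM(&APPID &OPID &USER &RMTADDR &RMTLEN +
                             &OPINFO &OPLEN &ALLOW)

             DCL        &APPID   *CHAR 4      /* %BIN: 1 = FTP client, 2 = FTP server     */
             DCL        &OPID    *CHAR 4      /* %BIN: operation code, see the tests below */
             DCL        &USER    *CHAR 10     /* blank for operation 0 (not logged on yet) */
             DCL        &RMTADDR *CHAR 45     /* dotted-decimal or IPv6 text               */
             DCL        &RMTLEN  *CHAR 4      /* %BIN: length of the address text          */
             DCL        &OPINFO  *CHAR 2000   /* path or RCMD text; only &OPLEN bytes valid */
             DCL        &OPLEN   *CHAR 4
             DCL        &ALLOW   *CHAR 4      /* %BIN output: 0 = reject, 1 = allow        */

             DCL        &OP      *DEC (2 0)
             DCL        &LEN     *DEC (5 0)
             DCL        &ADDR    *CHAR 45
             DCL        &OPC     *CHAR 2
             DCL        &ALW     *DEC (1 0)
             DCL        &ALWC    *CHAR 1

             CHGVAR     &OP   %BIN(&OPID)
             CHGVAR     &LEN  %BIN(&RMTLEN)
             IF         (&LEN *LT 1)  THEN(CHGVAR &LEN 1)
             IF         (&LEN *GT 45) THEN(CHGVAR &LEN 45)
             CHGVAR     &ADDR %SST(&RMTADDR 1 &LEN)

             /* Default deny: only the branches that trust the request set 1.       */
             CHGVAR     VAR(%BIN(&ALLOW)) VALUE(0)

             /* This program polices the server side only; client requests pass.    */
             IF         (%BIN(&APPID) *NE 2) THEN(DO)
                CHGVAR  VAR(%BIN(&ALLOW)) VALUE(1)
                GOTO    EXIT
             ENDDO

             /* 0 = session initialisation: accept connections from the internal    */
             /* range only.  A real implementation reads the ranges from a file.    */
             IF         (&OP *EQ 0) THEN(DO)
                IF      (%SST(&ADDR 1 9) *EQ '10.20.30.') THEN( +
                           CHGVAR VAR(%BIN(&ALLOW)) VALUE(1))
                GOTO    LOG
             ENDDO

             /* 9 = RCMD (run a CL command): never through FTP, whoever asks.        */
             /* 1/2 = create/delete directory, 5 = delete file, 8 = rename: refused. */
             IF         (&OP *EQ 9 *OR &OP *EQ 1 *OR &OP *EQ 2 *OR +
                         &OP *EQ 5 *OR &OP *EQ 8) THEN(GOTO LOG)

             /* 6 = send file (client GET), 7 = receive file (client PUT):           */
             /* only the EDI trading-partner profile may move files.                */
             IF         (&OP *EQ 6 *OR &OP *EQ 7) THEN(DO)
                IF      (&USER *EQ 'EDIPART') THEN(CHGVAR VAR(%BIN(&ALLOW)) VALUE(1))
                GOTO    LOG
             ENDDO

             /* 3 = change directory, 4 = list: fine for any logged-on user.        */
             CHGVAR     VAR(%BIN(&ALLOW)) VALUE(1)

             /* One line per request, decision included, to a queue you review.     */
 LOG:        CHGVAR     &OPC  &OP
             CHGVAR     &ALW  %BIN(&ALLOW)
             CHGVAR     &ALWC &ALW
             SNDMSG     MSG('FTP' *BCAT &USER *BCAT 'from' *BCAT &ADDR *BCAT +
                            'op' *BCAT &OPC *BCAT 'allow=' *CAT &ALWC) +
                          TOMSGQ(SECURLIB/FTPLOG)
             MONMSG     MSGID(CPF0000)   /* never fail the request because logging failed */
 EXIT:       ENDPGM
```

Two points a practitioner will hit straight away. After logon the FTP server job runs under the FTP user's profile, so every FTP user needs authority to call the exit program and to write to FTPLOG (CRTMSGQ it with *PUBLIC *CHANGE, or compile the exit with USRPRF(*OWNER)). And this covers the FTP server only: ODBC and JDBC arrive through the database host server exit points (QIBM_QZDA_INIT, QIBM_QZDA_NDB1, QIBM_QZDA_SQL1/SQL2), DDM is governed by the DDMACC network attribute, and remote command by QIBM_QZRC_RMT, each with its own parameter layout.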


Risk 2: Powerful Users

> Users can be made more powerful through the granting of OS/400 "Special Authorities"
  - Special authorities trump OS/400 object-level authorities:
    - A user with *ALLOBJ can read, change, or delete any object on the system.
    - A user with *SPLCTL can read, change, or delete any spool file on the system.
    - A user with *JOBCTL can view, change, or stop any job on the system (including ENDSBS and PWRDWNSYS).
    - A user with *SAVSYS can save any object (and read it back by restoring it elsewhere) or free its storage, which deletes the contents.


(Chart: Special Authorities - Average Number of Profiles. Source: iSeries Security Study 2005, The PowerTech Group Inc.)

> What do special authorities do?
  - *ALLOBJ - all authority to every object on the system. Game over!
  - *AUDIT - authority to manipulate system auditing values.
  - *IOSYSCFG - authority to create and modify the system's communications configuration.
  - *JOBCTL - authority to control other users' jobs.
  - *SAVSYS - authority to save, restore, and free the storage of any object on the system.
  - *SECADM - authority to create and change user profiles and passwords.
  - *SERVICE - authority to use the system service tools.
  - *SPLCTL - the equivalent of *ALLOBJ for spool files.

These eight are the only special authorities OS/400 has; a group profile's special authorities apply to every member of the group.

Learn more at: http://www.powertech.com/documents/articles/Exposures.pdf
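Here is a check that finds those users. It is an added example for this page, not PowerTech code: a CL program that dumps every profile with DSPUSRPRF to an outfile and reports the enabled ones holding *ALLOBJ, *SECADM, *SERVICE, *AUDIT or *SPLCTL, together with their user class, group and limited-capability setting. The field names (UPUPRF, UPSTAT, UPSPAU, UPUSCL, UPGRPF, UPLMCP) are those of IBM's model file QSYS/QADSPUPB; check them with DSPFFD on your release. The QTEMP file name is a placeholder.

```cl
/* SPCAUTRPT - inventory of enabled profiles holding the dangerous special          */
/* authorities.  Added example for this page, not PowerTech code.  Run it as a     */
/* security officer so DSPUSRPRF *ALL can see every profile.  Field names come    */
/* from the DSPUSRPRF outfile model QSYS/QADSPUPB (verify with DSPFFD).            */
             PGM
             DCLF       FILE(QSYS/QADSPUPB)     /* gives &UPUPRF, &UPSPAU, ... */

             DCL        &POS     *DEC (3 0)
             DCL        &HIT     *CHAR 1
             DCL        &CNT     *DEC (5 0) VALUE(0)
             DCL        &CNTC    *CHAR 5

             DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/USRPRF)
             OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/USRPRF)

 READ:       RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO DONE)      /* end of file */
             IF         (&UPSTAT *NE '*ENABLED') THEN(GOTO READ)

             /* &UPSPAU is a 150-byte field listing the profile's special           */
             /* authorities.  Scan it byte by byte so the test does not depend on  */
             /* how the entries are spaced; each window is one byte longer than   */
             /* the name, so the name must be followed by a blank to count.       */
             CHGVAR     &HIT ' '
             CHGVAR     &POS 1
 SCAN:       IF         (&POS *GT 142) THEN(GOTO TEST)
             IF         (%SST(&UPSPAU &POS 8) *EQ '*ALLOBJ')  THEN(CHGVAR &HIT 'Y')
             IF         (%SST(&UPSPAU &POS 8) *EQ '*SECADM')  THEN(CHGVAR &HIT 'Y')
             IF         (%SST(&UPSPAU &POS 9) *EQ '*SERVICE') THEN(CHGVAR &HIT 'Y')
             IF         (%SST(&UPSPAU &POS 7) *EQ '*AUDIT')   THEN(CHGVAR &HIT 'Y')
             IF         (%SST(&UPSPAU &POS 8) *EQ '*SPLCTL')  THEN(CHGVAR &HIT 'Y')
             CHGVAR     &POS (&POS + 1)
             GOTO       SCAN

 TEST:       IF         (&HIT *NE 'Y') THEN(GOTO READ)
             CHGVAR     &CNT (&CNT + 1)
             SNDPGMMSG  MSG(&UPUPRF *BCAT 'class' *BCAT &UPUSCL *BCAT +
                            'group' *BCAT &UPGRPF *BCAT 'LMTCPB' *BCAT &UPLMCP *BCAT +
                            'special authorities:' *BCAT &UPSPAU)
             GOTO       READ

 DONE:       DLTOVR     FILE(QADSPUPB)
             CHGVAR     &CNTC &CNT
             SNDPGMMSG  MSG(&CNTC *BCAT 'enabled profiles hold *ALLOBJ, *SECADM, +
                            *SERVICE, *AUDIT or *SPLCTL')
             ENDPGM
```

Read the group column carefully: a profile whose group (or supplemental group) is in the report has the group's special authorities too, so the real population of powerful users is this list plus every member of every group profile on it. The LMTCPB column tells you which of them also have a command line.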

Risk 3: Weak or Compromised Passwords

> Network traffic can be sniffed to capture clear-text passwords

> Several protocols submit user IDs and passwords in clear text
  - Among them are FTP, Telnet, and older forms of Client Access and PC Support

> Protect yourself by...
  - Minimizing use of the legacy OS/400 sign-on screen (QDSIGNON)
  - Setting the Client Access "Bypass Signon" flag to yes and the OS/400 system value QRMTSIGN to *VERIFY, so the emulator authenticates through the sign-on host server (which does not send the password in the clear) and skips the 5250 sign-on screen
  - Using VPNs, or the SSL-enabled Telnet and FTP servers, when communicating over un-secure networks


> Too many passwords, too many places
  - Users will re-use passwords inside and outside the company.
    - An unscrupulous webmaster could steal a password that also opens your iSeries.
  - If passwords are too hard to remember, or there are too many to remember, users will write them down.
  - Every occurrence of a password is a potential point of exposure.
    - The fewer systems that know a password, the fewer that could cough it up to a hacker.


> Why Single Sign-On (SSO)?
  - Password resets are expensive
  - Too many passwords risk disclosure
  - Password synchronization schemes extend the problem
  - IBM and Microsoft provide native support for SSO (Kerberos through Network Authentication Service plus Enterprise Identity Mapping on i5/OS, Active Directory on Windows)
  - Password elimination is the most secure approach


Risk 4: User Identity Theft

> Three ways to steal an OS/400 user ID
  - An OS/400 job description
  - The Submit Job command (SBMJOB)
  - IBM APIs to switch to the user

> None of these methods requires you to know the user's password


> Use an OS/400 job description to masquerade as the user.
  - A JOBD that has a user ID attached to it represents the ability to run a job as that user...
    - No password required
  - Only at QSECURITY level 30 and lower. At level 40 and above the submitter must also have *USE authority to the user profile named in the JOBD.
  - SBMJOB CMD(CALL MYPGM) JOB(REPORT) JOBD(QGPL/QBATCH) USER(*JOBD)
  - Solution?
    - Move to QSECURITY level 40 or higher.


> Use the Submit Job command (SBMJOB) to masquerade as the user

> Specify the name of another user, and run using the assumed identity (this needs *USE authority to that user's profile, so profiles with loose *PUBLIC authority are the targets).
  - SBMJOB CMD(CALL MYPGM) JOB(REPORT) JOBD(QGPL/QBATCH) USER(SALLY)
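A check for the job-description and SBMJOB variants, added here as an example and not PowerTech code: a CL program that lists every job description on the system that carries a user profile name, reports the QSECURITY level, and spools the authority lists of both the JOBD and the profile it names so you can see who could submit under it. The outfile field names (ODOBNM, ODLBNM, ODOBOW) are from IBM's DSPOBJD model file QSYS/QADSPOBJ; the QTEMP file name is a placeholder.

```cl
/* JOBDUSRRPT - list job descriptions that carry a user profile name.  Added       */
/* example for this page, not PowerTech code.  Each hit is a profile that anyone   */
/* with *USE to the JOBD can run as via SBMJOB ... USER(*JOBD) at QSECURITY 30 or  */
/* below; at 40 and above they also need *USE to the named profile, so the report */
/* spools that profile's authority list too.  Run as a security officer so DSPOBJD */
/* sees every library.  Outfile field names are from the model QSYS/QADSPOBJ.      */
             PGM
             DCLF       FILE(QSYS/QADSPOBJ)     /* &ODOBNM, &ODLBNM, &ODOBOW */

             DCL        &JOBDUSR *CHAR 10
             DCL        &SECLVL  *CHAR 2
             DCL        &CNT     *DEC (5 0) VALUE(0)
             DCL        &CNTC    *CHAR 5

             RTVSYSVAL  SYSVAL(QSECURITY) RTNVAR(&SECLVL)
             DSPOBJD    OBJ(*ALL/*ALL) OBJTYPE(*JOBD) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/JOBDS)
             OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/JOBDS)

 READ:       RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO DONE)
             RTVJOBD    JOBD(&ODLBNM/&ODOBNM) USER(&JOBDUSR)
             MONMSG     MSGID(CPF0000) EXEC(GOTO READ)       /* damaged or not authorized */
             IF         (&JOBDUSR *EQ '*RQD') THEN(GOTO READ)  /* user supplied at SBMJOB */
             CHGVAR     &CNT (&CNT + 1)
             SNDPGMMSG  MSG(&ODLBNM *TCAT '/' *TCAT &ODOBNM *BCAT 'runs as' *BCAT +
                            &JOBDUSR *BCAT '(owner' *BCAT &ODOBOW *TCAT ')')
             /* Who may use the JOBD, and who may use the profile it names?         */
             DSPOBJAUT  OBJ(&ODLBNM/&ODOBNM) OBJTYPE(*JOBD) OUTPUT(*PRINT)
             MONMSG     MSGID(CPF0000)
             DSPOBJAUT  OBJ(QSYS/&JOBDUSR) OBJTYPE(*USRPRF) OUTPUT(*PRINT)
             MONMSG     MSGID(CPF0000)
             GOTO       READ

 DONE:       DLTOVR     FILE(QADSPOBJ)
             CHGVAR     &CNTC &CNT
             SNDPGMMSG  MSG(&CNTC *BCAT 'job descriptions name a user profile;' *BCAT +
                            'QSECURITY is' *BCAT &SECLVL)
             IF         (&SECLVL *LT '40') THEN(SNDPGMMSG MSG('At this level *USE +
                            to the JOBD alone is enough to run as that user'))
             ENDPGM
```

On the spooled authority lists, anything other than *EXCLUDE for *PUBLIC on a named profile, or *USE for *PUBLIC on a JOBD that names a powerful profile, is the exposure the slide describes.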


> Use IBM APIs to switch to the user
  - No password required

> The following code will allow me to become someone else without knowing their password.
  - Program QSYS/QASSUME

             PGM        PARM(&USER)
             DCL        &USER   *CHAR 10
             DCL        &HANDLE *CHAR 12      /* QSYGETPH returns a 12-byte profile handle */
             DCL        &ERROR  *CHAR 4       /* bytes provided = 0: API errors arrive as escape messages */
             CHGVAR     %BIN(&ERROR) 0
             CALL       'QSYGETPH' PARM(&USER *NOPWD &HANDLE &ERROR)   /* handle for &USER, no password check */
             CHGVAR     %BIN(&ERROR) 0
             CALL       'QWTSETP'  PARM(&HANDLE &ERROR)                /* swap this job to that profile */
             ENDPGM

  - What the caller does need is *USE authority to the target user profile. Check who has that, starting with *PUBLIC: DSPOBJAUT OBJ(QSYS/SALLY) OBJTYPE(*USRPRF)


Risk 5: The Open Door Policy

> Every OS/400 object specifies some kind of authority for a user called *PUBLIC
  - Who is *PUBLIC?
    - Any user of this computer who does not have explicit authority to a given object.
  - In the old days *PUBLIC was "everyone in my company".
    - Then, as we networked to more and more systems, *PUBLIC became everyone you do business with (customers, vendors, partners, etc.)
    - With virtually every network connected to every other network (it's called "The Internet!"), *PUBLIC could be anyone in the WORLD who can connect to your network!!!
  - In a perfect world, *PUBLIC should have little or no authority to production applications.

(Chart: *PUBLIC Authority to Libraries. Source: iSeries Security Study 2005, The PowerTech Group Inc.)

> At a maximum, business application users need no more than:
  - *USE authority to static objects such as programs.
  - *CHANGE authority to dynamic objects such as data files.

> Ideally, don't give *PUBLIC even read (*USE) authority to anything

> Check the QCRTAUT system value to see what authority *PUBLIC is given by default to newly created objects.
  - Update for V5R3: the OS no longer requires *PUBLIC *CHANGE authority to QSYS.


Risk 6: Promiscuous Object Ownership

> All end users belong to a group profile that owns all of the application objects.
  - Pro: easy to administer security.
  - Con: assumes that all application access will take place through a predefined menu interface.
  - The owner of an object has *ALL authority to it by default, and every member of an owning group inherits that, including the right to delete the object or grant authority to others.


> Why is this a problem?
  - Users are no longer locked into green-screen interfaces and dumb terminals.
  - There are numerous ways of getting at the data:
    - Command line access
    - DFU, DBU, EZView and other data manipulation tools
    - Query/400, SQL, and other query tools
    - Others???
  - Make sure that you've got all the back doors (and Windows!) covered as well.


Risk 7: Library Security

> The most important library security setting is the CRTAUT parameter.

> CRTAUT determines what authority *PUBLIC has to objects newly created in the library (changing it does not touch objects that already exist).

> By default, all libraries are created with CRTAUT(*SYSVAL).

> By default the system value QCRTAUT is shipped as *CHANGE, so unless you change one or the other, *PUBLIC gets *CHANGE to every new object.


> A library list specifies the order in which libraries are searched for objects and files.

> A user who can place objects into a library could bypass security checking programs
  - Example:
    - If the library list contains LIBA, LIBB, and LIBC
    - And security checking program PROGZ exists in LIBC
    - And user Fred has at least *USE + *ADD authority to LIBA
    - User Fred could place a bogus version of PROGZ into LIBA that bypasses security: every unqualified CALL PROGZ now finds the bogus copy first

> Solution:
  - Users only need *USE authority to libraries in their library list.
  - This is especially true of libraries on the system portion of the library list (system value QSYSLIBL), which every job searches first.


> Protect libraries first
  - No more than *USE authority to production libraries
  - *EXCLUDE for sensitive libraries

> User authorities to libraries:
  - *EXCLUDE => cannot access anything in the library
  - *USE => read, change, or delete objects in the library, as far as each object's own authority allows
  - *USE plus *ADD => place new objects into the library
  - *ALL => delete the library itself
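The bogus-PROGZ attack above works wherever *PUBLIC can add objects to a library that is searched before the real program's library, which is also the concrete form of the *PUBLIC problem from Risk 5. This added example, not PowerTech code, walks the system and user portions of the library list (QSYSLIBL and QUSRLIBL), reports *PUBLIC's authority to each library and the library's CRTAUT, and flags the ones that let *PUBLIC add objects. The outfile field names (OAOBJN, OAUSER, OAOBJA, OAADD) are those of IBM's DSPOBJAUT model file QSYS/QAOBJAUT and the 'X' convention for the data-authority flags is assumed; verify both with DSPFFD. The QTEMP file name is a placeholder.

```cl
/* LIBLCHK - audit every library on the library list (system values QSYSLIBL and    */
/* QUSRLIBL): what *PUBLIC may do to the library, and the CRTAUT default that new   */
/* objects in it receive.  Anything that lets *PUBLIC add objects is flagged,       */
/* because that is what planting a bogus program needs.  Added example for this    */
/* page, not PowerTech code; outfile field names are from the DSPOBJAUT model file  */
/* QSYS/QAOBJAUT (verify with DSPFFD).  Run as a security officer: DSPOBJAUT shows  */
/* the full authority list only to users with *OBJMGT authority to the object.      */
             PGM
             DCLF       FILE(QSYS/QAOBJAUT)     /* &OAOBJN, &OAUSER, &OAOBJA, &OAADD ... */

             DCL        &SYSL    *CHAR 150      /* QSYSLIBL: 15 entries of 10 */
             DCL        &USRL    *CHAR 250      /* QUSRLIBL: 25 entries of 10 */
             DCL        &LIBL    *CHAR 400
             DCL        &POS     *DEC (3 0) VALUE(1)
             DCL        &LIB     *CHAR 10
             DCL        &CRTAUT  *CHAR 10
             DCL        &VERDICT *CHAR 40

             RTVSYSVAL  SYSVAL(QSYSLIBL) RTNVAR(&SYSL)
             RTVSYSVAL  SYSVAL(QUSRLIBL) RTNVAR(&USRL)
             CHGVAR     &LIBL (&SYSL *CAT &USRL)

             /* Collect the authority records of every listed library in one file.  */
             DLTF       FILE(QTEMP/LIBAUT)
             MONMSG     MSGID(CPF2105)                  /* not found: first run */
 NEXT:       IF         (&POS *GT 391) THEN(GOTO SCAN)
             CHGVAR     &LIB %SST(&LIBL &POS 10)
             CHGVAR     &POS (&POS + 10)
             IF         (&LIB *EQ ' ') THEN(GOTO NEXT)
             DSPOBJAUT  OBJ(QSYS/&LIB) OBJTYPE(*LIB) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/LIBAUT) OUTMBR(*FIRST *ADD)
             MONMSG     MSGID(CPF0000) EXEC(GOTO NEXT)  /* e.g. library no longer exists */
             GOTO       NEXT

             /* One record per user with authority; only the *PUBLIC row matters here. */
 SCAN:       OVRDBF     FILE(QAOBJAUT) TOFILE(QTEMP/LIBAUT)
 READ:       RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO DONE)
             IF         (&OAUSER *NE '*PUBLIC') THEN(GOTO READ)
             RTVLIBD    LIB(&OAOBJN) CRTAUT(&CRTAUT)
             MONMSG     MSGID(CPF0000) EXEC(CHGVAR &CRTAUT '?')

             CHGVAR     &VERDICT 'ok (*USE or less)'
             IF         (&OAOBJA *EQ '*ALL' *OR &OAOBJA *EQ '*CHANGE') THEN( +
                           CHGVAR &VERDICT 'EXPOSED: *PUBLIC can add objects')
             IF         (&OAOBJA *EQ 'USER DEF' *AND &OAADD *EQ 'X') THEN( +
                           CHGVAR &VERDICT 'EXPOSED: *PUBLIC has *ADD')
             IF         (&OAOBJA *EQ '*AUTL') THEN( +
                           CHGVAR &VERDICT 'check the authorization list (DSPAUTL)')
             IF         (&OAOBJA *EQ '*EXCLUDE') THEN(CHGVAR &VERDICT 'ok (*EXCLUDE)')
             SNDPGMMSG  MSG(&OAOBJN *BCAT '*PUBLIC' *BCAT &OAOBJA *BCAT +
                            'CRTAUT' *BCAT &CRTAUT *BCAT &VERDICT)
             GOTO       READ

 DONE:       DLTOVR     FILE(QAOBJAUT)
             ENDPGM
```

A CRTAUT of *SYSVAL on a library in this list means the answer depends on QCRTAUT, which ships as *CHANGE; set CRTAUT explicitly on production libraries rather than relying on the system value.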


Risk 8: Command Line Abuse

> The ability to execute commands allows a user to skirt traditional menu limitations
  - Commands can be entered in a variety of ways:
    1. The OS/400 command line (CALL QCMD)
    2. OS/400 screens that display a command line (WRKOUTQ, WRKWTR, etc.), or other applications with hidden command-line access keys
    3. The Attention key
    4. FTP, to issue a command remotely
    5. Client Access, to issue a command remotely
    6. DDM, to issue a command remotely


> Control users' access to commands by...
  - Using the Limited Capability parameter (LMTCPB(*YES)) on the OS/400 user profile to limit items 1-5 above
    - Assuming OS/400 V4R2 or higher for FTP
  - Beware that items 5 and 6 do not honor LMTCPB on early releases
    - Use an exit program to limit DDM, and Client Access at early releases
  - LMTCPB only blocks commands whose ALWLMTUSR attribute is *NO; a few shipped commands (SIGNOFF, SNDMSG, DSPMSG, DSPJOB, DSPJOBLOG, STRPCO, WRKMSG) allow limited users, and CHGCMD ALWLMTUSR(*YES) can open any other, so review which commands have been opened up
  - Some users require command line access (programmers, operators, vendors, etc.)
    - Make sure that they are monitored


Risk 9: System Value Weaknesses

> There are several system values that must be set properly to protect your system.
  - Set the system values to their most protective setting.
    - Then toggle them off/on as needed.
  - Monitor system values to detect, and alert you, whenever they are changed (with QAUDLVL(*SECURITY) every CHGSYSVAL writes an SV entry to the audit journal).
    - Ensure that toggled system values are changed back.
    - Monitor for toggle-off / toggle-on conditions.
    - Monitor while system values are toggled off.


> Sign-on control: regulate sign-on to prevent attacks
  - QDSPSGNINF = 1: display the sign-on information screen (last sign-on, invalid attempts since).
  - QINACTITV = 30: time out a session after 30 idle minutes.
  - QINACTMSGQ = *DSCJOB: when the session times out, disconnect the job and show the sign-on screen.
  - QMAXSIGN = 3: maximum invalid sign-on attempts allowed.
  - QMAXSGNACN = 2: disable the user profile after QMAXSIGN invalid attempts (1 disables the device instead, 3 disables both).
  - QRMTSIGN = *VERIFY: allow users to bypass the legacy sign-on screen once the remote connection has verified the password.


> Operating system integrity: QSECURITY
  - 10 = Physical security (bad; cannot be set as of V4R3)
  - 20 = Password security (bad)
  - 30 = Resource security (bad)
  - 40 = Operating system security (good)
  - 50 = Enhanced operating system security (good)
  - Do not allow programs to bypass OS security
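A way to check all of these at once, added here as an example and not PowerTech's policy-management code: a CL program that retrieves each system value named on this slide and on the password slide (QRMTSIGN), plus QCRTAUT and the audit controls, and reports every deviation from a baseline. The baseline values are the ones recommended above; the password expiry and the QLMTSECOFR setting are assumptions. It uses CL subroutines, so it needs V5R4 or later, and it relies on RTVSYSVAL padding a longer character variable with blanks.

```cl
/* SYSVALCHK - compare the sign-on, integrity, default-authority and audit system  */
/* values with a hardened baseline and report every deviation.  Added example for  */
/* this page, not PowerTech code; the baseline is the deck's recommendations plus  */
/* an assumed password expiry and QLMTSECOFR.  Needs V5R4 or later (SUBR).        */
             PGM
             DCL        &SYSVAL  *CHAR 10
             DCL        &EXPECT  *CHAR 30
             DCL        &ACTUAL  *CHAR 50     /* longer than every value checked; padded with blanks */
             DCL        &DEVS    *DEC (3 0) VALUE(0)
             DCL        &DEVSC   *CHAR 3

             /* Exact-match checks.                                                */
             CHGVAR     &SYSVAL 'QMAXSIGN'
             CHGVAR     &EXPECT '3'
             CALLSUBR   CHECK
             CHGVAR     &SYSVAL 'QMAXSGNACN'      /* 2 = disable profile, 3 = profile and device */
             CHGVAR     &EXPECT '2'
             CALLSUBR   CHECK
             CHGVAR     &SYSVAL 'QDSPSGNINF'
             CHGVAR     &EXPECT '1'
             CALLSUBR   CHECK
             CHGVAR     &SYSVAL 'QINACTMSGQ'
             CHGVAR     &EXPECT '*DSCJOB'
             CALLSUBR   CHECK
             CHGVAR     &SYSVAL 'QRMTSIGN'
             CHGVAR     &EXPECT '*VERIFY'
             CALLSUBR   CHECK
             CHGVAR     &SYSVAL 'QAUDENDACN'
             CHGVAR     &EXPECT '*NOTIFY'
             CALLSUBR   CHECK
             CHGVAR     &SYSVAL 'QLMTSECOFR'      /* 1 = QSECOFR only from explicitly authorized devices */
             CHGVAR     &EXPECT '1'
             CALLSUBR   CHECK

             /* Range and "anything but" checks.                                    */
             CHGVAR     &SYSVAL 'QSECURITY'
             CALLSUBR   GET
             CHGVAR     &EXPECT '40 or 50'
             IF         (&ACTUAL *LT '40') THEN(CALLSUBR REPORT)

             CHGVAR     &SYSVAL 'QINACTITV'
             CALLSUBR   GET
             CHGVAR     &EXPECT 'a timeout, e.g. 30'
             IF         (&ACTUAL *EQ '*NONE') THEN(CALLSUBR REPORT)

             CHGVAR     &SYSVAL 'QPWDEXPITV'
             CALLSUBR   GET
             CHGVAR     &EXPECT 'an expiry, e.g. 90'
             IF         (&ACTUAL *EQ '*NOMAX') THEN(CALLSUBR REPORT)

             CHGVAR     &SYSVAL 'QCRTAUT'         /* shipped as *CHANGE */
             CALLSUBR   GET
             CHGVAR     &EXPECT '*USE or *EXCLUDE'
             IF         (&ACTUAL *EQ '*CHANGE' *OR &ACTUAL *EQ '*ALL') THEN(CALLSUBR REPORT)

             CHGVAR     &SYSVAL 'QAUDCTL'         /* a list; *NONE means auditing is off */
             CALLSUBR   GET
             CHGVAR     &EXPECT '*AUDLVL (and usually *OBJAUD)'
             IF         (%SST(&ACTUAL 1 5) *EQ '*NONE') THEN(CALLSUBR REPORT)

             CHGVAR     &DEVSC &DEVS
             SNDPGMMSG  MSG(&DEVSC *BCAT 'system value(s) deviate from the baseline')
             RETURN

             /* Read the system value named in &SYSVAL into &ACTUAL.               */
             SUBR       SUBR(GET)
             RTVSYSVAL  SYSVAL(&SYSVAL) RTNVAR(&ACTUAL)
             ENDSUBR

             /* Exact comparison against &EXPECT.                                  */
             SUBR       SUBR(CHECK)
             CALLSUBR   GET
             IF         (&ACTUAL *NE &EXPECT) THEN(CALLSUBR REPORT)
             ENDSUBR

             SUBR       SUBR(REPORT)
             CHGVAR     &DEVS (&DEVS + 1)
             SNDPGMMSG  MSG('DEVIATION' *BCAT &SYSVAL *BCAT 'is' *BCAT &ACTUAL *BCAT +
                            '- expected' *BCAT &EXPECT)
             ENDSUBR
             ENDPGM
```

Schedule it daily and treat a non-zero deviation count as an alert; the toggle-off/toggle-on problem on the slide is exactly what a check that runs between the two changes will miss, which is why the SV audit entries are needed as well.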

(Chart: Operating System Integrity - QSECURITY. Source: iSeries Security Study 2005, The PowerTech Group Inc.)

Risk 10: No Audit Ability

> If you had a security problem, would you know?
  - Who did it?
  - What happened?
  - When it happened?
  - How it was done?
  - How to stop it from happening again?

> What if the data was not damaged, but only stolen?


> In order to prevent security breaches, you must first be able to detect them.

> Use the OS/400 security auditing journal (QAUDJRN) to help determine where your security stands.
  - Why?
    - It's free (from IBM)
    - It's a comprehensive gathering tool
    - It's an irrefutable source of historical events


> Turn on OS/400 security auditing by typing:

             CHGSECAUD  QAUDCTL(*AUDLVL) +
                        QAUDLVL(*AUTFAIL *DELETE *OBJMGT *PGMFAIL *SAVRST +
                                *SECURITY *SERVICE *SYSMGT) +
                        INLJRNRCV(SECURLIB/AUDRCV0001)

  - CHGSECAUD creates the QAUDJRN journal and the initial receiver if they do not exist yet.

> This will generate a lot of audit trails.
> Use tools to sift through the audit trails to find important events.
> If at all possible, save all security journal receivers.
> Make sure QAUDENDACN is *NOTIFY (the system operator is told when an audit entry cannot be written; the alternative, *PWRDWNSYS, powers the system down).
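Once auditing is on, the authority failures that the *AUTFAIL value above collects are AF entries in QAUDJRN. This added example, not PowerTech's tooling, extracts them from the currently attached receiver with DSPJRN and prints one readable line per failure: when, which user in which job, what kind of violation, and against which object. The field names (JOTSTP, JOJOB, JOUSER, JONBR, JOUSPF, AFENTT, AFONAM, AFOLIB, AFOTYP) are those of IBM's model outfile QSYS/QASYAFJ5; check them with DSPFFD on your release. The QTEMP file name is a placeholder.

```cl
/* AUTFAILRPT - pull the authority-failure (AF) entries from the currently attached */
/* QAUDJRN receiver and turn them into readable one-line events.  Added example for */
/* this page, not PowerTech code.  Run under a profile authorized to QAUDJRN and    */
/* its receivers (normally the auditor's profile with *AUDIT).  Field names are     */
/* those of the IBM model outfile QSYS/QASYAFJ5 (check with DSPFFD on your release). */
             PGM
             DCLF       FILE(QSYS/QASYAFJ5)    /* &JOTSTP &JOJOB &JOUSER &JONBR &JOUSPF +
                                                  &AFENTT &AFONAM &AFOLIB &AFOTYP ... */

             DCL        &WHAT    *CHAR 40
             DCL        &CNT     *DEC (7 0) VALUE(0)
             DCL        &CNTC    *CHAR 7

             /* DSPJRN writes AF entries in the AF model's layout only when the      */
             /* outfile already has that layout, so duplicate the model file first. */
             DLTF       FILE(QTEMP/AUDAF)
             MONMSG     MSGID(CPF2105)
             CRTDUPOBJ  OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) +
                          NEWOBJ(AUDAF)
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURRENT) JRNCDE((T)) ENTTYP(AF) +
                          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDAF)
             OVRDBF     FILE(QASYAFJ5) TOFILE(QTEMP/AUDAF)

 READ:       RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO DONE)
             CHGVAR     &CNT (&CNT + 1)
             /* AFENTT is the violation type; the letters below are IBM's codes.    */
             CHGVAR     &WHAT ('type' *BCAT &AFENTT *BCAT '(see the AF entry table)')
             IF         (&AFENTT *EQ 'A') THEN(CHGVAR &WHAT 'not authorized to object')
             IF         (&AFENTT *EQ 'B') THEN(CHGVAR &WHAT 'restricted MI instruction')
             IF         (&AFENTT *EQ 'C') THEN(CHGVAR &WHAT 'program validation failure')
             IF         (&AFENTT *EQ 'D') THEN(CHGVAR &WHAT 'unsupported interface (level 40 block)')
             IF         (&AFENTT *EQ 'J') THEN(CHGVAR &WHAT 'SBMJOB with an unauthorized profile')
             IF         (&AFENTT *EQ 'K') THEN(CHGVAR &WHAT 'special authority violation')
             IF         (&AFENTT *EQ 'S') THEN(CHGVAR &WHAT 'default sign-on attempt')
             SNDPGMMSG  MSG(&JOTSTP *BCAT &JOUSPF *BCAT 'job' *BCAT &JONBR *TCAT '/' *TCAT +
                            &JOUSER *TCAT '/' *TCAT &JOJOB *BCAT &WHAT *BCAT 'on' *BCAT +
                            &AFOLIB *TCAT '/' *TCAT &AFONAM *BCAT &AFOTYP)
             GOTO       READ

 DONE:       DLTOVR     FILE(QASYAFJ5)
             CHGVAR     &CNTC &CNT
             SNDPGMMSG  MSG(&CNTC *BCAT 'authority failures in the current QAUDJRN receiver')
             ENDPGM
```

The 'J' and 'D' lines are the ones that tie back to Risk 4 and the QSECURITY slide: a 'J' is somebody trying SBMJOB under a profile they are not authorized to, a 'D' is an interface that level 40 blocked. For a daily run replace RCVRNG(*CURRENT) with the receivers that cover the period, or use FROMTIME and TOTIME; invalid-password attempts arrive the same way as PW entries.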


Conclusions

> Security on OS/400 doesn't just happen; you have to make it happen.

> OS/400 has the best security tools available, so let's use them.

> Secure network access points before someone else discovers the exposure.

> If you are compromised, will you know?

> You can't play in e-business unless you guard against network access.

The PowerTech Group, Inc.
Email: [email protected]
Toll Free: (800) 915-7700
www.powertech.com

PowerLock Security Solutions extend iSeries security:
  - intrusion prevention
  - access control
  - powerful user control
  - policy management
  - central administration

Questions?