Copyright (c) 1999 - 2004 The Powertech Group 1
Top 10 i5/OS Security Risks
Extending iSeries Security
PowerTech Confidential © 2006 PowerTech Group, Inc. All rights reserved.
John Earl, Chief Technology Officer
The PowerTech Group, www.powertech.com
john.earl@powertech.com
2006 Copyright The PowerTech Group, Inc. All rights reserved PowerTech Confidential www.powertech.com
The Biggest Threat to Your Corporate Data
HACKERS!!! or Your Company
What is Security?
> Security needs a definition
> Your IT security policy is how your organization defines security.
> Compliance is the process of measuring your practices against your policy.
What Drives Compliance
> Security and privacy have increased in visibility and importance
> Companies are getting skewered in the press
  - Bank of America, Marriott, Citibank, ChoicePoint, etc.
> The general public is concerned for its safety
The Legislature Reacts
> Legislatures create laws
  - Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SB1386, etc.
> Laws are open to interpretation
  - Sarbanes-Oxley Section 404:
    - “Perform annual assessment of the effectiveness of internal control over financial reporting…”
    - “…and obtain attestation from external auditors”
> Auditors are the interpreters
The Auditor’s View
> Auditors interpret regulations
  - Auditors focus on frameworks and processes
  - Auditors have concluded that IT is lagging when it comes to internal controls
> Executives just follow the auditors’ recommendations
> So what are the auditors going to say when they review your systems?
1. Unprotected Network Access
> Many OS/400 applications rely on menu security
  - It was easy to build
  - It’s the ‘legacy’ of business applications
> Most menu ‘security’ designs assume:
  - All access is through the application menu
  - Users do not have command line access
  - Query access is limited or denied completely
  - That the user is a member of the group that owns the objects. Or…
  - *PUBLIC has broad access to the data
> Menu security is no longer relevant in a networked environment
  - Users have intelligent devices, not dumb terminals
  - PCs have sophisticated data access tools like FTP, ODBC, Remote Command and more
  - Users are much more sophisticated
    - Many enter the workforce already familiar with these tools.
> Don’t believe that the 5250 green screen is the “end” of your security responsibility
[Diagram: users reach the CRM application’s data not only through the Application Menu but also directly via Telnet and ODBC. Result: Too Much Access]
How do you regulate network access to data?
> Implement Exit Programs on network access points like FTP, ODBC, DDM, etc.
  - Exit Programs:
    - Will protect systems that are reliant solely on menu security.
    - Can be used to limit what trading partners can see when they access your system.
    - Monitor access that normally flies beneath your radar
    - Stop unwanted activity even when you’re not around.
    - Provide “defense in depth” security beyond traditional controls
2. Powerful Users
> Users can be made more powerful through the granting of OS/400 “Special Authorities”
  - Special Authorities can trump OS/400 object level authorities.
    - A USER WITH *ALLOBJ CAN READ, CHANGE, OR DELETE ANY OBJECT ON THE SYSTEM.
    - A USER WITH *SPLCTL CAN READ, CHANGE, OR DELETE ANY SPOOL FILE ON THE SYSTEM.
    - A USER WITH *JOBCTL CAN VIEW, CHANGE, OR STOP ANY JOB ON THE SYSTEM (INCLUDES ENDSBS AND PWRDWNSYS)
    - A USER WITH *SAVSYS CAN READ OR DELETE ANY OBJECT ON THE SYSTEM.
[Chart: Special Authorities – Average Number of Profiles. Source: iSeries Security Study 2005, The PowerTech Group Inc.]
> What do special authorities do?
  - *ALLOBJ - ALL authority to every object on the system – Game Over!
  - *AUDIT - Authority to manipulate system auditing values.
  - *IOSYSCFG - Authority to create and modify communications to the system.
  - *JOBCTL - Authority to control other users’ jobs.
  - *SAVSYS - Authority to save, restore, and remove any object on the system.
  - *SECADM - Authority to change profiles and passwords
  - *SERVICE - Authority to use the system service tools
  - *SPLCTL - *ALLOBJ authority for spool files
Learn more at: http://www.powertech.com/documents/articles/Exposures.pdf
3. Weak or Compromised Passwords
> Passwords can be sniffed in network traffic to find clear text passwords
> Several protocols submit user IDs and passwords in clear text
  - Among them are FTP, Telnet, and older forms of Client Access and PC Support
> Protect yourself by…
  - Minimize the use of the legacy OS/400 Sign-on Screen (QDSIGNON)
  - Set the Client Access “Bypass Signon” flag to yes, and the OS/400 system value QRMTSIGN to “*VERIFY”
  - Use VPNs when communicating over unsecured networks
> Too many passwords, too many places
  - Users will re-use passwords inside and outside the company.
    - Unscrupulous webmasters could steal a password
  - If passwords are too hard to remember, or there are too many to remember, users will write them down.
  - Every occurrence of a password is a potential point of exposure.
    - The fewer systems that know a password, the fewer that could cough it up to a hacker.
> Why Single Sign-On (SSO)?
  - Password resets are expensive
  - Too many passwords risk disclosure
  - Password synchronization schemes extend the problem
  - IBM and Microsoft provide native support for SSO
  - Password elimination is the most secure approach
4. User Identity Theft
> 3 ways to steal an OS/400 user ID
  - OS/400 Job Description
  - Submit Job Command (SBMJOB)
  - IBM APIs to switch to the user
> None of these methods requires you to know the user’s password
> Use an OS/400 job description to masquerade as the user.
  - A JOBD that has a User ID attached to it represents the ability to run a job as that user…
    - No password required
  - Only at QSECURITY level 30 and lower.
  - SBMJOB CMD(CALL MYPGM) JOB(REPORT) JOBD(QGPL/QBATCH) USER(*JOBD)
  - Solution?
    - Move to QSECURITY level 40 or higher.
> Use the Submit Job Command (SBMJOB) to masquerade as the user
> Specify the name of another user, and run using the assumed identity.
  - SBMJOB CMD(CALL MYPGM) JOB(REPORT) JOBD(QGPL/QBATCH) USER(SALLY)
> Use IBM APIs to switch to the user
  - No password required
> The following code will allow me to become someone else without knowing their password.
  - Program QSYS/QASSUME

    PGM        PARM(&USER)
    DCL        &USER   *CHAR 10
    DCL        &HANDLE *CHAR 10
    DCL        &ERROR  *CHAR 4
    CHGVAR     %BIN(&ERROR) 0
    CALL       'QSYGETPH' PARM(&USER *NOPWD &HANDLE &ERROR)
    CHGVAR     %BIN(&ERROR) 0
    CALL       'QWTSETP'  PARM(&HANDLE &ERROR)
    ENDPGM

  Censored !!!
5. The Open Door Policy
> Every OS/400 object specifies some kind of authority for a user called *PUBLIC
  - WHO IS *PUBLIC?
    - Any user of this computer who does not have explicit authority to a given object.
  - In the old days *PUBLIC was “Everyone in my company”.
    - Then as we networked to more and more systems, *PUBLIC became everyone you do business with (Customers, Vendors, Partners, etc.)
    - With virtually every network connected to every other network (it’s called “The Internet!”), *PUBLIC could be anyone in the WORLD that can connect to your network!!!
  - In a perfect world, *PUBLIC should have little or no authority to production applications.
[Chart: *PUBLIC Authority to Libraries. Source: iSeries Security Study 2005, The PowerTech Group Inc.]
> At a maximum, Business Application users need no more than:
  - *USE authority to static objects such as programs.
  - *CHANGE authority to dynamic objects such as data files.
> Ideally, don’t give *PUBLIC even read (*USE) authority to anything
> Check out the QCRTAUT system value to see what authority *PUBLIC is given by default to newly created objects.
  - Update for V5R3 – the OS doesn’t require *CHANGE to QSYS.
6. Promiscuous Object Ownership
> All end users belong to a group profile that owns all of the application objects.
  - Pro: Easy to administer security.
  - Con: Assumes that all application access will take place through a predefined menu interface.
> Why is this a problem?
  - Users are no longer locked into green screen interfaces and dumb terminals.
  - There are numerous ways of getting at the data
    - Command Line access
    - DFU, DBU, EZView and other data manipulation tools
    - QUERY/400, SQL, and other query tools
    - Others???
  - Make sure that you’ve got all the back doors (and Windows!) covered as well.
7. Library Security
> The most important library security setting is the CRTAUT parameter.
> CRTAUT determines what authority *PUBLIC has to newly created objects.
> By default, all libraries are created with CRTAUT(*SYSVAL)
> By default the System Value QCRTAUT is shipped as *CHANGE
> A library list specifies the order in which objects and files are searched for.
> A user who can place objects into a library could bypass security checking programs
  - Example:
    - If the library list contains LIBA, LIBB, and LIBC
    - And security checking program PROGZ exists in LIBC
    - And user Fred has at least *USE + *ADD authority to LIBA
    - User Fred could place a bogus version of PROGZ into LIBA that bypasses security
> Solution:
  - Users only need *USE authority to libraries in their library list.
  - This is especially true of libraries on the system portion of the library list (System Value QSYSLIBL)
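The library-list shadowing exposure described above, as an added Python example (not PowerTech's or IBM's code): given a library list and each user's library authorities, it reports who could place a same-named program ahead of the real one, then shows the slide's fix by reducing everyone to *USE and re-running the check. All libraries, programs, users and authorities are constructed sample data.

```python
"""Library-list shadowing check for the scenario on the slide above.
Added example, not PowerTech's code.  Libraries, programs, users and
authorities are constructed sample data."""

# Library list in search order (constructed).
LIBL = ["LIBA", "LIBB", "LIBC"]

# Library each program really lives in (constructed).
OBJECTS = {"PROGZ": "LIBC", "PROGY": "LIBB"}

# Each user's authority to each library (constructed).  Fred matches the
# slide: *USE plus *ADD to LIBA lets him place objects there.
AUTHORITY = {
    "FRED":  {"LIBA": {"*USE", "*ADD"}, "LIBB": {"*USE"}, "LIBC": {"*USE"}},
    "SALLY": {"LIBA": {"*USE"}, "LIBB": {"*USE"}, "LIBC": {"*USE"}},
}

# Library authorities that allow adding objects to the library.
CAN_ADD = {"*ADD", "*CHANGE", "*ALL"}


def can_place_objects(auths):
    """True if this authority set lets a user create objects in a library."""
    return bool(auths & CAN_ADD)


def shadowing_exposures(libl, objects, authority):
    """Return sorted (user, library, program) triples where the user could
    put a same-named program into a library that is searched before the
    program's real library, so the bogus copy would be found first."""
    pos = {lib: i for i, lib in enumerate(libl)}
    findings = []
    for user, libs in authority.items():
        for lib, auths in libs.items():
            if lib not in pos or not can_place_objects(auths):
                continue
            for prog, home in objects.items():
                if home in pos and pos[lib] < pos[home]:
                    findings.append((user, lib, prog))
    return sorted(findings)


def apply_least_privilege(authority):
    """The slide's fix: no more than *USE to libraries on the library list."""
    return {u: {lib: {"*USE"} for lib in libs} for u, libs in authority.items()}


if __name__ == "__main__":
    print("before:", shadowing_exposures(LIBL, OBJECTS, AUTHORITY))
    print("after: ", shadowing_exposures(LIBL, OBJECTS, apply_least_privilege(AUTHORITY)))
```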
> Protect libraries first
  - No more than *USE authority to production libraries
  - *EXCLUDE for sensitive libraries
> User authorities to libraries:
  - *EXCLUDE => Cannot access anything
  - *USE => Read, change, or delete objects
  - *USE plus *ADD => Place new objects into a library
  - *ALL => Delete the library
8. Command Line Abuse
> The ability to execute commands allows a user to skirt traditional menu limitations
  - Commands can be entered in a variety of ways:
    1. OS/400 Command line (CALL QCMD)
    2. OS/400 screens that display a command line (WRKOUTQ, WRKWTR etc.), or other applications with hidden command line access keys.
    3. Through the use of the Attention Key.
    4. Using FTP to issue a command remotely.
    5. Using Client Access to issue a command remotely.
    6. Using DDM to issue a command remotely.
> Control users’ access to commands by…
  - Use the Limited Capability parameter (LMTCPB) on the OS/400 user profile to limit items 1-5 on the previous page.
    - Assuming OS/400 V4R2 or higher for FTP
  - Beware that items 5 & 6 on the previous page do not adhere to the LMTCPB parameter limitations
    - Use an exit program to limit DDM, and Client Access at early releases.
  - Some users require command line access (Programmers, Operators, Vendors, etc.)
    - Make sure that they are monitored
9. System Value Weaknesses
> There are several system values that must be set properly to protect your system.
  - Set the System Values to their most protective setting
    - Then toggle them off/on as needed.
  - Monitor System Values to detect and alert you whenever they are changed.
  - Ensure that those system values are changed back
  - Monitor for toggle off / toggle on conditions
  - Monitor while System Values are toggled off
> Sign-On Control: regulate signon to prevent attacks
  - QDSPSGNINF = 1
    - Display the signon information screen.
  - QINACTITV = 30
    - Time out a screen after 30 idle minutes.
  - QINACTMSGQ = *DSCJOB
    - When a job is timed out, disconnect the job and show the signon screen.
  - QMAXSIGN = 3
    - Maximum invalid signon attempts allowed.
  - QMAXSGNACN = 2
    - Disable user after ‘N’ invalid signon attempts
  - QRMTSIGN = *VERIFY
    - Allow user to bypass legacy signon screen.
> Operating system integrity
  - QSECURITY
    - 10 = Physical Security (inadequate)
    - 20 = Password Security (inadequate)
    - 30 = Resource Security (inadequate)
    - 40 = Operating System Security (recommended)
    - 50 = Enhanced Operating System Security (recommended)
  - Do not allow programs to bypass OS security
[Chart: Operating System Integrity - QSECURITY. Source: iSeries Security Study 2005, The PowerTech Group Inc.]
10. No Audit Ability
> If you had a security problem, would you know?
  - Who did it?
  - What happened?
  - When it happened?
  - How it was done?
  - How to stop it from happening again?
> What if the data was not damaged, but only stolen?
> In order to prevent security breaches, you must first be able to detect them.
> Use the OS/400 security auditing journal (QAUDJRN) to help determine where your security stands.
  - Why?
    - It’s free (from IBM)
    - It’s a comprehensive gathering tool
    - It’s an irrefutable source of historical events.
> Turn on OS/400 security auditing by typing:

    CHGSECAUD QAUDCTL(*AUDLVL) +
              QAUDLVL(*AUTFAIL *DELETE *OBJMGT *PGMFAIL *SAVRST +
                      *SECURITY *SERVICE *SYSMGT) +
              INLJRNRCV(SECURLIB/AUDRCV0001)

> This will generate a lot of audit trails
> Use tools to sift through the audit trails to find important events.
> If at all possible, save all security journal receivers.
> Make sure QAUDENDACN is *NOTIFY.
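A compliance check over the system values recommended under risk 9, together with the toggle-off/toggle-on monitoring that slide asks for, as an added Python example (not PowerTech's or IBM's code). It assumes the current system values have been exported as a name-to-value map and that QAUDJRN SV (system value changed) entries have been reduced to (timestamp, user, system value, new value) tuples; every value shown is constructed sample data.

```python
"""Baseline check and toggle detection for the i5/OS system values on the
slides.  Added example, not PowerTech's code.  The snapshot and audit entries
are constructed; real data would come from DSPSYSVAL and from QAUDJRN 'SV'
entries extracted with DSPJRN and mapped into the same tuple shape."""

# One predicate per system value, encoding the settings recommended above.
BASELINE = {
    "QSECURITY":  lambda v: int(v) >= 40,                   # 40 or 50
    "QDSPSGNINF": lambda v: v == "1",
    "QINACTITV":  lambda v: v != "*NONE" and int(v) <= 30,  # idle minutes
    "QINACTMSGQ": lambda v: v == "*DSCJOB",
    "QMAXSIGN":   lambda v: v != "*NOMAX" and int(v) <= 3,
    "QMAXSGNACN": lambda v: v in ("2", "3"),                # 2 = profile, 3 = profile and device
    "QRMTSIGN":   lambda v: v == "*VERIFY",
    "QAUDENDACN": lambda v: v == "*NOTIFY",
    "QCRTAUT":    lambda v: v not in ("*CHANGE", "*ALL"),   # shipped default is *CHANGE
}

# Constructed snapshot of current values, as DSPSYSVAL would report them.
CURRENT = {
    "QSECURITY": "40", "QDSPSGNINF": "1", "QINACTITV": "*NONE",
    "QINACTMSGQ": "*DSCJOB", "QMAXSIGN": "3", "QMAXSGNACN": "2",
    "QRMTSIGN": "*VERIFY", "QAUDENDACN": "*NOTIFY", "QCRTAUT": "*CHANGE",
}

# Constructed SV audit entries: (timestamp, user, system value, new value).
SV_ENTRIES = [
    ("2006-03-01T01:00", "OPR1", "QMAXSIGN", "*NOMAX"),
    ("2006-03-01T01:45", "OPR1", "QMAXSIGN", "3"),
    ("2006-03-02T22:10", "PGMR2", "QSECURITY", "30"),
]


def check_system_values(current):
    """Map each non-compliant or unreported system value to its current value."""
    failures = {}
    for name, ok in BASELINE.items():
        if name not in current:
            failures[name] = "<not reported>"
        elif not ok(current[name]):
            failures[name] = current[name]
    return failures


def detect_toggles(entries):
    """Walk SV entries in time order.  A change to a non-compliant value opens
    a 'toggled off' window; a later compliant value closes it.  Returns the
    completed toggles as (sysval, user, off_ts, on_ts) and the values still
    left weakened as (sysval, user, off_ts)."""
    toggles, open_off = [], {}
    for ts, user, name, value in sorted(entries):
        ok = BASELINE.get(name)
        if ok is None:
            continue                       # not a value we baseline
        if not ok(value):
            open_off.setdefault(name, (ts, user))
        elif name in open_off:
            off_ts, off_user = open_off.pop(name)
            toggles.append((name, off_user, off_ts, ts))
    still_weak = sorted((n, u, t) for n, (t, u) in open_off.items())
    return toggles, still_weak
```

Running `check_system_values(CURRENT)` flags QINACTITV and QCRTAUT, and `detect_toggles(SV_ENTRIES)` reports the QMAXSIGN toggle plus a QSECURITY that was lowered and never restored.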
Conclusions
> Security on OS/400 doesn’t just happen, you have to make it happen.
> OS/400 has the best security tools available, so let’s use them
> Secure network access points before someone else discovers the exposure.
> If you are compromised, will you know?
> You can’t play in e-business unless you guard against network access
The PowerTech Group, Inc.
Email: [email protected]
Free: (800) 915-7700
www.powertech.com
PowerLock Security Solutions extend iSeries security:
  - intrusion prevention
  - access control
  - powerful user control
  - policy management
  - central administration
Questions?