2 5 security on system z, milos kaljevic

© 2014 IBM Corporation. All rights reserved. IBM Smarter Solution Day 2014 – Croatia. Security on System z. Miloš Kaljević, IBM


Transcript of 2 5 security on system z, milos kaljevic

Page 1: 2 5 security on system z, milos kaljevic

© 2014 IBM Corporation. All rights reserved.

IBM Smarter Solution Day 2014 – Croatia

Security on System z

Miloš Kaljević, IBM

Page 2: 2 5 security on system z, milos kaljevic


Security on System z

• Who is affected by breaches in System z security
• The elements of an “advanced persistent threat”
• The four domains that are associated with a breach in security
• System z security software products and solutions
• Security conferences, links, documents

Page 3: 2 5 security on system z, milos kaljevic


You know? you can do this online now.

Page 4: 2 5 security on system z, milos kaljevic


IT security is a boardroom discussion

• Loss of market share and reputation
• Legal exposure
• Audit failure
• Fines and criminal charges
• Financial loss
• Loss of data confidentiality, integrity, and/or availability
• Violation of employee privacy
• Loss of customer trust
• Loss of brand reputation

(Roles shown on the slide: CEO, CFO/COO, CIO, CHRO, CMO)

Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series

Page 5: 2 5 security on system z, milos kaljevic


• A strong heritage of being an extremely secure platform for virtual environments and workloads
• Security is built into every level of the System z structure:
  – Processor
  – Hypervisor
  – Operating system
  – Communications
  – Storage
  – Applications
• Extensive security certifications (for example, Common Criteria and FIPS 140) including EAL5+


IBM’s Fort Knox: System z

[Chart: Distribution of Data Breaches by Operating Systems. Source: Verizon 2011 Data Breach Investigations Report]

Page 6: 2 5 security on system z, milos kaljevic


Mainframe security practices have not kept pace with the inherent internal and external connections of today’s IT environments

• 75% of attacks are considered opportunistic.
• 75% are motivated by financial motives.
• 78% of initial intrusions are rated as low difficulty.
• Web applications are the most popular attack vector.

“As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have had a significant impact on security.”

Meenu Gupta, President of Mittal Technologies Inc.


Security policies outdated or not properly executed

Page 7: 2 5 security on system z, milos kaljevic


Latest trends

• Most-common attack types:
  – 20% DDoS
  – 13% SQL Injection
  – 10% Malware
  – 5% Watering hole
  – 3% Physical access

• Roundup of 2013 security incidents:
  – The overall attack tactics and techniques have not changed significantly
  – The number of overall incidents has increased, the amount of traffic used in distributed-denial-of-service (DDoS) attacks has multiplied, and the number of leaked records is steadily rising
  – In 2013, attackers continued to use tried and true methods of extracting data
  – Oracle Java vulnerabilities continue to be a top point of entry for many of these malware attacks

Page 8: 2 5 security on system z, milos kaljevic


Advanced Persistent Threats (APTs) are bypassing traditional defenses

Advanced
• Using exploits for unreported vulnerabilities, also known as a “zero day”
• Advanced, custom malware that is not detected by antivirus products
• Coordinated attacks using a variety of vectors

Persistent
• Attacks lasting for months or years
• Attackers are dedicated to the target; they will get in
• Resistant to remediation attempts

Threat
• Targeted at specific individuals and groups within an organization, aimed at compromising confidential information
• Not random attacks; they are actually “out to get you”

Phases of an APT
• Reconnaissance: Gather information about target system
• Probe and attack: Probe for weaknesses and deploy the tools
• Toehold: Exploit weakness and gain entry into the system
• Advancement: Advance from unprivileged to privileged
• Stealth: Hide tracks, install a backdoor
• Listening post: Establish a listening post
• Takeover: Expand control to other hosts on the network

Page 9: 2 5 security on system z, milos kaljevic


Example of an Advanced Persistent Threat at a State Government, USA

Attack chain shown on the slide: Malicious e-Mail (Phishing) → Stolen User IDs and Passwords → Databases / Systems

• Employee “unwittingly executed malware, and became compromised” after opening a link in an e-mail.
• Attacker harvested the employee’s credentials.
• Leveraging the user’s access rights, the attacker logged in via a remote access service and was able to gain access to other Department of Revenue systems and databases.
• Attacker was able to install backdoor software, password dumping tools, and “multiple generic utilities to execute commands against databases.”
• 33 unique pieces of malicious software and utilities were used to perform the attack.
• Breach went undetected for almost 2 months, leading to 44 systems being compromised.
• 74.7 GB of data was stolen from the State’s 44 systems, including Mainframe data copied to SQL servers.
• 3.3 million unencrypted bank account numbers stolen.
• 3.8 million social security numbers for tax filers compromised.
• Cost the state $14 million.
• Department of Revenue Director forced to resign.

Impact callouts on the slide: 44 systems breached over two months; 74.7 GB of data; 3.8M SSNs; 3.3M bank account numbers.

Controls called out on the slide against the stages of the chain: Endpoint Management, Email, Database Activity Monitoring, Event Correlation, Realtime Event Monitoring.
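To make the slide’s detection callouts concrete, this added example (not part of the presentation) correlates constructed endpoint, e-mail, remote-access and database-activity records per user identity and flags an account whose events span several stages of the chain above; the log format, source names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the slide), one per line: time|source|user|host|detail.
# Sources mirror the slide's callouts: email, endpoint management, remote access, DAM.
SAMPLE_LOG = """\
2014-03-03T09:02:00|email|jdoe|WS-17|link_clicked
2014-03-03T09:03:10|endpoint|jdoe|WS-17|unsigned_exe_launched
2014-03-18T22:41:00|remote_access|jdoe|VPN-GW|login_success
2014-03-21T01:12:00|dam|jdoe|DB-04|bulk_export rows=6000000
2014-03-04T10:00:00|remote_access|asmith|VPN-GW|login_success
2014-03-04T10:05:00|dam|asmith|DB-04|select rows=12
"""
BUSINESS_HOURS = range(7, 19)             # assumed normal login window, 07:00-18:59
BULK_ROWS = 100_000                       # assumed threshold for a mass read
MALWARE_FOLLOWUP = timedelta(minutes=15)  # assumed click-to-execution window

def parse(log):
    """Pipe-separated records -> sorted (time, source, user, host, detail) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, user, host, detail = line.split("|")
        events.append((datetime.fromisoformat(ts), src, user, host, detail))
    return sorted(events)

def rows_in(detail):
    """The rows=N figure carried by a DAM record, or 0 if absent."""
    for tok in detail.split():
        if tok.startswith("rows="):
            return int(tok[5:])
    return 0

def stages_for(events):
    """Per user, the stages of the slide's chain the events evidence: phishing click then
    code execution on that endpoint, off-hours remote login, mass DB reads/exports."""
    clicks = defaultdict(list)  # (user, host) -> times of e-mail link clicks
    for ts, src, user, host, detail in events:
        if src == "email" and "link_clicked" in detail:
            clicks[(user, host)].append(ts)
    seen = defaultdict(set)
    for ts, src, user, host, detail in events:
        if src == "endpoint" and "launched" in detail and any(
                timedelta(0) <= ts - c <= MALWARE_FOLLOWUP for c in clicks[(user, host)]):
            seen[user].add("phish_to_malware")
        if src == "remote_access" and "login_success" in detail and ts.hour not in BUSINESS_HOURS:
            seen[user].add("offhours_remote_login")
        if src == "dam" and rows_in(detail) >= BULK_ROWS:
            seen[user].add("mass_db_read")
        if src == "dam" and "bulk_export" in detail:
            seen[user].add("bulk_export")
    return seen

def offenses(log, min_stages=3):
    """Users whose correlated activity spans at least min_stages distinct stages."""
    return {u: sorted(s) for u, s in stages_for(parse(log)).items() if len(s) >= min_stages}
```

The benign user in the sample trips no single rule, while the compromised identity is surfaced only because events from four separate sources are joined on the user; no one source shows the breach on its own.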

Page 10: 2 5 security on system z, milos kaljevic


Some publicly available tools that could be used in a Mainframe APT

Cyber Crime Kits
• £25 (about $38 USD) will buy a cybercrime kit with exploits of thousands of coding errors.
• Try looking for:
  – Blackhole V2.0
  – Phoenix
  – Price lists are available…
• If these can compromise your privileged users’ Windows systems, then they can get their passwords and then…

Shodan
• Can find mainframes on the web
• It will find your 3270 sessions presented on the internet
• Anyone with a 3270 emulator will be able to see the logon screens

Soldier of Fortran
• Shows script-kiddies how to copy a RACF database
• … and then crack it open using John the Ripper to do a dictionary attack.
• RACFSNOW*
  – Have you tried it?
  – Did it get your passwords?

Page 11: 2 5 security on system z, milos kaljevic


A list of companies running mainframes, available on the Internet

Belgium: BNP Paribas Fortis (Brussels), NMBS-Holding
Brazil: BDF, Banco Bradesco, Banco do Brasil, Banco Itau, Riocard TI, SERPRO
Canada: Canadian Imperial Bank of Commerce, Co-operators Canada, Enbridge Gas Distribution, Royal Bank of Canada (RBC), Scotiabank, …

Page 12: 2 5 security on system z, milos kaljevic


As a result, the security market is shifting

Traditional Focus (Governance and Compliance) → Emerging Focus (Risk Management):

• Security strategy: React when breached → Continual management
• Speed to react: Weeks/months → Real time
• Executive reporting: None → Operational KPIs
• Data tracking: Thousands of events → Millions of events
• Network monitoring: Server → All devices
• Employee devices: Company-issued → Bring your own
• Desktop environment: Standard build → Virtualization
• Security enforcement: Policy → Audit
• Endpoint devices: Annual physical inventory → Automatically managed
• Security technology: Point products → Integrated
• Security operations: Cost Center → Value Driver

Source: Client Insights 27-Jun-11, An Evaluation of the Security & Risk Opportunity; Assessing a New Approach to Competitive Differentiation, Ari Sheinkin, IBM, Vice President, Client Insights

Page 13: 2 5 security on system z, milos kaljevic


Solving a security issue is a complex, four-dimensional puzzle

• People: Employees, Hackers, Outsourcers, Suppliers, Consultants, Terrorists, Customers
• Data: Structured, Unstructured, At rest, In motion
• Applications: Systems applications, Web applications, Web 2.0, Mobile apps
• Infrastructure

Attempting to protect the perimeter is not enough – siloed point products and traditional defenses cannot adequately secure the enterprise

Page 14: 2 5 security on system z, milos kaljevic


IBM Security zSecure™ suite overview

IBM Security zSecure Administration (part of the IBM Security zSecure Suite)

• zSecure Admin:
  – Improves security at lower labor cost
  – Also saves cost by avoiding configuration errors, improving directory merges, and efficient group management
• zSecure Visual:
  – Permits changes in minutes vs. overnight
  – Provides access for only current employees and contractors (better business control)
  – Enables segregation of duties (minimizing business risk)
  – Aids in reducing labor cost and errors

Page 15: 2 5 security on system z, milos kaljevic


IBM Security zSecure suite overview (cont’d)

IBM Security zSecure Compliance and Auditing (part of the IBM Security zSecure Suite)

• zSecure Audit:
  – Reports can match business model/requirements
  – Prioritizes tasks (optimize labor utilization)
  – Helps find “segregation of duties” exposures (reduces risk)
• zSecure Alert:
  – Allows capture of unauthorized “back door” changes to RACF® / security policies
  – Addresses real-time audit control points, especially network audit control points
• zSecure Command Verifier:
  – Audits RACF admins’ changes
  – Offers security monitoring without additional CPU/cost
  – Audit in seconds versus days

Page 16: 2 5 security on system z, milos kaljevic


IBM Guardium Provides Real-Time Database Security & Compliance

Key Characteristics
• Single Integrated Appliance
• Non-invasive/disruptive, cross-platform architecture
• Dynamically scalable
• SOD enforcement for DBA access
• Auto discover sensitive resources and data
• Detect unauthorized & suspicious activity
• Granular, real-time policies
  – Who, what, when, how
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision

• Continuous, policy-based, real-time monitoring of all database activities, including actions by privileged users
• Database infrastructure scanning for missing patches, misconfigured privileges and other vulnerabilities
• Data protection compliance automation

Integration with LDAP, IAM, SIEM, TSM, Remedy

Also: Oracle, MySQL, Microsoft SQL Server, Sybase, Teradata, Microsoft SharePoint, PostgreSQL

Page 17: 2 5 security on system z, milos kaljevic


DAST Automates Application Security Testing

DAST (Dynamic Analysis Security Testing) provides application security for multi-tiered, web-enabled applications involving the mainframe

Flow shown on the slide:
• Scan: Applications / Source Code (mainframe or elsewhere; “running” web application; tampering with HTTP messages)
• Analyze: identify issues
• Report: detailed and actionable (results presented as exploited HTTP messages)

Easy to use, scales to thousands of users, provides organization-wide visibility and security controls

Page 18: 2 5 security on system z, milos kaljevic


zSecure, Guardium, DAST, and QRadar® improve your security intelligence

Data sources shown on the slide:
• Guardium: DB2®, IMS®, VSAM (Database Activity)
• zSecure: z/OS®, RACF®, ACF2, TSS, CICS® (Servers & Mainframes)
• DAST: Web Apps, Mobile Apps, Web services, Desktop Apps
• Security Devices, Network/Virtual Activity, Application Activity, User Activity, Vulnerability Information, Configuration Info, Threat Intelligence

Processing shown on the slide: Event Correlation, Activity Baselining and Anomaly Detection, Offense Identification

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight

• Centralized view of mainframe and distributed network security incidents, activities, and trends
• Better real-time threat identification and prioritization correlating vulnerabilities with Guardium and zSecure
• S-TAP feeds routed to QRadar via Guardium Central Policy Manager
• SMF data set feeds with zSecure Audit and Alert
• Increases accuracy of threat identification correlating application vulnerabilities with other security alerts to assign incident priorities and surface meaningful activity from noise
• Creates automatic alerts for newly discovered vulnerabilities experiencing active “Attack Paths”
• Produces increased accuracy of risk levels and offense scores, as well as simplified compliance reporting

Page 19: 2 5 security on system z, milos kaljevic


European zSecure User Group 2014

• Learn about new functions and features from the zSecure Development team
• Share user experiences and tips
• Maximise your use of zSecure to help improve Security on your Mainframe
• Network with System z Security professionals, Business Partners and IBMers
• Influence future product content with requirements

London on the 1st & 2nd July, or Frankfurt on the 3rd & 4th July

Page 20: 2 5 security on system z, milos kaljevic


z Security Annual conference

• Security strategy
• Securing Mobile
• Cyber crime and z
• zSecure Update
• Cloud Security
• WebSphere Security
• Network Security
• z/VM security
• Linux security

September 24th – 27th, 2013, Montpellier, France

Page 21: 2 5 security on system z, milos kaljevic


zSecure on Internet

• IBM Security zSecure Forum: zSecure subject matter experts from around the world monitor this forum for your questions every day. http://ibmforums.ibm.com/forums/forum.jspa?forumID=3020
• zSecure Product library: http://www-01.ibm.com/software/tivoli/products/zsecure/
• zSecure data sheets, solution sheets, and white papers: http://www-306.ibm.com/software/tivoli/products/zsecure/
• IBM Security zSecure Redbook: http://www.redbooks.ibm.com/abstracts/sg247633.html?Open

Page 22: 2 5 security on system z, milos kaljevic


Docs & Books

• Redbooks & Redpapers: http://www.redbooks.ibm.com/
  – zSecure Redbook: http://www.redbooks.ibm.com/abstracts/sg247633.html?Open
  – Designing for Solution-Based Security on z/OS, SG24-7344
  – z/OS Version 1 Release 8 RACF Implementation, SG24-7248
  – IBM Tivoli Security and System z Redbook: http://www.redbooks.ibm.com/redpieces/abstracts/sg247633.html
• IBM Security zSecure 1.11 information center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc/welcome.html
• Lab Service offerings: http://stgls01.rchland.ibm.com:81/toasted.nsf/services/AGSYS152
• Education: http://www-306.ibm.com/software/tivoli/education/edu_prd.html#z
• CARLa forum: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1255

Page 23: 2 5 security on system z, milos kaljevic


zSecure Books

• zSecure Suite: CARLa-Driven Components Installation and Configuration Manual
• zSecure Suite: Admin and Audit for RACF User Reference Manual
• zSecure Suite: Alert User Reference Manual
• z/OS Security Healthcheck

Page 24: 2 5 security on system z, milos kaljevic


Backup Slides

Page 25: 2 5 security on system z, milos kaljevic


Most-common attack types in 2013

Page 26: 2 5 security on system z, milos kaljevic
