Castle Walls Under Digital Siege: Risk-based Security for z/OS


Transcript of Castle Walls Under Digital Siege: Risk-based Security for z/OS

Page 1: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Castle Walls Under Digital Siege: Risk-based Security and z/OS

Kevin Segreti, Union Bank of California

Jeff Cherrington, CA Technologies

Mainframe

MFT09S

@jcherrington

#CAWorld

Page 2: Castle Walls Under Digital Siege: Risk-based Security for z/OS

2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD

Abstract

The mainframe remains the most securable platform in the data center. However, like the walls of medieval castles, its walls are no longer impregnable. Learn how applying risk-based security to z/OS helps you anticipate attacks and compromises before they occur, so you can strengthen the walls that protect your mission-critical data.

Kevin Segreti
Union Bank of California
Assistant Vice President

Jeff Cherrington
CA Technologies
Sr. Director, Mainframe Security

Page 3: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Agenda

1. WHAT DO CASTLES HAVE TO DO WITH THE MAINFRAME?
2. ARMS RACE – CIRCA THE MIDDLE AGES
3. SAPPERS AND SOCIAL ENGINEERING
4. WHY THE NORDEA HACK IS THE MAINFRAME GUNPOWDER
5. PROTECTING YOUR CASTLE – A RISK-BASED APPROACH
6. QUESTION & ANSWER

Page 4: Castle Walls Under Digital Siege: Risk-based Security for z/OS

How History Bears on Protecting the Mainframe Today

“Those who cannot remember the past are doomed to repeat it.”
George Santayana

“A smart [person] learns from their own mistakes; a wise [person] learns from the mistakes of others.”

“Only a fool learns from his own mistakes. The wise [person] learns from the mistakes of others.”

Paraphrased from Anonymous and Otto von Bismarck

Page 5: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Comparing Castles and Mainframes

Purpose: Accumulation of Wealth
Castle: Centralized repository for the most valuable assets of the day
Mainframe: Centralized repository of the critical assets that define an enterprise’s value

Purpose: Administration
Castle: Focal point for information aggregation, focus for analysis of gathered intelligence for decision making
Mainframe: Focal point for information aggregation, focus for analysis of gathered intelligence for decision making

Purpose: Protection
Castle: Progressively more sophisticated architecture protecting against progressively more sophisticated attacks
Mainframe: Progressively more sophisticated architecture protecting against progressively more sophisticated attacks

Page 6: Castle Walls Under Digital Siege: Risk-based Security for z/OS

What Can the History of Castle Technology Tell Us About Managing the Mainframe

The arms race did not originate in the 20th century.

Castle fortifications, and the counters attackers developed to overcome them, mirror the last 50 years of the mainframe in many ways.

Learning from that history offers direction for the future of the mainframe.

Page 7: Castle Walls Under Digital Siege: Risk-based Security for z/OS

The Beginning – Walls and a Single Gate…

Earliest Mainframe: Isolated in the glass house with physical access control

Earliest Castles: Forts – a single wall with a guarded gate

© International Business Machines Corporation (IBM)

Page 8: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Some Direct Correlations

Mainframe: CA ACF2 and, later, IBM RACF and CA Top Secret set the standard for “gate-keeping” of electronic resources.

Castles: Still required entry and exit of people, requiring guards at the gates.

Page 9: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Earliest Attacks – Bluntest of Forces

Mainframe: Forcing entry onto the network gave access to the console.

Castles: Rams battered the gates and, once down, the castle was open.

Page 10: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Escalation – Higher, Thicker Walls Lead to More Sophisticated Engineering of Attacks

Castle builders reinforced gates, heightened and thickened walls…

Attackers devised more sophisticated means of brute force

Page 11: Castle Walls Under Digital Siege: Risk-based Security for z/OS

What’s a Sapper?

Direct brute force was not the only or, sometimes, even the most effective means for opening a breach in the castle wall.

Soldiers – miners, really – called “sappers” tunneled beneath the walls to weaken their foundations.

Page 12: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Social Engineers are Mainframe “Sappers”

The precise mechanics of large-scale breaches seldom come to light fully or quickly.

Still, some report or speculate that social engineering to obtain credentials lies at the root of recent major breaches.

Data Source: informationisbeautiful.net

Page 13: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Social Engineers Tunnel Underneath Mainframe Protections

Mainframe external security managers offer no greater protection against social engineering than other IAMs

Once a privileged account is compromised, the foundation of all protections is destroyed

Page 14: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Some Direct Correlations

Mainframe: As connectivity increased, we surrounded the mainframe with firewalls.

Castles: Once walls alone were not enough, moats were added.

[Figure: Stateful Packet Inspection Firewall. A computer on the home network requests a web page from the Internet. The reply “Here’s the web page you asked for” is handled as “This was requested by a computer on the home network, deliver it.” The unsolicited “Here’s the web file transfer you asked for” is handled as “This was not requested by a computer on the home network, drop it.”]

Page 15: Castle Walls Under Digital Siege: Risk-based Security for z/OS


Gunpowder Changed Everything

The advent of gunpowder reduced the cost of attack, while increasing its efficiency

Even the mightiest castle could no longer be considered impregnable

Page 16: Castle Walls Under Digital Siege: Risk-based Security for z/OS


How the Nordea Hack is the Mainframe’s Gunpowder

Even the mightiest castle could no longer be considered impregnable…

Pirate Bay co-founder Gottfrid Svartholm Warg was charged with hacking the IBM mainframe of Logica, a Swedish IT firm that provided tax services to the Swedish government, and the IBM mainframe of the Swedish Nordea bank, the Swedish public prosecutor said.

"This is the biggest investigation into data intrusion ever performed in Sweden," said public prosecutor Henrik Olin.

Besides Svartholm Warg, the prosecution charged three other Swedish citizens.

Page 17: Castle Walls Under Digital Siege: Risk-based Security for z/OS


What Do These People Have in Common?

Page 18: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Protection of Mainframe Assets Must Be a Risk-based Approach

Matching Tools To Threats

Threat of data breach – data-centric protection supplementing user and resource management

Threat of network attack – increased perimeter defenses and more frequent penetration testing

Threat of compromised privileged user accounts

– Event-driven alerts for sensitive transactions

– Frequent, automated analysis of user activity

– Additional authentication factors

Page 19: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Protecting Castles’ Contents Changed

Focus shifted from solely keeping attackers out to identifying attackers before they arrived

Identifying attacks before they occur required new strategies, techniques, and tools…

Page 20: Castle Walls Under Digital Siege: Risk-based Security for z/OS

Recommended Sessions

SESSION # | TITLE | DATE/TIME

Tech Talk | Isn’t one authentication mechanism on z Systems™ enough? | 11/18 – 4:30pm, Mainframe Content Center

Mainframe Theater | Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? | 11/18 – 3:45pm, Mainframe Theater

Tech Talk | The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe | 11/19 – 12:15pm, Mainframe Content Center

MFX26S | How to Increase User Accountability by Eliminating the Default User in Unix System Services | 11/19 – 1:00pm, Breakers I

MFX47S | Top 10 things you should NOT forget when evaluating your security implementation | 11/19 – 2:00pm, Breakers I

Page 21: Castle Walls Under Digital Siege: Risk-based Security for z/OS


Follow Conversations in the Mainframe Content Center

CA Data Content Discovery

CA ACF2 ™ for z/OS

CA Top Secret® for z/OS

CA Cleanup

CA Auditor

Product X

Theater # location

Advanced Authentication – Nov 18th @ 4:30pm

The Known Unknown – Nov 19th @ 12:15pm

Page 22: Castle Walls Under Digital Siege: Risk-based Security for z/OS


Q & A

Page 23: Castle Walls Under Digital Siege: Risk-based Security for z/OS

For Informational Purposes Only

Terms of this Presentation

© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.

Page 24: Castle Walls Under Digital Siege: Risk-based Security for z/OS


For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15