Help! Where do I Start?

Transcript of an 18-slide deck, 2018. 2. 26.

Page 1

2/23/2018

www.helpsystems.com/professional-security-services

Help! Where do I Start?

Carol Woodbury, CISSP, CRISC, PCIP
VP of Global Security Services

True or False:

If I can’t fix all of my security issues, it’s not worth addressing any of them.

Page 2

FALSE!!!

Avoid Business Disruption!

Inappropriate security configuration leads to:

Objects being deleted

Files being modified

Confidential / Private data being read

Data being stolen and sold

Vulnerability to malware

Page 3

Reduce Risk!

Goal/Objective

HelpSystems Corporate Overview. All rights reserved.

Things to do Right Now

Page 4

System Values

Review your system value settings to see if they meet security best practices:

IBM i Security Reference

IBM i Security Administration and Compliance

Risk Assessor output

Enable Auditing

QAUDCTL: *AUDLVL, *OBJAUD, *NOQTEMP

QAUDLVL: *AUTFAIL, *CREATE, *DELETE, *SAVRST, *SECCFG, *SECRUN, *SERVICE, *PTFOPR (new in V7R2)

Manage journal receivers:

Have a complete set of receivers, so specific date(s) can easily be retrieved

Know your compliance requirements!

To configure auditing for the first time, use CHGSECAUD. It:

Creates the QSYS/QAUDJRN journal

Creates and attaches the journal receiver

Changes the QAUDCTL and QAUDLVL system values

Use Compliance Monitor to automate reporting requirements

Page 5

Move to QPWDLVL 1 (or 3)

System value QPWDLVL:

Level 0 (default): character set A-Z, 0-9, $, @, # and _; maximum length 10

Level 1: same as level 0 but gets rid of the old NetServer password

Level 2: character set upper / lower case, all punctuation and special characters, numbers and spaces; maximum length 128; keeps the NetServer password and encrypts with both the old and new algorithms; sign-on screen changed to accommodate the longer password; CHGPWD and CRT/CHGUSRPRF password field changed

Level 3: same as level 2, but gets rid of the old encrypted password and the old NetServer password

Changes require an IPL. Changing to level 2/3 may require some investigation; see the IBM i Security Reference manual for considerations.

Stay Current!

OS level

Many security enhancements – including protocols and cipher suites that may be needed for compliance – aren’t available in lower releases.

V7R1 goes out of support in April 2018

PTFs

Java

Open source

Use the SYSTOOLS.GROUP_PTF_CURRENCY view to check PTF group currency:

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Updates/page/DB2%20for%20i%20-%20Services

Register for IBM notifications:
https://static.helpsystems.com/powertech/pdfs/other/registering-for-ibm-i-security-bulletins.pdf?_ga=2.194807588.886329048.1517241858-983144696.1457057176

Page 6

Encrypt your Sessions

Why? Prevents credential theft

Step-by-step instructions are provided in this Coffee with Carol:
https://www.helpsystems.com/resources/on-demand-webinars/configuring-acs-access-client-solutions-use-ssl-tls

Inactive User Profiles

At the very least: set inactive user profiles to a status of *DISABLED

Look at the Last used date (not the Last signon date!)

Use the system tools to automatically disable

• GO SECTOOLS, options 2-4

Better: delete inactive profiles

To take more options and to automate deletion of inactive profiles, look at Powertech Policy Minder
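An added example, not part of the deck, of finding the candidates this slide describes with Db2 for i SQL: profiles that are still enabled but whose last-used timestamp (not the last sign-on) is older than 90 days. It assumes the QSYS2.USER_INFO view with its AUTHORIZATION_NAME, STATUS, PREVIOUS_SIGNON and LAST_USED_TIMESTAMP columns; the 90-day window, the Q* exclusion and the profile name in the CHGUSRPRF call are constructed placeholders.

```sql
-- Constructed example: profiles that are still *ENABLED but have not been
-- used for 90 days, or have never been used at all.
-- LAST_USED_TIMESTAMP is the "last used date" the slide refers to.
-- PREVIOUS_SIGNON is shown only for comparison: a profile driven by batch,
-- FTP or ODBC work may never sign on interactively yet be used every day,
-- which is why the slide says not to rely on the last sign-on date.
SELECT AUTHORIZATION_NAME,
       STATUS,
       PREVIOUS_SIGNON,
       LAST_USED_TIMESTAMP,
       CASE
         WHEN LAST_USED_TIMESTAMP IS NULL THEN 'never used'
         ELSE 'idle ' || CHAR(DAYS(CURRENT_DATE) - DAYS(LAST_USED_TIMESTAMP))
              || ' days'
       END AS IDLE_STATE
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND (LAST_USED_TIMESTAMP IS NULL
        OR LAST_USED_TIMESTAMP < CURRENT_TIMESTAMP - 90 DAYS)
   -- IBM-supplied Q* profiles are reviewed separately (constructed exclusion)
   AND AUTHORIZATION_NAME NOT LIKE 'Q%'
 ORDER BY LAST_USED_TIMESTAMP;

-- After review, disable a candidate by running the CL command from SQL.
-- SVCUSER01 is a placeholder profile name.
CALL QSYS2.QCMDEXC('CHGUSRPRF USRPRF(SVCUSER01) STATUS(*DISABLED)');
```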

Page 7

Get rid of – and prevent – default passwords

ANZDFTPWD

Prevent them by specifying in QPWDRULES:

*LMTPRFNAME

*ALLCRTCHG (new in V7R2)

along with the rest of your password rules (*REQANY3, *MINLEN8)

Setting the password to be expired at first sign-on is good practice but does not reduce the risk associated with default passwords!

Service Accounts

If they should not be used for interactive signon, set the following attributes:

INLPGM(*NONE)

INLMNU(*SIGNOFF)

ATNPGM(*NONE)

LMTCPB(*YES)

GRPPRF(*NONE)

SPCAUT(*NONE)
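An added example, not from the deck, that checks a set of service accounts against the six attributes listed above and shows which ones deviate. It assumes the QSYS2.USER_INFO view with its INITIAL_PROGRAM_NAME, INITIAL_MENU_NAME, ATTENTION_KEY_HANDLING_PROGRAM_NAME, LIMIT_CAPABILITIES, GROUP_PROFILE_NAME and SPECIAL_AUTHORITIES columns; the three account names are constructed placeholders.

```sql
-- Constructed example: for each named service account, list the attributes
-- that still permit an interactive session. A profile matches the slide only
-- when INLPGM(*NONE) INLMNU(*SIGNOFF) ATNPGM(*NONE) LMTCPB(*YES)
-- GRPPRF(*NONE) SPCAUT(*NONE) all hold; DEVIATIONS is empty for those.
SELECT AUTHORIZATION_NAME,
       INITIAL_PROGRAM_NAME,
       INITIAL_MENU_NAME,
       ATTENTION_KEY_HANDLING_PROGRAM_NAME,
       LIMIT_CAPABILITIES,
       GROUP_PROFILE_NAME,
       SPECIAL_AUTHORITIES,
       -- build a short list of the CHGUSRPRF keywords that need attention
       TRIM(
         CASE WHEN INITIAL_PROGRAM_NAME <> '*NONE'
              THEN 'INLPGM ' ELSE '' END ||
         CASE WHEN INITIAL_MENU_NAME <> '*SIGNOFF'
              THEN 'INLMNU ' ELSE '' END ||
         CASE WHEN ATTENTION_KEY_HANDLING_PROGRAM_NAME <> '*NONE'
              THEN 'ATNPGM ' ELSE '' END ||
         CASE WHEN LIMIT_CAPABILITIES <> '*YES'
              THEN 'LMTCPB ' ELSE '' END ||
         CASE WHEN GROUP_PROFILE_NAME <> '*NONE'
              THEN 'GRPPRF ' ELSE '' END ||
         CASE WHEN SPECIAL_AUTHORITIES <> '*NONE'
              THEN 'SPCAUT ' ELSE '' END
       ) AS DEVIATIONS
  FROM QSYS2.USER_INFO
 -- placeholder service-account names; substitute your own list
 WHERE AUTHORIZATION_NAME IN ('SVCFTP', 'SVCODBC', 'SVCBATCH')
 ORDER BY AUTHORIZATION_NAME;

-- Apply the slide's settings to one account (placeholder name SVCFTP).
-- Confirm the account's batch work does not depend on a group profile or
-- special authority before removing them.
CALL QSYS2.QCMDEXC(
  'CHGUSRPRF USRPRF(SVCFTP) INLPGM(*NONE) INLMNU(*SIGNOFF) ATNPGM(*NONE) ' ||
  'LMTCPB(*YES) GRPPRF(*NONE) SPCAUT(*NONE)');
```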

Page 8

Service accounts

Use the V7R3 feature – Authority Collection – to determine the authorities they need to the objects they are accessing

Works for libraries and objects as well as directories and objects

Remove Unnecessary Special Authorities

Special Authority Definition

*AUDIT Auditing configuration

*IOSYSCFG Communications configuration and management, creation of file shares

*JOBCTL Management of any job on the system

*SAVSYS Ability to save and restore any object on the system – or the entire system regardless of authority to the object

*SECADM Create/Change/Delete user profiles

*SERVICE Ability to use Service Tools

*SPLCTL Access to every spooled file on the system regardless of authority to the outq

*ALLOBJ Access (All authority) to EVERY object on the system!!!!

Page 9

Compare Authorities between Partitions

If a service account is performing the same tasks on multiple partitions but has different special authorities, look at matching the special authorities from the partition with the lesser authorities.

Especially true for special authorities other than *ALLOBJ

Special Authorities by Role

Start assigning special authorities based on the profiles’ role, for example, End-user, Programmer, Operator, DBA

When unsure what tasks each special authority enables, search Appendix D of the Security Reference for the commands requiring that special authority.

Start with new profiles, then go back and address existing profiles

Page 10

Address the Use of *ALLOBJ special authority

Use Authority Collection (V7R3) to determine what authorities are required

STRAUTCOL

Chapter 10, IBM i Security Reference manual

When in doubt or when *ALLOBJ (or any other special authority) is required for some, but not all tasks, consider using PowerTech Authority Broker to temporarily give users that power

Powertech Network Security

Start logging!

DDM

FTP

Start restricting!

Service accounts

Especially when they are over-authorized and/or have a default password

General users

Page 11

Powertech Authority Broker

Start with programmers

Consider what you’re elevating to:

Application owner profile

Individual profiles to retain audit integrity


Things that May Require Investigation

Page 12

Security Level (QSECURITY)

[Chart: Total Available IBM i Security Capabilities (percentage) by QSECURITY value, for levels 10, 20, 30, 40 and 50]

Moving to QSECURITY 40 from 30

Add *PGMFAIL and *AUTFAIL to QAUDLVL system value

Audit for AF entries subtypes B, C, D, R, S and J

You do not care about AF-A entries (ordinary authority failures) when moving to security level 40: the same authority checking algorithm runs at level 40 that runs at all other levels.
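An added example, not from the deck, of reviewing the AF audit entries this slide says to watch before the move to level 40, using Db2 for i SQL. It assumes the SYSTOOLS.AUDIT_JOURNAL_AF table function (an IBM i service that arrived after this deck was written) with its STARTING_TIMESTAMP parameter and VIOLATION_TYPE, VIOLATION_TYPE_DETAIL, USER_NAME, JOB_NAME, OBJECT_LIBRARY, OBJECT_NAME and OBJECT_TYPE columns; the 30-day window is a constructed choice.

```sql
-- Constructed example: summarise AF (authority failure) entries by violation
-- type for the last 30 days. Types B, C, D, R, S and J are the ones the slide
-- lists for the level-40 move; type A (a plain authority failure) is left
-- out on purpose because it happens at every security level.
SELECT VIOLATION_TYPE,
       MIN(VIOLATION_TYPE_DETAIL) AS DESCRIPTION,
       COUNT(*)                   AS ENTRIES,
       COUNT(DISTINCT USER_NAME)  AS USERS,
       MIN(ENTRY_TIMESTAMP)       AS FIRST_SEEN,
       MAX(ENTRY_TIMESTAMP)       AS LAST_SEEN
  FROM TABLE(SYSTOOLS.AUDIT_JOURNAL_AF(
               STARTING_TIMESTAMP => CURRENT_TIMESTAMP - 30 DAYS))
 WHERE VIOLATION_TYPE IN ('B', 'C', 'D', 'R', 'S', 'J')
 GROUP BY VIOLATION_TYPE
 ORDER BY ENTRIES DESC;

-- Drill into one type (here B) to see which job touched which object, so the
-- application can be fixed before the IPL to level 40 makes it fail.
SELECT ENTRY_TIMESTAMP, USER_NAME, JOB_NAME, VIOLATION_TYPE,
       OBJECT_LIBRARY, OBJECT_NAME, OBJECT_TYPE
  FROM TABLE(SYSTOOLS.AUDIT_JOURNAL_AF(
               STARTING_TIMESTAMP => CURRENT_TIMESTAMP - 30 DAYS))
 WHERE VIOLATION_TYPE = 'B'
 ORDER BY ENTRY_TIMESTAMP DESC
 FETCH FIRST 50 ROWS ONLY;
```

An empty first result over a window that covers month-end and other periodic jobs is the evidence that level 40 will not break anything the audit journal has seen.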

Page 13

Moving to QSECURITY 40 from 20 (even more investigation)

*ALLOBJ will be removed from all users not in *SECOFR user class.

Need to determine where authority will come from since it will no longer – by default – come from *ALLOBJ

Need to make sure users that should have *ALLOBJ are either in the *SECOFR user class or you modify the profile after IPLing to the higher level.

Plus everything from previous slide

The same authority checking algorithm runs at level 20, so you can test there prior to moving to level 40
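An added example, not from the deck, for the profile work described on this slide and on the "Special Authorities by Role" slide: which profiles hold *ALLOBJ outside the *SECOFR user class, and how special authorities are distributed across user classes. It assumes the QSYS2.USER_INFO view with its AUTHORIZATION_NAME, USER_CLASS_NAME, GROUP_PROFILE_NAME, SPECIAL_AUTHORITIES and STATUS columns.

```sql
-- Constructed example, part 1: profiles that hold *ALLOBJ today but are not
-- in the *SECOFR user class. These lose *ALLOBJ at the IPL to level 40, so
-- each one needs either a move to *SECOFR (if it truly needs *ALLOBJ) or
-- private, group or application-owner authority arranged beforehand.
SELECT AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       GROUP_PROFILE_NAME,
       SPECIAL_AUTHORITIES,
       STATUS
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND USER_CLASS_NAME <> '*SECOFR'
 ORDER BY USER_CLASS_NAME, AUTHORIZATION_NAME;

-- Part 2: how many profiles in each user class carry each special authority.
-- Compare this with the role-based target you set (for example, end users
-- none; operators *JOBCTL and *SAVSYS) to find where to start trimming.
SELECT USER_CLASS_NAME,
       COUNT(*) AS PROFILES,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'   THEN 1 ELSE 0 END) AS ALLOBJ,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*SECADM%'   THEN 1 ELSE 0 END) AS SECADM,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*JOBCTL%'   THEN 1 ELSE 0 END) AS JOBCTL,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*SAVSYS%'   THEN 1 ELSE 0 END) AS SAVSYS,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*SPLCTL%'   THEN 1 ELSE 0 END) AS SPLCTL,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*SERVICE%'  THEN 1 ELSE 0 END) AS SERVICE,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*IOSYSCFG%' THEN 1 ELSE 0 END) AS IOSYSCFG,
       SUM(CASE WHEN SPECIAL_AUTHORITIES LIKE '%*AUDIT%'    THEN 1 ELSE 0 END) AS AUDIT
  FROM QSYS2.USER_INFO
 GROUP BY USER_CLASS_NAME
 ORDER BY USER_CLASS_NAME;
```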

Secure Directories Containing Confidential Data

For directories containing ‘transient’ but confidential data:

Identify profiles needing to read or write to the directory.

Set appropriate *PUBLIC authority: DTAAUT(*EXCLUDE) OBJAUT(*NONE)

Authorize individuals or groups to the directory

Even without touching the objects in the directory, risk is reduced significantly

Page 14

Remove Read/Write Shares to Root (‘/’)

Malware (e.g., ransomware) will view a mapped drive as another drive on a PC and encrypt everything the user is authorized to.

View who is currently mapped to root

Check to see if any processes are writing to or deleting from root

Set authority to root: *PUBLIC DTAAUT(*RX) OBJAUT(*NONE)

It CANNOT be set to *EXCLUDE!

Remove guest profile from the NetServer

Use Policy Minder to establish a baseline and identify new file shares and changes to the authority of root

Use StandGuard AV to scan the IFS
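An added example, not from the deck, of two of the root-share steps above done from Db2 for i SQL: listing the NetServer file shares that expose ‘/’, and setting the *PUBLIC authority on root to the value the slide gives. It assumes the QSYS2.SERVER_SHARE_INFO view with its SERVER_SHARE_NAME, SHARE_TYPE, PATH_NAME and PERMISSIONS columns, and the QSYS2.QCMDEXC procedure.

```sql
-- Constructed example, step 1: which file shares point at root?
-- A read/write share on '/' is what lets ransomware on a PC with the drive
-- mapped encrypt everything the user is authorized to, so these are the
-- shares to remove or narrow first. Shares on parent paths of sensitive
-- directories deserve the same review; widen the PATH_NAME filter to see them.
SELECT SERVER_SHARE_NAME,
       PATH_NAME,
       PERMISSIONS
  FROM QSYS2.SERVER_SHARE_INFO
 WHERE SHARE_TYPE = 'FILE'
   AND PATH_NAME = '/'
 ORDER BY SERVER_SHARE_NAME;

-- Step 2: set the *PUBLIC authority on root to DTAAUT(*RX) OBJAUT(*NONE).
-- *EXCLUDE is not allowed on '/', which is why *RX is the target.
-- The path is quoted twice because it sits inside an SQL string literal.
CALL QSYS2.QCMDEXC(
  'CHGAUT OBJ(''/'') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)');
```

Run step 2 only after confirming that no process writes to or deletes from root, as the slide says; the command changes the root directory itself and nothing beneath it.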

Reducing the Scope of Your Risk

Get rid of unused:

Profiles

Versions of vendor products

Change management libraries

Copies made of files or programs being changed, e.g., xxxOLD

File shares

If it’s on the system, you have to manage / worry about the security aspects

Page 15

Develop a Plan

Don’t Let Your Frustration Stop Your Progress!

Page 16

Start Planning Now

Get a FREE Security Scan:
https://www.helpsystems.com/cta/free-network-security-vulnerability-scan

Start to communicate with your management about the need to protect this vital corporate asset – the data on your IBM i systems

Get a Risk Assessment: a detailed list of work items (High, Medium, Low)

Develop a plan / strategy for addressing your organization’s security requirements.

A variety of options are available

Getting Started – Education

Free:

IBM i Security Reference manual https://www.ibm.com/support/knowledgecenter/api/content/nl/en-us/ssw_ibm_i_73/rzarl/sc415302.pdf

Getting Started with IBM i Security – eLearning course:
https://www.helpsystems.com/cta/getting-started-ibm-i-security-e-course

MCPress Online – articles by Carol Woodbury https://www.mcpressonline.com/search/page-1?searchphrase=all&searchword=woodbury

NIST Cybersecurity Framework:
https://www.nist.gov/cyberframework/draft-version-11

For a fee:

IBM i Security Administration and Compliance, 2nd edition, by Carol Woodbury, MC Press Online, 2016.

IBM i Security Deep Dive – 2-day in-person class, April 17-18, Chicago

https://www.eventbrite.com/e/ibm-i-security-deep-dive-training-with-carol-woodbury-tickets-42102189783

Page 17

Start Somewhere!!!

HelpSystems’ Solution Based Approach

Page 18

Data Security Life Cycle

Questions?

www.helpsystems.com/professional-security-services

www.helpsystems.com

800-328-1000 | [email protected]