Help! Where do I Start? · 2018. 2. 26. · Malware (e.g., ransomware) will view a mapped drive as...
2/23/2018 www.helpsystems.com/professional-security-services
Help! Where do I Start?
Carol Woodbury, CISSP, CRISC, PCIP
VP of Global Security Services
True or False:
If I can’t fix all of my security issues, it’s not worth addressing any of them.
FALSE!!!
Avoid Business Disruption!
Inappropriate security configuration leads to:
Objects being deleted
Files being modified
Confidential / Private data being read
Data being stolen and sold
Vulnerability to malware
Reduce Risk!
Goal/Objective
HelpSystems Corporate Overview. All rights reserved.
Things to do Right Now
System Values
Review your system value settings to see if they meet security best practices:
IBM i Security Reference
IBM i Security Administration and Compliance
Risk Assessor output
Enable Auditing
QAUDCTL: *AUDLVL, *OBJAUD, *NOQTEMP
QAUDLVL: *AUTFAIL *CREATE *DELETE *SAVRST *SECCFG *SECRUN *SERVICE *PTFOPR (*PTFOPR <- V7R2 and later)
Manage journal receivers:
Have a complete set of receivers
So specific date(s) can easily be retrieved
Know your compliance requirements!
To configure auditing for the first time, use CHGSECAUD:
Creates the QSYS/QAUDJRN journal
Creates and attaches the journal receiver
Changes the QAUDCTL and QAUDLVL system values
Use Compliance Monitor to automate reporting requirements
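The first-time setup and the receiver management described above, as an added CL example (not from the presentation, HelpSystems or IBM). It assumes the receivers live in QGPL (the CHGSECAUD default library), a save file QGPL/AUDSAVF, an outfile QGPL/AUDFEB01, and a job date format of MDY; run it from a profile with *AUDIT and *ALLOBJ special authority.

```cl
/* Added example, not from the slides. */

/* CHGSECAUD creates QSYS/QAUDJRN, creates and attaches the first     */
/* receiver, and sets QAUDCTL and QAUDLVL in one step.               */
/* *PTFOPR is accepted from V7R2 on; omit it on V7R1.                */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUTFAIL *CREATE *DELETE *SAVRST *SECCFG *SECRUN +
                  *SERVICE *PTFOPR)

/* Verify what actually took effect. */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)

/* Receiver management: detach the current receiver and attach a new */
/* automatically named one. Schedule this (for example nightly) so   */
/* each receiver covers a known date range and can be saved,         */
/* restored and retrieved on its own.                                */
CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*GEN)

/* Save detached receivers before deleting them. Receiver library   */
/* (QGPL, the CHGSECAUD default) and save file are assumptions.     */
SAVOBJ OBJ(AUDRCV*) LIB(QGPL) OBJTYPE(*JRNRCV) DEV(*SAVF) +
       SAVF(QGPL/AUDSAVF)

/* List the receiver chain to confirm there are no gaps.             */
WRKJRNA JRN(QSYS/QAUDJRN)

/* Retrieve one day's audit entries into an outfile for analysis.    */
/* Dates follow the job's date format (MDY assumed here). In the     */
/* *TYPE5 outfile the fields start with JO (JOENTT = entry type,     */
/* JOUSER = user profile, JOESD = entry-specific data).              */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
       FROMTIME('02/01/18' 000000) TOTIME('02/01/18' 235959) +
       JRNCDE((T)) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
       OUTFILE(QGPL/AUDFEB01)
```

CHGJRN with JRNRCV(*GEN) is what makes "a complete set of receivers" possible: each detached receiver is a sealed, saveable unit, and the DSPJRN RCVRNG/FROMTIME combination pulls a specific date back without touching the others.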
Move to QPWDLVL 1 (or 3)
QPWDLVL system value:
Level 0 (default)
  Character set: A-Z, 0-9, $, @, # and _
  Maximum length: 10
Level 1
  Same as level 0 but gets rid of the old NetServer password
Level 2
  Character set: upper/lower case, all punctuation and special characters, numbers and spaces
  Maximum length: 128
  Keeps the NetServer password; encrypts with both the old and the new algorithms
  Sign-on screen changed to accommodate the longer password; CHGPWD and CRT/CHGUSRPRF password field changed
Level 3
  Same as level 2 but gets rid of the old encrypted password and the old NetServer password
Changes require an IPL. Changing to level 2/3 may require some investigation; see the IBM i Security Reference manual for considerations.
Stay Current!
OS level
Many security enhancements (including protocols and cipher suites that may be needed for compliance) aren't available in lower releases.
V7R1 goes out of support in April 2018
PTFs
Java
Open source
Use the SYSTOOLS.GROUP_PTF_CURRENCY service (Db2 for i) to check PTF group currency:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Updates/page/DB2%20for%20i%20-%20Services
Register for IBM notifications:
https://static.helpsystems.com/powertech/pdfs/other/registering-for-ibm-i-security-bulletins.pdf?_ga=2.194807588.886329048.1517241858-983144696.1457057176
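One way to turn SYSTOOLS.GROUP_PTF_CURRENCY into a scheduled check, as an added CL example (not from the presentation, HelpSystems or IBM). The column names are those of the service as I know them; the table name QGPL/PTFGAP is an assumption. The service fetches IBM's PTF group page over HTTPS, so the partition needs outbound internet access, and RUNSQL cannot run a bare SELECT, so the result is materialised into a table and then displayed.

```cl
/* Added example, not from the slides. */

/* Keep only the PTF groups whose installed level is behind the level   */
/* IBM currently offers. Assumed table name: QGPL/PTFGAP.               */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.PTFGAP AS +
            (SELECT PTF_GROUP_ID, PTF_GROUP_TITLE, +
                    PTF_GROUP_LEVEL_INSTALLED, PTF_GROUP_LEVEL_AVAILABLE, +
                    PTF_GROUP_CURRENCY +
             FROM SYSTOOLS.GROUP_PTF_CURRENCY +
             WHERE PTF_GROUP_LEVEL_INSTALLED < PTF_GROUP_LEVEL_AVAILABLE) +
            WITH DATA') COMMIT(*NONE)

/* Display the gap report; an empty result means every group is current. */
RUNQRY QRY(*NONE) QRYFILE((QGPL/PTFGAP))
```

Putting these two commands in a job scheduler entry (ADDJOBSCDE) gives a weekly currency report without anyone having to remember to look.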
Encrypt your Sessions
Why? Prevents credential theft
Step-by-step instructions are provided in this Coffee with Carol:
https://www.helpsystems.com/resources/on-demand-webinars/configuring-acs-access-client-solutions-use-ssl-tls
Inactive User Profiles
At the very least:
Set inactive user profiles to a status of *DISABLED
Look at the Last used date (not the Last signon date!)
Use the system tools to automatically disable
• GO SECTOOLS, options 2-4
Better:
Delete inactive profiles
To take more options and to automate deletion of inactive profiles, look at Powertech Policy Minder
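The "at the very least" and "better" steps above, as an added CL example (not from the presentation, HelpSystems or IBM). It assumes the QSYS2.USER_INFO column names as I know them (LAST_USED_TIMESTAMP, PREVIOUS_SIGNON), a 90-day inactivity threshold, and the profile names BACKUPSVC, OLDUSER and OWNHOLD plus the table QGPL/INACTPRF.

```cl
/* Added example, not from the slides. */

/* 1. Report profiles unused for 90 days, judged by the last-used date  */
/*    (PREVIOUS_SIGNON is shown only for comparison; a profile used by  */
/*    ODBC or FTP never signs on but still has a last-used date).       */
/*    Q* profiles (IBM-supplied) are excluded from the report.          */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.INACTPRF AS +
            (SELECT AUTHORIZATION_NAME, STATUS, LAST_USED_TIMESTAMP, +
                    PREVIOUS_SIGNON, SPECIAL_AUTHORITIES +
             FROM QSYS2.USER_INFO +
             WHERE (LAST_USED_TIMESTAMP IS NULL +
                    OR LAST_USED_TIMESTAMP < CURRENT TIMESTAMP - 90 DAYS) +
               AND AUTHORIZATION_NAME NOT LIKE ''Q%'') +
            WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QGPL/INACTPRF))

/* 2. Automate with the system tools (GO SECTOOLS options 2-4):         */
/*    exempt profiles that must never be disabled, then schedule the    */
/*    analysis that disables anything unused for the given days.        */
CHGACTPRFL USRPRF(BACKUPSVC) ACTION(*ADD)
ANZPRFACT INACDAYS(90)

/* 3. At the very least: disable what the report shows.                 */
CHGUSRPRF USRPRF(OLDUSER) STATUS(*DISABLED)

/* 4. Better: delete. First see what the profile owns, then transfer    */
/*    ownership to an assumed holding profile so nothing is orphaned,   */
/*    and leave primary-group assignments alone.                        */
DSPUSRPRF USRPRF(OLDUSER) TYPE(*OBJOWN)
DLTUSRPRF USRPRF(OLDUSER) OWNOBJOPT(*CHGOWN OWNHOLD) PGPOPT(*NOCHG)
```

The query deliberately filters on LAST_USED_TIMESTAMP and not on PREVIOUS_SIGNON, which is the slide's point: a service profile can be busy every night and still show no sign-on at all.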
Get rid of – and prevent – default passwords
ANZDFTPWD
Prevent by specifying in QPWDRULES:
*LMTPRFNAME
*ALLCRTCHG (new in V7R2)
along with the rest of your password rules (*REQANY3, *MINLEN8)
Setting the password to be expired at first sign-on is good practice but does not reduce the risk associated with default passwords!
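The password level move (QPWDLVL slide), the QPWDRULES settings and the ANZDFTPWD cleanup, as one added CL example (not from the presentation, HelpSystems or IBM). It assumes you are on V7R2 or later (for *ALLCRTCHG) and that the rule list shown is your complete rule set, because CHGSYSVAL replaces the whole list.

```cl
/* Added example, not from the slides. */

/* Password level 1 keeps the level-0 character set and length but      */
/* drops the old NetServer password. The change takes effect at the     */
/* next IPL, so check the current value first.                          */
DSPSYSVAL SYSVAL(QPWDLVL)
CHGSYSVAL SYSVAL(QPWDLVL) VALUE('1')

/* Password rules. CHGSYSVAL replaces the entire QPWDRULES list, so    */
/* restate every rule you want. *ALLCRTCHG needs V7R2 or later; on     */
/* V7R1 drop it and rely on *LMTPRFNAME alone.                         */
CHGSYSVAL SYSVAL(QPWDRULES) +
          VALUE('*LMTPRFNAME *ALLCRTCHG *REQANY3 *MINLEN8')
DSPSYSVAL SYSVAL(QPWDRULES)

/* Find profiles whose password equals the profile name and disable    */
/* them. ACTION(*PWDEXP) would only expire the password, which, as the */
/* slide says, does not remove the risk. The report goes to a spooled  */
/* file; review it before re-enabling anything.                        */
ANZDFTPWD ACTION(*DISABLE)
```

Run ANZDFTPWD first with ACTION(*NONE) if you want the list before anything is disabled; the *LMTPRFNAME and *ALLCRTCHG rules then stop new defaults from being created, so the report stays empty.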
Service Accounts
If they should not be used for interactive signon, set the following attributes:
INLPGM(*NONE)
INLMNU(*SIGNOFF)
ATNPGM(*NONE)
LMTCPB(*YES)
GRPPRF(*NONE)
SPCAUT(*NONE)
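The six attributes above applied to a service account and then checked on a schedule, as an added CL example (not from the presentation, HelpSystems or IBM). SVCACCT and SVCACCT2 are assumed profile names, QGPL/SVCCHK an assumed table, and the QSYS2.USER_INFO column names and the values they hold for these attributes are as I know them.

```cl
/* Added example, not from the slides. */

/* A profile used only by a job or a connection (ODBC, FTP, DDM) and    */
/* never for interactive sign-on: nothing to run, no menu, no attention */
/* program, no command line, and no group or special authority that    */
/* could be inherited by accident.                                      */
CHGUSRPRF USRPRF(SVCACCT) +
          INLPGM(*NONE) INLMNU(*SIGNOFF) ATNPGM(*NONE) +
          LMTCPB(*YES) GRPPRF(*NONE) SPCAUT(*NONE) +
          TEXT('Service account - no interactive sign-on')

/* Report the service accounts that have drifted from that baseline,    */
/* so the check can run from the job scheduler. Assumed table name.     */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.SVCCHK AS +
            (SELECT AUTHORIZATION_NAME, INITIAL_PROGRAM_NAME, +
                    INITIAL_MENU_NAME, LIMIT_CAPABILITIES, +
                    GROUP_PROFILE_NAME, SPECIAL_AUTHORITIES +
             FROM QSYS2.USER_INFO +
             WHERE AUTHORIZATION_NAME IN (''SVCACCT'', ''SVCACCT2'') +
               AND (INITIAL_MENU_NAME <> ''*SIGNOFF'' +
                    OR INITIAL_PROGRAM_NAME <> ''*NONE'' +
                    OR LIMIT_CAPABILITIES <> ''*YES'' +
                    OR GROUP_PROFILE_NAME <> ''*NONE'' +
                    OR SPECIAL_AUTHORITIES <> ''*NONE'')) +
            WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QGPL/SVCCHK))
```

An empty SVCCHK table is the desired result; any row names a service account someone has quietly given a menu, a group or a special authority back.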
Service accounts
Use the V7R3 feature – Authority Collection – to determine the authorities they need to the objects they are accessing
Works for libraries and objects as well as directories and objects
Remove Unnecessary Special Authorities
Special Authority Definition
*AUDIT Auditing configuration
*IOSYSCFG Communications configuration and management, creation of file shares
*JOBCTL Management of any job on the system
*SAVSYS Ability to save and restore any object on the system – or the entire system regardless of authority to the object
*SECADM Create/Change/Delete user profiles
*SERVICE Ability to use Service Tools
*SPLCTL Access to every spooled file on the system regardless of authority to the outq
*ALLOBJ Access (All authority) to EVERY object on the system!!!!
Compare Authorities between Partitions
If a service account is performing the same tasks on multiple partitions but has different special authorities, look at matching the special authorities from the partition with the lesser authorities.
Especially true for special authorities other than *ALLOBJ
Special Authorities by Role
Start assigning special authorities based on the profiles’ role, for example, End-user, Programmer, Operator, DBA
When unsure what tasks each special authority enables, search Appendix D of the IBM i Security Reference for the commands requiring that special authority.
Start with new profiles, then go back and address existing profiles
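The cross-partition comparison and the role-based assignment described on the last two slides, as an added CL example (not from the presentation, HelpSystems or IBM). It assumes the QSYS2.USER_INFO column names as I know them, that the export table from the second partition has already been copied over as QGPL/SPCAUT_B (by SAVOBJ/RSTOBJ, FTP or DDM), and the profile names ENDUSER1 and OPER1.

```cl
/* Added example, not from the slides. */

/* Step 1: export this partition's special authorities. Run the same    */
/* statement on the other partition (naming its table SPCAUT_B) and     */
/* bring that table here.                                               */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.SPCAUT_A AS +
            (SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, +
                    SPECIAL_AUTHORITIES, GROUP_PROFILE_NAME +
             FROM QSYS2.USER_INFO) WITH DATA') COMMIT(*NONE)

/* Step 2: profiles present on both partitions whose special            */
/* authorities differ. Each row is a candidate for matching the lesser  */
/* of the two settings. Assumed table name QGPL/SPCAUT_DIF.             */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.SPCAUT_DIF AS +
            (SELECT A.AUTHORIZATION_NAME, A.USER_CLASS_NAME, +
                    A.SPECIAL_AUTHORITIES AS PARTITION_A, +
                    B.SPECIAL_AUTHORITIES AS PARTITION_B +
             FROM QGPL.SPCAUT_A A JOIN QGPL.SPCAUT_B B +
               ON A.AUTHORIZATION_NAME = B.AUTHORIZATION_NAME +
             WHERE A.SPECIAL_AUTHORITIES <> B.SPECIAL_AUTHORITIES) +
            WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QGPL/SPCAUT_DIF))

/* Step 3: assign by role rather than by habit. An end user gets no     */
/* special authority; an operator gets only what the commands in        */
/* Appendix D of the Security Reference say the job needs.              */
CHGUSRPRF USRPRF(ENDUSER1) USRCLS(*USER) SPCAUT(*NONE)
CHGUSRPRF USRPRF(OPER1) USRCLS(*SYSOPR) SPCAUT(*JOBCTL *SAVSYS)
```

Listing SPCAUT explicitly rather than leaving SPCAUT(*USRCLS) keeps the authority set visible in the profile itself, which is what the per-role review on the next slides depends on.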
Address the Use of *ALLOBJ special authority
Use Authority Collection (V7R3) to determine what authorities are required
STRAUTCOL
Chapter 10, IBM i Security Reference manual
When in doubt or when *ALLOBJ (or any other special authority) is required for some, but not all tasks, consider using PowerTech Authority Broker to temporarily give users that power
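Authority Collection as used on this slide and on the service-account slide earlier, as an added CL example (not from the presentation, HelpSystems or IBM). It needs V7R3; SVCACCT and QGPL/AUTCOLRPT are assumed names, the QSYS2.AUTHORITY_COLLECTION column names are as I know them, and the STRAUTCOL parameters are shown in their simplest form (prompt the command with F4 for the full element lists).

```cl
/* Added example, not from the slides. */

/* Start collecting for one profile across all libraries and the IFS   */
/* from root down. Leave it running through a full business cycle,     */
/* including month end, or the collection will miss the rare tasks.    */
STRAUTCOL USRPRF(SVCACCT) LIBRARY((*ALL)) DIR(('/'))

/* When the cycle is complete, stop collecting.                        */
ENDAUTCOL USRPRF(SVCACCT)

/* Objects where the profile's current authority exceeds what the      */
/* collection recorded as required: these are the candidates for       */
/* trimming, and AUTHORITY_SOURCE shows whether *ALLOBJ, a group or    */
/* an explicit grant is supplying the excess.                          */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.AUTCOLRPT AS +
            (SELECT SYSTEM_OBJECT_SCHEMA, SYSTEM_OBJECT_NAME, +
                    OBJECT_TYPE, REQUIRED_AUTHORITY, +
                    CURRENT_AUTHORITY, AUTHORITY_SOURCE +
             FROM QSYS2.AUTHORITY_COLLECTION +
             WHERE AUTHORIZATION_NAME = ''SVCACCT'' +
               AND CURRENT_AUTHORITY <> REQUIRED_AUTHORITY) +
            WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QGPL/AUTCOLRPT))

/* Remove the collected data once the report has been acted on.        */
DLTAUTCOL USRPRF(SVCACCT)
```

The REQUIRED_AUTHORITY column is the evidence to take into the *ALLOBJ discussion: if every row a profile touched needed *USE or *CHANGE, there is no task left that justifies *ALLOBJ on that profile.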
Powertech Network Security
Start logging!
DDM
FTP
Start restricting!
Service accounts
Especially when they are over authorized and/or have a default password
General users
Powertech Authority Broker
Start with programmers
Consider what you're elevating to:
Application owner profile
Individual profiles to retain audit integrity
Things that May Require Investigation
Security Level (QSECURITY)
[Chart: Total Available IBM i Security Capabilities by QSECURITY value, Level 10 through Level 50]
Moving to QSECURITY 40 from 30
Add *PGMFAIL and *AUTFAIL to QAUDLVL system value
Audit for AF entries subtypes B, C, D, R, S and J
You do not need to care about AF subtype A (authority failures) when moving to security level 40: the same authority-checking algorithm runs at level 40 as at all other levels.
Moving to QSECURITY 40 from 20 (even more investigation)
*ALLOBJ will be removed from all users not in the *SECOFR user class.
Need to determine where authority will come from, since it will no longer (by default) come from *ALLOBJ.
Need to make sure users that should keep *ALLOBJ are either in the *SECOFR user class, or you modify the profile after IPLing to the higher level.
Plus everything from the previous slide
Same authority-checking algorithm, so you can test at level 20 prior to moving to level 40
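The investigation described on the two QSECURITY slides, as an added CL example (not from the presentation, HelpSystems or IBM). It assumes the QAUDLVL list from the auditing slide is the current one (CHGSYSVAL replaces the whole list), the outfile and table names QGPL/AFENTRIES, QGPL/AFSUMMARY and QGPL/LOSEALLOBJ, and the QSYS2.USER_INFO column names as I know them. The AF subtype meanings in the comments are from the IBM i Security Reference's AF entry description.

```cl
/* Added example, not from the slides. */

/* Add *PGMFAIL and *AUTFAIL. CHGSYSVAL replaces the entire list, so   */
/* the existing values are restated here.                              */
CHGSYSVAL SYSVAL(QAUDLVL) +
          VALUE('*AUTFAIL *PGMFAIL *CREATE *DELETE *SAVRST *SECCFG +
                 *SECRUN *SERVICE')

/* After a representative period, dump the AF entries to an outfile.  */
/* In *TYPE5 format the entry-specific data is JOESD, and its first   */
/* byte is the AF subtype.                                            */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(AF) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QGPL/AFENTRIES)

/* Keep only the subtypes that level 40 starts enforcing; subtype A   */
/* (not authorized to object) behaves the same at every level.        */
/*   B restricted instruction        C validation failure             */
/*   D unsupported interface /       R hardware storage protection    */
/*     object domain failure         S default sign-on attempt        */
/*   J submit job profile error                                       */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.AFSUMMARY AS +
            (SELECT SUBSTR(JOESD, 1, 1) AS SUBTYPE, JOUSER, JOJOB, +
                    JOPGM, COUNT(*) AS OCCURRENCES +
             FROM QGPL.AFENTRIES +
             WHERE SUBSTR(JOESD, 1, 1) IN +
                   (''B'', ''C'', ''D'', ''R'', ''S'', ''J'') +
             GROUP BY SUBSTR(JOESD, 1, 1), JOUSER, JOJOB, JOPGM) +
            WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QGPL/AFSUMMARY))

/* Moving from 20: the profiles that will lose *ALLOBJ because they    */
/* are not in the *SECOFR user class. Decide for each one where its   */
/* authority will come from before the IPL.                           */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.LOSEALLOBJ AS +
            (SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, +
                    SPECIAL_AUTHORITIES +
             FROM QSYS2.USER_INFO +
             WHERE SPECIAL_AUTHORITIES LIKE ''%*ALLOBJ%'' +
               AND USER_CLASS_NAME <> ''*SECOFR'') +
            WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QGPL/LOSEALLOBJ))

/* Only once both reports are clean (takes effect at the next IPL).    */
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')
```

Because the authority-checking algorithm is the same at every level, an empty AFSUMMARY after a full business cycle is the evidence that level 40 will block nothing your applications actually do.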
Secure Directories Containing Confidential Data
For directories containing 'transient' but confidential data:
Identify profiles needing to read or write to the directory.
Set appropriate *PUBLIC authority: DTAAUT(*EXCLUDE) OBJAUT(*NONE)
Authorize individuals or groups to the directory
Even without touching objects in the directory … risk is reduced significantly
Remove Read/Write Shares to Root (‘/’)
Malware (e.g., ransomware) will view a mapped drive as another drive on a PC and encrypt everything the user is authorized to.
View who is currently mapped to root
Set authority to root (first check to see if any processes are writing to or deleting from root):
*PUBLIC DTAAUT(*RX) OBJAUT(*NONE)
It CANNOT be set to *EXCLUDE!
Remove guest profile from the NetServer
Use Policy Minder to establish a baseline and identify new file shares and changes to the authority of root
Use StandGuard AV to scan the IFS
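The directory authority settings from the previous slide, the root authority change from this one, and the two checks that go with them, as an added CL example (not from the presentation, HelpSystems or IBM). The path /transfers/payroll, the group PAYROLLGRP and the table names are assumptions; QSYS2.SERVER_SHARE_INFO and its columns are as I know them (it exists on recent 7.2 and 7.3 technology refreshes), and the root auditing step assumes QAUDCTL already includes *OBJAUD.

```cl
/* Added example, not from the slides. */

/* 1. Confidential directory: lock *PUBLIC out, then authorise only    */
/*    the group that must read and write. SUBTREE(*ALL) fixes what is  */
/*    already there; new objects inherit from the directory.           */
CHGAUT OBJ('/transfers/payroll') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/transfers/payroll') USER(PAYROLLGRP) DTAAUT(*RWX) +
       OBJAUT(*NONE) SUBTREE(*ALL)
DSPAUT OBJ('/transfers/payroll')

/* 2. Check what writes to root before changing it: audit changes on   */
/*    root only (no subtree), collect for a few days, then read the ZC */
/*    (object change) entries to see which jobs create or delete       */
/*    top-level entries.                                               */
CHGAUD OBJ('/') OBJAUD(*CHANGE) SUBTREE(*NONE)
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(ZC) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QGPL/ROOTWRITES)
RUNQRY QRY(*NONE) QRYFILE((QGPL/ROOTWRITES))

/* 3. Root itself: *PUBLIC needs *RX to reach anything below it, so    */
/*    *EXCLUDE is not possible; removing the write bit stops a mapped  */
/*    drive from creating or deleting at the top level. No SUBTREE.    */
CHGAUT OBJ('/') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)
DSPAUT OBJ('/')

/* 4. Inventory file shares; a read/write share whose PATH_NAME is '/' */
/*    is the one to remove. Assumed table name QGPL/SHARELIST.         */
RUNSQL SQL('CREATE OR REPLACE TABLE QGPL.SHARELIST AS +
            (SELECT SERVER_SHARE_NAME, SHARE_TYPE, PATH_NAME, PERMISSIONS +
             FROM QSYS2.SERVER_SHARE_INFO +
             WHERE SHARE_TYPE = ''FILE'') WITH DATA') COMMIT(*NONE)
RUNQRY QRY(*NONE) QRYFILE((QGPL/SHARELIST))
```

Step 2 is what keeps step 3 from breaking a nightly process: any job that legitimately drops files in '/' shows up in ROOTWRITES and can be moved to its own directory, with its own authority, before root is tightened.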
Reducing the Scope of Your Risk
Get rid of unused:
Profiles
Versions of vendor products
Change management libraries
Copies made of files or programs being changed, e.g., xxxOLD
File shares
If it’s on the system, you have to manage / worry about the security aspects
Develop a Plan
Don’t Let Your Frustration Stop Your Progress!
Start Planning Now
Get a FREE Security Scan:
https://www.helpsystems.com/cta/free-network-security-vulnerability-scan
Start to communicate with your management about the need to protect this vital corporate asset – the data on your IBM i systems
Get a Risk Assessment: a detailed list of work items (High, Medium, Low)
Develop a plan / strategy for addressing your organization’s security requirements.
A variety of options are available
Getting Started – Education
Free:
IBM i Security Reference manual https://www.ibm.com/support/knowledgecenter/api/content/nl/en-us/ssw_ibm_i_73/rzarl/sc415302.pdf
Getting Started with IBM i Security, eLearning course:
https://www.helpsystems.com/cta/getting-started-ibm-i-security-e-course
MCPress Online – articles by Carol Woodbury https://www.mcpressonline.com/search/page-1?searchphrase=all&searchword=woodbury
NIST Cybersecurity Framework:
https://www.nist.gov/cyberframework/draft-version-11
For a fee:
IBM i Security Administration and Compliance, 2nd edition, by Carol Woodbury, MC Press Online, 2016.
IBM i Security Deep Dive – 2-day in-person class, April 17-18, Chicago
https://www.eventbrite.com/e/ibm-i-security-deep-dive-training-with-carol-woodbury-tickets-42102189783
Start Somewhere!!!
HelpSystems’ Solution Based Approach
Data Security Life Cycle
Questions?
www.helpsystems.com/professional-security-services
www.helpsystems.com
800-328-1000 | [email protected]