Top Ten Security Vulnerabilities on IBM i - ocean400.org
© HelpSystems. Company Confidential. 11/19/2015 1
Top Ten Security Vulnerabilities on IBM i
Carol Woodbury
VP, Global Security Services, HelpSystems
Top 10 Security Vulnerabilities on IBM i
• IBM i is one of the most securable systems available—but unless you actually use the features IBM has provided, the system is vulnerable.
• Tonight we will talk about:
– The top 10 vulnerabilities on the system today
– How to address them using the operating system itself
IBM i has MANY layers of defense
• Provided with IBM i
– Hardware storage protection
– Signed OS
– Separation of OS from Application Layer
• You must implement
– Security level
– Strong passwords
– Encrypted sessions, back-ups, disk, data at rest
– User capabilities
– Access control settings
– Auditing / Logging
• Additional layers are available
– Exit programs
– Additional encryption solutions
– Two-factor authentication
#10 – QAUDCTL = *NONE
• 10.A No auditing means that no actions are logged, meaning none of these vulnerabilities can be investigated effectively
• 10.B Audit journal receivers are not saved
#9b – Root is shared
• A share to root (‘/’) also shares /QSYS.LIB
#9b - Remediation
Root (‘/’) should not be shared!
If the share absolutely cannot be removed:
• Add a ‘$’ to the end of the share name, e.g., share$
– Prevents the share from being discovered by browsing
• Create the share as a ‘read only’ share
• Set the QPWFSERVER authorization list to *PUBLIC *EXCLUDE, then authorize specific users
– Prevents access to libraries (QSYS.LIB) through interfaces such as Windows Explorer
• Implement object level security!
Vulnerability #9a
Guest Profile Assigned to the NetServer
#9a - NetServer Guest Profile - Properties
Guest profiles allow users to connect to the system and access any object with *PUBLIC greater than *EXCLUDE without an IBM i signon.
(Navigator screenshot: click on the Security tab, then click on Next Start.)
#8 – Profiles with LMTCPB(*NO)
• Default on CRTUSRPRF
• Allows users to enter commands on a command line
#8 – Profiles with LMTCPB(*NO)
Open a DOS window
• Enter the command:
rmtcmd crtdir '/home/SkyViewTest' //system_name
• This will bring up a prompt to log in – or will run if the user’s already logged into that workstation.
#8 - Remediation
• Make sure EVERY profile is set to LMTCPB(*YES) unless they specifically should be able to run commands.
– even if they should not be able to be used for sign on (service accounts)
#7 – Profiles with a default password
• Password = Profile name by default when creating a new user profile
• Risk is not reduced just because the password is set to expire with first use
• IBM-supplied profiles will be the first profiles attempted because they are well-known
• Vendor profiles are prime suspects
• Accounts are created as a test, then start to be used
#7 – Default passwords
Don’t have your *ADMIN instance started all of the time and/or use APPADMIN to control access to Navigator function
QPWDRULES
*PWDSYSVAL, or one or more of:
• Character rules: *CHRLMTAJC, *CHRLMTREP
• Digit rules: *DGTLMTAJC, *DGTLMTFST, *DGTLMTLST, *DGTMAXn, *DGTMINn
• Letter rules: *LTRLMTAJC, *LTRLMTFST, *LTRLMTLST, *LTRMAXn, *LTRMINn
• Special character rules: *SPCCHRLMTAJC, *SPCCHRLMTFST, *SPCCHRLMTLST, *SPCCHRMAXn, *SPCCHRMINn
• Length and composition: *MAXLENnnn, *MINLENnnn, *MIXCASEnnn, *REQANY3
• Profile name and position: *LMTPRFNAME, *LMTSAMPOS
• V7R2: *ALLCRTCHG
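As an added example (not IBM's or HelpSystems' code), the following Python emulates the rule keywords listed above so that a proposed QPWDRULES setting can be tried against candidate passwords before it goes on the system. Each keyword follows its documented meaning; the special-character set (`string.punctuation`), case-insensitive matching for *LMTPRFNAME, and the treatment of *ALLCRTCHG as a scope flag rather than a per-password test are this example's assumptions, since exact behaviour on a real system also depends on QPWDLVL.

```python
"""Offline emulation of a subset of IBM i QPWDRULES keywords.
Added example, not IBM's implementation: it models the documented meaning
of each keyword so a rule set can be reasoned about before deployment."""
import re
import string

SPECIAL = set(string.punctuation)  # assumption: stands in for IBM i's special-character set

_COUNT_RULE = re.compile(
    r"\*(MINLEN|MAXLEN|MIXCASE|DGTMIN|DGTMAX|LTRMIN|LTRMAX|SPCCHRMIN|SPCCHRMAX)(\d+)")
_POS_RULE = re.compile(r"\*(DGT|LTR|SPCCHR)LMT(FST|LST|AJC)")
_CLASS_TEST = {"DGT": str.isdigit, "LTR": str.isalpha, "SPCCHR": lambda c: c in SPECIAL}


def _count_ok(kind, n, pw):
    """*xxxMINn / *xxxMAXn / *MINLENnnn / *MAXLENnnn / *MIXCASEnnn checks."""
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    special = sum(c in SPECIAL for c in pw)
    letters = upper + lower
    return {
        "MINLEN": len(pw) >= n, "MAXLEN": len(pw) <= n,
        "MIXCASE": upper >= n and lower >= n,   # at least n of each case
        "DGTMIN": digits >= n, "DGTMAX": digits <= n,
        "LTRMIN": letters >= n, "LTRMAX": letters <= n,
        "SPCCHRMIN": special >= n, "SPCCHRMAX": special <= n,
    }[kind]


def _position_ok(cls, where, pw):
    """*xxxLMTFST / *xxxLMTLST / *xxxLMTAJC: class not first / not last / not adjacent."""
    test = _CLASS_TEST[cls]
    if not pw:
        return True
    if where == "FST":
        return not test(pw[0])
    if where == "LST":
        return not test(pw[-1])
    return not any(test(a) and test(b) for a, b in zip(pw, pw[1:]))


def check_password(pw, rules, profile_name="", previous_password=""):
    """Return the QPWDRULES keywords (in rule order) that the candidate violates."""
    violations = []
    for rule in rules:
        if (m := _COUNT_RULE.fullmatch(rule)):
            ok = _count_ok(m.group(1), int(m.group(2)), pw)
        elif (m := _POS_RULE.fullmatch(rule)):
            ok = _position_ok(m.group(1), m.group(2), pw)
        elif rule == "*REQANY3":      # at least three of: upper, lower, digit, special
            classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
                       any(c.isdigit() for c in pw), any(c in SPECIAL for c in pw))
            ok = sum(classes) >= 3
        elif rule == "*LMTPRFNAME":   # profile name may not appear in the password
            ok = not profile_name or profile_name.upper() not in pw.upper()
        elif rule == "*LMTSAMPOS":    # no character in the same position as in the previous password
            ok = not any(a == b for a, b in zip(pw, previous_password))
        elif rule == "*CHRLMTAJC":    # the same character may not be adjacent to itself
            ok = all(a != b for a, b in zip(pw, pw[1:]))
        elif rule == "*CHRLMTREP":    # no character may appear more than once
            ok = len(set(pw)) == len(pw)
        elif rule == "*ALLCRTCHG":    # V7R2: applies the rules to CRTUSRPRF/CHGUSRPRF too; no per-password test
            ok = True
        else:
            raise ValueError(f"unsupported rule (or *PWDSYSVAL, which defers to the QPWD* system values): {rule}")
        if not ok:
            violations.append(rule)
    return violations


if __name__ == "__main__":
    policy = ["*MINLEN12", "*MAXLEN128", "*REQANY3", "*LMTPRFNAME",
              "*DGTLMTFST", "*DGTLMTLST", "*CHRLMTAJC"]
    for candidate in ("Carol2015!", "Blue-Harbor-47x"):   # constructed sample passwords
        print(candidate, check_password(candidate, policy, profile_name="CAROL") or "OK")
```

Running the block shows the first sample failing *MINLEN12 and *LMTPRFNAME while the second passes; the list comes back in rule order, which is convenient when reporting which part of a policy a help-desk password standard is missing.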
#6 – Non-expiring passwords
• QPWDEXPITV set to *NOMAX
• Password expiration interval in the user profile is set to *NOMAX (rather than *SYSVAL)
Biggest offenders: Administrators!
#6 - Remediation
• Set the QPWDEXPITV to 90 or less
• Ensure all profiles used for sign on are PWDEXPITV(*SYSVAL)
– Administrators, programmers, vendors, upper management, end users, etc.
• Set IBM-supplied profiles to PASSWORD(*NONE)
• Set QSECOFR to STATUS(*DISABLED)
#5 – Unencrypted communications
• Recent break-ins have exploited passwords sniffed from the network
• PCI DSS requires:
– encrypted sessions for Administrators
– no cleartext passwords
• 5250 sign on via an emulator passes the passwords in cleartext
• POODLE vulnerability has shown weakness in SSL – should be at TLS 1.2 or higher
#5 – Unencrypted communications
Tutorial:
• Coffee with Carol session on configuring iAccess to use SSL (TLS): https://www.youtube.com/user/SkyViewPartners1/videos
POODLE:
• Instructions for enabling an SSL counter: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020451
• Instructions for enabling a comm trace that will allow you to determine which connection(s) use SSL: http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
#4 – QSECURITY Vulnerability
• Level 20 – by default, all profiles are created with *ALLOBJ and *SAVSYS special authorities
• Level 30 – can use a job description that names a user profile to submit a job and elevate privileges
#4 – Remediation
[Chart: Total Available i5/OS Security Capabilities by QSECURITY value, Levels 10 through 50]
Run at QSECURITY level 40 or 50
#3 – Objects are not secured
• Objects – especially files containing PII (Personally Identifiable Information) or confidential information – are not secured
• Menu “security” is not enough!
• Too many users have *ALLOBJ special authority
• Too many users are a member of a group that owns an application
• Too many *FILEs at *PUBLIC *CHANGE or *ALL
Data access is more than menus
Access to data from menus is tightly controlled:
Accounting Menu
1. Accts Receivable
2. Accts Payable
3. Check Requests
Other access paths to the same data:
• FTP, ODBC, DDM, Sockets
• Users with legitimate command line access: Operators, DBA, Analysts, Developers
• WebSphere and other web apps
• Processes that allow downloads to a PC or send data to a Windows Server
• Query / SQL
In reality, data access is NOT tightly controlled
What actually grants access:
• *PUBLIC - *ALL or *CHANGE
• Member of the Owning Group
• *ALLOBJ special authority
Through any of these paths:
• FTP, ODBC, DDM, Sockets
• Users with legitimate command line access: Operators, DBA, Analysts, Developers
• WebSphere and other web apps
• Processes that allow downloads to a PC or send data to a Windows Server
• Query / SQL
Too many users with too many Special Authorities
Special Authority – Definition
*AUDIT – Configure auditing
*IOSYSCFG – Device and communications configuration and management
*JOBCTL – Management of any job on the system
*SAVSYS – Ability to save and restore any object on the system – or the entire system – regardless of authority to the object
*SECADM – Create/Change/Delete user profiles
*SERVICE – Ability to use Service Tools
*SPLCTL – Access to every spooled file on the system regardless of authority to the outq – the *ALLOBJ of spooled files
*ALLOBJ – All authority to EVERY object on the system!
#2 – Remediation
• Give special authority only to users whose job function requires it
• Start with new profiles
– Create template profiles to create profiles – stop copying existing profiles!
• Do not assign *ALLOBJ to programmers’ profiles
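The remediation points for #10, #8, #7, #6, #4, #3 and #2 above can be expressed as checks. The following Python is an added example, not code from this deck, HelpSystems or IBM: it scores constructed sample records (shaped loosely after DSPUSRPRF, ANZDFTPWD and DSPOBJAUT output, with field names of this example's own) against those points and returns one finding per violation, tagged with the deck's vulnerability number. The Q-prefix heuristic for IBM-supplied profiles and the `role` and `needs_cmdline` fields are assumptions standing in for the judgement "should this profile run commands?" that the deck leaves to the administrator.

```python
"""Added example, not HelpSystems', IBM's or this deck's code: audit constructed
profile, object and system-value records against the deck's remediation points
(#10 QAUDCTL, #8 LMTCPB, #7 default passwords, #6 expiry, #4 QSECURITY,
#3 *PUBLIC on files, #2 special authorities). Field names are this example's own."""

# Constructed sample system values, deliberately weak so every check fires.
SYSTEM_VALUES = {"QAUDCTL": "*NONE", "QSECURITY": "30", "QPWDEXPITV": "*NOMAX"}

# Constructed profile records. "signon" means the profile has a password (not PASSWORD(*NONE)).
PROFILES = [
    {"name": "QSECOFR", "status": "*ENABLED", "signon": True, "pwdexpitv": "*SYSVAL",
     "lmtcpb": "*NO", "needs_cmdline": True, "special_auth": {"*ALLOBJ", "*SECADM"},
     "default_password": False, "role": "admin"},
    {"name": "QUSER", "status": "*ENABLED", "signon": True, "pwdexpitv": "*SYSVAL",
     "lmtcpb": "*NO", "needs_cmdline": False, "special_auth": set(),
     "default_password": True, "role": "ibm"},
    {"name": "DEVJOE", "status": "*ENABLED", "signon": True, "pwdexpitv": "*NOMAX",
     "lmtcpb": "*NO", "needs_cmdline": True, "special_auth": {"*ALLOBJ", "*JOBCTL"},
     "default_password": False, "role": "programmer"},
    {"name": "WEBSVC", "status": "*ENABLED", "signon": False, "pwdexpitv": "*SYSVAL",
     "lmtcpb": "*NO", "needs_cmdline": False, "special_auth": set(),
     "default_password": False, "role": "service"},
    {"name": "CLERK1", "status": "*ENABLED", "signon": True, "pwdexpitv": "*SYSVAL",
     "lmtcpb": "*YES", "needs_cmdline": False, "special_auth": set(),
     "default_password": False, "role": "user"},
]

# Constructed object records (only the *PUBLIC authority matters for check #3).
OBJECTS = [
    {"name": "CUSTMAST", "library": "PRODLIB", "type": "*FILE", "public": "*ALL"},
    {"name": "PAYROLL", "library": "PRODLIB", "type": "*FILE", "public": "*CHANGE"},
    {"name": "ORDERS", "library": "PRODLIB", "type": "*FILE", "public": "*USE"},
    {"name": "MENUPGM", "library": "PRODLIB", "type": "*PGM", "public": "*USE"},
]


def audit_system_values(sysvals):
    """Findings for the system values the deck calls out: #10, #6 and #4."""
    findings = []
    if sysvals.get("QAUDCTL", "*NONE") == "*NONE":
        findings.append(("#10", "QAUDCTL", "auditing is off; nothing can be investigated"))
    expitv = sysvals.get("QPWDEXPITV", "*NOMAX")
    if expitv == "*NOMAX" or int(expitv) > 90:
        findings.append(("#6", "QPWDEXPITV", f"{expitv}: set to 90 or less"))
    if int(sysvals.get("QSECURITY", "10")) < 40:
        findings.append(("#4", "QSECURITY", f"level {sysvals.get('QSECURITY')}: run at 40 or 50"))
    return findings


def audit_profile(p):
    """Per-profile findings for #8, #7, #6 and #2."""
    findings = []
    name = p["name"]
    if p["lmtcpb"] != "*YES" and not p["needs_cmdline"]:   # applies to service accounts too
        findings.append(("#8", name, "LMTCPB(*NO) on a profile that should not run commands"))
    if p["default_password"]:
        findings.append(("#7", name, "password equals the profile name"))
    if p["signon"] and p["pwdexpitv"] != "*SYSVAL":
        findings.append(("#6", name, f"PWDEXPITV({p['pwdexpitv']}) overrides the system value"))
    if name == "QSECOFR":
        if p["status"] != "*DISABLED":
            findings.append(("#6", name, "QSECOFR is enabled; set STATUS(*DISABLED)"))
    elif name.startswith("Q") and p["signon"]:
        # Assumption: a Q* name is treated as an IBM-supplied profile.
        findings.append(("#6", name, "IBM-supplied profile has a password; set PASSWORD(*NONE)"))
    if "*ALLOBJ" in p["special_auth"] and p["role"] == "programmer":
        findings.append(("#2", name, "*ALLOBJ on a programmer's profile"))
    return findings


def audit_object(o):
    """Finding for #3: a *FILE whose *PUBLIC authority is *CHANGE or *ALL."""
    if o["type"] == "*FILE" and o["public"] in ("*CHANGE", "*ALL"):
        return [("#3", f"{o['library']}/{o['name']}", f"*FILE at *PUBLIC {o['public']}")]
    return []


def audit(sysvals=SYSTEM_VALUES, profiles=PROFILES, objects=OBJECTS):
    """Combine all checks into one list of (vulnerability, subject, detail) tuples."""
    findings = audit_system_values(sysvals)
    for p in profiles:
        findings.extend(audit_profile(p))
    for o in objects:
        findings.extend(audit_object(o))
    return findings


if __name__ == "__main__":
    for vuln, subject, detail in audit():
        print(f"{vuln:<4} {subject:<18} {detail}")
```

On the constructed data the audit returns twelve findings; CLERK1 (LMTCPB(*YES), PWDEXPITV(*SYSVAL), no special authorities) produces none, which is the profile shape the remediation slides describe. On a real system the records would come from the corresponding IBM i commands, and the `needs_cmdline` judgement is the part that cannot be automated.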
Why no action is taken
10. Trust their users
9. Users won’t tolerate security restrictions
8. Budget restrictions
7. Lack of expertise
6. Fear
5. Denial
4. Nothing has ever happened so no worries
3. IBM i has never been hacked
2. Stuck in the 20th Century
1. Apathy
The business is expecting:
• Data integrity
• Availability of data
• Compliance with laws and regulations
• Data confidentiality
It’s quite likely that if the business realized how exposed their data was they’d demand better protection.
The Business of Security
• Business and IT together must determine
– What data to secure
– Which security measures to implement
– Where to implement them
• Decisions must be
– Cost effective
– Appropriate for what’s being protected
– Effective in reducing risk to an acceptable level
Where Do You Start
• Look at the types of data your organization uses
– What is the most critical
– Regulated data (healthcare, credit card information, etc.)
– Other private information (PII data)
• Start with the data that will cost the most if it is not accurate, not available, not compliant with laws or regulations, or lost or stolen
Reduce the risk to your organization’s data
Start somewhere!
For more information
• Contact us for more information on our services:
– Managed Security Services (MSS)
– SkyView Security Check-up
– Remediation Services
– Penetration (Pen) testing
www.helpsystems.com/professional-security-services