© 2014 IBM Corporation. All rights reserved.
IBM Smarter Solution Day 2014 – Croatia
Security on System z
Miloš Kaljević, IBM
Security on System z
• Who is affected by breaches in System z security
• The elements of an “advanced persistent threat”
• The four domains that are associated with a breach in security
• System z security software products and solutions
• Security conferences, links, documents
You know? You can do this online now.
IT security is a boardroom discussion
Concerns raised across the C-suite (CEO, CFO/COO, CIO, CHRO, CMO):
• Loss of market share and reputation
• Legal exposure
• Audit failure
• Fines and criminal charges
• Financial loss
• Loss of data confidentiality, integrity, and/or availability
• Violation of employee privacy
• Loss of customer trust
• Loss of brand reputation
Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series
IBM’s Fort Knox: System z
• A strong heritage of being an extremely secure platform for virtual environments and workloads
• Security is built into every level of the System z structure:
  – Processor
  – Hypervisor
  – Operating system
  – Communications
  – Storage
  – Applications
• Extensive security certifications (for example, Common Criteria and FIPS 140) including EAL5+
[Chart: Distribution of Data Breaches by Operating Systems. Source: Verizon 2011 Data Breach Investigations Report]
Mainframe security practices have not kept pace with the inherent internal and external connections of today’s IT environments
• 75% of attacks are considered opportunistic.
• 75% are financially motivated.
• 78% of initial intrusions are rated as low difficulty.
• Web applications are the most popular attack vector.
“As mainframes become a major component in service-oriented architectures, they are increasingly exposed to malware. Web services on the mainframe have had a significant impact on security.”
– Meenu Gupta, President of Mittal Technologies Inc.
Security policies outdated or not properly executed
Latest trends
• Most-common attack types:
  – 20% DDoS
  – 13% SQL Injection
  – 10% Malware
  – 5% Watering hole
  – 3% Physical access
• Roundup of 2013 security incidents:
  – The overall attack tactics and techniques have not changed significantly
  – The number of overall incidents has increased, the amount of traffic used in distributed-denial-of-service (DDoS) attacks has multiplied, and the number of leaked records is steadily rising
  – In 2013, attackers continued to use tried-and-true methods of extracting data
  – Oracle Java vulnerabilities continue to be a top point of entry for many of these malware attacks
Advanced Persistent Threats (APTs) are bypassing traditional defenses
Advanced
• Using exploits for unreported vulnerabilities, also known as a “zero day”
• Advanced, custom malware that is not detected by antivirus products
• Coordinated attacks using a variety of vectors
Persistent
• Attacks lasting for months or years
• Attackers are dedicated to the target; they will get in
• Resistant to remediation attempts
Threat
• Targeted at specific individuals and groups within an organization, aimed at compromising confidential information
• Not random attacks; they are actually “out to get you”
Phases of an APT
• Reconnaissance: Gather information about target system
• Probe and attack: Probe for weaknesses and deploy the tools
• Toehold: Exploit weakness and gain entry into the system
• Advancement: Advance from unprivileged to privileged
• Stealth: Hide tracks, install a backdoor
• Listening post: Establish a listening post
• Takeover: Expand control to other hosts on the network
Example of an Advanced Persistent Threat at a State Government, USA
[Diagram: Malicious e-mail (phishing) → Stolen user IDs and passwords → Databases / systems. 44 systems breached over two months: 74.7 GB of data, 3.8M SSNs, 3.3M bank account numbers. Controls shown alongside the stages: Endpoint Management, Database Activity Monitoring, Event Correlation, Realtime Event Monitoring]
• Employee “unwittingly executed malware, and became compromised” after opening a link in an e-mail.
• Attacker harvested the employee’s credentials.
• Leveraging the user’s access rights, the attacker logged in via a remote access service and was able to gain access to other Department of Revenue systems and databases.
• Attacker was able to install backdoor software, password dumping tools, and “multiple generic utilities to execute commands against databases.”
• 33 unique pieces of malicious software and utilities were used to perform the attack.
• Breach went undetected for almost 2 months, during which 44 systems were compromised.
• 74.7 GB of data was stolen from the State’s 44 systems, including mainframe data copied to SQL servers.
• 3.3 million unencrypted bank account numbers stolen.
• 3.8 million social security numbers for tax filers compromised.
• Cost the state $14 million.
• Department of Revenue Director forced to resign.
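The breach above went undetected for two months because nothing tied the remote-access logon with harvested credentials to the bulk database copies that followed it. As an added example (not from the original deck or from any IBM product), the Python below correlates constructed authentication and database-activity events and raises an offense when a remote logon is followed within a window by an oversized export; the event format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, user, event type, detail).
# The 'jdoe' sequence mirrors the breach above: a remote-access logon with
# harvested credentials followed by bulk exports from tax and bank-account tables.
EVENTS = [
    ("2012-08-13 02:14:00", "jdoe", "remote_login", {"src": "203.0.113.7"}),
    ("2012-08-13 02:20:00", "jdoe", "db_export", {"rows": 1_200_000, "table": "TAXPAYER"}),
    ("2012-08-13 02:45:00", "jdoe", "db_export", {"rows": 2_600_000, "table": "BANKACCT"}),
    ("2012-08-13 09:05:00", "asmith", "remote_login", {"src": "198.51.100.2"}),
    ("2012-08-13 09:10:00", "asmith", "db_export", {"rows": 300, "table": "TAXPAYER"}),
    ("2012-08-13 09:30:00", "bjones", "db_export", {"rows": 5_000_000, "table": "ARCHIVE"}),
]
ROW_THRESHOLD = 100_000          # assumed: exports above this many rows are "bulk"
WINDOW = timedelta(hours=1)      # assumed: logon-to-export correlation window

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def correlate(events, row_threshold=ROW_THRESHOLD, window=WINDOW):
    """Return one offense per user whose remote-access logon is followed, within
    `window`, by database exports totalling more than `row_threshold` rows.
    An export with no preceding remote logon (bjones, a local batch job here) is
    not correlated by this rule and is left to the database-activity policy."""
    last_login = {}                 # user -> (logon time, source address)
    exported = defaultdict(int)     # rows exported since that logon
    offenses = {}
    for ts, user, kind, detail in sorted(events, key=lambda e: parse(e[0])):
        t = parse(ts)
        if kind == "remote_login":
            last_login[user] = (t, detail["src"])
            exported[user] = 0      # a new session starts a fresh count
        elif kind == "db_export" and user in last_login:
            login_t, src = last_login[user]
            if t - login_t > window:
                continue            # too long after the logon to correlate
            exported[user] += detail["rows"]
            if exported[user] > row_threshold and user not in offenses:
                offenses[user] = {"user": user, "src": src, "first_flagged": ts,
                                  "rows": exported[user], "table": detail["table"]}
    return list(offenses.values())

if __name__ == "__main__":
    for o in correlate(EVENTS):
        print(f"OFFENSE {o['user']} from {o['src']} at {o['first_flagged']}: "
              f"{o['rows']} rows from {o['table']}")
```

With real-time monitoring the jdoe offense is raised six minutes after the logon, instead of being found two months later.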
Some publicly available tools that could be used in a Mainframe APT
Cyber Crime Kits
• £25 (about $38 USD) will buy a cybercrime kit with exploits of thousands of coding errors.
• Try looking for:
  – Blackhole V2.0
  – Phoenix
  – Price lists are available…
• If these can compromise your privileged users’ Windows systems, then they can get their passwords and then…
Shodan
• Can find mainframes on the web
• It will find your 3270 sessions presented on the internet
• Anyone with a 3270 emulator will be able to see the logon screens
Soldier of Fortran
• Shows script-kiddies how to copy a RACF database
• … and then crack it open using John the Ripper to do a dictionary attack.
• RACFSNOW*
  – Have you tried it?
  – Did it get your passwords?
A list of companies running mainframes, available on the Internet
Belgium: BNP Paribas Fortis (Brussels), NMBS-Holding
Brazil: BDF, Banco Bradesco, Banco do Brasil, Banco Itau, Riocard TI, SERPRO
Canada: Canadian Imperial Bank of Commerce, Co-operators Canada, Enbridge Gas Distribution, Royal Bank of Canada (RBC), Scotiabank, …
As a result, the security market is shifting
Source: Client Insights 27-Jun-11, An Evaluation of the Security & Risk Opportunity; Assessing a New Approach to Competitive Differentiation, Ari Sheinkin, IBM, Vice President, Client Insights

                        Traditional Focus              Emerging Focus
                        (Governance and Compliance)    (Risk Management)
Security strategy       React when breached            Continual management
Speed to react          Weeks/months                   Real time
Executive reporting     None                           Operational KPIs
Data tracking           Thousands of events            Millions of events
Network monitoring      Server                         All devices
Employee devices        Company-issued                 Bring your own
Desktop environment     Standard build                 Virtualization
Security enforcement    Policy                         Audit
Endpoint devices        Annual physical inventory      Automatically managed
Security technology     Point products                 Integrated
Security operations     Cost Center                    Value Driver
Solving a security issue is a complex, four-dimensional puzzle
• People: Employees, Hackers, Outsourcers, Suppliers, Consultants, Terrorists, Customers
• Data: Structured, Unstructured, At rest, In motion
• Applications: Systems applications, Web applications, Web 2.0, Mobile apps
• Infrastructure
Attempting to protect the perimeter is not enough – siloed point products and traditional defenses cannot adequately secure the enterprise
IBM Security zSecure™ suite overview
IBM Security zSecure Administration
• zSecure Admin:
  – Improves security at lower labor cost
  – Also saves cost by avoiding configuration errors, improving directory merges, and efficient group management
• zSecure Visual:
  – Permits changes in minutes vs. overnight
  – Provides access for only current employees and contractors (better business control)
  – Enables segregation of duties (minimizing business risk)
  – Aids in reducing labor cost and errors
IBM Security zSecure suite overview (cont’d)
IBM Security zSecure Compliance and Auditing
• zSecure Audit:
  – Reports can match business model/requirements
  – Prioritizes tasks (optimize labor utilization)
  – Helps find “segregation of duties” exposures (reduces risk)
• zSecure Alert:
  – Allows capture of unauthorized “back door” changes to RACF® / security policies
  – Addresses real-time audit control points, especially network audit control points
• zSecure Command Verifier:
  – Audits RACF admins’ changes
  – Offers security monitoring without additional CPU/cost
  – Audit in seconds versus days
IBM Guardium Provides Real-Time Database Security & Compliance
Key Characteristics
• Single integrated appliance
• Non-invasive/non-disruptive, cross-platform architecture
• Dynamically scalable
• SOD (segregation of duties) enforcement for DBA access
• Auto-discover sensitive resources and data
• Detect unauthorized & suspicious activity
• Granular, real-time policies
  – Who, what, when, how
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision
• Continuous, policy-based, real-time monitoring of all database activities, including actions by privileged users
• Database infrastructure scanning for missing patches, misconfigured privileges and other vulnerabilities
• Data protection compliance automation
Integration with LDAP, IAM, SIEM, TSM, Remedy, …
Also supported: Oracle, MySQL, Microsoft SQL Server, Sybase, Teradata, Microsoft SharePoint, PostgreSQL
DAST Automates Application Security Testing
DAST (Dynamic Analysis Security Testing) provides application security for multi-tiered, web-enabled applications involving the mainframe
Scan applications / source code → Analyze (identify issues) → Report (detailed and actionable)
• Target: a “running” web application, on the mainframe or elsewhere
• Method: tampering with HTTP messages
• Results presented as exploited HTTP messages
Easy to use, scales to thousands of users, provides organization-wide visibility and security controls
zSecure, Guardium, DAST, and QRadar® improve your security intelligence
[Diagram: QRadar takes in Security Devices, Servers & Mainframes, Network/Virtual Activity, Database Activity, Application Activity, Configuration Info, Vulnerability Information, User Activity and Threat Intelligence, and applies Event Correlation and Activity Baselining and Anomaly Detection to produce Offense Identification. Mainframe feeds: Guardium (DB2®, IMS®, VSAM), zSecure (z/OS®, RACF®, ACF2, TSS, CICS®), DAST (Web Apps, Mobile Apps, Web services, Desktop Apps). Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight]
• Centralized view of mainframe and distributed network security incidents, activities, and trends
• Better real-time threat identification and prioritization correlating vulnerabilities with Guardium and zSecure
• S-TAP feeds routed to QRadar via Guardium Central Policy Manager
• SMF data set feeds with zSecure Audit and Alert
• Increases accuracy of threat identification by correlating application vulnerabilities with other security alerts to assign incident priorities and surface meaningful activity from noise
• Creates automatic alerts for newly discovered vulnerabilities experiencing active “Attack Paths”
• Produces increased accuracy of risk levels and offense scores, as well as simplified compliance reporting
European zSecure User Group 2014
• Learn about new functions and features from the zSecure Development team
• Share user experiences and tips
• Maximise your use of zSecure to help improve Security on your Mainframe
• Network with System z Security professionals, Business Partners and IBMers
• Influence future product content with requirements
London on the 1st & 2nd July, or Frankfurt on the 3rd & 4th July
z Security Annual conference
• Security strategy
• Securing Mobile
• Cyber crime and z
• zSecure Update
• Cloud Security
• WebSphere Security
• Network Security
• z/VM security
• Linux security
September 24th – 27th, 2013, Montpellier, France
zSecure on Internet
• IBM Security zSecure Forum: zSecure subject matter experts from around the world monitor this forum for your questions every day. http://ibmforums.ibm.com/forums/forum.jspa?forumID=3020
• zSecure Product library: http://www-01.ibm.com/software/tivoli/products/zsecure/
• zSecure data sheets, solution sheets, and white papers: http://www-306.ibm.com/software/tivoli/products/zsecure/
• IBM Security zSecure Redbook: http://www.redbooks.ibm.com/abstracts/sg247633.html?Open
Docs & Books
• Redbooks & Redpapers: http://www.redbooks.ibm.com/
  – zSecure Redbook: http://www.redbooks.ibm.com/abstracts/sg247633.html?Open
  – Designing for Solution-Based Security on z/OS, SG24-7344
  – z/OS Version 1 Release 8 RACF Implementation, SG24-7248
  – IBM Tivoli Security and System z Redbook: http://www.redbooks.ibm.com/redpieces/abstracts/sg247633.html
• IBM Security zSecure 1.11 information center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.zsecure.doc/welcome.html
• Lab Service offerings: http://stgls01.rchland.ibm.com:81/toasted.nsf/services/AGSYS152
• Education: http://www-306.ibm.com/software/tivoli/education/edu_prd.html#z
• CARLa forum: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1255
zSecure Books
• zSecure Suite: CARLa-Driven Components Installation and Configuration Manual
• zSecure Suite: Admin and Audit for RACF User Reference Manual
• zSecure Suite: Alert User Reference Manual
• z/OS Security Healthcheck
Backup Slides
Most-common attack types in 2013
Top Related