SlideShare una empresa de Scribd logo

Closing Mainframe Integrity Gaps

R
Ray Overby
1 de 15
Descargar para leer sin conexión
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. Ray Overby Key Resources, Inc. Closing the Integrity Gap in Your Mainframe Ray.Overby@KRIsecurity.com www.KRIsecurity.com
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  Introduction: Is the Mainframe Secure?  Enterprise Quadrant Architecture  IBM’s z/OS System Integrity Statement  Mainframe Security Methods  Configuration-based Security  Code-based Security  The Mainframe Vulnerability Lifecycle  Mainframe Configuration Vulnerabilities  Mainframe Software Vulnerabilities  Summary  Questions AGENDA 2
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. Enterprise Quadrant Architecture 3 Network EndUser Operating System Layer Systems Programs Systems Memory Application Layer User Programs User Memory DASD Printers RESOURCES
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  The Mainframe is Only as Secure as the TIME and EFFORT You Spend on Maintaining the Integrity of the Environment  IBM’s z/OS Authorized Assembler Services Guide states that you are responsible for making sure that anything you install on each z/OS system you maintain meets the criteria of the Integrity Statement.  The Integrity of the Environment is Based on the INABILITY of any program, not authorized by a mechanism under your control to:  Disable or circumvent the store or fetch protection encoded in z/OS,  Access an operating system resource that is password protected or protected by a mainframe security product, also called an External Security Manager (ESM),  Obtain control in an authorized state such as APF-authorized, supervisor state, or with a protection key less than eight exploitable to illicitly and invisibly browse, corrupt, or steal data associated with an application Is the Mainframe Secure? 4
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  All installation-supplied authorized code (for example, an installation SVC) must perform the same or an equivalent type of validity checking and control that the system uses to maintain its integrity.  Modifications and additions (3rd Party Software) to the system do not introduce any integrity exposures.  The IBM z/OS Statement of Integrity only applies to IBM software. It does not apply to any ISV code or installation written code. You, the z/OS system owner, are responsible for continually verifying the integrity of any configuration based modifications and code you add to your mainframe. Is the Mainframe Secure? 5
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  Configuration-Based Security • Configuration-based Security is built around a Security Policy, the Procedures enacted to maintain the Security Policy, and a correctly configured ESM and Operating System.  An Installation has Responsibility for Securing the following:  IPL (boot) Parameters,  Subsystem Startup Parameters,  Adoption of security procedures (for example, the password protection of appropriate system data sets) that are a necessary complement to the integrity support within the operating system itself,  Setup and management of External Security Managers like IBM RACF®, CA ACF2™ or CA Top Secret®. What are the Security Methods Under My Control? 6
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  Code-Based Security • IBM’s Statement of Integrity is the basis for Operating System Integrity Testing™ (OSIT) • Code-based Security is built around a strong Vulnerability Management program as outlined in your Security Policy. • Vulnerability Management across all platforms is now a component of PCI, SOX, etc. • Vulnerability Management on the Mainframe is no different than on any other Platform or Technology  A Mainframe Based Vulnerability Program should include the operating system layer and the application layer  A Mainframe Based Vulnerability Program should encompass all aspects of the Vulnerability Lifecycle What are the Security Methods Under My Control? 7
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. The Mainframe Vulnerability Lifecycle 8 • REPORT THE RESULTS TO THE VENDOR • APPLY VENDOR SUPPLIED FIXES • SCAN AND ASSESS THE RESULTS • RESCAN TO VALIDATE THE VIABILITY OF THE FIX VERIFY DISCOVER REPORTREMEDIATE
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • Configuration-based vulnerabilities are caused by improper configuration settings. • Configuration-based vulnerabilities are remediated by changing configuration parameters. • How to Protect Yourself • Configure all security mechanisms based on your security policy, • Turn off all unused services, • Continually monitor roles, permissions, and accounts, • Disabling all default accounts and/or change their passwords, • Set up and monitor logs and alerts. Mainframe Configuration Vulnerabilities 9
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • KRI classifies z/OS integrity vulnerabilities as Severe Security Code Vulnerabilities™ (SSCV). • Severe Security Code Vulnerabilities™ (SSCV’s) are caused by poor design or coding errors in products that reside in the operating system layer on your mainframe. • SSCV’s have the following characteristics IN ALL CASES: • Exploitable • Violates the IBM Statement of Integrity • If exploited, can compromise all data on the system and the system itself • A single SSCV would allow someone with access to z/OS to bypass its controls without forensic evidence of a breach. They can: • Dynamically elevate External Security Manager (ESM) authorities • Dynamically elevate z/OS authorities • Alter operating systems processing: • To suppress forensic evidence • To collect information such as userids and passwords Mainframe Software Vulnerabilities 10
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • Common to all of the below is that the vulnerability can be triggered or exploited by a non-authorized user with no special privileges. • Exploitations of this code vulnerability leaves no forensic evidence or audit trails of what was accessed, copied, and/or modified. • Types of Vulnerabilities: • System Instability - System instability occurs when the authorized program is invoked other than as designed and the program does not protect itself against improper invocation. This improper invocation can cause z/OS service issues including crashing the system. • Denial of Service; crashing or slowing the system down. • Identity Spoofing - Identify Spoofing vulnerabilities allow the non-authorized user to create alternate security credentials. Mainframe Software Vulnerabilities 11
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • Types of Vulnerabilities: • Trap Door -Trap Door vulnerabilities provide the non-authorized user the ability to call a user provided routine in an authorized state. (Either system key (0-7) or supervisor state.) This enables the user to directly make any changes to the active environment, including: • Direct invocation of any authorized z/OS interface • Changing user’s state (authorized) • Making changes to the operating system • Making changes to system or application data • Impersonating other users • Disabling logging auditing (SMF) • Disrupt z/OS operation (crash or failure) • Least Privilege - Least Privilege vulnerabilities occur when a privilege or authority is assigned where a lessor privilege is appropriate. • Example: An SVC routine or system exit is improperly linked as AC(1). • As SVC routines and system exits are directly invoked by the system already authorized, they do not need to be link edited as AC(1); it has no effect on their normal use. However, the AC(1) attribute allows these routines to be improperly directly invoked via PGM= in JCL, where they were not designed to be invoked. Mainframe Software Vulnerabilities 12
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. In Summary 13 What’s Out There
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • External, independent code validation is essential for both software development “best practices” and controlling enterprise security risk associated with the deployment of third-party applications. • z/OS Clients believe that their External Security Managers (RACF, CA ACF2, and CA Top Secret) are adequately protecting mission-critical platforms, third-party applications and information. • SSCVs allow security (RACF, CA ACF2, and CA Top Secret) to be bypassed – data is compromised. • In general Code-based Vulnerabilities are remediated by: - Reporting the problem to the code owner and the code owner provides a PTF that is applied by the user, - Removing the software from the system – this is very rare. In Summary 14
© 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. IBM, RACF, and z/OS are registered trademarks of IBM in the US CA and ACF2 are trademarks of Computer Associates Technologies, Inc. Other names may be trademarks of their respective owners. TRADEMARKS

Recomendados

Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales PresentationKey Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentationrfragola
 
Grc 10 eam
Grc 10 eam Grc 10 eam
Grc 10 eam srinivas P
 
Autos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoTAutos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoTRogue Wave Software
 
Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
Andrey Bogdanov, Dmitry Khovratovich, and Christian RechbergerAndrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
Andrey Bogdanov, Dmitry Khovratovich, and Christian RechbergerInformation Security Awareness Group
 
Open security controller security orchestration for openstack
Open security controller security orchestration for openstackOpen security controller security orchestration for openstack
Open security controller security orchestration for openstackPriyanka Aash
 
Stormwatch micration
Stormwatch micrationStormwatch micration
Stormwatch micrationTorsten Böttger
 
Getting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessGetting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessHelpSystems
 
Symantec Endpoint Protection 12.1 RU6 MP6
Symantec Endpoint Protection 12.1 RU6 MP6Symantec Endpoint Protection 12.1 RU6 MP6
Symantec Endpoint Protection 12.1 RU6 MP6Sarah Isaacs
 

Recomendados

Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales PresentationKey Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentationrfragola
 
Grc 10 eam
Grc 10 eam Grc 10 eam
Grc 10 eam srinivas P
 
Autos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoTAutos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoTRogue Wave Software
 
Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
Andrey Bogdanov, Dmitry Khovratovich, and Christian RechbergerAndrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger
Andrey Bogdanov, Dmitry Khovratovich, and Christian RechbergerInformation Security Awareness Group
 
Open security controller security orchestration for openstack
Open security controller security orchestration for openstackOpen security controller security orchestration for openstack
Open security controller security orchestration for openstackPriyanka Aash
 
Stormwatch micration
Stormwatch micrationStormwatch micration
Stormwatch micrationTorsten Böttger
 
Getting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessGetting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessHelpSystems
 
Symantec Endpoint Protection 12.1 RU6 MP6
Symantec Endpoint Protection 12.1 RU6 MP6Symantec Endpoint Protection 12.1 RU6 MP6
Symantec Endpoint Protection 12.1 RU6 MP6Sarah Isaacs
 
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and ReportingSYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and ReportingDsunte Wilson
 
System Center Endpoint Protection 2012 R2
System Center Endpoint Protection 2012 R2System Center Endpoint Protection 2012 R2
System Center Endpoint Protection 2012 R2Norman Mayes
 
Bank World 2008 Kamens 04 29 08
Bank World 2008 Kamens 04 29 08Bank World 2008 Kamens 04 29 08
Bank World 2008 Kamens 04 29 08kamensm02
 
OSB240: What's New in Ivanti Application Control
OSB240: What's New in Ivanti Application ControlOSB240: What's New in Ivanti Application Control
OSB240: What's New in Ivanti Application ControlIvanti
 
Ce hv6 module 65 patch management
Ce hv6 module 65 patch managementCe hv6 module 65 patch management
Ce hv6 module 65 patch managementVi Tính Hoàng Nam
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsERPScan
 
Dronesafe™ Flyer - Simply connect, stream and comply
Dronesafe™ Flyer - Simply connect, stream and complyDronesafe™ Flyer - Simply connect, stream and comply
Dronesafe™ Flyer - Simply connect, stream and complyPaul New
 
Compliance and Event Monitoring with PowerSC Tools for IBM i
Compliance and Event Monitoring with PowerSC Tools for IBM iCompliance and Event Monitoring with PowerSC Tools for IBM i
Compliance and Event Monitoring with PowerSC Tools for IBM itaford
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxArrow ECS UK
 
Sap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatSap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatn|u - The Open Security Community
 
SCEP 2012 inside SCCM 2012
SCEP 2012 inside SCCM 2012SCEP 2012 inside SCCM 2012
SCEP 2012 inside SCCM 2012Microsoft TechNet - Belgium and Luxembourg
 
MR201408 SE for Android Overview
MR201408 SE for Android OverviewMR201408 SE for Android Overview
MR201408 SE for Android OverviewFFRI, Inc.
 
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection CenterSYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection CenterDsunte Wilson
 
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
SYMANTEC ENDPOINT PROTECTION Performing Server and Database ManagementSYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
SYMANTEC ENDPOINT PROTECTION Performing Server and Database ManagementDsunte Wilson
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalOracleIDM
 
Unisys_AppDefender_Symantec_CFD_0_1_final
Unisys_AppDefender_Symantec_CFD_0_1_finalUnisys_AppDefender_Symantec_CFD_0_1_final
Unisys_AppDefender_Symantec_CFD_0_1_finalKoko Fontana
 
Five ways to Securing and Hardening your Windows 10 system
Five ways to Securing and Hardening your Windows 10 systemFive ways to Securing and Hardening your Windows 10 system
Five ways to Securing and Hardening your Windows 10 systemFemi Baiyekusi
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
Sa No Scan Paper
Sa No Scan PaperSa No Scan Paper
Sa No Scan Papertafinley
 
Sahib
SahibSahib
SahibSahib Sethi
 
Elijah 3
Elijah 3Elijah 3
Elijah 3Elijah Ogharandukun
 

Más contenido relacionado

La actualidad más candente

SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and ReportingSYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and ReportingDsunte Wilson
 
System Center Endpoint Protection 2012 R2
System Center Endpoint Protection 2012 R2System Center Endpoint Protection 2012 R2
System Center Endpoint Protection 2012 R2Norman Mayes
 
Bank World 2008 Kamens 04 29 08
Bank World 2008 Kamens 04 29 08Bank World 2008 Kamens 04 29 08
Bank World 2008 Kamens 04 29 08kamensm02
 
OSB240: What's New in Ivanti Application Control
OSB240: What's New in Ivanti Application ControlOSB240: What's New in Ivanti Application Control
OSB240: What's New in Ivanti Application ControlIvanti
 
Ce hv6 module 65 patch management
Ce hv6 module 65 patch managementCe hv6 module 65 patch management
Ce hv6 module 65 patch managementVi Tính Hoàng Nam
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsERPScan
 
Dronesafe™ Flyer - Simply connect, stream and comply
Dronesafe™ Flyer - Simply connect, stream and complyDronesafe™ Flyer - Simply connect, stream and comply
Dronesafe™ Flyer - Simply connect, stream and complyPaul New
 
Compliance and Event Monitoring with PowerSC Tools for IBM i
Compliance and Event Monitoring with PowerSC Tools for IBM iCompliance and Event Monitoring with PowerSC Tools for IBM i
Compliance and Event Monitoring with PowerSC Tools for IBM itaford
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxArrow ECS UK
 
MR201408 SE for Android Overview
MR201408 SE for Android OverviewMR201408 SE for Android Overview
MR201408 SE for Android OverviewFFRI, Inc.
 
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection CenterSYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection CenterDsunte Wilson
 
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
SYMANTEC ENDPOINT PROTECTION Performing Server and Database ManagementSYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
SYMANTEC ENDPOINT PROTECTION Performing Server and Database ManagementDsunte Wilson
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalOracleIDM
 
Unisys_AppDefender_Symantec_CFD_0_1_final
Unisys_AppDefender_Symantec_CFD_0_1_finalUnisys_AppDefender_Symantec_CFD_0_1_final
Unisys_AppDefender_Symantec_CFD_0_1_finalKoko Fontana
 
Five ways to Securing and Hardening your Windows 10 system
Five ways to Securing and Hardening your Windows 10 systemFive ways to Securing and Hardening your Windows 10 system
Five ways to Securing and Hardening your Windows 10 systemFemi Baiyekusi
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
Sa No Scan Paper
Sa No Scan PaperSa No Scan Paper
Sa No Scan Papertafinley
 

La actualidad más candente (20)

SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and ReportingSYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
 
System Center Endpoint Protection 2012 R2
System Center Endpoint Protection 2012 R2System Center Endpoint Protection 2012 R2
System Center Endpoint Protection 2012 R2
 
Bank World 2008 Kamens 04 29 08
Bank World 2008 Kamens 04 29 08Bank World 2008 Kamens 04 29 08
Bank World 2008 Kamens 04 29 08
 
OSB240: What's New in Ivanti Application Control
OSB240: What's New in Ivanti Application ControlOSB240: What's New in Ivanti Application Control
OSB240: What's New in Ivanti Application Control
 
Ce hv6 module 65 patch management
Ce hv6 module 65 patch managementCe hv6 module 65 patch management
Ce hv6 module 65 patch management
 
Practical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applicationsPractical pentesting of ERPs and business applications
Practical pentesting of ERPs and business applications
 
Dronesafe™ Flyer - Simply connect, stream and comply
Dronesafe™ Flyer - Simply connect, stream and complyDronesafe™ Flyer - Simply connect, stream and comply
Dronesafe™ Flyer - Simply connect, stream and comply
 
Compliance and Event Monitoring with PowerSC Tools for IBM i
Compliance and Event Monitoring with PowerSC Tools for IBM iCompliance and Event Monitoring with PowerSC Tools for IBM i
Compliance and Event Monitoring with PowerSC Tools for IBM i
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptx
 
Sap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatSap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hat
 
SCEP 2012 inside SCCM 2012
SCEP 2012 inside SCCM 2012SCEP 2012 inside SCCM 2012
SCEP 2012 inside SCCM 2012
 
MR201408 SE for Android Overview
MR201408 SE for Android OverviewMR201408 SE for Android Overview
MR201408 SE for Android Overview
 
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection CenterSYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
 
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
SYMANTEC ENDPOINT PROTECTION Performing Server and Database ManagementSYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - final
 
Unisys_AppDefender_Symantec_CFD_0_1_final
Unisys_AppDefender_Symantec_CFD_0_1_finalUnisys_AppDefender_Symantec_CFD_0_1_final
Unisys_AppDefender_Symantec_CFD_0_1_final
 
Five ways to Securing and Hardening your Windows 10 system
Five ways to Securing and Hardening your Windows 10 systemFive ways to Securing and Hardening your Windows 10 system
Five ways to Securing and Hardening your Windows 10 system
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Sa No Scan Paper
Sa No Scan PaperSa No Scan Paper
Sa No Scan Paper
 

Destacado

Transforming NextGen Leaders: Executive Briefing on Leading in a VUCA World
Transforming NextGen Leaders: Executive Briefing on Leading in a VUCA World Transforming NextGen Leaders: Executive Briefing on Leading in a VUCA World
Transforming NextGen Leaders: Executive Briefing on Leading in a VUCA World Centre for Executive Education
 
Osteoporosis - Preventive Measures
Osteoporosis - Preventive MeasuresOsteoporosis - Preventive Measures
Osteoporosis - Preventive MeasuresSanjiv Haribhakti
 
南倉專案社代分區會議報告20170208 1
南倉專案社代分區會議報告20170208 1南倉專案社代分區會議報告20170208 1
南倉專案社代分區會議報告20170208 1Precian Chen
 
Specialist Degree Diploma and Transcript
Specialist Degree Diploma and TranscriptSpecialist Degree Diploma and Transcript
Specialist Degree Diploma and TranscriptHanna Skalevska
 
service marketing edit
service marketing editservice marketing edit
service marketing editRashed parves
 
Отзыв на иск мгтс
Отзыв на иск мгтсОтзыв на иск мгтс
Отзыв на иск мгтсSarkis Darbinyan
 
sodium and its medical importance for medical students
sodium and its medical importance for medical studentssodium and its medical importance for medical students
sodium and its medical importance for medical studentsMatavalam siva kumar reddy
 
Comunicacion tea
Comunicacion teaComunicacion tea
Comunicacion teaOliver Six
 

Destacado (16)

Sahib
SahibSahib
Sahib
 
Elijah 3
Elijah 3Elijah 3
Elijah 3
 
Transforming NextGen Leaders: Executive Briefing on Leading in a VUCA World
Transforming NextGen Leaders: Executive Briefing on Leading in a VUCA World Transforming NextGen Leaders: Executive Briefing on Leading in a VUCA World
Transforming NextGen Leaders: Executive Briefing on Leading in a VUCA World
 
Osteoporosis - Preventive Measures
Osteoporosis - Preventive MeasuresOsteoporosis - Preventive Measures
Osteoporosis - Preventive Measures
 
Rxjs ngvikings
Rxjs ngvikingsRxjs ngvikings
Rxjs ngvikings
 
Presentación universidad udi
Presentación universidad udiPresentación universidad udi
Presentación universidad udi
 
Integração da europa ue
Integração da europa ueIntegração da europa ue
Integração da europa ue
 
Silabus rpl bk 1 2
Silabus rpl bk 1 2Silabus rpl bk 1 2
Silabus rpl bk 1 2
 
南倉專案社代分區會議報告20170208 1
南倉專案社代分區會議報告20170208 1南倉專案社代分區會議報告20170208 1
南倉專案社代分區會議報告20170208 1
 
Specialist Degree Diploma and Transcript
Specialist Degree Diploma and TranscriptSpecialist Degree Diploma and Transcript
Specialist Degree Diploma and Transcript
 
service marketing edit
service marketing editservice marketing edit
service marketing edit
 
Fontes de Energia - Carvão Mineral
Fontes de Energia - Carvão MineralFontes de Energia - Carvão Mineral
Fontes de Energia - Carvão Mineral
 
Отзыв на иск мгтс
Отзыв на иск мгтсОтзыв на иск мгтс
Отзыв на иск мгтс
 
sodium and its medical importance for medical students
sodium and its medical importance for medical studentssodium and its medical importance for medical students
sodium and its medical importance for medical students
 
Comunicacion tea
Comunicacion teaComunicacion tea
Comunicacion tea
 
Comunicación
ComunicaciónComunicación
Comunicación
 

Similar a Closing Mainframe Integrity Gaps

Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server RoomTim Ellison
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonJavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonChris Bailey
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 
Securing your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security BaselinesSecuring your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security BaselinesFrank Lesniak
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaChris Bailey
 
Cutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control CostsCutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control CostsIBM Security
 
z/OS Encryption Readiness Technology (zERT)
z/OS Encryption Readiness Technology (zERT) z/OS Encryption Readiness Technology (zERT)
z/OS Encryption Readiness Technology (zERT) zOSCommserver
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareRogue Wave Software
 
HMI/SCADA 리스크 감소
HMI/SCADA 리스크 감소HMI/SCADA 리스크 감소
HMI/SCADA 리스크 감소GE코리아
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security Rogue Wave Software
 
Chapter 9 Client and application Security
Chapter 9 Client and application SecurityChapter 9 Client and application Security
Chapter 9 Client and application SecurityDr. Ahmed Al Zaidy
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Systemz Security Overview (for non-Mainframe folks)
Systemz Security Overview (for non-Mainframe folks)Systemz Security Overview (for non-Mainframe folks)
Systemz Security Overview (for non-Mainframe folks)Mike Smith
 
operating system Security presentation vol 3
operating system Security presentation vol 3operating system Security presentation vol 3
operating system Security presentation vol 3qacaybagirovv
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server zOSCommserver
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 

Similar a Closing Mainframe Integrity Gaps (20)

Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server Room
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonJavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim Ellison
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
 
Securing your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security BaselinesSecuring your Windows Network with the Microsoft Security Baselines
Securing your Windows Network with the Microsoft Security Baselines
 
StarForce ProActive for Business
StarForce ProActive for BusinessStarForce ProActive for Business
StarForce ProActive for Business
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for Java
 
Cutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control CostsCutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control Costs
 
z/OS Encryption Readiness Technology (zERT)
z/OS Encryption Readiness Technology (zERT) z/OS Encryption Readiness Technology (zERT)
z/OS Encryption Readiness Technology (zERT)
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
 
HMI/SCADA 리스크 감소
HMI/SCADA 리스크 감소HMI/SCADA 리스크 감소
HMI/SCADA 리스크 감소
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Chapter 9 Client and application Security
Chapter 9 Client and application SecurityChapter 9 Client and application Security
Chapter 9 Client and application Security
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Systemz Security Overview (for non-Mainframe folks)
Systemz Security Overview (for non-Mainframe folks)Systemz Security Overview (for non-Mainframe folks)
Systemz Security Overview (for non-Mainframe folks)
 
operating system Security presentation vol 3
operating system Security presentation vol 3operating system Security presentation vol 3
operating system Security presentation vol 3
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 

Closing Mainframe Integrity Gaps

  • 1. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. Ray Overby Key Resources, Inc. Closing the Integrity Gap in Your Mainframe Ray.Overby@KRIsecurity.com www.KRIsecurity.com
  • 2. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  Introduction: Is the Mainframe Secure?  Enterprise Quadrant Architecture  IBM’s z/OS System Integrity Statement  Mainframe Security Methods  Configuration-based Security  Code-based Security  The Mainframe Vulnerability Lifecycle  Mainframe Configuration Vulnerabilities  Mainframe Software Vulnerabilities  Summary  Questions AGENDA 2
  • 3. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. Enterprise Quadrant Architecture 3 Network EndUser Operating System Layer Systems Programs Systems Memory Application Layer User Programs User Memory DASD Printers RESOURCES
  • 4. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  The Mainframe is Only as Secure as the TIME and EFFORT You Spend on Maintaining the Integrity of the Environment  IBM’s z/OS Authorized Assembler Services Guide states that you are responsible for making sure that anything you install on each z/OS system you maintain meets the criteria of the Integrity Statement.  The Integrity of the Environment is Based on the INABILITY of any program, not authorized by a mechanism under your control to:  Disable or circumvent the store or fetch protection encoded in z/OS,  Access an operating system resource that is password protected or protected by a mainframe security product, also called an External Security Manager (ESM),  Obtain control in an authorized state such as APF-authorized, supervisor state, or with a protection key less than eight exploitable to illicitly and invisibly browse, corrupt, or steal data associated with an application Is the Mainframe Secure? 4
  • 5. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  All installation-supplied authorized code (for example, an installation SVC) must perform the same or an equivalent type of validity checking and control that the system uses to maintain its integrity.  Modifications and additions (3rd Party Software) to the system do not introduce any integrity exposures.  The IBM z/OS Statement of Integrity only applies to IBM software. It does not apply to any ISV code or installation written code. You, the z/OS system owner, are responsible for continually verifying the integrity of any configuration based modifications and code you add to your mainframe. Is the Mainframe Secure? 5
  • 6. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  Configuration-Based Security • Configuration-based Security is built around a Security Policy, the Procedures enacted to maintain the Security Policy, and a correctly configured ESM and Operating System.  An Installation has Responsibility for Securing the following:  IPL (boot) Parameters,  Subsystem Startup Parameters,  Adoption of security procedures (for example, the password protection of appropriate system data sets) that are a necessary complement to the integrity support within the operating system itself,  Setup and management of External Security Managers like IBM RACF®, CA ACF2™ or CA Top Secret®. What are the Security Methods Under My Control? 6
  • 7. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc.  Code-Based Security • IBM’s Statement of Integrity is the basis for Operating System Integrity Testing™ (OSIT) • Code-based Security is built around a strong Vulnerability Management program as outlined in your Security Policy. • Vulnerability Management across all platforms is now a component of PCI, SOX, etc. • Vulnerability Management on the Mainframe is no different than on any other Platform or Technology  A Mainframe Based Vulnerability Program should include the operating system layer and the application layer  A Mainframe Based Vulnerability Program should encompass all aspects of the Vulnerability Lifecycle What are the Security Methods Under My Control? 7
  • 8. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. The Mainframe Vulnerability Lifecycle 8 • REPORT THE RESULTS TO THE VENDOR • APPLY VENDOR SUPPLIED FIXES • SCAN AND ASSESS THE RESULTS • RESCAN TO VALIDATE THE VIABILITY OF THE FIX VERIFY DISCOVER REPORTREMEDIATE
  • 9. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • Configuration-based vulnerabilities are caused by improper configuration settings. • Configuration-based vulnerabilities are remediated by changing configuration parameters. • How to Protect Yourself • Configure all security mechanisms based on your security policy, • Turn off all unused services, • Continually monitor roles, permissions, and accounts, • Disabling all default accounts and/or change their passwords, • Set up and monitor logs and alerts. Mainframe Configuration Vulnerabilities 9
  • 10. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • KRI classifies z/OS integrity vulnerabilities as Severe Security Code Vulnerabilities™ (SSCV). • Severe Security Code Vulnerabilities™ (SSCV’s) are caused by poor design or coding errors in products that reside in the operating system layer on your mainframe. • SSCV’s have the following characteristics IN ALL CASES: • Exploitable • Violates the IBM Statement of Integrity • If exploited, can compromise all data on the system and the system itself • A single SSCV would allow someone with access to z/OS to bypass its controls without forensic evidence of a breach. They can: • Dynamically elevate External Security Manager (ESM) authorities • Dynamically elevate z/OS authorities • Alter operating systems processing: • To suppress forensic evidence • To collect information such as userids and passwords Mainframe Software Vulnerabilities 10
  • 11. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • Common to all of the below is that the vulnerability can be triggered or exploited by a non-authorized user with no special privileges. • Exploitations of this code vulnerability leaves no forensic evidence or audit trails of what was accessed, copied, and/or modified. • Types of Vulnerabilities: • System Instability - System instability occurs when the authorized program is invoked other than as designed and the program does not protect itself against improper invocation. This improper invocation can cause z/OS service issues including crashing the system. • Denial of Service; crashing or slowing the system down. • Identity Spoofing - Identify Spoofing vulnerabilities allow the non-authorized user to create alternate security credentials. Mainframe Software Vulnerabilities 11
  • 12. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • Types of Vulnerabilities: • Trap Door -Trap Door vulnerabilities provide the non-authorized user the ability to call a user provided routine in an authorized state. (Either system key (0-7) or supervisor state.) This enables the user to directly make any changes to the active environment, including: • Direct invocation of any authorized z/OS interface • Changing user’s state (authorized) • Making changes to the operating system • Making changes to system or application data • Impersonating other users • Disabling logging auditing (SMF) • Disrupt z/OS operation (crash or failure) • Least Privilege - Least Privilege vulnerabilities occur when a privilege or authority is assigned where a lessor privilege is appropriate. • Example: An SVC routine or system exit is improperly linked as AC(1). • As SVC routines and system exits are directly invoked by the system already authorized, they do not need to be link edited as AC(1); it has no effect on their normal use. However, the AC(1) attribute allows these routines to be improperly directly invoked via PGM= in JCL, where they were not designed to be invoked. Mainframe Software Vulnerabilities 12
  • 13. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. In Summary 13 What’s Out There
  • 14. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. • External, independent code validation is essential for both software development “best practices” and controlling enterprise security risk associated with the deployment of third-party applications. • z/OS Clients believe that their External Security Managers (RACF, CA ACF2, and CA Top Secret) are adequately protecting mission-critical platforms, third-party applications and information. • SSCVs allow security (RACF, CA ACF2, and CA Top Secret) to be bypassed – data is compromised. • In general Code-based Vulnerabilities are remediated by: - Reporting the problem to the code owner and the code owner provides a PTF that is applied by the user, - Removing the software from the system – this is very rare. In Summary 14
  • 15. © 2010-2016 Key Resources, Inc. All rights reserved. z/Assure is a registered trademark of Key Resources, Inc. IBM, RACF, and z/OS are registered trademarks of IBM in the US CA and ACF2 are trademarks of Computer Associates Technologies, Inc. Other names may be trademarks of their respective owners. TRADEMARKS