1
MultiValue Security
Nik Kesic, Principal Technical Support Engineer
Steve O’Neal, Principal Sales Engineer
2
Credits and Acknowledgements
Presenters
• Nik Kesic, Principal Technical Support Engineer
• Steve O’Neal, Principal Sales Engineer
Developers & Reviewers
• Jing Cui, Principal Software Engineer
• John Jenkins, Senior Technical Support Engineer
• Nik Kesic, Principal Technical Support Engineer
• Joan Dunn, Senior Education Consultant
©2015 Rocket Software, Inc. All Rights Reserved.
3
MV Security
▪ The Cloud offers great opportunity for disruption in the business world by
offering ways to create, test, and deploy applications with greater reach
and more simplicity than ever before. Come learn about the Cloud and
how Rocket MV is helping you get SaaS-y with capabilities such as
Account Based Licensing, RESTful APIs, and micro-services.
4
MV Gets SaaS-y
▪ News articles that spotlight data breaches and security flaws are growing at an alarming rate.
Not only are the demands for security increasing, but the requirement to comply with industry
standards such as PCI-DSS and HIPAA/HITECH is a reality in order to continue doing business.
▪ In this session, the presenter will take you through a journey outlining major news stories on data
breaches and the dark tricks, such as social engineering and card data harvesting, that are
commonly used by criminals to cause damage. We will talk about the many SSL security flaws
including Heartbleed, POODLE, and FREAK. You will also hear about one Operating System
provider’s direction that has forced major security policy changes, as well as information on audit
requirements in order to meet the future security challenges and continue doing business. The
session will also highlight how the Rocket MV product family can help you to fortify your data and
meet compliance requirements.
5
MV Security Model
[Diagram labels: ADE, SSL, AUDIT, HADR, SSO, PKI, HIPAA, PCI]
6
Agenda
Security breaches
IT infrastructure vulnerabilities
Trends and industry standards
APT - Advanced Persistent Threat
Top 10 threats 2015
MV security offering
Resources
7
Security Breaches of 2014
▪ P.F. Changs - ceased electronic processing of cards and reverted to
using so-called “knuckle busters,” mechanical card presses.
▪ Sally Beauty Supply - Hacked by the same gang that hacked
Target
▪ ACME Markets - Discovered malicious software installed on
networks
▪ Michaels Stores - About 3 million customer debit and credit cards
were acknowledged stolen
▪ Goodwill Industries - Credit card information at approximately 330
stores had been compromised
8
Security Breaches of 2014
▪ Jimmy John’s - An intruder stole log-in credentials from Jimmy John’s point-of-sale vendor
▪ Neiman Marcus - Malicious software (malware) was clandestinely installed
on the system
▪ The Home Depot - 56 million card records were hacked
▪ Target Corporation - Around 70 million holiday shoppers had their card data
compromised
▪ JPMorgan Chase - the New York Times reported that 76 million households
and 7 million small businesses were involved
http://www.cutimes.com/2014/10/06/10-biggest-data-breaches-of-2014-so-far
9
Security Breaches of 2015
▪ Hacking Team - Exploits put hundreds of millions of Flash
users at risk
▪ Ashley Madison - Ensnares 37 million cheaters
▪ Anthem - Breach affected about one-in-three Americans
▪ IRS - Data breach led to hackers taking tax returns
▪ OPM - More than 22 million government workers now
vulnerable to blackmail
http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/
10
Security Breaches of 2015
▪ Kaspersky - Attacked, but reputation dinged
▪ LastPass - Saw potentially millions of passwords accessed
▪ CVS, Walgreens - Hit by credit card breach
▪ Carphone Warehouse - Tops UK breach list
▪ UCLA Health - Failed to encrypt 4.5 million records
11
Security Breaches
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
12
IT Infrastructure Vulnerabilities
Heartbleed
• Discovered April 2014
• Exposed the TLS Heartbeat extension vulnerability
• Data could be read, such as:
  ➢ Private keys
  ➢ Users' session cookies
  ➢ Passwords
• This issue did not affect versions of OpenSSL prior to 1.0.1
• Rocket Software U2 products must be at OpenSSL 1.0.1m
13
IT Infrastructure Vulnerabilities
ShellShock
• Disclosed on September 24, 2014
• Exposed bash shell vulnerability
• OS vendors released fixes
• Rocket Software MV did not produce a variant of bash for its
products
14
IT Infrastructure Vulnerabilities
Poodle
• Disclosed April 2014
• Causes client connections to fall back to SSL 3.0
• Termed man-in-the-middle exploit
• Rocket Software U2 products must be at OpenSSL 1.0.1m
15
IT Infrastructure Vulnerabilities - Freak
Freak
• Disclosed on March 3, 2015
• Exposed weak ciphers
• Attackers could intercept data streams
• Rocket Software U2 products must be at OpenSSL 1.0.1m
16
IT Infrastructure Vulnerabilities – LogJam
LogJam
• Disclosed on May 20, 2015
• Exposed weak ciphers
  ➢ Allows man-in-the-middle attacker to force the client and server to
  use a weak cipher
• Rocket Software U2 products must be at OpenSSL 1.0.1m
17
Trends and Industry Standards – Microsoft
Microsoft policy change
Microsoft Root Certificate Program
• SHA1 not allowed after January 1, 2016
➢ Disabled security protocols
• SSL 3.0 will be disabled
• TLSv1.0 questionable
18
Trends and Industry Standards - Java
Oracle Java policy change
Starting with the January 20, 2015 Critical Patch
Update releases
• Java Runtime Environment has SSLv3 disabled by
default
• JDK 8u31
• JDK 7u75
• JDK 6u91
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
19
Trends and Industry Standards - PCI
“… SSL and early TLS are not considered strong
cryptography and cannot be used as a security control
after June 30, 2016. Prior to this date, existing
implementations that use SSL and/or early TLS must
have a formal Risk Mitigation and Migration Plan in
place. Effective immediately.”
20
Trends and Industry Standards - HIPAA
Follows NIST 800-52
• SSL v3 must not be used
• TLS v1.0 ok for interoperability with non-government
• TLS v1.1 & (TLS v1.2 recommended)
• Only recommended ciphers to be used
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
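The OpenSSL level required on the vulnerability slides and the protocol rules on the Microsoft, Java, PCI and NIST slides can be checked mechanically. The Python below is an added example, not Rocket Software code: the function names, the accepted protocol spellings and the sample endpoints are constructed for illustration, 1.0.1m is treated as a minimum level, and PCI's "early TLS" is read as TLS 1.0.

```python
import re
from datetime import date
from typing import Iterable, List, NamedTuple, Optional

BASELINE = "1.0.1m"             # OpenSSL level the slides require for U2 products
PCI_CUTOFF = date(2016, 6, 30)  # cut-off date quoted on the PCI slide


class Finding(NamedTuple):
    severity: str  # "FAIL" or "WARN"
    item: str
    reason: str


_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Spellings seen in scanner output and config files, mapped to one name each
# (assumed list, extend as needed).
_PROTOCOL_NAMES = {
    "sslv3": "SSLv3", "ssl3": "SSLv3", "ssl3.0": "SSLv3", "sslv3.0": "SSLv3",
    "tlsv1": "TLSv1.0", "tlsv1.0": "TLSv1.0", "tls1.0": "TLSv1.0",
    "tlsv1.1": "TLSv1.1", "tls1.1": "TLSv1.1",
    "tlsv1.2": "TLSv1.2", "tls1.2": "TLSv1.2",
}


def version_key(text: str):
    """Sortable key for '1.0.1m' or a banner like 'OpenSSL 1.0.1f 6 Jan 2014'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = match.groups()
    # Pre-3.0 OpenSSL patch letters run a..z and then za, zb, ...; comparing
    # (length, letters) keeps 'za' after 'z' and a bare '1.0.1' before '1.0.1a'.
    return (int(major), int(minor), int(fix), len(letters), letters)


def normalise(protocol: str) -> str:
    """Map a protocol spelling to its canonical name, or return it unchanged."""
    key = protocol.lower().replace(" ", "").replace("_", "")
    return _PROTOCOL_NAMES.get(key, protocol.strip())


def audit(banner: str, protocols: Iterable[str], pci_scope: bool = False,
          as_of: Optional[date] = None) -> List[Finding]:
    """Check one endpoint against the baseline and protocol rules on the slides."""
    as_of = as_of or date.today()
    findings: List[Finding] = []
    if version_key(banner) < version_key(BASELINE):
        findings.append(Finding("FAIL", "OpenSSL",
                                f"{banner!r} is older than {BASELINE}"))
    enabled = {normalise(p) for p in protocols}
    if "SSLv3" in enabled:
        findings.append(Finding("FAIL", "SSLv3",
                                "must not be used (NIST 800-52 slide)"))
    if "TLSv1.0" in enabled:
        if pci_scope and as_of > PCI_CUTOFF:
            findings.append(Finding("FAIL", "TLSv1.0",
                                    "early TLS is not a PCI control after June 30, 2016"))
        else:
            findings.append(Finding("WARN", "TLSv1.0",
                                    "interoperability only; PCI scope needs a migration plan"))
    if "TLSv1.2" not in enabled:
        findings.append(Finding("WARN", "TLSv1.2",
                                "recommended version is not enabled"))
    for name in sorted(enabled - set(_PROTOCOL_NAMES.values())):
        findings.append(Finding("WARN", name,
                                "not covered by the slides; review manually"))
    return findings


if __name__ == "__main__":
    # Constructed sample endpoints, not taken from any real system.
    samples = {
        "legacy": ("OpenSSL 1.0.1f 6 Jan 2014", ["SSLv3", "TLSv1", "TLSv1.2"]),
        "hardened": ("OpenSSL 1.0.1m 19 Mar 2015", ["TLS v1.1", "TLSv1.2"]),
    }
    for name, (banner, protocols) in samples.items():
        results = audit(banner, protocols, pci_scope=True, as_of=date(2016, 7, 1))
        print(name, "OK" if not results else "")
        for finding in results:
            print(f"  {finding.severity:4} {finding.item:8} {finding.reason}")
```
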
21
Top Threats for 2015
5. Third-party attacks
4. Mobile malware
3. Social media attacks
2. Sophisticated DDoS attacks
1. IoT: The Insecurity of Things
22
APT (Advanced Persistent Threat)
“Hackers Don't Need Sophisticated Attacks If You
Leave Your Door Unlocked”
23
APT (Advanced Persistent Threat)
Set of stealthy and continuous computer
hacking processes
Usually targets organizations and/or nations for
business or political motives
Processes require a high degree of stealth over a
long period of time
Example of APT - Stuxnet computer worm
24
APT (Advanced Persistent Threat)
APT Life Cycle
Targets specific organizations for a singular objective
Attempt to gain a foothold in the environment (common
tactics include spear phishing emails)
Use the compromised systems as access into the target
network
Deploy additional tools that help fulfill the attack objective
Cover tracks to maintain access for future initiatives
25
MV Security Offering
[Diagram labels: ADE, SSL, AUDIT]
26
MV Software Solution – The Key Paradigm
Confidentiality, integrity and availability
Confidentiality
• Limiting information access and disclosure to authorized
users
Integrity
• The trustworthiness of information resources
Availability
• The availability of information resources
27
MV Software Solution – The Key Paradigm
Data in transit
• Information we send and receive
Data in use
• Data we are using as we use it
Data at rest
• In our hardware systems
• On backup / archive
28
U2 Offering
29
Automatic Data Encryption
▪ Tightly integrated into the UniData and UniVerse engines
▪ Support in UniData and UniVerse components including
clients, backup utilities, transaction logging, and replication
▪ Robust key and password management
▪ Flexible encryption modes
▪ Easy to manage by Graphical User Interface (GUI) tools
and utilities
30
Automatic Data Encryption
[Architecture diagram. Labels: Users through U2 clients; U2 Applications; U2 BASIC Engine; Query Processing; Data Access; U2 Engine; Encryption Engine; Key Manager; Key Cache; Unencrypted Data; Encrypted Data; Master Key; Key Store; Encryption Meta Data; Audit Trail; Wallet; DB / Sys Admin; XAdmin; encman; confcmd; uvregen]
31
SSL
Secure Sockets Layer (SSL) / Transport Layer
Security (TLS)
• OpenSSL (the basis of U2 SSL/TLS and encryption)
  ➢ Software libraries that are an open-source implementation of the SSL
  and TLS protocols and provide cryptographic functions to software
  systems
  ➢ SSL/TLS allows us to send and receive encrypted information
  ➢ With the correct, and validated, certificate, parties can be certain
  that they are talking to the intended party, and
  ➢ Data has not been maliciously changed during transmission
32
Encryption in BASIC Programs
Data Encryption can encrypt data in the U2 data
servers, and this encryption extends to all copies of
the data
➢ Light-weight (application-level) encryption:
UniBasic or UniVerse BASIC ENCRYPT()
• Very simple to implement
• Relies upon ongoing application development
• Key distribution needs management – Signature / Digest
33
Securing Data in Use, Transit, and at Rest
[Diagram: a client application (can be any technology on the client: scripts, BASIC, C#, Java), a Telnet client, U2 WebDE, U2 Web Services, a U2 RESTful Service and a U2 JPA Server, shown across the intranet, extranet and Internet around the U2 Server, with connections labelled SSL (one labelled "SSL or SSH"). Other labels: Encrypt() with KEY and IV applied to ADD, DOB, SSN; Encrypt; Encode; Decrypt subroutine; Data at rest; 4 World Process.]
CUSTOMER record as shown in the diagram:
Field     Stored as    Clear-text sample
@ID       ASCII        104357
FNAME     ASCII        Neddy
LNAME     ASCII        Seagoon
ADDRESS   Encrypted    4700 S Syracuse St
CITY      ASCII        Denver
STATE     ASCII        CO
ZIP       ASCII        80237
PHONE     ASCII        800-426-4357
DOB       Encrypted    12/31/1967
SSN       Encrypted    123-45-6789
The encrypted copy of the same record shows unreadable values for ADDRESS, DOB and SSN only.
34
Audit Logging – UniVerse Only
UniVerse Audit Logging is designed to be:
• Comprehensive – Covers all types of resources and operations
• Flexible – Can be configured according to event types and
through various policies, as well as before or after starting the
system
• Secure – The configuration file is encrypted and can be
protected by a password, if desired. The Audit Log file is
protected from illegal use and you can also encrypt its content
35
Audit Logging
UniVerse Audit Logging implementation provides the
following features:
▪ Classifies events and resources, and audits them based on the classification
▪ Enables you to configure the location and number of audit files before
UniVerse starts
▪ Allows you to customize U2 database auditing without having to stop and
restart UniVerse
▪ Writes audit records to a UniVerse hashed file or group of files
▪ Protects the audit file against unauthorized access and modification
36
D3 Offering
37
Automatic Data Encryption
File-level encryption
• Provides at rest encryption of a file using AES-128
String-level encryption
• Encrypts arbitrary strings using built-in BASIC functions
38
SSL
MVSP APIs
• Allows access to the database through a variety of languages
• SSL may be enabled when establishing the connection
BASIC
• Allows SSL sockets using built-in BASIC functions
39
Audit Logging
Uses triggers to run a program when an event occurs
All platforms (AIX, Linux, Windows)
• callr (trigger on item read)
• callx (trigger on item update)
• callo (trigger on file open)
• yupt (simple, built-in, program-less trigger on item update)
40
Audit Logging
➢ Windows specific
• calle (trigger on clear-file)
• callc (trigger on file close)
• calld (trigger on delete-file)
41
SSH
➢ AIX and Linux
• SSH is in OS
➢ Windows
• Any commercial SSH server may be used (e.g. Cygwin)
42
Authentication
➢ D3
• Host
• Traditional
43
Permissions
Read access (Retrieval lock)
Write access (Update lock)
Used to limit access to users with matching keys
44
Resources
45
Call for Action - Upgrade
UniVerse and UniData using OpenSSL 1.0.1m
• UniVerse 11.2.4
• UniVerse 11.2.5 Strongly Preferred
• UniData 7.3.7
• UniData 8.1.0 Strongly Preferred
46
Call for Action - Upgrade
• wIntegrate 6.3.7
• SBClient 6.3.3
• ODBC 32/64 bit build UCC-3156
• U2 Client Toolkit
  ➢ U2 data client
  ➢ UODOTNET
• U2 DB TOOLS 4.x
47
SSH
➢ AIX and Linux
• SSH is in OS
➢ Windows
• Any commercial SSH server may be used (Pragma Fortress)
48
The Real Enemy Is TIME
49
Summary
▪ Information security is vital to all business
▪ Security starts from the top and everyone must pitch in
▪ Education and training are key to success
▪ Choose solutions in line with your business goals
▪ Know the threats
▪ Use proper countermeasures
▪ Implement defense-in-depth and defense-in-layers
▪ Familiarize yourself with MV security features
▪ MV Premier Services and MV Professional Services have
experience of implementing secure solutions
50
Other MVU Security Sessions
D3 Security Deep Dive
Managing the SSL Process
UniVerse Audit Logging
Create a Data Encryption Strategy Using ADE
51
Additional Resources
➢ Find further information
• U2 Documentation set http://www.rocketsoftware.com/resource/u2-technical-documentation
➢ Links
• https://www.rocketsoftware.com
• https://technet.microsoft.com/
• https://www.oracle.com
• https://openssl.org
• https://www.hhs.gov
• http://www.rocketsoftware.com/training-and-professional-services/rocket-u2
➢ Contacts
• u2askus@rocketsoftware.com
• u2support@rocketsoftware.com
52
Disclaimer
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED
IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
IN ADDITION, THIS INFORMATION IS BASED ON ROCKET SOFTWARE’S CURRENT PRODUCT PLANS AND STRATEGY,
WHICH ARE SUBJECT TO CHANGE BY ROCKET SOFTWARE WITHOUT NOTICE.
ROCKET SOFTWARE SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR
OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.
NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
• CREATING ANY WARRANTY OR REPRESENTATION FROM ROCKET SOFTWARE (OR ITS AFFILIATES OR ITS OR
THEIR SUPPLIERS AND/OR LICENSORS); OR
• ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF
ROCKET SOFTWARE.
53
Trademarks and Acknowledgements
The trademarks and service marks identified in the following list are the exclusive properties of Rocket Software,
Inc. and its subsidiaries (collectively, “Rocket Software”). These marks are registered with the U.S. Patent and
Trademark Office, and may be registered or pending registration in other countries. Not all trademarks owned by
Rocket Software are listed. The absence of a mark from this page neither constitutes a waiver of any intellectual
property rights that Rocket Software has established in its marks nor means that Rocket Software is not owner of
any such marks.
Aldon, CorVu, Dynamic Connect, D3, FlashConnect, Pick, mvBase, MvEnterprise, NetCure,
Rocket, SystemBuilder, U2, U2 Web Development Environment, UniData, UniVerse, and
wIntegrate
Other company, product, and service names mentioned herein may be trademarks or service marks of
others.
54

Scalar Security Roadshow - Ottawa Presentation
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 

MultiValue Security

  • 1. MultiValue Security
      Nik Kesic, Principal Technical Support Engineer
      Steve O’Neal, Principal Sales Engineer
  • 2. Credits and Acknowledgements
      Presenters
      • Nik Kesic, Principal Technical Support Engineer
      • Steve O’Neal, Principal Sales Engineer
      Developers & Reviewers
      • Jing Cui, Principal Software Engineer
      • John Jenkins, Senior Technical Support Engineer
      • Nik Kesic, Principal Technical Support Engineer
      • Joan Dunn, Senior Education Consultant
      ©2015 Rocket Software, Inc. All Rights Reserved.
  • 3. MV Security
      • The Cloud offers great opportunity for disruption in the business world by offering ways to create, test, and deploy applications with greater reach and more simplicity than ever before. Come learn about the Cloud and how Rocket MV is helping you get SaaS-y with capabilities such as Account Based Licensing, RESTful APIs, and micro-services.
  • 4. MV Gets SaaS-y
      • News articles that spotlight data breaches and security flaws are growing at an alarming rate. Not only are the demands for security increasing, but the requirement to comply with industry standards such as PCI-DSS and HIPAA/HITECH is a reality in order to continue doing business.
      • In this session, the presenter will take you through a journey outlining major news stories on data breaches and the dark tricks, such as social engineering and card data harvesting, that are commonly used by criminals to cause damages. We will talk about the many SSL security flaws including Heartbleed, POODLE, and FREAK. You will also hear about one Operating System provider’s direction that has forced major security policy changes, as well as information on audit requirements in order to meet the future security challenges to continue providing business. The session also will highlight how the Rocket MV product family can help you to fortify your data and meet compliance requirements.
  • 5. MV Security Model
      [Diagram labels: ADE, SSL, AUDIT, HADR, SSO, PKI, HIPAA, PCI]
  • 6. Agenda
      • Security breaches
      • IT infrastructure vulnerabilities
      • Trends and industry standards
      • APT - Advanced Persistent Threat
      • Top 10 threats 2015
      • MV security offering
      • Resources
  • 7. Security Breaches of 2014
      • P.F. Changs - ceased electronic processing of cards and reverted to using so-called “knuckle busters,” mechanical card presses.
      • Sally Beauty Supply - Hacked by the same gang that hacked Target
      • ACME Markets - Discovered malicious software installed on networks
      • Michaels Stores - About 3 million customer debit and credit cards were acknowledged stolen
      • Goodwill Industries - Credit card information at approximately 330 stores had been compromised
  • 8. Security Breaches of 2014
      • Jimmy John’s - An intruder stole log-in credentials from Jimmy John’s point-of-sale vendor
      • Neiman Marcus - Malicious software (malware) was clandestinely installed on the system
      • The Home Depot - 56 million card records were hacked
      • Target Corporation - Around 70 million holiday shoppers had their card data compromised
      • JPMorgan Chase - the New York Times reported that 76 million households and 7 million small businesses were involved
      http://www.cutimes.com/2014/10/06/10-biggest-data-breaches-of-2014-so-far
  • 9. Security Breaches of 2015
      • Hacking Team - Exploits put hundreds of millions of Flash users at risk
      • Ashley Madison - Ensnares 37 million cheaters
      • Anthem - Breach affected about one-in-three Americans
      • IRS - Data breach led to hackers taking tax returns
      • OPM - More than 22 million government workers now vulnerable to blackmail
      http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/
  • 10. Security Breaches of 2015
      • Kaspersky - Attacked, but reputation dinged
      • LastPass - Saw potentially millions of passwords accessed
      • CVS, Walgreens - Hit by credit card breach
      • Carphone Warehouse - Tops UK breach list
      • UCLA Health - Failed to encrypt 4.5 million records
  • 11. Security Breaches
      http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
  • 12. 12 IT Infrastructure Vulnerabilities Heartbleed • Discovered April 2014 • Exposed the TLS Heartbeat extension vulnerability • Data could be read, such as:  Private keys  Users' session cookies  Passwords • This issue did not affect versions of OpenSSL prior to 1.0.1 • Rocket Software U2 products must be at OpenSSL 1.0.1m ©2015 Rocket Software, Inc. All Rights Reserved.
  • 13. 13 IT Infrastructure Vulnerabilities ShellShock • Disclosed on September 24, 2014 • Exposed bash shell vulnerability • OS vendors released fixes • Rocket Software MV did not produce a variant of bash for its products ©2015 Rocket Software, Inc. All Rights Reserved.
  • 14. 14 IT Infrastructure Vulnerabilities Poodle • Disclosed April 2014 • Causes client connections to fallback to SSL 3.0 • Termed man-in-the-middle exploit • Rocket Software U2 products must be at OpenSSL 1.0.1m ©2015 Rocket Software, Inc. All Rights Reserved.
  • 15. 15 IT Infrastructure Vulnerabilities - Freak Freak • Disclosed on March 3, 2015 • Exposed weak ciphers • Attackers could intercept data streams • Rocket Software U2 products must be at OpenSSL 1.0.1m ©2015 Rocket Software, Inc. All Rights Reserved.
  • 16. 16 IT Infrastructure Vulnerabilities – LogJam LogJam • Disclosed on May 20, 2015 • Exposed weak ciphers  Allows man-in-the-middle attacker to force the client and server to use a weak cipher • Rocket Software U2 products must be at OpenSSL 1.0.1m ©2015 Rocket Software, Inc. All Rights Reserved.
  • 17. Trends and Industry Standards – Microsoft
      Microsoft policy change
      • Microsoft Root Certificate Program
          – SHA1 not allowed after January 1, 2016
      • Disabled security protocols
          – SSL 3.0 will be disabled
          – TLSv1.0 questionable
  • 18. Trends and Industry Standards - Java
      Oracle Java policy change
      Starting with the January 20, 2015 Critical Patch Update releases
      • Java Runtime Environment has SSLv3 disabled by default
      • JDK 8u31
      • JDK 7u75
      • JDK 6u91
      http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
  • 19. Trends and Industry Standards - PCI
      “… SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately.”
  • 20. Trends and Industry Standards - HIPAA
      Follows NIST 800-52
      • SSL v3 must not be used
      • TLS v1.0 ok for interoperability with non-government
      • TLS v1.1 & (TLS v1.2 recommended)
      • Only recommended ciphers to be used
      http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
  • 21. Top Threats for 2015
      5. Third-party attacks
      4. Mobile malware
      3. Social media attacks
      2. Sophisticated DDoS attacks
      1. IoT: The Insecurity of Things
  • 22. APT (Advanced Persistent Threat)
      “Hackers Don't Need Sophisticated Attacks If You Leave Your Door Unlocked”
  • 23. APT (Advanced Persistent Threat)
      • Set of stealthy and continuous computer hacking processes
      • Usually targets organizations and/or nations for business or political motives
      • Processes require a high-degree of stealth over a long period of time
      • Example of APT - Stuxnet computer worm
  • 24. APT (Advanced Persistent Threat)
      APT Life Cycle
      • Targets specific organizations for a singular objective
      • Attempt to gain a foothold in the environment (common tactics include spear phishing emails)
      • Use the compromised systems as access into the target network
      • Deploy additional tools that help fulfill the attack objective
      • Cover tracks to maintain access for future initiatives
  • 26. MV Software Solution – The Key Paradigm
      Confidentiality, integrity and availability
      • Confidentiality
          – Limiting information access and disclosure to authorized users
      • Integrity
          – The trustworthiness of information resources
      • Availability
          – The availability of information resources
  • 27. MV Software Solution – The Key Paradigm
      • Data in transit
          – Information we send and receive
      • Data in use
          – Data we are using as we use it
      • Data at rest
          – In our hardware systems
          – On backup / archive
  • 29. Automatic Data Encryption
      • Tightly integrated into the UniData and UniVerse engines
      • Support in UniData and UniVerse components including clients, backup utilities, transaction logging, and replication
      • Robust key and password management
      • Flexible encryption modes
      • Easy to manage by Graphical User Interface (GUI) tools and utilities
  • 30. Automatic Data Encryption
      [Architecture diagram; labels as extracted: U2 BASIC Engine U2 Applications Data Access Key Manager Key Cache Encryption Engine U2 Engine Unencrypted Data Master Key Key Store Encryption Meta Data Audit Trail Encrypted Data Users through U2 clients XAdmin DB / Sys Admin uvregen Wallet confcmd Query Processing encman]
  • 31. SSL
      Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
      • OpenSSL (the basis of U2 SSL/TLS and encryption)
          – Software libraries that are an open-source implementation of the SSL and TLS protocols and provide cryptographic functions to software systems
          – SSL/TLS allows us to send and receive encrypted information
          – With the correct, validated certificate, parties can be certain that they are talking to the intended party, and
          – Data has not been maliciously changed during transmission
  • 32. Encryption in BASIC Programs
      • Data Encryption can encrypt data in the U2 data servers, and this encryption extends to all copies of the data
      • Light-weight (application-level) encryption: UniBasic or UniVerse BASIC ENCRYPT()
          – Very simple to implement
          – Relies upon ongoing application development
          – Key distribution needs management
          – Signature / Digest
  • 33. Securing Data in Use, Transit, and at Rest
      [Diagram. Component labels: Client Application (can be any technology on the client), Scripts, BASIC, C#, Java, Telnet Client, U2 Restful Service, U2 Web Services, U2 WebDE, U2 JPA Server, U2 Server, Intranet, Extranet, Internet, SSL, SSL or SSH, Encrypt() with KEY and IV, Encode, Encryption process, Decrypt subroutine, Data at rest.]
      CUSTOMER record layout: @ID, FNAME, LNAME, CITY, STATE, ZIP and PHONE are stored as ASCII; ADDRESS, DOB and SSN are stored encrypted.
      Sample record in the clear: @ID 104357, FNAME Neddy, LNAME Seagoon, ADDRESS 4700 S Syracuse St, CITY Denver, STATE CO, ZIP 80237, PHONE 800-426-4357, DOB 12/31/1967, SSN 123-45-6789. The same record at rest shows ADDRESS, DOB and SSN as ciphertext.
  • 34. Audit Logging – UniVerse Only
      UniVerse Audit Logging is designed to be:
      • Comprehensive – Covers all types of resources and operations
      • Flexible – Can be configured according to event types and through various policies, as well as before or after starting the system
      • Secure – The configuration file is encrypted and can be protected by a password, if desired. The Audit Log file is protected from illegal use and you can also encrypt its content
  • 35. Audit Logging
      UniVerse Audit Logging implementation provides the following features:
      • Classifies events and resources, and audits them based on the classification
      • Enables you to configure the location and number of audit files before UniVerse starts
      • Allows you to customize U2 database auditing without having to stop and restart UniVerse
      • Writes audit records to a UniVerse hashed file or group of files
      • Protects the audit file against unauthorized access and modification
  • 37. Automatic Data Encryption
      • File-level encryption
          – Provides at rest encryption of a file using AES-128
      • String-level encryption
          – Encrypts arbitrary strings using built-in BASIC functions
  • 38. SSL
      • MVSP APIs
          – Allows access to the database through a variety of languages
          – SSL may be enabled when establishing the connection
      • BASIC
          – Allows SSL sockets using built-in BASIC functions
  • 39. Audit Logging
      Uses triggers to run a program when an event occurs
      • All platforms (AIX, Linux, Windows)
          – callr (trigger on item read)
          – callx (trigger on item update)
          – callo (trigger on file open)
          – yupt (simple, built-in, program-less trigger on item update)
  • 40. Audit Logging
      • Windows specific
          – calle (trigger on clear-file)
          – callc (trigger on file close)
          – calld (trigger on delete-file)
  • 41. SSH
      • AIX and Linux
          – SSH is in OS
      • Windows
          – Any commercial SSH server may be used (e.g. Cygwin)
  • 42. Authentication
      • D3
          – Host
          – Traditional
  • 43. Permissions
      • Read access (Retrieval lock)
      • Write access (Update lock)
      • Used to limit access to users with matching keys
  • 45. Call for Action - Upgrade
      UniVerse and UniData using OpenSSL 1.0.1m
      • UniVerse 11.2.4
      • UniVerse 11.2.5 Strongly Preferred
      • UniData 7.3.7
      • UniData 8.1.0 Strongly Preferred
  • 46. Call for Action - Upgrade
      • wIntegrate 6.3.7
      • SBClient 6.3.3
      • ODBC 32/64 bit build UCC-3156
      • U2 Client Toolkit
          – U2 data client
          – UODOTNET
      • U2 DB TOOLS 4.x
  • 47. SSH
      • AIX and Linux
          – SSH is in OS
      • Windows
          – Any commercial SSH server may be used (Pragma Fortress)
  • 48. The Real Enemy Is TIME
  • 49. Summary
      • Information security is vital to all business
      • Security starts from the top and everyone must pitch in
      • Education and training is key to success
      • Choose solutions in line with your business goals
      • Know the threats
      • Use proper countermeasures
      • Implement defense-in-depth and defense-in-layers
      • Familiarize yourself with MV security features
      • MV Premier Services and MV Professional Services have experience of implementing secure solutions
  • 50. Other MVU Security Sessions
      • D3 Security Deep Dive
      • Managing the SSL Process
      • UniVerse Audit Logging
      • Create a Data Encryption Strategy Using ADE
  • 51. Additional Resources
      • Find further information
          – U2 Documentation set http://www.rocketsoftware.com/resource/u2-technical-documentation
      • Links
          – https://www.rocketsoftware.com
          – https://technet.microsoft.com/
          – https://www.oracle.com
          – https://openssl.org
          – https://www.hhs.gov
          – http://www.rocketsoftware.com/training-and-professional-services/rocket-u2
      • Contacts
          – u2askus@rocketsoftware.com
          – u2support@rocketsoftware.com
  • 52. Disclaimer
      THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON ROCKET SOFTWARE’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY ROCKET SOFTWARE WITHOUT NOTICE. ROCKET SOFTWARE SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
      • CREATING ANY WARRANTY OR REPRESENTATION FROM ROCKET SOFTWARE (OR ITS AFFILIATES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS); OR
      • ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF ROCKET SOFTWARE.
  • 53. Trademarks and Acknowledgements
      The trademarks and service marks identified in the following list are the exclusive properties of Rocket Software, Inc. and its subsidiaries (collectively, “Rocket Software”). These marks are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. Not all trademarks owned by Rocket Software are listed. The absence of a mark from this page neither constitutes a waiver of any intellectual property rights that Rocket Software has established in its marks nor means that Rocket Software is not owner of any such marks.
      Aldon, CorVu, Dynamic Connect, D3, FlashConnect, Pick, mvBase, MvEnterprise, NetCure, Rocket, SystemBuilder, U2, U2 Web Development Environment, UniData, UniVerse, and wIntegrate
      Other company, product, and service names mentioned herein may be trademarks or service marks of others.