![Page 1: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/1.jpg)
IBM z Systems Security Conference | 27-30 September | Montpellier
IBM Systems
IBM z Systems Security Conference: Business Security for today and tomorrow
Mainframe Security – It’s not just about your ESM!
Rui Miguel Feio, Technical Lead – RSM Partners
![Page 2: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/2.jpg)
Agenda
• Introductions
• Objectives
• Network Controls
• Other Controls
• Real Life Examples
• Taking Security Seriously (or Not)
• Conclusions
• Questions
![Page 3: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/3.jpg)
Delivering the best in z services, software, hardware and training.
World Class z Specialists
![Page 4: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/4.jpg)
This presentation
• Initially created by Mark Wilson
• Improved and presented by me!
![Page 5: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/5.jpg)
Introduction
• Technical lead at RSM Partners
• Been working with mainframes for the past 17 years and with computers since 1984
• Started as an MVS Systems Programmer with IBM and ended up specialising in mainframe security
• Experience in non-mainframe platforms as well
• I give presentations all over the world
![Page 6: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/6.jpg)
Objectives
![Page 7: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/7.jpg)
Objectives
• Let’s start with the basics:
– ESM stands for External Security Manager
– RACF, ACF2, TSS
– ESM helps protect the mainframe
• But what does it mean ‘protect the mainframe’?
• We will be looking at some of the other security controls available and a number of non-ESM related security controls that should be used to protect the mainframe
![Page 8: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/8.jpg)
Some of the Network Controls
![Page 9: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/9.jpg)
We keep hearing non-mainframe people and even some mainframe technicians say:
“The mainframe is fine, it’s behind a firewall…”
![Page 10: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/10.jpg)
Network Controls
• The mainframe is part of an ecosystem of different platforms and devices
• More than likely one or more devices and systems of this ecosystem (including the mainframe) will be connected to the internet
• This means that potentially there are many different ways to reach the mainframe
• We need to consider:
– Intrusion detection services (IDS), TCP/IP security, SENDMAIL and SMTP Security
![Page 11: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/11.jpg)
Network Controls
• Ask yourself: “How much do I actually know about network security and what features/facilities IBM have built into the system?”
• Who in this room has a clear understanding of:
– The SERVAUTH class
– TLS/SSL vs AT-TLS vs IPsec
– IP Filtering
– Intrusion Detection Services (IDS)
– Defence Manager (DM)
Let’s check this one
![Page 12: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/12.jpg)
SERVAUTH Class
• The SERVAUTH resource class supports TCP/IP security
• Profiles in the SERVAUTH class are prefixed with EZB
• Second qualifier specifies the function (for example):
– EZB.STACKACCESS.** to protect access to the TCP stack
– EZB.NETACCESS.** to specify who can access a specified network
– EZB.TN3270.** to protect TN3270 Secure Telnet Port Access
– EZB.PORTACCESS.** to specify who can use which TCP and UDP ports
• SERVAUTH class must be RACLISTed
![Page 13: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/13.jpg)
SERVAUTH Class
• EZB.STACKACCESS.sysname.tcpname
• EZB.NETACCESS.sysname.tcpname.netname
• EZB.PORTACCESS.sysname.tcpname.portname
• EZB.TN3270.sysname.tcpname.PORTnnnnn
• EZB.NETSTAT.sysname.tcpname.netstatoption
• EZB.FRCAACCESS.sysname.tcpname
• EZB.MODDVIPA.sysname.tcpname
• EZB.SOCKOPT.sysname.tcpname.SO_BROADCAST
• EZB.NETMGMT.sysname.tcpname.SYSTCPDA
• EZB.NETMGMT.sysname.tcpname.SYSTCPCN
• EZB.NETMGMT.sysname.tcpname.SYSTCPSM
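An added example (not from the original slides) of auditing SERVAUTH coverage with the profile formats listed above: it splits EZB profile names into their qualifiers, then flags a UACC other than NONE, WARNING mode, and TCP/IP stacks that lack a profile for a core function. The record layout, the sample profiles, the choice of core functions and the restriction to discrete (non-wildcard) profiles are assumptions made for illustration.

```python
# Added example: audit SERVAUTH profile coverage per TCP/IP stack.
# The (profile, uacc, warning) records are constructed sample data; the layout
# is an assumption, e.g. values transcribed from a RACF profile listing.
from collections import defaultdict

# Functions this audit expects every stack to have covered (assumed policy).
CORE_FUNCTIONS = ("STACKACCESS", "NETACCESS", "PORTACCESS")

SAMPLE_PROFILES = [
    ("EZB.STACKACCESS.SYS1.TCPIP", "NONE", False),
    ("EZB.NETACCESS.SYS1.TCPIP.INTERNAL", "READ", False),
    ("EZB.PORTACCESS.SYS1.TCPIP.FTPPORTS", "NONE", True),
    ("EZB.TN3270.SYS1.TCPIP.PORT00992", "NONE", False),
    ("EZB.STACKACCESS.SYS2.TCPIPB", "NONE", False),
    ("EZB.STACKACCESS", "NONE", False),  # too few qualifiers, skipped
]

def parse_profile(name):
    """Split EZB.function.sysname.tcpname[.resource] into its qualifiers."""
    parts = name.upper().split(".")
    if len(parts) < 4 or parts[0] != "EZB":
        return None
    return {"function": parts[1], "sysname": parts[2], "tcpname": parts[3],
            "resource": ".".join(parts[4:]) or None}

def audit(profiles, core=CORE_FUNCTIONS):
    """Return sorted (profile_or_stack, finding) tuples."""
    findings = []
    covered = defaultdict(set)  # (sysname, tcpname) -> functions with a profile
    for name, uacc, warning in profiles:
        p = parse_profile(name)
        if p is None:
            continue
        covered[(p["sysname"], p["tcpname"])].add(p["function"])
        if uacc.upper() != "NONE":
            findings.append((name, f"UACC({uacc}) grants default access"))
        if warning:
            findings.append((name, "WARNING mode: access is logged, not denied"))
    for (sysname, tcpname), funcs in covered.items():
        for func in core:
            if func not in funcs:
                findings.append((f"{sysname}.{tcpname}", f"no EZB.{func} profile"))
    return sorted(findings)

if __name__ == "__main__":
    for target, finding in audit(SAMPLE_PROFILES):
        print(f"{target}: {finding}")
```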
![Page 14: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/14.jpg)
TLS/SSL vs AT-TLS vs IPsec
• They all provide encryption/certificate for TCP/IP…
• But what else can you do with them?
• Who knows the differences?
• Who knows the restrictions?
![Page 15: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/15.jpg)
TLS/SSL
• TLS – Transport Layer Security
• SSL – Secure Sockets Layer
• Encrypts end-to-end to the application buffers
• Application must support System SSL
• Development maintenance overhead
• Cannot work for UDP services (EE, DNS lookup, SNMP...)
![Page 16: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/16.jpg)
AT-TLS
• AT-TLS – Application Transparent Transport Layer Security
• Encrypts to TCP/IP stack on z/OS
• Component of Communications Server
• Defined per application
• Removes need for application to support System SSL
• IBM recommended solution
• Cannot work for UDP services (EE, DNS lookup, SNMP...)
• Requires policy agent
![Page 17: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/17.jpg)
IPsec
• IPsec – Internet Protocol security
• Provides an encrypted “tunnel” at IP link layer
• Component of Communications Server
• Tunnel can be shared by multiple applications/services
• Tunnel can be used for TCP and UDP services
• Data can flow in clear to application within data centre
• Requires policy agent
![Page 18: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/18.jpg)
IP Filtering
• Effectively a firewall for z/OS
• Component of Communications Server
• Requires policy agent
• Configure to allow/reject any IP packet
• You can use the:
– Target/Origin IP address
– Target/Origin Port
– Plus other metrics…
• Audit log written to SyslogD
![Page 19: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/19.jpg)
Intrusion Detection Services (IDS)
• A hacker detection mechanism for z/OS
• Component of Communications Server
• Looks for a wide range of intrusion attacks
– ICMP attacks
– UDP attacks
– Port scans
– TCP state violations
– TCP malformed packets
– Many more…
• Requires policy agent
• Audit log written to SyslogD
![Page 20: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/20.jpg)
Intrusion Detection Services (IDS)
• We all understand the business disaster that is a data breach and the millions that can cost an organisation
• But a denial of service can cost an organisation just as much
• What if one of your major competitors hired someone from the “Dark Web” to take down your systems…
• What if they have mainframe knowledge?
• Hackers learn quickly and they are platform agnostic. As long as they get paid, they don’t care. Ever heard of Hacking as a service?
![Page 21: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/21.jpg)
Intrusion Detection Services (IDS)
![Page 22: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/22.jpg)
SyslogD
• Given this is typically where all the useful information is written…
• How many of us actually monitor or even alert on what’s written in here?
• Borrowed the next slide from a comms server manual
![Page 23: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/23.jpg)
SyslogD
• The syslogd facility uses a common mechanism for segregating messages
• The table shows the facilities used by z/OS Communications Server functions which write messages to syslogd
• The Primary syslog facility column shows the syslog facility used for most messages logged by the application
• Some applications use other facilities for certain messages
![Page 24: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/24.jpg)
File Transfer
• Another key area is FTP
• Obviously the SERVAUTH profiles help to some extent, but you really need an additional layer of security for FTP/FTPS which you have to write yourself or purchase additional software to get all that you need
• How about sftp and OpenSSH?
• Less support for security here and they need to be carefully considered
![Page 25: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/25.jpg)
SMTP
• How many of you are running SMTP?
• How are you controlling it?
• What would be the business and reputational impact for your company if someone was able to email sensitive data from the mainframe to the outside world?
• ‘Panama Papers’ anyone?
![Page 26: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/26.jpg)
Other Controls
![Page 27: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/27.jpg)
Other Controls
• It’s not just about mainframe security controls
• It’s about your end-to-end security posture
• You need to work through what a well-motivated hacker or a disgruntled employee may do
• You need to start thinking like them
• It’s about the whole ecosystem: mainframe, other platforms and devices
![Page 28: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/28.jpg)
What about all the other stuff?
• Subsystems (CICS, IMS, DB2, MQ)
• Scheduler
• Automation
• Source Control and 4-eye checking
• All the ISV products you have…
• How about vulnerability scanning:
– IBM
– ISV
– Internally developed
![Page 29: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/29.jpg)
Real Life Examples
![Page 30: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/30.jpg)
Real Life Examples
• Recently performed a mainframe security audit at a financial institution in Europe (51 risks identified)
• Large number of users with READ access to a daily backup copy of the RACF database, Network controls not properly protected, …

| Classification | Score |
|----------------|-------|
| Critical       | 11    |
| Serious        | 23    |
| Important      | 17    |
![Page 31: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/31.jpg)
Real Life Examples
• Mainframe security audit at a large energy company in the US this summer (72 risks identified)
• Network controls not defined
• READ access to sensitive data!!

| Classification | Score |
|----------------|-------|
| Critical       | 27    |
| Serious        | 30    |
| Important      | 15    |
![Page 32: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/32.jpg)
Real Life Examples
• Security analysis of a production RACF DB at a government agency in the UK last month
• 33 security problems identified in the RACF DB
• SERVAUTH class not active!!
• Large number of users with ALTER access to Master Catalog
• All OPERCMDS profiles in Warning mode including JES2.* and MVS.*
• RACF Databases with UACC of READ and several users with ALTER and UPDATE access
![Page 33: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/33.jpg)
Real Examples
![Page 34: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/34.jpg)
Taking security seriously (or not)
![Page 35: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/35.jpg)
On a nice Sunday morning…
![Page 36: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/36.jpg)
On its TV screen facing the street
![Page 37: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/37.jpg)
On the train on a business trip…
![Page 38: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/38.jpg)
On the train on a business trip…
![Page 39: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/39.jpg)
On a site, somewhere in Europe…
![Page 40: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/40.jpg)
On a site, somewhere in Europe…
![Page 41: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/41.jpg)
Conclusions
![Page 42: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/42.jpg)
You need a plan
1. Security Policy
2. Security Design
3. Security Procedures
4. Security Implementation
5. Security Auditing
6. Measurement Against Policy
![Page 43: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/43.jpg)
It’s a continuous process
Discovery
• Attack: (Optionally) Attack the system with discovery information.
• Success?: Use the findings to your benefit to enhance your security posture.
• Discover: Discover the flaws in your system with the knowledge gained.
• Education: This and many other sessions
• Knowledge: Now you know what to do!
![Page 44: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/44.jpg)
Questions
![Page 45: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/45.jpg)
Contact
Rui Miguel Feio, RSM Partners
Email: [email protected]
+44(0)7570911459
LinkedIn: www.linkedin.com/in/rfeio
www.rsmpartners.com
![Page 46: Mainframe Security - It's not just about your ESM v2.2](https://reader034.vdocuments.site/reader034/viewer/2022052405/587f04241a28abc26f8b4821/html5/thumbnails/46.jpg)
www.ibm.com/security