IBM i Security in 30 Minutes: All About Exit Programs

All trademarks and registered trademarks are the property of their respective owners. © HelpSystems LLC. All rights reserved.

Upload: helpsystems

Post on 06-Jan-2017



ROBIN TATAM, CBCA CISM PCI-P

Global Director of Security Technologies

Your Speaker


• Premier Security Products (globally-recognized “Powertech” brand)

– Represented by industry veteran, Robin Tatam, CISM CBCA PCI-P

• Comprehensive IBM i and AIX Security Services

– Represented by industry veteran, Carol Woodbury, CRISC

• Member of PCI Security Standards Council

• Authorized by NASBA to issue CPE Credits for Security Education

• Publisher of the Annual “State of IBM i Security” Report

About HelpSystems’ Security Investment


IBM i has an integrated database called DB2

When you obtain a user ID and password, you have credentials that can access the database through every interface supported by the server.

It All Starts Here!


These Were the Easy Days


Menu Security easily limits the applications and options that a user can access

Application Security restricts the functions within an application that the user can access

Both approaches:

• Continue to be heavily relied upon

• Mask the complexity of object-level security

• Remain beneficial to a limited degree

• Are no longer sufficiently comprehensive

These Were the Easy Days


But Now There Are “New” Tunnels into the Server


What’s the Problem?

Application Menu

ODBC & JDBC

Telnet

FTP

DDM


ODBC isn’t rocket science anymore

Easy and Open Database Access


From a User’s Perspective


Even basic read-only (*USE) permission to a file allows for the data to be viewed, copied, and even taken offline.

Easy and Open Database Access


• Some tools allow users to retrieve and return database data directly (without engaging the application)

• The OS typically does not log this activity

Easy and Open Database Access


File Transfer Protocol (FTP)

• No specialized tools required

• Simple and very fast

• No complex data parsing or application edits to comply with

Easy And Open Database Access


From an Auditor’s Perspective


1. Users typically have excessive rights to application data.

2. IBM i ships with many TCP/IP services active by default.

The 1-2 Punch!


Administrative Privileges Are Often Assigned to Users

[Chart: No. of Users (Average) by Type of Authority: *ALLOBJ, *SECADM, *IOSYSCFG, *AUDIT, *SPLCTL, *SERVICE, *JOBCTL, *SAVSYS]


*EXCLUDE 6%

*CHANGE 61%

*USE 22%

*ALL 9%

*AUTL 1%

IBM i Database Default = Allow All


Library Default - Create Authority

System Default - Create Authority

IBM i Database Default = Allow All


Systems with FTP Autostarted

Many of These Services Are Already Listening


Administrators can control user access to commands using the Limit Capabilities parameter (LMTCPB) on the user profile

However, consider that:

• Some PC interfaces do not adhere to this restriction

• Certain users may require command line access (make sure that they are *CMD audited)

Command Line Abuse


Users + Open Services = High Risk

A Simple Equation


The IBM i operating system contains a number of exit points, which enable custom functions to be developed.

A registered exit program will be invoked by the OS when a transaction is received, in order to perform the custom function. The OS waits for the exit program to complete and indicate if the transaction should be allowed to continue.

IBM i contains almost 30 exit points dedicated to users accessing the server and data using PC interfaces.

A New Function?


The function of an exit program can be to do anything (even malicious!) as it’s written by a programmer; however, for network (PC) access, security officers typically want it to:

1. Audit (as IBM i doesn’t do a good job on its own)

2. Control (as object security is often weak or lacking)

The exit program returns a pass/fail indicator to the exit point, which then halts or continues the transaction’s journey.

NOTE: A “pass” does not mean the transaction will be honored. The request still has to satisfy OS security rules, assuming they exist.

A New Function?
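The decision flow on these two slides, as an added sketch that is not from the presentation, IBM, or HelpSystems: a Python model (not IBM i code) of an exit program that audits every network request and returns allow or reject, followed by the separate object-authority check that still applies after a “pass”. The rule format, the `*ANY` wildcard, profile names, object names, and addresses are all constructed for illustration.

```python
import ipaddress

# Constructed rules, first match wins: (user, server, source network, allow?)
# "*ANY" is a wildcard of this model only.
RULES = [
    ("ETLSVC", "ODBC", "10.1.5.0/24", True),   # approved integration host
    ("*ANY",   "FTP",  "0.0.0.0/0",   False),  # no FTP transfers for anyone
    ("*ANY",   "ODBC", "0.0.0.0/0",   False),  # everyone else: no direct SQL
]
DEFAULT_ALLOW = True  # servers without a rule pass through, but are audited

# Constructed object authorities; *PUBLIC is the fallback for unlisted users.
AUTHORITY = {
    ("*PUBLIC", "ORDERS"): "*CHANGE",    # the common "allow all" default
    ("*PUBLIC", "PAYROLL"): "*EXCLUDE",
    ("PAYCLERK", "PAYROLL"): "*CHANGE",
}
AUDIT_LOG = []  # stands in for an audit journal

def exit_program(user, server, src_ip):
    """Return True (continue) or False (reject); every request is logged."""
    allow = DEFAULT_ALLOW
    addr = ipaddress.ip_address(src_ip)
    for r_user, r_server, r_net, r_allow in RULES:
        if (r_user in ("*ANY", user) and r_server == server
                and addr in ipaddress.ip_network(r_net)):
            allow = r_allow
            break
    AUDIT_LOG.append((user, server, src_ip, "ALLOW" if allow else "REJECT"))
    return allow

def object_authority_ok(user, obj, need_write):
    """The OS check that still runs after the exit program says 'pass'."""
    auth = AUTHORITY.get((user, obj), AUTHORITY.get(("*PUBLIC", obj), "*EXCLUDE"))
    return auth in ("*CHANGE", "*ALL") or (auth == "*USE" and not need_write)

def handle_request(user, server, src_ip, obj, need_write=False):
    """Model of one network transaction arriving at an exit point."""
    if not exit_program(user, server, src_ip):
        return "rejected by exit program"
    if not object_authority_ok(user, obj, need_write):
        return "passed exit program, denied by object authority"
    return "honored"

if __name__ == "__main__":
    print(handle_request("JSMITH", "ODBC", "192.168.7.9", "ORDERS", True))
    print(AUDIT_LOG)
```

In this model JSMITH holds *CHANGE to ORDERS through *PUBLIC, yet the ODBC request is stopped because the exit program, unlike object authority, can distinguish the access method.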


Many organizations remain unaware of this capability, or simply choose not to use it, thinking they don’t need it.

Who Is Using Exit Programs?


Exit programs can help compensate for—and reduce the risk associated with—poorly configured security controls.

Use exit programs to:

• Prevent unwanted access.

• Allow beneficial and approved access.

• Log and alert upon network access attempts.

Do We Really Need Exit Programs?


“But I Already Have Object Level Security!”

STILL

• Experts agree that layered security is the most effective.

• Most IBM i data isn’t nearly as secure as the owner thinks.

• Authority for data carries through to all interfaces.

• IBM i cannot differentiate between different access methods.

• Adequate auditing of network requests is not available in the OS.

• Command line permissions can still be circumvented.

Do We Really Need Exit Programs?


• No Obligation

• Fast! (~1 minute)

• Non-intrusive

• Includes expert review

• Free 7-Day License

• No Cost

Risk Exam for IBM i

Assess Your Risk of a Breach


Option 1: Write Your Own

Option 2: Purchase A Commercial Solution

• IBM provides samples at http://www-01.ibm.com/support/docview.wss?uid=nas8N1018050

• Search the web for published examples

• Can be complex for anything other than simple “block all traffic” type

• Can cause performance issues (esp. with ODBC)

• Should be tested against each OS release

• Auditors often take exception to self-policing

Okay, So How Do I Get Exit Programs?


Powertech Network Security

Network Security features:

• Green screen and Insite (HelpSystems’ unified web-based UI)

• Powerful rules engine manages connections by user or IP address

• Audit network activities into a tamperproof audit journal

• Control transactions with allow and reject

• Message alerts plus syslog via “Interact” module

• Switch profile capability allows authority override

• Multiple levels of granularity to simplify management

Rapid ROI as you regain control of users’ PC connections


Some of the most valuable data is stored on a Power Systems server (iSeries, AS/400).

-------------------------------

Security awareness among IBM i professionals is generally low.

IBM i awareness among audit professionals is even lower.

Most IBM i data is not secured and the users are far too powerful.

Most data is easily accessed via PC interfaces with little to no oversight.

The Perfect IBM i Security “Storm”


Free Download: 2016 State of IBM i Security

https://www.mc-store.com/products/ibm-i-security-administration-and-compliance-second-edition

Learn more about IBM i Security


Best of Breed Security Solutions


Other Resources

Please visit www.helpsystems.com to access:

• Demonstration Videos & Trial Downloads

• Product Information Data Sheets

• Guides & Technical Articles

• Customer Success Stories

• How-To Articles

• To Request a FREE Security Scan


Question and Answer


www.helpsystems.com

See You Next Time!