IBM i Security in 30 Minutes: All About Exit Programs
TRANSCRIPT
All trademarks and registered trademarks are the property of their respective owners.© HelpSystems LLC. All rights reserved.
IBM i Security in 30 Minutes: All About Exit Programs
HelpSystems. All rights reserved.
ROBIN TATAM, CBCA CISM PCI-P
Global Director of Security Technologies
Your Speaker
• Premier Security Products (globally-recognized “Powertech” brand)
– Represented by industry veteran, Robin Tatam, CISM CBCA PCI-P
• Comprehensive IBM i and AIX Security Services
– Represented by industry veteran, Carol Woodbury, CRISC
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
About HelpSystems’ Security Investment
IBM i has an integrated database called DB2
When you obtain a user ID and password, you have credentials that can access the database through every interface supported by the server.
It All Starts Here!
These Were the Easy Days
Menu Security easily limits the applications and options that a user can access
Application Security restricts the functions within an application that the user can access
Both approaches:
• Continue to be heavily relied upon
• Mask the complexity of object-level security
• Remain beneficial to a limited degree
• Are no longer sufficiently comprehensive
These Were the Easy Days
But Now There Are “New” Tunnels into the Server
What’s the Problem?
Application Menu
ODBC & JDBC
Telnet
FTP
DDM
ODBC isn’t rocket science anymore
Easy and Open Database Access
From a User’s Perspective
Even basic read-only (*USE) permission to a file allows the data to be viewed, copied, and even taken offline.
Easy and Open Database Access
• Some tools allow users to retrieve and return database data directly (without engaging the application)
• The OS typically does not log this activity
Easy and Open Database Access
File Transfer Protocol (FTP)
• No specialized tools required
• Simple and very fast
• No complex data parsing or application edits to comply with
Easy and Open Database Access
From an Auditor’s Perspective
1. Users typically have excessive rights to application data.
2. IBM i ships with many TCP/IP services active by default.
The 1-2 Punch!
Administrative Privileges Are Often Assigned to Users
[Bar chart: average number of users holding each special authority (*ALLOBJ, *SECADM, *IOSYSCFG, *AUDIT, *SPLCTL, *SERVICE, *JOBCTL, *SAVSYS); x-axis: Type of Authority; y-axis: No. of Users (Average), 0 to 500]
Authority distribution shown on the slide:
• *EXCLUDE 6%
• *CHANGE 61%
• *USE 22%
• *ALL 9%
• *AUTL 1%
IBM i Database Default = Allow All
Library Default - Create Authority
System Default - Create Authority
IBM i Database Default = Allow All
Systems with FTP Autostarted
Many of These Services Are Already Listening
Administrators can control user access to commands using the Limit Capabilities parameter (LMTCPB) on the user profile
However, consider that:
• Some PC interfaces do not adhere to this restriction
• Certain users may require command line access (make sure that they are *CMD audited)
Command Line Abuse
Users + Open Services = High Risk
A Simple Equation
The IBM i operating system contains a number of exit points, which enable custom functions to be developed.
A registered exit program will be invoked by the OS when a transaction is received, in order to perform the custom function. The OS waits for the exit program to complete and indicate whether the transaction should be allowed to continue.
IBM i contains almost 30 exit points dedicated to users accessing the server and data using PC interfaces.
A New Function?
The function of an exit program can be to do anything (even malicious!) as it’s written by a programmer; however, for network (PC) access, security officers typically want it to:
1. Audit (as IBM i doesn’t do a good job on its own)
2. Control (as object security is often weak or lacking)
The exit program returns a pass/fail indicator to the exit point, which then halts or continues the transaction’s journey.
NOTE: A “pass” does not mean the transaction will be honored. The request still has to satisfy OS security rules, assuming they exist.
A New Function?
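To make the pass/fail flow concrete, here is an added Python model (not IBM’s exit-point API and not code from this deck) of an exit program that audits every network transaction, rules on it by user and IP address, and then hands a “pass” on to the OS object-authority check. The rule table, user names, IP ranges, object authorities and the deny-by-default choice are all constructed assumptions.

```python
# Added model of the exit-point flow (constructed, not IBM's exit API):
# the exit point hands each network transaction to the registered exit
# program, which audits it and returns pass/fail; a pass only lets the
# request continue to the OS object-authority check.
from dataclasses import dataclass

@dataclass
class Transaction:
    server: str      # exit point that received it, e.g. "FTP" or "ODBC"
    user: str
    remote_ip: str
    operation: str   # "READ" or "WRITE"
    obj: str         # LIBRARY/FILE the request touches

# Constructed rule table: (server, user or *PUBLIC, IP prefix, allow?)
RULES = [
    ("FTP",  "*PUBLIC",  "",        False),  # FTP rejected for everyone...
    ("FTP",  "BATCHUSR", "10.1.5.", True),   # ...except one approved user/subnet
    ("ODBC", "*PUBLIC",  "10.1.",   True),   # ODBC allowed only from the LAN
]
AUDIT_LOG = []   # every transaction is logged, whatever the decision

def exit_program(tx: Transaction) -> bool:
    """Registered exit program: a rule naming the user outranks a *PUBLIC
    rule; with no matching rule the transaction is rejected (assumed default)."""
    matches = [r for r in RULES
               if r[0] == tx.server and r[1] in (tx.user, "*PUBLIC")
               and tx.remote_ip.startswith(r[2])]
    matches.sort(key=lambda r: r[1] == "*PUBLIC")   # specific user first
    decision = matches[0][3] if matches else False
    AUDIT_LOG.append(f"{tx.server} {tx.user}@{tx.remote_ip} {tx.operation} "
                     f"{tx.obj} -> {'PASS' if decision else 'FAIL'}")
    return decision

# Constructed *PUBLIC object authorities and what each operation needs
OBJECT_AUTH = {"PAYLIB/PAYROLL": "*CHANGE", "SALES/ORDERS": "*USE"}
NEEDED = {"READ": {"*USE", "*CHANGE", "*ALL"}, "WRITE": {"*CHANGE", "*ALL"}}

def os_authority_check(tx: Transaction) -> bool:
    return OBJECT_AUTH.get(tx.obj, "*EXCLUDE") in NEEDED[tx.operation]

def process(tx: Transaction) -> str:
    """Exit point: FAIL halts the transaction; PASS does not guarantee it,
    the OS security rules are still applied afterwards."""
    if not exit_program(tx):
        return "REJECTED_BY_EXIT_PROGRAM"
    if not os_authority_check(tx):
        return "REJECTED_BY_OBJECT_AUTHORITY"
    return "ALLOWED"

if __name__ == "__main__":
    print(process(Transaction("ODBC", "JSMITH", "10.1.2.3", "WRITE", "SALES/ORDERS")))
    print(*AUDIT_LOG, sep="\n")
```

The third outcome is the point of the NOTE above: an ODBC write from the LAN passes the exit program but is still refused because *USE authority does not cover a write.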
Many organizations remain unaware of this capability, or simply choose not to use it, thinking they don’t need it.
Who Is Using Exit Programs?
Exit programs can help compensate for—and reduce the risk associated with—poorly configured security controls.
Use exit programs to:
• Prevent unwanted access.
• Allow beneficial and approved access.
• Log and alert upon network access attempts.
Do We Really Need Exit Programs?
“But I Already Have Object Level Security!”
STILL
• Experts agree that layered security is the most effective.
• Most IBM i data isn’t nearly as secure as the owner thinks.
• Authority for data carries through to all interfaces.
• IBM i cannot differentiate between different access methods.
• Adequate auditing of network requests is not available in the OS.
• Command line permissions can still be circumvented.
Do We Really Need Exit Programs?
• No Obligation
• Fast! (~1 minute)
• Non-intrusive
• Includes expert review
• Free 7-Day License
• No Cost
Risk Exam for IBM i
Assess Your Risk of a Breach
Option 1: Write Your Own
• IBM provides samples at http://www-01.ibm.com/support/docview.wss?uid=nas8N1018050
• Search the web for published examples
• Can be complex for anything other than simple “block all traffic” type
• Can cause performance issues (esp. with ODBC)
• Should be tested against each OS release
• Auditors often take exception to self-policing
Option 2: Purchase a Commercial Solution
Okay, So How Do I Get Exit Programs?
Powertech Network Security
Network Security features:
• Green screen and Insite (HelpSystems’ unified web-based UI)
• Powerful rules engine manages connections by user or IP address
• Audit network activities into a tamperproof audit journal
• Control transactions with allow and reject
• Message alerts plus syslog via “Interact” module
• Switch profile capability allows authority override
• Multiple levels of granularity to simplify management
Rapid ROI as you regain control of users’ PC connections
Some of the most valuable data is stored on a Power Systems server (iSeries, AS/400).
Security awareness among IBM i professionals is generally low.
IBM i awareness among audit professionals is even lower.
Most IBM i data is not secured and the users are far too powerful.
Most data is easily accessed via PC interfaces with little to no oversight.
The Perfect IBM i Security “Storm”
Free Download: 2016 State of IBM i Security
https://www.mc-store.com/products/ibm-i-security-administration-and-compliance-second-edition
Learn more about IBM i Security
Best of Breed Security Solutions
Other Resources
Please visit www.helpsystems.com to access:
• Demonstration Videos & Trial Downloads
• Product Information Data Sheets
• Guides & Technical Articles
• Customer Success Stories
• How-To Articles
• To Request a FREE Security Scan
Question and Answer
www.helpsystems.com
See You Next Time!