Development of Protective Strategies for Large Data
WY BigData Conference, September 2014
Barry Schrager, [email protected]

Barry Schrager
• Founded and was first Project Manager of the SHARE Security Project in 1972
  • One of 20 customers asked by IBM to review the MVM (aka MVS) Operating System before it was announced
  • Delivered security requirements to IBM in 1974
  • See www.share‐sec.com/history.html
• Designer and Primary Author of ACF2 for MVS in 1978
  • IBM introduced RACF in 1976, which did not meet the requirements
  • And told me they were not achievable
  • I developed ACF2 to prove the requirements were achievable
• As President of SKK, introduced:
  • The first IBM VM Operating System security product, ACF2/VM
  • The first Operating System Auditing Product, Examine/MVS, now CA‐Auditor
• 40 years in mainframe software development and data security
• Member, Mainframe Hall of Fame (along with Dr. Gene Amdahl and Admiral Grace Hopper)
Barry Schrager, Inc.

Thanks to Phil & Steve for their insightful input to this presentation
• Phil Young ([email protected])
  • Director Core System Security at a major credit card brand
  • Phil does this for fun – nothing to do with his employer
  • aka Soldier of Fortran ;‐)
• Steve Beaver ([email protected])
  • Expert in IBM mainframe security systems (ACF2, RACF & Top Secret)
  • One of the very few people outside of DISA that truly understands the STIGs for Mainframes
  • Developer of privilege validation for ACF2 & RACF systems

ACF2 at significant places
• Office of the President
• US Senate
• CIA, NSA, MI‐5
• Many US Department of Defense
• Entire Australian Government
• Federal Reserve System
• JPMorgan Chase, Procter & Gamble
• FDIC, USDA
• General Motors & Chrysler
  • GM was the first ACF2 customer, later outsourced to Perot Systems (RACF)
  • Now bringing mainframe operations back in house with ACF2
• Over 2700 sites
• 60% market share against IBM & CA when SKK sold to UCCEL in 1987
Interesting Story About the CIA
• I met Barry Lewis in the mid‐1970’s at SHARE
• In early 1979, he calls, now at the Department of Labor, and wants me to fly to DC to give him a presentation on ACF2
  • Department of Labor was still MVT – ACF2 did not run on MVT
• Then he calls, now at the CIA, and wants to test ACF2
• After a month, he calls again
  • Some good news and some bad news

CIA ‐‐ Bad News
• Barry ‐‐ We found a way to bypass ACF2
• Me – Tell me and we’ll fix it
• Barry – It was not really your fault, it was IBM’s, but you could have blocked it
• Me – OK, let me know what to do
• Barry – Naw, we may have to use it!
• The CIA was into hacking (exploiting vulnerabilities) in 1979!!!

CIA – Good News …
• We’re going to buy ACF2 & recommend it to 100 of our collaborators and subcontractors
• Give me their names & I’ll have someone call them
• No, I can’t do that ‐‐ they will just call you

It’s in the news
• Target, eBay, Michaels, Neiman Marcus, P.F. Changs, JP Morgan Chase, HHS healthcare.gov, Home Depot, and many more
• According to Fox News, 7 of the top 15 banks were hacked in July
• These breaches have all drastically hurt the organizations
• All were Windows/Linux/Unix servers except
  • Logica in Sweden, which was an IBM mainframe, in 2012

Home Depot Data Breach (from Bloomberg)
• Using an older version of Symantec’s anti‐virus software on its point‐of‐sale devices
• Home Depot had purchased software designed to encrypt credit card data during transmission from point‐of‐sale devices to central servers; it had not been implemented yet
• Managers allege that the company’s technology executives were underfunding the security program, leading to higher‐than‐average levels of security staff turnover
• Where could the managers have gone to report these vulnerabilities?
The Logica Mainframe Breach
• February/March 2012
• Logica is an IT Services organization
• Provided services to the Swedish Government
• Hacked by Pirate‐Bay founder Gottfrid Svartholm Warg
• Warg obtained a z/OS image on a Hercules emulator
• He located a vulnerability that allowed escalation of his OMVS privileges – NIST CVE‐2012‐5955
• And, the Webserver – NIST CVE‐2012‐5951
• Obtained a legitimate user’s Userid and password, stealing it from an unencrypted FTP session
• Gained access to an OMVS (Unix) partition
• Escalated his privileges using the vulnerability
• Security/Monitoring systems did not detect this attack
• A sharp Operator noticed unusual activity and reported it

Things to be learned from Logica
• IBM z/OS (MVS) is the most “securable” system available
• Yet, with a local “sandbox” system, a system integrity vulnerability was located
• And, because of configuration weaknesses, like unencrypted connections, a Userid and Password were stolen
• And the perpetrator used the normal user access and enhanced his privileges with the vulnerability to gain access to data
• Monitoring for unusual activity is a must – we can’t depend on a sharp Operator to notice things

Beware of unintentional system integrity vulnerabilities
• Unintentional by your operating system vendor, ISV’s & your support staff
• Need commitment from all your suppliers to system integrity similar to IBM’s, which was announced in 1973!!!!
  • No guarantee there are no vulnerabilities, but there are none that we know of
  • If one is reported, we will fix it
  • Note that IBM was focusing on system stability, not system security, at that time
• The smaller servers and their operating systems were not designed with security as an absolute requirement – therefore, with the migration from the mainframe and the growth of new server facilities, organizations have placed themselves in a vulnerable situation
• Need outside expert security review of all configuration and settings

Worse yet – Intentional Vulnerabilities
• Intentional by your support staff
• Usually created for convenience – often years ago
  • Leaving unencrypted connections available so as not to inconvenience the users who would have to change the port number on their connections
  • Granting excessive privileges to too many people in support staff

Vulnerabilities I Found When Doing Audits
• Mainframe ‐‐ Like “Get me into authorized state” SVCs
  • Systems Programming Manager, when I found it at a large Wall St. Organization ‐‐ “How the bleep did he figure that out?”
• Shared production storage volumes with development/sandbox systems
  • Well known US Government Agency – production volumes accessed by many in the sandbox environment – found when I aided the GAO in auditing them
• Mainframe Hardware Management Console (“HMC”) allows system operator commands to sandbox environments, including varying production volumes online (if they were configured to the sandbox systems but just varied offline for convenience), APF authorizing a private library, etc.
  • Operator consoles historically have been in secure locations and operators watched over anyone entering commands
  • All console commands were, until recently, entered with no authority checking by z/OS – found when I audited the Wall Street Organization – reported to IBM, who has since fixed it
• HMC allows remote access.
In some sites virtually all systems programmers have remote access!!
  • The Wall Street Organization had two datacenters
    • One internal – 49 people authorized to the HMC – all with remote access
    • One outsourced to IBM – 150 people authorized to the HMC – all with remote access
  • I asked – do you even know who they all are? / datacenter now being insourced

Logica Breach
• IBM, because of its commitment to system integrity, has repaired the vulnerabilities
• Organizations must demand of their vendors a commitment to system integrity, similar to the IBM commitment
• In my 1974 SHARE Presentation (www.share‐sec.com/history.html):
  • In a multi‐user system, “there can be no system security without operating system integrity”
• Organizations cannot be sloppy or lazy about configuration vulnerabilities like unencrypted connections
• According to Phil Young (Soldier of Fortran), 53% of mainframe connections are not encrypted (plain text)!!!!

Internet Available Mainframe Systems without secure connections – Phil Young, Soldier of Fortran
(screenshot)

Many available – Phil Young’s Tumblr Page
(screenshot)

Phil’s page: http://mainframed767.tumblr.com/
(screenshot)

1978 – First ACF2 Customer
• General Motors ‐‐ Pontiac Motor Division
• 250 Users and about 1 GB DASD
• All the users were local
• Gerry Lyons – first ACF2 Security Officer
  • Could look at an entry in an ACF2 report
  • Say – that’s Jack upstairs
    • He knew all the users
  • That dataset contains radio inventory
    • He knew all the data by dataset name
  • We are in the month of May. Jack is trying to optimize the build out of the cars for this model year based upon the inventory – you can’t put a cheap radio in an expensive car or vice versa
    • He knew the business reason for access
Times Have Changed
• Tens or hundreds of thousands of users
  • From all over the globe
• Exabytes of data and millions of datasets
• Security staff can’t possibly know all the users
• Security staff certainly can’t know all the data
• Data easily downloaded to laptops or mobile devices
• Edward Snowden proves the insider threat is serious

New Laws and Regulations
• PCI, HIPAA, HiTech, PII, etc.
• Sensitive data is everywhere
  • Older copies of sensitive data, if disclosed, can harm the organization just as much
• Access to all sensitive data must be validated
• Copies, created for legitimate use, must be de‐identified, masked, etc. to eliminate the risk of disclosure
• Don’t forget Intellectual Property!! Plans, formulas, designs, etc.

The Insider
• The insider is an employee, contractor, etc. who has legitimate access to your systems, although that access is limited
• The insider may become malicious – Edward Snowden
• Ovum Survey – Only 9% of respondents felt safe from the insider threat – 26% felt vulnerable
• Information Security Magazine – 52% have re‐evaluated excessive privileges in the wake of Edward Snowden
• Information Week April 2014 – Top Threats –
  • 56% Cyber‐Criminals / 49% Authorized Users or Employees
• And don’t forget the hacker who obtains insider credentials and gains access to your systems
  • There are vulnerabilities that can be exploited
    • Logica breach – stolen credentials and a vulnerability in z/OS Unix System Services
  • And, incorrect, overly permissive, access permissions
  • Sensitive data your security staff does not know exists
First Step – Securing Your System
• Configuration vulnerabilities must be discovered and rectified
  • Use configuration auditing products like the one we created 30 years ago at SKK – Examine/MVS, now known as CA‐Auditor
  • Use outside security experts – they have seen many sites and can spot configuration vulnerabilities your own staff would either ignore or miss
• Be sure all connections are secure and encrypted
• Use two factor authentication for all privileged users (RSA tokens, tokens sent to mobile phones, etc.)
• Consider virtual machines for privileged users to minimize the possibility that their computer becomes infected with malware
• Have walls between sensitive data processing and “routine” processing.
  • Why was the Target HVAC contractor even in the same complex as Credit Card processing?

Questions for your vendors
• How can I process my current workload on your systems and still be secure?
• How can I configure my systems to provide the most security for my environment?
  • Have your security team regularly meet with your application experts to assure maximum security
• What are the guidelines I should use?
  • DISA STIGs – Defense Information Systems Agency – Security Technical Implementation Guidelines
  • The “STIG” contains known security configuration vulnerabilities, and issues required to be addressed by DoD policy
• Don’t forget, some of these recent hacks were perpetrated by 13 year olds. Think about what Nation‐States can accomplish!!
  • The latest JPMorgan hack originated in Russia. There is a question as to whether the Russian government was involved.
  • According to the latest news, the same Russian hackers did both the Target and Home Depot breaches

Second Step ‐‐ Apply Security Intelligence
• Data Discovery
  • Do you know where all your sensitive data is stored? <‐ talk to Marty Casey
  • Originals and copies – reports and query results too
  • Should the data even exist?
  • Implement and enforce policies about copying sensitive data
• Review Data Access Controls for Sensitive Data
  • Use Data Masking Techniques for Development/Test data
  • Are all the people with access permissions entitled to have those permissions based upon the sensitive category (PCI, PII, PHI, IP, etc.) of the data?
• Data Usage
  • Are all accesses to the sensitive data journaled?
  • Does any process/person look at the journals?

Third Step – Monitor Your Users’ Activity
• Edward Snowden is a good example
  • He was an administrator – no need to access or download the data
  • He “borrowed” other administrator accounts and passwords
    • Why were these other users coming in from his IP address?
    • Was the same “user” using the system simultaneously from two different locations?
  • This is something a Security Information and Event Management (SIEM) system should be analyzing and raising flags on

Fourth Step – Automate
• Edward Snowden had excessive access and was accessing and transferring the data under his control
• All Data Transfers should be done under full automation using a Scheduling System, with something like IBM Sterling Connect:Direct to do the actual transfer
• Limit the use by individuals where a computer can do it while enforcing controls and journaling

Fifth Step ‐‐ Privilege Validation
• Regularly, categorize all database tables/files with sensitive information
• Create a “blessed” list with the organization that contains the list of users authorized for each category of data
• Force the data owner to re‐certify those on the “access list”
  • And compare the list to the organization’s “blessed” list for that category of data (PCI, PII, PHI, IP, etc.)
  • Highlight the users that are not “blessed” so they can be either validated to be on the “blessed” list or removed from the access list
• Note that often a user is given access to certain data for a specific project or period, but the access is never revoked
  • Or, a user transfers departments and his old permissions are never cleaned up
• ‐> Steve Beaver just developed that for ACF2 and RACF

Organizations must take affirmative action
• Board of Directors must demand necessary investments in system and data security
  • It would be good if a cyber security expert was on the Board or a Committee of the Board – only 9 of the Fortune 500 companies had a compliance expert on the Board
• C‐Level executives must invest in and support data security initiatives
• There must be a vehicle for employees to report what they believe to be security weaknesses
• Yes, it costs money, but what is the cost of a breach?
  • Target Stores spent in excess of $61 million, over $200 million loss for financial institutions, plus $17 million from their liability insurance to contain and perform Disaster Control and, in the end, the CEO was terminated

“There are risks and costs to a program of action – but they are far less than the long range cost of comfortable inaction.” President John F. Kennedy

Thank you
• Feel free to contact me at: Barry Schrager, [email protected], (970) 479‐9377
• Note: Some of the information in the presentation came from Phil Young (aka Soldier of Fortran) – [email protected] and Steve Beaver – [email protected]
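The two questions the Third Step asks a SIEM to answer (several administrator userids arriving from one source address, and one userid logged on from two places at the same time) can be checked directly against session records. This is an added example, not code from the presentation or from any SIEM product; the session records are constructed, and the threshold of three userids per source address is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon sessions: (userid, source IP, logon time, logoff time).
# Not real log data; built to show both anomalies the Third Step describes.
SESSIONS = [
    ("ADMIN1", "10.0.5.17", "2013-05-20T08:00", "2013-05-20T12:00"),
    ("ADMIN2", "10.0.5.17", "2013-05-20T08:30", "2013-05-20T09:45"),
    ("ADMIN3", "10.0.5.17", "2013-05-20T10:10", "2013-05-20T11:00"),
    ("ADMIN2", "10.0.9.40", "2013-05-20T09:00", "2013-05-20T10:00"),  # overlaps ADMIN2 above
    ("USER7",  "10.0.7.3",  "2013-05-20T08:00", "2013-05-20T17:00"),
]

def parse(sessions):
    """Turn the ISO timestamps into datetime objects so overlaps can be compared."""
    return [(u, ip, datetime.fromisoformat(on), datetime.fromisoformat(off))
            for u, ip, on, off in sessions]

def shared_source(sessions, min_users=3):
    """Source IPs from which min_users or more distinct userids logged on.
    This is the 'why were these other users coming in from his IP address?' check."""
    users_by_ip = defaultdict(set)
    for user, ip, _, _ in sessions:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}

def concurrent_from_two_places(sessions):
    """Userids holding overlapping sessions from two different source IPs.
    This is the 'same user simultaneously from two locations' check."""
    by_user = defaultdict(list)
    for user, ip, on, off in parse(sessions):
        by_user[user].append((ip, on, off))
    flagged = set()
    for user, recs in by_user.items():
        for i in range(len(recs)):
            for j in range(i + 1, len(recs)):
                ip1, on1, off1 = recs[i]
                ip2, on2, off2 = recs[j]
                # Two intervals overlap when each starts before the other ends.
                if ip1 != ip2 and on1 < off2 and on2 < off1:
                    flagged.add(user)
    return sorted(flagged)

if __name__ == "__main__":
    print("shared source addresses:", shared_source(SESSIONS))
    print("concurrent from two places:", concurrent_from_two_places(SESSIONS))
```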
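The Fifth Step's comparison of each dataset's access list against the organization's "blessed" list for that data category, including the two leftover cases the slide calls out (project access never revoked, and data the security staff has not categorized), as an added example. This is not Steve Beaver's ACF2/RACF tool and not code from the presentation; the datasets, users and dates are constructed, and the optional expiry date on a grant is an assumed field.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    """One entry on a dataset's access list (assumed shape, not a real ACF2/RACF record)."""
    user: str
    dataset: str
    expires: Optional[date] = None   # project end date if the access was time-limited

# Constructed sample data; not from any real site.
CATEGORY = {                         # step 1: categorize the sensitive datasets
    "PROD.CARD.TRANS": "PCI",
    "HR.PAYROLL.MASTER": "PII",
    "ENG.DESIGN.MODEL2015": "IP",
}
BLESSED = {                          # step 2: the organization's blessed list per category
    "PCI": {"ALICE", "BOB"},
    "PII": {"CAROL"},
    "IP": {"DAVE", "ERIN"},
}
GRANTS = [                           # step 3: the access lists as they stand today
    Grant("ALICE", "PROD.CARD.TRANS"),
    Grant("FRANK", "PROD.CARD.TRANS"),                        # never blessed for PCI
    Grant("CAROL", "HR.PAYROLL.MASTER"),
    Grant("DAVE",  "HR.PAYROLL.MASTER", date(2013, 12, 31)),  # project ended, never revoked
    Grant("ERIN",  "ENG.DESIGN.MODEL2015"),
    Grant("GRACE", "TEST.COPY.CARD"),                         # a copy nobody categorized
]

def validate(grants, category, blessed, today):
    """Return findings as (dataset, user, reason); an empty list means every grant is blessed."""
    findings = []
    for g in grants:
        cat = category.get(g.dataset)
        if cat is None:
            # Data the security staff does not know exists cannot be validated at all.
            findings.append((g.dataset, g.user, "dataset not categorized"))
            continue
        if g.user not in blessed.get(cat, set()):
            findings.append((g.dataset, g.user, f"not on blessed list for {cat}"))
        if g.expires is not None and g.expires < today:
            findings.append((g.dataset, g.user, f"access expired {g.expires.isoformat()}"))
    return findings

if __name__ == "__main__":
    for finding in validate(GRANTS, CATEGORY, BLESSED, date(2014, 9, 1)):
        print(*finding)
```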