Securing Cyber Space: Safeguarding Access to Critical Resources Peter Hager, CEO Earl Rasmussen, President Vanguard Security and Compliance Conference June 25, 2012 Net‘Q brings Security into the Net
Agenda • Changing Environment • Mainframes, the Internet, the Cloud • Increased Security Threats • Security Cases • Impact • Solutions • Summary
Role of Mainframes • Over 70% of World’s Critical information • Major Industry/Government reliance: • Finance • Energy • Retail • Telecommunications • Transportation • Government • Cloud Computing Environment
Role of Mainframes • 70 percent of all corporate data and 75 percent of all business logic still resides on mainframe • Executing nearly 30 billion transactions a day valued at over $1 trillion a week • Running $30 trillion of applications • 73 Percent of Organizations confirm that the Mainframe is part of their Cloud Computing Strategy • Over 60% of World-wide WAN Traffic is SNA Based
Millions invested in protecting mainframes Yet ….. • Estimates are that 90% of mainframes worldwide are insecure And …. • Nearly 95% are interconnected
Increased Security Threats • “New technologies that enhanced the availability of SNA with more dynamic network recovery and the use of the faster IP infrastructure has “opened” the SNA networking environment. “ • “Organized crime and unorthodox governments have the resources to hire career IT criminals that have the sophistication to attack a SNA network in order to find a big prize.” Source: “Securing an SNA Environment for the 21st century”, White Paper, IBM, 2008
2011 Breaches Continue to Grow • Compromised records skyrocketed to over 174 million • 94% of all compromised data involved servers • 58% of all data theft was tied to activist groups • 98% of breaches stemmed from external agents • 81% utilized some form of hacking • 69% incorporated malware • 92% were discovered by a third party Source: Verizon 2012 Data Breach Investigations Report
Small-Medium Businesses Targeted • Over 55% of SMBs experienced fraud attacks • 50% experienced multiple incidents • 80% of attacks went undetected by the bank • 87% failed to recover the lost funds • 40% of those compromised changed banks • Only 30% of SMBs feel banks are adequately safeguarding their accounts Source: Guardian Analytics and Ponemon Institute
Cyber Crime Targets • Banking and Finance • Hospitality • Retail • Manufacturing • Government • Telecommunications • Health Care • Energy
The Risk – Are You Safe? There are two types of companies: those that have been hacked and those that have been hacked but do not know it!
Breached organizations (examples): Bank of Scotland, TJX, Google, HBGary, Heartland Payment Systems, Health Net, DuPont, RSA Security, E-Trade, Epsilon, Global Payments, LinkedIn, Monster.com, WordPress, Hannaford Bros., Sony, Bank of America
Impacts: • Adverse Economic Impacts • Loss of Sensitive Data • Compromised Intellectual Property • Privacy Invasion and Personal Data Theft • Legal Implications • Reduced Trust and Confidence
New “Flame” Cyber Weapon • Kaspersky Lab has uncovered a massive cyber threat • The creators of the malware used a network of some 80 servers across Asia, Europe and North America to remotely control infected machines
Did you ever hear about the new codename Worm.Z.Frame?
Documented Hacking Cases: We have documented cases of security violations which have occurred in the mainframe environment. They have caused unauthorized viewing of data, free access to databases, unauthorized access to applications, and prolonged outages.
Security Cases • Security Case 19 – Hijacking • Security Case 20 – Malicious Software • Security Case 21 – Rogue Intermediate Network • SNA Switches • Hacker-to-Go
Security Environment (large institutions) • Multiple external connections • IPsec (to external connections) • IP firewall • SSL encryption • RACF • Single Sign-On • Secure ID cards
Migrating SNA/APPN/APPC to IP Networks
IPsec sees only the IP header and the encrypted payload; the applications still see SNA/APPN/APPC.
• TN3270 – Telnet 3270: 3270 data streams are encapsulated in TCP packets; the TN server converts between TCP packets and SNA packets (TN3270 client – TN server LU – application)
• EE – Enterprise Extender: SNA (HPR) frames are encapsulated in UDP packets between the VIPAs of the endpoints
• DLSw – Data Link Switching: SNA frames are encapsulated in TCP packets
In all three cases the circuit is still SNA/APPN/APPC end to end.
IP Encrypting SNA Data
• Positive: SNA packets are encrypted when transported between IP addresses
• Negative: SNA packets are encrypted only while transported between IP addresses
• SNA packets appear unencrypted at the SNA/APPN/APPC nodes
• The content of the SNA packets appears unencrypted to the applications
• IP-based firewalls have no control over SNA activities
The circuit is still SNA/APPN/APPC, whether carried by TN3270, EE or DLSw.
Migrating SNA Summary • SNA hardware devices disappeared: NCP, 3745, 3174, 3600 and many more … • Peripheral terminals became applications • Most of the legacy applications still exist and are running (IMS, CICS, TSO, RACF, JES, NetView) • The VTAM API interfaces have not changed
Hijack a TN3270 SSL-Encrypted Connection? Switch at the right moment.
Setup: innocent Telnet server – rogue third-party application (the switch) – target application; a rogue Telnet server is attached to the other input of the switch.
One of many good moments to switch is shortly before the target application times out. Idle time is easy for the third-party application to monitor and calculate.
• Send a timeout message to the innocent user before the target application times out
• Switch to the rogue user
• In case the innocent user logs on again, switch back to the innocent user
• The activity of the rogue user avoids the timeout at the target application
Malicious Software
Setup as in the hijacking case: innocent Telnet server – rogue third-party application (the switch) – target application, with copies of the rogue third-party application spreading to further targets (steps 1, 2 and 3, 4 in the diagram).
A customer who experienced hijacking found suspicious files on several mainframes. These suspicious files independently started sessions to other applications. After in-depth analysis the customer discovered that the suspicious files were ‘replications’ of the same type. In a test project they tested how successfully ‘harmless replicated files’ could be distributed. The result after one weekend was 500 replicates at 20 different networks.
Rogue Intermediate Network – 1st step to get more …
Networks: Entry Network NETE (TN server with TNLU001, CP CPE), Intermediate Network NETI (CPI, CPIx, rogue LUCICS), Destination Network NETD (CPX, real LUCICS).
1. The innocent user issues INITSELF TNLU001 – LUCICS through the TN server
2. A Search/Locate is sent to CPI
3. CPI finds LUCICS inside NETI (the rogue one)
4. The logon exit is driven in the rogue LUCICS. The logon exit of the rogue application sends both partner names to another rogue location; there are several ways to do this: FTP, e-mail or IND$FILE
5. The rogue LUCICS issues CLSDST OPTCD=PASS to NETD.LUCICS
6. The logon to the real LUCICS completes successfully
2nd step done through another Rogue Party
Networks: Entry Network NETE (TN server, TNLU001, CPE), Intermediate Network NETI (CPI, CPIx, rogue LUCICS), Rogue Network NETR (Ra, Rb, LUCICS) presenting a spoofed NETE (TNLU001), Destination Network NETD (CPX, real LUCICS).
• The remote location starts up two applications and
 a) starts session NETR.LUCICS – NETE.TNLU001 (the spoofed TNLU001)
 b) starts session NETE.TNLU001 – NETD.LUCICS
• As soon as the remote location is able to contact NETI, the rogue LUCICS issues CLSDST OPTCD=PASS to NETR.LUCICS
Rogue Intermediate Network, what another Rogue Party can do …
The rogue NETR with its spoofed NETE (TNLU001, LUCICS) sits between the innocent Telnet server (TNLU001) in the real NETE and the real LUCICS; a rogue Telnet server (TNLUXXX) is attached to the switch.
• The switch in the spoofed NETE.TNLU001 can hijack like reported in Violation Case 19-3
• RACF in the real z/OS does not recognize that it is being spoofed
• An IP-based firewall does not recognize this attack
• An APPN-EE firewall protects, as it is able to check the authentication of CP-CP connections and discovers insufficient security definitions
Rogue Intermediate Network, what another Rogue Party can do …
LU types passing through the rogue NETR / spoofed NETE: LU_T0 (ATM, terminal), LU_T1 (printer), LU_T2 (3270, TelNet3270, TPX, NVAS …), LU_T3 (printer), LU_T6.x (APPC, MQ-Series, CICS, IMS, DB2).
Rogue scripts and programs inside NETR.LUCICS can attack selectively:
• All sessions sending search/locates through the Intermediate Network NETI to the real LUCICS, regardless of which Entry Network (e.g. NETE1, NETE99 …) they are coming from
• Possible attacks: hijack authenticated sessions, copy data, modify data, spy for events, denial of service
Parallel Sysplex Concept: Network Nodes (NN) and End Nodes (EN)
SNA Switching: DLSw from a local router into the sysplex Network Nodes, with End Nodes (including AS/400 and z/OS) attached
• Extends the Parallel Sysplex to the desktop
• Un-authenticated CP-CP sessions enable encrypted open access to the core mainframe
Hacker-to-Go …
• Plug into any laptop or PC
• *** Legally free software *** Develop & test VTAM applications: TSO, H-Assembler, LinkEdit, VTAM plus Web and FT access
• *** Downloadable z/OS software available from the Internet *** z/OS 1.10 including APPN Crossnet and RACF, REXX, IP and much more …
• Both versions need just an 8 GB USB stick
Logon User Data • Up to 255 bytes • Created by application code or entered by terminal users • Transmitted within the logon flows • Provided by Communication Servers to applications in clear text • Can contain any text string, including USERID, PWD, PIN codes, social security IDs or other sensitive data • Often no security policy existed when the legacy applications were originally designed • Pertains to all types of SNA sessions
User Data carried on logon flows
Logon user data flows between Comm Servers over CDRM-CDRM and CP-CP circuits (also across EE) to APPL1, APPL2, APPL3.
• Logon User Data is included inside the logon flows (search/locates) and provided to the applications
• Distributed intra and cross LPAR, across DLSw (SNASw), across MS HIS
• Searches can distribute user data to external networks / applications
• The ADJCP and ADJSSCP tables of the Comm Server define the search order
• The original Comm Server has no control over how adjacent servers search
• The start parameter SNVC of the original Comm Server defines the search depth
User Data transported inside BIND (APPL – LU-LU circuit – APPL)
• Bind User Data: up to 65 bytes
• Created by application code
• Carried within the SNA BIND command and delivered to partner applications
• Provided by Communication Servers to applications in clear text
• User Data is carried cross-net if the search/locate found the partner there
User Data transported inside BIND to TN3270E (APPL – LU-LU circuit – Telnet server – TN3270 client; check: IP@, Telnet, SSL)
• The TN3270 server provides the Bind User Data to the TN3270 client (RFC 1647)
• The User Data is provided in clear text to the TN3270 client
• An IP-based firewall has no control over the user data, because the Telnet server encrypts the IP data packets
Observation 1, providing UID & PWD • A large financial organization. • We have found applications transmitting USERID and PASSWORD as User Data, many of them belonging to privileged users / administrators. • In a conference call, the network team assured that this was just inside their own network. • Closer analysis of recordings revealed that USERIDs and PASSWORDs were distributed to other networks. • In some cases USERIDs and PASSWORDs were received from a third-party CP which did not have a direct CP-CP connection.
Observation 2, Injection • Another large financial organization. • Hackers were sending in User Data inside logon requests in the form of an inquiry such as: INQ userid opt=PWD|PIN|SSID • An exit of the destination APPL reacted by sending the PWD|PIN|SSID back, included in the BIND command. • Closer analysis of recordings showed USERIDs and PASSWORDs were distributed to other networks. • In some cases USERIDs and PASSWORDs were received from third-party gateways which did not have a direct CP-CP connection.
User Data – Security Considerations • Be aware of the transmission of sensitive information • Ensure security policy compliance • Coordinate between System, Security, Risk, and Business • Review policies for USERDATA and applications using USERDATA • Collect, record, and analyze USERDATA • Monitor and manage the use of USERDATA • Re-evaluate security risks and implications periodically • Single Sign-on and Secure ID cards may solve the USERID/PASSWORD problem
What can hackers do? • Identity theft • Data theft and modification • Fraudulent transactions • Monitor real-time data flow • Malicious software / malware intrusion Activities are recorded as the authorized user/application
Neutralizes Security Investments • IP firewalls • Encryption • Secure ID cards • Single Sign-on with changing passwords • RACF PassTicket • RACF/TSS/ACF2 will not recognize the attack
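The slides above recommend collecting, recording and analyzing USERDATA. The following Python script is an added example (not from this deck or any Net‘Q product) of what that analysis looks like over recorded logon user data: it flags credential-like contents (the USERID/PASSWORD pairs of Observation 1), the INQ userid OPT=PWD|PIN|SSID probe of Observation 2, and escalates a hit when the user data crossed a network boundary or came from a CP with which there is no direct CP-CP connection. The record layout, field names, sample records and adjacency list are constructed for the example and are not any Comm Server's trace format.

```python
import re
from collections import Counter
from dataclasses import dataclass


# Constructed record layout for this example; not a real trace format.
@dataclass(frozen=True)
class LogonRecord:
    origin_cp: str   # CP that forwarded the search/locate, as NETID.CPNAME
    dest_lu: str     # application LU the logon is for, as NETID.LUNAME
    user_data: str   # logon user data (up to 255 bytes), already converted from EBCDIC


@dataclass(frozen=True)
class Finding:
    record: int      # index of the record in the input list
    kind: str        # what was found
    detail: str      # supporting fragment or explanation


# Credential-like contents that should never travel as logon user data.
CREDENTIAL_PATTERNS = {
    "userid_password": re.compile(
        r"\b(?:USERID|USER|UID)\s*[=:]\s*\S+.*?\b(?:PASSWORD|PWD|PW)\s*[=:]\s*\S+", re.I),
    "pin": re.compile(r"\bPIN\s*[=:]\s*\d{4,8}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Shape of the probe described in Observation 2: INQ <userid> OPT=PWD|PIN|SSID
INQ_PROBE = re.compile(
    r"\bINQ\s+\S+\s+OPT=(?:PWD|PIN|SSID)(?:\|(?:PWD|PIN|SSID))*\b", re.I)


def netid(resource: str) -> str:
    """Network ID part of a network-qualified NETID.NAME resource name."""
    return resource.split(".", 1)[0]


def analyze(records, adjacent_cps):
    """Return findings for records whose user data carries credentials or probes.

    adjacent_cps: CPs this Comm Server has a direct CP-CP session with. A hit
    from any other CP means the user data passed through at least one
    intermediate network we do not control.
    """
    findings = []
    for i, rec in enumerate(records):
        hits = []
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(rec.user_data):
                hits.append((kind, "credential-like user data"))
        probe = INQ_PROBE.search(rec.user_data)
        if probe:
            hits.append(("inq_probe", probe.group(0)))
        if not hits:
            continue  # nothing sensitive in this logon, no need to escalate
        # Escalate on the two conditions the observations describe.
        if netid(rec.origin_cp) != netid(rec.dest_lu):
            hits.append(("cross_network",
                         f"{netid(rec.origin_cp)} -> {netid(rec.dest_lu)}"))
        if rec.origin_cp not in adjacent_cps:
            hits.append(("no_direct_cpcp", f"{rec.origin_cp} is not an adjacent CP"))
        findings.extend(Finding(i, kind, detail) for kind, detail in hits)
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for a periodic USERDATA review."""
    return Counter(f.kind for f in findings)


# Constructed sample input: five recorded logon flows and our CP-CP adjacency.
SAMPLE_RECORDS = [
    LogonRecord("NETE.CPE", "NETE.APPL1", "USERID=ADMIN01 PWD=S3cret! TERM=T0001"),
    LogonRecord("NETI.CPI", "NETD.LUCICS", "USERID=OPER7 PASSWORD=Winter12"),
    LogonRecord("NETX.CPX", "NETD.LUCICS", "INQ OPER7 OPT=PWD|PIN"),
    LogonRecord("NETE.CPE", "NETD.LUCICS", "ACCT=12345 TERM=T0002"),
    LogonRecord("NETE.CPE", "NETD.LUCICS", "PIN=4711 SSN=123-45-6789"),
]
ADJACENT_CPS = {"NETE.CPE", "NETI.CPI"}

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS, ADJACENT_CPS):
        print(f"record {f.record}: {f.kind:16} {f.detail}")
    print(dict(summarize(analyze(SAMPLE_RECORDS, ADJACENT_CPS))))
```

Run against the constructed records, the script reports the two USERID/PASSWORD logons, the PIN and SSN in the last record, the INQ probe from NETX.CPX, and marks three of the hits as having crossed a network boundary and one as coming from a CP without a direct CP-CP connection; the clean ACCT/TERM record produces nothing. The patterns are deliberately simple starting points; the real value is in feeding them with recordings from every Comm Server, not just the one that owns the application.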
APPN-EE Firewall Components
• Base Package (Host Part, Net-Examine): VTAM Security Generator, RACF/ACF2/TSS Security Generator, VTAM Performance Generator (Optimization)
• Compliancy (Client / Master): Corporate Compliancy, Sarbanes-Oxley Compliancy, NIST Compliancy, MASTER Set Handler, CLIENT Functions
• Suites: Corporate Compliance Suite, Sarbanes-Oxley Compliance Suite, NIST Compliance Suite
Product Operation Scheme
• Mainframes: SysPlex 1, SysPlex 2 … SysPlex nn, each with system consoles and a firewall
• Remote Virtual Resources: FW config file, VTAMLST, PARMLIB, SMF
• Precustomized Net-Examine clients; downloadable Net-Examine suite + add-on functions
• Security server / web server: ongoing security examinations
• Other security management: NetView, Tivoli zSecure Suite, Vanguard
Administrate SNA Firewall • Both the security and the network team need to agree on any change • More info at: http://www.net-q.com/ssl/NetQRuleChangeProcess2.html
LUCK checks Conditions for 3rd Parties (Single Sign-on, RACF, SNA, TN3270, SSL encryption in the IP network; check: IP@, Telnet, SSL)
Same day, while the innocent user's session is active:
• Check the condition to start a session to the PLU: 99% chance to activate a session from LUCK
• Check the condition to start a session to the SLU: no chance while the TN server LU is in session with the target application
LUCK checks Conditions for 3rd Parties
When the innocent user has logged off:
• Good % of chance to activate a session from LUCK
• Reports successful
LUCK informs other applications
When both PLU and SLU accept the session:
1. Update the LUCK status databases
2. Give info to other 3rd parties (list configurable): same LPAR, external LPAR in the same SysPlex, external LPAR in the same network, external LPAR in another network
LUCK Does . . . • Checks the status of Logical Units • Checks connectivity to Logical Units using predefined Logmodes/Bindimages within the network and cross network • Establishes and immediately terminates sessions to PLU/SLU • Creates security reports • Designed for large networks
LUCK Does Not . . . • Does not send or receive data on any session • Does not keep any session connected • Does not acquire resources unless specifically requested • Checks all LUs, not only TN3270 LUs
LUCK, Input / Output
• Input: FTP, z/OS Comm Server, VTAMLST, manually configured input, external LUCK, Net-Examine / APPN-EE Firewall, trace files
• Output: primary log, secondary log, postponed database, error log, predictive security reports
Predictive Security Report: how many sessions would allow • 3rd-party man-in-the-middle attacks • Hijacked sessions • Obsolete Secure ID cards like RMF • Obsolete RACF Pass Tokens