Townsend Security Data Privacy Blog

IBM i Security Architecture & Active Monitoring

Posted by Patrick Townsend on Dec 6, 2016 7:30:42 AM

Excerpt from the eBook "IBM i Security: Event Logging & Active Monitoring - A Step By Step Guide."


IBM i Security: Event Logging & Active Monitoring Active monitoring (sometimes referred to as Continuous Monitoring) is a critical security control for all organizations. And it is one of the most effective security controls you can deploy. The large majority of security breaches occur on systems that have been compromised days, weeks, or even months before sensitive data is lost. A recent Verizon Data Breach Investigations Report1 indicates that a full 84 percent of all breaches were detected in system logs. This is why the Center for Internet Security includes active monitoring as a Critical Security Control (Control number 6).

There are several elements of a truly effective Active Monitoring strategy:

Central Collection and Repository of All Events
Attackers almost never start with your core IBM i server directly. They attack a web application or infect a user PC and work their way into the IBM i server. A defensible active monitoring strategy has to collect events from across the entire organization. By the time they show up on your IBM i server they have probably compromised a number of intermediate systems and an opportunity to prevent the breach has been missed. Collect all events across your entire IT infrastructure to gain the best early detection opportunities.

Real Time Event Collection
Data breaches are happening much faster than in the past. In some cases the loss of data happens just minutes after the initial breach. This means that you must collect security events in real time. Good active monitoring solutions are able to digest threat information
in real time and give you the chance to deter them. Avoid batch event collection – you can collect IBM i security audit journal information in real time and you should.

Event Correlation
Event correlation is key to an effect active monitoring solution. This is typically accomplished through the use of special software implemented in Security Information and Event Management (SIEM) solutions. Highly automated SIEM solutions have the ability to correlate events across a large number of systems and automatically identify potential problems. They do exactly what we want computer systems to do – handle large amounts of data and apply intelligent interpretation of the data.

Anomaly Detection
Anomaly detection is another aspect of active monitoring. That unusual system login at 3:00am on a Sunday morning would probably escape the attention of our human IT team members, but good active monitoring solutions can see that anomalous event and report on it.

Alerting and Resolution Management
When a problem is discovered we need to know about it as soon as possible. A good active monitoring solution will inform us through a variety of alerting channels. Emails, text, dashboards and other mechanisms can be deployed to bring attention to the problem - and we need to be able to track the resolution of the event! We are all processing too much information and it is easy to forget or misplace a problem. 

Forensic Tools
Forensic tools are critical to an active monitoring solution as they enable the rapid analysis of an attacker’s footprints in our system. The key tool is an effective and easy-to-use query application. Log data can include millions of events and be impossible to inspect without a good query tool. The ability to save queries and use them at a later time should also be a core feature of your forensic toolset.

IBM i


Topics: System Logging, IBM i

Townsend Security Announces Major Update to Alliance LogAgent for IBM i

Posted by Luke Probasco on Nov 29, 2016 12:01:00 AM

New features include full reporting of administrative users, including authority the user adopts through Group Profiles and Supplemental Group Profiles.

IBM i Security: Event Logging & Active Monitoring Townsend Security today announced a significant update to its existing Alliance LogAgent for IBM i (AS/400, iSeries) solution, allowing full reporting of administrative users, which includes authority the user adopts through Group Profiles and Supplemental Group Profiles. Alliance LogAgent is a Security Information and Event Management (SIEM) integration solution that collects, formats, and transmits security information in real-time to any SIEM or log collection server.

When the new configuration options are enabled, Alliance LogAgent will tag all significant security events as performed by the administrative level user. This enhancement will help security administrators easily identify which users have elevated privileges and enable SIEM solutions to quickly identify and alert on operations. In addition to the new administrative user reporting, Alliance LogAgent now provides an easy-to-use local assessment report that identifies privileged users. This will reduce the overhead of inspecting and adjusting privileges of IBM i users. 

Alliance LogAgent is compatible with all SIEM solutions that accept Syslog messages, IBM QRadar Log Event Extended Format (LEEF), or the HP ArcSight Common Event Format (CEF). The new administrative field reporting will make it easy for SIEM administrators to create dashboards, compliance reports, and alerts based on reported fields. When an administrator privileges are detected Alliance LogAgent adds the following field to the security message:

            admin_user=yes

For IBM QRadar the new field is:

            adminUser=yes

By providing a normalized field in the security events sent to the SIEM monitoring platform, the SIEM’s query and forensic tools can be used more effectively.

“Many IBM i customers have struggled with identifying who on their system has elevated privileges. It is crucial to identify and strictly control these users as cyber criminals often use privilege escalation to enable the exfiltration of sensitive data,” said Patrick Townsend, CEO of Townsend Security. “On first look an IBM i account may appear to have normal user privileges, but may in fact inherit higher privileges through a Group Profile or Supplemental Group Profile. Alliance LogAgent now detects these elevated privileges in real time, and provides the security administrator with an easy-to-use report to identify the source of elevated privileges. We think this is a crucial enhancement that will help IBM i customers better secure their platforms.”

Alliance LogAgent is in use with a wide variety of SIEM solutions including LogRhythm, SecureWorks, NTT Solutionary, IBM QRadar, Alert Logic, AlienVault, McAfee SIEM, Splunk, SolarWinds, and many others. In addition to collecting the IBM i security audit journal information Alliance LogAgent collects system history messages, operator messages, exit point information, system statistics, and a variety of open source application logs in Unix/Linux format.

The solution is licensed on a per logical partition (LPAR) basis, with perpetual and subscription licensing options available. Existing Alliance LogAgent customers on a current maintenance contract can upgrade to the new version at no charge.

IBM i

Topics: Alliance LogAgent, Press Release

Dangers of Encryption on the IBM i (AS/400, iSeries): Avoid These Pitfalls

Posted by Patrick Townsend on Nov 14, 2016 8:35:13 AM

IBM has done a good job of implementing security from the ground up on the IBM i platform. But that doesn’t mean that it is immune from data breaches. All of the PCs and servers on your network with the IBM i server are potential attack points for a data breach. And make no mistake, cyber criminals know that the IBM i server is a rich target. Implementing encryption in IBM i DB2 is an essential part of a defense in depth strategy. But there are lots of pitfalls to avoid. Let’s take a look at some of them (I am shamelessly plugging our Alliance AES/400 solution, too):

Key Management for IBM i - Audit Failures Locally Stored Encryption Keys and Key Management

One of the surest ways to defeat your encryption strategy is to store encryption keys on the same system that stores sensitive data. The IBM i server is no exception. Compliance regulations and security best practices require that you store encryption keys away from the IBM i server in an encryption key vault designed for this purpose. Why is this a security best practice? Cybercriminals are often able to achieve privilege escalation on a compromised IBM i server and then get access to locally stored keys. Storing encryption keys off of the IBM i server makes the compromise of the sensitive data much harder.

How Townsend Security Can Help

The Townsend Security Alliance AES/400 product integrates seamlessly with Townsend Security's Alliance Key Manager solution for protection of encryption keys and key management best practices. Alliance Key Manager stores encryption keys in a hardware security module or VMware instance that is attached to the IBM i server by a secure, authenticated TLS connection. As a FIPS 140-2 compliant key management solution, Alliance AES/400 with Alliance Key Manager solves the key management problem!

High Availability and Key Mirroring

Encryption key management is a part of your critical infrastructure. The loss of an encryption key means the loss of your data! Your encryption key management solution should implement real-time key mirroring and real-time security policy mirroring. In the event the key manager is unavailable due to a hardware or network failure, the failover to a secondary key server should be automatic without business interruption. A key management solution based on the IBM i master key facility cannot achieve real-time mirroring and protection from these failures.

How Townsend Security Can Help

Alliance Key Manager implements real-time key mirroring to one or more backup key servers. The mirroring implementation is active-active meaning that any changes you make to keys or access policies on the secondary server will be mirrored to the production server when it comes back online. This perfectly matches your IBM i high availability failover strategy if you use MIMIX, iTera, Vision, or IBM DataMirror.

Encryption and Insider Threats

Insider threats include both intentional and unintentional access to and loss of sensitive information. Unintentional losses of data represents the largest insider threat. Accidentally copying data to a PC or development environment can lead to a reportable data breach event. This is especially true when access controls to sensitive data are only controlled by native IBM i object level security. You should certainly use native IBM i security mechanisms, but access to decrypted sensitive data should also be controlled using a “whitelist” approach. This will help minimize the intentional and unintentional access by security administrators. Note that it is not only the security profile QSECOFR that has all access to sensitive data: all users with All Object (*ALLOBJ) authority or who adopt this level of authority through a group profile or supplemental group are at risk for intentional or unintentional loss of sensitive data.

How Townsend Security Can Help

Alliance AES/400 implements a whitelist approach for controlled access to decrypted sensitive data. All configuration changes to security policies are logged to the IBM security audit journal QAUDJRN. You can achieve effective Separation of Duties between managers of the encryption keys and security administrators on the IBM i platform.

Poorly Performing Encryption Libraries

Encryption can also present an operational risk to IBM i customers. In order to meet service level expectations of end users encryption and decryption operations must be efficient. Unfortunately for IBM i customers the native AES encryption software libraries provided in the operating system may not provide an adequate level of performance. Even with the new IBM i POWER8 servers with on-chip encryption, the performance of AES encryption and decryption tasks is poor. It is important to assess the size of your protected databases and the nature of batch operations that require access to unencrypted data in order to avoid negative impacts to both interactive and batch applications.

How Townsend Security Can Help

Alliance AES/400 uses the Townsend Security NIST-validated AES encryption library for encryption and decryption tasks. This optimized AES encryption library is more than 100x faster that native IBM i encryption libraries on POWER7 processors, and more than 50x faster on POWER8 processors.

Encrypted Indexes

Many IBM i customers are surprised to learn that their RPG applications will not work correctly with DB2 FieldProc for encrypted indexes (key fields). FieldProc is IBM’s automatic column level encryption feature implemented at the DB2 database level. FieldProc is attractive to IBM i customers because it does not require modifications to applications. While native SQL applications can easily handle encrypted indexes, RPG applications do not use the native SQL Query Engine (SQE) and will not work properly with encrypted indexes. Most IBM i customers exclusively use RPG or have a mix of RPG and SQL applications. The issue with RPG and encrypted indexes represents a major roadblock to encryption. Be sure that your encryption strategy can support encrypted indexes, or be prepared to modernize RPG applications to use native the SQL Query Engine.

How Townsend Security Can Help

Townsend Security tackled the problem of encrypted indexes and offers a solution to the RPG challenge through its Open Access for RPG SQL library. Changing one line of code in your RPG application can automatically use the native SQL Query Engine for database access. This eliminates the challenges of encrypted indexes with FieldProc encryption.

Data Masking

Compliance regulations such as PCI Data Security Standard (PCI-DSS) and security best practices require that we only allow authorized users access to fully decrypted sensitive data. But other users must have access to our database applications. This means that intelligent data masking should be built into your IBM i applications. As noted above, data masking should be based on a whitelist approach and not purely based on object or database level authority. You should have the ability to define masking rules (mask all but the last 4 characters, etc.) and you should be able to define a default masking rule that applies to all unauthorized users. While Row and Column Access Controls (RCAC) can provide some data masking capability, you must manage individual user level authorities to implement this control.

How Townsend Security Can Help

Alliance AES/400 fully implements data masking using a whitelist approach and provides protections from users with All Object (*ALLOBJ) or Security Administrator (*SECADM) privileges. Data is masked in the internal decryption routines and fully exposed data is never visible in the application program.

System Audit Logs

No security policy or solution can be effective on a stand-alone basis and this includes encryption and key management. A good encryption and key management strategy involves monitoring all access to sensitive data, monitoring changes to encryption and key management configurations, monitoring all use of encryption keys, and storing audit logs for future forensic reference. The use of Security Information and Event Management (SIEM) solutions is highly recommended as a part of your monitoring and alerting strategy. Be sure that all access to encryption and encryption keys is fully audited and logged.

How Townsend Security Can Help

Alliance AES/400 and Alliance Key Manager implement system logging and audit for all aspects of administration, configuration and use. Alliance Key Manager implements full logging of all aspects of key management and the server it runs on, and transmits logs to a SIEM solution in real time. Alliance AES/400 fully logs all administrative operations and decryption tasks to the IBM i security audit journal QAUDJRN. The optional Alliance LogAgent solution transmits these logs as well as all IBM i security events to a SIEM solution or log collection server.

Encryption and key management don’t have to feel dangerous or scary! I hope the above points about encryption and key management for the IBM i help you develop a roadmap for successful (and safe!) encryption.

Patrick

Key Management for IBM i - Sources of Audit Failures

Topics: Encryption, Key Management, IBM i

IBM i Security Notification - OpenSSL and OpenVPN

Posted by Patrick Townsend on Nov 8, 2016 8:46:49 AM

In case you missed it, IBM just released a security notification for the IBM i platform - all versions of the operating system from 6.1 through 7.3. This one is important and you should take a look at it right away. The vulnerabilities are related to OpenSSL and to OpenVPN which uses OpenSSL. The vulnerability is called the SWEET32 Birthday attack. OpenSSL is used in several places on the IBM i platform, so patching this should be a priority.

alert.pngHere is the link to the description of the problem and a list of the PTFs that you need to apply for all currently supported platforms. Be sure to read it all the way through.

I recommend that you follow the guidance in this document to turn off Triple DES ciphers.

In addition to patching the IBM instances of OpenSSL and OpenVPN, IBM recommends that you contact your third party software vendors to determine if they have vulnerabilities.

Let me be pre-emptive here:

None of the Townsend Security solutions for the IBM i use the OpenSSL library for secure TLS sessions. Our solutions exclusively use the IBM i System TLS library. Why is that? Well, we ported OpenSSL to the IBM i platform more than 10 years ago. While we were successful with the port to the IBM i, I made a decision that we would not release it nor use it in our IBM i products. OpenSSL is a complex application with many moving parts. I agree with Bruce Schneier that complexity is the enemy of security. It is so easy to introduce a problem in a cryptographic library even if you work in this area a great deal. I felt then, and I feel now, that the maintenance and support of the TLS library should remain with IBM and that the native IBM i System TLS library is the best platform for us and our customers. I believe that this was a good decision then, and remains a good decision now. It has protected our customers from a number of security problems.

Our Managed FTP solution does use the OpenSSH solution for secure FTP sessions. OpenSSH uses the OpenSSL solution for cryptographic operations, but not for secure session establishment and it is not subject to this vulnerability. We use the IBM OpenSSH distribution and not our own port of OpenSSH for the very same reason as above.

I am NOT criticizing the OpenSSL development team. I’ve worked directly with the OpenSSL team over the years and have deep respect for them. They have a gargantuan task in maintaining one of the most widely used secure communications products in the world. Security programming will humble you and, if you are lucky, it will make you risk averse. On the IBM i platform we chose to use the IBM i System TLS library and I still think that was a wise decision.

There are multiple third-party IBM i products that do use their own version of OpenSSL. You need to be talking to them right away. Unfortunately I know of one or two that are no longer supporting the IBM i platform. So you may have some difficulty getting resolution on this issue. I wish you luck in this endeavor!

If you are interested you can read about the SWEET32 attack here.

If you are one of our IBM i customers I recommend that you sign up for our newsletter. If you’ve opted out in the past you might not be getting security notifications from us. When you opt out we honor that request and won’t opt you back in. You have to do that here. 

Patrick

Webinar: Sec

Topics: IBM i

IBM i Security: Auditing Privileged Users, Applications, and Database Files

Posted by Patrick Townsend on Nov 3, 2016 9:21:51 AM

Excerpt from the eBook "IBM i Security: Event Logging & Active Monitoring - A Step By Step Guide."


IBM i Security: Event Logging & Active Monitoring

Audit Privelaged Users

Attackers attempt to gain privileged access to your IBM i system and as a privileged user can perform a wide variety of tasks on the IBM i server. As a privileged user, an attacker can steal sensitive data or damage your system. You should strongly consider enabling full user auditing of any user profile that has a high level of privilege. This should include the IBM user profile QSECOFR and any user with All Object (*ALLOBJ) or Audit (*AUDIT) capabilities. The commands executed by the audit user are logged to the QAUDJRN journal. You can identify privileged users by running an IBM security report:

   PRTUSRPRF TYPE(*AUTINFO)
   SPCAUT(*ALL)

Once you identify privileged users you can enable user auditing with the Change User Audit (CHGUSRAUD) command like this:

   CHGUSRAUD USRPRF(QSECOFR)
   OBJAUD(*ALL) AUDLVL(*AUTFAIL *CMD
   *PGMADP *NETCMN *PGMFAIL)

Note that you may want to increase or decrease the information you audit for privileged users. See the help for the command options.

Auditing Highly Sensitive Applications and Database Files

You should also consider enabling application and database access audit where sensitive data can be changed or where sensitive data is stored. For example, a core HR application that contains employee information, or a core ERP application that stores credit card information should be audited. Once you have a list of sensitive application programs and database files you can use the Change Object Audit (CHGOBJAUD) command to enable auditing. Audit records are sent directly to the QAUDJRN security journal.

   CHGOBJAUD OBJ(PRODLIB/ORD001)
   OBJTYPE(*PGM) OBJAUD(*ALL)

For IFS Files and directories you can use the Change Audit (CHGAUD) command like this:

   CHGAUD OBJ(‘/mydirectory’)
   OBJAUD(*ALL) SUBTREE(*ALL)
   SYMLNK(*YES)

For more information on auditing privelaged users, applications, and database files, as well as more information on IBM i event logging and active monitoring, download our ebook "IBM i Security: Event Logging & Active Monitoring - A Step By Step Guide."
IBM i

Topics: System Logging, IBM i, Alliance LogAgent

New York Financial Regulations and the CISO. Oh My.

Posted by Patrick Townsend on Oct 24, 2016 10:43:52 AM

I’ve been spending some time digesting the proposed State of New York financial regulations that are due to go into effect in the new year. The new regulations are fairly prescriptive which has its good and bad points. But it is very clear that the regulators have had it with “opt out” security controls for banks. One of the areas of focus is on the role of the Chief Information Security Officer, or CISO. Let’s take a closer look at what the new regulation says about the CISO and what it means to your financial organization.

First, you have to have one of these.

eBook The Encryption Guide Larger national and global institutions already have someone filling the CISO role. This won’t be anything new for them. The CISO is responsible for the overall security policy and practices of their organization. I think this will be a larger challenge for smaller regional banks and credit unions. Much of their IT infrastructure is probably outsourced and they depend on a network of vendors and service providers to fill their security needs. So these folks are going to have to on-board someone to fill the CISO role. And the experienced CISO is in hot demand. Hiring a qualified individual will be a challenge.

See below for a suggestion on how you can tackle this problem with a virtual CISO.

Second, the CISO now has to report to the board of directors or the equivalent level in your organization at least twice a year. And the report has to include a fair amount of detail on the security posture of the organization! This is going to be a major shift in almost every financial institution, and is probably a big shock for many! Currently the CISO typically reports to the CEO or similar level of executive management. It is going to be an uncomfortable change for the CEO to let go of this direct report and have unfiltered information going straight to the board of directors.

Why did the State of New York demand this change? I am just guessing here, but way too often I’ve seen the recommendations of a CISO stifled at the CEO level. Business line managers have a hard time understanding the relative importance of investing in security when there are so many demands for resources. Line of business needs often pre-empt security needs. For this reason many large companies are failing to invest in the way they should. I think the State of New York decided that the CISO needs to provide information directly to the board to improve governance, risk management, and compliance. Yeah, that GRC thing.

Lastly, too many financial institutions treat security as a checkbox item, rather than as an ongoing adaptive process. Without a level of seriousness about cyber security in the organization the right things are not prioritized and security investments aren’t made. Making sure that a qualified security professional is in the driver’s seat should help financial institutions become more secure, and thus the data of their customers better protected. A CISO can push this agenda forward.

Smaller institutions will certainly have some difficulty in acquiring the talent needed to meet the CISO role. I suggest that you consider a Virtual CISO (yes, that is a thing) to fill this need for the short or long term. The timelines for the new regulation are very short and you will have to meet some requirements within six months and all of them within one year. That is a very short timeframe for any financial institution.

Here are just a few suggestions:

If you are an IBM i (AS/400, iSeries) shop, look to an expert on this platform to help you. One that I work with on a regular basis is Botz and Associates. I’ve worked with Patrick Botz for many years and he is a long-time advocate for approaching security as a business process, just as this regulation mandates. He was the head of security for the IBM i platform for many years and can help you with his new Virtual CISO service.

Another security firm that I’ve worked with is Coalfire. I’ve always been impressed with their ability to really understand our needs and become that trusted advisor that you need. They also have a Virtual CISO service to help you meet the new regulations, and you get a good security friend in the process.

Here is where you can find the proposed State of New York regulations, it is a pretty easy read.

Financial institutions and their service providers have a big challenge ahead and very tight deadlines. Time to get cracking!

Patrick
The Encryption Guide eBook

Topics: Compliance

IBM i FieldProc Architecture and Implementation

Posted by Luke Probasco on Oct 19, 2016 10:33:47 AM

Excerpt from the eBook "IBM i Encryption with FieldProc - Protecting Data at Rest."


FieldProc Architecture

IBM i Encryption with FieldProc FieldProc is a type of column-level exit point that is implemented directly in the DB2 database. As is typical with any of the other IBM exit points, IBM provides the architecture for the exit point to invoke a user application, but IBM does not provide that application. Customers or vendors can create a FieldProc application based on the documented architecture of the exit point. Townsend Security is one vendor who provides such software.

A note on terminology:
We will use the term “column” when referring to a field in a file, and we will use the term “table”
to refer to a physical file. For the purposes of discussing FieldProc these terms are interchangeable and we will use the more modern terms “column” and “table”. In a similar way we will use the term “index” to refer to a column that is either a primary or secondary key. A secondary key would include a key de ned in a logical file.

The exit point architecture is very simple. There are only two commands and three functions that are supported. The two commands are:

  • Start FieldProc
  • End FieldProc

The three functions that are handled by a FieldProc program are:

  • Initialization
  • Encode (Encrypt)
  • Decode (Decrypt)

When FieldProc is started on a column the FieldProc program is called for Initialization, and then called for each row in the table to provide for the encryption of the column. When FieldProc is ended the FieldProc program is called for each row to decrypt the data. All other normal read, change, and insert operations call the FieldProc program to provide for encryption or decryption as needed. FieldProc is not invoked for a delete operation on a row.

FieldProc Implementation

FieldProc is a SQL feature and is implemented through SQL commands. That is, FieldProc is not implemented through DDS, but only through SQL. Through SQL you create or alter a table to have the FIELDPROC attribute like this:

ALTER TABLE employee alter column
salary set FieldProc Userpgm

Likewise you can remove a FieldProc attribute using a SQL DROP statement like this:

ALTER TABLE employee alter column
salary Drop FieldProc

As noted above when you start FieldProc with the CREATE TABLE or ALTER TABLE commands, the effect is immediate. Starting FieldProc causes the FieldProc program to be called for each row in the table to perform encryption. Dropping the FieldProc attribute of a column causes the FieldProc program to be called for each row to decrypt the data.

Certain operations will cause FieldProc to be invoked even if the column data is not being used. For example, a legacy RPG program might read a file from beginning to end but not use a particular column that is under FieldProc control. Even though the column is not used in the RPG program FieldProc will be invoked to decrypt the value of the column for each row.

Note that a native SQL SELECT statement that does not include the encrypted column will NOT invoke FieldProc for decryption. Some work management operations are difficult with the current IBM implementation of FieldProc. For example, save and restore operations when the restore library is different than the save library can be problematic. Additionally, change management operations where there are changes to column attributes can be difficult to manage and require decrypting the database, applying the change, and then re-encrypting the database. These limitations are especially true in legacy RPG applications.

Supported Field (Column) Types

Most column types are support for FieldProc including character, numeric, date, time, and timestamp  fields. You can use FieldProc on null-capable  fields and double-byte character  fields. Some type of derived and counter  fields do not support FieldProc, but IBM i customers will  find that all normal application  fields are supported. With FieldProc there is no need to change the  eld size or attribute, nor is there any need to change or re-compile applications.

Legacy DDS Files

Many IBM i customers have the impression that legacy DDS  files will not support FieldProc encryption. This is not true! You can readily implement FieldProc encryption on  files created with DDS and it is not necessary to convert them to DDL and SQL tables. As IBM notes there are some advantages to doing so, but it is not necessary and the large majority of FieldProc users continue to use DDS  files. As noted above, you can only start and stop FieldProc using SQL commands, but these SQL commands work  ne on DDS-created  files.

Encrypting Multiple Fields in One File

DB2 FieldProc control can be started on multiple columns in one database table. Three is no practical limit on the number of columns you can select for FieldProc implementation. Of course, there are performance implications for encrypting multiple columns as the FieldProc program will be called independently for each column under FieldProc control. But many IBM i customers place multiple columns in a table under FieldProc encryption control. In some cases customers place hundreds of columns under FieldProc control. FieldProc’s support for multiple columns includes columns that are Primary or Secondary keys to the data. Please see the following sections for a discussion of limitations related to encrypted indexes and legacy RPG applications.

IBM i Encryption with FieldProc

Topics: IBM i, FIELDPROC

New York, Financial Institutions, and IBM i Encryption

Posted by Patrick Townsend on Oct 7, 2016 8:49:18 AM

New York State has finally had enough. Most people think that their bank has strong encryption in place to protect them from cyber criminals and nation-state actors. But that is too often just not the case. After a number of high profile data breaches at larger financial institutions, and a worrying increase in attacks on banks, the State of New York is about to require that banks implement some stringent security controls to protect Non-Public Information (NPI). The  new regulations are not a difficult read and you can find the proposed new regulations here.

Let’s take a look at some of the new requirements.

IBM i Encryption with FieldProc First, banks are required to develop a cyber security program. This means that there must be formal security processes in place, and appropriate management oversight. Banks are required to have systems and processes to identify threats, respond to them, and recover from an attack. The regulation also requires appropriate reporting of security events, something that is not always honored in today’s environment.

Next, banks are required to have a Cybersecurity Policy that addresses a number of areas related to information security, incident response, access controls, data privacy and other areas. If you are familiar with the Center for Internet Security Critical Security Controls or the NIST Cybersecurity Framework, these points will be familiar to you. As you might expect, a premium is placed on ongoing adaptive responses to new threats, so these frameworks are not a check-box response to the problem. Banks are being asked to step up to a new level of seriousness around IT security.

You also need a Chief Information Security Officer (CISO) position designated in your organization. And, interestingly, the CISO is required to report to the board of directors of the bank. I find this requirement interesting as it means that boards of directors cannot remain ignorant about the state of the bank’s IT security. And this means that it will have to become a part of the governance process of the board.

The new regulations now get down into the weeds about what you should be doing. Here are some of the areas:

  • Vulnerability and Penetration testing
  • Collect and archive system logs
  • Implement restricted access controls
  • Conduct risk assessments at least annually
  • Hire cybersecurity professionals and make sure they stay current on new threats
  • Require third parties to adhere to the same security rules as the bank
  • Use multi-factor authentication for internal and external access to NPI
  • Train and monitor all personnel with access to NPI (SIEM, anyone?)
  • Encrypt NPI
  • Develop and incident response plan

The requirement to deploy encryption is surprisingly strong. It is a mandate unless deploying encryption is unfeasible. Given the wide availability of encryption in all major operating systems and databases, I believe it will be difficult for a CISO to argue against the use of encryption. Clearly the regulators want banks to encrypt sensitive NPI data.

Who does the new rule affect?

The new rule affects any financial institution that is regulated by the New York Department of Financial Services. This will affect all national and global banking organizations as New York is one of the leading centers of global finance. It may also affect regional banks through the extension of the rules to affiliates. Regional and local banks should review their relationships with larger banks to try to understand their requirements under these new laws.

When does the new rules take effect?

The new rules take effect on January 1, 2017. In terms of time, that is very soon! And there is only a 180 day transition period. CISOs can request an extension, but these controls must be in place by January of 2018. That is a very aggressive timeframe!

How is the IBM i (AS/400, iSeries) affected?

Almost all large banks and financial institutions use the IBM i server somewhere in their organizations. The IBM i server is perfect for the back office applications that banks run and which need a very high level of availability. Many of the largest third party banking applications are deployed on IBM i servers.

But banks are going to face a big challenge with IBM i DB2 database encryption. The Non-Public Information that must be protected is often used for indexes in the DB2 database. While IBM DB2 supports column level encryption, it won’t work well RPG programs that use encrypted indexes. Here at Townsend Security we have a fix for this problem! By implementing an OAR-based SQL interface for RPG files we are removing the impediment that banks face with encryption on the IBM i server. You can read more here.

And you can get a quick look at how this helps in this short video: 

Patrick

Topics: Compliance, IBM i

System Logging for the IBM i - A Must Have Security Control

Posted by Patrick Townsend on Oct 5, 2016 7:49:48 AM

IBM i (AS/400, iSeries) customers now know that their systems are no more secure than any other. That is, they are just as much a target as any Windows or Linux server that exist in less secure network environments. This is not a criticism of the IBM i security implementation, it just reflects the fact that our IBM i servers are connected to a wide range of other devices including user PCs, network devices, local and WAN networks, and so forth. The attack surface is broad, IBM i servers are a rich target for data thieves, and we are all just one user PC infection away from an IBM i server data breach.

IBM i Security: Event Logging & Active Monitoring A lot of IBM i customers postpone deploying a system logging and SIEM solution to actively monitor for security threats, even though this is one of the most effective means of detecting and preventing a data breach. There is a reason that the Center for Internet Security recommends system log collection and monitoring with a SIEM solution as the 6th Critical Security Control. It just works really well when done properly.

I suspect that cost is one of the reasons that projects are postponed. This reasoning is “penny wise and pound foolish”. Here’s why:

  • There are now very cost effective log collection and SIEM monitoring solutions available for the smaller Enterprise. Some of these solutions are cloud-based and some can be deployed in VMware infrastructure. Cost is not as big an issue as it has been.
  • The failure to collect system logs means that it will be difficult to do the forensic investigation that you must do after a data breach. Imagine a costly data breach and then imagine not being able to figure out how the data thieves entered your system! All too often this means that a second and third data breach happens after the first. Without collecting system logs you won’t be able to deploy the forensics tools to trace the path of the cyber criminal through your organization. Another data breach is almost a certainty.
  • Early detection is one of the most effective means of preventing the data breach. This means large savings on outside security consultants, litigation costs, and the deployment of log collection and monitoring tools at inconvenient times. Early detection is a life-saver for those who can prevent a breach.
  • Log collection and SIEM monitoring solutions are easier to deploy than ever. While deploying an active monitoring system was complex and costly in the past, many SIEM solutions can be deployed and start working to protect your organization is just a matter of hours. Unlike in years past when SIEM solutions took weeks to install, configure and deploy, many are now extremely easy to setup and administer.

From a Governance, Risk Management and Compliance point of view deploying the CIS Critical Security Controls is a minimum requirement. Here is what the California Department of Justice said in this year’s data breach report under “Recommendations”:

“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Every senior executive in the modern organization understands that canceling the fire insurance policy on their headquarters building would be a bad idea. You would be one fire away from the end of your career. The same now holds true for IT security. Shareholders and the board of directors now understand that the failure to use reasonable measures to protect data assets is a fundamental failure of governance. Don’t be the executive who has to try to defend that failure!

Patrick

IBM i

Topics: System Logging, IBM i

The IBM i, OpenSSL and Security Patching

Posted by Patrick Townsend on Oct 4, 2016 1:31:14 PM

alert.pngOpenSSL is one of the most widely used cryptographic applications and libraries. A new group of security vulnerabilities have just been identified for OpenSSL and they need attention right away. IBM i (AS/400, iSeries) customers often feel isolated and protected from the security issues with OpenSSL, but this attitude can lead to trouble. IBM i customers need to monitor for vulnerabilities in OpenSSL and patch their IBM and third-party applications.

IBM uses the OpenSSL application in the Hardware Management Console, or HMC. The HMC is a highly privileged application that can manage many instances of IBM i logical partitions in a customer environment. You should carefully monitor security patches from IBM and apply them to your HMC. You can find IBM’s security alerts and notifications here.

On the IBM i platform itself you should be aware that the PASE environment includes the OpenSSL application. The PASE environment is an AIX emulation environment that is usually present on IBM i customer systems. Since PASE is an IBM licensed program you should apply Program Temporary Fixes (PTFs) to resolve issues with OpenSSL in PASE.

The IBM i no-charge OpenSSH licensed program also contains the OpenSSH application. However, the OpenSSH application does not use OpenSSL for session security. The primary use of OpenSSL in the OpenSSH application is for cryptographic functions. While this reduces the security threat, it does not eliminate it. You should update OpenSSH when they are PTF patches available.

The OpenSSL application is also found in the Linux-like environment of the QSHELL application in later versions of the IBM i operating system. If you use the Start QShell (STRQSH) command you can use the “type openssl” command to determine where it is located. You can view the version of OpenSSL with this command: “openssl version”. As in the above examples, be sure you apply PTFs when there are security notices for OpenSSL.

Lastly there are a number of third-party applications that embed the OpenSSL application. If these third-party applications are not using the IBM-provided OpenSSL libraries, you will need to contact those third party software providers to receive an update. Be sure you carefully review any third party application, open source application or free tool for the presence of OpenSSL. Any application that performs FTP data transfers, implements an inbound or outbound web service, or  communicates with an encryption key management server should be reviewed (see below for a statement about IBM i solutions from Townsend Security).

Here at Townsend Security we have several IBM i security applications that perform secure encrypted TLS connections. None of these applications use the OpenSSL application. Instead we use the native IBM i GSKit library for TLS session security which is configured using the IBM no-charge licensed Digital Certificate Manager (DCM) product. Our Alliance FTP Manager, Alliance AES/400 FieldProc encryption, Alliance Token Manager, Alliance Two Factor Authentication, and Alliance XML/400 solutions are not subject to the OpenSSL security vulnerabilities. Note that our Alliance FTP Manager solution uses the IBM OpenSSH application, so as mentioned above be sure to apply those OpenSSH security updates from IBM if you are using OpenSSH for transfers.

In addition to signing up for IBM i security alerts at the above web site, you can subscribe to US-CERT notifications here.

Hat tip to Alex Woodie for his article on IBM i OpenSSL vulnerabilities. You can find it here.

Patrick

IBM i Encryption with FieldProc

Topics: IBM i