
Page 1: Top Ten Security Vulnerabilities in z/OS & RACF Security

Top Ten Security Vulnerabilities in z/OS & RACF Security

1

Philip Emrich

Senior Professional Services Consultant

[email protected]

Page 2

©2016 Vanguard Integrity Professionals, Inc.

Legal Notice

Copyright

©2015 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard SecurityCenter for DB2

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University

2

Page 3

Trademarks

The following are trademarks or registered trademarks of the International Business Machines Corporation:

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

3

Page 4

About Vanguard: The Cybersecurity Experts

Founded: 1986 – 30 years of Securing Lives and Businesses

Business: Mature Enterprise – Cyber Security, Professional Services, Education and Customer Support

Customers: Large Enterprises with 1000+ employees

Markets: Financial, Insurance, HealthCare, Education, Transportation and Government Agencies

Manufacture: We manufacture and develop in the U.S.A. to ensure the highest standards of quality

Operate: Global company with a global customer base, serving diverse markets, providing long-term stability

HQ – Las Vegas, Nevada; R&D – Orange, California; Intl. HQ – United Kingdom

4

Page 5

Agenda

1. The Need for “Best Practices” for z/OS Security

This part introduces the need to assess z/OS systems for vulnerabilities and the reasons for doing regular vulnerability assessments.

2. Vanguard’s most Frequently Encountered Significant Exposures

This part covers the “Top Ten” Severe or High risk exposures most frequently encountered in the assessments of z/OS systems Vanguard has conducted for our clients.

3. Assessment and Remediation

This part discusses the overall assessment process and remediation of the exposures identified.

5

Page 6

The Issues

• Is your mainframe critical to your enterprise?

– Is it central to your Disaster Recovery Plan?

– Does it host mission critical applications and data?

– What would be the immediate and long term impact of a system outage?

The level of security controls for your mainframe must be sufficient for the criticality of the data and business processes hosted on it.

6

Page 7

The Issues

System z/OS® workloads are going UP in terms of data stored and transactions processed, NOT down. This is the opposite of the public or common perception.

If you have a z/OS system in your network, that is the “bank vault” – everything else is just an “ATM”.

7

Page 8

The Mainframe

Mainframe at 50: Why the mainframe keeps on going

For the past 50 years, the mainframe has been the technological workhorse enabling government policy and business processes.

In fact, 80% of the world's corporate data is still managed by mainframes.

In a video interview with Computer Weekly's Cliff Saran, IBM Hursley lab director Rob Lamb said the mainframe has kept up with the shifts in computing paradigms and application systems, such as the move to the web and mobile technology.

"The platform is continually reinventing itself to remain relevant for cloud and mobile computing and to be able to run the most popular application server packages," he said.

Yet while it appears to be middle-aged technology, in terms of reach it seems the mainframe touches almost everything in modern life, according to Lamb.

“If you are using a mobile application today that runs a transaction to check your bank balance or transfer money from one account to another, there is a four in five chance that there is a mainframe behind that transaction," he said.

And the amount of processing run on the mainframe dwarfs the internet giants. "Every second there are 6,900 tweets, 30,000 Facebook likes and 60,000 Google searches. But the CICS application server, which runs on the IBM mainframe, processes 1.1 million transactions per second – that's 100 billion transactions a day," he said.

IBM will be formally celebrating the 50th anniversary of the System/360 on 8 April 2014.

Source: Computer Weekly; Interview with Rob Lamb, IBM Hursley lab director, March 24, 2014

8

Page 9

Mainframe Survey of 350 CIOs

Global Survey Reveals Companies at Risk From Inadequate Planning for Generational Shift in Mainframe Stewardship

Key survey findings from 350 enterprise CIOs:

88% believe the mainframe will be a key business asset over the next decade

78% see the mainframe as a key enabler of innovation

70% are concerned about knowledge transfer and risk

39% have no explicit plans for addressing mainframe developer shortages

70% are surprised by how much additional work and money is required to ensure new platforms and applications match the security provided by the mainframe

DETROIT, June 10, 2015 (GLOBE NEWSWIRE) -- Compuware Corporation, the world's leading mainframe-dedicated software company, today released the findings from a survey of 350 CIOs regarding the use and management of mainframe hardware and software in the enterprise. The survey uncovered a profound disconnect between the continued importance of the mainframe to the business and the actions CIOs are taking to protect their investments in the platform.

Growing workloads, ongoing innovation

The survey makes it clear that CIOs see the mainframe playing a central role in the future of the digital enterprise. 88% agreed that the mainframe will continue to be a key business asset over the next decade, and 81% reported that their mainframes continue to evolve—running more new and different workloads than they did five years ago. In particular, survey respondents cited the advantages of the mainframe in processing Big Data.

The overwhelming majority of respondents also see mainframe code as valuable corporate intellectual property (89%) and see the mainframe as a key enabler of innovation (78%).

CIOs also see the mainframe as superior to other platforms from a cost/benefit perspective. 70% reported that they have been surprised by how much additional work and money is required to ensure new platforms and applications match the security provided by the mainframe.

Enterprises at risk

Despite the central role the mainframe continues to play in the digital enterprise, the survey reveals that inadequate investment in the mainframe is putting companies at risk in multiple ways. For example, while 75% of CIOs recognize that distributed application developers have little understanding of the mainframe and 70% are concerned that a lack of documentation will hinder knowledge transfer and create risk, 4 out of 10 have not put formal plans in place to address the coming generational shift in mainframe stewardship—as their most experienced platform professionals retire.

By the same token, advancement of mainframe applications ranked lowest on the survey when it came to allocation of human resources on the mainframe—despite the fact that respondents claimed to value those applications as key corporate IP.

The survey also revealed that the mainframe remains "siloed" from the rest of IT, even though CIOs also recognize the increasing importance of utilizing the mainframe in concert with other enterprise IT resources.

Source: Nasdaq GlobeNewswire, Compuware Corporation, June 10, 2015

9

Page 10

The Situation

• While most IT security teams tend to lump mainframe systems into the category of legacy systems unnecessary or impossible to scrutinize during regular audits, that couldn't be farther from the truth.

• I see them described as legacy all the time: 'Oh, we don't need to implement this policy because it's a legacy system.' Calling a mainframe legacy is like calling Windows 2012 Server legacy because parts of the Windows NT kernel are still in the code. Or it's like calling my car legacy because it's still got tires.

• A website was released with a number of tools to aid with the hacking of a mainframe, including VERY SPECIFIC mainframe vulnerabilities (ACEE zapper, USS elevated permission code, TN3270 sniffers) - https://github.com/mainframed

Source: Mainframes: The Past will Come Back to Haunt You, Philip Young, aka Soldier of Fortran

10

Page 11

The Logica and Nordea Hack

• Pirate Bay co-founder Gottfrid Svartholm Warg was charged with hacking the IBM mainframe of Logica, a Swedish IT firm that provided tax services to the Swedish government, and the IBM mainframe of the Swedish Nordea bank, according to the Swedish public prosecutor Henrik Olin.

• A large amount of data from companies and agencies was taken during the hack, according to Olin, including a large amount of personal data, such as personal identity numbers of people with protected identities.

• Only one of the attempts to transfer money from eight Nordea bank accounts succeeded, according to Olin. The intruders managed to do that by hacking the mainframe that was located in Sweden.

• They attempted to steal over $900K from Nordea customers' accounts.

11

Page 12

Cost of a Data Breach

2015 Cost of Data Breach Study: Global Analysis. Part 1: Introduction

2014 will be remembered for such highly publicized mega breaches as Sony Pictures Entertainment and JPMorgan Chase & Co. Sony suffered a major online attack that resulted in employees’ personal data and corporate correspondence being leaked. The JPMorgan Chase & Co. data breach affected 76 million households and seven million small businesses.

IBM and Ponemon Institute are pleased to release the 2015 Cost of Data Breach Study: Global Analysis. According to our research, the average total cost of a data breach for the 350 companies participating in this research increased from 3.52 to $3.79 million [2]. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.

In the past, senior executives and boards of directors may have been complacent about the risks posed by data breaches and cyber attacks. However, there is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives to pay greater attention to the security practices of their organizations.

In a recent Ponemon Institute study, 79 percent of C-level US and UK executives surveyed say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical. As evidence, CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank will invest $250 million and have a staff of 1,000 committed to IT security. [3]

For the second year, our study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in our research, we believe we can predict the probability of a data breach based on two factors: how many records were lost or stolen and the company’s industry. According to the findings, organizations in Brazil and France are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 350 companies representing the following 11 countries participated: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (United Arab Emirates and Saudi Arabia) and, for the first time, Canada. All participating organizations experienced a data breach ranging from a low of approximately 2,200 to slightly more than 101,000 compromised records [4]. We define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

[1] This report is dated in the year of publication rather than the fieldwork completion date. Please note that the majority of data breach incidents studied in the current report happened in the 2014 calendar year.

[2] Local currencies were converted to U.S. dollars.

[3] New JPMorgan Chase Breach Details Emerge by Mathew J. Schwartz, Bankinfosecurity.com, August 29, 2014

[4] The terms “cost per compromised record” and “per capita cost” have equivalent meaning in this report.

Source: Ponemon Institute® Research Report, May, 2015

12

Page 13

Business Realities

The Need to Implement Security “Best Practices”

Information Security Compliance is a top organizational initiative – Laws, Regulations, and Standards require validation of proper implementation of IT internal controls.

– IT Internal Control failures threaten the organization’s image and can carry heavy fines and even executive management imprisonment.

– Cyber-crime activities are a serious threat and companies are expected to implement all reasonable measures to prevent successful attacks.

– Outside auditors can and do issue sanctions that restrict core business activities based on IT security risks identified in their audits.

Bottom Line: The Information Security organization must be proactive in its efforts to implement and maintain Security “Best Practices” in the enterprise.

13

Page 14

Origins of “Best Practices”

• Objective Sources:

  • HIPAA (1996) & HITECH Act 2009

  • Gramm-Leach-Bliley Act – 1999 (GLBA)

    – Financial Privacy Rule

    – Safeguards Rule

  • Sarbanes-Oxley Act of 2002 (SOX)

    – Section 404: Assessment of internal control

  • PCI-DSS (Payment Card Industry - Data Security Standard) https://www.pcisecuritystandards.org

    – PCI Standards & Documents

    – Documents Library

  • ISO/IEC 27001 - Information security management standard

14

Page 15

Origins of “Best Practices”

• Objective Sources:

  • DOD DISA STIGs

    – Defense Information Systems Agency Security Technical Implementation Guides http://iase.disa.mil/stigs

  • NIST (National Institute of Standards and Technology)

    – co-hosts with DHS (Department of Homeland Security)

    – security configuration checklists on the National Vulnerability Database https://web.nvd.nist.gov/view/ncp/repository

    – Target Product: IBM OS390

15

Page 16

Regulatory Compliance

The identified security issues present risk to regulatory / industry compliance standards depending on the data present within the assessed system.

Compliance Challenges:

PCI DSS – Payment Card Industry Data Security Standard

GLBA – Gramm-Leach-Bliley Act

NIST – National Institute of Standards and Technology

STIG – Security Technical Implementation Guides

HIPAA – Health Insurance Portability and Accountability Act

HITECH – Health Information Technology for Economic and Clinical Health

FISCAM – Federal Information System Controls Audit Manual

SOX – Sarbanes-Oxley Act

16

Page 17

Origins of “Best Practices”

• Subjective Source:

  • Vanguard Best Practices

    – Professional Services Consultants with an average of 30+ years' experience

    – Based on our technical understanding of z/OS and key Subsystem software

    – Related to risks and exposures identified in hundreds of Security Assessments conducted over more than 20 years

    – Each Security Assessment involves several hundred tests

    – New assessment tests added as required

17

Page 18

Vanguard's Assessment Process

• Analysis of hundreds of Assessments

  – Private firms across numerous industries

  – Various governmental agencies:

    • Federal

    • State

    • Local

  – Totaling over 1800 Individual Findings

  – Over 300 unique Findings

  – Correlated to regulations or compliance requirements

  – Categorized by Severity and Remediation effort

18

Page 19

Vanguard’s Exposure Severity Rating

• SEVERE (needs immediate remediation)

  – Immediate unauthorized access into a system

  – Elevated authorities or attributes

  – Cause system wide outages

  – The ability to violate IBM’s Integrity Statement

• HIGH (needs remediation in the near future)

  – Vulnerabilities that provide a high potential of disclosing sensitive or confidential data

  – Cause a major sub-system outage

  – Assignment of excessive access to resources

• MEDIUM (needs a plan for remediation within a reasonable period)

  – Vulnerabilities that provide information and/or access that could potentially lead to compromise

  – The inability to produce necessary audit trails

• LOW (should be remediated when time and resources permit)

  – Implementation or configuration issues that have the possibility of degrading performance and/or security administration

19

Page 20

Vulnerability Assessment Findings

Scope: Vanguard’s Top Ten z/OS Risks Identified in Client Security Assessments

1. Excessive Number of User IDs with No Password Interval

2. Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)

3. Sensitive Data Sets with UACC Greater than NONE

4. Critical Data Set Profiles with UACC Greater than READ

5. Started Task IDs are not Defined as PROTECTED IDs

6. Improper Use or Lack of UNIXPRIV Profiles

7. Excessive Access to the SMF Data Sets

8. Excessive Access to APF Libraries

9, 10 (the slide graphic does not show which is which): RACF Database is not Adequately Protected; Excessive Access to z/OS UNIX File System Data Sets

Data collected from hundreds of security assessments performed by Vanguard Integrity Professionals.

20

Page 21

“Top Ten” Assessment Finding #1

Finding: Excessive Number of User IDs with No Password Interval

Explanation: User IDs with no password interval are not required to change their passwords.

Risk: SEVERE - Since passwords do not need to be changed periodically, people who knew a password for an ID could still access that ID even if they are no longer authorized users.

Recommended Best Practice and Remediation: Review each of the personal user profiles to determine why they require NOINTERVAL. Their passwords should adhere to the company policy regarding password changes. If the user ID is being used for started tasks or as a surrogate, it should be reviewed and changed to PROTECTED. If the user ID is being used for an off-platform process, then review controls for where the passwords are stored and consider converting to usage of digital certificates or other alternatives.

21

Page 22

“Top Ten” Assessment Finding #2

Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)

Explanation: User IDs with z/OS UNIX superuser authority, UID(0), have full access to all UNIX directories and files and full authority to administer z/OS UNIX.

Risk: SEVERE - Since the UNIX environment is the z/OS portal for critical applications such as file transfers, Web applications, and TCPIP connectivity to the network in general, the ability of these superusers to accidentally or maliciously affect these operations is a serious threat. No personal user IDs should be defined with an OMVS segment specifying UID(0).

Recommended Best Practice and Remediation: The assignment of UID(0) authority should be minimized by managing superuser privileges through access to one or more of the ‘BPX.qualifier’ profiles in the FACILITY class or access to one or more profiles in the UNIXPRIV class, for both personal user IDs and IDs associated with started tasks for which UID(0) is not required.

22

Page 23

“Top Ten” Assessment Finding #3

Finding: Sensitive Data Sets with UACC Greater than NONE

Explanation: The UACC value for a dataset profile defines the default level of access for any user whose user ID, or a group to which it is connected, does not appear in the access list.

Risk: SEVERE – Sensitive data sets that are protected by a RACF profile with a UACC greater than NONE allow most users with system access to read or modify these data sets. In addition, users may be able to delete any data set covered by a dataset profile that has a UACC of ALTER.

Recommended Best Practice and Remediation: Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets through the UACC.

23

Page 24

“Top Ten” Assessment Finding #4

Finding: Critical Data Sets with UACC Greater than READ

Explanation: The UACC value for a dataset profile defines the default level of access for any user whose user ID, or a group to which it is connected, does not appear in the access list.

Risk: HIGH – Critical data sets that are protected by a RACF profile with a UACC greater than READ will allow most users with system access the ability to modify the data residing in these data sets. In addition, users may be able to delete any data set covered by a dataset profile that has a UACC of ALTER.

Recommended Best Practice and Remediation: Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with greater than READ access, and then issue appropriate PERMIT commands based on the review of the SMF data.

24

Page 25

“Top Ten” Assessment Finding #5

Finding: Started Task IDs are not Defined as PROTECTED IDs

Explanation: User IDs associated with started tasks should be defined as PROTECTED, which exempts them from revocation due to inactivity or excessive invalid password attempts and prevents them from being used to sign on to any application.

Risk: HIGH - RACF will allow the user ID to be used for the started task even if it has become revoked, but some started tasks may either submit jobs to the internal reader that will fail or may issue a RACROUTE REQUEST=VERIFY macro for the user ID that will also fail.

Recommended Best Practice and Remediation: Review all started task user IDs that are not protected. Determine if the user IDs are used for any other function that might require a password. Define the started task user IDs as PROTECTED for those tasks that do not require a password.

25
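Findings #1, #2 and #5 are all answered by the same pass over the user profiles: a personal ID with NOINTERVAL, a personal ID with an OMVS segment specifying UID(0), and a started-task ID that is not PROTECTED. The Python below is an added example, not code from the presentation or from Vanguard. Its record layout, the PERSONAL/STC tag and the sample user IDs are constructed for illustration and do not follow the IRRDBU00 unload format; a real review would feed it from LISTUSER output or a database unload. The RACF commands in the remediation strings (PASSWORD ... INTERVAL, ALTUSER ... NOPASSWORD NOPHRASE, ALTUSER ... OMVS(UID(...))) are standard RACF syntax, and the angle-bracketed values are site-specific placeholders.

```python
"""Review RACF user profiles for the conditions behind Findings #1, #2 and #5.

Added example, not code from the presentation or from Vanguard. The record
layout is a constructed, simplified summary of LISTUSER-style attributes;
it is not the IRRDBU00 unload format, and the sample profiles are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class UserProfile:
    userid: str
    kind: str                    # constructed tag: "PERSONAL" or "STC" (started task)
    protected: bool              # PROTECTED attribute (NOPASSWORD NOPHRASE NOOIDCARD)
    pwd_interval: Optional[int]  # password change interval in days; None = NOINTERVAL
    uid: Optional[int] = None    # OMVS UID; None when the ID has no OMVS segment


@dataclass
class Finding:
    number: int       # Vanguard "Top Ten" finding number
    severity: str
    userid: str
    detail: str
    remediation: str  # RACF command or action; <...> marks a site-specific value


def review_users(users: List[UserProfile]) -> List[Finding]:
    """One Finding per user per condition, in user order, then finding order."""
    findings: List[Finding] = []
    for u in users:
        # Finding #1: a personal ID whose password never expires. PROTECTED IDs are
        # excluded because they have no password at all, so there is nothing to age.
        if u.kind == "PERSONAL" and not u.protected and u.pwd_interval is None:
            findings.append(Finding(
                1, "SEVERE", u.userid, "personal user ID has NOINTERVAL",
                f"PASSWORD USER({u.userid}) INTERVAL(<policy days>)"))
        # Finding #2: a personal ID holding z/OS UNIX superuser authority.
        if u.kind == "PERSONAL" and u.uid == 0:
            findings.append(Finding(
                2, "SEVERE", u.userid, "personal user ID has an OMVS segment with UID(0)",
                f"ALTUSER {u.userid} OMVS(UID(<unique non-zero uid>)); grant the needed "
                "functions through UNIXPRIV or BPX.* FACILITY profiles instead"))
        # Finding #5: a started-task ID that still carries a password, so it can be
        # revoked by inactivity or bad attempts, or used to sign on interactively.
        if u.kind == "STC" and not u.protected:
            findings.append(Finding(
                5, "HIGH", u.userid, "started task user ID is not PROTECTED",
                f"ALTUSER {u.userid} NOPASSWORD NOPHRASE"))
    return findings


# Constructed sample profiles; the user IDs are made up.
SAMPLE_USERS = [
    UserProfile("ALICE",   "PERSONAL", protected=False, pwd_interval=30, uid=1001),
    UserProfile("BOB",     "PERSONAL", protected=False, pwd_interval=None, uid=0),
    UserProfile("STCWEB",  "STC",      protected=False, pwd_interval=None, uid=0),
    UserProfile("STCDUMP", "STC",      protected=True,  pwd_interval=None),
]


def finding_summary(users: List[UserProfile]) -> List[Tuple[int, str]]:
    """(finding number, user ID) pairs, the shape an assessment report needs."""
    return [(f.number, f.userid) for f in review_users(users)]


if __name__ == "__main__":
    for f in review_users(SAMPLE_USERS):
        print(f"#{f.number} {f.severity:6} {f.userid:8} {f.detail}")
        print(f"    remediation: {f.remediation}")
```

On the sample data BOB is reported under both #1 and #2 and STCWEB under #5. STCWEB also has UID(0) but is not reported under #2, because the slide states that rule for personal IDs; it still belongs on the review list called for by the remediation text of #2 and #6, since a started task only needs UID(0) when no UNIXPRIV or BPX.* profile covers what it does.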

Page 26

“Top Ten” Assessment Finding #6

Finding: Improper Use or Lack of UNIXPRIV Profiles

Explanation: The UNIXPRIV class resource rules are designed to give a limited subset of the superuser UID(0) capability. When implemented properly, UNIXPRIV profiles can significantly reduce unnecessary requests for assignment of UID(0) to user IDs.

Risk: HIGH - Without UNIXPRIV profiles defined, administrator IDs would require superuser ability through the assignment of UID(0) or access to the BPX.SUPERUSER profile in the FACILITY class. The ability of these superusers to accidentally or maliciously affect the operation of your z/OS UNIX system environment is a serious threat.

Recommended Best Practice and Remediation: Review the activity of the users that are currently defined as superusers to determine if granular profiles may be defined in the UNIXPRIV class that will authorize their activity. Refine the access list and define more granular profiles based upon the superuser functions that the users with UID(0) need.

26

Page 27: Top Ten Security Vulnerabilities in z/OS & RACF Security Vanguard Top Ten Sec… · continued importance of the mainframe to the business and the actions CIOs are taking to protect

©2016 Vanguard Integrity Professionals, Inc.

“Top Ten” Assessment Finding #7

Excessive Access to SMF Data Sets

Explanation: SMF data collection is the system activity journaling facility of z/OS. With the proper parameter specifications it provides an audit trail of system activity and also serves as the basis for individual user accountability.

Risk: HIGH - The ability to READ SMF data enables someone to identify potential opportunities to breach your security. If UPDATE or higher access is granted, a risk of audit log corruption exists. Appropriate access control for the unloaded (dumped) data is also critical to ensure a valid chain of custody.

Recommended Best Practice and Remediation: Ensure that access authority to the SMF collection data sets is limited to the appropriate systems programming staff and/or the batch jobs that perform SMF dump processing, and ensure that any UPDATE or higher access is logged.


“Top Ten” Assessment Finding #8

Excessive Access to APF Libraries

Explanation: Authorized Program Facility (APF) libraries are an integral part of the z/OS architecture for maintaining the integrity of the z/OS operating system environment. Programs loaded from APF-authorized libraries can execute with the authority of z/OS itself, so the ability to modify these libraries must be strictly controlled.

Risk: SEVERE - UPDATE or higher access to an APF library allows an individual to place an authorized program in it that can bypass security controls and execute privileged instructions. UPDATE or higher access should be limited to senior systems support staff.

Recommended Best Practice and Remediation: Review the protection of all APF libraries. Each APF library should be protected by a RACF profile that covers only APF libraries, e.g. a fully qualified generic profile, so that no non-APF data set shares its access list. Remove or change inappropriate access list entries and ensure that all UPDATE activity is logged to SMF.


“Top Ten” Assessment Finding #9

Excessive Access to z/OS UNIX File System Data Sets

Explanation: For the z/OS UNIX environment there are z/OS data sets that contain operating system components and data sets that contain HFS or zFS file systems with application system and user data. All of these UNIX file system data sets require proper protection in RACF to enforce the desired access controls; the permission bits and ACLs on the files inside a file system do not protect the data set that holds it.

Risk: HIGH - Anyone who has at least READ access to a z/OS UNIX file system data set can make a copy of it and possibly view the contents of the z/OS UNIX files it contains, bypassing the UNIX file permissions.

Recommended Best Practice and Remediation: Determine which users and started tasks have a legitimate need to access the z/OS UNIX file system data sets. Then create profiles with appropriate access lists and set the UACC value of these profiles to NONE.


“Top Ten” Assessment Finding #10

RACF Database is not Adequately Protected

Explanation: The RACF database contains extremely sensitive security information. No direct access to the RACF database data sets is required for normal administration activities using either RACF commands or the RACF-provided ISPF panels; both reach the database through RACF itself, not through data set access.

Risk: SEVERE - Any user who has READ access to the RACF database or any backup copy could make a copy, run a password cracker against it offline to recover passwords for user IDs, and obtain a complete list of user IDs and protected resources.

Recommended Best Practice and Remediation: Review the protection of the RACF database and any backup copies and remove every access list entry granting access higher than NONE, other than to senior RACF administrators and the system staff responsible for running the RACF database utilities.
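Findings #7, #8, #9 and #10 all come down to the same remediation, a DATASET profile with a UACC of NONE (READ for APF libraries), a short access list and logging, differing only in who legitimately needs access and what is logged. The job below, an added example that is not part of the Vanguard deck, applies all four in one place. Every data set name, group and user ID in it is an assumption for this site; the real names come from the operator displays D SMF and D PROG,APF, from the BPXPRMxx MOUNT statements and from the RACF command RVARY LIST. It also assumes SETROPTS GENERIC(DATASET) is active and that SYS1, SMF and OMVS are defined RACF groups, which generic DATASET profiles require.

```jcl
//DSPROT   JOB (ACCT),'PROTECT SYSTEM DSNS',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*------------------------------------------------------------------*
//* Added example, not from the Vanguard deck. Applies the data set  *
//* remediation for Findings #7 (SMF), #8 (APF), #9 (z/OS UNIX file  *
//* systems) and #10 (RACF database) in one job. Every data set,     *
//* group and user name here is an assumption; take the real names   *
//* from D SMF and D PROG,APF (operator commands), BPXPRMxx MOUNT    *
//* statements and the RACF command RVARY LIST. Assumes SETROPTS     *
//* GENERIC(DATASET) is active and that SYS1, SMF and OMVS are       *
//* defined RACF groups, which generic DATASET profiles require.     *
//*------------------------------------------------------------------*
//* #7 SMF: recording data sets (SYS1.MANx) and the dumped copies.   *
//*   Only the dump job writes; READ stays with systems programming  *
//*   and the auditors; every successful UPDATE and every failure    *
//*   is logged.                                                     *
//SMF      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD  'SYS1.MAN*' UACC(NONE) +
         AUDIT(FAILURES(READ) SUCCESS(UPDATE)) NOTIFY(SECADMIN)
  PERMIT 'SYS1.MAN*' ID(SMFDUMP) ACCESS(UPDATE)
  PERMIT 'SYS1.MAN*' ID(SYSPROG) ACCESS(READ)
  ADDSD  'SMF.DUMP.**' UACC(NONE) +
         AUDIT(FAILURES(READ) SUCCESS(UPDATE))
  PERMIT 'SMF.DUMP.**' ID(SMFDUMP) ACCESS(ALTER)
  PERMIT 'SMF.DUMP.**' ID(SECAUDIT) ACCESS(READ)
/*
//* #8 APF: one fully qualified generic profile per library, so no   *
//*   non-APF data set shares its access list. Programs must be      *
//*   fetchable, hence UACC(READ); UPDATE is limited to systems      *
//*   programming and every successful UPDATE is logged to SMF.      *
//APF      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD  'SYS1.LINKLIB' GENERIC UACC(READ) +
         AUDIT(FAILURES(READ) SUCCESS(UPDATE)) NOTIFY(SECADMIN)
  PERMIT 'SYS1.LINKLIB' GENERIC ID(SYSPROG) ACCESS(UPDATE)
  ADDSD  'SYS1.SITE.APFLIB' GENERIC UACC(READ) +
         AUDIT(FAILURES(READ) SUCCESS(UPDATE)) NOTIFY(SECADMIN)
  PERMIT 'SYS1.SITE.APFLIB' GENERIC ID(SYSPROG) ACCESS(UPDATE)
/*
//* #9 z/OS UNIX: the HFS/zFS container data sets. Permission bits   *
//*   and ACLs inside a file system do not protect the data set, so  *
//*   UACC(NONE) with access only for the mounting address spaces    *
//*   (OMVSKERN, ZFS; unnecessary but harmless if they run TRUSTED)  *
//*   and storage administration.                                    *
//OMVS     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD  'OMVS.**' UACC(NONE) AUDIT(FAILURES(READ)) NOTIFY(SECADMIN)
  PERMIT 'OMVS.**' ID(OMVSKERN) ACCESS(ALTER)
  PERMIT 'OMVS.**' ID(ZFS) ACCESS(ALTER)
  PERMIT 'OMVS.**' ID(STGADMIN) ACCESS(ALTER)
/*
//* #10 RACF database: primary, backup and any offline copies. Only  *
//*   the RACF utilities and the staff who run them need access;     *
//*   RACF commands and panels do not read the data set directly.    *
//*   Log every access, successful or not.                           *
//RACFDB   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD  'SYS1.RACFPRIM' GENERIC UACC(NONE) AUDIT(ALL(READ)) +
         NOTIFY(SECADMIN)
  ADDSD  'SYS1.RACFBKUP' GENERIC UACC(NONE) AUDIT(ALL(READ)) +
         NOTIFY(SECADMIN)
  ADDSD  'SYS1.RACF.COPY.**' UACC(NONE) AUDIT(ALL(READ)) +
         NOTIFY(SECADMIN)
  PERMIT 'SYS1.RACFPRIM' GENERIC ID(RACFUTIL) ACCESS(UPDATE)
  PERMIT 'SYS1.RACFBKUP' GENERIC ID(RACFUTIL) ACCESS(UPDATE)
  PERMIT 'SYS1.RACF.COPY.**' ID(RACFUTIL) ACCESS(ALTER)
  SETROPTS GENERIC(DATASET) REFRESH
/*
```

Two checks after the job runs. First, ADDSD places the user ID that issued it on the new profile's access list with ALTER; list each profile with LISTDSD DATASET('...') GENERIC AUTHUSER and remove that entry unless the issuer is one of the intended users. Second, a new generic profile is only as good as its reach: LISTDSD DATASET('...') GENERIC DSNS shows which cataloged data sets each profile actually covers, which is how you confirm that the APF profiles cover nothing but APF libraries and that no pre-existing, more specific profile with a looser access list still wins for one of the data sets.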


2016 Top Ten z/OS Vulnerabilities

Each percentage is the share of the more than 200 environments Vanguard has assessed in the last 8 years in which this configuration error was found.

Found in  Finding                                                          Severity
74%       Excessive Number of User IDs with no Password Interval           SEVERE
60%       Inappropriate Usage of z/OS UNIX Superuser Privilege, UID(0)     SEVERE
54%       Sensitive Data Set Profiles with UACC Greater than NONE          SEVERE
54%       Critical Data Set Profiles with UACC Greater than READ           HIGH
53%       Started Task IDs are not Defined as PROTECTED IDs                HIGH
52%       Improper Use or Lack of UNIXPRIV Profiles                        HIGH
44%       Excessive Access to the SMF Data Sets                            HIGH
42%       Excessive Access to APF Libraries                                SEVERE
42%       Excessive Access to z/OS UNIX File System Data Sets              HIGH
40%       RACF Database is not Adequately Protected                        SEVERE


2015 Top Ten z/OS Vulnerabilities

Each percentage is the share of the more than 200 environments Vanguard has assessed in the last 8 years in which this configuration error was found.

Found in  Finding                                                          Severity
73%       Excessive Number of User IDs with no Password Interval           SEVERE
60%       Inappropriate Usage of z/OS UNIX Superuser Privilege, UID(0)     SEVERE
52%       Sensitive Data Set Profiles with UACC Greater than NONE          SEVERE
52%       Critical Data Set Profiles with UACC Greater than READ           HIGH
51%       Started Task IDs are not Defined as PROTECTED IDs                HIGH
51%       Improper Use or Lack of UNIXPRIV Profiles                        HIGH
40%       RACF Database is not Adequately Protected                        SEVERE
39%       Excessive Access to APF Libraries                                SEVERE
38%       General Resource Profiles in WARN Mode                           SEVERE
33%       Production Batch Jobs have Excessive Resource Access             SEVERE


Vulnerability Assessment Objectives

Ensure effective security control implementation

Assess security configuration settings which could create exposure conditions

Remediate exposures to improve the existing level of security

Improve the security posture on z/OS


Vulnerability Assessment Process

1. Data Collection: the data needed to assess the environment is collected.

2. Data Analysis: the collected data is analyzed for any potential vulnerabilities.

3. Report: the consultant creates a findings report and discusses the findings and recommendations with the customer.

4. Remediation: the Vanguard consultant explains the results of the data analysis and provides remediation advice.


Conclusion

Questions?


Thank You!


For more information, please visit:

http://www.go2vanguard.com

[email protected]
