1. Castle Walls Under Digital Siege:
Risk-based Security and z/OS
Kevin Segreti, Union Bank of California
Jeff Cherrington, CA Technologies (@jcherrington)
Mainframe
MFT09S
#CAWorld
2. 2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Abstract
The mainframe remains the most securable platform in the data center. However, like those of medieval castles, its walls are no longer impregnable. Learn more about how applying risk-based security to z/OS helps you anticipate attacks and compromises before they occur, so you can enhance the walls of protection around your mission-critical data.
Kevin Segreti, Assistant Vice President, Union Bank of California
Jeff Cherrington, Sr. Director, Mainframe Security, CA Technologies
3. Agenda
  1. WHAT DO CASTLES HAVE TO DO WITH THE MAINFRAME?
  2. ARMS RACE – CIRCA THE MIDDLE AGES
  3. SAPPERS AND SOCIAL ENGINEERING
  4. WHY THE NORDEA HACK IS THE MAINFRAME GUNPOWDER
  5. PROTECTING YOUR CASTLE – A RISK-BASED APPROACH
  6. QUESTION & ANSWER
4. How History Bears on Protecting the Mainframe Today
“Those who cannot remember the past are doomed to repeat it.” George Santayana
“A smart [person] learns from their own mistakes; a wise [person] learns from the mistakes of others.” Paraphrased from Anonymous
“Only a fool learns from his own mistakes. The wise [person] learns from the mistakes of others.” Otto von Bismarck
5. Comparing Castles and Mainframes
Purpose: Accumulation of Wealth
  Castle: Centralized repository for the most valuable assets of the day
  Mainframe: Centralized repository of the critical assets that define an enterprise’s value
Purpose: Administration
  Castle: Focal point for information aggregation, focus for analysis of gathered intelligence for decision making
  Mainframe: Focal point for information aggregation, focus for analysis of gathered intelligence for decision making
Purpose: Protection
  Castle: Progressively more sophisticated architecture protecting against progressively more sophisticated attacks
  Mainframe: Progressively more sophisticated architecture protecting against progressively more sophisticated attacks
6. What Can the History of Castle Technology Tell Us About Managing the Mainframe
The arms race did not originate in the 20th century.
Castle fortifications, and the counters attackers developed to overcome them, replicate the last 50 years of the mainframe in many ways.
Learning from that history offers direction for the future of the mainframe.
7. The Beginning – Walls and a Single Gate…
Earliest Mainframe: Isolated in the glass house with physical access control
Earliest Castles: Forts – a single wall with a guarded gate
© International Business Machines Corporation (IBM)
8. Some Direct Correlations
Mainframe: CA ACF2 and, later, IBM RACF and CA Top Secret set the standard for “gate-keeping” of electronic resources.
Castles: Still required entry and exit of people, requiring guards at the gates.
9. Earliest Attacks – Bluntest of Forces
Mainframe: Forcing entry onto the network gave access to the console.
Castles: Rams battered the gates and, once down, the castle was open.
10. Escalation – Higher, Thicker Walls Lead to More Sophisticated Engineering of Attacks
Castle builders reinforced gates, heightened and thickened walls…
Attackers devised more sophisticated means of brute force
11. What’s a Sapper?
Direct brute force was not the only or, sometimes, even the most effective means for opening a breach in the castle wall.
Soldiers – miners, really – called “sappers” tunneled beneath the walls to weaken their foundations.
12. Social Engineers are Mainframe “Sappers”
The precise mechanics of large-scale breaches seldom come to light fully or quickly.
Still, some report or speculate that social engineering to obtain credentials lies at the root of recent major breaches.
Data source: informationisbeautiful.net
13. Social Engineers Tunnel Underneath Mainframe Protections
Mainframe external security managers offer no greater protection against social engineering than other IAMs
Once a privileged account is compromised, the foundation of all protections is destroyed
14. Some Direct Correlations
Mainframe: As connectivity increased, we surrounded the mainframe with firewalls.
Castles: Once walls alone were not enough, moats were added.
[Figure: a stateful packet inspection firewall between the Internet and a home network. Replies to requests made by a computer on the home network are delivered; traffic that no computer on the home network requested is dropped.]
15. Gunpowder Changed Everything
The advent of gunpowder reduced the cost of attack, while increasing its efficiency
Even the mightiest castle could no longer be considered impregnable
16. How the Nordea Hack is the Mainframe’s Gunpowder
Even the mightiest castle could no longer be considered impregnable…
Pirate Bay co-founder Gottfrid Svartholm Warg was charged with hacking the IBM mainframe of Logica, a Swedish IT firm that provided tax services to the Swedish government, and the IBM mainframe of the Swedish Nordea bank, the Swedish public prosecutor said.
"This is the biggest investigation into data intrusion ever performed in Sweden," said public prosecutor Henrik Olin.
Besides Svartholm Warg, the prosecution charged three other Swedish citizens.
17. What Do These People Have in Common?
18. Protection of Mainframe Assets Must Be a Risk-based Approach
Matching Tools To Threats
Threat of data breach – data-centric protection supplementing user and resource management
Threat of network attack – increased perimeter defenses and more frequent penetration testing
Threat of compromised privileged user accounts
– Event-driven alerts for sensitive transactions
– Frequent, automated analysis of user activity
– Additional authentication factors
19. Protecting Castles’ Contents Changed
Focus shifted from solely keeping attackers out to identifying attackers before they arrived
Identifying attacks before they occur required new strategies, techniques, and tools…
20. Recommended Sessions
SESSION # | TITLE | DATE/TIME
Tech Talk | Isn’t one authentication mechanism on z Systems™ enough? | 11/18 – 4:30pm, Mainframe Content Center
Mainframe Theater | Panel Discussion: Is Complacency Around Mainframe Security a Disaster Waiting to Happen? | 11/18 – 3:45pm, Mainframe Theater
Tech Talk | The Known Unknown – Finding lost, abandoned, and hidden regulated data on the Mainframe | 11/19 – 12:15pm, Mainframe Content Center
MFX26S | How to Increase User Accountability by Eliminating the Default User in Unix System Services | 11/19 – 1:00pm, Breakers I
MFX47S | Top 10 things you should NOT forget when evaluating your security implementation | 11/19 – 2:00pm, Breakers I
21. Follow Conversations in the Mainframe Content Center
CA Data Content Discovery
CA ACF2 ™ for z/OS
CA Top Secret® for z/OS
CA Cleanup
CA Auditor
Product X
Theater # location
Advanced Authentication – Nov 18th @ 4:30pm
The Known Unknown – Nov 19th @ 12:15pm
22. Q & A
23. For Informational Purposes Only
Terms of this Presentation
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA
World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer
references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights
and/or obligations of CA or its licensees under any existing or future license agreement or services agreement relating to any CA software
product; or (ii) amend any product documentation or specifications for any CA software product. This presentation is based on current
information and resource allocations as of November 18, 2015, and is subject to change or withdrawal by CA at any time without notice. The
development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in
this presentation, CA may make such release available to new licensees in the form of a regularly scheduled major product release. Such
release may be made available to licensees of the product who are active subscribers to CA maintenance and support, on a when and if-available basis. The information in this presentation is not deemed to be incorporated into any contract.
24. For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15