SRC Secure Solutions bv

Author: Asher Nichols
SRC Secure Solutions bv

Agenda
• Welcome
• Ian Taylor – PKWARE
• Ruud Goudriaan – ING
• Lionel Gross – ABN AMRO Bank
• Peter Croes – IBM
• Shmuel Zailer – Raz-Lee
• Ronald Rietveld – ABN Amro Bank
• Coffee
• Consultant Olympic
• Fred Wijshoff – KPMG
• Ronald van Erven – Timeos
• Piet Munsterman – SRC
• Drinks and networking

IBM i – is it secure?  The AS/400
• In 1988 we didn't (all) use the Internet
• Twinax terminal access
• Tapes and diskettes
• SNA
• Secure value-added networks
• A proprietary system with a proprietary database
• "Closed"

IBM i – is it secure?  The IBM i
• An "open" system
• Internet protocols as standard
• Networked, often connected to the Internet
• DB2, SQL, FTP, ODBC, etc.
• An open system with an open database
• Still has an integral security infrastructure…

IBM i – is it secure?  The IBM i
Securing it requires:
• Expertise
• Monitoring
• Alerting
• Reporting
• Remediation
• Management!

So what’s the problem?

IBM i – is it secure?  The expertise
• Is 'getting on a bit'
• Is leaving
• Is being automated
The delusion
• It is secure
• It is not connected to the Internet
• Hackers do not 'know' the IBM i
• The data is not interesting to hackers

Ways to hack the IBM i
• Network services: Telnet, FTP, HTTP, SMTP, POP3, LDAP
• QSHELL/PASE
• Ops Nav (iSeries Navigator), Client Access
• IFS, ATTN key, REXX
• Adopted authority, REXEC, DDM, SQL, RMTCMD
• Removable media: tapes, CD-ROMs, DVDs, USB sticks, etc.

Recommended books
• Hacking iSeries by Shalom Carmel, ISBN 1-4196-2501-2
• IBM i Security Administration & Compliance by Carol Woodbury, ISBN 978-1-58347-373-3

Deep Dive Training, September 23 – 26
• Training by Carol Woodbury
• Former IBM iSeries Security Architect
• World-renowned security consultant and author
• Founder of SkyView Partners
• Suitable for IBM i auditors, ICT managers, project managers, security officers, developers, operations managers, etc.

Thank you

Ruud Goudriaan, ING Bank – How banks are dependent on a secure internet
How banks are dependent on a secure internet: organised crime vs financial institutions
Ruud Goudriaan - April 2013


Content
• Short history of Information Security
• Operational Risk Management
• Development of the Internet
• Banks & Internet: no way back
• Cybercrime: attacks
  – Motives
  – Victims and criminals
  – Cyber Theft Ring (FBI)
  – Internet banking threats: phishing attack
• Cybercrime: analysis
  – How serious is it?
  – How bad can it get?
  – What can we do?
  – Dutch National Cyber Security Strategy (NCSS)
  – Organisation National Cyber Security
  – Informatieknooppunt Cybercrime
  – What should be the security approach?

Information Security Definition
Information Security (source: Wikipedia): the total set of preventive, detective, repressive and corrective measures (including procedures and processes) that guarantee the availability, confidentiality and integrity of all forms of data within an organisation or company, with the aim of preserving the continuity of information and information handling, and of restricting potential security incidents to an acceptable, previously determined level.
In other words: 100% security is unattainable!


Short history of Information Security
Encoding messages in wartime:
• Egypt: hieroglyphs
• Sweden: runic writing, Stone of Rök
• Romans: alphabetic substitution
• Napoleon: optical telegraph
• Germany, WW II: Enigma machine
• Cryptography: DEA (DES), RSA, AES, SHA-3 (2012)
Illustrations: Stone of Rök; cipher disk (1466); optical telegraph; Enigma (1919, WW II). Source of illustrations: Detlev Simons.

Operational Risk Management
The trade-off (figure): Business ↔ Risk / Impact ↔ Cost, with Security/Fraud and IT/Continuity as the contributing functions.
The business managers assess the cost-risk trade-off. The IT, Continuity, Security & Fraud managers provide cost-effective security measures.
Operational Risk Management enables the organisation and the business to manage its business risks (cost/risk trade-off). Based on ISO 27000 and BS 25999.

Development of the Internet
Internet design principle: an interrupted connection triggers a new connection (traffic is rerouted).
• 1960s – Military communication network – ARPA
• Development of a university network – NSF
• Current Internet managed by ICANN (Internet Corporation for Assigned Names and Numbers)
• 1990 – World Wide Web protocol
• Now: > 2 billion users:
  – Informative: online databases, Google
  – Social: Hyves, Facebook, MSN, etc.
  – Electronic commerce/services: shopping, banking, government

E-mail & SPAM
SPAM: junk e-mail, unsolicited bulk e-mail
• 101 billion SPAM messages daily (Commtouch*, 2011)
• 200,000 new 'zombie PCs' daily (25% in India)
• More than 90% of incoming e-mails are SPAM (caught by SPAM filters)

E-mail SPAM by topic*:
  Pharmacy       31%
  Replica        14%
  Enhancers      14%
  Dating         12%
  Phishing        6%
  419 fraud       7%
  Weight loss     4%
  Pornography     4%

*) "Q1 2011 Internet threat trends report", Commtouch Software Ltd., http://www.commtouch.com/threat-report-january-2012/

Banks & Internet: no way back
Banks migrated from offices to Internet banking:
• ATMs replace the bank counter
• Internet banking instead of forms and cash
• Online investments and mortgage handling
Internet services cannot be discontinued: a huge opportunity for organised crime to commit 'milking attacks'.

Cybercrime: Motives
Cybercrime: any crime involving a computer/network
• Grabosky: Virtual Criminality – old wine in new bottles
• Motives of criminals: generate income, power, revenge, rivalry, etc.
• Two types of computer crime:
  – Direct attack on computer/network: computer viruses, denial of service, malware
  – Misuse of computer/network: cyber stalking, fraud, identity theft, information warfare, phishing, Nigerian scam (419 fraud)

Cybercrime: Victims and Criminals
Globalisation of cybercrime via the Internet
• Millions of potential victims
  – Via e-mail using spam, viruses and malware
  – Via social networks using social engineering
• Increasing number of potential criminals
  – Low risk of being caught by operating from countries without extradition treaties
  – Partial criminal solutions offered via the Internet: malware, botnets, money mules, etc.

Cybercrime: Cyber Theft Ring (FBI)*
(Figure: FBI cyber theft ring graphic, April 2011)
*) 10-01-2010: cooperation between US, UK, NL and Ukrainian law enforcement and intelligence services. http://www.fbi.gov/news/stories/2010/october/cyber-banking-fraud/cyber-banking-fraud-graphic

Internet banking threats
Criminal organisation vs internet banking:
• Malware developed and sold via eBay
• Malware infects PCs, e.g. with the Zeus Trojan (botnet)
• Bank-related log-on data collected and sold
• Dedicated social engineering to direct the customer to a false website and acquire authorisation
• Fraudulent funds transfers via money mules to beneficiary accounts abroad
Sources: FBI Cyber Theft Ring and article by Peter Olsthoorn (Webwereld)

Cybercrime: Analysis


Cybercrime: How serious is it?
Recent hacker attacks:
• Anonymous:
  – Payback: DDoS on Sony
  – PlayStation: hack of the PlayStation Network and theft of credit card numbers
  – Assange: anti-WikiLeaks action triggered DDoS on Amazon, PayPal, MasterCard, Visa and the Swiss bank PostFinance
• Conspiracy Rings of Fire:
  – Rabobank: DDoS on internet banking
• DigiNotar:
  – Fraudulent issuing of SSL certificates, compromised CA
• Internet banking:
  – Continuously improved attacks: milking type

Cybercrime: How bad can it get?
Fox-IT, Ronald Prins: "... many vital infrastructures can be digitally intruded and damaged: drinking water utilities, electricity suppliers, dike protection…"
• KLPD/Fox-IT: take-down of the criminal botnet 'Bredolab' (2010)
• China: GhostNet for commercial espionage (103 countries)
• Israel: Stuxnet computer worm against Iran (cyber warfare)
Positions:
• A private PC cannot be protected from malware
• A company server cannot be protected from a DDoS attack

Cybercrime: What can we do?
Awareness websites
• NVB website Veilig Bankieren: http://www.3xkloppen.nl/nl/ and http://www.veiligbankieren.nl/nl/
• Getsafeonline: http://www.getsafeonline.org/ – public/private UK website supported by government, multinationals, etc.
Public/private cooperation
• Informatieknooppunt Cybercrime, CPNI (until 1-1-11: NICC): ISAC, FI-ISAC, http://www.cpni.nl/cpni

Dutch National Cyber Security Strategy
NCSS: Minister Opstelten (V&J), Tweede Kamer 22-02-2011
• Public–private approach:
  – Cyber Security Board
  – Strategy
  – National Cyber Security Centrum (NCSC)
  – Knowledge sharing
• Integral threat and risk analyses
• Improve protection against cyber threats
• Enlarge effective response capacity
• Strengthen the chain of tracking and prosecution
• Budget harmonisation public/private/scientific
First initiative: 'Banking team' to fight digital criminality, by KLPD, Landelijk Parket and the banks

Organisation National Cyber Security
Cooperation to fight cybercrime:
• CPNI.nl (1), including IKC (2) and ISACs (3)
• GOVCERT.NL, part of the international CSIRTs (4)
• GOVCERT.NL participates in FIRST (5), EGC (6) and IWWN (7)
• NCSC – Cyber Security Beeld Nederland 2012: https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/trendrapporten/cybersecuritybeeld-nederland.html

1) CPNI.nl = Centre for Protection of the National Infrastructure: http://www.cpni.nl/cpni
2) IKC = Informatie Knooppunt Cybercrime: http://www.cpni.nl/informatieknooppunt/informatieknooppunt-cybercrime
3) ISAC = Information Sharing & Analysis Centre; FI-ISAC = Financial Institutions ISAC
4) CSIRT = Computer Security and Incident Response Teams
5) FIRST = Forum of Incident Response and Security Teams
6) EGC = European Government CERTs
7) IWWN = International Watch and Warning Network

Informatieknooppunt Cybercrime
'Flower petal model' [Bloemblaadjesmodel]
• NICC, part of CPNI.NL
• Cooperation public/private
• Exchange of incidents / threats
• FI-ISAC*, part of NICC
*) Financial Institutions – Information Sharing and Analysis Centre

What do banks do now?
Dutch banks: fraud in internet banking cannot be avoided.
• Continuously be prepared for social engineering
• Approach: 'fraud detection' = reactive, because of the unsafe customer PC
Cat-and-mouse game with organised crime:
• Cybercrime Monitoring & Investigation Service (CMIS++) of Fox-IT and RSA
• Participation in FI-ISAC, part of GOVCERT
• Contact with internet banking experts in other banks
• Temporarily lower day limits, stop cross-border payments or internet banking
• Delaying the execution of internet banking transactions
• Accelerated implementation of security patches
Fraud is considered a 'cost of doing business'
• There is 'no way back'

What should be the security approach?
What works:
• Detection + Notice & Takedown (Fox-IT + GovCERTs)
• Tracking down botnets (Rustock botnet, March 2011)
What could help:
• The customer verifies the internet site of a company or government
  – Mutual authentication: individual certificate/token
  – Combined with mutual challenge-response
• Provide the customer with a boot disk/USB for the private PC:
  – Only log on to authentic websites of banks, companies and government, independent of possible malware on the PC
  – Examples: a German bank, products like IronKey (https://www.ironkey.com/)
• Other possibilities???
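The mutual challenge-response the slide proposes can be sketched concretely. The following Python is an added example and not code from the presentation or from any bank: it assumes a per-customer secret K shared between the bank and a customer token (hypothetically the boot-USB or hardware token mentioned above), and uses HMAC-SHA256 proofs over both sides' fresh nonces. The customer IDs, the secret and the "PhishingSite" stand-in are constructed for the example.

```python
"""Mutual challenge-response between a bank site and a customer token.

Added example (not code from the presentation). A per-customer secret K is
shared between the bank and the customer's token (hypothetically, a hardware
token or a boot-USB the bank provisions). Each side must prove knowledge of K
over the OTHER side's fresh nonce before the customer logs on, so a phishing
site without K cannot pass the customer's check, and a recorded bank proof
cannot be replayed against a later session.
"""
import hashlib
import hmac
import os

# Distinct direction tags stop a proof for one direction being replayed as the
# other (reflection attack).
TAG_BANK = b"bank->customer"
TAG_CUSTOMER = b"customer->bank"


def prove(key: bytes, tag: bytes, nonce_c: bytes, nonce_b: bytes) -> bytes:
    """HMAC-SHA256 over the tagged transcript (tag || customer nonce || bank nonce)."""
    return hmac.new(key, tag + nonce_c + nonce_b, hashlib.sha256).digest()


class CustomerToken:
    def __init__(self, key: bytes):
        self._key = key
        self._nonce_c = None

    def start(self) -> bytes:
        """Step 1: customer sends a fresh 128-bit nonce."""
        self._nonce_c = os.urandom(16)
        return self._nonce_c

    def check_bank_and_answer(self, nonce_b: bytes, bank_proof: bytes):
        """Step 3: verify the bank's proof; answer only if it is genuine."""
        expected = prove(self._key, TAG_BANK, self._nonce_c, nonce_b)
        if not hmac.compare_digest(expected, bank_proof):
            return None  # site could not prove K: refuse to log on
        return prove(self._key, TAG_CUSTOMER, self._nonce_c, nonce_b)


class BankServer:
    def __init__(self, customer_keys: dict):
        self._keys = customer_keys
        self._pending = {}  # customer_id -> (nonce_c, nonce_b) awaiting step 4

    def challenge(self, customer_id: str, nonce_c: bytes):
        """Step 2: bank answers with its own nonce and a proof over both nonces."""
        nonce_b = os.urandom(16)
        self._pending[customer_id] = (nonce_c, nonce_b)
        return nonce_b, prove(self._keys[customer_id], TAG_BANK, nonce_c, nonce_b)

    def finish(self, customer_id: str, customer_proof: bytes) -> bool:
        """Step 4: bank verifies the customer's proof; each challenge is single-use."""
        nonce_c, nonce_b = self._pending.pop(customer_id)
        expected = prove(self._keys[customer_id], TAG_CUSTOMER, nonce_c, nonce_b)
        return hmac.compare_digest(expected, customer_proof)


class PhishingSite:
    """A look-alike site that does not hold K and can only guess the proof."""

    def challenge(self, customer_id: str, nonce_c: bytes):
        return os.urandom(16), os.urandom(32)

    def finish(self, customer_id: str, customer_proof: bytes) -> bool:
        return True  # never reached: the token refuses before this step


def run_logon(site, token: CustomerToken, customer_id: str = "cust-0001") -> bool:
    nonce_c = token.start()
    nonce_b, bank_proof = site.challenge(customer_id, nonce_c)
    answer = token.check_bank_and_answer(nonce_b, bank_proof)
    if answer is None:
        return False
    return site.finish(customer_id, answer)


def replay_is_rejected(key: bytes) -> bool:
    """Record a genuine bank proof, then replay it to the token in a new session."""
    bank = BankServer({"cust-0001": key})
    token = CustomerToken(key)
    nonce_b, bank_proof = bank.challenge("cust-0001", token.start())
    token.check_bank_and_answer(nonce_b, bank_proof)   # genuine session
    token.start()                                      # new session, new nonce_c
    return token.check_bank_and_answer(nonce_b, bank_proof) is None


def demo():
    """Returns (genuine logon ok, phishing logon ok, replay rejected)."""
    # Constructed per-customer secret; a real deployment provisions this on the token.
    key = hashlib.sha256(b"demo per-customer secret").digest()
    genuine = run_logon(BankServer({"cust-0001": key}), CustomerToken(key))
    phished = run_logon(PhishingSite(), CustomerToken(key))
    return genuine, phished, replay_is_rejected(key)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The point the slide makes is visible in the second result: the look-alike site never sees a customer proof, because the token refuses at step 3. What this does not solve is malware on the PC that waits until the genuine session is established and then alters the transaction, which is why the slide pairs it with a clean boot medium.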


Thank you

Shmuel Zailer, Raz-Lee How to manage Security and Compliance on the IBM i

iSecurity Overview: Security & Compliance for Today & Beyond Shmuel Zailer, CEO/CTO [email protected]

About Raz-Lee Security

• Internationally renowned IBM i solutions provider
• Founded in 1983, 100% focused on IBM i
• Corporate offices in: US, Italy, Germany, Israel
• Installed in over 35 countries, more than 12,000 licenses
• IBM Business Partner, Integration Partner with Tivoli and Q1 Labs
• Partnerships with other major global security providers:
  – Official partnership with RSA enVision, GFI SIEM, HP OpenView
  – OEM by Imperva SecureSphere
  – Proven integration with ArcSight, CA Unicenter, Splunk, Juniper…
• Worldwide distribution network

Raz-Lee Security – Mission & Product Lines Raz-Lee’s Mission To provide the best and most comprehensive IBM i compliance, auditing and security solutions

• Infrastructure Security: network access, QAUDJRN monitor and report, user profile management and object authorities, automatic tracking of software changes, native object security, anti virus protection, all the above with multi-LPAR management capabilities

• Application Security: DB activity (journal) auditing, Cross-Application business item reporting with real-time alerting, Business Intelligence over transaction data, screen recording…

• System tools: File editor, RPG/COBOL and interactive access to MS SQL, Oracle, MySQL, Excel,…

Raz-Lee’s Global Distribution Network

Selected iSecurity Customers

Some 2011 Customers TAIKO HEALTH INFO AG SOUTHERN WINE & SPIRITS BALLY TOTAL FITNESS WYOMING MACHINERY WILLIAM ADAMS BUTLER MACHINERY CATS ECOMMERCE FOLEY EQUIPMENT COMPANY CAPITAL AVESCO SANDS BETHLEHEM CASINO PANASONIC EXCEL STAFF SANYO ELECTRIC LOGISTICS

Some Banking Customers KUNDINKASSO FORENINGSSPARBANKE RISONA BANK BURAJIRU BANK SVENSKA HANDELSBANKEN-LUXEMB. MIZUHO CORPORATE BANK MIZUHO BANK ROYAL BANK OF SCOTLAND NUEVO BANCO DE SANTA FE KINKI OSAKA BANK BANK OF CHINA VENTURE BANK BANCO DI SARDEGNA FIRST GLOBAL BANK KANSAI URBAN BANK HSH-NORDBANK

iSecurity: Selected Customers • CHS (Community Health Systems, US) appx. 150 LPARs, replaced Powertech

• Royal Bank of Scotland purchased iSecurity after POCs of nearly ALL competitors!

• Venetian Casinos (multi-national) purchased iSecurity following extensive compliance POC.

• Euronet Worldwide banking clearinghouse in Europe & Asia, replaced competitor with iSecurity.

• Svenska Handelsbanken, one of the largest banks in Scandinavia, used competitor for several years; replaced it with iSecurity.

• Unicredit (IT Austria), SkyTV, IKO Industries, JPMorgan Chase, Boyd Gaming, Bank of China, MasterCard, Avis

iSecurity - Characteristics

• Full GUI and green screen - short learning curve, ease of use • Visualizer Business Intelligence analysis • Hundreds of built-in, customizable reports. Report/Query Generator and Scheduler produces print, screen, HTML, PDF, CSV e-mailed reports.

• Wizards, Real Time/Periodical, Alerts. All done on IBM i • Sends SYSLOG, SNMP, Twitter, e-mail, messages

• Cross-enterprise reporting, definitions, logs • Exceptional performance on all sizes of systems • Unique products: Capture, Change/PTF Tracker, DB-Gate, Anti-Virus • The most comprehensive IBM i security suite, with on-going product development

Reports for Large Systems

• Report/Query Generator: HTML, PDF, CSV and Excel reports by e-mail (in addition to output via screen, print, GUI and OUTFILE)

• Each field includes field description, values and their description, allows selection of possible values

• Filter by EQ, NE, GT… LIST, LIKE, START, ITEM (in an external table) with And/Or conditions

• In AP-Journal also DIFGT, DIFLT… DIF%GT, DIF%LT… (difference between After and Before values in numbers and percentage)

• Report includes Explanation to auditor, Systems included in the report, Statistics…

• Can be observed by Visualizer for analysis • Fully featured Report Scheduler

Consolidated report correlating information from all LPARs, up to last minute Note last 5 minutes and system parameters

Integrated Business Intelligence

• Intuitive multi-level filtering
• Use summary data for online inspection
• Drill down to LOG events

Multi-System Support in iSecurity
• Replication: user profiles & passwords, system values, product definitions/rules
• Reporting: reports on all LPARs from any single LPAR in real time
• Compliance: compare compliance scores of systems
• Real-time reaction to security breaches: sends SYSLOG, SNMP, Twitter, e-mail, messages, … with edited messages or fields

iSecurity Products Overview (security breach management decision support; compliance: PCI, HIPAA, SOX…)

Auditing
• Audit QAUDJRN, status…
• Real-time actions, CL scripts
• Capture screen activity
• Central admin of multiple LPARs & systems
• User profile replication
• Change/PTF Tracker

Protection
• Firewall: FTP, ODBC, … access
• Obtain Authority on Demand
• Monitor CL commands
• Native object security
• Anti-virus protection

Databases
• DB-Gate: SQL to non-DB2 DBs (Oracle, MS SQL, …)
• AP-Journal for DB audit, filter, archive, real-time alerts
• View/hide sensitive data
• FileScope secured file editor

Evaluation
• Security Assessment (FREE!)
• Compliance Evaluator for SOX, PCI, HIPAA…
• Visualizer BI for security
• Syslog, SNMP for SIEM

Compliance Report with Score for 2 Systems (screenshots: summary and detailed)

Major iSecurity Products: Firewall, Audit, AP-Journal Firewall - Provides total protection of ALL company’s critical files, libraries, etc. from network intrusions, viruses, and unauthorized usage.

Audit – Enables easy auditing of ALL company’s critical files, users, jobs, objects, etc. Includes more than 200 built-in, customizable reports which can be scheduled to run at pre-set dates and times.

AP-Journal – Powerful, unique application security: • includes real-time threshold-activated alerts per application fields • changes to business-critical data are highlighted • displays both “before” and “after” data images • generates cross-application timeline reports of all data changes/updates • also monitors and reports on READ access to fields

AP-Journal Examples (for banking/financial)
• Provide the customer with a timeline report showing the MORTGAGE history of the last 5 years, including only the important information.
• Send e-mail, SMS, SNMP, SYSLOG or Twitter when the INTEREST_RATE changes by more than 0.2%.
• Who modified PAYMENTS between 20:00 and 06:00 or during the corporate summer vacation?
• When did the tariff for overseas transactions change?
• Which users who are not managers viewed the confidential PAYMENT_TERMS table since the last business day?
• What changes to the bank's production libraries were made via non-application-specific utilities (SOX mandated) such as IBM DFU?
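The questions above are all predicates over journal entries that carry before and after row images. The following Python is an added example, not Raz-Lee code: it evaluates four such rules over constructed journal records. The record layout (seq, ts, user, tool, table, type, before, after), the table and field names (LOANS, INTEREST_RATE, PAYMENTS, PAYMENT_TERMS), the "tool" attribute used to spot DFU and the MANAGERS group are assumptions made for the example; real journal entries carry more fields. The DIF%GT-style threshold is computed as relative change; an absolute-difference variant (DIFGT) would compare abs(after - before) instead.

```python
"""Threshold, off-hours and READ-access alerts over journal before/after images.

Added example, not Raz-Lee code: it shows the kind of rules the AP-Journal
slides describe, evaluated over CONSTRUCTED journal records. The record layout
(seq, ts, user, tool, table, type, before, after) is an assumption made for
this example; real journal entries carry more fields.
"""
from datetime import datetime, time

# Constructed sample entries. type 'UP' = update with before/after row images,
# 'RD' = read of a row (READ auditing logged alongside the changes).
JOURNAL = [
    {"seq": 1, "ts": "2013-04-15T09:12:00", "user": "JSMITH", "tool": "APP",
     "table": "LOANS", "type": "UP",
     "before": {"LOAN_ID": 77, "INTEREST_RATE": 4.000},
     "after": {"LOAN_ID": 77, "INTEREST_RATE": 4.005}},
    {"seq": 2, "ts": "2013-04-15T09:13:00", "user": "JSMITH", "tool": "APP",
     "table": "LOANS", "type": "UP",
     "before": {"LOAN_ID": 78, "INTEREST_RATE": 4.000},
     "after": {"LOAN_ID": 78, "INTEREST_RATE": 4.050}},
    {"seq": 3, "ts": "2013-04-15T22:41:00", "user": "OPER1", "tool": "DFU",
     "table": "PAYMENTS", "type": "UP",
     "before": {"PAY_ID": 5, "AMOUNT": 1200.00},
     "after": {"PAY_ID": 5, "AMOUNT": 1020.00}},
    {"seq": 4, "ts": "2013-04-15T14:05:00", "user": "MGR01", "tool": "APP",
     "table": "PAYMENT_TERMS", "type": "RD",
     "before": None, "after": {"CUST": 9, "TERMS": "NET30"}},
    {"seq": 5, "ts": "2013-04-15T14:06:00", "user": "TEMP07", "tool": "APP",
     "table": "PAYMENT_TERMS", "type": "RD",
     "before": None, "after": {"CUST": 9, "TERMS": "NET30"}},
]
MANAGERS = {"MGR01"}  # constructed group membership


def pct_change(before: float, after: float) -> float:
    """Relative change in percent (the DIF%GT/DIF%LT idea); 0 -> non-zero counts as infinite."""
    if before == 0:
        return float("inf") if after != 0 else 0.0
    return abs(after - before) / abs(before) * 100.0


def rule_pct_threshold(table, field, pct):
    """Alert when FIELD moves by more than PCT percent between before and after images."""
    def check(e):
        if e["type"] != "UP" or e["table"] != table:
            return None
        b, a = e["before"][field], e["after"][field]
        change = pct_change(b, a)
        return f"{field} {b} -> {a} ({change:.3f}% > {pct}%)" if change > pct else None
    return check


def rule_off_hours(table, start=time(20, 0), end=time(6, 0)):
    """Alert on updates inside a window that wraps midnight (20:00-06:00 by default)."""
    def check(e):
        if e["type"] != "UP" or e["table"] != table:
            return None
        t = datetime.fromisoformat(e["ts"]).time()
        return f"{table} modified off-hours at {t:%H:%M}" if (t >= start or t < end) else None
    return check


def rule_read_outside_group(table, group):
    """Alert when someone outside GROUP reads a row of TABLE (PCI-style READ auditing)."""
    def check(e):
        if e["type"] == "RD" and e["table"] == table and e["user"] not in group:
            return f"{table} read by non-manager {e['user']}"
        return None
    return check


def rule_tool(tool):
    """Alert on updates made with a generic utility (e.g. DFU) instead of the application."""
    def check(e):
        if e["type"] == "UP" and e["tool"] == tool:
            return f"{e['table']} changed via {tool}, outside the application"
        return None
    return check


RULES = [
    rule_pct_threshold("LOANS", "INTEREST_RATE", 0.2),
    rule_off_hours("PAYMENTS"),
    rule_read_outside_group("PAYMENT_TERMS", MANAGERS),
    rule_tool("DFU"),
]


def evaluate(entries, rules):
    """Run every rule over every entry; return the alerts in journal order."""
    alerts = []
    for e in entries:
        for rule in rules:
            msg = rule(e)
            if msg:
                alerts.append({"seq": e["seq"], "ts": e["ts"], "user": e["user"], "alert": msg})
    return alerts


if __name__ == "__main__":
    for a in evaluate(JOURNAL, RULES):
        print(a["seq"], a["ts"], a["user"], a["alert"])
```

Note that entry 1 (a 0.125% move) stays silent while entry 2 (1.25%) fires, and that entry 3 produces two alerts (off-hours and DFU), which is what you want: the alert stream is then a feed for the SYSLOG/SNMP actions the product slides describe rather than a single verdict.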

AP-Journal Technical Overview (architecture diagram)
Components shown: application databases DB1, DB2, DB3; journal and journal receivers; DB reads; processing of receivers in real time (or at night); containers; long-time storage for critical data; business items; alert before / alert after; reporting system with output to screen, e-mail & HTML, and print-out.

AP-Journal - Unique Application Security
• React in real time
  – Message, e-mail, SMS, Syslog, Twitter, CL script
  – For irregular activity or as an application extension (SMS the customer when the order is ready)
• Interconnect applications (no programming), time based:
  – Order history (items, payments, claims, …)
  – Mortgage history (borrowers, guarantors, real estate, payments)
  – Special support for Misys, JDE…
• Bidirectional data conversion between external and internal data
  – All outputs and inputs are in standard "human" format; all internal representations follow the system logic
  – Converts the internal date representation to the external "human" format
  – Supports adding/omitting the decimal point based on the actual currency
• Controls READ access (PCI requirement)
  – Who read the credit card number (xxxx-xxxx-xxxx-xxxx)
  – Which credit cards were displayed on a certain user's screen

iSecurity Audit: Information Sources
Inputs:
• OS/400 objects: users, authorities, objects, scheduled jobs, etc.
• QAUDJRN (i5/OS) receivers
• Current activity: active jobs, system status, shared pools
• Message queues: QSYSOPR and any other message queue
Processing: filtered data → log, alert via Action.
Outputs: SIEM support (Syslog, SNMP); Report Generator & Visualizer: screen, GUI, PDF, HTML (by e-mail).

Real-Time Alert handling in iSecurity
Sources that issue real-time alerts via iSecurity Action:
• QAUDJRN (Audit)
• Network security (Firewall)
• Critical OS messages (QSYSOPR/QSYSMSG)
• Database journals (AP-Journal)
• Authority changes (Authority on Demand)
Actions:
• Execute CL scripts
• Send e-mail
• Write to MSGQ
• Write to SYSLOG
• Send SMS, SNMP, Twitter, etc.

GUI enables simultaneously managing same subject on several LPARs Note comparison of User Profiles on 2 systems

Over the web single console (e.g. Twitter) Note Alert Message options and message as received in Twitter

DB-Gate: runs SQL 6 times faster for non-i database access (on RL's test system)
• Standard SQL access to MS SQL, Oracle, MySQL, Excel, CSV and other data sources
• Standard SQL statements, no APIs
• Native SQL integration with RPG, COBOL, C (/EXEC SQL)
• Works interactively from Start SQL (STRSQL)
• Integrates with IBM Host Server authentication
• No need for *SQLPKG even when accessing another IBM i

Interactive SQL (STRSQL) on the IBM i against a remote database:

    > SELECT * FROM PROD.CUST
    > CREATE VIEW CORPDATA.MANAGERS AS SELECT LASTNAME, DEPT FROM CORP.EM WHERE JOB = 'MANAGER'
    > DELETE FROM PROD.CUST WHERE ID = 78
    ===> ________________________________

Embedded SQL in fixed-form RPG (COBOL and C are similar):

    *...1....+....2....+....3...
    C/EXEC SQL
    C+ DECLARE C1 CURSOR FOR
    C+ SELECT * FROM CORPDATA.DEPT
    C+ WHERE JOB = 'MANAGER'
    C/END-EXEC

Target databases: Oracle, MS SQL, MySQL, SQLite, PostgreSQL, Sybase, Excel, CSV and more…

Change Tracker
• Tracks all software changes with NO human intervention – totally "foolproof". Your auditors will love it.
• Tracks in real time, relying on actual updates to production libraries
• Tracks programs, modules, files and other object types, including source and attributes
• Have a CMS (Change Management System)? Change Tracker will record activities made outside the CMS
• No CMS? Change Tracker satisfies all your auditor's requirements
• Ideal for medium-small shops, essential for large enterprises

Change Tracker

PTF Tracker
• Automatically tracks all PTF activities: apply, remove, current status
• Detailed information on the PTF (ID, licensed product, release level), the transaction (what, when, by whom) and all the objects installed by the PTF (name, type, modules)
• Classifies PTF data into site-specific products such as "Upgrade to TR5"
• Built-in, customizable reports and report generator for on-screen, *PRINT and e-mailed HTML, PDF, CSV output
• Multi-LPAR / multi-site reporting

PTF Tracker

AP-Journal

• Audit trail of all database and application activity including accesses • Focused on “before/after” changes to critical business items which may span multiple applications (Load Number, Order Number, etc.)

• Extends existing applications with additional application functionality without programming!

• Real-time alerts when data changes by more/less than pre-defined percentage or numeric thresholds

• Timeline history of changes to business items, e.g. all changes to a Mortgage

AP-Journal

Thank You! Visit us at www.razlee.com [email protected]

Thank you

Ronald Rietveld – ABN AMRO Bank: Auditing an IBM i – from an auditor's point of view

Thank you

Ian Taylor, PKWARE The importance of data encryption

The Importance of Data Encryption

April, 2013


About PKWARE Invented the ZIP Standard Over 30,000 customers in Banking, Financial Services, Healthcare, Retail, Government We help companies eliminate risk and cost of security breaches and reduce cost of processing, moving and storing data in physical, virtual and cloud environments.


Business Challenges


The Business Value We Deliver Reduce costs related to data Improve data center performance metrics Manage issues related to governance, risk and compliance


Information Security


Information Security: Early Days
• Data was protected in a "glass house"
• Physical security provided confidentiality, integrity and availability

Information Security with the Internet
• The Internet meant more availability
• Access control was no longer enough for confidentiality and integrity
• Organizations primarily managed static computing devices
• They had a corporate network and primarily accessed corporate assets on that network
• The focus was on perimeter security: "keep the bad guys out"

Information Security on Enterprise IT: DEFENSE IN DEPTH
• Network security (firewalls, DMZ, VPN)
• Host security (authentication, IDS, IPS)
• Application security (SSO, content filtering)
• Data security (encryption)

Information Security and the Consumerisation of IT
• In 2013, organizations must manage and secure a growing, globally distributed, remote and mobile computing environment, all of it accessing corporate assets housed within the corporate network.
• The CIO's focus is on data centre and critical infrastructure security.
• Most CIOs leave the management and security of mobile computing devices to fate and luck.

Information Security and the Cloud
• Today, organizations must continue to manage and secure enterprise IT architectures as they have, but also corporate assets and resources housed and maintained in the "cloud".
• Endpoints require access to corporate resources housed both inside the corporate network and in the "cloud".

Data Protection Platform (layer diagram)
• Services: Key Management, Federation of Identity, E-Discovery, IRM, DLP
• Application Integration Layer: File Access Management & Activity Monitoring; Content Classification, Indexing & Search; Auditing, Reporting, Analytics
• Policy Management: Centralized Administration & Control
• Encryption: File Encryption, Bulk Encryption
• Platform coverage: zSeries (mainframe), iSeries, open-system servers, desktop, mobile, e-mail, removable media

Data-centric Security



Questions and Answers


Thank you

Lionel Gross, ABN AMRO Bank – Creating and organising Security Blueprints

« Core Banking » iSeries Security Blueprint

Lionel Gross

What is an iSeries Security Blueprint?
It is a document referencing all security setup on the iSeries: the system itself, all running applications and communications. Following its rules and recommendations guarantees that the machine is secured. What it covers:
• OS/400 settings (system values, …)
• User management
• Library & object security
• iSeries-hosted applications
• System supervision
• Security reporting
• iSeries interfaces and communications
• Operating procedures for all users
• Data recovery

Who is involved in a Security Blueprint?
The Blueprint establishes the privileges and access rights for:
• Business users
• Security Officer (LISO)
• Operators (IBM, …)
• Application profiles
• Auditors

Blueprint – OS/400 settings – system values
Related to:
• Devices: QLMTDEVSSN, QAUTOCFG, QAUTOVRT, QDEVRCYACN, QDSCJOBITV, …
• Audit journal: QAUDLVL, QAUDCTL, QAUDFRCLVL, …
• Passwords: QPWDEXPITV, QPWDLVL, QPWDMINLEN, QPWDPOSDIF, …
• Sign-on: QMAXSIGN, QMAXSIGNACN, QRMTSIGN, …
• Save & restore: QVFYOBJRST, QCRTAUT, …
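A blueprint is only useful if the live system is checked against it regularly. The following Python is an added example and not part of the blueprint or the presentation: it parses a captured list of system values and reports every deviation from a baseline. The baseline values are assumed targets chosen for illustration (a real blueprint sets site-specific values, and QSECURITY is included here although the slide does not list it), and the capture is a constructed "NAME VALUE..." text, not real DSPSYSVAL/WRKSYSVAL output; on current releases the QSYS2.SYSTEM_VALUE_INFO SQL view yields the same data for a real run.

```python
"""Compare captured IBM i system values against a blueprint baseline.

Added example, not part of the blueprint or the presentation. The baseline
values below are ASSUMED targets chosen for illustration (the blueprint itself
sets site-specific values); the captured values are a constructed text sample
in "NAME VALUE..." form, not real DSPSYSVAL/WRKSYSVAL output.
"""
import math

# Constructed capture of current values (one system value per line).
CAPTURE = """\
QSECURITY    40
QAUTOCFG     0
QLMTDEVSSN   1
QDSCJOBITV   60
QAUDCTL      *AUDLVL *OBJAUD *NOQTEMP
QAUDLVL      *AUTFAIL *DELETE *SERVICE
QPWDLVL      1
QPWDEXPITV   90
QPWDMINLEN   6
QPWDPOSDIF   1
QMAXSIGN     *NOMAX
QMAXSIGNACN  3
QRMTSIGN     *FRCSIGNON
QVFYOBJRST   3
QCRTAUT      *CHANGE
"""

# Assumed baseline: (system value, comparison, expected).
#   eq       exact match
#   min/max  numeric bound; *NOMAX is treated as infinity so it fails a max
#   contains every listed special value must be present
BASELINE = [
    ("QSECURITY", "min", 40),
    ("QAUTOCFG", "eq", "0"),
    ("QLMTDEVSSN", "eq", "1"),
    ("QDSCJOBITV", "max", 60),
    ("QAUDCTL", "contains", ["*AUDLVL", "*OBJAUD"]),
    ("QAUDLVL", "contains", ["*AUTFAIL", "*SECURITY", "*DELETE", "*SERVICE"]),
    ("QPWDLVL", "min", 1),
    ("QPWDEXPITV", "max", 90),
    ("QPWDMINLEN", "min", 8),
    ("QPWDPOSDIF", "eq", "1"),
    ("QMAXSIGN", "max", 3),
    ("QMAXSIGNACN", "eq", "3"),
    ("QRMTSIGN", "eq", "*FRCSIGNON"),
    ("QVFYOBJRST", "min", 3),
    ("QCRTAUT", "eq", "*EXCLUDE"),
]


def parse_sysvals(text: str) -> dict:
    """'NAME VALUE [VALUE...]' lines -> {NAME: 'VALUE [VALUE...]'}."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            values[parts[0].upper()] = " ".join(parts[1:])
    return values


def as_number(value: str) -> float:
    return math.inf if value == "*NOMAX" else float(value)


def audit(current: dict, baseline) -> list:
    """Return one finding per system value that misses its baseline (or is absent)."""
    findings = []
    for name, op, expected in baseline:
        value = current.get(name)
        if value is None:
            findings.append({"name": name, "current": None, "expected": expected, "why": "not captured"})
            continue
        if op == "eq":
            ok = value == expected
        elif op == "min":
            ok = as_number(value) >= expected
        elif op == "max":
            ok = as_number(value) <= expected
        elif op == "contains":
            ok = all(v in value.split() for v in expected)
        else:
            raise ValueError(f"unknown comparison {op!r}")
        if not ok:
            findings.append({"name": name, "current": value, "expected": f"{op} {expected}", "why": "deviates"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sysvals(CAPTURE), BASELINE):
        print(f"{f['name']:<12} current={f['current']!s:<32} expected {f['expected']}")
```

On the constructed capture the script flags four values: QAUDLVL lacks *SECURITY, QPWDMINLEN is below the assumed minimum, QMAXSIGN is *NOMAX (unlimited sign-on attempts) and QCRTAUT is *CHANGE, the shipped default that gives *PUBLIC change authority to every newly created object. A value missing from the capture is reported too rather than silently passed.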

User Management
• Group & reference profiles
• User profiles
• Application and interface profiles
• Owners
• Define access to applications by menu:
  – Avoiding command-line access or arbitrary program execution
  – Enforcing dual control on menu assignment
  – Log of changes and reporting
  – Log of choices

User Management Role based access: group profiles and reference users

User Management Individual OS400 user profiles

User Management High-privilege OS400 user profiles

User Management Application and Interface profiles

Library and object access

Interfaces & Communications

Authorization list

Application setting

XYZ tables relating to user access

Security reporting

iSeries Security Blueprint

Lionel Gross

Thank you

Fred Wijshoff - KPMG: Auditing an IBM i - from an auditor's point of view

Auditing an IBM i from an auditor's point of view – information security, 18 April 2013

Introduction

Introduction: Drs. F.J.A. Wijshoff RE CISA
■ Working for KPMG IT Advisory since 2005
■ Manager, KPMG IT Advisory
■ Involved in:
  – IT audit
  – Data analytics
  – Information security (ISO 27001/ISO 27002)
  – IBM i security and consultancy
  – Software certification
  – ISAE 3402 (previously SAS 70)
  – Privacy consultancy and scans

[email protected] Tel: 06-52078832 © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.


Agenda


1. Quick recap from last time:
   • What does an IT auditor do?
   • What is compliance?
2. Why is the security business booming?
3. Why is information security important?
4. What is information security?
5. Top 4 reasons for information security issues (on IBM i) and their solutions
6. Information security from a financial audit point of view
7. Trends in auditing IBM i
8. Questions


1. Quick recap

Recap: what does an IT-Auditor do? (1/2)

■ An IT auditor performs activities to form an independent opinion on a situation.
■ An IT auditor performs the process of collecting and evaluating evidence to determine whether a computer system or IT organisation safeguards assets, maintains data integrity, achieves organisational goals effectively and consumes resources efficiently.

In short: an IT auditor reflects the status of the IT back to the organisation. IT auditing:
■ Independent and impartial assessment.
■ Leading to a clear opinion about the system/environment/organisation.


Compliance - Unified control framework (diagram)
External requirements: ISAE 3402, PCI DSS, WFT, external audit, Solvency II, SOX, FSA, Basel II, REACH, local privacy laws, IA (internal audit), ISO 27002.
Each requirement maps to objectives; the objectives map onto one IT Control Framework.
The framework is organised by domain: Supply, Demand, IT management, Audit and Risk management, each with its own controls (supply controls, demand controls, IT management controls, audit controls, risk management controls).


Compliance – an example
GITC: Access to system resources and utilities is limited to appropriate individuals.
SOX: Each employee is assigned the predefined role(s) and is granted access to the IT components according to the matrix.
IT control framework (e.g. based on COBIT):
■ DS5.3 Identity Management
■ DS5.4 User Account Management
Typical controls for the Supply (and Demand) side:
■ Individual user accounts
■ Naming convention for user accounts
■ etc…

109

Compliance - IT Control Framework

Example deficiency register. Columns: Deficiency #, Type, Control #, Control description, Description of deficiency (TOD deficiencies, whether identified by YYYY or XXXX), Related application, Identified by management, Remedied by management, COSO component, Exists at period-end, Compensating controls, Working paper reference, Working paper reference for additional audit, Communication to management and/or additional audit, Reasonable possibility and magnitude of potential (3), Significance of deficiency (1), Impact on substantive procedures (4).

Deficiency 1 – IT GC – LA3
Control: Human Resources provides a list of employee terminations weekly to the IT organization. The terminated employee accounts are deactivated within 48 hours of receiving notification from HR.
Deficiency: XXXX noted that the control as described is not in place. Notification by Human Resources is not done on a weekly basis but on an ad-hoc basis. The monitoring mechanisms do not ensure that all accounts are disabled within the prescribed time limit of 48 hours. In addition, from the sample (8) obtained we found that 1 had been open for 2 days, 1 for even a month. Also note, management concluded that the control (TOE) was ineffective due to lack of evidence.
Related application: All.

Deficiency 2 – IT GC – LA4
Control: HR personnel / business owners formally communicate contractor / temporary employee terminations on a weekly or as-needed basis to the IT group, who perform timely (within 48 hours) deactivation of user network access.
Deficiency: XXXX noted that the control as described is not in place. The monitoring mechanisms do not ensure that all accounts are disabled within the prescribed time limit of 48 hours. The reporting of temporary employee terminations is not done in a timely manner by HR, and the monitoring mechanism does not ensure that accounts are disabled within a time limit of 48 hours. XXXX also noted that there is no distinction in the process between permanent employees and temporary employees. In the sample of (8) noted in LA3, we found that 1 had been open for 2 days and 1 for a month. Also note, management concluded that the control (TOE) was ineffective due to lack of evidence.
Related application: All.

Deficiency 3 – IT GC – LA1
Control: IT Management performs a quarterly review of the data owner's list to identify and remove inappropriate access.
Deficiency: The data owner list is a register (list) of all owners of EU Domain data (e.g. finance department). When a user wants access to any of the shares where these data reside, the data owner needs to approve this. It appears that the data owner list is not reviewed at all. Instead, the actual user access to the financial share is reviewed. Management is not reviewing the data owner list. YYYY management tested whether access to the finance share was properly restricted. XXXX did also. XXXX and YYYY's management did not find any inappropriate authorizations on the finance share.

Remaining column values for each deficiency as shown on the slide: CA / N / N / Y / N.

■ In this example: SOX compliance (intentionally unreadable).
■ Based on the requirements, a control framework was set up and agreed upon with the client.
■ During the IT audit, the control framework was used to document the deficiencies.

What does an IT-Auditor actually do? (2/2)

Typical audit assignment:

1. Test of design
■ See that the measure is adequately designed by reviewing procedures and documentation. (Is the setup right?)

2. Test of existence
■ See that the measure is actually used. (Do a walkthrough of the process.)

3. Test of operational effectiveness
■ Automated procedure/application control: test of one (mostly already done during the walkthrough).
■ Manual procedures / system-dependent manual controls:
  1. Establish the population;
  2. Establish the risk of failure;
  3. Define and select a sample of the population;
  4. Test the samples.

4. Write report
■ Trivial.

3. Why is information security important?

Causes and costs of IT-related security incidents

[Chart: Causes of critical security incidents (percentage of incidents). Categories: viruses; unwanted e-mail; theft of ICT equipment; failure of critical systems; hacking of an internet system; unauthorised access; break-in on the website; break-in on internal systems; denial of service attack; brute force attack; Trojan horses; loss of information; fraud; other.]

[Chart: Total recovery cost per security incident (percentage of incidents). Cost bands: < € 1.000; € 1.000 - € 5.000; € 5.000 - € 10.000; € 10.000 - € 50.000; € 50.000 - € 100.000; € 100.000 - € 500.000; > € 500.000.]

KPMG Data Loss Barometer: security trends in 2012

Hacking of businesses last year led to a new record, in which confidential information of millions of people came into the wrong hands. The KPMG Data Loss Barometer shows that worldwide the number of incidents involving confidential information increased by 40% compared with 2010.

Furthermore, it appears that almost 70% of the incidents are caused by hackers (people or organizations who break into computer systems). Hackers increasingly focus on business: where a number of years ago medical records and public information were often targeted, hackers now focus mainly on business.

3. What is information security?

Processing of information is crucial for organisations. Several risks are connected with information processing (non-exhaustive):
■ Data leakage,
■ Information theft,
■ Unauthorized information change,
■ Unavailability of information,
■ Non-compliance with laws and regulations.

Information security means controlling these risks by means of:
■ Organisational,
■ Physical and
■ Technical measures.

Information security is an integral part of the business strategy.

Examples of measures

Physical measures
■ Cameras
■ Access gates

ICT
■ Secured server room or external
■ Redundant servers
■ Segregation of networks

Organizational measures
■ Authentication of internal & external users
■ Clean desk policy
■ Continuity planning
■ Policy dealing with social media
■ Use of secured USB sticks

Security of personnel
■ Screening of (new) employees
■ Roles and responsibilities are established
■ User declaration

Information Security

■ Do we know the value of the assets that are to be protected?
■ Is our information protected against data leakage or misuse? Do we comply with privacy legislation/regulation & expectations?
■ Do we understand the threats and risks that are around?
■ Can we measure and report on security and continuity performance to adequately balance performance versus risks?
■ How do we determine that continuity measures are aligned with business needs?

[Diagram: Business needs & expectations drive strategy & policy and an IT controls framework, implemented as business & IT security & privacy measures and business & IT continuity measures across People (governance, organisation, awareness), Processes (business & IT access, IT operations, IT development) and Technology (architecture, components, tech trends); monitoring of security & continuity (compliance, events (logging), security testing, contingency testing) feeds back into life cycle management. Outcome: protected data (processing).]

Information security is not just platform security

Information security is more than platform security. It spans, from strategic value down to tactical execution, the enterprise, organization, business process, application, data, host, network and physical layers. The upper layers call for client and industry experience and security subject matter specialty, the lower layers for technical IT competency.

… But platform security still plays an important role in security!

Logical access path: multiple layers of security (esp. on IBM i)

Checking the 'Logical Access Path': Users → Devices → Network security → Security in system/service → Security in application → Access control on OS & data (examples of entry points: command line access, ODBC and ftp).

How can this be accomplished? - ISO 27001 Standard PDCA model
• Continuous cycle
• Same principle as ISO 9001 (quality management)

PLAN → DO → CHECK → ACT (and back to PLAN)

ISO 27000 family
■ 27000 – Principles and vocabulary
■ 27001 – ISMS requirements
■ 27002 – formerly 17799 (renumbered from April 2007)
■ 27003 – ISMS implementation guidelines
■ 27004 – ISMS metrics & measurements
■ 27005 – ISMS risk management
■ 27006 – Business continuity & disaster recovery services
■ 27007, 27009 – (no description)

Increasing overlaps between different standards
■ ISO/IEC 27001:2005
■ ISO/IEC 20000 IT Service Management
■ ISO/IEC TR 18044:2004 Information Security Incident Management
■ ISO/IEC 19770 Software Asset Management
■ ISO 15489-1:2001 Information and Documentation – Records Management
■ BS 25999 Business Continuity Management
■ ISO/IEC 13335-3:1998 Guidelines for the Management of IT Security
■ ISO/IEC Guide 73:2002 Risk Management – Vocabulary
■ COBIT (v5.0)
(not an exhaustive overview)

Which framework to use is not easy to determine.

Trends: COBIT used as an IT Control framework

The same unified control framework as on the Compliance slide: requirements from ISAE 3402, PCI DSS, WFT, external audit, Solvency II, SOX, FSA, Basel II, REACH, local privacy laws, IA and ISO 27002 yield control objectives, and COBIT is used as the IT Control Framework that organises them into Supply, Demand, IT management, Audit and Risk management controls.

IT processes based on COBIT provide an overview of the organization of IT and its capability

COBIT reference model (COBIT as IT process model: a generally accepted standard process model). The framework links business goals and objectives to the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and the IT resources (applications, information, infrastructure, people) through 34 processes in four domains:

Plan and Organise (PO)
■ PO1 Define a strategic IT plan. PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organisation and relationships. PO5 Manage the IT investment. PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects.

Acquire and Implement (AI)
■ AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions and changes.

Deliver and Support (DS)
■ DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance and capacity. DS4 Ensure continuous service. DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train users. DS8 Manage service desk and incidents. DS9 Manage the configuration. DS10 Manage problems. DS11 Manage data. DS12 Manage the physical environment. DS13 Manage operations.

Monitor and Evaluate (ME)
■ ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure compliance with external requirements. ME4 Provide IT governance.

COBIT as an IT governance framework
■ Control Objectives for Information and related Technology (COBIT) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are strongly focused on control, less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong. (Source: COBIT 4.1, ITGI.)
■ COBIT is a generally accepted standard for IT processes and is therefore very useful in assessing the organization's capability. The IT processes of COBIT cover four domains – Plan and Organize (PO) – Acquire and Implement (AI) – Deliver and Support (DS) – Monitor and Evaluate (ME).
■ The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT.

Capability maturity assessment
■ Each selected IT process can be assessed on its capability. COBIT describes a maturity model for each IT process. For the assessment the processes are assessed using the general attributes of the processes.
■ COBIT uses the well-known CMM maturity levels to determine the capability of each selected IT process.

In line with ITIL
■ When used together, COBIT and ITIL provide a top-to-bottom approach to IT governance and, thus, service management. COBIT guides management's priorities and objectives within a holistic and complete approach to a full range of IT activities. This can focus all stakeholders (business and IT management, auditors, and IT professionals) on an integrated and common approach.

Capability maturity levels according to DNB

Level 1 – Ad hoc, initial
Controls are partially defined, but are inconsistently implemented. The mode of implementation depends on individuals.

Level 2 – Repeatable, informal
Controls are defined and implemented in a structured and consistent but informal manner.

Level 3 – Structured and formalized
Controls are documented and are performed organization-wide in a structured and formalized manner. Evidence of performance of controls is retained and can be demonstrated.

Level 4 – Implemented and periodically assessed
Controls are performed in a structured and formalized manner across the organization. The efficiency and effectiveness of the controls are reviewed and improved if necessary.

COBIT maturity model and DNB

[Diagram: maturity scale 1 Initial/Ad hoc – 2 Repeatable but intuitive – 3 Defined process – 4 Managed and measurable – 5 Optimised, running from technology driven to business led. Plotted on it: current IT process capability, desired IT process capability and the benchmark (peers), giving the gap between current and desired capability and the gap between current capability and benchmark peers.]

DNB Level 3 – Structured and formalized: Controls are documented and are performed organization-wide in a structured and formalized manner. Evidence of performance of controls is retained and can be demonstrated.

DNB requirement: COBIT level 3 for all financial organizations.

DNB made a selection of important COBIT IT processes

COBIT's IT processes contain 210 control objectives in total; 53 of them, in the processes below, were deemed important by DNB:

Plan and Organise
■ PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organisation and relationships. PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO9 Assess and manage IT risks.

Acquire and Implement
■ AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI6 Manage changes. AI7 Install and accredit solutions and changes.

Deliver and Support
■ DS1 Define and manage service levels. DS2 Manage third-party services. DS4 Ensure continuous service. DS5 Ensure systems security. DS8 Manage service desk and incidents. DS9 Manage the configuration. DS11 Manage data. DS12 Manage the physical environment.

Monitor and Evaluate
■ ME2 Monitor and evaluate internal control. ME3 Ensure compliance with external requirements. ME4 Provide IT governance.

(Information criteria and IT resources as in the COBIT reference model.)

Mapping Cobit processes on to the measures from the code of information security (ISO 27002)


4. Top 4 reasons for information security issues (on IBM i) and their solutions

Top 4 reasons for security breaches and their solutions

1. Easily guessable passwords:
 – password = user-id
 – password = "password1" or "welcome01"
 – password = name

2. Security is mainly based on menu security, leaving access to database files open:
 – e.g. *PUBLIC *ALL or *CHANGE
 – Sometimes whole groups have all access.

3. User-ids are not timely disabled or removed when they are no longer necessary.
 – E.g. the HR department does not timely inform the IT department about employees leaving the company.

4. Users get too high authorisations (even temporarily):
 – E.g. the IT department temporarily adds a super user for testing purposes and forgets about it.
 – A system account is created and no one knows why.
 – An account was created (a long time ago) and no one knows whether it can be disabled.

Passwords

Easily guessable passwords:
 – password = user-id
 – password = "password1" or "welcome01"
 – password = name

Solution:
■ Run the Analyze Default Passwords report. The output on the slide (action taken against profiles: *NONE) lists the user profiles SYNC, PROD, PBACKUP, BCOMM, FISXXXXX, MM, ROUTER, SNDCONS and EXTDEV, all with STATUS *ENABLED; PWDEXP is *YES for two of them and *NO for the rest. Their description texts include "Bank XXXXXX XXXXX XXXXXXX XXXXXXX sync user", "Production", "Backup", "Helpdesk", "FISXXXX", "Message Monitor", "For sending consolidation files" and "External Developer".
■ QPWD* system values
■ QPWDRULES (Password Rules)
 – *REQANY3: 3 from 4: uppercase, lowercase, numeric and/or a special character.

Auditability: test of design and existence is easy; test of operational effectiveness is difficult.

Important:
■ Choosing a password should not be made too difficult for end users, as they tend to write things down…

Menu security

Menu security alone is insufficient:
 – All kinds of services are 'connectable' (e.g. ODBC and ftp).
 – Access to files and databases is no problem if you have enough IBM i knowledge.

Solution:
■ Limit user access: use the limited capability parameter, use adopted authority (USEADPAUT parameter), and limit the access to services.
■ Use the DSPUSRPRF output to check.
■ List the functions (services) and their security settings: DSPFCNUSG.

Auditability: test of design and existence is easy; test of operational effectiveness is easy (depends on logging).

User-ids are not timely disabled

User-ids that are not timely disabled:
 – May have high privileges;
 – Open up your system to unknown users;
 – May interfere with segregation of duties, as others might 'use' the user profile.

Solution: timely disable users.
■ Use the DSPUSRPRF output to check users.
■ Request a list from HR of the users that have left the company that month.
■ Additionally: send the user profile list to the HR department once every half year, and let them check and document to you that all users on the list are valid.
■ Link user administration to the HR database.
■ Set an expiry date on user profiles.
■ Set an expiry period on user profiles.

Auditability: test of design and existence is easy; test of operational effectiveness is easy (depends on logging).

Users get too high authorisations

User-ids with high authorisations:
 – May have been around a long time;
 – No one may know what the purpose of the account is;
 – Might have a hard-coded password;
 – Interfere with segregation of duties, as it is a super user.

Check users:
■ Use the DSPUSRPRF output to check user profiles.
■ Review audit logging and transactions of highly privileged users.

Solution:
■ Do not grant users high authorisations (except if it is really necessary).
■ Set an expiry date on these user profiles!
■ Document the need and the time period for the user profile.
■ Enable logging for highly authorized users.

Auditability: test of design and existence is easy; test of operational effectiveness is easy (depends on logging).
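Added example (not code from the KPMG deck, IBM or any tool named above): a Python audit script that applies the checks from the four slides above to a constructed DSPUSRPRF-style export and a constructed HR termination list. The column names, sample profiles and the default-password and purpose-documented flags are assumptions; the 48-hour limit, the *REQANY3 rule and the weak passwords are taken from the slides.

```python
"""Audit checks for the four IBM i issues above (added example, not KPMG's code).

Input is a constructed export whose columns mimic DSPUSRPRF attributes named
on the slides (STATUS, PWDEXP, SPCAUT, LMTCPB, previous sign-on) plus two
columns an auditor would join in by hand: whether the profile appeared in the
"Analyze default passwords" report and whether its purpose is documented.
Column names and all sample values are assumptions, not a real IBM i layout.
"""
import csv
import io
from datetime import date

# Constructed DSPUSRPRF-style export (not real data).
SAMPLE_EXPORT = """\
profile,status,pwdexp,spcaut,lmtcpb,prev_signon,default_pwd,purpose_doc,expiry
SYNC,*ENABLED,*NO,*ALLOBJ *SECADM,*NO,2013-03-01,Y,N,
PBACKUP,*ENABLED,*YES,*SAVSYS,*YES,2013-05-20,Y,Y,2013-12-31
HELPDESK1,*ENABLED,*NO,*NONE,*YES,2013-06-01,N,Y,
JDOE,*ENABLED,*NO,*NONE,*YES,2013-05-30,N,Y,
ASMITH,*DISABLED,*NO,*NONE,*YES,2013-04-02,N,Y,
TESTSUPER,*ENABLED,*NO,*ALLOBJ,*NO,2012-11-15,N,N,
"""

# Constructed HR list: profile -> (termination date, date IT disabled it, or None).
HR_TERMINATIONS = {
    "ASMITH": (date(2013, 4, 1), date(2013, 4, 2)),  # disabled within 48 hours
    "JDOE": (date(2013, 5, 1), None),                 # still *ENABLED a month later
}

AUDIT_DATE = date(2013, 6, 3)
HIGH_AUTH = {"*ALLOBJ", "*SECADM"}           # special authorities treated as 'super user'
WEAK_PASSWORDS = {"password1", "welcome01"}  # the defaults named on the slide


def load_profiles(export_text):
    """Parse the CSV export into one dict per user profile."""
    return list(csv.DictReader(io.StringIO(export_text)))


def meets_reqany3(password, profile):
    """Model QPWDRULES(*REQANY3): at least 3 of the 4 classes upper, lower,
    digit, special.  Also reject the slide's 'easily guessable' cases:
    password equal to the user-id, or one of the listed defaults."""
    lowered = password.lower()
    if lowered == profile.lower() or lowered in WEAK_PASSWORDS:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def find_default_passwords(profiles):
    """Issue 1: enabled profiles that the default-password report listed."""
    return sorted(p["profile"] for p in profiles
                  if p["status"] == "*ENABLED" and p["default_pwd"] == "Y")


def find_command_line_access(profiles):
    """Issue 2: menu security is no protection when LMTCPB is not *YES,
    because such users can reach a command line and the database directly."""
    return sorted(p["profile"] for p in profiles
                  if p["status"] == "*ENABLED" and p["lmtcpb"] != "*YES")


def find_late_deactivations(profiles, hr_terminations, audit_date, limit_days=2):
    """Issue 3 (control LA3 above): leavers must be disabled within 48 hours.
    Returns {profile: days the account stayed active past termination}."""
    status = {p["profile"]: p["status"] for p in profiles}
    late = {}
    for prof, (left, disabled_on) in hr_terminations.items():
        if disabled_on is None:
            if status.get(prof) == "*ENABLED":   # still open at the audit date
                late[prof] = (audit_date - left).days
            continue
        delay = (disabled_on - left).days
        if delay > limit_days:
            late[prof] = delay
    return late


def find_high_authority_issues(profiles, audit_date, stale_days=90):
    """Issue 4: powerful profiles need a documented purpose, an expiry date
    and actual use; report what each enabled high-authority profile lacks."""
    issues = {}
    for p in profiles:
        if p["status"] != "*ENABLED" or not HIGH_AUTH & set(p["spcaut"].split()):
            continue
        problems = []
        if p["purpose_doc"] != "Y":
            problems.append("no documented purpose")
        if not p["expiry"]:
            problems.append("no expiry date")
        idle = (audit_date - date.fromisoformat(p["prev_signon"])).days
        if idle > stale_days:
            problems.append("no sign-on for %d days" % idle)
        if problems:
            issues[p["profile"]] = problems
    return issues


if __name__ == "__main__":
    profs = load_profiles(SAMPLE_EXPORT)
    print("default passwords:", find_default_passwords(profs))
    print("command line access:", find_command_line_access(profs))
    print("late deactivations:", find_late_deactivations(profs, HR_TERMINATIONS, AUDIT_DATE))
    print("high authority issues:", find_high_authority_issues(profs, AUDIT_DATE))
```

On a real system the export would come from DSPUSRPRF with *OUTFILE and the default-password flag from the Analyze Default Passwords report; the same functions then run unchanged over the joined data.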

Examples from the field we photographed

Controlling security risks is for an important part controlling human behaviour.

Information security from an Financial audit point of view

Platform security – why do we need to look at it in financial audits?

Significant items in compliance reports Covered by the operational or financial (or other) auditor

Business processes

Subject related IT applications

Segregation of Duties & User Controls Application controls

IT Infrastructure services Operating systems

Covered by the IT Auditor

General IT Controls

Databases Network components

Physical facilities

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.


New trend: Facts to Value (F2V) (More than just security checking)

Significant items in compliance reports (with Fact 2 Value reporting)

Covered by the operational or financial (or other) auditor:
■ Business processes
■ Subject-related IT applications
  – Segregation of Duties & User Controls
  – Application controls

Covered by the IT auditor (General IT Controls):
■ IT infrastructure services
  – Operating systems
  – Databases
  – Network components
  – Physical facilities

Fact 2 Value reporting: business and IT application controls are checked by downloading and analysing them. Business processes are also checked by analysing the business data itself.


Trends in auditing IBM i

Trends in the market
■ More and more clients no longer have the expertise to run an IBM i by themselves;
■ Service organisations take care of IT management of the i for my clients, now mostly on site at the clients (they come by twice a month or so);
■ Some (bigger) clients have already outsourced their IBM i technical IT management;
■ Even with banks we see that they are outsourcing their IT management (to e.g. KPN, IBM or other parties);
■ We see a trend that customers will outsource their server hardware;
■ We see a trend that software developers consider providing hosting services for their clients;
■ From there it is a small step to managed hosting (actually we are already talking about SaaS).



Organisations increasingly need assurance when they outsource

Drivers around outsourcing:
■ Corporate governance
■ Chain automation
■ Principles of internal control
■ Focus on costs and quality
■ Market developments
■ Professionalising service
■ Sharpening of supervision
■ Accountability with respect to security and privacy requirements
■ Increase in liability



What is a Third Party Mededeling (Dutch for "third-party statement")?

A Third Party Mededeling (TPM) is a written report on the internal control of the processes of a service organization (e.g. a service provider or an internal shared service center). The report is issued by an independent and impartial auditor under ISAE 3000 or ISAE 3402.

Parties and their relations:
■ Clients & other stakeholders and the service provider (or S.S.C.) are linked by a Service Level Agreement, governed through Service Level Management.
■ The auditor examines the service provider (or S.S.C.) and issues the Third Party Mededeling (ISAE 3000/3402) to the clients and other stakeholders.



New standards to replace SAS 70

Service Organization Control 1 (SOC 1)
■ Standard: SSAE 16 / ISAE 3402 (Service Auditor Guidance)
■ Report: restricted use report (Type I or Type II)
■ Purpose: reports on controls relevant to the financial statement audit (FSA)

Service Organization Control 2 (SOC 2)
■ Standard: AT 101 / COS & ISAE 3000 / ISAE 3402
■ Report: generally a restricted use report (Type I or Type II)
■ Purpose: reports on controls related to compliance or operations

Service Organization Control 3 (SOC 3)
■ Standard: AT 101 / COS & ISAE 3000
■ Report: general use report (public seal)
■ Purpose: reports on controls related to compliance or operations

Source: AICPA 2010 (10036-8775)


There are two kinds of ISAE 3402 assurance reports

Type I statement ("moment in time")
■ A statement on the identified controls and the control structure as they are designed and implemented at a point in time.

Type II statement ("report regarding a certain period")
■ A statement on the identified controls and the control structure that have been operating over a period of 6 or 12 months.



In short: clients are demanding more assurance. From trust to proof!

TRUST me
TELL me
SHOW me
PROVE me

Appendices:
- Steps of the ISAE 3000/3402 approach
- Comparison of ISAE 3000/3402 assurance and ISO certification
- Contact information



Information security is also important in an outsourced situation

Advantages
■ Clients' auditors will increasingly rely on the ISAE 3402 report.
■ More clients will be able to use the report.
■ Clients will share the costs.
■ Clients will need their own auditors less.
■ The service organization is burdened only by the ISAE 3402 auditor (not by auditors from each client).
■ Clients' IT auditors will have less work.
■ More internal control for the service organization.
■ Processes and procedures are formalized.

Disadvantages
■ The initial cost is high.
■ Scoping of what goes into the report is important.
■ Because of that scoping, the ISAE 3402 report will be read very precisely by the clients' (IT) auditors.



Questions?

Thank you

Presenter's contact details
Fred Wijshoff
KPMG IT Advisory N.V.
Tel: +31 6 5207 8832
[email protected]
www.kpmg.nl

Ronald van Erven, Timeos/PvIB
The ever-growing danger to your data
Some food for thought

A little bit about me…
• Positions: from (security) network/systems manager, IT security officer, security manager and ICT auditor to, currently, information risk officer (Trust & Continuity Program Manager)
• Some certifications, next to a BSc in electronics/telecom and an MSc in ICT management
• Active member with: (setting up the Dutch ISC2 chapter)
• Follow me on: [email protected], cisspnl or +31615584056

Know your “opponents”

Know your “friends” even better..

Your (business) information – the new gold

• Know what your critical information is!
  – How long can you do without it (availability)?
  – How important is exclusivity (confidentiality) to your business?
  – Can you verify the integrity of your critical information?

• Which of your critical business information is available or reachable?
  – Should you use WhatsApp for your business contacts?
  – Should you blog on LinkedIn about your new business ventures? (Should your LinkedIn profile contain a passport-compliant picture of you?)
  – Do you make your business phone calls on the train (a public place)?

• What critical information do you transfer?
  – Do you use secure mail?
  – Do you encrypt your information?
  – Do you sign your information?

The 1st step
No matter how small your firm, you must know what your information assets are and where they reside (data/information classification can help you with this).

Thank you. Do you want to run something by me? Just give me a call.

A business intelligence agent, cyber warrior or just a “friend”?

Thank you