SRC Secure Solutions bv

SRC Secure Solutions bv Agenda  Welcome  Ian Taylor – PKWARE  Ruud Goudriaan – ING  Lionel Gross –  Peter Croes – IBM  Shmuel Zailer – Raz...
Author: Asher Nichols
2 downloads 2 Views 7MB Size
SRC Secure Solutions bv

Agenda  Welcome

 Ian Taylor – PKWARE

 Ruud Goudriaan – ING

 Lionel Gross –

 Peter Croes – IBM  Shmuel Zailer – Raz-Lee



 Ronald Rietveld – ABN



Amro Bank  Coffee

 

Consultant Olympic Fred Wijshoff – KPMG Ronald van Erven – Timeos Piet Munsterman – SRC Drinks and networking

IBM i – is it secure?  The AS400  In 1988 we didn’t (all) use the Internet  Twinax Terminal access  Tapes and Diskettes  SNA  Secure Value Added Networks  A proprietary system with a proprietary database  “Closed”

IBM i – is it secure?  The IBM i  An “Open” system  Internet protocols as standard  Networked  Often connected to Internet  DB2/SQL/FTP/ODBC etc etc  A open system with a open database  Still has a integral security infrastructure….

IBM i – is it secure?  The IBM i  Securing it requires      

Expertise Monitoring Alerting Reporting Remediation Management!

So what’s the problem?

IBM i – is it secure?  The expertise  Is ‘getting on a bit’  Is leaving  Is being automated  The delusion  It is secure  It is not connected to the Internet  Hackers do not ‘know’ the IBM i  The data is not interesting to hackers

Ways to hack the IBM i  Telnet, FTP, HTTP,  SMTP, POP3, LDAP,

 QSHELL/PASE  Ops Nav, Client Access,  IFS, ATTN key, REXX,

 Adopt, REXEC,  DDM, SQL, RMTCMD  Tapes, CD-ROMs, DVDs, USBs etc etc

Recommended books  Hacking iSeries by Shalom Carmel isbn 1-4196-2501-2  IBM I Security Administration & Compliance by Carol

Woodbury isbn 978-1-58347-373-3

Deep Dive Training  September 23 – 26  Training by Carol Woodbury  Former IBM iSeries Security Architect  World renowned security consultant and author  Founder of SkyView Partners  Suitable for IBM i:- Auditors, ICT Managers, Project

Managers, Security Officers, Developers, Operations Managers, etc.

Thank you

Ruud Goudriaan, ING Bank How Banks are dependent on a secure internet

How Banks are dependent on a secure internet Organised Crime vs financial institutions

Ruud Goudriaan - April 2013

12

Content • • • • •

Short history of Information Security Operational Risk Management Development Internet Banks & Internet: no way back Cybercrime: attacks – – – –

Motives Victims and Criminals Cyber Theft Ring (FBI) Internet banking threats - Phishing attack

• Cybercrime: analysis – – – – –

How serious is it? How bad can it get? What can we do? Dutch National Cyber Security Strategy (NCSS) Organisation National Cyber Security Informatieknooppunt Cybercrime What should be the security approach? Ruud Goudriaan - April 2013

13

Information Security Definition Information Security (source: Wikipedia) • The total set of preventive, detective, repressive en corrective measures (incl. procedures and processes) that guarantee the availability, exclusiveness and integrity of all forms of data within an organisation or company, with the aim to preserve the continuity of the information and information handling, and restrict potential security incidents to an acceptable, previously determined level. In other words: 100% security is unattainable!

Ruud Goudriaan - April 2013

14

Short history of Information Security • Encoding messages in war time: – – – – – –

Egypt: hieroglyphs Sweden: runic writing, Stone of Rök Romans: alphabetic substitution Napoleon: Optical telegraph Germany WO II: Enigma machine Cryptography: DEA, RSA, AES, SHA-3 (2012)

Stone of Rök

Source illustrations Detlev Simons

Optical telegraph Enigma: 1919, WO II

Encipher disk: 1466 Ruud Goudriaan - April 2013

15

Operational Risk Management Security/ Fraud

Risk / Impact

Business

Cost

IT/ Continuity

The business managers assess the cost-risk trade-off. The IT, Continuity, Security & Fraud managers provide cost effective security measures.

Operational Risk Management: Enables the organisation and the business to manage its business risks (cost/risk trade-off) Based on ISO 27000 and ISO 25999

Ruud Goudriaan - April 2013

16

Development Internet Internet: connection interrupt triggers new connection • 1960 – Military Communication network – ARPA • Development University network – NSF • Current internet managed by ICANN Internet Corporation for Assigned Names and Numbers

• 1990 – World Wide Web protocol • Now: > 2 billion users: – Informative: Online database, Google – Social: Hyves, Facebook, MSN, etc. – Electronic Commerce/Service: shopping, banking, government.

Ruud Goudriaan - April 2013

17

E-mail & SPAM SPAM: Junk E-mail, Unsolicited Bulk Email • • •

Daily 101 billion SPAM messages (Commtouch* 2011) Daily 200.000 new ‘Zombie-PC’s’ (25% India) More than 90 % of incoming e-mails are SPAM (caught by SPAM-filters)

E-Mail Spam by Topic* Pharmacy Replica Enhancers Dating Phishing 419 fraud Weight Loss Pornography

31% 14% 14% 12% 6% 7% 4% 4%

*) “Q1 2011 Internet threat trends report” Commtouch Software Ltd. http://www.commtouch.com/threat-report-january-2012/

Ruud Goudriaan - April 2013

18

Banks & Internet: no way back Banks migrated from offices to Internet banking • ATMs replace bank counter • Internet banking instead of forms and cash • Online Investments and Mortgages handling Internet services cannot be discontinued: Huge opportunity for organised crime to commit ‘Milking attacks’

Ruud Goudriaan - April 2013

19

Cybercrime: Motives Cybercrime: any crime involving computer/network • Grabowsky: – Virtual Criminality: Old wine in new bottles

• Motives criminals: – Generate income, Power, Revenge, Rivalry, etc.

• Two types of computer crime: – Direct attack on computer/network: Computer viruses, Denial-OfService, Malware – Misuse computer/network: Cyber stalking, Fraud, Identity theft, Information warfare, Phishing, Nigerian scam (419 fraud)

Ruud Goudriaan - April 2013

20

Cybercrime: Victims and Criminals Globalisation Cybercrime via Internet • Millions of potential victims – Via e-mail using spam, viruses and malware – Via social networks using social engineering

• Increasing number of potential criminals – Low risk of being caught by operating from countries without extradition treaties – Partial criminal solutions offered via internet: malware, botnets, money mules, etc.

Ruud Goudriaan - April 2013

21

Cybercrime: Cyber Theft Ring (FBI)*

FBI – April 2011 *) 10-01-2010 Cooperation between US, UK, NL and Ukrain intelligence forces. http://www.fbi.gov/news/stories/2010/october/cyber-banking-fraud/cyber-banking-fraud-graphic

Ruud Goudriaan - April 2013

22

Internet banking threats Criminal organisation vs internet banking • • • •

Malware developed and sold via e-Bay Malware infects PC’s with e.g. Trojan Zeus (botnet) Bank-related log-on data collected and sold Dedicated Social engineering to direct customer to false website and acquire authorisation • Fraudulent funds transfers via money mules to beneficiary accounts abroad Sources: FBI Cyber Theft ring and article Peter Olsthoorn (Webwereld)

Ruud Goudriaan - April 2013

23

Cybercrime: Analysis

Ruud Goudriaan - April 2013

24

Cybercrime: How serious is it? Recent Hacker attacks: • Anonymous: – Payback: DDoS Sony – Playstation: hack PlayStation Network and theft credit card numbers – Assange: Anti-wikileak action triggered DDoS on Amazon, Paypal, Mastercard, Visa and Swiss Bank Postfinance

• Conspiracy Rings of Fire: – Rabobank: DDoS on internet banking

• Diginotar: – False issuing SSL-certificates, corrupted CA

• Internet banking: – Continuously improved attacks: Milking type Ruud Goudriaan - April 2013

25

Cybercrime: How bad can it get? Fox-IT, Ronald Prins: ... many vital infrastructures can be digitally intruded and damaged: drinking water utilities, electricity suppliers, dike protection…. • KLPD/Fox-IT: take-down criminal botnet ‘Bredolab’ (2010) • China: Ghostnet for commercial espionage (103 countries) • Israel: Stuxnet computer worm against Iran (Cyber warfare)

Positions: • Private PC cannot be protected from malware • Company server cannot be protected from DDoS attack Ruud Goudriaan - April 2013

26

Cybercrime: What can we do? Awareness websites • NVB website Veilig Bankieren

http://www.3xkloppen.nl/nl/ http://www.veiligbankieren.nl/nl/

• Getsafeonline: http://www.getsafeonline.org/ Public/private UK website supported by government, multinationals, etc.

Public/private cooperation •

Informatieknooppunt Cybercrime CPNI (tot 1-1-11 NICC): ISAC, FI-ISAC, http://www.cpni.nl/cpni Ruud Goudriaan - April 2013

27

Dutch National Cyber Security Strategy NCSS: Minister Opstelten (V&J) TK 22-02-2011 • Public – Private approach: – Cyber Security Board – Strategy – National Cyber Security Centrum (NCSC) – Knowledge sharing

• Integral threat and risk analyses • Improve protection against Cyber threats • Enlarge effective response capacity • Strengthen chain tracking - prosecution • Budget harmonisation Public/Private/Scientific First initiative: ‘Banking team’ to fight digital criminality by KLPD, Landelijk Parket, Banks Ruud Goudriaan - April 2013

28

Organisation National Cyber Security Cooperation to fight Cybercrime: • • • •

CPNI.nl1 including IKC2 en ISACs3 GOVCERT.NL part of international CSIRTs4 GOVCERT.NL participates in FIRST5, EGC6 and IWWN7 NCSC - Cyber Security Beeld Nederland 2012: https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/trendrapporten/cybersecuritybeeld-nederland.html

1) 2) 3) 4) 5) 6) 7)

CPNI.nl = Centre for Protection of the National Infrastructure: http://www.cpni.nl/cpni IKC = Informatie Knooppunt Cybercrime: http://www.cpni.nl/informatieknooppunt/informatieknooppunt-cybercrime ISAC = Information Sharing & Analysis Centre; FI-ISAC = Financial Institution ISAC CSIRT = Computer Security en Incident Response Teams FIRST = Forum of Incident Response and Security Teams EGC = European Government CERTs IWWN = International Watch and Warning Network

Ruud Goudriaan - April 2013

29

Informatieknooppunt Cybercrime

‘Flower petal model’ [Bloemblaadjesmodel] • NICC, part of CPNI.NL • Cooperation public/private • Exchange incidents / threats • FI-ISAC* part of NICC

*) Financial Institutions – Information Sharing and Analysis Centre

Ruud Goudriaan - April 2013

30

What Banks do now? Dutch banks: fraud in internet banking cannot be avoided. • •

Continuously be prepared for Social Engineering Approach: ‘Fraud-detection’ = Reactive, because of unsafe customer PC

Cat and Mouse game with organised crime: • • • • • •

Cybercrime Monitoring & Investigation Service (CMIS++) of Fox-IT and RSA Participation in FI-ISAC, part of GOVCERT. Contact with internet banking experts in other banks. Temporary lower day limits, stop trans-border payments or internet banking Delaying operation of internet banking transactions Accelerated implementation security patches

Fraude is considered as ‘Cost of doing business’ •

There is ‘No way back’ Ruud Goudriaan - April 2013

31

What should be the security approach? What works: • Detection + Notice & Takedown (Fox-IT + GovCerts) • Track down Botnets (Rustock Botnet March 2011)

What could help: • Customer verifies internet site company or government – Mutual authentication: individual certificate/token – Combined with mutual challenge-response

• Provide customer with boot disk/USB for private-PC: – Only log-on to authentic websites Bank, Companies, Government independent of possible malware on PC – Examples: German bank, products like Ironkey

https://www.ironkey.com/ • Other possibilities??? Ruud Goudriaan - April 2013

32

Thank you

Shmuel Zailer, Raz-Lee How to manage Security and Compliance on the IBM i

iSecurity Overview: Security & Compliance for Today & Beyond Shmuel Zailer, CEO/CTO [email protected]

About Raz-Lee Security

• Internationally renowned IBM i solutions provider • Founded in 1983, 100% focused on IBM i • Corporate offices in: US, Italy, Germany, Israel • Installed in over 35 countries, more than 12,000 licenses • IBM Business Partner, Integration Partner with Tivoli and Q1Labs • Partnerships with other major global security providers: • Official partnership with RSA enVision, GFI SIEM, HP OpenView • OEM by Imperva SecureSphere • Proven integration with ArcSight, CA UniCenter, Splunk, Juniper…

• Worldwide distribution network

Raz-Lee Security – Mission & Product Lines Raz-Lee’s Mission To provide the best and most comprehensive IBM i compliance, auditing and security solutions

• Infrastructure Security: network access, QAUDJRN monitor and report, user profile management and object authorities, automatic tracking of software changes, native object security, anti virus protection, all the above with multi-LPAR management capabilities

• Application Security: DB activity (journal) auditing, Cross-Application business item reporting with real-time alerting, Business Intelligence over transaction data, screen recording…

• System tools: File editor, RPG/COBOL and interactive access to MS SQL, Oracle, MySQL, Excel,…

Raz-Lee’s Global Distribution Network

Selected iSecurity Customers

Some 2011 Customers TAIKO HEALTH INFO AG SOUTHERN WINE & SPIRITS BALLY TOTAL FITNESS WYOMING MACHINERY WILLIAM ADAMS BUTLER MACHINERY CATS ECOMMERCE FOLEY EQUIPMENT COMPANY CAPITAL AVESCO SANDS BETHLEHEM CASINO PANASONIC EXCEL STAFF SANYO ELECTRIC LOGISTICS

Some Banking Customers KUNDINKASSO FORENINGSSPARBANKE RISONA BANK BURAJIRU BANK SVENSKA HANDELSBANKEN-LUXEMB. MIZUHO CORPORATE BANK MIZUHO BANK ROYAL BANK OF SCOTLAND NUEVO BANCO DE SANTA FE KINKI OSAKA BANK BANK OF CHINA VENTURE BANK BANCO DI SARDEGNA FIRST GLOBAL BANK KANSAI URBAN BANK HSH-NORDBANK

iSecurity: Selected Customers • CHS (Community Health Systems, US) appx. 150 LPARs, replaced Powertech

• Royal Bank of Scotland purchased iSecurity after POCs of nearly ALL competitors!

• Venetian Casinos (multi-national) purchased iSecurity following extensive compliance POC.

• Euronet Worldwide banking clearinghouse in Europe & Asia, replaced competitor with iSecurity.

• Svenska Handelsbanken, one of the largest banks in Scandinavia, used competitor for several years; replaced it with iSecurity.

• Unicredit (IT Austria), SkyTV, IKO Industries, JPMorgan Chase, Boyd Gaming, Bank of China, MasterCard, Avis

iSecurity - Characteristics

• Full GUI and green screen - short learning curve, ease of use • Visualizer Business Intelligence analysis • Hundreds of built-in, customizable reports. Report/Query Generator and Scheduler produces print, screen, HTML, PDF, CSV e-mailed reports.

• Wizards, Real Time/Periodical, Alerts. All done on IBM i • Sends SYSLOG, SNMP, Twitter, e-mail, messages

• Cross-enterprise reporting, definitions, logs • Exceptional performance on all sizes of systems • Unique products: Capture, Change/PTF Tracker, DB-Gate, Anti-Virus • The most comprehensive IBM i security suite, with on-going product development

Reports for Large Systems

• Report/Query Generator HTML, PDF, CSV, EXCEL reports by Email (in addition to output via Screen, Print, GUI an OUTFILE)

• Each field includes field description, values and their description, allows selection of possible values

• Filter by EQ, NE, GT… LIST, LIKE, START, ITEM (in an external table) with And/Or conditions

• In AP-Journal also DIFGT, DIFLT… DIF%GT, DIF%LT… (difference between After and Before values in numbers and percentage)

• Report includes Explanation to auditor, Systems included in the report, Statistics…

• Can be observed by Visualizer for analysis • Fully featured Report Scheduler

Consolidated report correlating information from all LPARs, up to last minute Note last 5 minutes and system parameters

Integrated Business Intelligence

 Intuitive Multi-

Level Filtering

 Use Summary

Data for OnLine inspection

 Drill down to

LOG events

Multi-System Support in iSecurity • Replication: • User Profiles & Passwords • System Values • Product definitions/rules

• Reporting: reports on all LPARs from any single LPAR in real time • Compliance: compare compliance scores of systems

• Real Time reaction to security breaches: sends SYSLOG, SNMP, Twitter, e-mail, messages, … with edited messages or Fields

iSecurity Products Overview

PCI, HIPAA, SOX…

Auditing

Security Breach Management Decision

Protection Security Assessment FREE!

Databases

• • • •

Audit QAUDJRN, Status… Real-time Actions, CL scripts Capture screen activity Central Admin of multiple LPARS & systems • User Profile Replication • Change/PTF Tracker

• Firewall FTP, ODBC,… access • Obtain Authority on Demand • Monitor CL Commands • Native Object Security • Anti-Virus protection • DB-Gate: SQL to non-DB2 DBs (Oracle, MS SQL,…) • AP-Journal for DB audit, filter, archive, real-time alerts • View/hide sensitive data • FileScope secured file editor

Evaluation

Compliance Evaluator for SOX, PCI, HIPAA… VisualizerBI for security

Syslog, SNMP for SIEM

Compliance Report with Score for 2 Systems

Summary

Detailed

Major iSecurity Products: Firewall, Audit, AP-Journal Firewall - Provides total protection of ALL company’s critical files, libraries, etc. from network intrusions, viruses, and unauthorized usage.

Audit – Enables easy auditing of ALL company’s critical files, users, jobs, objects, etc. Includes more than 200 built-in, customizable reports which can be scheduled to run at pre-set dates and times.

AP-Journal – Powerful, unique application security: • includes real-time threshold-activated alerts per application fields • changes to business-critical data are highlighted • displays both “before” and “after” data images • generates cross-application timeline reports of all data changes/updates • also monitors and reports on READ access to fields

AP-Journal Examples (for banking/financial) • Provide the customer

with a timeline report showing MORTGAGE history of the last 5 years. Include only important info.

• Send e-mail, SMS, SNMP, SYSLOG, Twitter when the INTEREST_RATE changes by more than 0.2%.

• Who modified PAYMENTS between 20:00 and 06:00 or during corporate summer vacation?

• When did the tariff for overseas transactions change? • Which users, who are not Managers, viewed the confidential PAYMENT_TERMS table since the last business day?

• What changes to the bank’s production libraries were made via non application-specific (SOX mandated) utilities such as IBM DFU?

AP-Journal Technical Overview DB1

DB2

DB3

Business Items B

DB-Reads

Journal A

Long-time storage for critical data C

Processing of Receivers in Real time (or at night)

Receivers

G

Alert Before

D

E

F

Containers

Reporting System

G

Screen

Email & HTML

Print-out

Reporting System

Alert After

AP-Journal - Unique Application Security • React in Real-Time

• Message, e-Mail, SMS, Syslog, Twitter, CL Script • For irregular activity or as Application Extension (SMS the customer when order is ready)

• Interconnect applications (no programming), time based:

• Order history (items, payments, claims, ….) • Mortgage history (loaners, guarantors, real-estates, payments)

• Special support for Misys, JDE…

• Bi-lateral data conversion capabilities between external and internal data • All outputs and inputs are in standard “human” format, all internal representations are according to system logic • Converts internal date representation to external “human” format • Support add/omit decimal point based on actual currency

• Controls READ access (PCI requirement)

• Who read the Credit Card number (xxxx-xxxx-xxxx-xxxx) • Which credit cards were displayed on a certain user’s screen

iSecurity Audit: Information Sources SIEM Support: Syslog, SNMP

OS/400 Objects •Users •Authorities •Objects •Scheduled Jobs •Etc.

QAUDJRN I5/OS

Filtered Data

Current Activity •Active Jobs •System Status •Sharepools

Message Queues •QSYSOFR •Any other Message Queue

` Receivers

Log Alert via Action Report Generator & Visualizer: Screen, GUI, PDF, HTML (by email)

Real-Time Alert handling in iSecurity

Execute CL Scripts

Send e-mail

Write to MSGQ

Write to SYSLOG

Send SMS, SNMP, Twitter, etc.

Issue Real-Time Alerts via iSecurity Action

QAUDJRN (Audit)

Network Security (Firewall)

Critical OS messages (QSYSOPR/ QSYSMSG)

Database Journals (AP Journal)

Authority changes (Authority on Demand)

GUI enables simultaneously managing same subject on several LPARs Note comparison of User Profiles on 2 systems

Over the web single console (e.g. Twitter) Note Alert Message options and message as received in Twitter

DB-Gate: Runs SQL 6 times faster for non-i database access (on RL’s test system) • Standard SQL access to MS SQL, Oracle, MySQL, Excel, CSV and other data sources

• Standard SQL statements, no APIs • Native SQL integration with RPG, Cobol, C - /EXEC SQL • Works interactively from Start SQL • Integrates with IBM Host Server Authentication

• No need for *SQLPKG even when accessing another IBM i

IBM i

DataBases

Enter SQL Statements (STRSQL) > SELECT * FROM PROD.CUST > CREATE VIEW CORPDATA.MANAGERS AS SELECT LASTNAME, DEPT FROM CORP.EM WHERE JOB = 'MANAGER' > DELETE FROM PROD.CUST WHERE ID = 78 ===> ________________________________

COBOL/RPG/C

(STRSQL)

*...1....+....2....+....3... C/EXEC SQL C+ DECLARE C1 CURSOR FOR C+ SELECT * FROM CORPDATA.DEPT C+ WHERE JOB = 'MANAGER' C/END-EXEC

Oracle MS SQL MySQL SQLite PostgreSQL SYBASE Excel, CSV and more…

Change Tracker

• Tracks all software changes with NO human intervention- total “foolproof”. Your auditors will love it.

• Tracks in real-time, relies on actual updates to production libraries • Tracks Programs, Modules, Files, etc. object types including source and attributes

• Have a CMS? Change Tracker will record activities made outside the CMS (Change Management System)

• No CMS? Change Tracker satisfies all your auditor’s requirements • Ideal for medium-small shops, essential for large enterprises

Change Tracker

PTF Tracker

• Automatically tracks all PTF activities; apply, remove, current status • Detailed information relates to the PTF (ID, licensed product, release level), transaction (what, when, by who) and all the objects installed by the PTF (name, type, modules)

• Classifies PTF data into site-specific products such as “Upgrade to TR5”

• Built-in, customizable reports and report generator for on-screen, *PRINT and e-mailed HTML, PDF, CSV output

• Multi-LPAR / Multi-Site reporting

PTF Tracker

AP-Journal

• Audit trail of all database and application activity including accesses • Focused on “before/after” changes to critical business items which may span multiple applications (Load Number, Order Number, etc.)

• Extends existing applications with additional application functionality without programming!

• Real-time alerts when data changes by more/less than pre-defined percentage or numeric thresholds

• Timeline history of changes to business items, e.g. all changes to a Mortgage

AP-Journal

Thank You! Visit us at www.razlee.com [email protected]

Thank you

Ronald Rietveld – ABN AMRO Bank Auditing an IBM i - from an auditors point of view

Thank you

Ian Taylor, PKWARE The importance of data encryption

The Importance of Data Encryption

April, 2013

68

About PKWARE Invented the ZIP Standard Over 30,000 customers in Banking, Financial Services, Healthcare, Retail, Government We help companies eliminate risk and cost of security breaches and reduce cost of processing, moving and storing data in physical, virtual and cloud environments.

69

Business Challenges

70

The Business Value We Deliver Reduce costs related to data Improve data center performance metrics Manage issues related to governance, risk and compliance

71

Information Security

72

Information Security Early Days  Data was protected in a “glass house”  Physical security provided confidentiality, integrity and availability

73

Information Security with the Internet  Internet meant more availability  Access control was no longer enough for confidentiality and integrity  Organizations primarily manage static computing devices  They had a corporate network and primarily access corporate assets on that network  The focus was on perimeter security, “keep the bad guys out”

74

Information Security on Enterprise IT DEFENSE IN DEPTH  Network Security (Firewalls, DMZ, VPN)

 Host Security (Authentication, IDS, IPS)  Application Security (SSO, Content Filtering)

 Data Security (Encryption)

75

Information Security and Consumerisation of IT  In 2013, Organizations must manage and secure a growing globally distributed, remote, and mobile computing environment all accessing corporate assets housed within the corporate network.  CIO’s focus is on data center and critical infrastructure security.  Most CIO’s ignore management and securing mobile computing devices to fate and luck.

76

Information Security and the Cloud  Today, Organizations must continue to manage and secure enterprise IT architectures as they have, but also corporate assets and resources housed and maintained in the “cloud”.  Endpoints require access to corporate resources that are housed inside of the corporate network and in the “cloud”.

77

Data Protection Platform Key Mgmt

Federation of Identity

EDiscovery

IRM

DLP

Application Integration Layer File Access Mgmt & Activity Monitoring

Content Classification, Indexing & Search Auditing Reporting Analytics

Policy Management Centralized Administration & Control File Encryption Bulk Encryption zSeries

iSeries

Open System Server

Desktop

Mobile

Platform Coverage 78

Email

Removable Media

Data-centric Security

79

Data Protection Platform Key Mgmt

Federation of Identity

E-Discovery

IRM

DLP

Application Integration Layer File Access Mgmt & Activity Monitoring

Content Classification, Indexing & Search Auditing Reporting Analytics

Policy Management Centralized Administration & Control

File Encryption Bulk Encryption

Mainframe

iSeries

Open System Server

Desktop

Mobile

Platform Coverage 80

Email

Removable Media

Questions and Answers

81

Thank you

Lionel Gross , ABN AMRO Bank Creating and organising Security Blue Prints

« Core Banking » iSeriesSecurity Blueprint

Lionel Gross

What is an iSeries Security Blueprint ? It’s a document, referencing all security setup, on iSeries, on the system itself, all running applications and communications. Following its rules and recommendations, it guarantees the machine is secured. What it talks about: • OS400 settings (system values, …); • User management; • Library & object security; • iSeries hosted applications; • System supervision • Security reporting • iSeries Interfaces and communications; • Operating procedures for all users. • Data recovery

Who in involved by a Security Blueprint ? The Blueprint establishes the privileges and access-rights for : • • • • •

Business users; Security Officer (LISO); Operators (IBM, …); Application profiles; Auditors.

Blueprint – OS400 settings – system values Related to: • Device QLMTDEVSSN, QAUTOCFG, QAUTOVRT, QDEVRCYACN, QDSCJOBITV, … • Audit journal QAUDLVL, QAUDCTL, QAUDFRCLVL, … • Password, QPWDEXPITV, QPWDLVL, QPWDMINLEN, QPWDPOSDIF, • Login (QMAXSIGN, QMAXSIGNACN, QRMTSIGN, ) • Save & Restore QVFYOBJRST, QCRTAUT,

User Management • • • • •

Group & reference profiles User profiles Application and interface profiles Owners Define access to application by menu - Avoiding command line access or arbitrary program execution - Enforcing dual control on menu assignment - Log of changes and reporting - Log of choices

User Management Role based access: group profiles and reference users

User Management Individual OS400 user profiles

User Management High-privilege OS400 user profiles

User Management Application and Interface profiles

Library and object access

Interfaces & Communications

Authorization list

Application setting

XYZ tables relating to user access

Security reporting

iSeries Security Blueprint

Lionel Gross

Thank you

Fred Wijshoff - KPMG Auditing an IBM i - from an auditors point of view

Auditing an IBM i from an auditors point of view information security 18 April 2013

Introduction

Introduction Drs. F.J.A. Wijshoff RE CISA: ■ Since 2005 working for KPMG IT Advisory ■ Manager KPMG IT Advisory ■ Involved in – IT audit; – Data analytics; – Information security (ISO 27001/ISO 27002); – IBM i Security and consultancy;

– Software certification; – ISAE 3402 (previous SAS-70); – Privacy consultancy and scans;

[email protected] Tel: 06-52078832 © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

103

Agenda

Agenda

1. Quick recap from last time: •

What does an IT-Auditor do?



What is Compliance?

2. Why is security business booming? 3. Why is information security important? 4. What is information security? 5. Top 4 reasons for information security issues (on IBM i) and their solutions 6. Information security from an Financial audit point of view;

7. Trends in auditing IBM i; 8. Questions

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

105

1. Quick recap

Recap: what does an IT-Auditor do? (1/2)

■ An IT auditor performes activities to form an independant opinion on a situation. ■ An IT auditor performs the process of collecting and evaluating evidence to determine whether a computer system or IT organization safeguards assets, maintains data integrity, achieves organisational goals effectively and consumes resources efficiently.

In short: An IT Auditor reflects the status of the IT to the organisation. IT Auditing: ■ Independant and impartial assessment. ■ Leading to a clear opinion about the system/environment/organization.

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

107

Compliance - Unified control framework

ISAE 3402

PCIDSS WFT

Ext. audit

Solven -cy II SOX

FSA

Basel II

REACH

Local Privacy Laws

IA

ISO27002

objectives

objectives

objectives

IT Control Framework

Supply

Demand

IT mngmt

Audit

Risk mngmt

Supply controls

Demand controls

IT mngmt controls

Audit controls

Risk mngmnt controls

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

108

Compliance – an example GITC: Access to system resources and utilities is limited to appropriate individuals.

Sox: Each employee is assigned the predefined role(s) and is granted access to the IT components according the matrix.

IT control framework (e.g. based on COBIT): ■ DS5.3 Identity Management ■ DS5.4 User Account Management

Typical controls for the Supply (and Demand) side: ■ Individual user accounts

■ Naming convention for user accounts ■ etc… © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

109

Compliance - IT Control Framework

Def Deficiency # Type Control # Control description TOD Deficiencies (whether identified by YYYY or XXXX) 1 IT GC

LA3

Human Resources provides a list of employee terminations weekly to the IT Organization. T he terminated employee accounts are deactivated within 48 hours of receiving notification from HR.

Description of deficiency

Identified Remedied by by Related COSO managem managem Application Component ent ent

XXXX noted that the control as described is not in All place. Notification by Human Resources is not done on a weekly basis but is done on an ad-hoc basis. T he monitoring mechanisms do not ensure that all accounts are disabled within the prescribed time limit of 48 hours. In addition, from the sample (8) obtained we found that 1 had been open for 2 days, 1 for even a month.

Exists at periodend

Working Working Communicat Reasonable paper paper ion to possibility reference Compensati reference managemen and Significance for ng controls for t and/or magnitude of deficiency additional (1) additional audit of potential (3)

CA

N

N

Y

N

CA

N

N

Y

N

CA

N

N

Y

N

Impact on substantive procedures (4)

Also note, management concluded that the control (T OE) was ineffective due to lack of evidence.

2 IT GC

LA4

HR Personnel / Business owners formally communicate contractor / temporary employee terminations on weekly or as needed basis to IT group who perform timely (within 48 hours) deactivation of user network access.

XXXX noted that the control as described is not in place. T he monitoring mechanisms do not ensure that all accounts are disabled within the prescribed time limit of 48 hours. T he reporting of temps termination is not done in a timely manner by HR and the monitoring mechanism does not ensure that accounts are disabled within a time limit of 48 hours. XXXX also noted that there is no distiction in the process between permanent employees and temporary employees. In the sample of (8) noted in LA3, we found that 1 had been open for 2 days and 1 for a month.

All

Also note, management concluded that the control (T OE) was ineffective due to lack of evidence. 3 IT GC

LA1

IT Management performs a quarterly review of data owner’s list to identify and remove inappropriate access.

T he data owner list is a register (list) where all owners of EU Domain data (eg finance department) are on. When a user wants access to any of the shares where these data resides, the data owner needs to approve of this. It appears that the data owner list is not reviewed at all. Instead, the actual user access to the financial share is reviewed. Management is not reviewing the data owner list. YYYY management tested whether access to the finance share was properly restricted. XXXX did also. XXXX and YYYY's management did not find any inappropriate authorizations on the finance share.

■ In this example: SOX compliancy. (intentionally unreadable) ■ Based on the requirements a control framework was set up and agreed upon with the client. ■ During the IT-audit, the control framework was used to document the deficiencies. © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

110

What does an IT-Auditor actually do? (2/2) Typical audit asignment

3. Test of operational effectiveness

1. Test of design

■ Automated procedure/application control : test of one (mostly already doe during walkthrough)

2. Test of Existence 3. Test of operational effectiveness 4. Write report

■ Manual procedures/ system dependant manual controls:

1. Establish the population; 1. Test of design

2. Establish risk of failure;

■ See that the measure is adequately designed by review of procedures and documentation. (is the setup right?)

3. Define and select a sample of the population 4. Test samples

2. Test of existence ■ See that the measure is actually used. (do a walkthrough of the process)

4. Write report ■ Trivial.

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

111

3. Why is information security important?

Why is security important?

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

113

Causes and costs of IT related security indicents

Causes of critical security incidents

Total recovery cost for security incident 25%

80% 70%

20%

60%

15%

50% 40%

10% 30% 20%

5%

10% 0%

0%

Virussen Ongewenste E-mail Diefstal ICT apparatuur Uitval van kritieke systemen Hacking internetsysteem Onbevoegd toegang Inbraak op de website Inbraak interne systemen Denail of service Attack Brute force aanval Trojan horses Verlies van informatie Fraude Anders

€< € 1.000 € 1.000 - € 5.000 € 5.000 - € 10.000 € 10.000 - € 50.000 € 50.000 - € 100.000 € 100.000 - € 500.000 > € 500.000

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

114

KPMG Data loss barometer: Securitytrends in 2012

Hacking of business last year led to a new record in which confidential information of millions of people has come in the wrong hands. The KPMG Data Loss Barometer shows that worldwide the number of incidents involving confidential information have increased by 40% compared with 2010.

Furthermore, it appears that almost 70% of the incidents are caused by hackers, (people or organizations) who break into computer systems. Hackers increasingly focus on business. Were a number of years medical records and public information were often targeted, hackers now focus mainly on the business. © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

115

3. What is information security?

Wat is information security?

Processing of information is crucial for organisations.

Information security means: controlling risks by means of:

Several risks are connected with information processing (non-limitative):

■ Organisational

■ Data leakage, ■ Information theft, ■ Unauthorized information change,

■ Physical and; ■ Technical measures. Information security is an integral part of the business strategy.

■ Unavailability of information ■ Non-compliance to law and regulations.)

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

117

Examples of measures

Physical measures ■ Camera`s ■ Access gates

ICT ■ Secured server room or external ■ Redundant servers ■ Segregation of networks

Organizational measures

■ Authentication of internal & external users

■ Clean desk policy

■ Continuity planning

■ Policy dealing with social media ■ Use of secured USB sticks

Security of personnel ■ Screening of (new) employees ■ Roles and responsibilities are established ■ User declaration

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

118

Information Security Do we know the value of the assets that are to be protected ?

Is our information protected against Data Leakage or misuse ? Do we comply with privacy legislation/regulation & expectations ?

Do we understand the threats and risks that are around ?

Can we measure and report on security and continuity performance to adequately balance performance versus risks ?

Business & IT Security & Privacy measures

Strategy &

Policy IT controls

People

Processes

• Governance • Organisation • Awareness

• Business & IT Access • IT Operations • IT Development

Monitoring 4. of Security & Continuity Technology • Architecture • Components • Tech trends

framework Business & IT Continuity measures

Protected data

(processing) • Compliance • Events (logging) • Security testing • Contingency testing

Life Cycle Management

Outcome

1.

Outcomes

Business Needs & Expectations

2.

3.

How do we determine that continuity measures are aligned with business needs ?

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

119

119

Information security is not just platform security Information security is more than platform security.

Strategic Value

Client and Industry Experience

Enterprise Organization

Client and Industry Experience Security Subject Matter Specialty

Business Process Application

Data Technical IT Competency

Host Network Physical

Tactical Execution 19 … But platform security stays playing an important role in security! © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

120

Logical access path: multiple layers of security (Esp. on IBM i) Checking the ‘Logical Access Path’. Users

E.g.:

Devices Devices

command line Netw ork security

access

Security in system/ service

Security Security in in application application

E.g: ODBC and ftp

Access control

OS & data

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

121

How can this be accomplished? - ISO 27001 Standard PDCA model • Continuous cycle • Same principle as ISO 9001 (quality management)

PLAN

ACT

DO

CHECK

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

122

ISO 27000 family

27007 27009

27000 Principles and Vocabulary

27006 Business Continuity & Disaster Recovery Services

27001

ISO 27000

ISMS Requirements

Family

27005 ISMS Risk Management

27002 27004

17799 (from April 2007) 27003

ISMS metrics & measurements

ISMS Implementation Guidelines © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

123

Increasing overlaps between different standards

ISO/IEC 20000 ISO/IEC TR 18044:2004 Information Security Incident Management

ISO/IEC 19770 Software Asset Management

ISO 154891:2001 Information and Documentation Records Management

BS 25999 Business Continuity Management

ISO/IEC 27001:2005

ISO/IEC 13335-3:1998 Guidelines for the Management of IT Security

IT Service Management

ISO/IEC Guide 73:2002 Risk Management – Vocabulary

COBIT (v5.0)

(not an exhaustive overview)

What framework to use is not easy to determine © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

124

Trends: COBIT used as an IT Control framework

ISAE 3402

PCIDSS WFT

COBIT:

Ext. audit

Solven -cy II SOX

FSA

Basel II

REACH

Local Privacy Laws

IA

ISO27002

objectives

objectives

objectives

IT Control Framework

Supply

Demand

IT mngmt

Audit

Risk mngmt

Supply controls

Demand controls

IT mngmt controls

Audit controls

Risk mngmnt controls

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

125

IT processes based on Cobit provide an overview of the organization of it and its capability

Cobit reference model

Cobit as IT process model General accepted standard process model

GOALS AND OBJECTIVES

C

O BI

T

F RAME W O RK

ME1 ME2 ME3 ME4

Monitor and evaluate IT performance. Monitor and evaluate internal control. Ensure compliance with external requirements. Provide IT governance.

Integrity

Efficiency Effectiveness Compliance

Availability Confidentiality

Reliability PLAN AND ORGANISE

MONITOR AND EVALUATE

DS1

DS2 DS3 DS4 DS5 DS6 DS7 DS8 DS9 DS10 DS11 DS12

DS13

Define and manage service levels. Manage third-party services. Manage performance and capacity. Ensure continuous service. Ensure systems security. Identify and allocate costs. Educate and train users. Manage service desk and incidents. Manage the configuration. Manage problems. Manage data. Manage the physical environment. Manage operations.

PO1 PO2

INFORMATION

IT RESOURCES

Applications Information Infrastructure People DELIVER AND SUPPORT

Define a strategic IT plan. Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organisation and relationships. PO5 Manage the IT investment. PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects.

AI1 AI2 ACQUIRE AND IMPLEMENT

AI3

AI4 AI5 AI6 AI7

Identify automated solutions. Acquire and maintain application software. Acquire and maintain technology infrastructure. Enable operation and use. Procure IT resources. Manage changes. Install and accredit solutions and changes.

Cobit as a IT governance framework ■ Control Objectives for Information and related Technology (Cobit) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. Cobit’s good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong. Source:

■ Cobit is a general accepted standard for IT processes and is therefore very usefull in assessing the organizations capability. The IT process of Cobit cover four domains – Plan and Organize (PO) – Acquire and Implement (AI) – Deliver and Support (DS) – Monitor and Evaluate (ME)

■ The process focus of Cobit is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an endto-end view of IT. Capability maturity assessment ■ Each selected IT process can be assessed on its capability. Cobit describes for each IT process a maturity model. For the assessment the processes are assessed using the general attributes of the processes. ■ Cobit uses the well know CMM maturity levels to determine the capability of each selected IT process. In line with ITIL ■ When used together, Cobit and ITIL provide a top-to-bottom approach to IT governance and, thus, service management. Cobit guides management’s priorities and objectives within a holistic and complete approach to a full range of IT activities. This can focus all stakeholders (business and IT management, auditors, and IT professionals) on an integrated and common approach.

Cobit 4.1 and ITGI

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

126

Capability Maturity levels acording to DNB

Level 1 – Adhoc, initial

Level 3 – Structured and formalized

NederlandsEngelsFransControls are partially defined, but are inconsistently implemented. The mode of implementation depends on individuals.

Controls are documented and are performed organization-wide in a structured and formalized manner. Evidence of performance of controls is retained and can be demonstrated.

Level 2 – Repeatable, informal

Level 4 – Implemented and periodically Controls are defined and implemented in a assessed structured and consistent but informal manner.. Controls are performed on a structured and formalized manner across the organization. The efficiency and effectiveness of the controls are reviewed and is improved if necessary.

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

127

Cobit Maturity model and DNB

Business

Initial/ Ad Hoc

Repeatable but Intuitive

Defined Process

Managed and Measurable

1

2

3

4

Optimised

5

led

Desired IT process capability

Current IT process capability

Technology driven

Gap between current capability and benchmark peers

DNB Level 3 – Structured and formalized Controls are documented and are performed organization-wide in a structured and formalized manner. Evidence of performance of controls is retained and can be demonstrated.

Gap between current and desired capability Benchmark

DNB requirement: Cobit level 3 for all financial organizations © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

128

DNB made a selection of important Cobit IT processen 210 Control objectives in IT processen below. CO

53 Control objectives in IT processen below deemed important by DNB.

GOALS AND OBJECTIVES

B IT

FRAMEWORK

INFORMATION

ME2 Monitor and evaluate internal control. ME3 Ensure compliance with external requirements. ME4 Provide IT governance.

Efficiency Effectiveness Compliance

Integrity Availability Confidentiality

Reliability PLAN AND ORGANISE

MONITOR AND EVALUATE IT RESOURCES

DS1 Define and manage service levels. DS2 Manage third -party services.

DS11 Manage data. DS12 Manage the physical environment.

PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO9 Assess and manage IT risks.

Applications Information Infrastructure People

DS4 Ensure continuous service. DS5 Ensure systems security. DS8 Manage service desk and incidents. DS9 Manage the configuration.

PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organisation and relationships.

DELIVER AND SUPPORT

ACQUIRE AND IMPLEMENT

AI3 AI4 AI6 AI7

Acquire and maintain technology infrastructure. Enable operation and use. Manage changes. Install and accredit solutions and changes.

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

129

Mapping Cobit processes on to the measures from the code of information security (ISO 27002)

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

130

4. Top 4 reasons for information security issues (on IBM i) and their solutions

Top 4 reasons for security breaches and their solutions 1. Easy guessable passwords: – password = User-id – password = “password1” or “welcome01” – password = name

2. Security is mainly based on menu security, leaving access to database files open: – (e.g. *PUBLIC *ALL or *Change) – Sometimes whole groups have all access.

3. User-id’s are not timely disabled or removed when they are no longer necessary. – E.g. HR department does not timely inform the IT department regarding employees leaving the company. 4. Users get too high authorisation (even temporarily) – E.g. IT department temporarily adds a super user for testing purposes and forgets about it. – System account is created and no one knows why – Account was created (a long time ago) and no one knows whether it can be disabled

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

132

Passwords Easy guessable passwords: – password = User-id – password = “password1” or “welcome01” – password = name

Solution:

Analyze default passwords Action taken against profiles . . . . . . : *NONE User Profile SYNC PROD PBACKUP BCOMM FISXXXXX MM ROUTER SNDCONS EXTDEV

STATUS *ENABLED *ENABLED *ENABLED *ENABLED *ENABLED *ENABLED *ENABLED *ENABLED *ENABLED

PWDEXP *NO *NO *YES *NO *YES *NO *NO *NO *NO

Text Bank XXXXXX XXXXX XXXXXXX XXXXXXX sync user Production Backup Helpdesk FISXXXX Message Monitor For sending consolidation files External Developer

■ QPWD* system values ■ QPWDRULES (Password Rules)

– *REQANY3: 3 from 4: Uppercase, Lowercase, Numeric, and/or a special char.

Easy to audit Test of design and existence. Difficult to Test Operational Effectiveness

Important: ■ Choosing a password should not be made too difficult for end-users as they tend to write things down……. © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

133

Menu security menu security – All kind of services are ‘connectable’

Limit user access: ■ Use the dspusrprf output to check!

– ODBC and ftp – Limited capability parameter

USEADPAUT parameter

– Access to files and databases no problem if you have enough IBM i knowledge.

Shows services running: DSPFCNUSG.

Solution:

■ Listing functions (and their security settings)

■ Limit capability parameter ■ Use adopted authority ■ Limit the access to services

Easy to audit Test of design and existence. Easy to Test Operational Effectiveness (depends on logging)

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

134

User-id’s are not timely disabled User id’s that are not timely disabled

Timely disable users:

– May have high privileges

■ Use the dspusrprf output to check users

– Open up your system to unknown users

■ Request a list of users from HR with users that have left the company that month.

– May interfere with segregation of duties as others might ‘use’ the user profile.

Solution:

■ Additionally: send the usrprf file to HR department once half a year, and let them check and document to you that all users on the list are valid.

■ Link user administration to HR database ■ Set an expiry date on user profiles ■ Set an expiry period on user profiles Easy to audit Test of design and existence. Easy to Test Operational Effectiveness (depends on logging)

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

135

User get too high authorisations User id’s with high authorisations – May have been around a long time – May be that no one knows what the purpose for the account is. – Might have a hard coded password

Check users: ■ Use the dspusrprf output to check user profiles ■ Review audit logging and transactions of highly privileged users.

– interferes with segregation of duties as it is a super user. Easy to audit Test of design and existence. Solution: ■ Do not grant users high authorisations (except if it is really neccessary)

Easy to Test Operational Effectiveness (depends on logging)

■ Set an expiry date on these user profiles!

■ Document need and time for the user profile ■ Enable logging for high authorized users. © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

136

Examples from the field we fotographed

Controlling security risks is for an important part controlling human behaviour. © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

137

Information security from an Financial audit point of view

Platform security – why do we need to look at it in financial audits?

Significant items in compliance reports Covered by the operational or financial (or other) auditor

Business processes

Subject related IT applications

Segregation of Duties & User Controls Application controls

IT Infrastructure services Operating systems

Covered by the IT Auditor

General IT Controls

Databases Network components

Physical facilities

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

139

New trend: Facts to Value (F2V) (More than just security checking)

Significant items in compliance reports Covered by the operational or financial (or other) auditor

Fact 2 value Reporting

Business processes

Subject related IT applications

Segregation of Duties & User Controls Application controls

IT Infrastructure services Operating systems

Covered by the IT Auditor

General IT Controls

Databases Network components

Physical facilities Checking business and IT application controls by downloading and analyzing them. Also Business processes are checked by analyzing business data. © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

140

Trends in auditing IBM i

Trends in the Market ■ More and more clients do not have the expertise to run an IBM i by themselves anymore; ■ Service organisations take care of IT management of i for my clients now mostly at the clients (come by twice a month or so); ■ Some clients have already outsourced their IBM i technical IT management (bigger clients) ■ Even with banks we see that they are outsourcing their IT management (to e.g. KPN, IBM or other parties) ■ We see a trend that customers will outsource their “server-hardware” ■ We see a trend that software developers consider to provide hosting services for the clients; ■ Small step to managed hosting. (actually we are talking already about SAAS).

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

142

Organisations have increasingly a need for assurance when they outsource Corporate Governance

Chain automation

Principles of internal control

Focus on costs and quality

Market developments

Professionalising service

Scharpening of supervision

Accountabel w.r.t. Security and privacy requirements

outsourcing Increase in liability

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

143

What is a Third Party Mededeling?

A Third Party Mededeling (TPM) is a written report with regard to the internal control of the processes of a service organization (e.g. service provider or internal shared service center). This report is issued by an independant and impartial auditor. Third Party Mededeling/ 3000/ ISAE 3402

Service Level Management

Clients &

Service Level Agreement

Service provider

other stake-

or

holders

S.S.C.

Auditor

Third Party Mededeling/ 3000/3402

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

144

New standards to replace SAS70 te vervangen

Service Org. Control 1 (SOC 1)

Service Org. Control 2 (SOC 2)

Service Org. Control 3 (SOC 3)

SSAE16 / ISAE3402 – Service Auditor Guidance

AT 101 / COS & ISAE 3000/ ISAE 3402

AT 101 / COS & ISAE 3000

Restricted Use Report (Type I or 2 report)

Generally a Restricted Use Report (Type I or 2 report)

General Use Report (public seal)

Purpose: Reports on controls for FSA

Purpose: Reports on controls related to compliance or operations

Purpose: Reports on controls related to compliance or operations

Bron: AICPA 2010 (10036-8775) © 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

145

There are 2 kind of 3402-assurance reports

“Moment in time”

“report regarding a certain period”

Type I Statement

Type II Statement

Is a statement of the detected control (controls) and management structure (control structure)

Is a statement of the detected control (controls) and management structure (control structure) that has been working for 6 or 12 months.

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

146

In short: the clients are demanding for more assurance: From trust to proof!

TRUST me

TELL me

Bijlagen:

SHOW me

- Stappen 3000/3402-aanpak - Vergelijking 3000/3402-assurance en ISO-certificerin PROVE me - Contactinformatie

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

147

Information security is important in an outsourced situation also Advantages

Disadvantages

■ Auditors will increasingly rely on the ISAE3402 reports from the clients.

■ Initial cost high

■ More clients will be able to use the report ■ Clients will share the costs

■ Clients will have their auditors less ■ Service organization will be burdened only by ISAE 3402 auditor (not by auditors from clients)

■ Scoping of what goes in the report is important ■ Because of scoping, ISAE3402 reporting will be precisely read by clients (IT) auditors. ■ Clients’ IT auditors will have less work.

■ More internal control for service organization ■ Processes and procedures are formalized

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

148

Questions?

Thank you Presenter’s contact details Fred Wijshoff KPMG IT Advisory N.V. Tel: +31 6 5207 8832 [email protected] www.kpmg.nl

© 2013 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

Thank you

Ronald van Erven, Timeos/PvIB The ever growing danger to your data

Food for thought

The ever growing danger to your data Some food for thought

A little bit about me….. •

Positions: from (security) network/systems manager, IT security officer, security manager, ICT auditor and currently information risk officer (Trust & Continuity Program Manager)



Some certifications next to a BSc in electronics/telecom and MSc in ICT management



Active member with: (setting up the dutch ISC2 chapter)



Follow me on:

[email protected] or cisspnl or +31615584056

Know your “opponents”

Know your “friends” even better..

Your (business) information – New Gold •

Know what your critical information is! – – –



How long can you do without (availability) How important is exclusivity to your business? Can you verify the integrity of your critical information?

What of your critical business information is available or reachable? – Should you use whatsapp for your business contacts? – Should you blog on linkedin your new business ventures? (should your linkedin profile contain a passport compliant picture of you?) – Do you make your business phone calls in the train? (a public place?)



What critical information do you transfer? – – –

Do you use secure mail? Do you encrypt your information? Do you sign your information?

The 1st Step No matter how small your firm, you must know what and where your information assets reside (data / information classification can help you with this)

Thank You Do you want to run something by – just give me a call

A business intelligence agent, cyber warrior or just a “friend”?

Thank you