Date posted: 03-Jul-2020
Page 1: PCI 3.2 and how to address it on z/OS

VANGUARD SECURITY & COMPLIANCE 2016

Brian Marshall

Vice President Development

CST01

PCI 3.2 and how to address it on z/OS

SECURITY & COMPLIANCE CONFERENCE 2016

Page 2

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view

these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution,

exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard SecurityCenter, Vanguard Offline, Vanguard Cleanup, Vanguard PasswordReset, Vanguard Authenticator, Vanguard inCompliance, Vanguard IAM, Vanguard GRC, Vanguard QuickGen, Vanguard Active Alerts, Vanguard Configuration Manager, Vanguard Configuration Manager Enterprise Edition, Vanguard Policy Manager, Vanguard Enforcer, Vanguard ez/Token, Vanguard Tokenless Authenticator, Vanguard ez/PIV Card Authenticator, Vanguard ez/Integrator, Vanguard ez/SignOn, Vanguard ez/Password Synchronization, Vanguard Security Solutions, Vanguard Security & Compliance, Vanguard zSecurity University

Legal Notice

Page 3

The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:

CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.

Legal Notice

Page 4

Session Topics

• Introductions

• What is PCI DSS – History

• High Level Overview

• Requirements of interest for mainframe

• PCI DSS 3.1 / 3.2

• Top z/OS® vulnerabilities mapped to PCI

• PCI requirements – how to meet them on z/OS

• Q/A

Page 5

What is PCI DSS?

• What is PCI DSS – Payment Card Industry Data Security Standard

• Set of standards created by the PCI Security Standards Council

• Enforced by contract with banks that provide payment card processing

• Applicable to everyone who “stores, processes or transmits” payment card data

Page 6

PCI DSS History

• A brief history of PCI DSS

• The PCI Security Standards Council

• Formed September 7, 2006

• Founded by: American Express, Discover Financial Services, JCB International, MasterCard International, VISA

Page 7

PCI DSS History

• Payment Card Industry Data Security Standard (PCI DSS)

• Was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

• PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Page 8

PCI DSS Requirements

• High-level Overview of the 12 PCI DSS Requirements

• 01. Install and maintain a firewall configuration to protect cardholder data

• 02. Do not use vendor-supplied defaults for system passwords and other security parameters

• 03. Protect stored cardholder data

• 04. Encrypt transmission of cardholder data across open public networks

Page 9

PCI DSS Requirements

• High-level Overview of the 12 PCI DSS Requirements

• 05. Use and regularly update antivirus software

• 06. Develop and maintain secure systems and applications

• 07. Restrict access to cardholder data by business need-to-know

• 08. Assign a unique ID to each person with computer access

Page 10

PCI DSS Requirements

• High-level Overview of the 12 PCI DSS Requirements

• 09. Restrict physical access to cardholder data

• 10. Track and monitor all access to network resources and cardholder data

• 11. Regularly test security systems and processes

• 12. Maintain a policy that addresses information security

Page 11

PCI DSS Procedures

• Detailed PCI DSS Requirements and Security Assessment Procedures

• The following defines the column headings for the PCI DSS requirements and security assessment procedures

• PCI DSS Requirements - Defines the data security standard requirements. PCI DSS compliance is validated against these requirements.

• Testing Procedures - Shows processes to be followed by the assessor to validate that PCI DSS requirements have been met and are “in place”

Page 12

PCI DSS Procedures

• Guidance - Describes the intent or security objective behind each of the PCI DSS requirements, contains guidance only, and is intended to assist understanding of the intent of each requirement.

The guidance in this column does not replace or extend the PCI DSS requirements and testing procedures

Page 13

Requirements of Interest for Mainframe

• Req. 1.1.3 – requirement for a current diagram that shows all cardholder data flows across systems and networks

• Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed or transmitted within the network

• Network (1.1.2) and cardholder data-flow diagrams (1.1.3) help an organization to understand and keep track of the scope of their environment by showing how cardholder data flows across networks and between individual systems and devices

Page 14

Requirements of Interest for Mainframe

• PCI Requirement 5, "Use and regularly update anti-virus software or programs", mandates that comprehensive measures are in place for detecting, removing, and protecting all known types of malicious software that can seriously threaten the safety and security of system components within the cardholder data environment (CDE), and all other systems commonly affected by malware

Page 15

What is a z/OS “System Component”

1st Systems Programmer | 2nd Systems Programmer | RACF Engineer | RACF Administrator
Master Catalog | SDSF | The RACF Database | Dataset Profiles
APF Authorized Datasets | Session Managers | Copies of the RACF database | General Resource Profiles
LINKLIB Datasets | SYS1.UADS Dataset | SETROPTS Settings | User ID Attributes
User Catalogs | WebSphere | RACF CDT | Group Connect Authorities
RACF Database | JES2 / JES3 | RACF Classes | Role Based Access
Parmlib Datasets | OMEGAMON | General Resource Profiles | Database Administrator
Multi-User Access Systems | WebSphere MQ | Encryption Keys | IMS Databases
z/OS Security Patches | DFSMS | Group Membership | DB2 Databases
System Proclibs | SVC’s | Privileged Userids | DB2 Table Trace
Started Tasks | CICS System Datasets | RACF Exits | Oracle Databases
SYS1.Parmlib | DB2 System Datasets | RACF Tables | RACF Classes for DB2
SMF Log Files | IBM Comm Server | IRR Prefixed Utilities | IDMS
System Exits | Vendor Security Products | Logging Parameters | QSA & Compliance Officers
ICSF Encryption Keys | Magnetic Tape | ?

Page 16

PCI Requirements

• Requirement 2.2 develop Configuration Standards for all System Components

Page 17

PCI Requirements

• https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=5

Page 18

PCI DSS 3.1 Changes

• PCI SSC Bulletin on Impending Revisions to PCI DSS, PA-DSS

• To ensure the continued strength and integrity of PCI Standards for payment data protection, the Council has ongoing processes for monitoring threats and vulnerabilities and for updating the standards as necessary.

• The National Institute of Standards and Technology (NIST) has identified the Secure Sockets Layer (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as no longer being acceptable for protection of data due to inherent weaknesses within the protocol.

Page 19

PCI DSS 3.1 Changes

• PCI SSC Bulletin on Impending Revisions to PCI DSS, PA-DSS

• Because of these weaknesses, no version of SSL meets PCI SSC’s definition of “strong cryptography,” and revisions to the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) are necessary.

Page 20

PCI DSS 3.1 Changes

• What is the Issue with SSL/TLS?

• SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel.

• Since the release of SSL v3.0, several vulnerabilities have been identified, most recently in late 2014 when researchers published details on a security vulnerability (CVE-2014-3566) that may allow attackers to extract data from secure connections.

Page 21

PCI DSS 3.1 Changes

• More commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), this vulnerability is a man-in-the-middle attack where it’s possible to decrypt an encrypted message secured by SSL v3.0.

• The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE.

• SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels.

Page 22

PCI DSS 3.1 Changes

• A padding oracle attack is an attack which is performed using the padding of a cryptographic message.

• In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive
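The two bullets above describe a padding oracle in the abstract. The Python script below is an added worked example, not part of the Vanguard deck, that runs a CBC padding-oracle attack end to end against a local oracle. Everything in it is this example's own construction: the block cipher is a hypothetical 4-round Feistel network keyed through SHA-256 (a stand-in for AES so the script needs only the standard library), the padding is PKCS#7 rather than SSLv3's looser last-byte-only scheme, and the "oracle" is simply a function that reports whether a ciphertext's padding decrypted cleanly. The attack never sees the key; it recovers the plaintext byte by byte from that single bit of feedback, which is why the PCI bulletin quoted above says the flaw cannot be remediated in the protocol as it stands.

```python
"""Added example (not code from the Vanguard deck): a CBC padding-oracle attack against
a local oracle. The block cipher is a hypothetical SHA-256-keyed Feistel stand-in for
AES and the padding is PKCS#7, not SSLv3's; both are this example's assumptions."""
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # keyed round function of the toy 4-round Feistel cipher, 8-byte output
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # returns IV || C1 || C2 ... with PKCS#7 padding applied first
    padded, iv = pkcs7_pad(plaintext), os.urandom(BLOCK)
    prev, out = iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    prev, out = ciphertext[:BLOCK], b""
    for i in range(BLOCK, len(ciphertext), BLOCK):
        out += _xor(toy_decrypt_block(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return pkcs7_unpad(out)

def make_padding_oracle(key: bytes):
    """The server side of the flaw: the only thing it leaks is whether padding was valid."""
    def oracle(ciphertext: bytes) -> bool:
        try:
            cbc_decrypt(key, ciphertext)
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(oracle, ciphertext: bytes) -> bytes:
    """Recover the plaintext of an IV-prefixed CBC ciphertext from the oracle's yes/no alone."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(target), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos  # padding value forced onto positions pos..15
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # A hit on the last byte may be an accidental longer pad (02 02, ...):
                    # disturbing the byte to its left must leave a true 01 pad valid.
                    forged[pos - 1] ^= 0x80
                    still_valid = oracle(bytes(forged) + target)
                    forged[pos - 1] ^= 0x80
                    if not still_valid:
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted a padding byte")
        recovered += _xor(inter, prev)
    return pkcs7_unpad(recovered)

def demo() -> bytes:
    # encrypt a constructed sample record under a random key, then recover it via the oracle
    key = os.urandom(32)
    secret = b"PAN=4111111111111111 EXP=12/20"  # constructed sample, not real cardholder data
    return padding_oracle_attack(make_padding_oracle(key), cbc_encrypt(key, secret))
```

Calling demo() returns the sample record without the key ever leaving the oracle. The guard on the last byte of each block is the part people get wrong: an oracle may accept a guess because the decrypted tail happens to read 02 02 rather than 01, so the byte to its left is disturbed and the query repeated before the guess is trusted. Swapping the toy cipher for AES changes nothing in the attack, which is the point the bulletin is making about SSLv3.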

Page 23

PCI DSS 3.1 Changes

• What is the Issue with SSL/TLS – (cont)

• Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol

Page 24

PCI DSS 3.1 Changes

• What is a Risk Mitigation and Migration Plan?

• The Risk Mitigation and Migration Plan is a document prepared by the entity that details their plans for migrating to a secure protocol, and also describes controls the entity has in place to reduce the risk associated with SSL and early TLS until the migration is complete.

• The Risk Mitigation and Migration Plan will need to be provided to the assessor as part of the PCI DSS assessment process

Page 25

PCI DSS 3.2 Changes – Published 4/28/16

• The PCI SSC has announced that the PCI DSS has reached a point of maturity. Consequently, it no longer plans to release major revisions to the standard on a three-year cycle, but will instead issue releases more often with fewer changes between them.

Page 26

PCI DSS 3.2 Changes

• Appendix A2: Mitigation of SSL and early TLS must be completed by June 30, 2018

• 8.3 Multi-factor authentication requirements for accessing the cardholder data environment is required for ALL non-console administrative access and all REMOTE access (previously it was only required for remote access)

• A3.2.4 Service providers must perform penetration testing on segmentation controls every 6 months

• 10.8.1 Requires service providers to detect and document failures of critical security control systems (Best Practice until June 30th 2018)

Page 27

PCI DSS 3.2 Changes

• Requires new documentation surrounding the cryptographic architecture of a business.

• 12.4.1 – Aims to establish that executive management of service providers is responsible for the protection of cardholder data

• New requirements 12.11 and 12.11.1 for service providers to perform quarterly reviews of personnel to ensure employees are actually following the security procedures in place

Page 28

“Identifying Not in Place Requirements”

• Vanguard Findings Mapped to PCI Requirements

Page 29

Meeting PCI Requirements on z/OS

Page 30

Focus on PCI DSS 10 and 11

• PCI DSS Requirements 10 and 11 should be the focus for RACF® Administrators and SYSPROGS

• 10. Track and monitor all access to network resources and cardholder data

• 11. Regularly test security systems and processes

• Some Requirements “Not Our Problem”

• 9. Restrict physical access to cardholder data

• 9.1.1 Use video cameras and / or access control mechanisms to monitor individual physical access to sensitive areas

Page 31

Focus on PCI DSS 10 and 11

• 10.1 Link Access to System Components to Individual Users

• RACF SMF Type 80 Events 2.x

mvssysb RACF: Event: 2.3 - RESOURCE ACCESS: Warning Message Issued - Timestamp: 12034 17:44:52.27 - UserID: xxxxxx - Group: RESTRICT - Auth: Normal check - Reas: AUDIT option - Term: TCPB2922 - Job: xxxxxx - Res: SYS1.USER.PROCLIB - Req: UPDATE - Allow: READ - Type: DATASET - Prof: SYS1.USER.** - Name: CHARLES MILLS

Page 32

Focus on PCI DSS 10 and 11

• Formatted for SIEM

• Security Information and Event Management System

• How your enterprise already tracks security events

• Other than mainframe?

• Compliance the #1 driver for SIEM sales

• PCI DSS the #1 compliance driver

• MSSP = SIEM in the Cloud

• Managed Security Service Provider

Page 33

What do SIEMs do?

[Diagram: routers, firewalls, Unix hosts and other sources feeding the SIEM]

• Sophisticated correlation

• IP Location

• Real-time Text alerts

• Service desk Integration

• Query and Search

• Reports

• Compliance

• Forensic archive

Page 34

Or Use Conventional Reports

Page 35

Focus on PCI DSS 10 and 11

• 10.2.1 Access to Cardholder Data

• SMF 14

Jul 22 15:50:59 MVSSYSA DS_Input: WorkType: T - JobNm: DV237A - RdrTime: 2016-07-22T19:50:59.120 - DDN: SYS00001 – DSN=TEST1.CREDIT.TESTDATA

• SMF 119 Subtype 70 – FTP Server Complete

Mar 26 17:32:46 mvssysb TCP/IP: Subtype: FTP server complete - Op: Retrieve - FileType: SEQ - RemtDataIP: ::ffff:10.31.0.209 - UserID: RX239JB - DStype: HFS - Start: 11037 22:32:45.21 - Dur: 0.78 - Bytes: 56324 - DSN: /u/rx239jb/Source/Fields.C - Security: {Mech: None - CtlProt: None - DataProt: None - Login: Password}

Page 36

Focus on PCI DSS 10 and 11

• What about IND$FILE

May 28 16:18:10 MVSSYSB CorreLog: SubT: IND$FILE Audit - SubCmd: GET - DSN: SYSP.ACCOUNT.DATA - Type: Sequential - RdrTime: 2015-05-28T20:16:41.164 - UserID: DEV013 - Name: John Jones - Group: RESTRICT - RemtIP: 129.42.38.1 - JobID: TSU00637 - TermNm: NVA00076 - Dur: P00:00:22.660

Page 37

Focus on PCI DSS 10 and 11

• 10.2.2 Actions by Individuals with Administrative Privileges

• SETROPTS SAUDIT and SMF 80

Jul 12 12:42:08 MVSSYSC RACF: ALTUSER: No Violations - Auth: SPECIAL - Group: SYS1 - JobNm: WVH2 - Owner: SYS1 - Name: VINCE HAMMOND - Reas_Special: Yes - RdrTime: 2016-07-11T18:20:16.200 - POE: LCL701 - POEclass: Terminal - SessType: TSO Logon - TermNm: LCL701 - UserID: WVH2 - CmdUserID: WVH2 - Segment: {Name: OMVS - SubKeyWd: UID - Data: 0} - Segment: {Name: OMVS - SubKeyWd: SHARED}

Page 38

Focus on PCI DSS 10 and 11

• 10.2.4 Invalid Logical Access Attempts

• RACF SMF Type 80 Events 1.x

Jul 11 14:33:19 MVSSYSA RACF: INIT/LOGON: Password Expired - Auth: None - Violation: Yes - Group: TSOHOLD - JobNm: NVPRHUB3 - Pgm: NIS - Name: FRANK WILLIAMS - Reas_Verify: Yes - RdrTime: 2016-07-08T14:10:06.970 - UserID: DV221A

• RACF SMF Type 80 Event 2.1

Jul 5 10:23:32 MVSSYSC RACF: RESOURCE ACCESS: Insufficient Auth - Auth_Normal: Yes - Auth: Normal check - Violation: Yes - Group: TSOHOLD - Vol: PREP51 - Type: DATASET - Res: JCP.DEV.RELPREP.R740A.CLIST - Prof: JCP.DEV.** - Owner: DEVCGC - Req: READ - Name: ALLEN BURG - Allow: NONE - Reas_Audit: Yes - RdrTime: 2016-07-05T14:04:54.580 - POE: TCPP0641 - POEclass: Terminal - SessType: TSO Logon - UserID: DEVAG1

Page 39

Focus on PCI DSS 10 and 11

• 10.2.4 Invalid Logical Access on DB2

• DB2® Trace IFCID 140

Jul 24 14:43:07 MVSSYSA DB2: Subsys: DA1L - IFCID: 140 - IFCID_D: Authorization failures - AuthID: RU018A - Conn: BATCH - CorrID: RU018BDD - Trans: RU018BDD - WrkSta: BATCH - Plan: DSNTP410 - LUWID: USASG.NA01DA1L.d1176529545f.1 - AuthIDType: AuthID - Lang1: Dynamic - ObjType: User auth - Priv: Explain - SrcQual: CORE1010 - Src: NEWPHONE - Sql: SELECT * FROM CORE1010.NEWPHONE - POE: INTRDR - Group: RESTRICT - Node: JES2SYSA

Page 40

Focus on PCI DSS 10 and 11

• 10.2.5 Changes to Authentication Mechanisms

• …including but not limited to creation of new accounts and elevation of privileges – and all changes, additions or deletions to accounts with root or administrative privileges

• ALTUSER to OMVS UID 0

Jul 24 14:56:00 MVSSYSA RACF: ALTUSER: No Violations - Auth_Special: Yes - Auth: SPECIAL - Group: SYS1 - JobNm: IBMUSER - Owner: SYS1 - Reas_Special: Yes - RdrTime: 2016-06-28T19:31:44.730 - POE: LCL701 - POEclass: Terminal - SessType: TSO Logon - TermNm: LCL701 - UserID: IBMUSER - CmdUserID: WVH3 - Segment: {Name: OMVS - SubKeyWd: UID - Data: 0}

Page 41

Focus on PCI DSS 10 and 11

• 10.2.6 Initialization of Audit Logs

• SET SMF Command – SMF Type 90 Subtype 5

Jul 25 13:00:14 MVSSYSC System Status: SubT: SET SMF - MAXDORM: P00:30:00.000 - Status: T01:00:00.000 - JWT: P04:00:00.000 - Sysid: SYSC - Opts: {LISTDSN, NOPrompt, NOSMF30COUNT, LASTDS(MSG), NOBUFFS(MSG), SID} - IPL: 2016-07-25T07:53:53.470 - BUFSIZMAX: 0128M - BUFUSEWARN: 25 - DSN: SYS1.SYSC.MAN1 - DSN: SYS1.SYSC.MAN2 - DSN: SYS1.SYSC.MAN3 - Subsys: {Name: SYS - Detail: Yes - Interval: P00:49:60.000 - Exits: IEFU29 IEFUTL IEFUJI IEFUSO IEFUJP IEFUSI IEFUJV IEFACTRT IEFU85 IEFU84 IEFU83} - Subsys: {Name: OMVS - Detail: Yes - Interval: P00:49:60.000 - Exits: IEFU85 IEFU84 IEFU83} - Subsys: {Name: STC - Detail: Yes - Interval: P00:49:60.000 - Exits: IEFUTL IEFUSO IEFUJP IEFU85 IEFU84 IEFU83 IEFU29 IEFACTRT}

Page 42

Focus on PCI DSS 10 and 11

• 10.2.7 System Level Objects

• SMF 42

Mar 26 05:22:09 mvssysb DFSMS: Action: Add/Replace - JobNm: SYS013B - Step: $TSUSER - Proc: $TSUSER - DSN: SYS1.PARMLIB - Flag: Replace - Mem: IEAAPF00 - UserID: SYS013B - POE: TCPB2931 - Group: RESTRICT

• DB2 Trace IFCID 92

Jul 24 14:58:57 MVSSYSA DB2: Subsys: DA1L - IFCID: 97 - IFCID_D: AMS exit - AuthID: RU018B - Conn: UTILITY - CorrID: RU018BDL - UserID: RU018B - Trans: RU018BDL - WrkSta: UTILITY - OpID: RU018B - Plan: DSNUTIL - LUWID: USASG.NA01DA1L.d11768b3358e.8 - Cmd: DEFINE CL(NAME(CL(NAME(DA1LDB.DSNDBC.CORED10U.NEWPHONE.I0001.A001)NOERASE LIN OWNER(SY002A ) RUS SPEED CISZ( 4096)) DATA (NAME(DA1LDB.DSNDBD.CORED10U.NEWPHONE.I0001.A001) KB(00001440 00000720) OWNER(SY002A ) SHR(3,3) RUS VOL('* ' ));

Page 43

Focus on PCI DSS 10 and 11

• 10 Track Access to Resources and Cardholder Data

• 10.3 Record at least the following audit trail entries for all system components for each event: User identification, Type of event, Date and time, Success or failure indication, Origination of event, Identity or name of affected data, system component, or resource.

• 10.4 Using time synchronization technology, synchronize all critical system clocks and times and implement controls for acquiring, distributing, and storing time

• 10.5 Secure audit trails so they cannot be altered

• 10.6 Review logs for all system components related to security functions at least daily. Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.

• 10.7 Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis

Page 44

Focus on PCI DSS 10 and 11

• 11.5 File Integrity Monitoring

• SMF Type 15, 42 and 64

mvssysb FIM: JobNm: xxxxxxx - DDN: OUTDD - DSN: xxxxxx.PREPROD.V660.OBJLIB - Member: INEXIV12

• SMF Type 80 Event 2.0

mvssysb RACF: Event: 2.0 - RESOURCE ACCESS: Successful Access - UserID: xxxxxx - Group: QAL - Auth: Normal check - Reas: AUDIT option - Term: TCPQ2912 - Job: xxxxxxx - Res: SYS1.DEVL.PARMLIB - Req: UPDATE - Allow: UPDATE - Vol: ESACAT - Type: DATASET - Prof: SYS1.DEVL.** - Owner: SYS1 - Name: xxxx xxxxxxxx - POE: TCPQ2912
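The SMF records reproduced on the 10.2.x, 10.3 and 11.5 slides above all share the same "Key: Value - Key: Value" SIEM layout, with {...} sub-records for RACF segments and FTP security settings. The Python module below is an added example, not code from the Vanguard deck or from any Vanguard or IBM product: it parses that layout, maps each record to the PCI DSS control it evidences (10.2.2 administrative action, 10.2.4 invalid access, 10.2.5 elevation to OMVS UID 0, 10.2.7/11.5 change to a system-level dataset, and an unprotected FTP transfer for Requirement 4), and then checks that the record carries the audit-trail elements 10.3 asks for. The sample records are abridged from the slides' own examples plus one constructed deficient record; the control mapping, the list of what counts as a system-level dataset (names ending in .PARMLIB, .PROCLIB or .LINKLIB) and the field-to-10.3 correspondence are this example's assumptions.

```python
"""Added example, not Vanguard or IBM code: parse the SIEM-formatted SMF records shown in
the deck, map them to PCI DSS 10.2.x / 11.5 / 4 evidence and check the 10.3 audit fields.
Control rules, dataset patterns and field mappings are this example's own assumptions."""
from __future__ import annotations
import re
from typing import Any

# optional "Mon DD HH:MM:SS", then host, then source ("RACF", "DFSMS", "TCP/IP", ...), then body
_HEADER = re.compile(r"^(?:(\w{3} +\d{1,2} \d\d:\d\d:\d\d) )?(\S+) (.+?): (.*)$")
SYSTEM_DATASET_SUFFIXES = (".PARMLIB", ".PROCLIB", ".LINKLIB")  # assumption: "system-level objects"

def _split_top(text: str) -> list[str]:
    """Split on ' - ' at brace depth 0 so {...} sub-records stay intact."""
    parts, depth, cur, i = [], 0, "", 0
    while i < len(text):
        ch = text[i]
        depth += (ch == "{") - (ch == "}")
        if depth == 0 and text.startswith(" - ", i):
            parts.append(cur)
            cur, i = "", i + 3
            continue
        cur, i = cur + ch, i + 1
    parts.append(cur)
    return parts

def _parse_fields(text: str) -> dict[str, Any]:
    fields: dict[str, Any] = {}
    for part in _split_top(text):
        key, _, value = part.partition(": ")
        if value.startswith("{") and value.endswith("}") and ": " in value:
            value = _parse_fields(value[1:-1])  # nested record, e.g. Segment: {Name: OMVS - ...}
        if key in fields:  # repeated keys (DSN, Segment) collect into a list
            fields[key] = (fields[key] if isinstance(fields[key], list) else [fields[key]]) + [value]
        else:
            fields[key] = value
    return fields

def parse_record(line: str) -> dict[str, Any]:
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line[:40]!r}")
    when, host, source, body = m.groups()
    fields = _parse_fields(body)
    event = next((k for k in fields if k != "Event"), "")  # RACF puts the event code before its name
    return {"time": when, "host": host, "source": source, "event": event, "fields": fields}

def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [] if v is None else [v]

def pci_controls(rec: dict[str, Any]) -> list[str]:
    """PCI DSS controls this record is evidence for (the mapping is this example's own)."""
    f, hits = rec["fields"], []
    if f.get("Violation") == "Yes" or f.get("IFCID") == "140":
        hits.append("10.2.4")  # invalid logical access attempt (RACF violation or DB2 auth failure)
    if f.get("Auth") == "SPECIAL" or f.get("Auth_Special") == "Yes":
        hits.append("10.2.2")  # action taken with RACF SPECIAL (administrative) authority
    if any(isinstance(s, dict) and s.get("Name") == "OMVS" and s.get("SubKeyWd") == "UID"
           and s.get("Data") == "0" for s in _as_list(f.get("Segment"))):
        hits.append("10.2.5")  # elevation to OMVS UID 0, i.e. root on z/OS UNIX
    dsn = (_as_list(f.get("DSN") or f.get("Res")) or [""])[0]
    replaced = rec["source"] == "DFSMS" and f.get("Action") == "Add/Replace"
    written = f.get("Req") in ("UPDATE", "ALTER", "CONTROL") and f.get("Allow") not in (None, "NONE")
    if (replaced or written) and dsn.upper().endswith(SYSTEM_DATASET_SUFFIXES):
        hits.append("10.2.7/11.5")  # member replaced in, or write access granted to, a system dataset
    sec = f.get("Security")
    if isinstance(sec, dict) and sec.get("DataProt") == "None":
        hits.append("4.1")  # FTP data connection unprotected: a Requirement 4 issue if CHD is involved
    return hits

def missing_10_3(rec: dict[str, Any]) -> list[str]:
    """10.3 audit-trail elements the record lacks (which field satisfies which is an assumption)."""
    f = rec["fields"]
    present = {
        "user identification": f.get("UserID") or f.get("AuthID"),
        "type of event": rec["event"],
        "date and time": rec["time"] or f.get("RdrTime") or f.get("Timestamp") or f.get("Start"),
        "success or failure": f.get("Violation") or f.get("Allow") or f.get("IFCID_D") or f.get(rec["event"]),
        "origination": f.get("POE") or f.get("Term") or f.get("TermNm") or f.get("RemtIP")
                       or f.get("RemtDataIP") or f.get("Conn") or f.get("JobNm"),
        "affected resource": f.get("Res") or f.get("DSN") or f.get("Src") or f.get("Mem") or rec["host"],
    }
    return [name for name, value in present.items() if not value]

# Abridged from the slides' own examples; the last record is constructed to show a 10.3 gap.
SAMPLE_RECORDS = [
    "Jul 24 14:56:00 MVSSYSA RACF: ALTUSER: No Violations - Auth_Special: Yes - Auth: SPECIAL - Group: SYS1 - JobNm: IBMUSER - RdrTime: 2016-06-28T19:31:44.730 - POE: LCL701 - POEclass: Terminal - UserID: IBMUSER - CmdUserID: WVH3 - Segment: {Name: OMVS - SubKeyWd: UID - Data: 0}",
    "Jul 11 14:33:19 MVSSYSA RACF: INIT/LOGON: Password Expired - Auth: None - Violation: Yes - Group: TSOHOLD - JobNm: NVPRHUB3 - RdrTime: 2016-07-08T14:10:06.970 - UserID: DV221A",
    "Jul 5 10:23:32 MVSSYSC RACF: RESOURCE ACCESS: Insufficient Auth - Auth: Normal check - Violation: Yes - Type: DATASET - Res: JCP.DEV.RELPREP.R740A.CLIST - Prof: JCP.DEV.** - Req: READ - Allow: NONE - POE: TCPP0641 - UserID: DEVAG1",
    "Mar 26 05:22:09 mvssysb DFSMS: Action: Add/Replace - JobNm: SYS013B - DSN: SYS1.PARMLIB - Flag: Replace - Mem: IEAAPF00 - UserID: SYS013B - POE: TCPB2931 - Group: RESTRICT",
    "Mar 26 17:32:46 mvssysb TCP/IP: Subtype: FTP server complete - Op: Retrieve - RemtDataIP: ::ffff:10.31.0.209 - UserID: RX239JB - Start: 11037 22:32:45.21 - DSN: /u/rx239jb/Source/Fields.C - Security: {Mech: None - CtlProt: None - DataProt: None - Login: Password}",
    "mvssysb RACF: Event: 2.0 - RESOURCE ACCESS: Successful Access - Res: SYS1.DEVL.PARMLIB - Req: UPDATE - Allow: UPDATE - Type: DATASET",
]

def analyze(lines: list[str]) -> list[tuple[list[str], list[str]]]:
    """(controls evidenced, 10.3 elements missing) for every record."""
    return [(pci_controls(r), missing_10_3(r)) for r in map(parse_record, lines)]
```

Running analyze(SAMPLE_RECORDS) tags the ALTUSER record as both 10.2.2 and 10.2.5 (a SPECIAL user granted UID 0), the two RACF violations and nothing else as 10.2.4, the IEAAPF00 replacement in SYS1.PARMLIB as 10.2.7/11.5, the FTP retrieve as an unprotected transfer, and reports that the constructed last record carries no user, timestamp or point of origin, which is exactly the sort of gap a QSA reads 10.3 against. Feeding the records straight into a SIEM rule set is the same logic; the parser is the part that is usually missing on the mainframe side.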

Page 45

Help and Questions

• Here are some helpful websites

• Requirements and Security Assessment Procedures

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

• PCI SSC Data Security Standards

https://www.pcisecuritystandards.org/security_standards/index.php

Page 46

Help and Questions

• Vanguard Integrity Professionals

• Requirements and Security Assessment Procedures

www.go2vanguard.com

[email protected]

+1 877 794 0014

+1 702 794 0014

Page 47

Questions

Page 48

Thank you!

SECURITY & COMPLIANCE CONFERENCE 2016

