MultiValue Security
Credits and Acknowledgements
Presenters
• Nik Kesic, Principal Technical Support Engineer
• Steve O’Neal, Principal Sales Engineer
Developers & Reviewers
• Jing Cui, Principal Software Engineer
• John Jenkins, Senior Technical Support Engineer
• Nik Kesic, Principal Technical Support Engineer
• Joan Dunn, Senior Education Consultant
©2015 Rocket Software, Inc. All Rights Reserved.
MV Security
The Cloud offers great opportunity for disruption in the business world by
offering ways to create, test, and deploy applications with greater reach
and more simplicity than ever before. Come learn about the Cloud and
how Rocket MV is helping you get SaaS-y with capabilities such as
Account Based Licensing, RESTful APIs, and micro-services.
MV Gets SaaS-y
News articles that spotlight data breaches and security flaws are growing at an alarming rate.
Not only are the demands for security increasing, but the requirement to comply with industry
standards such as PCI-DSS and HIPAA/HITECH is now a condition of continuing to do business.
In this session, the presenter will take you through a journey outlining major news stories on data
breaches and the dark tricks, such as social engineering and card data harvesting, that criminals
commonly use to cause damage. We will talk about the many SSL security flaws, including
Heartbleed, POODLE, and FREAK. You will also hear about one operating system provider’s
direction that has forced major security policy changes, as well as about the audit requirements
you must meet to face future security challenges and keep doing business. The session will also
highlight how the Rocket MV product family can help you fortify your data and meet compliance
requirements.
Agenda
Security breaches
IT infrastructure vulnerabilities
Trends and industry standards
APT - Advanced Persistent Threat
Top 10 threats 2015
MV security offering
Resources
Security Breaches of 2014
P.F. Chang’s - ceased electronic processing of cards and reverted to
using so-called “knuckle busters,” mechanical card presses.
Sally Beauty Supply - Hacked by the same gang that hacked
Target
ACME Markets - Discovered malicious software installed on
networks
Michaels Stores - About 3 million customer debit and credit cards
were acknowledged stolen
Goodwill Industries - Credit card information at approximately 330
stores had been compromised
Security Breaches of 2014
Jimmy John’s - An intruder stole log-in credentials from Jimmy John’s point-of-sale vendor
Neiman Marcus - Malicious software (malware) was clandestinely installed
on the system
The Home Depot - 56 million card records were hacked
Target Corporation - Around 70 million holiday shoppers had their card data
compromised
JPMorgan Chase - The New York Times reported that 76 million households
and 7 million small businesses were involved
http://www.cutimes.com/2014/10/06/10-biggest-data-breaches-of-2014-so-far
Security Breaches of 2015
Hacking Team - Exploits put hundreds of millions of Flash
users at risk
Ashley Madison - Ensnares 37 million cheaters
Anthem - Breach affected about one-in-three Americans
IRS - Data breach led to hackers taking tax returns
OPM - More than 22 million government workers now
vulnerable to blackmail
http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/
Security Breaches of 2015
Kaspersky - Attacked, but reputation dinged
LastPass - Saw potentially millions of passwords accessed
CVS, Walgreens - Hit by credit card breach
Carphone Warehouse - Tops UK breach list
UCLA Health - Failed to encrypt 4.5 million records
IT Infrastructure Vulnerabilities
Heartbleed
• Discovered April 2014
• Exposed the TLS Heartbeat extension vulnerability
• Data could be read, such as:
Private keys
Users' session cookies
Passwords
• This issue did not affect versions of OpenSSL prior to 1.0.1
• Rocket Software U2 products must be at OpenSSL 1.0.1m
IT Infrastructure Vulnerabilities
ShellShock
• Disclosed on September 24, 2014
• Exposed bash shell vulnerability
• OS vendors released fixes
• Rocket Software MV did not produce a variant of bash for its
products
IT Infrastructure Vulnerabilities
Poodle
• Disclosed April 2014
• Causes client connections to fall back to SSL 3.0
• A man-in-the-middle attack
• Rocket Software U2 products must be at OpenSSL 1.0.1m
IT Infrastructure Vulnerabilities - Freak
Freak
• Disclosed on March 3, 2015
• Exposed weak ciphers
• Attackers could intercept data streams
• Rocket Software U2 products must be at OpenSSL 1.0.1m
IT Infrastructure Vulnerabilities – LogJam
LogJam
• Disclosed on May 20, 2015
• Exposed weak ciphers
• Allows a man-in-the-middle attacker to force the client and server to
use a weak cipher
• Rocket Software U2 products must be at OpenSSL 1.0.1m
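Each of the four slides above ends with the same requirement: the U2 products must be at OpenSSL 1.0.1m. The following is an added Go example, not code from the slides or from the U2 products, that checks an installed build against that bar and handles the letter patch in 1.0.x version numbers, which a plain string comparison gets wrong; the `openssl version` output lines it is written against are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// OpenSSLVersion is a 1.0.x-style version: three numbers plus an optional letter patch,
// so 1.0.1 < 1.0.1a < ... < 1.0.1m < 1.0.2 (a plain string compare gets this wrong).
type OpenSSLVersion struct {
	Major, Minor, Fix int
	Patch byte // 'a'..'z', or 0 when the release has no letter
}

var versionRe = regexp.MustCompile(`\b(\d+)\.(\d+)\.(\d+)([a-z]?)`)
// ParseOpenSSLVersion accepts a bare version ("1.0.1m") or the whole line printed by
// `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" (a constructed sample).
func ParseOpenSSLVersion(s string) (OpenSSLVersion, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return OpenSSLVersion{}, fmt.Errorf("no OpenSSL version in %q", s)
	}
	var v OpenSSLVersion
	v.Major, _ = strconv.Atoi(m[1]) // the pattern guarantees plain digits
	v.Minor, _ = strconv.Atoi(m[2])
	v.Fix, _ = strconv.Atoi(m[3])
	if m[4] != "" {
		v.Patch = m[4][0]
	}
	return v, nil
}

// rank maps a version to an integer that preserves OpenSSL ordering; every field is
// far below its radix (minor and fix below 100, the patch letter below 128).
func (v OpenSSLVersion) rank() int {
	return ((v.Major*100+v.Minor)*100+v.Fix)*128 + int(v.Patch)
}

// MeetsMinimum reports whether an installed build satisfies a required version;
// the slides set the bar at 1.0.1m for the U2 products.
func MeetsMinimum(installed, required string) (bool, error) {
	have, err := ParseOpenSSLVersion(installed)
	if err != nil {
		return false, err
	}
	need, err := ParseOpenSSLVersion(required)
	if err != nil {
		return false, err
	}
	return have.rank() >= need.rank(), nil
}
```

Feed it the first line of `openssl version` on each server that hosts a U2 product; anything that reports false is below the slides' requirement.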
Trends and Industry Standards – Microsoft
Microsoft policy change
Microsoft Root Certificate Program
• SHA1 not allowed after January 1, 2016
Disabled security protocols
• SSL 3.0 will be disabled
• TLSv1.0 questionable
Trends and Industry Standards - Java
Oracle Java policy change
Starting with the January 20, 2015 Critical Patch
Update releases
• Java Runtime Environment has SSLv3 disabled by
default
• JDK 8u31
• JDK 7u75
• JDK 6u91
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
Trends and Industry Standards - PCI
“… SSL and early TLS are not considered strong
cryptography and cannot be used as a security control
after June 30, 2016. Prior to this date, existing
implementations that use SSL and/or early TLS must
have a formal Risk Mitigation and Migration Plan in
place. Effective immediately.”
Trends and Industry Standards - HIPAA
Follows NIST 800-52
• SSL v3 must not be used
• TLS v1.0 acceptable for interoperability with non-government systems
• TLS v1.1 and TLS v1.2 (TLS v1.2 recommended)
• Only recommended ciphers to be used
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
Top Threats for 2015
5. Third-party attacks
4. Mobile malware
3. Social media attacks
2. Sophisticated DDoS attacks
1. IoT: The Insecurity of Things
APT (Advanced Persistent Threat)
Set of stealthy and continuous computer
hacking processes
Usually targets organizations and/or nations for
business or political motives
Processes require a high-degree of stealth over a
long period of time
Example of APT - Stuxnet computer worm
APT (Advanced Persistent Threat)
APT Life Cycle
Targets specific organizations for a singular objective
Attempt to gain a foothold in the environment (common
tactics include spear phishing emails)
Use the compromised systems as access into the target
network
Deploy additional tools that help fulfill the attack objective
Cover tracks to maintain access for future initiatives
MV Software Solution – The Key Paradigm
Confidentiality, integrity and availability
Confidentiality
• Limiting information access and disclosure to authorized
users
Integrity
• The trustworthiness of information resources
Availability
• Information resources remaining accessible to authorized users when they are needed
MV Software Solution – The Key Paradigm
Data in transit
• Information we send and receive
Data in use
• Data being actively processed by an application
Data at rest
• In our hardware systems
• On backup / archive
Automatic Data Encryption
Tightly integrated into the UniData and UniVerse engines
Support in UniData and UniVerse components including
clients, backup utilities, transaction logging, and replication
Robust key and password management
Flexible encryption modes
Easy to manage by Graphical User Interface (GUI) tools
and utilities
Automatic Data Encryption
[Architecture diagram, labels only: U2 Applications; users through U2 clients; U2 Engine with U2 BASIC Engine, Data Access and Query Processing; Encryption Engine; Key Manager and Key Cache; Master Key, Key Store and Wallet; Encryption Metadata; Audit Trail; Unencrypted Data and Encrypted Data; DB / Sys Admin using XAdmin, uvregen, confcmd and encman.]
SSL
Secure Sockets Layer (SSL) / Transport Layer Security (TLS)
• OpenSSL (the basis of U2 SSL/TLS and encryption): software libraries that are an
open-source implementation of the SSL and TLS protocols and provide cryptographic
functions to software systems
• SSL/TLS allows us to send and receive encrypted information
• With the correct, validated certificate, parties can be certain that they are talking to
the intended party, and that data has not been maliciously changed during transmission
©2015 Rocket Software, Inc. All Rights Reserved.
Encryption in BASIC Programs
Data Encryption can encrypt data in the U2 data
servers, and this encryption extends to all copies of
the data
Lightweight (application-level) encryption:
UniBasic or UniVerse BASIC ENCRYPT()
• Very simple to implement
• Relies upon ongoing application development
• Key distribution needs management (signature / digest)
[Diagram: Securing Data in Use, Transit, and at Rest. Labels only: a Client Application (can be any technology on the client: scripts, BASIC, C#, Java) on the Internet / Extranet talks over SSL to a U2 RESTful Service, U2 JPA Server, U2 Web Services or U2 WebDE, each connected over SSL to the U2 Server; a Telnet Client on the Intranet connects over SSL or SSH. Encryption process (labelled "4 World Process"): ENCRYPT() with KEY and IV encrypts and encodes ADDRESS, DOB and SSN, and a Decrypt subroutine reverses it. The CUSTOMER record at rest keeps @ID, FNAME, LNAME, CITY, STATE, ZIP and PHONE as ASCII and ADDRESS, DOB and SSN encrypted. Sample record from the slide: @ID 104357, FNAME Neddy, LNAME Seagoon, ADDRESS 4700 S Syracuse St, CITY Denver, STATE CO, ZIP 80237, PHONE 800-426-4357, DOB 12/31/1967, SSN 123-45-6789, with ADDRESS, DOB and SSN shown as ciphertext in the stored copy.]
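The field-level scheme that the ENCRYPT() slide and the diagram describe, as an added Go example that is not code from the slides or from the U2 products: ADDRESS, DOB and SSN are sealed with AES-128-GCM under a key and a random IV and base64-encoded so they fit ASCII attributes, the other attributes are stored in the clear, and the GCM tag serves as the integrity digest so the decrypt subroutine fails closed on a tampered value. The Record type, the attribute names and the 16-byte demo key used in the test are assumptions; in practice the key would come from the key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Record is the slide's customer record (attribute name -> value); only ADDRESS, DOB
// and SSN are kept encrypted at rest, every other attribute stays ASCII.
type Record map[string]string
var protectedAttrs = map[string]bool{"ADDRESS": true, "DOB": true, "SSN": true}

// NewFieldCipher builds the AES-GCM instance; a 16-byte key selects AES-128.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField stores random IV || ciphertext || GCM tag, base64 encoded so it fits an
// ASCII attribute (the slide's "Encrypt" then "Encode"); the tag is the integrity digest.
func EncryptField(gcm cipher.AEAD, plaintext string) (string, error) {
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(iv, iv, []byte(plaintext), nil)), nil
}

// DecryptField reverses EncryptField and fails closed on a tampered or truncated value.
func DecryptField(gcm cipher.AEAD, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed encrypted attribute")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}

// ProtectRecord applies f (EncryptField for the at-rest form, DecryptField as the
// decrypt subroutine) to the protected attributes and copies every other one unchanged.
func ProtectRecord(gcm cipher.AEAD, r Record, f func(cipher.AEAD, string) (string, error)) (Record, error) {
	out := Record{}
	var err error
	for k, v := range r {
		out[k] = v
		if protectedAttrs[k] {
			if out[k], err = f(gcm, v); err != nil {
				return nil, err
			}
		}
	}
	return out, nil
}
```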
Audit Logging – UniVerse Only
UniVerse Audit Logging is designed to be:
• Comprehensive – Covers all types of resources and operations
• Flexible – Can be configured according to event types and
through various policies, as well as before or after starting the
system
• Secure – The configuration file is encrypted and can be
protected by a password, if desired. The Audit Log file is
protected from illegal use and you can also encrypt its content
Audit Logging
UniVerse Audit Logging implementation provides the
following features:
Classifies events and resources, and audits them based on the classification
Enables you to configure the location and number of audit files before
UniVerse starts
Allows you to customize U2 database auditing without having to stop and
restart UniVerse
Writes audit records to a UniVerse hashed file or group of files
Protects the audit file against unauthorized access and modification
Automatic Data Encryption
File-level encryption
• Provides at rest encryption of a file using AES-128
String-level encryption
• Encrypts arbitrary strings using built-in BASIC functions
SSL
MVSP APIs
• Allows access to the database through a variety of languages
• SSL may be enabled when establishing the connection
BASIC
• Allows SSL sockets using built-in BASIC functions
Audit Logging
Uses triggers to run a program when an event occurs
All platforms (AIX, Linux, Windows)
• callr (trigger on item read)
• callx (trigger on item update)
• callo (trigger on file open)
• yupt (simple, built-in, program-less trigger on item update)
Audit Logging
Windows specific
• calle (trigger on clear-file)
• callc (trigger on file close)
• calld (trigger on delete-file)
SSH
AIX and Linux
• SSH is in OS
Windows
• Any commercial SSH server may be used (e.g. Cygwin)
Call for Action - Upgrade
UniVerse and UniData using OpenSSL 1.0.1m
• UniVerse 11.2.4
• UniVerse 11.2.5 Strongly Preferred
• UniData 7.3.7
• UniData 8.1.0 Strongly Preferred
Call for Action - Upgrade
• wIntegrate 6.3.7
• SBClient 6.3.3
• ODBC 32/64 bit build UCC-3156
• U2 Client Toolkit (U2 data client, UODOTNET)
• U2 DB TOOLS 4.x
SSH
AIX and Linux
• SSH is in OS
Windows
• Any commercial SSH server may be used (Pragma Fortress)
Summary
Information security is vital to all business
Security starts from the top and everyone must pitch in
Education and training are key to success
Choose solutions in line with your business goals
Know the threats
Use proper countermeasures
Implement defense-in-depth and defense-in-layers
Familiarize yourself with MV security features
MV Premier Services and MV Professional Services have
experience implementing secure solutions
Other MVU Security Sessions
D3 Security Deep Dive
Managing the SSL Process
UniVerse Audit Logging
Create a Data Encryption Strategy Using ADE
Additional Resources
Find further information
• U2 Documentation set http://www.rocketsoftware.com/resource/u2-technical-documentation
Links
• https://www.rocketsoftware.com
• https://technet.microsoft.com/
• https://www.oracle.com
• https://openssl.org
• https://www.hhs.gov
• http://www.rocketsoftware.com/training-and-professional-services/rocket-u2
Contacts
• u2askus@rocketsoftware.com
• u2support@rocketsoftware.com
Disclaimer
THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.
WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED
IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.
IN ADDITION, THIS INFORMATION IS BASED ON ROCKET SOFTWARE’S CURRENT PRODUCT PLANS AND STRATEGY,
WHICH ARE SUBJECT TO CHANGE BY ROCKET SOFTWARE WITHOUT NOTICE.
ROCKET SOFTWARE SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR
OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION.
NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF:
• CREATING ANY WARRANTY OR REPRESENTATION FROM ROCKET SOFTWARE (OR ITS AFFILIATES OR ITS OR
THEIR SUPPLIERS AND/OR LICENSORS); OR
• ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF
ROCKET SOFTWARE.
Trademarks and Acknowledgements
The trademarks and service marks identified in the following list are the exclusive properties of Rocket Software,
Inc. and its subsidiaries (collectively, “Rocket Software”). These marks are registered with the U.S. Patent and
Trademark Office, and may be registered or pending registration in other countries. Not all trademarks owned by
Rocket Software are listed. The absence of a mark from this page neither constitutes a waiver of any intellectual
property rights that Rocket Software has established in its marks nor means that Rocket Software is not owner of
any such marks.
Aldon, CorVu, Dynamic Connect, D3, FlashConnect, Pick, mvBase, MvEnterprise, NetCure,
Rocket, SystemBuilder, U2, U2 Web Development Environment, UniData, UniVerse, and
wIntegrate
Other company, product, and service names mentioned herein may be trademarks or service marks of
others.