Security Information & Event Management Blog | SIEM

Guest blog post, z/OS security, from Barry Schrager Part 2 of 7: User Authentication

Posted by Barry Schrager on Jun 30, 2015 12:10:00 PM

Mainframe Security Part 2: User Authentication

bigstock-Login-Sequence-21837038How can a system accurately determine whether access to data should be allowed when it is not certain who the user is? We have seen this in the NSA - Edward Snowden case – he borrowed other administrators’ User IDs and passwords in order to gain access to data that he was not authorized for. Also, people working together sometimes share this information for convenience. But, what does that do for security and accountability? It destroys it. This is a critical situation for any user with access to some segment of an organization’s sensitive data, which is almost everyone these days.

I raised the idea of two-factor identification in my 1974 papers, but the world was different then. 

The idea was, for access to sensitive information, the system entry must be done from a terminal in a location where a guard could authenticate the user and I also suggested fingerprints and even lip-prints. But, the technology was not available then.

Download the 8 PCI DSS Guidlines Whitepaper

The guard approach obviously would not work in today’s Internet-connected world. But, a secondary identification through the use of something like an RSA token or a code sent to a mobile device would provide an additional user validation layer and also limit the sharing of User IDs and passwords for convenience. My concern about biometric secondary validation is that fingerprints, facial recognition, etc. do not change, so, if a hacker obtained the “signature,” a PC could be programmed to deliver it when asked and spoof the user’s identity.

A secondary authentication method would also address the situation where a User ID and password were obtained by looking over someone’s shoulder or monitoring unencrypted connection looking for a User ID/password combination. One thing that shocked me was a statement by Phil Young, aka Soldier of Fortran, that, in an admittedly unscientific study, he found about half of the 3270 connections were unencrypted. This is a huge vulnerability. Click here to view Phil's presentations.

This is how the hacker, Pirate Bay co-founder Gottfrid Svartholm Warg, obtained his initial access to the Logica mainframe and then used a USS vulnerability to enhance his authorities. The Logica system provided services to the Swedish government and Gottfrid was able to obtain access to very sensitive personal data. For more information on this mainframe breach, click here.

So, how many of your mainframe ports are unencrypted? Well, they obviously started out that way decades ago and eliminating the unencrypted connections would have slightly inconvenienced users for a short time, but why are they still available for use? Sit down with the configuration people and determine if your installation still has unencrypted ports/connections, what the risk is for each and how to remediate the exposure.

Security Event Correlation May Have Helped...

The next step towards your protection is a regular analysis of system accesses looking for abnormal patterns. One of the examples I raised in 1974 was multiple sessions from a user from two different locations that could not be accomplished, such as one session that originated in Chicago and another that originated in New York City an hour or two later. With today’s vast internet connectivity, this may be just due to how the user connected, but analysis would raise a red-flag. In the NSA Snowden case, his co-workers were sharing their identifications with him and, if they did not happen to be in the same location, the IP addresses would have indicated suspicious behavior that needed to be followed up on.

More to come in Part 3

Topics: insider threat, automated threat detection; event log management;, Log Management, enterprise SIEM system, indexing and storing data

Subscribe via Email

Connect with CorreLog