Vulnerabilidades en Tandem: Propuestas XYGATE

Tamaño: px

Comenzar la demostración a partir de la página:

Download "Vulnerabilidades en Tandem: Propuestas XYGATE"

Rodrigo Botella Rojo
hace 8 años
Vistas:

1 Vulnerabilidades en Tandem: Propuestas XYGATE MEXTUG 2012 Manuel Sunderland Ibero América

2 Problemas comunes en Tandem 1. Administrar seguridad de objetos solo con SFG es muy engorroso 2. SFG por si solo, no es suficiente para autenticar 3. SFG es inadecuado para validar construcción de contraseñas fuertes 4. SAFECOM no es intuitivo 5. Usuarios privilegiados (ie. 255,255) se comparten a menudo y se usa PROGID mucho 6. Hay demasiadas fuentes de auditoria, difíciles de unir o consolidar 2

SFG es inadecuado para validar construcción de contraseñas fuertes 4. SAFECOM no es intuitivo 5.

3 Problemas comunes en Tandem 7. Dificultad para alertar y enviar eventos a cajas externas (SIEM) 8. Dificultad de observar eventos casi en tiempo real 9. Dificultad p/reportar eventos en bitácoras 10.Dificultad p/revisar parámetros de seguridad 11.Dificultad para adherirse a las mejores prácticas y cumplir con PCI 12.Datos confidenciales (ie. PAN) se guardan a menudo en claro 3

Dificultad de observar eventos casi en tiempo real 9.

4 Problemas comunes en Tandem 13.La generación y administración de llaves de encripción es con frecuencia un proceso manual 14.Hay llaves que se re-utilizan o comparten 15.Datos confidenciales en diversos canales de comunicación a menudo están en claro 16.Llaves que no se cambian hasta que ocurre un problema 4

proceso manual 14.Hay llaves que se re-utilizan o comparten 15.

5 Preguntas que exponen vulnerabilidades potenciales Se utilizan ALIAS en SFG? Se asignan varios ALIAS al mismo UserID? Se comparten UserIDs? Se forza la expiración de contraseñas? Está disponible el 255,255 a otros usuarios? Cumple SFG con la política de manejo de fallas en LOGON? SFG configurado con mejores prácticas? 5

6 Preguntas que exponen vulnerabilidades potenciales Se sabe que archivos usan el PROGID? Cuáles usan LICENSE? Hay archivos huérfanos? Se permite a usuarios SUPER.* manejar el SPOOLER? ETC Ver documentos en Consultar los libros de XYPRO 6

Hay archivos huérfanos? Se permite a usuarios SUPER.

7 Políticas de Seguridad Las Instituciones tienen políticas de seguridad, verdad? Todos saben que las deben tener Fácil hablar acerca de ellas Los auditores lo exigen, pero Y si las tenemos, se cumplen? Lo sabemos? Además está PCI!! 7

8 Cumplir con PCI requiere XYGATE Hay 12 requerimientos en PCI-DSS 2.0 (Oct 10) La mayoría aplican al HP NonStop Algunos no se pueden cumplir en Tandem XYGATE ayuda con los requerimientos aplicables XYGATE simplifica el cumplimiento cuando otros métodos son imprácticos 8

cumplir en Tandem XYGATE ayuda con los requerimientos aplicables

9 Mission Critical Security Solutions for Dynamic HP NonStop Environments 9

Access Control Access Control Highly-granular, privileged access management o o Individual Accountability Keystroke Logging Privileged Access Management Command and sub-command control Multiple

10 Access Control Access Control Highly-granular, privileged access management o o Individual Accountability Keystroke Logging Privileged Access Management Command and sub-command control Multiple levels of security: Action, Process, $CMON, Spooler, Audit Eliminate shared ID usage o o No shared admin access (e.g., no multiple users of SUPER.SUPER) Employ the principle of Least Privilege Individual accountability o With keystroke logging capability ACLGroup management o Manage access by Job Function group for simplified administration 10

ID usage o o No shared admin access (e.g., no multiple users of SUPER.

11 Persistent Process Keystroke Audit Individual Accountability OSS Support Improved Productivity Role Based Security Command Control 11

12 12

Compliance Security Policy Development Configuration Monitoring Compliance Alerting PCI, HIPAA, SOX Automatic analysis o Entire NonStop security configuration and file integrity monitoring Compliance

13 Compliance Security Policy Development Configuration Monitoring Compliance Alerting PCI, HIPAA, SOX Automatic analysis o Entire NonStop security configuration and file integrity monitoring Compliance comparison o Pre-configured with thousands of industry best practice settings and specific regulations including PCI, HIPAA, and SOX Configurable to each customer s security policy o Analysis, detection, alerting and reporting based on your corporate security policy 13

with thousands of industry best practice settings and specific regulations including PCI, HIPAA, and SOX Configurable

14 14

15 Cumplir con PCI requiere XYGATE 15

Audit Consolidated NonStop security information o Collect, merge, filter and normalize NonStop audit data Audit Event monitoring Consolidated Security Data Event Monitoring o Audit

16 Audit Consolidated NonStop security information o Collect, merge, filter and normalize NonStop audit data Audit Event monitoring Consolidated Security Data Event Monitoring o Audit Reporting Interface to SIEMs Configurable, rules-based event monitoring and alerting Audit reporting o Comply with regulatory audit requirements Interface to HP ArcSight and other enterprise SIEMs 16

Reporting Interface to SIEMs Configurable, rules-based event monitoring and alerting Audit

events to the XMA database and off the server.

17 XYGATE Merged Audit (XMA) Safeguard EMS Measure ODBC/MX JDBC/MX Merged Audit SQL Database XYGAT E Filter Processing ACI BASE24 XMA Alerts and Events , SNMP, EMS, Syslog, Custom HP HLR Filter events and configure alerts to send events to the XMA database and off the server. Optional plug-in products are available to collect events from ACI BASE24 logs or HP s HLR Application HP ArcSight SIEM New! Integration with HP s industry leading solution HP ArcSight SIEM 17

18 Report Manager Provides easy to use interface for reporting tasks 18

19 Reportes pre-definidos Available PCI reports are listed by PCI DSS 1.2 section ID 19

20 Definir el criterio The user can supply criteria to further filter the results shown 20

21 Controlar el formato The user can choose from predefined report layouts. 21

22 P.Ej.: Cambios en Safeguard 22

23 P.Ej.: Reporte de Logon 23

24 P.Ej.: Violaciones al acceder 24

25 Componentes de XMA Data Movers 25

Safeguard Management Dynamic object-based security o Automatically apply security based on object protection rules and patterns o What-if testing mode o Self-documenting Advanced security admin tools

26 Safeguard Management Dynamic object-based security o Automatically apply security based on object protection rules and patterns o What-if testing mode o Self-documenting Advanced security admin tools o Comprehensive GUI interface to Safeguard, OSS, and SQL/MX security Safeguard Management Advanced o Security Manage Admin Tools password policy compliance and synchronize all passwords Single Sign-On Extend authentication for single sign-on with LDAP, RSA, etc. Safeguard Audit Information Safeguard audit information 26

27 27

28 28

Database Management Advanced tools for SQL/MX, SQL/MP, and Enscribe o Simplified database administration tools with a modern GUI o Visual query builder Monitoring and auto reload o Monitor database

29 Database Management Advanced tools for SQL/MX, SQL/MP, and Enscribe o Simplified database administration tools with a modern GUI o Visual query builder Monitoring and auto reload o Monitor database health, detect disorganized files, and automatically reload Partition analysis Database Management o Analyze key-sequenced files Report creation and management SQL/MX, SQL/MP, Enscribe Storage Management Partition Analysis Monitoring and Correction Reporting 29

Data Security Encryption for data-in-transit and data-at-rest o SSL and SSH support for all TCP/IP communications o Encryption software library (FIPS 140-2 validated) o Key Management Stateless

30 Data Security Encryption for data-in-transit and data-at-rest o SSL and SSH support for all TCP/IP communications o Encryption software library (FIPS validated) o Key Management Stateless Tokenization o Avoids shortcomings of traditional tokenization solutions o Supports a wide-range of token formats Format-preserving Encryption o Supports data of any format o Encrypts all or any part of a value o Preserves referential integrity o No schemas (DDL) or structured data table changes Data Security FIPS Validated Encryption Format-Preserving Encryption Tokenization Masking 30

31 Format-Preserving Encryption (FPE) Driver s License Credit Card Tax ID RAMIRJM-302JA FPE BETJJKL-288TU AES 8juYE%UWjaks&dDFeruga2345^WFLERG Ija&2924kUEF65%QarotugDF2390^32 ZLllkdiI3&3#a45Ija8v%Jm<1Pa Supports data of any format Credit Card, Social Security, Bank Account, Generic Alphanumerics, Dates, etc. Maintain rules such as credit card checksums Encrypts all or part of a value e.g., first 6, last 4 preserved Preserves referential integrity Allows encrypted data to be used as database indices & foreign keys Enables searching on encrypted data without performance impact 31

Device-centric Authentication Multi-factor authentication o Authenticates user s device with uniquely expandable and flexible multi-attribute device key o Expands to provide independent transaction

32 Device-centric Authentication Multi-factor authentication o Authenticates user s device with uniquely expandable and flexible multi-attribute device key o Expands to provide independent transaction verification Device-Centric Authentication Exceptional user experience Multi-Factor Authentication Transaction Protection o Requires no user interaction or response Strong, Scalable, Transparent o Sub-second device authentication Purpose-built for integration o Secure service API for easy integration with existing solutions 32

33 Device-centric Multi-Factor Authentication Delivers customer protection against the most dangerous threats & online fraud attacks: Key loggers Stolen cookies and user credentials Phishing attacks Circumvented KBA and Risk-based authentication Man in the middle attacks Man in the browser attacks 33

34 Identity Management Integrate NonStop with enterprise identity management Any LDAP Identity Managem ent System Add, Alter, Delete, Freeze, and Thaw User, Alias, and Group Identity Management Enterprise Identity & Access Management (IAM) Adaptors for HP NonStop Server 34

35 Key Features Authentication, User Security Management, Password Management, Group Management Standard LDAPv3 Interface Risk Reduction, Policy and Regulatory Compliance, Increased operational efficiency, Reduced administration costs, Improved Security Extends current technology investments 35

36 Partnerships Business and Technology 36

aggregation On Platform Security Data at rest

37 En Resumen XYGATE provée Enterprise Key Management Data in motion encryption Compliance audit aggregation On Platform Security Data at rest encryption Audit Reports Alerts Audit Reports SIEM Device Audit Reports 37

38 XYPRO Technology Corporation 38

Documentos relacionados

La identidad en banca Gestión de Identidad en la banca on-line

La identidad en banca Gestión de Identidad en la banca on-line Alejandro García Nieto, CISA, CISM, PCI-DSS QSA Responsable de Servicios de Seguridad IBM Introducción 2 Qué nos dicen los analistas Blissful