z/os Security - FTP Logon Failures

Transcription

1 Page 1 of 5 CLEVER Solutions Empowering Global Enterprise z/os Security: FTP Logon Failures Dear Cathy, Does your business have a laissez faire attitude toward z/os security? Most companies do because the executives keep hearing that the z/os system can't be hacked. Historically internal security departments have not done a good job of including the z/os system in their evaluations, audits, and tests. Note that Black Hat, the premier hacker conference, has taken an interest in z/os, expanding the knowledge of hackers worldwide to the z/os environment. Our last communication on z/os IDS resulted in questions on other security topics. Let's look at FTP Logon Failures. Lauraʹs Corner z/os Security: FTP Logon Failures FTP Operation Both internal and external hackers try to find vulnerable systems that will give them access to business assets. Because of the idiosyncrasies of the z/os operating system, many security professionals believe it is more secure than other systems. This is a false sense of security because many of the applications running on z/os are the same applications that run on other operating systems like UNIX, Linux, and Windows. Does a hacker need to understand the operating system in order to gain access to a system? No! Let's look at FTP as an example. FTP is built on a client-server architecture and uses separate control and data connections between the client and the server. FTP users may authenticate themselves using a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or

2 Page 2 of 5 SSH File Transfer Protocol (SFTP) is sometimes also used instead, but is technologically different. FTP login utilizes a normal username and password scheme for granting access. The username is sent to the server using the USER command, and the password is sent using the PASS command. If the information provided by the client is accepted by the server, the server will send a greeting to the client and the session will commence. If the server supports it, users may log in without providing login credentials, but the same server may authorize only limited access for such sessions. Monitoring FTP Logon Failures How many of you consistently monitor your FTP logons for failures? Do you assume that it is just reporting users who forgot their password, left the keylock on, or were typing fast and hit an incorrect key? This may have been an acceptable assumption in the past, but today keeping old assumptions can result in high risk to the business. Pressures from external hackers trying to gain access to your systems and internal hackers (normally disgruntal employees) is growing. Remember it doesn't take a security guru to hack systems! Tools like Hydra, FTP Password Kracker, and Brutus are readily available for download. There is a 10 minute YOUTUBE video explaining how easy it is to hack an FTP system. In February of 2014 a group of hackers began distributing lists of over 7,000 FTP site credentials including the New York Times and UNICEF. Keep in mind that a hacker, especially an external hacker, is patient and it is not unusual for them to take months and sometimes years to gather information in order to launch an attack. Motive for a hacker to upload a file to your system Add malware to applications Add new HTML files that would change websites Embed links in spam Add malicious links to web sites redirecting web users to other sites Download business confidential files from the FTP server Monitoring the FTP Server Logon Failures can help identify anomalies which can be investigated further to determine if they are related to hacking or not. Important information to capture of a failed FTP Server Logon Field Why Should You Monitor Result Client User ID FTP Session ID Remote IP Address Understand who is attempting the FTP logon This is a critical piece of information for tracking purposes. Understand the origin of the logon request. If this a user who does not normally access this system this might be an indicator that they are accessing for malicious deeds. This piece of information can be followed through system logs and other management systems to follow the trail of this logon attempt. Is this coming from an internal or external user, which will impact the processes used in further investigation. If this is from a hacker,

3 Page 3 of 5 Reason for Failed Logon Session Terminated before password was entered Password is not valid Password has expired User ID has been revoked User does not have server access Excessive bad passwords User ID is unknown Recognize the progression of a hackers reconnaissance efforts. it will be critical to determine their location and bring them to justice. A hacker may go through a progression of steps starting with attempting to determine the User ID format used. While this is occurring you may see both the User ID is unknown and Session Terminated messages. Once a valid User ID is determined the password is not valid, password has expired, excessive bad passwords, or password is revoked may be seen. Once a complete User ID and Password is known you might see user does not have access. This information is needed over a potentially long period of time, so it must be kept and accessible during the investigation process. CleverView for TCP/IP provide this level of detail with both real time and historical views as shown below. Case Study In early 2014 it was reported that a group of hackers were circulating a list with thousands of FTP server credentials from business of all sizes. What is interesting is that these businesses did not know that hackers had been doing reconnaissance work on their system for quite some time, collecting user IDs and passwords in a variety of ways. Not all of the information was correct, but a significant amount was correct and included some very sophisticated password schemes. In some cases, hackers used the credentials to access FTP servers and upload malicious files. In other instances, they placed files on FTP servers that incorporate malicious links directing people to scam websites. Using monitoring and digital forensic techniques on FTP Server Logons should help more companies avoid getting on FTP hacker lists. Collecting this critical data over time with proper analytics will offer more protection for your corporation.

4 Page 4 of 5 CLEVER Solutions! CleverView for ctrace Analysis provides an impressive breadth of technical support capabilities while still maintaining a low TCO. As the collected information expands in a multi-architecture environment, the need to restrict viewable data is necessary to improve operator productivity. Its diagnostic capabilities allow companies to simplify trace collection, enhance diagnostic efforts, and accelerate virtualization deployment, all while reducing costs and improving service level performance. It is also used by IT forensic analysts to determine details on security breaches, like FTP breaches, in order to trace the attack to its origins. CleverView for TCP/IP helps performance analysts, operations personnel, knowledge workers, system programmers, and capacity planners effectively monitor performance, and plan for the future. Its superior performance monitoring makes it the ultimate choice for large z/os systems undergoing wide scale Business Services transformation. FTP Server Logon Failure messages can be captured and displayed with the SessionLog function. Real-time monitoring and alerts to potential problems with in-depth historical reporting of activity and trends, make CleverView for TCP/IP a performance, availability and security management tool. Need More Information? If you would like more information on CLEVER Solutions, please visit our Website. If you are interested in setting up an interactive Webinar, or would like to schedule a free 30-day trial, click on the highlighted area to fill out a web based request form, send us an , or call us at (650) or (650) To ensure you receive future editions of the AES Newsletter, simply add news@aesclever.com to your address book. CleverView, CLEVER, CLEVER Mobile, CLEVER TCP/IP, CLEVER eroute, CLEVER ctrace, CLEVER Buffer, CLEVER Web, CLEVER/SNA and CLEVER eperformance are registered trademarks of Applied Expert Systems, Inc. CLEVERDetect is a trademark of Applied Expert Systems, Inc. The IBM logo, Business Partner emblem, zenterprise, z/os, and z/vm are trademarks of International Business Machines Corporation in the United States, other countries, or both. The HP Business Partner logo is a trademark of Hewlett-Packard Development Company, L.P. The Red Hat Ready ISV Partner logo is a trademark of Red Hat, Inc. in the U.S. and other countries. Used under license. The Novell PartnerNet Silver Partner logo is a trademark of Novell, Inc. in the

5 Page 5 of 5 U.S. and other countries. Microsoft and the Microsoft Partner Network logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Android is a trademark of Google Inc. BlackBerry, RIM, Research In Motion, SureType, SurePress and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. Used under license from Research In Motion Limited. ios is a trademark or registered trademark of Cisco in the U.S. and other countries and is used by Apple under license. All other trademarks are the property of their respective owners. Forward This was sent to news@aesclever.com by news@aesclever.com Update Profile/ Address Rapid removal with SafeUnsubscribe Privacy Policy. AES 149 Commonwealth Drive Menlo Park CA 94025