Mainframe Security featuring CA-Top Secret
by Chad Barker
February, 2002
version 1.3

Copyright SANS Institute. Author Retains Full Rights. © SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rights.

Introduction

This document will provide an overview of the current (2002) status of mainframe security and a detailed understanding of the CA-Top Secret mainframe security product. It will also provide an overview for using Top Secret and an in-depth guide for auditing and reviewing Top Secret security.

Mainframes Today

With the surge in technological advances and the big push for distributed systems, one would assume that mainframes are dying a quick death. Technology leaders seem to be pushing to move legacy applications off the mainframe to midrange systems. However, this is not necessarily the case. Many companies are still using mainframes today, and many of them are looking for ways to integrate the mainframe with their client-server networks.

Many of the legacy mainframe applications are still an integral part of a company's revenue stream or back-office systems. The cost and difficulty of re-engineering these applications is forcing companies to keep their mainframes around. And because system integration is often critical to a company's success, it is becoming more important to integrate the mainframe and midrange applications. IBM has added significant functionality to their mainframe.
Mainframes can now serve as a firewall, run e-commerce systems, support TCP/IP, use LDAP to secure access to directory information, and run UNIX (Korzeniowski). While mainframe security is generally considered more secure than other platforms, this new mainframe functionality has introduced greater security risks. Luckily, there are several security packages specifically developed for mainframe security. The three main products are:

IBM's Resource Access Control Facility (RACF)
Computer Associates' Access Control Facility 2 (ACF2)
Computer Associates' Top Secret

Each of these software packages has been around for many years and has been effectively implemented and tested over time. Each of these packages will allow a secure mainframe environment if implemented and maintained appropriately. This paper will focus exclusively on the Top Secret product.

Top Secret Overview

As stated in the previous section, mainframes have continued to receive less focus in most IT organizations, and mainframe security is usually assigned a lower priority than midrange platforms. This is primarily because mainframes are not known to be associated with significant hacking attempts, viruses, or other security breaches. What these organizations tend to forget is that most security breaches (and usually the largest in terms of financial losses) are internal breaches. So while organizations focus on firewalls, intrusion detection systems, virus prevention, and VPNs, they are not spending their time and resources on the biggest risk: internal security. The mainframe is still a core system for many institutions, and its role is increasing to act as a file, web and application server.
This creates additional emphasis on mainframe security. A secure perimeter doesn't add much value if the interior is insecure!

The focus of the remainder of this paper will be utilizing Top Secret to improve internal mainframe security. It will attempt to provide an overview of how Top Secret works, some important commands (for Security Administrators), and a brief audit guide (for Security Auditors). It will not get into the details of the newer features of Top Secret (i.e. LDAP, UNIX, firewall capabilities, etc.) but will focus on the more traditional mainframe security controls.

Top Secret Administration

Top Secret provides many functions, including: system entry validation, individual accountability, auditing, resource access control, and security administrator control. It is hierarchical in nature, allowing a great deal of flexibility for the organization. Each user has a unique user ID called an ACID (Accessor ID). User access can be restricted to allow access only to certain facilities or resources. Each ACID is assigned certain access privileges that are maintained in the user's Security Record. All of the security records are maintained in the overall Top Secret Security File. The Security File is an encrypted database that contains all user access permissions.

Top Secret allows control over user password attributes. Top Secret can control expiration intervals, syntax restrictions, violation thresholds, and password history. Top Secret also controls the syntax and length of the ACID and allows user access to be restricted to specific terminals, facilities, or to a particular time of day or day of the week.

ACIDs are not only user IDs; they can also be zones, divisions, departments, groups, and profiles. This can make auditing Top Secret confusing. The zone, division and department ACIDs are the foundation for the hierarchical Top Secret setup. The groups, profiles and users are the foundation for the functional setup.
Understanding this is critical, as it is the underlying structure of Top Secret.

Zone ACID – the highest level within Top Secret. It allows the organization to be split into several subsections. All other ACIDs and resources are defined to a zone.
Division ACID – allows definition of subsections within each zone. Departments, profiles, groups, and users are defined to each division.
Department ACID – allows for logical separation of users based on job functions (i.e. Accounts Payable, Programming, Finance, etc.). Users and groups are defined to their respective departments.
Group ACID – allows grouping of users that share similar access requirements. Groups and profiles are very similar.
Profile ACID – allows grouping of common resource access requirements. Users can then be defined to profiles rather than creating separate access permissions for every individual user ACID.
User ACID – designates a specific user and must be associated with a single department.

With all of these layers it can become a daunting task to perform security administration. Top Secret addresses this by having multiple layers of security administrator functions. This helps facilitate layered security as well as separation of duties for Security Administration. The Security Administrators can be restricted to only allow access to certain zones, divisions, and departments. This feature is particularly nice in larger organizations to help control the access privileges granted to the security administration staff. To accommodate the segregation of duties for Security Administrators, there are several types of security administration IDs.
There are six types of security administrator IDs:

MSCA (Master Security Control ACID) – there is only one MSCA, and it is established at installation. This ID has unlimited administration authority and is usually given to the Security Officer.
SCA (Central Security Control ACID) – has unlimited scope and is not associated with a specific division or department. There should only be a select few SCAs, mostly to function as a backup for the MSCA.
LSCA (Limited Central Security Control ACID) – similar to an SCA, but the authority can be limited to certain zones.
ZCA (Zone Control ACID) – is limited to a specific zone but can control the divisions, departments, profiles and users within that zone.
VCA (Divisional Control ACID) – is limited to a specific division within a zone but can control the departments, profiles and users within that division.
DCA (Departmental Control ACID) – is limited to a specific department and can control profiles and users within that department.

Top Secret has four MODES that it can operate under: DORMANT, WARN, FAIL, and IMPL. DORMANT mode means that Top Secret is installed but is NOT validating any rules that have been defined. WARN mode means that Top Secret is functioning, but it will only present a warning when a violation occurs and will still allow the event to happen. FAIL mode is when Top Secret will not allow violations to occur. IMPL means Top Secret is active and will fail violations, but users not defined to Top Secret can still function; they just can't access protected resources. It is critical to understand these MODES, because a company can have excellent security rules in place, but if Top Secret is not in FAIL mode then there is a false sense of protection.
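The administrator types above differ only in where they are anchored in the zone/division/department hierarchy. The following is an added illustration (not code from the paper or from the Top Secret product) that models that hierarchy and answers the audit question "may this administrator ACID touch that ACID?"; the ACID names and the parent chain user/profile/group -> department -> division -> zone are assumptions built from the descriptions in this section.

```python
"""Scope check for Top Secret administrator ACIDs over the ACID hierarchy.
Assumed model: users, groups and profiles belong to a department,
departments to a division, divisions to a zone."""

# Constructed sample security records: ACID -> (type, parent ACID).
RECORDS = {
    "ZONE1":   ("ZONE", None),
    "DIVA":    ("DIVISION", "ZONE1"),
    "DEPTAP":  ("DEPARTMENT", "DIVA"),   # Accounts Payable
    "DEPTFIN": ("DEPARTMENT", "DIVA"),   # Finance
    "APPROF":  ("PROFILE", "DEPTAP"),
    "JDOE":    ("USER", "DEPTAP"),
    "ASMITH":  ("USER", "DEPTFIN"),
}

# Level each administrator type is anchored to; None means unlimited scope.
ADMIN_LEVEL = {
    "MSCA": None,        # one per installation, unlimited authority
    "SCA": None,         # unlimited, not tied to a division or department
    "LSCA": "ZONE",      # central administrator limited to listed zones
    "ZCA": "ZONE",       # one zone
    "VCA": "DIVISION",   # one division within a zone
    "DCA": "DEPARTMENT", # one department
}


def ancestors(acid):
    """ACIDs above `acid` in the hierarchy, nearest first."""
    chain = []
    parent = RECORDS[acid][1]
    while parent is not None:
        chain.append(parent)
        parent = RECORDS[parent][1]
    return chain


def in_scope(admin_type, anchors, target):
    """True if an administrator of `admin_type`, anchored at the ACIDs in
    `anchors`, may administer `target` (a strict descendant of an anchor).
    Raises ValueError when an anchor is at the wrong level for the type."""
    level = ADMIN_LEVEL[admin_type]
    if level is None:
        return True
    for anchor in anchors:
        if RECORDS[anchor][0] != level:
            raise ValueError(f"{admin_type} cannot be anchored at {anchor}")
        if anchor in ancestors(target):
            return True
    return False
```

Feeding a real Top Secret ACID listing into RECORDS turns this into a quick separation-of-duties check: any administrator whose scope covers more than their job requires shows up as an in_scope result that should have been False.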
Top Secret has several other key areas that are important to know if you are a Security Administrator or Auditor.

ALL record – this lists resources that are globally accessible to all mainframe users.
AUDIT record – stores the resources that are to be audited.
Facility Matrix Table – stores all the facilities (TSO, ROSCOE, etc.) defined to Top Secret.
Started Task Table (STC) – stores all the started task procedures and the associated ACIDs.
Resource Descriptor Table (RDT) – stores the predefined resource classes. The RDT is also where you can specify default protection rules for all resources.

Top Secret allows tracking of security violations and many other activities. Events can be sent directly to SMF, to the Top Secret Audit/Tracking File, or both. There are advantages to using the Top Secret file: it reduces overhead to SMF, can't be suppressed like SMF, and can be viewed immediately without waiting for SMF to generate the reports.

Top Secret has several batch programs that help monitor security. TSSAUDIT monitors changes to the Top Secret Security File and other sensitive areas. TSSUTIL allows customized reporting based on various criteria, and TSSTRACK can be used for real-time monitoring of security events.

This is far from an all-inclusive overview of Top Secret. However, those are the primary areas that a Security Administrator or Auditor should know before evaluating a Top Secret implementation. Next we will walk through some steps to evaluate specific controls within Top Secret.