2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
•
1 like•2,016 views
What tools are out there today? How do these tool impact us? What's the state of mainframe security? How do we keep up to date? How do we protect ourselves? What are IBM and the vendors doing to help us?
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to 2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
Similar to 2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2 (20)
More from Rui Miguel Feio
More from Rui Miguel Feio (13)
Recently uploaded
Recently uploaded (20)
2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2
- 2. Agenda • Introduction • Setting the scene • The traditional stuff! • What tools are out there today? • How do these tool impact us? • What’s the state of mainframe security? • How do we keep up to date? • How do we protect ourselves? • What are IBM and the vendors doing to help us? • Summary
- 3. Introducing Rui RUI MIGUEL FEIO • Senior Technical Lead at RSM Partners • Based in the UK but travels all over the world • 18 years experience working with mainframes • Started with IBM as an MVS Sys Programmer • Specialist in mainframe security • Experience in other platforms
- 4. Introducing Steve STEVE TRESADERN • Senior Security Architect at RSM Partners • 30 years experience working with mainframes • Started as a trainee computer operator in 1987. • Specialist in mainframe security
- 5. Introducing RSM Partners • Sole Focus is IBM Mainframe Services • IBM Business Partner • World Leading, 1000+ Man Years Experience • Run 3 mainframes in-house • Working with large financial, retail & utility companies • One area of specialism is mainframe security – Whole range of services, Audits, pen tests, migrations and security remediation programs • We have a reputation for…. – On time, On budget, Every Time
- 7. The traditional stuff!! • None of the traditional stuff should be ignored, if anything they need even more attention than before • If some of the other stuff we will discuss happens, then the risk associated with these issues actually rises: – Privileged Library Access (APF, Parmlib, etc) – SVC’s and Exits – Poorly written software that can be exploited, the unprotected magic SVC – The top ten audit issues found that have been presented many times…see next slide
- 8. Still the – Top Ten Audit Issues 1. Excessive Number of User ID’s w/No Password Interval 2. Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0 3. Data Set Profiles with UACC Greater than READ 4. RACF Database is not Adequately Protected 5. Excessive Access to APF Libraries 6. General Resource Profiles in WARN Mode 7. Production Batch Jobs have Excessive Resource Access 8. Data Set Profiles with UACC of READ 9. Improper Use or Lack of UNIXPRIV Profiles 10. Started Task IDs are not Defined as PROTECTED IDs
- 9. Carla – Identify Audit concerns NewList type=audit TT='Audit Concerns on the mainframe' Select AuditPriority>=20 SortList AuditPriority(nd,descending) , System Area AreaParm AuditConcern , AuditPriority ParmName ParmValue
- 12. What tools are out there today? • Do a simple google search on: – “mainframe hacking tools” • There is plenty to read and research
- 14. What tools are out there today? • There’s some really interesting stuff on the list • Some of our favourites are: – https://www.bigendiansmalls.com/ – http://mainframed767.tumblr.com/ – https://github.com/mainframed – http://www.openwall.com/john/
- 23. http://www.openwall.com/john/ • Fully supports testing using a RACF database • Rumour on the street is that they have already added support for the new IBM password KDFAES algorithm! • http://www.openwall.com/john/ • http://www.openwall.com/lists/john-users/2012/03/14/1
- 29. How do these tool impact us? • For us it’s awareness more than anything • We have long since understood the risks • But let’s be honest, many of us have hidden behind the fact that nobody really took any notice of us, of the mainframe • More “Security by obscurity”
- 30. How do these tool impact us? • For us it’s awareness more than anything • We have long since understood the risks • But let’s be honest, many of us have hidden behind the fact that nobody really took any notice of us, of the mainframe • More “Security by obscurity”
- 31. How do these tool impact us? • For us it’s awareness more than anything • We have long since understood the risks • But let’s be honest, many of us have hidden behind the fact that nobody really took any notice of us, of the mainframe • More “Security by obscurity”
- 33. What’s the state of mainframe security? • Unfortunately, in our opinion not great…. • We still see the same old issues: – The top ten are still the top ten – Comments that the mainframe is secure and we don’t need to worry or invest in this legacy technology... still happens today! – We wouldn’t be saying that if the mainframe was hacked from a fridge!... buts that’s for another day!!
- 35. How do we keep up to date? • You need to find the time to do the research • We at RSM are considering creating a mainframe security blog where we will collate information • But it takes time and effort • Attending meetings: – This one – GSE Security Working Group and Annual Conference – Vanguard Conference – Share Conference – RSA and other mainstream security conferences – Defcon, etc
- 37. How do we protect ourselves? • Get on the front foot • Be proactive • Talk to the folks in your organisation and understand what they are doing with: – Identity and Access Management – SIEM • How many times do we hear that the m/f is out of scope? – Privileged Users and Privileged Access – Data classification
- 38. How do we protect ourselves? • Get on the front foot • Be proactive • Talk to the folks in your organisation and understand what they are doing with: – Identity and Access Management – SIEM • How many times do we hear that the m/f is out of scope? – Privileged Users and Privileged Access – Data classification
- 39. PEBKAC
- 40. The PEBKAC…
- 41. Always remember: stupidity rules! • Let’s not forget our users… we as a group can only go so far... but as long as we have users... • PEBKAC - A useful term for demeaning the incompetent competent user without actually saying it to their face
- 42. Always remember: stupidity rules! • Techie: This isn't working. I'll have to come over there and fix it in person • Computer user: Really? Why? • Techie: It's a PEBKAC issue sir. It's best handled in person.
- 43. PEBKAC!!
- 45. Summary
- 46. Summary • Our world is has changing changed. • We are not an isolated platform anymore. • In a connected, digital world, we are the big game in town. • The hackers, in whatever form are coming after us and they will succeed have succeeded. • We need to wake our management up and make them realise years of underinvestment and a lack of attention will come back and bite them.
- 47. Questions