Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2

788 views

Published on

What tools are out there today?
How do these tool impact us?
What's the state of mainframe security?
How do we keep up to date?
How do we protect ourselves?
What are IBM and the vendors doing to help us?

Published in: Technology
  • Be the first to comment

  • Be the first to like this

2017 - A New Look at Mainframe Hacking and Penetration Testing v2.2

  1. 1. Delivering the best in z services, software, hardware and training.Delivering the best in z services, software, hardware and training. Delivering the best in z services, skills, security and software. A New Look at Mainframe Hacking and Penetration Testing
  2. 2. Agenda • Introduction • Setting the scene • The traditional stuff! • What tools are out there today? • How do these tool impact us? • What’s the state of mainframe security? • How do we keep up to date? • How do we protect ourselves? • What are IBM and the vendors doing to help us? • Summary
  3. 3. Introducing Rui RUI MIGUEL FEIO • Senior Technical Lead at RSM Partners • Based in the UK but travels all over the world • 18 years experience working with mainframes • Started with IBM as an MVS Sys Programmer • Specialist in mainframe security • Experience in other platforms
  4. 4. Introducing Steve STEVE TRESADERN • Senior Security Architect at RSM Partners • 30 years experience working with mainframes • Started as a trainee computer operator in 1987. • Specialist in mainframe security
  5. 5. Introducing RSM Partners • Sole Focus is IBM Mainframe Services • IBM Business Partner • World Leading, 1000+ Man Years Experience • Run 3 mainframes in-house • Working with large financial, retail & utility companies • One area of specialism is mainframe security – Whole range of services, Audits, pen tests, migrations and security remediation programs • We have a reputation for…. – On time, On budget, Every Time
  6. 6. Setting the scene
  7. 7. The traditional stuff!! • None of the traditional stuff should be ignored, if anything they need even more attention than before • If some of the other stuff we will discuss happens, then the risk associated with these issues actually rises: – Privileged Library Access (APF, Parmlib, etc) – SVC’s and Exits – Poorly written software that can be exploited, the unprotected magic SVC – The top ten audit issues found that have been presented many times…see next slide
  8. 8. Still the – Top Ten Audit Issues 1. Excessive Number of User ID’s w/No Password Interval 2. Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0 3. Data Set Profiles with UACC Greater than READ 4. RACF Database is not Adequately Protected 5. Excessive Access to APF Libraries 6. General Resource Profiles in WARN Mode 7. Production Batch Jobs have Excessive Resource Access 8. Data Set Profiles with UACC of READ 9. Improper Use or Lack of UNIXPRIV Profiles 10. Started Task IDs are not Defined as PROTECTED IDs
  9. 9. Carla – Identify Audit concerns NewList type=audit TT='Audit Concerns on the mainframe' Select AuditPriority>=20 SortList AuditPriority(nd,descending) , System Area AreaParm AuditConcern , AuditPriority ParmName ParmValue
  10. 10. What tools are out there today?
  11. 11. What tools are out there today? • Do a simple google search on: – “mainframe hacking tools” • There is plenty to read and research
  12. 12. What tools are out there today?
  13. 13. What tools are out there today? • There’s some really interesting stuff on the list • Some of our favourites are: – https://www.bigendiansmalls.com/ – http://mainframed767.tumblr.com/ – https://github.com/mainframed – http://www.openwall.com/john/
  14. 14. https://www.bigendiansmalls.com
  15. 15. https://www.bigendiansmalls.com
  16. 16. http://mainframed767.tumblr.com
  17. 17. https://github.com/mainframedhttps://github.com/mainframed
  18. 18. https://github.com/mainframedhttps://github.com/mainframed
  19. 19. https://github.com/mainframedhttps://github.com/mainframed
  20. 20. https://github.com/mainframedhttps://github.com/mainframed
  21. 21. https://github.com/mainframed
  22. 22. http://www.openwall.com/john/ • Fully supports testing using a RACF database • Rumour on the street is that they have already added support for the new IBM password KDFAES algorithm! • http://www.openwall.com/john/ • http://www.openwall.com/lists/john-users/2012/03/14/1
  23. 23. http://www.openwall.com/john/
  24. 24. http://www.openwall.com/john/
  25. 25. YouTube • How about YouTube? Try searching for “mainframe hacking”…
  26. 26. How do these tool impact us?
  27. 27. How do these tool impact us? • For us it’s awareness more than anything • We have long since understood the risks • But let’s be honest, many of us have hidden behind the fact that nobody really took any notice of us, of the mainframe • More “Security by obscurity”
  28. 28. How do these tool impact us? • For us it’s awareness more than anything • We have long since understood the risks • But let’s be honest, many of us have hidden behind the fact that nobody really took any notice of us, of the mainframe • More “Security by obscurity”
  29. 29. How do these tool impact us? • For us it’s awareness more than anything • We have long since understood the risks • But let’s be honest, many of us have hidden behind the fact that nobody really took any notice of us, of the mainframe • More “Security by obscurity”
  30. 30. What’s the state of mainframe security?
  31. 31. What’s the state of mainframe security? • Unfortunately, in our opinion not great…. • We still see the same old issues: – The top ten are still the top ten – Comments that the mainframe is secure and we don’t need to worry or invest in this legacy technology... still happens today! – We wouldn’t be saying that if the mainframe was hacked from a fridge!... buts that’s for another day!!
  32. 32. How do we keep up to date?
  33. 33. How do we keep up to date? • You need to find the time to do the research • We at RSM are considering creating a mainframe security blog where we will collate information • But it takes time and effort • Attending meetings: – This one – GSE Security Working Group and Annual Conference – Vanguard Conference – Share Conference – RSA and other mainstream security conferences – Defcon, etc
  34. 34. How do we protect ourselves?
  35. 35. How do we protect ourselves? • Get on the front foot • Be proactive • Talk to the folks in your organisation and understand what they are doing with: – Identity and Access Management – SIEM • How many times do we hear that the m/f is out of scope? – Privileged Users and Privileged Access – Data classification
  36. 36. How do we protect ourselves? • Get on the front foot • Be proactive • Talk to the folks in your organisation and understand what they are doing with: – Identity and Access Management – SIEM • How many times do we hear that the m/f is out of scope? – Privileged Users and Privileged Access – Data classification
  37. 37. PEBKAC
  38. 38. The PEBKAC…
  39. 39. Always remember: stupidity rules! • Let’s not forget our users… we as a group can only go so far... but as long as we have users... • PEBKAC - A useful term for demeaning the incompetent competent user without actually saying it to their face
  40. 40. Always remember: stupidity rules! • Techie: This isn't working. I'll have to come over there and fix it in person • Computer user: Really? Why? • Techie: It's a PEBKAC issue sir. It's best handled in person.
  41. 41. PEBKAC!!
  42. 42. PEBKAC!! 44 28/06/2017
  43. 43. Summary
  44. 44. Summary • Our world is has changing changed. • We are not an isolated platform anymore. • In a connected, digital world, we are the big game in town. • The hackers, in whatever form are coming after us and they will succeed have succeeded. • We need to wake our management up and make them realise years of underinvestment and a lack of attention will come back and bite them.
  45. 45. Questions
  46. 46. Rui Miguel Feio RSM Partners ruif@rsmpartners.com mobile: +44 (0) 7570 911459 www.rsmpartners.com Contact Steve Tresadern RSM Partners stevet@rsmpartners.com mobile: +44 (0) 7718 968464 www.rsmpartners.com

×