
How to Protect Your Mainframe from Hackers (v1.0)


This presentation addresses the requirements to protect the mainframe system from hackers. Common problems that need to be addressed, risks and mentalities that need to adapt to the new security realities.


1. How to Protect Your Mainframe from Hackers
   Rui Miguel Feio, Security Lead
   Delivering the best in z services, software, hardware and training. World Class, Full Spectrum, z Services
2. Agenda
   • Introduction
   • Mainframe Hacking – Fact or Fiction?
   • Securing the Mainframe
   • Is this Enough?
   • Warning! The Human Factor
   • References and Resources
   • Questions?
3. Introduction
   Rui Miguel Feio is…
   – Security lead at RSM Partners
   – Mainframe technician specialising in mainframe security:
     • Penetration Testing
     • Security Audit
     • Security Improvement
   – Has been working with mainframes for the past 16 years
   – Started as an MVS Systems Programmer
   – Experience in other platforms as well
4. Mainframe Hacking – Fact or Fiction?
5. “It is a fairly open secret that almost all systems can be hacked, somehow. It is a less spoken of secret that such hacking has actually gone quite mainstream.” Dan Kaminsky
6. Hacking a Mainframe
   • The mainframe is highly securable but not secure by default.
     – You need to invest time and resources to make it secure.
   • Can the mainframe be hacked?
     – Not only can it be hacked, it has already been hacked!
   • Most mainframe hacking cases are not reported.
   • But there are cases that have come to public…
7. Mainframe Hacking in the News
8. Mainframe Hacking in the News
9. Hacking the Mainframe on YouTube
10. Hacking the Mainframe on YouTube
11. Hacking the Mainframe on YouTube
12. Hacking the Mainframe on YouTube
13. Securing the Mainframe
14. Top 10 Security Vulnerabilities
    1. Excessive access to APF libraries
    2. Number of users with System Special
    3. User SVCs requesting privileged functions
    4. USS controls (UNIXPRIV, UID=0)
    5. Started tasks not defined as PROTECTED
    6. RACF database not properly protected
    7. Profiles in OPERCMDS class not properly set
    8. SURROGAT profiles permitting use of privileged userids
    9. RACF profiles with UACC or ID(*) > NONE
    10. Batch jobs with excessive resource access
15. What’s the Problem?
    • Excessive access to APF libraries
      – Users with UPDATE access or higher to an APF library can create an authorised program that can bypass security controls and execute privileged instructions.
    • Number of users with System Special
      – The SPECIAL attribute gives the user full control over all of the RACF profiles in the RACF database. At the system level, the SPECIAL attribute allows the user to issue all RACF commands.
    • User SVCs requesting privileged functions
      – They are extensions to the operating system, receiving control in Supervisor State and in the master storage protection key (key 0). This means that they have the power to circumvent security measures by altering otherwise protected storage areas.
16. What’s the Problem?
    • USS controls (UNIXPRIV, UID=0)
      – The UNIXPRIV class resource rules are designed to give a limited subset of the superuser (UID=0) capability. Userids with superuser authority (UID=0) have full access to all USS directories and files and full authority to administer.
    • Started tasks not defined as PROTECTED
      – Userids associated with started tasks should be defined as PROTECTED, which exempts them from revocation due to inactivity or excessive invalid password attempts, and prevents them from being used to sign on to an application.
    • RACF database not properly protected
      – A user who has READ access to the RACF database could make a copy and then use a cracker program to find the passwords of userids.
17. What’s the Problem?
    • Profiles in OPERCMDS class not properly set
      – Controls who can issue operator commands: JES, MVS, operator commands.
    • SURROGAT profiles permitting use of privileged userids
      – This class allows userids to access the privileges of other userids by submitting work under their authority without requiring a password.
    • RACF profiles with UACC or ID(*) > NONE
      – If a userid is not defined in the Access Control List (ACL) of a RACF profile, UACC or ID(*) will provide them the access. In some cases, READ access can be a security risk because it can provide access to sensitive data.
18. What’s the Problem?
    • Batch jobs with excessive resource access
      – It is common to see the userid of the batch job having too much access. This means that when the job enters the job scheduler, it can accidentally or maliciously access sensitive data or resources.
19. But There Are Many More!!
    • Profiles in Warning mode
    • Userids with no Password Interval
    • Data transfer methods
    • Utilities (e.g. ISRDDN, TASID)
    • RACF class FACILITY
    • RACF class XFACILIT
    • RACF class SERVAUTH
    • RACF class JESINPUT
    • RACF class JESJOBS
    • …
20. Monitoring and Alerting Systems
    • Monitoring and alerting is essential but does not always work.
    • Monitoring processes:
      – Not covering the essentials
      – Teams not skilled enough to identify problems
    • Alerting processes:
      – Not covering the essentials
      – Not properly configured
      – Can be compromised
21. Compromising the Alerting System
    • Let’s use the example of IBM zSecure Alert…
    • HLQ.C2POLICE.C2PCUST contains all the alerting code and configuration settings
    • Whoever has READ access to this dataset will be able to:
      – Check the configuration and the alerts
      – Check, for example, to which email address the alerts are being sent and flood that address with false positives
      – While the problem is being identified, the hacker has a window of opportunity to perform malicious activities
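The checks in slides 14–19 (UACC or ID(*) above NONE, profiles in WARNING mode, UPDATE or higher on APF libraries) and the zSecure Alert dataset point in slide 21 (who has READ on a sensitive configuration dataset) can be expressed as a small audit over a profile inventory. This is an added example, not code from the presentation or from RSM Partners; the inventory schema and the sample profiles are constructed for illustration, and the APF flag is assumed to come from the system's PROGxx members rather than from RACF itself.

```python
from dataclasses import dataclass, field

# RACF access levels from least to most powerful (real RACF ordering).
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

@dataclass
class Profile:
    """One dataset profile. The schema is an assumption for this example;
    real data would come from an IRRDBU00 unload or LISTDSD output."""
    name: str                      # profile name, e.g. SYS1.LINKLIB
    uacc: str                      # universal access (UACC)
    warning: bool                  # WARNING mode: violations logged but access granted
    acl: dict = field(default_factory=dict)  # userid/group -> access; "*" stands for ID(*)
    apf: bool = False              # library is APF-authorised (assumed known from PROGxx)
    sensitive: bool = False        # e.g. RACF database or zSecure Alert C2PCUST dataset

def exceeds(level: str, limit: str) -> bool:
    """True if RACF access `level` is higher than `limit`."""
    return ACCESS_RANK[level.upper()] > ACCESS_RANK[limit.upper()]

def audit(profiles):
    """Return (profile, finding) pairs for the conditions the slides call out."""
    findings = []
    for p in profiles:
        if p.warning:
            findings.append((p.name, "profile in WARNING mode"))
        if exceeds(p.uacc, "NONE"):
            findings.append((p.name, f"UACC({p.uacc}) > NONE"))
        star = p.acl.get("*", "NONE")
        if exceeds(star, "NONE"):
            findings.append((p.name, f"ID(*) {star} > NONE"))
        for who, lvl in p.acl.items():
            if who == "*":
                continue
            # UPDATE or higher on an APF library lets the holder plant authorised code.
            if p.apf and exceeds(lvl, "READ"):
                findings.append((p.name, f"{who} has {lvl} on APF library"))
            # Even READ on the RACF database or alerting config is worth reviewing.
            if p.sensitive and exceeds(lvl, "NONE"):
                findings.append((p.name, f"{who} has {lvl} on sensitive dataset"))
    return findings

# Constructed sample inventory (not real system data).
SAMPLE = [
    Profile("SYS1.LINKLIB", "READ", False, {"SYSPROG": "ALTER", "DEVTEAM": "UPDATE"}, apf=True),
    Profile("SYS1.RACFDS", "NONE", False, {"RACFADM": "ALTER", "AUDITOR1": "READ"}, sensitive=True),
    Profile("PROD.PAYROLL.DATA", "NONE", True, {"*": "READ", "PAYROLL": "UPDATE"}),
]
```

Calling `audit(SAMPLE)` returns seven findings for the constructed inventory, including the WARNING-mode payroll profile and the developer group with UPDATE on an APF library; on real data the list is a review queue, since some of the flagged access (a sysprog's ALTER on SYS1.LINKLIB) is expected and should be confirmed rather than removed blindly.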
22. Is This Enough?
23. “The hacker is going to look for the crack in the wall…” Kevin Mitnick in “The Art of Intrusion”
24. Once he finds it… It’s Playtime!
25. 7 Security Principles
    1. Know what you are trying to protect
    2. Know the environment
    3. Know your enemy
    4. Know your weaknesses and strengths
    5. Assess and plan
    6. Define a strategy
    7. Adapt and evolve or ‘die’
26. The Mainframe is Part of Something
    The mainframe is part of an ecosystem:
    – Servers
    – Terminals
    – Other mainframes
    – Smart phones
    – Tablets
    – Routers
    – Switches
    – IoT devices
    – Users (technical and non-technical)
    – 3rd parties
    – …
27. The 3 Main ‘Actors’: Hacker, Techie, User
28. 5 Stages of Hacking: Reconnaissance, Scanning, Gain Access, Maintain Access, Cover Tracks
29. Strengths and Weaknesses
    • Technological estate
    • Processes & procedures
    • Technical documents
    • Access requirements
    • Segregation of duties
    • Training and education for staff and 3rd parties
    • Systems’ updates
    • Process to keep systems up to date
    • Team work
    • Request help!
30. Assess, Plan and Define a Strategy
31. Adapt and Evolve
    • Security is not a one-time tick-in-a-box process
    • Security requires a daily effort and constant improvements
    • You should consider performing regular:
      – Penetration tests
      – Security audits
      – Implementation of security improvement programmes
      – Vulnerability scans
    • Remember: hackers have all the time in the world and are constantly developing new ways of attacking and compromising!
32. Warning! The Human Factor
33. “Most advanced attacks rely as much on exploiting human flaws as on exploiting system flaws.” A Hacker
34. Humans – The Inside Threat
    * Figure from the “IBM 2015 Cyber Security Intelligence Index” report
35. The Weakest Link: Insider, Associate, Affiliate, Dumbass
36. Conclusion
37. To Summarise…
    • There’s a lot of work to be done to protect the mainframe, internally and externally.
    • Training and education are essential!
    • Need to keep up to date.
    • Humans are the weakest link.
    • Security MUST be taken seriously!
    * Dark Reading visitors responding to “What do you consider the greatest security threat to your organization?”
38. References & Resources
39. Light Reading
    • “IBM 2015 Cyber Security Intelligence Index”, IBM
    • “2015 Threat Report”, Websense
    • “2015 Cost of Cyber Crime Study: Global”, Ponemon Institute
    • “The Human Factor 2015”, Proofpoint
    • “The Insider Threat: Detecting Indicators of Human Compromise”, Tripwire
    • “White Hats, Black Hats. A Hacker Community is Emerging Around the Mainframe. What You Need to Know…”, Mike Rogers @ Attachmate.com
    • “The Art of War”, Sun Tzu
40. Web Sites
    • PC World:
      – http://www.pcworld.com/article/2034733/pirate-bay-cofounder-charged-with-hacking-ibm-mainframes-stealing-money.html
    • The Register:
      – http://www.theregister.co.uk/2013/03/04/convicted_hacker_hack_into_prison/
    • Daily Mail:
      – http://www.dailymail.co.uk/news/article-2526726/Married-Barclays-boss-spent-stolen-2million-call-girls-Banker-accused-five-year-cash-theft.html
41. YouTube Videos
    • Hacking Mainframes: Vulnerabilities in applications exposed over TN3270, Dominic White:
      – https://www.youtube.com/watch?v=3HFiv7NvWrM&feature=youtu.be
    • Mainframes, Mopeds and Mischief: A PenTester’s Year in Review, Tyler Wrightson:
      – https://www.youtube.com/watch?v=S-9Uk706wuc
    • Smashing the Mainframe for Fun and Prison Time, Philip Young:
      – https://www.youtube.com/watch?v=SjtyifWTqmc&feature=youtu.be
    • Black Hat 2013 – Mainframes: The Past Will Come to Haunt You, Philip Young:
      – https://www.youtube.com/watch?v=uL65zWrofvk&feature=youtu.be
42. Questions? Hands Up!!
43. Contact
    Rui Miguel Feio, RSM Partners
    ruif@rsmpartners.com
    mobile: +44 (0) 7570 911459
    linkedin: www.linkedin.com/in/rfeio
    www.rsmpartners.com
