The document discusses platform-based security assessments and identifies some good, bad, and ugly aspects. The good aspects include conducting in-depth security assessments of entire operating systems to identify intrinsic security flaws. However, some platforms like mainframes are often overlooked (the bad). Hackers are actively targeting platforms like mainframes (the ugly) using tools adapted for these platforms and exploiting vulnerabilities. It is important to include all platforms and not make assumptions when conducting security assessments.

2. For those of you who
don’t know me

3. For those of you who
don’t know me
This is me ------>

4. My first computer

5. My second computer

6. Third Computer

7. Number 4

8. Number 5 (with dial up internet)

9. Much More Computers :)

10. My most recent computer :)

11. My favourite computer

12. Looks like this…

13. Looks like this… yes, that’s a Mainframe

14. Christopher O'Malley
President and CEO at Compuware
“There’s an acknowledged surge of interest in Agile and DevOps
on the mainframe. With good reason. Your business can’t be truly
agile unless your systems-of-record are truly agile. And for most
large enterprises, those systems run on the mainframe………”
https://www.linkedin.com/pulse/big-agile-devops-decision-you-need-make-today-christopher-o-malley

15. *) TechNerd examination points…

16. Email: henri@zdevops.com
Twitter: @henrikuiper
LinkedIN: https://nl.linkedin.com/in/wizardofzos

17. So how did I end up here?

20. Software
• Encryption
• Smartcrypt TDE
• SecureZIP
• Compression
• PKZIP
• Threat Detection
• TrapX
for most major platforms

21. Services
• Pentesting
• Vulnerability Checks
• Risk Assessments
• Security Officers!
• Monitoring
• Policy Enforcers
• Managed Security Services

23. www.srcsecuresolutions.eu

24. 161116 PBSA Good, Bad, Ugly

25. Legal Stuff
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras feugiat velit ac justo finibus, ut molestie lectus bibendum. Duis leo massa, bibendum vitae imperdiet in,
commodo nec velit. Vivamus tincidunt, eros eu rutrum posuere, ex dui porta sapien, in placerat quam diam sit amet tortor. Aenean nec diam tellus. Integer ornare
euismod enim. Aenean ipsum diam, feugiat hendrerit justo ut, maximus ornare nisi. Nullam augue diam, malesuada consequat porta non, ullamcorper sed tortor.
Phasellus in lacus eget erat vestibulum hendrerit sed nec quam. Praesent ante magna, consequat eget ultrices vitae, congue sed leo. Vivamus nec felis ac neque
accumsan rutrum in id massa. Ut mollis in mauris a auctor. Aliquam dictum lectus vel vehicula iaculis.
Quisque at quam ut libero rhoncus consectetur. Proin ac ultricies lacus. Sed in mauris ut velit malesuada consequat in eu lorem. Quisque sollicitudin dapibus orci sit
amet feugiat. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Class aptent taciti sociosqu ad litora torquent per conubia nostra,
per inceptos himenaeos. Nulla facilisi. Sed ultricies tellus in sem elementum, vitae fringilla ante vestibulum.
Nullam pharetra arcu odio, sed pharetra purus pulvinar et. Suspendisse nec aliquet orci. Nulla consequat elit ante, eu malesuada elit laoreet ut. Sed malesuada
ornare tortor. Pellentesque fringilla fermentum quam eget bibendum. Etiam porttitor, quam sit amet laoreet ultricies, erat ipsum fermentum metus, sit amet
elementum elit leo aliquet purus. Maecenas varius metus purus, eu eleifend est pellentesque a. Duis mauris eros, ultricies sit amet posuere sed, pulvinar ut elit.
Aliquam mattis ligula felis, sit amet venenatis ligula porta quis. Nunc ut vulputate ante. Pellentesque congue eleifend pellentesque. Curabitur bibendum porttitor sem,
eu varius mauris ultricies vitae. Phasellus pulvinar vestibulum gravida. Proin non eleifend odio. Aenean pharetra pretium orci ac scelerisque.
Sed lobortis vel magna nec volutpat. Nam et dui metus. Quisque aliquam ligula dapibus, convallis purus ac, accumsan ex. Ut id tempus diam, vel porttitor justo.
Pellentesque venenatis justo sem, sit amet interdum mauris tristique vitae. Fusce metus magna, suscipit vitae convallis eget, ultricies sed est. Fusce sodales diam sit
amet imperdiet venenatis. Aenean sed eros quis arcu dapibus porttitor id ut magna. Ut suscipit ex eu nibh bibendum posuere.
Quisque semper feugiat ante, pharetra ultrices turpis feugiat ac. Fusce non neque purus. Curabitur eget sagittis nunc, nec aliquam diam. Integer augue ligula,
eleifend ut eleifend vitae, congue eu est. Vestibulum semper, nunc nec placerat condimentum, tortor lectus tempor risus, eu viverra sem tortor sed dolor. Nam
volutpat nulla a felis ultricies, ac pellentesque ligula vehicula. Phasellus imperdiet velit sit amet laoreet sollicitudin. Morbi elementum viverra enim, eget feugiat sem
interdum nec. Nulla facilisi. Praesent ex lectus, posuere non molestie et, laoreet at lorem. Phasellus mollis, justo quis venenatis ultricies, ante ante ultrices est, sed
dapibus turpis odio ac leo. In pharetra velit commodo massa eleifend, eget vehicula felis commodo.

26. Legal Stuff
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras feugiat velit ac justo finibus, ut molestie lectus bibendum. Duis leo massa, bibendum vitae imperdiet in,
commodo nec velit. Vivamus tincidunt, eros eu rutrum posuere, ex dui porta sapien, in placerat quam diam sit amet tortor. Aenean nec diam tellus. Integer ornare
euismod enim. Aenean ipsum diam, feugiat hendrerit justo ut, maximus ornare nisi. Nullam augue diam, malesuada consequat porta non, ullamcorper sed tortor.
Phasellus in lacus eget erat vestibulum hendrerit sed nec quam. Praesent ante magna, consequat eget ultrices vitae, congue sed leo. Vivamus nec felis ac neque
accumsan rutrum in id massa. Ut mollis in mauris a auctor. Aliquam dictum lectus vel vehicula iaculis.
Quisque at quam ut libero rhoncus consectetur. Proin ac ultricies lacus. Sed in mauris ut velit malesuada consequat in eu lorem. Quisque sollicitudin dapibus orci sit
amet feugiat. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Class aptent taciti sociosqu ad litora torquent per conubia nostra,
per inceptos himenaeos. Nulla facilisi. Sed ultricies tellus in sem elementum, vitae fringilla ante vestibulum.
Nullam pharetra arcu odio, sed pharetra purus pulvinar et. Suspendisse nec aliquet orci. Nulla consequat elit ante, eu malesuada elit laoreet ut. Sed malesuada
ornare tortor. Pellentesque fringilla fermentum quam eget bibendum. Etiam porttitor, quam sit amet laoreet ultricies, erat ipsum fermentum metus, sit amet
elementum elit leo aliquet purus. Maecenas varius metus purus, eu eleifend est pellentesque a. Duis mauris eros, ultricies sit amet posuere sed, pulvinar ut elit.
Aliquam mattis ligula felis, sit amet venenatis ligula porta quis. Nunc ut vulputate ante. Pellentesque congue eleifend pellentesque. Curabitur bibendum porttitor sem,
eu varius mauris ultricies vitae. Phasellus pulvinar vestibulum gravida. Proin non eleifend odio. Aenean pharetra pretium orci ac scelerisque.
Sed lobortis vel magna nec volutpat. Nam et dui metus. Quisque aliquam ligula dapibus, convallis purus ac, accumsan ex. Ut id tempus diam, vel porttitor justo.
Pellentesque venenatis justo sem, sit amet interdum mauris tristique vitae. Fusce metus magna, suscipit vitae convallis eget, ultricies sed est. Fusce sodales diam sit
amet imperdiet venenatis. Aenean sed eros quis arcu dapibus porttitor id ut magna. Ut suscipit ex eu nibh bibendum posuere.
Quisque semper feugiat ante, pharetra ultrices turpis feugiat ac. Fusce non neque purus. Curabitur eget sagittis nunc, nec aliquam diam. Integer augue ligula,
eleifend ut eleifend vitae, congue eu est. Vestibulum semper, nunc nec placerat condimentum, tortor lectus tempor risus, eu viverra sem tortor sed dolor. Nam
volutpat nulla a felis ultricies, ac pellentesque ligula vehicula. Phasellus imperdiet velit sit amet laoreet sollicitudin. Morbi elementum viverra enim, eget feugiat sem
interdum nec. Nulla facilisi. Praesent ex lectus, posuere non molestie et, laoreet at lorem. Phasellus mollis, justo quis venenatis ultricies, ante ante ultrices est, sed
dapibus turpis odio ac leo. In pharetra velit commodo massa eleifend, eget vehicula felis commodo.

27. EXCLUSIVELY INCLUSIVE
PROJECT
DATE
16/11/2016
PLATFORM BASED SECURITY ASSESSMENTS
THE GOOD, THE BAD AND THE UGLY

28. YOU’VE BEEN WARNED

29. AGENDA
The Good
The Bad
The Ugly

30. THE GOOD
IN-DEPTH SECURITY ASSESSMENT
FOR THE ENTIRE OPERATING SYSTEM

31. Platform Security Assessments
Are they better than Network Security Scanners? (Wireshark, nmap,
metasploit, …)?
Or better than Web Security Scanners? (OWASP, Burp Suite, …)?
They identify intrinsic security flaws
How do you do them?
And what’s the goal?

32. EXECUTING A SECURITY ASSESSMENT…..
LIST BASED AND/OR SERIOUSLY CHECKING THE SYSTEM?

38. “I don’t hate technology, I don’t hate hackers, because that’s just
what comes with it without those hackers we wouldn’t solve the
problems we need to solve, especially security.”
–Fred Durst, Limp Bizkit

39. “I don’t hate technology, I don’t hate hackers, because that’s just
what comes with it without those hackers we wouldn’t solve the
problems we need to solve, especially security.”
–Fred Durst, Limp Bizkit

40. “I don’t hate technology, I don’t hate hackers, because that’s just
what comes with it without those hackers we wouldn’t solve the
problems we need to solve, especially security.”
–Fred Durst, Limp Bizkit
Somewhere on http://quotemaster.org/Hacking

41. THE BAD : SOME PLATFORMS…
HTTPS://XKCD.COM/908/

42. “Type a quote here.”
–Johnny Appleseed
AWESOME !!
The Mainframe (for me)

43. The Mainframe (for most people I know)

44. What on Earth is a Mainframe?
youtube.com/watch?v=H_oAXf1Og_o
5m27secs

45. RULE #1
ALWAYS HAVE A BACKUP

46. RULE #1
ALWAYS HAVE A BACKUP

47. Mainframe Myths
Mainframes are old/legacy
Mainframes don’t run modern applications
Mainframes are expensive
There is a skill shortage
It’s unbelievably secure

48. Did you know…..
nmap and metasploit have support for
the mainframe?
tso-brute, vtam-enum, etc.
Every heard of ELV.APF?
3 words: Started Task Impersonation

49. Did you know…..
nmap and metasploit have support for
the mainframe?
tso-brute, vtam-enum, etc.
Every heard of ELV.APF?
3 words: Started Task Impersonation

50. Did you know…..
nmap and metasploit have support for
the mainframe?
tso-brute, vtam-enum, etc.
Every heard of ELV.APF?
3 words: Started Task Impersonation

51. Did you know…..
nmap and metasploit have support for
the mainframe?
tso-brute, vtam-enum, etc.
Every heard of ELV.APF?
3 words: Started Task Impersonation

52. THE UGLY
THE HACKERS ARE COMING FOR YOU

53. The hackers don’t care…
Offering their services via the dark web
Have plenty of resources
Operate like a regular business
three-letter (foreign) agencies?
Cyberwarfare
…..

54. Remember the video?
Pretty interesting for hackers

55. So why does this happen….

56. So why does this happen….

57. Anti Patterns

58. Anti Patterns
Accepting “you don’t need to test this” scenarios

59. Anti Patterns
Accepting “you don’t need to test this” scenarios
Scoping off an assessment on the platform level

60. Anti Patterns
Accepting “you don’t need to test this” scenarios
Scoping off an assessment on the platform level
Assuming protocols and procedures are enforced (or controlled)

61. Anti Patterns
Accepting “you don’t need to test this” scenarios
Scoping off an assessment on the platform level
Assuming protocols and procedures are enforced (or controlled)
Complacency vs. Compliancy

62. Anti Patterns
Accepting “you don’t need to test this” scenarios
Scoping off an assessment on the platform level
Assuming protocols and procedures are enforced (or controlled)
Complacency vs. Compliancy
You can’t test this on production

63. Summary and things to remember

64. Summary

65. Summary
Don’t stick at the platform scope

66. Summary
Don’t stick at the platform scope
Include The Mainframe in all tests & assessments

67. Summary
Don’t stick at the platform scope
Include The Mainframe in all tests & assessments
Assume you already have been hacked

68. Summary
Don’t stick at the platform scope
Include The Mainframe in all tests & assessments
Assume you already have been hacked
Don’t believe previous reports

69. Summary
Don’t stick at the platform scope
Include The Mainframe in all tests & assessments
Assume you already have been hacked
Don’t believe previous reports
Be careful out there…..