This document describes z/Assure, an IBM z/OS vulnerability analysis solution created by security developers. It performs penetration tests on z/OS systems and applications to identify integrity-based software vulnerabilities. These vulnerabilities can allow attackers to bypass security controls and access sensitive data without authorization. While security systems like RACF aim to prevent this, vulnerabilities in IBM and third-party software leave systems at risk. z/Assure can help organizations identify these vulnerabilities and ensure NIST, PCI, and SOX compliance. Customers can choose to conduct an initial assessment or deploy z/Assure enterprise-wide for ongoing monitoring and remediation of vulnerabilities over time.

1. z/Assure Vulnerability Analysis
Enterprise Solution
By Robert Fragola
www.kr-inc.com
1 © Key Resources, Inc. 2012

2. Compliance Requirements
 SOX requires publically traded companies to
put controls into place to protect reporting and
financial information
 PCI Requirement 11.3 Guidance --
Vulnerability scans and penetration tests will
expose any remaining vulnerabilities that
could later be found and exploited by an
attacker.
 NIST 800-53 –The organization includes, as
part of a security-control assessment,
malicious user testing and penetration testing
2 © Key Resources, Inc. 2012

3. What is an Integrity - Based Software
Vulnerability?
 A weakness in z/OS systems, that allows the exploitation
of products from Independent Software Vendor (ISV)
and/or in-house developed authorized interfaces (SVCs
and PCs) as well as (APF) authorized applications.
 Vulnerabilities can compromise all data on your system as
well as the system itself
- Disrupt System Availability
- View and Modify Sensitive Information
 It can allow an Internal attacker to circumvent RACF,
ACF2 or Top Secret’s installation controls
- Cause Compliance Violations
- Severely Damage the Firm’s Reputation
3 © Key Resources, Inc. 2012

4. Exploiting Integrity - Based
Software Vulnerabilities
 An Exploit is a way of taking advantage
of a software Vulnerability
 Bypassing the installation-security
controls
 Gain unauthorized access to data
without proper permission and
 Without any logging (SMF)
4 © Key Resources, Inc. 2012

5. Big Three Security Systems
 RACF developed by IBM and introduced in 1976
 ACF2 authored by Barry Schrager, Mainframe
Hall of Fame member, founder of SKK and
introduced in 1978 (now owned by CA)
 Top Secret developed by CGA Allen and
introduced in 1981 (now owned by CA)
 ACF2, Top Secret and RACF depend on system
integrity because any program that can leverage
a system integrity vulnerability can get access to
any data it wants.
“There can be no system security without
5 operating system integrity”
© Key Resources, Inc. 2012

6. According to Gartner
“The IBM z/OS mainframe continues to be an
important platform for many enterprises, hosting
about 90% of their mission-critical applications.
Enterprises may not take the same steps to
address configuration errors and poor identity
and entitlements administration on the
mainframe as they do on other OSs. Thus, the
incidence of high-risk vulnerabilities is
astonishingly high, and enterprises often lack
formal programs to identify and remediate
these.”
© Key Resources, Inc. 2012
6
Gartner Research Note G00172909

7. Vulnerabilities May Have Been
Added
 During routine maintenance activities or
the installation of new ISV products or
locally developed authorized code
 By well meaning Systems Programmers
who wanted a programming function
 Who did not think of the implications
 Who have long since left or retired
7 © Key Resources, Inc. 2012

8. z/Assure a New IBM z/OS
Vulnerability Analysis Solution
 Created by Preeminent Security Developers
 z/Assure is Independent of ACF2, RACF and
Top Secret
 Performs Penetration Tests on z/OS systems,
as well as ISV,3rd Party and In-house
Developed Applications
 Ensures Compliance Standards and Protects
Your Most Important Resource – Your Data
8  Absolutely 2012 other product like this on the
© Key Resources, Inc. no

9. Eliminating Integrity - Based
Software Vulnerabilities
 Must be Identified using the VAT Enterprise
Solution
 Remediated by the Code Owner
 Over Time, New Vulnerabilities could be
Introduced
 On-going Identification and Remediation is
required using the z/Assure Solution
9 © Key Resources, Inc. 2012

10. Vulnerability Exploit Demonstration
 z/OS 1.11
 No extra-ordinary security authority is
required
 Security System is RACF (it does not
matter – exploit would work with ACF2
or Top Secret with minor changes)
10 © Key Resources, Inc. 2012

11. Access a Dataset
11 © Key Resources, Inc. 2012

12. Denied by RACF – 913
ABEND!!
12 © Key Resources, Inc. 2012

13. Run an Exploit
13 © Key Resources, Inc. 2012

14. Now in RACF PRIVILEGED!!
14 © Key Resources, Inc. 2012

15. Access the Dataset Again
15 © Key Resources, Inc. 2012

16. Now Have Access!!
16 © Key Resources, Inc. 2012

17. The Exploiter Has Complete
Control
 The Exploiter may be a knowledgeable
insider (high level of technical expertise)
 They could be an insiders with low
levels of technical expertise who
obtained the exploit from knowledgeable
outsiders
17 © Key Resources, Inc. 2012

18. But, you say:
 These attacks would not be from
insiders
 Insiders are a trusted bunch of people
 Well …
18 © Key Resources, Inc. 2012

19. 2008 Strategic Counsel Survey
 Commissioned by CA Technologies
 Internal Breaches are Rising
 2003 – 15% of breaches
 2006 – 42% of breaches
 2008 – 44% of breaches
 The biggest security threats are from the
inside!
 And, they are increasing!
19 © Key Resources, Inc. 2012

20. 2010 CSO Magazine Survey
 2010 CyberSecurity Watch Survey
 “…the most costly or damaging attacks
are caused by insiders”
 Almost three quarters (72%), on the
average, of insider incidents are handled
internally without legal action or the
involvement of law enforcement
20 © Key Resources, Inc. 2012

21. Is My Firm At Risk?
Yes, Because You Have IBM, ISV,
and In-House Developed
Systems that Contain
Vulnerabilities
21 © Key Resources, Inc. 2012

22. How Well Does z/Assure Work?
 At a recent assessment we found 15 vulnerabilities
in IBM and ISV code
 On average over 50% of the reported vulnerabilities
are zero day vulnerabilities
 A single vulnerability will compromise all data as
well as the system itself
 Vulnerabilities were found in software from premiere
software vendors such as: IBM, CA, BMC, EMC
and Compuware
 Vulnerabilities are also normally found in In-house
Developed Applications, Authorized Interfaces and
System Exits
22 © Key Resources, Inc. 2012

23. How Can You Take Advantage of the
z/Assure Enterprise Solution?
Option1 Assessment:
 Initial on-site Assessment using the
z/Assure Solution
 Manually review installation added
authorized code such as: SVCs, PCs and
Exits
 Produces initial list of Integrity-based
vulnerabilities
 Provide z/Assure training for your staff
23 © Key Resources, Inc. 2012

24. How Can You Take Advantage of the
z/Assure Solution?
Option 2 Enterprise Deployment:
Customer licenses z/Assure enterprise class
license
Annual license fee charged by the number of
LPARs protected by the z/Assure Solution
Typically installed in hardening systems
24 © Key Resources, Inc. 2012

25. Questions and Next Steps:
z/Assure Enterprise
Solution
www.kr-inc.com
914 393-7000
25 © Key Resources, Inc. 2012