AGENDA. A New Look at Mainframe Hacking And Penetration Testing 01/11/2016. World Class z Specialists

Transcription

1 World Class z Specialists A New Look at Mainframe Hacking And Penetration Testing Delivering the best in z services, software, hardware and training. AGENDA What is the state of mainframe security? How do we stay up to date? How do we protect ourselves? The traditional stuff! What tools are out there today? How do these tool impact us? What are IBM and the vendors doing to help us? Introduction, Objectives and Scene Setting Summary and Questions 1

2 Introduction Being in IT for over 36 Years. Started in May 1980 as a Trainee Computer Operator Technical Director at RSM Partners I lead the Technical team at RSM that amounts to just over 50 technicians IT Security in particular mainframes is my specialist subject All forms of sport, especially Football Outside of work I have a passion for Scuba Diving Motorbikes 2

3 Setting the scene Setting The Scene We have spent several years discussing Mainframe Hacking, Pen Testing and Auditing with the associated risks and issues We have tended to focus on the traditional stuff: Privileged Library Access (APF, Parmlib, etc) SVC s and Exits Poorly written software that can be exploited, the unprotected magic SVC The top ten audit issues found So the idea of this session is to look at the other stuff out there Whats going on outside of the mainframe that can and will affect us? 3

4 Getting the language right Penetration Testing Done by the good people out there to stop the bad folks getting in This is the bit I enjoy the most Hacking The bad guys or gals its not necessarily a male dominated activity these days They are after our stuff. Getting the language right Vulnerability Scanning Scanning the code delivered by IBM and ISV s along with any code you may have developed yourself Test the code to see if it has any vulnerabilities that could be exploited by a knowledgably user 4

5 Getting the language right Auditing The process of checking that we are doing everything correctly These are the good guys and are here to help Work with them not against them Educate them, don t shun them we all had to start somewhere How many IT Auditors actually understand what we do? The traditional stuff! 5

6 The Traditional Stuff! None of the traditional stuff should be ignored, if anything they need even more attention than before If some of the other stuff we will discuss happens, then the risk associated with these issues actually rises: Privileged Library Access (APF, Parmlib, etc) SVC s and Exits Poorly written software that can be exploited, the unprotected magic SVC The top ten audit issues found that have been presented many times see next slide Still The -- Top Ten Audit Issues 1. Excessive Number of User ID s w/no Password Interval 2. Inappropriate Usage of z/os UNIX Superuser Privilege, UID = 0 3. Data Set Profiles with UACC Greater than READ 4. RACF Database is not Adequately Protected 5. Excessive Access to APF Libraries 6. General Resource Profiles in WARN Mode 7. Production Batch Jobs have Excessive Resource Access 8. Data Set Profiles with UACC of READ 9. Improper Use or Lack of UNIXPRIV Profiles 10. Started Task IDs are not Defined as PROTECTED IDs 6

7 01/11/2016 What tools are out there today? 7

8 What tools are out there today? Do a simple google search mainframe hacking tools There is plenty to read and research What tools are out there today? 8

9 What tools are out there today? Some really interesting stuff on the list My favorites are:

10 01/11/

11 Fully supports testing using a RACF database Rumour on the street is that they have already added support for the new IBM password KDFAES algorithm! You Tube inframe+hacking 11

12 Twitter Sublime 3 12

13 01/11/ How do these tool impact us? 13

14 How do these tool impact us? For me its awareness more than anything We have long since understood the risks But lets be honest, many of us have hidden behind the fact that nobody really took any notice of us More Security by obscurity Who knows what a reverse shell is??? I do and its very scary How do these tool impact us? 14

15 What s the state of mainframe security? What s the state of mainframe security? Unfortunately, in my opinion not great. We still see the same old issues The top ten are still the top ten Comments that the mainframe is secure and we dont need to worry or invest in this legacy technology...still happen today! wouldnt be saying that if the mainframe was hacked from a fridge!...buts thats for another day!! 15

16 How do we keep up to date? How do we keep up to date? You need to find the time to do the research Attending meetings: This conference Vanguard Conference Defcon, Blackhat, etc RSA and other mainstream security conferences 16

17 How do we protect ourselves? How do we protect ourselves? Get on the front foot Be proactive Talk to the folks in your organization and understand what they are doing with: Identity and Access Management SIEM How many do we hear that the m/f is out of scope Privileged Users and Privileged Access Data classification 17

18 PEBKAC But remember stupidity rules! But lets not forget our users.we as a group can only go so far...but as long as we have users! Problem Exists Between Keyboard And Chair A useful term for demeaning the incompetent competent user without actually saying it to their face 18

19 But remember stupidity rules! Techie: This isn't working. I'll have to come over there and fix it in person Computer user: Really? Why? Techie: It's a PEBKAC issue sir. It's best handled in person PEBKAC!! 19

20 01/11/2016 PEBKAC!! 39 01/11/2016 Summary 20

21 The Perfect Storm What does that actually mean? From Wikipedia A "perfect storm" is an expression that describes an event where a rare combination of circumstances will aggravate a situation drastically The term is also used to describe an actual phenomenon that happens to occur in such a confluence, resulting in an event of unusual magnitude. In my opinion we have this today! Lack of investment Rising interest in mainframes and mainframe hacking The Internet of Things Stupidity in our user base or a lack of understanding Summary Our world is has changing changed We are not an isolated platform anymore In a connected, digital world, we are the big game in town The hackers, in whatever form are coming after us and they will succeedhave succeeded We need to wake our management up and make them realise years of underinvestment and a lack of attention will come back and bite them 21

22 01/11/2016 Summary Questions 22

23 Contact Mark Wilson RSM Partners mobile: +44 (0)