how to protect your mainframe from hackers (v1.0)
TRANSCRIPT
Delivering the best in z services, software, hardware and training.
World Class, Full Spectrum, z Services
How to Protect Your Mainframe from Hackers
Rui Miguel Feio, Security Lead
Agenda
• Introduction
• Mainframe Hacking – Fact or Fiction?
• Securing the Mainframe
• Is this Enough?
• Warning! The Human Factor
• References and Resources
• Questions?
Introduction
Rui Miguel Feio is…
– Security lead at RSM Partners
– Mainframe technician specialising in mainframe security:
  • Penetration Testing
  • Security Audit
  • Security Improvement
– Has been working with mainframes for the past 16 years
– Started as an MVS Systems Programmer
– Experience in other platforms as well
Mainframe Hacking – Fact or Fiction?
“It is a fairly open secret that almost all systems can be hacked, somehow. It is a less spoken of secret that such hacking has actually gone quite mainstream.”
Dan Kaminsky
Hacking a Mainframe
• The mainframe is highly securable but not secure by default.
  – You need to invest time and resources to make it secure.
• Can the mainframe be hacked?
  – Not only can it be hacked, it has already been hacked!
• Most mainframe hacking cases are not reported.
• But there are cases that have become public…
Mainframe Hacking in the News
Hacking the Mainframe on YouTube
Securing the Mainframe
Top 10 Security Vulnerabilities
1. Excessive access to APF libraries
2. Number of users with System Special
3. User SVCs requesting privileged functions
4. USS controls (UNIXPRIV, UID=0)
5. Started tasks not defined as PROTECTED
6. RACF database not properly protected
7. Profiles in OPERCMDS class not properly set
8. SURROGAT profiles permitting use of privileged userids
9. RACF profiles with UACC or ID(*) > NONE
10. Batch jobs with excessive resource access
What’s the Problem?
• Excessive access to APF libraries
  – Users with UPDATE access or higher to an APF library can create an authorised program that can bypass security controls and execute privileged instructions.
• Number of users with System Special
  – The SPECIAL attribute gives the user full control over all of the RACF profiles in the RACF database. At the system level, the SPECIAL attribute allows the user to issue all RACF commands.
• User SVCs requesting privileged functions
  – They are extensions to the operating system, receiving control in Supervisor State and in the master storage protection key (key 0). This means that they have the power to circumvent security measures by altering otherwise protected storage areas.
What’s the Problem?
• USS controls (UNIXPRIV, UID=0)
  – The UNIXPRIV class resource rules are designed to give a limited subset of the superuser (UID=0) capability. Userids with superuser authority (UID=0) have full access to all USS directories and files and full authority to administer.
• Started tasks not defined as PROTECTED
  – Userids associated with started tasks should be defined as PROTECTED, which exempts them from revocation due to inactivity or excessive invalid password attempts, as well as from being used to sign on to an application.
• RACF database not properly protected
  – A user who has READ access to the RACF database could make a copy and then use a cracker program to find the passwords of userids.
What’s the Problem?
• Profiles in OPERCMDS class not properly set
  – The OPERCMDS class controls who can issue operator commands (JES and MVS commands).
• SURROGAT profiles permitting use of privileged userids
  – This class allows userids to access the privileges of other userids by submitting work under their authority without requiring a password.
• RACF profiles with UACC or ID(*) > NONE
  – If a userid is not defined in the Access Control List (ACL) of a RACF profile, UACC or ID(*) will provide it the access. In some cases, READ access can be a security risk because it can provide access to sensitive data.
What’s the Problem?
• Batch jobs with excessive resource access
  – It is common to see the userid of a batch job having too much access. This means that when the job enters the job scheduler, it can accidentally or maliciously access sensitive data or resources.
But There Are Many More!!
• Profiles in Warning mode
• Userids with no Password Interval
• Data transfer methods
• Utilities (e.g. ISRDDN, TASID)
• RACF class FACILITY
• RACF class XFACILIT
• RACF class SERVAUTH
• RACF class JESINPUT
• RACF class JESJOBS
• …
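Three of the findings above (the number of users holding SPECIAL, started-task userids not defined as PROTECTED, and userids with no password interval) can be checked from the defender's side by running LISTUSER for the userids of interest and parsing the output. The script below is an added example, not code from the talk or from RSM Partners. The LISTUSER text it parses is a constructed sample whose layout is modelled on LISTUSER output (an assumption about the exact format), and the set of started-task userids is a constructed stand-in for the list you would take from your own STARTED class profiles.

```python
"""Audit constructed RACF LISTUSER output for three of the talk's Top 10 findings."""
import re
from dataclasses import dataclass, field

# Constructed sample laid out like LISTUSER output (the layout is an assumption;
# the userids and dates are made up, not captured from a real system).
SAMPLE_LISTUSER = """\
USER=SYSPROG1 NAME=SYS PROGRAMMER        OWNER=SYS1     CREATED=10.045
 DEFAULT-GROUP=SYS1     PASSDATE=16.120 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=HELPDSK1 NAME=HELPDESK USER         OWNER=HELPDESK CREATED=14.300
 DEFAULT-GROUP=HELPDESK PASSDATE=16.100 PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=CICSPROD NAME=CICS STARTED TASK     OWNER=SYS1     CREATED=12.010
 DEFAULT-GROUP=STCGRP   PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=DB2PROD  NAME=DB2 STARTED TASK      OWNER=SYS1     CREATED=12.010
 DEFAULT-GROUP=STCGRP   PASSDATE=13.050 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=JSMITH   NAME=JOHN SMITH            OWNER=APPDEV   CREATED=15.200
 DEFAULT-GROUP=APPDEV   PASSDATE=16.190 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
"""

# Constructed stand-in for the userids assigned to started tasks in the STARTED class.
STARTED_TASK_IDS = {"CICSPROD", "DB2PROD"}


@dataclass
class UserEntry:
    userid: str
    attributes: set = field(default_factory=set)
    pass_interval: str = ""


def parse_listuser(text):
    """Split LISTUSER output into one entry per USER= block and pull out the fields we audit."""
    users = []
    current = None
    for line in text.splitlines():
        m = re.match(r"USER=(\S+)", line)
        if m:
            current = UserEntry(m.group(1))
            users.append(current)
            continue
        if current is None:
            continue
        # User-level attributes; "CONNECT ATTRIBUTES=" lines do not match because of the anchor.
        m = re.match(r"\s*ATTRIBUTES=(.*)", line)
        if m:
            current.attributes = set(m.group(1).split()) - {"NONE"}
        m = re.search(r"PASS-INTERVAL=\s*(\S+)", line)
        if m:
            current.pass_interval = m.group(1)
    return users


def audit(users, started_tasks):
    """Return the userids behind three Top 10 findings, in listing order."""
    findings = {"special": [], "unprotected_stc": [], "no_interval": []}
    for u in users:
        if "SPECIAL" in u.attributes:
            findings["special"].append(u.userid)
        if u.userid in started_tasks and "PROTECTED" not in u.attributes:
            findings["unprotected_stc"].append(u.userid)
        # PROTECTED userids have no password at all, so only flag the rest for a missing interval.
        if "PROTECTED" not in u.attributes and u.pass_interval == "N/A":
            findings["no_interval"].append(u.userid)
    return findings


if __name__ == "__main__":
    for finding, ids in audit(parse_listuser(SAMPLE_LISTUSER), STARTED_TASK_IDS).items():
        print(f"{finding:16} {', '.join(ids) or '-'}")
```

On a real system you would feed the script the saved output of LISTUSER for every userid (or the equivalent records from an IRRDBU00 unload), and the "special" list becomes the number the talk asks you to keep small.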
Monitoring and Alerting Systems
• Monitoring and Alerting is essential but does not always work.
• Monitoring processes:
  – Not covering the essentials
  – Teams not skilled enough to identify problems
• Alerting processes:
  – Not covering the essentials
  – Not properly configured
  – Can be compromised
Compromising the Alerting System
• Let’s use the example of IBM zSecure Alert…
• HLQ.C2POLICE.C2PCUST contains all the alerting code and configuration settings
• Whoever has READ access to this dataset will be able to:
  – Check the configuration and the alerts
  – Check, for example, to which email address the alerts are being sent and flood that email address with false positives
  – While the problem is being identified, the hacker has a window of opportunity to perform malicious activities
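The UACC / ID(*) finding earlier and the zSecure Alert example here come down to the same question: who can read a dataset that only the product's own userids should see? The script below is an added example, not code from the talk, RSM Partners or IBM. It parses a constructed listing laid out like the output of LISTDSD with AUTHUSER for the dataset named above (the column layout is an assumption about the format, and the ids on the access list are made up) and reports UACC and ID(*) grants at READ or above, WARNING mode, and every id on the access list with READ or higher, so an administrator can confirm the list holds nothing but the alerting product's own userids.

```python
"""Audit a constructed LISTDSD listing for over-broad READ access to a sensitive dataset."""
import re

# RACF access levels from weakest to strongest (EXECUTE sits between NONE and READ).
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed sample laid out like "LISTDSD DA('HLQ.C2POLICE.C2PCUST') AUTHUSER" output;
# the column layout is an assumption and the ids on the access list are made up.
SAMPLE_LISTDSD = """\
INFORMATION FOR DATASET HLQ.C2POLICE.C2PCUST

LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
-----  -------- ----------------   -------   -----
 00    SYS1          READ            NO        NO

   ID        ACCESS   ACCESS COUNT
   --------  -------  ------------
   SYS1      ALTER       000000
   ZSECADM   UPDATE      000014
   *         READ        000000
   HELPDESK  READ        000003
"""


def parse_listdsd(text):
    """Pull the dataset name, UACC, WARNING flag and access list out of the listing."""
    info = {"dataset": None, "uacc": "NONE", "warning": False, "acl": {}}
    lines = text.splitlines()
    in_acl = False
    for i, line in enumerate(lines):
        m = re.match(r"INFORMATION FOR DATASET (\S+)", line)
        if m:
            info["dataset"] = m.group(1)
            continue
        # The dashed rule under LEVEL/OWNER/UNIVERSAL ACCESS/WARNING/ERASE is followed
        # by one data row: level, owner, uacc, warning, erase.
        if re.match(r"-----\s+-+\s+-+\s+-+\s+-+", line) and i + 1 < len(lines):
            level, owner, uacc, warning, erase = lines[i + 1].split()[:5]
            info["uacc"] = uacc
            info["warning"] = warning == "YES"
            continue
        if re.match(r"\s*ID\s+ACCESS\s+ACCESS COUNT", line):
            in_acl = True
            continue
        if in_acl:
            stripped = line.strip()
            if not stripped or stripped.startswith("-"):
                continue
            ident, access = stripped.split()[:2]
            info["acl"][ident] = access
    return info


def audit_dataset(info, threshold="READ"):
    """Report who gets `threshold` or more to the dataset, including the catch-all grants."""
    limit = ACCESS_RANK[threshold]
    acl = info["acl"]
    return {
        "dataset": info["dataset"],
        # UACC applies to every userid, defined to RACF or not.
        "broad_uacc": ACCESS_RANK[info["uacc"]] >= limit,
        # ID(*) applies to every userid defined to RACF.
        "broad_id_star": ACCESS_RANK[acl.get("*", "NONE")] >= limit,
        # In WARNING mode violations are logged but the access is still allowed.
        "warning_mode": info["warning"],
        # Named ids on the access list at or above the threshold, for review.
        "readers": sorted(i for i, a in acl.items() if i != "*" and ACCESS_RANK[a] >= limit),
    }


if __name__ == "__main__":
    report = audit_dataset(parse_listdsd(SAMPLE_LISTDSD))
    for key, value in report.items():
        print(f"{key:14} {value}")
```

Run against real LISTDSD output for each dataset that holds security tooling, RACF database copies or backups; the same parser serves both the UACC / ID(*) check and the alerting-configuration check, and raising the threshold to UPDATE narrows the list to ids that could alter the alert definitions themselves.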
Is This Enough?
“The hacker is going to look for the crack in the wall…”
Kevin Mitnick in “The Art of Intrusion”
Once he finds it… It’s Playtime!
7 Security Principles
1. Know what you are trying to protect
2. Know the environment
3. Know your enemy
4. Know your weaknesses and strengths
5. Assess and plan
6. Define a strategy
7. Adapt and evolve or ‘die’
The Mainframe is Part of Something
The mainframe is part of an ecosystem:
– Servers
– Terminals
– Other mainframes
– Smartphones
– Tablets
– Routers
– Switches
– IoT devices
– Users (technical and non-technical)
– 3rd parties
– …
The 3 Main ‘Actors’
Hacker – Techie – User
5 Stages of Hacking
1. Reconnaissance
2. Scanning
3. Gain Access
4. Maintain Access
5. Cover Tracks
Strengths and Weaknesses
• Technological estate
• Processes & procedures
• Technical documents
• Access requirements
• Segregation of duties
• Training and education to staff and 3rd parties
• Systems’ updates
• Process to keep systems up-to-date
• Teamwork
• Request help!
Assess, Plan and Define a Strategy
Adapt and Evolve
• Security is not a one-time tick-in-a-box process
• Security requires a daily effort and constant improvements
• You should consider performing regular:
  – Penetration tests
  – Security audits
  – Implementation of Security Improvement programmes
  – Vulnerability scans
• Remember: hackers have all the time in the world and are constantly developing new ways of attacking and compromising!
Warning! The Human Factor
“Most advanced attacks rely as much on exploiting human flaws as on exploiting system flaws.”
A Hacker
Humans – The Inside Threat
*Figure from the “IBM 2015 Cyber Security Intelligence Index” report
The Weakest Link
Insider – Associate – Affiliate – Dumbass
Conclusion
To Summarise…
• There’s a lot of work to be done to protect the mainframe, internally and externally.
• Training and education are essential!
• Need to keep up to date.
• Humans are the weakest link.
• Security MUST be taken seriously!
*Dark Reading visitors responding to “What do you consider the greatest security threat to your organization?”
References & Resources
Light Reading
• “IBM 2015 Cyber Security Intelligence Index”, IBM
• “2015 Threat Report”, Websense
• “2015 Cost of Cyber Crime Study: Global”, Ponemon Institute
• “The Human Factor 2015”, Proofpoint
• “The Insider Threat: Detecting Indicators of Human Compromise”, Tripwire
• “White Hats, Black Hats. A Hacker Community is Emerging Around the Mainframe. What You Need to Know…”, [email protected]
• “The Art of War”, Sun Tzu
Web Sites
• PCWorld:
  – http://www.pcworld.com/article/2034733/pirate-bay-cofounder-charged-with-hacking-ibm-mainframes-stealing-money.html
• The Register:
  – http://www.theregister.co.uk/2013/03/04/convicted_hacker_hack_into_prison/
• Daily Mail:
  – http://www.dailymail.co.uk/news/article-2526726/Married-Barclays-boss-spent-stolen-2million-call-girls-Banker-accused-five-year-cash-theft.html
YouTube Videos
• Hacking Mainframes: Vulnerabilities in applications exposed over TN3270, Dominic White:
  – https://www.youtube.com/watch?v=3HFiv7NvWrM&feature=youtu.be
• Mainframes, Mopeds and Mischief: A Pen Tester’s Year in Review, Tyler Wrightson:
  – https://www.youtube.com/watch?v=S-9Uk706wuc
• Smashing the Mainframe for Fun and Prison Time, Philip Young:
  – https://www.youtube.com/watch?v=SjtyifWTqmc&feature=youtu.be
• Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, Philip Young:
  – https://www.youtube.com/watch?v=uL65zWrofvk&feature=youtu.be
Questions?
Hands Up!!
Contact
Rui Miguel Feio, [email protected], +44 (0)7570 911459, linkedin: www.linkedin.com/in/rfeio, www.rsmpartners.com