security audit on the mainframe (v1.0 - 2016)
TRANSCRIPT
Delivering the best in z services, software, hardware and training.
World Class z Specialists

Security Audit on the Mainframe
Rui Miguel Feio – Senior Technical Lead
Agenda
• Who am I?
• How secure is it? Is the mainframe really secure? Can it be hacked?
• Security Audit: key points to consider when auditing the mainframe. What should you audit?
• Real Life Examples: some recent examples of security audits performed on the mainframe and their results
• Beyond the audit: is the audit the “final frontier”? Things to consider besides doing a security audit
• Conclusion: summary of what was discussed and key points to remember
• Questions: ask away any questions that you may have!
Who Am I?
RUI MIGUEL FEIO – SENIOR TECHNICAL LEAD
Bio:
• Working with RSM since 2010
• Working with mainframes for the past 17 years
• Started with IBM as an MVS SysProgrammer
• Specialises in mainframe security
• Experience in other platforms
Can a mainframe be hacked?
• The mainframe is highly securable but not secure by default.
  – You need to invest time and resources to make it secure.
• Can the mainframe be hacked?
  – Not only can it be hacked, it has already been hacked!
• Most mainframe hacking cases are not reported.
• “I could give you more examples but… I can’t” (NDA agreements)
• But there are cases that have come to public…
Mainframe security at risk
– Ignore the security of the mainframe and you’re up for a treat… and not a good type of treat!
– Consider the impact for your organisation if your mainframe was compromised…
  • Financial impact
  • Image
  • Publicity
– Conclusion? You MUST take security on the mainframe SERIOUSLY!
What is a security audit?
• In a very simplistic way, it’s the exercise of analysing and reviewing the security and recommending improvements
• Each security risk identified has a category level (e.g. high, medium, low)
• Should be done periodically (every 6 months or every year)
• Shouldn’t be seen as a ‘tick in the box’ exercise
• Shouldn’t be seen as something evil or bad
Challenges
• Lack of cooperation or interest from the affected teams
• Audit is sometimes seen as a requirement; a “tick in a box”
• Want it done ASAP with minimum investment
• IT systems (or part of them) have been outsourced. Can lead to:
  – Lack of cooperation and access to information and resources
  – Wanting to control the security audit and its outcome
Opportunities
• To make official the security problems the team already knows exist
• To lead to the remediation of security problems
• To review security processes and procedures
• To justify more investment in the mainframe security area:
  – To hire more staff
  – For training and conferences
Define the scope of the audit
• How many, and which, mainframe systems will be audited?
• How many RACF databases (ACF2, TSS) will be audited?
• Subsystems in scope?
• ISV products in scope?
• Internal applications in scope?
• Physical security in scope?
Typical security audit
• The duration is directly dependent on the scope of the audit
• Typically:
  – 3 to 5 days to audit 1 single system with one RACF DB:
    • RACF (users, groups, profiles, settings, controls, DB security)
    • Technical z/OS controls
    • Unix System Services (USS) controls
    • Communications settings and data transfer methods
  – 5 days to analyse results and write report
  – Total 8 to 10 days
Technical requirements
• Let’s make the most of the time we have and get ready before the audit begins:
  – Desktop/laptop with access to the network
  – Provide security documentation
  – TSO userid with system AUDITOR attribute and OMVS segment
  – Ability to issue the su command in USS
  – Ability to issue display commands
  – Access to config files (e.g. parmlibs, proclibs, etc.)
  – Allow upload of code (REXX, JCL, …) to help with the audit
  – Allow download of documented findings
Performing the audit
• Auditors may require additional access to some resources
• Auditors may need to get answers to specific questions
• At the end of the audit, all reports generated by the audit code will be downloaded to feed the final report
• After the audit, the documentation collected will be analysed and a final report produced
Audit report
• Will describe the tests made and what was verified
• Enumerate and detail the vulnerabilities
• Classify each vulnerability by level of importance (high, medium, low)
• Client should review the report
• A meeting should be organised to go through the report
After the audit
• The security audit is complete; now what?
• Well, if security vulnerabilities were identified they need to be addressed. And addressed as soon as possible!!
• Sometimes we hear:
  – “We’ll address only the high priority ones”
  – “We don’t have the resources to fix the problems”
  – “We’ll talk with the Risk department and get a dispensation for this year”
  – “We’re being outsourced; we’ll let the outsourcer deal with it”
Reality check
• I’ve asked you before and I ask you again: “What would be the impact for your organisation if your mainframe was compromised?”
  – Financial impact
  – Image
  – Publicity
  – Would your jobs be secure?
• Oh, and if you think the outsourcer will fix your security problems, just make sure you get that in writing; otherwise you’re up for a treat!
Bank
• Recently performed a mainframe security audit at a financial institution in Europe (51 risks identified)
• Large number of users with READ access to a daily backup copy of the RACF database, network controls not properly protected, …

Classification   Score
High             11
Medium           23
Low              17
Energy company
• Mainframe security audit at a large energy company in the US this summer (72 risks identified)
• Network controls not defined
• READ access to sensitive data!!

Classification   Score
High             27
Medium           30
Low              15
Government agency
• Security analysis of a production RACF DB at a government agency in the UK
• 33 security problems identified in the RACF DB
• SERVAUTH class not active!!
• Large number of users with ALTER access to the Master Catalog
• All OPERCMDS profiles in Warning mode, including JES2.* and MVS.*
• RACF databases with UACC of READ and several users with ALTER and UPDATE access
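The government agency findings above (an inactive SERVAUTH class, OPERCMDS profiles in Warning mode, RACF database datasets with UACC READ) are the kind of check an uploaded audit script can run over command output. The following is an added example, not the author's or RSM's audit code: it parses constructed text in the style of SETROPTS LIST and RLIST/LISTDSD output, whose column layout is assumed for illustration, and flags those three conditions.

```python
import re
from typing import List, Tuple

# Constructed sample output in the style of RACF SETROPTS LIST and RLIST/LISTDSD.
# The field layout is an assumption for this example, not a real system's capture.
SETROPTS_OUT = """ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC)
ACTIVE CLASSES = DATASET USER GROUP OPERCMDS FACILITY
"""
PROFILE_OUT = """CLASS      NAME
-----      ----
OPERCMDS   JES2.**

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1            NONE              ALTER      YES

CLASS      NAME
-----      ----
DATASET    SYS1.RACFDS.**

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1            READ              ALTER      NO
"""

PROFILE_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")                       # "class  name" data line
ACCESS_RE = re.compile(r"^\s*\d\d\s+\S+\s+(\S+)\s+\S+\s+(YES|NO)\s*$")  # level owner UACC yours WARNING

def inactive_classes(setropts_text: str, required=("SERVAUTH",)) -> List[str]:
    """Return the required classes that are missing from the ACTIVE CLASSES line."""
    m = re.search(r"ACTIVE CLASSES\s*=\s*(.*)", setropts_text)
    active = set(m.group(1).split()) if m else set()
    return [c for c in required if c not in active]

def profile_findings(listing: str) -> List[Tuple[str, str, str]]:
    """Flag profiles in Warning mode and profiles whose UACC is anything but NONE."""
    findings, profile, prev = [], None, ""
    for line in listing.splitlines():
        access = ACCESS_RE.match(line)
        if access and profile:
            uacc, warning = access.groups()
            if warning == "YES":
                findings.append((*profile, "WARNING mode"))
            if uacc != "NONE":
                findings.append((*profile, f"UACC {uacc}"))
        elif prev.startswith("-----"):            # data line directly under a dashed header
            m = PROFILE_RE.match(line)
            if m:
                profile = (m.group(1), m.group(2))
        prev = line
    return findings
```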
What about all the other stuff?
• Subsystems (CICS, IMS, DB2, MQ, …)
• Scheduler
• Automation
• All the ISV products you have…
• Internal applications
Other controls
• It’s not just about mainframe security controls
• It’s about your end-to-end security posture
• It’s about the whole ecosystem: mainframe, other platforms and devices
• Consider doing regular mainframe penetration tests and vulnerability scans
Contact
Rui Miguel Feio, [email protected]
mobile: +44 (0) 7570 911459
linkedin: www.linkedin.com/in/rfeio
www.rsmpartners.com