How to Protect Your Mainframe from Hackers (v1.0)
2 likes1,057 views
The document discusses the security of mainframes, highlighting the reality of mainframe hacking and the importance of securing these systems against threats. It outlines common vulnerabilities, such as excessive access to APF libraries and improperly protected RACF databases, and emphasizes the need for ongoing monitoring, training, and adaptation to evolving security challenges. The human factor is pointed out as a critical weakness, necessitating a focused effort on education and security measures to protect mainframe environments.
How to Protect Your Mainframe from Hackers (v1.0)
- 2. Agenda • Introduc@on • Mainframe Hacking – Fact or Fic@on? • Securing the Mainframe • Is this Enough? • Warning! The Human Factor • References and Resources • Ques@ons?
- 3. Introduc@on Rui Miguel Feio is… – Security lead at RSM Partners – Mainframe technician specialising in mainframe security: • Penetra@on Tes@ng • Security Audit • Security Improvement – Has been working with mainframes for the past 16 years – Started as an MVS Systems Programmer – Experience in other plaTorms as well
- 6. Hacking a Mainframe • The mainframe is highly securable but not secure by default. – You need to invest @me and resources to make it secure. • Can the mainframe be hacked? – Not only it can be hacked but it has already been hacked! • Most mainframe hacking cases are not reported. • But there are cases that have come to public…
- 14. Top 10 Security Vulnerabili@es 1. Excessive access to APF libraries 2. Number of users with System Special 3. User SVCs reques@ng privileged func@ons 4. USS controls (UNIXPRIV, UID=0) 5. Started tasks not defined as PROTECTED 6. RACF database not properly protected 7. Profiles in OPERCMDS Class not properly set 8. SURROGAT profiles permihng use of privileged userids 9. RACF profiles with UACC or ID(*) > NONE 10. Batch Jobs with excessive resource access
- 15. What’s the Problem? • Excessive access to APF libraries – Users with UPDATE access or higher to an APF library can create an authorised program that can bypass security controls and execute privileged instruc@ons. • Number of users with System Special – SPECIAL aoribute gives the user full control over all of the RACF profiles in the RACF database. At the system level, the SPECIAL aoribute allows the user to issue all RACF commands. • User SVCs reques@ng privileged func@ons – They are extensions to the opera@ng system, receiving control in Supervisor State and in the master storage protected key (key 0). This means that they have the power to circumvent security measures by altering otherwise protected storage areas.
- 16. What’s the Problem? • USS controls (UNIXPRIV, UID=0) – The UNIXPRIV class resource rules are designed to give a limited subset of the superuser UID=0 capability. Userids with superuser authority (UID=0), have full access to all USS directories and files and full authority to administer. • Started tasks not defined as PROTECTED – Userids associated with started tasks should be defined as PROTECTED which will exempt them from revoca@on due to inac@vity or excessive invalid password aoempts, as well as being used to sign on to an applica@on. • RACF database not properly protected – A user who has READ access to the RACF database could make a copy and then use a cracker program to find the passwords of userids.
- 17. What’s the Problem? • Profiles in OPERCMDS Class not properly set – Controls who can issue operator commands: JES, MVS, operator commands. • SURROGAT profiles permihng use of privileged userids – This class allows userids to access the privileges of other userids by submihng work under their authority without requiring a password. • RACF profiles with UACC or ID(*) > NONE – If a userid is not defined to the Access Control List (ACL) of a RACF profile, UACC or ID(*) will provide them the access. In some cases, READ access can be a security risk because it can provide access to sensi@ve data.
- 19. But There Are Many More!! • Profiles in Warning mode • Userids with no Password Interval • Data transfer methods • U@li@es (e.g. ISRDDN, TASID) • RACF Class Facility • RACF Class XFACILIT • RACF Class SERVAUTH • RACF Class JESINPUT • RACF Class JESJOBS • …
- 20. Monitoring and Aler@ng Systems • Monitoring and Aler@ng is essen@al but does not always work. • Monitoring processes: – Not covering the essen@als – Teams not skilled enough to iden@fy problems • Aler@ng processes: – Not covering the essen@als – Not properly configured – Can be compromised
- 21. Compromising the Aler@ng System • Let’s use the example of IBM zSecure Alert… • HLQ.C2POLICE.C2PCUST contains all the aler@ng code and configura@on sehngs • Whoever has READ access to this dataset will be able to: – Check the configura@on and the alerts – Check for example to which email address the alerts are being sent and flood the email address with false posi@ves – While problem is being iden@fied, the hacker has a window of opportunity to perform malicious ac@vi@es
- 22. Is This Enough?
- 23. “The hacker is going to look for the crack in the wall…” Kevin Mitnick in “The Art of Intrusion”
- 25. 7 Security Principles • Know what are you trying to protect 1 • Know the environment 2 • Know your enemy 3 • Know your weaknesses and strengths 4 • Assess and plan 5 • Define a strategy 6 • Adapt and evolve or ‘die’ 7
- 26. The Mainframe is Part of Something The mainframe is part of an ecosystem: – Servers – Terminals – Other mainframes – Smart phones – Tablets – Routers – Switches – IoT devices – Users (technical and non-technical) – 3rd par@es – …
- 29. Strengths and Weaknesses • Technological estate • Processes & procedures • Technical documents • Access requirements • Segrega@on of du@es • Training and educa@on to staff and 3rd par@es • Systems’ updates • Process to keep systems up-to-date • Team work • Request help!
- 31. Adapt and Evolve • Security is not a one @me @ck in a box process • Security requires a daily effort and constant improvements • You should consider performing regular: – Penetra@on tests – Security Audits – Implementa@on of Security Improvement programmes – Run vulnerability scannings • Remember: Hackers have all the @me in the world and are constantly developing new ways of aoacking and compromising!
- 33. “Most advanced aoacks rely as much on exploi@ng human flaws as on exploi@ng system flaws.” An Hacker
- 34. Humans – The Inside Threat * Figure from the “IBM 2015 Cyber Security Intelligence Index” report
- 35. The Weakest Link Insider Associate Affiliate Dumbass
- 36. Conclusion
- 37. To Summarise… • There’s a lot of work to be done to protect the mainframe, internally, and externally. • Training and educa@on are essen@al! • Need to keep up to date. • Humans are the weakest link. • Security MUST be taken seriously! * Dark Reading visitors responding to “What do you consider the greatest security threat to your organiza5on?”
- 39. Light Reading • “IBM 2015 Cyber Security Intelligence Index”, IBM • “2015 Threat Report”, Websense • “2015 Cost of Cyber Crime Study: Global”, Ponemon Ins@tute • “The Human Factor 2015”, Proofpoint • “The Insider Threat: Detec@ng Indicators of Human Compromise”, Tripwire • “White Hats, Black Hats. A Hacker Community is Emerging Around the Mainframe. What You Need to KNow…”, Mike Rogers @ Aoachmate.com • “The Art of War”, Sun Tzu
- 40. Web Sites • PC World: – hop://www.pcworld.com/ar@cle/2034733/pirate-bay-cofounder-charged-with-hacking-ibm- mainframes-stealing-money.html • The Register: – hop://www.theregister.co.uk/2013/03/04/convicted_hacker_hack_into_prison/ • Daily Mail: – hop://www.dailymail.co.uk/news/ar@cle-2526726/Married-Barclays-boss-spent-stolen-2million-call- girls-Banker-accused-five-year-cash-the2.html
- 41. YouTube Videos • Hacking Mainframes Vulnerabili@es in applica@ons exposed over TN3270, Dominic White: – hops://www.youtube.com/watch?v=3HFiv7NvWrM&feature=youtu.be • Mainframes Mopeds and Mischief A PenTesters Year in Review, Tyler Wrightson: – hops://www.youtube.com/watch?v=S-9Uk706wuc • Smashing the Mainframe for Fun and Prison Time, Philip Young: – hops://www.youtube.com/watch?v=SjtyifWTqmc&feature=youtu.be • Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, Philip Young: – hops://www.youtube.com/watch?v=uL65zWrofvk&feature=youtu.be