#RSAC
Managing Enterprise Risk through Legacy System Testing
Session ID: TECH-F01

Philip Young, Co-Founder, ZedSec390, @mainframed767
Chad Rikansrud, Co-Founder, ZedSec390, @bigendiansmalls

DISCLAIMER
We're not here in the name of or speaking on behalf of our employers. All opinions expressed here at RSA 2017 are our own.

"I predict that the last mainframe will be unplugged on March 15, 1996" - Stewart Alsop, March 1991

Pepsico INC - Hartford Life - UBS - City of Phoenix Phoenix Az USA David DeBevec - GCCPC - State of Alabama Child Support Enforcement Services - Jefferies Bank - Bank Vontobel - Duke Power, DB2 apps - Polfa Tarchomin - Extensity - Patni - FPL - Wellpoint - Standard Insurance -
Fulton County - Zagrebacka Banka (ZABA) - Community Loans of America - WGV - NAV - Information Builders - AIG Global Services - T. Rowe Price - Macro Soft - Commerzbank - Macy's Systems and Technologies - Phoenix Home Life - United States Postal Service — Mainframe Ops -
United Technologies - APIS IT - Bajaj Allianz - Universität Leipzig - Abraxas - PRT (Puerto Rico Telephone - Claro) - VISA Inc. - Taiwan Cooperative Bank Taiwan - Reserve Bank of India (www.rbi.org.in) - GEICO Atlanta GA Insurance - Garanti Technology Istanbul Turkey - Chrysler - Marist
College - GEORGIA STATE UNIVERSITY - Blue Cross Blue Shield MD - Self Employed Consultant - Mpowerss - TD Ameritrade - Seminole Electric - TD Ameritrade - Modern Woodmen of America - TIAA-CREF - VF Corp. - Citi / Primerica - Comerica Bank - American Family Insurance -
Alliance Data Systems (Texas and Ohio) - United Parcel Service Inc - American General - Farm Bureau Financial Services - IBM Global Services - Abraxas - SLK software - Brown Brothers Harriman (BBH) - EDEKA - Mainframe Co Ltd - Guardian Life - Enbridge Gas Distribution - SE Tools -
Southern Company - Equifax Inc - HSBC - IRS - Watkins(now part of Fedex) - Fortis - General Dynamics - United States Steel - TAG - Bank of America - Pitney Bowes (Danbury, Ct.) - OFD - Infotel - Sainsburys Plc - IRS, New Carrolton MD - TIMKEN - T-Systems - Palm Beach County School
District The School District of Palm Beach County West Palm Beach FL USA George Rodriguez - Emory Univ - WIPRO Technologies - Experian Americas - Lawrence Livermore National Laboratories, Livermore, CA - Helsana - Vertex (only Seattle area) - Suntrust Banks Inc - AMB Generali -
Casas Bahia - Express Scripts - Harland Clarke (John H. Harland Co) - Medical College of Georgia - Waddell & Reed FInancial Services - Praxair (Danbury, Ct.) - Avnet - BMW - Ryder Trucks Miami FL USA - COVANYS - Emblem Health - Bank of New York Mellon (BNY) (BK) New York NY,
Pittsburgh, PA and Nashville, TN, Everett - Allied Irish Bank AIB (www.aib.ie) - VISA Inc. - MAJORIS - AARP - Logica Inc - Matera - R+V - Texas A&M University Colleg Station TX USA - Riocard TI - United Missouri Bank - R R Donlley - TechData - SERPRO - Great-West Life - UNUM
Disability/Insurance Portland ME Columbia SC - Lloyds Banking Group - DST - ACS State Healthcare - IBM Global Services - Travelport - State Farm Ins - CDSI - ABSA Bank - Maintec Technologies Inc. - TESCO Bangalore India Sivaprasad Vura - MINDTREE - CAP GEMINI - Mass Mutual -
AOK - TD Auto Finance - Blue Cross Blue Shield TN - Applabs - National Life Group - VOLVO IT Corp. - United Health Care (UHG) - Banco Itau - CEPROMAT - Total Systems - University of California at Berkeley, CA - DEVK Köln - Hewlett Packard - M&T Bank - University of Chicago Chicago
IL USA - FreddieMac - RHB bank - Commonwealth Automobile Reinsurers - Ecolab, Inc - Montreal - Ford - HPS4 - Bic Banco - Bank Vontobel - Time Customer Service - Phoenix Companies - Alcatel - Turner Broadcasting TBS - Motor Vehicles Admin - Avon Brasil - IBM - Gwinnett County
School District - SunGard - CSC - WIPRO (ex-InfoCrossing) USA Outsourcing - Strate (www.Strate.co.za) - Pioneer Life Insurance - Rite Aid - Gwinnett Medical Center - GMAC SmartCash - BNP Paribas Paris France - Lender Processing Services (LPS) - Bank Rakyat Indonesia (BRI) - Nike INC
- Tampa General - CPS - PCCW - ADP - Wellmark - Blue Cross Blue Shield SC - RBSLynk - Ameriprise (American Express Financial Advisors) - Chubb - MASCON - SAS Institute NC USA - Thomson Financial-Transaction Services - Washington State Employment Security Department -
AliComp www.alicomp.com - AAFES - Merlin International - Veteran Affairs - Donovan Data Systems (Manhattan) - Avon (Westchester) - Sloan Kettering (Bronx) - Shands HealthCare - Wellpoint - MFX Fairfax Morristown NJ USA KLCameron Outsourcing - Virginia Department of Motor
Vehicles - ONCOR Dallas TX USA - DST Output - Nation Wide Insurance - Riyad Bank - Bank Central Asia (BCA) - Eddie Bauer - Scientific Games International, Inc - Commerzbank - Lousiana Housing Fin Ag / Baton Rouge CC - Broward County Schools - Verizon (Wireless) - Master Card INC
- Connecture - Atos Origin - L&T - Capco - Accenture - Georgia State Dept of Education - Cathy Pacific - GE Financial Assurance - ING - Fidelity Investments Boston MA & New York - PATNI - Maersk Lines (Global Container Shipping), - TCS - British Airways - GAVI - CVS pharmacy - First
National Bank - LabCorp - Klein Mgt. Systems (Westchester) - H. E. Butt Grocery Co. - Duke Energy - Vanguard Group - Kaiser Permanente Corona CA USA - State Auto Insurance - Bi-Lo - MARTA - EDS - DHL IT Services - Charles Schwab - CPU Service - Virginia Dept of Corrections - Cielo -
Business Connexion (www.bcx.co.za) - Lockheed - Fiat - Symetra - Citi - Collabera - Bank of America (was Nations Bank – Can work out of Alpharetta office) - FIS - State of Montana - Accenture - PWC - State of GA - DHS - Bank Indonesia (BI) - Publix - Porto Seguro - General Motors
Detroit Austin Atlanta Phoenix - CPQD - BB&T - Partsearch Technologies - ISO (Jersey City) - HMS - Depository Trust and Clearing Corp - VISA Inc. - EDB ErgoGroup - US Bank - Federal Reserve - Co-operators Canada - OCIT , Sacramento Cty - Progressive Insurance - ZETO - MetaVante
(Now Fidelity) - Ford Motor Co - University System of Georgia - California Casualty Management Company, San Mateo and Sacramento, CA - PSP - Thomson Reuters - RBS (Royal Bank of Scotland) - Aurum/BSPR - Social Security - GKVI - Kohls Department Stores - FIS - New York Times
(Manhattan) - CIGNA - SunGard Computer Services Voorhees NJ - Florida Power & Light (FPL) Juno Beach FL USA Utility - Fiserv (formerly Check Free) - H&W Computer Systems, Inc. - CA Technologies - Treehouse Software, Inc. http://www.treehouse.com - Ohio Public Employees
Retirement System - Montefiore Hospital (Bronx) - Air New Zealand - KEANE - Blue Cross/Blue Shield of Texas - Cotton States Mutual Ins Company - PKO BP Warszawa, Poland - - Insurance Services Office - Citigroup - Liberty Life - Thomson Reuters - Royal Bank of Canada (RBC) - M&T
Bank - Medstar Health http://www.medstarhealth.org - Infosys - Maersk Data (Global Logistics/Shipment Tracking) - Missouri Gas Energy Kansas City MO USA KLCameron Utility - Choice Point - Express Scripts - VETTRI - Wellogic - Arby’s – Wendy’s Group - Bacen www.bcb.gov.br -
BNP Paribas Fortis Brussels Belgium - Alcan Global ATI - C&S Wholesale Grocers - United States Postal Service -Princeton Retirement Group Inc - POLARIS - Georgia Farm Bureau Mutual - MBT - May bank - BMW - AIG - EDEKA - Delloits - Iflex - Bank of Tokyo (Jersey City) - Crawford and
Company - Meredith Corp - Express Scripts - Home Depot U.S.A., Inc. - Broadridge Financial Services - NMBS-Holding http://www.nmbs-holding.be - Prudential - KPN - Bank of Montreal (BMO:CN) - Montreal - Union Bank - R+V - Alcatel-Lucent - DATEV eG - Delta Air Lines Inc - Pershing
LLC - Physicians Mutual Insurance Company (PMIC) Omaha NE USA KLCameron Insurance - Morgan Stanley (Brooklyn) - Scotiabank - CSI International OH USA Jon Henderson, COO - Coca Cola Enterprises - Amadeus Data Processing - Zions Bancorporation - Ciber - Gwinnett County -
VW - Banco Bradesco - Target INC - Copel - Blue Cross Blue Shield AL - LDS - IPACS - ZETO - Office Depot Deerfield & DelRay - Air France - Capital One - Glen Allen/West Creek - Emigrant Savings Bank - Consist - Siemens - JPMorgan Chase - Banco Davivienda - QBE the Americas -
Lufthansa Systems - Metlife - United States Postal Service — Mainframe Ops - Tata Steel - Franklin Templeton - United Parcel Service Inc (UPS) - Nest - Kawasaki Motors Corp - AT&T / BellSouth / Cingular - HSBC GLT - Medical Mutual of Ohio Cleveland OH USA CooperMA - T-System -
NYS Dept of Tax and Fin - HealthPlan Services - OFD - State of California Teale Data Center, Rancho Cordova, CA - CEF - Delphi - Tivit http://www.tivit.com.br - Igate Hyderabad India Sivaprasad Vura - Atlanta Journal Constitution - Manhattan Associates - Helsana - MHS - FannieMae -
S1 - HDFC Bank - Great Lakes Higher Education Corp. - Norfork Southern Railway - SCHLUMBERGER Sema - United Health Group (UHG) - Union Pacific Omaha NE USA KLCameron Transportation - Outsourcing deTecnica deSistemas - Hardware - CSX - Deutsche Bundesbank - TD Canada
Trust - Computer Sciences Corporation (CSC) - Highmark - Rubbermaid - IGS - Edward Jones St. Louis MO Tempe AZ USA - Ministry of Interior (NIC) - IBM - Scott Trade - EMC - Bank International Indonesia (BII) - CIC - Parker Hannifin Cleveland Ohio USA Cooperma - Paccar - Deutsche
Bundesbank - Deutsche Bank - Global SMS Networks Pvt. Ltd. ( GLOBALSMSC ) - Chase - Genuine Auto Parts ( Motion Industries) - Hexaware - Virginia State Corp, Commission - Customs & Border Enforcement (CBE) - Protech Training [http://www.protechtraining.com] Training,
Consulting & Software Pittsburgh PA USA - NBNZ - ING NA Insurance Corp - IBM Tucson, Arizona Software Development Laboratory (DFSMShsm, Copy Services) - Atlantic Pacific Tea Company (A&P) - CTS - AMB Generali - WIPRO - State of Florida - Northwest Regional Data Center -
Brotherhood Bank & Trust - Walmart - VW - MINDTEK - Philip Morris - Intercontinental Hotels Group - Dekalb County - Allstate - Utica Insurance Utica NY USA Insurance – Emirates - Assurance - New York University - Primerica Life Ins Co - Krasdale Foods, Inc. - Prokarma Hyderabad
India Sivaprasad Vura - North Carolina State Employees' Credit Union - Commerce Bank Kansas City MO USA - First Data - UPS (Paramus, NJ) - Credit Suisse - State of Illinois - Central Management Services (CMS) - Springfield, IL - Penn Mutual - United States Postal Service — Mgmt Ops
- MASTEK - LBBW (Landesbank Baden Wuerttemberg) - DIGITAL - Citi - ELCOT - Wakefern Food Corp - BI Moyle Associates, Inc. - Steria - Acuity Lighting Group Inc.. - HMC Holdings (Manhattan) - ANZ Bank - Banco do Brasil - Allianz Assurancies - DATEV eG - Puget Sound Energy (Seattle)
- Charles Schwab - Serasa Experian - TECO - Winn-Dixie - Belastingdienst - Lufthansa Systems - GAP Inc - HCL - Chemical Abstract Services (CAS) - ProdeSP - United States Postal Service - DB2 DBA Ops - Assurant - Prodam SP - Bank Nasional Indonesia (BNI46) - Norfolk Southern Corp -
AON Hewitt - ITERGO - Aegon - State of Georgia - Trinity Health - AIG - PNC Bank Pittsburgh PA USA - Washington State Department of Social and Health Services - Credit Suisse - Aviva - ELIT - FINA - Finanz Informatik - Jackson National - BMC Software - Group Health Cooperative -
Media Ocean (office here, HQ most likely New York) - Grady Hospital - Ameritech - Allianz Assurancies - Hewlett-Packard - Merrill Lynch (now BOA) - Miami Dade County - IBM Silicon Valley Laboratory, San Jose, CA (home of DFSMS, DB2, IMS, languages) - RedeCard - Connecticut,
State of (various Departments including Transportation, Public Safety, and Information Technologies) - UBS APAC (Union Bank of Switzerland) - ZETO - WGV - Conseco - Atlanta Housing Authority - National Life Ins. Co. - Collective Brands - SAS - FIS - TD Ameritrade - Navistar - LDS -
Target India - Dominion Power/Dominion Resources - Glen Allen/Innsbrook - US Software - Voith - Thrivent - LBBW (Landesbank Baden Wuerttemberg) - State of Alabama - Bank of America (BAC) - Ford - SATHYAM/PCS - Fiducia - Amadeus Data Processing - State of AZ - ADOT - IBM
India - Florida Power & Light - PSA Peugeot Citroen - Mphasis - ADP, Inc. - City of Tulsa - Energy Future Holdings Dallas Tx USA - CGI - Boston Univerity - University of NC - Atos Origin - Key Bank - AFLAC - IBM Global Services - YRCW - Lincoln National - Software Paradigms India - logica
CMG - Fujitsu America Dallas TX KLCameron Outsourcing - Southern California Edison - CEF - Mt. Sinai (Bronx) - Blue Cross Blue Shield - HSBC Trinkaus & Burkhardt AG - Mainline Information Systems - Schneider National Green Bay WI USA KLCameron Transportation - Publix - John
Dere - PSC Electrical Contracting - Family Life Ins. Co. - DTC (Manhattan) - Eaton Cleveland Ohio USA Cooper MA - Russell Stovers - AEP - Alcatel - Axa (Jersey City) - ACS (Texas) - Mutual of America - Liberty Mutual (Safeco Insurance) - Medicare - Statens Uddannelsesstøtte - Lowe's -
Bank Of America - TUI - IVV - Aetna - Sanepar - Sentry Insurance - Fiserv IntegraSys - State of Connecticut (various Departments including Public Safety, Transportation, Information Technologies) - Bovespa - City of New York (Several locations) - Con Edison (Manhattan) - City of
Atlanta - GM - UBS - Krakatau Steel Cilegon Indonesia - ITERGO - Blue Cross Blue Shield GA - Scope International(Standard Chatered) - Rutgers University - Office of IT - GM - Santander - State of Alaska - AIG Global Services - Atos Origin - CA Technologies - Garuda Indonesia Jakarta
Indonesia Gun gun - Leumi Bank Leumi Bank Tel-Aviv ISrael, Shai Perry - Cognizant Technology Solutions - Barclays bank - Heartland Payment Systems (Texas) - Xerox - State of GA - DOL - SYNTEL - Canadian Imperial Bank of Commerce (CIBC) - Friedkin Information Technology Houston
TX USA - NASDAQ Stock Market - Mahindra Satyam - Coca-Cola Co - SIAC (Brooklyn) - Sears Holdings Corporation - Finanz Informatik - Fiducia - Metro North (Manhattan) - FedEx - KEONICS - Ahold - NY City, Various Agencies - IBM - CA Technologies - Principal Financial Group - Georgia
Pacific - Governor's Office - Kansas City Life - Old Mutual - Catapiller - Amtrak - CTS - City and County of Alameda, California - Ceridian - DPF - USAA - Traveler's Insurance - Roundy's Supermarkets Milwaukee WI USA - Lexis Nexis (formerly ChoicePoint Inc) - Marriott Hotel - United
States Postal Service Applic. Dev. - XANSA - Auto Zone - EDS - Manulife - State of GA - GTA - Washington State Department of Transportation – Source: http://mainframes.wikidot.com/

Diagram (recovered labels): Security Disclosure, Infrastructure Design, Platform Expertise, Security Industry -> RISK
It's just a computer...
The Platform

Think of it like this

Windows Network          Mainframe (z/OS)
Active Directory         RACF/ACF2/TopSecret
Oracle/MS SQL            DB2/IMS
Web Applications         CICS Transaction Servers
System Administration    TSO
Remote Access            TN3270
Event Viewer             SMF/Syslog

DEMO

What You'll See
TSO (the 'Shell')
- Logging in
- Access Datasets
CICS (the 'application server')
- Logging in
- Access a transaction
Unix (the 'Unix')
- Through TSO
- Through SSH
ADD GIF OF TSO HERE

Hacking

Quick Demonstration
Show you how easy it is to hack a mainframe:
- Steal Credentials
- Execute Code
- Breach
- Elevate Privileges

DEMO

Game Over

Prevention

Enroll in Enterprise Processes
- Mainframes do not deserve a "Pass"
- All required security activities must be performed!
- Do not take "No" for an answer

Asset Identification
- Identify all the business assets on your mainframe
- Understand the core applications which rely on your mainframe
- Understand their downtime thresholds
- Locate application databases and files
- How do users/applications access this data?
- Multiple vendors provide these services

Security Requirements
- Do you even have security requirements?
- When were they last reviewed?
- What baseline are they standardized against?

Publicly Available Guides
- ISACA, (ISC)², IBM
- None provide the depth required except the DoD DISA STIG for z/OS (RACF, ACF2, TopSecret)

Compliance Automation
- DoD guide automation is easy! Vanguard and zSecure allow continuous monitoring against the DoD controls
- DoD too strict? You can modify the controls to fit your environment

Logging and Monitoring
- All logs must be reviewed!
- Educate the security operations center about alerts
- Move logs (i.e. SMF records) off of the mainframe; tools include IronStream, Vanguard, zSecure, CoreLog
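As an added example (not from the slides and not the code of any tool named above), this Python script triages RACF ICH408I violation messages once a forwarder has moved them off the mainframe, the kind of alert logic a security operations center needs to understand for this platform. It assumes the forwarder emits one message per line with a timestamp and system-name prefix; the sample records, the failure threshold, the sensitive-dataset prefixes and the privileged-id list are all constructed assumptions to tune per environment.

```python
"""Triage RACF ICH408I messages that a log forwarder has shipped off z/OS.

Assumptions (not from the slides): the forwarder emits one ICH408I message
per line, prefixed by a timestamp and a system name. ICH408I is the message
RACF issues for failed logons and access violations. The sample records
below are constructed for illustration only and are not real data.
"""
import re
from collections import Counter

# Constructed sample of forwarded z/OS syslog records (not real data).
SAMPLE_LOG = """\
2017-02-14T09:01:12Z SYS1 ICH408I USER(TSOUSR1 ) GROUP(DEPT10  ) NAME(J. DOE ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00012
2017-02-14T09:01:15Z SYS1 ICH408I USER(TSOUSR1 ) GROUP(DEPT10  ) NAME(J. DOE ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00012
2017-02-14T09:01:19Z SYS1 ICH408I USER(TSOUSR1 ) GROUP(DEPT10  ) NAME(J. DOE ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00012
2017-02-14T09:01:22Z SYS1 ICH408I USER(TSOUSR1 ) GROUP(DEPT10  ) NAME(J. DOE ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00012
2017-02-14T09:02:40Z SYS1 ICH408I USER(IBMUSER ) GROUP(SYS1    ) NAME(IBM DEFAULT ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00012
2017-02-14T09:05:03Z SYS1 ICH408I USER(APPUSR7 ) GROUP(APPS    ) NAME(BATCH ) SYS1.PARMLIB CL(DATASET ) VOL(RES001) INSUFFICIENT ACCESS AUTHORITY FROM SYS1.** (G) ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
2017-02-14T09:05:09Z SYS1 ICH408I USER(APPUSR7 ) GROUP(APPS    ) NAME(BATCH ) SYS1.LINKLIB CL(DATASET ) VOL(RES001) INSUFFICIENT ACCESS AUTHORITY FROM SYS1.** (G) ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
2017-02-14T09:07:55Z SYS1 ICH408I USER(TSOUSR2 ) GROUP(DEPT10  ) NAME(A. SMITH ) LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL TCP00044
"""

# The fixed USER/GROUP/NAME header of ICH408I, then the variable detail text.
ICH408I_RE = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)\s+"
    r"NAME\((?P<name>[^)]*)\)\s+(?P<detail>.*)$"
)
# Access-violation detail: resource name, RACF class, then the intent/allowed pair.
RESOURCE_RE = re.compile(r"^(?P<resource>\S+)\s+CL\((?P<rclass>[^)]*)\)")
INTENT_RE = re.compile(r"ACCESS INTENT\((?P<intent>[^)]*)\)")

# Triage policy (assumed values; tune per environment).
LOGON_FAILURE_THRESHOLD = 3          # failures per user id before alerting
SENSITIVE_PREFIXES = ("SYS1.",)      # system datasets: any violation is notable
PRIVILEGED_IDS = {"IBMUSER"}         # IBMUSER is RACF's default user id


def parse_ich408i(line):
    """Return a dict describing one ICH408I record, or None if the line is not one."""
    m = ICH408I_RE.search(line)
    if not m:
        return None
    # RACF pads fields to fixed width inside the parentheses; strip the padding.
    ev = {k: v.strip() for k, v in m.groupdict().items()}
    detail = ev.pop("detail")
    ev["ts"] = line.split(maxsplit=1)[0]
    ev.update(kind="other", resource=None, rclass=None, intent=None)
    if "INVALID PASSWORD" in detail:
        ev["kind"] = "logon_failure"
    elif "INSUFFICIENT ACCESS AUTHORITY" in detail:
        ev["kind"] = "access_violation"
        r = RESOURCE_RE.match(detail)
        if r:
            ev["resource"] = r.group("resource")
            ev["rclass"] = r.group("rclass").strip()
        i = INTENT_RE.search(detail)
        if i:
            ev["intent"] = i.group("intent").strip()
    return ev


def triage(log_text):
    """Parse all records and return (events, alerts) for SOC review."""
    events = [e for e in map(parse_ich408i, log_text.splitlines()) if e]
    failures = Counter(e["user"] for e in events if e["kind"] == "logon_failure")
    alerts = []
    for user, n in sorted(failures.items()):
        if n >= LOGON_FAILURE_THRESHOLD:
            alerts.append(("repeated_logon_failure", user, n))
        if user in PRIVILEGED_IDS:
            # Any failed logon to a privileged/default id is worth a look.
            alerts.append(("privileged_id_logon_failure", user, n))
    for e in events:
        if e["kind"] == "access_violation" and e["resource"] and \
                e["resource"].startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_dataset_violation", e["user"], e["resource"]))
    return events, alerts


if __name__ == "__main__":
    evs, found = triage(SAMPLE_LOG)
    print(f"{len(evs)} ICH408I records parsed, {len(found)} alerts")
    for a in found:
        print(*a)
```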

Training
- Train your people!
- Risk and security assessors should understand the platform
- Your mainframe security people shouldn't be IAM people

Vulnerability Scanning
- Implement continuous vulnerability scanning. No excuses!
- All systems should be scanned using your enterprise vulnerability scanner (e.g. Qualys, Nessus, etc.)
- Support from vendors, however, is lacking

Penetration Testing
- Conduct annual penetration tests
- Ensure 100% testing of all mainframe-based applications
- Tools are freely available: Nmap, BIRP, Metasploit

Apply What You've Learned
Next week you should:
- Identify business reliance on the mainframe
In the first three months following this presentation you should:
- Evaluate current security requirements against the DoD STIG
- Identify critical assets residing on your mainframe
Within six months you should:
- Schedule the first vulnerability and penetration tests
- Implement stronger security requirements

Thank You
Questions?
Philip Young, @mainframed767, mainframed767@gmail.com
Chad Rikansrud, @bigendiansmalls, mainframe@bigendiansmalls.com

Appendix
Logica Breach, Tools: https://github.com/mainframed
Nmap, Metasploit Scripts: https://github.com/zedsec390
Blog Chad: https://www.bigendiansmalls.com/
Blog Phil: http://mainframed767.tumblr.com/
Other Talks: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n
IBM Emulated Mainframe: http://www-03.ibm.com/software/products/en/ibm-z-systems-development-and-test-environment

DoD STIGs
RACF: https://www.stigviewer.com/stig/zos_racf/
ACF2: https://www.stigviewer.com/stig/zos_acf2/
TopSecret: https://www.stigviewer.com/stig/zos_tss/

Information Technology Houston TX USA - NASDAQ Stock Market - Mahindra Satyam - Coca-Cola Co - SIAC (Brooklyn) - Sears Holdings Corporation - Finanz Informatik - Fiducia - Metro North (Manhattan) - FedEx - KEONICS - Ahold - NY City, Various Agencies - IBM - CA Technologies - Principal Financial Group - Georgia Pacific - Governor's Office - Kansas City Life - Old Mutual - Catapiller - Amtrak - CTS - City and County of Alameda, California - Ceridian - DPF - USAA - Traveler's Insurance - Roundy's Supermarkets Milwaukee WI USA - Lexis Nexis (formerly ChoicePoint Inc) - Marriott Hotel - United States Postal Service Applic. Dev. - XANSA - Auto Zone - EDS - Manulife - State of GA - GTA - Washington State Department of Transportation – Source: http://mainframes.wikidot.com/
  • 10. Think of it like this: it's just a computer. Windows network ↔ Mainframe (z/OS) equivalents: Active Directory ↔ RACF/ACF2/TopSecret; Oracle/MS SQL ↔ DB2/IMS; Web Applications ↔ CICS Transaction Servers; System Administration ↔ TSO; Remote Access ↔ TN3270; Event Viewer ↔ SMF/Syslog.
  • 11. DEMO
  • 12. What You'll See: TSO (the 'shell'): logging in, accessing datasets. CICS (the 'application server'): logging in, accessing a transaction. Unix (the 'Unix'): through TSO, through SSH. ADD GIF OF TSO HERE
  • 15. Quick Demonstration: show you how easy it is to hack a mainframe. Steal credentials; execute code; breach; elevate privileges.
  • 22. Enroll in Enterprise Processes: mainframes do not deserve a "pass". All required security activities must be performed! Do not take "no" for an answer.
  • 23. Asset Identification: identify all the business assets on your mainframe. Understand the core applications which rely on your mainframe, and their downtime thresholds. Locate application databases and files. How do users/applications access this data? Multiple vendors provide these services.
  • 24. Security Requirements: do you even have security requirements? When were they last reviewed? What baseline are they standardized against?
  • 25. Publicly Available Guides: ISACA, ISC^2, IBM. None provide the depth required except the DoD DISA STIG for z/OS (RACF, ACF2, TopSecret).
  • 26. Compliance Automation: DoD guide automation is easy! Vanguard and zSecure allow for continuous monitoring against DoD controls. DoD too strict? You can modify it to your environment.
  • 27. Logging and Monitoring: all logs must be reviewed! Educate the security operations center about alerts. Move logs (aka SMF records) off of the mainframe: IronStream, Vanguard, zSecure, CoreLog.
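Once SMF/syslog data is off the host, the log review the slide calls for can be automated. The following is an added example, not the presenters' tooling or any vendor's product: it triages RACF ICH408I violation messages from a constructed syslog sample, flagging repeated invalid-password attempts and dataset access violations, and assumes the forwarder preserves the message text with its indented continuation lines.

```python
import re
from collections import Counter

# Constructed sample of z/OS SYSLOG text as a log forwarder might ship it.
# Real ICH408I messages span several lines; continuation lines are indented.
SAMPLE_SYSLOG = """\
ICH408I USER(TSTUSR1 ) GROUP(DEPT1   ) NAME(TEST USER ONE       )
  LOGON/JOB INITIATION - INVALID PASSWORD
ICH408I USER(TSTUSR1 ) GROUP(DEPT1   ) NAME(TEST USER ONE       )
  LOGON/JOB INITIATION - INVALID PASSWORD
ICH408I USER(TSTUSR1 ) GROUP(DEPT1   ) NAME(TEST USER ONE       )
  LOGON/JOB INITIATION - INVALID PASSWORD
ICH408I USER(TSTUSR2 ) GROUP(DEPT1   ) NAME(TEST USER TWO       )
  SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
IEF403I TSTJOB1 - STARTED - TIME=10.15.03
"""

USER_RE = re.compile(r"^ICH408I USER\((\S+)\s*\)")
RESOURCE_RE = re.compile(r"NAME\([^)]*\)\s+(\S+)\s+CL\((\S+)\s*\)")
INTENT_RE = re.compile(r"ACCESS INTENT\((\S+)\s*\)\s+ACCESS ALLOWED\((\S+)\s*\)")

def ich408i_records(text):
    """Stitch indented continuation lines back onto their ICH408I header line."""
    records, active = [], False
    for line in text.splitlines():
        if line.startswith("ICH408I"):          # header line starts a record
            records.append(line.rstrip())
        elif active and line.startswith(" "):   # continuation of that record
            records[-1] += " " + line.strip()
        # stay "inside" a record only across its own continuation lines
        active = line.startswith("ICH408I") or (active and line.startswith(" "))
    return records

def triage(text, password_threshold=3):
    """Turn forwarded ICH408I records into SOC alerts (a list of dicts)."""
    bad_passwords, alerts = Counter(), []
    for rec in ich408i_records(text):
        user = USER_RE.match(rec).group(1)
        if "INVALID PASSWORD" in rec:
            bad_passwords[user] += 1
        elif "INSUFFICIENT ACCESS AUTHORITY" in rec:
            res, intent = RESOURCE_RE.search(rec), INTENT_RE.search(rec)
            alerts.append({"type": "access-violation", "user": user,
                           "resource": res.group(1), "class": res.group(2),
                           "intent": intent.group(1), "allowed": intent.group(2)})
    for user, n in bad_passwords.items():  # repeated bad passwords = guessing
        if n >= password_threshold:
            alerts.append({"type": "password-guessing", "user": user, "count": n})
    return alerts
```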
  • 28. Training: train your people! Risk and security assessors should understand the platform. Your mainframe security people shouldn't be IAM people.
  • 29. Vulnerability Scanning: implement continuous vulnerability scanning. No excuses! All systems should be scanned using your enterprise vulnerability scanner (e.g. Qualys, Nessus, etc.). Support from vendors, however, is lacking.
  • 30. Penetration Testing: conduct annual penetration tests. Ensure 100% testing of all mainframe-based applications. Tools are freely available: Nmap, BIRP, Metasploit.
  • 31. Apply What You've Learned. Next week you should: identify business reliance on the mainframe. In the first three months following this presentation you should: evaluate current security requirements against the DoD STIG; identify critical assets residing on your mainframe. Within six months you should: schedule the first vulnerability and penetration tests; implement stronger security requirements.
  • 32. The Platform. Thank You. Questions? Philip Young, @mainframed767, mainframed767@gmail.com. Chad Rikansrud, @bigendiansmalls, mainframe@bigendiansmalls.com.
  • 33. Appendix: Logica breach, tools: https://github.com/mainframed. Nmap, Metasploit scripts: https://github.com/zedsec390. Blog Chad: https://www.bigendiansmalls.com/. Blog Phil: http://mainframed767.tumblr.com/. Other talks: https://www.youtube.com/playlist?list=PLBVy6TfEpKmEL56fb5AnZCM8pXXFfJS0n. IBM emulated mainframe: http://www-03.ibm.com/software/products/en/ibm-z-systems-development-and-test-environment

Editor's Notes

  • #4: The picture is from Infoworld 2001
  • #5: Source: http://mainframes.wikidot.com/
  • #6: Phil to Animate somehow
  • #7: Cover: Phil was initially under investigation for this breach. Gottfrid broke in to government and banks, stole the equivalent of their social security data and the source code to their 'IRS'. The attacks used were developed on an emulated mainframe he had acquired which was 10 years older than the current version; he found multiple zero days. System owners did not know they were breached; when they did, they accidentally deleted forensics data. How could this happen?
  • #8: Add Delta Headline
  • #9: Source: http://www-03.ibm.com/systems/z/solutions/enterprise-security.html IBM on the one hand says it's 8 times more secure than other platforms? Almost 70% less effort to secure. False sense of security with the platform.
  • #17: Scan system. Acquire creds – UserID/password on SharePoint. Show valuable files. Launch malware. Show encrypted. Show ReadMe.
  • #21: This is what our test "mainframe" environment looks like.
  • #26: What is your policy based on? Do you even know what your mainframe security requirements are? What baseline?