Mainframe penetration testing means testing a system as it is actually deployed and configured, rather than as it is documented, to find known or unknown vulnerabilities. For several reasons, discussed below, this often gets overlooked by enterprises that run a mainframe.
“The challenge with mainframe penetration testing is that, for the testers, the vulnerabilities are largely unknown and there is very little support available,” says Phil Young, co-founder of zedsec 390. “This lack of support is one of the key reasons the platform gets overlooked. We also have the problem of core vendors pretending that it is 1999 and hiding vulnerabilities. Finally, CISOs (Chief Information Security Officers) and CROs (Chief Risk Officers) are largely unaware of the risk posed to the enterprise by an unsecured mainframe, both from a data exfiltration risk and a loss of revenue caused by downtime due to an attack.”
Chad Rikansrud, Director, N. America Operations – RSM Partners, believes there are a few reasons that mainframes get overlooked when it comes to penetration testing. He says, “First, there isn't the necessary overlap of technical skills between those who deeply understand mainframe technologies and those who are well-versed in the current techniques and adversaries that compose the current threat landscape. Second, there is a widely held fallacy that the mainframe is somehow impenetrable or immune to hacking; this is just simply not true.
“Both Phil and I have proven time and again that the same tricks used to exploit x86 and other systems work just fine when ported to the mainframe. Some exploits (e.g., Java-based) don't even require porting and work out of the box.”
This raises the question: which tools are being used today to test the mainframe? According to Young, today's approaches follow common penetration-testing best practices, but the tooling effort is concentrated on reconnaissance. Since most penetration tests begin with a thorough reconnaissance phase, both he and Rikansrud are focusing their efforts there. He says, “As they exist today, all tools are open source and primarily rely on open source frameworks (such as Nmap and Metasploit) to help increase the tool availability.”
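As an added illustration of the reconnaissance step Young describes, the Python below models the first thing a 3270-aware scanner does when it connects to a mainframe Telnet listener: answer the server's Telnet option requests and record which options the server asked for, since that pattern distinguishes a TN3270E host from a classic tn3270 server or an ordinary Unix telnetd. This is example code written for this article; it is not one of the zedsec 390 or RSM Partners tools and not code from Nmap or Metasploit. It assumes the negotiation behaviour in RFC 2355 (a TN3270E server opens with IAC DO TN3270E) and RFC 1576 (a classic tn3270 server asks for TERMINAL-TYPE, EOR and BINARY); the terminal model string IBM-3278-2-E and all input byte sequences are constructed, not captured traffic.

```python
"""Telnet option negotiation used to fingerprint TN3270 services.

Added example for this article, not one of the zedsec 390 / RSM Partners
tools and not code from Nmap or Metasploit.  It models the first step a
3270-aware scanner performs: answer the server's Telnet option requests
and record which options the server asked for.  Assumptions: a TN3270E
server opens with IAC DO TN3270E (RFC 2355), a classic tn3270 server asks
for TERMINAL-TYPE, EOR and BINARY (RFC 1576), and anything else is plain
Telnet.  All input byte strings are constructed, not captured traffic.
"""

IAC, SE, SB = 0xFF, 0xF0, 0xFA                  # Telnet command bytes
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
BINARY, TERMINAL_TYPE, EOR, TN3270E = 0x00, 0x18, 0x19, 0x28   # option codes
TT_IS, TT_SEND = 0x00, 0x01                     # TERMINAL-TYPE sub-commands

CLIENT_WILL = {BINARY, TERMINAL_TYPE, EOR, TN3270E}   # options we answer WILL to
CLIENT_DO = {BINARY, EOR}                             # server WILLs we accept
TERMINAL_NAME = b"IBM-3278-2-E"   # 3270 model we claim to be (assumed value)


def negotiate(server_bytes):
    """Consume one server-to-client chunk.

    Returns (reply, requested): `reply` is what the client should send back,
    `requested` the set of options the server asked us to enable with DO,
    which is the fingerprinting signal.  Unknown options are refused.
    """
    reply = bytearray()
    requested = set()
    i, n = 0, len(server_bytes)
    while i < n:
        if server_bytes[i] != IAC:
            i += 1                      # ordinary data (banner text); ignored
            continue
        if i + 1 >= n:
            break                       # chunk ends mid-command; wait for more
        cmd = server_bytes[i + 1]
        if cmd == IAC:
            i += 2                      # escaped 0xFF data byte
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break                   # option byte not yet received
            opt = server_bytes[i + 2]
            if cmd == DO:
                requested.add(opt)
                reply += bytes([IAC, WILL if opt in CLIENT_WILL else WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DO if opt in CLIENT_DO else DONT, opt])
            i += 3                      # DONT / WONT need no answer
        elif cmd == SB:
            end = server_bytes.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break                   # incomplete subnegotiation
            body = server_bytes[i + 2:end]
            if body[:2] == bytes([TERMINAL_TYPE, TT_SEND]):
                reply += bytes([IAC, SB, TERMINAL_TYPE, TT_IS]) + TERMINAL_NAME + bytes([IAC, SE])
            # A full client would also answer TN3270E DEVICE-TYPE/FUNCTIONS here.
            i = end + 2
        else:
            i += 2                      # NOP, GA and other two-byte commands
    return bytes(reply), requested


def classify(requested):
    """Map the server's DO requests to a service class."""
    if TN3270E in requested:
        return "tn3270e"
    if {TERMINAL_TYPE, EOR, BINARY} <= requested:
        return "tn3270"
    return "telnet"


def fingerprint(server_bytes):
    return classify(negotiate(server_bytes)[1])


# Constructed opening sequences (not captured from real hosts)
ZOS_OPENING = bytes([IAC, DO, TN3270E])
CLASSIC_OPENING = bytes([IAC, DO, TERMINAL_TYPE, IAC, SB, TERMINAL_TYPE, TT_SEND, IAC, SE,
                         IAC, DO, EOR, IAC, DO, BINARY, IAC, WILL, EOR, IAC, WILL, BINARY])
UNIX_TELNET_OPENING = bytes([IAC, DO, 0x01, IAC, WILL, 0x01, IAC, WILL, 0x03]) + b"login: "

if __name__ == "__main__":
    for name, chunk in (("z/OS", ZOS_OPENING), ("classic 3270", CLASSIC_OPENING),
                        ("unix", UNIX_TELNET_OPENING)):
        reply, requested = negotiate(chunk)
        print(f"{name:13s} -> {classify(requested):8s} reply={reply.hex()}")
```

In a real scan the chunk passed to `negotiate` comes from a socket read on port 23 or 992 (the latter behind TLS), and the reply is written straight back; the point of the example is that the service class is decided by what the server asks for before any screen is drawn, which is why a port scanner can flag 3270 hosts without ever reaching a logon panel. Note also that the function refuses every option it does not know and stops cleanly on a truncated command, so unexpected negotiation from a hardened or unusual listener cannot push it into an undefined state.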
Young and Rikansrud will be presenting at SHARE San Jose 2017 in a session titled: Mainframe Penetration Testing — from the Red Team. This will serve as an introduction to the methodologies and tools used to test mainframes. A walkthrough of a standard penetration test will be conducted with real-world examples, along with steps from planning a mainframe penetration test through testing and documentation.
According to Young, attendees should be able to leave the talk with enough information to begin their own testing, understand the current threat landscape, and help communicate that information within their own organizations.
Rikansrud says, “Given the relative lack of tools and expertise in this field, organizations are not going to be able to ‘buy’ their way out of this, and will (instead) have to really dig in and train their people to understand how to test these systems. People with solid technical skills on other platforms can easily be trained to operate mainframes, despite popular myths.”
Overall, security remains a topic of great relevance to the mainframe. While Young believes organizations are committed to ensuring security and compliance, he finds they tend to focus their energies in the wrong areas. He says, “The mainframe is largely overlooked because of its relative obscurity and appearance of infallibility. Because of this, there is a larger focus on compliance and very little actual security testing. Unfortunately, advances in compliance ultimately occur due to security research. Since security research on the mainframe is effectively stagnant, compliance guides see very few updates. Furthermore, since most compliance departments lack mainframe expertise, they may not even know that their compliance guides are no longer applicable.”
Rikansrud adds, “Mainframe hacking may not be the loudest or most pressing based on what is reported in the news, but certainly an organization's bottom line would be devastated by having its mainframe compromised. This cannot be overlooked.”