By Mark Wilson, Technical Director at RSM Partners
There are many people in the IT security world that believe we don’t need to test mainframes for security weaknesses, whether that be a penetration test or vulnerability scan. Unfortunately, mainframes are not secure, but they are securable.
In the world we live in today, “hacking” is no longer a high value, high stakes business. It is a serious everyday threat for organizations of every type and size that rely on technology to facilitate business. Reliable security depends on understanding risks; a breach in security defenses could be exploited to access or damage information systems and data. Important questions that must be considered when assessing security needs are: Where are the exposures? What are the weaknesses? Who are the threats?
If you do not know your vulnerabilities, how can you defend yourself?
One of the best ways to test your systems is to get a penetration test performed by a third party. That may be an external organization or it may a specialized internal team, often called a red team. Penetration testing or “ethical hacking” is the process of identifying vulnerabilities in your technology environment and assessing the exposures they create. This is performed in the same way a malicious attacker would use, with the same techniques and tools, but with the intent to identify, rather than exploit.
This allows the enterprise to understand the level of exposure that it has to the various forms of attack and is the only real test that uncovers hidden vulnerabilities. It is a convincing tool in effective planning for remediation activity and security procedures.
It is important to understand that not all attacks are actually carried out in person; in fact, the majority of attacks today are facilitated by automated technologies and malicious software agents that have been specially created to exploit weaknesses.
A continuously changing technology and threat landscape means that penetration testing should not be a one-off exercise, but rather, a strategic process designed to assess exposures on a regular basis. This is done both to understand risk in more detail and aid the design of better controls. It also serves to give peace of mind to confirm that the defences are holding up as intended.
In the mainframe world, these tests are often performed under the guise of a non-privileged internal user, such as a developer, operations analyst or even an operator, where the tester attempts to elevate their privileges (say, obtain RACF SPECIAL as an example) or access sensitive data and exfiltrate the data in an undetected manner. What we mean here is this: Can we bypass any DLP controls that may be in place and get data off the mainframe and outside the organization undetected?
Although the organization may have invested in significant security safeguards, a penetration test can provide assurance that the safeguards in place are effective and are thus protecting the organization’s reputation with customers, business partners and regulators – ultimately acting as a business enabler.
Used properly, a penetration test can also address specific compliance objectives in regulated sectors and help the organization’s IT department to take the necessary corrective measures (e.g. by remediating vulnerable systems) and ensure continuity of critical business operations that rely heavily on IT systems.
As outlined above, penetration testing provides detailed information on actual exploitable security threats. Through the execution of periodic penetration testing exercises, an organization can derive business value by proactively identifying which vulnerabilities are most critical, and then plan a response procedure to ensure that information system resources are available when and where they are needed most.
One of the things we have come to learn is that hackers have plenty of time and can be probing and discovering (“footprinting”) the system over a long period of time. When you do a penetration test, you have a limited amount of time, usually a period of about 7–12 days, during which the tester has access to the system.
With this in mind, we very much support repeatedly testing your mainframe configurations and applications and using the same testing team to do it.
Not only do your systems change, but also the testers themselves learn new vulnerabilities and add new tests to their bag of tricks. For this reason, it is important that the same security team do the testing. Yes, they will learn your system, but this is a benefit because they can continue to check on any previously identified vulnerabilities before focusing on new and emerging risks.
So is penetration testing a one-off exercise? In our opinion, definitely not.
Mark Wilson is the technical director at RSM Partners, who specialize in all things system z aka mainframes. He has more than 35 years of technical IT experience, with a broad range of skills, the majority of which was gained in hands-on technical roles, performing a variety of duties in diverse and complex environments. The majority of Wilson’s experience is focused on IBM mainframe systems, where he performs as an Architect, Technician and Project Manager. His specialist subject is IT Security, in particular z/OS and associated subsystem (CICS, DB2, MQ, etc.) security with RACF, ACF2 or Top Secret installed.